Add support for San selectors in x509pop node attestor plugin

Signed-off-by: snanjundaswamy <bnshiva@gmail.com>

doc/plugin_server_nodeattestor_x509pop.md

@@ -44,6 +44,7 @@ A sample configuration:
 | Common Name      | `x509pop:subject:cn:example.org`                                  | The Subject's Common Name (see X.500 Distinguished Names)                                |
 | SHA1 Fingerprint | `x509pop:ca:fingerprint:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. |
 | SerialNumber     | `x509pop:serialnumber:0a1b2c3d4e5f`                               | The leaf certificate serial number as a lowercase hexadecimal string                     |
+| San     | `x509pop:san.<key>:<value>`                               | The san selectors on the leaf selectors. The expected format of the uri san is `x509pop://<trust_domain>/<key>:<value>`  string                     |
 
 ## SVID Path Prefix
 

pkg/common/plugin/x509pop/x509pop.go

@@ -36,6 +36,7 @@ type agentPathTemplateData struct {
 	PluginName      string
 	TrustDomain     string
 	SVIDPathTrimmed string
+	San             map[string]string
 }
 
 type AttestationData struct {
@@ -268,14 +269,15 @@ func Fingerprint(cert *x509.Certificate) string {
 }
 
 // MakeAgentID creates an agent ID from X.509 certificate data.
-func MakeAgentID(td spiffeid.TrustDomain, agentPathTemplate *agentpathtemplate.Template, cert *x509.Certificate, svidPathTrimmed string) (spiffeid.ID, error) {
+func MakeAgentID(td spiffeid.TrustDomain, agentPathTemplate *agentpathtemplate.Template, cert *x509.Certificate, svidPathTrimmed string, sanSelectors map[string]string) (spiffeid.ID, error) {
 	agentPath, err := agentPathTemplate.Execute(agentPathTemplateData{
 		TrustDomain:     td.Name(),
 		Certificate:     cert,
 		PluginName:      PluginName,
 		SerialNumberHex: SerialNumberHex(cert.SerialNumber),
 		Fingerprint:     Fingerprint(cert),
 		SVIDPathTrimmed: svidPathTrimmed,
+		San:             sanSelectors,
 	})
 	if err != nil {
 		return spiffeid.ID{}, err

pkg/common/plugin/x509pop/x509pop_test.go

@@ -131,10 +131,11 @@ func createBadCertificate(privateKey, publicKey any) (*x509.Certificate, error)
 
 func TestMakeAgentID(t *testing.T) {
 	tests := []struct {
-		desc      string
-		template  *agentpathtemplate.Template
-		expectID  string
-		expectErr string
+		desc         string
+		template     *agentpathtemplate.Template
+		sanSelectors map[string]string
+		expectID     string
+		expectErr    string
 	}{
 		{
 			desc:     "default template with sha1",
@@ -146,6 +147,12 @@ func TestMakeAgentID(t *testing.T) {
 			template: agentpathtemplate.MustParse("/foo/{{ .Subject.CommonName }}"),
 			expectID: "spiffe://example.org/spire/agent/foo/test-cert",
 		},
+		{
+			desc:         "custom template with san selectors",
+			template:     agentpathtemplate.MustParse("/foo/{{ .San.datacenter }}/{{ .San.environment }}"),
+			sanSelectors: map[string]string{"datacenter": "us-east-1", "environment": "production"},
+			expectID:     "spiffe://example.org/spire/agent/foo/us-east-1/production",
+		},
 		{
 			desc:      "custom template with nonexistant fields",
 			template:  agentpathtemplate.MustParse("/{{ .Foo }}"),
@@ -161,7 +168,7 @@ func TestMakeAgentID(t *testing.T) {
 					CommonName: "test-cert",
 				},
 			}
-			id, err := MakeAgentID(spiffeid.RequireTrustDomainFromString("example.org"), tt.template, cert, "")
+			id, err := MakeAgentID(spiffeid.RequireTrustDomainFromString("example.org"), tt.template, cert, "", tt.sanSelectors)
 			if tt.expectErr != "" {
 				require.Error(t, err)
 				require.Contains(t, err.Error(), tt.expectErr)

pkg/server/plugin/nodeattestor/x509pop/x509pop.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/x509"
 	"encoding/json"
+	"net/url"
 	"strings"
 	"sync"
 
@@ -241,17 +242,25 @@ func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
 
 	svidPath := ""
 	if config.mode == "spiffe" {
-		if len(leaf.URIs) == 0 {
+		var spiffeURIs []*url.URL
+		for _, uri := range leaf.URIs {
+			if uri.Scheme == "spiffe" {
+				spiffeURIs = append(spiffeURIs, uri)
+			}
+		}
+		if len(spiffeURIs) == 0 {
 			return status.Errorf(codes.PermissionDenied, "valid SVID x509 cert not found")
 		}
-		svidPath = leaf.URIs[0].EscapedPath()
+		svidPath = spiffeURIs[0].EscapedPath()
 		if !strings.HasPrefix(svidPath, config.svidPrefix) {
 			return status.Errorf(codes.PermissionDenied, "x509 cert doesnt match SVID prefix")
 		}
 		svidPath = strings.TrimPrefix(svidPath, config.svidPrefix)
 	}
 
-	spiffeid, err := x509pop.MakeAgentID(config.trustDomain, config.pathTemplate, leaf, svidPath)
+	sanSelectors := parseUriSanSelectors(leaf, config.trustDomain.Name())
+
+	spiffeid, err := x509pop.MakeAgentID(config.trustDomain, config.pathTemplate, leaf, svidPath, sanSelectors)
 	if err != nil {
 		return status.Errorf(codes.Internal, "failed to make spiffe id: %v", err)
 	}
@@ -260,7 +269,7 @@ func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
 		Response: &nodeattestorv1.AttestResponse_AgentAttributes{
 			AgentAttributes: &nodeattestorv1.AgentAttributes{
 				SpiffeId:       spiffeid.String(),
-				SelectorValues: buildSelectorValues(leaf, chains),
+				SelectorValues: buildSelectorValues(leaf, chains, sanSelectors),
 				CanReattest:    true,
 			},
 		},
@@ -323,7 +332,7 @@ func (p *Plugin) getConfig() (*configuration, error) {
 	return p.config, nil
 }
 
-func buildSelectorValues(leaf *x509.Certificate, chains [][]*x509.Certificate) []string {
+func buildSelectorValues(leaf *x509.Certificate, chains [][]*x509.Certificate, sanSelectors map[string]string) []string {
 	var selectorValues []string
 
 	if leaf.Subject.CommonName != "" {
@@ -352,5 +361,26 @@ func buildSelectorValues(leaf *x509.Certificate, chains [][]*x509.Certificate) [
 		selectorValues = append(selectorValues, "serialnumber:"+serialNumberHex)
 	}
 
+	for sanUriKey, saniUriValue := range sanSelectors {
+		selectorValues = append(selectorValues, "san:"+sanUriKey+":"+saniUriValue)
+	}
+
 	return selectorValues
 }
+
+func parseUriSanSelectors(leaf *x509.Certificate, trustDomain string) map[string]string {
+	uriSelectorMap := make(map[string]string)
+	sanPrefix := "x509pop://" + trustDomain + "/"
+	for _, uri := range leaf.URIs {
+		if strings.HasPrefix(uri.String(), sanPrefix) {
+			unprefixedUriSan := strings.TrimPrefix(uri.String(), sanPrefix)
+			if strings.Contains(unprefixedUriSan, ":") {
+				lastIndex := strings.LastIndex(unprefixedUriSan, ":")
+				uriSelectorKey := unprefixedUriSan[:lastIndex]
+				uriSelectorValue := unprefixedUriSan[lastIndex+1:]
+				uriSelectorMap[uriSelectorKey] = uriSelectorValue
+			}
+		}
+	}
+	return uriSelectorMap
+}

pkg/server/plugin/nodeattestor/x509pop/x509pop_test.go

@@ -160,6 +160,8 @@ func (s *Suite) TestAttestSuccess() {
 					{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.intermediateCert)},
 					{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.rootCert)},
 					{Type: "x509pop", Value: tt.serialnumber},
+					{Type: "x509pop", Value: "san:datacenter:us-east-1"},
+					{Type: "x509pop", Value: "san:environment:production"},
 				}, result.Selectors)
 		})
 	}

test/fixture/nodeattestor/x509pop/generate.go

@@ -48,6 +48,10 @@ func main() {
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 		NotAfter:     neverExpires,
 		Subject:      pkix.Name{CommonName: "COMMONNAME"},
+		URIs: []*url.URL{
+			{Scheme: "x509pop", Host: "example.org", Path: "/datacenter:us-east-1"},
+			{Scheme: "x509pop", Host: "example.org", Path: "/environment:production"},
+		},
 	}, intermediateKey, intermediateCert)
 
 	svid, _ := url.Parse("spiffe://example.org/somesvid")
@@ -65,7 +69,8 @@ func main() {
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 		NotAfter:     neverExpires,
 		Subject:      pkix.Name{CommonName: "COMMONNAME"},
-		URIs:         []*url.URL{svidExchange},
+		URIs: []*url.URL{svidExchange, {Scheme: "x509pop", Host: "example.org", Path: "/datacenter:us-east-1"},
+			{Scheme: "x509pop", Host: "example.org", Path: "/environment:production"}},
 	}, intermediateKey, intermediateCert)
 
 	writeKey("leaf-key.pem", leafKey)

test/fixture/nodeattestor/x509pop/intermediate.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AKpxtqJyka4hQtdKksZdUeSc5yNlu5L/bswWfq1QWR/v4SeWEjdxQVZ7KUiJ9/XB
-traFmbMv880uI9F5F4zfeo0sdQ5aRNlWJWQXcAdoAxg5BDREYSz/HmZDTd9WXU4V
-EwIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRWojkh3HDe3KBD
-qzktBMpG0G+ryzANBgkqhkiG9w0BAQsFAANhAIBVt7ACIz9e8tbo0Zac+qnFO2EM
-oPm76JArWRM51uQFXDu6xDmJ1vqUckyq2yqeQEvyUe7TptqVEx+zZrP/40UFFkhF
-keKJw5C1aZJvTvhVPFKmmQRiuDtRH4LzPt/HuQ==
+AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
+RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
+2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
+X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
+FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
+lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
 -----END CERTIFICATE-----

test/fixture/nodeattestor/x509pop/leaf-crt-bundle.pem

@@ -1,21 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIIBgjCCAQygAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
+MIIB6TCCAXOgAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCwkMtBkQNZtf9oFP/0WMzMHRSp0404
-UFSXkUL0YVNHRv/HnMyGdlA0cCWVsqmkktpEFNC/GYwG9YDDJuttWPMwiIiZN4B+
-ZuksNkKgwENGhRd/Y8w43U6gzJrwGJhfMzUCAwEAAaMzMDEwDgYDVR0PAQH/BAQD
-AgeAMB8GA1UdIwQYMBaAFFaiOSHccN7coEOrOS0EykbQb6vLMA0GCSqGSIb3DQEB
-CwUAA2EAC1/obuB4EjN66H7bOlOqgKzRN1v7YAC9hqKVxDs/CXs4DjAgsBrhiYIf
-uSsNrHhIswS51r2iIMeYh9FTzxg6Nre7m5KoRgiI4pvcKBKQs5R/sF1Ywq1p7dH8
-q+vGqujB
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
+1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
++6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaOBmTCBljAOBgNVHQ8BAf8E
+BAMCB4AwHwYDVR0jBBgwFoAU2beVGEps4qqb+l/jV9VkPgXOV6gwYwYDVR0RBFww
+WoYqeDUwOXBvcDovL2V4YW1wbGUub3JnL2RhdGFjZW50ZXI6dXMtZWFzdC0xhix4
+NTA5cG9wOi8vZXhhbXBsZS5vcmcvZW52aXJvbm1lbnQ6cHJvZHVjdGlvbjANBgkq
+hkiG9w0BAQsFAANhAFy8KJm4DiNVJldT289sERz4OtvgEt9oTd0IdYrPBJSkmdut
+TuCbJV5K8Jr+fXZju5TrICysDleVzad5suYG3Bj4BzSu8kBgd7qMCKFdywVAX4MI
+5w95GWjv4HEpg+801g==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AKpxtqJyka4hQtdKksZdUeSc5yNlu5L/bswWfq1QWR/v4SeWEjdxQVZ7KUiJ9/XB
-traFmbMv880uI9F5F4zfeo0sdQ5aRNlWJWQXcAdoAxg5BDREYSz/HmZDTd9WXU4V
-EwIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRWojkh3HDe3KBD
-qzktBMpG0G+ryzANBgkqhkiG9w0BAQsFAANhAIBVt7ACIz9e8tbo0Zac+qnFO2EM
-oPm76JArWRM51uQFXDu6xDmJ1vqUckyq2yqeQEvyUe7TptqVEx+zZrP/40UFFkhF
-keKJw5C1aZJvTvhVPFKmmQRiuDtRH4LzPt/HuQ==
+AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
+RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
+2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
+X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
+FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
+lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
 -----END CERTIFICATE-----

test/fixture/nodeattestor/x509pop/leaf-key.pem

@@ -1,13 +1,13 @@
 -----BEGIN PRIVATE KEY-----
-MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEAsJDLQZEDWbX/aBT/
-9FjMzB0UqdONOFBUl5FC9GFTR0b/x5zMhnZQNHAllbKppJLaRBTQvxmMBvWAwybr
-bVjzMIiImTeAfmbpLDZCoMBDRoUXf2PMON1OoMya8BiYXzM1AgMBAAECYQCQ393H
-CMOlAo50ynZR+eLgwCPKTQkc4dznGIvFlW4NmBYbpW60DbQ1sqdEM3q6zLrqJypr
-7ganReJLIrVl3KDsiwTNey50L7xbLQYNMKRsVJ+yVK0vBzyhEiSgOqhe9SkCMQDT
-ZQS8IkrhRijtqkh3Z6+S2PBSCTIL8fq9urjnXvrUEYJyMz1NXmU3eE64It8ZGEMC
-MQDV0md67EYLZNwb4f+DzPSfFfimi+4TQIhs23z0fDEujMaJ8iX1SovL18Ka48+t
-6ycCMQCMJ47DGU1iHH0oTdzr5b+/cbur+FLJHq8qubC8HfnZPp6pDpXXRP2AkHBI
-nz4hSjcCMBFWaDGdauiNmxNftdo4CjXEEE9g1UMWXnmFKpKgZ1SA8bBJxC4ph0BW
-FF9+zV4qzQIxAMm0CyNcLy30XT00Q2wTu8UCI31xEOkWdsacSxy81ZH5pTCyS6bT
-OuvwN3YFTG4guw==
+MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEAozF7EjQSEWZhpAjb
+Ke75P/ISPwhKf9QsHSmrA4+1Br2csKyCToN4UnemBbXY3t8O/W/Lf6vEtmOCMGBY
+3ehKilWCDFk1Hfuk53edkbMB0o1okB0zFetBhU/l6eXfcKP1AgMBAAECYDsa2LAn
+G8QhiIuYiYgOfUejrOgXYKQbfD6zsLSBf9cJJY73a9pz00hK/V5kFj/iGT+Tta8Q
+4YBizRQZrCeh3JWYR/tK8nwe3tSt8lzW2P9O1AcUX/e5IVol+p9nKNwLoQIxAMRR
+w+CTQNoiFppiIBN0+6Ftk/yuvYkULmfRWpgwJQcLS03gPatDam3ORM7c6tc7mwIx
+ANTNuvkEfc6TlqcXJ5tGe2/4x/jbEW7s3em5r3zoAkLsz0gv8LaShE/FDPyk84d/
+rwIwWrMD8g9WGPFCzBSliRe04YHEqyr3+grO3bwFROaJVNXM9q+xDhzZYN25QHEk
+NkgdAjEAjMLAyHLWHMy3PDMuuaD3iWtQKyYM9AiuCSoQEFkPFeG6go9jdACakIFR
+Q9SAWcJ1AjEAq5QNpUwPi2bKKVJ3G6Bb97IiQly25KjfibRfirT/gNV9gWbJc5EP
+nENp3XUtwu65
 -----END PRIVATE KEY-----

test/fixture/nodeattestor/x509pop/leaf.pem

@@ -1,11 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIBgjCCAQygAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
+MIIB6TCCAXOgAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCwkMtBkQNZtf9oFP/0WMzMHRSp0404
-UFSXkUL0YVNHRv/HnMyGdlA0cCWVsqmkktpEFNC/GYwG9YDDJuttWPMwiIiZN4B+
-ZuksNkKgwENGhRd/Y8w43U6gzJrwGJhfMzUCAwEAAaMzMDEwDgYDVR0PAQH/BAQD
-AgeAMB8GA1UdIwQYMBaAFFaiOSHccN7coEOrOS0EykbQb6vLMA0GCSqGSIb3DQEB
-CwUAA2EAC1/obuB4EjN66H7bOlOqgKzRN1v7YAC9hqKVxDs/CXs4DjAgsBrhiYIf
-uSsNrHhIswS51r2iIMeYh9FTzxg6Nre7m5KoRgiI4pvcKBKQs5R/sF1Ywq1p7dH8
-q+vGqujB
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
+1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
++6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaOBmTCBljAOBgNVHQ8BAf8E
+BAMCB4AwHwYDVR0jBBgwFoAU2beVGEps4qqb+l/jV9VkPgXOV6gwYwYDVR0RBFww
+WoYqeDUwOXBvcDovL2V4YW1wbGUub3JnL2RhdGFjZW50ZXI6dXMtZWFzdC0xhix4
+NTA5cG9wOi8vZXhhbXBsZS5vcmcvZW52aXJvbm1lbnQ6cHJvZHVjdGlvbjANBgkq
+hkiG9w0BAQsFAANhAFy8KJm4DiNVJldT289sERz4OtvgEt9oTd0IdYrPBJSkmdut
+TuCbJV5K8Jr+fXZju5TrICysDleVzad5suYG3Bj4BzSu8kBgd7qMCKFdywVAX4MI
+5w95GWjv4HEpg+801g==
 -----END CERTIFICATE-----

test/fixture/nodeattestor/x509pop/root-crt.pem

@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgMaKzwwDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AJTE1G18AwWWAn0/UNj1uJWR3spmfzk+Z/aKWAadZWpB7atofJN5nITymAmTShG5
-ZBfoo028+aG818DQaTN4mw6Bt47WeXLVsuS9hvy9VuyQSNS19Egi5Vzo5h70amK/
-KQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQL3ZehHKEWw1WU
-yXpDDxKTX96WUjANBgkqhkiG9w0BAQsFAANhABicwitW0/1S/IBU4uHxxWh9k+8+
-lQc893kblAL0SsqlZL/qxpVWS271T/gQc2ShvXJf7JabRRQ3jTtos33L5FqpJD5q
-PVv3RRQ3Ex/+SMNgi+NOAqNL/GP+8Y3SxQWhlg==
+AL0/cQnluD8iio71FR62xRxWFBFdHTkn42IzSCjhcv0EvUDYiKz7gzM0tYW6ykQA
+CtIvQvKxWABrCmnO65tK05Fp6MXHWfgpiooMdrYx9G45AFkPG2M4dmo3XmmFimHe
+rQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQtsgHE8HmiL2mV
+Uv20DV2KbNBspjANBgkqhkiG9w0BAQsFAANhAEif5xsWtJxEewr0XNn0cFVU5Q0z
+AlkdDxtLlmcVTDRxJXGavu54zAGOzZvYCNjCiZ2HKc3o37XI3s77lwmomofvxaZ6
+YqbBDKocjsqYcry1RTmHVeUS9sabZjTubBLN6g==
 -----END CERTIFICATE-----

test/fixture/nodeattestor/x509pop/svidexchange.pem

@@ -1,22 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIBuzCCAUWgAwIBAgIGChssPU5/MA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
+MIICGjCCAaSgAwIBAgIGChssPU5/MA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCwkMtBkQNZtf9oFP/0WMzMHRSp0404
-UFSXkUL0YVNHRv/HnMyGdlA0cCWVsqmkktpEFNC/GYwG9YDDJuttWPMwiIiZN4B+
-ZuksNkKgwENGhRd/Y8w43U6gzJrwGJhfMzUCAwEAAaNsMGowDgYDVR0PAQH/BAQD
-AgeAMB8GA1UdIwQYMBaAFFaiOSHccN7coEOrOS0EykbQb6vLMDcGA1UdEQQwMC6G
-LHNwaWZmZTovL2V4YW1wbGUub3JnL3NwaXJlLWV4Y2hhbmdlL3Rlc3Rob3N0MA0G
-CSqGSIb3DQEBCwUAA2EAe/b53CFjgrJRAN7LoFksxpEqtty7Z7sgZkf/D2gsWaAx
-QoX7HHgU2Agso4ivnksuJGjsrjFXbG+qmvMeLG6mjst0mHrlm9e6QNtpN5k/mj6K
-gX3hcDmO2sXXrhU8ySYt
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
+1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
++6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaOByjCBxzAOBgNVHQ8BAf8E
+BAMCB4AwHwYDVR0jBBgwFoAU2beVGEps4qqb+l/jV9VkPgXOV6gwgZMGA1UdEQSB
+izCBiIYsc3BpZmZlOi8vZXhhbXBsZS5vcmcvc3BpcmUtZXhjaGFuZ2UvdGVzdGhv
+c3SGKng1MDlwb3A6Ly9leGFtcGxlLm9yZy9kYXRhY2VudGVyOnVzLWVhc3QtMYYs
+eDUwOXBvcDovL2V4YW1wbGUub3JnL2Vudmlyb25tZW50OnByb2R1Y3Rpb24wDQYJ
+KoZIhvcNAQELBQADYQDgERn9LfokKHe+5CKl1kHHFHvWc0BQvXvlS95jUMh/PlRM
+61IsgeWBBb9eje74+YVYcJys6fC2FQ85vIfC5h1xgNLGEX7s0cZDvZkU+WmFDpE4
+1hfFpUzOEd8J6JJtS20=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AKpxtqJyka4hQtdKksZdUeSc5yNlu5L/bswWfq1QWR/v4SeWEjdxQVZ7KUiJ9/XB
-traFmbMv880uI9F5F4zfeo0sdQ5aRNlWJWQXcAdoAxg5BDREYSz/HmZDTd9WXU4V
-EwIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRWojkh3HDe3KBD
-qzktBMpG0G+ryzANBgkqhkiG9w0BAQsFAANhAIBVt7ACIz9e8tbo0Zac+qnFO2EM
-oPm76JArWRM51uQFXDu6xDmJ1vqUckyq2yqeQEvyUe7TptqVEx+zZrP/40UFFkhF
-keKJw5C1aZJvTvhVPFKmmQRiuDtRH4LzPt/HuQ==
+AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
+RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
+2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
+X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
+FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
+lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
 -----END CERTIFICATE-----

test/fixture/nodeattestor/x509pop/svidreg.pem

@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIBrDCCATagAwIBAgIGChssPU5vMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCwkMtBkQNZtf9oFP/0WMzMHRSp0404
-UFSXkUL0YVNHRv/HnMyGdlA0cCWVsqmkktpEFNC/GYwG9YDDJuttWPMwiIiZN4B+
-ZuksNkKgwENGhRd/Y8w43U6gzJrwGJhfMzUCAwEAAaNdMFswDgYDVR0PAQH/BAQD
-AgeAMB8GA1UdIwQYMBaAFFaiOSHccN7coEOrOS0EykbQb6vLMCgGA1UdEQQhMB+G
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
+1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
++6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaNdMFswDgYDVR0PAQH/BAQD
+AgeAMB8GA1UdIwQYMBaAFNm3lRhKbOKqm/pf41fVZD4FzleoMCgGA1UdEQQhMB+G
 HXNwaWZmZTovL2V4YW1wbGUub3JnL3NvbWVzdmlkMA0GCSqGSIb3DQEBCwUAA2EA
-K6U+E2Kq7bR4z8Cc1iaO3mgC2SUAieLDkf8tKcKWKPkd+QMiVR4wAAyvGdRyQynI
-taMknAJxe84hy43OF6JRP9Pz1/c37KFzsGrulC1gjBODeIw+JfkWafy2l43HyLrf
+yob7rIAH0OKGidwRqFFcbis+UjRz1AydG9rhzHvQyWytDK5XB8FAEECVMm6aza6m
+uIg7499sEjcgwup4GpOuf8Q5XIfE9RJnBfMKTdGTjv71gqmwX6ZgN/0SWAJMpkFt
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AKpxtqJyka4hQtdKksZdUeSc5yNlu5L/bswWfq1QWR/v4SeWEjdxQVZ7KUiJ9/XB
-traFmbMv880uI9F5F4zfeo0sdQ5aRNlWJWQXcAdoAxg5BDREYSz/HmZDTd9WXU4V
-EwIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRWojkh3HDe3KBD
-qzktBMpG0G+ryzANBgkqhkiG9w0BAQsFAANhAIBVt7ACIz9e8tbo0Zac+qnFO2EM
-oPm76JArWRM51uQFXDu6xDmJ1vqUckyq2yqeQEvyUe7TptqVEx+zZrP/40UFFkhF
-keKJw5C1aZJvTvhVPFKmmQRiuDtRH4LzPt/HuQ==
+AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
+RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
+2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
+X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
+FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
+lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
 -----END CERTIFICATE-----