diff --git a/security/advancedtls/advancedtls.go b/security/advancedtls/advancedtls.go
index ce7fb2e0..f8fe638f 100644
--- a/security/advancedtls/advancedtls.go
+++ b/security/advancedtls/advancedtls.go
@@ -322,8 +322,8 @@ func buildVerifyFunc(c *advancedTLSCreds,
 }
 }
-// NewClient uses ClientOptions to construct a TransportCredentials based on TLS.
-func NewClient(o *ClientOptions) (credentials.TransportCredentials, error) {
+// NewClientCreds uses ClientOptions to construct a TransportCredentials based on TLS.
+func NewClientCreds(o *ClientOptions) (credentials.TransportCredentials, error) {
 conf, err := o.config()
 if err != nil {
 return nil, err
@@ -338,8 +338,8 @@ func NewClient(o *ClientOptions) (credentials.TransportCredentials, error) {
 return tc, nil
 }
-// NewServer uses ServerOptions to construct a TransportCredentials based on TLS.
-func NewServer(o *ServerOptions) (credentials.TransportCredentials, error) {
+// NewServerCreds uses ServerOptions to construct a TransportCredentials based on TLS.
+func NewServerCreds(o *ServerOptions) (credentials.TransportCredentials, error) {
 conf, err := o.config()
 if err != nil {
 return nil, err
diff --git a/security/advancedtls/advancedtls_integration_test.go b/security/advancedtls/advancedtls_integration_test.go
new file mode 100644
index 00000000..41c428a2
--- /dev/null
+++ b/security/advancedtls/advancedtls_integration_test.go
@@ -0,0 +1,402 @@
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package advancedtls
+
+import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "net"
+ "sync"
+ "testing"
+ "time"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+ pb "google.golang.org/grpc/examples/helloworld/helloworld"
+ "google.golang.org/grpc/security/advancedtls/testdata"
+)
+
+var (
+ address = "localhost:50051"
+ port = ":50051"
+)
+
+// stageInfo contains a stage number indicating the current phase of each integration test, and a mutex.
+// Based on the stage number of current test, we will use different certificates and server authorization
+// functions to check if our tests behave as expected.
+type stageInfo struct {
+ mutex sync.Mutex
+ stage int
+}
+
+func (s *stageInfo) increase() {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+ s.stage = s.stage + 1
+}
+
+func (s *stageInfo) read() int {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+ return s.stage
+}
+
+func (s *stageInfo) reset() {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+ s.stage = 0
+}
+
+// certStore contains all the certificates used in the integration tests.
+type certStore struct {
+ // clientPeer1 is the certificate sent by client to prove its identity. It is trusted by serverTrust1.
+ clientPeer1 tls.Certificate
+ // clientPeer2 is the certificate sent by client to prove its identity. It is trusted by serverTrust2.
+ clientPeer2 tls.Certificate
+ // serverPeer1 is the certificate sent by server to prove its identity. It is trusted by clientTrust1.
+ serverPeer1 tls.Certificate
+ // serverPeer2 is the certificate sent by server to prove its identity. It is trusted by clientTrust2.
+ serverPeer2 tls.Certificate
+ clientTrust1 *x509.CertPool
+ clientTrust2 *x509.CertPool
+ serverTrust1 *x509.CertPool
+ serverTrust2 *x509.CertPool
+}
+
+// loadCerts function is used to load test certificates at the beginning of each integration test.
+func (cs *certStore) loadCerts() error {
+ var err error
+ cs.clientPeer1, err = tls.LoadX509KeyPair(testdata.Path("client_cert_1.pem"),
+ testdata.Path("client_key_1.pem"))
+ if err != nil {
+ return err
+ }
+ cs.clientPeer2, err = tls.LoadX509KeyPair(testdata.Path("client_cert_2.pem"),
+ testdata.Path("client_key_2.pem"))
+ if err != nil {
+ return err
+ }
+ cs.serverPeer1, err = tls.LoadX509KeyPair(testdata.Path("server_cert_1.pem"),
+ testdata.Path("server_key_1.pem"))
+ if err != nil {
+ return err
+ }
+ cs.serverPeer2, err = tls.LoadX509KeyPair(testdata.Path("server_cert_2.pem"),
+ testdata.Path("server_key_2.pem"))
+ if err != nil {
+ return err
+ }
+ cs.clientTrust1, err = readTrustCert(testdata.Path("client_trust_cert_1.pem"))
+ if err != nil {
+ return err
+ }
+ cs.clientTrust2, err = readTrustCert(testdata.Path("client_trust_cert_2.pem"))
+ if err != nil {
+ return err
+ }
+ cs.serverTrust1, err = readTrustCert(testdata.Path("server_trust_cert_1.pem"))
+ if err != nil {
+ return err
+ }
+ cs.serverTrust2, err = readTrustCert(testdata.Path("server_trust_cert_2.pem"))
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
+// serverImpl is used to implement pb.GreeterServer.
+type serverImpl struct{}
+
+// SayHello is a simple implementation of pb.GreeterServer.
+func (s *serverImpl) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
+ return &pb.HelloReply{Message: "Hello " + in.Name}, nil
+}
+
+func callAndVerify(msg string, client pb.GreeterClient, shouldFail bool) error {
+ ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+ defer cancel()
+ _, err := client.SayHello(ctx, &pb.HelloRequest{Name: msg})
+ if want, got := shouldFail == true, err != nil; got != want {
+ return fmt.Errorf("want and got mismatch, want shouldFail=%v, got fail=%v, rpc error: %v", want, got, err)
+ }
+ return nil
+}
+
+func callAndVerifyWithClientConn(connCtx context.Context, msg string, creds credentials.TransportCredentials, shouldFail bool) (*grpc.ClientConn, pb.GreeterClient, error) {
+ var conn *grpc.ClientConn
+ var err error
+ // If we want the test to fail, we establish a non-blocking connection to avoid it hangs and killed by the context.
+ if shouldFail {
+ conn, err = grpc.DialContext(connCtx, address, grpc.WithTransportCredentials(creds))
+ if err != nil {
+ return nil, nil, fmt.Errorf("client failed to connect to %s. Error: %v", address, err)
+ }
+ } else {
+ conn, err = grpc.DialContext(connCtx, address, grpc.WithTransportCredentials(creds), grpc.WithBlock())
+ if err != nil {
+ return nil, nil, fmt.Errorf("client failed to connect to %s. Error: %v", address, err)
+ }
+ }
+ greetClient := pb.NewGreeterClient(conn)
+ err = callAndVerify(msg, greetClient, shouldFail)
+ if err != nil {
+ return nil, nil, err
+ }
+ return conn, greetClient, nil
+}
+
+// The advanced TLS features are tested in different stages.
+// At stage 0, we establish a good connection between client and server.
+// At stage 1, we change one factor(it could be we change the server's certificate, or server authorization function, etc),
+// and test if the following connections would be dropped.
+// At stage 2, we re-establish the connection by changing the counterpart of the factor we modified in stage 1.
+// (could be change the client's trust certificate, or change server authorization function, etc)
+func TestEnd2End(t *testing.T) {
+ cs := &certStore{}
+ cs.loadCerts()
+ stage := &stageInfo{}
+ for _, test := range []struct {
+ desc string
+ clientCert []tls.Certificate
+ clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
+ clientRoot *x509.CertPool
+ clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
+ clientVerifyFunc CustomVerificationFunc
+ serverCert []tls.Certificate
+ serverGetCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)
+ serverRoot *x509.CertPool
+ serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
+ }{
+ // Test Scenarios:
+ // At initialization(stage = 0), client will be initialized with cert clientPeer1 and clientTrust1, server with serverPeer1 and serverTrust1.
+ // The mutual authentication works at the beginning, since clientPeer1 is trusted by serverTrust1, and serverPeer1 by clientTrust1.
+ // At stage 1, client changes clientPeer1 to clientPeer2. Since clientPeer2 is not trusted by serverTrust1, following rpc calls are expected
+ // to fail, while the previous rpc calls are still good because those are already authenticated.
+ // At stage 2, the server changes serverTrust1 to serverTrust2, and we should see it again accepts the connection, since clientPeer2 is trusted
+ // by serverTrust2.
+ {
+ desc: "TestClientPeerCertReloadServerTrustCertReload",
+ clientCert: nil,
+ clientGetCert: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+ switch stage.read() {
+ case 0:
+ return &cs.clientPeer1, nil
+ default:
+ return &cs.clientPeer2, nil
+ }
+ },
+ clientGetRoot: nil,
+ clientRoot: cs.clientTrust1,
+ clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
+ return &VerificationResults{}, nil
+ },
+ serverCert: []tls.Certificate{cs.serverPeer1},
+ serverGetCert: nil,
+ serverRoot: nil,
+ serverGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
+ switch stage.read() {
+ case 0, 1:
+ return &GetRootCAsResults{TrustCerts: cs.serverTrust1}, nil
+ default:
+ return &GetRootCAsResults{TrustCerts: cs.serverTrust2}, nil
+ }
+ },
+ },
+ // Test Scenarios:
+ // At initialization(stage = 0), client will be initialized with cert clientPeer1 and clientTrust1, server with serverPeer1 and serverTrust1.
+ // The mutual authentication works at the beginning, since clientPeer1 is trusted by serverTrust1, and serverPeer1 by clientTrust1.
+ // At stage 1, server changes serverPeer1 to serverPeer2. Since serverPeer2 is not trusted by clientTrust1, following rpc calls are expected
+ // to fail, while the previous rpc calls are still good because those are already authenticated.
+ // At stage 2, the client changes clientTrust1 to clientTrust2, and we should see it again accepts the connection, since serverPeer2 is trusted
+ // by clientTrust2.
+ {
+ desc: "TestServerPeerCertReloadClientTrustCertReload",
+ clientCert: []tls.Certificate{cs.clientPeer1},
+ clientGetCert: nil,
+ clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
+ switch stage.read() {
+ case 0, 1:
+ return &GetRootCAsResults{TrustCerts: cs.clientTrust1}, nil
+ default:
+ return &GetRootCAsResults{TrustCerts: cs.clientTrust2}, nil
+ }
+ },
+ clientRoot: nil,
+ clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
+ return &VerificationResults{}, nil
+ },
+ serverCert: nil,
+ serverGetCert: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+ switch stage.read() {
+ case 0:
+ return &cs.serverPeer1, nil
+ default:
+ return &cs.serverPeer2, nil
+ }
+ },
+ serverRoot: cs.serverTrust1,
+ serverGetRoot: nil,
+ },
+ // Test Scenarios:
+ // At initialization(stage = 0), client will be initialized with cert clientPeer1 and clientTrust1, server with serverPeer1 and serverTrust1.
+ // The mutual authentication works at the beginning, since clientPeer1 trusted by serverTrust1, serverPeer1 by clientTrust1, and also the
+ // custom server authorization check allows the CommonName on serverPeer1.
+ // At stage 1, server changes serverPeer1 to serverPeer2, and client changes clientTrust1 to clientTrust2. Although serverPeer2 is trusted by
+ // clientTrust2, our authorization check only accepts serverPeer1, and hence the following calls should fail. Previous connections should
+ // not be affected.
+ // At stage 2, the client changes authorization check to only accept serverPeer2. Now we should see the connection becomes normal again.
+ {
+ desc: "TestClientCustomServerAuthz",
+ clientCert: []tls.Certificate{cs.clientPeer1},
+ clientGetCert: nil,
+ clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
+ switch stage.read() {
+ case 0:
+ return &GetRootCAsResults{TrustCerts: cs.clientTrust1}, nil
+ default:
+ return &GetRootCAsResults{TrustCerts: cs.clientTrust2}, nil
+ }
+ },
+ clientRoot: nil,
+ clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
+ if len(params.RawCerts) == 0 {
+ return nil, fmt.Errorf("no peer certs")
+ }
+ cert, err := x509.ParseCertificate(params.RawCerts[0])
+ if err != nil || cert == nil {
+ return nil, fmt.Errorf("failed to parse certificate: " + err.Error())
+ }
+ authzCheck := false
+ switch stage.read() {
+ case 0, 1:
+ // foo.bar.com is the common name on serverPeer1
+ if cert.Subject.CommonName == "foo.bar.com" {
+ authzCheck = true
+ }
+ default:
+ // foo.bar.server2.com is the common name on serverPeer2
+ if cert.Subject.CommonName == "foo.bar.server2.com" {
+ authzCheck = true
+ }
+ }
+ if authzCheck {
+ return &VerificationResults{}, nil
+ }
+ return nil, fmt.Errorf("custom authz check fails")
+ },
+ serverCert: nil,
+ serverGetCert: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+ switch stage.read() {
+ case 0:
+ return &cs.serverPeer1, nil
+ default:
+ return &cs.serverPeer2, nil
+ }
+ },
+ serverRoot: cs.serverTrust1,
+ serverGetRoot: nil,
+ },
+ } {
+ test := test
+ t.Run(test.desc, func(t *testing.T) {
+ // Start a server using ServerOptions in another goroutine.
+ serverOptions := &ServerOptions{
+ Certificates: test.serverCert,
+ GetCertificate: test.serverGetCert,
+ RootCertificateOptions: RootCertificateOptions{
+ RootCACerts: test.serverRoot,
+ GetRootCAs: test.serverGetRoot,
+ },
+ RequireClientCert: true,
+ }
+ serverTLSCreds, err := NewServerCreds(serverOptions)
+ if err != nil {
+ t.Fatalf("Failed to create server creds: %v", err)
+ }
+ s := grpc.NewServer(grpc.Creds(serverTLSCreds))
+ defer s.Stop()
+ go func(s *grpc.Server) {
+ lis, err := net.Listen("tcp", port)
+ // defer lis.Close()
+ if err != nil {
+ t.Fatalf("Failed to listen: %v", err)
+ }
+ pb.RegisterGreeterServer(s, &serverImpl{})
+ if err := s.Serve(lis); err != nil {
+ t.Fatalf("failed to serve: %v", err)
+ }
+ }(s)
+ clientOptions := &ClientOptions{
+ Certificates: test.clientCert,
+ GetClientCertificate: test.clientGetCert,
+ VerifyPeer: test.clientVerifyFunc,
+ RootCertificateOptions: RootCertificateOptions{
+ RootCACerts: test.clientRoot,
+ GetRootCAs: test.clientGetRoot,
+ },
+ }
+ clientTLSCreds, err := NewClientCreds(clientOptions)
+ if err != nil {
+ t.Fatalf("clientTLSCreds failed to create")
+ }
+ // ------------------------Scenario 1-----------------------------------------
+ // stage = 0, initial connection should succeed
+ ctx1, cancel1 := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel1()
+ conn, greetClient, err := callAndVerifyWithClientConn(ctx1, "rpc call 1", clientTLSCreds, false)
+ defer conn.Close()
+ if err != nil {
+ t.Fatal(err)
+ }
+ // ---------------------------------------------------------------------------
+ stage.increase()
+ // ------------------------Scenario 2-----------------------------------------
+ // stage = 1, previous connection should still succeed
+ err = callAndVerify("rpc call 2", greetClient, false)
+ if err != nil {
+ t.Fatal(err)
+ }
+ // ------------------------Scenario 3-----------------------------------------
+ // stage = 1, new connection should fail
+ ctx2, cancel2 := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel2()
+ conn2, greetClient, err := callAndVerifyWithClientConn(ctx2, "rpc call 3", clientTLSCreds, true)
+ defer conn2.Close()
+ if err != nil {
+ t.Fatal(err)
+ }
+ //// ---------------------------------------------------------------------------
+ stage.increase()
+ // ------------------------Scenario 4-----------------------------------------
+ // stage = 2, new connection should succeed
+ ctx3, cancel3 := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel3()
+ conn3, greetClient, err := callAndVerifyWithClientConn(ctx3, "rpc call 4", clientTLSCreds, false)
+ defer conn3.Close()
+ if err != nil {
+ t.Fatal(err)
+ }
+ // ---------------------------------------------------------------------------
+ stage.reset()
+ })
+ }
+}
diff --git a/security/advancedtls/advancedtls_test.go b/security/advancedtls/advancedtls_test.go
index e027a8bd..509befa0 100644
--- a/security/advancedtls/advancedtls_test.go
+++ b/security/advancedtls/advancedtls_test.go
@@ -450,7 +450,7 @@ func TestClientServerHandshake(t *testing.T) {
 close(done)
 return
 }
- serverTLS, err := NewServer(serverOptions)
+ serverTLS, err := NewServerCreds(serverOptions)
 if err != nil {
 serverRawConn.Close()
 close(done)
@@ -481,7 +481,7 @@ func TestClientServerHandshake(t *testing.T) {
 GetRootCAs: test.clientGetRoot,
 },
 }
- clientTLS, newClientErr := NewClient(clientOptions)
+ clientTLS, newClientErr := NewClientCreds(clientOptions)
 if newClientErr != nil && test.clientExpectCreateError {
 return
 }
@@ -566,7 +566,7 @@ func TestAdvancedTLSOverrideServerName(t *testing.T) {
 },
 ServerNameOverride: expectedServerName,
 }
- c, err := NewClient(clientOptions)
+ c, err := NewClientCreds(clientOptions)
 if err != nil {
 t.Fatalf("Client is unable to create credentials. Error: %v", err)
 }
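Review bot: In TestEnd2End's subtest, `defer conn.Close()` is registered before the error from callAndVerifyWithClientConn is checked, and that helper returns a nil *grpc.ClientConn on every error path, so a failed dial or a mismatched RPC result panics in the deferred Close instead of surfacing as the test failure; the same ordering is repeated for conn2 and conn3. Check first and defer after: `if err != nil { t.Fatal(err) }` followed by `defer conn.Close()`. The server goroutine also calls t.Fatalf from a goroutine other than the one running the test, which the testing package does not support; report with t.Errorf and return, or pass the listen/serve error back over a channel the subtest reads. The negative scenario (shouldFail=true, "rpc call 3") only requires that SayHello return some error within one second, so it also passes when the handshake fails for an unrelated reason (server not yet listening on the fixed port, context timeout); asserting on the handshake rejection itself (status code or error text) would make the stage-1 checks actually prove the certificate or authorization change was what was rejected. Finally, the result of `cs.loadCerts()` is discarded, so a missing fixture shows up later as a confusing handshake failure rather than `if err := cs.loadCerts(); err != nil { t.Fatalf("failed to load certs: %v", err) }`.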
@@ -588,7 +588,7 @@ func TestTLSClone(t *testing.T) { }, ServerNameOverride: expectedServerName, } - c, err := NewClient(clientOptions) + c, err := NewClientCreds(clientOptions) if err != nil { t.Fatalf("Failed to create new client: %v", err) } diff --git a/security/advancedtls/go.mod b/security/advancedtls/go.mod index 23cd36f4..9e6d64a2 100644 --- a/security/advancedtls/go.mod +++ b/security/advancedtls/go.mod @@ -2,4 +2,4 @@ module google.golang.org/grpc/security/advancedtls go 1.13 -require google.golang.org/grpc v1.25.1 +require google.golang.org/grpc v1.26.0 diff --git a/security/advancedtls/go.sum b/security/advancedtls/go.sum index c5932214..2872b56a 100644 --- a/security/advancedtls/go.sum +++ b/security/advancedtls/go.sum @@ -1,8 +1,10 @@ +cloud.google.com/go v0.26.0 h1:e0WKqKTd5BnrG8aKH3J3h+QvEIQtSUcf2n5UZ5ZgLtQ= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 
@@ -19,13 +21,16 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -34,10 +39,13 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1 h1:wdKvqQk7IttEw92GoRyKG2IDrUIpgpj6H6m81yfeMW0= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0 h1:2dTRdpdFEEhJYQD8EMLB61nnrzSCTbG38PhqdhvOltg= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/security/advancedtls/testdata/README.md b/security/advancedtls/testdata/README.md new file mode 100644 index 00000000..48a1c135 --- /dev/null +++ b/security/advancedtls/testdata/README.md 
@@ -0,0 +1,42 @@ +About This Directory +------------- +This testdata directory contains the certificates used in the tests of package advancedtls. + +How to Generate Test Certificates Using OpenSSL +------------- + +Supposing we are going to create a `subject_cert.pem` that is trusted by `ca_cert.pem`, here are the +commands we run: + +1. Generate the private key, `ca_key.pem`, and the cert `ca_cert.pem`, for the CA: + + ``` + $ openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -nodes -days $DURATION_DAYS + ``` + +2. Generate a CSR `csr.pem` using `subject_key.pem`: + + ``` + $ openssl req -new -key subject_key.pem -out csr.pem + ``` + +3. Generate a private key `subject_key.pem` for the subject: + + ``` + $ openssl genrsa -out subject_key.pem 4096 + ``` + +4. Use `ca_key.pem` and `ca_cert.pem` to sign `csr.pem`, and get a certificate, `subject_cert.pem`, for the subject: + + This step requires some additional files and please check out [this answer from StackOverflow](https://stackoverflow.com/a/21340898) for more. + + ``` + $ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out subject_cert.pem -in csr.pem -keyfile ca_key.pem -cert ca_cert.pem + ``` +5. Verify the `subject_cert.pem` is trusted by `ca_cert.pem`: + + + ``` + $ openssl verify -verbose -CAfile ca_cert.pem subject_cert.pem + + ``` diff --git a/security/advancedtls/testdata/client_cert_2.pem b/security/advancedtls/testdata/client_cert_2.pem new file mode 100644 index 00000000..3f5d6460 --- /dev/null +++ b/security/advancedtls/testdata/client_cert_2.pem 
@@ -0,0 +1,122 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=foo.bar.server2.trust.com + Validity + Not Before: Jan 9 22:47:15 2020 GMT + Not After : Oct 23 22:47:15 2293 GMT + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=foo.bar.client2.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b9:3e:c6:3b:cb:d6:77:4b:17:d4:8b:91:27:f4: + 62:01:60:8d:01:2f:0a:a8:b1:d6:e3:59:d6:25:3a: + a1:7f:2f:5d:ef:02:f9:6f:4f:72:db:75:ce:0b:22: + a2:05:7c:e0:7c:a3:d3:c8:fa:87:c0:6c:a9:47:00: + ed:52:2b:ba:95:36:36:1a:d3:59:1e:a7:30:a7:48: + 38:7f:1a:7a:3f:84:cf:83:f0:fe:60:61:9e:c0:46: + ce:44:b5:37:83:ef:14:6c:9a:ea:3b:fe:37:8a:ab: + ea:28:59:43:f0:d7:1a:a0:57:a6:5e:a7:3f:46:95: + 92:fb:44:77:68:ee:41:ca:57:1b:de:4c:80:ea:16: + b7:25:c5:b2:e5:d4:47:a7:bb:8d:f5:53:9d:a3:0e: + d0:eb:59:5e:7a:6d:8e:a1:8e:f3:b7:b1:4a:8b:f1: + 8a:01:f1:e1:14:85:dc:91:ce:25:7a:fd:db:17:b8: + 15:60:34:4b:f5:35:df:bd:22:65:b9:85:4a:7a:39: + 74:c0:88:c9:15:61:62:a8:4b:b6:ae:87:0b:2d:5f: + 2b:c6:13:c5:9c:1b:63:c0:23:73:6f:24:5e:e1:f9: + f5:ed:82:81:51:90:4a:08:7f:6e:4f:bd:27:00:b2: + b4:be:a8:0b:65:95:22:a4:c7:24:5b:07:5f:3c:66: + 55:2d:af:ec:d3:f7:ca:e6:07:44:09:6f:da:a2:f3: + c9:4b:1f:9b:d7:e0:0c:6c:a0:be:4d:4c:6c:c5:3a: + bb:0d:a1:c4:82:75:42:ba:c0:10:d2:93:a4:0e:4e: + 41:9a:c2:3c:68:ae:17:92:ec:4b:4f:ca:ef:09:7c: + b2:6d:16:31:15:31:67:78:02:0a:57:6b:60:4e:7f: + cb:0a:27:a5:cd:dd:d9:29:a5:a2:e8:d8:f5:e9:8c: + a3:16:72:9d:b9:94:3e:ef:b1:70:27:2e:16:0f:06: + f9:50:81:99:a2:aa:b2:74:d8:b9:24:0d:08:f4:ff: + 16:c1:2b:32:ad:d1:7d:c2:db:ed:e5:8c:52:26:ed: + 8c:04:af:86:9e:a1:5f:48:81:20:79:bc:57:58:25: + 89:85:02:ba:e1:5f:66:e4:4a:30:2e:6d:3b:89:2c: + 4f:e9:02:6a:e9:9e:b3:6c:7e:9d:1b:a9:37:3e:bf: + 06:ec:ce:d6:d7:6e:e3:e2:5c:2a:fd:98:dd:4d:59: + e8:43:be:44:fe:ee:0a:64:fe:fc:e3:4d:88:23:27: + 
46:a7:f0:b5:80:c4:d8:2c:ad:02:a9:68:a7:d5:64: + 74:b9:14:21:68:c9:f5:3c:62:73:ed:b2:be:10:89: + 1f:d0:1d:1b:8a:ef:5e:6b:4b:08:15:25:4d:9c:b6: + f4:2a:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + E0:27:7D:90:FC:81:7F:F3:EE:97:CE:65:A2:AD:D2:1E:CC:D5:2B:0F + X509v3 Authority Key Identifier: + keyid:63:88:EA:4D:D0:3E:EF:5E:F8:43:91:75:40:E4:16:AB:15:B3:32:B9 + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + Signature Algorithm: sha256WithRSAEncryption + 8c:81:8f:65:38:2c:db:69:34:26:47:62:b7:5d:4e:67:41:c2: + 67:b2:97:72:51:84:f5:73:8e:cf:9d:0f:a2:91:1e:ec:e4:72: + 6f:08:da:26:06:c0:f0:11:fd:b8:ac:23:c7:cf:35:ac:d0:90: + e3:da:f0:8b:7b:55:16:00:5f:82:92:40:07:12:d1:ae:06:13: + c0:5d:7c:9b:64:d7:35:86:59:c3:8d:cd:b9:a8:17:03:2e:b5: + d4:8b:18:11:cf:8d:90:74:8f:12:f6:53:99:66:d8:50:b6:c6: + ef:c8:e3:bc:26:74:67:cb:6d:34:bd:c6:58:38:ef:4b:5e:56: + 80:37:2d:25:64:31:96:6e:8d:13:ff:21:63:c9:ec:8f:b6:05: + 5a:8b:b5:ae:88:50:af:00:c4:c7:9d:9b:88:a3:05:6c:63:85: + 46:1a:b1:6b:32:11:cc:0c:a6:75:44:a2:39:c6:58:c8:2a:f8: + 08:8c:9a:12:c2:49:e0:03:da:fa:f7:67:a3:7b:91:71:46:24: + 71:83:3f:a9:a0:a9:4f:e5:77:9d:a4:49:2b:0e:69:dd:47:93: + b9:4d:82:3d:f7:12:b1:02:0e:ec:4c:98:76:c2:48:81:30:68: + 7c:04:90:e7:a7:e5:0f:44:cf:48:e3:04:1b:9c:4a:0f:20:25: + ce:74:13:83:96:d8:78:69:a0:1c:e4:9e:8d:1b:0c:9f:e8:43: + 29:72:82:96:98:6e:8e:8b:0c:0e:18:4e:dd:62:e8:e9:5c:77: + 64:40:5b:c3:44:3d:21:0f:3f:ef:04:c8:83:f0:af:cc:be:9c: + b5:6b:32:c3:26:66:a0:06:bc:7b:b0:c8:54:8f:0a:d7:57:bb: + c7:d9:7a:7f:3e:61:ab:64:03:cc:32:44:a1:71:6f:9a:cc:80: + a6:e6:de:2d:8e:8a:2f:ca:bf:63:42:24:de:3f:c2:47:a4:e2: + fb:3d:6f:70:3f:6f:cb:bd:61:40:af:c9:59:75:99:39:9d:65: + e4:89:48:fc:14:1c:ad:03:fc:5f:a2:69:be:4d:a1:a3:ad:6b: + e7:f8:8d:13:64:f8:76:7d:04:af:61:f9:9c:39:68:68:99:bc: + ec:53:b9:d1:e7:f3:c2:c9:87:42:f0:26:8f:47:c3:6d:de:2a: + f5:df:b4:58:f2:1e:f5:6c:29:0b:dd:de:ea:1a:88:21:a4:d1: + 
bb:7f:54:c5:cd:75:71:4e:ef:d0:50:f8:ff:a2:0f:d5:02:fd: + 51:52:86:b8:30:db:4f:e0:3b:f1:91:45:72:49:df:a4:17:97: + 25:ca:12:9d:61:9d:29:2c:e4:5f:da:c7:3c:ee:4c:65:5d:2f: + 38:a6:7d:8b:52:af:af:18 +-----BEGIN CERTIFICATE----- +MIIFkzCCA3ugAwIBAgIBBjANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVUzEL +MAkGA1UECAwCQ0ExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEi +MCAGA1UEAwwZZm9vLmJhci5zZXJ2ZXIyLnRydXN0LmNvbTAgFw0yMDAxMDkyMjQ3 +MTVaGA8yMjkzMTAyMzIyNDcxNVowWzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB +MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME2Zv +by5iYXIuY2xpZW50Mi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQC5PsY7y9Z3SxfUi5En9GIBYI0BLwqosdbjWdYlOqF/L13vAvlvT3Lbdc4LIqIF +fOB8o9PI+ofAbKlHAO1SK7qVNjYa01kepzCnSDh/Gno/hM+D8P5gYZ7ARs5EtTeD +7xRsmuo7/jeKq+ooWUPw1xqgV6Zepz9GlZL7RHdo7kHKVxveTIDqFrclxbLl1Een +u431U52jDtDrWV56bY6hjvO3sUqL8YoB8eEUhdyRziV6/dsXuBVgNEv1Nd+9ImW5 +hUp6OXTAiMkVYWKoS7auhwstXyvGE8WcG2PAI3NvJF7h+fXtgoFRkEoIf25PvScA +srS+qAtllSKkxyRbB188ZlUtr+zT98rmB0QJb9qi88lLH5vX4AxsoL5NTGzFOrsN +ocSCdUK6wBDSk6QOTkGawjxorheS7EtPyu8JfLJtFjEVMWd4AgpXa2BOf8sKJ6XN +3dkppaLo2PXpjKMWcp25lD7vsXAnLhYPBvlQgZmiqrJ02LkkDQj0/xbBKzKt0X3C +2+3ljFIm7YwEr4aeoV9IgSB5vFdYJYmFArrhX2bkSjAubTuJLE/pAmrpnrNsfp0b +qTc+vwbsztbXbuPiXCr9mN1NWehDvkT+7gpk/vzjTYgjJ0an8LWAxNgsrQKpaKfV +ZHS5FCFoyfU8YnPtsr4QiR/QHRuK715rSwgVJU2ctvQqCwIDAQABo1owWDAdBgNV +HQ4EFgQU4Cd9kPyBf/Pul85loq3SHszVKw8wHwYDVR0jBBgwFoAUY4jqTdA+7174 +Q5F1QOQWqxWzMrkwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQEL +BQADggIBAIyBj2U4LNtpNCZHYrddTmdBwmeyl3JRhPVzjs+dD6KRHuzkcm8I2iYG +wPAR/bisI8fPNazQkOPa8It7VRYAX4KSQAcS0a4GE8BdfJtk1zWGWcONzbmoFwMu +tdSLGBHPjZB0jxL2U5lm2FC2xu/I47wmdGfLbTS9xlg470teVoA3LSVkMZZujRP/ +IWPJ7I+2BVqLta6IUK8AxMedm4ijBWxjhUYasWsyEcwMpnVEojnGWMgq+AiMmhLC +SeAD2vr3Z6N7kXFGJHGDP6mgqU/ld52kSSsOad1Hk7lNgj33ErECDuxMmHbCSIEw +aHwEkOen5Q9Ez0jjBBucSg8gJc50E4OW2HhpoBzkno0bDJ/oQylygpaYbo6LDA4Y +Tt1i6Olcd2RAW8NEPSEPP+8EyIPwr8y+nLVrMsMmZqAGvHuwyFSPCtdXu8fZen8+ 
+YatkA8wyRKFxb5rMgKbm3i2Oii/Kv2NCJN4/wkek4vs9b3A/b8u9YUCvyVl1mTmd +ZeSJSPwUHK0D/F+iab5NoaOta+f4jRNk+HZ9BK9h+Zw5aGiZvOxTudHn88LJh0Lw +Jo9Hw23eKvXftFjyHvVsKQvd3uoaiCGk0bt/VMXNdXFO79BQ+P+iD9UC/VFShrgw +20/gO/GRRXJJ36QXlyXKEp1hnSks5F/axzzuTGVdLzimfYtSr68Y +-----END CERTIFICATE----- diff --git a/security/advancedtls/testdata/client_key_2.pem b/security/advancedtls/testdata/client_key_2.pem new file mode 100644 index 00000000..c56b1c10 --- /dev/null +++ b/security/advancedtls/testdata/client_key_2.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAuT7GO8vWd0sX1IuRJ/RiAWCNAS8KqLHW41nWJTqhfy9d7wL5 +b09y23XOCyKiBXzgfKPTyPqHwGypRwDtUiu6lTY2GtNZHqcwp0g4fxp6P4TPg/D+ +YGGewEbORLU3g+8UbJrqO/43iqvqKFlD8NcaoFemXqc/RpWS+0R3aO5Bylcb3kyA +6ha3JcWy5dRHp7uN9VOdow7Q61leem2OoY7zt7FKi/GKAfHhFIXckc4lev3bF7gV +YDRL9TXfvSJluYVKejl0wIjJFWFiqEu2rocLLV8rxhPFnBtjwCNzbyRe4fn17YKB +UZBKCH9uT70nALK0vqgLZZUipMckWwdfPGZVLa/s0/fK5gdECW/aovPJSx+b1+AM +bKC+TUxsxTq7DaHEgnVCusAQ0pOkDk5BmsI8aK4XkuxLT8rvCXyybRYxFTFneAIK +V2tgTn/LCielzd3ZKaWi6Nj16YyjFnKduZQ+77FwJy4WDwb5UIGZoqqydNi5JA0I +9P8WwSsyrdF9wtvt5YxSJu2MBK+GnqFfSIEgebxXWCWJhQK64V9m5EowLm07iSxP +6QJq6Z6zbH6dG6k3Pr8G7M7W127j4lwq/ZjdTVnoQ75E/u4KZP78402IIydGp/C1 +gMTYLK0CqWin1WR0uRQhaMn1PGJz7bK+EIkf0B0biu9ea0sIFSVNnLb0KgsCAwEA +AQKCAgBtWJWxJFBzWFs3ti630/Sp9XEmOrti+p7q0tOqZCKCLdaXyDyurMoSq0Y1 +onrbHGxyhk30O5Y4SqvdYrmzoGZhv39OdGUNyAjbJbFbrahtqBrKOk4dXGJWAzWs +rv+XHGAE/6i2QwhMDdCJgq+tEXwBG9vz0WtzYcVCFpcZ1FH3e1XS8XvDMidn33wL +WDP32akhH/tUDeHamoU/ZT4lNXm9e6SSWMBrB3kiISYi1vme0QwrwxizEguoMeXh +AdXkHb7pyNKW9+cifLq8tvydps89OAlhwbgKvswx1XtFJsXvRBob2cY1/CMHQxk9 +bl0Ad3xjclRP4Sly9K4MIZzgzVMHRCstG1K60cDVK5GeiBkXHKfihgXIIk5iILjH +jplpTx54KEtC+NTd0/i9DsK6/DKcATt+AAPgjoEy2giSgfTpZqyMgLgIAvYKgrYF +SME7jm4rFe950VpR7vBVtBtXKnea39/75uwbTAjL6kpqvDARM7MWb4R25voOmlo+ +6Jzw4VyktVb/p7HLq0ayONGGBIF3H3P+wnvhulHR1I/OHhNwnYsH5mFju7t5qO3H +ot/DxLOTmV8PkrHgfGwvbmwF5E66dpv4m5oCYHn8SiCEsXF1PkVrnSE1yeuzq681 +tAnaLPRO2UXlpe4I1CY45a/WTPoXCfxJdtjjLchY10bZXV+dEQKCAQEA6eSN8as7 +aJa7ljqh4Qf9LkD2lDzvYlyxzuwIh5d4+4YoctaiZdHWxXMeI6xPTrS2gTQVyCW/ +9edq9822Xo6ti4RK2yab1ewAcBDEBpDdTrcQZ9k9f5HVrCXyEuajKBCN0j5uGsPQ +cwv415xyfj/fudH/xj+FwstBnc6YDxHGC6SdhXghhLCfAJJROneu7W8eQuqt8tKo +eOGheiTo/WPGkNOPu6BXW5/lxMXXCPsqPJS6MBAphFDkCp+deXw4xjL4sKyqRWFY +HFH17tzPiyCPdOEnuytFJcrK7+0svACdwYbypbJpHSvjWmPwoB9+58mFODF4Lvub +ZD5VviRyDerf6QKCAQEAysEbRyEFquN+6PPhiS9wYdjHHiJXBtfmXf2fKBCRrLJ3 +y+/qPaViyEBgb7mKblaFBluitKevg7Oge6VY22moMRTR8L9zU6mKPjt2OiHmwsB+ 
+L0+8Z1wTO7knBJq8dwCc8Y1gpU+fWGoz5vYAWDX03yJeLsW9OG/pKm0tAFEY4GxJ +qVIz2NRjBc6ojisWN+QTonxQXkevaXw0sIL7Ol1pW0zQIXVkrzjvxV1KfdXwhXLI +jdxs5NrVOGNLCtrW8+vLBTbCuOWSJIzJOEMUH6UYhQCXLM5T+snEL3S0U46yqHOG +FcepRU2ncsHEz5eMN+JA8N6/ZVv2eIXfub/59dOV0wKCAQEAk3nsUmRgijr4vunr +ZkOuTTri/2dInaHK76j+W9iTjSzzVi2lqkPcgxVp/J5KR1tE9ETOMywyVK/9T5Cj +HA4kuSLKPFKk0gcD46V+pJE1KcveCUz+LPDcZLZsY6SPXdTKR7XboP608cWruu/H +dXl67OTPvMYS5ldY4VMBqAbR9Edwl1a+87aWGzsnApGyd72nvBPTaJeRaN8D/UtG +qXb/HhR3vZuFWZ2BuEfypZQQ9q/kkieuteJ3V4d7OL2t4rMDAgttNWACuaCoTFto +ddYq/kx1y9ultwWeXhgTK9vLnNolJ3tOMfmZWkZH0/7n+uijGmJ+4Ej/mv5+++xp +CgN9+QKCAQAstfDB+rI5QPmXfVBa5C8wJJGkP4ZZZ/rQ90DFoQG+x4xLWJibB4GF +D0001gGE22dyQ3rZw7CcplvZaFjz6ZTBXgn9wPo5lMV7e7lSkG9GuxQYcsjlMhS7 +stS72zN8OpJhYf/R9ID7ClBvugfRa/SX0Ahc4BYd/++2/2RREZEezEJiKFJumkdL +3Iqm7zFzGcSKrEc8wyoXZOBpnDiyYi79hy7OcgjF6xRUvYHTxf3IL8uyHM2Wmfsy ++BJwTlngaDrY536BL37OuI0W7xPc9pc1nS+5Hba/MwckP+QUGP+kzfTfkKvvMHSg +hcJU1OKC4E3Z0AT84Q60/TCc0YzZfNMpAoIBAA3Bb4lau9KWjVMza2fLdLmPqMM0 +MSCU7jo+xGH49YgET+lGFy00lbdIENMP0nv8pr7IKFy3pbMsZRHG53VPylUXSvdE +UJdW+7X/d5G8VVDypypgtSptD96kAU/ctq/Ty7uZw621vvTMuwokRTsL5ipE24ys +aA7M5GrMer9wrp3q7RNz64MVrnqJEFc4waFn9W7ZWG2i/upTj1oFcFF57QJz793m +KnFy7cOApEBahRFIkW3AuVdg0pJuYTRsrvfjYvFD5eKEON4qSXPxAgRl2zLR8i0x +jbKCySBaSFSYrnWs9Tt4QEiEYLGNe1WoCfxaUHCvM+d50GiZeJQkXCT3m80= +-----END RSA PRIVATE KEY----- diff --git a/security/advancedtls/testdata/client_trust_cert_2.pem b/security/advancedtls/testdata/client_trust_cert_2.pem new file mode 100644 index 00000000..01bb113f --- /dev/null +++ b/security/advancedtls/testdata/client_trust_cert_2.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpTCCA42gAwIBAgIURc12C7/2O090oCXCOxpatu7h4m8wDQYJKoZIhvcNAQEL +BQAwYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQxIjAgBgNVBAMMGWZvby5iYXIuY2xpZW50Mi50cnVz +dC5jb20wIBcNMjAwMTA5MjI0OTU1WhgPMjIyNTA1MTQyMjQ5NTVaMGExCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ +dHkgTHRkMSIwIAYDVQQDDBlmb28uYmFyLmNsaWVudDIudHJ1c3QuY29tMIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxWqK9pdKrJUupCKUCcaVGWLq1wh6 +9I8YhLuWv73R15FbImFeh3085o009a4symIMSgfn8iPrN97WAMn4OSxAmJfSs0FA +DBmfpf0JOloFM5GHYVgGpdkFCiEjnJ+eTvIxRwsvbeT9EsLkeOVb8syr9bp/w5ZW +oh5Su9b7pwpAanQx67dxq2lCndVjxZLKgAXO23m70xoFOKwVaynxcUdnYVskFy30 +SRhB9h0w7I0L1pb5F1BTrsMgBLtrg81JCQzdmgoTKnn8AHDnA+rwe7ushXE3eCrm +Uxj4n2OYc2siSXBQFyUa/x18kgubS/FPJNHYFPqnyw+g+yk9hraq3OQ8XwHA03eg +1TZkttQwfUV3g2gywDaC6e2PGl2q8+h1g/7kaSu9yiihlMfgQoa7cmC+j1MKAgki +FEkyuQtYGx08rAKL/Gllmgm0VxT9jO33YnuZBqDbfnF3PYGBo4ZW9ERyJDguPTI6 +6Ms68uO/B10mNePwOunlKwJxnYZkDnGcqVZpm0RCt5IFWIk+b0ek1OhpzEeGmQp+ +xLWzC+O62WVmW5B2aKmJ/jV4MUOA9HFELrbh0kS+Odp1ANgFr0UKQK1O04Hex+7O +3rnHHzeAjHk8SzZRENKFp0Srf5L9GpDb4/FDmNM1XWw2g12R7nD69dNvC6OCiRvi +8TQxRAMYqSU8XKcCAwEAAaNTMFEwHQYDVR0OBBYEFAF0qURhPXq7wjLN0O0g2jrE +xgLoMB8GA1UdIwQYMBaAFAF0qURhPXq7wjLN0O0g2jrExgLoMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggIBABHATLUgMaHJwT5Rc5P/vPeIu09zZyK5 +avol+tSGbMmcWAUK9gYlivyqcPzeJ6m5+GJ2WkfumdhkUY7XclddxEGyw6q/eRE6 +nirt84TFlc2QleSFFg84lwTLT6wE6Ym9+qC3C2b0nOgUeGl5J9itoYqDTOp5gF7Q +Ileh2+9aZSnbaR9W3QgRteTIq+9cVnBZExwgrLa6/Iam0x1ERtd/U94prO57D6mE +Wspvj3wfn7oUfTsTGuBjq20xjmQEGxMF+zgMTJGgkOUxwIGrhXWlK80GX6ff9tJJ +3WQ1lBG2BE1eB3NWLuyQjtO0Jl9bfrpz5sUyXMWyGD9bOz/qFLLdi1AxPAu4qIWt +j8avS4DavUtU3LJarW2IVIrVVSs+hg+mrzMpjso0/8QI7kG5hV4vvD6bOxMZzoBW +g6M9+eXYsp03HjNI34Je/w5tcUY90Jfk3mVxz1hTRh1Hj5EhtSlmwxLdBgRe1fdM +Y3gsHP/OFk7MpMFWZQmxZhsfrV1Nfh1XeznKuUCx0EaGPuZcjKeqUroYvlSWKLl9 +F2VfCIo0hKE1VZ9G1QxVuB65N+sdgotyj45LCn51HV1unYqY7Lsnmvbyxgevz1Sv 
+X9kF21BV+lBLQq8aQGyGwk2RfUVlVp2cKvWHqVT+qF9QgW66Dt1gU7+m9qC4jCTO +2OGZ/CvtfsXA +-----END CERTIFICATE----- diff --git a/security/advancedtls/testdata/client_trust_key_2.pem b/security/advancedtls/testdata/client_trust_key_2.pem new file mode 100644 index 00000000..2a8af364 --- /dev/null +++ b/security/advancedtls/testdata/client_trust_key_2.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDFaor2l0qslS6k +IpQJxpUZYurXCHr0jxiEu5a/vdHXkVsiYV6HfTzmjTT1rizKYgxKB+fyI+s33tYA +yfg5LECYl9KzQUAMGZ+l/Qk6WgUzkYdhWAal2QUKISOcn55O8jFHCy9t5P0SwuR4 +5VvyzKv1un/DllaiHlK71vunCkBqdDHrt3GraUKd1WPFksqABc7bebvTGgU4rBVr +KfFxR2dhWyQXLfRJGEH2HTDsjQvWlvkXUFOuwyAEu2uDzUkJDN2aChMqefwAcOcD +6vB7u6yFcTd4KuZTGPifY5hzayJJcFAXJRr/HXySC5tL8U8k0dgU+qfLD6D7KT2G +tqrc5DxfAcDTd6DVNmS21DB9RXeDaDLANoLp7Y8aXarz6HWD/uRpK73KKKGUx+BC +hrtyYL6PUwoCCSIUSTK5C1gbHTysAov8aWWaCbRXFP2M7fdie5kGoNt+cXc9gYGj +hlb0RHIkOC49Mjroyzry478HXSY14/A66eUrAnGdhmQOcZypVmmbREK3kgVYiT5v +R6TU6GnMR4aZCn7EtbML47rZZWZbkHZoqYn+NXgxQ4D0cUQutuHSRL452nUA2AWv +RQpArU7Tgd7H7s7euccfN4CMeTxLNlEQ0oWnRKt/kv0akNvj8UOY0zVdbDaDXZHu +cPr1028Lo4KJG+LxNDFEAxipJTxcpwIDAQABAoICAG9UwV+FPKCNVQtNUM0eh3EU +nrl719NZa4tXOxGQ2+lE2O9Pl/6yuwiN86Llge70Ulfhk4WzifAtI+S4AdtEQH2N +iU576sGoJad3Rp/4qlxFouJbwQwAkl3/CFVIkv+UiAO3pBzGeY3+CNjBCBSqJgPj +FDBZ9StiDGhQOgUeu+sM8iYrgtgW+XGHKMgAG2ENZXXSdgD7+JvYOBACTF4E1aFK +w9Sqnswl+PTxy2hrtpRi+cCTFU5GTiU9CMoAmEKZVdOMAPkAaARbp3xHHy24TffH +PG/xSYjtWTCR+ySD84cU5qXW0B21JE48a2ztfiOWj9Rs8vmKK8/YlxEErOD7eatg +v1e47Ygv8JBLhEvk38HQYv3EdsV/2jAXg7K3d1s4znyiJdHg2ujCuTiR98auDh5S +Er3yFG38KKagw9I7yli/S5B7RKbhjHIunBfCA2W6cJVyA7smBllQ3YraVZWWWKIX +Z9UeZrA+KoBssg16c2Pwyg0X8HuDN39n9YwTFqj2VCrap71NYNn9G0q40aI7duaA +Ehl/NOBPyBMnXbnocj+0QkuKwW/i4wMRKREkzTGRHI1fXy0/LRO4Adc3ZUXaOxZx +aIM/BnNhuifk7rBk8VHAngWxRj3vfVP4lgqmizczHQ5hHO15Tb6Rhng3LfqeDJjZ +NOgdYMNm7epr5OsMjgApAoIBAQDrVAqnLm8jkBJHyrM577RVqCrPOUsndVZ86lg+ +cN4oyg6CWyNWJyKBYHpEyAx7d6qSOyRwMZfXlupXJga/sUQzvRdS96jbcBRMLXfN +ObHFRbgFF4xIuvqhUagzrMhtRPchh4dOQND8mpzRQoAvKryJrlm1o62AK1v/94a8 +K4Tbtpogfc/si2RimHeNc5dilBiNRhrewA4xXYvZ2xhNBfHD1AP8O3wSsmd3aI9J +PAqLaDCFuA+h8qa0qQmQC1Rehf031PEHGWmluEGuxfA6eeCQha5fzMPj7qWIN5RL +X7oGji+dj+pyKfKGbOnNTNJzHi7ppnh2R2saf19+j7joadGtAoIBAQDWwfNZPQkS +5tEHzDeEyG+oWBn9OxMaBoJ1VEuZNrcjSbqgDxwcyczUTO6dpINz2ve7Dv3s0V8T 
+75YI16jorpT6iJr3oD+6F28PD3jghgCTtEJoFbojdffBXXTvGU1UwtJ5eTTBpKRe +mOuxNL8dhMqCnmDVZ+4DQSWQ8h29xshVuymnlADfSqZC/zYLjLZrPFj2Lv/QVsvt +7V+D4UFlNI9aEYgnlsMa5A7MfTr7M1cEDhfUz7QpUufZRzGvVx4gk98lF6AzuvRI +tdcpOJUAowU8XchtI8x5NubtF04e0lpmlQMKhq8eZ7+URmYwZIROim4KV2eYL0M/ +PB4Jl6otwbojAoIBAQDDABb7xaxuiZm8R6kQHyMNv5YJtO4jukV6qS2KQDi3EAfJ +2P+FClS7ZFis2iANx3FeTwe4uD+cc/+nS2lYOunK/atwIqyXeV44aYzWUDKQx17f +SU4DjnzUZDe+6jQC55zo+ccS/v6t8uhzNmnFq+IjLIhFzWWdyVAo4NGS53TmI3+/ +4MEEv9TlJnYajmgpVZKqribh4b9hBKU4Vybh3EUkAnFy90+upoq6Fbh19Py/3Awp +IgZCKjIdjdzQsbKtyNW1CAzZ1yMGIZK74mVX71o4J64A0Eqae0xLfdKySpZ5jCTE +qVaaV0wSO/nZFwlkPuSc1EcJq9CCWn2lAC8210jZAoIBAEI/uIsp2fe7vnXyWJoc +nt1GuFW2+JCJu4roQx3zlBFNuEWSA7EZy5ceWGnHC0odHVjWKhz5BaSHvzfhF1kY +KhsTMwL6q04D1p3Fvxs8G0d1Txr+wNoZlSFQbDcqDgH8y6Lvcgfee1o3QFX9GIvJ +oBMlOmf61KCqYyVQmz4k6T4RK6tna9F2HM4EHq73bHquNh9TplSlwekW1eVAAsVu +rl4xlFfqGSvdeHc6loxRbSFyG4XpwQESczVC0h/t9vxDwY2WuTPcE2mutr4fl0+H ++qCBqceJSJWICzrOeqnlaD/G7hY8MB9oD+B0yydYirwT1hhYmDuJMOx75iQ9ZiER +ZxMCggEAUenerHVg6/+T0IwSeWPjR3GtJ+SWij44n99ojhq67rXaJ2jHuMaC0t4N ++VsspSISO71PuOgjQNjdN8xn8QaYBcLt8HMAcZFLJnDnbhfJ4iNbToIWhKqwjtKW +8eMeNziz9kE9jazOt8l9ErRiXmxZ7P7P4fnARtX0+X2TU2r1pYFt21Mj6yrqVkj5 +d4EMIl8NrHxoHhdGXN78yI6eoAxBwanLdILVw51PHShXODiCnA22lzzialsVxp09 +wV0LJJv2AsnVHxFdYCVZjDKG6WDL/U8PgDgsznhkCOuvzLPUtM2rAxgq//QtJygY +QBqTUW3bGnskKC0gOUqWO3Kd9zCnbA== +-----END PRIVATE KEY----- diff --git a/security/advancedtls/testdata/server_cert_2.pem b/security/advancedtls/testdata/server_cert_2.pem new file mode 100644 index 00000000..bb0132ed --- /dev/null +++ b/security/advancedtls/testdata/server_cert_2.pem 
@@ -0,0 +1,122 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7 (0x7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=foo.bar.client2.trust.com + Validity + Not Before: Jan 9 22:51:54 2020 GMT + Not After : Oct 23 22:51:54 2293 GMT + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=foo.bar.server2.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b1:0b:d3:7e:5b:61:30:db:b0:5f:3f:6d:d2:e0: + 3b:c6:4c:88:95:f5:7e:fd:cd:aa:20:5d:08:b9:6e: + 41:db:c4:ed:0d:f8:bc:cb:b4:ee:c5:87:11:05:a0: + ac:12:3b:4e:0b:4c:e4:43:e4:17:89:c1:ae:b4:13: + 58:1c:31:58:6a:f2:01:ed:df:66:e9:f9:2e:9c:c5: + 85:e6:02:db:36:f4:f3:07:39:75:30:f1:b5:55:5b: + 46:2f:87:b0:d4:a0:ab:57:df:30:45:ae:bd:b0:49: + 9a:fc:ba:5e:bc:d0:5d:86:f4:24:45:4a:d5:4d:5b: + b6:ba:e8:b7:a1:3b:c3:2f:46:2e:b3:ad:2c:63:03: + df:cb:f4:56:62:91:bd:bc:23:00:af:a2:7a:3d:6f: + f1:33:81:60:0e:bc:20:f5:8a:49:5f:ec:58:bc:64: + d5:47:36:a0:2b:b8:1f:76:25:01:89:3e:ff:52:69: + 95:03:8f:bb:14:2f:1a:38:a3:9f:c1:45:20:22:77: + 70:97:5e:25:51:b8:3d:5d:89:7a:bb:15:12:cd:1d: + 96:d2:9c:72:67:12:85:72:6e:27:7a:ef:25:da:af: + 49:26:8d:eb:a0:34:a4:4d:64:c3:63:33:77:5d:ad: + 53:c7:ee:51:32:7b:cc:43:bb:86:8d:f9:52:ba:35: + 23:0e:30:5d:dc:3b:25:63:c1:e3:5f:4b:b2:02:fc: + fe:5b:18:7f:84:aa:f3:71:e4:16:b5:98:bc:73:c5: + 58:13:41:38:eb:f3:a2:fa:8c:98:bd:f1:10:ee:b6: + fe:7e:a5:81:c7:5e:f2:72:54:8e:db:09:f0:35:42: + ca:b7:86:c2:48:b2:c6:18:08:ac:d1:f0:5d:de:b0: + b8:25:8b:3b:bd:61:48:0f:71:3f:ed:97:72:02:c9: + 44:5d:0c:00:fc:30:ca:5d:1c:e5:13:1b:3a:d0:ce: + d9:36:a0:db:f5:c2:ad:a6:95:26:4e:7b:29:2d:fc: + c4:04:1d:47:6e:03:59:68:1e:7a:20:6d:e8:a8:e1: + 3c:57:59:f8:3d:2f:16:61:7e:24:e5:13:ca:48:0a: + e6:f0:60:a3:2d:93:0b:8f:93:eb:b5:d1:06:26:52: + c0:63:1f:fc:9b:73:fe:91:c3:04:40:32:8d:09:d5: + 9e:c4:f6:0b:61:3d:9f:a1:d7:94:a2:e1:3d:b6:bb: + 60:26:74:89:33:25:18:0f:c3:88:db:10:5e:a0:5b: + 
f4:ee:d0:18:ab:36:50:c5:44:9b:6d:ba:ea:e2:6e: + 52:3a:55:49:a3:72:ae:04:af:1d:f6:f2:83:27:17: + 8b:9a:98:0a:f5:44:b1:c8:f2:a9:c8:ed:b0:75:ca: + 52:25:f3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 74:BD:18:0B:32:AF:D0:51:8E:4C:4C:8D:B2:F6:4E:B8:6D:AB:BD:BA + X509v3 Authority Key Identifier: + keyid:01:74:A9:44:61:3D:7A:BB:C2:32:CD:D0:ED:20:DA:3A:C4:C6:02:E8 + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + Signature Algorithm: sha256WithRSAEncryption + b5:63:0c:d8:ed:af:74:2d:4c:94:36:41:05:2a:f2:ef:45:e5: + 6a:0c:76:0c:f3:90:25:e0:54:56:f3:26:23:95:7e:24:74:6b: + fd:02:0a:bc:33:ba:e8:e8:8f:a3:b3:85:2e:59:4c:cf:e3:85: + 1a:d6:70:5c:7c:86:e2:7a:11:99:a8:fa:43:9a:bf:50:54:00: + 9e:6a:7b:72:7f:c5:20:89:6e:18:6c:46:64:ce:44:44:47:4d: + 87:b5:fc:cf:f3:b9:9f:45:a3:cb:b0:91:00:96:2d:29:68:8b: + ff:c7:e0:f1:b7:8d:31:c2:01:be:5b:51:1d:af:42:b1:17:22: + bc:91:e4:d9:b9:96:6d:64:40:79:6c:71:ed:f6:e5:49:16:0a: + e3:bc:18:95:2e:89:ba:c4:a5:ce:ba:ab:3a:32:eb:bc:d8:91: + cd:f2:ee:d1:fc:67:3a:51:00:92:bd:b8:68:0b:54:04:d5:07: + 0b:97:11:2c:42:64:7c:47:c1:68:b4:eb:21:c4:e4:ad:17:a7: + 16:b9:e0:e6:cd:04:c6:89:36:40:d4:4b:c3:f7:7e:26:6b:3a: + d7:68:b3:b2:da:00:65:13:c8:fa:d0:1c:2e:10:ba:71:3e:0f: + aa:8b:d0:ff:b7:3e:83:9c:bc:b3:d1:52:0c:9f:3f:21:4a:10: + dc:8f:ab:38:45:d4:2c:2a:15:2d:71:45:fe:91:a2:d8:d9:dd: + 0c:dc:a7:d9:cd:1b:f5:35:fe:14:ba:c5:1f:ed:ee:fb:87:cc: + 87:a1:08:c2:2e:ff:5d:af:b3:3d:6e:11:94:79:0b:28:e6:83: + 4e:fc:28:8f:7f:00:85:79:7f:3a:d1:07:ee:6e:fa:94:c4:0b: + 4b:2c:05:b1:68:00:e8:37:bc:b8:b2:03:5c:5a:ca:13:f2:68: + 57:df:ac:fc:da:be:27:24:7e:6d:c4:a9:53:2d:f2:43:0e:30: + 9c:82:d5:fb:f1:a2:0a:83:e0:a5:d8:9f:09:3e:99:c8:39:d6: + 69:6d:d6:c2:27:70:59:05:3c:3c:7d:d6:41:6a:b4:9c:1f:70: + 7e:3e:ee:6f:67:de:95:1d:eb:31:8b:11:c8:0d:a1:25:4e:08: + ef:3a:11:2d:a7:98:0d:a1:d9:30:2d:da:d2:a0:05:6b:34:38: + a6:87:b2:bd:0f:9c:51:cc:e0:2e:a2:1b:a3:a0:a6:eb:1f:0a: + 
22:70:59:f0:0b:c9:bd:94:4e:1d:65:3b:99:5d:8e:6c:18:82: + 1d:b5:cc:6f:14:21:c4:89:07:9b:81:1d:9a:79:ff:bf:fd:ce: + e4:77:11:0f:47:21:dc:d9:79:f3:40:26:56:5c:b4:86:32:8e: + 28:b9:14:e7:b3:fe:86:47 +-----BEGIN CERTIFICATE----- +MIIFkzCCA3ugAwIBAgIBBzANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVUzEL +MAkGA1UECAwCQ0ExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEi +MCAGA1UEAwwZZm9vLmJhci5jbGllbnQyLnRydXN0LmNvbTAgFw0yMDAxMDkyMjUx +NTRaGA8yMjkzMTAyMzIyNTE1NFowWzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB +MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME2Zv +by5iYXIuc2VydmVyMi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQCxC9N+W2Ew27BfP23S4DvGTIiV9X79zaogXQi5bkHbxO0N+LzLtO7FhxEFoKwS +O04LTORD5BeJwa60E1gcMVhq8gHt32bp+S6cxYXmAts29PMHOXUw8bVVW0Yvh7DU +oKtX3zBFrr2wSZr8ul680F2G9CRFStVNW7a66LehO8MvRi6zrSxjA9/L9FZikb28 +IwCvono9b/EzgWAOvCD1iklf7Fi8ZNVHNqAruB92JQGJPv9SaZUDj7sULxo4o5/B +RSAid3CXXiVRuD1diXq7FRLNHZbSnHJnEoVybid67yXar0kmjeugNKRNZMNjM3dd +rVPH7lEye8xDu4aN+VK6NSMOMF3cOyVjweNfS7IC/P5bGH+EqvNx5Ba1mLxzxVgT +QTjr86L6jJi98RDutv5+pYHHXvJyVI7bCfA1Qsq3hsJIssYYCKzR8F3esLglizu9 +YUgPcT/tl3ICyURdDAD8MMpdHOUTGzrQztk2oNv1wq2mlSZOeykt/MQEHUduA1lo +Hnogbeio4TxXWfg9LxZhfiTlE8pICubwYKMtkwuPk+u10QYmUsBjH/ybc/6RwwRA +Mo0J1Z7E9gthPZ+h15Si4T22u2AmdIkzJRgPw4jbEF6gW/Tu0BirNlDFRJttuuri +blI6VUmjcq4Erx328oMnF4uamAr1RLHI8qnI7bB1ylIl8wIDAQABo1owWDAdBgNV +HQ4EFgQUdL0YCzKv0FGOTEyNsvZOuG2rvbowHwYDVR0jBBgwFoAUAXSpRGE9ervC +Ms3Q7SDaOsTGAugwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQEL +BQADggIBALVjDNjtr3QtTJQ2QQUq8u9F5WoMdgzzkCXgVFbzJiOVfiR0a/0CCrwz +uujoj6OzhS5ZTM/jhRrWcFx8huJ6EZmo+kOav1BUAJ5qe3J/xSCJbhhsRmTORERH +TYe1/M/zuZ9Fo8uwkQCWLSloi//H4PG3jTHCAb5bUR2vQrEXIryR5Nm5lm1kQHls +ce325UkWCuO8GJUuibrEpc66qzoy67zYkc3y7tH8ZzpRAJK9uGgLVATVBwuXESxC +ZHxHwWi06yHE5K0Xpxa54ObNBMaJNkDUS8P3fiZrOtdos7LaAGUTyPrQHC4QunE+ +D6qL0P+3PoOcvLPRUgyfPyFKENyPqzhF1CwqFS1xRf6RotjZ3Qzcp9nNG/U1/hS6 +xR/t7vuHzIehCMIu/12vsz1uEZR5Cyjmg078KI9/AIV5fzrRB+5u+pTEC0ssBbFo 
+AOg3vLiyA1xayhPyaFffrPzavickfm3EqVMt8kMOMJyC1fvxogqD4KXYnwk+mcg5 +1mlt1sIncFkFPDx91kFqtJwfcH4+7m9n3pUd6zGLEcgNoSVOCO86ES2nmA2h2TAt +2tKgBWs0OKaHsr0PnFHM4C6iG6OgpusfCiJwWfALyb2UTh1lO5ldjmwYgh21zG8U +IcSJB5uBHZp5/7/9zuR3EQ9HIdzZefNAJlZctIYyjii5FOez/oZH +-----END CERTIFICATE----- diff --git a/security/advancedtls/testdata/server_key_2.pem b/security/advancedtls/testdata/server_key_2.pem new file mode 100644 index 00000000..74e572de --- /dev/null +++ b/security/advancedtls/testdata/server_key_2.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAsQvTflthMNuwXz9t0uA7xkyIlfV+/c2qIF0IuW5B28TtDfi8 +y7TuxYcRBaCsEjtOC0zkQ+QXicGutBNYHDFYavIB7d9m6fkunMWF5gLbNvTzBzl1 +MPG1VVtGL4ew1KCrV98wRa69sEma/LpevNBdhvQkRUrVTVu2uui3oTvDL0Yus60s +YwPfy/RWYpG9vCMAr6J6PW/xM4FgDrwg9YpJX+xYvGTVRzagK7gfdiUBiT7/UmmV +A4+7FC8aOKOfwUUgIndwl14lUbg9XYl6uxUSzR2W0pxyZxKFcm4neu8l2q9JJo3r +oDSkTWTDYzN3Xa1Tx+5RMnvMQ7uGjflSujUjDjBd3DslY8HjX0uyAvz+Wxh/hKrz +ceQWtZi8c8VYE0E46/Oi+oyYvfEQ7rb+fqWBx17yclSO2wnwNULKt4bCSLLGGAis +0fBd3rC4JYs7vWFID3E/7ZdyAslEXQwA/DDKXRzlExs60M7ZNqDb9cKtppUmTnsp +LfzEBB1HbgNZaB56IG3oqOE8V1n4PS8WYX4k5RPKSArm8GCjLZMLj5PrtdEGJlLA +Yx/8m3P+kcMEQDKNCdWexPYLYT2fodeUouE9trtgJnSJMyUYD8OI2xBeoFv07tAY +qzZQxUSbbbrq4m5SOlVJo3KuBK8d9vKDJxeLmpgK9USxyPKpyO2wdcpSJfMCAwEA +AQKCAgEAmB9YNs7fgLKTJhQDElk3Ixipl2gcGIm5bxthHqsdDW90XDfoSIQLUU/P +kW1PzE6GrXEBBVCb5PK1YObqIzdHCIUuoSv+anV/1pZliY/UubDYjNGS314f99p4 +QOivSNNQxizwdj9Bn5JvCE4+jq/eXNGzxJIbGt/97zV8ap5GBH2iLSJT7DPs/HrS +KtmdFGVi9oZ90AI6Vo4IckC1dSTADRqv2BgvpYPLNiV7avE7E6k8ipxLvIaoMRyT +xCzbXJ4/kT3dUUJEgKX0nEU/XjYqNHIDIK3qIqQoY31AkQGhHfjUurrgxYPV1OYK +eFdFbgk63qPnwp/akCw13hFnQrXbiqt+ecpH82aGA5XW7wdngo59Ehpy7XWwG4Zn +MuyNVusSRUcclWD8PydLaweAKizjRzfVW/6nVtKiYTfkscArQTMZwEdkFkT/ZwcG +OSPTyf3hSUSmd17HPCvHm66jX2EVfB+MQfQhDulcbPyzvNDNHg83miMv0nrnWiHe +viOxT7M6pdJwMdHH7KfkkJmx+HJYDa8GwdGyCh2+dTfq42hRFvHNUMTCNrupwTO7 +yrxFnKMo/c5z6m6OvYyCh5k/wAkpbgZi5/k1EQG9uo7E7crO9AdMuzAgR1bvcU48 +MjJvxxh51J5A/VqV3RZR9CNomfLQ3WD6xVZUuvAyspRf3meO2akCggEBAOasi0oL +eEXNSLRlW+OxBenEL2Ke/GuAVy1+TkUAgNtHawUNK81FWSDIjv/+gB7WDZ2CaLUw +5UY6QigQ5Qjme0cE8QPnAdbCev0LSrXXbZ1aCF546szZu3VYVdU4s4PHcOojAzKk +pHYIYfbD11VHK5f5Ve8qt/I+DDGGALldfzgdSwx8K7n01Uu6zmeOvpXXirfR10AS +BOU9m/O2K5qk8g1MD33xqQjEk5BKdpgz9zfyWYlPj4rdo4IFK0em9bnwPJLPDu58 +F7DbKoAH5a5GY3bsODzWMWMhThpNTTvmqgZ1bLPBepnREslQ5Mf8MJYG0WU6QPNx +7tErFtpgY9PDEzcCggEBAMR7/PmV6fIpkEeAo490csFl1uoeiFEUF62SosJD2lpx ++iUirGAqs0c59NtzS8PzheDuU6S1EAvMcd5uJetST4NH/Yw4T1xjKFqkRC6Wlq/x 
+iokaH8SDizFx20dRCsJiNaxqqyr/RrVVYv27R2ihtW2482NNIl/bG/GgESZKN0hb +yHplWH0UoAwwSsJDRASi4CcrS30khjr/W3LKIo2iXVEd00P+Wbin9Vo7SgrpVujS +P2jrd0pp33yxZetur8XESnAjOiyStZ2tcapp1rFvj8i2YS9Zxd9bRXoaHd2XPvb2 +hm2l6VtqLZVpJyUlTNvWqWmM84EZAPSfB3BSMI/AGSUCggEAHioOBN6/GZGgokZm +3710Yn9PGvxjUcN0ovRTU96e+w25xu1T/wHEh+7yFDO5mU6wdRpqitccBDT2Fbsv +2BwbnsvcoIAC04yW/KQPXvwOz3bIhWIWgjcutkeY4csKXn8kGtn9PxAcmXq7JMOz +Uul9n9/xBtd1Om42tfsp+RNq4XGjMLzEEwsbIU4KU6xs67dF4ofEOBKjJT8LN7Fo +vk43gNmjZPrG+eiKy2GRZJHXEC/W2YfX43bcPNJkOHhyxZ/Oq/v7neAIUQ433oop +1MJLm2+EYyA3URk312SoZt7g+Ps9/budRqP6auzzHduylsvJcg1OFQefDScvU9sq +8rQdvQKCAQALgzhPZ3lNtyG9DsyGm0weCNmO3jsehQ7eHLlsqI0iv4rooh93gwj+ +I2c1dIv770jo5Q4BmJpYFqKVZd7S6v+9sXopvSLpRuYWaYmVMT2jEYQMhHtYCF0f +iIxQoW7/9MEwWQ+udUavWVFzjIWim9cFltCsANkCxNPeVIKsu6yBkN8uTMHiklLO +ZAX9W/OgUerQYLkLnBhBXLT/BNkBc4IEPrsiQMUBDNZTcyXjfciZ27fbbfCPa6Ss +qbhPEy05aUbzSx0df3skwgTm90ydGOxT1lvbamctryti/CTD1xjZX5iA1DfYI2CI +YKDqjET0nJ9Qj/G0nsJvkuHcsvQleBwBAoIBAQCvilpLyh8XzVY3TAsvVEaHpoNp +y2sIwDiI2elZOBcQkeUbsD4bhA1iF/4cpI9tgl7ApK8ZmmcRiKh1/PIHI4Ru4nB4 +bNqn7FP32vKyJ5O0o7bQBGGJIpLe0rVUmJ+ROB5PLw5aG/oo1bVKoMuw/u4o1z9S +90qI3LW6jNs+7UOELH6Gex6rfA+9xi//7NDUlJhQST++mS2pTm1/cq4RIaWx6EyF +N1hqjcWESyS1EtZYKp+/Mx4PDQKDAm2f9mjuTViW15EdcOBlMm40ZKRbxIJImlEe +fjZBgqsDoQKK0yYcQiVimMNc5vtNaT38lVu1NxvKJg1OeTboMBISLUOzZqQj +-----END RSA PRIVATE KEY----- diff --git a/security/advancedtls/testdata/server_trust_cert_2.pem b/security/advancedtls/testdata/server_trust_cert_2.pem new file mode 100644 index 00000000..4a3c9731 --- /dev/null +++ b/security/advancedtls/testdata/server_trust_cert_2.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpTCCA42gAwIBAgIUTdt7HKlUedh94k4eA+nlamVgGSkwDQYJKoZIhvcNAQEL +BQAwYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQxIjAgBgNVBAMMGWZvby5iYXIuc2VydmVyMi50cnVz +dC5jb20wIBcNMjAwMTA5MjI0NDA5WhgPMjIyNTA1MTQyMjQ0MDlaMGExCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ +dHkgTHRkMSIwIAYDVQQDDBlmb28uYmFyLnNlcnZlcjIudHJ1c3QuY29tMIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2KadB/xdPMRDW/LhFGJcbzVU+yoS +iRudc8w0Wq/0XpQwcDjxrq6v5XuzFIZU46Wb2g+eALNMjW7zv4BLFwEU0+CvMYWt +vgbTA2A07sU7P3WA8uZwjB25nkk0iMVBclL+g1XABnfXNobbKB/dyKArlyzFBV+w +rpV17RdkfXfGjeFWpfxF7KF4Wzh86XKSDYSQQE4kcQqSxDeZfRwm02jaXuPDmvUw +KFIxcfEW/3SadulFvOKgHWjUEirTGsT+8B8fWsfeJjGRmFcc1+utpOoOaC1+sRe6 +xTe7JJB9F13mZxEPJuFxuBvjmGiSXkyLWhVWeqzhTipojZ69mYzAxMs8AVWrYeru +EKuf3MlABub8dgDLocvOYD3A0IDm5173pU5RPW9tA2jBNLnyEF+wYFLjtFfYQesl +UlldccG+nZowaeUsiUPhTBzwAYSCdB+imtJxIT0xdOQCo+h9ASvnPpgk6AYaU/2d +gsFY39CvKmTFYlH2EGIJK3MWm6YT3T1fTTUgs/s++CkLzwAXpna4w8SLDl3IdeLX +lMiXhnoNr3uYeusxkJp5rtUHBsYPbH4Ec4erNRgbUuBnHJe4nlC6LCCycLHywhBr +niPPxyNBZzvrmRrVwx5xNEQn8r4ffftpASY/uePJK2wtrZop7mWFo/OnfMO6y/3C +22FK5wIbVLLsDlECAwEAAaNTMFEwHQYDVR0OBBYEFGOI6k3QPu9e+EORdUDkFqsV +szK5MB8GA1UdIwQYMBaAFGOI6k3QPu9e+EORdUDkFqsVszK5MA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAMJtk0AbpT3pu+2G+NK3D4T2brrP66An +lRlQxDXQ0uKunGYMgam+sJWMz3agviekRVQk9Vog9FwiGoYsS3X6ojLrA1FXp/8h +oVXNmW8R87IS2KyPbzTmO+0OvO/KhYmA0USIhAmj645fyy8dGCQQOZCSfXE5/zCM +ODnrgeai3qw+KB4aGJ6fgDKMdPbyl7fyvu5EWDIycuij9S8FQJ7m2gWolxFAN4/c +nnWr/s6n8AQrb+k4Dp50nOrDA7JUEnFfQcBuJpDN2v5MD1/x83R1ZVuqNa+fOgrW +DdSm/XbaPpzZa/R6iJQxG8mNpNEjMnBq7WCa1tLLd7MrdxzrwaFdfRiMj91b/A4W +GZbX7SMrByI/6M01YoTdsPW2i/EDxJjghSGkvwuA2MPe8UqXELn5wpTXTDgCsj8V +j25GUupDB8Dm5aocLEFHiUwzAGcy19zVqepTaM4w//iA1qUuaG7DE8pVzL9XFxm+ +L1CGfxSTqdbqWa9PcLUoTI/8n6KQdK+vczgY4y+aUOZdGgLcVoO1BF6McnNPiihk +d+HdWb0xGjw63XsV5kC41y6mHBQJdJTm0CE+yZ1e6gt+YEZCELxpxg530J0CngHs 
+tCftzNI8o2pQhDhhKzxxGiA1cuzrrLDpdqNZo6VNm5tyYPicVbicZoJSbNDxohEJ +rzhu9hQ7iDV5 +-----END CERTIFICATE----- diff --git a/security/advancedtls/testdata/server_trust_key_2.pem b/security/advancedtls/testdata/server_trust_key_2.pem new file mode 100644 index 00000000..d04d1767 --- /dev/null +++ b/security/advancedtls/testdata/server_trust_key_2.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDYpp0H/F08xENb +8uEUYlxvNVT7KhKJG51zzDRar/RelDBwOPGurq/le7MUhlTjpZvaD54As0yNbvO/ +gEsXARTT4K8xha2+BtMDYDTuxTs/dYDy5nCMHbmeSTSIxUFyUv6DVcAGd9c2htso +H93IoCuXLMUFX7CulXXtF2R9d8aN4Val/EXsoXhbOHzpcpINhJBATiRxCpLEN5l9 +HCbTaNpe48Oa9TAoUjFx8Rb/dJp26UW84qAdaNQSKtMaxP7wHx9ax94mMZGYVxzX +662k6g5oLX6xF7rFN7skkH0XXeZnEQ8m4XG4G+OYaJJeTItaFVZ6rOFOKmiNnr2Z +jMDEyzwBVath6u4Qq5/cyUAG5vx2AMuhy85gPcDQgObnXvelTlE9b20DaME0ufIQ +X7BgUuO0V9hB6yVSWV1xwb6dmjBp5SyJQ+FMHPABhIJ0H6Ka0nEhPTF05AKj6H0B +K+c+mCToBhpT/Z2CwVjf0K8qZMViUfYQYgkrcxabphPdPV9NNSCz+z74KQvPABem +drjDxIsOXch14teUyJeGeg2ve5h66zGQmnmu1QcGxg9sfgRzh6s1GBtS4Gccl7ie +ULosILJwsfLCEGueI8/HI0FnO+uZGtXDHnE0RCfyvh99+2kBJj+548krbC2tminu +ZYWj86d8w7rL/cLbYUrnAhtUsuwOUQIDAQABAoICAQCioY/Hat3iu8GEyHHFh4Cz +ymkckZyQZ7ZuMqAqY2MhjERAOb7SzjckIRNxGNWofazcqFSHWhDhKqS24Gt9vUYR +NtzMY/jkaOMF6bZSdqPfIynFLM7Xn4izFWjmMozKcRq1JC2drWBUgi8Jk8I81F9k +gCr1ubs7kt6PN7wrozndT4Zn21PyKdPbRjAeXe7dTuGqI/6fDLzXppUFoZhToqYq +DPfM3rljyy9qxPvqj3FUShAbllNzQDnR2WvW8IIfZn12/An6ycLthJcWTshuv3RJ +J72u2o1NdmR5Mi102PwX6mphWWKwPd8/jWAygWsqGFJujFAlCRirFrplBY+/KoDD +bcJz7jek7elO09SGA20W2G9DHRvUr4fknUsXCUj5PCGehDQrfYFeKFt3t383i765 +WIXZmak1owxPtSuOmVbXqEVvwBkQ990E0+qxKeo1Tn1aANBZZVVb1LgJ75Zkmqrp +ARRb0h75G9cKZYex+3mgjECsBWurk2eriHS2D3RfJzlDpoZWqiMhMjC32kJQonws +0X7fgGs0vl2gPxq1xAs0QLjV6BgcYwJF7QdhEXiJUUKaB7aDBpVr+7jbVl8eIoql +zPE9owqQHhN5POSEnu76RPByYHt2twHXBpF0SFWKx7Nu0DpNqNqexVpqMNlz2Ehk +tjY6xm/hdWRLw0cNUI/4AQKCAQEA9sBDIEmXbnF0RtuKXMkkDOaeS3QM6vDQbRPf +itfuC9+B+qeLUkA4yyMLYml5mNuHawx34NoClmruESw/ASqgcqCxX/R9qGBJzkXn +saN6uF1ZQKKngzZ3UdrbVf7R1RBikHZHN0/Sn7mdhwM/CyQnD6/H0EOHLTk90v1d +Ctz8zOn6yqCqpyLedQteZavO3WKLzzothzS9WmblgALuYfGG/bRhNIkoM4JtkLsB +4hdp0n/tbIEIbMNAtvemXDO4N0VvMOa4m5if26tYI0vGIvkqHc+Oe5Jx1w3u9G6J +n+gF4hvdgpa3hpmIyP6o97hmyviP4I1KaonT5lHk9UvbKVEz8QKCAQEA4MWFJ5+7 +dpjvHLH9p1iBEbtdpd3Nd6wdcNjGErFdMEdsSdEQgVdbQVSbnCPqr9d79lqrzIsM 
+wfV6AND15SfAVdD4BS7DQI5RxwQCnMU+Z4knGTUZp72TtuWYLDQ1zkKbVfl9U97a +jtCz+YYp/GHJxHF+TVW8ltvPmNja+Cccf1DfXXwJG539Rl7NGULaBurRn4rNKNA2 +JmNB5DEnI+34ly+DBt5KKzbUc1nL6dO2ddnl7uokgDW3B6xDSZ+tdLFhYPSrX1em +VhxxvteLTqv9hyLu9u5f6wxphyo6GSMXTA8Yc+ID0GNLLb8kJmi97jFYVxRbWxev +QtOJGRjn631gYQKCAQEAoBFk+kMDG0A6H+U3Qq2w1zWbpnLoFliVvMzRjO46nDUn +yoR5mqfSr+RR9Etb+E8g786szY5fc1h2i2lajdUrNHEN36NpCJs+BbPPc6sLZyIX +Thi19iaVDOKeupCNalwwtGomFLmRdtAgYn82nHGdbU2on2/O9wVVF9QIUY296Og4 +Ks5DJh02llMDr4zeqzrMW2fwNO9/jm+FnZ9JKPxXh6lGDaCUFaYckXDe7d4mZclb +KbIi1vtqtca9gr6CWEiQsvZY94bw3L2wdWUoaXOdYK1OTtdXRhzh0GsMmFEZz+4n +qhk/gO+Ejm61Cc3z0OOh4heGGMrETXr+vimxSIJG4QKCAQBTYfLbmC36+RD7HCx1 +ACghY9iBx56JXpgtXL1eAd4IIvbRC3WMBdQckD6J1ekiAlZCNbC12H+LFH2F//64 +W97F9xeLFKXqNOGxapNthN55mi+e8kvqJjG+D74758JuGdd2NW+AxZNel52sW1EI +B17KOTAZkEy9yh1hHlFc7WVs9ZtnGrRmQl3K1TBQxrQLDOFmxh8FnPf5lajD9lgG +xCkMLNv2mE/7aAO4Jv+2ZouxfHwH/WQ9C7AycH0lus6mE4eEaD+KxwE1wKeRnHRZ +YwRSNWtgv11l3Nzo/4k9+f6SgKcZlibED5G8DsRiW0jaLAQRicO6LzcdG0wou0yN +150BAoIBAQD0dDgOjnlXzvw8OXFcNn41K9U/oXzO/cNyxbRZP4wY0f7PEUIoF2gJ +OZ4bTAXA5PQxs3fwKfC1UKN129mTcJy9HnJGJQKBRwN+W/SRbnw7yR93idwe1kGy +iGGBO1bORbgj9y40QamZgnGqDRxsYmwCVss6mamtyNJtwobkWK4Wb33Uex6ZXyFK +wJ5htqviYe5oYo2Yor9ok5Xf66npmYTtv5STAhKjk+PTvlTGckwr4zEWvkgnXHJd +XDNx0r6O6FhkxPMIlLfX5fsaCL0jBxX+tkh/vYuF70JnZAQmEphRsLljVCr2jIQs +m4DEMelbu4jDoUwmms+yra/9chKHzaRB +-----END PRIVATE KEY-----