modified plugin to use first part in the URI path to be the key of th…

…e selector Signed-off-by: snanjundaswamy <[email protected]>
spiffe · Feb 8, 2025 · 21e9359 · 21e9359
1 parent 6cd9980
commit 21e9359
Show file tree

Hide file tree

Showing 13 changed files with 138 additions and 106 deletions.
diff --git a/doc/plugin_server_nodeattestor_x509pop.md b/doc/plugin_server_nodeattestor_x509pop.md
@@ -44,7 +44,7 @@ A sample configuration:
 | Common Name      | `x509pop:subject:cn:example.org`                                  | The Subject's Common Name (see X.500 Distinguished Names)                                |
 | SHA1 Fingerprint | `x509pop:ca:fingerprint:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. |
 | SerialNumber     | `x509pop:serialnumber:0a1b2c3d4e5f`                               | The leaf certificate serial number as a lowercase hexadecimal string                     |
-| San     | `x509pop:san.<key>:<value>`                               | The san selectors on the leaf selectors. The expected format of the uri san is `x509pop://<trust_domain>/<key>:<value>`  string                     |
+| San     | `x509pop:san:<key>:<value>`                               | The san selectors on the leaf certificate. The expected format of the uri san is `x509pop://<trust_domain>/<key>:<value>`. One selector is exposed per uri san corresponding to x509pop uri scheme. string                     |
 
 ## SVID Path Prefix
 

diff --git a/pkg/common/plugin/x509pop/x509pop.go b/pkg/common/plugin/x509pop/x509pop.go
@@ -36,7 +36,7 @@ type agentPathTemplateData struct {
 	PluginName      string
 	TrustDomain     string
 	SVIDPathTrimmed string
-	San             map[string]string
+	URISanSelectors map[string]string
 }
 
 type AttestationData struct {
@@ -277,7 +277,7 @@ func MakeAgentID(td spiffeid.TrustDomain, agentPathTemplate *agentpathtemplate.T
 		SerialNumberHex: SerialNumberHex(cert.SerialNumber),
 		Fingerprint:     Fingerprint(cert),
 		SVIDPathTrimmed: svidPathTrimmed,
-		San:             sanSelectors,
+		URISanSelectors: sanSelectors,
 	})
 	if err != nil {
 		return spiffeid.ID{}, err

diff --git a/pkg/common/plugin/x509pop/x509pop_test.go b/pkg/common/plugin/x509pop/x509pop_test.go
@@ -149,9 +149,9 @@ func TestMakeAgentID(t *testing.T) {
 		},
 		{
 			desc:         "custom template with san selectors",
-			template:     agentpathtemplate.MustParse("/foo/{{ .San.datacenter }}/{{ .San.environment }}"),
-			sanSelectors: map[string]string{"datacenter": "us-east-1", "environment": "production"},
-			expectID:     "spiffe://example.org/spire/agent/foo/us-east-1/production",
+			template:     agentpathtemplate.MustParse("/foo/{{ .URISanSelectors.datacenter }}/{{ .URISanSelectors.environment }}/{{ .URISanSelectors.key }}"),
+			sanSelectors: map[string]string{"datacenter": "us-east-1", "environment": "production", "key": "path/to/value"},
+			expectID:     "spiffe://example.org/spire/agent/foo/us-east-1/production/path/to/value",
 		},
 		{
 			desc:      "custom template with nonexistant fields",

diff --git a/pkg/server/plugin/nodeattestor/x509pop/x509pop.go b/pkg/server/plugin/nodeattestor/x509pop/x509pop.go
@@ -258,7 +258,7 @@ func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
 		svidPath = strings.TrimPrefix(svidPath, config.svidPrefix)
 	}
 
-	sanSelectors := parseUriSanSelectors(leaf, config.trustDomain.Name())
+	sanSelectors := p.parseUriSanSelectors(leaf, config.trustDomain.Name())
 
 	spiffeid, err := x509pop.MakeAgentID(config.trustDomain, config.pathTemplate, leaf, svidPath, sanSelectors)
 	if err != nil {
@@ -368,19 +368,21 @@ func buildSelectorValues(leaf *x509.Certificate, chains [][]*x509.Certificate, s
 	return selectorValues
 }
 
-func parseUriSanSelectors(leaf *x509.Certificate, trustDomain string) map[string]string {
+func (p *Plugin) parseUriSanSelectors(leaf *x509.Certificate, trustDomain string) map[string]string {
 	uriSelectorMap := make(map[string]string)
 	sanPrefix := "x509pop://" + trustDomain + "/"
 	for _, uri := range leaf.URIs {
-		if strings.HasPrefix(uri.String(), sanPrefix) {
-			unprefixedUriSan := strings.TrimPrefix(uri.String(), sanPrefix)
-			if strings.Contains(unprefixedUriSan, ":") {
-				lastIndex := strings.LastIndex(unprefixedUriSan, ":")
-				uriSelectorKey := unprefixedUriSan[:lastIndex]
-				uriSelectorValue := unprefixedUriSan[lastIndex+1:]
-				uriSelectorMap[uriSelectorKey] = uriSelectorValue
-			}
+		if !strings.HasPrefix(uri.String(), sanPrefix) {
+			p.log.Warn(uri.String(), "san does not contain the expected scheme or trust domain")
+			continue
+		}
+		segments := strings.Split(strings.Trim(uri.Path, "/"), "/")
+		if len(segments) < 2 {
+			p.log.Warn("cannot extract x509pop san selectors from", uri.String())
+			continue
 		}
+
+		uriSelectorMap[segments[0]] = strings.Join(segments[1:], "/")
 	}
 	return uriSelectorMap
 }
diff --git a/pkg/server/plugin/nodeattestor/x509pop/x509pop_test.go b/pkg/server/plugin/nodeattestor/x509pop/x509pop_test.go
@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"sort"
 	"testing"
 
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -126,6 +127,13 @@ func (s *Suite) TestAttestSuccess() {
 			certs:         s.svidExchange,
 			serialnumber:  "serialnumber:0a1b2c3d4e7f",
 		},
+		{
+			desc:          "success with custom X509pop san selectors",
+			expectAgentID: "spiffe://example.org/spire/agent/foo/us-east-1/production/path/to/value",
+			giveConfig:    s.createConfiguration("ca_bundle_paths", `agent_path_template = "/foo/{{ .URISanSelectors.datacenter }}/{{ .URISanSelectors.environment }}/{{ .URISanSelectors.key }}"`),
+			certs:         s.leafBundle,
+			serialnumber:  "serialnumber:0a1b2c3d4e5f",
+		},
 	}
 
 	for _, tt := range tests {
@@ -153,15 +161,20 @@ func (s *Suite) TestAttestSuccess() {
 			require.NoError(t, err)
 			require.Equal(t, tt.expectAgentID, result.AgentID)
 
+			expectedSelectors := []*common.Selector{
+				{Type: "x509pop", Value: "subject:cn:COMMONNAME"},
+				{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.intermediateCert)},
+				{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.rootCert)},
+				{Type: "x509pop", Value: tt.serialnumber},
+				{Type: "x509pop", Value: "san:datacenter:us-east-1"},
+				{Type: "x509pop", Value: "san:environment:production"},
+				{Type: "x509pop", Value: "san:key:path/to/value"},
+			}
+			sortX509PopSelectors(expectedSelectors)
+			sortX509PopSelectors(result.Selectors)
+
 			spiretest.AssertProtoListEqual(t,
-				[]*common.Selector{
-					{Type: "x509pop", Value: "subject:cn:COMMONNAME"},
-					{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.intermediateCert)},
-					{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.rootCert)},
-					{Type: "x509pop", Value: tt.serialnumber},
-					{Type: "x509pop", Value: "san:datacenter:us-east-1"},
-					{Type: "x509pop", Value: "san:environment:production"},
-				}, result.Selectors)
+				expectedSelectors, result.Selectors)
 		})
 	}
 }
@@ -429,3 +442,12 @@ func unmarshal(t *testing.T, data []byte, obj any) {
 func expectNoChallenge(context.Context, []byte) ([]byte, error) {
 	return nil, errors.New("challenge is not expected")
 }
+
+func sortX509PopSelectors(s []*common.Selector) {
+	sort.Slice(s, func(i, j int) bool {
+		if s[i].Type == s[j].Type {
+			return s[i].Value < s[j].Value
+		}
+		return s[i].Type < s[j].Type
+	})
+}
diff --git a/test/fixture/nodeattestor/x509pop/generate.go b/test/fixture/nodeattestor/x509pop/generate.go
@@ -49,8 +49,9 @@ func main() {
 		NotAfter:     neverExpires,
 		Subject:      pkix.Name{CommonName: "COMMONNAME"},
 		URIs: []*url.URL{
-			{Scheme: "x509pop", Host: "example.org", Path: "/datacenter:us-east-1"},
-			{Scheme: "x509pop", Host: "example.org", Path: "/environment:production"},
+			{Scheme: "x509pop", Host: "example.org", Path: "/datacenter/us-east-1"},
+			{Scheme: "x509pop", Host: "example.org", Path: "/environment/production"},
+			{Scheme: "x509pop", Host: "example.org", Path: "/key/path/to/value"},
 		},
 	}, intermediateKey, intermediateCert)
 
@@ -69,8 +70,12 @@ func main() {
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 		NotAfter:     neverExpires,
 		Subject:      pkix.Name{CommonName: "COMMONNAME"},
-		URIs: []*url.URL{svidExchange, {Scheme: "x509pop", Host: "example.org", Path: "/datacenter:us-east-1"},
-			{Scheme: "x509pop", Host: "example.org", Path: "/environment:production"}},
+		URIs: []*url.URL{
+			svidExchange,
+			{Scheme: "x509pop", Host: "example.org", Path: "/datacenter/us-east-1"},
+			{Scheme: "x509pop", Host: "example.org", Path: "/environment/production"},
+			{Scheme: "x509pop", Host: "example.org", Path: "/key/path/to/value"},
+		},
 	}, intermediateKey, intermediateCert)
 
 	writeKey("leaf-key.pem", leafKey)

diff --git a/test/fixture/nodeattestor/x509pop/intermediate.pem b/test/fixture/nodeattestor/x509pop/intermediate.pem
@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
-RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
-2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
-X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
-FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
-lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
+ALaWTeGivnnNjL964wNhM80p8b8yTa6mpq+rYj3L0UIYJHcPBQ7XB7o0+EWWEsKW
+Qs5E5vY8p56aq0y4pU0SgIMioqThX+KcmLMgs1JoJ42ZE20eFYDVqcWfSJp4o4w+
+hQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ2FBvOaL0Mi7fy
+W2QJimLBmz5PKTANBgkqhkiG9w0BAQsFAANhADOBJA7AEgjKU++fRmWauP8pR+Nk
+v9nbj0mABiBA0GUX116MwKs/nWq56IgzCTzqRbLKMeQt+7AIdFNp4kcrEcKU57Vw
+SWgH3QLhFGbXi61FGEfFvomk72ksIV6loR6lrg==
 -----END CERTIFICATE-----
diff --git a/test/fixture/nodeattestor/x509pop/leaf-crt-bundle.pem b/test/fixture/nodeattestor/x509pop/leaf-crt-bundle.pem
@@ -1,23 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAXOgAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
+MIICFTCCAZ+gAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
-1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
-+6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaOBmTCBljAOBgNVHQ8BAf8E
-BAMCB4AwHwYDVR0jBBgwFoAU2beVGEps4qqb+l/jV9VkPgXOV6gwYwYDVR0RBFww
-WoYqeDUwOXBvcDovL2V4YW1wbGUub3JnL2RhdGFjZW50ZXI6dXMtZWFzdC0xhix4
-NTA5cG9wOi8vZXhhbXBsZS5vcmcvZW52aXJvbm1lbnQ6cHJvZHVjdGlvbjANBgkq
-hkiG9w0BAQsFAANhAFy8KJm4DiNVJldT289sERz4OtvgEt9oTd0IdYrPBJSkmdut
-TuCbJV5K8Jr+fXZju5TrICysDleVzad5suYG3Bj4BzSu8kBgd7qMCKFdywVAX4MI
-5w95GWjv4HEpg+801g==
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDlTw9or+1nmNIvdmZACCj+3NLW0VpX
+vx14+0j74/eMLI1QZaAe11kq4tqOfitQrM6h1cDgn3Vw97AvLdSrhfX/gYTGCuq+
+iw5k6b7n3OJwAZ/F2HH64Mjk1UWcGBZwwTUCAwEAAaOBxTCBwjAOBgNVHQ8BAf8E
+BAMCB4AwHwYDVR0jBBgwFoAUNhQbzmi9DIu38ltkCYpiwZs+TykwgY4GA1UdEQSB
+hjCBg4YqeDUwOXBvcDovL2V4YW1wbGUub3JnL2RhdGFjZW50ZXIvdXMtZWFzdC0x
+hix4NTA5cG9wOi8vZXhhbXBsZS5vcmcvZW52aXJvbm1lbnQvcHJvZHVjdGlvboYn
+eDUwOXBvcDovL2V4YW1wbGUub3JnL2tleS9wYXRoL3RvL3ZhbHVlMA0GCSqGSIb3
+DQEBCwUAA2EACXpd607HIbI8FUFjVBWugGUJOE2OSTHJ11tErBghIC+dmGUXa9x4
+gfBBRjw7oZFqtZgDodi6dLd05LwYjT31b+fBNDH3B2IKCG4jwFGkgJ4LE5S0BVIT
+eoqivvzXS4cu
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
-RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
-2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
-X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
-FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
-lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
+ALaWTeGivnnNjL964wNhM80p8b8yTa6mpq+rYj3L0UIYJHcPBQ7XB7o0+EWWEsKW
+Qs5E5vY8p56aq0y4pU0SgIMioqThX+KcmLMgs1JoJ42ZE20eFYDVqcWfSJp4o4w+
+hQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ2FBvOaL0Mi7fy
+W2QJimLBmz5PKTANBgkqhkiG9w0BAQsFAANhADOBJA7AEgjKU++fRmWauP8pR+Nk
+v9nbj0mABiBA0GUX116MwKs/nWq56IgzCTzqRbLKMeQt+7AIdFNp4kcrEcKU57Vw
+SWgH3QLhFGbXi61FGEfFvomk72ksIV6loR6lrg==
 -----END CERTIFICATE-----
diff --git a/test/fixture/nodeattestor/x509pop/leaf-key.pem b/test/fixture/nodeattestor/x509pop/leaf-key.pem
@@ -1,13 +1,13 @@
 -----BEGIN PRIVATE KEY-----
-MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEAozF7EjQSEWZhpAjb
-Ke75P/ISPwhKf9QsHSmrA4+1Br2csKyCToN4UnemBbXY3t8O/W/Lf6vEtmOCMGBY
-3ehKilWCDFk1Hfuk53edkbMB0o1okB0zFetBhU/l6eXfcKP1AgMBAAECYDsa2LAn
-G8QhiIuYiYgOfUejrOgXYKQbfD6zsLSBf9cJJY73a9pz00hK/V5kFj/iGT+Tta8Q
-4YBizRQZrCeh3JWYR/tK8nwe3tSt8lzW2P9O1AcUX/e5IVol+p9nKNwLoQIxAMRR
-w+CTQNoiFppiIBN0+6Ftk/yuvYkULmfRWpgwJQcLS03gPatDam3ORM7c6tc7mwIx
-ANTNuvkEfc6TlqcXJ5tGe2/4x/jbEW7s3em5r3zoAkLsz0gv8LaShE/FDPyk84d/
-rwIwWrMD8g9WGPFCzBSliRe04YHEqyr3+grO3bwFROaJVNXM9q+xDhzZYN25QHEk
-NkgdAjEAjMLAyHLWHMy3PDMuuaD3iWtQKyYM9AiuCSoQEFkPFeG6go9jdACakIFR
-Q9SAWcJ1AjEAq5QNpUwPi2bKKVJ3G6Bb97IiQly25KjfibRfirT/gNV9gWbJc5EP
-nENp3XUtwu65
+MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEA5U8PaK/tZ5jSL3Zm
+QAgo/tzS1tFaV78dePtI++P3jCyNUGWgHtdZKuLajn4rUKzOodXA4J91cPewLy3U
+q4X1/4GExgrqvosOZOm+59zicAGfxdhx+uDI5NVFnBgWcME1AgMBAAECYQDbSM+j
+fRm6iBn36XG+qg8KKoI1i96pKso0d5lDyK1iDvjUeVq2I5nRuT7oJR+m9piUI0Bp
+ZXuQYdbvNKQMneo6vfM2Q8RFzfbMErtyjDztD5qFTV339u3j7dbSMUCafcECMQDz
+h4oQTR56B5to32oLOUBntubVVjVOJhqsYV2vGVijzNeFeN1TQZf5bf2DZHSeFGMC
+MQDxDRnPL7781JoIEpozRw+NkAA3+x6fkoTms1p37ot1fiVt5PWOX9ZKpRCLLDPp
+S4cCMGcAUdXZOGW2p/WwYQLEQUhcpL9gygT2uttkByLTHpmRPyrV1w6qtKOr8MjN
+CUH/LwIxAN7KGPyhSIgth1/GsbaLCxjv6wPSmW8q4KLJSehnFYY2XSnA4CQC9/Bt
+t2iqJiCNqQIwLd2tR9k8VmX+6cGbFK4tD/4i5HuNLtDizZ/DnYZcKqkR61gzr7Us
+B69agNW/wxep
 -----END PRIVATE KEY-----
diff --git a/test/fixture/nodeattestor/x509pop/leaf.pem b/test/fixture/nodeattestor/x509pop/leaf.pem
@@ -1,13 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAXOgAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
+MIICFTCCAZ+gAwIBAgIGChssPU5fMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
-1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
-+6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaOBmTCBljAOBgNVHQ8BAf8E
-BAMCB4AwHwYDVR0jBBgwFoAU2beVGEps4qqb+l/jV9VkPgXOV6gwYwYDVR0RBFww
-WoYqeDUwOXBvcDovL2V4YW1wbGUub3JnL2RhdGFjZW50ZXI6dXMtZWFzdC0xhix4
-NTA5cG9wOi8vZXhhbXBsZS5vcmcvZW52aXJvbm1lbnQ6cHJvZHVjdGlvbjANBgkq
-hkiG9w0BAQsFAANhAFy8KJm4DiNVJldT289sERz4OtvgEt9oTd0IdYrPBJSkmdut
-TuCbJV5K8Jr+fXZju5TrICysDleVzad5suYG3Bj4BzSu8kBgd7qMCKFdywVAX4MI
-5w95GWjv4HEpg+801g==
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDlTw9or+1nmNIvdmZACCj+3NLW0VpX
+vx14+0j74/eMLI1QZaAe11kq4tqOfitQrM6h1cDgn3Vw97AvLdSrhfX/gYTGCuq+
+iw5k6b7n3OJwAZ/F2HH64Mjk1UWcGBZwwTUCAwEAAaOBxTCBwjAOBgNVHQ8BAf8E
+BAMCB4AwHwYDVR0jBBgwFoAUNhQbzmi9DIu38ltkCYpiwZs+TykwgY4GA1UdEQSB
+hjCBg4YqeDUwOXBvcDovL2V4YW1wbGUub3JnL2RhdGFjZW50ZXIvdXMtZWFzdC0x
+hix4NTA5cG9wOi8vZXhhbXBsZS5vcmcvZW52aXJvbm1lbnQvcHJvZHVjdGlvboYn
+eDUwOXBvcDovL2V4YW1wbGUub3JnL2tleS9wYXRoL3RvL3ZhbHVlMA0GCSqGSIb3
+DQEBCwUAA2EACXpd607HIbI8FUFjVBWugGUJOE2OSTHJ11tErBghIC+dmGUXa9x4
+gfBBRjw7oZFqtZgDodi6dLd05LwYjT31b+fBNDH3B2IKCG4jwFGkgJ4LE5S0BVIT
+eoqivvzXS4cu
 -----END CERTIFICATE-----
diff --git a/test/fixture/nodeattestor/x509pop/root-crt.pem b/test/fixture/nodeattestor/x509pop/root-crt.pem
@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgMaKzwwDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AL0/cQnluD8iio71FR62xRxWFBFdHTkn42IzSCjhcv0EvUDYiKz7gzM0tYW6ykQA
-CtIvQvKxWABrCmnO65tK05Fp6MXHWfgpiooMdrYx9G45AFkPG2M4dmo3XmmFimHe
-rQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQtsgHE8HmiL2mV
-Uv20DV2KbNBspjANBgkqhkiG9w0BAQsFAANhAEif5xsWtJxEewr0XNn0cFVU5Q0z
-AlkdDxtLlmcVTDRxJXGavu54zAGOzZvYCNjCiZ2HKc3o37XI3s77lwmomofvxaZ6
-YqbBDKocjsqYcry1RTmHVeUS9sabZjTubBLN6g==
+ALKIawaz1D65b3PIiQX1hNw/P3ooQGP1TWA1ljPrbMNaeEknkXnLLqpvTNDiZuuy
+XeQRMcfhQw40D5GOXF1bNqHT5eBDXL875Advg8oSAusz8c1KR+pHDFdaOsME+B6q
+rwIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRk+dq09oRmca9H
+e6WkMzIXYcEkdDANBgkqhkiG9w0BAQsFAANhADz62bzT/odKiqawXsOTSACyhMb/
+K+G2W/2TptH8T9onLJjbrxvuvoSR7mnneTXxaS572TTowz+6igsBdDhtdAd3bCmz
+e4Ty1ihYDu4OjBwYF7FxpozumQ3hqCnYtraCgQ==
 -----END CERTIFICATE-----
diff --git a/test/fixture/nodeattestor/x509pop/svidexchange.pem b/test/fixture/nodeattestor/x509pop/svidexchange.pem
@@ -1,24 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIICGjCCAaSgAwIBAgIGChssPU5/MA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
+MIICQzCCAc2gAwIBAgIGChssPU5/MA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
-1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
-+6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaOByjCBxzAOBgNVHQ8BAf8E
-BAMCB4AwHwYDVR0jBBgwFoAU2beVGEps4qqb+l/jV9VkPgXOV6gwgZMGA1UdEQSB
-izCBiIYsc3BpZmZlOi8vZXhhbXBsZS5vcmcvc3BpcmUtZXhjaGFuZ2UvdGVzdGhv
-c3SGKng1MDlwb3A6Ly9leGFtcGxlLm9yZy9kYXRhY2VudGVyOnVzLWVhc3QtMYYs
-eDUwOXBvcDovL2V4YW1wbGUub3JnL2Vudmlyb25tZW50OnByb2R1Y3Rpb24wDQYJ
-KoZIhvcNAQELBQADYQDgERn9LfokKHe+5CKl1kHHFHvWc0BQvXvlS95jUMh/PlRM
-61IsgeWBBb9eje74+YVYcJys6fC2FQ85vIfC5h1xgNLGEX7s0cZDvZkU+WmFDpE4
-1hfFpUzOEd8J6JJtS20=
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDlTw9or+1nmNIvdmZACCj+3NLW0VpX
+vx14+0j74/eMLI1QZaAe11kq4tqOfitQrM6h1cDgn3Vw97AvLdSrhfX/gYTGCuq+
+iw5k6b7n3OJwAZ/F2HH64Mjk1UWcGBZwwTUCAwEAAaOB8zCB8DAOBgNVHQ8BAf8E
+BAMCB4AwHwYDVR0jBBgwFoAUNhQbzmi9DIu38ltkCYpiwZs+TykwgbwGA1UdEQSB
+tDCBsYYsc3BpZmZlOi8vZXhhbXBsZS5vcmcvc3BpcmUtZXhjaGFuZ2UvdGVzdGhv
+c3SGKng1MDlwb3A6Ly9leGFtcGxlLm9yZy9kYXRhY2VudGVyL3VzLWVhc3QtMYYs
+eDUwOXBvcDovL2V4YW1wbGUub3JnL2Vudmlyb25tZW50L3Byb2R1Y3Rpb26GJ3g1
+MDlwb3A6Ly9leGFtcGxlLm9yZy9rZXkvcGF0aC90by92YWx1ZTANBgkqhkiG9w0B
+AQsFAANhADcgsPZ6WdGKcwq7C8UoGjSmQz84+Gj4EP6+Yu+4DBydkTla5ZQUk2ck
+lR+XLUclhAYuDxV46WLGGC2ppmueU4nDXFD0afbnc47P7t/zthYF+TxoaRmnKljd
+NB/+3/o6AQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
-RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
-2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
-X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
-FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
-lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
+ALaWTeGivnnNjL964wNhM80p8b8yTa6mpq+rYj3L0UIYJHcPBQ7XB7o0+EWWEsKW
+Qs5E5vY8p56aq0y4pU0SgIMioqThX+KcmLMgs1JoJ42ZE20eFYDVqcWfSJp4o4w+
+hQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ2FBvOaL0Mi7fy
+W2QJimLBmz5PKTANBgkqhkiG9w0BAQsFAANhADOBJA7AEgjKU++fRmWauP8pR+Nk
+v9nbj0mABiBA0GUX116MwKs/nWq56IgzCTzqRbLKMeQt+7AIdFNp4kcrEcKU57Vw
+SWgH3QLhFGbXi61FGEfFvomk72ksIV6loR6lrg==
 -----END CERTIFICATE-----
diff --git a/test/fixture/nodeattestor/x509pop/svidreg.pem b/test/fixture/nodeattestor/x509pop/svidreg.pem
@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIBrDCCATagAwIBAgIGChssPU5vMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAx
 MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEGA1UEAxMKQ09NTU9OTkFN
-RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCjMXsSNBIRZmGkCNsp7vk/8hI/CEp/
-1CwdKasDj7UGvZywrIJOg3hSd6YFtdje3w79b8t/q8S2Y4IwYFjd6EqKVYIMWTUd
-+6Tnd52RswHSjWiQHTMV60GFT+Xp5d9wo/UCAwEAAaNdMFswDgYDVR0PAQH/BAQD
-AgeAMB8GA1UdIwQYMBaAFNm3lRhKbOKqm/pf41fVZD4FzleoMCgGA1UdEQQhMB+G
+RTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDlTw9or+1nmNIvdmZACCj+3NLW0VpX
+vx14+0j74/eMLI1QZaAe11kq4tqOfitQrM6h1cDgn3Vw97AvLdSrhfX/gYTGCuq+
+iw5k6b7n3OJwAZ/F2HH64Mjk1UWcGBZwwTUCAwEAAaNdMFswDgYDVR0PAQH/BAQD
+AgeAMB8GA1UdIwQYMBaAFDYUG85ovQyLt/JbZAmKYsGbPk8pMCgGA1UdEQQhMB+G
 HXNwaWZmZTovL2V4YW1wbGUub3JnL3NvbWVzdmlkMA0GCSqGSIb3DQEBCwUAA2EA
-yob7rIAH0OKGidwRqFFcbis+UjRz1AydG9rhzHvQyWytDK5XB8FAEECVMm6aza6m
-uIg7499sEjcgwup4GpOuf8Q5XIfE9RJnBfMKTdGTjv71gqmwX6ZgN/0SWAJMpkFt
+EihBZKPIogPRoxohOcm61SRe+8n9OMxORlMg6ovXKQd/nv1B1HF2X0BCxXcoHDae
+MMKzAxmbPHlwmLw1Y5J1SkDLEyNb/ZYOWbVMpgfAdaXMVg1R/pW2aZThpjkUZel5
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIBaDCB86ADAgECAgNNXm8wDQYJKoZIhvcNAQELBQAwADAiGA8wMDAxMDEwMTAw
 MDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAAMHwwDQYJKoZIhvcNAQEBBQADawAwaAJh
-AOyUq4DauBpBOpJp7UtaRIEkpgBlE1ZYKaUqQMGFHh6vEZ03EpN3gW1Rk7NBoDtc
-RrlyXcyoK0OH7YyKP6BgtxE+STBVUQ6ygFXP60+Sy1VmTzunJQMIPpr+d5OoOL5d
-2QIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTZt5UYSmziqpv6
-X+NX1WQ+Bc5XqDANBgkqhkiG9w0BAQsFAANhAJ9nBZaexubtA6Ksp2VM5xCHZ0Qw
-FgamYcAYIY6DvXgSuwY+jssQ9SPU3qTWymkuUCNknFfmlNntwHrkkdy/iSzZW2JU
-lR6zH3JDeiZ2f37O04e44HRcxFiisDMP6SiYBA==
+ALaWTeGivnnNjL964wNhM80p8b8yTa6mpq+rYj3L0UIYJHcPBQ7XB7o0+EWWEsKW
+Qs5E5vY8p56aq0y4pU0SgIMioqThX+KcmLMgs1JoJ42ZE20eFYDVqcWfSJp4o4w+
+hQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ2FBvOaL0Mi7fy
+W2QJimLBmz5PKTANBgkqhkiG9w0BAQsFAANhADOBJA7AEgjKU++fRmWauP8pR+Nk
+v9nbj0mABiBA0GUX116MwKs/nWq56IgzCTzqRbLKMeQt+7AIdFNp4kcrEcKU57Vw
+SWgH3QLhFGbXi61FGEfFvomk72ksIV6loR6lrg==
 -----END CERTIFICATE-----