From b9e1be17ac43abd4c851f8b861fabece403d6df6 Mon Sep 17 00:00:00 2001 From: Vincent Janelle Date: Sun, 11 Nov 2018 09:24:26 -0800 Subject: [PATCH] (#18) Add configuration flag to always overwrite the cache * Add configuration flag to filesec/puppetsec to tell the provider to always overwrite the local cache of a certificate with the one one that's been presented (defaults to false for existing environments) * Implement tests around configuration flag * Update test certificates to replicate an updated certificate being seen later --- filesec/file_security.go | 34 ++++++++------ filesec/file_security_test.go | 44 ++++++++++++++++++ glide.lock | 37 ++++++++++----- puppetsec/puppet_security.go | 18 +++++--- testdata/intermediate/Makefile | 28 +++++++++++ testdata/intermediate/certs/ca.pem | 16 +++---- .../intermediate/certs/rip.mcollective.pem | 46 +++++++++---------- .../certs/second.rip.mcollective.pem | 34 ++++++++++++++ .../intermediate/chain-rip.mcollective.pem | 34 ++++++++++++++ .../second-chain-rip.mcollective.pem | 34 ++++++++++++++ .../intermediate/second-rip.mcollective.pem | 19 ++++++++ 11 files changed, 280 insertions(+), 64 deletions(-) create mode 100644 testdata/intermediate/Makefile create mode 100644 testdata/intermediate/certs/second.rip.mcollective.pem create mode 100644 testdata/intermediate/chain-rip.mcollective.pem create mode 100644 testdata/intermediate/second-chain-rip.mcollective.pem create mode 100644 testdata/intermediate/second-rip.mcollective.pem diff --git a/filesec/file_security.go b/filesec/file_security.go index 63cae05..165606d 100644 --- a/filesec/file_security.go +++ b/filesec/file_security.go @@ -69,6 +69,9 @@ type Config struct { // DisableTLSVerify disables TLS verify in HTTP clients etc DisableTLSVerify bool + + // Support always overwriting the local filesystem cache + AlwaysOverwriteCache bool } // Option is a function that can configure the File Security Provider 
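Review bot: The comment on `AlwaysOverwriteCache` in the filesec `Config` hunk does not say what the flag gives up: without it the cache keeps the first certificate stored for an identity, and with it the stored copy is replaced by whatever is presented later. I would state that in the doc comment, e.g. `// AlwaysOverwriteCache replaces an already cached certificate for an identity with the newly presented one instead of keeping the first one seen; defaults to false.` The same applies to the field added to `Config` in puppetsec/puppet_security.go, where the comment also lacks the space after `//`.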
@@ -77,14 +80,15 @@ type Option func(*FileSecurity) error // WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration func WithChoriaConfig(c *config.Config) Option { cfg := Config{ - AllowList: c.Choria.CertnameWhitelist, - CA: c.Choria.FileSecurityCA, - Cache: c.Choria.FileSecurityCache, - Certificate: c.Choria.FileSecurityCertificate, - DisableTLSVerify: c.DisableTLSVerify, - Key: c.Choria.FileSecurityKey, - PrivilegedUsers: c.Choria.PrivilegedUsers, - Identity: c.Identity, + AllowList: c.Choria.CertnameWhitelist, + CA: c.Choria.FileSecurityCA, + Cache: c.Choria.FileSecurityCache, + Certificate: c.Choria.FileSecurityCertificate, + DisableTLSVerify: c.DisableTLSVerify, + Key: c.Choria.FileSecurityKey, + PrivilegedUsers: c.Choria.PrivilegedUsers, + Identity: c.Identity, + AlwaysOverwriteCache: c.Choria.SecurityAlwaysOverwriteCache, } if cn, ok := os.LookupEnv("MCOLLECTIVE_CERTNAME"); ok { @@ -333,10 +337,12 @@ func (s *FileSecurity) CachePublicData(data []byte, identity string) error { return err } - _, err = os.Stat(certfile) - if err == nil { - s.log.Debugf("Already have a certificate in %s, refusing to overwrite with a new one", certfile) - return nil + if !s.conf.AlwaysOverwriteCache { + _, err = os.Stat(certfile) + if err == nil { + s.log.Debugf("Already have a certificate in %s, refusing to overwrite with a new one", certfile) + return nil + } } err = ioutil.WriteFile(certfile, []byte(data), os.FileMode(int(0644))) @@ -430,9 +436,9 @@ func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error { } opts := x509.VerifyOptions{ - Roots: roots, + Roots: roots, Intermediates: intermediates, - KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, } if name != "" { diff --git a/filesec/file_security_test.go b/filesec/file_security_test.go index 80c1212..7fcdf19 100644 --- a/filesec/file_security_test.go 
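Review bot: In the `CachePublicData` hunk, setting `AlwaysOverwriteCache` skips the `os.Stat` guard entirely, so a cached certificate is replaced without any log line; the only message about an existing file sits on the path that is now bypassed. A changed certificate for a known identity is what an operator would want to audit, so I would keep the stat, return early only when the flag is off, and log the replacement at warning level (assuming `s.log` is the logrus entry the tests pass in). The function starts and ends outside the hunk, so the validation applied to `data` before this point is not visible here, and the overwrite is only as safe as that check. `ioutil.WriteFile` also truncates in place, so a concurrent reader of the cache could see a partial file; writing to a temporary file in the same directory and renaming it would avoid that.

```go
// … unchanged: certfile lookup and its error return …
if _, err = os.Stat(certfile); err == nil {
	if !s.conf.AlwaysOverwriteCache {
		s.log.Debugf("Already have a certificate in %s, refusing to overwrite with a new one", certfile)
		return nil
	}

	s.log.Warnf("Replacing the cached certificate in %s with a newly presented one", certfile)
}
// … unchanged: ioutil.WriteFile call …
```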
+++ b/filesec/file_security_test.go @@ -1,6 +1,7 @@ package filesec import ( + "bytes" "crypto/tls" "encoding/base64" "encoding/pem" @@ -56,6 +57,7 @@ var _ = Describe("FileSSL", func() { setSSL(cfg, goodStub, "rip.mcollective") l = logrus.New() + l.Out = ioutil.Discard prov, err = New(WithConfig(cfg), WithLog(l.WithFields(logrus.Fields{}))) 
@@ -505,6 +507,48 @@ var _ = Describe("FileSSL", func() { Expect(stat.Size()).To(Equal(int64(16))) }) + It("Should support always overwrite files", func() { + c, err := config.NewDefaultConfig() + Expect(err).ToNot(HaveOccurred()) + + identity := "rip.mcollective" + + // These certs both have the same hostname. First we cache the first one, then we attempt to cache the second one. + // This should result in the caching layer storing the second certificate. + firstcert := filepath.Join("..", "testdata", "intermediate", "certs", identity+".pem") + secondcert := filepath.Join("..", "testdata", "intermediate", "certs", "second."+identity+".pem") + + c.Choria.FileSecurityCertificate = firstcert + c.Choria.FileSecurityCA = filepath.Join("..", "testdata", "intermediate", "certs", "ca.pem") + c.Choria.FileSecurityCache = filepath.Join("..", "testdata", "intermediate", "certs") + c.Choria.SecurityAlwaysOverwriteCache = true + + c.Choria.FileSecurityCache, err = ioutil.TempDir("", "cache-always") + Expect(err).ToNot(HaveOccurred()) + defer os.RemoveAll(c.Choria.FileSecurityCache) + + prov, err := New(WithChoriaConfig(c), WithLog(l.WithFields(logrus.Fields{}))) + Expect(err).ToNot(HaveOccurred()) + + fpd, err := ioutil.ReadFile(firstcert) + Expect(err).ToNot(HaveOccurred()) + + err = prov.CachePublicData(fpd, identity) + Expect(err).ToNot(HaveOccurred()) + + spd, err := ioutil.ReadFile(secondcert) + Expect(err).ToNot(HaveOccurred()) + + err = prov.CachePublicData(spd, identity) + Expect(err).To(BeNil()) + + cpd, err := prov.CachedPublicData(identity) + Expect(err).ToNot(HaveOccurred()) + + res := bytes.Compare(spd, cpd) + Expect(res).To(BeZero()) + }) + It("Should fail cache validation if allow lists change", func() { cfg.Cache = os.TempDir() cfg.Cache = os.TempDir() diff --git a/glide.lock b/glide.lock index c5f7b3e..8ba3185 100644 --- a/glide.lock +++ b/glide.lock 
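Review bot: The new `It("Should support always overwrite files", ...)` case only proves that a second valid certificate replaces the first; nothing checks that, with `SecurityAlwaysOverwriteCache` on, a certificate that fails validation leaves the cached file untouched, which is the case that matters once overwriting is allowed. Assuming `CachePublicData` validates what it is given, a companion case that caches the first certificate, presents data not issued by the test CA for the same identity, and asserts that `CachedPublicData` still returns the first certificate would cover it. Two smaller points: the first assignment `c.Choria.FileSecurityCache = filepath.Join("..", "testdata", "intermediate", "certs")` is dead because the `ioutil.TempDir` result overwrites it a few lines later, and `Expect(cpd).To(Equal(spd))` reads more directly than `bytes.Compare` followed by `BeZero()`.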
@@ -1,5 +1,5 @@ hash: 2a412acb3adac850adf2684018e2b5e8530cf2fff05952a31838b3f969673e50 -updated: 2018-06-15T14:10:28.400205+02:00 +updated: 2018-11-15T09:36:00.562889-08:00 imports: - name: github.com/alecthomas/template version: a0175ee3bccc567396460bf5acd36800cb10c49c @@ -12,7 +12,7 @@ imports: subpackages: - quantile - name: github.com/choria-io/go-choria - version: b3717c9a6fbd0447cc76c4ff106c8d934112ec9c + version: 2ece4ea72ff60d44818365d0655832d2d7ff35c0 subpackages: - build - config @@ -32,9 +32,11 @@ imports: - regex - shellsafe - name: github.com/golang/protobuf - version: 3a3da3a4e26776cc22a79ef46d5d58477532dede + version: 52132540909e117f2b98b0694383dc0ab1e1deca subpackages: - proto +- name: github.com/konsorten/go-windows-terminal-sequences + version: 5c8c8bd35d3832f5d134ae1e1e375b69a4d25242 - name: github.com/matttproud/golang_protobuf_extensions version: c12348ce28de40eed0136aa2b644d0ee0650e56c subpackages: @@ -44,29 +46,29 @@ imports: subpackages: - prometheus - name: github.com/prometheus/client_model - version: 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c + version: 5c3871d89910bfb32f5fcab2aa4b9ec68e65a99f subpackages: - go - name: github.com/prometheus/common - version: 7600349dcfe1abd18d72d3a1770870d9800a7801 + version: 41aa239b4cce3c56ab88fc366ae8b0a6423fa239 subpackages: - expfmt - internal/bitbucket.org/ww/goautoneg - model - name: github.com/prometheus/procfs - version: fe93d378a6b03758a2c1b65e86cf630bf78681c0 + version: 185b4288413d2a0dd0806f78c90dde719829e5ae subpackages: - internal/util - nfs - xfs - name: github.com/sirupsen/logrus - version: c155da19408a8799da419ed3eeb0cb5db0ad5dbc + version: bcd833dfe83d3cebad139e4a29ed79cb2318bf95 - name: golang.org/x/crypto version: 9477e0b78b9ac3d0b03822fd95422e2fe07627cd subpackages: - ssh/terminal - name: golang.org/x/sys - version: f7928cfef4d09d1b080aa2b6fd3ca9ba1567c733 + version: 66b7b1311ac80bbafcd2daeef9a5e6e2cd1e2399 subpackages: - unix - name: gopkg.in/alecthomas/kingpin.v2 
@@ -76,8 +78,15 @@ testImports: version: 8b2eeeb0ca5f56c78bec5efde9c4a21d9201126c subpackages: - gomock +- name: github.com/hpcloud/tail + version: a1dbeea552b7c8df4b542c66073e393de198a800 + subpackages: + - ratelimiter + - util + - watch + - winfile - name: github.com/onsi/ginkgo - version: fa5fabab2a1bfbd924faf4c067d07ae414e2aedf + version: 3774a09d95489ccaa16032e0770d08ea77ba6184 subpackages: - config - internal/codelocation @@ -97,7 +106,7 @@ testImports: - reporters/stenographer/support/go-isatty - types - name: github.com/onsi/gomega - version: 62bff4df71bdbc266561a0caee19f0594b17c240 + version: 7615b9433f86a8bdf29709bf288bc4fd0636a369 subpackages: - format - internal/assertion @@ -111,14 +120,14 @@ testImports: - matchers/support/goraph/util - types - name: golang.org/x/net - version: 89e543239a64caf31d3a6865872ea120b41446df + version: adae6a3d119ae4890b46832a2e88a95adc62b8e7 subpackages: - context - html - html/atom - html/charset - name: golang.org/x/text - version: 5c1cf69b5978e5a34c5f9ba09a83e56acc4b7877 + version: 6f44c5a2ea40ee3593d98cdcc905cc1fdaa660e2 subpackages: - encoding - encoding/charmap @@ -137,5 +146,9 @@ testImports: - language - runes - transform +- name: gopkg.in/fsnotify/fsnotify.v1 + version: c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9 +- name: gopkg.in/tomb.v1 + version: c131134a1947e9afd9cecfe11f4c6dff0732ae58 - name: gopkg.in/yaml.v2 version: 5420a8b6744d3b0345ab293f6fcba19c978f1183 diff --git a/puppetsec/puppet_security.go b/puppetsec/puppet_security.go index 86fc842..0d0d736 100644 --- a/puppetsec/puppet_security.go +++ b/puppetsec/puppet_security.go @@ -74,6 +74,9 @@ type Config struct { useFakeUID bool fakeUID int + + //Support always overwriting the local filesystem cache + AlwaysOverwriteCache bool } // Option is a function that can configure the Puppet Security Provider 
@@ -83,13 +86,14 @@ type Option func(*PuppetSecurity) error func WithChoriaConfig(c *config.Config) Option { return func(p *PuppetSecurity) error { cfg := Config{ - AllowList: c.Choria.CertnameWhitelist, - DisableTLSVerify: c.DisableTLSVerify, - PrivilegedUsers: c.Choria.PrivilegedUsers, - SSLDir: c.Choria.SSLDir, - PuppetCAHost: c.Choria.PuppetCAHost, - PuppetCAPort: c.Choria.PuppetCAPort, - Identity: c.Identity, + AllowList: c.Choria.CertnameWhitelist, + DisableTLSVerify: c.DisableTLSVerify, + PrivilegedUsers: c.Choria.PrivilegedUsers, + SSLDir: c.Choria.SSLDir, + PuppetCAHost: c.Choria.PuppetCAHost, + PuppetCAPort: c.Choria.PuppetCAPort, + Identity: c.Identity, + AlwaysOverwriteCache: c.Choria.SecurityAlwaysOverwriteCache, } if c.HasOption("plugin.choria.puppetca_host") || c.HasOption("plugin.choria.puppetca_port") { diff --git a/testdata/intermediate/Makefile b/testdata/intermediate/Makefile new file mode 100644 index 0000000..71bd223 --- /dev/null +++ b/testdata/intermediate/Makefile 
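Review bot: `AlwaysOverwriteCache` is copied into the puppetsec `Config` in this `WithChoriaConfig` hunk, but no hunk in puppetsec/puppet_security.go reads it; the 18 changed lines the diffstat reports for that file are all accounted for by the struct field and this literal. Unless code outside the diff forwards the value, setting `SecurityAlwaysOverwriteCache` has no effect for the Puppet provider, while the commit message says the flag applies to both filesec and puppetsec. If the Puppet provider's `CachePublicData` has the same refuse-to-overwrite check as filesec, it needs the same guard on the flag, together with a test like the one added for filesec.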
@@ -0,0 +1,28 @@ +all: + @rm -f ${PWD}/*.csr ${PWD}/*.pem + cfssl genkey -initca root.json | cfssljson -bare ca + cfssl genkey -initca intermediate.json | cfssljson -bare intermediate + cfssl sign -profile ca-to-root -ca ca.pem -ca-key ca-key.pem -config config.json intermediate.csr | cfssljson -bare intermediate + cfssl genkey csr.json | cfssljson -bare rip.mcollective + cfssl gencsr -key rip.mcollective-key.pem csr.json | cfssljson -bare rip.mcollective + cfssl sign -ca intermediate.pem -ca-key intermediate-key.pem rip.mcollective.csr subject.json | cfssljson -bare rip.mcollective && openssl x509 -in rip.mcollective.pem -noout -text + cat rip.mcollective.pem intermediate.pem > chain-rip.mcollective.pem + openssl verify -CAfile ca.pem -untrusted chain-rip.mcollective.pem chain-rip.mcollective.pem + cp ca.pem certs/ca.pem + cp chain-rip.mcollective.pem certs/rip.mcollective.pem + +second: + # Make second cert chain to test caching + cfssl gencsr -key rip.mcollective-key.pem csr.json | cfssljson -bare second-rip.mcollective + cfssl sign -ca intermediate.pem -ca-key intermediate-key.pem rip.mcollective.csr subject.json | cfssljson -bare second-rip.mcollective && openssl x509 -in second-rip.mcollective.pem -noout -text + cat second-rip.mcollective.pem intermediate.pem > second-chain-rip.mcollective.pem + openssl x509 -in second-rip.mcollective.pem -noout -text + +deploy: + cp ca.pem certs/ca.pem + cp chain-rip.mcollective.pem certs/rip.mcollective.pem + cp second-chain-rip.mcollective.pem certs/second.rip.mcollective.pem + + +clean: + rm -f *.pem *.csr diff --git a/testdata/intermediate/certs/ca.pem b/testdata/intermediate/certs/ca.pem index 316a89a..8cbbc14 100644 --- a/testdata/intermediate/certs/ca.pem +++ b/testdata/intermediate/certs/ca.pem 
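Review bot: In the `second` target, `cfssl gencsr ... | cfssljson -bare second-rip.mcollective` writes a new CSR, but the following `cfssl sign` still takes `rip.mcollective.csr`, so the CSR just generated is never used; `second-rip.mcollective.csr` is presumably what was meant. `all`, `second`, `deploy` and `clean` should be declared `.PHONY`, and the tab-indented `# Make second cert chain to test caching` line is handed to the shell and echoed rather than treated as a Makefile comment. The `genkey` steps leave `ca-key.pem`, `intermediate-key.pem` and `rip.mcollective-key.pem` next to the fixtures; they are test-only keys, but an ignore rule for `*-key.pem` would keep them from being committed by accident. The leaf certificates committed alongside appear to carry a one-year validity, so tests that verify them will need the fixtures regenerated or the verification time pinned.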
@@ -1,14 +1,14 @@ -----BEGIN CERTIFICATE----- -MIICOTCCAd+gAwIBAgIUHcItm2WcJQd0By9Sg5Wqlt0sONIwCgYIKoZIzj0EAwIw +MIICOjCCAd+gAwIBAgIUSHvvZWWyM18ks49RZkbWkyLslH0wCgYIKoZIzj0EAwIw eTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0wCwYDVQQHEwRDaXR5 MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVzdGluZyBJbnRlcm1l -ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTExMjEzMDAwWhcNNDgx -MTAzMjEzMDAwWjB5MQswCQYDVQQGEwJYWDERMA8GA1UECBMITG9jYWxpdHkxDTAL +ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTEzMDEyMzAwWhcNNDgx +MTA1MDEyMzAwWjB5MQswCQYDVQQGEwJYWDERMA8GA1UECBMITG9jYWxpdHkxDTAL BgNVBAcTBENpdHkxDzANBgNVBAoTBkNob3JpYTElMCMGA1UECxMcVW5pdCB0ZXN0 aW5nIEludGVybWVkaWF0ZSBDQTEQMA4GA1UEAxMHUm9vdCBDQTBZMBMGByqGSM49 -AgEGCCqGSM49AwEHA0IABPt/emjXdaHwnClOeT4qCjjPgOy8P5+sWwkV7UvWqDGW -YozFo0J9Sy5zBDAEdw6vmFA9F1yqx4Huuip4M/yF6USjRTBDMA4GA1UdDwEB/wQE -AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRT2Qng+4kiaIILKMQ1 -n9xNF5Rj3DAKBggqhkjOPQQDAgNIADBFAiEA+4RpvLfS0zX5T/uPXr2vHX7Ws78J -P/EyAiAYha39SNwCIDuRVsoTy72UtQdSkUAhslporEUNkNtbphynP3DaLZdd +AgEGCCqGSM49AwEHA0IABKKemAj1QsoT3pXQCYK7DD94vNry5BL9OnCmaojzlBFZ +0n0vZJi7/GHtr/OVnUXBQOD7XOOWkHCwHDJq2O0+Am6jRTBDMA4GA1UdDwEB/wQE +AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQ2M6o4bz7r8MgG9Q0/ +7rN8OgoiETAKBggqhkjOPQQDAgNJADBGAiEA/Yxzoa8YLNzIyWQqHq7tJHnnk3qt +anWV8i+8LIDItw4CIQC6YnE5cNQSUYXtK9L5A8sB8ZcBdO0LIu/zlrbBHQo53A== -----END CERTIFICATE----- diff --git a/testdata/intermediate/certs/rip.mcollective.pem b/testdata/intermediate/certs/rip.mcollective.pem index 9c3587a..c0e7988 100644 --- a/testdata/intermediate/certs/rip.mcollective.pem +++ b/testdata/intermediate/certs/rip.mcollective.pem 
@@ -1,34 +1,34 @@ -----BEGIN CERTIFICATE----- -MIIDBjCCAqygAwIBAgIUVH5ROCpcZSA1uKg3RUD4/+GdFskwCgYIKoZIzj0EAwIw +MIIDBzCCAqygAwIBAgIUGCd2Rj5pwjR9bGLD9BS6YpWw7SIwCgYIKoZIzj0EAwIw gYExCzAJBgNVBAYTAlhYMREwDwYDVQQIEwhMb2NhbGl0eTENMAsGA1UEBxMEQ2l0 eTEPMA0GA1UEChMGQ2hvcmlhMSUwIwYDVQQLExxVbml0IHRlc3RpbmcgSW50ZXJt -ZWRpYXRlIENBMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwHhcNMTgxMTExMjEz -MDAwWhcNMTkxMTExMjEzMDAwWjAaMRgwFgYDVQQDEw9yaXAubWNvbGxlY3RpdmUw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNagA3ZY7Ohu2MscPPUy1 -Yp8960WQdGUjBCGbN6nFOofGChuTRZXwVLxONWQuXS3fcBFkLQ9gfGBFyGSaYcKq -A2nYAvsuS46xTa+SkDUFePwE+JY/TcQR1lOLr2iCTqcNOFVaEYPsqaGhSlWnxZ9d -1sA7enzOb9DnDeHc/SAJII7r3cY3TLzvNqbBLcmfOh3wdA2Eqvosd7/TXcTY2eHQ -k9a9PJWbFeuLELgnPNROkw/ul0Dl1Vg0wGlr7q6jQFg22N+zZiKRa2740coSyuZ9 -ziWVhW3H+XeWJSQrsmkML7xfTjTNTpPJfh18DWdjJ6mTq8yVkACkAlu3LZZiKd6H +ZWRpYXRlIENBMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwHhcNMTgxMTEzMDEy +MzAwWhcNMTkxMTEzMDEyMzAwWjAaMRgwFgYDVQQDEw9yaXAubWNvbGxlY3RpdmUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNN5jOHMOMISkSrwFLmxIS +bKoEuDAwlOSbhFHc89GVbPcHziIJPLqur+YdV0xLZht+ZXvSZDsgo4hjZqXsOCbi +WZkzN5xfSuZqai8NvfEXOjXYjofCh3/bZ7gVcEkSt3EclxbcZ2d1pcX1sjl8GyH5 +pyHmfOJHrpXdVE10Z4QuA58UKZoQ3i9R7ohCVYoUaAJn6+5015x/mWhzuB8ebdjc +mqt/aYK/f1apIxIo909nkXz2BS94B/s6zUGG89sA47Pi13CNC5u7cJ7VEfAQYHWP +F8sXzi6u7+MvDVXRcBPsy1sT89+udANidAtxYhn5On/dDB5qMD77DvJcVN/8Qil5 AgMBAAGjgZwwgZkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRD5gmqomK9pQOzUE6p -gbLgBP48JjAfBgNVHSMEGDAWgBTE9RmIwQ7C2pfp37E4djWmkQrMyzAaBgNVHREE -EzARgg9yaXAubWNvbGxlY3RpdmUwCgYIKoZIzj0EAwIDSAAwRQIgKNywnHJ4NExk -1w8iwrvGP8bP9oeyoRBqPJjcCPWdNYACIQCyOi4N9N5vMK8QSSEJ2vRizq9neWhX -Y11phu0xsBIBPQ== +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTmgrLpFNVMbh1C5UsF +xVDjd549xzAfBgNVHSMEGDAWgBSlQrdE6JCCk8azRsWXnRuk2ctF+jAaBgNVHREE +EzARgg9yaXAubWNvbGxlY3RpdmUwCgYIKoZIzj0EAwIDSQAwRgIhAIDvVp0fzmEK +ULH79CDG3TqcCDiGRPwWMyRUFjazykNuAiEAypPXG9z+/MgGIO2lsYyhQR/Kd+ao +18XVjuUb3P2egYE= 
-----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICYzCCAgmgAwIBAgIUM0jKjSKTjq5eO7N1jAHG+pVH3FUwCgYIKoZIzj0EAwIw +MIICZDCCAgmgAwIBAgIUMHE90peOTHN6Iv2S2R2astND6lswCgYIKoZIzj0EAwIw eTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0wCwYDVQQHEwRDaXR5 MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVzdGluZyBJbnRlcm1l -ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTExMjEzMDAwWhcNNDgx -MTAzMjEzMDAwWjCBgTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0w +ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTEzMDEyMzAwWhcNNDgx +MTA1MDEyMzAwWjCBgTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0w CwYDVQQHEwRDaXR5MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVz dGluZyBJbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTBZ -MBMGByqGSM49AgEGCCqGSM49AwEHA0IABLrrCCE1cvyKEHwmmKu5x2/eCnR8Qgkk -/TGi3eygp671u0G9kZOy2MdvgCecHCF/zR/YUPozEILZE9QldXVQWg+jZjBkMA4G -A1UdDwEB/wQEAwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTE9RmI -wQ7C2pfp37E4djWmkQrMyzAfBgNVHSMEGDAWgBRT2Qng+4kiaIILKMQ1n9xNF5Rj -3DAKBggqhkjOPQQDAgNIADBFAiEAtH7hxZ7QcPlFnM+YJuptChhGox7fSwwPbnyH -z7YMKygCIGn4lC2hIXRTk9FHPPCcZSPi8bJ9j5ZgKJO08xh3UGkb +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABNGtHy1coQANdtEj/OK8JjgVxQ+owXlq +X3PWtohIhx1dlD4MS78sPoEblHcU5NAfSPTN23gPw2kalFjV5NJH3I+jZjBkMA4G +A1UdDwEB/wQEAwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSlQrdE +6JCCk8azRsWXnRuk2ctF+jAfBgNVHSMEGDAWgBQ2M6o4bz7r8MgG9Q0/7rN8Ogoi +ETAKBggqhkjOPQQDAgNJADBGAiEAueRTGMy56l9024iI0tE+huS5E0wEu1ZyQfpI +AnqVQ70CIQCqVCe23uL3Po9THrXrmpVF7n+CJLQnKdpM3uxxsPWAIg== -----END CERTIFICATE----- diff --git a/testdata/intermediate/certs/second.rip.mcollective.pem b/testdata/intermediate/certs/second.rip.mcollective.pem new file mode 100644 index 0000000..c940438 --- /dev/null +++ b/testdata/intermediate/certs/second.rip.mcollective.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIDBjCCAqygAwIBAgIUUIJHuge/BYroZQukVOUe3ngKW1EwCgYIKoZIzj0EAwIw +gYExCzAJBgNVBAYTAlhYMREwDwYDVQQIEwhMb2NhbGl0eTENMAsGA1UEBxMEQ2l0 +eTEPMA0GA1UEChMGQ2hvcmlhMSUwIwYDVQQLExxVbml0IHRlc3RpbmcgSW50ZXJt +ZWRpYXRlIENBMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwHhcNMTgxMTEzMDEy +NDAwWhcNMTkxMTEzMDEyNDAwWjAaMRgwFgYDVQQDEw9yaXAubWNvbGxlY3RpdmUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNN5jOHMOMISkSrwFLmxIS +bKoEuDAwlOSbhFHc89GVbPcHziIJPLqur+YdV0xLZht+ZXvSZDsgo4hjZqXsOCbi +WZkzN5xfSuZqai8NvfEXOjXYjofCh3/bZ7gVcEkSt3EclxbcZ2d1pcX1sjl8GyH5 +pyHmfOJHrpXdVE10Z4QuA58UKZoQ3i9R7ohCVYoUaAJn6+5015x/mWhzuB8ebdjc +mqt/aYK/f1apIxIo909nkXz2BS94B/s6zUGG89sA47Pi13CNC5u7cJ7VEfAQYHWP +F8sXzi6u7+MvDVXRcBPsy1sT89+udANidAtxYhn5On/dDB5qMD77DvJcVN/8Qil5 +AgMBAAGjgZwwgZkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTmgrLpFNVMbh1C5UsF +xVDjd549xzAfBgNVHSMEGDAWgBSlQrdE6JCCk8azRsWXnRuk2ctF+jAaBgNVHREE +EzARgg9yaXAubWNvbGxlY3RpdmUwCgYIKoZIzj0EAwIDSAAwRQIgTpWO8zo+gkat +hQ434PMXz6kItjEKrmxf12wn1eGWLtACIQDh68GztHVc2t3cod80CIWPvXy66bMb +f8ubH54MEUwIFQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICZDCCAgmgAwIBAgIUMHE90peOTHN6Iv2S2R2astND6lswCgYIKoZIzj0EAwIw +eTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0wCwYDVQQHEwRDaXR5 +MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVzdGluZyBJbnRlcm1l +ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTEzMDEyMzAwWhcNNDgx +MTA1MDEyMzAwWjCBgTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0w +CwYDVQQHEwRDaXR5MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVz +dGluZyBJbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABNGtHy1coQANdtEj/OK8JjgVxQ+owXlq +X3PWtohIhx1dlD4MS78sPoEblHcU5NAfSPTN23gPw2kalFjV5NJH3I+jZjBkMA4G +A1UdDwEB/wQEAwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSlQrdE +6JCCk8azRsWXnRuk2ctF+jAfBgNVHSMEGDAWgBQ2M6o4bz7r8MgG9Q0/7rN8Ogoi +ETAKBggqhkjOPQQDAgNJADBGAiEAueRTGMy56l9024iI0tE+huS5E0wEu1ZyQfpI 
+AnqVQ70CIQCqVCe23uL3Po9THrXrmpVF7n+CJLQnKdpM3uxxsPWAIg== +-----END CERTIFICATE----- diff --git a/testdata/intermediate/chain-rip.mcollective.pem b/testdata/intermediate/chain-rip.mcollective.pem new file mode 100644 index 0000000..c0e7988 --- /dev/null +++ b/testdata/intermediate/chain-rip.mcollective.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIDBzCCAqygAwIBAgIUGCd2Rj5pwjR9bGLD9BS6YpWw7SIwCgYIKoZIzj0EAwIw +gYExCzAJBgNVBAYTAlhYMREwDwYDVQQIEwhMb2NhbGl0eTENMAsGA1UEBxMEQ2l0 +eTEPMA0GA1UEChMGQ2hvcmlhMSUwIwYDVQQLExxVbml0IHRlc3RpbmcgSW50ZXJt +ZWRpYXRlIENBMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwHhcNMTgxMTEzMDEy +MzAwWhcNMTkxMTEzMDEyMzAwWjAaMRgwFgYDVQQDEw9yaXAubWNvbGxlY3RpdmUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNN5jOHMOMISkSrwFLmxIS +bKoEuDAwlOSbhFHc89GVbPcHziIJPLqur+YdV0xLZht+ZXvSZDsgo4hjZqXsOCbi +WZkzN5xfSuZqai8NvfEXOjXYjofCh3/bZ7gVcEkSt3EclxbcZ2d1pcX1sjl8GyH5 +pyHmfOJHrpXdVE10Z4QuA58UKZoQ3i9R7ohCVYoUaAJn6+5015x/mWhzuB8ebdjc +mqt/aYK/f1apIxIo909nkXz2BS94B/s6zUGG89sA47Pi13CNC5u7cJ7VEfAQYHWP +F8sXzi6u7+MvDVXRcBPsy1sT89+udANidAtxYhn5On/dDB5qMD77DvJcVN/8Qil5 +AgMBAAGjgZwwgZkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTmgrLpFNVMbh1C5UsF +xVDjd549xzAfBgNVHSMEGDAWgBSlQrdE6JCCk8azRsWXnRuk2ctF+jAaBgNVHREE +EzARgg9yaXAubWNvbGxlY3RpdmUwCgYIKoZIzj0EAwIDSQAwRgIhAIDvVp0fzmEK +ULH79CDG3TqcCDiGRPwWMyRUFjazykNuAiEAypPXG9z+/MgGIO2lsYyhQR/Kd+ao +18XVjuUb3P2egYE= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICZDCCAgmgAwIBAgIUMHE90peOTHN6Iv2S2R2astND6lswCgYIKoZIzj0EAwIw +eTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0wCwYDVQQHEwRDaXR5 +MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVzdGluZyBJbnRlcm1l +ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTEzMDEyMzAwWhcNNDgx +MTA1MDEyMzAwWjCBgTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0w +CwYDVQQHEwRDaXR5MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVz +dGluZyBJbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABNGtHy1coQANdtEj/OK8JjgVxQ+owXlq +X3PWtohIhx1dlD4MS78sPoEblHcU5NAfSPTN23gPw2kalFjV5NJH3I+jZjBkMA4G +A1UdDwEB/wQEAwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSlQrdE +6JCCk8azRsWXnRuk2ctF+jAfBgNVHSMEGDAWgBQ2M6o4bz7r8MgG9Q0/7rN8Ogoi +ETAKBggqhkjOPQQDAgNJADBGAiEAueRTGMy56l9024iI0tE+huS5E0wEu1ZyQfpI 
+AnqVQ70CIQCqVCe23uL3Po9THrXrmpVF7n+CJLQnKdpM3uxxsPWAIg== +-----END CERTIFICATE----- diff --git a/testdata/intermediate/second-chain-rip.mcollective.pem b/testdata/intermediate/second-chain-rip.mcollective.pem new file mode 100644 index 0000000..c940438 --- /dev/null +++ b/testdata/intermediate/second-chain-rip.mcollective.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIDBjCCAqygAwIBAgIUUIJHuge/BYroZQukVOUe3ngKW1EwCgYIKoZIzj0EAwIw +gYExCzAJBgNVBAYTAlhYMREwDwYDVQQIEwhMb2NhbGl0eTENMAsGA1UEBxMEQ2l0 +eTEPMA0GA1UEChMGQ2hvcmlhMSUwIwYDVQQLExxVbml0IHRlc3RpbmcgSW50ZXJt +ZWRpYXRlIENBMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwHhcNMTgxMTEzMDEy +NDAwWhcNMTkxMTEzMDEyNDAwWjAaMRgwFgYDVQQDEw9yaXAubWNvbGxlY3RpdmUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNN5jOHMOMISkSrwFLmxIS +bKoEuDAwlOSbhFHc89GVbPcHziIJPLqur+YdV0xLZht+ZXvSZDsgo4hjZqXsOCbi +WZkzN5xfSuZqai8NvfEXOjXYjofCh3/bZ7gVcEkSt3EclxbcZ2d1pcX1sjl8GyH5 +pyHmfOJHrpXdVE10Z4QuA58UKZoQ3i9R7ohCVYoUaAJn6+5015x/mWhzuB8ebdjc +mqt/aYK/f1apIxIo909nkXz2BS94B/s6zUGG89sA47Pi13CNC5u7cJ7VEfAQYHWP +F8sXzi6u7+MvDVXRcBPsy1sT89+udANidAtxYhn5On/dDB5qMD77DvJcVN/8Qil5 +AgMBAAGjgZwwgZkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTmgrLpFNVMbh1C5UsF +xVDjd549xzAfBgNVHSMEGDAWgBSlQrdE6JCCk8azRsWXnRuk2ctF+jAaBgNVHREE +EzARgg9yaXAubWNvbGxlY3RpdmUwCgYIKoZIzj0EAwIDSAAwRQIgTpWO8zo+gkat +hQ434PMXz6kItjEKrmxf12wn1eGWLtACIQDh68GztHVc2t3cod80CIWPvXy66bMb +f8ubH54MEUwIFQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICZDCCAgmgAwIBAgIUMHE90peOTHN6Iv2S2R2astND6lswCgYIKoZIzj0EAwIw +eTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0wCwYDVQQHEwRDaXR5 +MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVzdGluZyBJbnRlcm1l +ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTEzMDEyMzAwWhcNNDgx +MTA1MDEyMzAwWjCBgTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0w +CwYDVQQHEwRDaXR5MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVz +dGluZyBJbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABNGtHy1coQANdtEj/OK8JjgVxQ+owXlq +X3PWtohIhx1dlD4MS78sPoEblHcU5NAfSPTN23gPw2kalFjV5NJH3I+jZjBkMA4G +A1UdDwEB/wQEAwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSlQrdE +6JCCk8azRsWXnRuk2ctF+jAfBgNVHSMEGDAWgBQ2M6o4bz7r8MgG9Q0/7rN8Ogoi +ETAKBggqhkjOPQQDAgNJADBGAiEAueRTGMy56l9024iI0tE+huS5E0wEu1ZyQfpI 
+AnqVQ70CIQCqVCe23uL3Po9THrXrmpVF7n+CJLQnKdpM3uxxsPWAIg== +-----END CERTIFICATE----- diff --git a/testdata/intermediate/second-rip.mcollective.pem b/testdata/intermediate/second-rip.mcollective.pem new file mode 100644 index 0000000..8e445b6 --- /dev/null +++ b/testdata/intermediate/second-rip.mcollective.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBjCCAqygAwIBAgIUUIJHuge/BYroZQukVOUe3ngKW1EwCgYIKoZIzj0EAwIw +gYExCzAJBgNVBAYTAlhYMREwDwYDVQQIEwhMb2NhbGl0eTENMAsGA1UEBxMEQ2l0 +eTEPMA0GA1UEChMGQ2hvcmlhMSUwIwYDVQQLExxVbml0IHRlc3RpbmcgSW50ZXJt +ZWRpYXRlIENBMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwHhcNMTgxMTEzMDEy +NDAwWhcNMTkxMTEzMDEyNDAwWjAaMRgwFgYDVQQDEw9yaXAubWNvbGxlY3RpdmUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNN5jOHMOMISkSrwFLmxIS +bKoEuDAwlOSbhFHc89GVbPcHziIJPLqur+YdV0xLZht+ZXvSZDsgo4hjZqXsOCbi +WZkzN5xfSuZqai8NvfEXOjXYjofCh3/bZ7gVcEkSt3EclxbcZ2d1pcX1sjl8GyH5 +pyHmfOJHrpXdVE10Z4QuA58UKZoQ3i9R7ohCVYoUaAJn6+5015x/mWhzuB8ebdjc +mqt/aYK/f1apIxIo909nkXz2BS94B/s6zUGG89sA47Pi13CNC5u7cJ7VEfAQYHWP +F8sXzi6u7+MvDVXRcBPsy1sT89+udANidAtxYhn5On/dDB5qMD77DvJcVN/8Qil5 +AgMBAAGjgZwwgZkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTmgrLpFNVMbh1C5UsF +xVDjd549xzAfBgNVHSMEGDAWgBSlQrdE6JCCk8azRsWXnRuk2ctF+jAaBgNVHREE +EzARgg9yaXAubWNvbGxlY3RpdmUwCgYIKoZIzj0EAwIDSAAwRQIgTpWO8zo+gkat +hQ434PMXz6kItjEKrmxf12wn1eGWLtACIQDh68GztHVc2t3cod80CIWPvXy66bMb +f8ubH54MEUwIFQ== +-----END CERTIFICATE-----