From f78fdec7d64f0e7267d73a7654595d0cc2eba929 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger <thomas@eizinger.io>
Date: Fri, 30 Sep 2022 15:55:59 +1000
Subject: [PATCH 1/3] Add test vectors

---
 tls/tls.md | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/tls/tls.md b/tls/tls.md
index 692c31e9d..2febb6c35 100644
--- a/tls/tls.md
+++ b/tls/tls.md
@@ -29,6 +29,7 @@ and spec status.
     - [Handshake Protocol](#handshake-protocol)
     - [Peer Authentication](#peer-authentication)
         - [libp2p Public Key Extension](#libp2p-public-key-extension)
+    - [Test vectors](#test-vectors)
     - [Future Extensibility](#future-extensibility)
 
 ## Introduction
@@ -119,6 +120,46 @@ How the public key is encoded into the `Data` bytes depends on the Key Type.
 - `Secp256k1`: Only the compressed form of the public key. 33 bytes.
 - The rest of the keys are encoded as a [SubjectPublicKeyInfo structure](https://www.rfc-editor.org/rfc/rfc5280.html#section-4.1) in PKIX, ASN.1 DER form.
 
+## Test vectors
+
+The following items presents test vectors that a compatible implementation should pass.
+All certificates are HEX encoded.
+
+### 1. Valid certificate authenticating an ED25519 Peer ID
+
+Certificate:
+```
+308201773082011ea003020102020900f5bd0debaa597f52300a06082a8648ce3d04030230003020170d3735303130313030303030305a180f34303936303130313030303030305a30003059301306072a8648ce3d020106082a8648ce3d030107034200046bf9871220d71dcb3483ecdfcbfcc7c103f8509d0974b3c18ab1f1be1302d643103a08f7a7722c1b247ba3876fe2c59e26526f479d7718a85202ddbe47562358a37f307d307b060a2b0601040183a25a01010101ff046a30680424080112207fda21856709c5ae12fd6e8450623f15f11955d384212b89f56e7e136d2e17280440aaa6bffabe91b6f30c35e3aa4f94b1188fed96b0ffdd393f4c58c1c047854120e674ce64c788406d1c2c4b116581fd7411b309881c3c7f20b46e54c7e6fe7f0f300a06082a8648ce3d040302034700304402207d1a1dbd2bda235ff2ec87daf006f9b04ba076a5a5530180cd9c2e8f6399e09d0220458527178c7e77024601dbb1b256593e9b96d961b96349d1f560114f61a87595
+```
+
+PeerId: `12D3KooWJRSrypvnpHgc6ZAgyCni4KcSmbV7uGRaMw5LgMKT18fq`
+
+### 2. Valid certificate authenticating an ECDSA Peer ID
+
+Certificate:
+```
+308201c030820166a003020102020900eaf419a6e3edb4a6300a06082a8648ce3d04030230003020170d3735303130313030303030305a180f34303936303130313030303030305a30003059301306072a8648ce3d020106082a8648ce3d030107034200048dbf1116c7c608d6d5292bd826c3feb53483a89fce434bf64538a359c8e07538ff71f6766239be6a146dcc1a5f3bb934bcd4ae2ae1d4da28ac68b4a20593f06ba381c63081c33081c0060a2b0601040183a25a01010101ff0481ae3081ab045f0803125b3059301306072a8648ce3d020106082a8648ce3d0301070342000484b93fa456a74bd0153919f036db7bc63c802f055bc7023395d0203de718ee0fc7b570b767cdd858aca6c7c4113ff002e78bd2138ac1a3b26dde3519e06979ad04483046022100bc84014cea5a41feabdf4c161096564b9ccf4b62fbef4fe1cd382c84e11101780221009204f086a84cb8ed8a9ddd7868dc90c792ee434adf62c66f99a08a5eba11615b300a06082a8648ce3d0403020348003045022054b437be9a2edf591312d68ff24bf91367ad4143f76cf80b5658f232ade820da022100e23b48de9df9c25d4c83ddddf75d2676f0b9318ee2a6c88a736d85eab94a912f
+```
+
+PeerId: `QmZcrvr3r4S3QvwFdae3c2EWTfo792Y14UpzCZurhmiWeX`
+
+### 3. Valid certificate authenticating a secp256k1 Peer ID
+
+Certificate:
+```
+3082018230820128a003020102020900f3b305f55622cfdf300a06082a8648ce3d04030230003020170d3735303130313030303030305a180f34303936303130313030303030305a30003059301306072a8648ce3d020106082a8648ce3d0301070342000458f7e9581748ff9bdd933b655cc0e5552a1248f840658cc221dec2186b5a2fe4641b86ab7590a3422cdbb1000cf97662f27e5910d7569f22feed8829c8b52e0fa38188308185308182060a2b0601040183a25a01010101ff0471306f042508021221026b053094d1112bce799dc8026040ae6d4eb574157929f1598172061f753d9b1b04463044022040712707e97794c478d93989aaa28ae1f71c03af524a8a4bd2d98424948a782302207b61b7f074b696a25fb9e0059141a811cccc4cc28042d9301b9b2a4015e87470300a06082a8648ce3d04030203480030450220143ae4d86fdc8675d2480bb6912eca5e39165df7f572d836aa2f2d6acfab13f8022100831d1979a98f0c4a6fb5069ca374de92f1a1205c962a6d90ad3d7554cb7d9df4
+```
+
+PeerId: `16Uiu2HAm2dSCBFxuge46aEt7U1oejtYuBUZXxASHqmcfVmk4gsbx`
+
+### 4. Invalid certificate
+
+This certificate has a mismatch between the Peer ID that it claims to authenticate vs the key that was used to sign it.
+
+Certificate:
+```
+308201773082011da003020102020830a73c5d896a1109300a06082a8648ce3d04030230003020170d3735303130313030303030305a180f34303936303130313030303030305a30003059301306072a8648ce3d020106082a8648ce3d03010703420004bbe62df9a7c1c46b7f1f21d556deec5382a36df146fb29c7f1240e60d7d5328570e3b71d99602b77a65c9b3655f62837f8d66b59f1763b8c9beba3be07778043a37f307d307b060a2b0601040183a25a01010101ff046a3068042408011220ec8094573afb9728088860864f7bcea2d4fd412fef09a8e2d24d482377c20db60440ecabae8354afa2f0af4b8d2ad871e865cb5a7c0c8d3dbdbf42de577f92461a0ebb0a28703e33581af7d2a4f2270fc37aec6261fcc95f8af08f3f4806581c730a300a06082a8648ce3d040302034800304502202dfb17a6fa0f94ee0e2e6a3b9fb6e986f311dee27392058016464bd130930a61022100ba4b937a11c8d3172b81e7cd04aedb79b978c4379c2b5b24d565dd5d67d3cb3c
+```
 
 ## Future Extensibility
 

From e63dbf432a94512ea3cda63db6e4baaa95178256 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger <thomas@eizinger.io>
Date: Fri, 30 Sep 2022 16:00:24 +1000
Subject: [PATCH 2/3] Describe test cases

---
 tls/tls.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tls/tls.md b/tls/tls.md
index 2febb6c35..648f00e83 100644
--- a/tls/tls.md
+++ b/tls/tls.md
@@ -123,7 +123,11 @@ How the public key is encoded into the `Data` bytes depends on the Key Type.
 ## Test vectors
 
 The following items presents test vectors that a compatible implementation should pass.
-All certificates are HEX encoded.
+Due to the randomness required when signing certificates, it is hard to provide testcases for generating certificates.
+These test cases verify that implements can correctly parse certificates with all key types.
+Implementations are encouraged to also perform roundtrip tests on their own certificate generation.
+
+All certificates in these testcases are HEX encoded.
 
 ### 1. Valid certificate authenticating an ED25519 Peer ID
 

From 99994ed9ae7205a310c47315b2a8801d09a0b63c Mon Sep 17 00:00:00 2001
From: Max Inden <mail@max-inden.de>
Date: Tue, 4 Oct 2022 12:11:39 +0100
Subject: [PATCH 3/3] Apply suggestions from code review

---
 tls/tls.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tls/tls.md b/tls/tls.md
index 648f00e83..997c94df6 100644
--- a/tls/tls.md
+++ b/tls/tls.md
@@ -122,9 +122,9 @@ How the public key is encoded into the `Data` bytes depends on the Key Type.
 
 ## Test vectors
 
-The following items presents test vectors that a compatible implementation should pass.
+The following items present test vectors that a compatible implementation should pass.
 Due to the randomness required when signing certificates, it is hard to provide testcases for generating certificates.
-These test cases verify that implements can correctly parse certificates with all key types.
+These test cases verify that implementations can correctly parse certificates with all key types.
 Implementations are encouraged to also perform roundtrip tests on their own certificate generation.
 
 All certificates in these testcases are HEX encoded.