diff options
86 files changed, 3914 insertions, 541 deletions
diff --git a/botan_version.py b/botan_version.py index 2f34dcf4f..a99c6fc51 100644 --- a/botan_version.py +++ b/botan_version.py @@ -1,7 +1,7 @@ release_major = 1 release_minor = 11 -release_patch = 22 +release_patch = 24 release_so_abi_rev = release_patch # These are set by the distribution script diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst index 554846c25..f96f27620 100644 --- a/doc/manual/tls.rst +++ b/doc/manual/tls.rst @@ -194,19 +194,20 @@ TLS Clients .. cpp:class:: TLS::Client - .. cpp:function:: TLS::Client( \ - output_fn output, \ - data_cb data, \ - alert_cb alert, \ - handshake_cb handshake_complete, \ - TLS::Session_Manager& session_manager, \ - Credentials_Manager& credendials_manager, \ - const TLS::Policy& policy, \ - RandomNumberGenerator& rng, \ - const Server_Information& server_info, \ - const Protocol_Version offer_version, \ - const std::vector<std::string>& app_protocols, - size_t reserved_io_buffer_size) + .. cpp:function:: Client( \ + output_fn out, \ + data_cb app_data_cb, \ + alert_cb alert_cb, \ + handshake_cb hs_cb, \ + Session_Manager& session_manager, \ + Credentials_Manager& creds, \ + const Policy& policy, \ + RandomNumberGenerator& rng, \ + const Server_Information& server_info = Server_Information(), \ + const Protocol_Version offer_version = Protocol_Version::latest_tls_version(), \ + const std::vector<std::string>& next_protocols = {}, \ + size_t reserved_io_buffer_size = 16*1024 \ + ) Initialize a new TLS client. The constructor will immediately initiate a new session. @@ -284,20 +285,21 @@ TLS Servers .. cpp:class:: TLS::Server - .. cpp:function:: TLS::Server( \ - std::function<void, const byte*, size_t> output_fn, \ - std::function<void, const byte*, size_t> data_cb, \ - std::function<TLS::Alert, const byte*, size_t> alert_cb, \ - TLS::Session_Manager& session_manager, \ - Credentials_Manager& creds, \ - const TLS::Policy& policy, \ - RandomNumberGenerator& rng, \ - std::function<std::string, std::vector<std::string> > proto_chooser, - const std::vector<std::string>& protocols, \ - bool is_datagram = false, \ - bool reserved_io_buffer_size) - -The first 7 arguments as well as the final argument + .. cpp:function:: Server( \ + output_fn output, \ + data_cb data_cb, \ + alert_cb alert_cb, \ + handshake_cb handshake_cb, \ + Session_Manager& session_manager, \ + Credentials_Manager& creds, \ + const Policy& policy, \ + RandomNumberGenerator& rng, \ + next_protocol_fn next_proto = next_protocol_fn(), \ + bool is_datagram = false, \ + size_t reserved_io_buffer_size = 16*1024 \ + ) + +The first 8 arguments as well as the final argument *reserved_io_buffer_size*, are treated similiarly to the :ref:`client <tls_client>`. @@ -517,7 +519,9 @@ policy settings from a file. authentication, sending data in cleartext) are also not supported by the implementation and cannot be negotiated. - Default value: "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM", + Values without an explicit mode use old-style CBC with HMAC encryption. + + Default value: "AES-256/GCM", "AES-128/GCM", "ChaCha20Poly1305", "AES-256/CCM", "AES-128/CCM", "AES-256/CCM-8", "AES-128/CCM-8", "AES-256", "AES-128" @@ -570,7 +574,7 @@ policy settings from a file. Default: "ECDSA", "RSA", "DSA" - Also allowed: "" (meaning anonymous) + Also allowed (disabled by default): "" (meaning anonymous) .. cpp:function:: std::vector<std::string> allowed_ecc_curves() const @@ -742,20 +746,10 @@ The ``TLS::Protocol_Version`` class represents a specific version: .. cpp:class:: TLS::Protocol_Version - .. cpp:type:: enum Version_Code + .. cpp:enum:: Version_Code ``TLS_V10``, ``TLS_V11``, ``TLS_V12``, ``DTLS_V10``, ``DTLS_V12`` - .. cpp:function:: static Protocol_Version latest_tls_version() - - Returns the latest version of TLS supported by this implementation - (currently TLS v1.2) - - .. cpp:function:: static Protocol_Version latest_dtls_version() - - Returns the latest version of DTLS supported by this implementation - (currently DTLS v1.2) - .. cpp:function:: Protocol_Version(Version_Code named_version) Create a specific version diff --git a/doc/manual/x509.rst b/doc/manual/x509.rst index d4500d692..84263ae3d 100644 --- a/doc/manual/x509.rst +++ b/doc/manual/x509.rst @@ -20,13 +20,13 @@ in the :doc:`tls` protocol. A X.509 certificate is represented by Returns the public key of the subject - .. cpp:function:: X509_DN subject_dn() const + .. cpp:function:: X509_DN issuer_dn() const - Returns the distinguished name of the issuer + Returns the distinguished name (DN) of the certificate's issuer .. cpp:function:: X509_DN subject_dn() const - Returns the distinguished name of the issuer + Returns the distinguished name (DN) of the certificate's subject .. cpp:function:: std::string start_time() const diff --git a/doc/news.rst b/doc/news.rst index 72ab4ad9f..7d53f9d24 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -1,15 +1,34 @@ Release Notes ======================================== -Version 1.11.22, Not Yet Released +Version 1.11.24, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* The routines for decoding PKCS #1 encryption and OAEP blocks have been - rewritten to run without secret indexes or branches. These cryptographic - operations are vulnerable to oracle attacks, including via side channels such - as timing or cache-based analysis. In theory it would be possible to attack - the previous implementations using such a side channel, which could allow - an attacker to mount a plaintext recovery attack. +* Fixed an endian dependency in McEliece key generation which caused + keys to be generated differently on big and little endian systems, + even when using a deterministic PRNG with the same seed. + +Version 1.11.23, 2015-10-26 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* CVE-2015-7824: An information leak allowed padding oracle attacks against + TLS CBC decryption. Found in a review by Sirrix AG and 3curity GmbH. + +* CVE-2015-7825: Validating a malformed certificate chain could cause an + infinite loop. Found in a review by Sirrix AG and 3curity GmbH. + +* CVE-2015-7826: X.509 path validation violated RFC 6125 and would accept + certificates which should not validate under those rules. In particular botan + would accept wildcard certificates as matching in situations where it should + not (for example it would erronously accept '*.example.com' as a valid + wildcard for 'foo.bar.example.com') + +* CVE-2015-7827: The routines for decoding PKCS #1 encryption and OAEP blocks + have been rewritten to run without secret indexes or branches. These + cryptographic operations are vulnerable to oracle attacks, including via side + channels such as timing or cache-based analysis. In theory it would be + possible to attack the previous implementations using such a side channel, + which could allow an attacker to mount a plaintext recovery attack. By writing the code such that it does not depend on secret inputs for branch or memory indexes, such a side channel would be much less likely to exist. @@ -35,6 +54,8 @@ Version 1.11.22, Not Yet Released deriving the next value by squaring the previous ones. The reinitializion interval can be controlled by the build.h parameter BOTAN_BLINDING_REINIT_INTERVAL. +* A bug decoding DTLS client hellos prevented session resumption for suceeding. + * DL_Group now prohibits creating a group smaller than 1024 bits. * Add System_RNG type. Previously the global system RNG was only accessible via @@ -48,6 +69,11 @@ Version 1.11.22, Not Yet Released * The `configure.py` option `--no-autoload` is now also available under the more understandable name `--minimized-build`. +* Note: 1.11.22 was briefly released on 2015-10-26. The only difference between + the two was a fix for a compilation problem in the OpenSSL RSA code. As the + 1.11.22 release had already been tagged it was simpler to immediately release + 1.11.23 rather than redo the release. + Version 1.11.21, 2015-10-11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/doc/security.rst b/doc/security.rst index 4b36fa717..192571829 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -19,7 +19,66 @@ Advisories 2015 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* 2015-08-03 (CVE-2015-5726) +* 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS + + A padding oracle attack was possible against TLS CBC ciphersuites because if a + certain length check on the packet fields failed, a different alert type than + one used for message authentication failure would be returned to the sender. + This check triggering would leak information about the value of the padding + bytes and could be used to perform iterative decryption. + + As with most such oracle attacks, the danger depends on the underlying + protocol - HTTP servers are particularly vulnerable. The current analysis + suggests that to exploit it an attacker would first have to guess several + bytes of plaintext, but again this is quite possible in many situations + including HTTP. + + Found in a review by Sirrix AG and 3curity GmbH. + + Introduced in 1.11.0, fixed in 1.11.22 + +* 2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation + + When evaluating a certificate path, if a loop in the certificate chain + was encountered (for instance where C1 certifies C2, which certifies C1) + an infinite loop would occur eventually resulting in memory exhaustion. + Found in a review by Sirrix AG and 3curity GmbH. + + Introduced in 1.11.6, fixed in 1.11.22 + +* 2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names + + RFC 6125 specifies how to match a X.509v3 certificate against a DNS name + for application usage. + + Otherwise valid certificates using wildcards would be accepted as matching + certain hostnames that should they should not according to RFC 6125. For + example a certificate issued for '*.example.com' should match + 'foo.example.com' but not 'example.com' or 'bar.foo.example.com'. Previously + Botan would accept such a certificate as valid for 'bar.foo.example.com'. + + RFC 6125 also requires that when matching a X.509 certificate against a DNS + name, the CN entry is only compared if no subjectAlternativeName entry is + available. Previously X509_Certificate::matches_dns_name would always check + both names. + + Found in a review by Sirrix AG and 3curity GmbH. + + Introduced in 1.11.0, fixed in 1.11.22 + +* 2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time + + During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was + input dependent. If these differences could be measured by an attacker, it + could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5 + decoding has been rewritten to use a sequence of operations which do not + contain any input-dependent indexes or jumps. Notations for checking constant + time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS + #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH. + + Fixed in 1.11.22. Affected all previous versions. + +* 2015-08-03 (CVE-2015-5726): Crash in BER decoder The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be @@ -28,7 +87,7 @@ Advisories Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11 -* 2015-08-03 (CVE-2015-5727) +* 2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might @@ -39,7 +98,7 @@ Advisories 2014 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* 2014-04-10 (CVE-2014-9742) +* 2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check A bug in the Miller-Rabin primality test resulted in only a single random base being used instead of a sequence of such bases. This increased the probability @@ -48,4 +107,4 @@ Advisories number being incorrectly classed as prime with a single base is around 2^-40. Reported by Jeff Marrison. - Fixed in 1.11.9 and 1.10.8, affected all versions since 1.8.3 + Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9 diff --git a/readme.rst b/readme.rst index 24613faf7..928efab35 100644 --- a/readme.rst +++ b/readme.rst @@ -72,6 +72,9 @@ There is also a third party open source implementation of Download ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +See the `change notes <http://botan.randombit.net/news.html>`_ and +`security page <http://botan.randombit.net/security.html>`_ + All releases are signed with a `PGP key <http://botan.randombit.net/pgpkey.txt>`_:: @@ -100,9 +103,9 @@ later, Clang 3.4 and later, and MSVC 2013 are regularly tested. A new development release is made on the first Monday of every month. The latest development release is -`1.11.21 <http://botan.randombit.net/releases/Botan-1.11.21.tgz>`_ -`(sig) <http://botan.randombit.net/releases/Botan-1.11.21.tgz.asc>`_ -released on 2015-10-11 +`1.11.23 <http://botan.randombit.net/releases/Botan-1.11.23.tgz>`_ +`(sig) <http://botan.randombit.net/releases/Botan-1.11.23.tgz.asc>`_ +released on 2015-10-26 Old Stable Series (1.10) ---------------------------------------- diff --git a/src/lib/cert/x509/cert_status.h b/src/lib/cert/x509/cert_status.h index 56777cae8..5028af384 100644 --- a/src/lib/cert/x509/cert_status.h +++ b/src/lib/cert/x509/cert_status.h @@ -31,6 +31,8 @@ enum class Certificate_Status_Code { CERT_ISSUER_NOT_FOUND = 3000, CANNOT_ESTABLISH_TRUST, + CERT_CHAIN_LOOP, + // Validation errors POLICY_ERROR = 4000, INVALID_USAGE, @@ -42,6 +44,8 @@ enum class Certificate_Status_Code { OCSP_CERT_NOT_LISTED, OCSP_BAD_STATUS, + CERT_NAME_NOMATCH, + // Hard failures CERT_IS_REVOKED = 5000, CRL_BAD_SIGNATURE, diff --git a/src/lib/cert/x509/info.txt b/src/lib/cert/x509/info.txt index 291be3114..be1e879c3 100644 --- a/src/lib/cert/x509/info.txt +++ b/src/lib/cert/x509/info.txt @@ -1,4 +1,4 @@ -define X509_CERTIFICATES 20131128 +define X509_CERTIFICATES 20151023 define OCSP 20131128 <requires> diff --git a/src/lib/cert/x509/key_constraint.h b/src/lib/cert/x509/key_constraint.h index 3509b6868..179e413b5 100644 --- a/src/lib/cert/x509/key_constraint.h +++ b/src/lib/cert/x509/key_constraint.h @@ -18,15 +18,15 @@ namespace Botan { */ enum Key_Constraints { NO_CONSTRAINTS = 0, - DIGITAL_SIGNATURE = 32768, - NON_REPUDIATION = 16384, - KEY_ENCIPHERMENT = 8192, - DATA_ENCIPHERMENT = 4096, - KEY_AGREEMENT = 2048, - KEY_CERT_SIGN = 1024, - CRL_SIGN = 512, - ENCIPHER_ONLY = 256, - DECIPHER_ONLY = 128 + DIGITAL_SIGNATURE = 1 << 15, + NON_REPUDIATION = 1 << 14, + KEY_ENCIPHERMENT = 1 << 13, + DATA_ENCIPHERMENT = 1 << 12, + KEY_AGREEMENT = 1 << 11, + KEY_CERT_SIGN = 1 << 10, + CRL_SIGN = 1 << 9, + ENCIPHER_ONLY = 1 << 8, + DECIPHER_ONLY = 1 << 7 }; class Public_Key; diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp index 48e437352..3d1ebbbad 100644 --- a/src/lib/cert/x509/x509cert.cpp +++ b/src/lib/cert/x509/x509cert.cpp @@ -1,6 +1,6 @@ /* * X.509 Certificates -* (C) 1999-2010 Jack Lloyd +* (C) 1999-2010,2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -224,7 +224,7 @@ bool X509_Certificate::is_CA_cert() const if(!subject.get1_u32bit("X509v3.BasicConstraints.is_ca")) return false; - return allowed_usage(KEY_CERT_SIGN); + return allowed_usage(Key_Constraints(KEY_CERT_SIGN)); } bool X509_Certificate::allowed_usage(Key_Constraints usage) const @@ -236,10 +236,37 @@ bool X509_Certificate::allowed_usage(Key_Constraints usage) const bool X509_Certificate::allowed_usage(const std::string& usage) const { - for(auto constraint : ex_constraints()) - if(constraint == usage) + const std::vector<std::string> ex = ex_constraints(); + + if(ex.empty()) + return true; + + if(std::find(ex.begin(), ex.end(), usage) != ex.end()) + return true; + + return false; + } + +bool X509_Certificate::allowed_usage(Usage_Type usage) const + { + switch(usage) + { + case Usage_Type::UNSPECIFIED: return true; + case Usage_Type::TLS_SERVER_AUTH: + return allowed_usage(Key_Constraints(DATA_ENCIPHERMENT | KEY_ENCIPHERMENT | DIGITAL_SIGNATURE)) && allowed_usage("PKIX.ServerAuth"); + + case Usage_Type::TLS_CLIENT_AUTH: + return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.ClientAuth"); + + case Usage_Type::OCSP_RESPONDER: + return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.OCSPSigning"); + + case Usage_Type::CERTIFICATE_AUTHORITY: + return is_CA_cert(); + } + return false; } @@ -310,9 +337,6 @@ std::vector<byte> X509_Certificate::serial_number() const return subject.get1_memvec("X509.Certificate.serial"); } -/* -* Return the distinguished name of the issuer -*/ X509_DN X509_Certificate::issuer_dn() const { return create_dn(issuer); @@ -323,9 +347,6 @@ std::vector<byte> X509_Certificate::raw_issuer_dn() const return issuer.get1_memvec("X509.Certificate.dn_bits"); } -/* -* Return the distinguished name of the subject -*/ X509_DN X509_Certificate::subject_dn() const { return create_dn(subject); @@ -336,36 +357,6 @@ std::vector<byte> X509_Certificate::raw_subject_dn() const return subject.get1_memvec("X509.Certificate.dn_bits"); } -namespace { - -bool cert_subject_dns_match(const std::string& name, - const std::vector<std::string>& cert_names) - { - for(size_t i = 0; i != cert_names.size(); ++i) - { - const std::string cn = cert_names[i]; - - if(cn == name) - return true; - - /* - * Possible wildcard match. We only support the most basic form of - * cert wildcarding ala RFC 2595 - */ - if(cn.size() > 2 && cn[0] == '*' && cn[1] == '.' && name.size() > cn.size()) - { - const std::string base = cn.substr(1, std::string::npos); - - if(name.compare(name.size() - base.size(), base.size(), base) == 0) - return true; - } - } - - return false; - } - -} - std::string X509_Certificate::fingerprint(const std::string& hash_name) const { std::unique_ptr<HashFunction> hash(HashFunction::create(hash_name)); @@ -391,11 +382,17 @@ bool X509_Certificate::matches_dns_name(const std::string& name) const if(name == "") return false; - if(cert_subject_dns_match(name, subject_info("DNS"))) - return true; + std::vector<std::string> issued_names = subject_info("DNS"); - if(cert_subject_dns_match(name, subject_info("Name"))) - return true; + // Fall back to CN only if no DNS names are set (RFC 6125 sec 6.4.4) + if(issued_names.empty()) + issued_names = subject_info("Name"); + + for(size_t i = 0; i != issued_names.size(); ++i) + { + if(host_wildcard_match(issued_names[i], name)) + return true; + } return false; } @@ -436,45 +433,36 @@ bool operator!=(const X509_Certificate& cert1, const X509_Certificate& cert2) std::string X509_Certificate::to_string() const { - const char* dn_fields[] = { "Name", - "Email", - "Organization", - "Organizational Unit", - "Locality", - "State", - "Country", - "IP", - "DNS", - "URI", - "PKIX.XMPPAddr", - nullptr }; + const std::vector<std::string> dn_fields{ + "Name", + "Email", + "Organization", + "Organizational Unit", + "Locality", + "State", + "Country", + "IP", + "DNS", + "URI", + "PKIX.XMPPAddr" + }; std::ostringstream out; - for(size_t i = 0; dn_fields[i]; ++i) + for(auto&& field : dn_fields) { - const std::vector<std::string> vals = this->subject_info(dn_fields[i]); - - if(vals.empty()) - continue; - - out << "Subject " << dn_fields[i] << ":"; - for(size_t j = 0; j != vals.size(); ++j) - out << " " << vals[j]; - out << "\n"; + for(auto&& val : subject_info(field)) + { + out << "Subject " << field << ": " << val << "\n"; + } } - for(size_t i = 0; dn_fields[i]; ++i) + for(auto&& field : dn_fields) { - const std::vector<std::string> vals = this->issuer_info(dn_fields[i]); - - if(vals.empty()) - continue; - - out << "Issuer " << dn_fields[i] << ":"; - for(size_t j = 0; j != vals.size(); ++j) - out << " " << vals[j]; - out << "\n"; + for(auto&& val : issuer_info(field)) + { + out << "Issuer " << field << ": " << val << "\n"; + } } out << "Version: " << this->x509_version() << "\n"; diff --git a/src/lib/cert/x509/x509cert.h b/src/lib/cert/x509/x509cert.h index 9fd3e660a..578360a80 100644 --- a/src/lib/cert/x509/x509cert.h +++ b/src/lib/cert/x509/x509cert.h @@ -1,6 +1,6 @@ /* * X.509 Certificates -* (C) 1999-2007 Jack Lloyd +* (C) 1999-2007,2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -18,6 +18,15 @@ namespace Botan { +enum class Usage_Type + { + UNSPECIFIED, // no restrictions + TLS_SERVER_AUTH, + TLS_CLIENT_AUTH, + CERTIFICATE_AUTHORITY, + OCSP_RESPONDER + }; + /** * This class represents X.509 Certificate */ @@ -37,13 +46,13 @@ class BOTAN_DLL X509_Certificate : public X509_Object std::vector<byte> subject_public_key_bits() const; /** - * Get the issuer certificate DN. + * Get the certificate's issuer distinguished name (DN). * @return issuer DN of this certificate */ X509_DN issuer_dn() const; /** - * Get the subject certificate DN. + * Get the certificate's subject distinguished name (DN). * @return subject DN of this certificate */ X509_DN subject_dn() const; @@ -137,6 +146,8 @@ class BOTAN_DLL X509_Certificate : public X509_Object */ bool allowed_usage(const std::string& usage) const; + bool allowed_usage(Usage_Type usage) const; + /** * Get the path limit as defined in the BasicConstraints extension of * this certificate. diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp index 09cabcb65..a6c3ce6e9 100644 --- a/src/lib/cert/x509/x509path.cpp +++ b/src/lib/cert/x509/x509path.cpp @@ -214,7 +214,9 @@ check_chain(const std::vector<X509_Certificate>& cert_path, Path_Validation_Result x509_path_validate( const std::vector<X509_Certificate>& end_certs, const Path_Validation_Restrictions& restrictions, - const std::vector<Certificate_Store*>& certstores) + const std::vector<Certificate_Store*>& certstores, + const std::string& hostname, + Usage_Type usage) { if(end_certs.empty()) throw std::invalid_argument("x509_path_validate called with no subjects"); @@ -222,6 +224,13 @@ Path_Validation_Result x509_path_validate( std::vector<X509_Certificate> cert_path; cert_path.push_back(end_certs[0]); + /* + * This is an inelegant but functional way of preventing path loops + * (where C1 -> C2 -> C3 -> C1). We store a set of all the certificate + * fingerprints in the path. If there is a duplicate, we error out. + */ + std::set<std::string> certs_seen; + Certificate_Store_Overlay extra(end_certs); // iterate until we reach a root or cannot find the issuer @@ -231,38 +240,55 @@ Path_Validation_Result x509_path_validate( if(!cert) return Path_Validation_Result(Certificate_Status_Code::CERT_ISSUER_NOT_FOUND); + const std::string fprint = cert->fingerprint("SHA-256"); + if(certs_seen.count(fprint) > 0) + return Path_Validation_Result(Certificate_Status_Code::CERT_CHAIN_LOOP); + certs_seen.insert(fprint); cert_path.push_back(*cert); } - return Path_Validation_Result(check_chain(cert_path, restrictions, certstores), - std::move(cert_path)); + std::vector<std::set<Certificate_Status_Code>> res = check_chain(cert_path, restrictions, certstores); + + if(hostname != "" && !cert_path[0].matches_dns_name(hostname)) + res[0].insert(Certificate_Status_Code::CERT_NAME_NOMATCH); + + if(!cert_path[0].allowed_usage(usage)) + res[0].insert(Certificate_Status_Code::INVALID_USAGE); + + return Path_Validation_Result(res, std::move(cert_path)); } Path_Validation_Result x509_path_validate( const X509_Certificate& end_cert, const Path_Validation_Restrictions& restrictions, - const std::vector<Certificate_Store*>& certstores) + const std::vector<Certificate_Store*>& certstores, + const std::string& hostname, + Usage_Type usage) { std::vector<X509_Certificate> certs; certs.push_back(end_cert); - return x509_path_validate(certs, restrictions, certstores); + return x509_path_validate(certs, restrictions, certstores, hostname, usage); } Path_Validation_Result x509_path_validate( const std::vector<X509_Certificate>& end_certs, const Path_Validation_Restrictions& restrictions, - const Certificate_Store& store) + const Certificate_Store& store, + const std::string& hostname, + Usage_Type usage) { std::vector<Certificate_Store*> certstores; certstores.push_back(const_cast<Certificate_Store*>(&store)); - return x509_path_validate(end_certs, restrictions, certstores); + return x509_path_validate(end_certs, restrictions, certstores, hostname, usage); } Path_Validation_Result x509_path_validate( const X509_Certificate& end_cert, const Path_Validation_Restrictions& restrictions, - const Certificate_Store& store) + const Certificate_Store& store, + const std::string& hostname, + Usage_Type usage) { std::vector<X509_Certificate> certs; certs.push_back(end_cert); @@ -270,7 +296,7 @@ Path_Validation_Result x509_path_validate( std::vector<Certificate_Store*> certstores; certstores.push_back(const_cast<Certificate_Store*>(&store)); - return x509_path_validate(certs, restrictions, certstores); + return x509_path_validate(certs, restrictions, certstores, hostname, usage); } Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev, @@ -310,6 +336,9 @@ Path_Validation_Result::Path_Validation_Result(std::vector<std::set<Certificate_ const X509_Certificate& Path_Validation_Result::trust_root() const { + if(m_cert_path.empty()) + throw std::runtime_error("Path_Validation_Result::trust_root no path set"); + return m_cert_path[m_cert_path.size()-1]; } @@ -366,6 +395,8 @@ const char* Path_Validation_Result::status_string(Certificate_Status_Code code) return "Certificate issuer not found"; case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST: return "Cannot establish trust"; + case Certificate_Status_Code::CERT_CHAIN_LOOP: + return "Loop in certificate chain"; case Certificate_Status_Code::POLICY_ERROR: return "Policy error"; @@ -381,6 +412,8 @@ const char* Path_Validation_Result::status_string(Certificate_Status_Code code) return "OCSP cert not listed"; case Certificate_Status_Code::OCSP_BAD_STATUS: return "OCSP bad status"; + case Certificate_Status_Code::CERT_NAME_NOMATCH: + return "Certificate does not match provided name"; case Certificate_Status_Code::CERT_IS_REVOKED: return "Certificate is revoked"; @@ -388,9 +421,10 @@ const char* Path_Validation_Result::status_string(Certificate_Status_Code code) return "CRL bad signature"; case Certificate_Status_Code::SIGNATURE_ERROR: return "Signature error"; - default: - return "Unknown error"; + // intentionally no default so we are warned } + + return "Unknown error"; } } diff --git a/src/lib/cert/x509/x509path.h b/src/lib/cert/x509/x509path.h index f400641be..c56aef21f 100644 --- a/src/lib/cert/x509/x509path.h +++ b/src/lib/cert/x509/x509path.h @@ -132,13 +132,16 @@ class BOTAN_DLL Path_Validation_Result std::vector<X509_Certificate> m_cert_path; }; + /** * PKIX Path Validation */ Path_Validation_Result BOTAN_DLL x509_path_validate( const std::vector<X509_Certificate>& end_certs, const Path_Validation_Restrictions& restrictions, - const std::vector<Certificate_Store*>& certstores); + const std::vector<Certificate_Store*>& certstores, + const std::string& hostname = "", + Usage_Type usage = Usage_Type::UNSPECIFIED); /** * PKIX Path Validation @@ -146,7 +149,9 @@ Path_Validation_Result BOTAN_DLL x509_path_validate( Path_Validation_Result BOTAN_DLL x509_path_validate( const X509_Certificate& end_cert, const Path_Validation_Restrictions& restrictions, - const std::vector<Certificate_Store*>& certstores); + const std::vector<Certificate_Store*>& certstores, + const std::string& hostname = "", + Usage_Type usage = Usage_Type::UNSPECIFIED); /** * PKIX Path Validation @@ -154,7 +159,9 @@ Path_Validation_Result BOTAN_DLL x509_path_validate( Path_Validation_Result BOTAN_DLL x509_path_validate( const X509_Certificate& end_cert, const Path_Validation_Restrictions& restrictions, - const Certificate_Store& store); + const Certificate_Store& store, + const std::string& hostname = "", + Usage_Type usage = Usage_Type::UNSPECIFIED); /** * PKIX Path Validation @@ -162,7 +169,9 @@ Path_Validation_Result BOTAN_DLL x509_path_validate( Path_Validation_Result BOTAN_DLL x509_path_validate( const std::vector<X509_Certificate>& end_certs, const Path_Validation_Restrictions& restrictions, - const Certificate_Store& store); + const Certificate_Store& store, + const std::string& hostname = "", + Usage_Type usage = Usage_Type::UNSPECIFIED); } diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp index 6b3bce0aa..5ff288db2 100644 --- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp +++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp @@ -28,8 +28,7 @@ secure_vector<byte> EME_PKCS1v15::pad(const byte in[], size_t inlen, out[0] = 0x02; for(size_t j = 1; j != olen - inlen - 1; ++j) - while(out[j] == 0) - out[j] = rng.next_byte(); + out[j] = rng.next_nonzero_byte(); buffer_insert(out, olen - inlen, in, inlen); return out; diff --git a/src/lib/pubkey/mce/code_based_key_gen.cpp b/src/lib/pubkey/mce/code_based_key_gen.cpp index 44b1cb4d6..8fb290386 100644 --- a/src/lib/pubkey/mce/code_based_key_gen.cpp +++ b/src/lib/pubkey/mce/code_based_key_gen.cpp @@ -4,12 +4,14 @@ * * (C) 2014 cryptosource GmbH * (C) 2014 Falko Strenzke [email protected] + * (C) 2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) * */ #include <botan/mceliece.h> +#include <botan/internal/mce_internal.h> #include <botan/internal/code_based_util.h> #include <botan/loadstor.h> @@ -133,21 +135,14 @@ secure_vector<int> binary_matrix::row_reduced_echelon_form() return perm; } -void randomize_support(u32bit n, std::vector<gf2m> & L, RandomNumberGenerator & rng) +void randomize_support(std::vector<gf2m>& L, RandomNumberGenerator& rng) { - unsigned int i, j; - gf2m tmp; - - for (i = 0; i < n; ++i) + for(u32bit i = 0; i != L.size(); ++i) { + gf2m rnd = random_gf2m(rng); - gf2m rnd; - rng.randomize(reinterpret_cast<byte*>(&rnd), sizeof(rnd)); - j = rnd % n; // no rejection sampling, but for useful code-based parameters with n <= 13 this seem tolerable - - tmp = L[j]; - L[j] = L[i]; - L[i] = tmp; + // no rejection sampling, but for useful code-based parameters with n <= 13 this seem tolerable + std::swap(L[i], L[rnd % L.size()]); } } @@ -234,7 +229,7 @@ McEliece_PrivateKey generate_mceliece_key( RandomNumberGenerator & rng, u32bit e { L[i]=i; } - randomize_support(code_length,L,rng); + randomize_support(L, rng); polyn_gf2m g(sp_field); // create as zero bool success = false; do diff --git a/src/lib/pubkey/mce/polyn_gf2m.cpp b/src/lib/pubkey/mce/polyn_gf2m.cpp index 4d9bcf2e8..ec60213db 100644 --- a/src/lib/pubkey/mce/polyn_gf2m.cpp +++ b/src/lib/pubkey/mce/polyn_gf2m.cpp @@ -4,6 +4,7 @@ * * (C) 2014 cryptosource GmbH * (C) 2014 Falko Strenzke [email protected] + * (C) 2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) * @@ -14,6 +15,7 @@ #include <botan/internal/bit_ops.h> #include <botan/rng.h> #include <botan/exceptn.h> +#include <botan/loadstor.h> namespace Botan { @@ -25,6 +27,9 @@ gf2m generate_gf2m_mask(gf2m a) return ~(result - 1); } +/** +* number of leading zeros +*/ unsigned nlz_16bit(u16bit x) { unsigned n; @@ -55,24 +60,31 @@ int polyn_gf2m::calc_degree_secure() const const_cast<polyn_gf2m*>(this)->m_deg = result; return result; } -/** -* number of leading zeros -*/ -gf2m random_code_element(unsigned code_length, Botan::RandomNumberGenerator& rng) +gf2m random_gf2m(RandomNumberGenerator& rng) + { + byte b[2]; + rng.randomize(b, sizeof(b)); + return make_u16bit(b[1], b[0]); + } + +gf2m random_code_element(unsigned code_length, RandomNumberGenerator& rng) { if(code_length == 0) { throw Invalid_Argument("random_code_element() was supplied a code length of zero"); } - unsigned nlz = nlz_16bit(code_length-1); - gf2m mask = (1 << (16-nlz)) -1; + const unsigned nlz = nlz_16bit(code_length-1); + const gf2m mask = (1 << (16-nlz)) -1; + gf2m result; + do { - rng.randomize(reinterpret_cast<byte*>(&result), sizeof(result)); + result = random_gf2m(rng); result &= mask; } while(result >= code_length); // rejection sampling + return result; } diff --git a/src/lib/pubkey/mce/polyn_gf2m.h b/src/lib/pubkey/mce/polyn_gf2m.h index 1c8cc5211..5d012f27b 100644 --- a/src/lib/pubkey/mce/polyn_gf2m.h +++ b/src/lib/pubkey/mce/polyn_gf2m.h @@ -152,6 +152,7 @@ struct polyn_gf2m std::shared_ptr<GF2m_Field> msp_field; }; +gf2m random_gf2m(RandomNumberGenerator& rng); gf2m random_code_element(unsigned code_length, RandomNumberGenerator& rng); std::vector<polyn_gf2m> syndrome_init(polyn_gf2m const& generator, std::vector<gf2m> const& support, int n); diff --git a/src/lib/pubkey/rsa/openssl_rsa.cpp b/src/lib/pubkey/rsa/openssl_rsa.cpp index f2825634a..a25c8552e 100644 --- a/src/lib/pubkey/rsa/openssl_rsa.cpp +++ b/src/lib/pubkey/rsa/openssl_rsa.cpp @@ -11,6 +11,7 @@ #include <botan/internal/openssl.h> #include <botan/internal/pk_utils.h> +#include <botan/internal/ct_utils.h> #include <functional> #include <memory> @@ -35,22 +36,6 @@ std::pair<int, size_t> get_openssl_enc_pad(const std::string& eme) throw Lookup_Error("OpenSSL RSA does not support EME " + eme); } -secure_vector<byte> strip_leading_zeros(const secure_vector<byte>& input) - { - size_t leading_zeros = 0; - - for(size_t i = 0; i != input.size(); ++i) - { - if(input[i] != 0) - break; - ++leading_zeros; - } - - secure_vector<byte> output(&input[leading_zeros], - &input[input.size()]); - return output; - } - class OpenSSL_RSA_Encryption_Operation : public PK_Ops::Encryption { public: @@ -164,8 +149,9 @@ class OpenSSL_RSA_Decryption_Operation : public PK_Ops::Decryption if(m_padding == RSA_NO_PADDING) { - return strip_leading_zeros(buf); + return CT::strip_leading_zeros(buf); } + return buf; } @@ -219,7 +205,7 @@ class OpenSSL_RSA_Verification_Operation : public PK_Ops::Verification_with_EMSA if(rc < 0) throw Invalid_Argument("RSA_public_decrypt"); - return strip_leading_zeros(outbuf); + return CT::strip_leading_zeros(outbuf); } private: std::unique_ptr<RSA, std::function<void (RSA*)>> m_openssl_rsa; diff --git a/src/lib/rng/rng.h b/src/lib/rng/rng.h index 6ee67f66f..261880d5d 100644 --- a/src/lib/rng/rng.h +++ b/src/lib/rng/rng.h @@ -75,6 +75,14 @@ class BOTAN_DLL RandomNumberGenerator */ byte next_byte() { return get_random<byte>(); } + byte next_nonzero_byte() + { + byte b = next_byte(); + while(b == 0) + b = next_byte(); + return b; + } + /** * Check whether this RNG is seeded. * @return true if this RNG was already seeded, false otherwise. diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp index 6443bb246..43ba7650a 100644 --- a/src/lib/tls/credentials_manager.cpp +++ b/src/lib/tls/credentials_manager.cpp @@ -104,6 +104,17 @@ bool cert_in_some_store(const std::vector<Certificate_Store*>& trusted_CAs, return false; } +Usage_Type choose_leaf_usage(const std::string& ctx) + { + // These are reversed because ctx is denoting the current perspective + if(ctx == "tls-client") + return Usage_Type::TLS_SERVER_AUTH; + else if(ctx == "tls-server") + return Usage_Type::TLS_CLIENT_AUTH; + else + return Usage_Type::UNSPECIFIED; + } + } void Credentials_Manager::verify_certificate_chain( @@ -120,16 +131,12 @@ void Credentials_Manager::verify_certificate_chain( auto result = x509_path_validate(cert_chain, restrictions, - trusted_CAs); - - if(!result.successful_validation()) - throw std::runtime_error("Certificate validation failure: " + result.result_string()); + trusted_CAs, + purported_hostname, + choose_leaf_usage(type)); if(!cert_in_some_store(trusted_CAs, result.trust_root())) throw std::runtime_error("Certificate chain roots in unknown/untrusted CA"); - - if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname)) - throw std::runtime_error("Certificate did not match hostname"); } } diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp index 82ba6f4f6..77bdc5cf5 100644 --- a/src/lib/tls/msg_client_hello.cpp +++ b/src/lib/tls/msg_client_hello.cpp @@ -1,6 +1,6 @@ /* * TLS Hello Request and Client Hello Messages -* (C) 2004-2011 Jack Lloyd +* (C) 2004-2011,2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -210,11 +210,11 @@ Client_Hello::Client_Hello(const std::vector<byte>& buf) m_random = reader.get_fixed<byte>(32); + m_session_id = reader.get_range<byte>(1, 0, 32); + if(m_version.is_datagram_protocol()) m_hello_cookie = reader.get_range<byte>(1, 0, 255); - m_session_id = reader.get_range<byte>(1, 0, 32); - m_suites = reader.get_range_vector<u16bit>(2, 1, 32767); m_comp_methods = reader.get_range_vector<byte>(1, 1, 255); diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp index c8dc2aad8..c5b9305c7 100644 --- a/src/lib/tls/msg_client_kex.cpp +++ b/src/lib/tls/msg_client_kex.cpp @@ -17,31 +17,12 @@ #include <botan/srp6.h> #include <botan/rng.h> #include <botan/loadstor.h> +#include <botan/internal/ct_utils.h> namespace Botan { namespace TLS { -namespace { - -secure_vector<byte> strip_leading_zeros(const secure_vector<byte>& input) - { - size_t leading_zeros = 0; - - for(size_t i = 0; i != input.size(); ++i) - { - if(input[i] != 0) - break; - ++leading_zeros; - } - - secure_vector<byte> output(&input[leading_zeros], - &input[input.size()]); - return output; - } - -} - /* * Create a new Client Key Exchange message */ @@ -134,7 +115,7 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io, PK_Key_Agreement ka(priv_key, "Raw"); - secure_vector<byte> dh_secret = strip_leading_zeros( + secure_vector<byte> dh_secret = CT::strip_leading_zeros( ka.derive_key(0, counterparty_key.public_value()).bits_of()); if(kex_algo == "DH") @@ -373,7 +354,7 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents, secure_vector<byte> shared_secret = ka.derive_key(0, client_pubkey).bits_of(); if(ka_key->algo_name() == "DH") - shared_secret = strip_leading_zeros(shared_secret); + shared_secret = CT::strip_leading_zeros(shared_secret); if(kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK") { diff --git a/src/lib/tls/tls_channel.cpp b/src/lib/tls/tls_channel.cpp index e2b1aad9d..5dfcec34e 100644 --- a/src/lib/tls/tls_channel.cpp +++ b/src/lib/tls/tls_channel.cpp @@ -23,17 +23,21 @@ Channel::Channel(output_fn output_fn, data_cb data_cb, alert_cb alert_cb, handshake_cb handshake_cb, + handshake_msg_cb handshake_msg_cb, Session_Manager& session_manager, RandomNumberGenerator& rng, + const Policy& policy, bool is_datagram, size_t reserved_io_buffer_size) : m_is_datagram(is_datagram), - m_handshake_cb(handshake_cb), m_data_cb(data_cb), m_alert_cb(alert_cb), m_output_fn(output_fn), - m_rng(rng), - m_session_manager(session_manager) + m_handshake_cb(handshake_cb), + m_handshake_msg_cb(handshake_msg_cb), + m_session_manager(session_manager), + m_policy(policy), + m_rng(rng) { /* epoch 0 is plaintext, thus null cipher state */ m_write_cipher_states[0] = nullptr; @@ -66,20 +70,16 @@ Connection_Sequence_Numbers& Channel::sequence_numbers() const std::shared_ptr<Connection_Cipher_State> Channel::read_cipher_state_epoch(u16bit epoch) const { auto i = m_read_cipher_states.find(epoch); - - BOTAN_ASSERT(i != m_read_cipher_states.end(), - "Have a cipher state for the specified epoch"); - + if(i == m_read_cipher_states.end()) + throw Internal_Error("TLS::Channel No read cipherstate for epoch " + std::to_string(epoch)); return i->second; } std::shared_ptr<Connection_Cipher_State> Channel::write_cipher_state_epoch(u16bit epoch) const { auto i = m_write_cipher_states.find(epoch); - - BOTAN_ASSERT(i != m_write_cipher_states.end(), - "Have a cipher state for the specified epoch"); - + if(i == m_write_cipher_states.end()) + throw Internal_Error("TLS::Channel No write cipherstate for epoch " + std::to_string(epoch)); return i->second; } @@ -120,17 +120,17 @@ Handshake_State& Channel::create_handshake_state(Protocol_Version version) std::unique_ptr<Handshake_IO> io; if(version.is_datagram_protocol()) { - // default MTU is IPv6 min MTU minus UDP/IP headers (TODO: make configurable) - const u16bit mtu = 1280 - 40 - 8; - io.reset(new Datagram_Handshake_IO( std::bind(&Channel::send_record_under_epoch, this, _1, _2, _3), sequence_numbers(), - mtu)); + m_policy.dtls_default_mtu(), + m_policy.dtls_initial_timeout(), + m_policy.dtls_maximum_timeout())); } else - io.reset(new Stream_Handshake_IO( - std::bind(&Channel::send_record, this, _1, _2))); + { + io.reset(new Stream_Handshake_IO(std::bind(&Channel::send_record, this, _1, _2))); + } m_pending_state.reset(new_handshake_state(io.release())); @@ -333,12 +333,13 @@ size_t Channel::received_data(const byte input[], size_t input_size) if(record.size() > max_fragment_size) throw TLS_Exception(Alert::RECORD_OVERFLOW, - "Plaintext record is too large"); + "TLS input record is larger than allowed maximum"); if(record_type == HANDSHAKE || record_type == CHANGE_CIPHER_SPEC) { if(!m_pending_state) { + // No pending handshake, possibly new: if(record_version.is_datagram_protocol()) { if(m_sequence_numbers) @@ -374,6 +375,7 @@ size_t Channel::received_data(const byte input[], size_t input_size) } } + // May have been created in above conditional if(m_pending_state) { m_pending_state->handshake_io().add_record(unlock(record), diff --git a/src/lib/tls/tls_channel.h b/src/lib/tls/tls_channel.h index 4e6874a16..9ef2d17c4 100644 --- a/src/lib/tls/tls_channel.h +++ b/src/lib/tls/tls_channel.h @@ -24,6 +24,7 @@ namespace TLS { class Connection_Cipher_State; class Connection_Sequence_Numbers; class Handshake_State; +class Handshake_Message; /** * Generic interface for TLS endpoint @@ -35,15 +36,18 @@ class BOTAN_DLL Channel typedef std::function<void (const byte[], size_t)> data_cb; typedef std::function<void (Alert, const byte[], size_t)> alert_cb; typedef std::function<bool (const Session&)> handshake_cb; + typedef std::function<void (const Handshake_Message&)> handshake_msg_cb; Channel(output_fn out, data_cb app_data_cb, alert_cb alert_cb, handshake_cb hs_cb, + handshake_msg_cb hs_msg_cb, Session_Manager& session_manager, RandomNumberGenerator& rng, + const Policy& policy, bool is_datagram, - size_t reserved_io_buffer_size); + size_t io_buf_sz = 16*1024); Channel(const Channel&) = delete; @@ -196,6 +200,8 @@ class BOTAN_DLL Channel Handshake_State& create_handshake_state(Protocol_Version version); + void inspect_handshake_message(const Handshake_Message& msg); + void activate_session(); void change_cipher_spec_reader(Connection_Side side); @@ -214,8 +220,11 @@ class BOTAN_DLL Channel Session_Manager& session_manager() { return m_session_manager; } + const Policy& policy() const { return m_policy; } + bool save_session(const Session& session) const { return m_handshake_cb(session); } + handshake_msg_cb get_handshake_msg_cb() const { return m_handshake_msg_cb; } private: size_t maximum_fragment_size() const; @@ -245,14 +254,16 @@ class BOTAN_DLL Channel bool m_is_datagram; /* callbacks */ - handshake_cb m_handshake_cb; data_cb m_data_cb; alert_cb m_alert_cb; output_fn m_output_fn; + handshake_cb m_handshake_cb; + handshake_msg_cb m_handshake_msg_cb; /* external state */ - RandomNumberGenerator& m_rng; Session_Manager& m_session_manager; + const Policy& m_policy; + RandomNumberGenerator& m_rng; /* sequence number state */ std::unique_ptr<Connection_Sequence_Numbers> m_sequence_numbers; diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp index 9306092ce..82630b7fa 100644 --- a/src/lib/tls/tls_client.cpp +++ b/src/lib/tls/tls_client.cpp @@ -1,6 +1,6 @@ /* * TLS Client -* (C) 2004-2011,2012 Jack Lloyd +* (C) 2004-2011,2012,2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -23,8 +23,7 @@ class Client_Handshake_State : public Handshake_State public: // using Handshake_State::Handshake_State; - Client_Handshake_State(Handshake_IO* io, hs_msg_cb cb = hs_msg_cb()) : - Handshake_State(io, cb) {} + Client_Handshake_State(Handshake_IO* io, handshake_msg_cb cb) : Handshake_State(io, cb) {} const Public_Key& get_server_public_Key() const { @@ -55,9 +54,31 @@ Client::Client(output_fn output_fn, const Protocol_Version offer_version, const std::vector<std::string>& next_protos, size_t io_buf_sz) : - Channel(output_fn, proc_cb, alert_cb, handshake_cb, session_manager, rng, - offer_version.is_datagram_protocol(), io_buf_sz), - m_policy(policy), + Channel(output_fn, proc_cb, alert_cb, handshake_cb, Channel::handshake_msg_cb(), + session_manager, rng, policy, offer_version.is_datagram_protocol(), io_buf_sz), + m_creds(creds), + m_info(info) + { + const std::string srp_identifier = m_creds.srp_identifier("tls-client", m_info.hostname()); + + Handshake_State& state = create_handshake_state(offer_version); + send_client_hello(state, false, offer_version, srp_identifier, next_protos); + } + +Client::Client(output_fn output_fn, + data_cb proc_cb, + alert_cb alert_cb, + handshake_cb handshake_cb, + handshake_msg_cb hs_msg_cb, + Session_Manager& session_manager, + Credentials_Manager& creds, + const Policy& policy, + RandomNumberGenerator& rng, + const Server_Information& info, + const Protocol_Version offer_version, + const std::vector<std::string>& next_protos) : + Channel(output_fn, proc_cb, alert_cb, handshake_cb, hs_msg_cb, + session_manager, rng, policy, offer_version.is_datagram_protocol()), m_creds(creds), m_info(info) { @@ -69,7 +90,7 @@ Client::Client(output_fn output_fn, Handshake_State* Client::new_handshake_state(Handshake_IO* io) { - return new Client_Handshake_State(io); // , m_hs_msg_cb); + return new Client_Handshake_State(io, get_handshake_msg_cb()); } std::vector<X509_Certificate> @@ -111,7 +132,7 @@ void Client::send_client_hello(Handshake_State& state_base, state.client_hello(new Client_Hello( state.handshake_io(), state.hash(), - m_policy, + policy(), rng(), secure_renegotiation_data_for_client_hello(), session_info, @@ -128,7 +149,7 @@ void Client::send_client_hello(Handshake_State& state_base, state.handshake_io(), state.hash(), version, - m_policy, + policy(), rng(), secure_renegotiation_data_for_client_hello(), next_protocols, @@ -157,9 +178,9 @@ void Client::process_handshake_msg(const Handshake_State* active_state, if(state.client_hello()) return; - if(m_policy.allow_server_initiated_renegotiation()) + if(policy().allow_server_initiated_renegotiation()) { - if(!secure_renegotiation_supported() && m_policy.allow_insecure_renegotiation() == false) + if(!secure_renegotiation_supported() && policy().allow_insecure_renegotiation() == false) send_warning_alert(Alert::NO_RENEGOTIATION); else this->initiate_handshake(state, false); @@ -263,7 +284,9 @@ void Client::process_handshake_msg(const Handshake_State* active_state, if(state.server_hello()->supports_session_ticket()) state.set_expected_next(NEW_SESSION_TICKET); else + { state.set_expected_next(HANDSHAKE_CCS); + } } else { @@ -282,7 +305,7 @@ void Client::process_handshake_msg(const Handshake_State* active_state, "Server replied with later version than in hello"); } - if(!m_policy.acceptable_protocol_version(state.version())) + if(!policy().acceptable_protocol_version(state.version())) { throw TLS_Exception(Alert::PROTOCOL_VERSION, "Server version " + state.version().to_string() + @@ -406,7 +429,7 @@ void Client::process_handshake_msg(const Handshake_State* active_state, state.client_kex( new Client_Key_Exchange(state.handshake_io(), state, - m_policy, + policy(), m_creds, state.server_public_key.get(), m_info.hostname(), @@ -426,7 +449,7 @@ void Client::process_handshake_msg(const Handshake_State* active_state, state.client_verify( new Certificate_Verify(state.handshake_io(), state, - m_policy, + policy(), rng(), private_key) ); @@ -477,7 +500,7 @@ void Client::process_handshake_msg(const Handshake_State* active_state, const std::vector<byte>& session_ticket = state.session_ticket(); if(session_id.empty() && !session_ticket.empty()) - session_id = make_hello_random(rng(), m_policy); + session_id = make_hello_random(rng(), policy()); Session session_info( session_id, diff --git a/src/lib/tls/tls_client.h b/src/lib/tls/tls_client.h index e4e0dc363..b835c013e 100644 --- a/src/lib/tls/tls_client.h +++ b/src/lib/tls/tls_client.h @@ -67,6 +67,20 @@ class BOTAN_DLL Client : public Channel size_t reserved_io_buffer_size = 16*1024 ); + Client(output_fn out, + data_cb app_data_cb, + alert_cb alert_cb, + handshake_cb hs_cb, + handshake_msg_cb hs_msg_cb, + Session_Manager& session_manager, + Credentials_Manager& creds, + const Policy& policy, + RandomNumberGenerator& rng, + const Server_Information& server_info = Server_Information(), + const Protocol_Version offer_version = Protocol_Version::latest_tls_version(), + const std::vector<std::string>& next_protocols = {} + ); + const std::string& application_protocol() const { return m_application_protocol; } private: std::vector<X509_Certificate> @@ -88,7 +102,6 @@ class BOTAN_DLL Client : public Channel Handshake_State* new_handshake_state(Handshake_IO* io) override; - const Policy& m_policy; Credentials_Manager& m_creds; const Server_Information m_info; std::string m_application_protocol; diff --git a/src/lib/tls/tls_handshake_io.cpp b/src/lib/tls/tls_handshake_io.cpp index 6286eab08..f39c9f84e 100644 --- a/src/lib/tls/tls_handshake_io.cpp +++ b/src/lib/tls/tls_handshake_io.cpp @@ -1,6 +1,6 @@ /* * TLS Handshake IO -* (C) 2012,2014 Jack Lloyd +* (C) 2012,2014,2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -33,6 +33,24 @@ void store_be24(byte out[3], size_t val) out[2] = get_byte<u32bit>(3, val); } +u64bit steady_clock_ms() + { + return std::chrono::duration_cast<std::chrono::milliseconds>( + std::chrono::steady_clock::now().time_since_epoch()).count(); + } + +size_t split_for_mtu(size_t mtu, size_t msg_size) + { + const size_t DTLS_HEADERS_SIZE = 25; // DTLS record+handshake headers + + const size_t parts = (msg_size + mtu) / mtu; + + if(parts + DTLS_HEADERS_SIZE > mtu) + return parts + 1; + + return parts; + } + } Protocol_Version Stream_Handshake_IO::initial_record_version() const @@ -123,41 +141,15 @@ Protocol_Version Datagram_Handshake_IO::initial_record_version() const return Protocol_Version::DTLS_V10; } -namespace { - -// 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1 -const u64bit INITIAL_TIMEOUT = 1*1000; -const u64bit MAXIMUM_TIMEOUT = 60*1000; - -u64bit steady_clock_ms() +void Datagram_Handshake_IO::retransmit_last_flight() { - return std::chrono::duration_cast<std::chrono::milliseconds>( - std::chrono::steady_clock::now().time_since_epoch()).count(); + const size_t flight_idx = (m_flights.size() == 1) ? 0 : (m_flights.size() - 2); + retransmit_flight(flight_idx); } -} - -bool Datagram_Handshake_IO::timeout_check() +void Datagram_Handshake_IO::retransmit_flight(size_t flight_idx) { - if(m_last_write == 0 || (m_flights.size() > 1 && !m_flights.rbegin()->empty())) - { - /* - If we haven't written anything yet obviously no timeout. - Also no timeout possible if we are mid-flight, - */ - return false; - } - - const u64bit ms_since_write = steady_clock_ms() - m_last_write; - - if(ms_since_write < m_next_timeout) - return false; - - std::vector<u16bit> flight; - if(m_flights.size() == 1) - flight = m_flights.at(0); // lost initial client hello - else - flight = m_flights.at(m_flights.size() - 2); + const std::vector<u16bit>& flight = m_flights.at(flight_idx); BOTAN_ASSERT(flight.size() > 0, "Nonempty flight to retransmit"); @@ -177,8 +169,27 @@ bool Datagram_Handshake_IO::timeout_check() send_message(msg_seq, msg.epoch, msg.msg_type, msg.msg_bits); epoch = msg.epoch; } + } + +bool Datagram_Handshake_IO::timeout_check() + { + if(m_last_write == 0 || (m_flights.size() > 1 && !m_flights.rbegin()->empty())) + { + /* + If we haven't written anything yet obviously no timeout. + Also no timeout possible if we are mid-flight, + */ + return false; + } + + const u64bit ms_since_write = steady_clock_ms() - m_last_write; + + if(ms_since_write < m_next_timeout) + return false; - m_next_timeout = std::min(2 * m_next_timeout, MAXIMUM_TIMEOUT); + retransmit_last_flight(); + + m_next_timeout = std::min(2 * m_next_timeout, m_max_timeout); return true; } @@ -251,7 +262,6 @@ Datagram_Handshake_IO::get_next_record(bool expecting_ccs) if(m_ccs_epochs.count(current_epoch)) return std::make_pair(HANDSHAKE_CCS, std::vector<byte>()); } - return std::make_pair(HANDSHAKE_NONE, std::vector<byte>()); } @@ -376,21 +386,6 @@ Datagram_Handshake_IO::format(const std::vector<byte>& msg, return format_w_seq(msg, type, m_in_message_seq - 1); } -namespace { - -size_t split_for_mtu(size_t mtu, size_t msg_size) - { - const size_t DTLS_HEADERS_SIZE = 25; // DTLS record+handshake headers - - const size_t parts = (msg_size + mtu) / mtu; - - if(parts + DTLS_HEADERS_SIZE > mtu) - return parts + 1; - - return parts; - } - -} std::vector<byte> Datagram_Handshake_IO::send(const Handshake_Message& msg) @@ -411,7 +406,7 @@ Datagram_Handshake_IO::send(const Handshake_Message& msg) m_out_message_seq += 1; m_last_write = steady_clock_ms(); - m_next_timeout = INITIAL_TIMEOUT; + m_next_timeout = m_initial_timeout; return send_message(m_out_message_seq - 1, epoch, msg_type, msg_bits); } @@ -425,7 +420,9 @@ std::vector<byte> Datagram_Handshake_IO::send_message(u16bit msg_seq, format_w_seq(msg_bits, msg_type, msg_seq); if(no_fragment.size() + DTLS_HEADER_SIZE <= m_mtu) + { m_send_hs(epoch, HANDSHAKE, no_fragment); + } else { const size_t parts = split_for_mtu(m_mtu, msg_bits.size()); diff --git a/src/lib/tls/tls_handshake_io.h b/src/lib/tls/tls_handshake_io.h index 00074a744..a1c1c5ce3 100644 --- a/src/lib/tls/tls_handshake_io.h +++ b/src/lib/tls/tls_handshake_io.h @@ -100,8 +100,14 @@ class Datagram_Handshake_IO : public Handshake_IO Datagram_Handshake_IO(writer_fn writer, class Connection_Sequence_Numbers& seq, - u16bit mtu) : - m_seqs(seq), m_flights(1), m_send_hs(writer), m_mtu(mtu) {} + u16bit mtu, u64bit initial_timeout_ms, u64bit max_timeout_ms) : + m_seqs(seq), + m_flights(1), + m_initial_timeout(initial_timeout_ms), + m_max_timeout(max_timeout_ms), + m_send_hs(writer), + m_mtu(mtu) + {} Protocol_Version initial_record_version() const override; @@ -120,6 +126,9 @@ class Datagram_Handshake_IO : public Handshake_IO std::pair<Handshake_Type, std::vector<byte>> get_next_record(bool expecting_ccs) override; private: + void retransmit_flight(size_t flight); + void retransmit_last_flight(); + std::vector<byte> format_fragment( const byte fragment[], size_t fragment_len, @@ -183,6 +192,9 @@ class Datagram_Handshake_IO : public Handshake_IO std::vector<std::vector<u16bit>> m_flights; std::map<u16bit, Message_Info> m_flight_data; + u64bit m_initial_timeout = 0; + u64bit m_max_timeout = 0; + u64bit m_last_write = 0; u64bit m_next_timeout = 0; diff --git a/src/lib/tls/tls_handshake_msg.h b/src/lib/tls/tls_handshake_msg.h index 6937d4f2c..7e527abf4 100644 --- a/src/lib/tls/tls_handshake_msg.h +++ b/src/lib/tls/tls_handshake_msg.h @@ -22,6 +22,8 @@ namespace TLS { class BOTAN_DLL Handshake_Message { public: + std::string type_string() const; + virtual Handshake_Type type() const = 0; virtual std::vector<byte> serialize() const = 0; diff --git a/src/lib/tls/tls_handshake_state.cpp b/src/lib/tls/tls_handshake_state.cpp index cbbca3a0d..f885d3b08 100644 --- a/src/lib/tls/tls_handshake_state.cpp +++ b/src/lib/tls/tls_handshake_state.cpp @@ -1,6 +1,6 @@ /* * TLS Handshaking -* (C) 2004-2006,2011,2012 Jack Lloyd +* (C) 2004-2006,2011,2012,2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -13,6 +13,67 @@ namespace Botan { namespace TLS { +std::string Handshake_Message::type_string() const + { + return handshake_type_to_string(type()); + } + +const char* handshake_type_to_string(Handshake_Type type) + { + switch(type) + { + case HELLO_VERIFY_REQUEST: + return "hello_verify_request"; + + case HELLO_REQUEST: + return "hello_request"; + + case CLIENT_HELLO: + return "client_hello"; + + case SERVER_HELLO: + return "server_hello"; + + case CERTIFICATE: + return "certificate"; + + case CERTIFICATE_URL: + return "certificate_url"; + + case CERTIFICATE_STATUS: + return "certificate_status"; + + case SERVER_KEX: + return "server_key_exchange"; + + case CERTIFICATE_REQUEST: + return "certificate_request"; + + case SERVER_HELLO_DONE: + return "server_hello_done"; + + case CERTIFICATE_VERIFY: + return "certificate_verify"; + + case CLIENT_KEX: + return "client_key_exchange"; + + case NEW_SESSION_TICKET: + return "new_session_ticket"; + + case HANDSHAKE_CCS: + return "change_cipher_spec"; + + case FINISHED: + return "finished"; + + case HANDSHAKE_NONE: + return "invalid"; + } + + throw Internal_Error("Unknown TLS handshake message type " + std::to_string(type)); + } + namespace { u32bit bitmask_for_handshake_type(Handshake_Type type) @@ -25,9 +86,6 @@ u32bit bitmask_for_handshake_type(Handshake_Type type) case HELLO_REQUEST: return (1 << 1); - /* - * Same code point for both client hello styles - */ case CLIENT_HELLO: return (1 << 2); @@ -75,12 +133,48 @@ u32bit bitmask_for_handshake_type(Handshake_Type type) throw Internal_Error("Unknown handshake type " + std::to_string(type)); } +std::string handshake_mask_to_string(u32bit mask) + { + const Handshake_Type types[] = { + HELLO_VERIFY_REQUEST, + HELLO_REQUEST, + CLIENT_HELLO, + CERTIFICATE, + CERTIFICATE_URL, + CERTIFICATE_STATUS, + SERVER_KEX, + CERTIFICATE_REQUEST, + SERVER_HELLO_DONE, + CERTIFICATE_VERIFY, + CLIENT_KEX, + NEW_SESSION_TICKET, + HANDSHAKE_CCS, + FINISHED + }; + + std::ostringstream o; + bool empty = true; + + for(auto&& t : types) + { + if(mask & bitmask_for_handshake_type(t)) + { + if(!empty) + o << ","; + o << handshake_type_to_string(t); + empty = false; + } + } + + return o.str(); + } + } /* * Initialize the SSL/TLS Handshake State */ -Handshake_State::Handshake_State(Handshake_IO* io, hs_msg_cb cb) : +Handshake_State::Handshake_State(Handshake_IO* io, handshake_msg_cb cb) : m_msg_callback(cb), m_handshake_io(io), m_version(m_handshake_io->initial_record_version()) @@ -196,10 +290,10 @@ void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg) const bool ok = (m_hand_expecting_mask & mask); // overlap? if(!ok) - throw Unexpected_Message("Unexpected state transition in handshake, got " + + throw Unexpected_Message("Unexpected state transition in handshake, got type " + std::to_string(handshake_msg) + - " expected " + std::to_string(m_hand_expecting_mask) + - " received " + std::to_string(m_hand_received_mask)); + " expected " + handshake_mask_to_string(m_hand_expecting_mask) + + " received " + handshake_mask_to_string(m_hand_received_mask)); /* We don't know what to expect next, so force a call to set_expected_next; if it doesn't happen, the next transition diff --git a/src/lib/tls/tls_handshake_state.h b/src/lib/tls/tls_handshake_state.h index 3b60178b4..6260b090f 100644 --- a/src/lib/tls/tls_handshake_state.h +++ b/src/lib/tls/tls_handshake_state.h @@ -45,9 +45,9 @@ class Finished; class Handshake_State { public: - typedef std::function<void (const Handshake_Message&)> hs_msg_cb; + typedef std::function<void (const Handshake_Message&)> handshake_msg_cb; - Handshake_State(Handshake_IO* io, hs_msg_cb cb); + Handshake_State(Handshake_IO* io, handshake_msg_cb cb); virtual ~Handshake_State(); @@ -170,7 +170,7 @@ class Handshake_State private: - hs_msg_cb m_msg_callback; + handshake_msg_cb m_msg_callback; std::unique_ptr<Handshake_IO> m_handshake_io; diff --git a/src/lib/tls/tls_magic.h b/src/lib/tls/tls_magic.h index 882e59158..6db908b08 100644 --- a/src/lib/tls/tls_magic.h +++ b/src/lib/tls/tls_magic.h @@ -57,6 +57,8 @@ enum Handshake_Type { HANDSHAKE_NONE = 255 // Null value }; +const char* handshake_type_to_string(Handshake_Type t); + enum Compression_Method { NO_COMPRESSION = 0x00, DEFLATE_COMPRESSION = 0x01 diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index f50cf1f3e..d8dd2c828 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -20,9 +20,9 @@ std::vector<std::string> Policy::allowed_ciphers() const return { //"AES-256/OCB(12)", //"AES-128/OCB(12)", - "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM", + "ChaCha20Poly1305", "AES-256/CCM", "AES-128/CCM", "AES-256/CCM(8)", @@ -35,7 +35,6 @@ std::vector<std::string> Policy::allowed_ciphers() const //"Camellia-128", //"SEED" //"3DES", - //"RC4", }; } @@ -175,6 +174,16 @@ bool Policy::include_time_in_hello_random() const { return true; } bool Policy::hide_unknown_users() const { return false; } bool Policy::server_uses_own_ciphersuite_preferences() const { return true; } +// 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1 +size_t Policy::dtls_initial_timeout() const { return 1*1000; } +size_t Policy::dtls_maximum_timeout() const { return 60*1000; } + +size_t Policy::dtls_default_mtu() const + { + // default MTU is IPv6 min MTU minus UDP/IP headers + return 1280 - 40 - 8; + } + std::vector<u16bit> Policy::srtp_profiles() const { return std::vector<u16bit>(); diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index 581d04bcd..c3f8f1ee2 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -13,6 +13,7 @@ #include <botan/x509cert.h> #include <botan/dl_group.h> #include <vector> +#include <sstream> namespace Botan { @@ -173,6 +174,12 @@ class BOTAN_DLL Policy virtual std::vector<u16bit> ciphersuite_list(Protocol_Version version, bool have_srp) const; + virtual size_t dtls_default_mtu() const; + + virtual size_t dtls_initial_timeout() const; + + virtual size_t dtls_maximum_timeout() const; + virtual void print(std::ostream& o) const; virtual ~Policy() {} @@ -299,6 +306,14 @@ class BOTAN_DLL Text_Policy : public Policy return r; } + void set(const std::string& k, const std::string& v) { m_kv[k] = v; } + + Text_Policy(const std::string& s) + { + std::istringstream iss(s); + m_kv = read_cfg(iss); + } + Text_Policy(std::istream& in) { m_kv = read_cfg(in); diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp index 71542de16..e38b26547 100644 --- a/src/lib/tls/tls_record.cpp +++ b/src/lib/tls/tls_record.cpp @@ -12,6 +12,7 @@ #include <botan/internal/tls_seq_numbers.h> #include <botan/internal/tls_session_key.h> #include <botan/internal/rounding.h> +#include <botan/internal/ct_utils.h> #include <botan/rng.h> namespace Botan { @@ -284,31 +285,26 @@ size_t fill_buffer_to(secure_vector<byte>& readbuf, * * Returning 0 in the error case should ensure the MAC check will fail. * This approach is suggested in section 6.2.3.2 of RFC 5246. -* -* Also returns 0 if block_size == 0, so can be safely called with a -* stream cipher in use. -* -* @fixme This should run in constant time */ -size_t tls_padding_check(const byte record[], size_t record_len) +u16bit tls_padding_check(const byte record[], size_t record_len) { - const size_t padding_length = record[(record_len-1)]; - - if(padding_length >= record_len) - return 0; - /* * TLS v1.0 and up require all the padding bytes be the same value * and allows up to 255 bytes. */ - const size_t pad_start = record_len - padding_length - 1; - volatile size_t cmp = 0; + const byte pad_byte = record[(record_len-1)]; - for(size_t i = 0; i != padding_length; ++i) - cmp += record[pad_start + i] ^ padding_length; + byte pad_invalid = 0; + for(size_t i = 0; i != record_len; ++i) + { + const size_t left = record_len - i - 2; + const byte delim_mask = CT::is_less<u16bit>(left, pad_byte) & 0xFF; + pad_invalid |= (delim_mask & (record[i] ^ pad_byte)); + } - return cmp ? 0 : padding_length + 1; + u16bit pad_invalid_mask = CT::expand_mask<u16bit>(pad_invalid); + return CT::select<u16bit>(pad_invalid_mask, 0, pad_byte + 1); } void cbc_decrypt_record(byte record_contents[], size_t record_len, @@ -375,38 +371,39 @@ void decrypt_record(secure_vector<byte>& output, else { // GenericBlockCipher case + BlockCipher* bc = cs.block_cipher(); + BOTAN_ASSERT(bc != nullptr, "No cipher state set but needed to decrypt"); - volatile bool padding_bad = false; - size_t pad_size = 0; + const size_t mac_size = cs.mac_size(); + const size_t iv_size = cs.iv_size(); - if(BlockCipher* bc = cs.block_cipher()) - { - cbc_decrypt_record(record_contents, record_len, cs, *bc); + // This early exit does not leak info because all the values are public + if((record_len < mac_size + iv_size) || (record_len % cs.block_size() != 0)) + throw Decoding_Error("Record sent with invalid length"); - pad_size = tls_padding_check(record_contents, record_len); + CT::poison(record_contents, record_len); - padding_bad = (pad_size == 0); - } - else - { - throw Internal_Error("No cipher state set but needed to decrypt"); - } + cbc_decrypt_record(record_contents, record_len, cs, *bc); - const size_t mac_size = cs.mac_size(); - const size_t iv_size = cs.iv_size(); + // 0 if padding was invalid, otherwise 1 + padding_bytes + u16bit pad_size = tls_padding_check(record_contents, record_len); - const size_t mac_pad_iv_size = mac_size + pad_size + iv_size; + // This mask is zero if there is not enough room in the packet + const u16bit size_ok_mask = CT::is_less<u16bit>(mac_size + pad_size + iv_size, record_len); + pad_size &= size_ok_mask; - if(record_len < mac_pad_iv_size) - throw Decoding_Error("Record sent with invalid length"); + CT::unpoison(record_contents, record_len); - const byte* plaintext_block = &record_contents[iv_size]; - const u16bit plaintext_length = record_len - mac_pad_iv_size; + /* + This is unpoisoned sooner than it should. The pad_size leaks to plaintext_length and + then to the timing channel in the MAC computation described in the Lucky 13 paper. + */ + CT::unpoison(pad_size); - cs.mac()->update( - cs.format_ad(record_sequence, record_type, record_version, plaintext_length) - ); + const byte* plaintext_block = &record_contents[iv_size]; + const u16bit plaintext_length = record_len - mac_size - iv_size - pad_size; + cs.mac()->update(cs.format_ad(record_sequence, record_type, record_version, plaintext_length)); cs.mac()->update(plaintext_block, plaintext_length); std::vector<byte> mac_buf(mac_size); @@ -414,12 +411,16 @@ void decrypt_record(secure_vector<byte>& output, const size_t mac_offset = record_len - (mac_size + pad_size); - const bool mac_bad = !same_mem(&record_contents[mac_offset], mac_buf.data(), mac_size); + const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), mac_size); - if(mac_bad || padding_bad) - throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure"); + const u16bit ok_mask = size_ok_mask & CT::expand_mask<u16bit>(mac_ok) & CT::expand_mask<u16bit>(pad_size); - output.assign(plaintext_block, plaintext_block + plaintext_length); + CT::unpoison(ok_mask); + + if(ok_mask) + output.assign(plaintext_block, plaintext_block + plaintext_length); + else + throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure"); } } diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp index 330135e63..774827346 100644 --- a/src/lib/tls/tls_server.cpp +++ b/src/lib/tls/tls_server.cpp @@ -21,8 +21,7 @@ class Server_Handshake_State : public Handshake_State public: // using Handshake_State::Handshake_State; - Server_Handshake_State(Handshake_IO* io, hs_msg_cb cb = hs_msg_cb()) : - Handshake_State(io, cb) {} + Server_Handshake_State(Handshake_IO* io, handshake_msg_cb cb) : Handshake_State(io, cb) {} // Used by the server only, in case of RSA key exchange. Not owned Private_Key* server_rsa_kex_key = nullptr; @@ -215,9 +214,26 @@ Server::Server(output_fn output, next_protocol_fn next_proto, bool is_datagram, size_t io_buf_sz) : - Channel(output, data_cb, alert_cb, handshake_cb, - session_manager, rng, is_datagram, io_buf_sz), - m_policy(policy), + Channel(output, data_cb, alert_cb, handshake_cb, Channel::handshake_msg_cb(), + session_manager, rng, policy, is_datagram, io_buf_sz), + m_creds(creds), + m_choose_next_protocol(next_proto) + { + } + +Server::Server(output_fn output, + data_cb data_cb, + alert_cb alert_cb, + handshake_cb handshake_cb, + handshake_msg_cb hs_msg_cb, + Session_Manager& session_manager, + Credentials_Manager& creds, + const Policy& policy, + RandomNumberGenerator& rng, + next_protocol_fn next_proto, + bool is_datagram) : + Channel(output, data_cb, alert_cb, handshake_cb, hs_msg_cb, + session_manager, rng, policy, is_datagram), m_creds(creds), m_choose_next_protocol(next_proto) { @@ -225,7 +241,9 @@ Server::Server(output_fn output, Handshake_State* Server::new_handshake_state(Handshake_IO* io) { - std::unique_ptr<Handshake_State> state(new Server_Handshake_State(io)); + std::unique_ptr<Handshake_State> state( + new Server_Handshake_State(io, get_handshake_msg_cb())); + state->set_expected_next(CLIENT_HELLO); return state.release(); } @@ -278,7 +296,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, { const bool initial_handshake = !active_state; - if(!m_policy.allow_insecure_renegotiation() && + if(!policy().allow_insecure_renegotiation() && !(initial_handshake || secure_renegotiation_supported())) { send_warning_alert(Alert::NO_RENEGOTIATION); @@ -292,7 +310,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, Protocol_Version negotiated_version; const Protocol_Version latest_supported = - m_policy.latest_supported_version(client_version.is_datagram_protocol()); + policy().latest_supported_version(client_version.is_datagram_protocol()); if((initial_handshake && client_version.known_version()) || (!initial_handshake && client_version == active_state->version())) @@ -334,7 +352,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, negotiated_version = latest_supported; } - if(!m_policy.acceptable_protocol_version(negotiated_version)) + if(!policy().acceptable_protocol_version(negotiated_version)) { throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client version " + negotiated_version.to_string() + @@ -359,7 +377,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, session_manager(), m_creds, state.client_hello(), - std::chrono::seconds(m_policy.session_ticket_lifetime())); + std::chrono::seconds(policy().session_ticket_lifetime())); bool have_session_ticket_key = false; @@ -387,7 +405,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, state.server_hello(new Server_Hello( state.handshake_io(), state.hash(), - m_policy, + policy(), rng(), secure_renegotiation_data_for_server_hello(), *state.client_hello(), @@ -423,7 +441,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, new New_Session_Ticket(state.handshake_io(), state.hash(), session_info.encrypt(ticket_key, rng()), - m_policy.session_ticket_lifetime()) + policy().session_ticket_lifetime()) ); } catch(...) {} @@ -469,14 +487,14 @@ void Server::process_handshake_msg(const Handshake_State* active_state, state.server_hello(new Server_Hello( state.handshake_io(), state.hash(), - m_policy, + policy(), rng(), secure_renegotiation_data_for_server_hello(), *state.client_hello(), - make_hello_random(rng(), m_policy), // new session ID + make_hello_random(rng(), policy()), // new session ID state.version(), - choose_ciphersuite(m_policy, state.version(), m_creds, cert_chains, state.client_hello()), - choose_compression(m_policy, state.client_hello()->compression_methods()), + choose_ciphersuite(policy(), state.version(), m_creds, cert_chains, state.client_hello()), + choose_compression(policy(), state.client_hello()->compression_methods()), have_session_ticket_key, m_next_protocol) ); @@ -516,7 +534,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, else { state.server_kex(new Server_Key_Exchange(state.handshake_io(), - state, m_policy, + state, policy(), m_creds, rng(), private_key)); } @@ -534,7 +552,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, { state.cert_req( new Certificate_Req(state.handshake_io(), state.hash(), - m_policy, client_auth_CAs, state.version())); + policy(), client_auth_CAs, state.version())); state.set_expected_next(CERTIFICATE); } @@ -565,7 +583,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, state.client_kex( new Client_Key_Exchange(contents, state, state.server_rsa_kex_key, - m_creds, m_policy, rng()) + m_creds, policy(), rng()) ); state.compute_session_keys(); @@ -649,7 +667,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, new New_Session_Ticket(state.handshake_io(), state.hash(), session_info.encrypt(ticket_key, rng()), - m_policy.session_ticket_lifetime()) + policy().session_ticket_lifetime()) ); } catch(...) {} diff --git a/src/lib/tls/tls_server.h b/src/lib/tls/tls_server.h index 4f2a11ba4..ffe1111bc 100644 --- a/src/lib/tls/tls_server.h +++ b/src/lib/tls/tls_server.h @@ -40,6 +40,19 @@ class BOTAN_DLL Server : public Channel size_t reserved_io_buffer_size = 16*1024 ); + Server(output_fn output, + data_cb data_cb, + alert_cb alert_cb, + handshake_cb handshake_cb, + handshake_msg_cb hs_msg_cb, + Session_Manager& session_manager, + Credentials_Manager& creds, + const Policy& policy, + RandomNumberGenerator& rng, + next_protocol_fn next_proto = next_protocol_fn(), + bool is_datagram = false + ); + /** * Return the protocol notification set by the client (using the * NPN extension) for this connection, if any. This value is not @@ -62,7 +75,6 @@ class BOTAN_DLL Server : public Channel Handshake_State* new_handshake_state(Handshake_IO* io) override; - const Policy& m_policy; Credentials_Manager& m_creds; next_protocol_fn m_choose_next_protocol; diff --git a/src/lib/utils/ct_utils.h b/src/lib/utils/ct_utils.h index 52a3bc388..2307dd587 100644 --- a/src/lib/utils/ct_utils.h +++ b/src/lib/utils/ct_utils.h @@ -14,7 +14,7 @@ #ifndef BOTAN_TIMING_ATTACK_CM_H__ #define BOTAN_TIMING_ATTACK_CM_H__ -#include <botan/types.h> +#include <botan/secmem.h> #include <vector> #if defined(BOTAN_USE_CTGRIND) @@ -51,6 +51,12 @@ inline void unpoison(T* p, size_t n) #endif } +template<typename T> +inline void unpoison(T& p) + { + unpoison(&p, 1); + } + /* * T should be an unsigned machine integer type * Expand to a mask used for other operations @@ -90,6 +96,16 @@ inline T is_equal(T x, T y) } template<typename T> +inline T is_less(T x, T y) + { + /* + This expands to a constant time sequence with GCC 5.2.0 on x86-64 + but something more complicated may be needed for portable const time. + */ + return expand_mask<T>(x < y); + } + +template<typename T> inline void conditional_copy_mem(T value, T* to, const T* from0, @@ -102,6 +118,42 @@ inline void conditional_copy_mem(T value, to[i] = CT::select(mask, from0[i], from1[i]); } +template<typename T> +inline T expand_top_bit(T a) + { + return expand_mask<T>(a >> (sizeof(T)*8-1)); + } + +template<typename T> +inline T max(T a, T b) + { + const T a_larger = b - a; // negative if a is larger + return select(expand_top_bit(a), a, b); + } + +template<typename T> +inline T min(T a, T b) + { + const T a_larger = b - a; // negative if a is larger + return select(expand_top_bit(b), b, a); + } + +template<typename T, typename Alloc> +std::vector<T, Alloc> strip_leading_zeros(const std::vector<T, Alloc>& input) + { + size_t leading_zeros = 0; + + uint8_t only_zeros = 0xFF; + + for(size_t i = 0; i != input.size(); ++i) + { + only_zeros &= CT::is_zero(input[i]); + leading_zeros += CT::select<uint8_t>(only_zeros, 1, 0); + } + + return secure_vector<byte>(input.begin() + leading_zeros, input.end()); + } + } } diff --git a/src/lib/utils/parsing.cpp b/src/lib/utils/parsing.cpp index ea89c8e5f..40eae656a 100644 --- a/src/lib/utils/parsing.cpp +++ b/src/lib/utils/parsing.cpp @@ -1,6 +1,6 @@ /* * Various string utils and parsing functions -* (C) 1999-2007,2013,2014 Jack Lloyd +* (C) 1999-2007,2013,2014,2015 Jack Lloyd * (C) 2015 Simon Warta (Kullo GmbH) * * Botan is released under the Simplified BSD License (see license.txt) @@ -333,4 +333,25 @@ std::string replace_char(const std::string& str, char from_char, char to_char) return out; } +bool host_wildcard_match(const std::string& issued, const std::string& host) + { + if(issued == host) + return true; + + if(issued.size() > 2 && issued[0] == '*' && issued[1] == '.') + { + size_t host_i = host.find('.'); + if(host_i == std::string::npos || host_i == host.size() - 1) + return false; + + const std::string host_base = host.substr(host_i + 1); + const std::string issued_base = issued.substr(2); + + if(host_base == issued_base) + return true; + } + + return false; + } + } diff --git a/src/lib/utils/parsing.h b/src/lib/utils/parsing.h index 25416d43a..db8db198e 100644 --- a/src/lib/utils/parsing.h +++ b/src/lib/utils/parsing.h @@ -128,6 +128,8 @@ std::map<std::string, std::string> BOTAN_DLL read_cfg(std::istream& is); std::string BOTAN_DLL clean_ws(const std::string& s); +bool BOTAN_DLL host_wildcard_match(const std::string& wildcard, const std::string& host); + } diff --git a/src/scripts/dist.py b/src/scripts/dist.py index c0819e2ef..224f01395 100755 --- a/src/scripts/dist.py +++ b/src/scripts/dist.py @@ -42,8 +42,15 @@ def run_git(args): proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) return check_subprocess_results(proc, 'git') +def maybe_gpg(val): + # TODO: verify signatures + if 'BEGIN PGP SIGNATURE' in val: + return val.split('\n')[-2] + else: + return val.strip() + def datestamp(tag): - ts = run_git(['show', '--no-patch', '--format=%ai', tag]) + ts = maybe_gpg(run_git(['show', '--no-patch', '--format=%ai', tag])) ts_matcher = re.compile('^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}:\d{2} .*') match = ts_matcher.match(ts) @@ -55,7 +62,7 @@ def datestamp(tag): return int(match.group(1) + match.group(2) + match.group(3)) def revision_of(tag): - return run_git(['show', '--no-patch', '--format=%H', tag]).strip() + return maybe_gpg(run_git(['show', '--no-patch', '--format=%H', tag])) def extract_revision(revision, to): tar_val = run_git(['archive', '--format=tar', '--prefix=%s/' % (to), revision]) @@ -186,15 +193,17 @@ def main(args = None): else: return 'Botan-' + args[0] - logging.info('Creating release for version %s' % (target_version)) - rev_id = revision_of(target_version) - rel_date = datestamp(target_version) if rev_id == '': logging.error('No tag matching %s found' % (target_version)) return 2 + rel_date = datestamp(target_version) + if rel_date == 0: + logging.error('No date found for version') + return 2 + logging.info('Found %s at revision id %s released %d' % (target_version, rev_id, rel_date)) output_basename = output_name(args) diff --git a/src/tests/data/x509test/InvalidExtendedKeyUsage.pem b/src/tests/data/x509test/InvalidExtendedKeyUsage.pem new file mode 100644 index 000000000..1077d478f --- /dev/null +++ b/src/tests/data/x509test/InvalidExtendedKeyUsage.pem @@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAp6gAwIBAgICBTYwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyNVoXDTE2MTAyMTE2MjAyNVowgcAxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRUwEwYDVQQDDAx3d3cudGxzLnRlc3QxHzAdBgkq +hkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBAOVehzMzeL21cKiXqT7azmOk3yTNoRT4ZZIVcPiaSTKX7m+1e26KvDi+ +0bMOAa61edho6OlJ5p0CFOz2A2ebU4QLSl3N4c/jXs60BBx413Vz2Vj0PV93mYQ4 +lUOPZFKoELXGrkllDykq9DPvXVGrl86610YHB85jtzKDnjbR0aDfAgMBAAGjODA2 +MDQGA1UdJQEB/wQqMCgGCCsGAQUFBwMIBggrBgEFBQcDBAYIKwYBBQUHAwIGCCsG +AQUFBwMDMA0GCSqGSIb3DQEBBQUAA4GBAGIOqLpfp3UtxxXF9tEEycMZnNze+NKb +ZyheuTnYgfOPvoKgTSQZy8MQfj+KtUFPYkgyHfKfDKcCx6CgTTDQXDCDxILehIzX +3+ap5mBURcwlo+kyIkRHxtqjSMnW/n/1XYvByFq7PfB03IPBopUcZccL0cfUTqEJ +bK9QDOU+O6hQ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidIntCAFlag.pem b/src/tests/data/x509test/InvalidIntCAFlag.pem new file mode 100644 index 000000000..bf8eadbb4 --- /dev/null +++ b/src/tests/data/x509test/InvalidIntCAFlag.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBVMwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA1OL+Ud1tnY7uAY1FHW5aj+I9WSeeaZdgdnofZC8lKGq6HbbD +vC1BQZyqwQBTOdInwHeMtrn8OZiGjsDEi9VCSZsRWILxdM78kZ/+dE79icFns4is +Wnl7qjqybI8WTpRZRgYl3sCgwm0Ewn8mcfDSjQ0P1VhtEjI2Qc62LCaHA0ECAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQCdidZbDaHGn6nXkExvUNA6tJUj6yw+irx/S2Z3 +Gm6cnXA0xUI7lNTXrYKJeOE14ldhNEsTwvPNtQTI/2k1XsXPK5lqSvv70x11Afo0 +GD3Y9VeuUBJf/oLw9R8ztG5MEEfdnlfoGk+2ixG/kyURVAApNTGx7rIUijzkNrvh +QAkUqA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBVIwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAqZXlFKG9wD3BRNkpS1Xcg8ox3HJT+/xbIwnL +V6MQW/5IX8TY2DhskLwP/fZjAzxkA4Or6/iYGaz6wiYXiprlR8Lp3NvC4abNEC41 +AZA+n4CeC9lYLs1utp9frawY4X5HOG/ucUuR87yp0HKpRHWxHZsju/QNRLf/gxzQ +SaxmmgMCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAJ6dd7TMmcuXJTcnU41EpPhfSqzatpl7jfEHpS0qK ++uObFtHQJYxfYenBePD1yzT/chOGrOgSnSZLLRtW/BCx2vfO39q5ZYJpVOQsP1qk +10oa5gSm1oJGGVtuzjp+LtEH/XXuVGYOFie5aIewxGDCKRy0KGe66XkiMX6929Iw +6+U= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBVEwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAzZCH1Og5mpBoBQZh4GFooIi1iSt266u41CTP +Z6U7OBE68qz4/5cwp4cLYn52bq1f+2ZDFm7RNUNDlPuLO9ErxormeP6gTXSg7pul +6Gsx9k6xTADg5GC/ohp6SBTJIghpYcVrhUh11jK4qsgVTDUr+0w/h4ZAMnQ14Cn4 +FP6CcdUCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAe6/pn+C5xgCGLhg06afuNpiwJzxszgV9mEfewBHF +FShXmCcAo7+S9WSQbX+4P7v/e2OH5QTH0eZn9BD7d5NgMrGNzp7UK9yHvTMxSmlg +u19Rda32QhT/N1yI7fpuBIXOWVKcor51JGgsZflFc4M5VWSWdqKk+OsmcpcJbVbu +UDE= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFjCCAn+gAwIBAgICBVAwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyN1oXDTE2MTAyMTE2MjAyN1owgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAKIZPXpqy0ciWiUU1eWWdUDIjJVzM+LgCFEPoKT5W13M +aK2zmNTI4V4euf7CRNtFKgVbWZHuDjCLo/R1Qk0L+LFGBz7j/hQYF8uBsHhXcbkM +KSjbZijDJEB7Od/bVrCa05ZLBvf11j8NvHqI+Nbj8krgcCwCMoACpz4vRYnkRBYh +AgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEANsC9YG6c +qt2NBA3ZIrNXJq3cVEq5UZS2ysIEoioCByQN9G/gypLn4TYuTwhVrrjTRH+T840J +uhS6lXxjcmYckHKmN068kbscNoYFyx7r1p4EGp7ufqJ7Y0MDiu9pz/1uiowyD6EC +wxYVVC/30+KI7YU9kqdOhCWObFVqv5fuWrQ= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidIntCAKeyUsage.pem b/src/tests/data/x509test/InvalidIntCAKeyUsage.pem new file mode 100644 index 000000000..46ea7094f --- /dev/null +++ b/src/tests/data/x509test/InvalidIntCAKeyUsage.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBWswDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAs080jMr1dYNkhWW2r1ZDa+ZE6+W+CXF0mY4sIlRFShSLrcvL +JBcPQ4j1rDDJ8Ubh5B+kX/C3SoTci4TkFjVzDv/VHV+/LsvNUTQgwnKH0SGkQ3tM +wGPA92YTVQ8ivG+dl1fptY/WqJ0XWZgAqDzViSCODwZBNfDKRWIB2xIBnecCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQAC6m+nyqIJCOOO01wAWcow7w3lOLMH8t4uyBFS +Xm6v8owIFAYZtYD9/zq2neRH1g5ZeXbbJTeI7pqeLpO95kZTdFcWc5mdLDt6OaTE +SRo1dlyyLpmU0+rh+rnQMeStR6xI5ATBGsqhPd+GSiFT0Y1vQLhFjJVVL7d9YVhQ +xdPfCA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBWowDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAvE1H7UcgRvB+y9fQU1A0kTR4ejPyNsHfKqfb +D7d2/Q62fnYZTC3wqSAVCqOJ5GpPjtLYXe0rJ31jC1Ck2Yhtvk1cB1mOr4KPzuVx +mbtbkc7SfXohshaoQDERcXzDqILEh0GSv5Nn/NLUiKrD/ND7hp+xkCnpnilUvbVG +MupyCjkCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAWM/xRM22jbcK0Hyd5WwvRnzgNYNUP7tfsH0Kvmv8 +2xOCblejAaEb02BjLaLBibGDv5rDl9a1wtE5JWI+6VuniPov3NMdHtxdJLkb10kd +Aoy16jGFh9gAwDqjUi/gJNRy3PQE5yZlgfQCdc0b0eFxehFdBPXLd+aOd3LjF1Tj +4S4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBWkwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA0EtiWsU5Tu9NOGVdC+Os0gTnhyu1B617QIbv +FR9VMMih79+6eXnb1RDCZX6A75tXm5P4dUXkD5/b8IGSPy2IU5EdMv5EdTTBRccy +AaOPcNOaGT+TL9fZPeACE6G3RWJiK7fxp2gyZexMGtQVzkrFtw6AgS3uKS1t1y2A +GW/hmsMCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEARoBDHytQRiZ3i7ou2K55mXnlYA5JS5ndhcDjawlc +FDtxanT6KndHQNXpMyz36UdjA+870ZBxSC2pp+RsqpObwk/UW8Ez145Ozd1xQzya +dGqR9jvznK6KQVTY+0QUHzLRTtVMZZgUtmzYCPFqjxVGzSNIUfdxBsaJwDuGQI9R +2Qg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDKTCCApKgAwIBAgICBWgwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyN1oXDTE2MTAyMTE2MjAyN1owgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAN2oe7dx8qpMmFRz8H9+mWoWf8Af6mDvkbMIJlvcwjp1 +gHv3gw5pnXSg1X1tbaAn5ZYkVQV5B+kMvKxIUSobw2fxed1/mrMKJGPwLXBkjr46 +fc/Sg2OymroOE9syEhw1jo2PlOkaJXD04H9ajNizGh2rXuWU+h+mcmd6qyPyb3Dr +AgMBAAGjIzAhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGiMA0GCSqG +SIb3DQEBBQUAA4GBAAEhJezQ5KRFKzZYYkBaEvVixk/x4xwkFeLvfgzeIePdNq0t +DxkJ2o/84T7mx4FG0uZ41Oab/50j9+wYbuOOkL5zJgSECoatW5dPIwUVC6Vw84aW +AV/MEEpM2PSYc5D/8uE6ElORbjjcsgzL7+s3U76gZzaaBemFT+MT5dhiULju +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidIntCALen.pem b/src/tests/data/x509test/InvalidIntCALen.pem new file mode 100644 index 000000000..66b70d725 --- /dev/null +++ b/src/tests/data/x509test/InvalidIntCALen.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBWMwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAwhW8qYanEvDgb9ZTsgnBpLN2lb79VTAOEuvV7g1mMi2FtH7C +pCxL6V0Qo/tIEszrG5MSFqpY6lTD7d2oZwCwnt5rg11GTF0v5Pr8tBZQ9XvfZFH2 +hEBp8cwuO3AR3ej+43lWRMAVnZ98HjUqsAq9YpBlt0ah9oUyH/IGdMG1lBECAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQB3/xEObIIQlzFkmSWCHKMtL0fRxs0EbFVJbejY +q4wch1p2fgJJYjS+a6CEfVGxq9+ock9QPNLyZl289NpnSSszXVFya4s119n2uISH +0kKF+9+v9QzxYgt80BeKK80LFNl7iExsx+FQqb2lfbWxY6JmmylpDFbpTUq/t0eN +Ru3NMg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBWIwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA4J95YklZ4IoZiobKO6B9wpdQYdjKpDAH6qlJ +dlD1M5Sm5Jr9VCxqeBzTMuzxtJpi0nqJSep3DIFRGvUkFcahYbRpPVMsfnsXJviK +TNBFqrH0Gs1RYOzGZS41iFdQxeul1eorjPrNfkEDxLSQt4nnqxe0e0+8ok9ztEc3 +YZRiyAUCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAloxrmzdw+QC2UOfovVgAyHAgaVfQzoEdVN/O/4Fx +WOWTZ7rnpyp++ToB42zEixiYgDv0Z039NdiXRHemzXQpntYnBOE3ro0lX4kso0sr +95Iwo9/2Whm2y66LmxDR0z+EIpH3ticnU1idmpd6uYDDIGYoJ8doDcq5bZBGa7QB +MiU= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDMTCCApqgAwIBAgICBWEwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAuIQ770rmUh+jbjSOyktIVHJO+az/nVsFUSbp +LHSvQAprzyqZ/UG2g23He+1JW4WPF0AEuRJnCWbLu1p+VrOmtBkbO1DgX0ksv4V/ +MH4L3Un7nPNfyK3wdl1hZ9rEzhSVG+M74p193EQL4FmiIJlljelChqF3CF45urjt +UYg1LuECAwEAAaMmMCQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMC +AQYwDQYJKoZIhvcNAQEFBQADgYEAt+La7O+rtTCpIk30d+I/uqxeAnXrW60bRciG +KXWKdVizrXMo6SGOkKGafT4kQ7LF+cdcTexuXFS9iR3pcJfCb+b5B9Sp1K7EMA+1 +s1aEHHe4V/+NgGSTXvT+lvZtzeBXdPCmOPXW0YuTyaVjt1C/MMZdpcMMDq82S5Rk +mLlDpjg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLDCCApWgAwIBAgICBWAwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyN1oXDTE2MTAyMTE2MjAyN1owgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAM2H6tTUFiHB6OEkUybL/NfDItiXuCq6pj7f9DH82QXm +C57NAbuEdU0lo1nGfkbR7HHeMjWOV+02Zn/tHqjtiGIJD9bnYF7z5vjp9l1a2W6m +C+XIgU4Lc2RRkhJTSwlimPqTy4T8zf+S3DFOeofFUjVjbsNtvHzciniG4PESjN5n +AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0G +CSqGSIb3DQEBBQUAA4GBAEY5Lt3JY054K/Ntb30/83vKvHE0KiWI4wnhS2p86W3w +vrPbs2KD5+NMT/XrQ0JJuY+YlhYLLJsjd2sDoxz763q4zXYU190fapA7ADfwwcBo +/HIVuVn0FSrlZjksukh5Kh1uEu79lw1htXSPX/yrkFpgUb4lSVxQD9D6BCLIxWZw +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidIntCALoop.pem b/src/tests/data/x509test/InvalidIntCALoop.pem new file mode 100644 index 000000000..bdc130f46 --- /dev/null +++ b/src/tests/data/x509test/InvalidIntCALoop.pem @@ -0,0 +1,79 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBXswDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAnmXnZivUgr/iHm0VdnME2ZjQFYmQCSxrBbCQpIF6dJTrLSuI +DbqwZTor5oZZUKDYUwJK66DR+YvmAEpbdEtqDW7KE9i7pCFn/RAjVRMIoVPDelYO +hCrX1SjH0IhKmSrzyYRJqFR4Da3IaXWCxUW+Vd7j+nnKB6qByaVh0G3IYdECAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQBjtqcclNio3aqM4jk6ZSim1cd1CP4FrmoguwQa +YGcSeTafl9iUCLjdgn5dcuTptg1t1IZwk181N5U6z8muiG5LJBqjw7laoQV7+fR5 +J4BC2GbDTXCObnM0zJCD+KOYfQROkQrvepX9NSiHAdajoXN5NFj79wSG87Jj+eEw +nqbvhg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXowDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA5iteXsj5C5OqcDqs9SCqtbTem22GYpaacDEW +5jPoHLH/7iqIf3uezQ1rZlMSS5rT+iYH4Yv7xEFcDGQKL25rjkV0zmfTRGCh78JN +GW1YG2yb0hR9P7w9BIUl2LJMhBeEFjEIXCzGNdfzqD8dm+g1uSm7sLMGtPR/rucU +l77a2FUCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEALrfXMs6XfoYB9Aj57YAXunFTfdQaBaLrsquZiEk4 +aAjt3+tRBV6BRZBRqW+8q2iDfJqIa8ti+bonDpGc0J309C1UmIsO0ASxZkeBX14S +23Mp/eD5LAKeMoUUiLSlWN+FlyWfY2axA0UDvb5s2q3NvSyx0qY8FBWNeHdwvX9I +Mn8= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXkwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAqsPZjU3HvuNLa4iBQ6X1HuIHTpXxZ3/QxaaY +AWelfG65MtlBFPHrSBEpWcmntUTA75gPXYOP/yu1sAgHzXlAEA4IwRQd4oHr3s+1 +1iZOr2oIEaez72ifgTerQlfBDnxSDqiM91VNuRqkaGXx+qYO7Oyf/VCCVg6QdSDy +dbghbykCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAcJTkIw9pDpmnOW+TBxJ6ygLSkbFwkZR89LTD2hEU +1bTQfqlVAaSYWzkErtc2NfUhn9ukseBw6l2QX1NxBSD/uo0Le2cszvkcE+yNiQZa +KZ2AtHPOFqpQ/P/wNX/qup7HvGdBvosKXn7z8RegVM/Bswspv8Gbv+GRsLhaz3m9 +XY0= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXgwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYxLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAzkSy3H+LjALk3Sg3mM6DzB8KzGph1hPUofX4 +9v5yIxToLHykHWAGneGKQY+6bjv5dlkJh5YdI4VDUglDSN+7DV/en+X8ipUliRkK +4Ic2xl7FeVfKi4ZdA6pK/EvHSkSzzq9bCjZvGQr2QjUX3A7AslCGfhQxbdBUm82M +UtTpEL0CAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEADnUvQyw1XzfNt4ZHwj8SAP0X6iBGbEWpDf1IbZcU +pNcsE2lAo0zIWV9ShhuVBGNOWVxiCWyPeQGPUm/oQX4rDu3hhKK0ff5DHrIkeQOd +R3vSw2U9ftWGC7ah/mImTIlZGVfas+SKAZMv91YnandHHlIzEtv8Yqn1nLMezjU9 +FSI= +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidIntCASelfSign.pem b/src/tests/data/x509test/InvalidIntCASelfSign.pem new file mode 100644 index 000000000..212cad56f --- /dev/null +++ b/src/tests/data/x509test/InvalidIntCASelfSign.pem @@ -0,0 +1,79 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBV8wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAsom1fnARuMevEExpCF56bBFF6U0bVkBX2UcuXRIU8l2Gu4nl +Mn/qTPzOK+TTCdI6sxv4NlnYwrkuipGZgoCL7IArSOJfpTrHWPszK7X7eo2ZpTF6 +2+qeUGf0r+geX/STSbEcABnjCYgCdLhZfjmCrLNRZQaf0P91XFC1C/MgweMCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQAETF0DSF1rPOwqGX2xQXq7pbruHnNKq09GiObp +tCJ0Jc2QZAvkrqKI5b52xyaP3ZxFFky+2dV49y/nrIHtJuw/3Sxch4kHyFA6Kjma +P7AG6w9neLOFGfF8jVJScZOtHVrNFao2VGBco0NraKW1C3exJlscBJoPddy2Cld/ +GpCFsw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBV4wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAnxjsz3c15kCCvXdynh4AhQ8f1a0Qj5yk2LOj +XT8Oe3XVErMWVHJkAbmwAh0ir4HtI7gqZTdUZe2DQ/Syx/dn1zcXUr3VLerk+fkM +ilejsR7pRWfr5pIA8L5YupZxG5feH8AWMAyCOcbL3iogrv7rGo2Uv9b5xpiDlPpp +H8t3+1sCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEApaIfSqUQbr0bUCocdSvaYUTRVnnZTYhpj2ktvMhO +BFB5iQgOl3k9Bxm0RxHqK50ix50f0sSFdP7Z/IpLzdkDODOKQIkKKfSiLQs3E0Pg +omHUaTY6udk17mlLkp4kNhonzcqPCx5fFD2btVSvsYbaM4Q+WX7AmYlEXu3cRxIA +RoQ= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBV0wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAvuDuMaBRVeccDQMHApE8OldJRDpf1pLjODvx +0/j/QkdRUJTiL3orG1XvT9RuRidRa6iqaKp0Cs4pE7QLv7Vo2Qpq3xgwDf42X9pS +pesx+bzJePTgb/X+rpAx7WNkdkTOoKBUgbbwLjsti/Es4whPXezaZXr6fJd+iuwd +xk+WYXUCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAhMMK1V6OwGRPnBbNddykOBVW546m0F/in8H9cZH/ +jSKMhDxifPV8q0GLF6u+JSQTH6x3llvumXcnwb65gkwmLgVV/TmF4BuiyF59f9Bt +aeU9tBKb6Ef6Hv8hNhVGE11wuIjUERiyPgJ1PAWBKnIHGXEhqg9adpHL3NlFCD7r +sCY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBVwwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYxLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAzPLH+D/L14UV4upNVj8GUzVK0hPqnN3x6Lzy +u/1rXne9nhP+HB/toJUe/VeRw+xs3aVpPE1z9Fx/+h5hmzxM8CmxifdBkhI61AwH +/X/8z+wKfmo5mKTYbP13wHg6aZjlDnKWnabvUYv2VUqfffa9mz+lY8wVm4OTtRXS +v2hI+sUCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAXW153EIEyP0VOyYWIqLMz77XShXmckYKbBKS/kWH +7iYaZhy6Jw1MXluiQ2kYzgxbjBXvFlGo0IOKTnU05NmCOGU3bgBIiZ/oTiQcSges +Omqg7oK85c/kFEQ3QrboJZ+w5HgDtp3Bi6U1qESfnvsjwWhqnXmmtd77z/w0vFYp +t5M= +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidIntCAVersionOne.pem b/src/tests/data/x509test/InvalidIntCAVersionOne.pem new file mode 100644 index 000000000..135b25929 --- /dev/null +++ b/src/tests/data/x509test/InvalidIntCAVersionOne.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBXMwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAoTaHrOkrTBz4bUkJL0WPdClVfptiHd6cKfLIK81Vt88NCHDW ++APuxXvGQ6WqDuOKZdjlbmzvUEN9+JDxZQ3tbg1oOITchMeHXeskuQhBaTiyDqyj +afwRBeFB8kj4fhR7TBIiQ6CmWZg/xn1UR4j19gBggK1gmvZsE+D6GJsmsUMCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQArbFpH3hYIOGCIaR+TkNbaTzqEo4tite//XxnL +VX2Ky+vdZVrjtFbgCkk0SrCIHUJLBA7twxpYvHzVrqr5nKBQd0RRgyK5dukunlDq +4aGduZV0Attlb8TifEvURbNZJpSWy4X3CEm+ksn77lnfB3wdCdD/PEAUNJsuxjC8 +kSc4Gw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXIwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAs6XFhRh2cg8Bdv3FGVPcpT3f2nFbSWh2pkJ0 +SaTByNgVLHSug+Ucz5ZwYOWUrTg73qobjid7IzrPEooUxaKm7Kjxu5QBEr2t9RkZ +YI6LT0QISvjMpG/JTTEBX9lZHkkfAgdre+0hXhdi5TA+0+mrmYk3FGHkJ+62WRht +tGga9EMCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAe6FozKwO6hDkrO6SR88z2iZWG/lJ4g+CJeXnsubK +2r7ewmsq8LchFaoCi8/w2gJgc/wGUCbIWjZ8T4e10qK7MBAzn07lK2uShbdJg/a5 +5telqfgRlngor9W7PmZdvv2NbGkLCv/mvlYdUDWLNUE0G80hwxe1j4kofAxhycbI +sO0= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXEwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAvkZQsSfaEYwugamnfXUxQufz/cvE0oDdL8U6 +X/9BGGXggsCEksl3O0oQHOArKkf1lq7b0KIeeUlv98E99HXOcnlDXvzukxfgFTNJ +/4K1ZiwvxDEZ8I/ZvIOEu6VFkzGWSlanegisM9LBXWhaZqX6uEC9Fmobs6cIcKY2 +IesFQ9MCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEARqyWAHKlbjy2tbh4KMLBkuzkORhOvzGQ3fzWTvnr +nZQSqB/4ytBfPiEx7fYa9zhwDbCP/6cLIAx8t+Bb8uZzfH7BimoRjk1Gp1fbKsqc +aSAg3+a/IqjF1ApEpyk3YKbUf2sGVz/nW+KSrILzsGIoXA3OKVhEeuadbbWiPx3P +OWw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC/zCCAmgCAgVwMA0GCSqGSIb3DQEBBQUAMIHEMQswCQYDVQQGEwJVUzELMAkG +A1UECAwCQ0ExGDAWBgNVBAcMD1NhbiBMdWlzIE9iaXNwbzEuMCwGA1UECgwlQ2Vy +dGlmaWNhdGUgVmFsaWRhdGlvbiBhbmQgQ29tcGxpYW5jZTEiMCAGA1UECwwZWDUw +OSBWZXJpZmljYXRpb24gQ2hlY2tlcjEZMBcGA1UEAwwQdmVyaWZ5Lng1MDkudGVz +dDEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTAeFw0xNTEwMjAxNjIw +MjdaFw0xNjEwMjExNjIwMjdaMIHJMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0Ex +GDAWBgNVBAcMD1NhbiBMdWlzIE9iaXNwbzEuMCwGA1UECgwlQ2VydGlmaWNhdGUg +VmFsaWRhdGlvbiBhbmQgQ29tcGxpYW5jZTEiMCAGA1UECwwZWDUwOSBWZXJpZmlj +YXRpb24gQ2hlY2tlcjEeMBwGA1UEAwwVaW50LmxldjEuY2EuYXV0aG9yaXR5MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDN97AmDaTx876SjtpHnrtzpTEWCm7mdEY6JkaxwTKLiPwcjWr0 +E+TZeq4YDyJJD+EPZlAje+NOpTuaWYkQcb0HHvh3mPmvwJhkjv94lw8TZlDjgQ6d +DjGiX7Ie1KTt5KerIg4upK+qn39ByZow30X/SQVgtFxpG7AiLB3WRzNivQIDAQAB +MA0GCSqGSIb3DQEBBQUAA4GBADME04IYoOqkgxlSa8XYB7FqMF7+8GbEJ5jS5FMY +3hRSmFvwcurB7QbcKZUQDontXpmvwi6h8LqHTRlm/BJSCkknlLcQHARTOxhVYL3P +fej0AiIn4flYB8azuLpTNzPSayNGT1/3n+tBlinD25kcVd5WxRmrdl/mHU+LDVaz +RoqP +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidIntCAVersionTwo.pem b/src/tests/data/x509test/InvalidIntCAVersionTwo.pem new file mode 100644 index 000000000..09e51407d --- /dev/null +++ b/src/tests/data/x509test/InvalidIntCAVersionTwo.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBXcwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAxFCLLNsJzBo7D7ORMhtuSVDjU+GpAiLYREeDtFnazGUgwlUr +vdUoVdVgmuvxJQ0DtaWnv3zELb4cT1TYGiNMWXepd13T4yIOv0mKMUzFQdrBXCRw +oPLJbSPLNJipe96BLdLfhDwbaAYEgfA6QAb/Hrnk+utmY4KXLhN7DmxgXbcCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQCoZLe6DNhGFkO2sCW8LfwsR6YuGVXXOyAJtjsR +U1s8Y4zp6hFhwFmNr94dQQswNv8oxY3CUw+1aLTFHetj668A+lxDOadlM3RFpYng +uQOwFAi/Dq4IFx6AJWCm4/0fhBSXRKQe/EVe4A9sYZV49/7E85nLrGvI9GNovm0U +FNc2xA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXYwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA9K+FayI6+UT3+xAMI68BgDhrz9vQRe6iZ3gh +X0hDIYFuANWqomodzD93ADsFB1/qJyP5E28pOSbATkXyC4UfrUZW2ZUgk0/4PcF9 +BUGz3PyIDKrjiJoJAXNKLdf81spi6gQAphui01zp9fforzTUPP4NkUpGPWXI4QEH ++Q4pDPcCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAbdK3s1eLW+7NAsBAPFR96QBBVYo95EzIQ4wHiFa7 +pvvrYSIr8GyzmCrAjnTcFFc7GV2bHHgmi2QnC92ZxiIJ7sIlgkzRxlELeoLiKuyJ +PquhYUhTDby2lM0lBwpXwZJCdIsH7JElU3iUfffiZoKLkRl/YKKtdPahoNzn+5OX +ONk= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXUwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEApLkcf+JB6O2mJ9CY3w7nRlrjOnp7jAhkHMCG +fDR8tFdRETBon6NzD6sHYMbmwkbFrTq/2XNW0IOjFWeWjrr37VJ3jhYMBLGJzDVG +xdG1sjB1dsrv23JluHaYdipotbBDj/03TewfFsOSFYOdSoLOSLaSvSaA+cThFelh +RHv3yn0CAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEA1XOlYsC/HWs6XRdHnEoajPO1TwzHWoBP9ditpdcx +If0TtHCEVi/KYR1RNo7WGXsYkOXpSAdt+QLXClBdy5E2LozLO24pCcI6TnimQTW0 +Dq7S+6Pr/79SS3AepA74+y9qQhFXAR4+bQiFApaUX8/voap3LBNLJzGX/8DlFscW +1hY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDBDCCAm2gAwIBAQICBXQwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBANW2KEP1QNNBo0O3Z5R+qFq9AWGxGunlBXKRJ8DdpmXU +zmirBjdNL1aDVNeNXsTK/dKLSy/Yul4IosYd69G0q2PrwaXUzew6LlBX9c4QbbBf +L3x3pBKmuJ29vX9IKxggpL5yH1ENZEHCqJ0FCxB0SfrjoTVtGPMzNada9HWqmtCv +AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAMqt9r+fd2yb4Dm4xI8oZcy7HPLJ3C/Ht +Q6beOjUTzMqw2Od127enkpAxREfJSR7QpmwLyEj1niH7cymtPA5ojERGZjlIkmSx +Y0tBC2+RYu1iW2rW9jz9wnLFLqG4WAsXzUXW+xizehuDqVpBGAPbQ7mtIRUaXrAC +3m623OT7aS0= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidKeyUsage.pem b/src/tests/data/x509test/InvalidKeyUsage.pem new file mode 100644 index 000000000..dfaf41b5c --- /dev/null +++ b/src/tests/data/x509test/InvalidKeyUsage.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDDzCCAnigAwIBAgICBRcwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyNVoXDTE2MTAyMTE2MjAyNVowgcAxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRUwEwYDVQQDDAx3d3cudGxzLnRlc3QxHzAdBgkq +hkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBAJ9OccDbTmiIksv7f7ciHz9hs/FtN3NsN/1OrGvSoax0ltDfo/G9A8wC +O/Yzf1Uy4YPicQmroVVRtR9OQaf0LCRe3L1fkfWKD2K/3mRjH1CHGwjo5BuyeKfO +Z+x8dBnSUSPyz1FPgHeTUY2DHlHd/6PSYR6e3kIDkyk4vaEGQ1irAgMBAAGjEjAQ +MA4GA1UdDwEB/wQEAwIBAjANBgkqhkiG9w0BAQUFAAOBgQCTm86qq55do9W/CzCx +Db4MtuLRvxHjlSDr/gbBhcEMsxftibeNUXyfGaGROXoefdLW/kzmMPFDzr8kdxY1 ++so0TlCYbe/YMrvMVpSC2EblhHM6B3rzHVfADH90S3M5iqA+1JDQKXr9EEKQSK/e +t/HCRAqms3qq8clkOyiTh5wn+w== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidName.pem b/src/tests/data/x509test/InvalidName.pem new file mode 100644 index 000000000..1d911713d --- /dev/null +++ b/src/tests/data/x509test/InvalidName.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDCDCCAnGgAwIBAgICBS0wDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAxNloXDTE2MTAyMTE2MjAxNlowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDpwcnxAdRIPpgJVdkAUHUkRFmtBhaUT7RUKSp2 +l1dH1pc3cJerHiBI+ocTu7jrFTUa4fFFUs/8kgpGMWct7KQx0GHR1fYnUBQFLpXF +7q0Jz4iI6No2osXur+UNq1rObMxcDua4QvdCiGg/Dr5LyNrBumVlzmoaROR501WM +VRE6lwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAHyWRPotkRuVkU7+Qws5ZLugJATt +zXGN5M28hQODXfhk/R0U79/Zt2aGWTNeTrPkZbCGbvV06rKAGzWX83iSK2HiaZU0 +v0gM0nMo99lX8dyWmyEojyIGBzg8FCV7VlYbMvSdmWhjCha+ilxDVBkNSKR/wUv+ +i6d4uJpNCqa9INag +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNameAltName.pem b/src/tests/data/x509test/InvalidNameAltName.pem new file mode 100644 index 000000000..432c5f7b4 --- /dev/null +++ b/src/tests/data/x509test/InvalidNameAltName.pem @@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAp6gAwIBAgICBSUwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyMloXDTE2MTAyMTE2MjAyMlowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQCwjxxDC308U7KsLzaApJrUDI8sMKP4bUFHqXz8 +IMMb9qPHtADyvQcFoFtG3Tar6wpa3K9Mrx4ex67fN4CCWxZA15En4sSiczUoLgra +h0Gh+52GkWk/0YQ6wPmQUMuNooVmuFUMA88w0SCN0yaHPWP+cNJaFF6+wwE0mAhf +UClNQQIDAQABoyswKTAnBgNVHREBAf8EHTAbghl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MA0GCSqGSIb3DQEBBQUAA4GBABVIzzLgsqfDqy7frGI+dQ2LMOA59pJU +2C8+2QFtoDcDZLRoWyU20NVFaydkRQl0XDw0jwMvmG1bBKr0P8s+8eVilFRkiU7r +7f9+Zzuuz3mOvUx9V/uGnVyyHDOAv7WPrEacZmMgWJgriK8iE6yFLGyhGq25vTH/ +XgRWAik4E1kN +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNameAltNameWithSubj.pem b/src/tests/data/x509test/InvalidNameAltNameWithSubj.pem new file mode 100644 index 000000000..906df5abf --- /dev/null +++ b/src/tests/data/x509test/InvalidNameAltNameWithSubj.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDKDCCApGgAwIBAgICBX0wDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAzNFoXDTE2MTAyMTE2MjAzNFowgcAxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRUwEwYDVQQDDAx3d3cudGxzLnRlc3QxHzAdBgkq +hkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBALHJIrXXxvMe9C8uDdBq1yv331JYWcIsW4txS4k5CPqEKfc/Txs/KO66 +pXYH3bGg+Wcy2WCnw0GITIK9br+cBs+929C8AXdSsrenYzZMLLHCiiuZ3jvY0oKk +4xJ5Uo3FDRVyMNOM9z8VSnKyHwokiNwatNn1CTW+gDvuduXc3j6VAgMBAAGjKzAp +MCcGA1UdEQEB/wQdMBuCGXd3dy50bHMudGVzdC5pbnZhbGlkLnRlc3QwDQYJKoZI +hvcNAQEFBQADgYEAxntcJCBk5QT1LbuzgHrqUP/ehz0trIleep+8P4OiPYOEzJNB +IQtgNgYoxZ5gf3DojYU7+5Zr2L/hic64Em2jwyD+uE0MzUF+D7ZC5IvOLNQcjsMr +BmYAM7w2t80IY9zvoYJgqtEOUMMX0ZnmZ8e5qT4MMo3vTZY/3BjzupEBwUg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNameConstraintExclude.pem b/src/tests/data/x509test/InvalidNameConstraintExclude.pem new file mode 100644 index 000000000..9cc79586d --- /dev/null +++ b/src/tests/data/x509test/InvalidNameConstraintExclude.pem @@ -0,0 +1,99 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAoagAwIBAgICBZ0wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAqlu9+3LUJw49TD7NNtZwzrfalSD3BCXGqaXmCRulYHNRD0Dh +Pds/uJlUgIFkf2orncbNjMuNlUzrV4P8L7KX+RF4uIxiW01kpg3rl4INsqn8NWLI +FLbfBEkgebc46bEeq967UX8KEitbrRgq+1FeLlYFbMdBZvbYXhf5Le7KxBECAwEA +AaMbMBkwFwYDVR0RBBAwDoIMd3d3LnRscy50ZXN0MA0GCSqGSIb3DQEBBQUAA4GB +ABZNX4ryTfWDtl2+FvBw3XhEObVyQ05xvZoO8SdLqI5XWxGYHKMEVjKwBX5Jp+fx +JhnyJdBpcRrCNsZqIMX8IPraRcoFBeaEaXCOQXxFmXpUcKbvJspYV06KYLoHiys+ +UsQv3BE5hzAx3xBhvPxGWRNX8eILNu2g/CTQ+XN8SG4a +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBZwwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA579YJqJyfSBD/xEyHXjZ5bu5YwCRWgk6/KjQ +pSSBwl7Ik1G/JUhFP8S85hU03XJ9ENW12YkbiZmwl7TIng8sdLXGZqZTSHMyZlCk ++Rg1Iv2ZuUozDLbwyfk7RuBE+mrLKzr/IrM0UAL58K2n63m6rUBxDaxE7lCZlJZb +YSRS4PcCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjMuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBAER2ODEeD35c57omwLqA5HDSy2urJIxx3IqzeXAvzZ27W5CWoDeLkX6So8Pj +PLYcLTW+whf8LAzbFRzpQt49P2MPudtGoTBF1yfTwRdoPqxwsZ5fJJwuEfs0Vy28 +3bpFT3POHjSdtnn+zYdu3do5FJ2XISmCkwLyxcMscn7+gmbC +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBZswDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAnMA5zohoyoq3U6ziijLTMiCYASAwYvSq5KnN +ZUYtb2Q6570id89nfBRSqH5gepvU3FyOCwMENtPVDCIJDaJKNeNPzbe0C1aDTiJZ +tDx0vt37yRIxbVr3Py+rW8xywVsVQfxUrVB4n6eA/6Gqu7+JFbcfMnX/wFU4Ialu +nVkcSTcCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjIuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBABuBh/2ZOrd/VyGTSwlD9FiautDnqtuuetsjiOGTEWWSHdx1Fr0Z0KAybfTX +Zbl1uhZNrr63+Lmv4Ds85RyZA0VFHz0rrw1665fXYec4XcXHdySJEnY0gQWHHG73 +7+TalgUhyp/V627E6sntLUqMuWNpiVJTCXcCPtntWOLS3WLt +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDdzCCAuCgAwIBAgICBZowDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAzNVoXDTE2MTAyMTE2MjAzNVowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAKmvPjnuWdpUGTOyt2uobCWuE8i9/IyFvmnvdm7QeHST +Yvb+3wPXxUgIhh7FwUL5Cg/xtEQu5aWrlbCS/8qM2oSxKJ64mZC9jlwO+sFkExSo +5/vskozM1LCjpodRbH7rqmcplJbcJ/5FBttELVAUSXCqx4QFRLWrgWVUYtwYPisX +AgMBAAGjcTBvMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMCAGA1Ud +EQQZMBeCFWludC5sZXYxLmNhLmF1dGhvcml0eTAqBgNVHR4BAf8EIDAeoBEwD4IN +LmNhLmF1dGhvcml0eaEJMAeCBS50ZXN0MA0GCSqGSIb3DQEBBQUAA4GBADjNUz+b +BKZQPJTRSDR2BmcOOPrJLKY5OoWz9OFne+DXtBY4iWw7n6bwJeDl8CO1rclu04XL +zI/jzsdToQuq9QCTLqudQhZJqcbK8Vl+1XsfBhW+ynkU2Dm4am0lRSNwXrfoA1OW +45ys8ockOR/7MxYelf06Z/9dsdJaFNJE6ANX +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNameConstraintPermit.pem b/src/tests/data/x509test/InvalidNameConstraintPermit.pem new file mode 100644 index 000000000..3aece322f --- /dev/null +++ b/src/tests/data/x509test/InvalidNameConstraintPermit.pem @@ -0,0 +1,99 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAoagAwIBAgICBaEwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAquH5DGj3UqA7pyN3Id+yKxEAYcCl98L8hCtxdGNMbQXWRK7D +QCGzh9G+Bl3gYH9992AdXEsm0++TXfYlQheHRkLfpXVLXbRfG20ozjYysA8v6/bd +yBAFXkBSnkWLDjwTh2A/oGOlpLpF6VQs2lbXshFamV4kYTEHITTlFcpolGcCAwEA +AaMbMBkwFwYDVR0RBBAwDoIMd3d3LnRscy50ZXN0MA0GCSqGSIb3DQEBBQUAA4GB +AGDWwGwd7XFWl5PuRRaD6Il0fvwmZMCwF7/ZaT8z41M6B1lcMtFpyZnKVnNlBiVq +xohS7FWGOtNlumAyJlPBOamlP/YEwNIF9ViczVP2gUgAGt/ORHDjAfMpFvvWuuWn +ZN3sUxByKZ4dsabGqZjKFRn1sjioN27d1zKaQUAAk5a+ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBaAwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAzeyQKMhnPliae0StIhU7iOLM5mNAZ1QaCmHg +ERKKH0uSWYyAe6PVfv19INdeDWNMJD6STv48XnfgEjmN6WMjfMvsgDt14VhZ1psp +BCpm6haqO25B0G15QtW+jPZzxYhWugqBeGbUZKmn3S1XCI1lwK3Pot3bZCWGFvd4 +nDIr0V8CAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjMuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBAD0zwk8VDRgVV4si+F9UusIi6Wn52p6R5koG9y3VPffD311PJsADaHkUmuZD +AXoZpJnPhjCvGZr3a4+uBu/u0DJ/bQmWzF71ZV7B1jMNU7mY2he0m9BUV51Fuzmo +iwJlqG79kCNkOorM5GZGvGIhTGBpfiRgfuM8tqsR14o+CURd +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBZ8wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAxf/HgvShafzkOloC3RxJSnJKO5euYPGgmbdT +6RiveMznQ6d30X2jEpT5F3HhhUDNGhaW2JO5OqBXfXiiB6zpxEXbTCW+RcHevKkT +iIOCgqK2hFUiVJGtPntQn4IQGWV2HZB0jstC6F34nSafw9sAVkkioMdvMuXH0tbt +1Lx+NSUCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjIuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBAFUJltAwOJ9kYlcec2YSr4Ly2ze3sKPJxJuXKEp51h9os5lz2XolYHcpjEni +p5ZesxiLdtFbXXAy7OH+5QimAN9BvWXG2AuW83oPT65mlBSZIhpcIAPPZx6egSSQ +Z/pT+fCKRnGu0zltdoO2SNSb+i+nNXjByVPQt024VdnufaJ/ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDdjCCAt+gAwIBAgICBZ4wDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAzNVoXDTE2MTAyMTE2MjAzNVowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAMt3pACHEotGkwBgzZ3Mg91P08RFDoIf9Cb0UHxEcVFL +FaVneTUKmD9LxdtDU5OJCPTgYW8nJiJTUEGbc3TfzrCa5zrq4lpKYfDH0LBVZco0 +AkTzz9/NCbkltlLivjblGeURSbNtZRkBjJ83fHEYFHJtzeziCgxN5JsZ4mY+/r5P +AgMBAAGjcDBuMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMCAGA1Ud +EQQZMBeCFWludC5sZXYxLmNhLmF1dGhvcml0eTApBgNVHR4BAf8EHzAdoBswD4IN +LmNhLmF1dGhvcml0eTAIggYudGVzdHgwDQYJKoZIhvcNAQEFBQADgYEAmzKbZleA +w9P0nVJvr1etPe7hFVyqVB57LqmBnh9dx2kHPzzErLAfJHISHVlf2XJBBgE4e/sd +0rEy4f9qtFfep1W9fFfIK2FD5ltGdseKFeTpLtCio2EJmhX8VDBe3ryEGgnL6Rvb +6zL7bjG67htCIDFGeADhcdo4dHZ1zsbIBAA= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNameConstraintPermitRight.pem b/src/tests/data/x509test/InvalidNameConstraintPermitRight.pem new file mode 100644 index 000000000..00da5076a --- /dev/null +++ b/src/tests/data/x509test/InvalidNameConstraintPermitRight.pem @@ -0,0 +1,99 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAoagAwIBAgICBaUwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA46JkF8OGNUalSaSDTlr3fnNMySgww5I4B4Stx+oXuCSSDv5+ +7ZfbVGWJO2DNen0mbaiGSIx2+vNilJ+MZPH8b57gRFDw0B671cQiXoy5Uk1ewjuL +qFbMGYLLBdhdiaq5rt1J/5ui625+qvN0eroE8xvos44JgrHfe+d1Q3g3vSECAwEA +AaMbMBkwFwYDVR0RBBAwDoIMd3d3LnRscy50ZXN0MA0GCSqGSIb3DQEBBQUAA4GB +AKUo1PZnjkiyQ0MNqTU3gqJpzZPvh8fL1kDB46dTc3oEfuLXHFQ/Px8fpqpWh2y7 +tZ4bbHIzsel0w36R+VxZlzEa9OGi8h2cuUI6Td57ghD7K9542NKUkviHCW7numZm +iHJ0WxpEhMlqc8AuV4MF217mVDb904gzBSHbNh1k/7hP +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBaQwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA1zCgafoq+uf6A4/QrlroqLywNj09nZXmXK9F +HqgOxCatL8eVvv5I3Gug27Dut4cYmxUPhLM1YUm99eK9w8fjRn/RZ9LgKcpwCMZl +jUt30uFOInqC7X3JDiJDONgDrv6hPbNpDHJHOpP+zIozZYRJ6b8Ny8GUw4egbBPa +FBgsV40CAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjMuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBADnnZd4jyd0LBVc4DgMy1K/sWa1Y+YxLapzI5C+3gyEo0AjcYzvizCGoH0Fh +KWlvknAip6QyFdFEQLAeTYGiNYnBU+hhNrd8HejaFe5AZK+WLSOoEqIewwYDxGH9 +jWSeOPIMA8WdDFTao1Fe1B8C3iJdA4ya08Bf6N9fQK8CTkG8 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBaMwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA1a6Iet+pElb/Wpgj8zIYU1KtjgGqKH9PdYX3 +TzcpVImis8bBBVQ2S6d+RjJ8L9UduEgUPCcaenXCOLS9W0Nna7HPk4Bi/kbx2CwS +xAo6JJFaWYvcrX+RwdIf+2QAxA26DZfBdKFXMx3rjEv6KEiW/n7tf8MQ1gESv0FV +dBuAolMCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjIuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBAE5OCrt7E9FHPC2U1fbm1Pw98ADu/+5qeGV0H+yHCwwSITj8RCt4iqyf9cOY +TQkApYxxb9qtfgrhpUCXshc+RMZ+GBIMaF6KPvA8Q4mR+ygdjouOkizfrjjVkDVz +IBo2rWieSVv2E0hOvuj5Il8kSwtufpI+jd5KdSBlwk+81dcA +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDdDCCAt2gAwIBAgICBaIwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAzNVoXDTE2MTAyMTE2MjAzNVowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAKi9QUr+ALhErVJHA+VsEkh05o525a8ttlRXi0Gz3Uk5 +Q/3m1RZYdIzTP030DG5zl9UXCwzjH340qJH+EdtTUd3ObLkmwUQu+ZjR5Al3QBfT +p0zdED4mXwP83aM1mZKzKug4lOyBIgJS8cGkQ6HXSw4pDibDqT2FcdTL9vvqinn5 +AgMBAAGjbjBsMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMCAGA1Ud +EQQZMBeCFWludC5sZXYxLmNhLmF1dGhvcml0eTAnBgNVHR4BAf8EHTAboBkwD4IN +LmNhLmF1dGhvcml0eTAGggQudGxzMA0GCSqGSIb3DQEBBQUAA4GBAB4XPEcOd6C4 +cf3tDRlRhBoOgXhHBYgOWig8PJfrHxld7oN5wB4gNDPHJ+iDmurchnYw/+eUnvtc +yvrwNITZPCiezotwzahJth+YHtdW01s91hY6nRw0ymYz6eBzM9fWnR0ponsfK0wx +dBOEcZTRvIDFUHSUCQC0FM+IZcdilbY9 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNameConstraintPermitThenExclude.pem b/src/tests/data/x509test/InvalidNameConstraintPermitThenExclude.pem new file mode 100644 index 000000000..fedfe2893 --- /dev/null +++ b/src/tests/data/x509test/InvalidNameConstraintPermitThenExclude.pem @@ -0,0 +1,100 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAoagAwIBAgICBakwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA4Z/pPfSMPZgg/bImH0j8j8+4qDDsZWCRa7Ra7KSkD/PoxBcl +qA/KBo0h0uhRo3CiHfefM43UrkLQxVtEZGZYyw2OMP872mdvLt1AF/9ZKItjrRYI +WxuXzhgu0QzgokUlYzCyFpl7gtTrWk+SJyJbwuVx4udt3I+x60M2I+wHTlMCAwEA +AaMbMBkwFwYDVR0RBBAwDoIMd3d3LnRscy50ZXN0MA0GCSqGSIb3DQEBBQUAA4GB +AB9QtP9p/q9pk+EXTZ8SyTfEnit8i8f2u4aaecQteKTkI6uSrBPxfc2+ICtS7K5z +OGLo9zd06utdUFqNALahTZB1eTXFYwqq5sUvrsaJrDcXFQh/zaRf0jHINbmKJOLM +3I6Y5ZgY7L1tRUjjVC4/259vO1Wsij8+R4uHvYa/OQC0 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBagwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA3thjDA2sxHu53nc6HTKksipHDMu0/yCPd10N +l9GfqhK3F5T17R1Rbw7uJV03m6wPY4oxUBlYA8ah3M7pXAUMSbhNV3XmRwOaMDKg +ATeabnvp8cAqvkht6EgjV8z9/lEhnOFj6c0uXfixrsDP0Vh/fcdGEv0J15OqFZFb +VwBq48cCAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjMuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBADMERR6zxo4VqaeTp9ZoTyzQnMjxC7hSlk0rh4nCigKbjvacUlzHZ8Y3IkrE +BGPsxPqOhwUTQKocIKWRpa4k+gkTWK/F5Bc+rGOECWNGOcx6nXodj2r/YeIcV7Zs +PMR0Jm4e0UlYQXehsdLqAQkXj0dtGq1P9RcDvBgQ7FuMZdZ/ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDaTCCAtKgAwIBAgICBacwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDM1WhcNMTYxMDIxMTYyMDM1WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAy1HYncuyzWVT9aOjiXiR2mIROZpsmsmOWRaD +tnJq2e9IS1biUte2dStyenB6GVSEIdz+W160CqDzxljbNQ/6bRsFgXkaJCp76Eo+ +0ho6J99Z6AupchweIisGRlTKVy0QMs1jduQHnA18dfyhPRec2qzf4Z+5GuvQ7bCL +UQQUVa8CAwEAAaNeMFwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjIuY2EuYXV0aG9yaXR5MBcGA1UdHgEB/wQNMAuh +CTAHggUudGVzdDANBgkqhkiG9w0BAQUFAAOBgQAbmBRP1wD8DrpZqKiPBUVvIjPP +jUhAzxnjJIp8LANZE1Q2S64tsapW7hqRDEwqihfFXZ0R8U6Mq10prv1ZR2qmwZVW ++wcdlzFOT3+/v2PmuLu/C6xgXRnHLMdTXZuaWKMG61H2rrjUWz5MdfJu/EIwHHJS +QZXoeQfSkJnZz+g17g== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDdTCCAt6gAwIBAgICBaYwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAzNVoXDTE2MTAyMTE2MjAzNVowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAL6W2iiMkMtBSzeGiBREFbHWxaZCT+AyFeAG5MKszv24 +L8LMyFlq8a3o1Mve3q5LaiFtqMAIcgTNwkrLZfGpQwn6UinpTHMpDYCwBjvVmoJA +HymK623+2GpiQ6INGL4dNsQCniDEBgvHGaGBIov/T4sFZZMUCh9AD/2XNYcWJVdn +AgMBAAGjbzBtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMCAGA1Ud +EQQZMBeCFWludC5sZXYxLmNhLmF1dGhvcml0eTAoBgNVHR4BAf8EHjAcoBowD4IN +LmNhLmF1dGhvcml0eTAHggUudGVzdDANBgkqhkiG9w0BAQUFAAOBgQBxuFm4+Qlt +wy2CUH5Fwu4q3UKYI0nqGVFWw4sRXAhE8ekh8A1wOCsFbV9SRPl2ZFEIpSmUihjb +IeRA1erlO/2xx8TY734wzHbp+U6qjWoWWbC4v9kMoW8EQVSwWVZ82+Y8LPIVB0bP +kEl+OP3ah0WaqXVuQzAQlXGYqxZFWUA7Wg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNotAfter.pem b/src/tests/data/x509test/InvalidNotAfter.pem new file mode 100644 index 000000000..710607051 --- /dev/null +++ b/src/tests/data/x509test/InvalidNotAfter.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC+zCCAmSgAwIBAgICBSIwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAxNloXDTE1MTAyMDE2MjAxNlowgcAxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRUwEwYDVQQDDAx3d3cudGxzLnRlc3QxHzAdBgkq +hkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBALnLv3AyB82npd10twi+JMFEC4PCM9h+P4YjTdMi2tu3sDZKeJ2r2SXH +4Lu5TPNWcB7x8TQqIYO9LTBV2q9afq5ghT6DyTnAIjMK6u4kKOqU8Bw2mfiK7HDa +3Jt5C53qzctFCcJMSGTU3Wa5jQtrax5w8GyIu4dYS6BtAW9cwko7AgMBAAEwDQYJ +KoZIhvcNAQEFBQADgYEAHvDGEqV4hIrP8niDoTkfDEizGv0ZvoW280wbuWlprNbu +RNwGJeIS7SQWJ8KazZM4ug2A2/CpFaAOCZMnP/DOpEYOqU6BaDWLNug6FqNvI+zD +W6BJ6WvBfVv2Da9iOMe6L8JyanjXAGQlY7hgZh6VmUUGb7cbV+8TOog9iMdyWQg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNotAfterChained.pem b/src/tests/data/x509test/InvalidNotAfterChained.pem new file mode 100644 index 000000000..25ae1c861 --- /dev/null +++ b/src/tests/data/x509test/InvalidNotAfterChained.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBTAwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDIyWhcNMTYxMDIxMTYyMDIyWjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAsbQhSON6xrzAMoVeGM36YP69fH5qX2arKKwaVvCTgfbj3y5/ +jPCwgCmFkG+ZVEUS6crc6/1Rf1jfva4eYsp09KamdJZXoPtNqWPVZXAJ3JOb3zYx +QIWwb3SJOhXGvm+Di7oH5qbaPHrNFnHW7ERgvEfcckYCqFe+PSBgMG8XIxkCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQATTavXzwODs3/8Extn3yYClK3djy+ZoEwsqYy3 +dTeqysXjQ1pkVjqYlvAGtX4P4Rz48z4slW3GdhgqCH3T+fuGFpUpVH4rMVa5ZfGj +i8XV0NE9ZbZ5arw05eE5u6MCENcVvK7SvzRRL5M8J1e/Phf2G8mxixmtCzC7LN7n +J7W0gQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBS8wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDIyWhcNMTYxMDIxMTYyMDIyWjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAn5YPsT1SO1RWYNqIpfVNNjaHBvfIznu45nlB +xj7v+P524kPz7CO4RvDvQjL9kf6+pyjyMC7Q52FfvVMm6IzJIlx1EwMRxb/l9ved +y4EMsL+BSkkmRAz/dwZWVe3OmDj3goQ3dQtcC1tdXUsC7o1o4u2i5qJsj4nLu0Cq +HX2syp0CAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEABrRNnhboO/3EV+Lv4svTXtbGG4sBzets3Tc/aHIV +t1smo3Q+wVAnN8qLPcWSBJxC1WtVvS9UOfY9tpbU+5YRbMbwLQRas2Rz1iCgHVuv ++T4Qwwul5Auz/INbOLbYBl1w1hbcmoxH621+8gmUJtrTIIQyQsb7HyuYy5nLqyWr +i1s= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBS4wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDIyWhcNMTYxMDIxMTYyMDIyWjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAzYW1/olecip0CmSEgjshaDvRWVRbvnjSzCAk +We4h+CC3P/OrCOigj6UJJ0dKoZ/ANoxJAr3ve6iOXPxCIm9pHMFntUFHYTeVODYS +kSvxajE7m+5JqIXgMtk2i5yUMK+eeNOddwBdghWt1gAqf36fdiDw+n948mPCrRqr ++StY8ZkCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEALnjy5NAAhGpwD20HSEl/cx64qYn2LGSV1QezaKMx +8GXiFpt9r9wHE/CkuMJpGXkiQjw2rYjUwFDQZkXobi3azMzVyZ48BkA6//WLQ4wC +m/uJ0Y3+ONIF3NVebLbftgKpPhPvz+lbn5jd36minKiGC0zdiXX6zYYIA4A5xmpA +kG4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDKTCCApKgAwIBAgICBSgwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyMloXDTE1MTAyMDE2MjAyMlowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBANQlSEGZ+JsH4feAXMn842mpEGMEUIt70Po2IJZq2WVO +pLNmACrrYXu0zx5H0KLuL/Hgndc9VbYf07iKIK5Ds30glpMJZ/TfS4O/qNAnRY7X +LA1vNFYK2TANC1hRMfaz1KrbuJb4JHkueVCqYjqMfVSwJQE3GXZUa0fQ8e/qEYwd +AgMBAAGjIzAhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG +SIb3DQEBBQUAA4GBAKHEF9BD2UMwOdm5OajvkunuLruEeaT7+MwZnGG07d/pEvfz +urUi61RjbNkCE4676SLd7EDbBxrbFQH5NcFVj9VlZvUC2mX8vuu9zhRXTOoUsJFF +brSAYdARmQge/tOrT34I/BWR2Fi5wWbs+bRo1SvN1a9l3J7BUzmqsgYPnlXb +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNotBefore.pem b/src/tests/data/x509test/InvalidNotBefore.pem new file mode 100644 index 000000000..4e18b4bdf --- /dev/null +++ b/src/tests/data/x509test/InvalidNotBefore.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC+zCCAmSgAwIBAgICBTEwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +NDE2MjAxNloXDTE2MTAyMTE2MjAxNlowgcAxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRUwEwYDVQQDDAx3d3cudGxzLnRlc3QxHzAdBgkq +hkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBAPLeZoJev7YWp1dROtVhH/brTvxADbB5Zc7d4AJuCY6+tIDxIi438IZx +Xjr1Mb3ptD/gLnvekc/BjAiuMssu4Q7NZbanwDOElMIXKmdhpwRWYKZfDEyJz5t1 +2tyZpJBWUrL26b2+GttLg7lfeT3qg7srnFvqEB3kGN6L+rFajobrAgMBAAEwDQYJ +KoZIhvcNAQEFBQADgYEAj6/9hGBdOnz2tree0Lk5Nt7wWhKboYXMnBh8rqugCgAm +2a+PGiZMMWMSHBGD2ArEMmTqCqJElMx8gLuPHESNWTCAxu+kBQKTQ2ZfftAcoi4z +2Bk81ofO2SZMpOCZ8N25Imd7EG59FE9ovYM0CQkVNho2nDdnkiv51U1Q47m52aI= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidNotBeforeChained.pem b/src/tests/data/x509test/InvalidNotBeforeChained.pem new file mode 100644 index 000000000..412eb578c --- /dev/null +++ b/src/tests/data/x509test/InvalidNotBeforeChained.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBU8wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI0WhcNMTYxMDIxMTYyMDI0WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAwvYZAtfuvra0iFtp2F+zznHtGNMQDH0wpAuQLpLf2kp/vEXV +eBYwq5m9s16trYLC+y9vaC1pgQQfixuQA9xY3DswQyPIztcIPz8r9LQL5YQ8EDzo +mm64G+WZ7kn5xX4zCRmX3mS09tQOhe00Thqg+JIkcmoG7hGbcEEZ7iZrRocCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQAeJrnaVGhxc0Oi8a29sTHaTQB9COvE0Th3ZqZ5 +sZ0fKadhmR52C+acUv45rNPwwb8omiw84PZdh+bBYTs75eAEDNb3YlFMb7IQbhlV +mebUO1g0WQ5S7Yd1NPpP4BAfGHkEhXJTWY8dzlpFtubRjlcVtJlWdRi4yoPTfsM8 +HxuJlA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBU4wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI0WhcNMTYxMDIxMTYyMDI0WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAp1rCp+dbNbi3SpGNr4fgJDXWUKa5ydd74ryZ +1TyMVHOaJZvAupi4hFrleQcVpTmdtlNq5BRvyJW1sq6H7d2b3TSXfIi/LdvE9wSe +Wt/llQbp64px6iB1bpHNdLiIr8BcOciqupSNyiMIfPXQ3tRXWjCd0fZcIuStQEFn +bxkWdbMCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAvYoLXJHeWQkFv1315AOAQGpsdsN8NFnONtvWlczN +PiWAI48ZzzxA1ZKS38eELVtKyl2EmltonB2WA3aW3OAPET4ID/995e6c0m01hQ68 +Fxca7n0SKq88AQpUm6a8T/RgduCu77Jjv8wKj0AUH1qCX8GogpdFQTUAwhdvfGnu +pX8= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBU0wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI0WhcNMTYxMDIxMTYyMDI0WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAz6xQVmb+uXY+VNnWYkBuOvMODOzh/v4vMkp1 +n9JNvqmrb6A6UUtD2/2/uuGEbYbvLKmjijSC2b/no79L1fd8sNbAEi5rUPPlTTwN +7j1C9bduyyAoua0/mvkxW0jgqHC2Bbw8J44kZM2D+gfTxFe5Iqow6Z56XLiGoAYW +C5BFtWcCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAchcIZ6Z4LiGsR7UWNd02AJaihwZD2HqHSlY1753K +e9gztxydjMyyHXgVoWc/ZBM9NBuchJwwTb8oEHEfKahIRmZmj5pcvj2KCHz8XQjo +TiA4QrX3PB2b7ZR178NsnUEUuX9NRKLwnTMIYM7IsDpDBC0YLA7VZGnzemlvsgwl +Wbs= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDKTCCApKgAwIBAgICBUcwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +NDE2MjAyNFoXDTE2MTAyMTE2MjAyNFowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAL7MqH32J1i03pXI2CNPR1rc135VJoJIR/u8B1cc5rd/ +rBkunOXV4Ouk0GpTjnk8z9QjJQHFMHpR08AhF6/ILoBDnLGqox1WpS1b1tjw97d0 +uD0mlXRhv/amaBjhK/To1PeuQcdzWrwfUzeanQIc6eJQ2Mg6RxLLnV8DXfjUZ7tZ +AgMBAAGjIzAhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG +SIb3DQEBBQUAA4GBACyvNhQw3lDTtoTPKfGIEYWsdxXkPrLCUM0V4lNGAdFk7iDb +642lISrtLNks3TfyeuW2R2lwedOExsJpa2HJdvApo9a//a9UULcjiSvzlc5ScjS2 +WL5zhFUpuY/g/JNBW1EM/B7l5W/6S50Q2tjr2AcOkoKDmKegbwjXwLuD3FCu +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidSelfSign.pem b/src/tests/data/x509test/InvalidSelfSign.pem new file mode 100644 index 000000000..e86d22825 --- /dev/null +++ b/src/tests/data/x509test/InvalidSelfSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAmCgAwIBAgICBRYwDQYJKoZIhvcNAQEFBQAwgcAxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRUwEwYDVQQDDAx3d3cudGxzLnRl +c3QxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcNMTUxMDIwMTYy +MDEzWhcNMTYxMDIxMTYyMDEzWjCBwDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB +MRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNlcnRpZmljYXRl +IFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1MDkgVmVyaWZp +Y2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEfMB0GCSqGSIb3 +DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAqv3vC7ay9UTYAZxJoovYraYkjs8is7YpfsHJXaqvHtPj2xutetMCYcIwVexG +amD9z5pl14ZGtWUO/K7Yha5Fqhrk49bH/M52dcV/2LnXXeqti+HDVfzsxdc2z311 +RYYc7xQxwo+ubnR69qkGG3KwbdouGTpc47NdI7A0gUkavcMCAwEAATANBgkqhkiG +9w0BAQUFAAOBgQBmFIcuPVsCwFh9rbOkJfm8rE28xX6ZsY8qXOnZry8J1LBU9EaM +UNnsRG9VB5XWtdK4eoBJyTixVDz57rRUVO8ElrfYAIfGe95oZlJc00xT3P7UXRMa +AQia66AIfDbvQG/MWZL4mgCm/DJZLPbUf/3k/ayJmw4O3SPyKJ2/D8KrIw== +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardAll.pem b/src/tests/data/x509test/InvalidWildcardAll.pem new file mode 100644 index 000000000..d5eaf6b12 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardAll.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC9DCCAl2gAwIBAgICBYQwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgbkxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMQ4wDAYDVQQDDAUqLiouKjEfMB0GCSqGSIb3DQEJ +ARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +sQKpi0Vjn+H8G+GcTxrp6w39KXYKuyUfILXe+vuo2Au1jomz3E6t7aiiul+EuRaf +uA/CMIdT8yl4+KP8VICqSbOAuknRlSeOMs/6Xjg38TcP0f7aaLBt5f/qt19wF9+6 +AdYUT7baeZ/QwAWNIHaW/z6DiXwD/BV53vzH6D7IcEUCAwEAATANBgkqhkiG9w0B +AQUFAAOBgQCruQezcbBRplYmC3rQwZwoXbe6/QOKp6jYRhmC3iWPQMO+udgeAI9W +g2w2wuayZhLYttmlhEPrR+qKII6CZ0wxOtUyuXP3fT5eNJEs07pvGTaFhPmlYprt +iYbtbAxSq65PYl9lvUBdqvmff5bu8Qaxo96uDMHtxlVRtai9WTAbvw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardAllAltName.pem b/src/tests/data/x509test/InvalidWildcardAllAltName.pem new file mode 100644 index 000000000..b1bd6c1af --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardAllAltName.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAoqgAwIBAgICBYcwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDIX+1/MXEwTPXFImigK+Dx5xCBHljUJ56zvvfv +W2Gurq7/R6YjVyY9c/G328TbUssFHxi6YdSwN3XhuM0CVxCmkKo45Duy8IAUtKM2 ++yAbC+W4fMaRvLN9Ff/Q0t9CCGs/5wFh6EEFP/FWH81P5yquNrkSBof+vvc63fAW +5GVwjQIDAQABoxcwFTATBgNVHREBAf8ECTAHggUqLiouKjANBgkqhkiG9w0BAQUF +AAOBgQA7TNSyxf/cXaLBRny3SW4BhgsOW4CP3K2/ANvSHbBnNvy9UnAGZXTbTrSW +hmCQqIsJ2qotJsWnytCBLf07jhO6uYohFwKWuDSGBdBoOnrs1fuQnlRBWHgOd16q +SAc+snIsoLoQNWyLm2ghCHFTWU+z7OodCggCHwmedpLErBa1og== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardLeft.pem b/src/tests/data/x509test/InvalidWildcardLeft.pem new file mode 100644 index 000000000..e7e0fe605 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardLeft.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC9TCCAl6gAwIBAgICBYAwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgboxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMQ8wDQYDVQQDDAYqLnRlc3QxHzAdBgkqhkiG9w0B +CQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB +AMzZREK0of+aoPJkedjQ7JoGU14YetcwhGupU3zoXAvQJkTgax8LNzqQ+2JSeKfg +Pt6+K0S2uXIRneHYAlSWUSvHoSxplsCqBZER7oVLx6dbLNxSNu8ZlwuH0py2DpvB +cvLcLgx6NaXat4oA4lBjPC/a8rcfNfxyX8TNy2X2sBLzAgMBAAEwDQYJKoZIhvcN +AQEFBQADgYEAgVTj5F3n+HwNz7QG24FF36T2NfQ2OdLo0XmkS27dhd5gX/X9aFlK +4SnfKy0HX+l0Y2b9QCfmxjBB7n12/5msrOHQbKvuYTeeZ+e5Dz0NGU4hXZH/qTPg +EQTQr96LcSh+RQMSmi1VhgeqZZZ3yWPJNLtFWCt4aBGBBMnT0h5Ksxg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardLeftAltName.pem b/src/tests/data/x509test/InvalidWildcardLeftAltName.pem new file mode 100644 index 000000000..f91e83b32 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardLeftAltName.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAougAwIBAgICBYMwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDZ+EVqAyuE6lRwlLSh/oJusIiZc6WKasK6jGpf +WgOU+f/rPDR3SqysRIicKxVEu4bpK9d+QGWwUIwI9bGtVlOSKeRMgFPPYOcndLW2 +tKvRQ5L/f7py/fk+n58JsHvXVFTG9CB2+qgzrsct+sRt5AUDyl0tJkiVkhDHPYhQ +W+N0/wIDAQABoxgwFjAUBgNVHREBAf8ECjAIggYqLnRlc3QwDQYJKoZIhvcNAQEF +BQADgYEARfFHSnKF+AtJ5G5mNPQYOylDYpDu3Vypcv7uSpYkpguGaMsjAda3/TI0 +S4HlFBBE/TAx9v+HF0jfXq/rVlgzhwlA/WWru/ByCJOQLZYwQKvia0lUI/g3N5DF +/Xfw484O1oqhObq1vFcH1Nf9xCxAi/Nt8rooc14lxG7RyLGdLlM= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardMid.pem b/src/tests/data/x509test/InvalidWildcardMid.pem new file mode 100644 index 000000000..11a9547d1 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardMid.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC+TCCAmKgAwIBAgICBYkwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgb4xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRMwEQYDVQQDDAp3d3cuKi50ZXN0MR8wHQYJKoZI +hvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQDLn7fPepflQP2HYMoNIzWj3nCkYsjY2PLee4hNKwjAtaN5d7VB+KSwTExT +sIR879bhnhrsAarBCgdsfC4X1kgFVy+TPQBjWVbUCyUnxX8+1iDLODSUkusxiDXj +a3WSxb/Y0WLfC5NMFhp8DwrDhDba3pyY0gQ64rkTL0RlMW5AswIDAQABMA0GCSqG +SIb3DQEBBQUAA4GBAK8kfCilBCqNP5WICILa8r6UPfeJRlOXf/tt+AUbfdYo1w4/ +iyszJwc6ris8aIbEpdeCjo7iDDloRT/D3vCfBGcy6l0IKPziZOpKN4ytyHYjelRv +QVNPfBFZ/Zy+jDAYAx+50ntkcB9NyOPOYNZXLaG3GAY++lMQJrH0bSwQFFtw +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardMidAltName.pem b/src/tests/data/x509test/InvalidWildcardMidAltName.pem new file mode 100644 index 000000000..d4a7e0b03 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardMidAltName.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDJjCCAo+gAwIBAgICBYwwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQCpu+Fwy+cvq04SskVQAQL9ID9QLmipmH/y27Kk +LKbB7gXUedxMEbJLE5vvaWvVtYO3taAVsuQh6aNt7b8cXSjzXzN9GIE7rVxOSr5b +3Lc9cqq2B7Jhp9HF/viAMAVvjDWR/MPOkQV0A9tlY640B1yXhwQCCSqI+bvZNgof +No+z3QIDAQABoxwwGjAYBgNVHREBAf8EDjAMggp3d3cuKi50ZXN0MA0GCSqGSIb3 +DQEBBQUAA4GBAEKuXokalBre/8OU43XtOoKpFGY6AG80tgNW1+Uf2Yoi7b/uxmCQ +E6TyWpWwcEM6BiZskbiZE/cUKcbZcDrhvgLngj3oLrAIQRuAK1wsJngJaNjsT2vt +KBznbSr7QYiO5tjrmVhuMZN5Yie9LaZ1fUmqPf7jYH1KeVs4uHPWmOzD +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardMidMixed.pem b/src/tests/data/x509test/InvalidWildcardMidMixed.pem new file mode 100644 index 000000000..82c554554 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardMidMixed.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAmOgAwIBAgICBY0wDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgb8xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRQwEgYDVQQDDAt3d3cuKnMudGVzdDEfMB0GCSqG +SIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEA12d3pW20ggJr+ql15wOx4qrbMXx4Y5ajC39DSOs7ZHpSUadvzuO/84nc +TDCBgDk1YcVkmMezp2lBd+VIgppQ6I841XXKWEpqIg/AOMmBgt8BfWtHJ6TtXgU3 +tbAncg5bVCHFV5c5m5el1Ovg8dseqP4HK3AQxDZDfFgZ5vUDobsCAwEAATANBgkq +hkiG9w0BAQUFAAOBgQCMxsaEoGm9uPf1hOmgLErI9+nwxUsGJoRr1fRlO0uGF+nu +Ek8bT3rPlb+Kzr0x+qqOQqczs2+DTGuayiTdeJHWTrJInByJREdHJ4nEDDuW6WqX +TlQ/EK1QIyytuvPPGD2m+YQiADL8UI7SwlYAm7R/dKZFdww19fESVklOi9NEDQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardMidMixedAltName.pem b/src/tests/data/x509test/InvalidWildcardMidMixedAltName.pem new file mode 100644 index 000000000..3e3c4fdd8 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardMidMixedAltName.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDJzCCApCgAwIBAgICBZAwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDAqz51KTTwasFgU6IkK589/dM/hSiuxApyRkcv +LwFI8XFoF8Kqu7Mi/O+cWfzD5eVJHPN3H6xASSBsVYc3uOgY9pbM80KMUSMovAcI +YBJ9aTv/uvrKesXhX/BiURbnWj9jkHaWWlnnXSNnw3y6UovI6K//hU/+u8QP7pKY +DKNS8QIDAQABox0wGzAZBgNVHREBAf8EDzANggt3d3cuKnMudGVzdDANBgkqhkiG +9w0BAQUFAAOBgQAgMKayhXb38Gbl7q9p+LI5yyV+gPsYQYIsZ1JlAvcrIBrlal/6 ++5yGM3ggqmzz86umeQX+pD/Dj5eS0J6NNzAuyuK0Mvq9CI3sXlA5FpptIFumA+NM +t+nOrqv2uKHeL5+9QLHVpS03b1ecyE6BM54YWwk/8UquuNE2/QEq4/Jq5w== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardSingle.pem b/src/tests/data/x509test/InvalidWildcardSingle.pem new file mode 100644 index 000000000..ef6992c09 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardSingle.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC8DCCAlmgAwIBAgICBXwwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgbUxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMQowCAYDVQQDDAEqMR8wHQYJKoZIhvcNAQkBFhBz +b21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmwWc4 +AgjQxiczSc8sbiZMUpm/NvZ7ncASTpl3H00d7GVF4wBLC25ZKke7cABz4l0SjDx5 +7szbDVAFkkoGcYN0uU1H5KYrvn6T/KZBGDNxTINBSLigzx98fP6KjunVvsKXo0zt +6ILxJ93GGCvr19aYPfekr3rzqbHSzCjGYMOATQIDAQABMA0GCSqGSIb3DQEBBQUA +A4GBAGg1BmBeCbAoHM4MqhX4STpUl+fQ+r8Ge+5HpmiCDE+Y14C+MRTVo+HI3/tW +sY2C0uM565/I/Gt3PdaC+XMvQ3f/h95nyxEgJIF2Hb2UexfY7rhUSyIvSN6QfFE3 +RhUIjIz3ycG5l29nUxefVXDsBm7DJxD6cAl6GAiTt24UPsqs +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/InvalidWildcardSingleAltName.pem b/src/tests/data/x509test/InvalidWildcardSingleAltName.pem new file mode 100644 index 000000000..2c4157cc5 --- /dev/null +++ b/src/tests/data/x509test/InvalidWildcardSingleAltName.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAoagAwIBAgICBX8wDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDb1MaXH6cTSHnJ6JiXn15cgl1/Y+v3RPpnNwYH +2kGJYRSxLP0CjZWJxfK5fGngREshLnEFj7Y9oIQnUAuQ11dvKxzQAIGSBTV26uLy +hWRM6NHlOY/PwjaHqrT5mFcH+UMp5j6tfRbJr56ZXA4lwYAO2wCRsMxg/1g3cbmz +hNfzwQIDAQABoxMwETAPBgNVHREBAf8EBTADggEqMA0GCSqGSIb3DQEBBQUAA4GB +ADwFt57Ai8yIE4RXJAixmJOY0uZEwzNsaW193Rvcglr6Pa4MIVaROb5V7srrBmqA +IroeFaOI+OYsKw4PqPE6py2bpQWBjia16aBAJdCO8tpZi4tOfk8kJAYgeWaH/nXS +VMnQC8MuVH+FQpJTC/Nx/G0p9YFjHMi8IG1BBQxwmw8a +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/MissingIntCABasicConstraintWithCertSign.pem b/src/tests/data/x509test/MissingIntCABasicConstraintWithCertSign.pem new file mode 100644 index 000000000..7ed001ef8 --- /dev/null +++ b/src/tests/data/x509test/MissingIntCABasicConstraintWithCertSign.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBW8wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA34jzzg8Xh2qmEg91TRs8g/BZ6JevyLY6Sw8j0fDA60GIdrXo +kB5RA9Y4yrvxq4QwkDOP7ytx8TFBUKLxpThyiNNH1vcCNwsHhZe7ocvcMvNDZfPf +cfcKHrGtQ27LWpE0swfE6eeRvZi9rvREUnmCq6lSfNQv+SokgA82Ofpe3PMCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQB97v2tb0rxPu7GshfSG77t0wub+/3eCWGsW2tp +3aVL04S6DZinZh3AHuzQ1oFBVLwVfD1QAsy1+mY21Xsvy7YMKfaHXnjik9vKRjLs +hPuXjM0mMguSGYw6dL+X2K9Z5nqU0oppzlhcKY1BCx/mNAdPGzPrU70gSymCxBfM +aBCuTg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBW4wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAk7UWIs2Bjbt0W5AmVRuVOh7SaU749Ss8uLms +3ktkDHdG+G5rBaeqbFmIFxuO7asU6SoioEqDQSNJbZl6awnvdI/3ZmdyqGocWrfm +6HHH+AmvYbQBlOh3eybIwJiywSC6GdjDJH+I6gxzLQPItOarjHc8C74AqWLeq730 +MAe7glkCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAc4B5EUesuaruiUuRyzUh4GoYbEP+t1lga+SYtq4l +sxcO+9YZSlle9zb7jU5Ykv5BEOtnyL0961zLEv/sLgtOjFwr5inJi2a3a/P3bsV7 +TNQAH3KNI29q/Qm/+A6XaMk/q2aXmQPraIA3s8NsQFOGeIQ4nz9zTyiOKjPQgwHT +b3A= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBW0wDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAw3sX/u/yrRj1IiYRe3q8cid1nocGUlgtpTj4 +II/YlaJ84coohPwDKQ/+Q4ZOHfevU9xabeP94vm+UiOoIyFPJfJI/3muapxsWmQi +F5Ia1kZSLci6x8eE4LPUgB16aCqCH1XgeXPTFmkAKYjGXxpc5SeqTrF4MOLwrUkk +mwZSapkCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAE18x27W7wxwLtR32oBtaPCsR53EW5/cVQzcalZvX +yGPgyv20TPbgE1lqW1PiXJG875uPqWU+97UyV97VTKBqdHsIHV7HCXSoFZnlnd1z +mBkZcl3n1/ba2y2imtHMDlQXCf7GLkzRmj6aVjN2Q0aPeC9t+y0kXtAJajaWKFbk +hZw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDGDCCAoGgAwIBAgICBWwwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyN1oXDTE2MTAyMTE2MjAyN1owgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAL01za7b2MBCkDvSwc2SF6opdd80MnZ7dZWqQzRboXVz +NLdxh833kQ3Mml8Kkc2s7YJ5qstqHQ5M9Suo/s0QYOSU5wbb1ssWo/mLeAuS5Dr1 +/tfsgvBM1lDvjXITVxKkb0DF8iTsgDsj/PnSvMK84nVOGEIOYoP/imG3x6GRc/EB +AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOBgQCJ/MJn +xUsQhyGZxbWRdY2VnLOn90Aky3oTdHYVEkhFDUjS1ZmyOduAypHa9+QKTO16eDP6 +MhrVh/hU8W/4/QThYa4z5lLw47UUSgQcXr8C0311TAEPSTnV+ZpOu0fFjfMv73c/ +qXVFe68hM3ndXiJOJ16L93v5T9UiOYKK7M8wMw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/MissingIntCAExtensions.pem b/src/tests/data/x509test/MissingIntCAExtensions.pem new file mode 100644 index 000000000..ce5d7ca25 --- /dev/null +++ b/src/tests/data/x509test/MissingIntCAExtensions.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBWcwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA11PHrH3zRiw4nwdy3CV8KR0vmJwxLa3k35YuzN49LMyQyeKa +sYfAX3IQky92z8htlWEyejznIJ60sBPJjfPP6vErjPxvJ9vMtHyj8rSzJMe6E2RU +Hpo3UXYdYCLm5xUKx6BhUJU2/u7v6gIddXNx7zZa8YibCdOz2gt9t1qnVmkCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQBbZA9K2xUGOU9ng1QyCdYFN6hvQeaDmt1hMS57 +SLn0vUlJeq6RN9uT94tbNozYE04/aLsRQkXA2f4i2nyYubl7vNPW56TgvjJmXDbd +tNlGm91gLYvPQ87/S6BOlqNeNGzv7fky3LIeoQAXKT8+HkwQOODujrR93hdT7S90 +jjuHHQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBWYwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAxQo/lGJZhEiNiBpflFrzdQJQwM/qGLNwyYtZ +/JXrzGssz1IJNwCkJcZM+Ub5MJEK120LD+jMFzQ5nEOxDRbGJl1aI0GvCXtSQiH2 ++nT+Ld4jNxEQKgpcnJ2bGRyUpmIQPnrlz/6l0u7uC06C8eEHP6ruIHMaOyw0A0+l +eUmDiXsCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAhvk31fgBPTTwnz4opQFEqkP3yw9/3dG6a7J6e8F+ +x0tulAr3IMyIQbNwlaey+OOqdayTWmT2wK/k1JYa7SNVWtWw+kqAjh8KcXEmmwOc +Ygr2RmPIBJD6awEQ+vq8HdgusHtT3qjs0DoNV7P9nx9U5512WXi9qy1CnDh9D+ZE +mWc= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBWUwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI3WhcNMTYxMDIxMTYyMDI3WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAulbTAYuMCmjCPJLCKT0If1fDL8e+t6YQrWmm +fLrW1qx8M2jUCSoiyxKieWStxc6IDrP2sRHDtEPN0tqFO7msQpF/3ldCJxh9Kyfg +uafSpr3aItwqa1oxhmR2+vbLkvjWUAw1BIVuyhpNRBDjvJ263t+75PfwqeKUahIt +h8bIcDMCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAWkhX69giEWoSz7/jaGYoFPMYHRIW0udxRhohjtno +2ToCrbDO+sJQXxymc4Tl4tqXFiaQzD/+wH+WrRp78VRawFVnTUtFPVlCNXgGYVBS +rrYzr9iuveC/YISowDwYf0GmZvhVxa6/62U+g7LwNb6MQum9WbYj8K0zeW/0KWYV +fak= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDBDCCAm2gAwIBAgICBWQwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyN1oXDTE2MTAyMTE2MjAyN1owgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAKqNdXfgN8FRHOohmOpzAgqv3Pb+rp0J4uTRCEzHoq1e +WPE1jYFGwjOJ9IRExWJfsgHMpapchWypkMUTK5XLZn14EvY7+9M3zH3MN5sxTvES +TQBYstlzV7LtfFXebzZCx4A490e4Q7G1OGGu3KqTzF/TdkNPpUQBymFpL3nE/anL +AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAVoILkySxthWJZ7jz2tviJeSQdKhS/fvU +iOPcxKPAFbzvSID2xzTgC/9ZiDVEOZd6/4ohZpS1Ow1PaCuheC6WZBCNCdeY311h +BbfnQ0Wf9VbFs/UJjalOo8ygwAkV1Vg/DfTjpk0FuCTb1u77uuGZXJCo8ThO7b/y +pv+LN+S9LFc= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/ValidAltName.pem b/src/tests/data/x509test/ValidAltName.pem new file mode 100644 index 000000000..5ac372128 --- /dev/null +++ b/src/tests/data/x509test/ValidAltName.pem @@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDKDCCApGgAwIBAgICBX4wDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAxMFoXDTE2MTAyMTE2MjAxMFowgc0xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMSIwIAYDVQQDDBl3d3cudGxzLnRlc3QuaW52YWxp +ZC50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQC1DBM8CLNnuNfYnRvo1cU7mEAvazteLQ+RfSGI +hNEQGMYokUG/1bPs6E730KJnrvqjz/ZN48UPglqa8r5ybTmDEDpR5tR8dcNnWFCp +fJCx2ewfZujqLFWLlsS3lSEA/NDbe6IOvyo2dauX/VAmKeFnHWJm/H0KPJ50KHR8 +rG+IoQIDAQABox4wHDAaBgNVHREBAf8EEDAOggx3d3cudGxzLnRlc3QwDQYJKoZI +hvcNAQEFBQADgYEAWjU68nLPJChlJhaRSnAdzz4XB5VmK8vSkw54WwK8HnjmK0jO +0Novc3HH98Fh06VCFdW/NdbegI/P2xldqJlKP6AVB9Cdr+vecTNZ8P6WrRwBBuJ+ +NrwSm6RiiXxkZn/IcfUqRB1M15igpQvAxxHmjeaLHbX8tUtS6ZnvZGcVtuo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/ValidCert.pem b/src/tests/data/x509test/ValidCert.pem new file mode 100644 index 000000000..204789966 --- /dev/null +++ b/src/tests/data/x509test/ValidCert.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC+zCCAmSgAwIBAgICBRUwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAxMFoXDTE2MTAyMTE2MjAxMFowgcAxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRUwEwYDVQQDDAx3d3cudGxzLnRlc3QxHzAdBgkq +hkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +MIGJAoGBAN6X3nIL0PLqwnjANgHFOCxezp1eg/sfyofyei1Tp3hafq9ZWQn62pyg +2Aqt0z7SRq4fLKGwyuh1sEhazf5xPgy8L8RGUU+ZRyJAHwQXs15W+sbfphs1liDk +BLuFgcUCEEZ5HfH8kmH1lYOfgisxgVhALQseUCBUNfGXbkX/xIrHAgMBAAEwDQYJ +KoZIhvcNAQEFBQADgYEAVpHtniZAAgBrjbV0Kk0IgYyJYY1zCwZ4oiYpl+WeJpE5 +ygClBCwluCfDbFZMBtpV48mYR4f0KfISFy2W5rdOSi2fdo3NlBUUASUuZCBmPS9t +jy6d1QsK3SCMJa9PV6KR7o6ETbRGoji2HvzlpzGxmh7iN88kFBCjZrYEcuQ+RW0= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/ValidChained.pem b/src/tests/data/x509test/ValidChained.pem new file mode 100644 index 000000000..a7248de4c --- /dev/null +++ b/src/tests/data/x509test/ValidChained.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBXcwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDEwWhcNMTYxMDIxMTYyMDEwWjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAwCwNoOZ+rgu7MQ9INb8eGNjlTemzlcR4vKXytUDyX06qG2Qm +0wt+egqkuVIdfEt6yzhZGVysuqZTbwRu8/YVy7P+m4m2SkXa7qwymS/f3JtBLPtG +iUBN9DKFXufyn3SOspu/NZ4bpqJEJ9w0LUGf1LTGvdPoNYQnT+XAUfVAkNcCAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQBw6Mirr+EWa2IMUf17Ae2a/KLdcY9rfltjktyJ +ZAPZSMHE390Vd4NzC+IwUAAwUMjVyhE/JVzf3fN1xV957ojDbFhRgJbRKDkuYp4D +D2C761Fh2vMNTnvy3CShzF17ZeauE3xt5EuZaBYhuLqXTmZPzZ8vRZyWPx0g+wlY +BfC6uQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXYwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDEwWhcNMTYxMDIxMTYyMDEwWjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA3gWLf6PchbaPfsouVbXoPCvt/X5yp5x0Bsfk +Xvsb+fo1ZHJJkOOWFMx2h6+G4bJSXCE2rvyAlL7gB2Z9zG97I6NlLsPtOCdYyg63 +iuOxbBgzkbqzXYCWJdoYm+WbZfKEBkAYh5Qdh6CnCv8MNbdlAqh15M6whqVmVcbH ++qk9CGsCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAj+dfoCHzPGAuPjm0qXy4gF72wg7sK3VibXD7un7A +5mLgHVaNpOPNBFdXGIfX/ThLzzrMGtDHnnWuK4l76Pawd0e/FEfAaV0eiatGzwZ0 +FCA6Ol4B6fTMXBCKJ6XDvg0ONEBzfkJ3JX+6mHIPA18re0kDOPZBCIFNb3lCf1TD +464= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBXUwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDEwWhcNMTYxMDIxMTYyMDEwWjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAtnqePBelZGBjlAsrTnGAOcFdXaS6WdgFp1Ct +SnhmpKvFlsoSDaKBT/dBp5aghAoaj/cECi1cE+ngrOjM+PQgrJpFD2WLFwsRzm7P +TQPIBbtWjI8oCZnkwfvlAl13wyWeRnm2lrSwgmvmqg4aldsTbR032VCRKtmepyB9 +nh45g/8CAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAPnEL+w27sXOAKIHemIWed7MSZq0YMrgGGYifoiDR +0PoGbaG7pvgoFpjHe2B6mfoDwD17rsjjKox2x+vkrsDeBoPa4DiclqUAPuqW4qmg +OnS4o698ccLkm4arfCuk1y4al86j3h3ZXlvGm2RJZyb1UDXXjRgRCrs5L3cFqHog +Z0c= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDKTCCApKgAwIBAgICBXQwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAxMFoXDTE2MTAyMTE2MjAxMFowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBANfFYKEzGMbuSThFeCcE3bCK1DABcu/kxLiJK4/dK2Nt +tfel+Pklt1JAk0vt5o4AtmIH68kSc/IbzYhK/Z9GNcHd5H+T/5jkGKBTDYiwql8v +Mg1qgJN7jHgxvBMTN2GJRY/QATq9U2LPc1gg8K9xJBwkv2b4OCc3kl6jsxL8h3NB +AgMBAAGjIzAhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG +SIb3DQEBBQUAA4GBAMBUe+6du56LFJs4kiD9pNCk6WrhseAsebpuT4HuqmmRcz10 +KhsWmEfXOO8qV9KPktHeb7N9IBEJqWVcBhhNFMjgrLWPwVmc+aKK+IPvFTO/Kckr +j+l+VCVZHrpuJO6ePXMbcZGZIhhmav8kWBEd9eyEm7h9SNazsT2vR30Is9r7 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/ValidIntCALen.pem b/src/tests/data/x509test/ValidIntCALen.pem new file mode 100644 index 000000000..68e6cf91c --- /dev/null +++ b/src/tests/data/x509test/ValidIntCALen.pem @@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAmmgAwIBAgICBVcwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA0P2TWIzoFt6EHNAUW4BKtlwWpn/NMaeQqJHTjewzAvQJ5qul +ZdgaguVAibak5DtnM1XrvJTYDGxdhyQtkFWwgGZS/9VYP6YfX0JspnCPu2jdv1Mv +Ziii2F3fSkvHGIMMs2dXqWheV4jOpqtztr9blhN2Ed935QoX70I/gjCNFJECAwEA +ATANBgkqhkiG9w0BAQUFAAOBgQANla2/x6sDwGwtedPSTvUCx+tp5uQoX6AqlpAY +bv9YWNW97yMV4ZTyfSyppjNf59TFnXcfEDDU3xsoK0thRL8fv+PNmL0lWsL9q7Jj +XHo8w8sE9d5mOvWqjYcwlBOMksI42Rj2nTwEVbH5GC/w2A9y1eJqqbvEn5xjZFsb +1HUnPA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDMTCCApqgAwIBAgICBVYwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAxLsGmdJe0lSVprI7J4xOu+D7iimUDcsM5Mab +tYkT+IIUep5okqyCyEVhY1pzLQK3pABg2kaBkD5D59wGnavxObry0At1b76dAZ03 +avqUs/y2tLjJfp1TC1m7Jvp1m2ehD+KAo1rItgwyNOqRXPkVJL7nWSHNvDWkvtYF +10s8cT0CAwEAAaMmMCQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMC +AQYwDQYJKoZIhvcNAQEFBQADgYEAgmz8CDyA1w10yxjIfFAL1dv4imvQncu4CJTy +iv+jbqoJzYQ24nR85hkVZMCkoTxfp9QQjFoCMGVQO+UwjOOpjcm2B6sEX44nqjTr +UwBjUbdFnoXu2L3U98IHttE9Rx2969DMTXy7zsDUDSFWnuU9BI4i2wtAnQPDtruj +jLFeHRs= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLjCCApegAwIBAgICBVUwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDI4WhcNMTYxMDIxMTYyMDI4WjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA3/Bn96S7g+EduHhDqO1xeHx9KIP7FA2UnLxc +PeblmR3J5gTk4Twzwus0R4+b6qFJp3WN7CvnuaXsNea6bAG7y09ceNKHqDSByzch +ZYKGpZcQ7WDn/4rfWKceIV/qhvQ4zdu5sEVBjdkZVhqbyPTu814zPEOLzQMmm2zh +FhWHEssCAwEAAaMjMCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADgYEAIY5V0/fZq/7iTtq6hKnC+Aa3nGWr5cQC95dzZ+PT +5XfCgIMr3VSZi0tfmBBVTMBkOUzXBmqK6iOORAPb6Gb+tpEGWM8jgLgTx2835MHW +ffaByIL0enuAjhPl3Xhuq8VPUzLNQgprml4XaYPYrQidBcMFkqS4Oz44PtxNQ7BM +B8o= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDLDCCApWgAwIBAgICBVQwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAyOFoXDTE2MTAyMTE2MjAyOFowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBALz4tk1wnzfDW39Lu8fcN4gCoU47RgTiXV/duqvJ36kY +qyJ7WwlgJGOHOhmLJjpt7WwjDWNRRVS8kPPVfhcZDtMX3IgiaRAEWjij3fpUd6Ai +tiJrnaLdyXlCS5Wt3sEF2/qazv44x4SEaeHtO69kZC565g6bOyaPIyKVwnMmMKVp +AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQUwDgYDVR0PAQH/BAQDAgEGMA0G +CSqGSIb3DQEBBQUAA4GBAMaNLpFGlwisXxlMQxRja4FHvdFW2A6jwVH4wJqhSSBQ +wetgAMaSN28uR+HUC0OWss0L6763fa3hzVVMKEhk1nljGoLyn/Vr1SK1P8KNTyc8 +eGNJwKtAjlooMxD4dJvN/kqN7kkmLRGfPK13mnSlP4X3PBa9fXTzxZi4N3QBb2ph +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/ValidNameConstraint.pem b/src/tests/data/x509test/ValidNameConstraint.pem new file mode 100644 index 000000000..3085e0cb3 --- /dev/null +++ b/src/tests/data/x509test/ValidNameConstraint.pem @@ -0,0 +1,100 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAoagAwIBAgICBZkwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2My5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDEwWhcNMTYxMDIxMTYyMDEwWjCBwDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxFTATBgNVBAMMDHd3dy50bHMudGVzdDEf +MB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA1YOhYZy3JK18g0L2gYiDNqgFAmEa9BkNCZmnGmhceJDxHWs6 +eAaLAkWLf8OiedGOnVMgZ93e98k1OsjI+Naml//ekxEDaxSdz+QrFwk7naZcgoI+ +SrlhdDgNhUC0X1DE8I2IrIQUmxCiEjnPtVwImswL4OlMzxPSM4p698cbdH0CAwEA +AaMbMBkwFwYDVR0RBBAwDoIMd3d3LnRscy50ZXN0MA0GCSqGSIb3DQEBBQUAA4GB +AAvL8Gjr/lX6pkBDj+fTJFuhDq27vRQkBc3KtCWPRYO47sbAn7PSj1xjy2qVpf0y +2+5q8DbopxXNYG52PZw9pxotvLf7h0u8q84ruQosmaUbURhkTJoqY4TYz0hVVhJf +VkFk0hnh287gMy7501H5HZi4G3B0/Cb965V4zrqaPLYO +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUDCCArmgAwIBAgICBZgwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2Mi5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDEwWhcNMTYxMDIxMTYyMDEwWjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYzLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEA1+JYv4lqbDzFlNIt9Mc3jI0fDxzAHg4Efdn4 +vuBozAiYAnuXdpDf+CgRP/ioIhfgzgmztzmSAchF5VPRG+xc5hSBCwWrp1OPFyj6 +5nX6RxsuU8wlyzNfZOJ4CpwNrFhWvHRGKvDVNaTYOASGRjz8V3uQ56f/7HmdmBoV +WYz+XiECAwEAAaNFMEMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjMuY2EuYXV0aG9yaXR5MA0GCSqGSIb3DQEBBQUA +A4GBAHrocfhfL6JI0SH0aDhvRTyW1gmD9BTSQvDLiW7VF7fCCh0SEKS8rif75ITR +s/JCnAaSsDickAOCwfOzNxPwwTQupuuwNSZVis0tTy+A3tYrENdLnYjvNfs+qGh2 +OJDbt/vN7V/VXSWwSzDHJSPuU35dygkZwFoCe6CSmxhELZK6 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDfTCCAuagAwIBAgICBZcwDQYJKoZIhvcNAQEFBQAwgckxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5j +YS5hdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wHhcN +MTUxMDIwMTYyMDEwWhcNMTYxMDIxMTYyMDEwWjCByTELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMRgwFgYDVQQHDA9TYW4gTHVpcyBPYmlzcG8xLjAsBgNVBAoMJUNl +cnRpZmljYXRlIFZhbGlkYXRpb24gYW5kIENvbXBsaWFuY2UxIjAgBgNVBAsMGVg1 +MDkgVmVyaWZpY2F0aW9uIENoZWNrZXIxHjAcBgNVBAMMFWludC5sZXYyLmNhLmF1 +dGhvcml0eTEfMB0GCSqGSIb3DQEJARYQc29tZW9uZUBtYWlsLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAvBAI1Vb+DE+Ls0fMCWeLJK5ih73IjV9GXBp9 +lLPa8U/pFuov0U5XyeMvv6OsGp27z788VApHhxNP98xMBA86oAo7C5YpXLD7c7ez +nadlmKq3v3z6c1vDbs9UNViZhT8hSBeFhBvHMY2ZJjimR6UMseygppAlB3CxnlvD +U1ceLXkCAwEAAaNyMHAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +IAYDVR0RBBkwF4IVaW50LmxldjIuY2EuYXV0aG9yaXR5MCsGA1UdHgEB/wQhMB+h +HTAbghl3d3cudGxzLnRlc3QuaW52YWxpZC50ZXN0MA0GCSqGSIb3DQEBBQUAA4GB +ABAHb6ut1XijezhmC+ieQpSeqKcQI9+YacUssH3vyDfgVD5vjDx5jbmr99J5OMGu +IXJr2NPjsYfe+Jl28XibvSVSF4KE1WUCaD5LmXl7KBkbO+DBbnjZqVK7dO84yQn2 +B7YO4QaXeInTyFkyMyZZItsgpheKfngozrJouQ/Fd4SN +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDdTCCAt6gAwIBAgICBZYwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAxMFoXDTE2MTAyMTE2MjAxMFowgckxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMR4wHAYDVQQDDBVpbnQubGV2MS5jYS5hdXRob3Jp +dHkxHzAdBgkqhkiG9w0BCQEWEHNvbWVvbmVAbWFpbC5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAMQCtMsmfgeXju0UpAgnKddgp7Ytaeh9Fe45+nsWUxKt +UXUumhLqNVYvB3/N91a/Zbye9Vzx25WrBVaxUve23R2u/OtO6/N9shmxMDw93bMA +P9XJTxzksQ2LbpDx0Evo70DFm6uVqADO1ecqSQ9iv0kOTIVsGmIIxs8O9leJOeJ1 +AgMBAAGjbzBtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMCAGA1Ud +EQQZMBeCFWludC5sZXYxLmNhLmF1dGhvcml0eTAoBgNVHR4BAf8EHjAcoBowD4IN +LmNhLmF1dGhvcml0eTAHggUudGVzdDANBgkqhkiG9w0BAQUFAAOBgQCW+xgaaODO +NXKsIV+CUbMUmlRVsLWwsi32FLuqbjAyb61G7TPQWQulG2ixpauKlf1NjrBQPDKA +5T9hUjAHRN2qZZBDqZ2AOr3srRngoLiV9/u4LavKt+vYKvyL5mD4266y7DuoQ0kB +r6IgVc+mL8seW6f/WPInKQkQnE06bYBO7g== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/ValidWildcard.pem b/src/tests/data/x509test/ValidWildcard.pem new file mode 100644 index 000000000..80e38c6f4 --- /dev/null +++ b/src/tests/data/x509test/ValidWildcard.pem @@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIC+TCCAmKgAwIBAgICBZEwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MjAxMFoXDTE2MTAyMTE2MjAxMFowgb4xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRMwEQYDVQQDDAoqLnRscy50ZXN0MR8wHQYJKoZI +hvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQDht+9MZmL+5loPrHQ0SElrwe1KWiBJ+e7dkoA4ZkP+hsZNr9ls+TSCBelB +qzJf3v3gIxpG0UJ6/uUZcmz+p/GoQW7CieIueJJ37Y0R9ghaclFHw33tUWsxgKrT +mzcYS0eOfEEnfMH/XsGPjg5wVROS8nl9XoSXzUiatecMpnwNGwIDAQABMA0GCSqG +SIb3DQEBBQUAA4GBAER+QBx0LmdzEuGsryG3Id66iA4Q77NF9J2oNsg8BLypGqP4 +qImscj4zPWdryxgfAeneCSy+A0v+tuTeT0yqUq5aWlsiT9nJ3QXOM7dQdk3SWSEg +/OPU5EcJ9g1BOdET8kYLrnzEoqjf7s+Hb0IkyNN0xDO5Tdbkjjt1sfHsSzYb +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/data/x509test/expected.txt b/src/tests/data/x509test/expected.txt new file mode 100644 index 000000000..67e2937eb --- /dev/null +++ b/src/tests/data/x509test/expected.txt @@ -0,0 +1,43 @@ +InvalidExtendedKeyUsage.pem:Invalid usage +InvalidIntCAFlag.pem:CA certificate not allowed to issue certs +InvalidIntCAKeyUsage.pem:CA certificate not allowed to issue certs +InvalidIntCALen.pem:Certificate chain too long +InvalidIntCALoop.pem:Loop in certificate chain +InvalidIntCASelfSign.pem:Cannot establish trust +InvalidIntCAVersionOne.pem:CA certificate not allowed to issue certs +InvalidIntCAVersionTwo.pem:CA certificate not allowed to issue certs +InvalidKeyUsage.pem:Invalid usage +InvalidName.pem:Certificate does not match provided name +InvalidNameAltName.pem:Certificate does not match provided name +InvalidNameAltNameWithSubj.pem:Certificate does not match provided name +InvalidNotAfter.pem:Certificate has expired +InvalidNotAfterChained.pem:Certificate has expired +InvalidSelfSign.pem:Cannot establish trust +InvalidWildcardAll.pem:Certificate does not match provided name +InvalidWildcardAllAltName.pem:Certificate does not match provided name +InvalidWildcardLeft.pem:Certificate does not match provided name +InvalidWildcardLeftAltName.pem:Certificate does not match provided name +InvalidWildcardMid.pem:Certificate does not match provided name +InvalidWildcardMidAltName.pem:Certificate does not match provided name +InvalidWildcardMidMixed.pem:Certificate does not match provided name +InvalidWildcardMidMixedAltName.pem:Certificate does not match provided name +InvalidWildcardSingle.pem:Certificate does not match provided name +InvalidWildcardSingleAltName.pem:Certificate does not match provided name +MissingIntCABasicConstraintWithCertSign.pem:CA certificate not allowed to issue certs +MissingIntCAExtensions.pem:CA certificate not allowed to issue certs +ValidAltName.pem:Verified +ValidCert.pem:Verified +ValidChained.pem:Verified +ValidIntCALen.pem:Verified +ValidWildcard.pem:Verified + +# Need to fix date settings in x509test and regen +#InvalidNotBefore.pem:Certificate is not yet valid +#InvalidNotBeforeChained.pem:Certificate is not yet valid + +# Missing name constraints +InvalidNameConstraintExclude.pem:Certificate issuer not found +InvalidNameConstraintPermit.pem:Certificate issuer not found +InvalidNameConstraintPermitRight.pem:Certificate issuer not found +InvalidNameConstraintPermitThenExclude.pem:Certificate issuer not found +ValidNameConstraint.pem:Certificate issuer not found diff --git a/src/tests/data/x509test/root.pem b/src/tests/data/x509test/root.pem new file mode 100644 index 000000000..b6b894a04 --- /dev/null +++ b/src/tests/data/x509test/root.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFDCCAn2gAwIBAgICA+kwDQYJKoZIhvcNAQEFBQAwgcQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQK +DCVDZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQL +DBlYNTA5IFZlcmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUw +OS50ZXN0MR8wHQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMB4XDTE1MTAy +MDE2MDM1OFoXDTE2MTAyMTE2MDM1OFowgcQxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJDQTEYMBYGA1UEBwwPU2FuIEx1aXMgT2Jpc3BvMS4wLAYDVQQKDCVDZXJ0aWZp +Y2F0ZSBWYWxpZGF0aW9uIGFuZCBDb21wbGlhbmNlMSIwIAYDVQQLDBlYNTA5IFZl +cmlmaWNhdGlvbiBDaGVja2VyMRkwFwYDVQQDDBB2ZXJpZnkueDUwOS50ZXN0MR8w +HQYJKoZIhvcNAQkBFhBzb21lb25lQG1haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA +A4GNADCBiQKBgQDI2TejJ3VtoPlkcjQsqbaiMRCtLGdIN7Ful9z7PWU7AVbuJZxD +QCeFuFmYsCpBgZD3Rw8JaNfMZLKG3D/peIQ/Hjc44BsFR8H9oa0bIDkZN3kS9O80 +vU4urBwTwt9AFDvGPD4UiFulXsAAHDA4KoBg03R56bm2B+8y2JKiGEQ92QIDAQAB +oxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBALqNB/JaqkTX +slppJEaBHTY5/bGGWwV/0t3WMDNFaMrFgcsEY/KjUSyfWh9c6BHOdr21MmNe4YDh +T8gv9TmcGNsEJRIYD1jly3tCDyA2W0AUIzob1GMGkV8ddKBUrmt/+qLzagxdOrQ0 +dRcxFarWaAJVGhJ+p6kWJt7XJnK341bP +-----END CERTIFICATE----- diff --git a/src/tests/nist_x509.cpp b/src/tests/nist_x509.cpp index 04b569d32..65e154293 100644 --- a/src/tests/nist_x509.cpp +++ b/src/tests/nist_x509.cpp @@ -1,16 +1,7 @@ /* -* (C) 2006,2011,2012,2014 Jack Lloyd +* (C) 2006,2011,2012,2014,2015 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) -* -* Code to run the X.509v3 processing tests described in "Conformance -* Testing of Relying Party Client Certificate Path Proccessing Logic", -* which is available on NIST's web site. -* -* Known Failures/Problems: -* - Policy extensions are not implemented, so we skip tests #34-#53. -* - Tests #75 and #76 are skipped as they make use of relatively -* obscure CRL extensions which are not supported. */ #include "tests.h" @@ -22,6 +13,7 @@ #include <algorithm> #include <iostream> +#include <fstream> #include <iomanip> #include <string> #include <vector> @@ -32,11 +24,110 @@ using namespace Botan; std::map<size_t, Path_Validation_Result::Code> get_expected(); +namespace { + +std::vector<X509_Certificate> load_cert_file(const std::string& filename) + { + DataSource_Stream in(filename); + + std::vector<X509_Certificate> certs; + while(!in.end_of_data()) + { + try { + certs.emplace_back(in); + } + catch(Decoding_Error) {} + } + + return certs; + } + +std::map<std::string, std::string> read_results(const std::string& results_file) + { + std::ifstream in(results_file); + if(!in.good()) + throw std::runtime_error("Failed reading " + results_file); + + std::map<std::string, std::string> m; + std::string line; + while(in.good()) + { + std::getline(in, line); + if(line == "") + continue; + if(line[0] == '#') + continue; + + std::vector<std::string> parts = split_on(line, ':'); + + if(parts.size() != 2) + throw std::runtime_error("Invalid line " + line); + + m[parts[0]] = parts[1]; + } + + return m; + } + +} + +size_t test_x509_x509test() + { + // Test certs generated by https://github.com/yymax/x509test + const std::string test_dir = "src/tests/data/x509test"; + + std::map<std::string, std::string> results = read_results(test_dir + "/expected.txt"); + + const Path_Validation_Restrictions default_restrictions; + + size_t fail = 0; + + X509_Certificate root(test_dir + "/root.pem"); + Certificate_Store_In_Memory trusted; + trusted.add_certificate(root); + + for(auto i = results.begin(); i != results.end(); ++i) + { + const std::string fsname = i->first; + const std::string expected = i->second; + + std::vector<X509_Certificate> certs = load_cert_file(test_dir + "/" + fsname); + + if(certs.empty()) + throw std::runtime_error("Failed to read certs from " + fsname); + + Path_Validation_Result result = x509_path_validate(certs, default_restrictions, trusted, + "www.tls.test", Usage_Type::TLS_SERVER_AUTH); + + if(result.successful_validation() && result.trust_root() != root) + result = Path_Validation_Result(Certificate_Status_Code::CANNOT_ESTABLISH_TRUST); + + if(result.result_string() != expected) + { + std::cout << "FAIL " << fsname << " expected '" << expected << "' got '" << result.result_string() << "'\n"; + ++fail; + } + } + + test_report("X.509 (x509test)", results.size(), fail); + + return fail; + } + size_t test_nist_x509() { + /** + * Code to run the X.509v3 processing tests described in "Conformance + * Testing of Relying Party Client Certificate Path Proccessing Logic", + * which is available on NIST's web site. + * + * Known Failures/Problems: + * - Policy extensions are not implemented, so we skip tests #34-#53. + * - Tests #75 and #76 are skipped as they make use of relatively + * obscure CRL extensions which are not supported. + */ const std::string root_test_dir = "src/tests/data/nist_x509/"; const size_t total_tests = 76; - try { // Do nothing, just test filesystem access @@ -61,8 +152,8 @@ size_t test_nist_x509() for(size_t test_no = 1; test_no <= total_tests; ++test_no) { const std::string test_dir = root_test_dir + "/test" + (test_no <= 9 ? "0" : "") + std::to_string(test_no); - - const std::vector<std::string> all_files = get_files_recursive(test_dir); + + const std::vector<std::string> all_files = get_files_recursive(test_dir); if (all_files.empty()) std::cout << "Warning: No test files found in '" << test_dir << "'" << std::endl; @@ -83,6 +174,7 @@ size_t test_nist_x509() if(expected_results.find(test_no) == expected_results.end()) { + //printf("Skipping %d\n", test_no); skipped++; continue; } @@ -284,6 +376,7 @@ std::map<size_t, Path_Validation_Result::Code> get_expected() #else +size_t test_x509_x509test() { return 0; } size_t test_nist_x509() { return 0; } #endif diff --git a/src/tests/tests.cpp b/src/tests/tests.cpp index d213b6a3a..61378b1a2 100644 --- a/src/tests/tests.cpp +++ b/src/tests/tests.cpp @@ -38,10 +38,10 @@ size_t run_tests_in_dir(const std::string& dir, std::function<size_t (const std: try { auto files = get_files_recursive(dir); - + if (files.empty()) std::cout << "Warning: No test files found in '" << dir << "'" << std::endl; - + for(const auto file: files) fails += fn(file); } @@ -312,6 +312,7 @@ int main(int argc, char* argv[]) DEF_TEST(pk_keygen); DEF_TEST(cvc); DEF_TEST(x509); + DEF_TEST(x509_x509test); DEF_TEST(nist_x509); DEF_TEST(tls); DEF_TEST(compression); diff --git a/src/tests/tests.h b/src/tests/tests.h index 6d6a2d34c..1e496ccb2 100644 --- a/src/tests/tests.h +++ b/src/tests/tests.h @@ -165,6 +165,7 @@ size_t test_ecdsa_unit(); size_t test_ecdh_unit(); size_t test_x509(); +size_t test_x509_x509test(); size_t test_cvc(); size_t test_tls(); diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp index 116eb2cdf..d4abef119 100644 --- a/src/tests/unit_tls.cpp +++ b/src/tests/unit_tls.cpp @@ -11,6 +11,7 @@ #include <botan/tls_server.h> #include <botan/tls_client.h> +#include <botan/tls_handshake_msg.h> #include <botan/pkcs10.h> #include <botan/x509self.h> #include <botan/rsa.h> @@ -21,6 +22,7 @@ #include <iostream> #include <vector> #include <memory> +#include <thread> using namespace Botan; @@ -155,158 +157,441 @@ Credentials_Manager* create_creds() return new Credentials_Manager_Test(server_cert, ca_cert, server_key); } -size_t basic_test_handshake(RandomNumberGenerator& rng, - TLS::Protocol_Version offer_version, - Credentials_Manager& creds, - TLS::Policy& policy) +std::function<void (const byte[], size_t)> queue_inserter(std::vector<byte>& q) { - TLS::Session_Manager_In_Memory server_sessions(rng); - TLS::Session_Manager_In_Memory client_sessions(rng); - - std::vector<byte> c2s_q, s2c_q, c2s_data, s2c_data; + return [&](const byte buf[], size_t sz) { q.insert(q.end(), buf, buf + sz); }; + } - auto handshake_complete = [&](const TLS::Session& session) -> bool +void print_alert(TLS::Alert alert, const byte[], size_t) { - if(session.version() != offer_version) - std::cout << "Offered " << offer_version.to_string() - << " got " << session.version().to_string() << std::endl; - return true; + //std::cout << "Alert " << alert.type_string() << std::endl; }; - auto print_alert = [&](TLS::Alert alert, const byte[], size_t) +void mutate(std::vector<byte>& v, RandomNumberGenerator& rng) { - if(alert.is_valid()) - std::cout << "Server recvd alert " << alert.type_string() << std::endl; - }; + if(v.empty()) + return; - auto save_server_data = [&](const byte buf[], size_t sz) - { - c2s_data.insert(c2s_data.end(), buf, buf+sz); - }; + size_t voff = rng.get_random<size_t>() % v.size(); + v[voff] ^= rng.next_nonzero_byte(); + } - auto save_client_data = [&](const byte buf[], size_t sz) +size_t test_tls_handshake(RandomNumberGenerator& rng, + TLS::Protocol_Version offer_version, + Credentials_Manager& creds, + TLS::Policy& policy) { - s2c_data.insert(s2c_data.end(), buf, buf+sz); - }; + TLS::Session_Manager_In_Memory server_sessions(rng); + TLS::Session_Manager_In_Memory client_sessions(rng); - auto next_protocol_chooser = [&](std::vector<std::string> protos) { - if(protos.size() != 2) - std::cout << "Bad protocol size" << std::endl; - if(protos[0] != "test/1" || protos[1] != "test/2") - std::cout << "Bad protocol values" << std::endl; - return "test/3"; - }; - const std::vector<std::string> protocols_offered = { "test/1", "test/2" }; - - TLS::Server server([&](const byte buf[], size_t sz) - { s2c_q.insert(s2c_q.end(), buf, buf+sz); }, - save_server_data, - print_alert, - handshake_complete, - server_sessions, - creds, - policy, - rng, - next_protocol_chooser, - offer_version.is_datagram_protocol()); - - TLS::Client client([&](const byte buf[], size_t sz) - { c2s_q.insert(c2s_q.end(), buf, buf+sz); }, - save_client_data, - print_alert, - handshake_complete, - client_sessions, - creds, - policy, - rng, - TLS::Server_Information("server.example.com"), - offer_version, - protocols_offered); - - while(true) + for(size_t r = 1; r <= 4; ++r) { - if(client.is_closed() && server.is_closed()) - break; + //std::cout << offer_version.to_string() << " r " << r << "\n"; - if(client.is_active()) - client.send("1"); - if(server.is_active()) - { - if(server.next_protocol() != "test/3") - std::cout << "Wrong protocol " << server.next_protocol() << std::endl; - server.send("2"); - } + bool handshake_done = false; - /* - * Use this as a temp value to hold the queues as otherwise they - * might end up appending more in response to messages during the - * handshake. - */ - std::vector<byte> input; - std::swap(c2s_q, input); + auto handshake_complete = [&](const TLS::Session& session) -> bool { + handshake_done = true; - try - { - server.received_data(input.data(), input.size()); - } - catch(std::exception& e) - { - std::cout << "Server error - " << e.what() << std::endl; - return 1; - } + /* + std::cout << "Session established " << session.version().to_string() << " " + << session.ciphersuite().to_string() << " " << hex_encode(session.session_id()) << "\n"; + */ + + if(session.version() != offer_version) + std::cout << "Offered " << offer_version.to_string() + << " got " << session.version().to_string() << std::endl; + return true; + }; - input.clear(); - std::swap(s2c_q, input); + auto next_protocol_chooser = [&](std::vector<std::string> protos) { + if(protos.size() != 2) + std::cout << "Bad protocol size" << std::endl; + if(protos[0] != "test/1" || protos[1] != "test/2") + std::cout << "Bad protocol values" << std::endl; + return "test/3"; + }; + + const std::vector<std::string> protocols_offered = { "test/1", "test/2" }; try { - client.received_data(input.data(), input.size()); + std::vector<byte> c2s_traffic, s2c_traffic, client_recv, server_recv, client_sent, server_sent; + + TLS::Server server(queue_inserter(s2c_traffic), + queue_inserter(server_recv), + print_alert, + handshake_complete, + server_sessions, + creds, + policy, + rng, + next_protocol_chooser, + false); + + TLS::Client client(queue_inserter(c2s_traffic), + queue_inserter(client_recv), + print_alert, + handshake_complete, + client_sessions, + creds, + policy, + rng, + TLS::Server_Information("server.example.com"), + offer_version, + protocols_offered); + + size_t rounds = 0; + + while(true) + { + ++rounds; + + if(rounds > 25) + { + std::cout << "Still here, something went wrong\n"; + return 1; + } + + if(handshake_done && (client.is_closed() || server.is_closed())) + break; + + if(client.is_active() && client_sent.empty()) + { + // Choose a len between 1 and 511 + const size_t c_len = 1 + rng.next_byte() + rng.next_byte(); + client_sent = unlock(rng.random_vec(c_len)); + + // TODO send in several records + client.send(client_sent); + } + + if(server.is_active() && server_sent.empty()) + { + if(server.next_protocol() != "test/3") + std::cout << "Wrong protocol " << server.next_protocol() << std::endl; + + const size_t s_len = 1 + rng.next_byte() + rng.next_byte(); + server_sent = unlock(rng.random_vec(s_len)); + server.send(server_sent); + } + + const bool corrupt_client_data = (r == 3 && c2s_traffic.size() && rng.next_byte() % 3 == 0 && rounds > 1); + const bool corrupt_server_data = (r == 4 && s2c_traffic.size() && rng.next_byte() % 3 == 0 && rounds > 1); + + try + { + /* + * Use this as a temp value to hold the queues as otherwise they + * might end up appending more in response to messages during the + * handshake. + */ + //std::cout << "server recv " << c2s_traffic.size() << " bytes\n"; + std::vector<byte> input; + std::swap(c2s_traffic, input); + + if(corrupt_server_data) + { + //std::cout << "Corrupting server data\n"; + mutate(input, rng); + } + server.received_data(input.data(), input.size()); + } + catch(std::exception& e) + { + std::cout << "Server error - " << e.what() << std::endl; + continue; + } + + try + { + //std::cout << "client recv " << s2c_traffic.size() << " bytes\n"; + std::vector<byte> input; + std::swap(s2c_traffic, input); + if(corrupt_client_data) + { + //std::cout << "Corrupting client data\n"; + mutate(input, rng); + } + + client.received_data(input.data(), input.size()); + } + catch(std::exception& e) + { + std::cout << "Client error - " << e.what() << std::endl; + continue; + } + + if(client_recv.size()) + { + if(client_recv != server_sent) + { + std::cout << "Error in client recv" << std::endl; + return 1; + } + } + + if(server_recv.size()) + { + if(server_recv != client_sent) + { + std::cout << "Error in server recv" << std::endl; + return 1; + } + } + + if(client.is_closed() && server.is_closed()) + break; + + if(server_recv.size() && client_recv.size()) + { + SymmetricKey client_key = client.key_material_export("label", "context", 32); + SymmetricKey server_key = server.key_material_export("label", "context", 32); + + if(client_key != server_key) + { + std::cout << "TLS key material export mismatch: " + << client_key.as_string() << " != " + << server_key.as_string() << "\n"; + return 1; + } + + if(r % 2 == 0) + client.close(); + else + server.close(); + } + } } catch(std::exception& e) { - std::cout << "Client error - " << e.what() << std::endl; + std::cout << e.what() << "\n"; return 1; } + } - if(c2s_data.size()) - { - if(c2s_data[0] != '1') - { - std::cout << "Error" << std::endl; - return 1; - } - } + return 0; + } + +size_t test_dtls_handshake(RandomNumberGenerator& rng, + TLS::Protocol_Version offer_version, + Credentials_Manager& creds, + TLS::Policy& policy) + { + BOTAN_ASSERT(offer_version.is_datagram_protocol(), "Test is for datagram version"); + + TLS::Session_Manager_In_Memory server_sessions(rng); + TLS::Session_Manager_In_Memory client_sessions(rng); + + for(size_t r = 1; r <= 2; ++r) + { + //std::cout << offer_version.to_string() << " round " << r << "\n"; + + bool handshake_done = false; + + auto handshake_complete = [&](const TLS::Session& session) -> bool { + handshake_done = true; - if(s2c_data.size()) + /* + std::cout << "Session established " << session.version().to_string() << " " + << session.ciphersuite().to_string() << " " << hex_encode(session.session_id()) << "\n"; + */ + + if(session.version() != offer_version) + std::cout << "Offered " << offer_version.to_string() + << " got " << session.version().to_string() << std::endl; + return true; + }; + + auto next_protocol_chooser = [&](std::vector<std::string> protos) { + if(protos.size() != 2) + std::cout << "Bad protocol size" << std::endl; + if(protos[0] != "test/1" || protos[1] != "test/2") + std::cout << "Bad protocol values" << std::endl; + return "test/3"; + }; + + const std::vector<std::string> protocols_offered = { "test/1", "test/2" }; + + try { - if(s2c_data[0] != '2') + std::vector<byte> c2s_traffic, s2c_traffic, client_recv, server_recv, client_sent, server_sent; + + TLS::Server server(queue_inserter(s2c_traffic), + queue_inserter(server_recv), + print_alert, + handshake_complete, + server_sessions, + creds, + policy, + rng, + next_protocol_chooser, + true); + + TLS::Client client(queue_inserter(c2s_traffic), + queue_inserter(client_recv), + print_alert, + handshake_complete, + client_sessions, + creds, + policy, + rng, + TLS::Server_Information("server.example.com"), + offer_version, + protocols_offered); + + size_t rounds = 0; + + while(true) { - std::cout << "Error" << std::endl; - return 1; - } - } + // TODO: client and server should be in different threads + std::this_thread::sleep_for(std::chrono::milliseconds(rng.next_byte() % 2)); + ++rounds; - if(s2c_data.size() && c2s_data.size()) - { - SymmetricKey client_key = client.key_material_export("label", "context", 32); - SymmetricKey server_key = server.key_material_export("label", "context", 32); + if(rounds > 100) + { + std::cout << "Still here, something went wrong\n"; + return 1; + } + + if(handshake_done && (client.is_closed() || server.is_closed())) + break; + + if(client.is_active() && client_sent.empty()) + { + // Choose a len between 1 and 511 and send random chunks: + const size_t c_len = 1 + rng.next_byte() + rng.next_byte(); + client_sent = unlock(rng.random_vec(c_len)); + + // TODO send multiple parts + //std::cout << "Sending " << client_sent.size() << " bytes to server\n"; + client.send(client_sent); + } - if(client_key != server_key) - return 1; + if(server.is_active() && server_sent.empty()) + { + if(server.next_protocol() != "test/3") + std::cout << "Wrong protocol " << server.next_protocol() << std::endl; + + const size_t s_len = 1 + rng.next_byte() + rng.next_byte(); + server_sent = unlock(rng.random_vec(s_len)); + //std::cout << "Sending " << server_sent.size() << " bytes to client\n"; + server.send(server_sent); + } + + const bool corrupt_client_data = (r == 3 && c2s_traffic.size() && rng.next_byte() % 3 == 0 && rounds < 10); + const bool corrupt_server_data = (r == 4 && s2c_traffic.size() && rng.next_byte() % 3 == 0 && rounds < 10); + + try + { + /* + * Use this as a temp value to hold the queues as otherwise they + * might end up appending more in response to messages during the + * handshake. + */ + //std::cout << "server got " << c2s_traffic.size() << " bytes\n"; + std::vector<byte> input; + std::swap(c2s_traffic, input); + + if(corrupt_client_data) + { + //std::cout << "Corrupting client data\n"; + mutate(input, rng); + } + + server.received_data(input.data(), input.size()); + } + catch(std::exception& e) + { + std::cout << "Server error - " << e.what() << std::endl; + continue; + } + + try + { + //std::cout << "client got " << s2c_traffic.size() << " bytes\n"; + std::vector<byte> input; + std::swap(s2c_traffic, input); + + if(corrupt_server_data) + { + //std::cout << "Corrupting server data\n"; + mutate(input, rng); + } + client.received_data(input.data(), input.size()); + } + catch(std::exception& e) + { + std::cout << "Client error - " << e.what() << std::endl; + continue; + } - server.close(); - client.close(); + // If we corrupted a DTLS application message, resend it: + if(client.is_active() && corrupt_client_data && server_recv.empty()) + client.send(client_sent); + if(server.is_active() && corrupt_server_data && client_recv.empty()) + server.send(server_sent); + + if(client_recv.size()) + { + if(client_recv != server_sent) + { + std::cout << "Error in client recv" << std::endl; + return 1; + } + } + + if(server_recv.size()) + { + if(server_recv != client_sent) + { + std::cout << "Error in server recv" << std::endl; + return 1; + } + } + + if(client.is_closed() && server.is_closed()) + break; + + if(server_recv.size() && client_recv.size()) + { + SymmetricKey client_key = client.key_material_export("label", "context", 32); + SymmetricKey server_key = server.key_material_export("label", "context", 32); + + if(client_key != server_key) + { + std::cout << "TLS key material export mismatch: " + << client_key.as_string() << " != " + << server_key.as_string() << "\n"; + return 1; + } + + if(r % 2 == 0) + client.close(); + else + server.close(); + } + } + } + catch(std::exception& e) + { + std::cout << e.what() << "\n"; + return 1; } } return 0; } -class Test_Policy : public TLS::Policy +class Test_Policy : public TLS::Text_Policy { public: + Test_Policy() : Text_Policy("") {} bool acceptable_protocol_version(TLS::Protocol_Version) const override { return true; } bool send_fallback_scsv(TLS::Protocol_Version) const override { return false; } + + size_t dtls_initial_timeout() const override { return 1; } + size_t dtls_maximum_timeout() const override { return 8; } }; } @@ -315,17 +600,43 @@ size_t test_tls() { size_t errors = 0; - Test_Policy default_policy; auto& rng = test_rng(); std::unique_ptr<Credentials_Manager> basic_creds(create_creds()); - errors += basic_test_handshake(rng, TLS::Protocol_Version::TLS_V10, *basic_creds, default_policy); - errors += basic_test_handshake(rng, TLS::Protocol_Version::TLS_V11, *basic_creds, default_policy); - errors += basic_test_handshake(rng, TLS::Protocol_Version::TLS_V12, *basic_creds, default_policy); - errors += basic_test_handshake(rng, TLS::Protocol_Version::DTLS_V10, *basic_creds, default_policy); - errors += basic_test_handshake(rng, TLS::Protocol_Version::DTLS_V12, *basic_creds, default_policy); - - test_report("TLS", 5, errors); + Test_Policy policy; + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V10, *basic_creds, policy); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V11, *basic_creds, policy); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V12, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V10, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V12, *basic_creds, policy); + + policy.set("key_exchange_methods", "RSA"); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V10, *basic_creds, policy); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V11, *basic_creds, policy); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V12, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V10, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V12, *basic_creds, policy); + + policy.set("key_exchange_methods", "DH"); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V10, *basic_creds, policy); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V11, *basic_creds, policy); + policy.set("key_exchange_methods", "ECDH"); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V12, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V10, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V12, *basic_creds, policy); + + policy.set("ciphers", "AES-128"); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V10, *basic_creds, policy); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V11, *basic_creds, policy); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V12, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V10, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V12, *basic_creds, policy); + + policy.set("ciphers", "ChaCha20Poly1305"); + errors += test_tls_handshake(rng, TLS::Protocol_Version::TLS_V12, *basic_creds, policy); + errors += test_dtls_handshake(rng, TLS::Protocol_Version::DTLS_V12, *basic_creds, policy); + + test_report("TLS", 22, errors); return errors; } |