Sync pki to chromium 8049b24a3fa617e66c5d3fc0e9322bb07c500f49

Change-Id: Ib65febca30ce312f2c8fd6d6dbc85f24987b50d8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62245
Auto-Submit: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
chromium-stable
Bob Beck 1 year ago committed by Boringssl LUCI CQ
parent dbd143c247
commit 2e1191725f
  1. 98
      pki/cert_net_fetcher.h
  2. 38
      pki/certificate_policies_unittest.cc
  3. 7
      pki/crl.cc
  4. 2
      pki/fillins/log.h
  5. 30
      pki/general_names_unittest.cc
  6. 1
      pki/import_spec.json
  7. 12
      pki/input.cc
  8. 45
      pki/input.h
  9. 13
      pki/name_constraints.cc
  10. 260
      pki/name_constraints_unittest.cc
  11. 2
      pki/ocsp.h
  12. 3
      pki/ocsp_unittest.cc
  13. 28
      pki/parse_certificate_unittest.cc
  14. 12
      pki/parse_name_unittest.cc
  15. 4
      pki/parsed_certificate.h
  16. 3
      pki/path_builder_pkits_unittest.cc
  17. 6
      pki/signature_algorithm_unittest.cc
  18. 4
      pki/simple_path_builder_delegate_unittest.cc
  19. 4
      pki/test_helpers.cc
  20. 3
      pki/test_helpers.h
  21. 17
      pki/testdata/name_constraints_unittest/generate_name_constraints.py
  22. 29
      pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem
  23. 25
      pki/testdata/ssl/certificates/README
  24. 5
      pki/testdata/ssl/certificates/ec-prime256v1-1.key
  25. 5
      pki/testdata/ssl/certificates/ec-prime256v1-2.key
  26. 5
      pki/testdata/ssl/certificates/ec-prime256v1-3.key
  27. 820
      pki/testdata/ssl/certificates/leaf_from_known_root.pem
  28. 16
      pki/testdata/ssl/certificates/rsa-1024-1.key
  29. 16
      pki/testdata/ssl/certificates/rsa-1024-2.key
  30. 16
      pki/testdata/ssl/certificates/rsa-1024-3.key
  31. 28
      pki/testdata/ssl/certificates/rsa-2048-1.key
  32. 28
      pki/testdata/ssl/certificates/rsa-2048-2.key
  33. 28
      pki/testdata/ssl/certificates/rsa-2048-3.key
  34. 13
      pki/testdata/ssl/certificates/rsa-768-1.key
  35. 13
      pki/testdata/ssl/certificates/rsa-768-2.key
  36. 13
      pki/testdata/ssl/certificates/rsa-768-3.key
  37. 100
      pki/testdata/ssl/certificates/rsa-8200-1.key
  38. 9
      pki/verify_name_match_fuzzer.cc
  39. 10
      pki/verify_name_match_normalizename_fuzzer.cc
  40. 252
      pki/verify_name_match_unittest.cc
  41. 11
      pki/verify_name_match_verifynameinsubtree_fuzzer.cc
  42. 8
      pki/verify_signed_data_unittest.cc

@ -1,98 +0,0 @@
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef BSSL_PKI_CERT_NET_FETCHER_H_
#define BSSL_PKI_CERT_NET_FETCHER_H_
#include "webutil/url/url.h"
#include "fillins/openssl_util.h"
#include <stdint.h>
#include <memory>
#include <vector>
#include <memory>
#include "fillins/log.h"
#include "fillins/net_errors.h"
class URL;
namespace bssl {
// CertNetFetcher is a synchronous interface for fetching AIA URLs and CRL
// URLs. It is shared between a caller thread (which starts and waits for
// fetches), and a network thread (which does the actual fetches). It can be
// shutdown from the network thread to cancel outstanding requests.
//
// A Request object is returned when starting a fetch. The consumer can
// use this as a handle for aborting the request (by freeing it), or reading
// the result of the request (WaitForResult)
class OPENSSL_EXPORT CertNetFetcher
{
public:
class Request {
public:
virtual ~Request() = default;
// WaitForResult() can be called at most once.
//
// It will block and wait for the (network) request to complete, and
// then write the result into the provided out-parameters.
virtual void WaitForResult(Error* error, std::vector<uint8_t>* bytes) = 0;
};
// This value can be used in place of timeout or max size limits.
enum { DEFAULT = -1 };
CertNetFetcher() = default;
CertNetFetcher(const CertNetFetcher&) = delete;
CertNetFetcher& operator=(const CertNetFetcher&) = delete;
// Shuts down the CertNetFetcher and cancels outstanding network requests. It
// is not guaranteed that any outstanding or subsequent
// Request::WaitForResult() calls will be completed. Shutdown() must be called
// from the network thread. It can be called more than once, but must be
// called before the CertNetFetcher is destroyed.
virtual void Shutdown() = 0;
// The Fetch*() methods start a request which can be cancelled by
// deleting the returned Request. Here is the meaning of the common
// parameters:
//
// * url -- The http:// URL to fetch.
// * timeout_seconds -- The maximum allowed duration for the fetch job. If
// this delay is exceeded then the request will fail. To use a default
// timeout pass DEFAULT.
// * max_response_bytes -- The maximum size of the response body. If this
// size is exceeded then the request will fail. To use a default timeout
// pass DEFAULT.
[[nodiscard]] virtual std::unique_ptr<Request> FetchCaIssuers(
const URL& url,
int timeout_milliseconds,
int max_response_bytes) = 0;
[[nodiscard]] virtual std::unique_ptr<Request> FetchCrl(
const URL& url,
int timeout_milliseconds,
int max_response_bytes) = 0;
[[nodiscard]] virtual std::unique_ptr<Request> FetchOcsp(
const URL& url,
int timeout_milliseconds,
int max_response_bytes) = 0;
protected:
virtual ~CertNetFetcher() = default;
private:
};
} // namespace net
#endif // BSSL_PKI_CERT_NET_FETCHER_H_

@ -44,7 +44,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, InvalidEmpty) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@ -54,7 +54,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, InvalidIdentifierNotOid) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@ -64,7 +64,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, AnyPolicy) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]);
@ -76,7 +76,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, AnyPolicyWithQualifier) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]);
@ -90,7 +90,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@ -100,7 +100,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, OnePolicy) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -112,7 +112,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, OnePolicyWithQualifier) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -125,7 +125,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
std::vector<der::Input> policies;
CertErrors errors;
bool result = ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors);
if (fail_parsing_unknown_qualifier_oids()) {
@ -144,7 +144,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@ -156,7 +156,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@ -168,7 +168,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@ -180,7 +180,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@ -190,7 +190,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, TwoPolicies) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(2U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -203,7 +203,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, TwoPoliciesWithQualifiers) {
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(2U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -216,7 +216,7 @@ TEST(ParseCertificatePoliciesExtensionTest, InvalidEmpty) {
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_FALSE(
ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
}
TEST(ParseCertificatePoliciesExtensionTest,
@ -226,7 +226,7 @@ TEST(ParseCertificatePoliciesExtensionTest,
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_FALSE(
ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
}
TEST(ParseCertificatePoliciesExtensionTest, OnePolicyWithCustomQualifier) {
@ -235,7 +235,7 @@ TEST(ParseCertificatePoliciesExtensionTest, OnePolicyWithCustomQualifier) {
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_TRUE(
ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(1U, policies.size());
PolicyInformation& policy = policies[0];
EXPECT_EQ(der::Input(policy_1_2_3_der), policy.policy_oid);
@ -256,7 +256,7 @@ TEST(ParseCertificatePoliciesExtensionTest, TwoPolicies) {
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_TRUE(
ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(2U, policies.size());
{
PolicyInformation& policy = policies[0];
@ -276,7 +276,7 @@ TEST(ParseCertificatePoliciesExtensionTest, TwoPoliciesWithQualifiers) {
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_TRUE(
ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(2U, policies.size());
{
PolicyInformation& policy = policies[0];

@ -467,8 +467,9 @@ CRLRevocationStatus CheckCRL(std::string_view raw_crl,
std::string normalized_crl_issuer;
if (!NormalizeNameTLV(tbs_cert_list.issuer_tlv, &normalized_crl_issuer))
return CRLRevocationStatus::UNKNOWN;
if (der::Input(&normalized_crl_issuer) != target_cert->normalized_issuer())
if (der::Input(normalized_crl_issuer) != target_cert->normalized_issuer()) {
return CRLRevocationStatus::UNKNOWN;
}
if (tbs_cert_list.crl_extensions_tlv.has_value()) {
std::map<der::Input, ParsedExtension> extensions;
@ -584,8 +585,10 @@ CRLRevocationStatus CheckCRL(std::string_view raw_crl,
//
// As the |issuer_cert| is from the already validated chain, it is already
// known to chain to the same trust anchor as the target certificate.
if (der::Input(&normalized_crl_issuer) != issuer_cert->normalized_subject())
if (der::Input(normalized_crl_issuer) !=
issuer_cert->normalized_subject()) {
continue;
}
// 6.3.3 (f) If a key usage extension is present in the CRL issuer's
// certificate, verify that the cRLSign bit is set.

@ -17,8 +17,10 @@
#if defined(_BORINGSSL_LIBPKI_VERBOSE_)
#define DVLOG(l) std::cerr
#define LOG(l) std::cerr
#else
#define DVLOG(l) 0 && std::cerr
#define LOG(l) 0 && std::cerr
#endif // _BORINGSSL_LIBPKI_VERBOSE_
#endif // BSSL_FILLINS_LOG_H_

@ -44,7 +44,7 @@ TEST(GeneralNames, CreateFailsOnEmptySubjectAltName) {
ASSERT_TRUE(
LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der));
CertErrors errors;
EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors));
EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors));
}
TEST(GeneralNames, OtherName) {
@ -53,7 +53,7 @@ TEST(GeneralNames, OtherName) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_OTHER_NAME, general_names->present_name_types);
const uint8_t expected_der[] = {0x06, 0x04, 0x2a, 0x03, 0x04, 0x05,
@ -68,7 +68,7 @@ TEST(GeneralNames, RFC822Name) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->rfc822_names.size());
@ -80,7 +80,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiRFC822Name) {
ASSERT_TRUE(LoadTestSubjectAltNameData("san-rfc822name.pem", &san_der));
ReplaceFirstSubstring(&san_der, "foo@example.com", "f\xF6\xF6@example.com");
CertErrors errors;
EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
}
TEST(GeneralNames, DnsName) {
@ -89,7 +89,7 @@ TEST(GeneralNames, DnsName) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_DNS_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->dns_names.size());
@ -101,7 +101,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiDnsName) {
ASSERT_TRUE(LoadTestSubjectAltNameData("san-dnsname.pem", &san_der));
ReplaceFirstSubstring(&san_der, "foo.example.com", "f\xF6\xF6.example.com");
CertErrors errors;
EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
}
TEST(GeneralNames, X400Address) {
@ -110,7 +110,7 @@ TEST(GeneralNames, X400Address) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->x400_addresses.size());
@ -125,7 +125,7 @@ TEST(GeneralNames, DirectoryName) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->directory_names.size());
@ -140,7 +140,7 @@ TEST(GeneralNames, EDIPartyName) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->edi_party_names.size());
@ -154,7 +154,7 @@ TEST(GeneralNames, URI) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
general_names->present_name_types);
@ -169,7 +169,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiURI) {
ReplaceFirstSubstring(&san_der, "http://example.com",
"http://ex\xE4mple.com");
CertErrors errors;
EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
}
TEST(GeneralNames, IPAddress_v4) {
@ -178,7 +178,7 @@ TEST(GeneralNames, IPAddress_v4) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
@ -192,7 +192,7 @@ TEST(GeneralNames, IPAddress_v6) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
@ -207,7 +207,7 @@ TEST(GeneralNames, CreateFailsOnInvalidLengthIpAddress) {
ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem",
&invalid_san_der));
CertErrors errors;
EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors));
EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors));
}
TEST(GeneralNames, RegisteredIDs) {
@ -216,7 +216,7 @@ TEST(GeneralNames, RegisteredIDs) {
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
GeneralNames::Create(der::Input(&san_der), &errors);
GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, general_names->present_name_types);
ASSERT_EQ(1U, general_names->registered_ids.size());

@ -244,7 +244,6 @@
"files": [
"net/cert/asn1_util.h",
"net/cert/asn1_util.cc",
"net/cert/cert_net_fetcher.h",
"net/cert/cert_status_flags.h",
"net/cert/cert_status_flags_list.h",
"net/cert/cert_verify_proc_blocklist.inc",

@ -10,21 +10,17 @@
namespace bssl::der {
Input::Input(std::string_view in)
: data_(reinterpret_cast<const uint8_t*>(in.data())), len_(in.length()) {}
Input::Input(const std::string* s) : Input(std::string_view(*s)) {}
std::string Input::AsString() const {
return std::string(reinterpret_cast<const char*>(data_), len_);
return std::string(reinterpret_cast<const char*>(data_.data()), data_.size());
}
std::string_view Input::AsStringView() const {
return std::string_view(reinterpret_cast<const char*>(data_), len_);
return std::string_view(reinterpret_cast<const char*>(data_.data()),
data_.size());
}
bssl::Span<const uint8_t> Input::AsSpan() const {
return bssl::MakeSpan(data_, len_);
return data_;
}
bool operator==(const Input& lhs, const Input& rhs) {

@ -10,9 +10,10 @@
#include <stdint.h>
#include <string>
#include <string_view>
#include <openssl/span.h>
#include <openssl/span.h>
namespace bssl::der {
@ -31,30 +32,30 @@ class OPENSSL_EXPORT Input {
// Creates an empty Input, one from which no data can be read.
constexpr Input() = default;
// Creates an Input from a constant array |data|.
template <size_t N>
constexpr explicit Input(const uint8_t (&data)[N]) : data_(data), len_(N) {}
// Creates an Input from a span. The constructed Input is only valid as long
// as |data| points to live memory. If constructed from, say, a
// |std::vector<uint8_t>|, mutating the vector will invalidate the Input.
constexpr explicit Input(bssl::Span<const uint8_t> data) : data_(data) {}
// Creates an Input from the given |data| and |len|.
constexpr explicit Input(const uint8_t* data, size_t len)
: data_(data), len_(len) {}
// Creates an Input from a std::string_view
explicit Input(std::string_view sp);
: data_(bssl::MakeConstSpan(data, len)) {}
// Creates an Input from a std::string. The lifetimes are a bit subtle when
// using this function: The constructed Input is only valid so long as |s| is
// still alive and not mutated.
explicit Input(const std::string* s);
// Creates an Input from a std::string_view. The constructed Input is only
// valid as long as |data| points to live memory. If constructed from, say, a
// |std::string|, mutating the vector will invalidate the Input.
explicit Input(std::string_view str)
: data_(bssl::MakeConstSpan(reinterpret_cast<const uint8_t*>(str.data()),
str.size())) {}
// Returns the length in bytes of an Input's data.
constexpr size_t Length() const { return len_; }
constexpr size_t Length() const { return data_.size(); }
// Returns a pointer to the Input's data. This method is marked as "unsafe"
// because access to the Input's data should be done through ByteReader
// instead. This method should only be used where using a ByteReader truly
// is not an option.
constexpr const uint8_t* UnsafeData() const { return data_; }
constexpr const uint8_t* UnsafeData() const { return data_.data(); }
// Returns a copy of the data represented by this object as a std::string.
std::string AsString() const;
@ -64,21 +65,13 @@ class OPENSSL_EXPORT Input {
// this Input.
std::string_view AsStringView() const;
// Returns a bssl::Span pointing to the same data as the Input. The resulting
// bssl::Span must not outlive the data that was used to construct this
// Input.
// Returns a span pointing to the same data as the Input. The resulting span
// must not outlive the data that was used to construct this Input.
bssl::Span<const uint8_t> AsSpan() const;
private:
// This constructor is deleted to prevent constructing an Input from a
// std::string r-value. Since the Input points to memory owned by another
// object, such an Input would point to invalid memory. Without this deleted
// constructor, a std::string could be passed in to the std::string_view
// constructor because of std::string_view's implicit constructor.
Input(std::string) = delete;
const uint8_t* data_ = nullptr;
size_t len_ = 0;
// TODO(crbug.com/770501): Replace this type with span altogether.
bssl::Span<const uint8_t> data_;
};
// Return true if |lhs|'s data and |rhs|'s data are byte-wise equal.

@ -653,19 +653,26 @@ bool NameConstraints::IsPermittedDirectoryName(
}
bool NameConstraints::IsPermittedIP(const fillins::IPAddress& ip) const {
// fillins::IPAddressMatchesPrefix internally maps v4 addresses to/from v6 on type
// mismatch. We don't wish to do this, so check the sizes match first.
for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) {
if (fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second))
if (ip.size() == excluded_ip.first.size() &&
fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) {
return false;
}
}
// If permitted subtrees are not constrained, any name that is not excluded is
// allowed.
if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS))
if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS)) {
return true;
}
for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) {
if (fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second))
if (ip.size() == permitted_ip.first.size() &&
fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) {
return true;
}
}
return false;

@ -10,7 +10,6 @@
#include "common_cert_errors.h"
#include "test_helpers.h"
#include <gtest/gtest.h>
#include <gtest/gtest.h>
namespace bssl {
namespace {
@ -49,12 +48,14 @@ namespace {
std::string* result_der) {
::testing::AssertionResult load_result =
LoadTestSubjectAltNameData(basename, result_der);
if (!load_result)
if (!load_result) {
return load_result;
}
CertErrors errors;
*result = GeneralNames::Create(der::Input(result_der), &errors);
if (!*result)
*result = GeneralNames::Create(der::Input(*result_der), &errors);
if (!*result) {
return ::testing::AssertionFailure() << "Create failed";
}
return ::testing::AssertionSuccess();
}
@ -92,7 +93,7 @@ TEST_P(ParseNameConstraints, DNSNames) {
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
@ -181,7 +182,7 @@ TEST_P(ParseNameConstraints,
ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Matches permitted exactly.
@ -212,7 +213,7 @@ TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// A permitted dNSName constraint of ".bar.com" should only match subdomains
@ -230,7 +231,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// An excluded dNSName constraint of ".bar.com" should only match subdomains
@ -247,7 +248,7 @@ TEST_P(ParseNameConstraints, DNSNamesPermittedTwoDot) {
ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// A dNSName constraint of ".." isn't meaningful. Shouldn't match anything.
@ -263,7 +264,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Only "excluded.permitted.example.com" is excluded, and since permitted is
@ -283,7 +284,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// "permitted.example.com" is in the permitted section, but since "" is
@ -301,7 +302,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// "." is excluded, which should match nothing.
@ -320,7 +321,7 @@ TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
a.replace(replace_location, 1, 1, -1);
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
}
TEST_P(ParseNameConstraints, DirectoryNames) {
@ -347,49 +348,49 @@ TEST_P(ParseNameConstraints, DirectoryNames) {
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Not in any permitted subtree.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_ca)));
SequenceValueFromString(name_ca)));
// Within the permitted C=US subtree.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us)));
SequenceValueFromString(name_us)));
// Within the permitted C=US subtree.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us_az)));
SequenceValueFromString(name_us_az)));
// Within the permitted C=US subtree, however the excluded C=US,ST=California
// subtree takes priority.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us_ca)));
SequenceValueFromString(name_us_ca)));
// Within the permitted C=US subtree as well as the permitted
// C=US,ST=California,L=Mountain View subtree, however the excluded
// C=US,ST=California subtree still takes priority.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us_ca_mountain_view)));
SequenceValueFromString(name_us_ca_mountain_view)));
// Not in any permitted subtree, and also inside the extraneous excluded C=DE
// subtree.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_de)));
SequenceValueFromString(name_de)));
// Not in any permitted subtree.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_jp)));
SequenceValueFromString(name_jp)));
// Within the permitted C=JP,ST=Tokyo subtree.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_jp_tokyo)));
SequenceValueFromString(name_jp_tokyo)));
EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
name_constraints->constrained_name_types());
// Within the permitted C=US subtree.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us),
SequenceValueFromString(name_us),
nullptr /* subject_alt_names */));
// Within the permitted C=US subtree, however the excluded C=US,ST=California
// subtree takes priority.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_ca),
SequenceValueFromString(name_us_ca),
nullptr /* subject_alt_names */));
std::string san_der;
@ -417,7 +418,7 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_empty;
@ -433,13 +434,13 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
// Only "C=US,ST=California" is excluded, and since permitted is empty,
// any directoryName outside that is allowed.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_empty)));
SequenceValueFromString(name_empty)));
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us)));
SequenceValueFromString(name_us)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us_ca)));
SequenceValueFromString(name_us_ca)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us_ca_mountain_view)));
SequenceValueFromString(name_us_ca_mountain_view)));
}
TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
@ -448,7 +449,7 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_empty;
@ -466,22 +467,22 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
// "C=US" is in the permitted section, but since an empty
// directoryName is excluded, nothing is permitted.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_empty)));
SequenceValueFromString(name_empty)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us)));
SequenceValueFromString(name_us)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_us_ca)));
SequenceValueFromString(name_us_ca)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
SequenceValueFromString(&name_jp)));
SequenceValueFromString(name_jp)));
}
TEST_P(ParseNameConstraints, IPAdresses) {
TEST_P(ParseNameConstraints, IPAddresses) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// IPv4 tests:
@ -597,13 +598,13 @@ TEST_P(ParseNameConstraints, IPAdresses) {
IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
}
TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
@ -614,13 +615,13 @@ TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
}
TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// 192.168.0.0/255.255.0.0 and
@ -634,13 +635,13 @@ TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
}
TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -651,13 +652,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
}
TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -669,13 +670,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
}
TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -686,13 +687,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
name_constraints->IsPermittedIP(fillins::IPAddress(0xFF, 0xFF, 0xFF, 0xFF)));
}
TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(&a), is_critical(), &errors));
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -700,32 +701,65 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
}
TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) {
TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
}
TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) {
TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidMaskNotContiguous) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_1.pem", &a));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_2.pem", &a));
EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_3.pem", &a));
EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_4.pem", &a));
EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
}
// Test that v4/v6 mapping is not applied when evaluating name constraints.
TEST_P(ParseNameConstraints, IPAddressesMapped) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-mapped_addrs.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// 192.168.1.0/24 is a permitted subtree.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 0)));
// This does not cover ::ffff:192.168.1.0.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0)));
// 192.168.1.1 is excluded.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
// ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
// ::ffff:192.168.2.0/120 is a permitted subtree.
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0)));
// This does not cover 192.168.2.0.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 2, 0)));
// ::ffff:192.168.2.1 is excluded.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1)));
// 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2)));
}
TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
@ -734,7 +768,7 @@ TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -757,7 +791,7 @@ TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -780,7 +814,7 @@ TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -842,7 +876,7 @@ TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -892,7 +926,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameInPermitted) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -951,7 +985,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameInExcluded) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1000,7 +1034,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInPermitted) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1050,7 +1084,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInExcluded) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1100,7 +1134,7 @@ TEST_P(ParseNameConstraints, Rfc822NameSubdomainInPermitted) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1138,7 +1172,7 @@ TEST_P(ParseNameConstraints, Rfc822NameSubdomainInExcluded) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1177,7 +1211,7 @@ TEST_P(ParseNameConstraints, Rfc822NameEmptyPermitted) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1202,7 +1236,7 @@ TEST_P(ParseNameConstraints, Rfc822NameEmptyExcluded) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1227,7 +1261,7 @@ TEST_P(ParseNameConstraints, Rfc822NameIPv4Permitted) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1257,7 +1291,7 @@ TEST_P(ParseNameConstraints, Rfc822NameIPv4Excluded) {
LoadTestNameConstraint("rfc822name-excluded-ipv4.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1288,7 +1322,7 @@ TEST_P(ParseNameConstraints, QuotedRfc822SanWithNoRfc822Constraints) {
LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string san_der;
@ -1306,7 +1340,7 @@ TEST_P(ParseNameConstraints, QuotedRfc822SanMatchesQuotedPermitted) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string san_der;
@ -1325,7 +1359,7 @@ TEST_P(ParseNameConstraints, UnquotedRfc822SanNotMatchingQuotedExcluded) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string san_der;
@ -1345,7 +1379,7 @@ TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1368,7 +1402,7 @@ TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1391,7 +1425,7 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1414,7 +1448,7 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1436,7 +1470,7 @@ TEST_P(ParseNameConstraints, URIsInPermitted) {
ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1458,7 +1492,7 @@ TEST_P(ParseNameConstraints, URIsInExcluded) {
ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1481,7 +1515,7 @@ TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1504,7 +1538,7 @@ TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@ -1530,7 +1564,7 @@ TEST_P(ParseNameConstraints,
// could be changed to allowed if there are buggy encoders out there that
// include it anyway.
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1539,7 +1573,7 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
ASSERT_TRUE(
LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1549,7 +1583,7 @@ TEST_P(ParseNameConstraints,
ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
&constraints_der));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1558,7 +1592,7 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
&constraints_der));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1566,14 +1600,14 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
std::string constraints_der;
ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
std::string constraints_der = "";
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1582,7 +1616,7 @@ TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
ASSERT_TRUE(
LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1591,7 +1625,7 @@ TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
&constraints_der));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1600,7 +1634,7 @@ TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
&constraints_der));
CertErrors errors;
EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@ -1610,7 +1644,7 @@ TEST_P(ParseNameConstraints,
ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@ -1618,14 +1652,14 @@ TEST_P(ParseNameConstraints,
// Name constraints don't contain rfc822Name, so emailAddress in subject is
// allowed regardless.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
// Name constraints don't contain rfc822Name, so emailAddress in subject is
// allowed regardless.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@ -1635,7 +1669,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@ -1644,21 +1678,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
// Name constraints contain rfc822Name, and the address matches the
// constraint (which is all addresses on the hostname.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
// The bytes of the name string match, but the string type is VISIBLESTRING
// which is not supported, so this should fail.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
// Subject contains multiple rfc822Names, and they all match the constraint
// (which is all addresses on the hostname.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@ -1668,7 +1702,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@ -1677,21 +1711,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
// Name constraints contain rfc822Name, and the address does not match the
// constraint.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
// Address is a case-insensitive match, but name constraints (permitted) are
// case-sensitive, so this fails.
ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
// Subject contains multiple rfc822Names, and only the first one matches the
// constraint.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@ -1701,7 +1735,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) {
LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@ -1710,21 +1744,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) {
// Name constraints contain excluded rfc822Name, and the address does not
// match the constraint.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
// Name constraints for excluded are done case-insensitive in the local part,
// so this is not allowed.
ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
// Subject contains multiple rfc822Names, and one of them is excluded by the
// constraint.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name),
SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@ -1737,7 +1771,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_us_az_foocom;
@ -1746,7 +1780,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
// (The commonName hostname is not within permitted dNSName constraints, so
// this would not be permitted if hostnames in commonName were checked.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_az_foocom),
SequenceValueFromString(name_us_az_foocom),
nullptr /* subject_alt_names */));
std::string name_us_az_permitted;
@ -1756,7 +1790,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
// permitted dNSName constraints, so this should be permitted regardless if
// hostnames in commonName are checked or not.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_az_permitted),
SequenceValueFromString(name_us_az_permitted),
nullptr /* subject_alt_names */));
std::string name_us_ca_permitted;
@ -1766,7 +1800,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
// this should not be allowed, regardless of checking the
// permitted.example.com in commonName.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_ca_permitted),
SequenceValueFromString(name_us_ca_permitted),
nullptr /* subject_alt_names */));
}
@ -1779,7 +1813,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
"directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
der::Input(&constraints_der), is_critical(), &errors));
der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_us_az_1_1_1_1;
@ -1788,7 +1822,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
// (The commonName IP address is not within permitted iPAddresses constraints,
// so this would not be permitted if IP addresses in commonName were checked.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_az_1_1_1_1),
SequenceValueFromString(name_us_az_1_1_1_1),
nullptr /* subject_alt_names */));
std::string name_us_az_192_168_1_1;
@ -1798,7 +1832,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
// permitted iPAddress constraints, so this should be permitted regardless if
// IP addresses in commonName are checked or not.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_az_192_168_1_1),
SequenceValueFromString(name_us_az_192_168_1_1),
nullptr /* subject_alt_names */));
std::string name_us_ca_192_168_1_1;
@ -1808,7 +1842,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
// this should not be allowed, regardless of checking the
// IP address in commonName.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_ca_192_168_1_1),
SequenceValueFromString(name_us_ca_192_168_1_1),
nullptr /* subject_alt_names */));
std::string name_us_az_ipv6;
@ -1817,7 +1851,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
// (The commonName is an ipv6 address which wasn't supported in the past, but
// since commonName checking is ignored entirely, this is permitted.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
SequenceValueFromString(&name_us_az_ipv6),
SequenceValueFromString(name_us_az_ipv6),
nullptr /* subject_alt_names */));
}

@ -5,8 +5,8 @@
#ifndef BSSL_PKI_OCSP_H_
#define BSSL_PKI_OCSP_H_
#include "webutil/url/url.h"
#include "fillins/openssl_util.h"
#include "webutil/url/url.h"
#include <memory>
#include <vector>

@ -175,8 +175,7 @@ TEST_P(CheckOCSPTest, FromFile) {
std::vector<uint8_t> encoded_request;
ASSERT_TRUE(CreateOCSPRequest(cert.get(), issuer.get(), &encoded_request));
EXPECT_EQ(der::Input(encoded_request.data(), encoded_request.size()),
der::Input(&request_data));
EXPECT_EQ(der::Input(encoded_request), der::Input(request_data));
}
std::string_view kGetURLTestParams[] = {

@ -63,7 +63,7 @@ void RunCertificateTest(const std::string& file_name) {
der::BitString signature_value;
CertErrors errors;
bool actual_result =
ParseCertificate(der::Input(&data), &tbs_certificate_tlv,
ParseCertificate(der::Input(data), &tbs_certificate_tlv,
&signature_algorithm_tlv, &signature_value, &errors);
EXPECT_EQ(expected_result, actual_result);
@ -72,10 +72,10 @@ void RunCertificateTest(const std::string& file_name) {
// Ensure that the parsed certificate matches expectations.
if (expected_result && actual_result) {
EXPECT_EQ(0, signature_value.unused_bits());
EXPECT_EQ(der::Input(&expected_signature), signature_value.bytes());
EXPECT_EQ(der::Input(&expected_signature_algorithm),
EXPECT_EQ(der::Input(expected_signature), signature_value.bytes());
EXPECT_EQ(der::Input(expected_signature_algorithm),
signature_algorithm_tlv);
EXPECT_EQ(der::Input(&expected_tbs_certificate), tbs_certificate_tlv);
EXPECT_EQ(der::Input(expected_tbs_certificate), tbs_certificate_tlv);
}
}
@ -167,7 +167,7 @@ void RunTbsCertificateTestGivenVersion(const std::string& file_name,
ParsedTbsCertificate parsed;
CertErrors errors;
bool actual_result =
ParseTbsCertificate(der::Input(&data), {}, &parsed, &errors);
ParseTbsCertificate(der::Input(data), {}, &parsed, &errors);
EXPECT_EQ(expected_result, actual_result);
VerifyCertErrors(expected_errors, errors, test_file_path);
@ -178,36 +178,36 @@ void RunTbsCertificateTestGivenVersion(const std::string& file_name,
// Ensure that the ParsedTbsCertificate matches expectations.
EXPECT_EQ(expected_version, parsed.version);
EXPECT_EQ(der::Input(&expected_serial_number), parsed.serial_number);
EXPECT_EQ(der::Input(&expected_signature_algorithm),
EXPECT_EQ(der::Input(expected_serial_number), parsed.serial_number);
EXPECT_EQ(der::Input(expected_signature_algorithm),
parsed.signature_algorithm_tlv);
EXPECT_EQ(der::Input(&expected_issuer), parsed.issuer_tlv);
EXPECT_EQ(der::Input(expected_issuer), parsed.issuer_tlv);
// In the test expectations PEM file, validity is described as a
// textual string of the parsed value (rather than as DER).
EXPECT_EQ(expected_validity_not_before, ToString(parsed.validity_not_before));
EXPECT_EQ(expected_validity_not_after, ToString(parsed.validity_not_after));
EXPECT_EQ(der::Input(&expected_subject), parsed.subject_tlv);
EXPECT_EQ(der::Input(&expected_spki), parsed.spki_tlv);
EXPECT_EQ(der::Input(expected_subject), parsed.subject_tlv);
EXPECT_EQ(der::Input(expected_spki), parsed.spki_tlv);
EXPECT_EQ(!expected_issuer_unique_id.empty(),
parsed.issuer_unique_id.has_value());
if (parsed.issuer_unique_id.has_value()) {
EXPECT_EQ(der::Input(&expected_issuer_unique_id),
EXPECT_EQ(der::Input(expected_issuer_unique_id),
parsed.issuer_unique_id->bytes());
}
EXPECT_EQ(!expected_subject_unique_id.empty(),
parsed.subject_unique_id.has_value());
if (parsed.subject_unique_id.has_value()) {
EXPECT_EQ(der::Input(&expected_subject_unique_id),
EXPECT_EQ(der::Input(expected_subject_unique_id),
parsed.subject_unique_id->bytes());
}
EXPECT_EQ(!expected_extensions.empty(), parsed.extensions_tlv.has_value());
if (parsed.extensions_tlv) {
EXPECT_EQ(der::Input(&expected_extensions), parsed.extensions_tlv.value());
EXPECT_EQ(der::Input(expected_extensions), parsed.extensions_tlv.value());
}
}
@ -1008,7 +1008,7 @@ bool ParseAuthorityKeyIdentifierTestData(
file_name;
EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
return ParseAuthorityKeyIdentifier(der::Input(backing_bytes),
return ParseAuthorityKeyIdentifier(der::Input(*backing_bytes),
authority_key_identifier);
}

@ -201,7 +201,7 @@ TEST(ParseNameTest, InvalidNameExtraData) {
ASSERT_TRUE(
LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid));
RDNSequence atv;
ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameEmpty) {
@ -209,7 +209,7 @@ TEST(ParseNameTest, InvalidNameEmpty) {
ASSERT_TRUE(
LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid));
RDNSequence atv;
ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameBadType) {
@ -217,7 +217,7 @@ TEST(ParseNameTest, InvalidNameBadType) {
ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue",
"badAttributeType", &invalid));
RDNSequence atv;
ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameNotSequence) {
@ -225,21 +225,21 @@ TEST(ParseNameTest, InvalidNameNotSequence) {
ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue", "setNotSequence",
&invalid));
RDNSequence atv;
ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameNotSet) {
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid));
RDNSequence atv;
ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameEmptyRdn) {
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
RDNSequence atv;
ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, RFC2253FormatBasic) {

@ -110,7 +110,7 @@ class OPENSSL_EXPORT ParsedCertificate {
// Sequence tag). This is guaranteed to be valid DER, though the contents of
// unhandled string types are treated as raw bytes.
der::Input normalized_subject() const {
return der::Input(&normalized_subject_);
return der::Input(normalized_subject_);
}
// Returns the DER-encoded raw issuer value (including the outer sequence
// tag). This is guaranteed to be valid DER, though the contents of unhandled
@ -120,7 +120,7 @@ class OPENSSL_EXPORT ParsedCertificate {
// Sequence tag). This is guaranteed to be valid DER, though the contents of
// unhandled string types are treated as raw bytes.
der::Input normalized_issuer() const {
return der::Input(&normalized_issuer_);
return der::Input(normalized_issuer_);
}
// Returns true if the certificate has a BasicConstraints extension.

@ -5,7 +5,6 @@
#include "path_builder.h"
#include <cstdint>
#include <iostream>
#include "fillins/log.h"
#include "fillins/net_errors.h"
@ -237,7 +236,7 @@ class PathBuilderPkitsTestDelegate {
for (size_t i = 0; i < result.paths.size(); ++i) {
const CertPathBuilderResultPath* result_path =
result.paths[i].get();
std::cerr << "path " << i << " errors:\n"
LOG(ERROR) << "path " << i << " errors:\n"
<< result_path->errors.ToDebugString(result_path->certs);
}
}

@ -1155,8 +1155,7 @@ TEST(SignatureAlgorithmTest, ParseRsaPss) {
0x04, 0x02, 0x03, 0xa2, 0x03, 0x02, 0x01, 0x40},
SignatureAlgorithm::kRsaPssSha512}};
for (const auto& t : kValidTests) {
EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size())),
t.expected);
EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data)), t.expected);
}
struct {
@ -1346,8 +1345,7 @@ TEST(SignatureAlgorithmTest, ParseRsaPss) {
0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x41}},
};
for (const auto& t : kInvalidTests) {
EXPECT_FALSE(
ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size())));
EXPECT_FALSE(ParseSignatureAlgorithm(der::Input(t.data)));
}
}

@ -38,11 +38,11 @@ void ReadTestCase(const char* file_name,
ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings));
std::optional<SignatureAlgorithm> sigalg_opt =
ParseSignatureAlgorithm(der::Input(&algorithm_str));
ParseSignatureAlgorithm(der::Input(algorithm_str));
ASSERT_TRUE(sigalg_opt);
*signature_algorithm = *sigalg_opt;
ASSERT_TRUE(ParsePublicKey(der::Input(&public_key_str), public_key));
ASSERT_TRUE(ParsePublicKey(der::Input(public_key_str), public_key));
}
class SimplePathBuilderDelegate1024SuccessTest

@ -110,7 +110,7 @@ void PrintTo(const Input& data, ::std::ostream* os) {
} // namespace der
der::Input SequenceValueFromString(const std::string* s) {
der::Input SequenceValueFromString(std::string_view s) {
der::Parser parser((der::Input(s)));
der::Input data;
if (!parser.ReadTag(der::kSequence, &data)) {
@ -284,7 +284,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
if (value == "DEFAULT") {
value = "211005120000Z";
}
if (!der::ParseUTCTime(der::Input(&value), &test->time)) {
if (!der::ParseUTCTime(der::Input(value), &test->time)) {
ADD_FAILURE() << "Failed parsing UTC time";
return false;
}

@ -9,6 +9,7 @@
#include <ostream>
#include <string>
#include <string_view>
#include <vector>
#include "parsed_certificate.h"
@ -33,7 +34,7 @@ void PrintTo(const Input& data, ::std::ostream* os);
//
// The returned der::Input() is only valid so long as the input string is alive
// and is not mutated.
der::Input SequenceValueFromString(const std::string* s);
der::Input SequenceValueFromString(std::string_view s);
// Helper structure that maps a PEM block header (for instance "CERTIFICATE") to
// the destination where the value for that block should be written.

@ -317,6 +317,23 @@ def main():
enforce_length=False))
generate(c, "ipaddress-invalid_addr.pem")
v4_mapped_prefix = (0, ) * 10 + (255, ) * 2
v4_mapped_mask = (255, ) * 12
c = NameConstraintsGenerator()
c.add_permitted(ip_address_range((192, 168, 1, 0), (255, 255, 255, 0)))
c.add_excluded(ip_address_range((192, 168, 1, 1), (255, 255, 255, 255)))
c.add_excluded(
ip_address_range(v4_mapped_prefix + (192, 168, 1, 2),
v4_mapped_mask + (255, 255, 255, 255)))
c.add_permitted(
ip_address_range(v4_mapped_prefix + (192, 168, 2, 0),
v4_mapped_mask + (255, 255, 255, 0)))
c.add_excluded(
ip_address_range(v4_mapped_prefix + (192, 168, 2, 1),
v4_mapped_mask + (255, 255, 255, 255)))
c.add_excluded(ip_address_range((192, 168, 2, 2), (255, 255, 255, 255)))
generate(c, "ipaddress-mapped_addrs.pem")
n_us = generate_names.NameGenerator()
n_us.add_rdn().add_attr('countryName', 'PRINTABLESTRING', 'US')
generate(n_us, "name-us.pem")

@ -0,0 +1,29 @@
SEQUENCE {
[0] {
SEQUENCE {
[7 PRIMITIVE] { `c0a80100ffffff00` }
}
SEQUENCE {
[7 PRIMITIVE] { `00000000000000000000ffffc0a80200ffffffffffffffffffffffffffffff00` }
}
}
[1] {
SEQUENCE {
[7 PRIMITIVE] { `c0a80101ffffffff` }
}
SEQUENCE {
[7 PRIMITIVE] { `00000000000000000000ffffc0a80102ffffffffffffffffffffffffffffffff` }
}
SEQUENCE {
[7 PRIMITIVE] { `00000000000000000000ffffc0a80201ffffffffffffffffffffffffffffffff` }
}
SEQUENCE {
[7 PRIMITIVE] { `c0a80202ffffffff` }
}
}
}
-----BEGIN NAME CONSTRAINTS-----
MIGUoDAwCocIwKgBAP///wAwIocgAAAAAAAAAAAAAP//wKgCAP///////////////////wChYDAK
hwjAqAEB/////zAihyAAAAAAAAAAAAAA///AqAEC/////////////////////zAihyAAAAAAAAAA
AAAA///AqAIB/////////////////////zAKhwjAqAIC/////w==
-----END NAME CONSTRAINTS-----

@ -46,10 +46,6 @@ unit tests.
purposes is not recommended. This needs to be updated periodically so the
server name the cert is valid for may change.
- treadclimber.pem: A chain where the leaf does not contain embedded SCTs,
and which has a notBefore date after 2018/10/15. Expires 2020/02/07.
- treadclimber.sctlist: The TLS encoded SignedCertificateTimestampList for the
treadclimber.pem leaf certificate.
- lets-encrypt-dst-x3-root.pem: A chain that ends in the Lets encrypt DST X3
root (https://crt.sh/?id=8395). Has the same leaf as
lets-encrypt-isrg-x1-root.pem.
@ -193,18 +189,15 @@ unit tests.
Certificates for testing EV display (including regression test for
https://crbug.com/1069113).
===== From net/data/ssl/scripts/generate-weak-test-chains.sh
- 2048-rsa-root.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
{768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
Test certificates used to ensure that weak keys are detected and rejected
===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
- cross-signed-leaf.pem
- cross-signed-root-md5.pem
- cross-signed-root-sha256.pem
A certificate chain for regression testing http://crbug.com/108514
===== From net/data/ssl/scripts/generate-test-keys.sh
- rsa-{768,1024,2048}-{1..3}.key
- ec-prime256v1-{1..3}.key
Pre-generated keys of various types/sizes.
Useful for tests that generate RSA certificates with CertBuilder without
having to pay the cost of generating RSA keys at runtime. Multiple keys
of each size are provided. (EC keys are cheap to generate at runtime, but
having some as files simplifies test logic in cases where the test is
reading both RSA and EC keys from files.)
===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
- redundant-validated-chain.pem

@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8YeFfq6kLtUZziTV
eBxKf4sdzWhBIrmoa7R6IQ/L0g2hRANCAATwrGqIPnPdqDreHFlZqECUQ0AjHbyi
NWFYmGc3FkPsCS1MWu2WhMYdw7UuLDdMKge7Q6IWMsHum/4G04hRdTYL
-----END PRIVATE KEY-----

@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSCf4GodSLqPExkQ0
Ik8+89ysmrauzOM+YOw7a6XXxpOhRANCAASTFjEdz9MMLzVvqiKJ6hiEmG7+tfn1
6r5Odwu8dkIr69J5RljzPLAbHXN4kXF/ohZbBvKnX+1cEUDO+kBtAHMB
-----END PRIVATE KEY-----

@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSFwCrUE0q+J8WdaB
wuQtvtQuvSVy4xrVUVKbg/b8qmShRANCAAQ0MQNe+C3m+ZxRjUC2VHut66EhAqDQ
EXOCJ3se7ctMpdmVa2ml/4cjz3lnrfbSYe/mM5v3hDN8u8dYmk7zDoL3
-----END PRIVATE KEY-----

@ -1,274 +1,666 @@
===========================================
Certificate0: c74f724a594ff8156228aa8d5b06c2335c45bcc0381cf16deb7ec0330cb454a0
Certificate0: 43a7c7f7b28f92beac4b5e7e002c69801fd82c8656d9cb2993dba2bab0c4ec1e
===========================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
13:00:0f:ee:63:1b:df:c3:25:02:e3:e0:7e:a6:39:50
Serial Number: 5475531677529648189 (0x4bfcff0cd38dac3d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Validity
Not Before: Apr 10 00:00:00 2023 GMT
Not After : May 10 23:59:59 2024 GMT
Subject: CN = horseweather.com
Not Before: Jul 25 02:05:05 2023 GMT
Not After : Aug 24 00:14:22 2024 GMT
Subject: CN = tntpowerwashservices.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:4f:7d:c0:1a:22:1c:a6:88:a0:85:01:3e:4a:
56:e3:3e:2a:f9:9c:f8:15:ce:6f:f7:44:74:00:41:
0f:d9:54:ce:7b:51:70:95:0c:9b:35:b1:68:b9:a6:
75:1a:28:93:4b:c9:64:9c:7e:ea:30:d4:4b:73:44:
62:fa:97:0d:5b:19:f6:6e:a3:44:b1:ea:67:7b:c6:
86:c6:1f:b8:1b:9b:ce:b1:9d:f7:f1:63:f4:63:03:
6b:07:72:f8:9c:f7:62:89:5d:15:2f:eb:ea:f8:18:
8f:55:1d:33:e7:2c:76:fd:3e:1a:16:fb:42:c1:02:
3a:03:82:f8:92:9a:a2:de:f1:8b:06:8e:cc:f9:ca:
1e:29:1c:48:7e:dc:0f:c1:5e:81:91:5c:36:eb:41:
1f:55:23:67:f2:b3:3b:10:73:fc:f0:48:2c:9e:8e:
1b:66:1e:52:38:09:0b:53:10:47:96:39:47:bb:81:
67:c4:4f:33:f2:74:19:c8:b5:16:0b:27:1e:d2:0e:
09:c7:4e:c5:e3:a8:8f:aa:00:1a:3c:9a:19:45:09:
c8:aa:74:e0:7e:a0:7f:e2:46:8e:27:42:d4:ee:80:
60:5d:e1:b4:fc:23:9d:cb:70:be:d6:5b:88:ee:15:
61:1d:f5:4b:8d:02:ae:2f:19:5c:20:fc:17:9f:fc:
5d:b9
00:af:a6:20:2e:e2:8f:f6:61:ba:78:bd:8c:c9:b4:
84:6a:38:53:33:4a:28:e1:f6:9a:f8:be:45:14:18:
ef:0c:57:6c:ae:89:7b:8d:06:89:58:b4:76:21:2c:
43:1f:b9:5d:e0:8d:4b:83:ad:3d:04:fb:e1:bf:76:
f2:e9:1a:80:42:f7:24:65:6d:c9:90:fc:fd:8e:82:
0a:0e:5e:22:78:09:68:59:2a:4b:58:10:99:2d:f8:
57:56:d9:92:a6:58:7e:89:c2:12:ea:c6:e2:43:86:
07:6f:84:e2:c2:cd:1e:9d:4f:ee:62:58:35:a2:13:
d5:bc:20:cf:69:65:c4:74:2a:4d:b1:c2:7b:03:85:
b2:fc:dd:c7:36:30:c2:d6:59:02:e8:7c:41:26:ce:
6b:f0:7a:55:1f:90:42:07:53:2e:a1:47:2e:53:42:
a6:48:1c:d0:d2:bb:9c:76:bf:89:4b:39:9d:69:f5:
80:a4:38:b3:bd:e7:cd:41:0c:69:d7:3d:c1:78:27:
88:05:ee:c7:f3:87:9d:01:e1:fd:70:e4:be:4d:97:
d3:2b:61:f3:0a:d3:2f:63:a9:ce:61:22:08:2e:a3:
d6:ba:de:fe:6b:df:69:ed:2f:50:dd:b8:72:c4:d6:
6b:00:5e:a4:8b:9b:58:c0:43:32:ab:cc:44:55:d7:
70:2f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
X509v3 Subject Key Identifier:
DE:B8:1F:8D:E5:9F:B7:B7:F7:B6:96:56:D3:F4:2F:58:30:4C:36:0D
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.godaddy.com/gdig2s1-7257.crl
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://sectigo.com/CPS
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository/
Policy: 2.23.140.1.2.1
Authority Information Access:
CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.sectigo.com
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
X509v3 Authority Key Identifier:
40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
X509v3 Subject Alternative Name:
DNS:horseweather.com, DNS:www.horseweather.com
DNS:tntpowerwashservices.com, DNS:www.tntpowerwashservices.com
X509v3 Subject Key Identifier:
15:BE:40:63:3C:B1:6A:3C:27:52:B1:1E:43:06:A1:1C:0B:09:C7:C8
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
Timestamp : Apr 10 14:57:58.554 2023 GMT
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : Jul 25 02:05:06.473 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:2C:72:0F:4C:A5:E0:DE:BA:0F:50:D6:79:
57:BB:1E:4C:57:63:08:41:3E:CE:92:04:AF:1D:8B:43:
AC:D3:E0:A9:02:20:73:BD:5A:86:55:76:F4:84:E5:71:
CE:D4:3B:D4:2F:7F:9F:7F:E9:DB:10:8B:97:0B:A5:EC:
FB:B3:99:03:5A:DF
30:45:02:21:00:B6:D5:26:94:10:7C:69:75:D5:83:A6:
4A:7F:4D:87:A3:86:3D:C6:AD:47:17:B7:04:9F:83:0B:
51:7E:41:C5:06:02:20:1E:2C:1C:2F:03:D1:1B:AB:E2:
F5:A0:65:BC:EC:BE:15:D2:05:ED:CC:AC:1A:44:70:DC:
19:B6:87:58:4E:DF:EA
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
Timestamp : Apr 10 14:57:58.648 2023 GMT
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : Jul 25 02:05:06.771 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:6A:FD:3F:78:6C:23:EE:5E:6D:6F:4C:67:
D5:22:B0:9A:CB:78:01:D2:24:79:DF:56:44:40:23:4E:
8B:CE:B9:10:02:21:00:E7:15:11:84:48:04:FC:2C:CD:
F1:88:4E:79:31:19:4B:DC:E0:B3:74:12:49:3C:DD:4E:
DB:E5:6D:D9:1B:B9:60
30:45:02:20:6F:76:37:49:56:F0:9D:7F:F7:94:58:C9:
9E:D3:D6:36:7D:BD:56:F4:92:41:0B:3E:97:0B:95:84:
53:C6:68:24:02:21:00:87:45:7A:45:89:8E:C0:D9:44:
82:56:24:C1:0D:A3:C4:FC:F8:C8:8E:1D:71:CC:0C:B5:
6E:03:40:8D:3C:34:3A
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : Apr 10 14:57:58.679 2023 GMT
Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
Timestamp : Jul 25 02:05:06.882 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:AF:8C:27:AC:66:5E:08:AC:BA:19:1D:
5A:CF:9A:F5:B8:28:A6:CC:9F:C4:99:45:59:10:2E:80:
17:BA:BA:B0:5E:02:21:00:CD:4E:51:2B:C6:12:73:4D:
7E:23:61:15:22:CB:08:CA:19:62:81:95:7E:31:08:B9:
64:F7:96:71:B0:1E:D2:A8
30:46:02:21:00:A1:1F:15:0A:5A:5A:E7:ED:6D:61:5F:
9C:13:0B:66:70:62:95:31:C8:ED:D0:8A:B9:58:B1:90:
97:63:21:C8:2B:02:21:00:F9:67:A5:79:88:32:96:48:
CB:6C:B9:27:76:0D:B6:7C:3A:AE:CB:65:40:87:E3:A5:
A9:FA:03:CA:61:F3:C7:9D
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
3b:67:4e:46:c0:7f:d6:2f:4e:64:63:80:21:e4:ea:af:46:06:
e3:83:47:99:88:73:27:6c:96:ae:5e:eb:d3:36:60:4a:1d:b4:
28:57:7d:07:df:40:e2:87:54:d3:dd:bc:5a:e4:e7:9b:f7:72:
4b:c7:5f:5d:50:da:c6:c0:6a:0d:36:c3:f9:ff:db:b5:d2:71:
84:b6:66:0a:15:31:46:79:39:0f:b2:bc:c0:91:8f:d6:03:ab:
10:7d:ea:7e:59:16:13:6c:3a:47:55:12:8b:c5:4a:1f:21:bc:
00:f1:a1:0a:0e:e5:e8:b5:af:38:47:78:44:e9:ab:d9:0c:94:
a1:af:a1:2c:18:5a:15:00:e1:4e:9f:c5:06:88:87:41:25:e7:
92:bf:9e:ee:66:93:88:4d:15:ae:c5:d8:1b:c4:58:e1:3c:fd:
12:bc:8e:44:fa:74:4b:a3:37:bd:7d:49:f9:3e:90:a7:bd:2e:
dc:3d:24:5d:5b:9f:47:3e:6c:3a:7d:17:ab:dc:3b:3c:53:f1:
ac:39:1b:74:51:a9:47:08:d2:af:c1:0c:5b:d3:4c:ed:85:97:
5a:d6:75:1e:d7:d5:69:50:e3:1e:bd:26:cf:b9:94:1a:fb:74:
0b:ac:18:48:6b:61:10:6a:4e:89:6e:b5:c6:eb:c3:90:64:ee:
38:5d:18:17
26:c1:ee:ce:fb:7c:3d:bd:15:19:f7:6e:bc:f2:b0:d3:8b:a0:
d0:26:84:83:2c:06:65:50:68:0e:9a:1e:96:9e:2b:64:ae:7a:
0a:05:e9:78:0a:cc:d5:0d:44:7a:d5:ae:4b:25:0c:a1:5d:a0:
b4:3a:1b:60:6c:6a:e2:30:7e:30:23:2e:eb:74:85:80:84:0f:
e6:cb:89:ee:b8:a9:9d:79:8a:da:dc:13:e1:6d:77:4f:81:7e:
55:b4:0f:4f:41:6d:02:89:bf:73:95:7c:7f:b2:d8:9b:50:4a:
f8:60:36:11:e2:13:32:1f:e5:0f:3a:7d:0e:42:1e:b0:90:eb:
dd:41:57:0c:52:72:28:31:87:13:cb:39:9a:2f:23:66:9f:ca:
a9:4a:d3:26:30:71:ad:72:e2:83:b7:00:29:92:2c:b9:9f:c9:
a2:85:b2:90:29:c0:10:41:e4:6f:6e:d7:3c:ad:96:06:81:75:
09:ff:7e:47:ff:3d:93:18:f5:e8:62:44:f9:8a:6c:37:db:5a:
a6:66:78:ae:3a:84:9b:7c:d0:f0:c9:9d:99:ce:8d:4a:9f:ab:
d6:e1:bd:7c:bc:9c:9d:f2:00:c9:17:aa:7d:97:9f:3f:27:9c:
6c:91:16:a6:8e:39:c8:86:db:0c:14:ea:20:3d:f7:aa:7d:a3:
e2:67:9d:9a
SEQUENCE {
SEQUENCE {
[0] {
INTEGER { 2 }
}
INTEGER { `4bfcff0cd38dac3d` }
SEQUENCE {
# sha256WithRSAEncryption
OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
NULL {}
}
SEQUENCE {
SET {
SEQUENCE {
# countryName
OBJECT_IDENTIFIER { 2.5.4.6 }
PrintableString { "US" }
}
}
SET {
SEQUENCE {
# stateOrProvinceName
OBJECT_IDENTIFIER { 2.5.4.8 }
PrintableString { "Arizona" }
}
}
SET {
SEQUENCE {
# localityName
OBJECT_IDENTIFIER { 2.5.4.7 }
PrintableString { "Scottsdale" }
}
}
SET {
SEQUENCE {
# organizationName
OBJECT_IDENTIFIER { 2.5.4.10 }
PrintableString { "GoDaddy.com, Inc." }
}
}
SET {
SEQUENCE {
# organizationUnitName
OBJECT_IDENTIFIER { 2.5.4.11 }
PrintableString { "http://certs.godaddy.com/repository/" }
}
}
SET {
SEQUENCE {
# commonName
OBJECT_IDENTIFIER { 2.5.4.3 }
PrintableString { "Go Daddy Secure Certificate Authority - G2" }
}
}
}
SEQUENCE {
UTCTime { "230725020505Z" }
UTCTime { "240824001422Z" }
}
SEQUENCE {
SET {
SEQUENCE {
# commonName
OBJECT_IDENTIFIER { 2.5.4.3 }
PrintableString { "tntpowerwashservices.com" }
}
}
}
SEQUENCE {
SEQUENCE {
# rsaEncryption
OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
NULL {}
}
BIT_STRING {
`00`
SEQUENCE {
INTEGER { `00afa6202ee28ff661ba78bd8cc9b4846a3853334a28e1f69af8be451418ef0c576cae897b8d068958b476212c431fb95de08d4b83ad3d04fbe1bf76f2e91a8042f724656dc990fcfd8e820a0e5e22780968592a4b5810992df85756d992a6587e89c212eac6e24386076f84e2c2cd1e9d4fee625835a213d5bc20cf6965c4742a4db1c27b0385b2fcddc73630c2d65902e87c4126ce6bf07a551f904207532ea1472e5342a6481cd0d2bb9c76bf894b399d69f580a438b3bde7cd410c69d73dc178278805eec7f3879d01e1fd70e4be4d97d32b61f30ad32f63a9ce6122082ea3d6badefe6bdf69ed2f50ddb872c4d66b005ea48b9b58c04332abcc4455d7702f` }
INTEGER { 65537 }
}
}
}
[3] {
SEQUENCE {
SEQUENCE {
# basicConstraints
OBJECT_IDENTIFIER { 2.5.29.19 }
BOOLEAN { TRUE }
OCTET_STRING {
SEQUENCE {}
}
}
SEQUENCE {
# extKeyUsage
OBJECT_IDENTIFIER { 2.5.29.37 }
OCTET_STRING {
SEQUENCE {
# serverAuth
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.1 }
# clientAuth
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.2 }
}
}
}
SEQUENCE {
# keyUsage
OBJECT_IDENTIFIER { 2.5.29.15 }
BOOLEAN { TRUE }
OCTET_STRING {
BIT_STRING { b`101` }
}
}
SEQUENCE {
# cRLDistributionPoints
OBJECT_IDENTIFIER { 2.5.29.31 }
OCTET_STRING {
SEQUENCE {
SEQUENCE {
[0] {
[0] {
[6 PRIMITIVE] { "http://crl.godaddy.com/gdig2s1-7257.crl" }
}
}
}
}
}
}
SEQUENCE {
# certificatePolicies
OBJECT_IDENTIFIER { 2.5.29.32 }
OCTET_STRING {
SEQUENCE {
SEQUENCE {
OBJECT_IDENTIFIER { 2.16.840.1.114413.1.7.23.1 }
SEQUENCE {
SEQUENCE {
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 }
IA5String { "http://certificates.godaddy.com/repository/" }
}
}
}
SEQUENCE {
# domain-validated
OBJECT_IDENTIFIER { 2.23.140.1.2.1 }
}
}
}
}
SEQUENCE {
# authorityInfoAccess
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 }
OCTET_STRING {
SEQUENCE {
SEQUENCE {
# ocsp
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
[6 PRIMITIVE] { "http://ocsp.godaddy.com/" }
}
SEQUENCE {
# caIssuers
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
[6 PRIMITIVE] { "http://certificates.godaddy.com/repository/gdig2.crt" }
}
}
}
}
SEQUENCE {
# authorityKeyIdentifier
OBJECT_IDENTIFIER { 2.5.29.35 }
OCTET_STRING {
SEQUENCE {
[0 PRIMITIVE] { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` }
}
}
}
SEQUENCE {
# subjectAltName
OBJECT_IDENTIFIER { 2.5.29.17 }
OCTET_STRING {
SEQUENCE {
[2 PRIMITIVE] { "tntpowerwashservices.com" }
[2 PRIMITIVE] { "www.tntpowerwashservices.com" }
}
}
}
SEQUENCE {
# subjectKeyIdentifier
OBJECT_IDENTIFIER { 2.5.29.14 }
OCTET_STRING {
OCTET_STRING { `15be40633cb16a3c2752b11e4306a11c0b09c7c8` }
}
}
SEQUENCE {
# embeddedSCTList
OBJECT_IDENTIFIER { 1.3.6.1.4.1.11129.2.4.2 }
OCTET_STRING {
OCTET_STRING { `0169007600eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b000001898acafe290000040300473045022100b6d52694107c6975d583a64a7f4d87a3863dc6ad4717b7049f830b517e41c50602201e2c1c2f03d11babe2f5a065bcecbe15d205edccac1a4470dc19b687584edfea00760048b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d88473000001898acaff53000004030047304502206f76374956f09d7ff79458c99ed3d6367dbd56f492410b3e970b958453c6682402210087457a45898ec0d944825624c10da3c4fcf8c88e1d71cc0cb56e03408d3c343a007700dab6bf6b3fb5b6229f9bc2bb5c6be87091716cbb51848534bda43d3048d7fbab000001898acaffc20000040300483046022100a11f150a5a5ae7ed6d615f9c130b6670629531c8edd08ab958b190976321c82b022100f967a57988329648cb6cb927760db67c3aaecb654087e3a5a9fa03ca61f3c79d` }
}
}
}
}
}
SEQUENCE {
# sha256WithRSAEncryption
OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
NULL {}
}
BIT_STRING { `00` `26c1eecefb7c3dbd1519f76ebcf2b0d38ba0d02684832c066550680e9a1e969e2b64ae7a0a05e9780accd50d447ad5ae4b250ca15da0b43a1b606c6ae2307e30232eeb748580840fe6cb89eeb8a99d798adadc13e16d774f817e55b40f4f416d0289bf73957c7fb2d89b504af8603611e213321fe50f3a7d0e421eb090ebdd41570c527228318713cb399a2f23669fcaa94ad3263071ad72e283b70029922cb99fc9a285b29029c01041e46f6ed73cad9606817509ff7e47ff3d9318f5e86244f98a6c37db5aa66678ae3a849b7cd0f0c99d99ce8d4a9fabd6e1bd7cbc9c9df200c917aa7d979f3f279c6c9116a68e39c886db0c14ea203df7aa7da3e2679d9a` }
}
-----BEGIN CERTIFICATE-----
MIIGPzCCBSegAwIBAgIQEwAP7mMb38MlAuPgfqY5UDANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTIzMDQxMDAwMDAwMFoXDTI0MDUxMDIzNTk1OVowGzEZMBcGA1UEAxMQaG9y
c2V3ZWF0aGVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVP
fcAaIhymiKCFAT5KVuM+Kvmc+BXOb/dEdABBD9lUzntRcJUMmzWxaLmmdRook0vJ
ZJx+6jDUS3NEYvqXDVsZ9m6jRLHqZ3vGhsYfuBubzrGd9/Fj9GMDawdy+Jz3Yold
FS/r6vgYj1UdM+csdv0+Ghb7QsECOgOC+JKaot7xiwaOzPnKHikcSH7cD8FegZFc
NutBH1UjZ/KzOxBz/PBILJ6OG2YeUjgJC1MQR5Y5R7uBZ8RPM/J0Gci1FgsnHtIO
CcdOxeOoj6oAGjyaGUUJyKp04H6gf+JGjidC1O6AYF3htPwjnctwvtZbiO4VYR31
S40Cri8ZXCD8F5/8XbkCAwEAAaOCAwgwggMEMB8GA1UdIwQYMBaAFI2MXsRUrYrh
d+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBTeuB+N5Z+3t/e2llbT9C9YMEw2DTAOBgNV
HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIB
FhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEB
BHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdv
UlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcw
AYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wMQYDVR0RBCowKIIQaG9yc2V3ZWF0
aGVyLmNvbYIUd3d3LmhvcnNld2VhdGhlci5jb20wggF+BgorBgEEAdZ5AgQCBIIB
bgSCAWoBaAB1AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdMWjp0AAABh2us
exoAAAQDAEYwRAIgLHIPTKXg3roPUNZ5V7seTFdjCEE+zpIErx2LQ6zT4KkCIHO9
WoZVdvSE5XHO1DvUL3+ff+nbEIuXC6Xs+7OZA1rfAHYA2ra/az+1tiKfm8K7XGvo
cJFxbLtRhIU0vaQ9MEjX+6sAAAGHa6x7eAAABAMARzBFAiBq/T94bCPuXm1vTGfV
IrCay3gB0iR531ZEQCNOi865EAIhAOcVEYRIBPwszfGITnkxGUvc4LN0Ekk83U7b
5W3ZG7lgAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGHa6x7
lwAABAMASDBGAiEAr4wnrGZeCKy6GR1az5r1uCimzJ/EmUVZEC6AF7q6sF4CIQDN
TlErxhJzTX4jYRUiywjKGWKBlX4xCLlk95ZxsB7SqDANBgkqhkiG9w0BAQsFAAOC
AQEAO2dORsB/1i9OZGOAIeTqr0YG44NHmYhzJ2yWrl7r0zZgSh20KFd9B99A4odU
0928WuTnm/dyS8dfXVDaxsBqDTbD+f/btdJxhLZmChUxRnk5D7K8wJGP1gOrEH3q
flkWE2w6R1USi8VKHyG8APGhCg7l6LWvOEd4ROmr2QyUoa+hLBhaFQDhTp/FBoiH
QSXnkr+e7maTiE0VrsXYG8RY4Tz9EryORPp0S6M3vX1J+T6Qp70u3D0kXVufRz5s
On0Xq9w7PFPxrDkbdFGpRwjSr8EMW9NM7YWXWtZ1HtfVaVDjHr0mz7mUGvt0C6wY
SGthEGpOiW61xuvDkGTuOF0YFw==
MIIGtDCCBZygAwIBAgIIS/z/DNONrD0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjMwNzI1MDIwNTA1WhcN
MjQwODI0MDAxNDIyWjAjMSEwHwYDVQQDExh0bnRwb3dlcndhc2hzZXJ2aWNlcy5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvpiAu4o/2Ybp4vYzJ
tIRqOFMzSijh9pr4vkUUGO8MV2yuiXuNBolYtHYhLEMfuV3gjUuDrT0E++G/dvLp
GoBC9yRlbcmQ/P2OggoOXiJ4CWhZKktYEJkt+FdW2ZKmWH6JwhLqxuJDhgdvhOLC
zR6dT+5iWDWiE9W8IM9pZcR0Kk2xwnsDhbL83cc2MMLWWQLofEEmzmvwelUfkEIH
Uy6hRy5TQqZIHNDSu5x2v4lLOZ1p9YCkOLO9581BDGnXPcF4J4gF7sfzh50B4f1w
5L5Nl9MrYfMK0y9jqc5hIgguo9a63v5r32ntL1DduHLE1msAXqSLm1jAQzKrzERV
13AvAgMBAAGjggNYMIIDVDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn
aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTcyNTcuY3JsMF0GA1UdIARW
MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj
YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH
AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI
KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np
dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w
QQYDVR0RBDowOIIYdG50cG93ZXJ3YXNoc2VydmljZXMuY29tghx3d3cudG50cG93
ZXJ3YXNoc2VydmljZXMuY29tMB0GA1UdDgQWBBQVvkBjPLFqPCdSsR5DBqEcCwnH
yDCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYA7s3QZNXbGs7FXLedtM0TojKH
Rny87N7DUUhZRnEftZsAAAGJisr+KQAABAMARzBFAiEAttUmlBB8aXXVg6ZKf02H
o4Y9xq1HF7cEn4MLUX5BxQYCIB4sHC8D0Rur4vWgZbzsvhXSBe3MrBpEcNwZtodY
Tt/qAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGJisr/UwAA
BAMARzBFAiBvdjdJVvCdf/eUWMme09Y2fb1W9JJBCz6XC5WEU8ZoJAIhAIdFekWJ
jsDZRIJWJMENo8T8+MiOHXHMDLVuA0CNPDQ6AHcA2ra/az+1tiKfm8K7XGvocJFx
bLtRhIU0vaQ9MEjX+6sAAAGJisr/wgAABAMASDBGAiEAoR8VClpa5+1tYV+cEwtm
cGKVMcjt0Iq5WLGQl2MhyCsCIQD5Z6V5iDKWSMtsuSd2DbZ8Oq7LZUCH46Wp+gPK
YfPHnTANBgkqhkiG9w0BAQsFAAOCAQEAJsHuzvt8Pb0VGfduvPKw04ug0CaEgywG
ZVBoDpoelp4rZK56CgXpeArM1Q1EetWuSyUMoV2gtDobYGxq4jB+MCMu63SFgIQP
5suJ7ripnXmK2twT4W13T4F+VbQPT0FtAom/c5V8f7LYm1BK+GA2EeITMh/lDzp9
DkIesJDr3UFXDFJyKDGHE8s5mi8jZp/KqUrTJjBxrXLig7cAKZIsuZ/JooWykCnA
EEHkb27XPK2WBoF1Cf9+R/89kxj16GJE+YpsN9tapmZ4rjqEm3zQ8Mmdmc6NSp+r
1uG9fLycnfIAyReqfZefPyecbJEWpo45yIbbDBTqID33qn2j4medmg==
-----END CERTIFICATE-----
===========================================
Certificate1: 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
Certificate1: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
===========================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Validity
Not Before: Nov 2 00:00:00 2018 GMT
Not After : Dec 31 23:59:59 2030 GMT
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Not Before: May 3 07:00:00 2011 GMT
Not After : May 3 07:00:00 2031 GMT
Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d6:73:33:d6:d7:3c:20:d0:00:d2:17:45:b8:d6:
3e:07:a2:3f:c7:41:ee:32:30:c9:b0:6c:fd:f4:9f:
cb:12:98:0f:2d:3f:8d:4d:01:0c:82:0f:17:7f:62:
2e:e9:b8:48:79:fb:16:83:4e:ad:d7:32:25:93:b7:
07:bf:b9:50:3f:a9:4c:c3:40:2a:e9:39:ff:d9:81:
ca:1f:16:32:41:da:80:26:b9:23:7a:87:20:1e:e3:
ff:20:9a:3c:95:44:6f:87:75:06:90:40:b4:32:93:
16:09:10:08:23:3e:d2:dd:87:0f:6f:5d:51:14:6a:
0a:69:c5:4f:01:72:69:cf:d3:93:4c:6d:04:a0:a3:
1b:82:7e:b1:9a:b9:ed:c5:9e:c5:37:78:9f:9a:08:
34:fb:56:2e:58:c4:09:0e:06:64:5b:bc:37:dc:f1:
9f:28:68:a8:56:b0:92:a3:5c:9f:bb:88:98:08:1b:
24:1d:ab:30:85:ae:af:b0:2e:9e:7a:9d:c1:c0:42:
1c:e2:02:f0:ea:e0:4a:d2:ef:90:0e:b4:c1:40:16:
f0:6f:85:42:4a:64:f7:a4:30:a0:fe:bf:2e:a3:27:
5a:8e:8b:58:b8:ad:c3:19:17:84:63:ed:6f:56:fd:
83:cb:60:34:c4:74:be:e6:9d:db:e1:e4:e5:ca:0c:
5f:15
00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64:
b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf:
8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b:
63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc:
45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57:
c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37:
96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30:
38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f:
38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc:
71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47:
f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4:
33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0:
a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e:
f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a:
ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69:
02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18:
50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2:
52:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
X509v3 Subject Key Identifier:
8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
Policy: 2.23.140.1.2.1
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
X509v3 Authority Key Identifier:
3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
Authority Information Access:
CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
OCSP - URI:http://ocsp.usertrust.com
Signature Algorithm: sha384WithRSAEncryption
URI:http://crl.godaddy.com/gdroot-g2.crl
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: https://certs.godaddy.com/repository/
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
32:bf:61:bd:0e:48:c3:4f:c7:ba:47:4d:f8:9c:78:19:01:dc:
13:1d:80:6f:fc:c3:70:b4:52:9a:31:33:9a:57:52:fb:31:9e:
6b:a4:ef:54:aa:89:8d:40:17:68:f8:11:10:7c:d2:ca:b1:f1:
55:86:c7:ee:b3:36:91:86:f6:39:51:bf:46:bf:0f:a0:ba:b4:
f7:7e:49:c4:2a:36:17:9e:e4:68:39:7a:af:94:4e:56:6f:b2:
7b:3b:bf:0a:86:bd:cd:c5:77:1c:03:b8:38:b1:a2:1f:5f:7e:
db:8a:dc:46:48:b6:68:0a:cf:b2:b5:b4:e2:34:e4:67:a9:38:
66:09:5e:d2:b8:fc:9d:28:3a:17:40:27:c2:72:4e:29:fd:21:
3c:7c:cf:13:fb:96:2c:c5:31:44:fd:13:ed:d5:9b:a9:69:68:
77:7c:ee:e1:ff:a4:f9:36:38:08:53:39:a2:84:34:9c:19:f3:
be:0e:ac:d5:24:37:eb:23:a8:78:d0:d3:e7:ef:92:47:64:62:
39:22:ef:c6:f7:11:be:22:85:c6:66:44:24:26:8e:10:32:8d:
c8:93:ae:07:9e:83:3e:2f:d9:f9:f5:46:8e:63:be:c1:e6:b4:
dc:a6:cd:21:a8:86:0a:95:d9:2e:85:26:1a:fd:fc:b1:b6:57:
42:6d:95:d1:33:f6:39:14:06:82:41:38:f5:8f:58:dc:80:5b:
a4:d5:7d:95:78:fd:a7:9b:ff:fd:c5:a8:69:ab:26:e7:a7:a4:
05:87:5b:a9:b7:b8:a3:20:0b:97:a9:45:85:dd:b3:8b:e5:89:
37:8e:29:0d:fc:06:17:f6:38:40:0e:42:e4:12:06:fb:7b:f3:
c6:11:68:62:df:e3:98:f4:13:d8:15:4f:8b:b1:69:d9:10:60:
bc:64:2a:ea:31:b7:e4:b5:a3:3a:14:9b:26:e3:0b:7b:fd:02:
8e:b6:99:c1:38:97:59:36:f6:a8:74:a2:86:b6:5e:eb:c6:64:
ea:cf:a0:a3:f9:6e:9e:ba:2d:11:b6:86:98:08:58:2d:c9:ac:
25:64:f2:5e:75:b4:38:c1:ae:7f:5a:46:83:ea:51:ca:b6:f1:
99:11:35:6b:a5:6a:7b:c6:00:b0:e7:f8:be:64:b2:ad:c8:c2:
f1:ac:e3:51:ea:a4:93:e0:79:c8:e1:81:40:c9:0a:5b:e1:12:
3c:c1:60:2a:e3:97:c0:89:42:ca:94:cf:46:98:12:69:bb:98:
d0:c2:d3:0d:72:4b:47:6e:e5:93:c4:32:28:63:87:43:e4:b0:
32:3e:0a:d3:4b:bf:23:9b:14:29:41:2b:9a:04:1f:93:2d:f1:
c7:39:48:3c:ad:5a:12:7f
08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef:
6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f:
db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73:
31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11:
56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4:
2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f:
f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca:
17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51:
b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c:
ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d:
5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce:
c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7:
8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87:
6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8:
bc:04:30:01
SEQUENCE {
SEQUENCE {
[0] {
INTEGER { 2 }
}
INTEGER { 7 }
SEQUENCE {
# sha256WithRSAEncryption
OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
NULL {}
}
SEQUENCE {
SET {
SEQUENCE {
# countryName
OBJECT_IDENTIFIER { 2.5.4.6 }
PrintableString { "US" }
}
}
SET {
SEQUENCE {
# stateOrProvinceName
OBJECT_IDENTIFIER { 2.5.4.8 }
PrintableString { "Arizona" }
}
}
SET {
SEQUENCE {
# localityName
OBJECT_IDENTIFIER { 2.5.4.7 }
PrintableString { "Scottsdale" }
}
}
SET {
SEQUENCE {
# organizationName
OBJECT_IDENTIFIER { 2.5.4.10 }
PrintableString { "GoDaddy.com, Inc." }
}
}
SET {
SEQUENCE {
# commonName
OBJECT_IDENTIFIER { 2.5.4.3 }
PrintableString { "Go Daddy Root Certificate Authority - G2" }
}
}
}
SEQUENCE {
UTCTime { "110503070000Z" }
UTCTime { "310503070000Z" }
}
SEQUENCE {
SET {
SEQUENCE {
# countryName
OBJECT_IDENTIFIER { 2.5.4.6 }
PrintableString { "US" }
}
}
SET {
SEQUENCE {
# stateOrProvinceName
OBJECT_IDENTIFIER { 2.5.4.8 }
PrintableString { "Arizona" }
}
}
SET {
SEQUENCE {
# localityName
OBJECT_IDENTIFIER { 2.5.4.7 }
PrintableString { "Scottsdale" }
}
}
SET {
SEQUENCE {
# organizationName
OBJECT_IDENTIFIER { 2.5.4.10 }
PrintableString { "GoDaddy.com, Inc." }
}
}
SET {
SEQUENCE {
# organizationUnitName
OBJECT_IDENTIFIER { 2.5.4.11 }
PrintableString { "http://certs.godaddy.com/repository/" }
}
}
SET {
SEQUENCE {
# commonName
OBJECT_IDENTIFIER { 2.5.4.3 }
PrintableString { "Go Daddy Secure Certificate Authority - G2" }
}
}
}
SEQUENCE {
SEQUENCE {
# rsaEncryption
OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
NULL {}
}
BIT_STRING {
`00`
SEQUENCE {
INTEGER { `00b9e0cb10d4af76bdd49362eb3064b881086cc304d962178e2fff3e65cf8fce62e63c521cda16454b55ab786b63836290ce0f696c99c81a148b4ccc4533ea88dc9ea3af2bfe80619d7957c4cf2ef43f303c5d47fc9a16bcc3379641518e114b54f828bed08cbef030381ef3b026f86647636dde7126478f384753d1461db4e3dc00ea45acbdbc71d9aa6f00dbdbcd303a794f5f4c47f81def5bc2c49d603bb1b24391d8a4334eeab3d6274fad258aa5c6f4d5d0a6ae7405645788b54455d42d2a3a3ef8b8bde9320a029464c4163a50f14aaee77933af0c20077fe8df0439c269026c6352fa77c11bc87487c8b993185054354b694ebc3bd3492e1fdcc1d252fb` }
INTEGER { 65537 }
}
}
}
[3] {
SEQUENCE {
SEQUENCE {
# basicConstraints
OBJECT_IDENTIFIER { 2.5.29.19 }
BOOLEAN { TRUE }
OCTET_STRING {
SEQUENCE {
BOOLEAN { TRUE }
}
}
}
SEQUENCE {
# keyUsage
OBJECT_IDENTIFIER { 2.5.29.15 }
BOOLEAN { TRUE }
OCTET_STRING {
BIT_STRING { b`0000011` }
}
}
SEQUENCE {
# subjectKeyIdentifier
OBJECT_IDENTIFIER { 2.5.29.14 }
OCTET_STRING {
OCTET_STRING { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` }
}
}
SEQUENCE {
# authorityKeyIdentifier
OBJECT_IDENTIFIER { 2.5.29.35 }
OCTET_STRING {
SEQUENCE {
[0 PRIMITIVE] { `3a9a8507106728b6eff6bd05416e20c194da0fde` }
}
}
}
SEQUENCE {
# authorityInfoAccess
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 }
OCTET_STRING {
SEQUENCE {
SEQUENCE {
# ocsp
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
[6 PRIMITIVE] { "http://ocsp.godaddy.com/" }
}
}
}
}
SEQUENCE {
# cRLDistributionPoints
OBJECT_IDENTIFIER { 2.5.29.31 }
OCTET_STRING {
SEQUENCE {
SEQUENCE {
[0] {
[0] {
[6 PRIMITIVE] { "http://crl.godaddy.com/gdroot-g2.crl" }
}
}
}
}
}
}
SEQUENCE {
# certificatePolicies
OBJECT_IDENTIFIER { 2.5.29.32 }
OCTET_STRING {
SEQUENCE {
SEQUENCE {
# anyPolicy
OBJECT_IDENTIFIER { 2.5.29.32.0 }
SEQUENCE {
SEQUENCE {
OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 }
IA5String { "https://certs.godaddy.com/repository/" }
}
}
}
}
}
}
}
}
}
SEQUENCE {
# sha256WithRSAEncryption
OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
NULL {}
}
BIT_STRING { `00` `087e6c9310c838b896a9904bffa15f4f04ef6c3e9c8806c9508fa673f757311bbebce42fdbf8bad35be0b4e7e679620e0ca2d76a637331b5f5a848a43b082da25d90d7b47c254f115630c4b6449d7b2c9de55ee6ef0c61aabfe42a1bee849eb8837dc143ce44a713700d911ff4c813ad8360d9d872a873241eb5ac220eca17896258441bab892501000fcdc41b62db51b4d30f512a9bf4bc73fc76ce36a4cdd9d82ceaae9bf52ab290d14d75188a3f8a4190237d5b4bfea403589b46b2c3606083f87d5041cec2a190c3bbef022fd21554ee4415d90aaea78a33edb12d763626dc04eb9ff7611f15dc876fee469628ada1267d0a09a72e04a38dbcf8bc043001` }
}
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----

@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----
MIICeQIBADANBgkqhkiG9w0BAQEFAASCAmMwggJfAgEAAoGBAL7mb78RnGZpGth3
z5ilQTmz77Cc6YOqZPulE83+Vnjy39YzK0csTluvbWqVMUHtYGsRF8h+gYvywt8l
zITocpE0UyeXlzsoOI8h7SgUCrYPAl9l6VydsUQ3F14uJ4LWaQcz/R601LhYrvQc
XgpDr4U1rp108EAFG01BVFFiInCVAgMBAAECgYEAtGnxuCC7r+mrTmNE1d1wHEma
wE47Po0d7NlhMzAopxvaQYSQZS5RS8MqZC1lpQnjMqyvznMImauvUddWR1GrWz6T
jU7YJiq/NJZ26qzACKCJWj9UG37fzC3L7JDMz4Yz3K/iISH7iDLIrh4JWw8A6xQL
+cq8/u4ZhjtODbxYHu0CQQDuPMkrqPolGpy6mo18jP8QuNooZmpZ5z5C72GtqqRz
AMcfIOtluBBcFef7iZoKa+YcEldjpdiCK0I3qy86G9JLAkEAzSIg3A8qta3o/U2d
TwUq5BMGUotHmG/A1MwEK5GnRHj3L0nu/HpE3tjrKrkMC4i+zVTYBop90XFBPdy6
d+v8nwJBAM6Qdf0dLoctY+eISlVMC3x8SuvsoRoCnsF6vb7OznfInN4otPIlfknZ
1KMM1DtlAsgkPxFvoyJ6T5flHbXMmbECQQCaKR/QwYUzbDNAyeeCzztgk/uYZRu1
L6cXRQuNQrUV/GKno0R7cdf4McTqIo8uy+G4ph6DK+lKUXbaatun7C25AkEAsr/A
yOyChfU16iQMa45LhT9FoplbNbDvczJ3EUUsf8i1I/8FG/GM4AaUMUshdwCf7hdh
ZBHFE6S2PIUV9iZVbA==
-----END PRIVATE KEY-----

@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM3oM+IGvDDamzE+
5cZRkeoH8PBYH5HSChJOcRepGpPMxsOjR3aomPCi0eI3cR4IOqaakpxDJswp+ioA
H4hEMDMoVZijvpXEto0QAy/2O7K7QzhQ1ylFNM8k6WD4xfM8W6PlrlxFHjH47QDq
k/njjASgxTfj6zHCwauQG4FYTmZNAgMBAAECgYBuds82yDQ35V9yuPKeRW6JZj89
QZmWKl+a2JhVgDQw7KAJntQc9XAvULpWqTW3TeThMnXK/T+YMkDyPWStPx+3q9PR
AQS65Bz8BltepO5sdy2QWGnOss97fLG5DJgTHrAZYDKLxJah9hDOf5Tjq4d9GYka
D6cOgWErS3wv+ERZhQJBAOuVmTnEywk0TIGjIOWud+Yv2TUIc3IqBZnyF1RN8y1y
NFVGwpCb8aKLRawfDta/kNkQVOkYZCtZRdYb1NHqBJMCQQDfwDel33a3OnVdQNoB
GbfEJYqmgY7JCzFfH9EVzqB45x6yYvwAHStp1r5dYmwMUSIVs5B8SFA4bUN6cAMr
BJWfAkEA4xGOXuAP0w9Vrp5NVxSS/IuiEDvVCnT2cSum0NtRSLyLNKa/YiLtBH64
6O4Gn3aFZrMXJJUd96pUZcrtlma5gQJAaUR0qdxNbPza1Km7JwNjequy5I1VkO5s
JvXAF8Njqh4KSiDZsHAIyb2XSDYS4WSWZaFaW65l13ZIZeUnCGkavwJAMn0mC5e4
idlSe3QqaOa3haxAXquQkImH6pSI4jRPzTJxPd8BlShlZeVC4IyCwfz/o6Azce+W
w+5b/8VIMO2s9g==
-----END PRIVATE KEY-----

@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMqUxHtJfHQ6709j
T1yMqY/JH/dg0Kl3DaddDScaVRiv2X+0mhxkFu4/rWEYslj1aSS8CgcdVxSdHsI0
dXEsumoRFJl/EmfBAwQkukgpkjuE5uUORuxt2vzT1zGPutX0UlMiLINdZ1AB45D6
c78SBTiIoXai7FZ+SayOf/3MQsYpAgMBAAECgYB7nbITpTD7X+cd43TO/cqOQeVu
t7Y8YriDMyXOgaQBr3SiF9uejXjsoxCyWjaiUAZ78v6PftjfbE0Tpp0vlWKeNo0q
iJ0rjbxf04bIpU7+Q+/I4hkXngu7WvmXS8ZjmamEvT1a9XN8bZ1QD+lglYAkZKj5
iwlVpZfYokj+4sMIgQJBAOnkLBrmlaXhh3KbzLcKPMtmOlm8y2PuSziJN7JTdkb7
gwaQAa1+5ToOEjAS64qP+BRp9uLTnPuVnbyd27nDElkCQQDduu9KbS2o9IazrVeR
FMqAitIWb9v/k98IfOc7/LKeyA7oVCzqAsq0nlYM4unGYSiIdlJLLnQCtbVABB4D
6rhRAkEApM49cbsWqWsQCObVSgixq9Tdusu4OTL4196AW2xKBFxHCAHC3OB0XwL5
N9ytEda+RIwiBdR8Yh4bpoNJB0z4CQJBAI9yo+LztUmMQSU3LOK4n7X/maFYZuz3
HqDgJb0iY/Djnvlhk9klSz0E/sjBeNqV+uImImFvQTCLnCI5R63jCbECQQDpeDiP
DcKOL773vayJixOvvSqruHGvM87KMkpW2zsLbxrlN2gKyf3iMkQX1Kat945qPD98
kpnDpyVRVRxIc6Sg
-----END PRIVATE KEY-----

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvBAyWDWogcaoH
kjhp9fmm7OognM/SNfIuEKMiqmFLz4GsiNa1I4By8kPqcI8u0KRBvX0F/DDfBvDy
8nm7gbfMliILkPTKlDqAKY51kV1qBkSQhhiQ7Tl3KXjB4tbdjJemv9TrXfwfr+k4
9dP8oYLmVmyYRWMGybW7tA6MJewLYeAIBZpbcz0okrKD7izMEi7eCWvQ9O6PdVMG
atBfUbGrZ0oX0XzsJQgI6iJNq88WQCbfybQLDvXleneem8NHVYO8fCmgVzgsiVw5
fgaeYWBfCVOGUHsoVwxTDThAfoIGHX1ldQ+3YP+pyph43h5e9jWHHwAjg45SFqkI
XRTu4I/HAgMBAAECggEASmt63J10qLocdl63TVtSXqg0QEzd1AGrauoZLGbtu3pP
pimDvv+LIZWhyoE1aU8/4VJtZMuhjlyZvXzcxZ45pS2b6XYomTGhlJjXImf/JFPo
+NmEfa/Z9TE1z6AhBJFBdR7yL2lGCcVX8ygZDb4x9rb+M1uh6aOA+wFsBC0l64pt
YNGaOtgR1DCqn6mtxFcUOMt6gWEbgu2gwieo4qSGPmGOwNxhEbMWPL+0CPemW+li
K+fB2RrYpGdSD8kyWHWqZTUT7SegcT2mO3F+eNwwy69srb/R/MAUfbYXbQhTrPuI
vavor2vT7++Ha2Z7FV+715Jsn2f8OkW0UyFzb7PQsQKBgQDUG5H0XR34wqAfNgaZ
lzJqDeh6Tg0v991t4imNd/yFBJEa4PyonM9m9ka9o13ySPyIuUyqvUDm0/geVH1g
dn7o3rTVCKbfeCeDWaU00elMjtCezeDUlnsTgcHpLEpb/5uxJhAL2/KcMlOvHzGv
ima5zj2tB0dvUfkCtzLthb/etwKBgQDTO4hNrTcNQBTg/XUG2TSERo6WslVOZjJ5
70AlE9PYgqmoNUONg8XxGwj8n7lx+AY2BB0kfM9ANVc+BNjI2fqFLba2DYDGMpsq
XrxR2SiRe8UCjftFgHSElIx/mGplgAbElGrSd+pkONwnxtE3E0JD/+y+/dKQeg9z
iVraymnHcQKBgQC8/9gdU3/qcpo1VXGqGGTuxXfay4PKs2WWjUkTatATQw99UO8x
25CfoWFFh7Wlt812kw6ysTKMvGJBvG1/r/bDz/Z4QV5Yj/s9enrQRx9IfZV9e9wT
8ga3Sg8ck7+qnGgCAPWZa6KR9fJFgFlInt2MQS8J6AuKMRPejJmPtndSnwKBgFPP
dCZ1yrkMKvyWNB+ygL7XC+5I9cX0kKSGxCmx80UdmtktwQ7eMOSYOHmbmkXZBgXa
ngGDL+wm/eWSoL0Yl+jNmYgkVWrOW3h1PD0xb4JB3IpF8WPDMvgDxLc/rz90i7rl
tHirsalwUhHKNeqnToySd8nUBf7jH0xVPGJBG7VRAoGBAIty6nRYERJkdWgzrrU+
TmSxTAFi4hqc/RXMa7kda40SBp3339+/KxaNCQ5YUJjDI/cggEc/Tnm2MjkheH5W
nBC1iP1A1g9wlk6Ak/RQIq8FRiQFdVwGU2Xa+dRQAyEj8Xq2KudmKkj1M630/kSg
3qCwc3kKPf2N5fjAtHUwLLHP
-----END PRIVATE KEY-----

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCncOKXlHiC4cH7
YiXsOMc3Vh3OBN26dK/c9tiVG7zQU9EbXbUWz9NNI8+wUDwyBtrR54zH+5R9+cj/
9QOPd2Vsv3wfaSIaR3qfsag/TK2rooYAis11F17lUHx02KZlZodagEuLCMgdlyIL
F0RTW4+Nt9ZklEFMXHYxZW2odDiimaUl0tJ3//jGNEBQwHSS7BbA88vKBknjRP4d
0lFZGJPM7VyEkYElp4qcTBvn4VY89lbgUdVcZjaMOtoUnK6DUZN7GAsWr222y7kc
BEH5fFOWB2PrgKY//tb41fujm16u2r4jjHngZ8FSs5md3A7z1CP4ChpNF33k9z6s
AzWb+GNhAgMBAAECggEAFFJdDeyVG71un6Xv2FWjyBGJmIF6r7CNz5GeA6rUJaym
il27JsOeb5RTFqEGTUQLtsIVkgf0o713KamA/x6MjsBGvkEyRGI8fblAJD6YLWaS
QOqXuQhXGhnEoSHSQChLcS50/LDaKM048oOmZT+NkrOnL5nWuv/V0HTw9Cr23LT6
wMuefBrN9cr8ZMmlOMNvJaoTKbCxr6bg4bKjfGr40QX05GnLXaOhg74wWPWMCFZQ
CfyFhCJvBcXk9Xifb2pMTk9GezfSd28JKy3XKjd2bUTD8KGStgnKvIB7FXVqaQb/
QOTE0USkYn3l6g53fXWdgk9i87ZRHmMarTv4K8wvaQKBgQDbe6v0CS6ui5A4bliC
z8EoZVmxxT+vgOf56ZOE65lGcPHOtTMDDL2u8MxqyjnWc7dXrw8FvfpurIe/TEU9
Y5kCj9NUA08940RKX/5u5RDaW9X2cGVlv7yJSDbA1JxpUjSzc98VFWQJrFkhHBfI
3eLdVLp+dHBBpGCgZuVQD2ymGwKBgQDDTJwspscuh9q9SWWgcyJv5ke+4MwosgkP
g8IC2dFFHr3j3GoFnVrrVP6w8zzezNb2ba+9xGaohNgHjmwC203ZcdDCUxem3t/L
GUM4+dCUC87nB/bGd772pu1jbZZ9bRUBvgf4x1zhlShQNnD+UL2/p/stzWl6SE47
Yva2416kMwKBgCBZ7lKeN99KewuWWD2P2ezWY44sgOKhoY/YugHRqFoVs87ALrC4
ZA0xOTBUdooBrHikORajlhJSJAAygdI2qAsUoBW2FywMH7jGxX4bDYziFHuqvYdt
56BkoI1zyUpM76+z2KIG8SPr34dd2LOm4RW2s3aIOzOxwvxhrlNKsr0ZAoGBALTH
4LUweKYo2aFoJKueiB0fBAC75CAzlVGIPHoZGK8r4sjfCkFCRJwcpFo1/n2bDc01
AX3fJMwPlE2CV5dZW7nRslV/RyCPpIdDTkeab6nrOE4BwDw9MkbthEcKdUiLRevD
9WsjWGX0hUmi63tuUAbuPwNJ5r5r2gb897WZyMyjAoGAYcNgSL1udQE7pEqrAl0t
ffTbbTJQ487sZm3qhFNXtuitC3h6eXpJecsWRoB/Jnhi4cpSjWgYJzjV4rkZSF79
es031jtdnPf6G94ZzjTKnkr4z34reDQusukuuD1SSsbURBGVacgZxkq0UaRAROfT
BTPraf9GfA9BnUEIFdjeKwI=
-----END PRIVATE KEY-----

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDW8jowfwvUgEye
CyzXw4rrlw1+liz+s9nWucRN5t8dia9L9dQhT0aBg7mUKOQ7L1wcRwzPMVoyFF3G
KsJw829iMm65P4fy+L9/C1XFfJ9x4rMeya9bHZuKxr29Ieia9KFAaWtASSngF6Uc
zwvGJ4AZQzUIiE6Ku/ZpGBjki9k36LsufQIeOaEaoHlSPS1K6pMh9Br40xQ+FkB4
OwFt7zNQygiSJt6NHvET4ib2i+0lZXRa32yl/dEJyf3aWT3iMxm4wLslLOI7Bud+
y04bVYi6hw+JFUFmFCLkrMW/iZ69S3lUPoUO9xz8fuCR64KjwjSR4FFawZ7ZQUKf
OUOu3dcXAgMBAAECggEAMss1AwbSxdm3wVVEuIwmBPxCHRrh8SKRJNPrVrlrGjDS
MvIZufFg6PQ245MyM+ZCLxB/L2srNFBpxI2QO17bgGoIjlA8ESfFIQGNuEh16VS4
HVtty+tYOVgzuEEOFagffvgqdxuTALi1tPQchSwKcm3WV3jWjqRSW41tPHzrzPEM
gNw6mlLIUxgaxJ31SytDPfLcCxhjyY1cLOseAtD37x8HZVw52cojmjn0Uy2+TeLu
6e34KqWzTcO8U7w4mBu6KyQYS5Q2GxR4eMfrja2nmQEJjjtL/MjPCr1RavzRmeO8
j2w0GbTZaM2otzI21VbNpM+OmX3OkGmKiPNIm0HVKQKBgQDufzscdRfcJSng9Wb/
kB1mr+AYZubzhHIVgN50UWnzqiLsVBWRGT6+y49z7dN3+4aGHXKjmV0Ceimi/6uC
nNsZ1kfJrHWXmTbTslQlBxOwyMuBsolWBSZdaqoX3dhDNu7EbUPgWqWjrv412EhH
UIH/mpmu8TgyA/SPT7BiHjuDcwKBgQDmuIkAYWseZ5iEWXPX2rH1XTtvKAHuzjf7
yPk5QX+ZeTZiPZPzvn4I6x4kMjnpn5wrVkm5QMQVK2NKpaQwMtdkQcevVybXVJ/u
0SMRHgXiesF6pG4YgREEJjbHdwmRgAaLffOPVSOvEGPc8ha1tEE7ZwgpKfjnCStC
2VkmWpcczQKBgQDsn3MIUuxvULfyJ8ge+t8QyKIv07iEFv4Rc6BCC5xxUnX/v5T+
NuvX5KLZRDaxLe5UFddtlXWARbAVtlB18CY5xi3HW8H3vN12v9FYQ2M33KB8d6Rm
oglkWbWUpFgyp8fRPw8/AvCgK7ivt3xOtQOlk7+yoEU+6kmz/j5jutcVHQKBgQDP
+ocdPbP3C4GzxIMlkHGc8fcyo0jiwSg8IxVuJHnmmhqJAmNNdGlelrtr+46y53s6
oaUBhr17K8psrtZL0HjTWmyrxY8wyosFF6dZtcuuNeQVLwZDtozlRaFZuxd3/oVn
1xjoGuJ42/h5Yg1QrHWlG6KCoOBLO7uwnga8CStw/QKBgQDSzUAJaak3XFAfdou3
GxWLQJcOXB/WxrZA7gq6K2aWvkY80AOPMGLhVFXA8k1fLI7jn2f9x7Ff6PNrzclf
mvvN6g6YH0vH9k+W6aHBnen8oGjW3XU4MHn7dPxfxPJ/MDT3toVAvD+6QnKFdd7o
xCDad5+lKr6f0yyPije/ZDkSSA==
-----END PRIVATE KEY-----

@ -0,0 +1,13 @@
-----BEGIN PRIVATE KEY-----
MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEAn8Be4Q88Bif6duPK
vG+iyt96BFtCTUgjuNEwhcWoeSO6BeZPeu1VRqOHI7/GE4jHO6iVRCnhw9DJg5eb
+p6zX1IWytyhke/psWBl3RNGXOvLucVWUJctS5pgKN1FNsILAgMBAAECYQCDjRaU
nsb/CszmOo8ovYWBKqaAD+Z5XX6NIzah8jLaDuGRGic5Q1eF5APVHIcwbuDU2Fyv
NIJqf768Gx/lUzmAlcGjF9hIRh5vrE4zfeCa2wSUjWNZPmqdTzjkM3r0NYECMQDM
1ORCXgP/DYHQbCTRFvNA/jYaIXRjUs+HXefXe27jJD32W3Mf+lyIcBV/mR7lRkUC
MQDHqJMkx3TiRsP2cYmG8citPrEjEA0TwPg181Kvi3N6aE5QzNHHLvl2nVJi7VPl
VA8CMQCayYKY2J0if52K2D5WN4appbFSu9dNO4YSYJdT0jYwtfGRGvh7wOFuRW0p
mJetYRUCMQCN9fiZoBAli3duVRAaGPQ86mR8r778mqphgd763kZ/dIaqwNcvruDF
S9r2aBTM7FUCMD46f/dAx2EfxsAfn3lYQWVpuxFQpK+tIqYzjeKsu/zRaqEkcog5
BOq06OV3qPYsVA==
-----END PRIVATE KEY-----

@ -0,0 +1,13 @@
-----BEGIN PRIVATE KEY-----
MIIB5wIBADANBgkqhkiG9w0BAQEFAASCAdEwggHNAgEAAmEA4SDrD2C751/n+lHQ
UBn5YynSU9hrO9ttTcnvMgqiL0gv2lAsx0N9QM0dg8rHsQodUYZotUQ0qbzCxzEw
pRVTHcEYHSnjaO7OfsqpGke+66jK0VhsQBkGbU2RznY3at3fAgMBAAECYQCRzs4v
QYmxy03ltENk/c2lyhptL4gUVoOulBEVqgls8iX8EV1PGYjwBWkOSLGZGmC3u4KI
le1z9L9iZxO5GGO0SJ/bLW/pGofgHCikBjLmhhyLuV0oFsY6te/q21fWu2ECMQD0
nbX+qhNgXYsZ96cb71ZfD80yGtu7dCVEYL/iC30P3BEztLabEIdVwmoUyBFfCDkC
MQDrmwnyqGx431YH3uyBrlwbJhRvAFfwACMy+6sY54BZdaPni9hHcQoKrAiQOe92
ptcCMQDcS5AUefybQ4M7bpIbkU7aq7NjVVbgGbhaPTtximElwE3pn+z390m6TS0V
7Bvg1tkCMQCDkPdUJ1MziFvtV0IxBKHwkyoz9jglEJ6XWMxpwtT8n+HgakpjUq9t
2DWL/J5JXs8CMQDsP+WjN9GzsQtuUMXEUxc1wgMVRFwvQ55hmXfeWaT2bgX+jpAn
+SreMT1bErrH2M8=
-----END PRIVATE KEY-----

@ -0,0 +1,13 @@
-----BEGIN PRIVATE KEY-----
MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEAtngFrnpogJ4DAPMt
Jvxxl3vSNFdnNMlpRGlHpPqhtOHTzYzXvRvSmSGzpYhvzVCFujjTvtszd86yehxr
+081ZtQbhHGhPKnudoPfqfYGUB6djJX4+I1pm2cWTOIXiGL7AgMBAAECYE7lbId5
tA/Qwrm5a8+Mnc0DI+uv0xc280Y6Q1kpaZwdfQhGms3Q5umBcfzkFntvEfgMJstC
KDWgH5Vo6v7oR/Hk8D0NzOyFNfEU10g72EG47PF2qFMlCZ3dTV5U3lPtOQIxAOfC
NB/LuHFiMA5LeFlfbV0Fyj4Kr+lqtGdwClmX3+KgfTUj9RcEMs+34z+UpYXt3wIx
AMmN/LkrZpwktp/iZuaKDvkA5foN660LguOt87/NdIN4l2hn8auEhwmh0Vno5gu2
ZQIwf6kWFT2eh7ZSSk2AKZrLHyaFVM+GPsksPp4U1W03QhqtXYxFATyq0Ii2gNtc
of15AjEAvCh2HnM61lebuYTE5UFLGv/QsfBe7GvLpDsXSx5FQBrK1ef7f1A4NDDB
XLsETzjVAjAegTa8Fk65Qc3YODZhIcDRbJ195DLUaw7ETgpT0utLPH7Kkn1GNyZf
wzlUtrz3r58=
-----END PRIVATE KEY-----

@ -0,0 +1,100 @@
-----BEGIN PRIVATE KEY-----
MIISRQIBADANBgkqhkiG9w0BAQEFAASCEi8wghIrAgEAAoIEAgCryOGbBSSQ/E53
duYJ8JpWms7zJk8+FpvZGW8CwGH2Qjs9UQmqMhGKTNySND6Gfk+tAGxd8zWGayyJ
rVhi5Sigr3+lPieGLt3TLke8LKysm0sSJU+xUUdZUTRjE3eff9Qb2NmgJ0uQIYic
jSUDznRiOpblzEhX4Rw1Kiw+fkqqsnXRg1+gonL9EmWl28zoeQFvcGRyknZCDpyR
K4Z667TuPoLk6F8S1IxyIEQPZciFbUnUTABbZTHQWZ33y7HmB3vc/P98PFilXsXH
41h4AdxzN/5pTI7flRP/bu+4NiVHE/rM1h+ag29R1McxzxoOi9ToYgVRenjSSkgs
/kjOELvBtIyivHNCwJjRrSXZi9fpZjgGTCqOg2mebU3qWDe0zL97jt9wGG612oFu
pqCBFnBSn6L/dc03K9Ckx9xuRYv3upc4xOMQnOXKLb9/k/TPpTmSQEk1qhEGOoKw
NC769IiTo69IxhJbB67gBVQzgJ5CVHfEzFid2SM1g59N3gNezjPb3y44ESlPJSfm
I/S9Yg/divrE7F4BvFGDP5TIaN3sYZf0IEN6140bz3gNhCP5vD64xFt+Mn3sUfWo
pAmUpKWY7u7YCn2B3XWg65jHelgzC+itLKHRMt0nSlKCLmIKS/UC/PnmRdNIekBh
46tS29d3vC9cbeTpeZwneOEP789KO0yqeckGmZyktw6VvF7bFKDyrFQONeYz85No
+dw3L54jnv4BV0bTwuv3CoU6MQI+DSfqaGxv5kmVxMDlLGpGJsezarUyrTseJBSE
DxungNAGktEawqkyk7ZRWdAUSZlgX/qanVenJ3pwrWWagqkyW5BKmzh+EhnGXnoM
t23+a2FjyoQRKYFhKL8pJ1QLBYJMNvqK+j2tUWHzgwwYV5YlOdDYz+U3+mQH7xOC
d0Egg61ci0RmRBRTwLqHWvKhMpOD6JEFhuCEALSe6b73faNkaTvUFV6y7SDkkAea
fLpBFosHCtGoC5ZwklD9rCKKxcdjJJESMi5RutOMYzA4Y9dayUBN7k1LVx0dw8ei
ZbWBvETGT3qIbMI9hjvRnJ3x35KyoKbvFXDtbKCQ58HbfO5kk4BAEoFhete+UsFO
KgMQoKue4Ps9sPNWVWwg7ZxrTKsHMje3dpklMNHdqtgHt69eio88z7zX4ZQPUEN6
PVUPosX0qWtW/sHVet0iDt0BANKD9T8/iwrns9HbPd2d/LwAOyU0kywdNkplCFOP
vNHaeSjbrIQq5/SEszLSmbh1kaNOimVBFwjie5Ju5q+4n2FahMtKkEqBajj1f4eT
dR8hs4evuZaKkzs6jGvQyuI28lBfkz3M9cfumHAShfXoihZcwrb53CBmjN+UBe8l
LaV0kGIknQIDAQABAoIEAR7kr337fMn+NfZSEaiz9m2gxZsAxrt5wWlXo5kxE+z/
mDu8uSo8et8OV5SLhLsXOCj6rIJw3K1h1M6luAGBCL9tEF2dQeplv0rdRdVXi243
N1b6Eszmuxga/Hrc42Rxzql7ZBfjOTmgbjsJPyDiHhgURVLqXBBB0ZrWDMLoX3E3
Suz03Vu8G0Xb6x/a2YztRg7OfaIFKPNUQV/yHes5PH6kC1IzX/W499EGcHb8bQVh
1Cczy9Sj7EN1+my32zRtIB9r+F5VU/PZiWQbRKvAWe72oPA67m7TFpeXUdElG6se
srnnwCM/g+OJipEwl5UKHK32AtLWXagj57r/uAQnCj0ZxTj2/xuAG3uJ0ga/mYLF
+UlYpUaf53ywV5TPbKU9NSp5VUGJg099Dk3h9XeBm42gW+XpP5CudoVL1B6Yr0VL
7yosblFshf7IH2pIJ3y4UBQ3L3NRNGKUXzBlEhXbqDw08a76wA5S4WY0TyI7/Toc
irV/smggxq43D40nYh/IoZbnGh7HJ1Cuc/B1guwUGJpVBigoAff58AbUhmNMSKzc
GEG1E62h2iSoOQTlQLsG2ZjM509YsUCwtKcxaO+sdIN+ZMHBkTSrqR3ZgM5O+FGl
0KBkKG3A4fjQ6umygbssUdHJwP9ii067fZydHxB1rNhBpZrPwJ0kW6rVmFQPYo4M
+1ENsX0AIz8hLx+10G602hcWu8MVgqO+E1Yoo5n6eNxCbKootZwSRQSwcUXgE9m0
Q1NHKHsK+pvjR/QyvoEr7SRmcox4PHcYID7EMfPMu2UtsIdRKi4NkIvmzE9a52s1
MPoanT+t9a4Zte4nQ+htFFFQFt10ue8Vqm16wPJ97gnpEM8keQhVYrttIKDVr2vs
QEcHJ/PgDeIihy44AbPTQKUYzZ4YEMAkDgoVsBq3Ktk8DTjxOZrZw7xq9xJPS9N3
5oLaTcUX2670SZUpRAg4/wArQncuE2pfsYP+beaGnUATiYRd8GoDSYtPOSa7BcyN
Eexo8tB5Kzmvgcypk5N5jefLaVdUdczroIlSDlUcdAQb35Yvnd7F3HLWXJtUIPbh
LZTJwJWooQVJLDt2lzrg/HQnD+UaYNI1Z8/oMaZ+zUBvQ8gBzArO3SRGfRI7lzvk
wcJM4LqBO0pIO67NzhVCyhJn7Ua3P++W9d7LULb5fqy/O64W2J2o2Xd9hZEdA47A
6JidJ2yNsv0p3AUgtVebEhBRQs6bPX4/siYif3xgT1ZZb8fTtQBYWsW8LS4Itdf9
WaJuUlfI7xdHpQnMVd5qiEjrDk02/x4JI4DmveO/pLyQAJ3qQpvGxXUZ70ecfSAk
ASn2OADu76TclVlQ4hvZ5913jxx8PWHFykK3w7N82xGZAoICAQ4FzISY+EaKydn8
jOfOirjfct+0x0PYeDZ3XFEq1CcW7nHARMxlGBe9IwEgoAn/RtLmHtSrscPLpN+8
mXS8ucPZwxIrbg2tCTZ2FktxAHldz3Fr7aGGeT4F7jE3e0gwYgU1h+CIMyDZZY/H
j/hANx1a+mAkDr7jafEuOe6nOfnWSuCaTPbyYcyGQ4pIe2Z5A0A6MFATT2Z2YOC6
tW98BNtw9ucOFNo9ZNakB8ZZ4WOG4vpFSSoSO3xJ2STn5HwuO+j2UF0ptmt5H6Pc
LzYnbbengq5H0dsnyw/sKbTO4jzXfORjxPhwpvrwNlNvs9hmLB6IKzfiN1PXKITS
updr+Ts72zD1I95dF3F0TsefncBSY9qq8D0Nq08zF4yYanxPLOmqjc1iCoSWyx95
RjNTiAoTWqmXvbtd4Z6OBU3M2m5QQYLu1mGcfKveRvW6KdueBhZwXEcY7Vb+pU3q
1J+Omh4wCQiyuuwsGu6QXmfkcVBOhLDoKxzAQJlch1l3zJdAQoul3iCYnptz6weR
47Ceg4cdP50KLvgboq4N1VJgI7ivMB9gfP+J/J7JogjUigoQNOLqb/X7Zwmv5ZIX
ZaKIB39HtKFvo1b/zpZagnx4y1K39pUFY8Nm3v0xZNU+keT3FCjOk44L+sXhdu5F
tbA81qb+7kBhZn9LMfz9sDTIUXq3OwKCAgEMQCGtq+7q0Scml0Ds5ORrymYX/zhh
xrkc/jbEHefvq50cCE7Sxmvm+NdFDz3JEpenWR4zPR0+39j8lNCWUK6azUhvqSK/
HYLLI2EDeUyeCQyULoNT4qva6wnJNuufjaNsOOmwwuBAIgurFKYaTEMD+m+1hYG9
Pe4drKMm3e3Xdg9IlJdKmY7MY+chxeCuiPfGO/MAm0Rz8pcKo1/cd308HuDL+CnE
LAFDYc7fa7oaj8i698m6QGeadltIPoggOTntoto659SK8ZLWOHsD3E2YC4Iq6dtQ
U8p8qWqn2kdWbLPnRhy5BXFcxeVFAbJOvgFMlSw1cCpoOySczBDlSpRjZV3ZP0R3
gCG6Hjh5N8S+N7aLtQQvurMa/9qz6e1p54LCkXqevDp52wwM2DnjC05J+FaevvWW
FjIaE8SU+Que77xakQYu7Vk1T2MoTimDAjduqtSTIvDb4uX1WNjgkX66AWUCzbEt
Gp67cMYh0DjwaLgos6t9XdRp5964m4YPewhAcpVppFV45MOKcBWD99d3nYgOGYs1
D8+4wXHpEJoU7r0pdz0buljZ1+bPmOiViShWmQgxIrKOCpOMuLKQJl2zJyVam8MN
dy8xYm3RZF3hCNyROeHp8lEt5dSOpw82LchW2f5ErVYatYzJu/opdu9ToczNuvdU
/U0liMxSEBr3RgcCggIBBHQzEarEsSNEGcjtuHMR/MZ8ZjG1WQdYp3QiDmXcHM5b
ziWTtJgnnuKkS6dhLcu3YyVUhZhDTj1QkQAGfd2z41E3dH325sEfO/0l97Bcxi/V
w+DUCYn82IZpsZg9wCAeAimOjvKzyqtCZvir8d3zo49SF1dcl6UD8WcNX5AeCgzW
m6Bm8cjq51t9+F4tU878CVpyHf0EKzdObhLfrhlmMY0f3yPJ28fET6iqD4Zc4I/n
aDa5lnNUEZYjMmW1XPwSa1xRCkZFer1uH03AcSL05nB+QXzuWv24scYBOTy8/zYy
pRhLZ93gK7RAjR/dr85EFS6LC6T+jdK5O/by7UWOVBIe/N3gFrDa0V5v51f7cyq4
LKw+wiWlU/KWeEGxEOrVCSLzB1ksnhCHU+fhNExD2W9sTJG14d1f3EyfwqZeestj
A4N49GgP8UcYotQOl4MJy/bEWJDCUe9v8d+0yTkyGoSHWgvq8zjPFRcl5TnaA/fs
jYQwrWEjI5MQKoqyoRf4CwMUGqZfOmEHNdBQ0biHblML8YVahdPBSCd8qj1/GxoJ
3u12xnO9mXHR1ZwsfCXJpolwJmFDyP/lmxFzZrxuJS9RYDVlXCzEIV1+NKrpacyk
tZCQr2/tQ958eH73OBKChLOYinWjoVaLwALEQsYQJ9qxMiG9vJDVv9WUMi+uMZwh
AoICAQeazA1OfPrBqWcYX9Ju6KlNNIFTCsIPpZws5vxpgDBUvSvIsH3BdPwlnySc
qIMoioH1HX07Q+ti9AUfsDiPj0RDiOLgANTY0feeV7vbUceM4IUgNqAdRweX/jQt
ZqleOIOW9OKopqLJP6sNH2uVycgvb6ckYHyEdEtxfrpC7EFjZWtt6lkB6BZTMgjS
GH7gQceKMXg/6od7oW2WK4zllBV9KZkUzYCcvJACqHQjIJ0agsYlydFX57iIHnRD
dSdjvuUYwhXtEhDKk5dt6ldkK7rl8gEHuQAtc7ZdSPs30i8BPdCkwnHMwimQI5np
yrF827uZop7tqTWY+Upol1hvKpxlMZQJ5Uu1e7pYxj/hcb2PQj+JuDaU1Fg/WZlz
7tBeSdrUimT9feNlKh7TH2QlAY2Dnuneqv9neeScPt0nmKIqOieSfV8mMcmZJXnA
w54zAwws+db4ysIFITFj3QXS6/M1qGnMHF9edgjvod8drir3JtMFbcBePd0cdjLt
QJRdkKrJNp0kyXZJtGU83O5WLShw3yO5kaP307/iPf8rMisqZLzX61RKIpvgncRj
LIafZS4Uw3QVEPiB8kRZ52b6mhH7jAGqTbQPN3mVm4xvnKN0Z8+zOd2Lcf9m+8Mu
S5AbbZEUs/YYECp2ZxZYHZwd28Vz3HodxSm6MGjLeeK7YrH7gwKCAgBm0zD2DvKK
EfDQOk2DpnScdNkuYlRD7WADQfgKg6GheSWIvAi9Dh/Ks3ZIcVAcpQgWQoMlhTie
ZudfSjWxfFwlTAYKfF1kUnlrOACz04ZqsFMzx7Ks1HkvG1KEBTenAetcDPcL1b79
U01tql7T6NIkxwtOR/nr1CvxgJa2wuuLYiUIAyIQYY0c18FkyFii1nJuneGb/Zvf
ctf+S5O+GuSOc+LjDSGIa8RZf5ScxRmKGj6OSrYRGrM7ZoS/psvGQSOJeITN5SNJ
umAA89mfpz8V87HHn520Vo7G9vmm5pQr27Nu1RBQJBXgrhC5fWXBXk/zmnyqskDM
Bcb1h3nppB6dr5263iy+HHMxS/L0m6kCUfxfj6A4d1/fTGbv1tRCtlR9Rq4EJxWr
8n49pbluSvL5XZoJJH2PGjjxNurSpnXVRFFOjpvl73wE/X/bH/Gs8AMtIrpnBRmM
viaX/AOym3DFU2RTgNIt8zmNtqq/NhAuQmYEhodODXtnzzquh4Z4EZmhfzq/do5e
nGTfN4hN7a9ODtP9Gt+w2CBCnE+7OnWo6Asj+wK0H59c2wfSD68d5n+V7U+BHHkN
E8uwIjFNZ+n3LRdH/iY7w4ujgIdZRcQuOMf00a3950mcJM0hz278FuDIipbMFCxG
qrLjqBtCTH9vu/Df2F0JNICD6Ro21WM/YQ==
-----END PRIVATE KEY-----

@ -6,6 +6,7 @@
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <fuzzer/FuzzedDataProvider.h>
@ -24,11 +25,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
std::vector<uint8_t> second_part =
fuzzed_data.ConsumeRemainingBytes<uint8_t>();
bssl::der::Input in1(first_part.data(), first_part.size());
bssl::der::Input in2(second_part.data(), second_part.size());
bssl::der::Input in1(first_part);
bssl::der::Input in2(second_part);
bool match = net::VerifyNameMatch(in1, in2);
bool reverse_order_match = net::VerifyNameMatch(in2, in1);
// Result should be the same regardless of argument order.
CHECK_EQ(match, reverse_order_match);
if (match != reverse_order_match) {
abort();
}
return 0;
}

@ -18,9 +18,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// produce the same output again.
std::string renormalized_der;
bool renormalize_success = net::NormalizeName(
bssl::der::Input(&normalized_der), &renormalized_der, &errors);
CHECK(renormalize_success);
CHECK_EQ(normalized_der, renormalized_der);
bssl::der::Input(normalized_der), &renormalized_der, &errors);
if (!renormalize_success) {
abort();
}
if (normalized_der != renormalized_der) {
abort();
}
}
return 0;
}

@ -71,20 +71,20 @@ class VerifyNameMatchSimpleTest
TEST_P(VerifyNameMatchSimpleTest, ExactEquality) {
std::string der;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix(), &der));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der),
SequenceValueFromString(&der)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der),
SequenceValueFromString(der)));
std::string der_extra_attr;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
&der_extra_attr));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
SequenceValueFromString(&der_extra_attr)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
SequenceValueFromString(der_extra_attr)));
std::string der_extra_rdn;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn",
&der_extra_rdn));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn),
SequenceValueFromString(&der_extra_rdn)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn),
SequenceValueFromString(der_extra_rdn)));
}
// Ensure that a Name does not match another Name which is exactly the same but
@ -95,10 +95,10 @@ TEST_P(VerifyNameMatchSimpleTest, ExtraAttrDoesNotMatch) {
std::string der_extra_attr;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
&der_extra_attr));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
SequenceValueFromString(&der_extra_attr)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
SequenceValueFromString(&der)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
SequenceValueFromString(der_extra_attr)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
SequenceValueFromString(der)));
}
// Ensure that a Name does not match another Name which has the same number of
@ -111,13 +111,13 @@ TEST_P(VerifyNameMatchSimpleTest, DupeAttrDoesNotMatch) {
std::string der_extra_attr;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
&der_extra_attr));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr),
SequenceValueFromString(&der_extra_attr)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
SequenceValueFromString(&der_dupe_attr)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr),
SequenceValueFromString(der_extra_attr)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
SequenceValueFromString(der_dupe_attr)));
// However, the name with a dupe attribute should match itself.
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr),
SequenceValueFromString(&der_dupe_attr)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr),
SequenceValueFromString(der_dupe_attr)));
}
// Ensure that a Name does not match another Name which is exactly the same but
@ -128,10 +128,10 @@ TEST_P(VerifyNameMatchSimpleTest, ExtraRdnDoesNotMatch) {
std::string der_extra_rdn;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn",
&der_extra_rdn));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
SequenceValueFromString(&der_extra_rdn)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn),
SequenceValueFromString(&der)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
SequenceValueFromString(der_extra_rdn)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn),
SequenceValueFromString(der)));
}
// Runs VerifyNameMatchSimpleTest for all combinations of value_type and and
@ -156,11 +156,11 @@ TEST_P(VerifyNameMatchNormalizationTest, CaseInsensitivity) {
std::string case_swap;
ASSERT_TRUE(LoadTestData("ascii", value_type(), "case_swap", &case_swap));
EXPECT_EQ(expected_result(),
VerifyNameMatch(SequenceValueFromString(&normal),
SequenceValueFromString(&case_swap)));
VerifyNameMatch(SequenceValueFromString(normal),
SequenceValueFromString(case_swap)));
EXPECT_EQ(expected_result(),
VerifyNameMatch(SequenceValueFromString(&case_swap),
SequenceValueFromString(&normal)));
VerifyNameMatch(SequenceValueFromString(case_swap),
SequenceValueFromString(normal)));
}
// Verify matching folds whitespace (for the types which currently support
@ -172,11 +172,11 @@ TEST_P(VerifyNameMatchNormalizationTest, CollapseWhitespace) {
ASSERT_TRUE(
LoadTestData("ascii", value_type(), "extra_whitespace", &whitespace));
EXPECT_EQ(expected_result(),
VerifyNameMatch(SequenceValueFromString(&normal),
SequenceValueFromString(&whitespace)));
VerifyNameMatch(SequenceValueFromString(normal),
SequenceValueFromString(whitespace)));
EXPECT_EQ(expected_result(),
VerifyNameMatch(SequenceValueFromString(&whitespace),
SequenceValueFromString(&normal)));
VerifyNameMatch(SequenceValueFromString(whitespace),
SequenceValueFromString(normal)));
}
// Runs VerifyNameMatchNormalizationTest for each (expected_result, value_type)
@ -207,11 +207,11 @@ TEST_P(VerifyNameMatchDifferingTypesTest, NormalizableTypesAreEqual) {
std::string der_2;
ASSERT_TRUE(LoadTestData("ascii", value_type_2(), "unmangled", &der_2));
if (TypesAreComparable(value_type_1(), value_type_2())) {
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1),
SequenceValueFromString(&der_2)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1),
SequenceValueFromString(der_2)));
} else {
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_1),
SequenceValueFromString(&der_2)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_1),
SequenceValueFromString(der_2)));
}
}
@ -234,37 +234,37 @@ TEST_P(VerifyNameMatchDifferingTypesTest, NormalizableTypesInSubtrees) {
&der_2_extra_attr));
if (TypesAreComparable(value_type_1(), value_type_2())) {
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
SequenceValueFromString(&der_2)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
SequenceValueFromString(&der_1)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn),
SequenceValueFromString(&der_2)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn),
SequenceValueFromString(&der_1)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1),
SequenceValueFromString(der_2)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2),
SequenceValueFromString(der_1)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn),
SequenceValueFromString(der_2)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn),
SequenceValueFromString(der_1)));
} else {
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
SequenceValueFromString(&der_2)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
SequenceValueFromString(&der_1)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn),
SequenceValueFromString(&der_2)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn),
SequenceValueFromString(&der_1)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
SequenceValueFromString(der_2)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
SequenceValueFromString(der_1)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn),
SequenceValueFromString(der_2)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn),
SequenceValueFromString(der_1)));
}
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
SequenceValueFromString(&der_2_extra_rdn)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
SequenceValueFromString(&der_1_extra_rdn)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_attr),
SequenceValueFromString(&der_2)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_attr),
SequenceValueFromString(&der_1)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
SequenceValueFromString(&der_2_extra_attr)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
SequenceValueFromString(&der_1_extra_attr)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
SequenceValueFromString(der_2_extra_rdn)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
SequenceValueFromString(der_1_extra_rdn)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_attr),
SequenceValueFromString(der_2)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_attr),
SequenceValueFromString(der_1)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
SequenceValueFromString(der_2_extra_attr)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
SequenceValueFromString(der_1_extra_attr)));
}
// Runs VerifyNameMatchDifferingTypesTest for all combinations of value types in
@ -293,8 +293,8 @@ TEST_P(VerifyNameMatchUnicodeConversionTest, UnicodeConversionsAreEqual) {
ASSERT_TRUE(LoadTestData(prefix(), value_type_1(), "unmangled", &der_1));
std::string der_2;
ASSERT_TRUE(LoadTestData(prefix(), value_type_2(), "unmangled", &der_2));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1),
SequenceValueFromString(&der_2)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1),
SequenceValueFromString(der_2)));
}
// Runs VerifyNameMatchUnicodeConversionTest with prefix="unicode_bmp" for all
@ -351,12 +351,12 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidPrintableStringChars) {
}
der.replace(replace_location, 1, 1, c);
// Verification should fail due to the invalid character.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
SequenceValueFromString(&der)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
SequenceValueFromString(der)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(
NormalizeName(SequenceValueFromString(&der), &normalized_der, &errors));
NormalizeName(SequenceValueFromString(der), &normalized_der, &errors));
}
}
@ -371,11 +371,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidIA5StringChars) {
SCOPED_TRACE(c);
der.replace(replace_location, 1, 1, c);
bool expected_result = (c <= 127);
EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(&der),
SequenceValueFromString(&der)));
EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(der),
SequenceValueFromString(der)));
std::string normalized_der;
CertErrors errors;
EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(&der),
EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(der),
&normalized_der, &errors));
}
}
@ -386,11 +386,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueExtraData) {
LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid));
// Verification should fail due to extra element in AttributeTypeAndValue
// sequence.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -400,11 +400,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueShort) {
&invalid));
// Verification should fail due to AttributeTypeAndValue sequence having only
// one element.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -413,11 +413,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueEmpty) {
ASSERT_TRUE(
LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid));
// Verification should fail due to empty AttributeTypeAndValue sequence.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -426,11 +426,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnBadAttributeType) {
ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue",
"badAttributeType", &invalid));
// Verification should fail due to Attribute Type not being an OID.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -440,11 +440,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueNotSequence) {
&invalid));
// Verification should fail due to AttributeTypeAndValue being a Set instead
// of a Sequence.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -452,11 +452,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnRdnNotSet) {
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid));
// Verification should fail due to RDN being a Sequence instead of a Set.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -464,11 +464,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnEmptyRdn) {
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
// Verification should fail due to RDN having zero AttributeTypeAndValues.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -484,11 +484,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnBmpStringSurrogates) {
std::string invalid =
normal.replace(replace_location, 4, std::string("\xd8\x35\xdc\x00", 4));
// Verification should fail due to the invalid codepoints.
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@ -496,23 +496,23 @@ TEST(VerifyNameMatchTest, EmptyNameMatching) {
std::string empty;
ASSERT_TRUE(LoadTestData("valid", "Name", "empty", &empty));
// Empty names are equal.
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&empty),
SequenceValueFromString(&empty)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(empty),
SequenceValueFromString(empty)));
// An empty name normalized is unchanged.
std::string normalized_empty_der;
CertErrors errors;
EXPECT_TRUE(NormalizeName(SequenceValueFromString(&empty),
EXPECT_TRUE(NormalizeName(SequenceValueFromString(empty),
&normalized_empty_der, &errors));
EXPECT_EQ(SequenceValueFromString(&empty), der::Input(&normalized_empty_der));
EXPECT_EQ(SequenceValueFromString(empty), der::Input(normalized_empty_der));
// An empty name is not equal to non-empty name.
std::string non_empty;
ASSERT_TRUE(
LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&empty),
SequenceValueFromString(&non_empty)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&non_empty),
SequenceValueFromString(&empty)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(empty),
SequenceValueFromString(non_empty)));
EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(non_empty),
SequenceValueFromString(empty)));
}
// Matching should succeed when the RDNs are sorted differently but are still
@ -522,10 +522,10 @@ TEST(VerifyNameMatchRDNSorting, Simple) {
ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_1", &a));
std::string b;
ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_2", &b));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a),
SequenceValueFromString(&b)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b),
SequenceValueFromString(&a)));
EXPECT_TRUE(
VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b)));
EXPECT_TRUE(
VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a)));
}
// Matching should succeed when the RDNs are sorted differently but are still
@ -536,10 +536,10 @@ TEST(VerifyNameMatchRDNSorting, DuplicateTypes) {
ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_1", &a));
std::string b;
ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_2", &b));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a),
SequenceValueFromString(&b)));
EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b),
SequenceValueFromString(&a)));
EXPECT_TRUE(
VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b)));
EXPECT_TRUE(
VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a)));
}
TEST(VerifyNameInSubtreeInvalidDataTest, FailOnEmptyRdn) {
@ -549,12 +549,12 @@ TEST(VerifyNameInSubtreeInvalidDataTest, FailOnEmptyRdn) {
ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
// For both |name| and |parent|, a RelativeDistinguishedName must have at
// least one AttributeTypeAndValue.
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&valid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid),
SequenceValueFromString(&valid)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid),
SequenceValueFromString(&invalid)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(valid),
SequenceValueFromString(invalid)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid),
SequenceValueFromString(valid)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid),
SequenceValueFromString(invalid)));
}
TEST(VerifyNameInSubtreeTest, EmptyNameMatching) {
@ -564,14 +564,14 @@ TEST(VerifyNameInSubtreeTest, EmptyNameMatching) {
ASSERT_TRUE(
LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty));
// Empty name is in the subtree defined by empty name.
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&empty),
SequenceValueFromString(&empty)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(empty),
SequenceValueFromString(empty)));
// Any non-empty name is in the subtree defined by empty name.
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&non_empty),
SequenceValueFromString(&empty)));
EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(non_empty),
SequenceValueFromString(empty)));
// Empty name is not in the subtree defined by non-empty name.
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&empty),
SequenceValueFromString(&non_empty)));
EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(empty),
SequenceValueFromString(non_empty)));
}
// Verify that the normalized output matches the pre-generated expected value
@ -587,14 +587,14 @@ TEST(NameNormalizationTest, TestEverything) {
ASSERT_TRUE(LoadTestData("unicode", "mixed", "unnormalized", &raw_der));
std::string normalized_der;
CertErrors errors;
ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der,
ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der,
&errors));
EXPECT_EQ(SequenceValueFromString(&expected_normalized_der),
der::Input(&normalized_der));
EXPECT_EQ(SequenceValueFromString(expected_normalized_der),
der::Input(normalized_der));
// Re-normalizing an already normalized Name should not change it.
std::string renormalized_der;
ASSERT_TRUE(
NormalizeName(der::Input(&normalized_der), &renormalized_der, &errors));
NormalizeName(der::Input(normalized_der), &renormalized_der, &errors));
EXPECT_EQ(normalized_der, renormalized_der);
}
@ -605,9 +605,9 @@ TEST(NameNormalizationTest, NormalizeCustom) {
std::string normalized_der;
CertErrors errors;
ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der,
ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der,
&errors));
EXPECT_EQ(SequenceValueFromString(&raw_der), der::Input(&normalized_der));
EXPECT_EQ(SequenceValueFromString(raw_der), der::Input(normalized_der));
}
} // namespace net

@ -24,12 +24,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
std::vector<uint8_t> second_part =
fuzzed_data.ConsumeRemainingBytes<uint8_t>();
bssl::der::Input in1(first_part.data(), first_part.size());
bssl::der::Input in2(second_part.data(), second_part.size());
bssl::der::Input in1(first_part);
bssl::der::Input in2(second_part);
bool match = net::VerifyNameInSubtree(in1, in2);
bool reverse_order_match = net::VerifyNameInSubtree(in2, in1);
// If both InSubtree matches are true, then in1 == in2 (modulo normalization).
if (match && reverse_order_match)
CHECK(net::VerifyNameMatch(in1, in2));
if (match && reverse_order_match) {
if (!net::VerifyNameMatch(in1, in2)) {
abort();
}
}
return 0;
}

@ -55,10 +55,10 @@ void RunTestCase(VerifyResult expected_result,
ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings));
std::optional<SignatureAlgorithm> signature_algorithm =
ParseSignatureAlgorithm(der::Input(&algorithm));
ParseSignatureAlgorithm(der::Input(algorithm));
ASSERT_TRUE(signature_algorithm);
der::Parser signature_value_parser((der::Input(&signature_value)));
der::Parser signature_value_parser((der::Input(signature_value)));
std::optional<der::BitString> signature_value_bit_string =
signature_value_parser.ReadBitString();
ASSERT_TRUE(signature_value_bit_string.has_value())
@ -66,9 +66,9 @@ void RunTestCase(VerifyResult expected_result,
bool expected_result_bool = expected_result == SUCCESS;
bool result = VerifySignedData(*signature_algorithm, der::Input(&signed_data),
bool result = VerifySignedData(*signature_algorithm, der::Input(signed_data),
signature_value_bit_string.value(),
der::Input(&public_key), cache);
der::Input(public_key), cache);
EXPECT_EQ(expected_result_bool, result);
}

Loading…
Cancel
Save