Sync pki to chromium 8049b24a3fa617e66c5d3fc0e9322bb07c500f49

Change-Id: Ib65febca30ce312f2c8fd6d6dbc85f24987b50d8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62245 Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
1 year ago · 2e1191725f
parent dbd143c247
commit 2e1191725f
42 changed files with 1351 additions and 691 deletions
--- a/pki/cert_net_fetcher.h
+++ b/pki/cert_net_fetcher.h
@ -1,98 +0,0 @@
 // Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #ifndef BSSL_PKI_CERT_NET_FETCHER_H_
 #define BSSL_PKI_CERT_NET_FETCHER_H_
 #include "webutil/url/url.h"
 #include "fillins/openssl_util.h"
 #include <stdint.h>
 #include <memory>
 #include <vector>
 #include <memory>
 #include "fillins/log.h"
 #include "fillins/net_errors.h"
 class URL;
 namespace bssl {
 // CertNetFetcher is a synchronous interface for fetching AIA URLs and CRL
 // URLs. It is shared between a caller thread (which starts and waits for
 // fetches), and a network thread (which does the actual fetches). It can be
 // shutdown from the network thread to cancel outstanding requests.
 //
 // A Request object is returned when starting a fetch. The consumer can
 // use this as a handle for aborting the request (by freeing it), or reading
 // the result of the request (WaitForResult)
 class OPENSSL_EXPORT CertNetFetcher
     {
 public:
  class Request {
   public:
    virtual ~Request() = default;
    // WaitForResult() can be called at most once.
    //
    // It will block and wait for the (network) request to complete, and
    // then write the result into the provided out-parameters.
    virtual void WaitForResult(Error* error, std::vector<uint8_t>* bytes) = 0;
  };
  // This value can be used in place of timeout or max size limits.
  enum { DEFAULT = -1 };
  CertNetFetcher() = default;
  CertNetFetcher(const CertNetFetcher&) = delete;
  CertNetFetcher& operator=(const CertNetFetcher&) = delete;
  // Shuts down the CertNetFetcher and cancels outstanding network requests. It
  // is not guaranteed that any outstanding or subsequent
  // Request::WaitForResult() calls will be completed. Shutdown() must be called
  // from the network thread. It can be called more than once, but must be
  // called before the CertNetFetcher is destroyed.
  virtual void Shutdown() = 0;
  // The Fetch*() methods start a request which can be cancelled by
  // deleting the returned Request. Here is the meaning of the common
  // parameters:
  //
  //   * url -- The http:// URL to fetch.
  //   * timeout_seconds -- The maximum allowed duration for the fetch job. If
  //         this delay is exceeded then the request will fail. To use a default
  //         timeout pass DEFAULT.
  //   * max_response_bytes -- The maximum size of the response body. If this
  //     size is exceeded then the request will fail. To use a default timeout
  //     pass DEFAULT.
  [[nodiscard]] virtual std::unique_ptr<Request> FetchCaIssuers(
      const URL& url,
      int timeout_milliseconds,
      int max_response_bytes) = 0;
  [[nodiscard]] virtual std::unique_ptr<Request> FetchCrl(
      const URL& url,
      int timeout_milliseconds,
      int max_response_bytes) = 0;
  [[nodiscard]] virtual std::unique_ptr<Request> FetchOcsp(
      const URL& url,
      int timeout_milliseconds,
      int max_response_bytes) = 0;
 protected:
  virtual ~CertNetFetcher() = default;
 private:
 };
 }  // namespace net
 #endif  // BSSL_PKI_CERT_NET_FETCHER_H_
--- a/pki/certificate_policies_unittest.cc
+++ b/pki/certificate_policies_unittest.cc
@ -44,7 +44,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, InvalidEmpty) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
 }
@ -54,7 +54,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, InvalidIdentifierNotOid) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
 }
@ -64,7 +64,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, AnyPolicy) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
  ASSERT_EQ(1U, policies.size());
  EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]);
@ -76,7 +76,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, AnyPolicyWithQualifier) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
  ASSERT_EQ(1U, policies.size());
  EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]);
@ -90,7 +90,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
 }
@ -100,7 +100,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, OnePolicy) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
  ASSERT_EQ(1U, policies.size());
  EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -112,7 +112,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, OnePolicyWithQualifier) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
  ASSERT_EQ(1U, policies.size());
  EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -125,7 +125,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
  std::vector<der::Input> policies;
  CertErrors errors;
  bool result = ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors);
  if (fail_parsing_unknown_qualifier_oids()) {
@ -144,7 +144,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
 }
@ -156,7 +156,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
 }
@ -168,7 +168,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
 }
@ -180,7 +180,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest,
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
 }
@ -190,7 +190,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, TwoPolicies) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
  ASSERT_EQ(2U, policies.size());
  EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -203,7 +203,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, TwoPoliciesWithQualifiers) {
  std::vector<der::Input> policies;
  CertErrors errors;
  EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
-      der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+      der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
      &errors));
  ASSERT_EQ(2U, policies.size());
  EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@ -216,7 +216,7 @@ TEST(ParseCertificatePoliciesExtensionTest, InvalidEmpty) {
  std::vector<PolicyInformation> policies;
  CertErrors errors;
  EXPECT_FALSE(
-      ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+      ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
 }
 TEST(ParseCertificatePoliciesExtensionTest,
@ -226,7 +226,7 @@ TEST(ParseCertificatePoliciesExtensionTest,
  std::vector<PolicyInformation> policies;
  CertErrors errors;
  EXPECT_FALSE(
-      ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+      ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
 }
 TEST(ParseCertificatePoliciesExtensionTest, OnePolicyWithCustomQualifier) {
@ -235,7 +235,7 @@ TEST(ParseCertificatePoliciesExtensionTest, OnePolicyWithCustomQualifier) {
  std::vector<PolicyInformation> policies;
  CertErrors errors;
  EXPECT_TRUE(
-      ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+      ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
  ASSERT_EQ(1U, policies.size());
  PolicyInformation& policy = policies[0];
  EXPECT_EQ(der::Input(policy_1_2_3_der), policy.policy_oid);
@ -256,7 +256,7 @@ TEST(ParseCertificatePoliciesExtensionTest, TwoPolicies) {
  std::vector<PolicyInformation> policies;
  CertErrors errors;
  EXPECT_TRUE(
-      ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+      ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
  ASSERT_EQ(2U, policies.size());
  {
    PolicyInformation& policy = policies[0];
@ -276,7 +276,7 @@ TEST(ParseCertificatePoliciesExtensionTest, TwoPoliciesWithQualifiers) {
  std::vector<PolicyInformation> policies;
  CertErrors errors;
  EXPECT_TRUE(
-      ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+      ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
  ASSERT_EQ(2U, policies.size());
  {
    PolicyInformation& policy = policies[0];
--- a/pki/crl.cc
+++ b/pki/crl.cc
@ -467,8 +467,9 @@ CRLRevocationStatus CheckCRL(std::string_view raw_crl,
  std::string normalized_crl_issuer;
  if (!NormalizeNameTLV(tbs_cert_list.issuer_tlv, &normalized_crl_issuer))
    return CRLRevocationStatus::UNKNOWN;
-  if (der::Input(&normalized_crl_issuer) != target_cert->normalized_issuer())
+  if (der::Input(normalized_crl_issuer) != target_cert->normalized_issuer()) {
    return CRLRevocationStatus::UNKNOWN;
  }
  if (tbs_cert_list.crl_extensions_tlv.has_value()) {
    std::map<der::Input, ParsedExtension> extensions;
@ -584,8 +585,10 @@ CRLRevocationStatus CheckCRL(std::string_view raw_crl,
    //
    // As the |issuer_cert| is from the already validated chain, it is already
    // known to chain to the same trust anchor as the target certificate.
-    if (der::Input(&normalized_crl_issuer) != issuer_cert->normalized_subject())
+    if (der::Input(normalized_crl_issuer) !=
        issuer_cert->normalized_subject()) {
      continue;
    }
    // 6.3.3 (f) If a key usage extension is present in the CRL issuer's
    //           certificate, verify that the cRLSign bit is set.
--- a/pki/fillins/log.h
+++ b/pki/fillins/log.h
@ -17,8 +17,10 @@
 #if defined(_BORINGSSL_LIBPKI_VERBOSE_)
 #define DVLOG(l) std::cerr
 #define LOG(l) std::cerr
 #else
 #define DVLOG(l) 0 && std::cerr
 #define LOG(l) 0 && std::cerr
 #endif  // _BORINGSSL_LIBPKI_VERBOSE_
 #endif  // BSSL_FILLINS_LOG_H_
--- a/pki/general_names_unittest.cc
+++ b/pki/general_names_unittest.cc
@ -44,7 +44,7 @@ TEST(GeneralNames, CreateFailsOnEmptySubjectAltName) {
  ASSERT_TRUE(
      LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der));
  CertErrors errors;
-  EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors));
+  EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors));
 }
 TEST(GeneralNames, OtherName) {
@ -53,7 +53,7 @@ TEST(GeneralNames, OtherName) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_OTHER_NAME, general_names->present_name_types);
  const uint8_t expected_der[] = {0x06, 0x04, 0x2a, 0x03, 0x04, 0x05,
@ -68,7 +68,7 @@ TEST(GeneralNames, RFC822Name) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->rfc822_names.size());
@ -80,7 +80,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiRFC822Name) {
  ASSERT_TRUE(LoadTestSubjectAltNameData("san-rfc822name.pem", &san_der));
  ReplaceFirstSubstring(&san_der, "foo@example.com", "f\xF6\xF6@example.com");
  CertErrors errors;
-  EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
+  EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
 }
 TEST(GeneralNames, DnsName) {
@ -89,7 +89,7 @@ TEST(GeneralNames, DnsName) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_DNS_NAME, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->dns_names.size());
@ -101,7 +101,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiDnsName) {
  ASSERT_TRUE(LoadTestSubjectAltNameData("san-dnsname.pem", &san_der));
  ReplaceFirstSubstring(&san_der, "foo.example.com", "f\xF6\xF6.example.com");
  CertErrors errors;
-  EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
+  EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
 }
 TEST(GeneralNames, X400Address) {
@ -110,7 +110,7 @@ TEST(GeneralNames, X400Address) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->x400_addresses.size());
@ -125,7 +125,7 @@ TEST(GeneralNames, DirectoryName) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->directory_names.size());
@ -140,7 +140,7 @@ TEST(GeneralNames, EDIPartyName) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->edi_party_names.size());
@ -154,7 +154,7 @@ TEST(GeneralNames, URI) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
            general_names->present_name_types);
@ -169,7 +169,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiURI) {
  ReplaceFirstSubstring(&san_der, "http://example.com",
                        "http://ex\xE4mple.com");
  CertErrors errors;
-  EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
+  EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
 }
 TEST(GeneralNames, IPAddress_v4) {
@ -178,7 +178,7 @@ TEST(GeneralNames, IPAddress_v4) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->ip_addresses.size());
@ -192,7 +192,7 @@ TEST(GeneralNames, IPAddress_v6) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->ip_addresses.size());
@ -207,7 +207,7 @@ TEST(GeneralNames, CreateFailsOnInvalidLengthIpAddress) {
  ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem",
                                         &invalid_san_der));
  CertErrors errors;
-  EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors));
+  EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors));
 }
 TEST(GeneralNames, RegisteredIDs) {
@ -216,7 +216,7 @@ TEST(GeneralNames, RegisteredIDs) {
  CertErrors errors;
  std::unique_ptr<GeneralNames> general_names =
-      GeneralNames::Create(der::Input(&san_der), &errors);
+      GeneralNames::Create(der::Input(san_der), &errors);
  ASSERT_TRUE(general_names);
  EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, general_names->present_name_types);
  ASSERT_EQ(1U, general_names->registered_ids.size());
--- a/pki/import_spec.json
+++ b/pki/import_spec.json
@ -244,7 +244,6 @@
    "files": [
    "net/cert/asn1_util.h",
    "net/cert/asn1_util.cc",
    "net/cert/cert_net_fetcher.h",
    "net/cert/cert_status_flags.h",
    "net/cert/cert_status_flags_list.h",
    "net/cert/cert_verify_proc_blocklist.inc",
--- a/pki/input.cc
+++ b/pki/input.cc
@ -10,21 +10,17 @@
 namespace bssl::der {
 Input::Input(std::string_view in)
    : data_(reinterpret_cast<const uint8_t*>(in.data())), len_(in.length()) {}
 Input::Input(const std::string* s) : Input(std::string_view(*s)) {}
 std::string Input::AsString() const {
-  return std::string(reinterpret_cast<const char*>(data_), len_);
+  return std::string(reinterpret_cast<const char*>(data_.data()), data_.size());
 }
 std::string_view Input::AsStringView() const {
-  return std::string_view(reinterpret_cast<const char*>(data_), len_);
+  return std::string_view(reinterpret_cast<const char*>(data_.data()),
                          data_.size());
 }
 bssl::Span<const uint8_t> Input::AsSpan() const {
-  return bssl::MakeSpan(data_, len_);
+  return data_;
 }
 bool operator==(const Input& lhs, const Input& rhs) {
--- a/pki/input.h
+++ b/pki/input.h
@ -10,9 +10,10 @@
 #include <stdint.h>
 #include <string>
 #include <string_view>
 #include <openssl/span.h>
 #include <openssl/span.h>
 namespace bssl::der {
@ -31,30 +32,30 @@ class OPENSSL_EXPORT Input {
  // Creates an empty Input, one from which no data can be read.
  constexpr Input() = default;
-  // Creates an Input from a constant array |data|.
+  // Creates an Input from a span. The constructed Input is only valid as long
-  template <size_t N>
+  // as |data| points to live memory. If constructed from, say, a
-  constexpr explicit Input(const uint8_t (&data)[N]) : data_(data), len_(N) {}
+  // |std::vector<uint8_t>|, mutating the vector will invalidate the Input.
  constexpr explicit Input(bssl::Span<const uint8_t> data) : data_(data) {}
  // Creates an Input from the given |data| and |len|.
  constexpr explicit Input(const uint8_t* data, size_t len)
-      : data_(data), len_(len) {}
+      : data_(bssl::MakeConstSpan(data, len)) {}
  // Creates an Input from a std::string_view
  explicit Input(std::string_view sp);
-  // Creates an Input from a std::string. The lifetimes are a bit subtle when
+  // Creates an Input from a std::string_view. The constructed Input is only
-  // using this function: The constructed Input is only valid so long as |s| is
+  // valid as long as |data| points to live memory. If constructed from, say, a
-  // still alive and not mutated.
+  // |std::string|, mutating the vector will invalidate the Input.
-  explicit Input(const std::string* s);
+  explicit Input(std::string_view str)
      : data_(bssl::MakeConstSpan(reinterpret_cast<const uint8_t*>(str.data()),
                                  str.size())) {}
  // Returns the length in bytes of an Input's data.
-  constexpr size_t Length() const { return len_; }
+  constexpr size_t Length() const { return data_.size(); }
  // Returns a pointer to the Input's data. This method is marked as "unsafe"
  // because access to the Input's data should be done through ByteReader
  // instead. This method should only be used where using a ByteReader truly
  // is not an option.
-  constexpr const uint8_t* UnsafeData() const { return data_; }
+  constexpr const uint8_t* UnsafeData() const { return data_.data(); }
  // Returns a copy of the data represented by this object as a std::string.
  std::string AsString() const;
@ -64,21 +65,13 @@ class OPENSSL_EXPORT Input {
  // this Input.
  std::string_view AsStringView() const;
-  // Returns a bssl::Span pointing to the same data as the Input. The resulting
+  // Returns a span pointing to the same data as the Input. The resulting span
-  // bssl::Span must not outlive the data that was used to construct this
+  // must not outlive the data that was used to construct this Input.
  // Input.
  bssl::Span<const uint8_t> AsSpan() const;
 private:
-  // This constructor is deleted to prevent constructing an Input from a
+  // TODO(crbug.com/770501): Replace this type with span altogether.
-  // std::string r-value. Since the Input points to memory owned by another
+  bssl::Span<const uint8_t> data_;
  // object, such an Input would point to invalid memory. Without this deleted
  // constructor, a std::string could be passed in to the std::string_view
  // constructor because of std::string_view's implicit constructor.
  Input(std::string) = delete;
  const uint8_t* data_ = nullptr;
  size_t len_ = 0;
 };
 // Return true if |lhs|'s data and |rhs|'s data are byte-wise equal.
--- a/pki/name_constraints.cc
+++ b/pki/name_constraints.cc
@ -653,19 +653,26 @@ bool NameConstraints::IsPermittedDirectoryName(
 }
 bool NameConstraints::IsPermittedIP(const fillins::IPAddress& ip) const {
  // fillins::IPAddressMatchesPrefix internally maps v4 addresses to/from v6 on type
  // mismatch. We don't wish to do this, so check the sizes match first.
  for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) {
-    if (fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second))
+    if (ip.size() == excluded_ip.first.size() &&
        fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) {
      return false;
    }
  }
  // If permitted subtrees are not constrained, any name that is not excluded is
  // allowed.
-  if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS))
+  if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS)) {
    return true;
  }
  for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) {
-    if (fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second))
+    if (ip.size() == permitted_ip.first.size() &&
        fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) {
      return true;
    }
  }
  return false;
--- a/pki/name_constraints_unittest.cc
+++ b/pki/name_constraints_unittest.cc
@ -10,7 +10,6 @@
 #include "common_cert_errors.h"
 #include "test_helpers.h"
 #include <gtest/gtest.h>
 #include <gtest/gtest.h>
 namespace bssl {
 namespace {
@ -49,12 +48,14 @@ namespace {
    std::string* result_der) {
  ::testing::AssertionResult load_result =
      LoadTestSubjectAltNameData(basename, result_der);
-  if (!load_result)
+  if (!load_result) {
    return load_result;
  }
  CertErrors errors;
-  *result = GeneralNames::Create(der::Input(result_der), &errors);
+  *result = GeneralNames::Create(der::Input(*result_der), &errors);
-  if (!*result)
+  if (!*result) {
    return ::testing::AssertionFailure() << "Create failed";
  }
  return ::testing::AssertionSuccess();
 }
@ -92,7 +93,7 @@ TEST_P(ParseNameConstraints, DNSNames) {
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
@ -181,7 +182,7 @@ TEST_P(ParseNameConstraints,
  ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // Matches permitted exactly.
@ -212,7 +213,7 @@ TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
      LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // A permitted dNSName constraint of ".bar.com" should only match subdomains
@ -230,7 +231,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
      LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // An excluded dNSName constraint of ".bar.com" should only match subdomains
@ -247,7 +248,7 @@ TEST_P(ParseNameConstraints, DNSNamesPermittedTwoDot) {
  ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // A dNSName constraint of ".." isn't meaningful. Shouldn't match anything.
@ -263,7 +264,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // Only "excluded.permitted.example.com" is excluded, and since permitted is
@ -283,7 +284,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // "permitted.example.com" is in the permitted section, but since "" is
@ -301,7 +302,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // "." is excluded, which should match nothing.
@ -320,7 +321,7 @@ TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
  a.replace(replace_location, 1, 1, -1);
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+  EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
 }
 TEST_P(ParseNameConstraints, DirectoryNames) {
@ -347,49 +348,49 @@ TEST_P(ParseNameConstraints, DirectoryNames) {
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // Not in any permitted subtree.
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_ca)));
+      SequenceValueFromString(name_ca)));
  // Within the permitted C=US subtree.
  EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us)));
+      SequenceValueFromString(name_us)));
  // Within the permitted C=US subtree.
  EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us_az)));
+      SequenceValueFromString(name_us_az)));
  // Within the permitted C=US subtree, however the excluded C=US,ST=California
  // subtree takes priority.
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us_ca)));
+      SequenceValueFromString(name_us_ca)));
  // Within the permitted C=US subtree as well as the permitted
  // C=US,ST=California,L=Mountain View subtree, however the excluded
  // C=US,ST=California subtree still takes priority.
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us_ca_mountain_view)));
+      SequenceValueFromString(name_us_ca_mountain_view)));
  // Not in any permitted subtree, and also inside the extraneous excluded C=DE
  // subtree.
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_de)));
+      SequenceValueFromString(name_de)));
  // Not in any permitted subtree.
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_jp)));
+      SequenceValueFromString(name_jp)));
  // Within the permitted C=JP,ST=Tokyo subtree.
  EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_jp_tokyo)));
+      SequenceValueFromString(name_jp_tokyo)));
  EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
            name_constraints->constrained_name_types());
  // Within the permitted C=US subtree.
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name_us),
+                              SequenceValueFromString(name_us),
                              nullptr /* subject_alt_names */));
  // Within the permitted C=US subtree, however the excluded C=US,ST=California
  // subtree takes priority.
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name_us_ca),
+                               SequenceValueFromString(name_us_ca),
                               nullptr /* subject_alt_names */));
  std::string san_der;
@ -417,7 +418,7 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
      LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name_empty;
@ -433,13 +434,13 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
  // Only "C=US,ST=California" is excluded, and since permitted is empty,
  // any directoryName outside that is allowed.
  EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_empty)));
+      SequenceValueFromString(name_empty)));
  EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us)));
+      SequenceValueFromString(name_us)));
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us_ca)));
+      SequenceValueFromString(name_us_ca)));
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us_ca_mountain_view)));
+      SequenceValueFromString(name_us_ca_mountain_view)));
 }
 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
@ -448,7 +449,7 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
      LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name_empty;
@ -466,22 +467,22 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
  // "C=US" is in the permitted section, but since an empty
  // directoryName is excluded, nothing is permitted.
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_empty)));
+      SequenceValueFromString(name_empty)));
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us)));
+      SequenceValueFromString(name_us)));
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_us_ca)));
+      SequenceValueFromString(name_us_ca)));
  EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
-      SequenceValueFromString(&name_jp)));
+      SequenceValueFromString(name_jp)));
 }
-TEST_P(ParseNameConstraints, IPAdresses) {
+TEST_P(ParseNameConstraints, IPAddresses) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // IPv4 tests:
@ -597,13 +598,13 @@ TEST_P(ParseNameConstraints, IPAdresses) {
      IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
 }
-TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
+TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
@ -614,13 +615,13 @@ TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
      fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
 }
-TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
+TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // 192.168.0.0/255.255.0.0 and
@ -634,13 +635,13 @@ TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
      fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
 }
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -651,13 +652,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
  EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
 }
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -669,13 +670,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
  EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
 }
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -686,13 +687,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
      name_constraints->IsPermittedIP(fillins::IPAddress(0xFF, 0xFF, 0xFF, 0xFF)));
 }
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
-      NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@ -700,32 +701,65 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
  EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
 }
-TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) {
+TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+  EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
 }
-TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) {
+TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidMaskNotContiguous) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint(
      "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+  EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(LoadTestNameConstraint(
      "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+  EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(LoadTestNameConstraint(
      "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+  EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(LoadTestNameConstraint(
      "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+  EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
 }
 // Test that v4/v6 mapping is not applied when evaluating name constraints.
 TEST_P(ParseNameConstraints, IPAddressesMapped) {
  std::string a;
  ASSERT_TRUE(LoadTestNameConstraint("ipaddress-mapped_addrs.pem", &a));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(
      NameConstraints::Create(der::Input(a), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  // 192.168.1.0/24 is a permitted subtree.
  EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 0)));
  // This does not cover ::ffff:192.168.1.0.
  EXPECT_FALSE(name_constraints->IsPermittedIP(
      fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0)));
  // 192.168.1.1 is excluded.
  EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
  // ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
  EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
  // ::ffff:192.168.2.0/120 is a permitted subtree.
  EXPECT_TRUE(name_constraints->IsPermittedIP(
      fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0)));
  // This does not cover 192.168.2.0.
  EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 2, 0)));
  // ::ffff:192.168.2.1 is excluded.
  EXPECT_FALSE(name_constraints->IsPermittedIP(
      fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1)));
  // 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
  EXPECT_TRUE(name_constraints->IsPermittedIP(
      fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2)));
 }
 TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
@ -734,7 +768,7 @@ TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
      LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -757,7 +791,7 @@ TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
      LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -780,7 +814,7 @@ TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
      LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -842,7 +876,7 @@ TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
      LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -892,7 +926,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameInPermitted) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -951,7 +985,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameInExcluded) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1000,7 +1034,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInPermitted) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1050,7 +1084,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInExcluded) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1100,7 +1134,7 @@ TEST_P(ParseNameConstraints, Rfc822NameSubdomainInPermitted) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1138,7 +1172,7 @@ TEST_P(ParseNameConstraints, Rfc822NameSubdomainInExcluded) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1177,7 +1211,7 @@ TEST_P(ParseNameConstraints, Rfc822NameEmptyPermitted) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1202,7 +1236,7 @@ TEST_P(ParseNameConstraints, Rfc822NameEmptyExcluded) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1227,7 +1261,7 @@ TEST_P(ParseNameConstraints, Rfc822NameIPv4Permitted) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1257,7 +1291,7 @@ TEST_P(ParseNameConstraints, Rfc822NameIPv4Excluded) {
      LoadTestNameConstraint("rfc822name-excluded-ipv4.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@ -1288,7 +1322,7 @@ TEST_P(ParseNameConstraints, QuotedRfc822SanWithNoRfc822Constraints) {
      LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string san_der;
@ -1306,7 +1340,7 @@ TEST_P(ParseNameConstraints, QuotedRfc822SanMatchesQuotedPermitted) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string san_der;
@ -1325,7 +1359,7 @@ TEST_P(ParseNameConstraints, UnquotedRfc822SanNotMatchingQuotedExcluded) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string san_der;
@ -1345,7 +1379,7 @@ TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
      LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1368,7 +1402,7 @@ TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
      LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1391,7 +1425,7 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
      LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1414,7 +1448,7 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
      LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1436,7 +1470,7 @@ TEST_P(ParseNameConstraints, URIsInPermitted) {
  ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1458,7 +1492,7 @@ TEST_P(ParseNameConstraints, URIsInExcluded) {
  ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1481,7 +1515,7 @@ TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
      LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1504,7 +1538,7 @@ TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
      LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  if (is_critical()) {
@ -1530,7 +1564,7 @@ TEST_P(ParseNameConstraints,
  // could be changed to allowed if there are buggy encoders out there that
  // include it anyway.
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1539,7 +1573,7 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
  ASSERT_TRUE(
      LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1549,7 +1583,7 @@ TEST_P(ParseNameConstraints,
  ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
                                     &constraints_der));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1558,7 +1592,7 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
  ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
                                     &constraints_der));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1566,14 +1600,14 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
  std::string constraints_der;
  ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
  std::string constraints_der = "";
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1582,7 +1616,7 @@ TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
  ASSERT_TRUE(
      LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1591,7 +1625,7 @@ TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
  ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
                                     &constraints_der));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1600,7 +1634,7 @@ TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
  ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
                                     &constraints_der));
  CertErrors errors;
-  EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+  EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
                                       is_critical(), &errors));
 }
@ -1610,7 +1644,7 @@ TEST_P(ParseNameConstraints,
  ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name;
@ -1618,14 +1652,14 @@ TEST_P(ParseNameConstraints,
  // Name constraints don't contain rfc822Name, so emailAddress in subject is
  // allowed regardless.
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name),
+                              SequenceValueFromString(name),
                              /*subject_alt_names=*/nullptr));
  ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
  // Name constraints don't contain rfc822Name, so emailAddress in subject is
  // allowed regardless.
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name),
+                              SequenceValueFromString(name),
                              /*subject_alt_names=*/nullptr));
 }
@ -1635,7 +1669,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name;
@ -1644,21 +1678,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
  // Name constraints contain rfc822Name, and the address matches the
  // constraint (which is all addresses on the hostname.)
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name),
+                              SequenceValueFromString(name),
                              /*subject_alt_names=*/nullptr));
  ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
  // The bytes of the name string match, but the string type is VISIBLESTRING
  // which is not supported, so this should fail.
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name),
+                               SequenceValueFromString(name),
                               /*subject_alt_names=*/nullptr));
  ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
  // Subject contains multiple rfc822Names, and they all match the constraint
  // (which is all addresses on the hostname.)
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name),
+                              SequenceValueFromString(name),
                              /*subject_alt_names=*/nullptr));
 }
@ -1668,7 +1702,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
      LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name;
@ -1677,21 +1711,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
  // Name constraints contain rfc822Name, and the address does not match the
  // constraint.
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name),
+                               SequenceValueFromString(name),
                               /*subject_alt_names=*/nullptr));
  // Address is a case-insensitive match, but name constraints (permitted) are
  // case-sensitive, so this fails.
  ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name),
+                               SequenceValueFromString(name),
                               /*subject_alt_names=*/nullptr));
  ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
  // Subject contains multiple rfc822Names, and only the first one matches the
  // constraint.
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name),
+                               SequenceValueFromString(name),
                               /*subject_alt_names=*/nullptr));
 }
@ -1701,7 +1735,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) {
      LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name;
@ -1710,21 +1744,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) {
  // Name constraints contain excluded rfc822Name, and the address does not
  // match the constraint.
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name),
+                              SequenceValueFromString(name),
                              /*subject_alt_names=*/nullptr));
  // Name constraints for excluded are done case-insensitive in the local part,
  // so this is not allowed.
  ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name),
+                               SequenceValueFromString(name),
                               /*subject_alt_names=*/nullptr));
  ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
  // Subject contains multiple rfc822Names, and one of them is excluded by the
  // constraint.
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name),
+                               SequenceValueFromString(name),
                               /*subject_alt_names=*/nullptr));
 }
@ -1737,7 +1771,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
                                     &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name_us_az_foocom;
@ -1746,7 +1780,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
  // (The commonName hostname is not within permitted dNSName constraints, so
  // this would not be permitted if hostnames in commonName were checked.)
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name_us_az_foocom),
+                              SequenceValueFromString(name_us_az_foocom),
                              nullptr /* subject_alt_names */));
  std::string name_us_az_permitted;
@ -1756,7 +1790,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
  // permitted dNSName constraints, so this should be permitted regardless if
  // hostnames in commonName are checked or not.
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name_us_az_permitted),
+                              SequenceValueFromString(name_us_az_permitted),
                              nullptr /* subject_alt_names */));
  std::string name_us_ca_permitted;
@ -1766,7 +1800,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
  // this should not be allowed, regardless of checking the
  // permitted.example.com in commonName.
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name_us_ca_permitted),
+                               SequenceValueFromString(name_us_ca_permitted),
                               nullptr /* subject_alt_names */));
 }
@ -1779,7 +1813,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
      "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
  CertErrors errors;
  std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
-      der::Input(&constraints_der), is_critical(), &errors));
+      der::Input(constraints_der), is_critical(), &errors));
  ASSERT_TRUE(name_constraints);
  std::string name_us_az_1_1_1_1;
@ -1788,7 +1822,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
  // (The commonName IP address is not within permitted iPAddresses constraints,
  // so this would not be permitted if IP addresses in commonName were checked.)
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name_us_az_1_1_1_1),
+                              SequenceValueFromString(name_us_az_1_1_1_1),
                              nullptr /* subject_alt_names */));
  std::string name_us_az_192_168_1_1;
@ -1798,7 +1832,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
  // permitted iPAddress constraints, so this should be permitted regardless if
  // IP addresses in commonName are checked or not.
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name_us_az_192_168_1_1),
+                              SequenceValueFromString(name_us_az_192_168_1_1),
                              nullptr /* subject_alt_names */));
  std::string name_us_ca_192_168_1_1;
@ -1808,7 +1842,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
  // this should not be allowed, regardless of checking the
  // IP address in commonName.
  EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
-                               SequenceValueFromString(&name_us_ca_192_168_1_1),
+                               SequenceValueFromString(name_us_ca_192_168_1_1),
                               nullptr /* subject_alt_names */));
  std::string name_us_az_ipv6;
@ -1817,7 +1851,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
  // (The commonName is an ipv6 address which wasn't supported in the past, but
  // since commonName checking is ignored entirely, this is permitted.)
  EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
-                              SequenceValueFromString(&name_us_az_ipv6),
+                              SequenceValueFromString(name_us_az_ipv6),
                              nullptr /* subject_alt_names */));
 }
--- a/pki/ocsp.h
+++ b/pki/ocsp.h
@ -5,8 +5,8 @@
 #ifndef BSSL_PKI_OCSP_H_
 #define BSSL_PKI_OCSP_H_
 #include "webutil/url/url.h"
 #include "fillins/openssl_util.h"
 #include "webutil/url/url.h"
 #include <memory>
 #include <vector>
--- a/pki/ocsp_unittest.cc
+++ b/pki/ocsp_unittest.cc
@ -175,8 +175,7 @@ TEST_P(CheckOCSPTest, FromFile) {
  std::vector<uint8_t> encoded_request;
  ASSERT_TRUE(CreateOCSPRequest(cert.get(), issuer.get(), &encoded_request));
-  EXPECT_EQ(der::Input(encoded_request.data(), encoded_request.size()),
+  EXPECT_EQ(der::Input(encoded_request), der::Input(request_data));
            der::Input(&request_data));
 }
 std::string_view kGetURLTestParams[] = {
--- a/pki/parse_certificate_unittest.cc
+++ b/pki/parse_certificate_unittest.cc
@ -63,7 +63,7 @@ void RunCertificateTest(const std::string& file_name) {
  der::BitString signature_value;
  CertErrors errors;
  bool actual_result =
-      ParseCertificate(der::Input(&data), &tbs_certificate_tlv,
+      ParseCertificate(der::Input(data), &tbs_certificate_tlv,
                       &signature_algorithm_tlv, &signature_value, &errors);
  EXPECT_EQ(expected_result, actual_result);
@ -72,10 +72,10 @@ void RunCertificateTest(const std::string& file_name) {
  // Ensure that the parsed certificate matches expectations.
  if (expected_result && actual_result) {
    EXPECT_EQ(0, signature_value.unused_bits());
-    EXPECT_EQ(der::Input(&expected_signature), signature_value.bytes());
+    EXPECT_EQ(der::Input(expected_signature), signature_value.bytes());
-    EXPECT_EQ(der::Input(&expected_signature_algorithm),
+    EXPECT_EQ(der::Input(expected_signature_algorithm),
              signature_algorithm_tlv);
-    EXPECT_EQ(der::Input(&expected_tbs_certificate), tbs_certificate_tlv);
+    EXPECT_EQ(der::Input(expected_tbs_certificate), tbs_certificate_tlv);
  }
 }
@ -167,7 +167,7 @@ void RunTbsCertificateTestGivenVersion(const std::string& file_name,
  ParsedTbsCertificate parsed;
  CertErrors errors;
  bool actual_result =
-      ParseTbsCertificate(der::Input(&data), {}, &parsed, &errors);
+      ParseTbsCertificate(der::Input(data), {}, &parsed, &errors);
  EXPECT_EQ(expected_result, actual_result);
  VerifyCertErrors(expected_errors, errors, test_file_path);
@ -178,36 +178,36 @@ void RunTbsCertificateTestGivenVersion(const std::string& file_name,
  // Ensure that the ParsedTbsCertificate matches expectations.
  EXPECT_EQ(expected_version, parsed.version);
-  EXPECT_EQ(der::Input(&expected_serial_number), parsed.serial_number);
+  EXPECT_EQ(der::Input(expected_serial_number), parsed.serial_number);
-  EXPECT_EQ(der::Input(&expected_signature_algorithm),
+  EXPECT_EQ(der::Input(expected_signature_algorithm),
            parsed.signature_algorithm_tlv);
-  EXPECT_EQ(der::Input(&expected_issuer), parsed.issuer_tlv);
+  EXPECT_EQ(der::Input(expected_issuer), parsed.issuer_tlv);
  // In the test expectations PEM file, validity is described as a
  // textual string of the parsed value (rather than as DER).
  EXPECT_EQ(expected_validity_not_before, ToString(parsed.validity_not_before));
  EXPECT_EQ(expected_validity_not_after, ToString(parsed.validity_not_after));
-  EXPECT_EQ(der::Input(&expected_subject), parsed.subject_tlv);
+  EXPECT_EQ(der::Input(expected_subject), parsed.subject_tlv);
-  EXPECT_EQ(der::Input(&expected_spki), parsed.spki_tlv);
+  EXPECT_EQ(der::Input(expected_spki), parsed.spki_tlv);
  EXPECT_EQ(!expected_issuer_unique_id.empty(),
            parsed.issuer_unique_id.has_value());
  if (parsed.issuer_unique_id.has_value()) {
-    EXPECT_EQ(der::Input(&expected_issuer_unique_id),
+    EXPECT_EQ(der::Input(expected_issuer_unique_id),
              parsed.issuer_unique_id->bytes());
  }
  EXPECT_EQ(!expected_subject_unique_id.empty(),
            parsed.subject_unique_id.has_value());
  if (parsed.subject_unique_id.has_value()) {
-    EXPECT_EQ(der::Input(&expected_subject_unique_id),
+    EXPECT_EQ(der::Input(expected_subject_unique_id),
              parsed.subject_unique_id->bytes());
  }
  EXPECT_EQ(!expected_extensions.empty(), parsed.extensions_tlv.has_value());
  if (parsed.extensions_tlv) {
-    EXPECT_EQ(der::Input(&expected_extensions), parsed.extensions_tlv.value());
+    EXPECT_EQ(der::Input(expected_extensions), parsed.extensions_tlv.value());
  }
 }
@ -1008,7 +1008,7 @@ bool ParseAuthorityKeyIdentifierTestData(
      file_name;
  EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
-  return ParseAuthorityKeyIdentifier(der::Input(backing_bytes),
+  return ParseAuthorityKeyIdentifier(der::Input(*backing_bytes),
                                     authority_key_identifier);
 }
--- a/pki/parse_name_unittest.cc
+++ b/pki/parse_name_unittest.cc
@ -201,7 +201,7 @@ TEST(ParseNameTest, InvalidNameExtraData) {
  ASSERT_TRUE(
      LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid));
  RDNSequence atv;
-  ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+  ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
 }
 TEST(ParseNameTest, InvalidNameEmpty) {
@ -209,7 +209,7 @@ TEST(ParseNameTest, InvalidNameEmpty) {
  ASSERT_TRUE(
      LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid));
  RDNSequence atv;
-  ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+  ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
 }
 TEST(ParseNameTest, InvalidNameBadType) {
@ -217,7 +217,7 @@ TEST(ParseNameTest, InvalidNameBadType) {
  ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue",
                           "badAttributeType", &invalid));
  RDNSequence atv;
-  ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+  ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
 }
 TEST(ParseNameTest, InvalidNameNotSequence) {
@ -225,21 +225,21 @@ TEST(ParseNameTest, InvalidNameNotSequence) {
  ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue", "setNotSequence",
                           &invalid));
  RDNSequence atv;
-  ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+  ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
 }
 TEST(ParseNameTest, InvalidNameNotSet) {
  std::string invalid;
  ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid));
  RDNSequence atv;
-  ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+  ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
 }
 TEST(ParseNameTest, InvalidNameEmptyRdn) {
  std::string invalid;
  ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
  RDNSequence atv;
-  ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+  ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
 }
 TEST(ParseNameTest, RFC2253FormatBasic) {
--- a/pki/parsed_certificate.h
+++ b/pki/parsed_certificate.h
@ -110,7 +110,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Sequence tag). This is guaranteed to be valid DER, though the contents of
  // unhandled string types are treated as raw bytes.
  der::Input normalized_subject() const {
-    return der::Input(&normalized_subject_);
+    return der::Input(normalized_subject_);
  }
  // Returns the DER-encoded raw issuer value (including the outer sequence
  // tag). This is guaranteed to be valid DER, though the contents of unhandled
@ -120,7 +120,7 @@ class OPENSSL_EXPORT ParsedCertificate {
  // Sequence tag). This is guaranteed to be valid DER, though the contents of
  // unhandled string types are treated as raw bytes.
  der::Input normalized_issuer() const {
-    return der::Input(&normalized_issuer_);
+    return der::Input(normalized_issuer_);
  }
  // Returns true if the certificate has a BasicConstraints extension.
--- a/pki/path_builder_pkits_unittest.cc
+++ b/pki/path_builder_pkits_unittest.cc
@ -5,7 +5,6 @@
 #include "path_builder.h"
 #include <cstdint>
 #include <iostream>
 #include "fillins/log.h"
 #include "fillins/net_errors.h"
@ -237,7 +236,7 @@ class PathBuilderPkitsTestDelegate {
      for (size_t i = 0; i < result.paths.size(); ++i) {
        const CertPathBuilderResultPath* result_path =
            result.paths[i].get();
-        std::cerr << "path " << i << " errors:\n"
+        LOG(ERROR) << "path " << i << " errors:\n"
                   << result_path->errors.ToDebugString(result_path->certs);
      }
    }
--- a/pki/signature_algorithm_unittest.cc
+++ b/pki/signature_algorithm_unittest.cc
@ -1155,8 +1155,7 @@ TEST(SignatureAlgorithmTest, ParseRsaPss) {
        0x04, 0x02, 0x03, 0xa2, 0x03, 0x02, 0x01, 0x40},
       SignatureAlgorithm::kRsaPssSha512}};
  for (const auto& t : kValidTests) {
-    EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size())),
+    EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data)), t.expected);
              t.expected);
  }
  struct {
@ -1346,8 +1345,7 @@ TEST(SignatureAlgorithmTest, ParseRsaPss) {
        0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x41}},
  };
  for (const auto& t : kInvalidTests) {
-    EXPECT_FALSE(
+    EXPECT_FALSE(ParseSignatureAlgorithm(der::Input(t.data)));
        ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size())));
  }
 }
--- a/pki/simple_path_builder_delegate_unittest.cc
+++ b/pki/simple_path_builder_delegate_unittest.cc
@ -38,11 +38,11 @@ void ReadTestCase(const char* file_name,
  ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings));
  std::optional<SignatureAlgorithm> sigalg_opt =
-      ParseSignatureAlgorithm(der::Input(&algorithm_str));
+      ParseSignatureAlgorithm(der::Input(algorithm_str));
  ASSERT_TRUE(sigalg_opt);
  *signature_algorithm = *sigalg_opt;
-  ASSERT_TRUE(ParsePublicKey(der::Input(&public_key_str), public_key));
+  ASSERT_TRUE(ParsePublicKey(der::Input(public_key_str), public_key));
 }
 class SimplePathBuilderDelegate1024SuccessTest
--- a/pki/test_helpers.cc
+++ b/pki/test_helpers.cc
@ -110,7 +110,7 @@ void PrintTo(const Input& data, ::std::ostream* os) {
 }  // namespace der
-der::Input SequenceValueFromString(const std::string* s) {
+der::Input SequenceValueFromString(std::string_view s) {
  der::Parser parser((der::Input(s)));
  der::Input data;
  if (!parser.ReadTag(der::kSequence, &data)) {
@ -284,7 +284,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
      if (value == "DEFAULT") {
        value = "211005120000Z";
      }
-      if (!der::ParseUTCTime(der::Input(&value), &test->time)) {
+      if (!der::ParseUTCTime(der::Input(value), &test->time)) {
        ADD_FAILURE() << "Failed parsing UTC time";
        return false;
      }
--- a/pki/test_helpers.h
+++ b/pki/test_helpers.h
@ -9,6 +9,7 @@
 #include <ostream>
 #include <string>
 #include <string_view>
 #include <vector>
 #include "parsed_certificate.h"
@ -33,7 +34,7 @@ void PrintTo(const Input& data, ::std::ostream* os);
 //
 // The returned der::Input() is only valid so long as the input string is alive
 // and is not mutated.
-der::Input SequenceValueFromString(const std::string* s);
+der::Input SequenceValueFromString(std::string_view s);
 // Helper structure that maps a PEM block header (for instance "CERTIFICATE") to
 // the destination where the value for that block should be written.
--- a/pki/testdata/name_constraints_unittest/generate_name_constraints.py
+++ b/pki/testdata/name_constraints_unittest/generate_name_constraints.py
@ -317,6 +317,23 @@ def main():
                                 enforce_length=False))
  generate(c, "ipaddress-invalid_addr.pem")
  v4_mapped_prefix = (0, ) * 10 + (255, ) * 2
  v4_mapped_mask = (255, ) * 12
  c = NameConstraintsGenerator()
  c.add_permitted(ip_address_range((192, 168, 1, 0), (255, 255, 255, 0)))
  c.add_excluded(ip_address_range((192, 168, 1, 1), (255, 255, 255, 255)))
  c.add_excluded(
      ip_address_range(v4_mapped_prefix + (192, 168, 1, 2),
                       v4_mapped_mask + (255, 255, 255, 255)))
  c.add_permitted(
      ip_address_range(v4_mapped_prefix + (192, 168, 2, 0),
                       v4_mapped_mask + (255, 255, 255, 0)))
  c.add_excluded(
      ip_address_range(v4_mapped_prefix + (192, 168, 2, 1),
                       v4_mapped_mask + (255, 255, 255, 255)))
  c.add_excluded(ip_address_range((192, 168, 2, 2), (255, 255, 255, 255)))
  generate(c, "ipaddress-mapped_addrs.pem")
  n_us = generate_names.NameGenerator()
  n_us.add_rdn().add_attr('countryName', 'PRINTABLESTRING', 'US')
  generate(n_us, "name-us.pem")
--- a/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem
+++ b/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem
@ -0,0 +1,29 @@
 SEQUENCE {
  [0] {
    SEQUENCE {
      [7 PRIMITIVE] { `c0a80100ffffff00` }
    }
    SEQUENCE {
      [7 PRIMITIVE] { `00000000000000000000ffffc0a80200ffffffffffffffffffffffffffffff00` }
    }
  }
  [1] {
    SEQUENCE {
      [7 PRIMITIVE] { `c0a80101ffffffff` }
    }
    SEQUENCE {
      [7 PRIMITIVE] { `00000000000000000000ffffc0a80102ffffffffffffffffffffffffffffffff` }
    }
    SEQUENCE {
      [7 PRIMITIVE] { `00000000000000000000ffffc0a80201ffffffffffffffffffffffffffffffff` }
    }
    SEQUENCE {
      [7 PRIMITIVE] { `c0a80202ffffffff` }
    }
  }
 }
 -----BEGIN NAME CONSTRAINTS-----
 MIGUoDAwCocIwKgBAP///wAwIocgAAAAAAAAAAAAAP//wKgCAP///////////////////wChYDAK
 hwjAqAEB/////zAihyAAAAAAAAAAAAAA///AqAEC/////////////////////zAihyAAAAAAAAAA
 AAAA///AqAIB/////////////////////zAKhwjAqAIC/////w==
 -----END NAME CONSTRAINTS-----
--- a/pki/testdata/ssl/certificates/README
+++ b/pki/testdata/ssl/certificates/README
@ -46,10 +46,6 @@ unit tests.
     purposes is not recommended. This needs to be updated periodically so the
     server name the cert is valid for may change.
 - treadclimber.pem: A chain where the leaf does not contain embedded SCTs,
  and which has a notBefore date after 2018/10/15. Expires 2020/02/07.
 - treadclimber.sctlist: The TLS encoded SignedCertificateTimestampList for the
  treadclimber.pem leaf certificate.
 - lets-encrypt-dst-x3-root.pem: A chain that ends in the Lets encrypt DST X3
  root (https://crt.sh/?id=8395). Has the same leaf as
  lets-encrypt-isrg-x1-root.pem.
@ -193,18 +189,15 @@ unit tests.
     Certificates for testing EV display (including regression test for
     https://crbug.com/1069113).
-===== From net/data/ssl/scripts/generate-weak-test-chains.sh
+===== From net/data/ssl/scripts/generate-test-keys.sh
- 2048-rsa-root.pem
+- rsa-{768,1024,2048}-{1..3}.key
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
+- ec-prime256v1-{1..3}.key
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
+     Pre-generated keys of various types/sizes.
-      {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
+     Useful for tests that generate RSA certificates with CertBuilder without
-      Test certificates used to ensure that weak keys are detected and rejected
+     having to pay the cost of generating RSA keys at runtime. Multiple keys
-
+     of each size are provided. (EC keys are cheap to generate at runtime, but
-===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
+     having some as files simplifies test logic in cases where the test is
- cross-signed-leaf.pem
+     reading both RSA and EC keys from files.)
 - cross-signed-root-md5.pem
 - cross-signed-root-sha256.pem
     A certificate chain for regression testing http://crbug.com/108514
 ===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
 - redundant-validated-chain.pem
--- a/pki/testdata/ssl/certificates/ec-prime256v1-1.key
+++ b/pki/testdata/ssl/certificates/ec-prime256v1-1.key
@ -0,0 +1,5 @@
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8YeFfq6kLtUZziTV
 eBxKf4sdzWhBIrmoa7R6IQ/L0g2hRANCAATwrGqIPnPdqDreHFlZqECUQ0AjHbyi
 NWFYmGc3FkPsCS1MWu2WhMYdw7UuLDdMKge7Q6IWMsHum/4G04hRdTYL
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/ec-prime256v1-2.key
+++ b/pki/testdata/ssl/certificates/ec-prime256v1-2.key
@ -0,0 +1,5 @@
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSCf4GodSLqPExkQ0
 Ik8+89ysmrauzOM+YOw7a6XXxpOhRANCAASTFjEdz9MMLzVvqiKJ6hiEmG7+tfn1
 6r5Odwu8dkIr69J5RljzPLAbHXN4kXF/ohZbBvKnX+1cEUDO+kBtAHMB
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/ec-prime256v1-3.key
+++ b/pki/testdata/ssl/certificates/ec-prime256v1-3.key
@ -0,0 +1,5 @@
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSFwCrUE0q+J8WdaB
 wuQtvtQuvSVy4xrVUVKbg/b8qmShRANCAAQ0MQNe+C3m+ZxRjUC2VHut66EhAqDQ
 EXOCJ3se7ctMpdmVa2ml/4cjz3lnrfbSYe/mM5v3hDN8u8dYmk7zDoL3
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/leaf_from_known_root.pem
+++ b/pki/testdata/ssl/certificates/leaf_from_known_root.pem
@ -1,274 +1,666 @@
 ===========================================
-Certificate0: c74f724a594ff8156228aa8d5b06c2335c45bcc0381cf16deb7ec0330cb454a0
+Certificate0: 43a7c7f7b28f92beac4b5e7e002c69801fd82c8656d9cb2993dba2bab0c4ec1e
 ===========================================
 Certificate:
    Data:
        Version: 3 (0x2)
-        Serial Number:
+        Serial Number: 5475531677529648189 (0x4bfcff0cd38dac3d)
            13:00:0f:ee:63:1b:df:c3:25:02:e3:e0:7e:a6:39:50
        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
+        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
        Validity
-            Not Before: Apr 10 00:00:00 2023 GMT
+            Not Before: Jul 25 02:05:05 2023 GMT
-            Not After : May 10 23:59:59 2024 GMT
+            Not After : Aug 24 00:14:22 2024 GMT
-        Subject: CN = horseweather.com
+        Subject: CN = tntpowerwashservices.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
-                    00:b5:4f:7d:c0:1a:22:1c:a6:88:a0:85:01:3e:4a:
+                    00:af:a6:20:2e:e2:8f:f6:61:ba:78:bd:8c:c9:b4:
-                    56:e3:3e:2a:f9:9c:f8:15:ce:6f:f7:44:74:00:41:
+                    84:6a:38:53:33:4a:28:e1:f6:9a:f8:be:45:14:18:
-                    0f:d9:54:ce:7b:51:70:95:0c:9b:35:b1:68:b9:a6:
+                    ef:0c:57:6c:ae:89:7b:8d:06:89:58:b4:76:21:2c:
-                    75:1a:28:93:4b:c9:64:9c:7e:ea:30:d4:4b:73:44:
+                    43:1f:b9:5d:e0:8d:4b:83:ad:3d:04:fb:e1:bf:76:
-                    62:fa:97:0d:5b:19:f6:6e:a3:44:b1:ea:67:7b:c6:
+                    f2:e9:1a:80:42:f7:24:65:6d:c9:90:fc:fd:8e:82:
-                    86:c6:1f:b8:1b:9b:ce:b1:9d:f7:f1:63:f4:63:03:
+                    0a:0e:5e:22:78:09:68:59:2a:4b:58:10:99:2d:f8:
-                    6b:07:72:f8:9c:f7:62:89:5d:15:2f:eb:ea:f8:18:
+                    57:56:d9:92:a6:58:7e:89:c2:12:ea:c6:e2:43:86:
-                    8f:55:1d:33:e7:2c:76:fd:3e:1a:16:fb:42:c1:02:
+                    07:6f:84:e2:c2:cd:1e:9d:4f:ee:62:58:35:a2:13:
-                    3a:03:82:f8:92:9a:a2:de:f1:8b:06:8e:cc:f9:ca:
+                    d5:bc:20:cf:69:65:c4:74:2a:4d:b1:c2:7b:03:85:
-                    1e:29:1c:48:7e:dc:0f:c1:5e:81:91:5c:36:eb:41:
+                    b2:fc:dd:c7:36:30:c2:d6:59:02:e8:7c:41:26:ce:
-                    1f:55:23:67:f2:b3:3b:10:73:fc:f0:48:2c:9e:8e:
+                    6b:f0:7a:55:1f:90:42:07:53:2e:a1:47:2e:53:42:
-                    1b:66:1e:52:38:09:0b:53:10:47:96:39:47:bb:81:
+                    a6:48:1c:d0:d2:bb:9c:76:bf:89:4b:39:9d:69:f5:
-                    67:c4:4f:33:f2:74:19:c8:b5:16:0b:27:1e:d2:0e:
+                    80:a4:38:b3:bd:e7:cd:41:0c:69:d7:3d:c1:78:27:
-                    09:c7:4e:c5:e3:a8:8f:aa:00:1a:3c:9a:19:45:09:
+                    88:05:ee:c7:f3:87:9d:01:e1:fd:70:e4:be:4d:97:
-                    c8:aa:74:e0:7e:a0:7f:e2:46:8e:27:42:d4:ee:80:
+                    d3:2b:61:f3:0a:d3:2f:63:a9:ce:61:22:08:2e:a3:
-                    60:5d:e1:b4:fc:23:9d:cb:70:be:d6:5b:88:ee:15:
+                    d6:ba:de:fe:6b:df:69:ed:2f:50:dd:b8:72:c4:d6:
-                    61:1d:f5:4b:8d:02:ae:2f:19:5c:20:fc:17:9f:fc:
+                    6b:00:5e:a4:8b:9b:58:c0:43:32:ab:cc:44:55:d7:
-                    5d:b9
+                    70:2f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Subject Key Identifier: 
                DE:B8:1F:8D:E5:9F:B7:B7:F7:B6:96:56:D3:F4:2F:58:30:4C:36:0D
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-7257.crl
            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.6449.1.2.2.7
+                Policy: 2.16.840.1.114413.1.7.23.1
-                  CPS: https://sectigo.com/CPS
+                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1
            Authority Information Access: 
-                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
+                OCSP - URI:http://ocsp.godaddy.com/
-                OCSP - URI:http://ocsp.sectigo.com
+                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
            X509v3 Authority Key Identifier: 
                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
            X509v3 Subject Alternative Name: 
-                DNS:horseweather.com, DNS:www.horseweather.com
+                DNS:tntpowerwashservices.com, DNS:www.tntpowerwashservices.com
            X509v3 Subject Key Identifier: 
                15:BE:40:63:3C:B1:6A:3C:27:52:B1:1E:43:06:A1:1C:0B:09:C7:C8
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
-                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
+                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
-                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
+                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
-                    Timestamp : Apr 10 14:57:58.554 2023 GMT
+                    Timestamp : Jul 25 02:05:06.473 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
-                                30:44:02:20:2C:72:0F:4C:A5:E0:DE:BA:0F:50:D6:79:
+                                30:45:02:21:00:B6:D5:26:94:10:7C:69:75:D5:83:A6:
-                                57:BB:1E:4C:57:63:08:41:3E:CE:92:04:AF:1D:8B:43:
+                                4A:7F:4D:87:A3:86:3D:C6:AD:47:17:B7:04:9F:83:0B:
-                                AC:D3:E0:A9:02:20:73:BD:5A:86:55:76:F4:84:E5:71:
+                                51:7E:41:C5:06:02:20:1E:2C:1C:2F:03:D1:1B:AB:E2:
-                                CE:D4:3B:D4:2F:7F:9F:7F:E9:DB:10:8B:97:0B:A5:EC:
+                                F5:A0:65:BC:EC:BE:15:D2:05:ED:CC:AC:1A:44:70:DC:
-                                FB:B3:99:03:5A:DF
+                                19:B6:87:58:4E:DF:EA
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
-                    Log ID    : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
+                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
-                                91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
+                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
-                    Timestamp : Apr 10 14:57:58.648 2023 GMT
+                    Timestamp : Jul 25 02:05:06.771 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
-                                30:45:02:20:6A:FD:3F:78:6C:23:EE:5E:6D:6F:4C:67:
+                                30:45:02:20:6F:76:37:49:56:F0:9D:7F:F7:94:58:C9:
-                                D5:22:B0:9A:CB:78:01:D2:24:79:DF:56:44:40:23:4E:
+                                9E:D3:D6:36:7D:BD:56:F4:92:41:0B:3E:97:0B:95:84:
-                                8B:CE:B9:10:02:21:00:E7:15:11:84:48:04:FC:2C:CD:
+                                53:C6:68:24:02:21:00:87:45:7A:45:89:8E:C0:D9:44:
-                                F1:88:4E:79:31:19:4B:DC:E0:B3:74:12:49:3C:DD:4E:
+                                82:56:24:C1:0D:A3:C4:FC:F8:C8:8E:1D:71:CC:0C:B5:
-                                DB:E5:6D:D9:1B:B9:60
+                                6E:03:40:8D:3C:34:3A
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
-                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
+                    Log ID    : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
-                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
+                                91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
-                    Timestamp : Apr 10 14:57:58.679 2023 GMT
+                    Timestamp : Jul 25 02:05:06.882 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
-                                30:46:02:21:00:AF:8C:27:AC:66:5E:08:AC:BA:19:1D:
+                                30:46:02:21:00:A1:1F:15:0A:5A:5A:E7:ED:6D:61:5F:
-                                5A:CF:9A:F5:B8:28:A6:CC:9F:C4:99:45:59:10:2E:80:
+                                9C:13:0B:66:70:62:95:31:C8:ED:D0:8A:B9:58:B1:90:
-                                17:BA:BA:B0:5E:02:21:00:CD:4E:51:2B:C6:12:73:4D:
+                                97:63:21:C8:2B:02:21:00:F9:67:A5:79:88:32:96:48:
-                                7E:23:61:15:22:CB:08:CA:19:62:81:95:7E:31:08:B9:
+                                CB:6C:B9:27:76:0D:B6:7C:3A:AE:CB:65:40:87:E3:A5:
-                                64:F7:96:71:B0:1E:D2:A8
+                                A9:FA:03:CA:61:F3:C7:9D
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
-        3b:67:4e:46:c0:7f:d6:2f:4e:64:63:80:21:e4:ea:af:46:06:
+        26:c1:ee:ce:fb:7c:3d:bd:15:19:f7:6e:bc:f2:b0:d3:8b:a0:
-        e3:83:47:99:88:73:27:6c:96:ae:5e:eb:d3:36:60:4a:1d:b4:
+        d0:26:84:83:2c:06:65:50:68:0e:9a:1e:96:9e:2b:64:ae:7a:
-        28:57:7d:07:df:40:e2:87:54:d3:dd:bc:5a:e4:e7:9b:f7:72:
+        0a:05:e9:78:0a:cc:d5:0d:44:7a:d5:ae:4b:25:0c:a1:5d:a0:
-        4b:c7:5f:5d:50:da:c6:c0:6a:0d:36:c3:f9:ff:db:b5:d2:71:
+        b4:3a:1b:60:6c:6a:e2:30:7e:30:23:2e:eb:74:85:80:84:0f:
-        84:b6:66:0a:15:31:46:79:39:0f:b2:bc:c0:91:8f:d6:03:ab:
+        e6:cb:89:ee:b8:a9:9d:79:8a:da:dc:13:e1:6d:77:4f:81:7e:
-        10:7d:ea:7e:59:16:13:6c:3a:47:55:12:8b:c5:4a:1f:21:bc:
+        55:b4:0f:4f:41:6d:02:89:bf:73:95:7c:7f:b2:d8:9b:50:4a:
-        00:f1:a1:0a:0e:e5:e8:b5:af:38:47:78:44:e9:ab:d9:0c:94:
+        f8:60:36:11:e2:13:32:1f:e5:0f:3a:7d:0e:42:1e:b0:90:eb:
-        a1:af:a1:2c:18:5a:15:00:e1:4e:9f:c5:06:88:87:41:25:e7:
+        dd:41:57:0c:52:72:28:31:87:13:cb:39:9a:2f:23:66:9f:ca:
-        92:bf:9e:ee:66:93:88:4d:15:ae:c5:d8:1b:c4:58:e1:3c:fd:
+        a9:4a:d3:26:30:71:ad:72:e2:83:b7:00:29:92:2c:b9:9f:c9:
-        12:bc:8e:44:fa:74:4b:a3:37:bd:7d:49:f9:3e:90:a7:bd:2e:
+        a2:85:b2:90:29:c0:10:41:e4:6f:6e:d7:3c:ad:96:06:81:75:
-        dc:3d:24:5d:5b:9f:47:3e:6c:3a:7d:17:ab:dc:3b:3c:53:f1:
+        09:ff:7e:47:ff:3d:93:18:f5:e8:62:44:f9:8a:6c:37:db:5a:
-        ac:39:1b:74:51:a9:47:08:d2:af:c1:0c:5b:d3:4c:ed:85:97:
+        a6:66:78:ae:3a:84:9b:7c:d0:f0:c9:9d:99:ce:8d:4a:9f:ab:
-        5a:d6:75:1e:d7:d5:69:50:e3:1e:bd:26:cf:b9:94:1a:fb:74:
+        d6:e1:bd:7c:bc:9c:9d:f2:00:c9:17:aa:7d:97:9f:3f:27:9c:
-        0b:ac:18:48:6b:61:10:6a:4e:89:6e:b5:c6:eb:c3:90:64:ee:
+        6c:91:16:a6:8e:39:c8:86:db:0c:14:ea:20:3d:f7:aa:7d:a3:
-        38:5d:18:17
+        e2:67:9d:9a
 SEQUENCE {
  SEQUENCE {
    [0] {
      INTEGER { 2 }
    }
    INTEGER { `4bfcff0cd38dac3d` }
    SEQUENCE {
      # sha256WithRSAEncryption
      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
      NULL {}
    }
    SEQUENCE {
      SET {
        SEQUENCE {
          # countryName
          OBJECT_IDENTIFIER { 2.5.4.6 }
          PrintableString { "US" }
        }
      }
      SET {
        SEQUENCE {
          # stateOrProvinceName
          OBJECT_IDENTIFIER { 2.5.4.8 }
          PrintableString { "Arizona" }
        }
      }
      SET {
        SEQUENCE {
          # localityName
          OBJECT_IDENTIFIER { 2.5.4.7 }
          PrintableString { "Scottsdale" }
        }
      }
      SET {
        SEQUENCE {
          # organizationName
          OBJECT_IDENTIFIER { 2.5.4.10 }
          PrintableString { "GoDaddy.com, Inc." }
        }
      }
      SET {
        SEQUENCE {
          # organizationUnitName
          OBJECT_IDENTIFIER { 2.5.4.11 }
          PrintableString { "http://certs.godaddy.com/repository/" }
        }
      }
      SET {
        SEQUENCE {
          # commonName
          OBJECT_IDENTIFIER { 2.5.4.3 }
          PrintableString { "Go Daddy Secure Certificate Authority - G2" }
        }
      }
    }
    SEQUENCE {
      UTCTime { "230725020505Z" }
      UTCTime { "240824001422Z" }
    }
    SEQUENCE {
      SET {
        SEQUENCE {
          # commonName
          OBJECT_IDENTIFIER { 2.5.4.3 }
          PrintableString { "tntpowerwashservices.com" }
        }
      }
    }
    SEQUENCE {
      SEQUENCE {
        # rsaEncryption
        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
        NULL {}
      }
      BIT_STRING {
        `00`
        SEQUENCE {
          INTEGER { `00afa6202ee28ff661ba78bd8cc9b4846a3853334a28e1f69af8be451418ef0c576cae897b8d068958b476212c431fb95de08d4b83ad3d04fbe1bf76f2e91a8042f724656dc990fcfd8e820a0e5e22780968592a4b5810992df85756d992a6587e89c212eac6e24386076f84e2c2cd1e9d4fee625835a213d5bc20cf6965c4742a4db1c27b0385b2fcddc73630c2d65902e87c4126ce6bf07a551f904207532ea1472e5342a6481cd0d2bb9c76bf894b399d69f580a438b3bde7cd410c69d73dc178278805eec7f3879d01e1fd70e4be4d97d32b61f30ad32f63a9ce6122082ea3d6badefe6bdf69ed2f50ddb872c4d66b005ea48b9b58c04332abcc4455d7702f` }
          INTEGER { 65537 }
        }
      }
    }
    [3] {
      SEQUENCE {
        SEQUENCE {
          # basicConstraints
          OBJECT_IDENTIFIER { 2.5.29.19 }
          BOOLEAN { TRUE }
          OCTET_STRING {
            SEQUENCE {}
          }
        }
        SEQUENCE {
          # extKeyUsage
          OBJECT_IDENTIFIER { 2.5.29.37 }
          OCTET_STRING {
            SEQUENCE {
              # serverAuth
              OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.1 }
              # clientAuth
              OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.2 }
            }
          }
        }
        SEQUENCE {
          # keyUsage
          OBJECT_IDENTIFIER { 2.5.29.15 }
          BOOLEAN { TRUE }
          OCTET_STRING {
            BIT_STRING { b`101` }
          }
        }
        SEQUENCE {
          # cRLDistributionPoints
          OBJECT_IDENTIFIER { 2.5.29.31 }
          OCTET_STRING {
            SEQUENCE {
              SEQUENCE {
                [0] {
                  [0] {
                    [6 PRIMITIVE] { "http://crl.godaddy.com/gdig2s1-7257.crl" }
                  }
                }
              }
            }
          }
        }
        SEQUENCE {
          # certificatePolicies
          OBJECT_IDENTIFIER { 2.5.29.32 }
          OCTET_STRING {
            SEQUENCE {
              SEQUENCE {
                OBJECT_IDENTIFIER { 2.16.840.1.114413.1.7.23.1 }
                SEQUENCE {
                  SEQUENCE {
                    OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 }
                    IA5String { "http://certificates.godaddy.com/repository/" }
                  }
                }
              }
              SEQUENCE {
                # domain-validated
                OBJECT_IDENTIFIER { 2.23.140.1.2.1 }
              }
            }
          }
        }
        SEQUENCE {
          # authorityInfoAccess
          OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 }
          OCTET_STRING {
            SEQUENCE {
              SEQUENCE {
                # ocsp
                OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
                [6 PRIMITIVE] { "http://ocsp.godaddy.com/" }
              }
              SEQUENCE {
                # caIssuers
                OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
                [6 PRIMITIVE] { "http://certificates.godaddy.com/repository/gdig2.crt" }
              }
            }
          }
        }
        SEQUENCE {
          # authorityKeyIdentifier
          OBJECT_IDENTIFIER { 2.5.29.35 }
          OCTET_STRING {
            SEQUENCE {
              [0 PRIMITIVE] { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` }
            }
          }
        }
        SEQUENCE {
          # subjectAltName
          OBJECT_IDENTIFIER { 2.5.29.17 }
          OCTET_STRING {
            SEQUENCE {
              [2 PRIMITIVE] { "tntpowerwashservices.com" }
              [2 PRIMITIVE] { "www.tntpowerwashservices.com" }
            }
          }
        }
        SEQUENCE {
          # subjectKeyIdentifier
          OBJECT_IDENTIFIER { 2.5.29.14 }
          OCTET_STRING {
            OCTET_STRING { `15be40633cb16a3c2752b11e4306a11c0b09c7c8` }
          }
        }
        SEQUENCE {
          # embeddedSCTList
          OBJECT_IDENTIFIER { 1.3.6.1.4.1.11129.2.4.2 }
          OCTET_STRING {
            OCTET_STRING { `0169007600eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b000001898acafe290000040300473045022100b6d52694107c6975d583a64a7f4d87a3863dc6ad4717b7049f830b517e41c50602201e2c1c2f03d11babe2f5a065bcecbe15d205edccac1a4470dc19b687584edfea00760048b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d88473000001898acaff53000004030047304502206f76374956f09d7ff79458c99ed3d6367dbd56f492410b3e970b958453c6682402210087457a45898ec0d944825624c10da3c4fcf8c88e1d71cc0cb56e03408d3c343a007700dab6bf6b3fb5b6229f9bc2bb5c6be87091716cbb51848534bda43d3048d7fbab000001898acaffc20000040300483046022100a11f150a5a5ae7ed6d615f9c130b6670629531c8edd08ab958b190976321c82b022100f967a57988329648cb6cb927760db67c3aaecb654087e3a5a9fa03ca61f3c79d` }
          }
        }
      }
    }
  }
  SEQUENCE {
    # sha256WithRSAEncryption
    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
    NULL {}
  }
  BIT_STRING { `00` `26c1eecefb7c3dbd1519f76ebcf2b0d38ba0d02684832c066550680e9a1e969e2b64ae7a0a05e9780accd50d447ad5ae4b250ca15da0b43a1b606c6ae2307e30232eeb748580840fe6cb89eeb8a99d798adadc13e16d774f817e55b40f4f416d0289bf73957c7fb2d89b504af8603611e213321fe50f3a7d0e421eb090ebdd41570c527228318713cb399a2f23669fcaa94ad3263071ad72e283b70029922cb99fc9a285b29029c01041e46f6ed73cad9606817509ff7e47ff3d9318f5e86244f98a6c37db5aa66678ae3a849b7cd0f0c99d99ce8d4a9fabd6e1bd7cbc9c9df200c917aa7d979f3f279c6c9116a68e39c886db0c14ea203df7aa7da3e2679d9a` }
 }
 -----BEGIN CERTIFICATE-----
-MIIGPzCCBSegAwIBAgIQEwAP7mMb38MlAuPgfqY5UDANBgkqhkiG9w0BAQsFADCB
+MIIGtDCCBZygAwIBAgIIS/z/DNONrD0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
-jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
-A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
-Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
-MB4XDTIzMDQxMDAwMDAwMFoXDTI0MDUxMDIzNTk1OVowGzEZMBcGA1UEAxMQaG9y
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjMwNzI1MDIwNTA1WhcN
-c2V3ZWF0aGVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVP
+MjQwODI0MDAxNDIyWjAjMSEwHwYDVQQDExh0bnRwb3dlcndhc2hzZXJ2aWNlcy5j
-fcAaIhymiKCFAT5KVuM+Kvmc+BXOb/dEdABBD9lUzntRcJUMmzWxaLmmdRook0vJ
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvpiAu4o/2Ybp4vYzJ
-ZJx+6jDUS3NEYvqXDVsZ9m6jRLHqZ3vGhsYfuBubzrGd9/Fj9GMDawdy+Jz3Yold
+tIRqOFMzSijh9pr4vkUUGO8MV2yuiXuNBolYtHYhLEMfuV3gjUuDrT0E++G/dvLp
-FS/r6vgYj1UdM+csdv0+Ghb7QsECOgOC+JKaot7xiwaOzPnKHikcSH7cD8FegZFc
+GoBC9yRlbcmQ/P2OggoOXiJ4CWhZKktYEJkt+FdW2ZKmWH6JwhLqxuJDhgdvhOLC
-NutBH1UjZ/KzOxBz/PBILJ6OG2YeUjgJC1MQR5Y5R7uBZ8RPM/J0Gci1FgsnHtIO
+zR6dT+5iWDWiE9W8IM9pZcR0Kk2xwnsDhbL83cc2MMLWWQLofEEmzmvwelUfkEIH
-CcdOxeOoj6oAGjyaGUUJyKp04H6gf+JGjidC1O6AYF3htPwjnctwvtZbiO4VYR31
+Uy6hRy5TQqZIHNDSu5x2v4lLOZ1p9YCkOLO9581BDGnXPcF4J4gF7sfzh50B4f1w
-S40Cri8ZXCD8F5/8XbkCAwEAAaOCAwgwggMEMB8GA1UdIwQYMBaAFI2MXsRUrYrh
+5L5Nl9MrYfMK0y9jqc5hIgguo9a63v5r32ntL1DduHLE1msAXqSLm1jAQzKrzERV
-d+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBTeuB+N5Z+3t/e2llbT9C9YMEw2DTAOBgNV
+13AvAgMBAAGjggNYMIIDVDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
-HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn
-KwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIB
+aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTcyNTcuY3JsMF0GA1UdIARW
-FhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEB
+MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj
-BHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdv
+YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH
-UlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcw
+AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI
-AYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wMQYDVR0RBCowKIIQaG9yc2V3ZWF0
+KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np
-aGVyLmNvbYIUd3d3LmhvcnNld2VhdGhlci5jb20wggF+BgorBgEEAdZ5AgQCBIIB
+dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w
-bgSCAWoBaAB1AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdMWjp0AAABh2us
+QQYDVR0RBDowOIIYdG50cG93ZXJ3YXNoc2VydmljZXMuY29tghx3d3cudG50cG93
-exoAAAQDAEYwRAIgLHIPTKXg3roPUNZ5V7seTFdjCEE+zpIErx2LQ6zT4KkCIHO9
+ZXJ3YXNoc2VydmljZXMuY29tMB0GA1UdDgQWBBQVvkBjPLFqPCdSsR5DBqEcCwnH
-WoZVdvSE5XHO1DvUL3+ff+nbEIuXC6Xs+7OZA1rfAHYA2ra/az+1tiKfm8K7XGvo
+yDCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYA7s3QZNXbGs7FXLedtM0TojKH
-cJFxbLtRhIU0vaQ9MEjX+6sAAAGHa6x7eAAABAMARzBFAiBq/T94bCPuXm1vTGfV
+Rny87N7DUUhZRnEftZsAAAGJisr+KQAABAMARzBFAiEAttUmlBB8aXXVg6ZKf02H
-IrCay3gB0iR531ZEQCNOi865EAIhAOcVEYRIBPwszfGITnkxGUvc4LN0Ekk83U7b
+o4Y9xq1HF7cEn4MLUX5BxQYCIB4sHC8D0Rur4vWgZbzsvhXSBe3MrBpEcNwZtodY
-5W3ZG7lgAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGHa6x7
+Tt/qAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGJisr/UwAA
-lwAABAMASDBGAiEAr4wnrGZeCKy6GR1az5r1uCimzJ/EmUVZEC6AF7q6sF4CIQDN
+BAMARzBFAiBvdjdJVvCdf/eUWMme09Y2fb1W9JJBCz6XC5WEU8ZoJAIhAIdFekWJ
-TlErxhJzTX4jYRUiywjKGWKBlX4xCLlk95ZxsB7SqDANBgkqhkiG9w0BAQsFAAOC
+jsDZRIJWJMENo8T8+MiOHXHMDLVuA0CNPDQ6AHcA2ra/az+1tiKfm8K7XGvocJFx
-AQEAO2dORsB/1i9OZGOAIeTqr0YG44NHmYhzJ2yWrl7r0zZgSh20KFd9B99A4odU
+bLtRhIU0vaQ9MEjX+6sAAAGJisr/wgAABAMASDBGAiEAoR8VClpa5+1tYV+cEwtm
-0928WuTnm/dyS8dfXVDaxsBqDTbD+f/btdJxhLZmChUxRnk5D7K8wJGP1gOrEH3q
+cGKVMcjt0Iq5WLGQl2MhyCsCIQD5Z6V5iDKWSMtsuSd2DbZ8Oq7LZUCH46Wp+gPK
-flkWE2w6R1USi8VKHyG8APGhCg7l6LWvOEd4ROmr2QyUoa+hLBhaFQDhTp/FBoiH
+YfPHnTANBgkqhkiG9w0BAQsFAAOCAQEAJsHuzvt8Pb0VGfduvPKw04ug0CaEgywG
-QSXnkr+e7maTiE0VrsXYG8RY4Tz9EryORPp0S6M3vX1J+T6Qp70u3D0kXVufRz5s
+ZVBoDpoelp4rZK56CgXpeArM1Q1EetWuSyUMoV2gtDobYGxq4jB+MCMu63SFgIQP
-On0Xq9w7PFPxrDkbdFGpRwjSr8EMW9NM7YWXWtZ1HtfVaVDjHr0mz7mUGvt0C6wY
+5suJ7ripnXmK2twT4W13T4F+VbQPT0FtAom/c5V8f7LYm1BK+GA2EeITMh/lDzp9
-SGthEGpOiW61xuvDkGTuOF0YFw==
+DkIesJDr3UFXDFJyKDGHE8s5mi8jZp/KqUrTJjBxrXLig7cAKZIsuZ/JooWykCnA
 EEHkb27XPK2WBoF1Cf9+R/89kxj16GJE+YpsN9tapmZ4rjqEm3zQ8Mmdmc6NSp+r
 1uG9fLycnfIAyReqfZefPyecbJEWpo45yIbbDBTqID33qn2j4medmg==
 -----END CERTIFICATE-----
 ===========================================
-Certificate1: 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
+Certificate1: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
 ===========================================
 Certificate:
    Data:
        Version: 3 (0x2)
-        Serial Number:
+        Serial Number: 7 (0x7)
-            7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
+        Signature Algorithm: sha256WithRSAEncryption
-        Signature Algorithm: sha384WithRSAEncryption
+        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Validity
-            Not Before: Nov  2 00:00:00 2018 GMT
+            Not Before: May  3 07:00:00 2011 GMT
-            Not After : Dec 31 23:59:59 2030 GMT
+            Not After : May  3 07:00:00 2031 GMT
-        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
+        Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
-                    00:d6:73:33:d6:d7:3c:20:d0:00:d2:17:45:b8:d6:
+                    00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64:
-                    3e:07:a2:3f:c7:41:ee:32:30:c9:b0:6c:fd:f4:9f:
+                    b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf:
-                    cb:12:98:0f:2d:3f:8d:4d:01:0c:82:0f:17:7f:62:
+                    8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b:
-                    2e:e9:b8:48:79:fb:16:83:4e:ad:d7:32:25:93:b7:
+                    63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc:
-                    07:bf:b9:50:3f:a9:4c:c3:40:2a:e9:39:ff:d9:81:
+                    45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57:
-                    ca:1f:16:32:41:da:80:26:b9:23:7a:87:20:1e:e3:
+                    c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37:
-                    ff:20:9a:3c:95:44:6f:87:75:06:90:40:b4:32:93:
+                    96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30:
-                    16:09:10:08:23:3e:d2:dd:87:0f:6f:5d:51:14:6a:
+                    38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f:
-                    0a:69:c5:4f:01:72:69:cf:d3:93:4c:6d:04:a0:a3:
+                    38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc:
-                    1b:82:7e:b1:9a:b9:ed:c5:9e:c5:37:78:9f:9a:08:
+                    71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47:
-                    34:fb:56:2e:58:c4:09:0e:06:64:5b:bc:37:dc:f1:
+                    f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4:
-                    9f:28:68:a8:56:b0:92:a3:5c:9f:bb:88:98:08:1b:
+                    33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0:
-                    24:1d:ab:30:85:ae:af:b0:2e:9e:7a:9d:c1:c0:42:
+                    a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e:
-                    1c:e2:02:f0:ea:e0:4a:d2:ef:90:0e:b4:c1:40:16:
+                    f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a:
-                    f0:6f:85:42:4a:64:f7:a4:30:a0:fe:bf:2e:a3:27:
+                    ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69:
-                    5a:8e:8b:58:b8:ad:c3:19:17:84:63:ed:6f:56:fd:
+                    02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18:
-                    83:cb:60:34:c4:74:be:e6:9d:db:e1:e4:e5:ca:0c:
+                    50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2:
-                    5f:15
+                    52:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
            X509v3 Subject Key Identifier: 
                8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
+                CA:TRUE
-            X509v3 Extended Key Usage: 
+            X509v3 Key Usage: critical
-                TLS Web Server Authentication, TLS Web Client Authentication
+                Certificate Sign, CRL Sign
-            X509v3 Certificate Policies: 
+            X509v3 Subject Key Identifier: 
-                Policy: X509v3 Any Policy
+                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
-                Policy: 2.23.140.1.2.1
+            X509v3 Authority Key Identifier: 
                3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
            X509v3 CRL Distribution Points: 
                Full Name:
-                  URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
+                  URI:http://crl.godaddy.com/gdroot-g2.crl
-            Authority Information Access: 
+            X509v3 Certificate Policies: 
-                CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
+                Policy: X509v3 Any Policy
-                OCSP - URI:http://ocsp.usertrust.com
+                  CPS: https://certs.godaddy.com/repository/
-    Signature Algorithm: sha384WithRSAEncryption
+    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
-        32:bf:61:bd:0e:48:c3:4f:c7:ba:47:4d:f8:9c:78:19:01:dc:
+        08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef:
-        13:1d:80:6f:fc:c3:70:b4:52:9a:31:33:9a:57:52:fb:31:9e:
+        6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f:
-        6b:a4:ef:54:aa:89:8d:40:17:68:f8:11:10:7c:d2:ca:b1:f1:
+        db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73:
-        55:86:c7:ee:b3:36:91:86:f6:39:51:bf:46:bf:0f:a0:ba:b4:
+        31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11:
-        f7:7e:49:c4:2a:36:17:9e:e4:68:39:7a:af:94:4e:56:6f:b2:
+        56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4:
-        7b:3b:bf:0a:86:bd:cd:c5:77:1c:03:b8:38:b1:a2:1f:5f:7e:
+        2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f:
-        db:8a:dc:46:48:b6:68:0a:cf:b2:b5:b4:e2:34:e4:67:a9:38:
+        f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca:
-        66:09:5e:d2:b8:fc:9d:28:3a:17:40:27:c2:72:4e:29:fd:21:
+        17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51:
-        3c:7c:cf:13:fb:96:2c:c5:31:44:fd:13:ed:d5:9b:a9:69:68:
+        b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c:
-        77:7c:ee:e1:ff:a4:f9:36:38:08:53:39:a2:84:34:9c:19:f3:
+        ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d:
-        be:0e:ac:d5:24:37:eb:23:a8:78:d0:d3:e7:ef:92:47:64:62:
+        5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce:
-        39:22:ef:c6:f7:11:be:22:85:c6:66:44:24:26:8e:10:32:8d:
+        c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7:
-        c8:93:ae:07:9e:83:3e:2f:d9:f9:f5:46:8e:63:be:c1:e6:b4:
+        8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87:
-        dc:a6:cd:21:a8:86:0a:95:d9:2e:85:26:1a:fd:fc:b1:b6:57:
+        6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8:
-        42:6d:95:d1:33:f6:39:14:06:82:41:38:f5:8f:58:dc:80:5b:
+        bc:04:30:01
-        a4:d5:7d:95:78:fd:a7:9b:ff:fd:c5:a8:69:ab:26:e7:a7:a4:
+
-        05:87:5b:a9:b7:b8:a3:20:0b:97:a9:45:85:dd:b3:8b:e5:89:
+SEQUENCE {
-        37:8e:29:0d:fc:06:17:f6:38:40:0e:42:e4:12:06:fb:7b:f3:
+  SEQUENCE {
-        c6:11:68:62:df:e3:98:f4:13:d8:15:4f:8b:b1:69:d9:10:60:
+    [0] {
-        bc:64:2a:ea:31:b7:e4:b5:a3:3a:14:9b:26:e3:0b:7b:fd:02:
+      INTEGER { 2 }
-        8e:b6:99:c1:38:97:59:36:f6:a8:74:a2:86:b6:5e:eb:c6:64:
+    }
-        ea:cf:a0:a3:f9:6e:9e:ba:2d:11:b6:86:98:08:58:2d:c9:ac:
+    INTEGER { 7 }
-        25:64:f2:5e:75:b4:38:c1:ae:7f:5a:46:83:ea:51:ca:b6:f1:
+    SEQUENCE {
-        99:11:35:6b:a5:6a:7b:c6:00:b0:e7:f8:be:64:b2:ad:c8:c2:
+      # sha256WithRSAEncryption
-        f1:ac:e3:51:ea:a4:93:e0:79:c8:e1:81:40:c9:0a:5b:e1:12:
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
-        3c:c1:60:2a:e3:97:c0:89:42:ca:94:cf:46:98:12:69:bb:98:
+      NULL {}
-        d0:c2:d3:0d:72:4b:47:6e:e5:93:c4:32:28:63:87:43:e4:b0:
+    }
-        32:3e:0a:d3:4b:bf:23:9b:14:29:41:2b:9a:04:1f:93:2d:f1:
+    SEQUENCE {
-        c7:39:48:3c:ad:5a:12:7f
+      SET {
        SEQUENCE {
          # countryName
          OBJECT_IDENTIFIER { 2.5.4.6 }
          PrintableString { "US" }
        }
      }
      SET {
        SEQUENCE {
          # stateOrProvinceName
          OBJECT_IDENTIFIER { 2.5.4.8 }
          PrintableString { "Arizona" }
        }
      }
      SET {
        SEQUENCE {
          # localityName
          OBJECT_IDENTIFIER { 2.5.4.7 }
          PrintableString { "Scottsdale" }
        }
      }
      SET {
        SEQUENCE {
          # organizationName
          OBJECT_IDENTIFIER { 2.5.4.10 }
          PrintableString { "GoDaddy.com, Inc." }
        }
      }
      SET {
        SEQUENCE {
          # commonName
          OBJECT_IDENTIFIER { 2.5.4.3 }
          PrintableString { "Go Daddy Root Certificate Authority - G2" }
        }
      }
    }
    SEQUENCE {
      UTCTime { "110503070000Z" }
      UTCTime { "310503070000Z" }
    }
    SEQUENCE {
      SET {
        SEQUENCE {
          # countryName
          OBJECT_IDENTIFIER { 2.5.4.6 }
          PrintableString { "US" }
        }
      }
      SET {
        SEQUENCE {
          # stateOrProvinceName
          OBJECT_IDENTIFIER { 2.5.4.8 }
          PrintableString { "Arizona" }
        }
      }
      SET {
        SEQUENCE {
          # localityName
          OBJECT_IDENTIFIER { 2.5.4.7 }
          PrintableString { "Scottsdale" }
        }
      }
      SET {
        SEQUENCE {
          # organizationName
          OBJECT_IDENTIFIER { 2.5.4.10 }
          PrintableString { "GoDaddy.com, Inc." }
        }
      }
      SET {
        SEQUENCE {
          # organizationUnitName
          OBJECT_IDENTIFIER { 2.5.4.11 }
          PrintableString { "http://certs.godaddy.com/repository/" }
        }
      }
      SET {
        SEQUENCE {
          # commonName
          OBJECT_IDENTIFIER { 2.5.4.3 }
          PrintableString { "Go Daddy Secure Certificate Authority - G2" }
        }
      }
    }
    SEQUENCE {
      SEQUENCE {
        # rsaEncryption
        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
        NULL {}
      }
      BIT_STRING {
        `00`
        SEQUENCE {
          INTEGER { `00b9e0cb10d4af76bdd49362eb3064b881086cc304d962178e2fff3e65cf8fce62e63c521cda16454b55ab786b63836290ce0f696c99c81a148b4ccc4533ea88dc9ea3af2bfe80619d7957c4cf2ef43f303c5d47fc9a16bcc3379641518e114b54f828bed08cbef030381ef3b026f86647636dde7126478f384753d1461db4e3dc00ea45acbdbc71d9aa6f00dbdbcd303a794f5f4c47f81def5bc2c49d603bb1b24391d8a4334eeab3d6274fad258aa5c6f4d5d0a6ae7405645788b54455d42d2a3a3ef8b8bde9320a029464c4163a50f14aaee77933af0c20077fe8df0439c269026c6352fa77c11bc87487c8b993185054354b694ebc3bd3492e1fdcc1d252fb` }
          INTEGER { 65537 }
        }
      }
    }
    [3] {
      SEQUENCE {
        SEQUENCE {
          # basicConstraints
          OBJECT_IDENTIFIER { 2.5.29.19 }
          BOOLEAN { TRUE }
          OCTET_STRING {
            SEQUENCE {
              BOOLEAN { TRUE }
            }
          }
        }
        SEQUENCE {
          # keyUsage
          OBJECT_IDENTIFIER { 2.5.29.15 }
          BOOLEAN { TRUE }
          OCTET_STRING {
            BIT_STRING { b`0000011` }
          }
        }
        SEQUENCE {
          # subjectKeyIdentifier
          OBJECT_IDENTIFIER { 2.5.29.14 }
          OCTET_STRING {
            OCTET_STRING { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` }
          }
        }
        SEQUENCE {
          # authorityKeyIdentifier
          OBJECT_IDENTIFIER { 2.5.29.35 }
          OCTET_STRING {
            SEQUENCE {
              [0 PRIMITIVE] { `3a9a8507106728b6eff6bd05416e20c194da0fde` }
            }
          }
        }
        SEQUENCE {
          # authorityInfoAccess
          OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 }
          OCTET_STRING {
            SEQUENCE {
              SEQUENCE {
                # ocsp
                OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
                [6 PRIMITIVE] { "http://ocsp.godaddy.com/" }
              }
            }
          }
        }
        SEQUENCE {
          # cRLDistributionPoints
          OBJECT_IDENTIFIER { 2.5.29.31 }
          OCTET_STRING {
            SEQUENCE {
              SEQUENCE {
                [0] {
                  [0] {
                    [6 PRIMITIVE] { "http://crl.godaddy.com/gdroot-g2.crl" }
                  }
                }
              }
            }
          }
        }
        SEQUENCE {
          # certificatePolicies
          OBJECT_IDENTIFIER { 2.5.29.32 }
          OCTET_STRING {
            SEQUENCE {
              SEQUENCE {
                # anyPolicy
                OBJECT_IDENTIFIER { 2.5.29.32.0 }
                SEQUENCE {
                  SEQUENCE {
                    OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 }
                    IA5String { "https://certs.godaddy.com/repository/" }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
  SEQUENCE {
    # sha256WithRSAEncryption
    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
    NULL {}
  }
  BIT_STRING { `00` `087e6c9310c838b896a9904bffa15f4f04ef6c3e9c8806c9508fa673f757311bbebce42fdbf8bad35be0b4e7e679620e0ca2d76a637331b5f5a848a43b082da25d90d7b47c254f115630c4b6449d7b2c9de55ee6ef0c61aabfe42a1bee849eb8837dc143ce44a713700d911ff4c813ad8360d9d872a873241eb5ac220eca17896258441bab892501000fcdc41b62db51b4d30f512a9bf4bc73fc76ce36a4cdd9d82ceaae9bf52ab290d14d75188a3f8a4190237d5b4bfea403589b46b2c3606083f87d5041cec2a190c3bbef022fd21554ee4415d90aaea78a33edb12d763626dc04eb9ff7611f15dc876fee469628ada1267d0a09a72e04a38dbcf8bc043001` }
 }
 -----BEGIN CERTIFICATE-----
-MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
-MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
-ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
-VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
-AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
-TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
-eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
-oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
-Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
-uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
-BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
-+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
-A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
-CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
-LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
-BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
-bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
-L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
-ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
-7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
-H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
-RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
 xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
 sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
 l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
 6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
 LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
 yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
 00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
 -----END CERTIFICATE-----
--- a/pki/testdata/ssl/certificates/rsa-1024-1.key
+++ b/pki/testdata/ssl/certificates/rsa-1024-1.key
@ -0,0 +1,16 @@
 -----BEGIN PRIVATE KEY-----
 MIICeQIBADANBgkqhkiG9w0BAQEFAASCAmMwggJfAgEAAoGBAL7mb78RnGZpGth3
 z5ilQTmz77Cc6YOqZPulE83+Vnjy39YzK0csTluvbWqVMUHtYGsRF8h+gYvywt8l
 zITocpE0UyeXlzsoOI8h7SgUCrYPAl9l6VydsUQ3F14uJ4LWaQcz/R601LhYrvQc
 XgpDr4U1rp108EAFG01BVFFiInCVAgMBAAECgYEAtGnxuCC7r+mrTmNE1d1wHEma
 wE47Po0d7NlhMzAopxvaQYSQZS5RS8MqZC1lpQnjMqyvznMImauvUddWR1GrWz6T
 jU7YJiq/NJZ26qzACKCJWj9UG37fzC3L7JDMz4Yz3K/iISH7iDLIrh4JWw8A6xQL
 +cq8/u4ZhjtODbxYHu0CQQDuPMkrqPolGpy6mo18jP8QuNooZmpZ5z5C72GtqqRz
 AMcfIOtluBBcFef7iZoKa+YcEldjpdiCK0I3qy86G9JLAkEAzSIg3A8qta3o/U2d
 TwUq5BMGUotHmG/A1MwEK5GnRHj3L0nu/HpE3tjrKrkMC4i+zVTYBop90XFBPdy6
 d+v8nwJBAM6Qdf0dLoctY+eISlVMC3x8SuvsoRoCnsF6vb7OznfInN4otPIlfknZ
 1KMM1DtlAsgkPxFvoyJ6T5flHbXMmbECQQCaKR/QwYUzbDNAyeeCzztgk/uYZRu1
 L6cXRQuNQrUV/GKno0R7cdf4McTqIo8uy+G4ph6DK+lKUXbaatun7C25AkEAsr/A
 yOyChfU16iQMa45LhT9FoplbNbDvczJ3EUUsf8i1I/8FG/GM4AaUMUshdwCf7hdh
 ZBHFE6S2PIUV9iZVbA==
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-1024-2.key
+++ b/pki/testdata/ssl/certificates/rsa-1024-2.key
@ -0,0 +1,16 @@
 -----BEGIN PRIVATE KEY-----
 MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM3oM+IGvDDamzE+
 5cZRkeoH8PBYH5HSChJOcRepGpPMxsOjR3aomPCi0eI3cR4IOqaakpxDJswp+ioA
 H4hEMDMoVZijvpXEto0QAy/2O7K7QzhQ1ylFNM8k6WD4xfM8W6PlrlxFHjH47QDq
 k/njjASgxTfj6zHCwauQG4FYTmZNAgMBAAECgYBuds82yDQ35V9yuPKeRW6JZj89
 QZmWKl+a2JhVgDQw7KAJntQc9XAvULpWqTW3TeThMnXK/T+YMkDyPWStPx+3q9PR
 AQS65Bz8BltepO5sdy2QWGnOss97fLG5DJgTHrAZYDKLxJah9hDOf5Tjq4d9GYka
 D6cOgWErS3wv+ERZhQJBAOuVmTnEywk0TIGjIOWud+Yv2TUIc3IqBZnyF1RN8y1y
 NFVGwpCb8aKLRawfDta/kNkQVOkYZCtZRdYb1NHqBJMCQQDfwDel33a3OnVdQNoB
 GbfEJYqmgY7JCzFfH9EVzqB45x6yYvwAHStp1r5dYmwMUSIVs5B8SFA4bUN6cAMr
 BJWfAkEA4xGOXuAP0w9Vrp5NVxSS/IuiEDvVCnT2cSum0NtRSLyLNKa/YiLtBH64
 6O4Gn3aFZrMXJJUd96pUZcrtlma5gQJAaUR0qdxNbPza1Km7JwNjequy5I1VkO5s
 JvXAF8Njqh4KSiDZsHAIyb2XSDYS4WSWZaFaW65l13ZIZeUnCGkavwJAMn0mC5e4
 idlSe3QqaOa3haxAXquQkImH6pSI4jRPzTJxPd8BlShlZeVC4IyCwfz/o6Azce+W
 w+5b/8VIMO2s9g==
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-1024-3.key
+++ b/pki/testdata/ssl/certificates/rsa-1024-3.key
@ -0,0 +1,16 @@
 -----BEGIN PRIVATE KEY-----
 MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMqUxHtJfHQ6709j
 T1yMqY/JH/dg0Kl3DaddDScaVRiv2X+0mhxkFu4/rWEYslj1aSS8CgcdVxSdHsI0
 dXEsumoRFJl/EmfBAwQkukgpkjuE5uUORuxt2vzT1zGPutX0UlMiLINdZ1AB45D6
 c78SBTiIoXai7FZ+SayOf/3MQsYpAgMBAAECgYB7nbITpTD7X+cd43TO/cqOQeVu
 t7Y8YriDMyXOgaQBr3SiF9uejXjsoxCyWjaiUAZ78v6PftjfbE0Tpp0vlWKeNo0q
 iJ0rjbxf04bIpU7+Q+/I4hkXngu7WvmXS8ZjmamEvT1a9XN8bZ1QD+lglYAkZKj5
 iwlVpZfYokj+4sMIgQJBAOnkLBrmlaXhh3KbzLcKPMtmOlm8y2PuSziJN7JTdkb7
 gwaQAa1+5ToOEjAS64qP+BRp9uLTnPuVnbyd27nDElkCQQDduu9KbS2o9IazrVeR
 FMqAitIWb9v/k98IfOc7/LKeyA7oVCzqAsq0nlYM4unGYSiIdlJLLnQCtbVABB4D
 6rhRAkEApM49cbsWqWsQCObVSgixq9Tdusu4OTL4196AW2xKBFxHCAHC3OB0XwL5
 N9ytEda+RIwiBdR8Yh4bpoNJB0z4CQJBAI9yo+LztUmMQSU3LOK4n7X/maFYZuz3
 HqDgJb0iY/Djnvlhk9klSz0E/sjBeNqV+uImImFvQTCLnCI5R63jCbECQQDpeDiP
 DcKOL773vayJixOvvSqruHGvM87KMkpW2zsLbxrlN2gKyf3iMkQX1Kat945qPD98
 kpnDpyVRVRxIc6Sg
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-2048-1.key
+++ b/pki/testdata/ssl/certificates/rsa-2048-1.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvBAyWDWogcaoH
 kjhp9fmm7OognM/SNfIuEKMiqmFLz4GsiNa1I4By8kPqcI8u0KRBvX0F/DDfBvDy
 8nm7gbfMliILkPTKlDqAKY51kV1qBkSQhhiQ7Tl3KXjB4tbdjJemv9TrXfwfr+k4
 9dP8oYLmVmyYRWMGybW7tA6MJewLYeAIBZpbcz0okrKD7izMEi7eCWvQ9O6PdVMG
 atBfUbGrZ0oX0XzsJQgI6iJNq88WQCbfybQLDvXleneem8NHVYO8fCmgVzgsiVw5
 fgaeYWBfCVOGUHsoVwxTDThAfoIGHX1ldQ+3YP+pyph43h5e9jWHHwAjg45SFqkI
 XRTu4I/HAgMBAAECggEASmt63J10qLocdl63TVtSXqg0QEzd1AGrauoZLGbtu3pP
 pimDvv+LIZWhyoE1aU8/4VJtZMuhjlyZvXzcxZ45pS2b6XYomTGhlJjXImf/JFPo
 +NmEfa/Z9TE1z6AhBJFBdR7yL2lGCcVX8ygZDb4x9rb+M1uh6aOA+wFsBC0l64pt
 YNGaOtgR1DCqn6mtxFcUOMt6gWEbgu2gwieo4qSGPmGOwNxhEbMWPL+0CPemW+li
 K+fB2RrYpGdSD8kyWHWqZTUT7SegcT2mO3F+eNwwy69srb/R/MAUfbYXbQhTrPuI
 vavor2vT7++Ha2Z7FV+715Jsn2f8OkW0UyFzb7PQsQKBgQDUG5H0XR34wqAfNgaZ
 lzJqDeh6Tg0v991t4imNd/yFBJEa4PyonM9m9ka9o13ySPyIuUyqvUDm0/geVH1g
 dn7o3rTVCKbfeCeDWaU00elMjtCezeDUlnsTgcHpLEpb/5uxJhAL2/KcMlOvHzGv
 ima5zj2tB0dvUfkCtzLthb/etwKBgQDTO4hNrTcNQBTg/XUG2TSERo6WslVOZjJ5
 70AlE9PYgqmoNUONg8XxGwj8n7lx+AY2BB0kfM9ANVc+BNjI2fqFLba2DYDGMpsq
 XrxR2SiRe8UCjftFgHSElIx/mGplgAbElGrSd+pkONwnxtE3E0JD/+y+/dKQeg9z
 iVraymnHcQKBgQC8/9gdU3/qcpo1VXGqGGTuxXfay4PKs2WWjUkTatATQw99UO8x
 25CfoWFFh7Wlt812kw6ysTKMvGJBvG1/r/bDz/Z4QV5Yj/s9enrQRx9IfZV9e9wT
 8ga3Sg8ck7+qnGgCAPWZa6KR9fJFgFlInt2MQS8J6AuKMRPejJmPtndSnwKBgFPP
 dCZ1yrkMKvyWNB+ygL7XC+5I9cX0kKSGxCmx80UdmtktwQ7eMOSYOHmbmkXZBgXa
 ngGDL+wm/eWSoL0Yl+jNmYgkVWrOW3h1PD0xb4JB3IpF8WPDMvgDxLc/rz90i7rl
 tHirsalwUhHKNeqnToySd8nUBf7jH0xVPGJBG7VRAoGBAIty6nRYERJkdWgzrrU+
 TmSxTAFi4hqc/RXMa7kda40SBp3339+/KxaNCQ5YUJjDI/cggEc/Tnm2MjkheH5W
 nBC1iP1A1g9wlk6Ak/RQIq8FRiQFdVwGU2Xa+dRQAyEj8Xq2KudmKkj1M630/kSg
 3qCwc3kKPf2N5fjAtHUwLLHP
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-2048-2.key
+++ b/pki/testdata/ssl/certificates/rsa-2048-2.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCncOKXlHiC4cH7
 YiXsOMc3Vh3OBN26dK/c9tiVG7zQU9EbXbUWz9NNI8+wUDwyBtrR54zH+5R9+cj/
 9QOPd2Vsv3wfaSIaR3qfsag/TK2rooYAis11F17lUHx02KZlZodagEuLCMgdlyIL
 F0RTW4+Nt9ZklEFMXHYxZW2odDiimaUl0tJ3//jGNEBQwHSS7BbA88vKBknjRP4d
 0lFZGJPM7VyEkYElp4qcTBvn4VY89lbgUdVcZjaMOtoUnK6DUZN7GAsWr222y7kc
 BEH5fFOWB2PrgKY//tb41fujm16u2r4jjHngZ8FSs5md3A7z1CP4ChpNF33k9z6s
 AzWb+GNhAgMBAAECggEAFFJdDeyVG71un6Xv2FWjyBGJmIF6r7CNz5GeA6rUJaym
 il27JsOeb5RTFqEGTUQLtsIVkgf0o713KamA/x6MjsBGvkEyRGI8fblAJD6YLWaS
 QOqXuQhXGhnEoSHSQChLcS50/LDaKM048oOmZT+NkrOnL5nWuv/V0HTw9Cr23LT6
 wMuefBrN9cr8ZMmlOMNvJaoTKbCxr6bg4bKjfGr40QX05GnLXaOhg74wWPWMCFZQ
 CfyFhCJvBcXk9Xifb2pMTk9GezfSd28JKy3XKjd2bUTD8KGStgnKvIB7FXVqaQb/
 QOTE0USkYn3l6g53fXWdgk9i87ZRHmMarTv4K8wvaQKBgQDbe6v0CS6ui5A4bliC
 z8EoZVmxxT+vgOf56ZOE65lGcPHOtTMDDL2u8MxqyjnWc7dXrw8FvfpurIe/TEU9
 Y5kCj9NUA08940RKX/5u5RDaW9X2cGVlv7yJSDbA1JxpUjSzc98VFWQJrFkhHBfI
 3eLdVLp+dHBBpGCgZuVQD2ymGwKBgQDDTJwspscuh9q9SWWgcyJv5ke+4MwosgkP
 g8IC2dFFHr3j3GoFnVrrVP6w8zzezNb2ba+9xGaohNgHjmwC203ZcdDCUxem3t/L
 GUM4+dCUC87nB/bGd772pu1jbZZ9bRUBvgf4x1zhlShQNnD+UL2/p/stzWl6SE47
 Yva2416kMwKBgCBZ7lKeN99KewuWWD2P2ezWY44sgOKhoY/YugHRqFoVs87ALrC4
 ZA0xOTBUdooBrHikORajlhJSJAAygdI2qAsUoBW2FywMH7jGxX4bDYziFHuqvYdt
 56BkoI1zyUpM76+z2KIG8SPr34dd2LOm4RW2s3aIOzOxwvxhrlNKsr0ZAoGBALTH
 4LUweKYo2aFoJKueiB0fBAC75CAzlVGIPHoZGK8r4sjfCkFCRJwcpFo1/n2bDc01
 AX3fJMwPlE2CV5dZW7nRslV/RyCPpIdDTkeab6nrOE4BwDw9MkbthEcKdUiLRevD
 9WsjWGX0hUmi63tuUAbuPwNJ5r5r2gb897WZyMyjAoGAYcNgSL1udQE7pEqrAl0t
 ffTbbTJQ487sZm3qhFNXtuitC3h6eXpJecsWRoB/Jnhi4cpSjWgYJzjV4rkZSF79
 es031jtdnPf6G94ZzjTKnkr4z34reDQusukuuD1SSsbURBGVacgZxkq0UaRAROfT
 BTPraf9GfA9BnUEIFdjeKwI=
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-2048-3.key
+++ b/pki/testdata/ssl/certificates/rsa-2048-3.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDW8jowfwvUgEye
 CyzXw4rrlw1+liz+s9nWucRN5t8dia9L9dQhT0aBg7mUKOQ7L1wcRwzPMVoyFF3G
 KsJw829iMm65P4fy+L9/C1XFfJ9x4rMeya9bHZuKxr29Ieia9KFAaWtASSngF6Uc
 zwvGJ4AZQzUIiE6Ku/ZpGBjki9k36LsufQIeOaEaoHlSPS1K6pMh9Br40xQ+FkB4
 OwFt7zNQygiSJt6NHvET4ib2i+0lZXRa32yl/dEJyf3aWT3iMxm4wLslLOI7Bud+
 y04bVYi6hw+JFUFmFCLkrMW/iZ69S3lUPoUO9xz8fuCR64KjwjSR4FFawZ7ZQUKf
 OUOu3dcXAgMBAAECggEAMss1AwbSxdm3wVVEuIwmBPxCHRrh8SKRJNPrVrlrGjDS
 MvIZufFg6PQ245MyM+ZCLxB/L2srNFBpxI2QO17bgGoIjlA8ESfFIQGNuEh16VS4
 HVtty+tYOVgzuEEOFagffvgqdxuTALi1tPQchSwKcm3WV3jWjqRSW41tPHzrzPEM
 gNw6mlLIUxgaxJ31SytDPfLcCxhjyY1cLOseAtD37x8HZVw52cojmjn0Uy2+TeLu
 6e34KqWzTcO8U7w4mBu6KyQYS5Q2GxR4eMfrja2nmQEJjjtL/MjPCr1RavzRmeO8
 j2w0GbTZaM2otzI21VbNpM+OmX3OkGmKiPNIm0HVKQKBgQDufzscdRfcJSng9Wb/
 kB1mr+AYZubzhHIVgN50UWnzqiLsVBWRGT6+y49z7dN3+4aGHXKjmV0Ceimi/6uC
 nNsZ1kfJrHWXmTbTslQlBxOwyMuBsolWBSZdaqoX3dhDNu7EbUPgWqWjrv412EhH
 UIH/mpmu8TgyA/SPT7BiHjuDcwKBgQDmuIkAYWseZ5iEWXPX2rH1XTtvKAHuzjf7
 yPk5QX+ZeTZiPZPzvn4I6x4kMjnpn5wrVkm5QMQVK2NKpaQwMtdkQcevVybXVJ/u
 0SMRHgXiesF6pG4YgREEJjbHdwmRgAaLffOPVSOvEGPc8ha1tEE7ZwgpKfjnCStC
 2VkmWpcczQKBgQDsn3MIUuxvULfyJ8ge+t8QyKIv07iEFv4Rc6BCC5xxUnX/v5T+
 NuvX5KLZRDaxLe5UFddtlXWARbAVtlB18CY5xi3HW8H3vN12v9FYQ2M33KB8d6Rm
 oglkWbWUpFgyp8fRPw8/AvCgK7ivt3xOtQOlk7+yoEU+6kmz/j5jutcVHQKBgQDP
 +ocdPbP3C4GzxIMlkHGc8fcyo0jiwSg8IxVuJHnmmhqJAmNNdGlelrtr+46y53s6
 oaUBhr17K8psrtZL0HjTWmyrxY8wyosFF6dZtcuuNeQVLwZDtozlRaFZuxd3/oVn
 1xjoGuJ42/h5Yg1QrHWlG6KCoOBLO7uwnga8CStw/QKBgQDSzUAJaak3XFAfdou3
 GxWLQJcOXB/WxrZA7gq6K2aWvkY80AOPMGLhVFXA8k1fLI7jn2f9x7Ff6PNrzclf
 mvvN6g6YH0vH9k+W6aHBnen8oGjW3XU4MHn7dPxfxPJ/MDT3toVAvD+6QnKFdd7o
 xCDad5+lKr6f0yyPije/ZDkSSA==
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-768-1.key
+++ b/pki/testdata/ssl/certificates/rsa-768-1.key
@ -0,0 +1,13 @@
 -----BEGIN PRIVATE KEY-----
 MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEAn8Be4Q88Bif6duPK
 vG+iyt96BFtCTUgjuNEwhcWoeSO6BeZPeu1VRqOHI7/GE4jHO6iVRCnhw9DJg5eb
 +p6zX1IWytyhke/psWBl3RNGXOvLucVWUJctS5pgKN1FNsILAgMBAAECYQCDjRaU
 nsb/CszmOo8ovYWBKqaAD+Z5XX6NIzah8jLaDuGRGic5Q1eF5APVHIcwbuDU2Fyv
 NIJqf768Gx/lUzmAlcGjF9hIRh5vrE4zfeCa2wSUjWNZPmqdTzjkM3r0NYECMQDM
 1ORCXgP/DYHQbCTRFvNA/jYaIXRjUs+HXefXe27jJD32W3Mf+lyIcBV/mR7lRkUC
 MQDHqJMkx3TiRsP2cYmG8citPrEjEA0TwPg181Kvi3N6aE5QzNHHLvl2nVJi7VPl
 VA8CMQCayYKY2J0if52K2D5WN4appbFSu9dNO4YSYJdT0jYwtfGRGvh7wOFuRW0p
 mJetYRUCMQCN9fiZoBAli3duVRAaGPQ86mR8r778mqphgd763kZ/dIaqwNcvruDF
 S9r2aBTM7FUCMD46f/dAx2EfxsAfn3lYQWVpuxFQpK+tIqYzjeKsu/zRaqEkcog5
 BOq06OV3qPYsVA==
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-768-2.key
+++ b/pki/testdata/ssl/certificates/rsa-768-2.key
@ -0,0 +1,13 @@
 -----BEGIN PRIVATE KEY-----
 MIIB5wIBADANBgkqhkiG9w0BAQEFAASCAdEwggHNAgEAAmEA4SDrD2C751/n+lHQ
 UBn5YynSU9hrO9ttTcnvMgqiL0gv2lAsx0N9QM0dg8rHsQodUYZotUQ0qbzCxzEw
 pRVTHcEYHSnjaO7OfsqpGke+66jK0VhsQBkGbU2RznY3at3fAgMBAAECYQCRzs4v
 QYmxy03ltENk/c2lyhptL4gUVoOulBEVqgls8iX8EV1PGYjwBWkOSLGZGmC3u4KI
 le1z9L9iZxO5GGO0SJ/bLW/pGofgHCikBjLmhhyLuV0oFsY6te/q21fWu2ECMQD0
 nbX+qhNgXYsZ96cb71ZfD80yGtu7dCVEYL/iC30P3BEztLabEIdVwmoUyBFfCDkC
 MQDrmwnyqGx431YH3uyBrlwbJhRvAFfwACMy+6sY54BZdaPni9hHcQoKrAiQOe92
 ptcCMQDcS5AUefybQ4M7bpIbkU7aq7NjVVbgGbhaPTtximElwE3pn+z390m6TS0V
 7Bvg1tkCMQCDkPdUJ1MziFvtV0IxBKHwkyoz9jglEJ6XWMxpwtT8n+HgakpjUq9t
 2DWL/J5JXs8CMQDsP+WjN9GzsQtuUMXEUxc1wgMVRFwvQ55hmXfeWaT2bgX+jpAn
 +SreMT1bErrH2M8=
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-768-3.key
+++ b/pki/testdata/ssl/certificates/rsa-768-3.key
@ -0,0 +1,13 @@
 -----BEGIN PRIVATE KEY-----
 MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEAtngFrnpogJ4DAPMt
 Jvxxl3vSNFdnNMlpRGlHpPqhtOHTzYzXvRvSmSGzpYhvzVCFujjTvtszd86yehxr
 +081ZtQbhHGhPKnudoPfqfYGUB6djJX4+I1pm2cWTOIXiGL7AgMBAAECYE7lbId5
 tA/Qwrm5a8+Mnc0DI+uv0xc280Y6Q1kpaZwdfQhGms3Q5umBcfzkFntvEfgMJstC
 KDWgH5Vo6v7oR/Hk8D0NzOyFNfEU10g72EG47PF2qFMlCZ3dTV5U3lPtOQIxAOfC
 NB/LuHFiMA5LeFlfbV0Fyj4Kr+lqtGdwClmX3+KgfTUj9RcEMs+34z+UpYXt3wIx
 AMmN/LkrZpwktp/iZuaKDvkA5foN660LguOt87/NdIN4l2hn8auEhwmh0Vno5gu2
 ZQIwf6kWFT2eh7ZSSk2AKZrLHyaFVM+GPsksPp4U1W03QhqtXYxFATyq0Ii2gNtc
 of15AjEAvCh2HnM61lebuYTE5UFLGv/QsfBe7GvLpDsXSx5FQBrK1ef7f1A4NDDB
 XLsETzjVAjAegTa8Fk65Qc3YODZhIcDRbJ195DLUaw7ETgpT0utLPH7Kkn1GNyZf
 wzlUtrz3r58=
 -----END PRIVATE KEY-----
--- a/pki/testdata/ssl/certificates/rsa-8200-1.key
+++ b/pki/testdata/ssl/certificates/rsa-8200-1.key
@ -0,0 +1,100 @@
 -----BEGIN PRIVATE KEY-----
 MIISRQIBADANBgkqhkiG9w0BAQEFAASCEi8wghIrAgEAAoIEAgCryOGbBSSQ/E53
 duYJ8JpWms7zJk8+FpvZGW8CwGH2Qjs9UQmqMhGKTNySND6Gfk+tAGxd8zWGayyJ
 rVhi5Sigr3+lPieGLt3TLke8LKysm0sSJU+xUUdZUTRjE3eff9Qb2NmgJ0uQIYic
 jSUDznRiOpblzEhX4Rw1Kiw+fkqqsnXRg1+gonL9EmWl28zoeQFvcGRyknZCDpyR
 K4Z667TuPoLk6F8S1IxyIEQPZciFbUnUTABbZTHQWZ33y7HmB3vc/P98PFilXsXH
 41h4AdxzN/5pTI7flRP/bu+4NiVHE/rM1h+ag29R1McxzxoOi9ToYgVRenjSSkgs
 /kjOELvBtIyivHNCwJjRrSXZi9fpZjgGTCqOg2mebU3qWDe0zL97jt9wGG612oFu
 pqCBFnBSn6L/dc03K9Ckx9xuRYv3upc4xOMQnOXKLb9/k/TPpTmSQEk1qhEGOoKw
 NC769IiTo69IxhJbB67gBVQzgJ5CVHfEzFid2SM1g59N3gNezjPb3y44ESlPJSfm
 I/S9Yg/divrE7F4BvFGDP5TIaN3sYZf0IEN6140bz3gNhCP5vD64xFt+Mn3sUfWo
 pAmUpKWY7u7YCn2B3XWg65jHelgzC+itLKHRMt0nSlKCLmIKS/UC/PnmRdNIekBh
 46tS29d3vC9cbeTpeZwneOEP789KO0yqeckGmZyktw6VvF7bFKDyrFQONeYz85No
 +dw3L54jnv4BV0bTwuv3CoU6MQI+DSfqaGxv5kmVxMDlLGpGJsezarUyrTseJBSE
 DxungNAGktEawqkyk7ZRWdAUSZlgX/qanVenJ3pwrWWagqkyW5BKmzh+EhnGXnoM
 t23+a2FjyoQRKYFhKL8pJ1QLBYJMNvqK+j2tUWHzgwwYV5YlOdDYz+U3+mQH7xOC
 d0Egg61ci0RmRBRTwLqHWvKhMpOD6JEFhuCEALSe6b73faNkaTvUFV6y7SDkkAea
 fLpBFosHCtGoC5ZwklD9rCKKxcdjJJESMi5RutOMYzA4Y9dayUBN7k1LVx0dw8ei
 ZbWBvETGT3qIbMI9hjvRnJ3x35KyoKbvFXDtbKCQ58HbfO5kk4BAEoFhete+UsFO
 KgMQoKue4Ps9sPNWVWwg7ZxrTKsHMje3dpklMNHdqtgHt69eio88z7zX4ZQPUEN6
 PVUPosX0qWtW/sHVet0iDt0BANKD9T8/iwrns9HbPd2d/LwAOyU0kywdNkplCFOP
 vNHaeSjbrIQq5/SEszLSmbh1kaNOimVBFwjie5Ju5q+4n2FahMtKkEqBajj1f4eT
 dR8hs4evuZaKkzs6jGvQyuI28lBfkz3M9cfumHAShfXoihZcwrb53CBmjN+UBe8l
 LaV0kGIknQIDAQABAoIEAR7kr337fMn+NfZSEaiz9m2gxZsAxrt5wWlXo5kxE+z/
 mDu8uSo8et8OV5SLhLsXOCj6rIJw3K1h1M6luAGBCL9tEF2dQeplv0rdRdVXi243
 N1b6Eszmuxga/Hrc42Rxzql7ZBfjOTmgbjsJPyDiHhgURVLqXBBB0ZrWDMLoX3E3
 Suz03Vu8G0Xb6x/a2YztRg7OfaIFKPNUQV/yHes5PH6kC1IzX/W499EGcHb8bQVh
 1Cczy9Sj7EN1+my32zRtIB9r+F5VU/PZiWQbRKvAWe72oPA67m7TFpeXUdElG6se
 srnnwCM/g+OJipEwl5UKHK32AtLWXagj57r/uAQnCj0ZxTj2/xuAG3uJ0ga/mYLF
 +UlYpUaf53ywV5TPbKU9NSp5VUGJg099Dk3h9XeBm42gW+XpP5CudoVL1B6Yr0VL
 7yosblFshf7IH2pIJ3y4UBQ3L3NRNGKUXzBlEhXbqDw08a76wA5S4WY0TyI7/Toc
 irV/smggxq43D40nYh/IoZbnGh7HJ1Cuc/B1guwUGJpVBigoAff58AbUhmNMSKzc
 GEG1E62h2iSoOQTlQLsG2ZjM509YsUCwtKcxaO+sdIN+ZMHBkTSrqR3ZgM5O+FGl
 0KBkKG3A4fjQ6umygbssUdHJwP9ii067fZydHxB1rNhBpZrPwJ0kW6rVmFQPYo4M
 +1ENsX0AIz8hLx+10G602hcWu8MVgqO+E1Yoo5n6eNxCbKootZwSRQSwcUXgE9m0
 Q1NHKHsK+pvjR/QyvoEr7SRmcox4PHcYID7EMfPMu2UtsIdRKi4NkIvmzE9a52s1
 MPoanT+t9a4Zte4nQ+htFFFQFt10ue8Vqm16wPJ97gnpEM8keQhVYrttIKDVr2vs
 QEcHJ/PgDeIihy44AbPTQKUYzZ4YEMAkDgoVsBq3Ktk8DTjxOZrZw7xq9xJPS9N3
 5oLaTcUX2670SZUpRAg4/wArQncuE2pfsYP+beaGnUATiYRd8GoDSYtPOSa7BcyN
 Eexo8tB5Kzmvgcypk5N5jefLaVdUdczroIlSDlUcdAQb35Yvnd7F3HLWXJtUIPbh
 LZTJwJWooQVJLDt2lzrg/HQnD+UaYNI1Z8/oMaZ+zUBvQ8gBzArO3SRGfRI7lzvk
 wcJM4LqBO0pIO67NzhVCyhJn7Ua3P++W9d7LULb5fqy/O64W2J2o2Xd9hZEdA47A
 6JidJ2yNsv0p3AUgtVebEhBRQs6bPX4/siYif3xgT1ZZb8fTtQBYWsW8LS4Itdf9
 WaJuUlfI7xdHpQnMVd5qiEjrDk02/x4JI4DmveO/pLyQAJ3qQpvGxXUZ70ecfSAk
 ASn2OADu76TclVlQ4hvZ5913jxx8PWHFykK3w7N82xGZAoICAQ4FzISY+EaKydn8
 jOfOirjfct+0x0PYeDZ3XFEq1CcW7nHARMxlGBe9IwEgoAn/RtLmHtSrscPLpN+8
 mXS8ucPZwxIrbg2tCTZ2FktxAHldz3Fr7aGGeT4F7jE3e0gwYgU1h+CIMyDZZY/H
 j/hANx1a+mAkDr7jafEuOe6nOfnWSuCaTPbyYcyGQ4pIe2Z5A0A6MFATT2Z2YOC6
 tW98BNtw9ucOFNo9ZNakB8ZZ4WOG4vpFSSoSO3xJ2STn5HwuO+j2UF0ptmt5H6Pc
 LzYnbbengq5H0dsnyw/sKbTO4jzXfORjxPhwpvrwNlNvs9hmLB6IKzfiN1PXKITS
 updr+Ts72zD1I95dF3F0TsefncBSY9qq8D0Nq08zF4yYanxPLOmqjc1iCoSWyx95
 RjNTiAoTWqmXvbtd4Z6OBU3M2m5QQYLu1mGcfKveRvW6KdueBhZwXEcY7Vb+pU3q
 1J+Omh4wCQiyuuwsGu6QXmfkcVBOhLDoKxzAQJlch1l3zJdAQoul3iCYnptz6weR
 47Ceg4cdP50KLvgboq4N1VJgI7ivMB9gfP+J/J7JogjUigoQNOLqb/X7Zwmv5ZIX
 ZaKIB39HtKFvo1b/zpZagnx4y1K39pUFY8Nm3v0xZNU+keT3FCjOk44L+sXhdu5F
 tbA81qb+7kBhZn9LMfz9sDTIUXq3OwKCAgEMQCGtq+7q0Scml0Ds5ORrymYX/zhh
 xrkc/jbEHefvq50cCE7Sxmvm+NdFDz3JEpenWR4zPR0+39j8lNCWUK6azUhvqSK/
 HYLLI2EDeUyeCQyULoNT4qva6wnJNuufjaNsOOmwwuBAIgurFKYaTEMD+m+1hYG9
 Pe4drKMm3e3Xdg9IlJdKmY7MY+chxeCuiPfGO/MAm0Rz8pcKo1/cd308HuDL+CnE
 LAFDYc7fa7oaj8i698m6QGeadltIPoggOTntoto659SK8ZLWOHsD3E2YC4Iq6dtQ
 U8p8qWqn2kdWbLPnRhy5BXFcxeVFAbJOvgFMlSw1cCpoOySczBDlSpRjZV3ZP0R3
 gCG6Hjh5N8S+N7aLtQQvurMa/9qz6e1p54LCkXqevDp52wwM2DnjC05J+FaevvWW
 FjIaE8SU+Que77xakQYu7Vk1T2MoTimDAjduqtSTIvDb4uX1WNjgkX66AWUCzbEt
 Gp67cMYh0DjwaLgos6t9XdRp5964m4YPewhAcpVppFV45MOKcBWD99d3nYgOGYs1
 D8+4wXHpEJoU7r0pdz0buljZ1+bPmOiViShWmQgxIrKOCpOMuLKQJl2zJyVam8MN
 dy8xYm3RZF3hCNyROeHp8lEt5dSOpw82LchW2f5ErVYatYzJu/opdu9ToczNuvdU
 /U0liMxSEBr3RgcCggIBBHQzEarEsSNEGcjtuHMR/MZ8ZjG1WQdYp3QiDmXcHM5b
 ziWTtJgnnuKkS6dhLcu3YyVUhZhDTj1QkQAGfd2z41E3dH325sEfO/0l97Bcxi/V
 w+DUCYn82IZpsZg9wCAeAimOjvKzyqtCZvir8d3zo49SF1dcl6UD8WcNX5AeCgzW
 m6Bm8cjq51t9+F4tU878CVpyHf0EKzdObhLfrhlmMY0f3yPJ28fET6iqD4Zc4I/n
 aDa5lnNUEZYjMmW1XPwSa1xRCkZFer1uH03AcSL05nB+QXzuWv24scYBOTy8/zYy
 pRhLZ93gK7RAjR/dr85EFS6LC6T+jdK5O/by7UWOVBIe/N3gFrDa0V5v51f7cyq4
 LKw+wiWlU/KWeEGxEOrVCSLzB1ksnhCHU+fhNExD2W9sTJG14d1f3EyfwqZeestj
 A4N49GgP8UcYotQOl4MJy/bEWJDCUe9v8d+0yTkyGoSHWgvq8zjPFRcl5TnaA/fs
 jYQwrWEjI5MQKoqyoRf4CwMUGqZfOmEHNdBQ0biHblML8YVahdPBSCd8qj1/GxoJ
 3u12xnO9mXHR1ZwsfCXJpolwJmFDyP/lmxFzZrxuJS9RYDVlXCzEIV1+NKrpacyk
 tZCQr2/tQ958eH73OBKChLOYinWjoVaLwALEQsYQJ9qxMiG9vJDVv9WUMi+uMZwh
 AoICAQeazA1OfPrBqWcYX9Ju6KlNNIFTCsIPpZws5vxpgDBUvSvIsH3BdPwlnySc
 qIMoioH1HX07Q+ti9AUfsDiPj0RDiOLgANTY0feeV7vbUceM4IUgNqAdRweX/jQt
 ZqleOIOW9OKopqLJP6sNH2uVycgvb6ckYHyEdEtxfrpC7EFjZWtt6lkB6BZTMgjS
 GH7gQceKMXg/6od7oW2WK4zllBV9KZkUzYCcvJACqHQjIJ0agsYlydFX57iIHnRD
 dSdjvuUYwhXtEhDKk5dt6ldkK7rl8gEHuQAtc7ZdSPs30i8BPdCkwnHMwimQI5np
 yrF827uZop7tqTWY+Upol1hvKpxlMZQJ5Uu1e7pYxj/hcb2PQj+JuDaU1Fg/WZlz
 7tBeSdrUimT9feNlKh7TH2QlAY2Dnuneqv9neeScPt0nmKIqOieSfV8mMcmZJXnA
 w54zAwws+db4ysIFITFj3QXS6/M1qGnMHF9edgjvod8drir3JtMFbcBePd0cdjLt
 QJRdkKrJNp0kyXZJtGU83O5WLShw3yO5kaP307/iPf8rMisqZLzX61RKIpvgncRj
 LIafZS4Uw3QVEPiB8kRZ52b6mhH7jAGqTbQPN3mVm4xvnKN0Z8+zOd2Lcf9m+8Mu
 S5AbbZEUs/YYECp2ZxZYHZwd28Vz3HodxSm6MGjLeeK7YrH7gwKCAgBm0zD2DvKK
 EfDQOk2DpnScdNkuYlRD7WADQfgKg6GheSWIvAi9Dh/Ks3ZIcVAcpQgWQoMlhTie
 ZudfSjWxfFwlTAYKfF1kUnlrOACz04ZqsFMzx7Ks1HkvG1KEBTenAetcDPcL1b79
 U01tql7T6NIkxwtOR/nr1CvxgJa2wuuLYiUIAyIQYY0c18FkyFii1nJuneGb/Zvf
 ctf+S5O+GuSOc+LjDSGIa8RZf5ScxRmKGj6OSrYRGrM7ZoS/psvGQSOJeITN5SNJ
 umAA89mfpz8V87HHn520Vo7G9vmm5pQr27Nu1RBQJBXgrhC5fWXBXk/zmnyqskDM
 Bcb1h3nppB6dr5263iy+HHMxS/L0m6kCUfxfj6A4d1/fTGbv1tRCtlR9Rq4EJxWr
 8n49pbluSvL5XZoJJH2PGjjxNurSpnXVRFFOjpvl73wE/X/bH/Gs8AMtIrpnBRmM
 viaX/AOym3DFU2RTgNIt8zmNtqq/NhAuQmYEhodODXtnzzquh4Z4EZmhfzq/do5e
 nGTfN4hN7a9ODtP9Gt+w2CBCnE+7OnWo6Asj+wK0H59c2wfSD68d5n+V7U+BHHkN
 E8uwIjFNZ+n3LRdH/iY7w4ujgIdZRcQuOMf00a3950mcJM0hz278FuDIipbMFCxG
 qrLjqBtCTH9vu/Df2F0JNICD6Ro21WM/YQ==
 -----END PRIVATE KEY-----
--- a/pki/verify_name_match_fuzzer.cc
+++ b/pki/verify_name_match_fuzzer.cc
@ -6,6 +6,7 @@
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <fuzzer/FuzzedDataProvider.h>
@ -24,11 +25,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<uint8_t> second_part =
      fuzzed_data.ConsumeRemainingBytes<uint8_t>();
-  bssl::der::Input in1(first_part.data(), first_part.size());
+  bssl::der::Input in1(first_part);
-  bssl::der::Input in2(second_part.data(), second_part.size());
+  bssl::der::Input in2(second_part);
  bool match = net::VerifyNameMatch(in1, in2);
  bool reverse_order_match = net::VerifyNameMatch(in2, in1);
  // Result should be the same regardless of argument order.
-  CHECK_EQ(match, reverse_order_match);
+  if (match != reverse_order_match) {
    abort();
  }
  return 0;
 }
--- a/pki/verify_name_match_normalizename_fuzzer.cc
+++ b/pki/verify_name_match_normalizename_fuzzer.cc
@ -18,9 +18,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    // produce the same output again.
    std::string renormalized_der;
    bool renormalize_success = net::NormalizeName(
-        bssl::der::Input(&normalized_der), &renormalized_der, &errors);
+        bssl::der::Input(normalized_der), &renormalized_der, &errors);
-    CHECK(renormalize_success);
+    if (!renormalize_success) {
-    CHECK_EQ(normalized_der, renormalized_der);
+      abort();
    }
    if (normalized_der != renormalized_der) {
      abort();
    }
  }
  return 0;
 }
--- a/pki/verify_name_match_unittest.cc
+++ b/pki/verify_name_match_unittest.cc
@ -71,20 +71,20 @@ class VerifyNameMatchSimpleTest
 TEST_P(VerifyNameMatchSimpleTest, ExactEquality) {
  std::string der;
  ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix(), &der));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der),
+  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der),
-                              SequenceValueFromString(&der)));
+                              SequenceValueFromString(der)));
  std::string der_extra_attr;
  ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
                           &der_extra_attr));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
+  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
-                              SequenceValueFromString(&der_extra_attr)));
+                              SequenceValueFromString(der_extra_attr)));
  std::string der_extra_rdn;
  ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn",
                           &der_extra_rdn));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn),
+  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn),
-                              SequenceValueFromString(&der_extra_rdn)));
+                              SequenceValueFromString(der_extra_rdn)));
 }
 // Ensure that a Name does not match another Name which is exactly the same but
@ -95,10 +95,10 @@ TEST_P(VerifyNameMatchSimpleTest, ExtraAttrDoesNotMatch) {
  std::string der_extra_attr;
  ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
                           &der_extra_attr));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
-                               SequenceValueFromString(&der_extra_attr)));
+                               SequenceValueFromString(der_extra_attr)));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
-                               SequenceValueFromString(&der)));
+                               SequenceValueFromString(der)));
 }
 // Ensure that a Name does not match another Name which has the same number of
@ -111,13 +111,13 @@ TEST_P(VerifyNameMatchSimpleTest, DupeAttrDoesNotMatch) {
  std::string der_extra_attr;
  ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
                           &der_extra_attr));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr),
-                               SequenceValueFromString(&der_extra_attr)));
+                               SequenceValueFromString(der_extra_attr)));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
-                               SequenceValueFromString(&der_dupe_attr)));
+                               SequenceValueFromString(der_dupe_attr)));
  // However, the name with a dupe attribute should match itself.
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr),
+  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr),
-                              SequenceValueFromString(&der_dupe_attr)));
+                              SequenceValueFromString(der_dupe_attr)));
 }
 // Ensure that a Name does not match another Name which is exactly the same but
@ -128,10 +128,10 @@ TEST_P(VerifyNameMatchSimpleTest, ExtraRdnDoesNotMatch) {
  std::string der_extra_rdn;
  ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn",
                           &der_extra_rdn));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
-                               SequenceValueFromString(&der_extra_rdn)));
+                               SequenceValueFromString(der_extra_rdn)));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn),
-                               SequenceValueFromString(&der)));
+                               SequenceValueFromString(der)));
 }
 // Runs VerifyNameMatchSimpleTest for all combinations of value_type and and
@ -156,11 +156,11 @@ TEST_P(VerifyNameMatchNormalizationTest, CaseInsensitivity) {
  std::string case_swap;
  ASSERT_TRUE(LoadTestData("ascii", value_type(), "case_swap", &case_swap));
  EXPECT_EQ(expected_result(),
-            VerifyNameMatch(SequenceValueFromString(&normal),
+            VerifyNameMatch(SequenceValueFromString(normal),
-                            SequenceValueFromString(&case_swap)));
+                            SequenceValueFromString(case_swap)));
  EXPECT_EQ(expected_result(),
-            VerifyNameMatch(SequenceValueFromString(&case_swap),
+            VerifyNameMatch(SequenceValueFromString(case_swap),
-                            SequenceValueFromString(&normal)));
+                            SequenceValueFromString(normal)));
 }
 // Verify matching folds whitespace (for the types which currently support
@ -172,11 +172,11 @@ TEST_P(VerifyNameMatchNormalizationTest, CollapseWhitespace) {
  ASSERT_TRUE(
      LoadTestData("ascii", value_type(), "extra_whitespace", &whitespace));
  EXPECT_EQ(expected_result(),
-            VerifyNameMatch(SequenceValueFromString(&normal),
+            VerifyNameMatch(SequenceValueFromString(normal),
-                            SequenceValueFromString(&whitespace)));
+                            SequenceValueFromString(whitespace)));
  EXPECT_EQ(expected_result(),
-            VerifyNameMatch(SequenceValueFromString(&whitespace),
+            VerifyNameMatch(SequenceValueFromString(whitespace),
-                            SequenceValueFromString(&normal)));
+                            SequenceValueFromString(normal)));
 }
 // Runs VerifyNameMatchNormalizationTest for each (expected_result, value_type)
@ -207,11 +207,11 @@ TEST_P(VerifyNameMatchDifferingTypesTest, NormalizableTypesAreEqual) {
  std::string der_2;
  ASSERT_TRUE(LoadTestData("ascii", value_type_2(), "unmangled", &der_2));
  if (TypesAreComparable(value_type_1(), value_type_2())) {
-    EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1),
+    EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1),
-                                SequenceValueFromString(&der_2)));
+                                SequenceValueFromString(der_2)));
  } else {
-    EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_1),
+    EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_1),
-                                 SequenceValueFromString(&der_2)));
+                                 SequenceValueFromString(der_2)));
  }
 }
@ -234,37 +234,37 @@ TEST_P(VerifyNameMatchDifferingTypesTest, NormalizableTypesInSubtrees) {
                           &der_2_extra_attr));
  if (TypesAreComparable(value_type_1(), value_type_2())) {
-    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
+    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1),
-                                    SequenceValueFromString(&der_2)));
+                                    SequenceValueFromString(der_2)));
-    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
+    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2),
-                                    SequenceValueFromString(&der_1)));
+                                    SequenceValueFromString(der_1)));
-    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn),
+    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn),
-                                    SequenceValueFromString(&der_2)));
+                                    SequenceValueFromString(der_2)));
-    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn),
+    EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn),
-                                    SequenceValueFromString(&der_1)));
+                                    SequenceValueFromString(der_1)));
  } else {
-    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
+    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
-                                     SequenceValueFromString(&der_2)));
+                                     SequenceValueFromString(der_2)));
-    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
+    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
-                                     SequenceValueFromString(&der_1)));
+                                     SequenceValueFromString(der_1)));
-    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn),
+    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn),
-                                     SequenceValueFromString(&der_2)));
+                                     SequenceValueFromString(der_2)));
-    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn),
+    EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn),
-                                     SequenceValueFromString(&der_1)));
+                                     SequenceValueFromString(der_1)));
  }
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
-                                   SequenceValueFromString(&der_2_extra_rdn)));
+                                   SequenceValueFromString(der_2_extra_rdn)));
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
-                                   SequenceValueFromString(&der_1_extra_rdn)));
+                                   SequenceValueFromString(der_1_extra_rdn)));
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_attr),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_attr),
-                                   SequenceValueFromString(&der_2)));
+                                   SequenceValueFromString(der_2)));
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_attr),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_attr),
-                                   SequenceValueFromString(&der_1)));
+                                   SequenceValueFromString(der_1)));
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
-                                   SequenceValueFromString(&der_2_extra_attr)));
+                                   SequenceValueFromString(der_2_extra_attr)));
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
-                                   SequenceValueFromString(&der_1_extra_attr)));
+                                   SequenceValueFromString(der_1_extra_attr)));
 }
 // Runs VerifyNameMatchDifferingTypesTest for all combinations of value types in
@ -293,8 +293,8 @@ TEST_P(VerifyNameMatchUnicodeConversionTest, UnicodeConversionsAreEqual) {
  ASSERT_TRUE(LoadTestData(prefix(), value_type_1(), "unmangled", &der_1));
  std::string der_2;
  ASSERT_TRUE(LoadTestData(prefix(), value_type_2(), "unmangled", &der_2));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1),
+  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1),
-                              SequenceValueFromString(&der_2)));
+                              SequenceValueFromString(der_2)));
 }
 // Runs VerifyNameMatchUnicodeConversionTest with prefix="unicode_bmp" for all
@ -351,12 +351,12 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidPrintableStringChars) {
    }
    der.replace(replace_location, 1, 1, c);
    // Verification should fail due to the invalid character.
-    EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
+    EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
-                                 SequenceValueFromString(&der)));
+                                 SequenceValueFromString(der)));
    std::string normalized_der;
    CertErrors errors;
    EXPECT_FALSE(
-        NormalizeName(SequenceValueFromString(&der), &normalized_der, &errors));
+        NormalizeName(SequenceValueFromString(der), &normalized_der, &errors));
  }
 }
@ -371,11 +371,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidIA5StringChars) {
    SCOPED_TRACE(c);
    der.replace(replace_location, 1, 1, c);
    bool expected_result = (c <= 127);
-    EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(&der),
+    EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(der),
-                                               SequenceValueFromString(&der)));
+                                               SequenceValueFromString(der)));
    std::string normalized_der;
    CertErrors errors;
-    EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(&der),
+    EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(der),
                                             &normalized_der, &errors));
  }
 }
@ -386,11 +386,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueExtraData) {
      LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid));
  // Verification should fail due to extra element in AttributeTypeAndValue
  // sequence.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -400,11 +400,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueShort) {
                           &invalid));
  // Verification should fail due to AttributeTypeAndValue sequence having only
  // one element.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -413,11 +413,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueEmpty) {
  ASSERT_TRUE(
      LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid));
  // Verification should fail due to empty AttributeTypeAndValue sequence.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -426,11 +426,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnBadAttributeType) {
  ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue",
                           "badAttributeType", &invalid));
  // Verification should fail due to Attribute Type not being an OID.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -440,11 +440,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueNotSequence) {
                           &invalid));
  // Verification should fail due to AttributeTypeAndValue being a Set instead
  // of a Sequence.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -452,11 +452,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnRdnNotSet) {
  std::string invalid;
  ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid));
  // Verification should fail due to RDN being a Sequence instead of a Set.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -464,11 +464,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnEmptyRdn) {
  std::string invalid;
  ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
  // Verification should fail due to RDN having zero AttributeTypeAndValues.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -484,11 +484,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnBmpStringSurrogates) {
  std::string invalid =
      normal.replace(replace_location, 4, std::string("\xd8\x35\xdc\x00", 4));
  // Verification should fail due to the invalid codepoints.
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
-                               SequenceValueFromString(&invalid)));
+                               SequenceValueFromString(invalid)));
  std::string normalized_der;
  CertErrors errors;
-  EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+  EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
                             &errors));
 }
@ -496,23 +496,23 @@ TEST(VerifyNameMatchTest, EmptyNameMatching) {
  std::string empty;
  ASSERT_TRUE(LoadTestData("valid", "Name", "empty", &empty));
  // Empty names are equal.
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&empty),
+  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(empty),
-                              SequenceValueFromString(&empty)));
+                              SequenceValueFromString(empty)));
  // An empty name normalized is unchanged.
  std::string normalized_empty_der;
  CertErrors errors;
-  EXPECT_TRUE(NormalizeName(SequenceValueFromString(&empty),
+  EXPECT_TRUE(NormalizeName(SequenceValueFromString(empty),
                            &normalized_empty_der, &errors));
-  EXPECT_EQ(SequenceValueFromString(&empty), der::Input(&normalized_empty_der));
+  EXPECT_EQ(SequenceValueFromString(empty), der::Input(normalized_empty_der));
  // An empty name is not equal to non-empty name.
  std::string non_empty;
  ASSERT_TRUE(
      LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&empty),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(empty),
-                               SequenceValueFromString(&non_empty)));
+                               SequenceValueFromString(non_empty)));
-  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&non_empty),
+  EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(non_empty),
-                               SequenceValueFromString(&empty)));
+                               SequenceValueFromString(empty)));
 }
 // Matching should succeed when the RDNs are sorted differently but are still
@ -522,10 +522,10 @@ TEST(VerifyNameMatchRDNSorting, Simple) {
  ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_1", &a));
  std::string b;
  ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_2", &b));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a),
+  EXPECT_TRUE(
-                              SequenceValueFromString(&b)));
+      VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b)));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b),
+  EXPECT_TRUE(
-                              SequenceValueFromString(&a)));
+      VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a)));
 }
 // Matching should succeed when the RDNs are sorted differently but are still
@ -536,10 +536,10 @@ TEST(VerifyNameMatchRDNSorting, DuplicateTypes) {
  ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_1", &a));
  std::string b;
  ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_2", &b));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a),
+  EXPECT_TRUE(
-                              SequenceValueFromString(&b)));
+      VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b)));
-  EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b),
+  EXPECT_TRUE(
-                              SequenceValueFromString(&a)));
+      VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a)));
 }
 TEST(VerifyNameInSubtreeInvalidDataTest, FailOnEmptyRdn) {
@ -549,12 +549,12 @@ TEST(VerifyNameInSubtreeInvalidDataTest, FailOnEmptyRdn) {
  ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
  // For both |name| and |parent|, a RelativeDistinguishedName must have at
  // least one AttributeTypeAndValue.
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&valid),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(valid),
-                                   SequenceValueFromString(&invalid)));
+                                   SequenceValueFromString(invalid)));
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid),
-                                   SequenceValueFromString(&valid)));
+                                   SequenceValueFromString(valid)));
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid),
-                                   SequenceValueFromString(&invalid)));
+                                   SequenceValueFromString(invalid)));
 }
 TEST(VerifyNameInSubtreeTest, EmptyNameMatching) {
@ -564,14 +564,14 @@ TEST(VerifyNameInSubtreeTest, EmptyNameMatching) {
  ASSERT_TRUE(
      LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty));
  // Empty name is in the subtree defined by empty name.
-  EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&empty),
+  EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(empty),
-                                  SequenceValueFromString(&empty)));
+                                  SequenceValueFromString(empty)));
  // Any non-empty name is in the subtree defined by empty name.
-  EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&non_empty),
+  EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(non_empty),
-                                  SequenceValueFromString(&empty)));
+                                  SequenceValueFromString(empty)));
  // Empty name is not in the subtree defined by non-empty name.
-  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&empty),
+  EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(empty),
-                                   SequenceValueFromString(&non_empty)));
+                                   SequenceValueFromString(non_empty)));
 }
 // Verify that the normalized output matches the pre-generated expected value
@ -587,14 +587,14 @@ TEST(NameNormalizationTest, TestEverything) {
  ASSERT_TRUE(LoadTestData("unicode", "mixed", "unnormalized", &raw_der));
  std::string normalized_der;
  CertErrors errors;
-  ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der,
+  ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der,
                            &errors));
-  EXPECT_EQ(SequenceValueFromString(&expected_normalized_der),
+  EXPECT_EQ(SequenceValueFromString(expected_normalized_der),
-            der::Input(&normalized_der));
+            der::Input(normalized_der));
  // Re-normalizing an already normalized Name should not change it.
  std::string renormalized_der;
  ASSERT_TRUE(
-      NormalizeName(der::Input(&normalized_der), &renormalized_der, &errors));
+      NormalizeName(der::Input(normalized_der), &renormalized_der, &errors));
  EXPECT_EQ(normalized_der, renormalized_der);
 }
@ -605,9 +605,9 @@ TEST(NameNormalizationTest, NormalizeCustom) {
  std::string normalized_der;
  CertErrors errors;
-  ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der,
+  ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der,
                            &errors));
-  EXPECT_EQ(SequenceValueFromString(&raw_der), der::Input(&normalized_der));
+  EXPECT_EQ(SequenceValueFromString(raw_der), der::Input(normalized_der));
 }
 }  // namespace net
--- a/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
+++ b/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
@ -24,12 +24,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<uint8_t> second_part =
      fuzzed_data.ConsumeRemainingBytes<uint8_t>();
-  bssl::der::Input in1(first_part.data(), first_part.size());
+  bssl::der::Input in1(first_part);
-  bssl::der::Input in2(second_part.data(), second_part.size());
+  bssl::der::Input in2(second_part);
  bool match = net::VerifyNameInSubtree(in1, in2);
  bool reverse_order_match = net::VerifyNameInSubtree(in2, in1);
  // If both InSubtree matches are true, then in1 == in2 (modulo normalization).
-  if (match && reverse_order_match)
+  if (match && reverse_order_match) {
-    CHECK(net::VerifyNameMatch(in1, in2));
+    if (!net::VerifyNameMatch(in1, in2)) {
      abort();
    }
  }
  return 0;
 }
--- a/pki/verify_signed_data_unittest.cc
+++ b/pki/verify_signed_data_unittest.cc
@ -55,10 +55,10 @@ void RunTestCase(VerifyResult expected_result,
  ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings));
  std::optional<SignatureAlgorithm> signature_algorithm =
-      ParseSignatureAlgorithm(der::Input(&algorithm));
+      ParseSignatureAlgorithm(der::Input(algorithm));
  ASSERT_TRUE(signature_algorithm);
-  der::Parser signature_value_parser((der::Input(&signature_value)));
+  der::Parser signature_value_parser((der::Input(signature_value)));
  std::optional<der::BitString> signature_value_bit_string =
      signature_value_parser.ReadBitString();
  ASSERT_TRUE(signature_value_bit_string.has_value())
@ -66,9 +66,9 @@ void RunTestCase(VerifyResult expected_result,
  bool expected_result_bool = expected_result == SUCCESS;
-  bool result = VerifySignedData(*signature_algorithm, der::Input(&signed_data),
+  bool result = VerifySignedData(*signature_algorithm, der::Input(signed_data),
                                 signature_value_bit_string.value(),
-                                 der::Input(&public_key), cache);
+                                 der::Input(public_key), cache);
  EXPECT_EQ(expected_result_bool, result);
 }