From 57ab29103c9bcb20bf6326129186886493dfde88ca95dff86fe2b96960461310 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Tue, 7 Jun 2022 06:28:40 +0000 Subject: [PATCH] Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111 --- openssl-1.1.1o.tar.gz | 3 + openssl-1.1.1o.tar.gz.asc | 11 ++ openssl-1_1.changes | 14 ++ openssl-1_1.spec | 3 +- ...ack-add-OPENSSL_s390xcap-environment.patch | 63 +++---- ...ack-add-support-for-pcc-and-kma-inst.patch | 73 +++----- openssl-update_expired_certificates.patch | 163 ++++++++++++++++++ 7 files changed, 242 insertions(+), 88 deletions(-) create mode 100644 openssl-1.1.1o.tar.gz create mode 100644 openssl-1.1.1o.tar.gz.asc create mode 100644 openssl-update_expired_certificates.patch diff --git a/openssl-1.1.1o.tar.gz b/openssl-1.1.1o.tar.gz new file mode 100644 index 0000000..b2592c0 --- /dev/null +++ b/openssl-1.1.1o.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f +size 9856386 diff --git a/openssl-1.1.1o.tar.gz.asc b/openssl-1.1.1o.tar.gz.asc new file mode 100644 index 0000000..e10c8b1 --- /dev/null +++ b/openssl-1.1.1o.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmJxMQAACgkQ2cTSbQ5g +RJH/jwf+OG8lS+nwcyvXkHyXQ5epfnFcbfTLVptjl/t91QjpPgxOdIe58JTnad6H +awt0YY55rfhOwogGFesmdXlgo9fgi84dxyCIAr31+Eaq7NOOfsBqtZFroSccKrUV +rTNvbUdPcgK7FPQNoeLZosN8iNevAiZaQEY23KkG/l/8VYdP5ey11GBHgm8KtjzT +q3uESlKi1MUtHwATnADsz+8isEIm7cfCbWdwDmqqmMzxzSTbAtbEqt9wGEJT5XxQ +4KJZcuIAYNF2v7+29qmqlJMOM9V78JjFz+Ec1u7z1RS74ITOtbC1T3OpB+eb7X1B +h/hs/SZqMNhuY3QHl8leAMaeFbq6Ng== +=8uBM +-----END PGP SIGNATURE----- diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 697a826..98fa0a4 100644 
--- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Jun 2 20:54:04 UTC 2022 - Jason Sikes + +- Update to 1.1.1o: [CVE-2022-1292, bsc#1199166] + * Fixed a bug in the c_rehash script which was not properly sanitising + shell metacharacters to prevent command injection. + * Rebased openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * Rebased openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch + +- Added openssl-update_expired_certificates.patch + * Openssl failed tests because of expired certificates. + * bsc#1185637 + * Sourced from https://github.com/openssl/openssl/pull/18446/commits + ------------------------------------------------------------------- Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 7e8946b..224554f 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -41,7 +41,7 @@ %define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" package! -Version: 1.1.1n +Version: 1.1.1o Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -120,6 +120,7 @@ Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch #PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes Patch73: openssl-1_1-FIPS-fix-error-reason-codes.patch +Patch74: openssl-update_expired_certificates.patch Requires: libopenssl1_1 = %{version}-%{release} BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) diff --git a/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch index dda6197..fd18ab3 100644 --- a/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch +++ b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch 
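Review bot: `Patch74` is added to openssl-1_1.spec without the provenance comment that the entry just above it carries (`#PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes` before `Patch73`). The spec alone therefore does not say where the replacement test key and certificates come from; that reference exists only in the .changes entry. A line such as `#PATCH-FIX-UPSTREAM bsc#1185637 Update expired test certificates (openssl/openssl pull 18446)` above `Patch74:` would keep the bug and upstream references next to the patch. The %prep section is outside this hunk, so if patches are applied by explicit per-patch lines there, a matching entry for 74 is needed as well.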
@@ -1,30 +1,9 @@ -From f39ad8dcaa75293968d2633d043de3f5fce4f37b Mon Sep 17 00:00:00 2001 -From: Patrick Steuer -Date: Mon, 30 Jan 2017 17:37:54 +0100 -Subject: [PATCH] s390x assembly pack: add OPENSSL_s390xcap environment - variable. - -The OPENSSL_s390xcap environment variable is used to set bits in the s390x -capability vector to zero. This simplifies testing of different code paths. - -Signed-off-by: Patrick Steuer - -Reviewed-by: Andy Polyakov -Reviewed-by: Rich Salz -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/6813) ---- - crypto/s390x_arch.h | 23 +- - crypto/s390xcap.c | 515 +++++++++++++++++++++++++++++++++++++++++++ - crypto/s390xcpuid.pl | 31 ++- - 3 files changed, 556 insertions(+), 13 deletions(-) - -Index: openssl-1.1.1e/crypto/s390x_arch.h -=================================================================== ---- openssl-1.1.1e.orig/crypto/s390x_arch.h 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/s390x_arch.h 2020-03-20 17:29:30.459520742 +0100 -@@ -49,6 +49,9 @@ struct OPENSSL_s390xcap_st { - +diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h +index 64e7ebb..34e04b4 100644 +--- a/crypto/s390x_arch.h ++++ b/crypto/s390x_arch.h +@@ -52,6 +52,9 @@ __attribute__ ((visibility("hidden"))) + #endif extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; +/* Max number of 64-bit words currently returned by STFLE */ @@ -33,7 +12,7 @@ Index: openssl-1.1.1e/crypto/s390x_arch.h /* convert facility bit number or function code to bit mask */ # define S390X_CAPBIT(i) (1ULL << (63 - (i) % 64)) -@@ -68,9 +71,15 @@ extern struct OPENSSL_s390xcap_st OPENSS +@@ -71,9 +74,15 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_KMA 0xb0 /* Facility Bit Numbers */ 
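Review bot: Upstream provenance is lost in this rebase, because the first hunk of openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch deletes the whole mail header. That header held commit `f39ad8dcaa75293968d2633d043de3f5fce4f37b`, the author, the `Signed-off-by`/`Reviewed-by` trailers and `(Merged from https://github.com/openssl/openssl/pull/6813)`; the patch now starts at `diff --git a/crypto/s390x_arch.h`. The same header removal happens in openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch (commit `e382f507fb67863be02bfa69b08533cc55f0cd96`, pull 9258), and the new openssl-update_expired_certificates.patch also begins directly at `diff --git`. Keeping the original header, or at least a short top-of-file note naming the upstream commit and pull request, lets a later reviewer check the carried diff against upstream instead of trusting the file name. That matters for patches that touch capability detection and test key material in a crypto library.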
@@ -52,7 +31,7 @@ Index: openssl-1.1.1e/crypto/s390x_arch.h /* Function Codes */ -@@ -78,6 +87,9 @@ extern struct OPENSSL_s390xcap_st OPENSS +@@ -81,6 +90,9 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_QUERY 0 /* kimd/klmd */ @@ -62,7 +41,7 @@ Index: openssl-1.1.1e/crypto/s390x_arch.h # define S390X_SHA3_224 32 # define S390X_SHA3_256 33 # define S390X_SHA3_384 34 -@@ -91,7 +103,12 @@ extern struct OPENSSL_s390xcap_st OPENSS +@@ -94,7 +106,12 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_AES_192 19 # define S390X_AES_256 20 @@ -75,10 +54,10 @@ Index: openssl-1.1.1e/crypto/s390x_arch.h # define S390X_TRNG 114 /* Register 0 Flags */ -Index: openssl-1.1.1e/crypto/s390xcap.c -=================================================================== ---- openssl-1.1.1e.orig/crypto/s390xcap.c 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/s390xcap.c 2020-03-20 17:29:58.011664305 +0100 +diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c +index 1097c70..da6af34 100644 +--- a/crypto/s390xcap.c ++++ b/crypto/s390xcap.c @@ -13,15 +13,51 @@ #include #include @@ -131,7 +110,7 @@ Index: openssl-1.1.1e/crypto/s390xcap.c void OPENSSL_vx_probe(void); struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; -@@ -30,6 +66,7 @@ void OPENSSL_cpuid_setup(void) +@@ -33,6 +69,7 @@ void OPENSSL_cpuid_setup(void) { sigset_t oset; struct sigaction ill_act, oact_ill, oact_fpe; @@ -139,7 +118,7 @@ Index: openssl-1.1.1e/crypto/s390xcap.c if (OPENSSL_s390xcap_P.stfle[0]) return; -@@ -37,6 +74,12 @@ void OPENSSL_cpuid_setup(void) +@@ -40,6 +77,12 @@ void OPENSSL_cpuid_setup(void) /* set a bit that will not be tested later */ OPENSSL_s390xcap_P.stfle[0] |= S390X_CAPBIT(0); 
@@ -152,7 +131,7 @@ Index: openssl-1.1.1e/crypto/s390xcap.c memset(&ill_act, 0, sizeof(ill_act)); ill_act.sa_handler = ill_handler; sigfillset(&ill_act.sa_mask); -@@ -51,6 +94,12 @@ void OPENSSL_cpuid_setup(void) +@@ -54,6 +97,12 @@ void OPENSSL_cpuid_setup(void) if (sigsetjmp(ill_jmp, 1) == 0) OPENSSL_s390x_facilities(); @@ -165,7 +144,7 @@ Index: openssl-1.1.1e/crypto/s390xcap.c /* protection against disabled vector facility */ if ((OPENSSL_s390xcap_P.stfle[2] & S390X_CAPBIT(S390X_VX)) && (sigsetjmp(ill_jmp, 1) == 0)) { -@@ -64,4 +113,470 @@ void OPENSSL_cpuid_setup(void) +@@ -67,4 +116,470 @@ void OPENSSL_cpuid_setup(void) sigaction(SIGFPE, &oact_fpe, NULL); sigaction(SIGILL, &oact_ill, NULL); sigprocmask(SIG_SETMASK, &oset, NULL); @@ -636,10 +615,10 @@ Index: openssl-1.1.1e/crypto/s390xcap.c + free(buff); + return rc; } -Index: openssl-1.1.1e/crypto/s390xcpuid.pl -=================================================================== ---- openssl-1.1.1e.orig/crypto/s390xcpuid.pl 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/s390xcpuid.pl 2020-03-20 17:29:30.459520742 +0100 +diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl +index 5cbb962..3602301 100755 +--- a/crypto/s390xcpuid.pl ++++ b/crypto/s390xcpuid.pl @@ -38,7 +38,26 @@ OPENSSL_s390x_facilities: stg %r0,S390X_STFLE+8(%r4) # wipe capability vectors stg %r0,S390X_STFLE+16(%r4) diff --git a/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch b/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch index 5b60e2b..26b21f5 100644 --- a/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch +++ b/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch 
@@ -1,25 +1,8 @@ -From e382f507fb67863be02bfa69b08533cc55f0cd96 Mon Sep 17 00:00:00 2001 -From: Patrick Steuer -Date: Thu, 27 Jun 2019 01:07:54 +0200 -Subject: [PATCH 08967/10000] s390x assembly pack: add support for pcc and kma - instructions - -Signed-off-by: Patrick Steuer - -Reviewed-by: Richard Levitte -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/9258) ---- - crypto/s390x_arch.h | 22 ++++++++ - crypto/s390xcap.c | 119 +++++++++++++++++++++++++++++++++++++++++++ - crypto/s390xcpuid.pl | 71 ++++++++++++++++++++++++++ - 3 files changed, 212 insertions(+) - -Index: openssl-1.1.1d/crypto/s390x_arch.h -=================================================================== ---- openssl-1.1.1d.orig/crypto/s390x_arch.h -+++ openssl-1.1.1d/crypto/s390x_arch.h -@@ -26,6 +26,9 @@ void s390x_kmf(const unsigned char *in, +diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h +index 34e04b4..a156c97 100644 +--- a/crypto/s390x_arch.h ++++ b/crypto/s390x_arch.h +@@ -26,6 +26,9 @@ void s390x_kmf(const unsigned char *in, size_t len, unsigned char *out, unsigned int fc, void *param); void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in, size_t len, unsigned char *out, unsigned int fc, void *param); @@ -37,8 +20,8 @@ Index: openssl-1.1.1d/crypto/s390x_arch.h + unsigned long long kdsa[2]; }; - extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; -@@ -69,6 +74,8 @@ extern struct OPENSSL_s390xcap_st OPENSS + #if defined(__GNUC__) && defined(__linux) +@@ -72,6 +77,8 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_KMF 0x90 # define S390X_PRNO 0xa0 # define S390X_KMA 0xb0 
@@ -47,7 +30,7 @@ Index: openssl-1.1.1d/crypto/s390x_arch.h /* Facility Bit Numbers */ # define S390X_MSA 17 /* message-security-assist */ -@@ -80,6 +87,7 @@ extern struct OPENSSL_s390xcap_st OPENSS +@@ -83,6 +90,7 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_VXD 134 /* vector packed decimal */ # define S390X_VXE 135 /* vector enhancements 1 */ # define S390X_MSA8 146 /* message-security-assist-ext. 8 */ @@ -55,7 +38,7 @@ Index: openssl-1.1.1d/crypto/s390x_arch.h /* Function Codes */ -@@ -111,10 +119,24 @@ extern struct OPENSSL_s390xcap_st OPENSS +@@ -114,10 +122,24 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_SHA_512_DRNG 3 # define S390X_TRNG 114 @@ -80,11 +63,11 @@ Index: openssl-1.1.1d/crypto/s390x_arch.h +# define S390X_KDSA_D 0x80 #endif -Index: openssl-1.1.1d/crypto/s390xcap.c -=================================================================== ---- openssl-1.1.1d.orig/crypto/s390xcap.c -+++ openssl-1.1.1d/crypto/s390xcap.c -@@ -137,6 +137,10 @@ void OPENSSL_cpuid_setup(void) +diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c +index da6af34..3d762fd 100644 +--- a/crypto/s390xcap.c ++++ b/crypto/s390xcap.c +@@ -140,6 +140,10 @@ void OPENSSL_cpuid_setup(void) OPENSSL_s390xcap_P.prno[1] &= cap.prno[1]; OPENSSL_s390xcap_P.kma[0] &= cap.kma[0]; OPENSSL_s390xcap_P.kma[1] &= cap.kma[1]; @@ -95,7 +78,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c } } -@@ -163,6 +167,8 @@ static int parse_env(struct OPENSSL_s390 +@@ -166,6 +170,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) .kmf = {0ULL, 0ULL}, .prno = {0ULL, 0ULL}, .kma = {0ULL, 0ULL}, @@ -104,7 +87,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; /*- -@@ -189,6 +195,8 @@ static int parse_env(struct OPENSSL_s390 +@@ -192,6 +198,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) .kmf = {0ULL, 0ULL}, .prno = {0ULL, 0ULL}, .kma = {0ULL, 0ULL}, 
@@ -113,7 +96,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; /*- -@@ -220,6 +228,8 @@ static int parse_env(struct OPENSSL_s390 +@@ -223,6 +231,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) .kmf = {0ULL, 0ULL}, .prno = {0ULL, 0ULL}, .kma = {0ULL, 0ULL}, @@ -122,7 +105,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; /*- -@@ -257,6 +267,8 @@ static int parse_env(struct OPENSSL_s390 +@@ -260,6 +270,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) .kmf = {0ULL, 0ULL}, .prno = {0ULL, 0ULL}, .kma = {0ULL, 0ULL}, @@ -131,7 +114,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; /*- -@@ -313,6 +325,9 @@ static int parse_env(struct OPENSSL_s390 +@@ -316,6 +328,9 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) 0ULL}, .prno = {0ULL, 0ULL}, .kma = {0ULL, 0ULL}, @@ -141,7 +124,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; /*- -@@ -369,6 +384,9 @@ static int parse_env(struct OPENSSL_s390 +@@ -372,6 +387,9 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) 0ULL}, .prno = {0ULL, 0ULL}, .kma = {0ULL, 0ULL}, @@ -151,7 +134,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; /*- -@@ -429,6 +447,9 @@ static int parse_env(struct OPENSSL_s390 +@@ -432,6 +450,9 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) | S390X_CAPBIT(S390X_SHA_512_DRNG), 0ULL}, .kma = {0ULL, 0ULL}, @@ -161,7 +144,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; /*- -@@ -508,6 +529,101 @@ static int parse_env(struct OPENSSL_s390 +@@ -511,6 +532,101 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) | S390X_CAPBIT(S390X_AES_192) | S390X_CAPBIT(S390X_AES_256), 0ULL}, @@ -263,7 +246,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c }; char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1]; -@@ -551,6 +667,8 @@ static int parse_env(struct OPENSSL_s390 +@@ -554,6 +670,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) else if TOK_FUNC(kmf) else if TOK_FUNC(prno) else if TOK_FUNC(kma) 
@@ -272,7 +255,7 @@ Index: openssl-1.1.1d/crypto/s390xcap.c /* CPU model tokens */ else if TOK_CPU(z900) -@@ -561,6 +679,7 @@ static int parse_env(struct OPENSSL_s390 +@@ -564,6 +682,7 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) else if TOK_CPU(zEC12) else if TOK_CPU(z13) else if TOK_CPU(z14) @@ -280,10 +263,10 @@ Index: openssl-1.1.1d/crypto/s390xcap.c /* whitespace(ignored) or invalid tokens */ else { -Index: openssl-1.1.1d/crypto/s390xcpuid.pl -=================================================================== ---- openssl-1.1.1d.orig/crypto/s390xcpuid.pl -+++ openssl-1.1.1d/crypto/s390xcpuid.pl +diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl +index 3602301..344f4f6 100755 +--- a/crypto/s390xcpuid.pl ++++ b/crypto/s390xcpuid.pl @@ -77,8 +77,13 @@ OPENSSL_s390x_functions: stg %r0,S390X_PRNO+8(%r4) stg %r0,S390X_KMA(%r4) diff --git a/openssl-update_expired_certificates.patch b/openssl-update_expired_certificates.patch new file mode 100644 index 0000000..0ea5432 --- /dev/null +++ b/openssl-update_expired_certificates.patch 
@@ -0,0 +1,163 @@ +diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem +index e3e66d5..28dd206 100644 +--- a/test/certs/embeddedSCTs1-key.pem ++++ b/test/certs/embeddedSCTs1-key.pem +@@ -1,15 +1,27 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k +-WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X +-EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB +-AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g +-PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf +-flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU +-X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ +-pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA +-b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt +-9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR +-83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs +-n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ +-1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== ++MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw ++XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT ++48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ ++b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L ++eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG ++a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm ++tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf ++3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r ++zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF ++nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ ++XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw ++ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ ++S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi 
++BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3 ++2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn ++MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU ++JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn ++j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA ++jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu ++ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk ++3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P ++o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI ++fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1 ++5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP ++RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4= + -----END RSA PRIVATE KEY----- +diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem +index d1e8512..d2a111f 100644 +--- a/test/certs/embeddedSCTs1.pem ++++ b/test/certs/embeddedSCTs1.pem +@@ -1,20 +1,21 @@ + -----BEGIN CERTIFICATE----- +-MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk ++MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk + MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX +-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw +-MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu +-c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G +-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/ +-BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk +-EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw +-FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q +-Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD +-VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w +-DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK +-BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L 
+-vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw +-KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG +-SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE +-oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr +-5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg ++YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy ++NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3 ++DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK ++/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE ++FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI ++0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I ++QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S ++wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB ++CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I ++Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD ++ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI ++/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB ++u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ ++BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR ++RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1 ++IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W ++YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw== + -----END CERTIFICATE----- +diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct +index 59362dc..35c9eb9 100644 +--- a/test/certs/embeddedSCTs1.sct ++++ b/test/certs/embeddedSCTs1.sct +@@ -2,11 +2,11 @@ Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C: + 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64 +- Timestamp : Apr 5 17:04:16.275 2013 GMT ++ Timestamp : Jan 1 00:00:00.000 2020 GMT + Extensions: none + Signature : ecdsa-with-SHA256 +- 
30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F: +- D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3: +- E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2: +- F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1: +- 05:51:9D:89:ED:BF:08 +\ No newline at end of file ++ 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A: ++ D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4: ++ BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F: ++ 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7: ++ 60:EB:A8:AF:03:5E:C3 +\ No newline at end of file +diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem +index 1fa449d..6aa9455 100644 +--- a/test/certs/embeddedSCTs1_issuer.pem ++++ b/test/certs/embeddedSCTs1_issuer.pem +@@ -1,18 +1,18 @@ + -----BEGIN CERTIFICATE----- +-MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk ++MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk + MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX +-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw +-MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu +-c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf +-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 +-jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP +-KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL +-svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk +-tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG +-A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO +-MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB +-/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt +-OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy +-f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP +-OwqULg== ++YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw ++ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy 
++YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w ++gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG ++0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 ++SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG ++acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw ++wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw ++CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB ++MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD ++AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq +++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo ++2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c ++Doud4XrO + -----END CERTIFICATE----- +diff --git a/test/ct_test.c b/test/ct_test.c +index 78d11ca..535897d 100644 +--- a/test/ct_test.c ++++ b/test/ct_test.c +@@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name) + if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) + goto end; + fixture->test_case_name = test_case_name; +- fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */ ++ fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */ + if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new()) + || !TEST_int_eq( + CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
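Review bot: The new `fixture->epoch_time_in_ms` value in test/ct_test.c is a bare constant whose dependency on the regenerated fixtures is not documented. It has to fall after the `Jan 1 00:00:00.000 2020 GMT` timestamp now recorded in test/certs/embeddedSCTs1.sct, presumably because the CT policy evaluation treats SCTs dated later than this time as invalid. Stating that in the comment would keep a future certificate refresh from silently desynchronising the two, for example `/* Jan 29 22:01:47 2020 GMT; must not be earlier than the timestamp in test/certs/embeddedSCTs1.sct */`, which also keeps the date style of the comment being replaced. The body of set_up() continues outside the hunk.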