forked from pool/openssl-1_1
Accepting request 613477 from security:tls
OBS-URL: https://build.opensuse.org/request/show/613477 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=4
This commit is contained in:
commit
e46d77e829
802
0001-Limit-scope-of-CN-name-constraints.patch
Normal file
802
0001-Limit-scope-of-CN-name-constraints.patch
Normal file
@ -0,0 +1,802 @@
|
|||||||
|
From c2c2c7b3f1df94f9a447cc3cf8196579543cc57e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Viktor Dukhovni <openssl-users@dukhovni.org>
|
||||||
|
Date: Fri, 18 May 2018 09:09:51 -0400
|
||||||
|
Subject: [PATCH 1/2] Limit scope of CN name constraints
|
||||||
|
|
||||||
|
Don't apply DNS name constraints to the subject CN when there's a
|
||||||
|
least one DNS-ID subjectAlternativeName.
|
||||||
|
|
||||||
|
Don't apply DNS name constraints to subject CN's that are sufficiently
|
||||||
|
unlike DNS names. Checked name must have at least two labels, with
|
||||||
|
all labels non-empty, no trailing '.' and all hyphens must be
|
||||||
|
internal in each label. In addition to the usual LDH characters,
|
||||||
|
we also allow "_", since some sites use these for hostnames despite
|
||||||
|
all the standards.
|
||||||
|
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
||||||
|
---
|
||||||
|
crypto/asn1/a_strex.c | 50 -----------
|
||||||
|
crypto/include/internal/asn1_int.h | 2 -
|
||||||
|
crypto/x509v3/v3_ncons.c | 140 +++++++++++++++++++++++++----
|
||||||
|
test/certs/alt1-cert.pem | 39 ++++----
|
||||||
|
test/certs/alt1-key.pem | 52 +++++------
|
||||||
|
test/certs/badalt6-cert.pem | 35 ++++----
|
||||||
|
test/certs/badalt6-key.pem | 52 +++++------
|
||||||
|
test/certs/badalt7-cert.pem | 33 ++++---
|
||||||
|
test/certs/badalt7-key.pem | 52 +++++------
|
||||||
|
test/certs/badcn1-cert.pem | 20 +++++
|
||||||
|
test/certs/badcn1-key.pem | 28 ++++++
|
||||||
|
test/certs/goodcn1-cert.pem | 22 +++++
|
||||||
|
test/certs/goodcn1-key.pem | 28 ++++++
|
||||||
|
test/certs/setup.sh | 25 ++++--
|
||||||
|
test/recipes/25-test_verify.t | 8 +-
|
||||||
|
15 files changed, 376 insertions(+), 210 deletions(-)
|
||||||
|
create mode 100644 test/certs/badcn1-cert.pem
|
||||||
|
create mode 100644 test/certs/badcn1-key.pem
|
||||||
|
create mode 100644 test/certs/goodcn1-cert.pem
|
||||||
|
create mode 100644 test/certs/goodcn1-key.pem
|
||||||
|
|
||||||
|
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
|
||||||
|
index 75bc4319c7..ec7ac5a30c 100644
|
||||||
|
--- a/crypto/asn1/a_strex.c
|
||||||
|
+++ b/crypto/asn1/a_strex.c
|
||||||
|
@@ -613,53 +613,3 @@ int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in)
|
||||||
|
*out = stmp.data;
|
||||||
|
return stmp.length;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
-/* Return 1 if host is a valid hostname and 0 otherwise */
|
||||||
|
-int asn1_valid_host(const ASN1_STRING *host)
|
||||||
|
-{
|
||||||
|
- int hostlen = host->length;
|
||||||
|
- const unsigned char *hostptr = host->data;
|
||||||
|
- int type = host->type;
|
||||||
|
- int i;
|
||||||
|
- signed char width = -1;
|
||||||
|
- unsigned short chflags = 0, prevchflags;
|
||||||
|
-
|
||||||
|
- if (type > 0 && type < 31)
|
||||||
|
- width = tag2nbyte[type];
|
||||||
|
- if (width == -1 || hostlen == 0)
|
||||||
|
- return 0;
|
||||||
|
- /* Treat UTF8String as width 1 as any MSB set is invalid */
|
||||||
|
- if (width == 0)
|
||||||
|
- width = 1;
|
||||||
|
- for (i = 0 ; i < hostlen; i+= width) {
|
||||||
|
- prevchflags = chflags;
|
||||||
|
- /* Value must be <= 0x7F: check upper bytes are all zeroes */
|
||||||
|
- if (width == 4) {
|
||||||
|
- if (*hostptr++ != 0 || *hostptr++ != 0 || *hostptr++ != 0)
|
||||||
|
- return 0;
|
||||||
|
- } else if (width == 2) {
|
||||||
|
- if (*hostptr++ != 0)
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
- if (*hostptr > 0x7f)
|
||||||
|
- return 0;
|
||||||
|
- chflags = char_type[*hostptr++];
|
||||||
|
- if (!(chflags & (CHARTYPE_HOST_ANY | CHARTYPE_HOST_WILD))) {
|
||||||
|
- /* Nothing else allowed at start or end of string */
|
||||||
|
- if (i == 0 || i == hostlen - 1)
|
||||||
|
- return 0;
|
||||||
|
- /* Otherwise invalid if not dot or hyphen */
|
||||||
|
- if (!(chflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN)))
|
||||||
|
- return 0;
|
||||||
|
- /*
|
||||||
|
- * If previous is dot or hyphen then illegal unless both
|
||||||
|
- * are hyphens: as .- -. .. are all illegal
|
||||||
|
- */
|
||||||
|
- if (prevchflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN)
|
||||||
|
- && ((prevchflags & CHARTYPE_HOST_DOT)
|
||||||
|
- || (chflags & CHARTYPE_HOST_DOT)))
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- return 1;
|
||||||
|
-}
|
||||||
|
diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h
|
||||||
|
index f70e3b47ba..a0c65318d5 100644
|
||||||
|
--- a/crypto/include/internal/asn1_int.h
|
||||||
|
+++ b/crypto/include/internal/asn1_int.h
|
||||||
|
@@ -90,5 +90,3 @@ struct asn1_pctx_st {
|
||||||
|
unsigned long oid_flags;
|
||||||
|
unsigned long str_flags;
|
||||||
|
} /* ASN1_PCTX */ ;
|
||||||
|
-
|
||||||
|
-int asn1_valid_host(const ASN1_STRING *host);
|
||||||
|
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
|
||||||
|
index 2eec405a36..c4b0551a03 100644
|
||||||
|
--- a/crypto/x509v3/v3_ncons.c
|
||||||
|
+++ b/crypto/x509v3/v3_ncons.c
|
||||||
|
@@ -297,47 +297,151 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
|
||||||
|
+{
|
||||||
|
+ int utf8_length; /* Return type of ASN1_STRING_to_UTF8 */
|
||||||
|
+ int i;
|
||||||
|
+ unsigned char *utf8_value;
|
||||||
|
+ int isdnsname = 0;
|
||||||
|
+
|
||||||
|
+ /* Don't leave outputs uninitialized */
|
||||||
|
+ *dnsid = NULL;
|
||||||
|
+ *idlen = 0;
|
||||||
|
+
|
||||||
|
+ /*-
|
||||||
|
+ * Per RFC 6125, DNS-IDs representing internationalized domain names appear
|
||||||
|
+ * in certificates in A-label encoded form:
|
||||||
|
+ *
|
||||||
|
+ * https://tools.ietf.org/html/rfc6125#section-6.4.2
|
||||||
|
+ *
|
||||||
|
+ * The same applies to CNs which are intended to represent DNS names.
|
||||||
|
+ * However, while in the SAN DNS-IDs are IA5Strings, as CNs they may be
|
||||||
|
+ * needlessly encoded in 16-bit Unicode. We perform a conversion to UTF-8
|
||||||
|
+ * to ensure that we get an ASCII representation of any CNs that are
|
||||||
|
+ * representable as ASCII, but just not encoded as ASCII. The UTF-8 form
|
||||||
|
+ * may contain some non-ASCII octets, and that's fine, such CNs are not
|
||||||
|
+ * valid legacy DNS names.
|
||||||
|
+ *
|
||||||
|
+ * Note, 'int' is the return type of ASN1_STRING_to_UTF8() so that's what
|
||||||
|
+ * we must use for 'utf8_length'.
|
||||||
|
+ */
|
||||||
|
+ if ((utf8_length = ASN1_STRING_to_UTF8(&utf8_value, cn)) < 0)
|
||||||
|
+ return X509_V_ERR_OUT_OF_MEM;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Some certificates have had names that include a *trailing* NUL byte.
|
||||||
|
+ * Remove these harmless NUL characters. They would otherwise yield false
|
||||||
|
+ * alarms with the following embedded NUL check.
|
||||||
|
+ */
|
||||||
|
+ while (utf8_length > 0 && utf8_value[utf8_length - 1] == '\0')
|
||||||
|
+ --utf8_length;
|
||||||
|
+
|
||||||
|
+ /* Reject *embedded* NULs */
|
||||||
|
+ if ((size_t)utf8_length != strlen((char *)utf8_value))
|
||||||
|
+ return X509_V_ERR_UNSPECIFIED;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * XXX: Deviation from strict DNS name syntax, also check names with '_'
|
||||||
|
+ * Check DNS name syntax, any '-' or '.' must be internal,
|
||||||
|
+ * and on either side of each '.' we can't have a '-' or '.'.
|
||||||
|
+ *
|
||||||
|
+ * If the name has just one label, we don't consider it a DNS name. This
|
||||||
|
+ * means that "CN=sometld" cannot be precluded by DNS name constraints, but
|
||||||
|
+ * that is not a problem.
|
||||||
|
+ */
|
||||||
|
+ for (i = 0; i < utf8_length; ++i) {
|
||||||
|
+ unsigned char c = utf8_value[i];
|
||||||
|
+
|
||||||
|
+ if ((c >= 'a' && c <= 'z')
|
||||||
|
+ || (c >= 'A' && c <= 'Z')
|
||||||
|
+ || (c >= '0' && c <= '9')
|
||||||
|
+ || c == '_')
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ /* Dot and hyphen cannot be first or last. */
|
||||||
|
+ if (i > 0 && i < utf8_length - 1) {
|
||||||
|
+ if (c == '-')
|
||||||
|
+ continue;
|
||||||
|
+ /*
|
||||||
|
+ * Next to a dot the preceding and following characters must not be
|
||||||
|
+ * another dot or a hyphen. Otherwise, record that the name is
|
||||||
|
+ * plausible, since it has two or more labels.
|
||||||
|
+ */
|
||||||
|
+ if (c == '.'
|
||||||
|
+ && utf8_value[i + 1] != '.'
|
||||||
|
+ && utf8_value[i - 1] != '-'
|
||||||
|
+ && utf8_value[i + 1] != '-') {
|
||||||
|
+ isdnsname = 1;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ isdnsname = 0;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (isdnsname) {
|
||||||
|
+ *dnsid = utf8_value;
|
||||||
|
+ *idlen = (size_t)utf8_length;
|
||||||
|
+ return X509_V_OK;
|
||||||
|
+ }
|
||||||
|
+ OPENSSL_free(utf8_value);
|
||||||
|
+ return X509_V_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
|
||||||
|
{
|
||||||
|
int r, i;
|
||||||
|
+ GENERAL_NAMES *gens = NULL;
|
||||||
|
X509_NAME *nm;
|
||||||
|
-
|
||||||
|
ASN1_STRING stmp;
|
||||||
|
GENERAL_NAME gntmp;
|
||||||
|
+
|
||||||
|
stmp.flags = 0;
|
||||||
|
stmp.type = V_ASN1_IA5STRING;
|
||||||
|
gntmp.type = GEN_DNS;
|
||||||
|
gntmp.d.dNSName = &stmp;
|
||||||
|
|
||||||
|
+ gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
|
||||||
|
+ if (gens != NULL) {
|
||||||
|
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
||||||
|
+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
|
||||||
|
+
|
||||||
|
+ if (gen->type == GEN_DNS) {
|
||||||
|
+ GENERAL_NAMES_free(gens);
|
||||||
|
+ return X509_V_OK;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ GENERAL_NAMES_free(gens);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
nm = X509_get_subject_name(x);
|
||||||
|
|
||||||
|
/* Process any commonName attributes in subject name */
|
||||||
|
|
||||||
|
for (i = -1;;) {
|
||||||
|
X509_NAME_ENTRY *ne;
|
||||||
|
- ASN1_STRING *hn;
|
||||||
|
+ ASN1_STRING *cn;
|
||||||
|
+ unsigned char *idval;
|
||||||
|
+ size_t idlen;
|
||||||
|
+
|
||||||
|
i = X509_NAME_get_index_by_NID(nm, NID_commonName, i);
|
||||||
|
if (i == -1)
|
||||||
|
break;
|
||||||
|
ne = X509_NAME_get_entry(nm, i);
|
||||||
|
- hn = X509_NAME_ENTRY_get_data(ne);
|
||||||
|
- /* Only process attributes that look like host names */
|
||||||
|
- if (asn1_valid_host(hn)) {
|
||||||
|
- unsigned char *h;
|
||||||
|
- int hlen = ASN1_STRING_to_UTF8(&h, hn);
|
||||||
|
- if (hlen <= 0)
|
||||||
|
- return X509_V_ERR_OUT_OF_MEM;
|
||||||
|
+ cn = X509_NAME_ENTRY_get_data(ne);
|
||||||
|
|
||||||
|
- stmp.length = hlen;
|
||||||
|
- stmp.data = h;
|
||||||
|
-
|
||||||
|
- r = nc_match(&gntmp, nc);
|
||||||
|
-
|
||||||
|
- OPENSSL_free(h);
|
||||||
|
+ /* Only process attributes that look like host names */
|
||||||
|
+ if ((r = cn2dnsid(cn, &idval, &idlen)) != X509_V_OK)
|
||||||
|
+ return r;
|
||||||
|
+ if (idlen == 0)
|
||||||
|
+ continue;
|
||||||
|
|
||||||
|
- if (r != X509_V_OK)
|
||||||
|
- return r;
|
||||||
|
- }
|
||||||
|
+ stmp.length = idlen;
|
||||||
|
+ stmp.data = idval;
|
||||||
|
+ r = nc_match(&gntmp, nc);
|
||||||
|
+ OPENSSL_free(idval);
|
||||||
|
+ if (r != X509_V_OK)
|
||||||
|
+ return r;
|
||||||
|
}
|
||||||
|
return X509_V_OK;
|
||||||
|
}
|
||||||
|
diff --git a/test/certs/alt1-cert.pem b/test/certs/alt1-cert.pem
|
||||||
|
index b94d0eaf9d..d68b0e5193 100644
|
||||||
|
--- a/test/certs/alt1-cert.pem
|
||||||
|
+++ b/test/certs/alt1-cert.pem
|
||||||
|
@@ -1,22 +1,21 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
-MIIDlTCCAn2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGgxIzAh
|
||||||
|
-BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
|
||||||
|
-Z29vZC5vcmcxEzARBgNVBAMMCkpvZSBCbG9nZ3MxFTATBgNVBAMMDGFueS5nb29k
|
||||||
|
-LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAv1X8S8uUpnjTa
|
||||||
|
-3bv7m1jJbbX7bC9w7k4TfxiU5XL/m3EhN//EUBJSoamy6vFC6oy/6jA8XmptlVrY
|
||||||
|
-Sp3ZKFdjdZh+CyYZKcrv4JReF2lfRIINn6d6EgcAobGTNwdcv67xuNtMi0meAvmK
|
||||||
|
-gLjOa/IhCHNC+l8vNDJx/a+7mxH+yNxPL6lC/kJMja6oaYndx74WJpPC22LJ/cCp
|
||||||
|
-xspKKsoPYYjk0BX9RvbKO8s4b86Wjzzntht+NpQ4LLh9XwPZog11qGE4UIrsV8XA
|
||||||
|
-YxJrMGQNZd69cnCOz8vnOVCszFOa4qVvXeAGr0iFlZAXbQJevpiiXaXHMEt8C1qH
|
||||||
|
-xpcW8DcCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUw8nB25NP0gUaFCrOwAO5KzllnREw
|
||||||
|
-HwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMwCQYDVR0TBAIwADBIBgNV
|
||||||
|
-HREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNvbYENZ29vZEBnb29kLm9y
|
||||||
|
-Z4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQBUnDMrg1py
|
||||||
|
-8/iYXzs11Qbw7bBhc/HQDpu5QVgriaX2zDUpTLSEUV7qZFSHmwWm91ILw2VA1Xni
|
||||||
|
-ua2sF19o/tJT0ZHpapkfqGpfsym2H04NDMKy0l0fSZhlCB5Kv5wpiFt9hBUrxS/2
|
||||||
|
-Dd6Kg+Ka02nD5QBXSAk/xz0FmgezzGGCLjg85/Sfe9Y7tNhQXh3HuGXuJizYccdQ
|
||||||
|
-Fh1IAFYW3DZoDKS7dDTCltvDEma/2IE684+CRJiA6PH9rYfJ1CCUfAMpyA85CxKT
|
||||||
|
-P68GDKI++WoUgM8LDfxS0KOL7A9cqcpM2L27hjyEgnqIBPHFfm9fxztBotuCTl5L
|
||||||
|
-vRlTFVjv65nn
|
||||||
|
+MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
+IE5DIENBIDEwIBcNMTgwNTE2MDIzODEzWhgPMjExODA1MTcwMjM4MTNaMFQxIzAh
|
||||||
|
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRgwFgYDVQQDDA93d3cu
|
||||||
|
+ZXhhbXBsZS5uZXQxEzARBgNVBAMMCkpvZSBCbG9nZ3MwggEiMA0GCSqGSIb3DQEB
|
||||||
|
+AQUAA4IBDwAwggEKAoIBAQDTqvf6j+WxCtn4RU8/6uXXgCTcksv6NDXCZ9JAz4Vv
|
||||||
|
+cQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzPlrt36cevsoPmpuqGbHrUaOLneme2
|
||||||
|
+x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awcid4SiotLOY2F1jBazmqprqKZBUiyQ
|
||||||
|
+XqpSp+9uSav77ydwDXCrQozBdns1YRshgU9omQrTcIqHCj1f9Lo+A2y4+TZYZkvS
|
||||||
|
+DuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24N+zz3O3jwH82BZEjzavw92J9npJB
|
||||||
|
+UXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnVpchwr3VHAgMBAAGjgZgwgZUwHQYD
|
||||||
|
+VR0OBBYEFHvLhGWckFjVXdDI3ds9Wti6zgXAMB8GA1UdIwQYMBaAFAjRm/nm1WRw
|
||||||
|
+oPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYDVR0RBEEwP4IMd3d3Lmdvb2Qub3Jn
|
||||||
|
+ggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgA
|
||||||
|
+ATANBgkqhkiG9w0BAQsFAAOCAQEATVcTyrAxsehdQNrkL6kquXxWlyegJcxvVxUe
|
||||||
|
+hfh9+Lw4620b2S1/l2YxFM3peLAsRgJOznmJOeG18+y7/kx/3UNqYGY7e8iJQ3Gl
|
||||||
|
+JwDIJp5JCaUOlodjhMJtRc7jn9RcsL97oizXdcryyWT0vSlM9Pie9NtHG5iq5X4+
|
||||||
|
+oL3X8+OG25MOkF2h3YVCEG3vDu7quyTlHc2ebwpdLZRndcOewO2Cap1ettyWXUPP
|
||||||
|
+Mha6wyJE8LJhrGmrI8Lw+i7gGscP0xYZn3yCLk5BtOabn4dvCiDmb+TPruKQQARw
|
||||||
|
+BG45LEZzGxz+Ad3xRdZyVi1I67v9YShoYTCpMTSxJaR0erH74g==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
diff --git a/test/certs/alt1-key.pem b/test/certs/alt1-key.pem
|
||||||
|
index b5d4d326c5..6df050a38f 100644
|
||||||
|
--- a/test/certs/alt1-key.pem
|
||||||
|
+++ b/test/certs/alt1-key.pem
|
||||||
|
@@ -1,28 +1,28 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwL9V/EvLlKZ40
|
||||||
|
-2t27+5tYyW21+2wvcO5OE38YlOVy/5txITf/xFASUqGpsurxQuqMv+owPF5qbZVa
|
||||||
|
-2Eqd2ShXY3WYfgsmGSnK7+CUXhdpX0SCDZ+nehIHAKGxkzcHXL+u8bjbTItJngL5
|
||||||
|
-ioC4zmvyIQhzQvpfLzQycf2vu5sR/sjcTy+pQv5CTI2uqGmJ3ce+FiaTwttiyf3A
|
||||||
|
-qcbKSirKD2GI5NAV/Ub2yjvLOG/Olo8857YbfjaUOCy4fV8D2aINdahhOFCK7FfF
|
||||||
|
-wGMSazBkDWXevXJwjs/L5zlQrMxTmuKlb13gBq9IhZWQF20CXr6Yol2lxzBLfAta
|
||||||
|
-h8aXFvA3AgMBAAECggEAa073DcqQvhq3DSIw4wm/+DfW5nwXzF1QB6XAR0yI453j
|
||||||
|
-IuhEnzcGPeKuLBmZFxDWoptRG8fpCZFs4kPSTomxFGizewlp6O5ykfPAKR2VzMwF
|
||||||
|
-geCiWPL0f+dWlD1Byu4moXsASDE6tL/UuAAvnl+7R2HvL6SfsdGiTQc4qAvvyukM
|
||||||
|
-szks+MePHSlXmL5Eld7HfKgpvxY1SbYOQU0aPXAQAnLaOT931q+tgZMG6nBWN+pu
|
||||||
|
-w5bgKCA26BMAAaUAdIIDEa9fjzkpXjElCT4qhJYVKQn9Pb7aSc4jihSpCknqbb9c
|
||||||
|
-55nW5PWMZJyCbCOUG/SVTblXV+NmhdtwrgUbHImXIQKBgQDcb/7vp+rq06uNx3b4
|
||||||
|
-AjTZdzCVbHM8gp7b1GkGD0SncrzX6RxPSzNn7d4AUKY065bwa89A+TRwV8DSo7G8
|
||||||
|
-hxjzdU/FKCg8ce0eqoCtWjIT2r+rV2P9dFhfRT5jdOwHrym8LeSGzANjIBNV7FOf
|
||||||
|
-FIRkQ1BVD0QSPla+26ASqsw60wKBgQDMnEzChQWgAsBelALmGaj/wDdWDUXK8xRg
|
||||||
|
-s7dG1Sx41SLk39SAjCUYXPyy8IHBitJtPZNDp23tR4/m8Ui1pB2T0EnlzBsuzrZ/
|
||||||
|
-0aCbJnQ08FXE8iVajrgce4ZCdT8vkeH8EVhqDpJIlAhoKy3HaoAr4o2/uRoGDpHZ
|
||||||
|
-iAbDLTEOjQKBgFrp4dXLhkqFNArMShetKUjLLIFj8f7xzDzT1ODH6UO6QYI2xRM6
|
||||||
|
-65+gbd/pYzMOOvk7LYYZgXQX7RGyq3oaqcK3Dkg88KNFRUtRfLKCMYcYv9YVu8pr
|
||||||
|
-cosQTtPMBBCDQI44yziA6aC3OOJGDpLcbmG/lWEPY762cSZUBCfOw147AoGAd8S+
|
||||||
|
-AdcPtdwmcrY9BCfdDuea/JoEUon7UaehDqtVvt0z8bk7kIt4Y0x69ttleL8j8aHr
|
||||||
|
-g9yLsisDhvGR2BFa5t0zhHn3J20E0skINAlMWHieHAyJ5PpJtxJvQpOTCutf1sbo
|
||||||
|
-dBxXcHiGe0NbJrGmmQmiY6mcHBOHOEgxfSoE3zkCgYAc+ozIr3xmUcooUeA7uqpd
|
||||||
|
-LvGGqHThGrtXVFIErOIcajC9bHEeZw4Do/oT5L7Wr7pOZ20VUmuRvwytd7IYYTVV
|
||||||
|
-g+nIyKaMttEaCzHEsO0CQUHexOkJbL4rpc3HiK5hIhL8Yo2L/obQgCxYmvyChpo3
|
||||||
|
-sXJAoFllBNfAK3aanFOR1Q==
|
||||||
|
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDTqvf6j+WxCtn4
|
||||||
|
+RU8/6uXXgCTcksv6NDXCZ9JAz4VvcQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzP
|
||||||
|
+lrt36cevsoPmpuqGbHrUaOLneme2x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awci
|
||||||
|
+d4SiotLOY2F1jBazmqprqKZBUiyQXqpSp+9uSav77ydwDXCrQozBdns1YRshgU9o
|
||||||
|
+mQrTcIqHCj1f9Lo+A2y4+TZYZkvSDuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24
|
||||||
|
+N+zz3O3jwH82BZEjzavw92J9npJBUXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnV
|
||||||
|
+pchwr3VHAgMBAAECggEACPTB+1sdV+lioaulF8pDoWOtq5uWf+a3o5sq/U0Kk1WP
|
||||||
|
++PSZnWWq6oGZyzxUKhf8CFjxt+qJUKY6Zbo2AnPk3B1MkXTclYV/iP9LIoo+WzCH
|
||||||
|
+EoYaBB6MTd+ycg/jri8oqEnxHgo/681yhtXRyePj0ZHI7OVZjI3tyhJfvoHQmuci
|
||||||
|
+u6qYYUP0GWuyM+kHS11vn6Q1U8nOZWvXpEDXDDdJ7+2QRuv01AXcjFxpbFzkMn2W
|
||||||
|
+JkhKkCTIQpUU66VMRHwNexi+TR2rRESq0G+fa+6gaVFVIs0vBukq48IeC5W21j1L
|
||||||
|
+zyftHxci67FlYC9iaiUxDVt3KB+lcukx6Cz5mjtzqQKBgQD/GrAtFfjiXKj9O5ld
|
||||||
|
+K7dnnBHE8fzyWQWyOfwpVjNAC1J7tgwFvDpBpTHOwS5JnCwMWWM3rkBPRhCusmrF
|
||||||
|
+AtfE8b643G+cJbTgDuEhGh11QR0p9VWMVFQL9kZxx12PegDtFBfzcfcI3XQwKVKL
|
||||||
|
+ZbQn4ibW3BKSt9+Nh3APa0s5iwKBgQDUaTxZBajTdzoDd6Pg3warL5BhsxWr2tUQ
|
||||||
|
+qf+iVoba2Y9NTBdxBht2whSaYweU9kxmeNZvnCu95B8HeRGE69Dxb7IWwpsaxoaf
|
||||||
|
+ND0NcCF7aPZgx7hvhbHF7duzt3nuv+q5sOuuyHPzm+nF2snAuY3Zg+Bpv3nlYekf
|
||||||
|
+18aXZdwStQKBgEpF8e9ei1UUl1sLZC6dUMvIw9+sePHye1cVzNYYM9m8sio0qbFt
|
||||||
|
+ySRdvW+uDRT/dE+wItQOVsj95FOIvM9ZcYr0u4vFGnXDALOPgXqKyPLfn2cc9+hg
|
||||||
|
+kQvei0oLOrFQWz6rcAHAN6WMHIz9KvxNAzPtg1NhRcMT5/Gj8jt7CK7bAoGAIeKz
|
||||||
|
+7OO5Phr8F0eDzkDmGHMbDmr6XxMnAGSOUoCJPOqOMN+dsbsusHBfxw1bTUlJgONw
|
||||||
|
+GhgI5l85EAEhaVoRWCLgfz8GbWwUV9uGjdlAjiZ9f4z9AFWMua2rae0wN4VIVd1C
|
||||||
|
+i/yQeuF5lsXDf8paNcQTDeus74oCHcFXfhmS1S0CgYB2q8E+H0kFHbUxkIZYwhsM
|
||||||
|
+r0lTecn+kVsyPPje2UlzfTwvcC9dFIC4ppCdJGUJAwi/PJnr6xNyOH6I1pjUA8ER
|
||||||
|
+Aofm4Oj2DwX8W+81oO71/RXSfEFUjdOw0H6iRDyvWa1gqftj2/aWjV7Ifdo49thx
|
||||||
|
+EzX/9GdsRInifN6FfOfo/A==
|
||||||
|
-----END PRIVATE KEY-----
|
||||||
|
diff --git a/test/certs/badalt6-cert.pem b/test/certs/badalt6-cert.pem
|
||||||
|
index fbe040b52c..f41568f6ee 100644
|
||||||
|
--- a/test/certs/badalt6-cert.pem
|
||||||
|
+++ b/test/certs/badalt6-cert.pem
|
||||||
|
@@ -1,22 +1,21 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
-MIIDljCCAn6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGkxIjAg
|
||||||
|
+MIIDeDCCAmCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
+IE5DIENBIDEwIBcNMTgwNTE2MDMyNjMyWhgPMjExODA1MTcwMzI2MzJaMGkxIjAg
|
||||||
|
BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDYxFzAVBgNVBAMMDm90aGVy
|
||||||
|
Lmdvb2Qub3JnMRMwEQYDVQQDDApKb2UgQmxvZ2dzMRUwEwYDVQQDDAxhbnkuZ29v
|
||||||
|
-ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKz8F/ndKz0vuv
|
||||||
|
-BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu
|
||||||
|
-9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd
|
||||||
|
-7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+
|
||||||
|
-6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb
|
||||||
|
-jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8
|
||||||
|
-1L6m8ngXAgMBAAGjgZgwgZUwHQYDVR0OBBYEFBIKyD5bUUNIFxlQJl/rBvvIm0XZ
|
||||||
|
-MB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYD
|
||||||
|
-VR0RBEEwP4IMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5v
|
||||||
|
-cmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG9w0BAQsFAAOCAQEAa2lydA7a
|
||||||
|
-YgRhYeIuPEtR+bKyDkIKNjvx2IRL/FL70s/IWFWDK1rpsMYLGNa7rWpW5gq4T6zb
|
||||||
|
-JIwC/770Rw1p+0j9eAC95d2wCEhyNcLdoP4ch7whr0MhxYHUJ8zQGPdQ97DWGoEB
|
||||||
|
-2seLjrhMrX004TM4UlM+lpjsb88QEcD+kOEhdDTKm0ABUygOr1KRay437mtUhAzb
|
||||||
|
-WyUbAjKbhgyv6IFRNHKy6YtCMugPihn+Pd1NY6c2ACRVOAUS/+rvVyjxBCATW5Wk
|
||||||
|
-zAtNIxYgcm3rYRroGYT2BGj8Ic7oqPOWPdGWhsieX0c+y2ZnS727Kwc5tXFfW9By
|
||||||
|
-GH32QmEN5o5jZQ==
|
||||||
|
+ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl46xhstHmmYhp
|
||||||
|
+XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ
|
||||||
|
+E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP
|
||||||
|
+DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc
|
||||||
|
+qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg
|
||||||
|
+gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2
|
||||||
|
+KRL2Le8jAgMBAAGjezB5MB0GA1UdDgQWBBRJJljvheyfKr9neNplhIMIFx25QjAf
|
||||||
|
+BgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMCwGA1Ud
|
||||||
|
+EQQlMCOBDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG
|
||||||
|
+9w0BAQsFAAOCAQEAPfRFkpkTsPlH54n/i3kxR8Hw17kUOV0/v39fnNzV+PXS/IIU
|
||||||
|
+9OFfP7qNeuoWVQKXCwNWGWYXb7O0LNJMJQWWtyXtzWH3rOSxdSRIrTsCVHA41Lbo
|
||||||
|
+te2nrfnGMtg6em51Do6Kk0JM304sVAWl5OY/eckBmuDgN/5WfZudOLd8Ohv8vZ6U
|
||||||
|
+ZNoSBNpu1x5gfEPywMUGAgbkNZVpzNAfulx3/D2kWk0qwEKqnphUyaXiTVqO49gr
|
||||||
|
+n1LwSVdqBcmapBmEO3puV4TBWFwM49iMMNGn0fp/JBVsLjt+q7TK96qGBo/BSEL+
|
||||||
|
+e2TXTNpdkn3l+ZK2FYdf7s8fytoe+6o92dN+fA==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
diff --git a/test/certs/badalt6-key.pem b/test/certs/badalt6-key.pem
|
||||||
|
index 203a4c7a00..782d69334a 100644
|
||||||
|
--- a/test/certs/badalt6-key.pem
|
||||||
|
+++ b/test/certs/badalt6-key.pem
|
||||||
|
@@ -1,28 +1,28 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKz8F/ndKz0vuv
|
||||||
|
-BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu
|
||||||
|
-9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd
|
||||||
|
-7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+
|
||||||
|
-6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb
|
||||||
|
-jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8
|
||||||
|
-1L6m8ngXAgMBAAECggEBAJNMHK8BAvzTqTPPsfAGu4bTvgxRdKGy609FFAiqxUF3
|
||||||
|
-UmQsCZEfgwyqCszFPfSeS43xuPRukObE6L6MV4ls8GwWqvp1nKfCClJX3/9jK6tq
|
||||||
|
-2tDQ416a7Wb+FvfgW0tDEg7oLKfcqRyAoQFNuxWHbGDiTQlz2dzzFYkzhlzBDUYH
|
||||||
|
-/pu9qkNFGfYMFwsBUd8pp8zMnv552CCIgalBBFr1hy9q47HBaJPaF2/CjZJmsqkp
|
||||||
|
-rVMBH7+j0y1DW3JO5rSKcRdz+mgEd9m/yQIazvBPJKxeGza8JfLBuACYFLIoO1S+
|
||||||
|
-b8s/zmQPHeZwTxSsM64M1uYi4dmJy0viozLlWsjrE1ECgYEA/GxGG/lB1mL+Hzmc
|
||||||
|
-kXzWmA2nLPxZXGxMBOYH/n8l4OyDmKi2Bmly7kS0kLdY6gYTVBWFCRcvPxf+UJu9
|
||||||
|
-x4NcKDkjXVXSg7Muux3Bh1JoRCOKB2Hk3pqdDe55GcT5bSikkd5PYCNobcnqzSK1
|
||||||
|
-HzKveDdukraZxIPFpVs1VM9/gxMCgYEAza+BJUAEWoq925a1RKlMwdXW1ONBhFqU
|
||||||
|
-fXon15fgycHkiYIBGbGE65Oyz8BwE6jNAT+SwKlNCc6jPAkXvEUpczEi5Rcox8Ec
|
||||||
|
-hNoXBHcBxHEhtfV2VKX5I9JFAadmvnfS5St7HjRLzE2Y6xym1+fKfnAlSLpdb3W2
|
||||||
|
-eRqVBi3F020CgYEA6K/yrQTHwRX+BdC42JCIzSAA1IJG6eDW7skR43NX+pBr+sTD
|
||||||
|
-DwQTszrYbHLnXst888zmluutXO8EO1Bl0E3yHQ4W4IolhcweLtUOOm0nunA8Y/PE
|
||||||
|
-48MJNfd34N5nw01s7x5Mc2YQdOxmKvVsmzbA9AO9RTdYZgPGpVh/wA+LDssCgYBh
|
||||||
|
-F2+G/ekQNF3awhFfD+vDtAVtCLlsmLVvZbJY+sCJfJU8s7mBP2LXMSk/GD/Ph+b9
|
||||||
|
-p9zGRSSwdHJpbIFfxeYDEja+nWgKowWrUKd83BBhgmW/Vtc8rfwlBKS+Wx8M2dMb
|
||||||
|
-iqLbZyRAlICSuzumvyu+84EmC5L/gjlYgUvHVuQDIQKBgHH7q3hrKI5mQ0BR9h75
|
||||||
|
-4yP98c+Duz8IsQllIG0gzCiiOYIVTl3uzTCa/E9Sa+jG+kFsCeUDchmC6LmHdF/Z
|
||||||
|
-ZHfECcQT4B37xMMwvjwNW7E6/FyRx3XC762Fd5vlz3fBuVKburfh1JpfpcO85Wvo
|
||||||
|
-R1UfsJugW9Yetsqd9WB6q3ln
|
||||||
|
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl46xhstHmmYhp
|
||||||
|
+XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ
|
||||||
|
+E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP
|
||||||
|
+DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc
|
||||||
|
+qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg
|
||||||
|
+gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2
|
||||||
|
+KRL2Le8jAgMBAAECggEBAMcDjTTa2GmYWoZUr+UPizqyvsTnMmg/NoFBhy9WJVne
|
||||||
|
+kpR3kJvvm30XNiEGbCV1GGryL5p7w5UVuPXjhQ7xIkY3feQNC4H361iP93HK7dXJ
|
||||||
|
+i9V9AfGCdLzSuILsT2Wpm88MifUQIpqrRmqtqakKHkyMFG655409rpYlZNVogl9H
|
||||||
|
+vzrTE8rjysNMjP+bpbgkxUJfeATw8OYhEwd9ahj/E0r0r2enYhGEP3j+1zYsGdmM
|
||||||
|
+L2Uy4M+modaAWpZg5pUWpFjxl+V2cSJHdaQc8KYg8Z8RUyzYipFk3YzjP5jtprq5
|
||||||
|
+dHf9FqlcXk+MtzcYe+x8mIb3uwZhOtdpnUqe5l+GTyECgYEA9j++rS9sajQzMqp0
|
||||||
|
+p+EptacD/p7A3wldIDGEpPJsSQL+vhcigyn4iPCM1pGWR4iuR7Od9RpQSf3Tfnqc
|
||||||
|
+ZwUJQOpiYpxo1+QlqlBJkDjDRztp+kETZAgzc084ZhwQv9PfYyxa+8layQFhnClt
|
||||||
|
+Z9G0o4AV1povVeQLO5+9CQZQ4VMCgYEA7v4WuydzlLGKppsJEG8vvieR64mjOfO4
|
||||||
|
+gHBMEYnzEeTZPDvIfEfguM1upJCvt5GXp3huVHCAsFgs6kDjVbpIL1A2HzrMPtOa
|
||||||
|
+MNDSOrpuLcakAgEgx2VFv4TMnA1QKPg3//YCqEqqTJyX0C4OwaADRZJS7YfHp9lg
|
||||||
|
+mpv90baE8PECgYAv3oxulj15F9SsEL7Es9yr11/La4kK0oMr8vRaLFYoi1CCG3U2
|
||||||
|
+Ej6iQEDgpUSVe1iFz8DxGMBq4dDvUV5+GFiIKggeK1GmRk+cICdsxdwQSNh9MZFX
|
||||||
|
+bNCzpb7M+r+2yrUuTj0RnT7svDwBY3xFJlr7PbcBFNAG3mHgoVjaHEQ0yQKBgHbS
|
||||||
|
+zepvSv/65bzACFmrbklU0zAQVp9RlcIGE0wFEl0rMvbHon5oHkrDmOcpKLRUJtqU
|
||||||
|
+/gXtiY4jyPEPIfhVjd44OzB7w2DZRChRKrUYS/9ma9SzSuDYcT0vgat00w4Lm4wf
|
||||||
|
+fGK//Lvqf3B59cw/CmFkxuZiQ9ooMees9x11adOBAoGBAMdb0r8sAtgh+KTbA8Kq
|
||||||
|
+guIWiknOk6/LYUTuT3fidPIPbErrUQQR9WWHuXjrj2RyHI/RLjYLFamikvhU7PmE
|
||||||
|
+jPjPAo4p1a0WBwrYgjGDIRjTVjbUK282vuYkunGWYfgnZurAyjJCndL/eNZuX2F5
|
||||||
|
+m1rTfab8O+tOOGKGyzfouD2A
|
||||||
|
-----END PRIVATE KEY-----
|
||||||
|
diff --git a/test/certs/badalt7-cert.pem b/test/certs/badalt7-cert.pem
|
||||||
|
index b515ba43d9..4fa81b3c6f 100644
|
||||||
|
--- a/test/certs/badalt7-cert.pem
|
||||||
|
+++ b/test/certs/badalt7-cert.pem
|
||||||
|
@@ -1,23 +1,22 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
-MIID1DCCArygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
-IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMIGmMTsw
|
||||||
|
+MIIDtjCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
+IE5DIENBIDEwIBcNMTgwNTE2MDMyNzA5WhgPMjExODA1MTcwMzI3MDlaMIGmMTsw
|
||||||
|
OQYDVQQKHjIAQgBhAGQAIABOAEMAIABUAGUAcwB0ACAAQwBlAHIAdABpAGYAaQBj
|
||||||
|
AGEAdABlACAANzElMCMGA1UEAx4cAG8AdABoAGUAcgAuAGcAbwBvAGQALgBvAHIA
|
||||||
|
ZzEdMBsGA1UEAx4UAEoAbwBlACAAQgBsAG8AZwBnAHMxITAfBgNVBAMeGABhAG4A
|
||||||
|
eQAuAGcAbwBvAGQALgBjAG8AbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
|
||||||
|
-ggEBANStByWr70u2A49OO+LYu0ivQP+uBu2n3E6RoEYf+op/+JF3clwfMQCGqiSg
|
||||||
|
-QxOJMHkcu4gJDudRLCSXqHPnR0hOd+mQ5wQQJmLj8A99ImcD2oN5R3V5I4bSlXP9
|
||||||
|
-GCq2pFDnwXuEcJ3d2Dt1HYO4jA4Ol/RBT3NIqmwSnQzXv98mjYFpy6AuAIaYGmbh
|
||||||
|
-1DLWxsTPI2NjNafJYS85NrQDLkTpq48nCmQCJ+ly6Zzu7WuJiDKD1Rxs7ZwgNtLi
|
||||||
|
-Zhp41TeFHxCbfSFKe9u4rnUmImKxwgc9KuzOLpLAzD9avWpPGHtkCsLFsiw/EJYf
|
||||||
|
-UdeCXc7tz9WhXZzOk/ffLOcrorMCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUwYsR1XfZ
|
||||||
|
-2cPcAR7i5i9obalnJcIwHwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMw
|
||||||
|
-CQYDVR0TBAIwADBIBgNVHREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNv
|
||||||
|
-bYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEB
|
||||||
|
-CwUAA4IBAQAN/klfzMLi2acp5KdH9UZR4XCk3cZBOuMuI0vU+wrU/ETgY6rFhAwY
|
||||||
|
-gSZsO6vX0mt/G6QfOmY5+kW4FY5XavGhhNVY2x5ATZKvQCf+orIsUHOBxVTjH6az
|
||||||
|
-uEnxGDRTbjXSkBTCTSoOqdJNeOmEwiaHEVy/atumUW2B2KP5FeBGdud/94c4Q9/O
|
||||||
|
-WBJ0EICGF6hYTDra63lAjxyARTvocVakIE8zytT1SbU4yO05mYPyNdXxiXikepFE
|
||||||
|
-phPQWNSLx4EPBIorGCFj7MPDmFCH/+EjDjGz3SNUvqsak6MstzK94KVriQyIHKex
|
||||||
|
-IL5WuKFm0XSGKTX8SzyMGErMGeriveL2
|
||||||
|
+ggEBAOG4PegItzkmJDwlSA/FyVHWLWUIQrnxgS0KSds3On2CMsjDJ+X77B4s1IPI
|
||||||
|
+yKHuqNbXqV/hJGAxKnZRZe0D6VsmKlYOYpz9QtFxvpo5DwA3q6BTx6sIElFn/lip
|
||||||
|
+Pbu5ZeIMNeN4bot7x5sBobr6OgidAVaAuqQHHJnD7mQ1s22qY0UqkBqNBhhJWOmx
|
||||||
|
+YC0Q56WDi9+C7Cy2+kiiSlT4jCZ8m1K0F7tTK5mF0p4HppXmXLzcecZ/Sw8jOqQK
|
||||||
|
+JM/4UCj/nxWCGYKWkv8zLJtG+ryfZMf15/0Cd1dzHAS9mYU4mFssPdFyT+WFpw7b
|
||||||
|
+K3TOTXkS/tAPbj0xin2wqBJz8m8CAwEAAaN7MHkwHQYDVR0OBBYEFOWYNq+H1LH6
|
||||||
|
+lZUpgijb/S/sAiDsMB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkG
|
||||||
|
+A1UdEwQCMAAwLAYDVR0RBCUwI4ENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29t
|
||||||
|
+hwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQAwUxnqq0gBgKmEHIRgZVu10KtOknjt
|
||||||
|
+p/wEcqQ9METvXb+4/a4U6ftjTgaOrPVjamNFlaoUcTgx2nk2zRsjM+e+tpnxDgRR
|
||||||
|
+/yoVB3HsISpdeN70s/WYAgvev/FdV3O+JWhUYHdKrDB4DMfPhlRIfSgOymJljo6+
|
||||||
|
+wL8qa7lVonF91Im4SCbq4dqtAnbg4ttblQ3yjFfQtuwzyJD/3ism6FQPLbg1K4eu
|
||||||
|
+1Si0EDL4Fct581Gb5D+NU8PYiwg7Nk8ubNlRHXydoVGDLmT0hLE+/IsPd1M8tMqm
|
||||||
|
+sifRl2Is+lGVeg4pPHFjB0npTNkaYafu89dz/3PNRRr5If06B+apk4AX
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
diff --git a/test/certs/badalt7-key.pem b/test/certs/badalt7-key.pem
|
||||||
|
index 50557e8968..b453f1ff30 100644
|
||||||
|
--- a/test/certs/badalt7-key.pem
|
||||||
|
+++ b/test/certs/badalt7-key.pem
|
||||||
|
@@ -1,28 +1,28 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUrQclq+9LtgOP
|
||||||
|
-Tjvi2LtIr0D/rgbtp9xOkaBGH/qKf/iRd3JcHzEAhqokoEMTiTB5HLuICQ7nUSwk
|
||||||
|
-l6hz50dITnfpkOcEECZi4/APfSJnA9qDeUd1eSOG0pVz/RgqtqRQ58F7hHCd3dg7
|
||||||
|
-dR2DuIwODpf0QU9zSKpsEp0M17/fJo2BacugLgCGmBpm4dQy1sbEzyNjYzWnyWEv
|
||||||
|
-OTa0Ay5E6auPJwpkAifpcumc7u1riYgyg9UcbO2cIDbS4mYaeNU3hR8Qm30hSnvb
|
||||||
|
-uK51JiJiscIHPSrszi6SwMw/Wr1qTxh7ZArCxbIsPxCWH1HXgl3O7c/VoV2czpP3
|
||||||
|
-3yznK6KzAgMBAAECggEADjQ0Kv7tr3fLixGljEP/Vh5mT+02hz7TxueQ9b4DBKcB
|
||||||
|
-We3JVH+8zRUxXdraP/7EnwIdQDuipC5WrWb3mC4VI64h8hZ8Z1gQyEAC83XfC1RF
|
||||||
|
-jsxVynG5vrJnyuRXbdre5Ixl7rLsto5vd6EdxINZz0KIQYbvIHr07tzbYlUyelvA
|
||||||
|
-mu0kYdtbjm2p2AGJJ99zN3EiQ9lZDyiFirOXEA9P/YdKKVlIwpDPbn/TmNY/k6Ul
|
||||||
|
-mRxgAJKwKiR6Gg3QMdTUKeaXBpKf/pa+5rzR7zxNbiQO3IXOVx7ZzQ2R0Wuivpqk
|
||||||
|
-yjMaqUa7dDuvtIHJBpJB7TIL6SlQkiS1lEQFhO7EAQKBgQDz30obdymxqQVy7IsH
|
||||||
|
-NLo5xRX1hRRN9h34Y4qC0JXkCTG1fWJ19KYHod0S5peaIo/ThDVf1UXln6amdCjM
|
||||||
|
-oIfhmo0baNIdMMpxxBdsdLfUKwyVh8qROaBscPE4FGBUrfEW/wSn1WRYcWh+oda3
|
||||||
|
-LuLVf5Qt9a9f6ZYuy1X6dDi8swKBgQDfQJTSFUNkV8yKfMX54x0DcUkiWOu3LaET
|
||||||
|
-GSu0UXqBVn1Q+u6CUAkh5jA9fpyM5sp9+t5FuwjO+ITHfiNFoD/LCeMUfYVDF7O2
|
||||||
|
-uCLTsN+7gTGpKMnfL/rg9exrsfDdsmbQe4BhrUFBsYfKgBlBraL0QGD+25qgU8CS
|
||||||
|
-CQ6toGCCAQKBgQDCYJskwRoObPXW4AsAN1qnaRtTkjrY2O6SaGSiV7bhByMD0WiF
|
||||||
|
-M/aR5sXapsj3Jc0Vfi88rzUDDPk7eyJ51wn3G8SUsDuo4Ja7jtxMqctL5PQmyxD+
|
||||||
|
-J7xiMrNRS4xscifTeHgxfbh5dgsfw8bsQwaxvPpSl5ytCfWWXqOs+K2wWQKBgBM4
|
||||||
|
-Mher8PNQg7FgcILExJipRgyI7zID4ZwNTK/nW86KrZstHx9k2IRslraUkdGnhMM3
|
||||||
|
-t671HRsEVhn+h/bUhulp3nzDGZffEH+odocW8QvpYWcYtdha/xQi18mltgC//Q3x
|
||||||
|
-s+m0yqtnJzONt57p3d99M1x9d2BaFXf9A6B68BQBAoGBAOatu9+wGaIEB//fpaQt
|
||||||
|
-mnsS2XBJco5gHTjOegCSNe3gQQsB5mhTEekOeMzJ8WLTMVXQVCXx9/8HxKoycbq8
|
||||||
|
-M/7ScH1iT/wJTkSsjyeycUgH31GPeRvmo9YU2PsW3NN6ZyNpxWJFdcPYHAzZqJeA
|
||||||
|
-cZtQWiEyaf026DdR8YBYn6tf
|
||||||
|
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhuD3oCLc5JiQ8
|
||||||
|
+JUgPxclR1i1lCEK58YEtCknbNzp9gjLIwyfl++weLNSDyMih7qjW16lf4SRgMSp2
|
||||||
|
+UWXtA+lbJipWDmKc/ULRcb6aOQ8AN6ugU8erCBJRZ/5YqT27uWXiDDXjeG6Le8eb
|
||||||
|
+AaG6+joInQFWgLqkBxyZw+5kNbNtqmNFKpAajQYYSVjpsWAtEOelg4vfguwstvpI
|
||||||
|
+okpU+IwmfJtStBe7UyuZhdKeB6aV5ly83HnGf0sPIzqkCiTP+FAo/58VghmClpL/
|
||||||
|
+MyybRvq8n2TH9ef9AndXcxwEvZmFOJhbLD3Rck/lhacO2yt0zk15Ev7QD249MYp9
|
||||||
|
+sKgSc/JvAgMBAAECggEAZG2cJawTEXtV7ejMii//Jck8g1JMlfzM86Q7Pizxejw+
|
||||||
|
+qjKiguI2qSpbF5NzKRFNz+E+e+lpTN8zPFd1GSJ/Zk2x0n4uBBlu7E9GdcnjUb5z
|
||||||
|
+Py9njEJYHB4//WS3kdmoag3ywBWqYaceJWpxcga5YXGx0bIO2MJNSGDzpWR7Q9QQ
|
||||||
|
+tG/lWmno5goY2BxI08BTKSlqNIBkg/rr9jJo3axRcEmbx7hj4vUkAlypFKtmR4dW
|
||||||
|
+bNo0f6VAd5Y6c9YbnKybR/44lScBksuSkZjm076cbbbp5PpsiLGe/12bqUcwCH+T
|
||||||
|
+8hRVndmOLdOxC11OZOvMbX6x2uXNh3/Qr/GMyfzZcQKBgQD4we7E9vOygk1J5Vbl
|
||||||
|
+1zETR9x3dujpBBx3xaHXUSJNUTNwmnZ+0JoFTqPkRmmPMNK7XfZuPymBehtk8WYt
|
||||||
|
+NnezM2UNTdbfVOnJWnU6igRNGBaDW6F9AezlADBNwIbFVw6RqP4fTUFsmm9TQ/8M
|
||||||
|
+4kZmmlW4uLZyX0WQO+AJa7NShwKBgQDoSpnQgmWqXMcaHwY2l8fEDuDc41nDoJIm
|
||||||
|
+/CMppPbr7GkUX4OU785p6E0N0o1ONt+xCBT1lxHwWEeMAKZXrNC1XGpfvhpVZ72v
|
||||||
|
+VruATDFs1rcL3S2Sty7A+jhFKKXlGeDWNcpaKY8nDvv2uJG0+J3bLprdMqnY/gQ1
|
||||||
|
+C+FzyQ6S2QKBgDnHIaRSD6xoo3cEc7iS0O0/ha+hyNtGfy46kyqlx6fZsm73EYrG
|
||||||
|
+/N86ssp0qFP/7RJj8rcMqKFQMUiy4R6jRg4zY8dBSyU4XczM2+mq4PDfJWuBPvMA
|
||||||
|
+HXvbHV0R2LvBSrr+W3f9w7Jr9GuMoZLmg5+VPU/YZ1gNVOT5Y0IM5+vFAoGBANx9
|
||||||
|
+CzlGvLeTrw1VS3GAaobn1Hr2dlrhTDki9UFvK03PLgK/ksdJRLV0YcdwBt6p6XRB
|
||||||
|
+hpuC1O087lSuvTXVfJnZacMNUDOm7/7BpeJm8DcuK7tgKwTrSb61A7ppleY7xRWv
|
||||||
|
+Iy6n6hCaAYIzuWJ85mGJAEhb8apdmqK7bzmXK3UpAoGBALdOvJfqbF0YlHbdQCVi
|
||||||
|
+ftjtxs/dZKdF1rNARR0VMqUtZX+WP2b6OPXlwux94Cr//iNv5ih3B4Z4LIgTpgBJ
|
||||||
|
+AKGXEBGMMthAlptC4BcOAEs9cYeWGLAoYk8jpNmXvXjhGqvzhPO2YrX5xy46dVOG
|
||||||
|
+iiCseyA7Kr8Axt9QhUzoi5f7
|
||||||
|
-----END PRIVATE KEY-----
|
||||||
|
diff --git a/test/certs/badcn1-cert.pem b/test/certs/badcn1-cert.pem
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..3b3bad658b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/certs/badcn1-cert.pem
|
||||||
|
@@ -0,0 +1,20 @@
|
||||||
|
+-----BEGIN CERTIFICATE-----
|
||||||
|
+MIIDQDCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
+IE5DIENBIDEwIBcNMTgwNTE2MDI0MTMyWhgPMjExODA1MTcwMjQxMzJaME4xIzAh
|
||||||
|
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
|
||||||
|
+Z29vZC5vcmcxEDAOBgNVBAMMB2JhZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
|
||||||
|
+DwAwggEKAoIBAQDN9WI6OyxnW+R98FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh
|
||||||
|
+8wFR9gfNrKhqXubJ3lCHKgaApTXNKM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R
|
||||||
|
+03Yn+dJnZLDz7BDpnuhORp8XzQqfxSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos
|
||||||
|
+/LIDvjzye5GaPXqXkAkcBcLBpWlgMm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+A
|
||||||
|
+jSbT522yHy1r6WeElbSY7WOFvnmgbZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh
|
||||||
|
+/YuRhCgRExvdQ6kImwdKAfO7RLkxho6jny1HAgMBAAGjXjBcMB0GA1UdDgQWBBT5
|
||||||
|
+fenRjyFKUb1XvUnm4GV9kZmONDAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa
|
||||||
|
+3fVQQzAJBgNVHRMEAjAAMA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQAD
|
||||||
|
+ggEBACKtfZCcP/pY8Bu+lb/pGZj5txsmNbJ1l2RVACQA7CGjwfUr7VaQGMuT+FuA
|
||||||
|
+Erlh+UnEC3R/e1xQwgJeuAXBOWFkxA61isVSrmM7YM6vDB0+t8N9lMUFjPbRyEkM
|
||||||
|
+A5kaSLPrgSOg7ONsO6YGbaWm1XCoUC6Ilrdzy+ckzklgjYRth99b2d5WrjIxEWIq
|
||||||
|
+BX2DI2ruetjXYGRzsqSK+O9d4fsqrb5M0ZCNWQZ4WnrMNaAeHWpW6NqSvof/N21x
|
||||||
|
+WC5zcU7GXLrDigwWPMDLQhVtu4OihWjsqugh6Jl7DxDBhi8JKO6tJQAISHjKaL98
|
||||||
|
+yXZFsQ//q7ATwlcHyB81B+X16AI=
|
||||||
|
+-----END CERTIFICATE-----
|
||||||
|
diff --git a/test/certs/badcn1-key.pem b/test/certs/badcn1-key.pem
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..dbcf4b5d44
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/certs/badcn1-key.pem
|
||||||
|
@@ -0,0 +1,28 @@
|
||||||
|
+-----BEGIN PRIVATE KEY-----
|
||||||
|
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDN9WI6OyxnW+R9
|
||||||
|
+8FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh8wFR9gfNrKhqXubJ3lCHKgaApTXN
|
||||||
|
+KM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R03Yn+dJnZLDz7BDpnuhORp8XzQqf
|
||||||
|
+xSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos/LIDvjzye5GaPXqXkAkcBcLBpWlg
|
||||||
|
+Mm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+AjSbT522yHy1r6WeElbSY7WOFvnmg
|
||||||
|
+bZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh/YuRhCgRExvdQ6kImwdKAfO7RLkx
|
||||||
|
+ho6jny1HAgMBAAECggEBAKDxiUHx7cATShm0ElZnd6+dtQfKwv8zsuIpm+hk62Ef
|
||||||
|
+d0zYI+UhrT1sIiryKmV9JaJITOtixtQOxl088D+Obrx8cnC4B84rUTVXpnfgVf9j
|
||||||
|
+FljDtjpxIZsZmPbc836ZUZoOaICKpVYHD69Mb+NWG+mN2oaLc8VP0L4FXKLzvl7u
|
||||||
|
+69NQlTPG2CS61BktVqMtWWc/9CvdOwqwVbckyISj9QLUgSXIyB4IP3bjp0RYSpOu
|
||||||
|
+m3nhuhil1G3c05R4UfiE2d9Er7SBBoQ304ld892YRinSgtZqC1G25uZmWJ3ekAAM
|
||||||
|
+bg6P0hBd86F/G2TxNdelYrxTazjqZShYi1N48SK6kUECgYEA+51O19Q5XkskD/Dn
|
||||||
|
+VfaCjSOTFwDlb5ATmVCrJu+13/5IJfmJgWA6xdqfWoqxSOsJzXBEETKWgkahoo4K
|
||||||
|
+OU1UaBTHEJ588xOpoMzbJkKlb5hPseEQsvu055Ky0euMgmlrALPQQ9e1DUSlowui
|
||||||
|
+Cq9wCak4dqq9NNs6FMIeGhqczGECgYEA0YxcajJFxPHJsdFCVa4tdy9jgfC64t4Y
|
||||||
|
+CWDzRfUnuX24ILbW9+olvvoZkMSzoVpiQ9YU8kPJUaOyFrw6jUV5GRHUCMgfkx2Y
|
||||||
|
+nqe+7aSFmv0Nlo0RMV2PqaOZzlxnG9FzyNE+4PygZqtFhN21b5Idc69k2Ltu7K4J
|
||||||
|
+J4MG1kMUGqcCgYEA0ttUPEisPtoHgZhntUFczHx4gnmMzH5X/k5876dIqkrFGZXR
|
||||||
|
+5urGthHtIwpBYZMeZtxjHmpfeRNJ1xjjdnvYdVScMdAvc+ERcSDbsmd9jlR8zNuI
|
||||||
|
+jAWl576nPoX//TXspu0JZiE5p8HUcRuJkxzMbjwyhje1Ubs6JDU81rFgn2ECgYAG
|
||||||
|
+3WVNqVX1zMIBzEwzCGC+7dOBt0Q4GHSLIhz2JsDlZ8P3dmX2ezo/Vmwt/POxjod3
|
||||||
|
+l3TaNvRKc2VrL0FvzV3ZP2dF3mCCbk7Iq9AqcuBZon6mdvqgNmN1eEGarBZIqAT2
|
||||||
|
+CDzaHAyZMHU3lBfUjuHeH1nba9CHenAcVkOME2h+MwKBgQDiHAnTK4ovCNmT5E9i
|
||||||
|
+03x/wPSH8FZ3Wrb1GMtNlTc7lOtB5eYIvwkaloJkNKHbUDv57V66hnYT6CyH4u45
|
||||||
|
+dPtuohtafL9mdScYqmicGLtbLLglSQpJYt4J59hffNZ30E84dKXtyDN7E5P5Z00Z
|
||||||
|
+8PbOMUy3oK6j+GMP/xRNI76RtA==
|
||||||
|
+-----END PRIVATE KEY-----
|
||||||
|
diff --git a/test/certs/goodcn1-cert.pem b/test/certs/goodcn1-cert.pem
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..d9205e03b0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/certs/goodcn1-cert.pem
|
||||||
|
@@ -0,0 +1,22 @@
|
||||||
|
+-----BEGIN CERTIFICATE-----
|
||||||
|
+MIIDkTCCAnmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
|
||||||
|
+IE5DIENBIDEwIBcNMTgwNTE2MDI0MDA0WhgPMjExODA1MTcwMjQwMDRaMIGeMSMw
|
||||||
|
+IQYDVQQKDBpHb29kIE5DIFRlc3QgQ2VydGlmaWNhdGUgMTEVMBMGA1UEAwwMd3d3
|
||||||
|
+Lmdvb2Qub3JnMRUwEwYDVQQDDAxhbnkuZ29vZC5jb20xETAPBgNVBAMMCG5vdC4u
|
||||||
|
+ZG5zMRAwDgYDVQQDDAdub3RAZG5zMREwDwYDVQQDDAhub3QtLmRuczERMA8GA1UE
|
||||||
|
+AwwIbm90LmRucy4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDigxI
|
||||||
|
+nlYVjHtrFI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7
|
||||||
|
+jZe+gMX+sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADe
|
||||||
|
+mD/YdekRf3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9Txa
|
||||||
|
+ZeFvWvvc6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLs
|
||||||
|
+FPkw4yUtJHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLT
|
||||||
|
+OKw6dm1UG2J7iuqtAgMBAAGjXjBcMB0GA1UdDgQWBBSTKvqap2ab0z/UPrdDgc0V
|
||||||
|
+m88R3TAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAA
|
||||||
|
+MA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQADggEBADcdm62qaOHbIDoa
|
||||||
|
+5oUjXGHSQjV1g4BFe6DLH5/CZ0wOws3QzfQbPIxJrp3yJgDcQyZNOE/xQlq/nASS
|
||||||
|
+thU6cUTB07voFVnbotB8YQuNU1wM9TAJOHC9LT1Y0J2GIP6QeXts6Cz6aBlqaQEZ
|
||||||
|
+IrGRLuKVZePTO0Haup0mZ91XoXs3CBzkSerl0XpFL7BeugSigrhprFRPB4UC3IWb
|
||||||
|
+pdNar61Wk4bN/COb6utRkK3iYk5YUTqYFib9EG4VBdxYfXv/tiBIGqQLnqPbId6w
|
||||||
|
+q+McpSEPF1DIcCyL0vEDdIVN0SzxMfnfHMx0Qp0sh2aydIZk4xfEqXHZgZthSrse
|
||||||
|
+u7nhn7s=
|
||||||
|
+-----END CERTIFICATE-----
|
||||||
|
diff --git a/test/certs/goodcn1-key.pem b/test/certs/goodcn1-key.pem
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..2ad660c6db
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/certs/goodcn1-key.pem
|
||||||
|
@@ -0,0 +1,28 @@
|
||||||
|
+-----BEGIN PRIVATE KEY-----
|
||||||
|
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDigxInlYVjHtr
|
||||||
|
+FI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7jZe+gMX+
|
||||||
|
+sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADemD/YdekR
|
||||||
|
+f3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9TxaZeFvWvvc
|
||||||
|
+6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLsFPkw4yUt
|
||||||
|
+JHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLTOKw6dm1U
|
||||||
|
+G2J7iuqtAgMBAAECggEAeQ1xZVOAf36kuTnVUhdplTii6v3JcQIIUjG0dG/U/P8M
|
||||||
|
+otS45uNZ36CelvaVStwHaJEvcVzK4EjgSjiSNJvwkxzPbkA3XkgNVptPmdcG5yqO
|
||||||
|
+RLNOChVeqYdOurdcR1XXbXv57dPbUqpMS2TWjdzieW/QXKuTRsbjTo3D75tJqUO6
|
||||||
|
+1Bm4sSM3PogmsQwTP8HlZAmJXuSD+ZSB22Np5pT1dn5TvQU6xeA3NJR4ZO/HEZz4
|
||||||
|
+CHJEiOx2BuGD6M0V1ZL6DzEsyIS/KKsvj4I2F4ROAK1j3lSD5VqrYPXn3oEsQdlm
|
||||||
|
+OW8aVnHPYO6FI0LVLgcIEKxhdwGV3i6v/GRUe0Y9kQKBgQD0Zqn1trAuP5Peiy1K
|
||||||
|
+Wc91yRjQxQTwSD00hzXMtvKzkEIiLEuVZq9qrqQ2TRRa5xneDGHDuUY9eZY8JwEr
|
||||||
|
+l7f8CcfYC93PXLyRM2Gaz0jMxZxVPz5w7zssK3DZ+7JvH3nKkCUl7+Y0tH26qTO0
|
||||||
|
+wTD9w9jd9bf85SLVgk3zSbUDwwKBgQDM0b2ffZpxyA16h7w8ZBuk1Z+iumrxnn5/
|
||||||
|
+lKtffR2b4dZN37KiWw2c265vYhRfe/ANnVuagXb9aRM97yeQloRlWR10AaXJz3EB
|
||||||
|
+sromqFShkorYRhwZoRiJC0laLG3W76wKMRr2T6TM1UG9gJ0szdGFG/yUDU+9pTRo
|
||||||
|
+uq514rGgzwKBgQCGtsAgLF7YXzsGg/im7vInnn0LNk4OlAMInS7OdFk7GN0bMQdI
|
||||||
|
+hp1SVIk3VS1PHetoNbL9y3YoFIj3BxjiCnLjfhClyYSt9BQMhSHbzz31gUc2xfGJ
|
||||||
|
+FpSrOBawUMh97/+V4/ZV/vIJQyO6a+GQVJzIg9daIUMVJsgYoAaPf6VDOQKBgFyH
|
||||||
|
+eHnf/XDfpq8vOOuzcgWieG7EduHW72DlohIObNzqRq2BnKraJakyWXh6P6fvTsBn
|
||||||
|
+0WVYjY/n80hsjVw1k3RRsQuiXupv66aPvqcOLsWbdVxFOBaf/3yR+75gCfMq7Xbh
|
||||||
|
+PkP+MP5UbVGWE+uUw821mgKsjNSpGKcjhwM8uXBjAoGAFEU3O8gQXfocVB8lxUeU
|
||||||
|
+c0inLdAIgiw/36NPuW4NwKxzLOmHzlmvn7C98ihnbnGoQ0XBRfLw8siTbD3INgHY
|
||||||
|
+NA0JeK8Qrt56b6wK14w9RzLQTu9gy1pULW21p1wswdNK4tlxfnnnozISZAYxeqAx
|
||||||
|
+YMTtYZN77nb+yY4oE6XEugQ=
|
||||||
|
+-----END PRIVATE KEY-----
|
||||||
|
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
|
||||||
|
index 7e1086a224..018e5fc690 100755
|
||||||
|
--- a/test/certs/setup.sh
|
||||||
|
+++ b/test/certs/setup.sh
|
||||||
|
@@ -241,15 +241,30 @@ NC="$NC excluded;DNS:bad.ok.good.com"
|
||||||
|
NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
|
||||||
|
ncca1-key ncca1-cert
|
||||||
|
|
||||||
|
-# all subjectAltNames allowed by CA1.
|
||||||
|
+# all subjectAltNames allowed by CA1. Some CNs are not!
|
||||||
|
|
||||||
|
./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \
|
||||||
|
- "1.CN=www.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
|
||||||
|
+ "1.CN=www.example.net" "2.CN=Joe Bloggs" | \
|
||||||
|
./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \
|
||||||
|
"DNS.1 = www.good.org" "DNS.2 = any.good.com" \
|
||||||
|
"email.1 = good@good.org" "email.2 = any@good.com" \
|
||||||
|
"IP = 127.0.0.1" "IP = 192.168.0.1"
|
||||||
|
|
||||||
|
+# all DNS-like CNs allowed by CA1, no DNS SANs.
|
||||||
|
+
|
||||||
|
+./mkcert.sh req goodcn1-key "O = Good NC Test Certificate 1" \
|
||||||
|
+ "1.CN=www.good.org" "2.CN=any.good.com" \
|
||||||
|
+ "3.CN=not..dns" "4.CN=not@dns" "5.CN=not-.dns" "6.CN=not.dns." | \
|
||||||
|
+ ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \
|
||||||
|
+ "IP = 127.0.0.1" "IP = 192.168.0.1"
|
||||||
|
+
|
||||||
|
+# Some DNS-like CNs not permitted by CA1, no DNS SANs.
|
||||||
|
+
|
||||||
|
+./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \
|
||||||
|
+ "1.CN=www.good.org" "3.CN=bad.net" | \
|
||||||
|
+ ./mkcert.sh geneealt badcn1-key badcn1-cert ncca1-key ncca1-cert \
|
||||||
|
+ "IP = 127.0.0.1" "IP = 192.168.0.1"
|
||||||
|
+
|
||||||
|
# no subjectAltNames excluded by CA2.
|
||||||
|
|
||||||
|
./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \
|
||||||
|
@@ -293,19 +308,17 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
|
||||||
|
"email.1 = good@good.org" "email.2 = any@good.com" \
|
||||||
|
"IP = 127.0.0.2"
|
||||||
|
|
||||||
|
-# all subject alt names OK but subject CN not allowed by CA1.
|
||||||
|
+# No DNS-ID SANs and subject CN not allowed by CA1.
|
||||||
|
./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \
|
||||||
|
"1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
|
||||||
|
./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \
|
||||||
|
- "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
|
||||||
|
"email.1 = good@good.org" "email.2 = any@good.com" \
|
||||||
|
"IP = 127.0.0.1" "IP = 192.168.0.1"
|
||||||
|
|
||||||
|
-# all subject alt names OK but subject CN not allowed by CA1, BMPSTRING
|
||||||
|
+# No DNS-ID SANS and subject CN not allowed by CA1, BMPSTRING
|
||||||
|
REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
|
||||||
|
"1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \
|
||||||
|
./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \
|
||||||
|
- "DNS.1 = www.good.org" "DNS.2 = any.good.com" \
|
||||||
|
"email.1 = good@good.org" "email.2 = any@good.com" \
|
||||||
|
"IP = 127.0.0.1" "IP = 192.168.0.1"
|
||||||
|
|
||||||
|
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||||
|
index 11bd43090f..c23e114e06 100644
|
||||||
|
--- a/test/recipes/25-test_verify.t
|
||||||
|
+++ b/test/recipes/25-test_verify.t
|
||||||
|
@@ -30,7 +30,7 @@ sub verify {
|
||||||
|
run(app([@args]));
|
||||||
|
}
|
||||||
|
|
||||||
|
-plan tests => 127;
|
||||||
|
+plan tests => 129;
|
||||||
|
|
||||||
|
# Canonical success
|
||||||
|
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||||
|
@@ -326,6 +326,12 @@ ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
|
||||||
|
ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
|
||||||
|
"Name Constraints nested test all permitted");
|
||||||
|
|
||||||
|
+ok(verify("goodcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
|
||||||
|
+ "Name Constraints CNs permitted");
|
||||||
|
+
|
||||||
|
+ok(!verify("badcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
|
||||||
|
+ "Name Constraints CNs not permitted");
|
||||||
|
+
|
||||||
|
ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
|
||||||
|
"Name Constraints hostname not permitted");
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.0
|
||||||
|
|
212
0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
Normal file
212
0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
Normal file
@ -0,0 +1,212 @@
|
|||||||
|
From 6d3cfd13a904a03fc3522da935136dcdd12e9014 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Viktor Dukhovni <openssl-users@dukhovni.org>
|
||||||
|
Date: Tue, 22 May 2018 14:46:02 -0400
|
||||||
|
Subject: [PATCH 2/2] Skip CN DNS name constraint checks when not needed
|
||||||
|
|
||||||
|
Only check the CN against DNS name contraints if the
|
||||||
|
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
|
||||||
|
certificate has no DNS subject alternative names or the
|
||||||
|
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.
|
||||||
|
|
||||||
|
Add pertinent documentation, and touch up some stale text about
|
||||||
|
name checks and DANE.
|
||||||
|
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
||||||
|
---
|
||||||
|
crypto/x509/x509_vfy.c | 28 ++++++++++++++++++-
|
||||||
|
crypto/x509v3/v3_ncons.c | 31 +++++++---------------
|
||||||
|
doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 21 ++++++++++++---
|
||||||
|
doc/crypto/X509_check_host.pod | 7 +++--
|
||||||
|
doc/ssl/SSL_set1_host.pod | 2 +-
|
||||||
|
5 files changed, 61 insertions(+), 28 deletions(-)
|
||||||
|
|
||||||
|
Index: openssl-1.1.0h/crypto/x509/x509_vfy.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.0h.orig/crypto/x509/x509_vfy.c 2018-03-27 15:50:39.000000000 +0200
|
||||||
|
+++ openssl-1.1.0h/crypto/x509/x509_vfy.c 2018-05-29 10:52:23.753159887 +0200
|
||||||
|
@@ -557,6 +557,27 @@ static int check_chain_extensions(X509_S
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int has_san_id(X509 *x, int gtype)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ int ret = 0;
|
||||||
|
+ GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
|
||||||
|
+
|
||||||
|
+ if (gs == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {
|
||||||
|
+ GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);
|
||||||
|
+
|
||||||
|
+ if (g->type == gtype) {
|
||||||
|
+ ret = 1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ GENERAL_NAMES_free(gs);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int check_name_constraints(X509_STORE_CTX *ctx)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
@@ -655,7 +676,12 @@ static int check_name_constraints(X509_S
|
||||||
|
int rv = NAME_CONSTRAINTS_check(x, nc);
|
||||||
|
|
||||||
|
/* If EE certificate check commonName too */
|
||||||
|
- if (rv == X509_V_OK && i == 0)
|
||||||
|
+ if (rv == X509_V_OK && i == 0
|
||||||
|
+ && (ctx->param->hostflags
|
||||||
|
+ & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0
|
||||||
|
+ && ((ctx->param->hostflags
|
||||||
|
+ & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0
|
||||||
|
+ || !has_san_id(x, GEN_DNS)))
|
||||||
|
rv = NAME_CONSTRAINTS_check_CN(x, nc);
|
||||||
|
|
||||||
|
switch (rv) {
|
||||||
|
Index: openssl-1.1.0h/crypto/x509v3/v3_ncons.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.0h.orig/crypto/x509v3/v3_ncons.c 2018-05-29 10:52:23.733159579 +0200
|
||||||
|
+++ openssl-1.1.0h/crypto/x509v3/v3_ncons.c 2018-05-29 10:52:23.753159887 +0200
|
||||||
|
@@ -299,9 +299,9 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME
|
||||||
|
|
||||||
|
static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
|
||||||
|
{
|
||||||
|
- int utf8_length; /* Return type of ASN1_STRING_to_UTF8 */
|
||||||
|
- int i;
|
||||||
|
+ int utf8_length;
|
||||||
|
unsigned char *utf8_value;
|
||||||
|
+ int i;
|
||||||
|
int isdnsname = 0;
|
||||||
|
|
||||||
|
/* Don't leave outputs uninitialized */
|
||||||
|
@@ -337,8 +337,10 @@ static int cn2dnsid(ASN1_STRING *cn, uns
|
||||||
|
--utf8_length;
|
||||||
|
|
||||||
|
/* Reject *embedded* NULs */
|
||||||
|
- if ((size_t)utf8_length != strlen((char *)utf8_value))
|
||||||
|
- return X509_V_ERR_UNSPECIFIED;
|
||||||
|
+ if ((size_t)utf8_length != strlen((char *)utf8_value)) {
|
||||||
|
+ OPENSSL_free(utf8_value);
|
||||||
|
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* XXX: Deviation from strict DNS name syntax, also check names with '_'
|
||||||
|
@@ -388,11 +390,13 @@ static int cn2dnsid(ASN1_STRING *cn, uns
|
||||||
|
return X509_V_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Check CN against DNS-ID name constraints.
|
||||||
|
+ */
|
||||||
|
int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
|
||||||
|
{
|
||||||
|
int r, i;
|
||||||
|
- GENERAL_NAMES *gens = NULL;
|
||||||
|
- X509_NAME *nm;
|
||||||
|
+ X509_NAME *nm = X509_get_subject_name(x);
|
||||||
|
ASN1_STRING stmp;
|
||||||
|
GENERAL_NAME gntmp;
|
||||||
|
|
||||||
|
@@ -401,21 +405,6 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, N
|
||||||
|
gntmp.type = GEN_DNS;
|
||||||
|
gntmp.d.dNSName = &stmp;
|
||||||
|
|
||||||
|
- gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
|
||||||
|
- if (gens != NULL) {
|
||||||
|
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
||||||
|
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
|
||||||
|
-
|
||||||
|
- if (gen->type == GEN_DNS) {
|
||||||
|
- GENERAL_NAMES_free(gens);
|
||||||
|
- return X509_V_OK;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- GENERAL_NAMES_free(gens);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- nm = X509_get_subject_name(x);
|
||||||
|
-
|
||||||
|
/* Process any commonName attributes in subject name */
|
||||||
|
|
||||||
|
for (i = -1;;) {
|
||||||
|
Index: openssl-1.1.0h/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.0h.orig/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2018-03-27 15:50:40.000000000 +0200
|
||||||
|
+++ openssl-1.1.0h/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2018-05-29 10:52:23.753159887 +0200
|
||||||
|
@@ -130,14 +130,29 @@ B<name> clearing any previously specifie
|
||||||
|
B<name> is NULL, or empty the list of hostnames is cleared, and
|
||||||
|
name checks are not performed on the peer certificate. If B<name>
|
||||||
|
is NUL-terminated, B<namelen> may be zero, otherwise B<namelen>
|
||||||
|
-must be set to the length of B<name>. When a hostname is specified,
|
||||||
|
+must be set to the length of B<name>.
|
||||||
|
+
|
||||||
|
+When a hostname is specified,
|
||||||
|
certificate verification automatically invokes L<X509_check_host(3)>
|
||||||
|
with flags equal to the B<flags> argument given to
|
||||||
|
X509_VERIFY_PARAM_set_hostflags() (default zero). Applications
|
||||||
|
are strongly advised to use this interface in preference to explicitly
|
||||||
|
-calling L<X509_check_host(3)>, hostname checks are out of scope
|
||||||
|
+calling L<X509_check_host(3)>, hostname checks may be out of scope
|
||||||
|
with the DANE-EE(3) certificate usage, and the internal check will
|
||||||
|
-be suppressed as appropriate when DANE support is added to OpenSSL.
|
||||||
|
+be suppressed as appropriate when DANE verification is enabled.
|
||||||
|
+
|
||||||
|
+When the subject CommonName will not be ignored, whether as a result of the
|
||||||
|
+B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> host flag, or because no DNS subject
|
||||||
|
+alternative names are present in the certificate, any DNS name constraints in
|
||||||
|
+issuer certificates apply to the subject CommonName as well as the subject
|
||||||
|
+alternative name extension.
|
||||||
|
+
|
||||||
|
+When the subject CommonName will be ignored, whether as a result of the
|
||||||
|
+B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> host flag, or because some DNS subject
|
||||||
|
+alternative names are present in the certificate, DNS name constraints in
|
||||||
|
+issuer certificates will not be applied to the subject DN.
|
||||||
|
+As described in X509_check_host(3) the B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>
|
||||||
|
+flag takes precendence over the B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag.
|
||||||
|
|
||||||
|
X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference
|
||||||
|
identifier that can match the peer's certificate. Any previous names
|
||||||
|
Index: openssl-1.1.0h/doc/crypto/X509_check_host.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.0h.orig/doc/crypto/X509_check_host.pod 2018-03-27 15:50:40.000000000 +0200
|
||||||
|
+++ openssl-1.1.0h/doc/crypto/X509_check_host.pod 2018-05-29 10:52:23.753159887 +0200
|
||||||
|
@@ -93,6 +93,9 @@ consider the subject DN even if the cert
|
||||||
|
names of the right type (DNS name or email address as appropriate); the default
|
||||||
|
is to use the subject DN when no corresponding subject alternative names are
|
||||||
|
present.
|
||||||
|
+If both B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> and
|
||||||
|
+B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> are specified, the latter takes
|
||||||
|
+precedence and the subject DN is not checked for matching names.
|
||||||
|
|
||||||
|
If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
|
||||||
|
expansion; this only applies to B<X509_check_host>.
|
||||||
|
@@ -128,9 +131,9 @@ NULs.
|
||||||
|
|
||||||
|
Applications are encouraged to use X509_VERIFY_PARAM_set1_host()
|
||||||
|
rather than explicitly calling L<X509_check_host(3)>. Host name
|
||||||
|
-checks are out of scope with the DANE-EE(3) certificate usage,
|
||||||
|
+checks may be out of scope with the DANE-EE(3) certificate usage,
|
||||||
|
and the internal checks will be suppressed as appropriate when
|
||||||
|
-DANE support is added to OpenSSL.
|
||||||
|
+DANE support is enabled.
|
||||||
|
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
Index: openssl-1.1.0h/doc/ssl/SSL_set1_host.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.0h.orig/doc/ssl/SSL_set1_host.pod 2018-03-27 15:50:40.000000000 +0200
|
||||||
|
+++ openssl-1.1.0h/doc/ssl/SSL_set1_host.pod 2018-05-29 10:52:23.753159887 +0200
|
||||||
|
@@ -56,7 +56,7 @@ is cleared or freed, or a renegotiation
|
||||||
|
must not free the return value.
|
||||||
|
|
||||||
|
SSL clients are advised to use these functions in preference to
|
||||||
|
-explicitly calling L<X509_check_host(3)>. Hostname checks are out
|
||||||
|
+explicitly calling L<X509_check_host(3)>. Hostname checks may be out
|
||||||
|
of scope with the RFC7671 DANE-EE(3) certificate usage, and the
|
||||||
|
internal check will be suppressed as appropriate when DANE is
|
||||||
|
enabled.
|
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 1 11:37:06 UTC 2018 - vcizek@suse.com
|
||||||
|
|
||||||
|
- Suggest libopenssl1_1-hmac from libopenssl1_1 package to avoid
|
||||||
|
dependency issues during updates (bsc#1090765)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 29 08:53:01 UTC 2018 - vcizek@suse.com
|
||||||
|
|
||||||
|
- Relax CN name restrictions (bsc#1084011)
|
||||||
|
* added patches:
|
||||||
|
0001-Limit-scope-of-CN-name-constraints.patch
|
||||||
|
0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu May 10 09:37:19 UTC 2018 - vcizek@suse.com
|
Thu May 10 09:37:19 UTC 2018 - vcizek@suse.com
|
||||||
|
|
||||||
|
@ -79,6 +79,9 @@ Patch73: 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
|
|||||||
# PATCH-FIX-UPSTREAM (boo#1091961)
|
# PATCH-FIX-UPSTREAM (boo#1091961)
|
||||||
Patch74: 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
|
Patch74: 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
|
||||||
Patch75: openssl-CVE-2018-0737.patch
|
Patch75: openssl-CVE-2018-0737.patch
|
||||||
|
# PATCH-FIX-UPSTREAM (bsc#1084011)
|
||||||
|
Patch76: 0001-Limit-scope-of-CN-name-constraints.patch
|
||||||
|
Patch77: 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
|
||||||
BuildRequires: bc
|
BuildRequires: bc
|
||||||
BuildRequires: ed
|
BuildRequires: ed
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
@ -101,6 +104,7 @@ Summary: Secure Sockets and Transport Layer Security
|
|||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Recommends: ca-certificates-mozilla
|
Recommends: ca-certificates-mozilla
|
||||||
|
Suggests: libopenssl1_1-hmac = %{version}-%{release}
|
||||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||||
Obsoletes: libopenssl1_1_0
|
Obsoletes: libopenssl1_1_0
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user