forked from pool/openssl-3
Accepting request 1089847 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/1089847 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=62
This commit is contained in:
Otto Hollmann
Git OBS Bridge
parent
0ddca788f5
commit
a451b8be27
@ -1,7 +1,7 @@
|
|||||||
libopenssl3
|
libopenssl3
|
||||||
obsoletes "libopenssl1_1_0-<targettype>"
|
obsoletes "libopenssl1_1_0-<targettype>"
|
||||||
libopenssl3-hmac
|
provides "libopenssl3-hmac-<targettype> = <version>-%release"
|
||||||
requires "libopenssl3-<targettype> = <version>-%release"
|
obsoletes "libopenssl3-hmac-<targettype> < <version>-%release"
|
||||||
libopenssl-3-devel
|
libopenssl-3-devel
|
||||||
provides "libopenssl-devel-<targettype> = <version>"
|
provides "libopenssl-devel-<targettype> = <version>"
|
||||||
conflicts "otherproviders(libopenssl-devel-<targettype>)"
|
conflicts "otherproviders(libopenssl-devel-<targettype>)"
|
||||||
|
|||||||
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:aaa925ad9828745c4cad9d9efeb273deca820f2cdcf2c3ac7d7c1212b7c497b4
|
|
||||||
size 15525381
|
|
||||||
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmQQb54ACgkQ2cTSbQ5g
|
|
||||||
RJGINAf9EsijdAcZ3BlsmP+HAt0oOhq2hrRru1Wd/KZ7pGJBVtitmVPPKiegRyL3
|
|
||||||
/Y0zgnQvGQvBTQhTWRsT7Rp1LJc8q6P7KPMfh3jDYIk9p/bjI9w7LXOglXmUJQQ1
|
|
||||||
aUu++AoVTxGjr7dpdLP80W+MJmdhp9Z3EqDU3Jrumada8JX/v25Y6V7nBX+e6xmB
|
|
||||||
xn6acau1eKDFLOFgJ9aXTXwmHk17xWUw7dcW6RB9bQAMlLB3p/7Jkk4bJZU8eQ7t
|
|
||||||
eCCZVSudH4kILogoPHGjU7XETYRa27b+djpWguGRIv2faqr65KP7JZUpl6LFiH1M
|
|
||||||
087Nc1+uKdHfpps3OO6HIGcmf+ZrLQ==
|
|
||||||
=bdJW
|
|
||||||
-----END PGP SIGNATURE-----
|
|
||||||
3
openssl-3.1.1.tar.gz
Normal file
3
openssl-3.1.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674
|
||||||
|
size 15544757
|
||||||
16
openssl-3.1.1.tar.gz.asc
Normal file
16
openssl-3.1.1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR16IIACgkQUnRmohyn
|
||||||
|
nm0XXw/+NcoUTEDzBQvoRmR+y0GFU6eobgkbiL3Iu/whTD1xljm0YLAP8mWzWhzt
|
||||||
|
AOGMJLpQ+lBczSow4zXaHT3xky+2fYqUNjccGBF5oWyY/nUFE7+qUG/1yUcXy6Ca
|
||||||
|
2q6gYX2qAxpHUAjfKfQfYtogkVqIiUnqjaxJX/RgC/FEJTqCN7zq309LF7FaFr7s
|
||||||
|
IJxkHXRAcjzwXFopTfiKkSQRm1W0bV8xht29kzjXJlSviCnhWFoY/hQdtDr/vcnP
|
||||||
|
X9GobFyn0n7DPI7B62P1TKGtK755RXztymUnIkNvOUW+TmyuPSBL523jB8SrPfw2
|
||||||
|
sasQ1G51IqKwAKhDEawDrJ4QAlfZXYJn1REoSpVWPLoGMfM5Aby0OBbzr0eYIJGp
|
||||||
|
92RMcWjfnUd5Xiw2sW97eRwdAF9WXdcH8Dz650z3bSstc2JeQq49cn9pZ6jG2Yxb
|
||||||
|
yuXJgkyWWFhBRRax/7FI065vdMFssB0xEHm4u/y8XJ4k/cQR8GZG9JPSwjVapb3X
|
||||||
|
3TTpDDV/wBFekfHHGJjM9ljuB5NXxYKficDsbHTDaC3ysg3kKzZN5cve0jdSf+P+
|
||||||
|
v9JLDgk5HZJ3r50/fMrLptzzpjFwToOS0qQV0/X8FpGRxHGjENh9gw3y+IsDEeY1
|
||||||
|
LVZKq1kkFhYz32h0m+E8OSA/gFcsNY+BG1Y7svtf9sewL84+a/Y=
|
||||||
|
=JKq4
|
||||||
|
-----END PGP SIGNATURE-----
|
||||||
@ -1,3 +1,58 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 30 15:14:51 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.1.0:
|
||||||
|
* Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
|
||||||
|
(CVE-2023-2650, bsc#1211430)
|
||||||
|
* Multiple algorithm implementation fixes for ARM BE platforms.
|
||||||
|
* Added a -pedantic option to fipsinstall that adjusts the various settings
|
||||||
|
to ensure strict FIPS compliance rather than backwards compatibility.
|
||||||
|
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
|
||||||
|
happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
|
||||||
|
trigger a crash of an application using AES-XTS decryption if the memory
|
||||||
|
just after the buffer being decrypted is not mapped. Thanks to Anton
|
||||||
|
Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714)
|
||||||
|
* Add FIPS provider configuration option to disallow the use of truncated
|
||||||
|
digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The
|
||||||
|
option '-no_drbg_truncated_digests' can optionally be supplied
|
||||||
|
to 'openssl fipsinstall'.
|
||||||
|
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that
|
||||||
|
it does not enable policy checking. Thanks to David Benjamin for
|
||||||
|
discovering this issue. (CVE-2023-0466, bsc#1209873)
|
||||||
|
* Fixed an issue where invalid certificate policies in leaf certificates are
|
||||||
|
silently ignored by OpenSSL and other certificate policy checks are
|
||||||
|
skipped for that certificate. A malicious CA could use this to
|
||||||
|
deliberately assert invalid certificate policies in order to circumvent
|
||||||
|
policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878)
|
||||||
|
* Limited the number of nodes created in a policy tree to mitigate against
|
||||||
|
CVE-2023-0464. The default limit is set to 1000 nodes, which should be
|
||||||
|
sufficient for most installations. If required, the limit can be adjusted
|
||||||
|
by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a
|
||||||
|
desired maximum number of nodes or zero to allow unlimited growth.
|
||||||
|
(CVE-2023-0464, bsc#1209624)
|
||||||
|
* Update openssl.keyring with key
|
||||||
|
A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz)
|
||||||
|
* Rebased patches:
|
||||||
|
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
|
- openssl-Add_support_for_Windows_CA_certificate_store.patch
|
||||||
|
* Removed patches:
|
||||||
|
- openssl-CVE-2023-0464.patch
|
||||||
|
- openssl-Fix-OBJ_nid2obj-regression.patch
|
||||||
|
- openssl-CVE-2023-0465.patch
|
||||||
|
- openssl-CVE-2023-0466.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 29 07:31:07 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116]
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 15 09:00:04 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
- Add support for Windows CA certificate store [bsc#1209430]
|
||||||
|
https://github.com/openssl/openssl/pull/18070
|
||||||
|
* Add openssl-Add_support_for_Windows_CA_certificate_store.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Mar 29 12:11:10 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
Wed Mar 29 12:11:10 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
|||||||
@ -22,7 +22,7 @@
|
|||||||
%define man_suffix 3ssl
|
%define man_suffix 3ssl
|
||||||
Name: openssl-3
|
Name: openssl-3
|
||||||
# Don't forget to update the version in the "openssl" meta-package!
|
# Don't forget to update the version in the "openssl" meta-package!
|
||||||
Version: 3.1.0
|
Version: 3.1.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Sockets and Transport Layer Security
|
Summary: Secure Sockets and Transport Layer Security
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -46,16 +46,11 @@ Patch6: openssl-no-date.patch
|
|||||||
# Add crypto-policies support
|
# Add crypto-policies support
|
||||||
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
||||||
# PATCH-FIX-UPSTREAM: bsc#1209624, CVE-2023-0464
|
|
||||||
Patch9: openssl-CVE-2023-0464.patch
|
|
||||||
# PATCH-FIX-OPENSUSE: Fix compiler error "initializer element is not constant" on s390
|
# PATCH-FIX-OPENSUSE: Fix compiler error "initializer element is not constant" on s390
|
||||||
Patch10: openssl-z16-s390x.patch
|
Patch9: openssl-z16-s390x.patch
|
||||||
# PATCH-FIX-UPSTREAM: bsc#1209430 Fix regression in OBJ_nid2obj
|
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
|
||||||
Patch11: openssl-Fix-OBJ_nid2obj-regression.patch
|
Patch10: openssl-Add_support_for_Windows_CA_certificate_store.patch
|
||||||
# PATCH-FIX-UPSTREAM: bsc#1209878, CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored
|
|
||||||
Patch12: openssl-CVE-2023-0465.patch
|
|
||||||
# PATCH-FIX-UPSTREAM: bsc#1209873, CVE-2023-0466 Certificate policy check not enabled
|
|
||||||
Patch13: openssl-CVE-2023-0466.patch
|
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: pkgconfig(zlib)
|
BuildRequires: pkgconfig(zlib)
|
||||||
Requires: libopenssl3 = %{version}-%{release}
|
Requires: libopenssl3 = %{version}-%{release}
|
||||||
@ -80,16 +75,21 @@ OpenSSL contains an implementation of the SSL and TLS protocols.
|
|||||||
|
|
||||||
%package -n libopenssl3
|
%package -n libopenssl3
|
||||||
Summary: Secure Sockets and Transport Layer Security
|
Summary: Secure Sockets and Transport Layer Security
|
||||||
License: Apache-2.0
|
BuildRequires: fipscheck
|
||||||
Recommends: ca-certificates-mozilla
|
Recommends: ca-certificates-mozilla
|
||||||
# install libopenssl and libopenssl-hmac close together (bsc#1090765)
|
|
||||||
Suggests: libopenssl3-hmac = %{version}-%{release}
|
|
||||||
Conflicts: %{name} < %{version}-%{release}
|
Conflicts: %{name} < %{version}-%{release}
|
||||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||||
Obsoletes: libopenssl1_1_0
|
Obsoletes: libopenssl1_1_0
|
||||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||||
Requires: crypto-policies
|
Requires: crypto-policies
|
||||||
%endif
|
%endif
|
||||||
|
# Merge back the hmac files bsc#1185116
|
||||||
|
Provides: libopenssl3-hmac = %{version}-%{release}
|
||||||
|
Obsoletes: libopenssl3-hmac < %{version}-%{release}
|
||||||
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||||
|
Obsoletes: libopenssl1_1_0-hmac
|
||||||
|
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
||||||
|
Obsoletes: libopenssl-1_0_0-hmac
|
||||||
|
|
||||||
%description -n libopenssl3
|
%description -n libopenssl3
|
||||||
OpenSSL is a software library to be used in applications that need to
|
OpenSSL is a software library to be used in applications that need to
|
||||||
@ -99,7 +99,6 @@ OpenSSL contains an implementation of the SSL and TLS protocols.
|
|||||||
|
|
||||||
%package -n libopenssl-3-devel
|
%package -n libopenssl-3-devel
|
||||||
Summary: Development files for OpenSSL
|
Summary: Development files for OpenSSL
|
||||||
License: Apache-2.0
|
|
||||||
Requires: libopenssl3 = %{version}
|
Requires: libopenssl3 = %{version}
|
||||||
Requires: pkgconfig(zlib)
|
Requires: pkgconfig(zlib)
|
||||||
Recommends: %{name} = %{version}
|
Recommends: %{name} = %{version}
|
||||||
@ -117,7 +116,6 @@ that want to make use of the OpenSSL C API.
|
|||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: Additional Package Documentation
|
Summary: Additional Package Documentation
|
||||||
License: Apache-2.0
|
|
||||||
Conflicts: openssl-doc
|
Conflicts: openssl-doc
|
||||||
Provides: openssl-doc = %{version}
|
Provides: openssl-doc = %{version}
|
||||||
Obsoletes: openssl-doc < %{version}
|
Obsoletes: openssl-doc < %{version}
|
||||||
@ -127,20 +125,6 @@ BuildArch: noarch
|
|||||||
This package contains optional documentation provided in addition to
|
This package contains optional documentation provided in addition to
|
||||||
this package's base documentation.
|
this package's base documentation.
|
||||||
|
|
||||||
%package -n libopenssl3-hmac
|
|
||||||
Summary: HMAC files for FIPS 140-3 integrity checking of the openssl shared libraries
|
|
||||||
License: BSD-3-Clause
|
|
||||||
BuildRequires: fipscheck
|
|
||||||
Requires: libopenssl3 = %{version}-%{release}
|
|
||||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
||||||
Obsoletes: libopenssl1_1_0-hmac
|
|
||||||
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
|
||||||
Obsoletes: libopenssl-1_0_0-hmac
|
|
||||||
|
|
||||||
%description -n libopenssl3-hmac
|
|
||||||
The FIPS compliant operation of the openssl shared libraries is NOT
|
|
||||||
possible without the HMAC hashes contained in this package!
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1 -n %{_rname}-%{version}
|
%autosetup -p1 -n %{_rname}-%{version}
|
||||||
|
|
||||||
@ -272,8 +256,6 @@ fi
|
|||||||
%dir %{_libdir}/ossl-modules
|
%dir %{_libdir}/ossl-modules
|
||||||
%{_libdir}/ossl-modules/fips.so
|
%{_libdir}/ossl-modules/fips.so
|
||||||
%{_libdir}/ossl-modules/legacy.so
|
%{_libdir}/ossl-modules/legacy.so
|
||||||
|
|
||||||
%files -n libopenssl3-hmac
|
|
||||||
%{_libdir}/.libssl.so.%{sover}.hmac
|
%{_libdir}/.libssl.so.%{sover}.hmac
|
||||||
%{_libdir}/.libcrypto.so.%{sover}.hmac
|
%{_libdir}/.libcrypto.so.%{sover}.hmac
|
||||||
|
|
||||||
|
|||||||
@ -97,7 +97,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
"High" encryption cipher suites. This currently means those with key lengths
|
"High" encryption cipher suites. This currently means those with key lengths
|
||||||
--- a/include/openssl/ssl.h.in
|
--- a/include/openssl/ssl.h.in
|
||||||
+++ b/include/openssl/ssl.h.in
|
+++ b/include/openssl/ssl.h.in
|
||||||
@@ -210,6 +210,11 @@ extern "C" {
|
@@ -213,6 +213,11 @@ extern "C" {
|
||||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||||
*/
|
*/
|
||||||
@ -111,7 +111,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
# define SSL_SENT_SHUTDOWN 1
|
# define SSL_SENT_SHUTDOWN 1
|
||||||
--- a/ssl/ssl_ciph.c
|
--- a/ssl/ssl_ciph.c
|
||||||
+++ b/ssl/ssl_ciph.c
|
+++ b/ssl/ssl_ciph.c
|
||||||
@@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -165,7 +165,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||||
@@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||||
const SSL_CIPHER **ca_list = NULL;
|
const SSL_CIPHER **ca_list = NULL;
|
||||||
const SSL_METHOD *ssl_method = ctx->method;
|
const SSL_METHOD *ssl_method = ctx->method;
|
||||||
@ -193,7 +193,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* To reduce the work to do we only want to process the compiled
|
* To reduce the work to do we only want to process the compiled
|
||||||
@@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||||
if (co_list == NULL) {
|
if (co_list == NULL) {
|
||||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||||
@ -202,7 +202,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
}
|
}
|
||||||
|
|
||||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||||
@@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
* in force within each class
|
* in force within each class
|
||||||
*/
|
*/
|
||||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||||
@ -212,7 +212,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||||
if (ca_list == NULL) {
|
if (ca_list == NULL) {
|
||||||
@ -223,7 +223,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
}
|
}
|
||||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||||
disabled_mkey, disabled_auth, disabled_enc,
|
disabled_mkey, disabled_auth, disabled_enc,
|
||||||
@@ -1628,8 +1683,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||||
|
|
||||||
if (!ok) { /* Rule processing failure */
|
if (!ok) { /* Rule processing failure */
|
||||||
@ -233,7 +233,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1637,10 +1691,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
* if we cannot get one.
|
* if we cannot get one.
|
||||||
*/
|
*/
|
||||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||||
@ -249,7 +249,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||||
@@ -1692,6 +1749,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
*cipher_list = cipherstack;
|
*cipher_list = cipherstack;
|
||||||
|
|
||||||
return cipherstack;
|
return cipherstack;
|
||||||
@ -266,7 +266,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||||
--- a/ssl/ssl_lib.c
|
--- a/ssl/ssl_lib.c
|
||||||
+++ b/ssl/ssl_lib.c
|
+++ b/ssl/ssl_lib.c
|
||||||
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||||
ctx->tls13_ciphersuites,
|
ctx->tls13_ciphersuites,
|
||||||
&(ctx->cipher_list),
|
&(ctx->cipher_list),
|
||||||
&(ctx->cipher_list_by_id),
|
&(ctx->cipher_list_by_id),
|
||||||
@ -275,7 +275,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||||
return 0;
|
return 0;
|
||||||
@@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
||||||
if (!ssl_create_cipher_list(ret,
|
if (!ssl_create_cipher_list(ret,
|
||||||
ret->tls13_ciphersuites,
|
ret->tls13_ciphersuites,
|
||||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||||
@ -298,8 +298,8 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
return 1;
|
return 1;
|
||||||
--- a/util/libcrypto.num
|
--- a/util/libcrypto.num
|
||||||
+++ b/util/libcrypto.num
|
+++ b/util/libcrypto.num
|
||||||
@@ -5434,3 +5434,4 @@ RAND_set0_private
|
@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup
|
||||||
EVP_MD_CTX_dup 5562 3_1_0 EXIST::FUNCTION:
|
|
||||||
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
||||||
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
|
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
|
||||||
|
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
|
||||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
|
|||||||
743
openssl-Add_support_for_Windows_CA_certificate_store.patch
Normal file
743
openssl-Add_support_for_Windows_CA_certificate_store.patch
Normal file
@ -0,0 +1,743 @@
|
|||||||
|
From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hugo Landau <hlandau@openssl.org>
|
||||||
|
Date: Fri, 8 Apr 2022 13:10:52 +0100
|
||||||
|
Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
|
||||||
|
env
|
||||||
|
|
||||||
|
Fixes #18068.
|
||||||
|
---
|
||||||
|
CHANGES.md | 21
|
||||||
|
Configure | 7
|
||||||
|
crypto/x509/by_dir.c | 17
|
||||||
|
crypto/x509/by_store.c | 14
|
||||||
|
crypto/x509/x509_def.c | 15
|
||||||
|
doc/build.info | 6
|
||||||
|
doc/man3/X509_get_default_cert_file.pod | 113 +++++
|
||||||
|
include/internal/cryptlib.h | 11
|
||||||
|
include/internal/e_os.h | 2
|
||||||
|
include/openssl/x509.h.in | 3
|
||||||
|
providers/implementations/include/prov/implementations.h | 1
|
||||||
|
providers/implementations/storemgmt/build.info | 3
|
||||||
|
providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++
|
||||||
|
providers/stores.inc | 3
|
||||||
|
util/libcrypto.num | 3
|
||||||
|
util/missingcrypto.txt | 4
|
||||||
|
16 files changed, 536 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
--- a/CHANGES.md
|
||||||
|
+++ b/CHANGES.md
|
||||||
|
@@ -24,6 +24,27 @@ OpenSSL 3.1
|
||||||
|
|
||||||
|
### Changes between 3.1.0 and 3.1.1 [30 May 2023]
|
||||||
|
|
||||||
|
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
|
||||||
|
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
|
||||||
|
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
|
||||||
|
+ paths which are searched for root certificates.
|
||||||
|
+
|
||||||
|
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
|
||||||
|
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
|
||||||
|
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
|
||||||
|
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
|
||||||
|
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
|
||||||
|
+ for the purposes of determining root certificate stores.
|
||||||
|
+
|
||||||
|
+ *Hugo Landau*
|
||||||
|
+
|
||||||
|
+ * Support for loading root certificates from the Windows certificate store
|
||||||
|
+ has been added. The support is in the form of a store which recognises the
|
||||||
|
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
|
||||||
|
+ can be disabled using the new compile-time option `no-winstore`.
|
||||||
|
+
|
||||||
|
+ *Hugo Landau*
|
||||||
|
+
|
||||||
|
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
|
||||||
|
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
|
||||||
|
|
||||||
|
--- a/Configure
|
||||||
|
+++ b/Configure
|
||||||
|
@@ -420,6 +420,7 @@ my @disablables = (
|
||||||
|
"cached-fetch",
|
||||||
|
"camellia",
|
||||||
|
"capieng",
|
||||||
|
+ "winstore",
|
||||||
|
"cast",
|
||||||
|
"chacha",
|
||||||
|
"cmac",
|
||||||
|
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+unless ($disabled{winstore}) {
|
||||||
|
+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
|
||||||
|
+ disable('not-windows', 'winstore');
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
|
||||||
|
|
||||||
|
# Get the extra flags used when building shared libraries and modules. We
|
||||||
|
--- a/crypto/x509/by_dir.c
|
||||||
|
+++ b/crypto/x509/by_dir.c
|
||||||
|
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
||||||
|
switch (cmd) {
|
||||||
|
case X509_L_ADD_DIR:
|
||||||
|
if (argl == X509_FILETYPE_DEFAULT) {
|
||||||
|
- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||||
|
+ /* If SSL_CERT_PATH is provided and non-empty, use that. */
|
||||||
|
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
|
||||||
|
|
||||||
|
- if (dir)
|
||||||
|
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||||
|
- else
|
||||||
|
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
|
||||||
|
- X509_FILETYPE_PEM);
|
||||||
|
+ /* Fallback to SSL_CERT_DIR. */
|
||||||
|
+ if (dir == NULL)
|
||||||
|
+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||||
|
+
|
||||||
|
+ /* Fallback to built-in default. */
|
||||||
|
+ if (dir == NULL)
|
||||||
|
+ dir = X509_get_default_cert_dir();
|
||||||
|
+
|
||||||
|
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||||
|
if (!ret) {
|
||||||
|
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
|
||||||
|
}
|
||||||
|
--- a/crypto/x509/by_store.c
|
||||||
|
+++ b/crypto/x509/by_store.c
|
||||||
|
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
|
||||||
|
{
|
||||||
|
switch (cmd) {
|
||||||
|
case X509_L_ADD_STORE:
|
||||||
|
- /* If no URI is given, use the default cert dir as default URI */
|
||||||
|
+ /* First try the newer default cert URI envvar. */
|
||||||
|
+ if (argp == NULL)
|
||||||
|
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
|
||||||
|
+
|
||||||
|
+ /* If not set, see if we have a URI in the older cert dir envvar. */
|
||||||
|
if (argp == NULL)
|
||||||
|
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||||
|
+
|
||||||
|
+ /* Fallback to default store URI. */
|
||||||
|
if (argp == NULL)
|
||||||
|
- argp = X509_get_default_cert_dir();
|
||||||
|
+ argp = X509_get_default_cert_uri();
|
||||||
|
+
|
||||||
|
+ /* No point adding an empty URI. */
|
||||||
|
+ if (!*argp)
|
||||||
|
+ return 1;
|
||||||
|
|
||||||
|
{
|
||||||
|
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
|
||||||
|
--- a/crypto/x509/x509_def.c
|
||||||
|
+++ b/crypto/x509/x509_def.c
|
||||||
|
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
|
||||||
|
return X509_CERT_AREA;
|
||||||
|
}
|
||||||
|
|
||||||
|
+const char *X509_get_default_cert_uri(void)
|
||||||
|
+{
|
||||||
|
+ return X509_CERT_URI;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
const char *X509_get_default_cert_dir(void)
|
||||||
|
{
|
||||||
|
return X509_CERT_DIR;
|
||||||
|
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
|
||||||
|
return X509_CERT_FILE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+const char *X509_get_default_cert_uri_env(void)
|
||||||
|
+{
|
||||||
|
+ return X509_CERT_URI_EVP;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+const char *X509_get_default_cert_path_env(void)
|
||||||
|
+{
|
||||||
|
+ return X509_CERT_PATH_EVP;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
const char *X509_get_default_cert_dir_env(void)
|
||||||
|
{
|
||||||
|
return X509_CERT_DIR_EVP;
|
||||||
|
--- a/doc/build.info
|
||||||
|
+++ b/doc/build.info
|
||||||
|
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
|
||||||
|
GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
|
||||||
|
DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
|
||||||
|
GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
|
||||||
|
+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
|
||||||
|
+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
|
||||||
|
+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
|
||||||
|
+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
|
||||||
|
DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
|
||||||
|
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
|
||||||
|
DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
|
||||||
|
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
|
||||||
|
html/man3/X509_get0_notBefore.html \
|
||||||
|
html/man3/X509_get0_signature.html \
|
||||||
|
html/man3/X509_get0_uids.html \
|
||||||
|
+html/man3/X509_get_default_cert_file.html \
|
||||||
|
html/man3/X509_get_extension_flags.html \
|
||||||
|
html/man3/X509_get_pubkey.html \
|
||||||
|
html/man3/X509_get_serialNumber.html \
|
||||||
|
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
|
||||||
|
man/man3/X509_get0_notBefore.3 \
|
||||||
|
man/man3/X509_get0_signature.3 \
|
||||||
|
man/man3/X509_get0_uids.3 \
|
||||||
|
+man/man3/X509_get_default_cert_file.3 \
|
||||||
|
man/man3/X509_get_extension_flags.3 \
|
||||||
|
man/man3/X509_get_pubkey.3 \
|
||||||
|
man/man3/X509_get_serialNumber.3 \
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/doc/man3/X509_get_default_cert_file.pod
|
||||||
|
@@ -0,0 +1,113 @@
|
||||||
|
+=pod
|
||||||
|
+
|
||||||
|
+=head1 NAME
|
||||||
|
+
|
||||||
|
+X509_get_default_cert_file, X509_get_default_cert_file_env,
|
||||||
|
+X509_get_default_cert_path_env,
|
||||||
|
+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
|
||||||
|
+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
|
||||||
|
+retrieve default locations for trusted CA certificates
|
||||||
|
+
|
||||||
|
+=head1 SYNOPSIS
|
||||||
|
+
|
||||||
|
+ #include <openssl/x509.h>
|
||||||
|
+
|
||||||
|
+ const char *X509_get_default_cert_file(void);
|
||||||
|
+ const char *X509_get_default_cert_dir(void);
|
||||||
|
+ const char *X509_get_default_cert_uri(void);
|
||||||
|
+
|
||||||
|
+ const char *X509_get_default_cert_file_env(void);
|
||||||
|
+ const char *X509_get_default_cert_path_env(void);
|
||||||
|
+ const char *X509_get_default_cert_dir_env(void);
|
||||||
|
+ const char *X509_get_default_cert_uri_env(void);
|
||||||
|
+
|
||||||
|
+=head1 DESCRIPTION
|
||||||
|
+
|
||||||
|
+The X509_get_default_cert_file() function returns the default path
|
||||||
|
+to a file containing trusted CA certificates. OpenSSL will use this as
|
||||||
|
+the default path when it is asked to load trusted CA certificates
|
||||||
|
+from a file and no other path is specified. If the file exists, CA certificates
|
||||||
|
+are loaded from the file.
|
||||||
|
+
|
||||||
|
+The X509_get_default_cert_dir() function returns a default delimeter-separated
|
||||||
|
+list of paths to a directories containing trusted CA certificates named in the
|
||||||
|
+hashed format. OpenSSL will use this as the default list of paths when it is
|
||||||
|
+asked to load trusted CA certificates from a directory and no other path is
|
||||||
|
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
|
||||||
|
+CA certificates in this directory by calculating a filename based on a hash of
|
||||||
|
+the certificate's subject name.
|
||||||
|
+
|
||||||
|
+The X509_get_default_cert_uri() function returns the default URI for a
|
||||||
|
+certificate store accessed programmatically via an OpenSSL provider. If there is
|
||||||
|
+no default store applicable to the system for which OpenSSL was compiled, this
|
||||||
|
+returns an empty string.
|
||||||
|
+
|
||||||
|
+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
|
||||||
|
+environment variable names which are recommended to specify nondefault values to
|
||||||
|
+be used instead of the values returned by X509_get_default_cert_file() and
|
||||||
|
+X509_get_default_cert_uri() respectively. The values returned by the latter
|
||||||
|
+functions are not affected by these environment variables; you must check for
|
||||||
|
+these environment variables yourself, using these functions to retrieve the
|
||||||
|
+correct environment variable names. If an environment variable is not set, the
|
||||||
|
+value returned by the corresponding function above should be used.
|
||||||
|
+
|
||||||
|
+X509_get_default_cert_path_env() returns the environment variable name which is
|
||||||
|
+recommended to specify a nondefault value to be used instead of the value
|
||||||
|
+returned by X509_get_default_cert_dir(). This environment variable supercedes
|
||||||
|
+the deprecated environment variable whose name is returned by
|
||||||
|
+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
|
||||||
|
+contents can be interpreted ambiguously; see NOTES.
|
||||||
|
+
|
||||||
|
+By default, OpenSSL uses the path list specified in the environment variable
|
||||||
|
+whose name is returned by X509_get_default_cert_path_env() if it is set;
|
||||||
|
+otherwise, it uses the path list specified in the environment variable whose
|
||||||
|
+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
|
||||||
|
+uses the value returned by X509_get_default_cert_dir()).
|
||||||
|
+
|
||||||
|
+=head1 NOTES
|
||||||
|
+
|
||||||
|
+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
|
||||||
|
+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
|
||||||
|
+release, store URIs were expressed via the environment variable returned by
|
||||||
|
+X509_get_default_cert_dir_env(); this environment variable could be used to
|
||||||
|
+specify either a list of directories or a store URI. This creates an ambiguity
|
||||||
|
+in which the environment variable returned by X509_get_default_cert_dir_env() is
|
||||||
|
+interpreted both as a list of directories and as a store URI.
|
||||||
|
+
|
||||||
|
+This usage and the environment variable returned by
|
||||||
|
+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
|
||||||
|
+the environment variable returned by X509_get_default_cert_uri_env(), and to
|
||||||
|
+specify a list of directories, use the environment variable returned by
|
||||||
|
+X509_get_default_cert_path_env().
|
||||||
|
+
|
||||||
|
+=head1 RETURN VALUES
|
||||||
|
+
|
||||||
|
+These functions return pointers to constant strings with static storage
|
||||||
|
+duration.
|
||||||
|
+
|
||||||
|
+=head1 SEE ALSO
|
||||||
|
+
|
||||||
|
+L<X509_LOOKUP(3)>,
|
||||||
|
+L<SSL_CTX_set_default_verify_file(3)>,
|
||||||
|
+L<SSL_CTX_set_default_verify_dir(3)>,
|
||||||
|
+L<SSL_CTX_set_default_verify_store(3)>,
|
||||||
|
+L<SSL_CTX_load_verify_file(3)>,
|
||||||
|
+L<SSL_CTX_load_verify_dir(3)>,
|
||||||
|
+L<SSL_CTX_load_verify_store(3)>,
|
||||||
|
+L<SSL_CTX_load_verify_locations(3)>
|
||||||
|
+
|
||||||
|
+=head1 HISTORY
|
||||||
|
+
|
||||||
|
+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
|
||||||
|
+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
|
||||||
|
+
|
||||||
|
+=head1 COPYRIGHT
|
||||||
|
+
|
||||||
|
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+
|
||||||
|
+Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||||
|
+this file except in compliance with the License. You can obtain a copy
|
||||||
|
+in the file LICENSE in the source distribution or at
|
||||||
|
+L<https://www.openssl.org/source/license.html>.
|
||||||
|
+
|
||||||
|
+=cut
|
||||||
|
--- a/include/internal/cryptlib.h
|
||||||
|
+++ b/include/internal/cryptlib.h
|
||||||
|
@@ -13,6 +13,8 @@
|
||||||
|
|
||||||
|
# include <stdlib.h>
|
||||||
|
# include <string.h>
|
||||||
|
+# include "openssl/configuration.h"
|
||||||
|
+# include "internal/e_os.h" /* ossl_inline in many files */
|
||||||
|
|
||||||
|
# ifdef OPENSSL_USE_APPLINK
|
||||||
|
# define BIO_FLAGS_UPLINK_INTERNAL 0x8000
|
||||||
|
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
|
||||||
|
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
|
||||||
|
# endif
|
||||||
|
|
||||||
|
+#ifndef OPENSSL_NO_WINSTORE
|
||||||
|
+# define X509_CERT_URI "org.openssl.winstore://"
|
||||||
|
+#else
|
||||||
|
+# define X509_CERT_URI ""
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
|
||||||
|
+# define X509_CERT_PATH_EVP "SSL_CERT_PATH"
|
||||||
|
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
|
||||||
|
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
|
||||||
|
# define CTLOG_FILE_EVP "CTLOG_FILE"
|
||||||
|
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
|
||||||
|
# endif
|
||||||
|
return path[0] == '/';
|
||||||
|
}
|
||||||
|
-
|
||||||
|
#endif
|
||||||
|
--- a/include/internal/e_os.h
|
||||||
|
+++ b/include/internal/e_os.h
|
||||||
|
@@ -249,7 +249,7 @@ FILE *__iob_func();
|
||||||
|
/***********************************************/
|
||||||
|
|
||||||
|
# if defined(OPENSSL_SYS_WINDOWS)
|
||||||
|
-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
|
||||||
|
+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
|
||||||
|
# define open _open
|
||||||
|
# define fdopen _fdopen
|
||||||
|
# define close _close
|
||||||
|
--- a/include/openssl/x509.h.in
|
||||||
|
+++ b/include/openssl/x509.h.in
|
||||||
|
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
|
||||||
|
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
|
||||||
|
|
||||||
|
const char *X509_get_default_cert_area(void);
|
||||||
|
+const char *X509_get_default_cert_uri(void);
|
||||||
|
const char *X509_get_default_cert_dir(void);
|
||||||
|
const char *X509_get_default_cert_file(void);
|
||||||
|
+const char *X509_get_default_cert_uri_env(void);
|
||||||
|
+const char *X509_get_default_cert_path_env(void);
|
||||||
|
const char *X509_get_default_cert_dir_env(void);
|
||||||
|
const char *X509_get_default_cert_file_env(void);
|
||||||
|
const char *X509_get_default_private_dir(void);
|
||||||
|
--- a/providers/implementations/include/prov/implementations.h
|
||||||
|
+++ b/providers/implementations/include/prov/implementations.h
|
||||||
|
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
|
||||||
|
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
|
||||||
|
|
||||||
|
extern const OSSL_DISPATCH ossl_file_store_functions[];
|
||||||
|
+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
|
||||||
|
--- a/providers/implementations/storemgmt/build.info
|
||||||
|
+++ b/providers/implementations/storemgmt/build.info
|
||||||
|
@@ -4,3 +4,6 @@
|
||||||
|
$STORE_GOAL=../../libdefault.a
|
||||||
|
|
||||||
|
SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
|
||||||
|
+IF[{- !$disabled{winstore} -}]
|
||||||
|
+ SOURCE[$STORE_GOAL]=winstore_store.c
|
||||||
|
+ENDIF
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/providers/implementations/storemgmt/winstore_store.c
|
||||||
|
@@ -0,0 +1,327 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+ *
|
||||||
|
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||||
|
+ * this file except in compliance with the License. You can obtain a copy
|
||||||
|
+ * in the file LICENSE in the source distribution or at
|
||||||
|
+ * https://www.openssl.org/source/license.html
|
||||||
|
+ */
|
||||||
|
+#include <openssl/store.h>
|
||||||
|
+#include <openssl/core_dispatch.h>
|
||||||
|
+#include <openssl/core_names.h>
|
||||||
|
+#include <openssl/core_object.h>
|
||||||
|
+#include <openssl/bio.h>
|
||||||
|
+#include <openssl/err.h>
|
||||||
|
+#include <openssl/params.h>
|
||||||
|
+#include <openssl/decoder.h>
|
||||||
|
+#include <openssl/proverr.h>
|
||||||
|
+#include <openssl/store.h> /* The OSSL_STORE_INFO type numbers */
|
||||||
|
+#include "internal/cryptlib.h"
|
||||||
|
+#include "internal/o_dir.h"
|
||||||
|
+#include "crypto/decoder.h"
|
||||||
|
+#include "crypto/ctype.h" /* ossl_isdigit() */
|
||||||
|
+#include "prov/implementations.h"
|
||||||
|
+#include "prov/bio.h"
|
||||||
|
+#include "file_store_local.h"
|
||||||
|
+
|
||||||
|
+#include <wincrypt.h>
|
||||||
|
+
|
||||||
|
+enum {
|
||||||
|
+ STATE_IDLE,
|
||||||
|
+ STATE_READ,
|
||||||
|
+ STATE_EOF,
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct winstore_ctx_st {
|
||||||
|
+ void *provctx;
|
||||||
|
+ char *propq;
|
||||||
|
+ unsigned char *subject;
|
||||||
|
+ size_t subject_len;
|
||||||
|
+
|
||||||
|
+ HCERTSTORE win_store;
|
||||||
|
+ const CERT_CONTEXT *win_ctx;
|
||||||
|
+ int state;
|
||||||
|
+
|
||||||
|
+ OSSL_DECODER_CTX *dctx;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static void winstore_win_reset(struct winstore_ctx_st *ctx)
|
||||||
|
+{
|
||||||
|
+ if (ctx->win_ctx != NULL) {
|
||||||
|
+ CertFreeCertificateContext(ctx->win_ctx);
|
||||||
|
+ ctx->win_ctx = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ctx->state = STATE_IDLE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void winstore_win_advance(struct winstore_ctx_st *ctx)
|
||||||
|
+{
|
||||||
|
+ CERT_NAME_BLOB name = {0};
|
||||||
|
+
|
||||||
|
+ if (ctx->state == STATE_EOF)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ name.cbData = ctx->subject_len;
|
||||||
|
+ name.pbData = ctx->subject;
|
||||||
|
+
|
||||||
|
+ ctx->win_ctx = (name.cbData == 0 ? NULL :
|
||||||
|
+ CertFindCertificateInStore(ctx->win_store,
|
||||||
|
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
||||||
|
+ 0, CERT_FIND_SUBJECT_NAME,
|
||||||
|
+ &name, ctx->win_ctx));
|
||||||
|
+
|
||||||
|
+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void *winstore_open(void *provctx, const char *uri)
|
||||||
|
+{
|
||||||
|
+ struct winstore_ctx_st *ctx = NULL;
|
||||||
|
+
|
||||||
|
+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
|
||||||
|
+ if (ctx == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ ctx->provctx = provctx;
|
||||||
|
+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT");
|
||||||
|
+ if (ctx->win_store == NULL) {
|
||||||
|
+ OPENSSL_free(ctx);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ winstore_win_reset(ctx);
|
||||||
|
+ return ctx;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
|
||||||
|
+{
|
||||||
|
+ return NULL; /* not supported */
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
|
||||||
|
+{
|
||||||
|
+ static const OSSL_PARAM known_settable_ctx_params[] = {
|
||||||
|
+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
|
||||||
|
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
|
||||||
|
+ OSSL_PARAM_END
|
||||||
|
+ };
|
||||||
|
+ return known_settable_ctx_params;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
|
||||||
|
+{
|
||||||
|
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||||
|
+ const OSSL_PARAM *p;
|
||||||
|
+ int do_reset = 0;
|
||||||
|
+
|
||||||
|
+ if (params == NULL)
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ do_reset = 1;
|
||||||
|
+ OPENSSL_free(ctx->propq);
|
||||||
|
+ ctx->propq = NULL;
|
||||||
|
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ const unsigned char *der = NULL;
|
||||||
|
+ size_t der_len = 0;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ do_reset = 1;
|
||||||
|
+
|
||||||
|
+ OPENSSL_free(ctx->subject);
|
||||||
|
+
|
||||||
|
+ ctx->subject = OPENSSL_malloc(der_len);
|
||||||
|
+ if (ctx->subject == NULL) {
|
||||||
|
+ ctx->subject_len = 0;
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ctx->subject_len = der_len;
|
||||||
|
+ memcpy(ctx->subject, der, der_len);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (do_reset) {
|
||||||
|
+ winstore_win_reset(ctx);
|
||||||
|
+ winstore_win_advance(ctx);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+struct load_data_st {
|
||||||
|
+ OSSL_CALLBACK *object_cb;
|
||||||
|
+ void *object_cbarg;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
|
||||||
|
+ const OSSL_PARAM *params, void *construct_data)
|
||||||
|
+{
|
||||||
|
+ struct load_data_st *data = construct_data;
|
||||||
|
+ return data->object_cb(params, data->object_cbarg);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void load_cleanup(void *construct_data)
|
||||||
|
+{
|
||||||
|
+ /* No-op. */
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int setup_decoder(struct winstore_ctx_st *ctx)
|
||||||
|
+{
|
||||||
|
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
|
||||||
|
+ const OSSL_ALGORITHM *to_algo = NULL;
|
||||||
|
+
|
||||||
|
+ if (ctx->dctx != NULL)
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+ ctx->dctx = OSSL_DECODER_CTX_new();
|
||||||
|
+ if (ctx->dctx == NULL) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (to_algo = ossl_any_to_obj_algorithm;
|
||||||
|
+ to_algo->algorithm_names != NULL;
|
||||||
|
+ to_algo++) {
|
||||||
|
+ OSSL_DECODER *to_obj = NULL;
|
||||||
|
+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Create the internal last resort decoder implementation
|
||||||
|
+ * together with a "decoder instance".
|
||||||
|
+ * The decoder doesn't need any identification or to be
|
||||||
|
+ * attached to any provider, since it's only used locally.
|
||||||
|
+ */
|
||||||
|
+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
|
||||||
|
+ if (to_obj != NULL)
|
||||||
|
+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
|
||||||
|
+
|
||||||
|
+ OSSL_DECODER_free(to_obj);
|
||||||
|
+ if (to_obj_inst == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
|
||||||
|
+ to_obj_inst)) {
|
||||||
|
+ ossl_decoder_instance_free(to_obj_inst);
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+err:
|
||||||
|
+ OSSL_DECODER_CTX_free(ctx->dctx);
|
||||||
|
+ ctx->dctx = NULL;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int winstore_load_using(struct winstore_ctx_st *ctx,
|
||||||
|
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
|
||||||
|
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
|
||||||
|
+ const void *der, size_t der_len)
|
||||||
|
+{
|
||||||
|
+ struct load_data_st data;
|
||||||
|
+ const unsigned char *der_ = der;
|
||||||
|
+ size_t der_len_ = der_len;
|
||||||
|
+
|
||||||
|
+ if (setup_decoder(ctx) == 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ data.object_cb = object_cb;
|
||||||
|
+ data.object_cbarg = object_cbarg;
|
||||||
|
+
|
||||||
|
+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
|
||||||
|
+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
|
||||||
|
+
|
||||||
|
+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int winstore_load(void *loaderctx,
|
||||||
|
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
|
||||||
|
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||||
|
+
|
||||||
|
+ if (ctx->state != STATE_READ)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
|
||||||
|
+ ctx->win_ctx->pbCertEncoded,
|
||||||
|
+ ctx->win_ctx->cbCertEncoded);
|
||||||
|
+
|
||||||
|
+ if (ret == 1)
|
||||||
|
+ winstore_win_advance(ctx);
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int winstore_eof(void *loaderctx)
|
||||||
|
+{
|
||||||
|
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||||
|
+
|
||||||
|
+ return ctx->state != STATE_READ;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int winstore_close(void *loaderctx)
|
||||||
|
+{
|
||||||
|
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||||
|
+
|
||||||
|
+ winstore_win_reset(ctx);
|
||||||
|
+ CertCloseStore(ctx->win_store, 0);
|
||||||
|
+ OSSL_DECODER_CTX_free(ctx->dctx);
|
||||||
|
+ OPENSSL_free(ctx->propq);
|
||||||
|
+ OPENSSL_free(ctx->subject);
|
||||||
|
+ OPENSSL_free(ctx);
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
|
||||||
|
+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
|
||||||
|
+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
|
||||||
|
+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
|
||||||
|
+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
|
||||||
|
+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
|
||||||
|
+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
|
||||||
|
+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
|
||||||
|
+ { 0, NULL },
|
||||||
|
+};
|
||||||
|
--- a/providers/stores.inc
|
||||||
|
+++ b/providers/stores.inc
|
||||||
|
@@ -12,3 +12,6 @@
|
||||||
|
#endif
|
||||||
|
|
||||||
|
STORE("file", "yes", ossl_file_store_functions)
|
||||||
|
+#ifndef OPENSSL_NO_WINSTORE
|
||||||
|
+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
|
||||||
|
+#endif
|
||||||
|
--- a/util/libcrypto.num
|
||||||
|
+++ b/util/libcrypto.num
|
||||||
|
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
|
||||||
|
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
||||||
|
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
|
||||||
|
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
|
||||||
|
+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION:
|
||||||
|
+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
|
||||||
|
+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
|
||||||
|
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
|
--- a/util/missingcrypto.txt
|
||||||
|
+++ b/util/missingcrypto.txt
|
||||||
|
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
|
||||||
|
X509_get1_email(3)
|
||||||
|
X509_get1_ocsp(3)
|
||||||
|
X509_get_default_cert_area(3)
|
||||||
|
-X509_get_default_cert_dir(3)
|
||||||
|
-X509_get_default_cert_dir_env(3)
|
||||||
|
-X509_get_default_cert_file(3)
|
||||||
|
-X509_get_default_cert_file_env(3)
|
||||||
|
X509_get_default_private_dir(3)
|
||||||
|
X509_get_pubkey_parameters(3)
|
||||||
|
X509_get_signature_type(3)
|
||||||
@ -1,817 +0,0 @@
|
|||||||
From f7109ee5aa1f93fc4d52d7c2f64b0a134841f1a3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Pauli <pauli@openssl.org>
|
|
||||||
Date: Wed, 8 Mar 2023 15:28:20 +1100
|
|
||||||
Subject: [PATCH 1/3] x509: excessive resource use verifying policy constraints
|
|
||||||
|
|
||||||
A security vulnerability has been identified in all supported versions
|
|
||||||
of OpenSSL related to the verification of X.509 certificate chains
|
|
||||||
that include policy constraints. Attackers may be able to exploit this
|
|
||||||
vulnerability by creating a malicious certificate chain that triggers
|
|
||||||
exponential use of computational resources, leading to a denial-of-service
|
|
||||||
(DoS) attack on affected systems.
|
|
||||||
|
|
||||||
Fixes CVE-2023-0464
|
|
||||||
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
||||||
---
|
|
||||||
CHANGES.md | 9
|
|
||||||
crypto/x509/pcy_local.h | 8
|
|
||||||
crypto/x509/pcy_node.c | 12
|
|
||||||
crypto/x509/pcy_tree.c | 36
|
|
||||||
test/recipes/80-test_policy_tree.t | 41 +
|
|
||||||
test/recipes/80-test_policy_tree_data/large_leaf.pem | 11
|
|
||||||
test/recipes/80-test_policy_tree_data/large_policy_tree.pem | 434 ++++++++++++
|
|
||||||
test/recipes/80-test_policy_tree_data/small_leaf.pem | 11
|
|
||||||
test/recipes/80-test_policy_tree_data/small_policy_tree.pem | 70 +
|
|
||||||
9 files changed, 618 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
--- a/CHANGES.md
|
|
||||||
+++ b/CHANGES.md
|
|
||||||
@@ -24,6 +24,15 @@ OpenSSL 3.1
|
|
||||||
|
|
||||||
### Changes between 3.0 and 3.1.0 [14 Mar 2023]
|
|
||||||
|
|
||||||
+ * Limited the number of nodes created in a policy tree to mitigate
|
|
||||||
+ against CVE-2023-0464. The default limit is set to 1000 nodes, which
|
|
||||||
+ should be sufficient for most installations. If required, the limit
|
|
||||||
+ can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
|
|
||||||
+ time define to a desired maximum number of nodes or zero to allow
|
|
||||||
+ unlimited growth.
|
|
||||||
+
|
|
||||||
+ *Paul Dale*
|
|
||||||
+
|
|
||||||
* Add FIPS provider configuration option to enforce the
|
|
||||||
Extended Master Secret (EMS) check during the TLS1_PRF KDF.
|
|
||||||
The option '-ems-check' can optionally be supplied to
|
|
||||||
--- a/crypto/x509/pcy_local.h
|
|
||||||
+++ b/crypto/x509/pcy_local.h
|
|
||||||
@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
|
|
||||||
};
|
|
||||||
|
|
||||||
struct X509_POLICY_TREE_st {
|
|
||||||
+ /* The number of nodes in the tree */
|
|
||||||
+ size_t node_count;
|
|
||||||
+ /* The maximum number of nodes in the tree */
|
|
||||||
+ size_t node_maximum;
|
|
||||||
+
|
|
||||||
/* This is the tree 'level' data */
|
|
||||||
X509_POLICY_LEVEL *levels;
|
|
||||||
int nlevel;
|
|
||||||
@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_
|
|
||||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
|
||||||
X509_POLICY_DATA *data,
|
|
||||||
X509_POLICY_NODE *parent,
|
|
||||||
- X509_POLICY_TREE *tree);
|
|
||||||
+ X509_POLICY_TREE *tree,
|
|
||||||
+ int extra_data);
|
|
||||||
void ossl_policy_node_free(X509_POLICY_NODE *node);
|
|
||||||
int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
|
|
||||||
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
|
|
||||||
--- a/crypto/x509/pcy_node.c
|
|
||||||
+++ b/crypto/x509/pcy_node.c
|
|
||||||
@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find
|
|
||||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
|
||||||
X509_POLICY_DATA *data,
|
|
||||||
X509_POLICY_NODE *parent,
|
|
||||||
- X509_POLICY_TREE *tree)
|
|
||||||
+ X509_POLICY_TREE *tree,
|
|
||||||
+ int extra_data)
|
|
||||||
{
|
|
||||||
X509_POLICY_NODE *node;
|
|
||||||
|
|
||||||
+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
|
|
||||||
+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
node = OPENSSL_zalloc(sizeof(*node));
|
|
||||||
if (node == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
|
||||||
@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_
|
|
||||||
}
|
|
||||||
node->data = data;
|
|
||||||
node->parent = parent;
|
|
||||||
- if (level) {
|
|
||||||
+ if (level != NULL) {
|
|
||||||
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
|
|
||||||
if (level->anyPolicy)
|
|
||||||
goto node_error;
|
|
||||||
@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (tree) {
|
|
||||||
+ if (extra_data) {
|
|
||||||
if (tree->extra_data == NULL)
|
|
||||||
tree->extra_data = sk_X509_POLICY_DATA_new_null();
|
|
||||||
if (tree->extra_data == NULL){
|
|
||||||
@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ tree->node_count++;
|
|
||||||
if (parent)
|
|
||||||
parent->nchild++;
|
|
||||||
|
|
||||||
--- a/crypto/x509/pcy_tree.c
|
|
||||||
+++ b/crypto/x509/pcy_tree.c
|
|
||||||
@@ -14,6 +14,17 @@
|
|
||||||
|
|
||||||
#include "pcy_local.h"
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * If the maximum number of nodes in the policy tree isn't defined, set it to
|
|
||||||
+ * a generous default of 1000 nodes.
|
|
||||||
+ *
|
|
||||||
+ * Defining this to be zero means unlimited policy tree growth which opens the
|
|
||||||
+ * door on CVE-2023-0464.
|
|
||||||
+ */
|
|
||||||
+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
|
|
||||||
+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static void expected_print(BIO *channel,
|
|
||||||
X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
|
|
||||||
int indent)
|
|
||||||
@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **
|
|
||||||
return X509_PCY_TREE_INTERNAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
|
|
||||||
+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
|
|
||||||
*
|
|
||||||
@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **
|
|
||||||
if ((data = ossl_policy_data_new(NULL,
|
|
||||||
OBJ_nid2obj(NID_any_policy), 0)) == NULL)
|
|
||||||
goto bad_tree;
|
|
||||||
- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
|
|
||||||
+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
|
|
||||||
ossl_policy_data_free(data);
|
|
||||||
goto bad_tree;
|
|
||||||
}
|
|
||||||
@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **
|
|
||||||
* Return value: 1 on success, 0 otherwise
|
|
||||||
*/
|
|
||||||
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
|
||||||
- X509_POLICY_DATA *data)
|
|
||||||
+ X509_POLICY_DATA *data,
|
|
||||||
+ X509_POLICY_TREE *tree)
|
|
||||||
{
|
|
||||||
X509_POLICY_LEVEL *last = curr - 1;
|
|
||||||
int i, matched = 0;
|
|
||||||
@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509
|
|
||||||
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
|
|
||||||
|
|
||||||
if (ossl_policy_node_match(last, node, data->valid_policy)) {
|
|
||||||
- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
|
|
||||||
+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
|
|
||||||
return 0;
|
|
||||||
matched = 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (!matched && last->anyPolicy) {
|
|
||||||
- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
|
|
||||||
+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509
|
|
||||||
* Return value: 1 on success, 0 otherwise.
|
|
||||||
*/
|
|
||||||
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
|
||||||
- const X509_POLICY_CACHE *cache)
|
|
||||||
+ const X509_POLICY_CACHE *cache,
|
|
||||||
+ X509_POLICY_TREE *tree)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
|
|
||||||
@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_L
|
|
||||||
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
|
|
||||||
|
|
||||||
/* Look for matching nodes in previous level */
|
|
||||||
- if (!tree_link_matching_nodes(curr, data))
|
|
||||||
+ if (!tree_link_matching_nodes(curr, data, tree))
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLIC
|
|
||||||
/* Curr may not have anyPolicy */
|
|
||||||
data->qualifier_set = cache->anyPolicy->qualifier_set;
|
|
||||||
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
|
|
||||||
- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
|
|
||||||
+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
|
|
||||||
ossl_policy_data_free(data);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEV
|
|
||||||
/* Finally add link to anyPolicy */
|
|
||||||
if (last->anyPolicy &&
|
|
||||||
ossl_policy_level_add_node(curr, cache->anyPolicy,
|
|
||||||
- last->anyPolicy, NULL) == NULL)
|
|
||||||
+ last->anyPolicy, tree, 0) == NULL)
|
|
||||||
return 0;
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_
|
|
||||||
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
|
|
||||||
| POLICY_DATA_FLAG_EXTRA_NODE;
|
|
||||||
node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
|
|
||||||
- tree);
|
|
||||||
+ tree, 1);
|
|
||||||
}
|
|
||||||
if (!tree->user_policies) {
|
|
||||||
tree->user_policies = sk_X509_POLICY_NODE_new_null();
|
|
||||||
@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TRE
|
|
||||||
|
|
||||||
for (i = 1; i < tree->nlevel; i++, curr++) {
|
|
||||||
cache = ossl_policy_cache_set(curr->cert);
|
|
||||||
- if (!tree_link_nodes(curr, cache))
|
|
||||||
+ if (!tree_link_nodes(curr, cache, tree))
|
|
||||||
return X509_PCY_TREE_INTERNAL;
|
|
||||||
|
|
||||||
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/80-test_policy_tree.t
|
|
||||||
@@ -0,0 +1,41 @@
|
|
||||||
+#! /usr/bin/env perl
|
|
||||||
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+#
|
|
||||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+# this file except in compliance with the License. You can obtain a copy
|
|
||||||
+# in the file LICENSE in the source distribution or at
|
|
||||||
+# https://www.openssl.org/source/license.html
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+use strict;
|
|
||||||
+use warnings;
|
|
||||||
+
|
|
||||||
+use POSIX;
|
|
||||||
+use OpenSSL::Test qw/:DEFAULT srctop_file with data_file/;
|
|
||||||
+
|
|
||||||
+use OpenSSL::Test::Utils;
|
|
||||||
+use OpenSSL::Glob;
|
|
||||||
+
|
|
||||||
+setup("test_policy_tree");
|
|
||||||
+
|
|
||||||
+plan tests => 2;
|
|
||||||
+
|
|
||||||
+# The small pathological tree is expected to work
|
|
||||||
+my $small_chain = srctop_file("test", "recipes", "80-test_policy_tree_data",
|
|
||||||
+ "small_policy_tree.pem");
|
|
||||||
+my $small_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data",
|
|
||||||
+ "small_leaf.pem");
|
|
||||||
+
|
|
||||||
+ok(run(app(["openssl", "verify", "-CAfile", $small_chain,
|
|
||||||
+ "-policy_check", $small_leaf])),
|
|
||||||
+ "test small policy tree");
|
|
||||||
+
|
|
||||||
+# The large pathological tree is expected to fail
|
|
||||||
+my $large_chain = srctop_file("test", "recipes", "80-test_policy_tree_data",
|
|
||||||
+ "large_policy_tree.pem");
|
|
||||||
+my $large_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data",
|
|
||||||
+ "large_leaf.pem");
|
|
||||||
+
|
|
||||||
+ok(!run(app(["openssl", "verify", "-CAfile", $large_chain,
|
|
||||||
+ "-policy_check", $large_leaf])),
|
|
||||||
+ "test large policy tree");
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/80-test_policy_tree_data/large_leaf.pem
|
|
||||||
@@ -0,0 +1,11 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIBmTCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
|
|
||||||
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp6Qe
|
|
||||||
+jrN6A0ZjqaFbX/zO01aVYXH5kthBDTEO/fU4H0CdwqrfyMsFrObwssrTJcsmSFKP
|
|
||||||
+x1FYr8wT2wCACs19lqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
|
|
||||||
+MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49
|
|
||||||
+BAMCA0gAMEUCIDGT8SVBkWJEZ2EzXm8M895NrNRmfc8uoheP0KKv+ndHAiEA2Onr
|
|
||||||
+20J+zTaR7vONY/1DleMm7fGY3UxTobSHSvOKbfY=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/80-test_policy_tree_data/large_policy_tree.pem
|
|
||||||
@@ -0,0 +1,434 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATgyLz1C0dD
|
|
||||||
+ib5J/QmoE4d+Nf5yvvlzjVZHWIu7iCMEqK67cnA1RtMp1d0xdiNQS6si3ExNPBF+
|
|
||||||
+ELdkP0E6x26Jo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSs+ml5upH1h25oUB0Ep4vd
|
|
||||||
+SUdZ/DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAOME8j1/cMogNnuNCb0O
|
|
||||||
+RIOE9pLP4je78KJiP8CZm0iOAiALr8NI67orD/VpfRptkjCmOd7rTWMVOOJfBr6N
|
|
||||||
+VJFLjw==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIdzU/FF3Y
|
|
||||||
+rTsTX04fRIN2yrZwxvOAfZ6DuEgKRxEimJx1nCyETuMmfDowm52mx/Cyk08xorp8
|
|
||||||
+PhGEbacMd9kio4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSwok/8RfJbVGTzyF5jhWLc
|
|
||||||
+hO7pcDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgYVF7bXxUuOzAZF6SmeIJ
|
|
||||||
+s+iL15bLSQ2rW7QDc6QYp9MCIAup6YokIcr8JaGttHmLaKbASQLxYDGHhfFIVZuI
|
|
||||||
+BDvT
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ38Llxxj32
|
|
||||||
+H3NN4Z1V8IuRKXLNhdU4z+NbT1rahusEyAHF+z9VTjim+HHfqFKV1QyNOJZ4rMA9
|
|
||||||
+J/gODWsNCT4po4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS11YgFNKTx3a6kssIijnA9
|
|
||||||
+DiOhoTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAJXNZHMpvlnMfxhcG6EF
|
|
||||||
+Vw1pEXJ+iZnWT+Yu02a2zhamAiAiOKNhALBw/iKhQrwLo0cdx6UEfUKbaqTSGiax
|
|
||||||
+tHUylA==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATo81HWQ/we
|
|
||||||
+egmoO/LMntQK1VQ9YzU627nblv/XWoOjEd/tBeE8+Un4jUnhZqNrP2TAzy48jEaT
|
|
||||||
+1DShCQNQGek7o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS6/F38QgbZSHib0W1XtMfs
|
|
||||||
+4O5DTDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgXMYCQWi5/6iQw+zqyEav
|
|
||||||
+CE7kOfTpm9GN4bZX5Eau5AACIQD0rDZwsjWf6hI2Hn8IlpwYVVC9bpxrAM/JmYuu
|
|
||||||
+79V/uw==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgNjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARsPMjOkmzJ
|
|
||||||
+2jwT30mKUvAFYVgOlgcoXxYr61p54mbQMmmH49ABmJQMu5rjwjwYlYA3UzbEN9ki
|
|
||||||
+hMsJz/4JIrJGo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQeflZRWUze+7jne9MkYYy5
|
|
||||||
+iWFgJDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAIN6BjMnPlixl3i6Z1Xa
|
|
||||||
+pZQt52MOCHPm0XzXDn2XlC9+AiAn146u8rbppdEGMFr21vfFZaktwEb0cZkC9fBp
|
|
||||||
+S1uKwQ==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBBjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgNzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVmpozZzxX
|
|
||||||
+f6rFinkqS0y8sfbOwcM0gNuR0x83mmZH5+a8W4ug5W80QiBaS3rHtwTsFHpCeQKq
|
|
||||||
+eJvfb/esgJu8o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQPuF2sXR0vOHJynh57qefK
|
|
||||||
++h7RGDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgDX0jHPq1alZoMbPDmbZp
|
|
||||||
+QYuM9UQagQ5KJgVU1B0Mh2ECIQCtdyfT2h5jZvz3lLKkQ9a6LddIuqsyNKDAxbpb
|
|
||||||
+PlBOOA==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgODAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASb+9fN9RLe
|
|
||||||
+SHGynsKXhLWGhIS/kZ6Yl97+h23xpjLaZUOzhn5VafXdmLrQ4BmqSMHqIKzcc8IB
|
|
||||||
+STV3NwO4NxPBo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTBF9x+MrsyqoCaTQ2kB7Bn
|
|
||||||
+tpK2qDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAI37Di/5MrSj2clr+2pX
|
|
||||||
+iXzeDIvlaxzVetyH3ibUZZBSAiA41aPIssHi9evv2mZonEvXY8g+DKbh/3L2mSub
|
|
||||||
+/AyLoA==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICETCCAbagAwIBAgIBCDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgOTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrRS12/zEP
|
|
||||||
+RUNye9SLadN4xK+xfTwyXfxeC+jam+J98lOMcHz6abnLpk5tJ7wab4Pkygsbj1V2
|
|
||||||
+STxeW+YH23dto4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQYpYFLhosbir7KoyYdehsQ
|
|
||||||
+6DdLfzAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAPTCN+zWFG2cFzJ+nlfg
|
|
||||||
+JMY4U2e3vqTQmFeBXYlBASb9AiEA0KvsyNwloF1YeeaYcP5iHoRGRo8UMD3QWKEE
|
|
||||||
+vWI14Uk=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbegAwIBAgIBCTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBYxFDASBgNV
|
|
||||||
+BAMTC1BvbGljeSBDQSA5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoR4udEgt
|
|
||||||
+usb9f946+Xznm7Q3OaW4DTZjO7wqX1I+27zDp0JrUbCZwtm0Cw+pYkG5kPpNcFTK
|
|
||||||
+7yG3YgqM1sT+6aOB8jCB7zAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYB
|
|
||||||
+BQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjgtOHvFBcUQ03AKUbvuJ
|
|
||||||
+IWO5lzUwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFlAwIBMAIwcQYD
|
|
||||||
+VR0hBGowaDAYBgpghkgBZQMCATABBgpghkgBZQMCATABMBgGCmCGSAFlAwIBMAEG
|
|
||||||
+CmCGSAFlAwIBMAIwGAYKYIZIAWUDAgEwAgYKYIZIAWUDAgEwATAYBgpghkgBZQMC
|
|
||||||
+ATACBgpghkgBZQMCATACMAoGCCqGSM49BAMCA0cAMEQCICIboTAzG1DvCY/0tA/o
|
|
||||||
+l18zrW9qKVnt4mxih5JQe4fOAiBOF2ZeUT2/ZtdFhZmg+zl/fGrQ1xEx09/S956k
|
|
||||||
+Ig4S9Q==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBCjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLxetqJp
|
|
||||||
+VR6apJytboxFCCooQ7jVcc7yoHhjlH8HsaJS3GrWpyMgiqOfyWt4KFMynKkgCU1K
|
|
||||||
+1QcU9aC5BfRQpyWjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD6etMtD6Qpa7TjVQBgV
|
|
||||||
+/4PhZP4DMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA+5uiOjJoq5nU7lKN
|
|
||||||
+rZtBdYNqUKvHuYB+jiNEfWvxx2cCIFZEJCGw8fzqkAyGWkLe10w8PUzPM64nh757
|
|
||||||
+pEtxCzZh
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBCzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPQuXEeo
|
|
||||||
+BrbyENdz9HqAoWMSQx1BErsUcQaneq3L0/VHHJBPKihb8s4nB/2yZaEarr8LFAvi
|
|
||||||
+ofx+4egydkP0mJ+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIoC4qL79Uy3+m26Y+ch
|
|
||||||
++sE6gCOMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAx/vMDhaH4EYTM2v9
|
|
||||||
+GeM1xTP9pNRgak69JQLKLu1VM1YCIF1RYC8Fma5Bc0cZAYY+Gj7dEf9qHj1TODA5
|
|
||||||
+C9es2CPY
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICETCCAbigAwIBAgIBDDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDlEv73o
|
|
||||||
+ej8Xvc3UodhSHkech80DbuBKdeldOTrRp6ZaVUP3vMgjNUJkh4WkvP3UVTe5SV4D
|
|
||||||
+zQXDIiwAEJu+zdmjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCAn0wYXyRdliJOBFvvJ
|
|
||||||
+eZoGTiyOMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiAo2PPmLBZpcT0bst/C
|
|
||||||
+SXvnl3gztIZu89O1MKsNwFcM9QIgIzqZx/o9MF/fP7zbLWErVcUQViOGiCRBLVh7
|
|
||||||
+ppb7CoA=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBDTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8mgAoN
|
|
||||||
+rmFo937IBKXKuxHedUjOL7y3cpDYD1H3C4HRDBQDVOL31lC5kJUhS4HBLvJQwebR
|
|
||||||
+2kW35E3AnhbY/oKjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBGbO20Xp/q0fPChjLHL
|
|
||||||
+WuJwSNc1MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA3qGzdevdYfmiSBj9
|
|
||||||
+t9oE8hfEP+APqGiStlOLKD6xVK0CIQDq9cVa2KXMEz7YwmMO3lxoQFDPEXftbRaC
|
|
||||||
+edFB7q/YXg==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBDjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHDiOMtx
|
|
||||||
+5sfJs/WDnw0xS5NYlkbgy2eOZHAmC/jhRp6cjShZrr2/S4IJsH8B2VMcYAHgum6a
|
|
||||||
+eMjqWFIMxIjN5xyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOWtYUeAPk66m0o6Z7ax
|
|
||||||
+1RN42wmkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA+AcazVKKPfqkpcJw
|
|
||||||
+rkXWIyZrTe+1PNETQzaJCooGNGkCIQDdfHf1I78e+ogaDcjkDe0s3R9VhkvjCty6
|
|
||||||
+uKKFtNGHMQ==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBDzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKCkdSYz
|
|
||||||
++zyHItG2rQSyCh018b4bu9Zrw8nzkCBgkT2IyycNtpabYkWhxcEL29ZFqBnB+l7N
|
|
||||||
+5fYmHl5CmflJPh+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNanrmjMEN3PndPGeucm
|
|
||||||
+mST9ucNWMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiAFt48yhTTv0rP29N8H
|
|
||||||
+yRhAQGfnV4t1b8JucixLSfe32QIhAOef6iiwLxbBOMUn5ZN/WAK5TERem6DLSzWN
|
|
||||||
+/PTXHAAt
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICETCCAbigAwIBAgIBEDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH5txyDp
|
|
||||||
+DfRsIyYPTAQ+fuxk08E3/tpChVWoog4XQvod61wcUO1/nhoTGNKZZOhN5uhKWJWb
|
|
||||||
+1futz+XxV2QxTCyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHSlcxgh3gxgVag1JvAk
|
|
||||||
+zbHlgMbEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiA9Ee47PnxqW0QmELB+
|
|
||||||
+dd90Fz8wcQFZlNmkPW4Oq2xr/wIgGlxfutQq7l3TU5hyyO0Lh01AHn2DC5KPFPwE
|
|
||||||
+l8S9VeY=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBETAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJvlQKB
|
|
||||||
+gJZ+Tysa6iwhllPXCeJrkan6WUm+oqOIY02/SpI5Mba1Kwg73Fsswx3Eywt8sxA2
|
|
||||||
+4fiaqwg+xZoil06jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM/udZ1ib8qDfShdfdfX
|
|
||||||
+8gL6w7VMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA6kK7vAYF2TPXzywn
|
|
||||||
++SDLsiGbU6Sj8aTtsJZf9DmhKr4CIQCt4FfI7IWinqNlURXe4HSBPsekcQkOpwjK
|
|
||||||
+PuJRx3fuFw==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBEjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMTkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEerejCw
|
|
||||||
+gAy7GecLVbQw6eL8k1cGWwLt+wl3sn8he8fA0I+KoFfcOCgtvOF59RMXnjZ1+7OC
|
|
||||||
+kz3mNDVSbKY6KO2jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM0OUOtOKTcTMRXGQwbw
|
|
||||||
+GOoLCOEYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAziPsm2dArB/3ILqm
|
|
||||||
+04mZl8/DX6dB4EmU+FPF2UpAeLwCIQCofc27tisg3L1mPNeiwZ26+rDe5SdixiUc
|
|
||||||
+S3KWOJ1cTg==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBEzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAxOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPmB5spr
|
|
||||||
+C64/21ssufcbshGnQtAWbk2o2l+ej6pMMPIZhmNyvM450L3dFX12UBNcaERCABmr
|
|
||||||
+BEJL7IubGWE9CVOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJCh/1mh0Hl2+LE0osUv
|
|
||||||
+OJCmV3IYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAtxMIkO4xCRSQCU6d
|
|
||||||
+0jt+Go4xj/R4bQFWbZrlS9+fYUECICuWAgT3evhoo34o04pU84UaYOvO5V0GJsTt
|
|
||||||
+hrS1v3hT
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBFDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHdvTDYo
|
|
||||||
+M/padIV3LdTnrzwMy1HSTeJ2aTUalkVV17uL2i3C51rWM2pl+qlRordq6W2GboMz
|
|
||||||
+/+78HhKMcCrMWKCjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAbZN0eSPw3MyvWIEix6
|
|
||||||
+GnYRIiFkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAlaapLXHwGNkeEwc0
|
|
||||||
+jsY2XhuR3RlVhD4T2k/QyJRQ0s0CIQD5E+e+5QTe5s+534Lwcxe2iFb3oFm+8g81
|
|
||||||
+OBVtfmSMGg==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBFTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLTu8R5Y
|
|
||||||
+7Po4W05hWperfod6mXezwWgAVk2RW2EG2vy4NeZeML2EFhg2geNc6N5Goep9t7pn
|
|
||||||
+d+BtORRvR75oCDijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNs0d2vXsRj3YYsBrWDo
|
|
||||||
+jrvcEA+eMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBB603Ui+L60FcUWPrB
|
|
||||||
+Ch06hmgle2u0P07Go/XjTk00ZQIhALGhNArJFEY0gu+XUtyKEZt7BZ0/sh5dtLDP
|
|
||||||
+xkRgR6Wh
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBFjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPXpzC9/
|
|
||||||
+KGblQyjhdcS0a8KBPAiS7c0n+V0i9JItbyze38Ncrctp0wIGHZLjRoB4DZYX1I8e
|
|
||||||
+K5C7KVeUPEE9eOGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFISsw9orkX/cBVWcK5KA
|
|
||||||
+//kldz8HMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA1gazdApLS91ql8Am
|
|
||||||
+4gb4Ku7Lgll4jV+BrLkbABE2cI0CIQCEH1GUJ6ARJB1GdcHrPyaLgeZ5jV2p63UW
|
|
||||||
+UV2QL6aETA==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBFzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKdweprb
|
|
||||||
+RZmuUk4og1Xa9Skb1vu7jsLozlm9CtDhKLbJ+cDX/VeKj/b8FuvakBO3L1QV5XU0
|
|
||||||
+iFswsIVBVZ3m+TyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPgcEbHfKHt0o/PCS0kD
|
|
||||||
+XWW9XkqMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA9XDj0w5qMS/tLlr9
|
|
||||||
+Z2j8JtVR4M7pF/Wx2U43vmPFJEACIBAlAiUnCm1Nfj16t2cojrW+m2t1cU80ihmj
|
|
||||||
+Ld1U+dRD
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICETCCAbigAwIBAgIBGDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAq2PphK
|
|
||||||
+4oVsc+ml3zskBLiMa+dz64k+PrrfKIGSG2Ri5Du/orj0dO9639LeCkkMwWpXAfSx
|
|
||||||
+wxHHQX0I1KwsudGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEqcfkso+ynKq2eFaJy8
|
|
||||||
+mzNBdN2PMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiBZ71jDD33HFFqMkLAW
|
|
||||||
+gTAGMmzh9b/vZ8jAclPDKHRghQIgf2GBOF1eEF8Ino9F1n1ia5c3EryvXnvVoklw
|
|
||||||
+cjMIQ5g=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBGTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJRoDkj7
|
|
||||||
+iDlIygt4YmMgw4pizu2sx4436MGtw5fFHhjy7T+pPMGjYFg3dixxUOu1NHORpdJq
|
|
||||||
+8Y7SN8p8Y0XsDpijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOutMoKSOv5lEGZaqYZM
|
|
||||||
+zNFwpX3KMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAks62lsAHmN6xkZsF
|
|
||||||
+6ocGONpH/XmHLpoO6RfMoRCnWkICIFNFD+W6pSSvdDB96sn8jnZ7W/Y0hyLzscBO
|
|
||||||
+WtkzqqJJ
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBGjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE3seRj5
|
|
||||||
+LVNKi9sZk7qv5cBVUG8BLXXfDRUhCUzT10YAU1J0yd2wmLTbwPyYm65GaecvAHSR
|
|
||||||
+SExOzX6bC35nNt6jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNx5XhDdoflDgPrW/HyU
|
|
||||||
+tCokuJ0AMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEApAQVb0KQedyAw1SJ
|
|
||||||
+J8At4uxxm2b8W13s6ENapxw+lwwCIQC7326NFPsDjbfBKhFDQhCIMkAkYq2wzRJ7
|
|
||||||
+ubTwkdT19g==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBGzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC+FQF2E
|
|
||||||
+TrZ4YGNyxFxzpTQBjlu9QUrwgHzabAn47toqRkWUGAS68jBfSdR+j2c7/oehQHhO
|
|
||||||
+relHcbQilhZnh4ijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIOlwsa4FjZWhzQYTAY3
|
|
||||||
+c2TSYhsEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAwxNBi+8baAU76yng
|
|
||||||
++XvMpY62aqPO4bAe/uedaxBb2jMCIQDJHXqibgIAm1T4/YHimllVlLQudQL5OkbF
|
|
||||||
+Krj3uVHtBg==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBHDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMjkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBmhjGvk
|
|
||||||
+C3QfSVdY5zuHEY4Rf3eKVro6vcKymgdBPFjjDggZNktR3OMnayCabJB51g2VL7Fg
|
|
||||||
+MegdwzJWzPvQreyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEvevGIfitXek0IStYIR
|
|
||||||
+5ne2SkJwMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBzlv0TggDJWUWx0UHl
|
|
||||||
+cqxuMpoNdy+ifizQIlcjWcrzvgIhAJdQfkPaZdc4/j/HfGaVNN9InJuBWGrPYU6A
|
|
||||||
+iwsSB0jY
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEzCCAbigAwIBAgIBHTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMzAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAyOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCrC5p+Z
|
|
||||||
+ywMukm1LRuXeJ5V1M6V+8A8PjqB3tgHVeEn973HOfia8lt2/7EoKaLKzP8A7D3eC
|
|
||||||
+aBJUmTgHauaolYOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGG5D5h1FRA+aZMbSXfZ
|
|
||||||
+Mp8pjYUEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAnI2IhyXtBCRiv+Xs
|
|
||||||
+EzsO497oVf1U8SJiVR8SaEx0gzgCIQC0+un/Hcb0OWvpvoeHKcRi7e8SZkX+vn2i
|
|
||||||
+u+KsPqlfzA==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBHjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAzMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHg1qbhT
|
|
||||||
+bpV0agLQkk6di7EdwrrqIn7yCiBCfPwoDI7czY1bHwkR2E8EdrG4ZLBHHFXYNHau
|
|
||||||
+kEo9nueljxbA6MGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGXSqDk/Zov8a62kkXDr
|
|
||||||
+8YhtqdkTMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA1D2Fm3D8REQtj8o4
|
|
||||||
+ZrnDyWam0Rx6cEMsvmeoafOBUeUCIBW0IoUYmF46faRQWKN7R8wnvbjUw0bxztzy
|
|
||||||
+okUR5Pma
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEjCCAbigAwIBAgIBHzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
|
|
||||||
+Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
|
|
||||||
+BAMTDFBvbGljeSBDQSAzMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIwGMmHl
|
|
||||||
+/QJSpu6KHakSe4gkf3L+NpsrtQpxu6sNfmSjO++dGv6sj2v3+DZNeyagVUJRVHaD
|
|
||||||
+IZzpoyVVrBBO6vijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA+f9g1sP2kM5sOT/8Ge
|
|
||||||
+IDKq5FcUMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
|
|
||||||
+A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
|
|
||||||
+BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
|
|
||||||
+AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAvQlbAmF3pS041Zo2
|
|
||||||
+eHrxMO3j8thB+XqHU8RatCZ60WACIG1vUFPH7UwzTTann7Sgp4s+Gd/jLOkrJnEk
|
|
||||||
+W3De9dSX
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/80-test_policy_tree_data/small_leaf.pem
|
|
||||||
@@ -0,0 +1,11 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIBmjCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
|
|
||||||
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAER7oh
|
|
||||||
+z+MnwilNhyEB2bZTuYBpeiwW4QlpYZU6b/8uWOldyMXCaPmaXwY60nrMznfFJX6F
|
|
||||||
+h8dC6XIzvQmjUMdSoqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
|
|
||||||
+AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
|
|
||||||
+MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49
|
|
||||||
+BAMCA0kAMEYCIQC2km5juUULIRYsRgHuLFEiABBR0pDAyTbl9LRjlkSeEQIhAO9b
|
|
||||||
+ye60dMNbhY1OOzrr4mDRv0tuNmbGBErcFs61YZkC
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/80-test_policy_tree_data/small_policy_tree.pem
|
|
||||||
@@ -0,0 +1,70 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICETCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQu7GyNFjN6
|
|
||||||
+Sqwk1CZAt+lzTC/Us6ZkO5nsmb8yAuPb6RJ0A2LvUbsmZea+UyBFq3VuEbbuCoeE
|
|
||||||
+KRbKkS6wefAzo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQkJvfn8gFHIXVTBJ4hrtP
|
|
||||||
+ypA9QTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhALn6/b3H+jLusJE5QiaS
|
|
||||||
+PiwrLcl+NDguWCnxo0c6AfduAiEApkXUN+7vRfXeFFd9CfA1BnTW3eUzBOsukZoN
|
|
||||||
+zaj+utk=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+p+A+K6MI
|
|
||||||
+R3eVP/+2O7lam32HU10frEKpyQslZAabYJwkc9iq5WatMbTMPQibuOIWHFl02uJ8
|
|
||||||
+cxGKy/Hke8P5o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSSOt6HCXw+L/4uzJsInqqA
|
|
||||||
+XrWt8DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgS/vh3osFy+q1MLuVnAdg
|
|
||||||
+gMINfiIJw1+3zbYsJYlNhWgCICu6Qgzee4NwIrJagcdVA0RAfnCOo6wfvikpl0ts
|
|
||||||
+EepA
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQONHKgpAJ6
|
|
||||||
+vE41FYBekpLzybpBQp/gUmgRPKrcL0z4lLTDjCG3j6yIbZma8u2bPM1MBXw5otZ7
|
|
||||||
+xVFhQ1AkZIOco4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ69465BL89BXORf4sSnneU
|
|
||||||
+exkm0jAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPK9PqPxgme9x6TPFh2z
|
|
||||||
+vv+qVEM2WxOTdRKOPgUYzCp9AiBl8qO3szv5jNDzb0fRIqVp37v9yBjWcgO9Wl02
|
|
||||||
+QDCpGw==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICETCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLrUP7BFi7
|
|
||||||
++LE2uDVCZ2Z2HK6BpL/kjBbwKkLxlJe+LqNolzu53b8+WtHwrvPPVkD9t3KMdWXU
|
|
||||||
+K7NtHYgXUz07o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS0kaY2oJVEBLtjkqI8pXsv
|
|
||||||
+eqm3VDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAJuTMvMUda4Y29V1Tm5O
|
|
||||||
+jCqBThR2NwdQfnET1sjch3Q7AiEA7nEudfXKMljjz608aWtafTkw5V5I2/SbuUKr
|
|
||||||
+vjprfIo=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
|
|
||||||
+Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
|
|
||||||
+AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ9RuYVzUGB
|
|
||||||
+FkAEM9kHe9xynDo/NcsiaAO3+E2u7jJQQN50d6hVEDHf9961omldhKhP4HTNfhqj
|
|
||||||
+VMIHKGMhXCgKo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
|
|
||||||
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTVrjWaVjkfMpilq5tGZ4zZ
|
|
||||||
+iJtaSDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
|
|
||||||
+HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
|
|
||||||
+YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
|
|
||||||
+MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPVgPpACX2ylQMEMSntw
|
|
||||||
+izxKHTSPhXuF6IHhNHRz7KFnAiB8y/QcF7N2iXNZEqffWSkVted/XOw3Xrck0sJ6
|
|
||||||
+4eXNcw==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
@ -1,241 +0,0 @@
|
|||||||
From d45bdaa97d821ab88fb36d9e6484f5dc3df50cde Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Tue, 7 Mar 2023 15:22:40 +0000
|
|
||||||
Subject: [PATCH 1/5] Generate some certificates with the certificatePolicies
|
|
||||||
extension
|
|
||||||
|
|
||||||
Related-to: CVE-2023-0465
|
|
||||||
---
|
|
||||||
CHANGES.md | 14 ++++++++++++--
|
|
||||||
NEWS.md | 5 +++++
|
|
||||||
crypto/x509/x509_vfy.c | 12 ++++++++++--
|
|
||||||
test/certs/ca-pol-cert.pem | 19 +++++++++++++++++++
|
|
||||||
test/certs/ee-cert-policies-bad.pem | 20 ++++++++++++++++++++
|
|
||||||
test/certs/ee-cert-policies.pem | 20 ++++++++++++++++++++
|
|
||||||
test/certs/mkcert.sh | 9 +++++++--
|
|
||||||
test/certs/setup.sh | 6 ++++++
|
|
||||||
test/recipes/25-test_verify.t | 13 ++++++++++++-
|
|
||||||
9 files changed, 111 insertions(+), 7 deletions(-)
|
|
||||||
create mode 100644 test/certs/ca-pol-cert.pem
|
|
||||||
create mode 100644 test/certs/ee-cert-policies-bad.pem
|
|
||||||
create mode 100644 test/certs/ee-cert-policies.pem
|
|
||||||
|
|
||||||
--- a/CHANGES.md
|
|
||||||
+++ b/CHANGES.md
|
|
||||||
@@ -24,14 +24,22 @@ OpenSSL 3.1
|
|
||||||
|
|
||||||
### Changes between 3.0 and 3.1.0 [14 Mar 2023]
|
|
||||||
|
|
||||||
+ * Fixed an issue where invalid certificate policies in leaf certificates are
|
|
||||||
+ silently ignored by OpenSSL and other certificate policy checks are skipped
|
|
||||||
+ for that certificate. A malicious CA could use this to deliberately assert
|
|
||||||
+ invalid certificate policies in order to circumvent policy checking on the
|
|
||||||
+ certificate altogether.
|
|
||||||
+ ([CVE-2023-0465])
|
|
||||||
+
|
|
||||||
+ *Matt Caswell*
|
|
||||||
+
|
|
||||||
* Limited the number of nodes created in a policy tree to mitigate
|
|
||||||
against CVE-2023-0464. The default limit is set to 1000 nodes, which
|
|
||||||
should be sufficient for most installations. If required, the limit
|
|
||||||
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
|
|
||||||
time define to a desired maximum number of nodes or zero to allow
|
|
||||||
unlimited growth.
|
|
||||||
-
|
|
||||||
- *Paul Dale*
|
|
||||||
+ ([CVE-2023-0464])
|
|
||||||
|
|
||||||
* Add FIPS provider configuration option to enforce the
|
|
||||||
Extended Master Secret (EMS) check during the TLS1_PRF KDF.
|
|
||||||
@@ -19687,6 +19695,8 @@ ndif
|
|
||||||
|
|
||||||
<!-- Links -->
|
|
||||||
|
|
||||||
+[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
|
|
||||||
+[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
|
|
||||||
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
|
|
||||||
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
|
|
||||||
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
|
|
||||||
--- a/NEWS.md
|
|
||||||
+++ b/NEWS.md
|
|
||||||
@@ -26,6 +26,9 @@ OpenSSL 3.1
|
|
||||||
assembler code algorithm implementations.
|
|
||||||
* Deprecated LHASH statistics functions.
|
|
||||||
* FIPS 140-3 compliance changes.
|
|
||||||
+ * Fixed handling of invalid certificate policies in leaf certificates
|
|
||||||
+ ([CVE-2023-0465])
|
|
||||||
+ * Limited the number of nodes created in a policy tree ([CVE-2023-0464])
|
|
||||||
|
|
||||||
OpenSSL 3.0
|
|
||||||
-----------
|
|
||||||
@@ -1442,6 +1445,8 @@ OpenSSL 0.9.x
|
|
||||||
* Support for various new platforms
|
|
||||||
|
|
||||||
<!-- Links -->
|
|
||||||
+[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
|
|
||||||
+[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
|
|
||||||
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
|
|
||||||
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
|
|
||||||
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
|
|
||||||
--- a/crypto/x509/x509_vfy.c
|
|
||||||
+++ b/crypto/x509/x509_vfy.c
|
|
||||||
@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *
|
|
||||||
goto memerr;
|
|
||||||
/* Invalid or inconsistent extensions */
|
|
||||||
if (ret == X509_PCY_TREE_INVALID) {
|
|
||||||
- int i;
|
|
||||||
+ int i, cbcalled = 0;
|
|
||||||
|
|
||||||
/* Locate certificates with bad extensions and notify callback. */
|
|
||||||
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
|
||||||
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
|
|
||||||
X509 *x = sk_X509_value(ctx->chain, i);
|
|
||||||
|
|
||||||
+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
|
|
||||||
+ cbcalled = 1;
|
|
||||||
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
|
|
||||||
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
|
|
||||||
}
|
|
||||||
+ if (!cbcalled) {
|
|
||||||
+ /* Should not be able to get here */
|
|
||||||
+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ /* The callback ignored the error so we return success */
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
if (ret == X509_PCY_TREE_FAILURE) {
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/certs/ca-pol-cert.pem
|
|
||||||
@@ -0,0 +1,19 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
|
||||||
+IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD
|
|
||||||
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
|
|
||||||
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
|
|
||||||
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
|
|
||||||
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
|
|
||||||
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
|
|
||||||
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
|
|
||||||
+CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD
|
|
||||||
+VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE
|
|
||||||
+PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3
|
|
||||||
+DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7
|
|
||||||
+Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H
|
|
||||||
+unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ
|
|
||||||
+7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g
|
|
||||||
+DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C
|
|
||||||
+9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/certs/ee-cert-policies-bad.pem
|
|
||||||
@@ -0,0 +1,20 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
|
|
||||||
+Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy
|
|
||||||
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
|
|
||||||
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
|
|
||||||
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
|
|
||||||
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
|
|
||||||
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
|
|
||||||
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
|
|
||||||
+iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
|
|
||||||
+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
|
|
||||||
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
|
|
||||||
+bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G
|
|
||||||
+CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ
|
|
||||||
+P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs
|
|
||||||
+YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N
|
|
||||||
+XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa
|
|
||||||
+QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx
|
|
||||||
+wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/certs/ee-cert-policies.pem
|
|
||||||
@@ -0,0 +1,20 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
|
|
||||||
+Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy
|
|
||||||
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
|
|
||||||
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
|
|
||||||
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
|
|
||||||
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
|
|
||||||
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
|
|
||||||
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
|
|
||||||
+iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
|
|
||||||
+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
|
|
||||||
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
|
|
||||||
+bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB
|
|
||||||
+AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D
|
|
||||||
+QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl
|
|
||||||
+CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa
|
|
||||||
+dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK
|
|
||||||
+NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk
|
|
||||||
+D3brBn24UISaFRZoB7jsjok=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
--- a/test/certs/mkcert.sh
|
|
||||||
+++ b/test/certs/mkcert.sh
|
|
||||||
@@ -119,11 +119,12 @@ genca() {
|
|
||||||
local OPTIND=1
|
|
||||||
local purpose=
|
|
||||||
|
|
||||||
- while getopts p: o
|
|
||||||
+ while getopts p:c: o
|
|
||||||
do
|
|
||||||
case $o in
|
|
||||||
p) purpose="$OPTARG";;
|
|
||||||
- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
|
|
||||||
+ c) certpol="$OPTARG";;
|
|
||||||
+ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2
|
|
||||||
return 1;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
@@ -146,6 +147,10 @@ genca() {
|
|
||||||
if [ -n "$NC" ]; then
|
|
||||||
exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
|
|
||||||
fi
|
|
||||||
+ if [ -n "$certpol" ]; then
|
|
||||||
+ exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol")
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
csr=$(req "$key" "CN = $cn") || return 1
|
|
||||||
echo "$csr" |
|
|
||||||
cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
|
|
||||||
--- a/test/certs/setup.sh
|
|
||||||
+++ b/test/certs/setup.sh
|
|
||||||
@@ -451,3 +451,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed44
|
|
||||||
|
|
||||||
# critical id-pkix-ocsp-no-check extension
|
|
||||||
./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"
|
|
||||||
+
|
|
||||||
+# certificatePolicies extension
|
|
||||||
+./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert
|
|
||||||
+./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1"
|
|
||||||
+# We can create a cert with a duplicate policy oid - but its actually invalid!
|
|
||||||
+./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1"
|
|
||||||
--- a/test/recipes/25-test_verify.t
|
|
||||||
+++ b/test/recipes/25-test_verify.t
|
|
||||||
@@ -29,7 +29,7 @@ sub verify {
|
|
||||||
run(app([@args]));
|
|
||||||
}
|
|
||||||
|
|
||||||
-plan tests => 173;
|
|
||||||
+plan tests => 175;
|
|
||||||
|
|
||||||
# Canonical success
|
|
||||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
|
||||||
@@ -536,3 +536,14 @@ SKIP: {
|
|
||||||
ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])),
|
|
||||||
'Mixed key + cert file test');
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+# Certificate Policies
|
|
||||||
+ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
|
|
||||||
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
|
|
||||||
+ "-explicit_policy"),
|
|
||||||
+ "Certificate policy");
|
|
||||||
+
|
|
||||||
+ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
|
|
||||||
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
|
|
||||||
+ "-explicit_policy"),
|
|
||||||
+ "Bad certificate policy");
|
|
||||||
@ -1,81 +0,0 @@
|
|||||||
From 3030973be586e0965370e2fd038cdb432ec1e7ec Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Tue, 21 Mar 2023 16:15:47 +0100
|
|
||||||
Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
|
|
||||||
|
|
||||||
The function was incorrectly documented as enabling policy checking.
|
|
||||||
|
|
||||||
Fixes: CVE-2023-0466
|
|
||||||
---
|
|
||||||
CHANGES.md | 8 ++++++++
|
|
||||||
NEWS.md | 2 ++
|
|
||||||
doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
|
|
||||||
3 files changed, 17 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/CHANGES.md
|
|
||||||
+++ b/CHANGES.md
|
|
||||||
@@ -24,6 +24,13 @@ OpenSSL 3.1
|
|
||||||
|
|
||||||
### Changes between 3.0 and 3.1.0 [14 Mar 2023]
|
|
||||||
|
|
||||||
+ * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
|
|
||||||
+ that it does not enable policy checking. Thanks to David Benjamin for
|
|
||||||
+ discovering this issue.
|
|
||||||
+ ([CVE-2023-0466])
|
|
||||||
+
|
|
||||||
+ *Tomáš Mráz*
|
|
||||||
+
|
|
||||||
* Fixed an issue where invalid certificate policies in leaf certificates are
|
|
||||||
silently ignored by OpenSSL and other certificate policy checks are skipped
|
|
||||||
for that certificate. A malicious CA could use this to deliberately assert
|
|
||||||
@@ -19695,6 +19702,7 @@ ndif
|
|
||||||
|
|
||||||
<!-- Links -->
|
|
||||||
|
|
||||||
+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
|
|
||||||
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
|
|
||||||
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
|
|
||||||
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
|
|
||||||
--- a/NEWS.md
|
|
||||||
+++ b/NEWS.md
|
|
||||||
@@ -26,6 +26,7 @@ OpenSSL 3.1
|
|
||||||
assembler code algorithm implementations.
|
|
||||||
* Deprecated LHASH statistics functions.
|
|
||||||
* FIPS 140-3 compliance changes.
|
|
||||||
+ * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
|
|
||||||
* Fixed handling of invalid certificate policies in leaf certificates
|
|
||||||
([CVE-2023-0465])
|
|
||||||
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
|
|
||||||
@@ -1445,6 +1446,7 @@ OpenSSL 0.9.x
|
|
||||||
* Support for various new platforms
|
|
||||||
|
|
||||||
<!-- Links -->
|
|
||||||
+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
|
|
||||||
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
|
|
||||||
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
|
|
||||||
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
|
|
||||||
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
|
||||||
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
|
||||||
@@ -98,8 +98,9 @@ B<trust>.
|
|
||||||
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
|
|
||||||
B<t>. Normally the current time is used.
|
|
||||||
|
|
||||||
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
|
|
||||||
-by default) and adds B<policy> to the acceptable policy set.
|
|
||||||
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
|
|
||||||
+Contrary to preexisting documentation of this function it does not enable
|
|
||||||
+policy checking.
|
|
||||||
|
|
||||||
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
|
|
||||||
by default) and sets the acceptable policy set to B<policies>. Any existing
|
|
||||||
@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() fu
|
|
||||||
The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
|
|
||||||
and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
|
|
||||||
|
|
||||||
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
|
|
||||||
+enabling policy checking however the implementation has never done this.
|
|
||||||
+The documentation was changed to align with the implementation.
|
|
||||||
+
|
|
||||||
=head1 COPYRIGHT
|
|
||||||
|
|
||||||
Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
@ -1,64 +0,0 @@
|
|||||||
From 908ba3ed9adbb3df90f7684a3111ca916a45202d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Tue, 21 Mar 2023 11:36:56 +0100
|
|
||||||
Subject: [PATCH] OBJ_nid2obj(): Return UNDEF object instead of NULL for
|
|
||||||
NID_undef
|
|
||||||
|
|
||||||
Fixes a regression from 3.0 from the obj creation refactoring.
|
|
||||||
|
|
||||||
Fixes #20555
|
|
||||||
|
|
||||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
||||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/20556)
|
|
||||||
---
|
|
||||||
crypto/objects/obj_dat.c | 5 ++---
|
|
||||||
test/asn1_internal_test.c | 11 +++++++++++
|
|
||||||
2 files changed, 13 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
Index: openssl-3.1.0/crypto/objects/obj_dat.c
|
|
||||||
===================================================================
|
|
||||||
--- openssl-3.1.0.orig/crypto/objects/obj_dat.c
|
|
||||||
+++ openssl-3.1.0/crypto/objects/obj_dat.c
|
|
||||||
@@ -311,10 +311,9 @@ ASN1_OBJECT *OBJ_nid2obj(int n)
|
|
||||||
ADDED_OBJ ad, *adp = NULL;
|
|
||||||
ASN1_OBJECT ob;
|
|
||||||
|
|
||||||
- if (n == NID_undef)
|
|
||||||
- return NULL;
|
|
||||||
- if (n >= 0 && n < NUM_NID && nid_objs[n].nid != NID_undef)
|
|
||||||
- return (ASN1_OBJECT *)&(nid_objs[n]);
|
|
||||||
+ if (n == NID_undef
|
|
||||||
+ || (n > 0 && n < NUM_NID && nid_objs[n].nid != NID_undef))
|
|
||||||
+ return (ASN1_OBJECT *)&(nid_objs[n]);
|
|
||||||
|
|
||||||
ad.type = ADDED_NID;
|
|
||||||
ad.obj = &ob;
|
|
||||||
Index: openssl-3.1.0/test/asn1_internal_test.c
|
|
||||||
===================================================================
|
|
||||||
--- openssl-3.1.0.orig/test/asn1_internal_test.c
|
|
||||||
+++ openssl-3.1.0/test/asn1_internal_test.c
|
|
||||||
@@ -190,11 +190,22 @@ static int test_unicode_range(void)
|
|
||||||
return ok;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_obj_nid_undef(void)
|
|
||||||
+{
|
|
||||||
+ if (!TEST_ptr(OBJ_nid2obj(NID_undef))
|
|
||||||
+ || !TEST_ptr(OBJ_nid2sn(NID_undef))
|
|
||||||
+ || !TEST_ptr(OBJ_nid2ln(NID_undef)))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
ADD_TEST(test_tbl_standard);
|
|
||||||
ADD_TEST(test_standard_methods);
|
|
||||||
ADD_TEST(test_empty_nonoptional_content);
|
|
||||||
ADD_TEST(test_unicode_range);
|
|
||||||
+ ADD_TEST(test_obj_nid_undef);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
152
openssl.keyring
152
openssl.keyring
@ -1,41 +1,117 @@
|
|||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
|
Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
|
||||||
Comment: Matt Caswell <frodo@baggins.org>
|
Comment: Tomáš Mráz <tm@t8m.info>
|
||||||
Comment: Matt Caswell <matt@openssl.org>
|
Comment: Tomáš Mráz <tomas@arleto.cz>
|
||||||
|
Comment: Tomáš Mráz <tomas@openssl.org>
|
||||||
|
|
||||||
xsBNBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
|
xsFNBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr
|
||||||
hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
|
55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH
|
||||||
iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
|
F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi
|
||||||
2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
|
UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag
|
||||||
N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
|
pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K
|
||||||
UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAHNIE1hdHQgQ2Fzd2VsbCA8
|
/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv
|
||||||
ZnJvZG9AYmFnZ2lucy5vcmc+wsCPBBMBAgAiBQJRgC7CAhsDBgsJCAcDAgYVCAIJ
|
MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8
|
||||||
CgsEFgIDAQIeAQIXgAAhCRDZxNJtDmBEkRYhBIZXq7Jg8Fax5RkIOdnE0m0OYESR
|
laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB
|
||||||
Y/4H/RKxZJ4saj6+Khvz3flSKt6LgW+fMY5RXXD92AMtLNq+bKxXFvir2mynW+PU
|
HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3
|
||||||
oS2bXy/Nk7v0B4BEbBZNBgaYWas1FZnYOBuMbIngtLmQsGpD0VoXu9QW2aXpHTjL
|
zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06
|
||||||
H5FOBBODrTVewCN5Ty5JquZ5mAZUwAiex0ytRzviUl5YpKei+vggU52CJT96e/X2
|
YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB
|
||||||
0rfnlux9O9vSSwTlDvCeehFd0vI163QBZ/h52dYMSdFvpwhUMXbxRGPEfrIh+oBV
|
zRtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz7CwZQEEwEIAD4WIQSiH6t0sAiK
|
||||||
7tWe4MHhJ+5yThHiBgVL/EZ9OChw9QNnitTPzCV4YvAMiJTsamKWa1lOXUVM+QVr
|
o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe
|
||||||
+aptwmB1VMmotk7m8hImRm+oTlTNH01hdHQgQ2Fzd2VsbCA8bWF0dEBvcGVuc3Ns
|
AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy
|
||||||
Lm9yZz7CwI8EEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
|
U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE
|
||||||
ACEJENnE0m0OYESRFiEEhlersmDwVrHlGQg52cTSbQ5gRJGgPQf/WUQld+vrqt2+
|
KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W
|
||||||
yTI6LTNTQBG9RceNuaZiRnsROR1eHtVr9OOfzVPenCavcXghwsY0sPPgSDrvFur9
|
nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh
|
||||||
PyuuwQ87HmdX+ZGdRP3tSaxC4udHbAsZtEG7bgUozuhfcpC+Ah0lZ3EccmyOkYJW
|
1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I
|
||||||
ITWYgUBEDOU37qne09udDMA2NHLuL89hT+eIZ2pVwyFydkJfkXtgfrDq3RmZgfeb
|
m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj
|
||||||
VB5ESdap/G7t7Iewi95syApMj9swbxnsqUtmFr0fCsVdAA8hJPqx9zVuUon0g1QM
|
kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD
|
||||||
z2IroNH+6WTDt7SGYcuqNapizk/PJd6g2ew9cm3r3CIANiqPgo0Mh02nVGgX2p9v
|
IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M
|
||||||
WcT4MzquBs7ATQRRgC7CAQgAz2dQkASmxUFjAr3Y8/0yWjX961enomAEjryw4InF
|
8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6
|
||||||
PDMGttPMiV69VBepb3N04MPo5spyAY24b4bo3Cfng/oxxGl3Z3Giv1gD7JojTJPo
|
z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41
|
||||||
JWeHGxePBz++5Di0EAvq1+4wBdFUh4RWTbZwqTgckHrwiZcIJF3JGL0cgTmJOtke
|
xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM
|
||||||
wcLiyMCyKuGVzSjyFTeCqQqHYSHBrr5TyXM3HTqGgURnEhVG16jPWPMIciYXsRfO
|
MriPFc0fVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PsLBlAQTAQgAPhYh
|
||||||
0RwMhqY7y5yRUoC4psmAUaRTduS82BaVzw+DHi1FQ0kYLUsTidippITB57VKkD9V
|
BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL
|
||||||
7CIM5uP3s+jMJMXNEJQEKdK9oCVOekD3ROc4Mftqv4vloQARAQABwsB2BBgBAgAJ
|
AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk
|
||||||
BQJRgC7CAhsMACEJENnE0m0OYESRFiEEhlersmDwVrHlGQg52cTSbQ5gRJELNgf/
|
8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO
|
||||||
elwfYchaV/24buNWDa+50gOuXQ4vXfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMh
|
UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv
|
||||||
TupjrXV1oDXYAxexymWLxwa+qcrbSwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw
|
FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW
|
||||||
0kBJEiAiyPv4SMLhFzm+me4Dq1+xdbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpg
|
FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q
|
||||||
oIN/4p28G/IN9fdWG5Ni315p3WhLHRMzC609IOsCIJsm8+lHVblT30jxpctFVlQB
|
UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy
|
||||||
tbDTzgqQLiaTVevlca3VYgMd70D28d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780H
|
Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS
|
||||||
KIpFp6UWP5aDxpEoOEwe2g==
|
2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW
|
||||||
=UMCV
|
kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm
|
||||||
|
T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI
|
||||||
|
yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I
|
||||||
|
8tmXB4BcoHFB9N0AzSFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz7C
|
||||||
|
wZQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL
|
||||||
|
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh
|
||||||
|
KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo
|
||||||
|
2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ
|
||||||
|
+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4
|
||||||
|
yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M
|
||||||
|
cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A
|
||||||
|
ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly
|
||||||
|
Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y
|
||||||
|
q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt
|
||||||
|
Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj
|
||||||
|
hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI
|
||||||
|
w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZc7BTQRg8UyoARAApiWRrHjdEu9Fp2yd7K93
|
||||||
|
VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27
|
||||||
|
1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp
|
||||||
|
djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50
|
||||||
|
IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK
|
||||||
|
bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn
|
||||||
|
gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w
|
||||||
|
NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh
|
||||||
|
D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H
|
||||||
|
a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB
|
||||||
|
HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc
|
||||||
|
nAaLOI/nw1ydegw8F+s1ALEAEQEAAcLDsgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv
|
||||||
|
Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy
|
||||||
|
Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+
|
||||||
|
otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5
|
||||||
|
SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358
|
||||||
|
cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0
|
||||||
|
8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ
|
||||||
|
vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV
|
||||||
|
yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A
|
||||||
|
HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg
|
||||||
|
K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs
|
||||||
|
aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh
|
||||||
|
uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE
|
||||||
|
cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk
|
||||||
|
RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F
|
||||||
|
9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/
|
||||||
|
JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g
|
||||||
|
muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN
|
||||||
|
86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr
|
||||||
|
HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S
|
||||||
|
DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE
|
||||||
|
ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro
|
||||||
|
uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY
|
||||||
|
YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl
|
||||||
|
JKbGoqC+wchHmOLOwU0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u
|
||||||
|
aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq
|
||||||
|
oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
|
||||||
|
FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
|
||||||
|
ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
|
||||||
|
vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
|
||||||
|
i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
|
||||||
|
PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
|
||||||
|
ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
|
||||||
|
N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
|
||||||
|
eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
|
||||||
|
LQ1kotFTABEBAAHCwXwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
|
||||||
|
JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
|
||||||
|
QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
|
||||||
|
uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
|
||||||
|
nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
|
||||||
|
sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
|
||||||
|
NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
|
||||||
|
nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
|
||||||
|
FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
|
||||||
|
qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
|
||||||
|
Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
|
||||||
|
zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
|
||||||
|
TIdjvGbJ/k4qxw==
|
||||||
|
=fnGl
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user