Security-57740.20.22.tar.gz macos-10121 v57740.20.22
authorApple <opensource@apple.com>
Tue, 29 Nov 2016 21:43:50 +0000 (21:43 +0000)
committerApple <opensource@apple.com>
Tue, 29 Nov 2016 21:43:50 +0000 (21:43 +0000)
74 files changed:
.gitignore [new file with mode: 0644]
OSX/OSX.xcodeproj/project.pbxproj
OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme
OSX/authd/authtoken.c
OSX/authd/engine.c
OSX/authd/process.c
OSX/authd/process.h
OSX/lib/en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings [new file with mode: 0644]
OSX/lib/security.exp-in
OSX/libsecurity_asn1/.gitignore [new file with mode: 0644]
OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/.gitignore [new file with mode: 0644]
OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h
OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj
OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp
OSX/libsecurity_keychain/lib/SecItem.cpp
OSX/libsecurity_keychain/lib/SecItemPriv.h
OSX/libsecurity_keychain/lib/SecKeyPriv.h
OSX/libsecurity_keychain/lib/SecPolicyPriv.h
OSX/libsecurity_keychain/lib/StorageManager.cpp
OSX/libsecurity_keychain/libDER/.gitignore [new file with mode: 0644]
OSX/libsecurity_keychain/libDER/libDER.xcodeproj/.gitignore [new file with mode: 0644]
OSX/libsecurity_smime/.gitignore [new file with mode: 0644]
OSX/libsecurity_ssl/.gitignore [new file with mode: 0644]
OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/.gitignore [new file with mode: 0644]
OSX/regressions/.gitignore [new file with mode: 0644]
OSX/regressions/regressions.xcodeproj/.gitignore [new file with mode: 0644]
OSX/sec/.gitignore [new file with mode: 0644]
OSX/sec/Security/Regressions/secitem/si-25-cms-skid.h [new file with mode: 0644]
OSX/sec/Security/Regressions/secitem/si-25-cms-skid.m [new file with mode: 0644]
OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c
OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c [new file with mode: 0644]
OSX/sec/Security/SecAccessControl.c
OSX/sec/Security/SecCTKKey.c
OSX/sec/Security/SecCertificate.c
OSX/sec/Security/SecCertificateInternal.h
OSX/sec/Security/SecCertificatePath.c
OSX/sec/Security/SecCertificatePath.h
OSX/sec/Security/SecExports.exp-in
OSX/sec/Security/SecItem.c
OSX/sec/Security/SecItemInternal.h
OSX/sec/Security/SecKey.c
OSX/sec/Security/SecKeyPriv.h
OSX/sec/Security/SecPolicy.c
OSX/sec/Security/SecPolicyLeafCallbacks.c
OSX/sec/Security/SecPolicyPriv.h
OSX/sec/sec.xcodeproj/project.pbxproj
OSX/sec/securityd/OTATrustUtilities.c
OSX/sec/securityd/OTATrustUtilities.h
OSX/sec/securityd/SecDbKeychainItem.c
OSX/sec/securityd/SecItemDb.c
OSX/sec/securityd/SecKeybagSupport.c
OSX/sec/securityd/SecKeybagSupport.h
OSX/sec/securityd/SecPolicyServer.c
OSX/sec/securityd/SecPolicyServer.h
OSX/sec/securityd/SecTrustServer.c
OSX/shared_regressions/shared_regressions.h
OSX/shared_regressions/si-20-sectrust-policies-data/.gitignore [new file with mode: 0644]
OSX/utilities/.gitignore [new file with mode: 0644]
OSX/utilities/src/SecAppleAnchor.c
OSX/utilities/src/SecAppleAnchorPriv.h
OSX/utilities/src/SecInternalRelease.c
OSX/utilities/utilities.xcodeproj/.gitignore [new file with mode: 0644]
Security.xcodeproj/.gitignore [new file with mode: 0644]
Security.xcodeproj/project.pbxproj
Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme
Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme
SecurityTests/.gitignore [new file with mode: 0644]
libsecurity_smime/libsecurity_smime.xcodeproj/.gitignore [new file with mode: 0644]
securityd/securityd_service/securityd_service/main.c
securityd/securityd_service/securityd_service/securityd_service.h
securityd/securityd_service/securityd_service/securityd_service_client.c
securityd/securityd_service/securityd_service/securityd_service_client.h
securityd/securityd_service/securitydservicectrl/main.c
securityd/securityd_service/securitydservicectrl/securitydservicectrl.entitlements

diff --git a/.gitignore b/.gitignore
new file mode 100644 (file)
index 0000000..dfd386e
--- /dev/null
@@ -0,0 +1,4 @@
+*~
+cscope.out
+.DS_Store
+xcuserdata
index 482c59462e9a623324fddf733482ac0d5a8c7fa2..030366f798780f56c98ccfa2b682f70a1df32de3 100644 (file)
                18F2353615C9FDD200060520 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; };
                18F2353715C9FDE400060520 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; };
                18F2353815C9FDEF00060520 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; };
-               18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; };
                18FE68021471A42900A2CBE3 /* SecDigestTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A3146F1BEC000BF1F3 /* SecDigestTransform.h */; settings = {ATTRIBUTES = (Public, ); }; };
                18FE68031471A42900A2CBE3 /* SecReadTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A4146F1BEC000BF1F3 /* SecReadTransform.h */; settings = {ATTRIBUTES = (Public, ); }; };
                18FE68041471A42900A2CBE3 /* SecTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A5146F1BEC000BF1F3 /* SecTransform.h */; settings = {ATTRIBUTES = (Public, ); }; };
                52F8DE4C1AF2EB6600A2C271 /* SOSTypes.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */; };
                532847791785076B009118DC /* Localizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5328475117850741009118DC /* Localizable.strings */; };
                5E605AFC1AB859B70049FA14 /* libcoreauthd_test_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */; };
+               5E6344221D4B834600A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5E6343FC1D4B6FF800A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings */; };
                5E7AF4731ACD64AC00005140 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; };
                5E7AF49B1ACD64E600005140 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; };
                5EC01FEE1B0CA7E0009FBB75 /* sec_acl_stress.c in Sources */ = {isa = PBXBuildFile; fileRef = 5EC01FED1B0CA7E0009FBB75 /* sec_acl_stress.c */; };
                BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; };
                BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; };
                BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; };
-               BE48AE0D1ADF1DF4000836C1 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; };
                BE48AE0E1ADF1DF4000836C1 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; };
                BE48AE0F1ADF1DF4000836C1 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; };
                BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; };
                DC311CC81CCEC82E00E14E8D /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; };
                DC7EFBAB1CBC46A7005F9624 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */; };
                DC7EFC0E1CBC7567005F9624 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */; };
+               DCA28DF71D629C6D00201446 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DCA28DF61D629C6D00201446 /* libsqlite3.dylib */; };
+               DCA28E1C1D629C7C00201446 /* AppleSystemInfo.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C5DD46B17A5F67300696A79 /* AppleSystemInfo.framework */; };
                E74583F51BF66506001B54A4 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; };
                E76079D61951FDAF00F69731 /* liblogging.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E76079D51951FDA800F69731 /* liblogging.a */; };
                E778BFBC17176DDE00302C14 /* security.exp-in in Sources */ = {isa = PBXBuildFile; fileRef = 182BB562146F4C73000BF1F3 /* security.exp-in */; };
                5328475217850741009118DC /* en */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/Localizable.strings; sourceTree = "<group>"; };
                5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_client.a; path = usr/local/lib/libcoreauthd_client.a; sourceTree = SDKROOT; };
                5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_test_client.a; path = usr/local/lib/libcoreauthd_test_client.a; sourceTree = SDKROOT; };
+               5E6343FD1D4B6FF800A23FB4 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = "en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings"; sourceTree = "<group>"; };
                5E7AF4721ACD64AC00005140 /* libACM.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libACM.a; path = usr/local/lib/libACM.a; sourceTree = SDKROOT; };
                5EC01FED1B0CA7E0009FBB75 /* sec_acl_stress.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = sec_acl_stress.c; path = ../../secacltests/sec_acl_stress.c; sourceTree = "<group>"; };
                5EC01FF01B0CAE62009FBB75 /* LocalAuthentication.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = LocalAuthentication.framework; path = System/Library/Frameworks/LocalAuthentication.framework; sourceTree = SDKROOT; };
                D4DDD9661CA2F2A700AA03AE /* libbsm.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libbsm.dylib; path = usr/lib/libbsm.dylib; sourceTree = SDKROOT; };
                D4EC94D51CEA48000083E753 /* si-20-sectrust-policies-data */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "si-20-sectrust-policies-data"; path = "../shared_regressions/si-20-sectrust-policies-data"; sourceTree = "<group>"; };
                DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SecurityFoundation.framework; path = System/Library/Frameworks/SecurityFoundation.framework; sourceTree = SDKROOT; };
+               DCA28DF61D629C6D00201446 /* libsqlite3.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libsqlite3.dylib; path = usr/lib/libsqlite3.dylib; sourceTree = SDKROOT; };
                EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "bc-10-knife-on-bread.m"; path = "Breadcrumb/bc-10-knife-on-bread.m"; sourceTree = "<group>"; };
                EB22F3F618A26BA50016A8EC /* breadcrumb_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = breadcrumb_regressions.h; path = Breadcrumb/breadcrumb_regressions.h; sourceTree = "<group>"; };
                EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = SecBreadcrumb.c; path = Breadcrumb/SecBreadcrumb.c; sourceTree = "<group>"; };
                                44A655CF1AA4B4F50059D185 /* libctkclient.a in Frameworks */,
                                8E64DB4A1C17C26F0076C9DF /* libDER.a in Frameworks */,
                                AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */,
-                               18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */,
                                18270EFA14CF426200B05E7F /* libsqlite3.dylib in Frameworks */,
                                4C8D8651177A752D0019A804 /* libsecipc_client.a in Frameworks */,
                                4C01DF14164C3E7C006798CD /* libSecureObjectSync.a in Frameworks */,
                        isa = PBXFrameworksBuildPhase;
                        buildActionMask = 2147483647;
                        files = (
+                               DCA28E1C1D629C7C00201446 /* AppleSystemInfo.framework in Frameworks */,
+                               DCA28DF71D629C6D00201446 /* libsqlite3.dylib in Frameworks */,
                                EBB6970B1BE2091300715F16 /* Foundation.framework in Frameworks */,
                                5EF7C2521B00EB0A00E5E99C /* libaks.a in Frameworks */,
                                5EF7C2511B00EAF100E5E99C /* libcoreauthd_client.a in Frameworks */,
                                BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */,
                                BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */,
                                BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */,
-                               BE48AE0D1ADF1DF4000836C1 /* libsecurity_codesigning.a in Frameworks */,
                                BE48AE0E1ADF1DF4000836C1 /* libASN1.a in Frameworks */,
                                BE48AE0F1ADF1DF4000836C1 /* libDER.a in Frameworks */,
                                BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */,
                1807384D146D0D4E00F05C24 /* Frameworks */ = {
                        isa = PBXGroup;
                        children = (
+                               DCA28DF61D629C6D00201446 /* libsqlite3.dylib */,
                                6C721DB01D3D18D700888AE1 /* login.framework */,
                                D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */,
                                DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */,
                        children = (
                                187D6B8F15D4359F00E27494 /* authorization.buttons.strings */,
                                187D6B9115D4359F00E27494 /* authorization.prompts.strings */,
+                               5E6343FC1D4B6FF800A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings */,
                                43A598591B0CF2AB00D14A7B /* CloudKeychain.strings */,
                                188AD8D81471FE3D0081C619 /* FDELocalizable.strings */,
                                182BB55C146F4544000BF1F3 /* FDEPrefs.plist */,
                                188AD8DC1471FE3E0081C619 /* FDELocalizable.strings in Resources */,
                                188AD8DD1471FE3E0081C619 /* InfoPlist.strings in Resources */,
                                52B006C015238F76005D4556 /* TimeStampingPrefs.plist in Resources */,
+                               5E6344221D4B834600A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings in Resources */,
                                187D6B9315D435BD00E27494 /* authorization.buttons.strings in Resources */,
                                187D6B9415D435C700E27494 /* authorization.prompts.strings in Resources */,
                        );
                        name = Localizable.strings;
                        sourceTree = "<group>";
                };
+               5E6343FC1D4B6FF800A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings */ = {
+                       isa = PBXVariantGroup;
+                       children = (
+                               5E6343FD1D4B6FF800A23FB4 /* en */,
+                       );
+                       name = "authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings";
+                       sourceTree = "<group>";
+               };
                CD276BE21A83F204003226BC /* InfoPlist.strings */ = {
                        isa = PBXVariantGroup;
                        children = (
                                        "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
                                        "-framework",
                                        AppleSystemInfo,
+                                       "-lc++",
                                );
                                USE_HEADERMAP = NO;
                        };
                                ARCHS = "$(ARCHS_STANDARD)";
                                CLANG_ENABLE_OBJC_ARC = YES;
                                CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist";
+                               FRAMEWORK_SEARCH_PATHS = (
+                                       "$(inherited)",
+                                       "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+                               );
                                GCC_PREPROCESSOR_DEFINITIONS = (
                                        "DEBUG=1",
                                        "$(inherited)",
                                ARCHS = "$(ARCHS_STANDARD)";
                                CLANG_ENABLE_OBJC_ARC = YES;
                                CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist";
+                               FRAMEWORK_SEARCH_PATHS = (
+                                       "$(inherited)",
+                                       "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+                               );
                                GCC_WARN_UNDECLARED_SELECTOR = YES;
                                HEADER_SEARCH_PATHS = (
                                        "$(inherited)",
                                        "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
                                        "-framework",
                                        AppleSystemInfo,
+                                       "-lc++",
                                );
                                PRODUCT_NAME = trustd;
                                USE_HEADERMAP = NO;
                                        "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
                                        "-framework",
                                        AppleSystemInfo,
+                                       "-lc++",
                                );
                                PRODUCT_NAME = trustd;
                                USE_HEADERMAP = NO;
index 09f31817199a1bdf92b89a326a4b3afdceabb0f9..0264d450504c5370258172a3f2c021ad13ade6a6 100644 (file)
          </BuildableReference>
       </BuildableProductRunnable>
       <CommandLineArguments>
-         <CommandLineArgument
-            argument = "ssl-42-ciphers"
-            isEnabled = "NO">
-         </CommandLineArgument>
          <CommandLineArgument
             argument = "kc-05-find-existing-items-locked"
             isEnabled = "NO">
             argument = "kc-30-xara"
             isEnabled = "NO">
          </CommandLineArgument>
+         <CommandLineArgument
+            argument = "ssl-42-ciphers"
+            isEnabled = "NO">
+         </CommandLineArgument>
          <CommandLineArgument
             argument = "ssl-43-ciphers"
             isEnabled = "NO">
             argument = "si_83_seccertificate_sighashalg"
             isEnabled = "NO">
          </CommandLineArgument>
+         <CommandLineArgument
+            argument = "si_84_sectrust_allowlist"
+            isEnabled = "NO">
+         </CommandLineArgument>
          <CommandLineArgument
             argument = "si_85_sectrust_ssl_policy"
             isEnabled = "NO">
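Review bot: The new scheme argument `si_84_sectrust_allowlist` does not match the regression file this commit adds, `OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c` (file list above). If the test registers under the name derived from its file name (`si_84_sectrust_whitelist`, following the dash-to-underscore pattern of the neighbouring entries), this argument will never select it, and because it is `isEnabled = "NO"` by default nobody will notice until someone tries to run it in isolation. Worth confirming which name the test registers under in shared_regressions.h and aligning the two; if the allowlist spelling is the registered one, the file name is the odd one out instead.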
index 6f123e6f7bed7f3d4a6043f8cf4674a51867091f..c627cb293c35c79c8d4ab4c2b72b56f19300fbb5 100644 (file)
@@ -60,6 +60,7 @@ struct _auth_token_s {
     
     bool least_privileged;
     bool appleSigned;
+       bool firstPartySigned;
     
     bool sandboxed;
     char * code_url;
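Review bot: The new `firstPartySigned` field in `struct _auth_token_s` is added, but no hunk in this commit assigns or reads it — authtoken.c contributes only this one hunk — so unless a caller outside the diff sets it, it is dead storage that will read as whatever the allocation left there (presumably false, if tokens are zero-initialized) and may mislead a later reader into relying on it. Either wire it up alongside the existing `appleSigned` field, or leave it out until it has a user. The added line is also tab-indented while its neighbours use four spaces; the same tab/space mix appears in the added lines of engine.c and in the `struct _process_s` and `process_create` hunks of process.c, and is worth normalising before it spreads. The struct continues outside the hunk.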
index 6e2d250c1ef881d7dac5ff10c373b9f20d38720e..0ef521badfd5cca1163098895b640c0a3eed89e0 100644 (file)
@@ -185,6 +185,7 @@ _set_process_immutable_hints(auth_items_t immutable_hints, process_t proc)
 {
     // process information - immutable
     auth_items_set_bool(immutable_hints, AGENT_HINT_PROCESS_SIGNED, process_apple_signed(proc));
+       auth_items_set_bool(immutable_hints, AGENT_HINT_PROCESS_FROM_APPLE, process_firstparty_signed(proc));
 }
 
 void
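Review bot: `AGENT_HINT_PROCESS_SIGNED` and the new `AGENT_HINT_PROCESS_FROM_APPLE` now have overlapping meanings, and nothing at this call site says so: per the process.c hunks in this commit, `process_apple_signed()` is true for either B&I or Mac App Store signing, while `process_firstparty_signed()` is true only for the `anchor apple` requirement. A one-line comment would save the next reader a trip into process.c, e.g. `// PROCESS_SIGNED: B&I or Mac App Store; PROCESS_FROM_APPLE: B&I ("anchor apple") only`. If any consumer of these hints gates behaviour on them, it should not treat the two as interchangeable, so the distinction is worth stating where the hints are produced.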
index 19f71229fb7ecd250d0981c4fcf5e4d513fbeaa7..2e8eb4daeb587f874517895bdd4aef33b8603af0 100644 (file)
@@ -33,7 +33,8 @@ struct _process_s {
     
     mach_port_t bootstrap;
     
-    bool appleSigned;
+    bool appStoreSigned;
+       bool firstPartySigned;
 };
 
 static void
@@ -182,14 +183,20 @@ process_create(const audit_info_s * auditInfo, session_t session)
     }
 
     // This is the clownfish supported way to check for a Mac App Store or B&I signed build
-    CFStringRef requirementString = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])");
+       // AppStore apps must have resource envelope 2. Check with spctl -a -t exec -vv <path>
+    CFStringRef firstPartyRequirement = CFSTR("anchor apple");
+       CFStringRef appStoreRequirement = CFSTR("anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists");
     SecRequirementRef  secRequirementRef = NULL;
-    status = SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &secRequirementRef);
+    status = SecRequirementCreateWithString(firstPartyRequirement, kSecCSDefaultFlags, &secRequirementRef);
     if (status == errSecSuccess) {
-        proc->appleSigned = process_verify_requirment(proc, secRequirementRef);
+        proc->firstPartySigned = process_verify_requirement(proc, secRequirementRef);
+               CFReleaseNull(secRequirementRef);
     }
-    CFReleaseSafe(secRequirementRef);
-
+       status = SecRequirementCreateWithString(appStoreRequirement, kSecCSDefaultFlags, &secRequirementRef);
+       if (status == errSecSuccess) {
+               proc->appStoreSigned = process_verify_requirement(proc, secRequirementRef);
+               CFReleaseSafe(secRequirementRef);
+       }
     LOGV("process[%i]: created (sid=%i) %s %p", proc->auditInfo.pid, proc->auditInfo.asid, proc->code_url, proc);
 
 done:
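Review bot: The second `SecRequirementCreateWithString` call overwrites `status`, so a failure compiling `firstPartyRequirement` is no longer observable past this hunk — only the App Store requirement's result reaches `LOGV` and `done:` (the remainder of process_create, including whatever `done:` does with `status`, is outside the hunk). Before this change a failed compile left its error in `status`; now the same failure is masked whenever the second call succeeds, and `proc->firstPartySigned` silently keeps whatever value the allocation gave it — presumably false, which at least fails closed, but it is worth confirming `proc` is zero-initialized. Keeping the two results apart avoids the clobber: `OSStatus appStoreStatus = SecRequirementCreateWithString(appStoreRequirement, kSecCSDefaultFlags, &secRequirementRef);` and `if (appStoreStatus == errSecSuccess) {`. The two branches also release differently (`CFReleaseNull` in the first, `CFReleaseSafe` in the second); since `secRequirementRef` is reused between the calls, `CFReleaseNull` in both is the consistent choice.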
@@ -456,7 +463,7 @@ process_get_requirement(process_t proc)
     return proc->code_requirement;
 }
 
-bool process_verify_requirment(process_t proc, SecRequirementRef requirment)
+bool process_verify_requirement(process_t proc, SecRequirementRef requirment)
 {
     OSStatus status = SecCodeCheckValidity(proc->codeRef, kSecCSDefaultFlags, requirment);
     if (status != errSecSuccess) {
@@ -467,7 +474,12 @@ bool process_verify_requirment(process_t proc, SecRequirementRef requirment)
 
 // Returns true if the process was signed by B&I or the Mac App Store
 bool process_apple_signed(process_t proc) {
-    return proc->appleSigned;
+    return (proc->firstPartySigned || proc->appStoreSigned);
+}
+
+// Returns true if the process was signed by B&I
+bool process_firstparty_signed(process_t proc) {
+       return proc->firstPartySigned;
 }
 
 mach_port_t process_get_bootstrap(process_t proc)
index cb89b4d4f5319d2002c88c2e068fc3a874695703..c4def564117de5080206a2abd641086bd24ef7f5 100644 (file)
@@ -12,7 +12,7 @@ extern "C" {
 #endif
     
 AUTH_WARN_RESULT AUTH_MALLOC AUTH_NONNULL_ALL AUTH_RETURNS_RETAINED
-process_t process_create(const audit_info_s*,session_t);
+process_t process_create(const audit_info_s*, session_t);
 
 AUTH_NONNULL_ALL
 const void * process_get_key(process_t);
@@ -54,13 +54,13 @@ AUTH_NONNULL_ALL
 CFIndex process_get_connection_count(process_t);
     
 AUTH_NONNULL_ALL
-void process_add_auth_token(process_t,auth_token_t);
+void process_add_auth_token(process_t, auth_token_t);
 
 AUTH_NONNULL_ALL
-void process_remove_auth_token(process_t,auth_token_t, uint32_t flags);
+void process_remove_auth_token(process_t, auth_token_t, uint32_t flags);
 
 AUTH_NONNULL_ALL
-auth_token_t process_find_copy_auth_token(process_t,const AuthorizationBlob*);
+auth_token_t process_find_copy_auth_token(process_t, const AuthorizationBlob*);
 
 AUTH_NONNULL_ALL
 CFIndex process_get_auth_token_count(process_t);
@@ -84,11 +84,14 @@ AUTH_NONNULL_ALL
 SecRequirementRef process_get_requirement(process_t);
     
 AUTH_NONNULL_ALL
-bool process_verify_requirment(process_t,SecRequirementRef);
+bool process_verify_requirement(process_t, SecRequirementRef);
 
 AUTH_NONNULL_ALL
 bool process_apple_signed(process_t proc);
 
+AUTH_NONNULL_ALL
+bool process_firstparty_signed(process_t proc);
+
 AUTH_NONNULL_ALL
 mach_port_t process_get_bootstrap(process_t);
     
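Review bot: The new `process_firstparty_signed` declaration has no comment, and the header gives a reader nothing to distinguish it from `process_apple_signed` directly above it. Suggest a comment mirroring the ones process.c carries on the definitions, e.g. `/* True if the process satisfies the "anchor apple" requirement (B&I signed); process_apple_signed() additionally accepts Mac App Store signing. */`. Since callers choose between these two predicates to decide how much to trust a client, the header is where that difference should be spelled out.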
diff --git a/OSX/lib/en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings b/OSX/lib/en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings
new file mode 100644 (file)
index 0000000..a37ee1e
--- /dev/null
@@ -0,0 +1,157 @@
+"system.preferences.accounts" = "Touch ID to Unlock Users & Groups Preferences.";
+
+"com.apple.SoftwareUpdate.scan" = "Touch ID to Check for New Apple-provided Software.";
+
+"system.preferences.datetime" = "Touch ID to Unlock the Date & Time Preferences.";
+
+"system.identity.write.credential" = "Touch ID to Update the Authentication Credentials.";
+
+"com.apple.appserver.privilege.admin" = "Touch ID to Modify the Application Server Settings.";
+
+"system.privilege.taskport.safe" = "Touch ID to Take Control of Another Process.";
+
+"com.apple.DiskManagement.internal." = "Touch ID to Modify the Selected Disk.";
+
+"system.print.operator" = "Touch ID to Use the Printer.";
+
+"com.apple.AOSNotification.FindMyMac.modify" = "Touch ID to Make Changes to Find My Mac.";
+
+"system.printingmanager" = "Touch ID to Print to a Locked Printer.";
+
+"com.apple.DiskManagement.reserveKEK" = "Touch ID to Modify an Encrypted Disk.";
+
+"system.services.systemconfiguration.network" = "Touch ID to Modify the System Network Configuration.";
+
+"sys.openfile." = "Touch ID to Open the Chosen File.";
+
+"com.apple.lldb.LaunchUsingXPC" = "Touch ID to Take Control of a Root Process.";
+
+"com.apple.OpenScripting.additions.send" = "Touch ID to Send Restricted Scripting Addition Commands to Other Applications.";
+
+"com.apple.library-repair" = "Touch ID to Repair Your Photo Library.";
+
+"com.apple.XType.fontmover.restore" = "Touch ID to Restore the Default System Fonts.";
+
+"system.csfde.requestpassword" = "Touch ID to Unlock Your Disk.";
+
+"com.apple.Safari.show-passwords" = "Touch ID to Show Passwords.";
+
+"com.apple.Safari.show-credit-card-numbers" = "Touch ID to Show Credit Card Numbers.";
+
+"com.apple.Safari.install-ephemeral-extensions" = "Touch ID to Install an Extension.";
+
+"com.apple.Safari.allow-apple-events-to-run-javascript" = "Touch ID to Allow Apple Events to Run JavaScript on Web Pages.";
+
+"com.apple.Safari.allow-javascript-in-smart-search-field" = "Touch ID to Allow JavaScript to be Used in the Smart Search Field.";
+
+"system.sharepoints." = "Touch ID to Modify Sharing Preferences.";
+
+"system.preferences.energysaver" = "Touch ID to Unlock the Energy Saver Preferences.";
+
+"system.install.apple-software" = "Touch ID to Install Apple-provided Software.";
+
+"system.install.apple-software.standard-user" = "Touch ID to Install Apple-provided software.";
+
+"com.apple.security.assessment.update" = "Touch ID to Install an App from an Unidentified Developer.";
+
+"com.apple.docset.install" = "Touch ID to Update the Developer Documentation.";
+
+"com.apple.Safari.parental-controls" = "Touch ID to Modify the Parental Controls Settings for Safari.";
+
+"com.apple.Safari.allow-unsigned-app-extensions" = "Touch ID to Allow Unsigned Extensions.";
+
+"com.apple.ServiceManagement.blesshelper" = "Touch ID to Install a New Helper Tool.";
+
+"system.device.dvd.setregion.initial" = "Touch ID to Set the DVD Region Code for the First Time.";
+
+"system.preferences.network" = "Touch ID to Unlock the Network Preferences.";
+
+"system.identity.write." = "Touch ID to Update the Set of Local Users.";
+
+"com.apple.opendirectoryd.linkidentity" = "Touch ID to Modify Your User Account.";
+
+"com.apple.trust-settings.user" = "Touch ID to Change Your Certificate Trust Settings.";
+
+"system.preferences.printing" = "Touch ID to Unlock the Printers & Scanners Preferences.";
+
+"system.hdd.smart" = "Touch ID to Modify the Diagnostic Settings for Your Hard Drive.";
+
+"system.print.admin" = "Touch ID to Modify the Printer Settings.";
+
+"system.preferences.accessibility" = "Touch ID to Unlock Accessibility Preferences.";
+
+"com.apple.activitymonitor.kill" = "Touch ID to Quit the Selected Process.";
+
+"system.burn" = "Touch ID to Burn a Disc.";
+
+"system.preferences.sharing" = "Touch ID to Unlock the Sharing Preferences.";
+
+"system.preferences.parental-controls" = "Touch ID to Unlock Parental Controls Preferences.";
+
+"system.preferences.security" = "Touch ID to Unlock Security & Privacy Preferences.";
+
+"system.preferences.startupdisk" = "Touch ID to Unlock the Startup Disk Preferences.";
+
+"com.apple.ServiceManagement.daemons.modify" = "Touch ID to Add a New Helper Tool.";
+
+"com.apple.DiskManagement." = "Touch ID to Modify the Selected Disk.";
+
+"com.apple.trust-settings.admin" = "Touch ID to Change the System Certificate Trust Settings.";
+
+"system.identity.write.self" = "Touch ID to Update Your Authentication Credentials.";
+
+"system.install.app-store-software" = "Touch ID to Install Software.";
+
+"system.install.app-store-software.standard-user" = "Touch ID to Install Software.";
+
+"system.preferences.version-cue" = "Touch ID to Modify the Version Cue Preferences.";
+
+"system.preferences" = "Touch ID to Modify Your System Settings.";
+
+"com.apple.SoftwareUpdate.modify-settings" = "Touch ID to Unlock the App Store Preferences.";
+
+"com.apple.uninstalld.uninstall" = "Touch ID to Delete an Application.";
+
+"system.privilege.taskport" = "Touch ID to Take Control of Another Process.";
+
+"system.install.software" = "Touch ID to Install New Software.";
+
+"system.preferences.security.remotepair" = "Touch ID to Pair the Remote.";
+
+"com.apple.XType.fontmover.remove" = "Touch ID to Remove Existing System Fonts.";
+
+"system.global-login-items." = "Touch ID to Add a Login Item.";
+
+"com.apple.server.admin.streaming" = "Touch ID to Modify the QuickTime Streaming Server Settings.";
+
+"system.preferences.softwareupdate" = "Touch ID to Unlock the App Store Preferences.";
+
+"system.keychain.modify" = "Touch ID to Modify the System Keychain.";
+
+"com.apple.XType.fontmover.install" = "Touch ID to Install New System Fonts.";
+
+"system.services.directory.configure" = "Touch ID to Modify the Directory Services Configuration.";
+
+"system.preferences.timemachine" = "Touch ID to Unlock the Time Machine Preferences.";
+
+"com.apple.appserver.privilege.user" = "Touch ID to Modify your Application Server Settings.";
+
+"system.privilege.taskport.debug" = "Touch ID to Take Control of Another Process for Debugging to Continue.";
+
+"com.apple.container-repair" = "Touch ID to Repair Your Library to Run Applications.";
+
+"com.apple.pf.rule" = "Touch ID to Modify Firewall Rules.";
+
+"com.apple.AOSNotification.FindMyMac.remove" = "Touch ID to Turn Off Find My Mac.";
+
+"com.apple.iBooksX.ParentalControl" = "Touch ID to Unlock Your Parental Controls Preferences.";
+
+"system.services.networkextension.vpn" = "Touch ID to Modify the VPN Configuration.";
+
+"system.services.networkextension.filtering" = "Touch ID to Modify the Content Filtering Configuration.";
+
+"com.apple.iCloud.passwordReset" = "Touch ID to Reset Your Apple ID Password.";
+
+"system.preferences.continuity" = "Touch ID to Unlock the Touch ID Preferences.";
+
+"com.apple.ctkbind.admin" = "Touch ID to Pair the Current User With the SmartCard Identity.";
index 637f80214d6942ac1f6a1deb548e7466b7d0f56f..8752c7d04cc9aa123ad9c894faa7b87ee6604cb0 100644 (file)
@@ -18,6 +18,7 @@ _SecAsn1Decode
 _SecAsn1DecodeData
 _SecAsn1EncodeItem
 _SecAsn1Malloc
+_SecAsn1OidCompare
 _kSecAsn1AnyTemplate
 _kSecAsn1BMPStringTemplate
 _kSecAsn1BitStringTemplate
@@ -403,6 +404,9 @@ _SecTaskCreateFromSelf
 _SecTaskCopyValueForEntitlement
 _SecTaskCopyValuesForEntitlements
 _SecTaskCopySigningIdentifier
+#if TARGET_OS_OSX
+_SecTaskEntitlementsValidated
+#endif
 _SecTaskGetCodeSignStatus
 _SecTaskGetTypeID
 _SecTaskValidateForRequirement
@@ -1411,6 +1415,7 @@ _kSecPolicyAppleProfileSigner
 _kSecPolicyApplePushService
 _kSecPolicyAppleQAProfileSigner
 _kSecPolicyAppleRevocation
+_kSecPolicyAppleSecureIOStaticAsset
 _kSecPolicyAppleServerAuthentication
 _kSecPolicyAppleSMIME
 _kSecPolicyAppleSMPEncryption
@@ -1425,6 +1430,7 @@ _kSecPolicyAppleTimeStamping
 _kSecPolicyAppleTVOSApplicationSigning
 _kSecPolicyAppleUniqueDeviceIdentifierCertificate
 _kSecPolicyAppleURLBag
+_kSecPolicyAppleWarsaw
 _kSecPolicyAppleX509Basic
 _kSecPolicyMacAppStoreReceipt
 _kSecPolicyAppleAnchorIncludeTestRoots
@@ -1745,7 +1751,8 @@ _SecCertificateIsCA
 _SecCertificateIsSelfSigned
 _SecCertificateIsSelfSignedCA
 _SecCertificateIsSignedBy
-_SecCertificateIsWeak
+_SecCertificateIsWeakHash
+_SecCertificateIsWeakKey
 _SecCertificateParseGeneralNameContentProperty
 _SecCertificateParseGeneralNames
 _SecCertificatePathCopyAddingLeaf
@@ -1763,6 +1770,7 @@ _SecCertificatePathGetRoot
 _SecCertificatePathGetUsageConstraintsAtIndex
 _SecCertificatePathHasWeakHash
 _SecCertificatePathIsAnchored
+_SecCertificatePathIsValid
 _SecCertificatePathScore
 _SecCertificatePathSelfSignedIndex
 _SecCertificatePathSetIsAnchored
@@ -1821,6 +1829,9 @@ _SecItemCopyDisplayNames
 _SecItemCopyMatching
 _SecItemCopyParentCertificates
 _SecItemCopyStoredCertificate
+#if TARGET_OS_OSX
+_SecItemCreateFromAttributeDictionary_osx
+#endif
 #if TARGET_OS_EMBEDDED
 _SecCopyLastError
 _SecItemUpdateWithError
@@ -1874,6 +1885,7 @@ _SecKeyCopyModulus
 _SecKeyCreate
 _SecKeyCreateAttestation
 _SecKeyCreateDecryptedData
+_SecKeyCreateDuplicate
 _SecKeyCreateEncryptedData
 _SecKeyCreateFromAttributeDictionary
 _SecKeyCreateFromPublicBytes
@@ -2072,12 +2084,14 @@ _SecPolicyCreateApplePPQService
 _SecPolicyCreateApplePPQSigning
 _SecPolicyCreateApplePushService
 _SecPolicyCreateApplePushServiceLegacy
+_SecPolicyCreateAppleSecureIOStaticAsset
 _SecPolicyCreateAppleSMPEncryption
 _SecPolicyCreateAppleSoftwareSigning
 _SecPolicyCreateAppleSSLPinned
 _SecPolicyCreateAppleSSLService
 _SecPolicyCreateAppleTimeStamping
 _SecPolicyCreateAppleTVOSApplicationSigning
+_SecPolicyCreateAppleWarsaw
 _SecPolicyCreateBasicX509
 _SecPolicyCreateCodeSigning
 _SecPolicyCreateConfigurationProfileSigner
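Review bot: Removing `_SecCertificateIsWeak` from the export list (the `@@ -1745` hunk) drops a symbol that any existing client of the private API may still link against, and the replacement pair `_SecCertificateIsWeakHash`/`_SecCertificateIsWeakKey` is not a drop-in for it; if out-of-tree callers exist, keeping the old name exported as a deprecated wrapper for one release would avoid a load-time failure, and the commit message does not say that was considered. The two new `#if TARGET_OS_OSX` groups follow the existing `#if TARGET_OS_EMBEDDED` style, but the `SecItemCreateFromAttributeDictionary_osx` declaration added to SecItemPriv.h in this same commit does not visibly carry a matching guard, so header and export list should agree on whether the symbol is macOS-only.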
diff --git a/OSX/libsecurity_asn1/.gitignore b/OSX/libsecurity_asn1/.gitignore
new file mode 100644 (file)
index 0000000..35cfb4d
--- /dev/null
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/.gitignore b/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/.gitignore
new file mode 100644 (file)
index 0000000..7f42cdd
--- /dev/null
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
index 6001609ec06da8f6f21604ce6a2634fd1e04aec7..6c90551d35e70dfe22dab3ddd4965407978a5a4e 100644 (file)
 #define AGENT_HINT_AUTHORIZE_RULE "authorize-rule"
 #define AGENT_HINT_TOKEN_NAME "token-name"
 #define AGENT_HINT_PROCESS_SIGNED "process-apple-signed"
+#define AGENT_HINT_PROCESS_FROM_APPLE "process-firstparty-signed"
 #define AGENT_HINT_SHOW_RESET "show-reset"
 #define AGENT_HINT_PASSWORD_ONLY "password-only"
 
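Review bot: The new `AGENT_HINT_PROCESS_FROM_APPLE` hint is easy to confuse with the neighbouring `AGENT_HINT_PROCESS_SIGNED`, whose value is already "process-apple-signed", and nothing in the header says how "firstparty-signed" differs from "apple-signed". A one-line comment above the define, along the lines of `/* set when the requesting process carries Apple's first-party signature; distinct from AGENT_HINT_PROCESS_SIGNED — see the authd code that sets it */`, would pin the distinction for whoever reads the hint on the agent side; I am inferring the intent from the names only, so the exact wording should come from the code in authd that populates it.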
index ff45f46c76c637ab1c5db8621ccd915ee6dbf211..395b161c061eed7540062120678f31525956d403 100644 (file)
                C2F4439B14C626D4000A01E6 /* quarantine++.h in Headers */ = {isa = PBXBuildFile; fileRef = C2F4439914C626D4000A01E6 /* quarantine++.h */; };
                C2F6566E0BCBFB250078779E /* cserror.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2F6566C0BCBFB250078779E /* cserror.cpp */; };
                DC1418651CCEE2EC00CFD769 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1418641CCEE2EC00CFD769 /* libutilities.a */; };
+               DC529B311D63C78000D617E8 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC529B301D63C78000D617E8 /* IOKit.framework */; };
                EB68B111150DAEEA00B4013D /* RequirementLexer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB68B10B150DAEBB00B4013D /* RequirementLexer.cpp */; };
                EB68B112150DAEEA00B4013D /* RequirementParser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB68B10D150DAEBB00B4013D /* RequirementParser.cpp */; };
                EB68B133150DB04400B4013D /* RequirementKeywords.h in Headers */ = {isa = PBXBuildFile; fileRef = EB68B10A150DAEBB00B4013D /* RequirementKeywords.h */; };
                C2F6566D0BCBFB250078779E /* cserror.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cserror.h; sourceTree = "<group>"; };
                CDCBE8941A1A96E8002CB2B7 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; };
                DC1418641CCEE2EC00CFD769 /* libutilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libutilities.a; path = "../../../Users/kmowery/Library/Developer/Xcode/DerivedData/Security-fkwwcnddijtngfaslvsedvgyzbou/Build/Products/Debug/libutilities.a"; sourceTree = "<group>"; };
+               DC529B301D63C78000D617E8 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; };
                EB68B10A150DAEBB00B4013D /* RequirementKeywords.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RequirementKeywords.h; sourceTree = "<group>"; };
                EB68B10B150DAEBB00B4013D /* RequirementLexer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RequirementLexer.cpp; sourceTree = "<group>"; };
                EB68B10C150DAEBB00B4013D /* RequirementLexer.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = RequirementLexer.hpp; sourceTree = "<group>"; };
                                C200424E15D425D9004AE0A1 /* libsecurity_utilities.a in Frameworks */,
                                DC1418651CCEE2EC00CFD769 /* libutilities.a in Frameworks */,
                                7ACF261219958B6F00849B25 /* CoreFoundation.framework in Frameworks */,
+                               DC529B311D63C78000D617E8 /* IOKit.framework in Frameworks */,
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                };
                C2CC30EF0B8519CF005FA59D /* Frameworks */ = {
                        isa = PBXGroup;
                        children = (
+                               DC529B301D63C78000D617E8 /* IOKit.framework */,
                                DC1418641CCEE2EC00CFD769 /* libutilities.a */,
                                C2D6EA461C8F5265009B586F /* libsecurity_utilities.a */,
                                C2D6EA441C8F5257009B586F /* Security.framework */,
index 9e4e9df6762ac6883d6402bbe456484475b88409..ecef3fbeb787c9f271c60ebdda208cf97689fa53 100644 (file)
@@ -958,6 +958,13 @@ DLDbListCFPref::searchList()
 void
 DLDbListCFPref::searchList(const vector<DLDbIdentifier> &searchList)
 {
+    if(searchList.size() == 0) {
+        mSearchList.clear();
+        mSearchListSet = false;
+        changed(true);
+        return;
+    }
+
        vector<DLDbIdentifier> newList(searchList);
        mSearchList.swap(newList);
     mSearchListSet = true;
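Review bot: The early-return branch gives an empty `searchList` argument a different meaning from the general case — it clears `mSearchList` and resets `mSearchListSet` to false instead of storing an empty list — and nothing in the hunk records that this is intentional, so the next maintainer may "fix" it. A comment before the `if`, presumably `// Empty list: drop the stored list and return to the unset/default state rather than searching nothing.`, would capture the intent, and `searchList.empty()` is the idiomatic spelling of `searchList.size() == 0`. The new lines use 4-space indentation while the adjacent `vector<DLDbIdentifier> newList(searchList);` line is indented differently, so the function now mixes styles. The rest of `searchList()` continues past the hunk, so I cannot see whether `changed(true)` is also invoked on the normal path.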
index 93635785d5c1cba06d5e3048550899769ac57c06..c4f4fd3b1156910eeb463a7b910fb181faee370c 100644 (file)
@@ -64,7 +64,7 @@ OSStatus SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUp
 OSStatus SecItemDelete_ios(CFDictionaryRef query);
 OSStatus SecItemUpdateTokenItems_ios(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes);
 
-CFTypeRef SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes);
+
 OSStatus SecItemValidateAppleApplicationGroupAccess(CFStringRef group);
 CFDictionaryRef SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass,
        bool iOSOut, bool pruneMatch, bool pruneSync, bool pruneReturn, bool pruneData, bool pruneAccess);
index c8065f0c258b64cf85dfb71f5300537bfde1f929..8b88d67e181e84f3761f184d744494aad8d155de 100644 (file)
@@ -453,6 +453,8 @@ bool _SecSystemKeychainTransfer(CFErrorRef *error);
 
 OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes);
 
+CFTypeRef SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes);
+
 __END_DECLS
 
 #endif /* !_SECURITY_SECITEMPRIV_H_ */
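Review bot: `SecItemCreateFromAttributeDictionary_osx` is added to the private header without a doc comment or ownership annotation, whereas the SecKeyPriv.h declaration added in this same commit gets a `/*! @function … */` block. Since the name follows the Create rule the caller presumably owns the returned `CFTypeRef`; `CF_RETURNS_RETAINED` on the declaration would let the static analyzer enforce that, and a block such as `/*! @function SecItemCreateFromAttributeDictionary_osx @param refAttributes … @result A retained item reference, or NULL on failure; the caller must CFRelease it. */` should also say which item classes the attribute dictionary may describe, which I cannot tell from the hunk. The export-list entry for this symbol in the same commit is wrapped in `#if TARGET_OS_OSX` while this declaration is not, so one of the two should change to match.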
index e2b1ebc55a112edfde0c5925825ac2ed26c9887a..bf97e64a7e54071aabe0e9a56b85ac9fecd5c8c8 100644 (file)
@@ -129,6 +129,8 @@ typedef CFStringRef (*SecKeyDescribeMethod)(SecKeyRef key);
 typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErrorRef *error);
 typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key);
 typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2);
+typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key);
+
 /*!
  @abstract Performs cryptographic operation with the key.
  @param key Key to perform the operation on.
@@ -194,6 +196,7 @@ typedef struct __SecKeyDescriptor {
     SecKeyCopyPublicKeyMethod copyPublicKey;
     SecKeyCopyOperationResultMethod copyOperationResult;
     SecKeyIsEqualMethod isEqual;
+    SecKeyCreateDuplicateMethod createDuplicate;
 #endif
 } SecKeyDescriptor;
 
@@ -531,6 +534,19 @@ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AV
 Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error)
 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 
+/*!
+ @function SecKeyCreateDuplicate
+ @abstract Creates duplicate fo the key.
+
+ @param key Source key to be duplicated
+
+ @discussion Only memory representation of the key is duplicated, so if the key is backed by keychain, only one instance
+ stays in the keychain.  Duplicating key is useful for setting 'temporary' key parameters using SecKeySetParameter.
+ If the key is immutable (i.e. does not support SecKeySetParameter), calling this method is identical to calling CFRetain().
+ */
+SecKeyRef SecKeyCreateDuplicate(SecKeyRef key)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
 /*!
  Algorithms for converting between bigendian and core-crypto ccunit data representation.
  */
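Review bot: The new doc block for `SecKeyCreateDuplicate` (the `@@ -531` hunk) has a typo, `@abstract Creates duplicate fo the key.` should read `@abstract Creates a duplicate of the key.`, and it never states the ownership of the result even though the discussion says the call can be identical to `CFRetain()`; adding `@result A retained key reference that the caller must release with CFRelease.` (and `CF_RETURNS_RETAINED` on the declaration) makes the +1 contract explicit. The `createDuplicate` slot is appended to `SecKeyDescriptor` inside an `#if` whose condition lies outside the hunk; if descriptors are versioned, the code that dispatches to this slot must check the version before reading it, which I cannot confirm from here. The `SecKeyCreateDuplicateMethod` typedef also lacks the one-line `/*! @abstract … */` comment that its neighbours in this header carry.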
index 7eb06b4c241a31a8ff5fa07cc5671aacc102afbf..ee635e69b463544e85d66853210b456b4688b82a 100644 (file)
@@ -24,8 +24,8 @@
 /*!
  @header SecPolicyPriv
  The functions provided in SecPolicyPriv provide an interface to various
      X.509 certificate trust policies.
- */
+ X.509 certificate trust policies.
+*/
 
 #ifndef _SECURITY_SECPOLICYPRIV_H_
 #define _SECURITY_SECPOLICYPRIV_H_
@@ -95,6 +95,8 @@ CF_IMPLICIT_BRIDGING_ENABLED
        @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate
        @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth
        @constant kSecPolicyAppleMMCSCompatibilityServerAuth
+       @constant kSecPolicyAppleSecureIOStaticAsset
+       @constant kSecPolicyAppleWarsaw
  */
 extern const CFStringRef kSecPolicyAppleMobileStore
     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
@@ -200,6 +202,11 @@ extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth
     __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
 extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth
     __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleSecureIOStaticAsset
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+extern const CFStringRef kSecPolicyAppleWarsaw
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+
 
 /*!
  @enum Policy Value Constants
@@ -265,7 +272,7 @@ extern const CFStringRef kSecPolicyRootDigest
     * The intermediate has a marker extension with OID matching the intermediateMarkerOID
     parameter.
     * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
@@ -298,12 +305,8 @@ SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName,
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
     extension or Common Name.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
- For developers who need to disable pinning this function is equivalent to SecPolicyCreateSSL
- on internal releases if the value true is set for the key "AppleServerAuthenticationNoPinning%@"
- (where %@ is the policyName parameter) in the com.apple.Security preferences for the user
- of the calling application.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
  */
@@ -318,13 +321,14 @@ SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef h
  certificate chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in chain.
     * The intermediate has Common Name "Apple iPhone Certification Authority".
     * The leaf has Common Name "iPhone Activation".
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneActivation(void);
 
@@ -334,12 +338,13 @@ SecPolicyRef SecPolicyCreateiPhoneActivation(void);
  chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * There are exactly 4 certs in chain.
-    * The chain is anchored to "Apple Root CA" certificate.
-    * The first intermediate has Common Name "Apple iPhone Device CA".
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 4 certs in chain.
+     * The first intermediate has Common Name "Apple iPhone Device CA".
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
 
@@ -349,10 +354,10 @@ SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
  chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to the Factory Device CA.
+     * The chain is anchored to the Factory Device CA.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
 
@@ -361,13 +366,13 @@ SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
  @abstract Returns a policy object for verifying iAP certificate chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The leaf has notBefore date after 5/31/2006 midnight GMT.
-    * The leaf has Common Name beginning with "IPA_".
+     * The leaf has notBefore date after 5/31/2006 midnight GMT.
+     * The leaf has Common Name beginning with "IPA_".
  The intended use of this policy is that the caller pass in the
  intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiAP(void);
 
@@ -377,13 +382,13 @@ SecPolicyRef SecPolicyCreateiAP(void);
  certificates.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to the iTMS CA.
-    * There are exactly 2 certs in the chain.
-    * The leaf has Organization "Apple Inc.".
-    * The leaf has Common Name "iTunes Store URL Bag".
+     * The chain is anchored to the iTMS CA.
+     * There are exactly 2 certs in the chain.
+     * The leaf has Organization "Apple Inc.".
+     * The leaf has Common Name "iTunes Store URL Bag".
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
 
@@ -402,8 +407,8 @@ SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
  to contain either the ServerAuth OID, if the server param is true or
  ClientAuth OID, otherwise.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames);
 
@@ -416,8 +421,8 @@ SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedSer
  hostname or ip address to match the hostname in the leaf certificate.
  @discussion This policy uses the Basic X.509 policy with validity check.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable  hostname);
 
@@ -426,12 +431,14 @@ SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable  hostna
  @abstract Returns a policy object for evaluating SW update signing certs.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
-    * There are exactly 3 certs in the chain.
-    * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1.
+     * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
  @result A policy object. The caller is responsible for calling CFRelease
  on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
 
@@ -440,11 +447,14 @@ SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
  @abstract Returns a policy object for evaluating installer package signing certs.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
-    * There are exactly 3 certs in the chain.
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The leaf KeyUsage extension has the digital signature bit set.
+     * The leaf ExtendedKeyUsage extension has the CodeSigning OID.
  @result A policy object. The caller is responsible for calling CFRelease
  on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateApplePackageSigning(void);
 
@@ -454,18 +464,18 @@ SecPolicyRef SecPolicyCreateApplePackageSigning(void);
  signatures.  This is for apps signed directly by the app store.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
-    * There are exactly 3 certs in the chain.
-    * The intermediate has Common Name "Apple iPhone Certification Authority".
-    * The leaf has Common Name "Apple iPhone OS Application Signing".
-    * If the device is not a production device and is running an internal
-    release, the leaf may have the Common Name "TEST Apple iPhone OS
-    Application Signing TEST".
-    * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
-    or the CodeSigning OID.
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The intermediate has Common Name "Apple iPhone Certification Authority".
+     * The leaf has Common Name "Apple iPhone OS Application Signing".
+     * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.3 or OID
+     1.2.840.113635.100.6.1.6.
+     * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
+       or the CodeSigning OID.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
 
@@ -475,10 +485,10 @@ SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
  signatures. This policy is for certificates inside a UPP or regular
  profile.
  @discussion  This policy only verifies that the leaf is temporally valid
- and not revoked.
+ and not revoked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
 
@@ -487,16 +497,17 @@ SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
  @abstract Returns a policy object for evaluating provisioning profile signatures.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
-    * There are exactly 3 certs in the chain.
-    * The intermediate has Common Name "Apple iPhone Certification Authority".
-    * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
-    * If the device is not a production device and is running an internal
-    release, the leaf may have the Common Name "TEST Apple iPhone OS
-    Provisioning Profile Signing TEST".
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The intermediate has Common Name "Apple iPhone Certification Authority".
+     * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
+     * If the device is not a production device and is running an internal
+       release, the leaf may have the Common Name "TEST Apple iPhone OS
+       Provisioning Profile Signing TEST".
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
 
@@ -507,17 +518,17 @@ SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
  and allows for both the prod and the dev/test certs.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to any of the production Apple Root CAs.
-    Test roots are never permitted.
-    * There are exactly 3 certs in the chain.
-    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
-    * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
-    the CodeSigning OID.
-    * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
- 1.2.840.113635.100.6.1.24.1.
+     * The chain is anchored to any of the production Apple Root CAs.
+       Test roots are never permitted.
+     * There are exactly 3 certs in the chain.
+     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+     * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
+       the CodeSigning OID.
+     * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
      1.2.840.113635.100.6.1.24.1.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
 
@@ -527,8 +538,8 @@ SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
  @discussion This policy uses the Basic X.509 policy with validity check and
  requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateOCSPSigner(void);
 
@@ -541,27 +552,27 @@ enum {
     kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
     kSecKeyExchangeBothSMIMEUsage = (1 << 5),
     kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage |
-    kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage
+        kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage
 };
 
 /*!
  @function SecPolicyCreateSMIME
  @abstract Returns a policy object for evaluating S/MIME certificate chains.
      @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
+ @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
  flags, to indicate the intended usage of this certificate.
      @param email Optional; if present, the policy will require the specified
      email to match the email in the leaf certificate.
+ @param email Optional; if present, the policy will require the specified
+ email to match the email in the leaf certificate.
  @discussion This policy uses the Basic X.509 policy with validity check and
  requires the leaf to have
-    * a KeyUsage matching the smimeUsage,
-    * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
-    EmailProtection OID, and
-    * if the email param is specified, the email address in the RFC822Name in the
-    SubjectAlternativeName extension or in the Email Address field of the
-    Subject Name.
+     * a KeyUsage matching the smimeUsage,
+     * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
+       EmailProtection OID, and
+     * if the email param is specified, the email address in the RFC822Name in the
+       SubjectAlternativeName extension or in the Email Address field of the
+       Subject Name.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email);
 
@@ -570,11 +581,11 @@ SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable ema
  @abstract Returns a policy object for evaluating code signing certificate chains.
  @discussion This policy uses the Basic X.509 policy with validity check and
  requires the leaf to have
-    * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
-    * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
+     * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
+     * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateCodeSigning(void);
 
@@ -584,8 +595,8 @@ SecPolicyRef SecPolicyCreateCodeSigning(void);
  @disucssion This policy checks some of the Basic X.509 policy options with no
  validity check. It explicitly allows for empty subjects.
  @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
- */
+ on this when it is no longer needed.
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateLockdownPairing(void);
 
@@ -605,8 +616,10 @@ SecPolicyRef SecPolicyCreateURLBag(void);
  @abstract  Returns a policy object for evaluating certificate chains for signing OTA Tasking.
  @discussion This policy uses the Basic X.509 policy with validity check and
  pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
+    * The intermediate has Common Name "Apple iPhone Certification Authority".
     * The leaf has Common Name "OTA Task Signing".
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -619,8 +632,10 @@ SecPolicyRef SecPolicyCreateOTATasking(void);
  @abstract  Returns a policy object for evaluating certificate chains for signing Mobile Assets.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
+    * The intermediate has Common Name "Apple iPhone Certification Authority".
     * The leaf has Common Name "Asset Manifest Signing".
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -633,9 +648,10 @@ SecPolicyRef SecPolicyCreateMobileAsset(void);
  @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
-    or OID 1.2.840.113635.100.6.2.7.
+      or OID 1.2.840.113635.100.6.2.7.
     * The leaf has a marker extension with OID 1.2.840.113635.100.4.7.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -649,7 +665,13 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
  Mac App Store Receipts.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+    * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.6.1.
+    * The leaf has a marker extension with OID 1.2.840.113635.100.6.11.1.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -664,9 +686,10 @@ SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
  team ID to match the organizationalUnit field in the leaf certificate's subject.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the
-    cardIssuer.
+      cardIssuer.
     * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14.
     * The leaf has a Organizational Unit matching the TeamID.
  @result A policy object. The caller is responsible for calling CFRelease
@@ -674,14 +697,15 @@ SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
  */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
-                                               CFStringRef __nullable teamIdentifier);
+       CFStringRef __nullable teamIdentifier);
 
 /*!
  @function SecPolicyCreateMobileStoreSigner
  @abstract Returns a policy object for evaluating Mobile Store certificate chains.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
     * The leaf has KeyUsage with the DigitalSignature bit set.
@@ -697,7 +721,8 @@ SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
  @abstract  Returns a policy object for evaluating Test Mobile Store certificate chains.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
     * The leaf has KeyUsage with the DigitalSignature bit set.
@@ -742,14 +767,15 @@ SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
  Provisioning Profiles.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
     * The leaf has KeyUsage with the DigitalSignature bit set.
     * The leaf has a marker extension with OID 1.2.840.113635.100.4.11.
     * Revocation is checked via OCSP.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
 
@@ -759,25 +785,31 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
  Configuration Profiles.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
     * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
 
 /*!
  @function SecPolicyCreateQAConfigurationProfileSigner
  @abstract Returns a policy object for evaluating certificate chains for signing
- QA Configuration Profiles.
+ QA Configuration Profiles. On customer builds, this function returns the same
+ policy as SecPolicyCreateConfigurationProfileSigner.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
     * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
 
@@ -790,7 +822,7 @@ SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
     * There are exactly 2 certs in the chain.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateOTAPKISigner(void);
 
@@ -803,7 +835,7 @@ SecPolicyRef SecPolicyCreateOTAPKISigner(void);
     * There are exactly 2 certs in the chain.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
 
@@ -813,14 +845,15 @@ SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
  Apple ID Validation Records.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
-    or OID 1.2.840.113635.100.6.2.10.
+      or OID 1.2.840.113635.100.6.2.10.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.25.
     * Revocation is checked via OCSP.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
- */
+*/
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
 
@@ -829,7 +862,8 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
  @abstract Returns a policy object for evaluating SMP certificate chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA - ECC" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13.
     * The leaf has KeyUsage with the KeyEncipherment bit set.
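Review bot: The anchor description for the SMP encryption policy changes from the single "Apple Root CA - ECC" certificate to "any of the production Apple Root CAs", which describes a wider trust-anchor set than before; the policy implementation is not in this diff, so it is unclear whether this documents a real relaxation of the pin or is a copy of the boilerplate used for the RSA-rooted policies. If the code still anchors only to the ECC root, keep the precise wording, e.g. `* The chain is anchored to the "Apple Root CA - ECC" certificate.` followed by a separate sentence about test roots on internal releases; if the anchor set really was widened, that is a pinning change that belongs in the commit message, not only in a header comment.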
@@ -862,10 +896,11 @@ SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);
  @abstract Returns a policy object for verifying production PPQ Signing certificates.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification
-    Authority".
+      Authority".
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
     * The leaf has KeyUsage with the DigitalSignature bit set.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2.
@@ -877,13 +912,15 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void);
 
 /*!
  @function SecPolicyCreateTestApplePPQSigning
- @abstract Returns a policy object for verifying test PPQ Signing certificates.
+ @abstract Returns a policy object for verifying test PPQ Signing certificates. On
+ customer builds, this function returns the same policy as SecPolicyCreateApplePPQSigning.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification
-    Authority".
+      Authority".
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
     * The leaf has KeyUsage with the DigitalSignature bit set.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1.
@@ -912,16 +949,16 @@ SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname);
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
     * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
-    are permitted only on internal releases either using the context dictionary or with
-    defaults write.
+      are permitted only on internal releases either using the context dictionary or with
+      defaults write.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or,
-    if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1.
+      if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1.
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-    extension or Common Name.
+      extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -937,16 +974,16 @@ SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDicti
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
     * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
-    are permitted only on internal releases either using the context dictionary or with
-    defaults write.
+      are permitted only on internal releases either using the context dictionary or with
+      defaults write.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or,
-    if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1.
+      if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1.
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-    extension or Common Name.
+      extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -961,10 +998,10 @@ SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryR
  and pinning options:
     * The chain is anchored to an Entrust Intermediate.
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-    extension or Common Name.
+      extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -976,7 +1013,7 @@ SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
  @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
  @param hostname Required; hostname to verify the certificate name against.
  @param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value
- Boolean true will allow Test Apple rotos and test OIDs on internal releases.
+ Boolean true will allow Test Apple roots and test OIDs on internal releases.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
     * The chain is anchored to any of the production Apple Root CAs.
@@ -1025,15 +1062,15 @@ SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname)
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
     * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
-    are permitted only on internal releases either using the context dictionary or with
-    defaults write.
+      are permitted only on internal releases either using the context dictionary or with
+      defaults write.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2.
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-    extension or Common Name.
+      extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1050,16 +1087,16 @@ SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
     * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
-    are permitted only on internal releases either using the context dictionary or with
-    defaults write.
+      are permitted only on internal releases either using the context dictionary or with
+      defaults write.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or,
-    if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1.
+      if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1.
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-    extension or Common Name.
+      extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1076,15 +1113,15 @@ SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRe
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
     * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
-    are permitted either using the context dictionary or with defaults write.
+      are permitted either using the context dictionary or with defaults write.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or,
-    if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1.
+      if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1.
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-    extension or Common Name.
+      extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
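Review bot: The AST2 service entry is the only one in this file whose anchor bullet says test Apple roots "are permitted either using the context dictionary or with defaults write" without the qualifier "only on internal releases" that the neighbouring GS, PPQ and IDS entries carry. If a customer build really honours the context key or preference here, that is a way for any caller or a local preference to bypass the production-root pin and deserves an explicit statement; if the phrase was simply dropped, restore it: `are permitted only on internal releases either using the context dictionary or with defaults write.` This hunk only re-indents the line, so the implementation should be checked rather than assumed from the comment.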
@@ -1097,27 +1134,51 @@ SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryR
  @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions)
  @param hostname Required; hostname to verify the certificate name against.
  @param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value
- Boolean true will allow Test Apple roots on internal releases.
+Boolean true will allow Test Apple roots on internal releases.
  @discussion This policy uses the Basic X.509 policy with validity check
- and pinning options:
+and pinning options:
     * The chain is anchored to any of the production Apple Root CAs via full certificate
-    comparison. Test Apple Root CAs are permitted only on internal releases either
-    using the context dictionary or with defaults write.
+      comparison. Test Apple Root CAs are permitted only on internal releases either
+      using the context dictionary or with defaults write.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
-    if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1.
+      if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1.
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-    extension or Common Name.
+      extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via CRL.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+on this when it is no longer needed.
  */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __nullable context)
     __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
 
+/*!
+ @function SecPolicyCreateAppleCompatibilityEscrowProxyService
+ @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service using compatibility certs
+ @param hostname Required; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+    * The chain is anchored to the GeoTrust Global CA
+    * The intermediate has a subject public key info hash matching the public key of
+    the Apple IST CA G1 intermediate.
+    * The chain length is 3.
+    * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
+    if UAT is enabled with a defaults write (internal devices only),
+    OID 1.2.840.113635.100.6.27.7.1.
+    * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+    extension or Common Name.
+    * The leaf is checked against the Black and Gray lists.
+    * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname)
+__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+
 /*!
  @function SecPolicyCreateAppleFMiPService
  @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions)
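Review bot: The new SecPolicyCreateAppleCompatibilityEscrowProxyService discussion has no revocation bullet, while the sibling SecPolicyCreateAppleEscrowProxyService entry in the same hunk is changed to `* Revocation is checked via any available method.`; since the compatibility chain anchors on a public CA (GeoTrust Global CA) with only an SPKI pin on the intermediate, revocation matters more for this policy, not less. Either add the same bullet or state explicitly that revocation is not checked and why. Minor style: the new declaration's availability macro `__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);` sits at column 0 whereas the declaration just above indents it by four spaces, and the `@param`/`@discussion`/`@result` continuation lines of the escrow entry lost their leading space, unlike every other doc block in the file.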
@@ -1136,7 +1197,7 @@ SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDict
     extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via CRL.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
  on this when it is no longer needed.
  */
@@ -1150,14 +1211,15 @@ SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryR
  @param hostname Optional; hostname to verify the certificate name against.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
     extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1180,7 +1242,8 @@ SecPolicyRef SecPolicyCreateAppleTimeStamping(void);
  @abstract  Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA - ECC" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2".
     * The leaf has KeyUsage with the KeyEncipherment bit set.
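Review bot: As with the SMP entry earlier in this header, the Apple Pay Issuer Encryption anchor bullet goes from the single "Apple Root CA - ECC" certificate to any production Apple Root CA, and the policy implementation is not part of this diff, so whether the trust-anchor set was actually widened or only the comment was normalised cannot be confirmed here. This policy runs with no validity check, so the anchor, chain length, intermediate CN and key usage are the only things constraining who can issue an acceptable leaf, and the exact root should be documented precisely. If the code still pins to the ECC root, restore `* The chain is anchored to "Apple Root CA - ECC" certificate.` and describe the internal-release test-root escape in a separate sentence.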
@@ -1198,7 +1261,7 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
     * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
-    are permitted only on internal releases.
+      are permitted only on internal releases.
     * There are exactly 3 certs in the chain.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.43.
@@ -1224,7 +1287,7 @@ SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
     extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via CRL.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
  on this when it is no longer needed.
  */
@@ -1257,7 +1320,7 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
         * 1.2.840.113635.100.4.8    ("Safari Developer" EKU)
         * 1.2.840.113635.100.4.9    ("3rd Party Mac Developer Installer" EKU)
         * 1.2.840.113635.100.4.13   ("Developer ID Installer" EKU)
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
@@ -1277,7 +1340,7 @@ SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void)
     * The intermediate has the Common Name "Apple Code Signing Certification Authority".
     * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22.
     * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing).
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
@@ -1318,14 +1381,51 @@ CFStringRef SecPolicyGetOidString(SecPolicyRef policy)
     * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value
     of "ucrt".
     * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1.
-    * RSA key sizes are are disallowed. EC key sizes are P-256 or larger.
- @result A policy object. The caller is responsible for calling CFRelease on this when
+    * RSA key sizes are disallowed. EC key sizes are P-256 or larger.
+@result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
  */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash)
     __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 
+/*!
+ @function SecPolicyCreateAppleWarsaw
+ @abstract Returns a policy object for verifying signed Warsaw assets.
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and
+ pinning options:
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.14.
+    * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.29.
+    * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleWarsaw(void)
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+
+/*!
+ @function SecPolicyCreateAppleSecureIOStaticAsset
+ @abstract Returns a policy object for verifying signed static assets for Secure IO.
+ @discussion The resulting policy uses the Basic X.509 policy with no validity check and
+ pinning options:
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.10.
+    * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.50.
+    * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void)
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+
+
 CF_IMPLICIT_BRIDGING_DISABLED
 CF_ASSUME_NONNULL_END
 
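Review bot: Neither of the two new declarations, SecPolicyCreateAppleWarsaw and SecPolicyCreateAppleSecureIOStaticAsset, says anything about revocation or about leaf KeyUsage/ExtendedKeyUsage, while the other Apple policies in this header spell out both (e.g. `* Revocation is checked via any available method.`), so a reader cannot tell whether the omission is deliberate. Add the bullet in whichever form is true, and for the static-asset policy say why validity is not checked (presumably because signed static assets outlive their signing certificate — confirm against the implementation). Style: the hunk leaves two consecutive blank lines before `CF_IMPLICIT_BRIDGING_DISABLED`, and both new intermediate bullets say "has an extension with OID matching" where the rest of the file says "has a marker extension with OID".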
index 74041838dfd7a6067b82664cb823a92530e9e152..fb7d24a7c092089f3e664f0525052b896c7457f5 100644 (file)
@@ -1430,8 +1430,8 @@ void StorageManager::login(UInt32 nameLength, const void *name,
         try
         {
             Keychain loginRenamed1KC(keychain(loginRenamed1DLDbIdentifier));
-            secnotice("KCLogin", "Attempting to unlock %s with %d-character password",
-                (loginRenamed1KC) ? loginRenamed1KC->name() : "<NULL>", (unsigned int)passwordLength);
+            secnotice("KCLogin", "Attempting to unlock renamed KC \"%s\"",
+                      (loginRenamed1KC) ? loginRenamed1KC->name() : "<NULL>");
             loginRenamed1KC->unlock(CssmData(const_cast<void *>(password), passwordLength));
             // if we get here, we unlocked it
             if (loginKeychainExists) {
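Review bot: Dropping the password length from the secnotice is the right call (it leaked a property of the user's credential into the log), but the rewritten line keeps a NULL guard on loginRenamed1KC that the unchanged next line, `loginRenamed1KC->unlock(CssmData(const_cast<void *>(password), passwordLength));`, ignores by dereferencing unconditionally. If a null Keychain is reachable here, the unlock needs the same guard or an early bail-out inside the try; if it is not, the `"<NULL>"` branch is dead and can be dropped so the guard does not suggest a case that is never handled. The surrounding try/catch continues outside the hunk, so I cannot see whether the catch is meant to cover that case.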
@@ -1661,7 +1661,7 @@ void StorageManager::login(UInt32 nameLength, const void *name,
         try
         {
             Keychain shortnameDotKC(keychain(shortnameDotDLDbIdentifier));
-            secnotice("KCLogin", "Attempting to unlock %s",
+            secnotice("KCLogin", "Attempting to unlock short name keychain \"%s\"",
                 (shortnameDotKC) ? shortnameDotKC->name() : "<NULL>");
             shortnameDotKC->unlock(CssmData(const_cast<void *>(password), passwordLength));
         }
diff --git a/OSX/libsecurity_keychain/libDER/.gitignore b/OSX/libsecurity_keychain/libDER/.gitignore
new file mode 100644 (file)
index 0000000..35cfb4d
--- /dev/null
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/.gitignore b/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/.gitignore
new file mode 100644 (file)
index 0000000..7f42cdd
--- /dev/null
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/OSX/libsecurity_smime/.gitignore b/OSX/libsecurity_smime/.gitignore
new file mode 100644 (file)
index 0000000..35cfb4d
--- /dev/null
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_ssl/.gitignore b/OSX/libsecurity_ssl/.gitignore
new file mode 100644 (file)
index 0000000..35cfb4d
--- /dev/null
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/.gitignore b/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/.gitignore
new file mode 100644 (file)
index 0000000..7f42cdd
--- /dev/null
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/OSX/regressions/.gitignore b/OSX/regressions/.gitignore
new file mode 100644 (file)
index 0000000..e43b0f9
--- /dev/null
@@ -0,0 +1 @@
+.DS_Store
diff --git a/OSX/regressions/regressions.xcodeproj/.gitignore b/OSX/regressions/regressions.xcodeproj/.gitignore
new file mode 100644 (file)
index 0000000..7f42cdd
--- /dev/null
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/OSX/sec/.gitignore b/OSX/sec/.gitignore
new file mode 100644 (file)
index 0000000..53eb330
--- /dev/null
@@ -0,0 +1,4 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
+*.swp
diff --git a/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.h b/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.h
new file mode 100644 (file)
index 0000000..b60e913
--- /dev/null
@@ -0,0 +1,270 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef _SECURITY_SI_25_CMS_SKID_H_
+#define _SECURITY_SI_25_CMS_SKID_H_
+
+const uint8_t _content[33] = {
+    0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x63, 0x6f, 0x6e,
+    0x74, 0x61, 0x69, 0x6e, 0x73, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x2e,
+    0x0a
+};
+
+const uint8_t _signedData[3740] = {
+    0x30, 0x82, 0x0e, 0x98, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0,
+    0x82, 0x0e, 0x89, 0x30, 0x82, 0x0e, 0x85, 0x02, 0x01, 0x03, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09,
+    0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48,
+    0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x0d, 0x1f, 0x30, 0x82, 0x03, 0x54, 0x30, 0x82,
+    0x02, 0x3c, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x02, 0x34, 0x56, 0x30, 0x0d, 0x06, 0x09,
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x42, 0x31, 0x0b, 0x30,
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
+    0x55, 0x04, 0x0a, 0x13, 0x0d, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x49, 0x6e,
+    0x63, 0x2e, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x47, 0x65, 0x6f,
+    0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x20, 0x43, 0x41, 0x30,
+    0x1e, 0x17, 0x0d, 0x30, 0x32, 0x30, 0x35, 0x32, 0x31, 0x30, 0x34, 0x30, 0x30, 0x30, 0x30, 0x5a,
+    0x17, 0x0d, 0x32, 0x32, 0x30, 0x35, 0x32, 0x31, 0x30, 0x34, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30,
+    0x42, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x16,
+    0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73,
+    0x74, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
+    0x12, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c,
+    0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+    0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
+    0x82, 0x01, 0x01, 0x00, 0xda, 0xcc, 0x18, 0x63, 0x30, 0xfd, 0xf4, 0x17, 0x23, 0x1a, 0x56, 0x7e,
+    0x5b, 0xdf, 0x3c, 0x6c, 0x38, 0xe4, 0x71, 0xb7, 0x78, 0x91, 0xd4, 0xbc, 0xa1, 0xd8, 0x4c, 0xf8,
+    0xa8, 0x43, 0xb6, 0x03, 0xe9, 0x4d, 0x21, 0x07, 0x08, 0x88, 0xda, 0x58, 0x2f, 0x66, 0x39, 0x29,
+    0xbd, 0x05, 0x78, 0x8b, 0x9d, 0x38, 0xe8, 0x05, 0xb7, 0x6a, 0x7e, 0x71, 0xa4, 0xe6, 0xc4, 0x60,
+    0xa6, 0xb0, 0xef, 0x80, 0xe4, 0x89, 0x28, 0x0f, 0x9e, 0x25, 0xd6, 0xed, 0x83, 0xf3, 0xad, 0xa6,
+    0x91, 0xc7, 0x98, 0xc9, 0x42, 0x18, 0x35, 0x14, 0x9d, 0xad, 0x98, 0x46, 0x92, 0x2e, 0x4f, 0xca,
+    0xf1, 0x87, 0x43, 0xc1, 0x16, 0x95, 0x57, 0x2d, 0x50, 0xef, 0x89, 0x2d, 0x80, 0x7a, 0x57, 0xad,
+    0xf2, 0xee, 0x5f, 0x6b, 0xd2, 0x00, 0x8d, 0xb9, 0x14, 0xf8, 0x14, 0x15, 0x35, 0xd9, 0xc0, 0x46,
+    0xa3, 0x7b, 0x72, 0xc8, 0x91, 0xbf, 0xc9, 0x55, 0x2b, 0xcd, 0xd0, 0x97, 0x3e, 0x9c, 0x26, 0x64,
+    0xcc, 0xdf, 0xce, 0x83, 0x19, 0x71, 0xca, 0x4e, 0xe6, 0xd4, 0xd5, 0x7b, 0xa9, 0x19, 0xcd, 0x55,
+    0xde, 0xc8, 0xec, 0xd2, 0x5e, 0x38, 0x53, 0xe5, 0x5c, 0x4f, 0x8c, 0x2d, 0xfe, 0x50, 0x23, 0x36,
+    0xfc, 0x66, 0xe6, 0xcb, 0x8e, 0xa4, 0x39, 0x19, 0x00, 0xb7, 0x95, 0x02, 0x39, 0x91, 0x0b, 0x0e,
+    0xfe, 0x38, 0x2e, 0xd1, 0x1d, 0x05, 0x9a, 0xf6, 0x4d, 0x3e, 0x6f, 0x0f, 0x07, 0x1d, 0xaf, 0x2c,
+    0x1e, 0x8f, 0x60, 0x39, 0xe2, 0xfa, 0x36, 0x53, 0x13, 0x39, 0xd4, 0x5e, 0x26, 0x2b, 0xdb, 0x3d,
+    0xa8, 0x14, 0xbd, 0x32, 0xeb, 0x18, 0x03, 0x28, 0x52, 0x04, 0x71, 0xe5, 0xab, 0x33, 0x3d, 0xe1,
+    0x38, 0xbb, 0x07, 0x36, 0x84, 0x62, 0x9c, 0x79, 0xea, 0x16, 0x30, 0xf4, 0x5f, 0xc0, 0x2b, 0xe8,
+    0x71, 0x6b, 0xe4, 0xf9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x0f, 0x06,
+    0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d,
+    0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xc0, 0x7a, 0x98, 0x68, 0x8d, 0x89, 0xfb,
+    0xab, 0x05, 0x64, 0x0c, 0x11, 0x7d, 0xaa, 0x7d, 0x65, 0xb8, 0xca, 0xcc, 0x4e, 0x30, 0x1f, 0x06,
+    0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xc0, 0x7a, 0x98, 0x68, 0x8d, 0x89,
+    0xfb, 0xab, 0x05, 0x64, 0x0c, 0x11, 0x7d, 0xaa, 0x7d, 0x65, 0xb8, 0xca, 0xcc, 0x4e, 0x30, 0x0d,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01,
+    0x01, 0x00, 0x35, 0xe3, 0x29, 0x6a, 0xe5, 0x2f, 0x5d, 0x54, 0x8e, 0x29, 0x50, 0x94, 0x9f, 0x99,
+    0x1a, 0x14, 0xe4, 0x8f, 0x78, 0x2a, 0x62, 0x94, 0xa2, 0x27, 0x67, 0x9e, 0xd0, 0xcf, 0x1a, 0x5e,
+    0x47, 0xe9, 0xc1, 0xb2, 0xa4, 0xcf, 0xdd, 0x41, 0x1a, 0x05, 0x4e, 0x9b, 0x4b, 0xee, 0x4a, 0x6f,
+    0x55, 0x52, 0xb3, 0x24, 0xa1, 0x37, 0x0a, 0xeb, 0x64, 0x76, 0x2a, 0x2e, 0x2c, 0xf3, 0xfd, 0x3b,
+    0x75, 0x90, 0xbf, 0xfa, 0x71, 0xd8, 0xc7, 0x3d, 0x37, 0xd2, 0xb5, 0x05, 0x95, 0x62, 0xb9, 0xa6,
+    0xde, 0x89, 0x3d, 0x36, 0x7b, 0x38, 0x77, 0x48, 0x97, 0xac, 0xa6, 0x20, 0x8f, 0x2e, 0xa6, 0xc9,
+    0x0c, 0xc2, 0xb2, 0x99, 0x45, 0x00, 0xc7, 0xce, 0x11, 0x51, 0x22, 0x22, 0xe0, 0xa5, 0xea, 0xb6,
+    0x15, 0x48, 0x09, 0x64, 0xea, 0x5e, 0x4f, 0x74, 0xf7, 0x05, 0x3e, 0xc7, 0x8a, 0x52, 0x0c, 0xdb,
+    0x15, 0xb4, 0xbd, 0x6d, 0x9b, 0xe5, 0xc6, 0xb1, 0x54, 0x68, 0xa9, 0xe3, 0x69, 0x90, 0xb6, 0x9a,
+    0xa5, 0x0f, 0xb8, 0xb9, 0x3f, 0x20, 0x7d, 0xae, 0x4a, 0xb5, 0xb8, 0x9c, 0xe4, 0x1d, 0xb6, 0xab,
+    0xe6, 0x94, 0xa5, 0xc1, 0xc7, 0x83, 0xad, 0xdb, 0xf5, 0x27, 0x87, 0x0e, 0x04, 0x6c, 0xd5, 0xff,
+    0xdd, 0xa0, 0x5d, 0xed, 0x87, 0x52, 0xb7, 0x2b, 0x15, 0x02, 0xae, 0x39, 0xa6, 0x6a, 0x74, 0xe9,
+    0xda, 0xc4, 0xe7, 0xbc, 0x4d, 0x34, 0x1e, 0xa9, 0x5c, 0x4d, 0x33, 0x5f, 0x92, 0x09, 0x2f, 0x88,
+    0x66, 0x5d, 0x77, 0x97, 0xc7, 0x1d, 0x76, 0x13, 0xa9, 0xd5, 0xe5, 0xf1, 0x16, 0x09, 0x11, 0x35,
+    0xd5, 0xac, 0xdb, 0x24, 0x71, 0x70, 0x2c, 0x98, 0x56, 0x0b, 0xd9, 0x17, 0xb4, 0xd1, 0xe3, 0x51,
+    0x2b, 0x5e, 0x75, 0xe8, 0xd5, 0xd0, 0xdc, 0x4f, 0x34, 0xed, 0xc2, 0x05, 0x66, 0x80, 0xa1, 0xcb,
+    0xe6, 0x33, 0x30, 0x82, 0x04, 0x40, 0x30, 0x82, 0x03, 0x28, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
+    0x03, 0x02, 0x3a, 0x75, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+    0x0b, 0x05, 0x00, 0x30, 0x42, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+    0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, 0x47, 0x65, 0x6f,
+    0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03,
+    0x55, 0x04, 0x03, 0x13, 0x12, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x47, 0x6c,
+    0x6f, 0x62, 0x61, 0x6c, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x30, 0x36, 0x31,
+    0x36, 0x31, 0x35, 0x34, 0x32, 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x35, 0x32, 0x30,
+    0x31, 0x35, 0x34, 0x32, 0x34, 0x33, 0x5a, 0x30, 0x62, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55,
+    0x04, 0x03, 0x13, 0x13, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41,
+    0x20, 0x35, 0x20, 0x2d, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b,
+    0x13, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20,
+    0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+    0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b,
+    0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30,
+    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
+    0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf0, 0x8a, 0x08, 0xba,
+    0x2c, 0x13, 0x5c, 0x5a, 0xf1, 0x98, 0xfd, 0x31, 0x59, 0x66, 0xc2, 0x56, 0x7a, 0x7e, 0x40, 0x2a,
+    0x4c, 0x94, 0xc9, 0x68, 0xb6, 0xb3, 0x23, 0xbd, 0x60, 0x1b, 0x3b, 0xe7, 0xfd, 0x3d, 0x5d, 0x70,
+    0x26, 0xc5, 0x3a, 0xaa, 0xb0, 0xca, 0x69, 0x64, 0x0b, 0x62, 0x3e, 0x49, 0xe9, 0x4c, 0x05, 0x21,
+    0xbe, 0x34, 0xf4, 0xaa, 0x73, 0x21, 0x13, 0x31, 0x84, 0xe8, 0xce, 0xef, 0x38, 0xcf, 0x57, 0xe9,
+    0xdb, 0xcb, 0xce, 0xd1, 0x6d, 0xfa, 0xc8, 0x81, 0x92, 0x2d, 0x22, 0xce, 0x15, 0x7e, 0x7e, 0xb1,
+    0x07, 0xac, 0x88, 0xc7, 0x18, 0x92, 0xc1, 0x96, 0xc6, 0x0c, 0x90, 0x26, 0x17, 0x55, 0x5f, 0x19,
+    0x1b, 0x25, 0xcf, 0x9e, 0x51, 0x34, 0xfa, 0xf3, 0xe7, 0xb1, 0x1c, 0x78, 0x18, 0xda, 0xe4, 0x39,
+    0x1a, 0x91, 0x1b, 0xc2, 0xdf, 0xa8, 0x00, 0x5b, 0x5f, 0x4e, 0xc4, 0x22, 0xb4, 0xba, 0x64, 0xe2,
+    0x4a, 0x77, 0xba, 0xed, 0x2c, 0xeb, 0xfe, 0x8b, 0x61, 0x96, 0xf0, 0x1e, 0x84, 0x2d, 0x74, 0x0a,
+    0x7b, 0x17, 0xcd, 0xc3, 0xee, 0x00, 0x6e, 0xd7, 0x66, 0x79, 0x8b, 0x50, 0xe9, 0x4f, 0xaf, 0xa6,
+    0x3d, 0x91, 0x31, 0x2f, 0xca, 0x87, 0x2b, 0xcf, 0xf7, 0x08, 0x49, 0x14, 0x8a, 0x8e, 0x62, 0x7d,
+    0xad, 0x56, 0xaa, 0x95, 0x62, 0xe3, 0xe9, 0x6b, 0x4e, 0x64, 0x41, 0xe2, 0x4f, 0x22, 0xf7, 0x4b,
+    0x56, 0xf1, 0x2c, 0xa8, 0x71, 0x11, 0x38, 0x09, 0x8b, 0x97, 0xb9, 0x08, 0xbf, 0xcf, 0x30, 0x26,
+    0x83, 0x40, 0x90, 0x63, 0x1a, 0xb6, 0x69, 0xba, 0x79, 0xb7, 0xae, 0x59, 0xec, 0x6b, 0x0d, 0x84,
+    0x47, 0xa7, 0xae, 0x0b, 0x47, 0x4c, 0x06, 0xfb, 0x76, 0x82, 0x69, 0x7b, 0x5e, 0x23, 0x60, 0x52,
+    0x35, 0xd0, 0xac, 0x46, 0x1c, 0xea, 0xa0, 0xb6, 0x5a, 0x8b, 0xd9, 0xed, 0x02, 0x03, 0x01, 0x00,
+    0x01, 0xa3, 0x82, 0x01, 0x1d, 0x30, 0x82, 0x01, 0x19, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
+    0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xc0, 0x7a, 0x98, 0x68, 0x8d, 0x89, 0xfb, 0xab, 0x05, 0x64,
+    0x0c, 0x11, 0x7d, 0xaa, 0x7d, 0x65, 0xb8, 0xca, 0xcc, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
+    0x0e, 0x04, 0x16, 0x04, 0x14, 0x56, 0x33, 0x90, 0x2f, 0x9d, 0xf4, 0xd2, 0x30, 0xd0, 0x0d, 0x62,
+    0x25, 0x13, 0x78, 0x1d, 0x21, 0xa7, 0x51, 0x12, 0x0f, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13,
+    0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06,
+    0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x35, 0x06,
+    0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2e, 0x30, 0x2c, 0x30, 0x2a, 0xa0, 0x28, 0xa0, 0x26, 0x86, 0x24,
+    0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x67, 0x2e, 0x73, 0x79, 0x6d, 0x63, 0x62, 0x2e, 0x63,
+    0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x73, 0x2f, 0x67, 0x74, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c,
+    0x2e, 0x63, 0x72, 0x6c, 0x30, 0x2e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01,
+    0x04, 0x22, 0x30, 0x20, 0x30, 0x1e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
+    0x86, 0x12, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x67, 0x2e, 0x73, 0x79, 0x6d, 0x63, 0x64,
+    0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x4c, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x45, 0x30, 0x43, 0x30,
+    0x41, 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x36, 0x30, 0x33, 0x30,
+    0x31, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x25, 0x68, 0x74, 0x74,
+    0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x65, 0x6f, 0x74, 0x72, 0x75, 0x73, 0x74,
+    0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x63,
+    0x70, 0x73, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
+    0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x98, 0xfa, 0xbf, 0x23, 0x7e, 0x50, 0xda, 0xdc, 0x6d, 0x99,
+    0x5a, 0x97, 0x61, 0xe3, 0xa2, 0x67, 0x00, 0x75, 0x23, 0x98, 0xaf, 0x9f, 0xad, 0x21, 0x35, 0xa8,
+    0x78, 0x8b, 0xa3, 0xaf, 0x1c, 0x3a, 0x1e, 0x40, 0xe0, 0x84, 0x39, 0x6a, 0x84, 0xd5, 0xd4, 0xa8,
+    0x9f, 0xfe, 0xbd, 0xb2, 0x07, 0x76, 0x74, 0x50, 0xb0, 0xbf, 0x6a, 0x00, 0x19, 0xf4, 0xbd, 0xd2,
+    0xf6, 0x55, 0x7d, 0x93, 0x0c, 0x14, 0xcd, 0x13, 0xec, 0xc5, 0x31, 0x66, 0xb4, 0xf4, 0x50, 0x50,
+    0x71, 0xde, 0xde, 0xfc, 0xce, 0x33, 0x9f, 0xfe, 0xe5, 0x14, 0xa5, 0x17, 0x4c, 0x10, 0xa4, 0xd9,
+    0x3a, 0x7e, 0xa4, 0xe7, 0xe0, 0xbd, 0x53, 0x7f, 0xfd, 0xea, 0x8c, 0x80, 0x55, 0x7c, 0xbc, 0x95,
+    0xa8, 0x1f, 0xc7, 0x30, 0x41, 0x1b, 0x92, 0xf8, 0xd7, 0xe5, 0x42, 0xb9, 0x71, 0xd7, 0x29, 0x70,
+    0x44, 0x55, 0x42, 0xd5, 0x77, 0x12, 0xb5, 0x80, 0xad, 0x55, 0x5f, 0xc3, 0x5b, 0x93, 0xc0, 0x5b,
+    0xd6, 0x97, 0xc7, 0x8d, 0x31, 0x49, 0xb7, 0x30, 0x88, 0x33, 0xd8, 0xc6, 0x50, 0x17, 0xc1, 0xb0,
+    0x94, 0x0c, 0x88, 0xe3, 0x33, 0x28, 0xad, 0x30, 0x04, 0x05, 0x6d, 0xdc, 0x23, 0xcd, 0x76, 0x4f,
+    0x1c, 0xd0, 0xb4, 0x17, 0x7a, 0x04, 0x42, 0x0b, 0xb3, 0xdb, 0xe4, 0x3b, 0xbe, 0x7e, 0x6d, 0xe5,
+    0xe1, 0x60, 0x91, 0x7e, 0x24, 0xd1, 0xdf, 0x6e, 0xc0, 0xc9, 0x97, 0x26, 0x17, 0x03, 0xd9, 0xec,
+    0x5b, 0x51, 0x5f, 0x8d, 0x28, 0xc9, 0x0e, 0x25, 0x96, 0x5c, 0x98, 0x01, 0x10, 0x19, 0x6b, 0x17,
+    0x5a, 0x72, 0x85, 0xf0, 0x5a, 0x70, 0x10, 0x59, 0x4a, 0x43, 0x85, 0xa2, 0x6c, 0xf8, 0x2d, 0x98,
+    0x4c, 0xeb, 0xe3, 0x20, 0x73, 0xe9, 0x12, 0xea, 0x03, 0x6a, 0x06, 0xb3, 0xbd, 0x41, 0xca, 0x1c,
+    0x57, 0xdf, 0x1f, 0xf5, 0xc4, 0x37, 0x30, 0x82, 0x05, 0x7f, 0x30, 0x82, 0x04, 0x67, 0xa0, 0x03,
+    0x02, 0x01, 0x02, 0x02, 0x08, 0x7f, 0x11, 0xef, 0xdb, 0xe0, 0x91, 0x91, 0xe6, 0x30, 0x0d, 0x06,
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x62, 0x31, 0x1c,
+    0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
+    0x53, 0x54, 0x20, 0x43, 0x41, 0x20, 0x35, 0x20, 0x2d, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1e,
+    0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+    0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13,
+    0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
+    0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+    0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x35, 0x32, 0x38, 0x31, 0x38, 0x33, 0x30, 0x35, 0x33,
+    0x5a, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x36, 0x32, 0x36, 0x31, 0x38, 0x33, 0x30, 0x35, 0x33, 0x5a,
+    0x30, 0x53, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x62, 0x62, 0x61,
+    0x73, 0x69, 0x6c, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x13,
+    0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
+    0x6e, 0x63, 0x2e, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61,
+    0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+    0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+    0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01,
+    0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xaf, 0xba, 0x8e, 0x32, 0x59, 0xa1, 0xd3, 0xc7, 0x16, 0x1c,
+    0x21, 0xe8, 0x65, 0xc8, 0x2f, 0x48, 0xc1, 0x01, 0x36, 0xdc, 0x55, 0xcb, 0x73, 0x95, 0x0d, 0x16,
+    0x60, 0x40, 0x7c, 0xe3, 0x87, 0xb6, 0xad, 0xa7, 0x40, 0x86, 0xb9, 0x81, 0xfa, 0xd4, 0xd4, 0x55,
+    0xe0, 0xa1, 0x73, 0x24, 0x49, 0x30, 0xff, 0x33, 0xe2, 0xb2, 0x7a, 0xf6, 0x66, 0xda, 0x37, 0x42,
+    0x49, 0xaa, 0x54, 0x87, 0x55, 0x46, 0x75, 0xe2, 0x62, 0x07, 0xc6, 0x68, 0x95, 0x6a, 0x43, 0xd7,
+    0x4a, 0xe1, 0xf3, 0xd9, 0x56, 0x11, 0xa7, 0xdb, 0x90, 0xfc, 0x5a, 0xd2, 0xa1, 0x61, 0xac, 0xc3,
+    0xe0, 0x6c, 0x8d, 0x3a, 0x2e, 0xee, 0xee, 0x74, 0x1c, 0xba, 0xad, 0x24, 0x1b, 0xf2, 0x41, 0xae,
+    0x49, 0x5d, 0x6e, 0x6c, 0x3f, 0xc8, 0x2b, 0xcd, 0xbc, 0x64, 0xb7, 0x68, 0x31, 0x69, 0xc7, 0x00,
+    0x0a, 0x8b, 0xe8, 0xe8, 0x6a, 0x5d, 0xd8, 0xda, 0x7b, 0x7a, 0x3e, 0xf1, 0xde, 0x0d, 0x83, 0xbc,
+    0x7d, 0xeb, 0x76, 0xd1, 0xa5, 0x3f, 0x90, 0xb5, 0xa7, 0xd6, 0x0c, 0x1b, 0xe8, 0x2d, 0x75, 0xc3,
+    0xed, 0x6b, 0xf6, 0xf2, 0x99, 0xf2, 0xa6, 0xd0, 0xff, 0x4f, 0x27, 0x18, 0x19, 0x6c, 0x57, 0xc9,
+    0x74, 0xe8, 0x74, 0x20, 0x97, 0x82, 0x86, 0x86, 0xed, 0x1a, 0x5c, 0xf6, 0xab, 0x09, 0x57, 0x0e,
+    0x40, 0xc9, 0x97, 0xbe, 0x00, 0x82, 0xb7, 0x03, 0x9b, 0x23, 0xb1, 0xbb, 0xdc, 0x57, 0xdb, 0xf1,
+    0xbb, 0x8a, 0x60, 0xf5, 0x8f, 0xc1, 0x9c, 0x29, 0xe3, 0x44, 0xec, 0x6c, 0xeb, 0x43, 0x4f, 0x5b,
+    0xc4, 0xa3, 0x65, 0x96, 0xb8, 0xa7, 0x7c, 0xe0, 0x86, 0xf8, 0xd3, 0x53, 0x96, 0xc9, 0xdf, 0x10,
+    0x87, 0x95, 0xfb, 0x37, 0xb6, 0xb6, 0x1a, 0x27, 0x3a, 0x06, 0x46, 0x46, 0xbc, 0x83, 0x67, 0xa6,
+    0xc2, 0x0e, 0xa1, 0x6d, 0xdb, 0x85, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x46, 0x30,
+    0x82, 0x02, 0x42, 0x30, 0x48, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04,
+    0x3c, 0x30, 0x3a, 0x30, 0x38, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86,
+    0x2c, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x61, 0x70, 0x70,
+    0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x34, 0x2d, 0x61, 0x70,
+    0x70, 0x6c, 0x65, 0x69, 0x73, 0x74, 0x63, 0x61, 0x35, 0x67, 0x31, 0x30, 0x31, 0x30, 0x1d, 0x06,
+    0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xf2, 0x03, 0x28, 0xd3, 0x26, 0xde, 0xc3, 0x80,
+    0xbc, 0xf9, 0x02, 0x31, 0xc2, 0x25, 0x13, 0x6c, 0x4c, 0xa6, 0x2e, 0xbe, 0x30, 0x0c, 0x06, 0x03,
+    0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
+    0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x56, 0x33, 0x90, 0x2f, 0x9d, 0xf4, 0xd2, 0x30, 0xd0,
+    0x0d, 0x62, 0x25, 0x13, 0x78, 0x1d, 0x21, 0xa7, 0x51, 0x12, 0x0f, 0x30, 0x82, 0x01, 0x2a, 0x06,
+    0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0x21, 0x30, 0x82, 0x01, 0x1d, 0x30, 0x82, 0x01, 0x19,
+    0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x05, 0x0b, 0x05, 0x01, 0x30, 0x82, 0x01,
+    0x08, 0x30, 0x81, 0xca, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x81,
+    0xbd, 0x0c, 0x81, 0xba, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x6e, 0x20,
+    0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
+    0x20, 0x61, 0x73, 0x73, 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x61,
+    0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69,
+    0x63, 0x61, 0x62, 0x6c, 0x65, 0x20, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x75,
+    0x73, 0x65, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+    0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, 0x69, 0x63, 0x65, 0x20, 0x73, 0x74,
+    0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x63,
+    0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x73, 0x68, 0x61, 0x6c, 0x6c,
+    0x20, 0x6e, 0x6f, 0x74, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x20, 0x61, 0x73, 0x2c, 0x20, 0x6f,
+    0x72, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x20, 0x61, 0x20, 0x77, 0x72, 0x69, 0x74,
+    0x74, 0x65, 0x6e, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x30, 0x39,
+    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x2d, 0x68, 0x74, 0x74, 0x70,
+    0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
+    0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x61, 0x75, 0x74, 0x68,
+    0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x72, 0x70, 0x61, 0x30, 0x37, 0x06, 0x03, 0x55, 0x1d, 0x1f,
+    0x04, 0x30, 0x30, 0x2e, 0x30, 0x2c, 0xa0, 0x2a, 0xa0, 0x28, 0x86, 0x26, 0x68, 0x74, 0x74, 0x70,
+    0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
+    0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x69, 0x73, 0x74, 0x63, 0x61, 0x35, 0x67, 0x31, 0x2e, 0x63,
+    0x72, 0x6c, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02,
+    0x05, 0xa0, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b,
+    0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15,
+    0x30, 0x13, 0x81, 0x11, 0x62, 0x62, 0x61, 0x73, 0x69, 0x6c, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c,
+    0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+    0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6b, 0x17, 0xbc, 0x28, 0x7a, 0x64, 0xe7,
+    0x6a, 0x30, 0x36, 0x2e, 0x49, 0x9b, 0x45, 0xda, 0x4c, 0x64, 0x86, 0xbb, 0x8c, 0x08, 0xc3, 0xbb,
+    0x2e, 0xfb, 0xa2, 0x8e, 0x9d, 0x33, 0xdf, 0x29, 0xea, 0x69, 0x2a, 0x6b, 0x06, 0x2b, 0x9b, 0x39,
+    0x7a, 0xcc, 0xe2, 0x50, 0x22, 0xb3, 0x09, 0x47, 0x60, 0x98, 0x34, 0x08, 0xb9, 0x72, 0x9f, 0xf8,
+    0x3a, 0x52, 0x6f, 0x60, 0x82, 0x24, 0x10, 0xd2, 0xe2, 0xba, 0xc3, 0x84, 0xf2, 0xdc, 0x39, 0x0b,
+    0xef, 0x5f, 0xdb, 0x82, 0x38, 0x5c, 0x69, 0xf3, 0x0e, 0xe8, 0x66, 0x93, 0x56, 0xde, 0xe0, 0xba,
+    0xed, 0xc7, 0x31, 0xfa, 0x33, 0x1c, 0x65, 0xb4, 0xbc, 0x55, 0x4c, 0xc0, 0x0c, 0xda, 0xe2, 0x3e,
+    0x76, 0xf6, 0xc4, 0x27, 0x92, 0xef, 0x60, 0x9d, 0x08, 0x7e, 0xad, 0x91, 0x63, 0x61, 0xc0, 0x07,
+    0x11, 0xd5, 0x85, 0xc1, 0xa3, 0xb4, 0x26, 0xab, 0xd2, 0xac, 0xe7, 0x5a, 0xc6, 0xf5, 0xa5, 0xe3,
+    0x1c, 0x55, 0x97, 0xae, 0xd7, 0x6c, 0x53, 0xfe, 0x24, 0x76, 0xf7, 0x40, 0x0e, 0x7d, 0xb9, 0xe5,
+    0xcf, 0x65, 0x83, 0xa8, 0xc0, 0x28, 0x83, 0xcf, 0x03, 0xe8, 0xac, 0x90, 0x4c, 0xdd, 0xea, 0xbf,
+    0x08, 0x54, 0xf4, 0x64, 0x46, 0x44, 0xfd, 0xab, 0xa1, 0x0d, 0x32, 0x26, 0xbd, 0xab, 0xef, 0xa1,
+    0x3f, 0x8b, 0x92, 0x0e, 0xdd, 0x15, 0xeb, 0xb2, 0x76, 0x43, 0xbc, 0xe5, 0xde, 0x21, 0x95, 0x0c,
+    0x49, 0xfb, 0x64, 0x90, 0x17, 0x27, 0x8d, 0x7f, 0x53, 0xc3, 0xb0, 0xf1, 0x73, 0xa4, 0x08, 0x5d,
+    0x92, 0x5f, 0x4b, 0xb5, 0xeb, 0xdb, 0x11, 0xcb, 0xb6, 0xe9, 0xef, 0xc7, 0xe0, 0x65, 0x32, 0x5a,
+    0x39, 0xd6, 0xc3, 0xfb, 0xcf, 0xb5, 0xf3, 0x88, 0x3c, 0x3b, 0xa2, 0xe7, 0xc6, 0x57, 0x59, 0x03,
+    0xb6, 0xc1, 0x32, 0x8e, 0x23, 0x1f, 0xc9, 0x33, 0xdb, 0x31, 0x82, 0x01, 0x3f, 0x30, 0x82, 0x01,
+    0x3b, 0x02, 0x01, 0x03, 0xa0, 0x16, 0x04, 0x14, 0xf2, 0x03, 0x28, 0xd3, 0x26, 0xde, 0xc3, 0x80,
+    0xbc, 0xf9, 0x02, 0x31, 0xc2, 0x25, 0x13, 0x6c, 0x4c, 0xa6, 0x2e, 0xbe, 0x30, 0x0b, 0x06, 0x09,
+    0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+    0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x2f, 0x47, 0xc4, 0xc0,
+    0x95, 0x16, 0x10, 0x08, 0x48, 0xe1, 0x91, 0x4e, 0xd9, 0x24, 0xae, 0xf3, 0xb1, 0x7f, 0x92, 0x8e,
+    0x88, 0xc3, 0xfd, 0x11, 0x33, 0x14, 0xc1, 0xf1, 0x19, 0xa3, 0x54, 0x60, 0xe7, 0x75, 0x9d, 0xb6,
+    0xac, 0x07, 0x83, 0x5c, 0xab, 0xf7, 0x6a, 0xf2, 0x3d, 0xf0, 0x26, 0x5e, 0xdf, 0xaf, 0x92, 0x2d,
+    0xea, 0x01, 0x77, 0x2d, 0x91, 0x7c, 0x89, 0x79, 0xe1, 0xc5, 0xa5, 0xdc, 0x7a, 0x3a, 0xfd, 0xba,
+    0x60, 0x64, 0xad, 0x0e, 0xc2, 0x09, 0x39, 0x61, 0x8b, 0x83, 0x27, 0x8a, 0xeb, 0xc0, 0x30, 0x1e,
+    0x67, 0x01, 0x77, 0xd9, 0xe8, 0xf8, 0x0b, 0x60, 0xf4, 0x17, 0x19, 0xbb, 0x20, 0xfa, 0x80, 0xeb,
+    0xe6, 0x52, 0xac, 0x7e, 0x5b, 0xe1, 0xed, 0x60, 0x68, 0x40, 0x33, 0x97, 0x1e, 0x57, 0x85, 0x89,
+    0xad, 0xe9, 0xd3, 0x81, 0xf0, 0xea, 0xa1, 0x73, 0x5a, 0x66, 0xb1, 0x03, 0x9a, 0x5f, 0xdd, 0x89,
+    0xd6, 0xd7, 0x93, 0x18, 0xc6, 0xd0, 0xbf, 0xd2, 0xdf, 0x67, 0xca, 0xbe, 0x1b, 0x05, 0x42, 0xc2,
+    0x1f, 0x36, 0xfa, 0xbe, 0x1d, 0x4b, 0x2b, 0x28, 0xf0, 0x9c, 0xdb, 0x84, 0xbc, 0xf7, 0x39, 0x20,
+    0x68, 0x10, 0x5b, 0xdd, 0x61, 0x00, 0x72, 0x67, 0x61, 0x19, 0x46, 0xa3, 0x3a, 0x09, 0x03, 0xcd,
+    0x79, 0x49, 0x06, 0xe8, 0x8f, 0x59, 0x41, 0xbd, 0x81, 0xf0, 0x32, 0x81, 0x78, 0xc0, 0x8f, 0x3f,
+    0x18, 0xa2, 0x12, 0xdd, 0xde, 0xe7, 0xed, 0x8e, 0x9f, 0x57, 0x76, 0xe0, 0x62, 0x72, 0xc6, 0x90,
+    0xcc, 0x73, 0xda, 0xe0, 0x30, 0xce, 0xb3, 0x21, 0x6b, 0x52, 0x31, 0x8c, 0x6a, 0x26, 0x59, 0xed,
+    0xad, 0x46, 0x03, 0x69, 0xe7, 0xf5, 0x88, 0x97, 0x6f, 0x42, 0x21, 0x6b, 0xe8, 0xc6, 0x6e, 0x89,
+    0x47, 0x01, 0x28, 0xf6, 0x6a, 0x89, 0x54, 0x4a, 0xdc, 0x9e, 0x3e, 0x1f
+};
+
+#endif /* _SECURITY_SI_25_CMS_SKID_H_ */
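Review bot: Both arrays in this header are definitions with external linkage (`const uint8_t _content[33]` and `const uint8_t _signedData[3740]`), so any second translation unit that includes the header will fail to link with duplicate symbols, and file-scope identifiers starting with an underscore live in the namespace reserved for the implementation. The header also names `uint8_t` without including `<stdint.h>`, so it is not self-contained and only compiles when the includer happens to pull that type in first. Suggest adding `#include <stdint.h>` directly after the include guard and making both definitions `static const uint8_t _content[33] = {` / `static const uint8_t _signedData[3740] = {` (keeping the names so si-25-cms-skid.m in this commit still resolves them). A one-line comment above each blob would also help the next reader, e.g. `/* Test fixture: plaintext content the CMS signature below covers */` and `/* Test fixture: DER-encoded CMS SignedData whose SignerInfo presumably uses a SubjectKeyIdentifier (per the file name); not a trust anchor */`.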
diff --git a/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.m b/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.m
new file mode 100644 (file)
index 0000000..d6d53b9
--- /dev/null
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "shared_regressions.h"
+
+#import <AssertMacros.h>
+#import <Foundation/Foundation.h>
+
+#import <Security/SecCMS.h>
+#import <Security/SecTrust.h>
+#include <utilities/SecCFRelease.h>
+
+#import "si-25-cms-skid.h"
+
+static void test_cms_verification(void)
+{
+    NSData *content = [NSData dataWithBytes:_content length:sizeof(_content)];
+    NSData *signedData = [NSData dataWithBytes:_signedData length:sizeof(_signedData)];
+
+    SecPolicyRef policy = SecPolicyCreateBasicX509();
+    SecTrustRef trust = NULL;
+    SecTrustResultType trustResult = kSecTrustResultInvalid;
+
+    ok_status(SecCMSVerify((__bridge CFDataRef)signedData, (__bridge CFDataRef)content, policy, &trust, NULL), "verify CMS message");
+
+    //10 Sept 2016
+    ok_status(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:495245242.0]), "set verify date");
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    is(trustResult, kSecTrustResultUnspecified, "trust suceeded");
+
+    CFReleaseSafe(policy);
+    CFRetainSafe(trust);
+}
+
+int si_25_cms_skid(int argc, char *const *argv)
+{
+    plan_tests(4);
+
+    test_cms_verification();
+
+    return 0;
+}
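Review bot: `CFRetainSafe(trust)` at the end of test_cms_verification retains the SecTrustRef that SecCMSVerify returned through its `&trust` out-parameter instead of releasing it, so the trust object and the certificate chain it holds leak on every run; this should read `CFReleaseSafe(trust);`, matching the `CFReleaseSafe(policy)` on the previous line. When `SecCMSVerify` fails, `trust` presumably stays NULL and is then passed straight to SecTrustSetVerifyDate and SecTrustEvaluate, turning one failure into three noisy ones; an `if (trust)` guard around the three follow-up checks (or a `require_noerr` to a cleanup label, since AssertMacros.h is already imported) would keep the output readable. Minor: the `is()` message "trust suceeded" is misspelled, and the `//10 Sept 2016` comment would be more useful as `// Fixed verify date (10 Sept 2016) so the test stays green after the signer cert expires`.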
index 1d53918749db107e4510d1f5c1425491c420aa62..bc8c78f23b6bd47dc8fee0323e52d0120c55b796 100644 (file)
@@ -489,6 +489,7 @@ static void test_pcs_escrow_with_anchor_roots(CFArrayRef anchors)
        CFArrayRef certs = NULL;
        CFDateRef date = NULL;
        SecTrustRef trust = NULL;
+       OSStatus status;
 
        isnt(leafCert = SecCertificateCreateWithBytes(NULL, kPCSEscrowLeafCert, sizeof(kPCSEscrowLeafCert)),
            NULL, "could not create leafCert from kPCSEscrowLeafCert");
@@ -503,7 +504,8 @@ static void test_pcs_escrow_with_anchor_roots(CFArrayRef anchors)
 
        /* Set explicit verify date: Mar 18 2016. */
        isnt(date = CFDateCreate(NULL, 480000000.0), NULL, "create verify date");
-       ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+       status = (date) ? SecTrustSetVerifyDate(trust, date) : errSecParam;
+       ok_status(status, "set date");
 
        SecTrustSetAnchorCertificates(trust, anchors);
 
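Review bot: `trust` is still handed unchecked to SecTrustSetVerifyDate in the new ternary, which guards only `date`, and the same `trust` goes to `SecTrustSetAnchorCertificates` on the next line whose return value is ignored; if the trust creation earlier in this function (outside the hunk) can fail, both calls operate on a NULL object. Either widen the guard, `status = (date && trust) ? SecTrustSetVerifyDate(trust, date) : errSecParam;`, or wrap the anchor call in `ok_status(...)` as well so a failure is reported rather than silently skipped. The `OSStatus status;` added in the first hunk stays uninitialized until this assignment; declaring it `OSStatus status = errSecParam;` costs nothing and keeps it safe if further early exits are added. test_pcs_escrow_with_anchor_roots starts and ends outside both hunks.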
diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c
new file mode 100644 (file)
index 0000000..9603fb8
--- /dev/null
@@ -0,0 +1,1386 @@
+/*
+ *  si-84-sectrust-allowlist.c
+ *  Security
+ *
+ * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved.
+ */
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+
+#include "shared_regressions.h"
+
+/* On allow list until:
+   Not After : Mar  9 07:45:00 2018 GMT
+*/
+static const UInt8 cert0[] = {
+    0x30,0x82,0x05,0x44,0x30,0x82,0x04,0x2c,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
+    0x9d,0x12,0x4b,0xdb,0x57,0xb7,0x9f,0xba,0x33,0xf6,0x44,0xd9,0x10,0x40,0x48,0x4c,
+    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30,
+    0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,
+    0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,
+    0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x31,0x19,0x30,0x17,0x06,0x03,0x55,
+    0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,
+    0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x35,0x30,0x33,0x30,0x39,0x30,0x37,
+    0x34,0x35,0x30,0x30,0x5a,0x17,0x0d,0x31,0x38,0x30,0x33,0x30,0x39,0x30,0x37,0x34,
+    0x35,0x30,0x30,0x5a,0x30,0x79,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
+    0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x53,0x17,
+    0x4e,0xac,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x07,0x1e,0x04,0x53,0x17,0x4e,
+    0xac,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x0a,0x1e,0x1a,0x53,0x17,0x4e,0xac,
+    0x74,0x5e,0x94,0xb1,0x5b,0x9d,0x4f,0xe1,0x60,0x6f,0x67,0x0d,0x52,0xa1,0x67,0x09,
+    0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x0b,0x1e,
+    0x06,0x7f,0x51,0x7e,0xdc,0x90,0xe8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,
+    0x13,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x30,
+    0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,
+    0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,
+    0xfc,0x09,0x73,0x1d,0x18,0x75,0xbd,0x7f,0xf5,0xce,0x9e,0x6e,0x26,0x1c,0xbd,0xca,
+    0xc7,0x1b,0x75,0x45,0x13,0x1e,0xe4,0x52,0x7e,0x78,0xe9,0x1c,0x79,0xa1,0x02,0xd8,
+    0x3d,0xc6,0xc5,0x6f,0x7b,0xbd,0xae,0xc7,0x3b,0xe6,0x45,0xc2,0xe9,0xc9,0x32,0x2d,
+    0xd4,0xda,0x7a,0x93,0x79,0x30,0xce,0xec,0x6f,0xf5,0x0d,0x2d,0xde,0xa4,0xce,0xbd,
+    0x40,0xfb,0xda,0x7d,0x48,0x7d,0x98,0x02,0x17,0x75,0x99,0x65,0x68,0x1c,0xbb,0x92,
+    0x29,0x16,0xdc,0xc6,0x1d,0x1d,0x19,0x1b,0x94,0x17,0x6e,0x93,0xd8,0x57,0xaa,0x00,
+    0xf9,0xa2,0x37,0x9a,0xde,0x65,0xc2,0xce,0xa5,0xae,0x80,0xa7,0x56,0xab,0x8c,0xc8,
+    0x6a,0x3d,0xbe,0x86,0xe1,0x13,0x69,0x41,0x4b,0xe9,0xfa,0xd9,0xa5,0x63,0x8f,0xba,
+    0x02,0x15,0x09,0xca,0xf9,0x27,0x0f,0xea,0x90,0x4f,0x5d,0xa5,0x66,0x51,0xad,0xc8,
+    0xff,0x2d,0xf3,0xd4,0x7c,0xd3,0x06,0xe8,0xc2,0xdc,0x08,0x63,0x3d,0x69,0xb6,0x89,
+    0x5f,0x3f,0x9c,0xdc,0x21,0xa8,0xbd,0x0a,0xbe,0xc2,0x0e,0x08,0x06,0x05,0xb7,0x46,
+    0x96,0xec,0x08,0x5c,0xb9,0xef,0xfa,0x4b,0xd1,0x60,0x10,0xac,0xc8,0x88,0xbf,0xb7,
+    0xb1,0xb1,0x7a,0x55,0xdd,0xd9,0x96,0x06,0x5b,0xfb,0xc2,0xa5,0xd4,0x9c,0xde,0x24,
+    0x0c,0x7e,0x22,0x59,0xb0,0xa6,0x7a,0xc7,0x18,0x02,0x6c,0x1a,0x21,0x8c,0x79,0x8a,
+    0xc5,0xbb,0x10,0x54,0x1b,0x77,0x04,0xcf,0x46,0x60,0x36,0x42,0xfb,0x8a,0x13,0xf7,
+    0xa0,0xd6,0x03,0x33,0xb6,0xc4,0x1e,0x08,0x58,0x5d,0xb3,0xd3,0xc3,0x6c,0x0e,0x9f,
+    0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xfb,0x30,0x82,0x01,0xf7,0x30,0x09,0x06,
+    0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x73,0x06,0x08,0x2b,0x06,0x01,0x05,
+    0x05,0x07,0x01,0x01,0x04,0x67,0x30,0x65,0x30,0x28,0x06,0x08,0x2b,0x06,0x01,0x05,
+    0x05,0x07,0x30,0x01,0x86,0x1c,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,
+    0x70,0x73,0x68,0x61,0x32,0x73,0x73,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,
+    0x6e,0x2f,0x30,0x39,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x2d,
+    0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,
+    0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,
+    0x74,0x2f,0x53,0x48,0x41,0x32,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x36,0x06,
+    0x03,0x55,0x1d,0x11,0x04,0x2f,0x30,0x2d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,
+    0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,
+    0x71,0x62,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,0x71,
+    0x74,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,
+    0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x50,0x0e,0x94,
+    0x7e,0x68,0x20,0x2d,0x95,0x58,0x3f,0x8f,0x51,0xa6,0xdd,0x5a,0xb9,0xef,0xfe,0xf0,
+    0x50,0x30,0x1d,0x06,0x03,0x55,0x1d,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2b,0x06,
+    0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02,
+    0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xb7,0xd1,0x59,
+    0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,
+    0x3c,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,
+    0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x01,0x30,0x26,0x30,0x24,0x06,0x08,
+    0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,
+    0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,
+    0x73,0x2f,0x30,0x81,0x8f,0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x87,0x30,0x81,0x84,
+    0x30,0x4d,0xa0,0x4b,0xa0,0x49,0xa4,0x47,0x30,0x45,0x31,0x0b,0x30,0x09,0x06,0x03,
+    0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,
+    0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,
+    0x53,0x4c,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,0x63,0x72,0x6c,
+    0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,0x6c,0x31,0x30,
+    0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,0x72,
+    0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,
+    0x6f,0x61,0x64,0x2f,0x73,0x68,0x61,0x32,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,
+    0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+    0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x26,0xa8,0x7c,0x88,0x57,0xb7,0xe2,0xa0,
+    0xf5,0x55,0xbb,0x93,0xa1,0xea,0xc2,0x0a,0x82,0xa1,0x82,0x3d,0xe1,0x85,0xfe,0x26,
+    0x95,0x5f,0x16,0x13,0x88,0x87,0x2d,0x6f,0xbe,0x0a,0xe8,0xe7,0x04,0xcd,0xa5,0x9e,
+    0xac,0x69,0xd5,0xa0,0x81,0x27,0x91,0xdc,0xcd,0xa6,0xbd,0x62,0x0c,0x67,0x3f,0x39,
+    0xdf,0x23,0xa8,0xf5,0xd5,0xb6,0xa8,0x14,0x93,0x80,0x0b,0x17,0x04,0xbd,0x0a,0x75,
+    0x74,0x34,0x26,0xf6,0x46,0x82,0x34,0x1d,0x26,0x06,0x43,0x2a,0xd8,0xff,0x0e,0xf1,
+    0xf0,0xf1,0x74,0x8b,0x17,0x9a,0x6d,0x24,0x90,0x8d,0x35,0x69,0xc4,0xff,0xf7,0x6a,
+    0x81,0x00,0x27,0x11,0xd5,0xc7,0xc4,0xac,0x98,0x15,0x20,0xe7,0x90,0x8a,0xb7,0x3d,
+    0xdf,0xbf,0x18,0x7f,0x7c,0xa7,0x38,0x42,0xa7,0xe2,0x94,0xda,0xcb,0xb5,0x84,0x67,
+    0x9d,0x82,0x37,0x58,0xa0,0x7f,0x06,0xcb,0xf5,0x3b,0x22,0x8f,0x54,0x19,0x8e,0xad,
+    0x82,0x14,0xf3,0x8f,0xcd,0x55,0x93,0xb6,0xa7,0xdb,0xf5,0x25,0xd9,0x04,0x7c,0x69,
+    0xc7,0x08,0x7e,0x32,0xcb,0xce,0x9d,0xb2,0x45,0x25,0x61,0x6b,0x7b,0xd3,0xb0,0x2a,
+    0xd1,0xa8,0x1c,0xab,0x5b,0x3f,0x1d,0x8f,0xbd,0x46,0xb8,0x0d,0x33,0x4b,0xc9,0x3b,
+    0x94,0x7f,0xa8,0x28,0x0f,0xa8,0xb7,0xbc,0x0d,0xcf,0xf7,0x7e,0xc1,0xcf,0xc7,0xf2,
+    0x2f,0x1d,0x77,0xe4,0xdc,0x15,0xb0,0x42,0x0c,0x4d,0xd2,0x8d,0x6e,0x58,0x31,0x5b,
+    0x5f,0xc9,0x4f,0x43,0x53,0x76,0x7b,0x2a,0xd6,0x65,0x93,0x28,0xb4,0xb8,0xdc,0x3c,
+    0x3c,0x03,0xcc,0x5e,0x9f,0x52,0x28,0x9a,
+};
+
+/* On allow list until:
+   Not After : Dec 24 08:34:15 2016 GMT
+*/
+static const UInt8 cert1[1475]={
+       0x30,0x82,0x05,0xBF,0x30,0x82,0x04,0xA7,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x1A,
+       0x2F,0xDD,0xD9,0x35,0x3B,0x65,0xEE,0x1B,0xB4,0x66,0x19,0x4D,0xF3,0x10,0xE1,0x30,
+       0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x58,
+       0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,
+       0x30,0x06,0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,
+       0x74,0x65,0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,
+       0x6E,0x66,0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,
+       0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0C,0x0C,0x43,0x4E,0x4E,0x49,
+       0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x32,
+       0x32,0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x17,0x0D,0x31,0x36,0x31,0x32,0x32,
+       0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x30,0x81,0xF3,0x31,0x1B,0x30,0x19,0x06,
+       0x03,0x55,0x04,0x0F,0x13,0x12,0x56,0x31,0x2E,0x30,0x2C,0x20,0x43,0x6C,0x61,0x75,
+       0x73,0x65,0x20,0x35,0x2E,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,
+       0x05,0x13,0x0F,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x33,0x39,0x33,0x39,
+       0x35,0x39,0x31,0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,
+       0x02,0x01,0x03,0x13,0x02,0x43,0x4E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,
+       0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,0x13,0x07,0x53,0x69,0x63,0x68,0x75,0x61,
+       0x6E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,
+       0x01,0x01,0x13,0x07,0x63,0x68,0x65,0x6E,0x67,0x44,0x75,0x31,0x0B,0x30,0x09,0x06,
+       0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,
+       0x08,0x1E,0x04,0x56,0xDB,0x5D,0xDD,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x07,
+       0x1E,0x04,0x62,0x10,0x90,0xFD,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0A,0x1E,
+       0x14,0x56,0xDB,0x5D,0xDD,0x9E,0x4F,0x59,0x29,0x62,0x95,0x8D,0x44,0x67,0x09,0x96,
+       0x50,0x51,0x6C,0x53,0xF8,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x0B,0x1E,0x06,
+       0x62,0x80,0x67,0x2F,0x90,0xE8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,
+       0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x82,
+       0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,
+       0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0x99,
+       0x31,0x25,0x93,0xE0,0x9A,0x65,0x36,0xCC,0x16,0x86,0xAF,0xBF,0x0D,0x2D,0x0B,0xE6,
+       0x9A,0xD5,0x00,0x89,0xAD,0x6B,0x49,0x59,0x10,0x74,0x3A,0xA7,0x4F,0xEB,0xBD,0xC0,
+       0xEE,0x46,0x1A,0x4E,0x9B,0x96,0x20,0xD7,0x2C,0xF8,0x93,0x5C,0x2A,0xAF,0x57,0x15,
+       0x0C,0x57,0x3A,0xD0,0x25,0x92,0x2E,0x18,0xB4,0xDF,0xD8,0x3E,0xA2,0xC0,0xC6,0x5E,
+       0x7A,0xD1,0xDA,0xAD,0x99,0x12,0x24,0x04,0xA1,0x42,0x5A,0xB0,0x42,0x3A,0x4F,0x02,
+       0xDE,0x8A,0x55,0xD7,0xB0,0x24,0x97,0x62,0xF9,0x95,0x70,0xFA,0xA8,0x81,0xFC,0x3A,
+       0xB5,0xA0,0x94,0x8E,0x42,0x89,0xF9,0x15,0x4B,0x06,0xD8,0xA1,0xC7,0xB0,0xC8,0x94,
+       0x03,0x57,0xF0,0x01,0xDB,0x0D,0x85,0xFD,0xA1,0xCD,0x1D,0x3C,0xF5,0x14,0x6C,0x79,
+       0x46,0xCF,0x00,0x3A,0x6C,0x74,0xD9,0x79,0xFD,0x9C,0xD9,0x61,0x7D,0x84,0x4F,0x82,
+       0x2A,0x40,0x00,0x58,0x2C,0xF0,0x3A,0xDF,0xD4,0x8A,0x39,0x24,0x5C,0xB1,0xA6,0xAD,
+       0x02,0x4C,0x16,0xCE,0x82,0xE6,0x22,0x32,0xC2,0x2A,0x93,0x94,0x25,0x5D,0x42,0xF9,
+       0xD2,0x2B,0xD5,0x9F,0xDB,0x45,0x51,0xE4,0x0E,0xD4,0x48,0x12,0xB1,0x67,0xF4,0x6D,
+       0x91,0x86,0xBC,0xFB,0xC6,0xE6,0xA0,0x7F,0x2B,0x8F,0xFB,0x67,0xEA,0x5D,0xAB,0x73,
+       0xDD,0x9D,0x40,0xFA,0xF7,0xDC,0xDE,0x48,0x20,0x47,0x32,0xC0,0xD1,0x98,0x4F,0x81,
+       0xDF,0xAF,0x96,0xDB,0x83,0xEE,0xC5,0x3A,0x4E,0x67,0xE1,0xF4,0x83,0x27,0x46,0x0D,
+       0x78,0xB1,0xC6,0x42,0xEF,0xD9,0x76,0xD3,0xAC,0x7C,0x5A,0xF8,0x09,0xCF,0x0B,0x02,
+       0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0xE7,0x30,0x82,0x01,0xE3,0x30,0x09,0x06,0x03,
+       0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
+       0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
+       0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,
+       0x65,0x76,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x30,0x3C,0x06,0x08,0x2B,
+       0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
+       0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,
+       0x6E,0x6C,0x6F,0x61,0x64,0x2F,0x63,0x65,0x72,0x74,0x2F,0x43,0x4E,0x4E,0x49,0x43,
+       0x45,0x56,0x53,0x53,0x4C,0x2E,0x63,0x65,0x72,0x30,0x18,0x06,0x03,0x55,0x1D,0x11,
+       0x04,0x11,0x30,0x0F,0x82,0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,
+       0x63,0x6F,0x6D,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,
+       0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x04,0x26,0xBE,0x73,0x88,
+       0x8C,0xF6,0x64,0xBA,0xBB,0x09,0x34,0x7A,0x09,0xF9,0x51,0x57,0x43,0x8D,0x86,0x30,
+       0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,
+       0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,
+       0x14,0x0C,0xCF,0xB4,0x48,0x2C,0x50,0xE8,0x8B,0xD2,0x72,0xFD,0x1C,0xF0,0x2F,0xBC,
+       0x52,0xAB,0x2B,0x69,0x5E,0x30,0x3F,0x06,0x03,0x55,0x1D,0x20,0x04,0x38,0x30,0x36,
+       0x30,0x34,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x81,0xE9,0x0C,0x01,0x0A,0x30,0x26,
+       0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,
+       0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,
+       0x6E,0x2F,0x63,0x70,0x73,0x2F,0x30,0x81,0xA6,0x06,0x03,0x55,0x1D,0x1F,0x04,0x81,
+       0x9E,0x30,0x81,0x9B,0x30,0x66,0xA0,0x64,0xA0,0x62,0xA4,0x60,0x30,0x5E,0x31,0x0B,
+       0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,0x30,0x06,
+       0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,0x74,0x65,
+       0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,0x6E,0x66,
+       0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,0x72,0x31,
+       0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x0C,0x03,0x63,0x72,0x6C,0x31,0x0D,0x30,
+       0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,0x63,0x72,0x6C,0x31,0x30,0x31,0xA0,0x2F,
+       0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,
+       0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64,
+       0x2F,0x65,0x76,0x63,0x72,0x6C,0x2F,0x63,0x72,0x6C,0x31,0x2E,0x63,0x72,0x6C,0x30,
+       0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
+       0x01,0x01,0x00,0xA3,0xDE,0x24,0x78,0xF5,0x07,0x23,0xEC,0x77,0x62,0x71,0x60,0x01,
+       0xAE,0xC7,0xBD,0x49,0x8D,0x40,0x0C,0x49,0xAE,0x1A,0x47,0x2B,0x22,0xAE,0x66,0x2B,
+       0x34,0x83,0xAD,0x17,0xA1,0x45,0xC7,0xEC,0x16,0x80,0x2F,0x24,0x41,0xDF,0xFF,0xB0,
+       0x9D,0xE0,0x47,0x51,0x53,0x10,0xDC,0x85,0xC3,0xF9,0x72,0x3A,0xC9,0x79,0x22,0x89,
+       0xD4,0xCB,0x40,0x60,0x7E,0x3E,0x86,0x52,0x01,0xD2,0xA5,0x41,0x57,0x0C,0xB0,0x5C,
+       0xDD,0x24,0x0E,0xB2,0xF4,0x7E,0xB7,0x45,0xCE,0xA2,0x1B,0x3B,0x77,0xC6,0x9B,0x1E,
+       0x7D,0x7F,0x42,0x53,0xE4,0xF4,0xE6,0x84,0xFD,0xCC,0x27,0xB2,0xC9,0x72,0x30,0x09,
+       0xEE,0xC7,0x8B,0xE5,0xBF,0x2C,0x3B,0x73,0xA0,0x9C,0xD8,0x3E,0x81,0xED,0xB4,0x74,
+       0x88,0x67,0x99,0x69,0xE5,0x3A,0x3C,0x5A,0xA4,0xE4,0xD3,0x6D,0xBF,0xF6,0xF0,0x0C,
+       0x92,0x9C,0xB4,0x53,0x39,0x70,0x9A,0x3D,0xF4,0x3F,0x9D,0x07,0x66,0x3F,0x85,0x09,
+       0x07,0x8E,0x5C,0x9D,0x83,0x23,0x0F,0x45,0xE7,0x3C,0xE5,0x7F,0x6C,0x0C,0x29,0x3B,
+       0x2B,0x5D,0xE2,0xB7,0xCB,0x0E,0xEF,0xC8,0x14,0x4C,0x30,0xD0,0xD0,0x9C,0x7D,0x8E,
+       0x67,0x94,0xD9,0xB2,0x71,0x7E,0x74,0x0F,0x5C,0xD7,0xB5,0xFB,0x35,0x13,0x3F,0x05,
+       0xD7,0x7C,0x08,0x2F,0x7A,0x31,0x78,0x99,0xF8,0x76,0x0D,0xB3,0xFB,0xD2,0xD3,0x6C,
+       0xC7,0x32,0x61,0x2E,0x8E,0x64,0x96,0xFD,0xB1,0xFA,0x73,0xC7,0x56,0x54,0x8B,0x0D,
+       0x27,0xD2,0x66,0x9E,0xA5,0xCB,0xCE,0xD0,0xA4,0x9C,0x03,0xDD,0x9D,0x1F,0xED,0x5E,
+       0x7A,0x73,0x5D,
+};
+
+/* expired:
+   Not After : Oct 20 03:20:57 2015 GMT
+*/
+static const UInt8 cert1_expired[] = {
+    0x30,0x82,0x05,0xd6,0x30,0x82,0x04,0xbe,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1a,
+    0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x10,0xd5,0x30,
+    0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x58,
+    0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,
+    0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,
+    0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,
+    0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,
+    0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,
+    0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x30,
+    0x32,0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x17,0x0d,0x31,0x35,0x31,0x30,0x32,
+    0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x30,0x82,0x01,0x05,0x31,0x1b,0x30,0x19,
+    0x06,0x03,0x55,0x04,0x0f,0x13,0x12,0x56,0x31,0x2e,0x30,0x2c,0x20,0x43,0x6c,0x61,
+    0x75,0x73,0x65,0x20,0x35,0x2e,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,
+    0x04,0x05,0x13,0x0f,0x34,0x34,0x30,0x33,0x30,0x31,0x35,0x30,0x33,0x34,0x32,0x36,
+    0x35,0x34,0x36,0x31,0x13,0x30,0x11,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,
+    0x3c,0x02,0x01,0x03,0x13,0x02,0x43,0x4e,0x31,0x1a,0x30,0x18,0x06,0x0b,0x2b,0x06,
+    0x01,0x04,0x01,0x82,0x37,0x3c,0x02,0x01,0x02,0x13,0x09,0x67,0x75,0x61,0x6e,0x67,
+    0x64,0x6f,0x6e,0x67,0x31,0x19,0x30,0x17,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,
+    0x37,0x3c,0x02,0x01,0x01,0x13,0x08,0x73,0x68,0x65,0x6e,0x7a,0x68,0x65,0x6e,0x31,
+    0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,
+    0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x5e,0x7f,0x4e,0x1c,0x31,0x0d,0x30,0x0b,0x06,
+    0x03,0x55,0x04,0x07,0x1e,0x04,0x6d,0xf1,0x57,0x33,0x31,0x21,0x30,0x1f,0x06,0x03,
+    0x55,0x04,0x0a,0x1e,0x18,0x80,0x54,0x54,0x08,0x51,0x49,0x4f,0x0f,0x00,0x28,0x6d,
+    0xf1,0x57,0x33,0x00,0x29,0x67,0x09,0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x16,0x30,
+    0x14,0x06,0x03,0x55,0x04,0x0b,0x13,0x0d,0x49,0x54,0x20,0x44,0x65,0x70,0x61,0x72,
+    0x74,0x6d,0x65,0x6e,0x74,0x31,0x1a,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11,
+    0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,
+    0x6d,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
+    0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,
+    0x01,0x00,0xc0,0x5c,0x75,0x0e,0x29,0x93,0xf9,0xc2,0x0f,0x9e,0x24,0xeb,0x6d,0xb8,
+    0xb5,0x09,0x79,0xfe,0xbb,0xa0,0x78,0x20,0xbf,0xeb,0xc3,0x3d,0x00,0xb2,0x75,0x20,
+    0xa1,0x26,0x40,0x9e,0x0e,0x38,0x3c,0x38,0x89,0x5a,0x4f,0x46,0x5d,0xaf,0x0f,0x49,
+    0x58,0xf5,0x9f,0x34,0x0f,0x1d,0x57,0xd0,0xa7,0x89,0x88,0x58,0xe6,0x00,0xca,0xde,
+    0x0e,0x61,0xc6,0x3f,0xf4,0x08,0x9e,0x4e,0xf9,0x8e,0xdc,0xc6,0x1f,0xab,0x56,0x38,
+    0xf7,0x8f,0xd4,0xb7,0x0c,0x77,0xf9,0xdf,0x02,0x26,0xc3,0xf3,0x2a,0x7e,0x7b,0x02,
+    0x89,0x75,0x50,0xf6,0x4b,0x98,0xe7,0x02,0xdc,0xe0,0xb2,0x57,0xa6,0x50,0xa3,0x27,
+    0x48,0xaf,0x26,0x6e,0xf5,0x47,0x04,0x9b,0x26,0x1f,0x10,0x84,0x26,0xbe,0x4e,0xa7,
+    0xd5,0x7d,0xad,0xe0,0x0f,0x78,0xfa,0x5e,0xcd,0xf1,0xce,0x6f,0x06,0x39,0x4b,0xa1,
+    0xd7,0xce,0x01,0xfb,0x58,0x8c,0x47,0x24,0xfd,0x9f,0x6e,0xb0,0x5b,0x51,0x62,0x6f,
+    0x9c,0xd5,0xaf,0xaf,0xc1,0x6d,0xcc,0x22,0x3e,0x04,0xcc,0xe8,0x41,0x98,0xc0,0xc7,
+    0xb0,0xf5,0x59,0x0e,0x26,0xed,0x1f,0x7b,0x0a,0xce,0xb6,0xa5,0xfe,0xa6,0xc7,0xba,
+    0x1b,0x6b,0x11,0xc6,0x15,0x10,0x5b,0x8b,0x34,0x14,0xd9,0x3c,0x4d,0xc6,0x6c,0x89,
+    0x01,0xf3,0xd1,0x5a,0xf3,0x2b,0x9b,0x28,0x16,0xbe,0x6d,0x43,0x66,0xf8,0x56,0x15,
+    0x3b,0xaf,0x79,0xda,0x46,0x22,0xd4,0x2b,0xd3,0x9d,0x99,0x53,0x2f,0xa0,0x39,0x59,
+    0x4e,0x22,0x54,0x1e,0x47,0xf5,0xa9,0xa9,0x4e,0xf5,0x1d,0x9d,0x98,0x45,0xc6,0x85,
+    0xae,0x01,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xeb,0x30,0x82,0x01,0xe7,0x30,
+    0x09,0x06,0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2b,0x06,
+    0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2b,0x06,
+    0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,
+    0x63,0x73,0x70,0x65,0x76,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x3c,
+    0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,
+    0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
+    0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,0x74,0x2f,0x43,0x4e,
+    0x4e,0x49,0x43,0x45,0x56,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x1c,0x06,0x03,
+    0x55,0x1d,0x11,0x04,0x15,0x30,0x13,0x82,0x11,0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,
+    0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,
+    0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,
+    0x04,0x14,0xd7,0x06,0xeb,0x3b,0x83,0x70,0x55,0x58,0x9a,0x40,0x03,0xd5,0x7e,0x8e,
+    0xcb,0x49,0x23,0x10,0x67,0xc4,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,0x0c,0x30,
+    0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1f,0x06,0x03,0x55,
+    0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,
+    0xd2,0x72,0xfd,0x1c,0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x3f,0x06,0x03,
+    0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,
+    0x81,0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,
+    0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,
+    0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xa6,
+    0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x9e,0x30,0x81,0x9b,0x30,0x66,0xa0,0x64,0xa0,
+    0x62,0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
+    0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,
+    0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,
+    0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,
+    0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,
+    0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,
+    0x72,0x6c,0x31,0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,
+    0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,
+    0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x63,0x72,0x6c,0x2f,0x63,0x72,
+    0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,
+    0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x6e,0x84,0xe5,0x57,0x7e,0x96,
+    0xaf,0x39,0xbf,0xa0,0x2a,0xf2,0xd1,0x10,0x57,0x8e,0x3d,0x68,0x4d,0x61,0x35,0x97,
+    0xbb,0xed,0x7f,0x5e,0x4f,0x17,0x58,0x2f,0x4b,0x94,0x4f,0xda,0xd8,0x9c,0x78,0x52,
+    0x2e,0xec,0xcd,0x86,0x87,0xa1,0x64,0xdc,0x41,0x0e,0x44,0x23,0xdb,0x7d,0xc8,0x86,
+    0xef,0x07,0x29,0xaa,0x78,0x1b,0x95,0x84,0xb8,0xf9,0x60,0x95,0x89,0x3f,0x58,0x3d,
+    0x42,0x74,0x4b,0x82,0x0d,0x65,0x16,0x1a,0x70,0xaa,0x2d,0xb2,0xab,0x79,0x27,0x2e,
+    0x7e,0x6f,0x44,0xfb,0xdf,0xf5,0xff,0x3e,0xc3,0x67,0xa5,0xe1,0x6b,0xe3,0xf7,0xcc,
+    0x11,0x9f,0x2a,0xe8,0x87,0x46,0x3d,0x5c,0xbf,0x5f,0xca,0x9b,0x09,0xbe,0x0a,0x83,
+    0xb0,0x98,0x03,0x3a,0x67,0xb1,0xe9,0xa4,0x04,0x96,0x2b,0x24,0xe1,0xcd,0xc1,0x26,
+    0x88,0x76,0x10,0x41,0x85,0xf0,0x07,0xb0,0x4b,0x6b,0xd2,0x25,0x0f,0x12,0x52,0xea,
+    0x3b,0xac,0xc3,0xfa,0x56,0x5f,0xfb,0x3b,0x4b,0x86,0xf6,0x67,0x45,0x51,0xb4,0xb4,
+    0x94,0x98,0xa6,0xac,0x46,0x8b,0x42,0x94,0xff,0x9e,0x71,0x09,0x7c,0x87,0xb0,0x36,
+    0x70,0x8a,0x5e,0x88,0x33,0x79,0x85,0x78,0x30,0x56,0x4a,0x6a,0xfc,0x5b,0x34,0xe9,
+    0xb7,0x57,0xde,0xdc,0x0a,0x3c,0x1e,0x71,0xfc,0x23,0xc6,0x5a,0xd3,0x1a,0x50,0x06,
+    0xbe,0x9c,0x60,0xd5,0x36,0x44,0x65,0x59,0x89,0xe6,0xda,0x1b,0xc9,0x89,0x21,0xe0,
+    0x59,0x7d,0x25,0x4f,0x76,0x87,0x4f,0x7e,0xb1,0x1a,0x43,0xff,0x00,0xbb,0xc7,0xc5,
+    0x5e,0xcc,0xfd,0x4a,0x1b,0xc1,0x6e,0x75,0xd9,0xe6
+};
+
+/* On allow list until:
+   Not After : Jun  6 02:00:32 2017 GMT
+*/
+static const UInt8 cert2[] = {
+    0x30,0x82,0x04,0x2d,0x30,0x82,0x03,0x15,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1c,
+    0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x11,0x3c,0x30,
+    0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,
+    0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,
+    0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,
+    0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,
+    0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x30,0x36,0x30,0x39,0x30,0x33,
+    0x33,0x36,0x33,0x37,0x5a,0x17,0x0d,0x31,0x37,0x30,0x36,0x30,0x36,0x30,0x32,0x30,
+    0x30,0x33,0x32,0x5a,0x30,0x54,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
+    0x02,0x43,0x4e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c,0x77,0x77,
+    0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x31,0x17,0x30,0x15,0x06,0x03,
+    0x55,0x04,0x03,0x13,0x0e,0x6d,0x61,0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,
+    0x2e,0x63,0x6e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x77,0x77,
+    0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,
+    0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,
+    0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xc7,0x2f,0x0e,0xba,0xf0,
+    0xff,0x9e,0x56,0x3b,0x88,0x3b,0x94,0x0d,0xc6,0x81,0x22,0xe7,0xeb,0x1b,0x22,0x1d,
+    0xb2,0x75,0x5b,0xae,0x41,0xea,0x55,0x6a,0x7c,0x95,0x85,0x3e,0x0e,0xd1,0x95,0xf4,
+    0x71,0xdf,0x7c,0x5c,0x8e,0xcc,0x25,0xb9,0xae,0x15,0xc9,0xf2,0xd0,0x30,0xe8,0x7c,
+    0x91,0x5d,0x24,0x09,0x93,0x23,0x3f,0x55,0x7b,0x09,0x17,0x82,0x37,0x0b,0xf8,0x1a,
+    0x6e,0xaa,0x08,0x0d,0xa8,0x2d,0xb7,0x6d,0x38,0x24,0xc0,0x48,0x5d,0x29,0x7a,0xe9,
+    0xac,0x4d,0x93,0xec,0xd0,0x6c,0x62,0x1e,0x17,0xe7,0x2d,0xd7,0x0b,0x64,0x8f,0x56,
+    0xd3,0x82,0x37,0xad,0x2d,0x28,0xe8,0x7e,0x9d,0x83,0x7d,0x6d,0x06,0xa2,0x36,0x62,
+    0x60,0x30,0xbe,0x31,0xf9,0x9e,0xe0,0xb7,0x5b,0x72,0x6e,0x16,0x36,0x75,0xdc,0x17,
+    0x56,0xff,0x5f,0x27,0x57,0x34,0xdc,0x2a,0x98,0xcd,0x9d,0x3f,0x5c,0x48,0x79,0x0b,
+    0xa5,0xcf,0x16,0x20,0xc5,0x57,0x5f,0xa6,0xd6,0x1d,0xd6,0x6a,0x17,0x89,0x2d,0xb8,
+    0xde,0xc5,0x30,0xe4,0xf0,0x39,0xf6,0x87,0x87,0x54,0x5c,0xc0,0x34,0x0f,0x1c,0xfb,
+    0xf0,0xe4,0xc5,0xde,0xe1,0xa7,0xcf,0x54,0x2a,0x02,0x20,0x94,0xf9,0xd1,0xf8,0xb6,
+    0x97,0xe2,0x3a,0x30,0x43,0x24,0x45,0x2d,0x9a,0xd3,0xe0,0x6a,0x70,0x41,0x96,0xf0,
+    0x4d,0x21,0x8d,0x61,0x2c,0x2c,0x56,0xda,0xec,0xc8,0xdc,0xbf,0xce,0x75,0x9d,0xd9,
+    0x5a,0x2d,0x39,0xc7,0xef,0x29,0x32,0xd6,0x6c,0xf8,0xc7,0x88,0x84,0xfc,0x51,0x5b,
+    0x11,0x44,0xde,0x87,0xd3,0x6f,0x05,0x0c,0x8e,0xc7,0x0f,0x02,0x03,0x01,0x00,0x01,
+    0xa3,0x82,0x01,0x19,0x30,0x82,0x01,0x15,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,
+    0x18,0x30,0x16,0x80,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,0xfc,
+    0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x09,0x06,0x03,0x55,0x1d,0x13,
+    0x04,0x02,0x30,0x00,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,
+    0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,
+    0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,
+    0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,
+    0x2f,0x63,0x70,0x73,0x2f,0x30,0x3c,0x06,0x03,0x55,0x1d,0x1f,0x04,0x35,0x30,0x33,
+    0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,
+    0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,
+    0x6c,0x6f,0x61,0x64,0x2f,0x64,0x71,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,0x2e,
+    0x63,0x72,0x6c,0x30,0x27,0x06,0x03,0x55,0x1d,0x11,0x04,0x20,0x30,0x1e,0x82,0x0c,
+    0x77,0x77,0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x82,0x0e,0x6d,0x61,
+    0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,0x2e,0x63,0x6e,0x30,0x0b,0x06,0x03,
+    0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,
+    0x04,0x16,0x04,0x14,0x00,0x8b,0xf0,0x61,0xdf,0xf1,0x0b,0x53,0xd8,0x52,0x97,0xfe,
+    0x23,0x9f,0x34,0x50,0x1d,0xac,0xec,0x90,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,
+    0x0c,0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x0d,0x06,
+    0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,
+    0x00,0x86,0x62,0x31,0x67,0xba,0x3e,0x2b,0x1f,0xf7,0xdd,0xc0,0x9b,0xa2,0x27,0xb5,
+    0x61,0x8c,0xd8,0x68,0xc1,0x58,0x47,0xb2,0x72,0xb9,0xfe,0x06,0x52,0x7d,0x92,0x35,
+    0x9b,0xa9,0x08,0xa7,0x3a,0x37,0x70,0x9d,0xe1,0x47,0xbe,0x3d,0x15,0x20,0x35,0x9a,
+    0x79,0x7c,0x16,0xe8,0x8e,0xa5,0x0f,0x42,0xd5,0x6b,0x5b,0x9e,0x55,0x2b,0xdd,0x35,
+    0x3e,0x32,0x41,0xef,0x14,0xa0,0x15,0x70,0xf8,0x8c,0x3f,0x9e,0xc0,0xc2,0x32,0x4d,
+    0x90,0x9a,0xd0,0x9b,0xc1,0x72,0x64,0x2f,0x2e,0x8c,0x44,0x80,0x5a,0x6f,0xb7,0x08,
+    0xa9,0x0e,0x76,0xa4,0x82,0xd6,0x2e,0x64,0xf6,0xe4,0x5e,0x1b,0xb4,0x09,0xbc,0x1d,
+    0x80,0x46,0xd7,0x35,0x7f,0x58,0x70,0x09,0x10,0x7a,0x1e,0xe5,0x28,0xf5,0x5a,0x28,
+    0x7e,0x54,0x52,0x88,0xe6,0x3f,0x4e,0x55,0xb3,0x15,0x67,0x4c,0xac,0x82,0xbb,0xf8,
+    0x98,0xd0,0xd2,0x69,0x17,0x70,0x6a,0x09,0x52,0x91,0xc1,0xe7,0xbb,0xa7,0xe8,0x78,
+    0xdb,0x57,0xa3,0x37,0x3f,0x3c,0x7f,0x80,0xc2,0x40,0x61,0xd2,0xe5,0x6f,0xe8,0x93,
+    0xa2,0xb7,0x84,0x00,0x4e,0x4d,0xed,0xf3,0x87,0x14,0x35,0xd2,0xdb,0xf6,0x6b,0xc0,
+    0x2a,0xb2,0x9c,0xc3,0x48,0xba,0xd0,0xb9,0x55,0xf2,0x1a,0x17,0xa0,0x0d,0x45,0x2c,
+    0x28,0x0a,0xba,0x60,0x4a,0xb8,0x73,0xd6,0xb0,0x83,0x6e,0x92,0x87,0x1f,0x39,0x91,
+    0xa5,0x4f,0xef,0xcb,0xf7,0xee,0x28,0x39,0x5e,0x21,0xf0,0xc1,0x91,0x23,0x24,0x78,
+    0xbc,0x01,0xb6,0xf1,0x4d,0x58,0x63,0xa6,0x89,0xf4,0x8b,0xa9,0xc9,0xad,0xfa,0xe1,
+    0x9b
+};
+
+static const UInt8 intermediate0[] = {
+    0x30,0x82,0x04,0x99,0x30,0x82,0x03,0x81,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49,
+    0x33,0x00,0x7c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,
+    0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
+    0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,
+    0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49,
+    0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x32,0x31,0x38,
+    0x31,0x32,0x33,0x32,0x31,0x38,0x5a,0x17,0x0d,0x32,0x34,0x31,0x32,0x31,0x38,0x31,
+    0x32,0x33,0x32,0x31,0x38,0x5a,0x30,0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,
+    0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,
+    0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,
+    0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,
+    0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,
+    0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
+    0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xf0,0xa3,0x8d,0x71,
+    0x34,0xfe,0x11,0x3c,0xc7,0x98,0x61,0x0b,0xc5,0xaa,0x7b,0x13,0xd9,0x40,0x7f,0x9b,
+    0x59,0xd0,0x4a,0xc0,0x93,0x45,0x5e,0x48,0xf1,0xfe,0xb1,0x8f,0xb9,0x4c,0xdf,0x53,
+    0x50,0x15,0x19,0xf9,0xea,0xe7,0x22,0x8d,0xa8,0xdb,0x09,0x45,0xa6,0x86,0xc6,0xf8,
+    0xd5,0xdc,0x55,0xb4,0x8f,0xeb,0x56,0x3d,0x1f,0x36,0xc7,0x95,0x55,0xf4,0x4e,0x11,
+    0xc7,0x08,0x6f,0xe8,0xf9,0x7f,0x9e,0x85,0x9a,0x65,0x10,0x9b,0x87,0x86,0xb4,0x42,
+    0x92,0xaf,0x3f,0x5b,0xd9,0x8b,0x2f,0x68,0xc2,0x08,0x58,0xf6,0xe4,0x5f,0x3b,0x79,
+    0x8b,0x9e,0xde,0xb1,0x48,0x1f,0x59,0x40,0xb9,0xea,0x24,0x07,0x66,0x97,0xf6,0x2f,
+    0x52,0xec,0x0c,0xc8,0x4e,0x65,0x5a,0x60,0x6f,0xe5,0x8f,0x9d,0xfd,0x6a,0xde,0x89,
+    0xe4,0x7a,0x4b,0xb6,0x1e,0x82,0x8d,0x9c,0xdd,0x8d,0x73,0x33,0x92,0xd3,0x46,0x8e,
+    0x9e,0x58,0x01,0xf3,0x2e,0x83,0xe0,0xd2,0x4a,0x13,0x94,0x2c,0xd0,0x8a,0x12,0xd0,
+    0x29,0x34,0xed,0x6b,0xea,0xc6,0xc9,0x14,0x7a,0x75,0x92,0x8e,0x42,0x7e,0xd2,0x76,
+    0x88,0xdb,0xad,0x9b,0x20,0xe2,0x30,0x94,0x97,0xa3,0xa3,0xae,0x52,0x4c,0x2d,0xa3,
+    0x77,0x79,0x74,0xf7,0x87,0x8c,0x86,0x8f,0xb3,0x63,0x51,0x3e,0xf6,0xc0,0x6e,0x25,
+    0x9b,0x0d,0xc1,0x99,0x4f,0xf2,0x5c,0x9d,0xf5,0x21,0x04,0x42,0xde,0x74,0x59,0xe4,
+    0x39,0x80,0x82,0x50,0x21,0xde,0x49,0xe3,0x14,0x83,0xa7,0xc8,0xce,0x6d,0xfa,0x49,
+    0x5b,0x5e,0x3f,0x55,0x65,0xc1,0x5d,0x57,0x41,0x00,0x7d,0x43,0x02,0x03,0x01,0x00,
+    0x01,0xa3,0x82,0x01,0xa4,0x30,0x82,0x01,0xa0,0x30,0x76,0x06,0x08,0x2b,0x06,0x01,
+    0x05,0x05,0x07,0x01,0x01,0x04,0x6a,0x30,0x68,0x30,0x29,0x06,0x08,0x2b,0x06,0x01,
+    0x05,0x05,0x07,0x30,0x01,0x86,0x1d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,
+    0x73,0x70,0x63,0x6e,0x6e,0x69,0x63,0x72,0x6f,0x6f,0x74,0x2e,0x63,0x6e,0x6e,0x69,
+    0x63,0x2e,0x63,0x6e,0x30,0x3b,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,
+    0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,
+    0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,
+    0x65,0x72,0x74,0x2f,0x43,0x4e,0x4e,0x49,0x43,0x52,0x4f,0x4f,0x54,0x2e,0x63,0x65,
+    0x72,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x65,0xf2,
+    0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,
+    0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,
+    0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,
+    0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,0x24,
+    0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,
+    0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
+    0x63,0x70,0x73,0x2f,0x30,0x81,0x86,0x06,0x03,0x55,0x1d,0x1f,0x04,0x7f,0x30,0x7d,
+    0x30,0x42,0xa0,0x40,0xa0,0x3e,0xa4,0x3c,0x30,0x3a,0x31,0x0b,0x30,0x09,0x06,0x03,
+    0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,
+    0x0c,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,
+    0x0c,0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,
+    0x63,0x72,0x6c,0x31,0x30,0x37,0xa0,0x35,0xa0,0x33,0x86,0x31,0x68,0x74,0x74,0x70,
+    0x3a,0x2f,0x2f,0x63,0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
+    0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x73,0x68,0x61,
+    0x32,0x63,0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0b,0x06,
+    0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,
+    0x0e,0x04,0x16,0x04,0x14,0xb7,0xd1,0x59,0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,
+    0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,0x3c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
+    0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x4f,0xc7,0x80,
+    0x5e,0x29,0x70,0x8c,0xd6,0x59,0xae,0x59,0x4f,0xd1,0xd8,0x41,0xa8,0xa7,0xa8,0x58,
+    0xa6,0x06,0x25,0xd2,0xf8,0x3c,0x13,0x52,0xec,0x51,0x54,0x38,0xb6,0x60,0xd0,0x95,
+    0xaf,0x30,0xbf,0x78,0xa3,0x19,0xfd,0x6b,0x54,0x98,0x49,0xc4,0x81,0x84,0xaa,0x51,
+    0x54,0xd3,0x95,0x9d,0x92,0x66,0x02,0x6e,0x55,0x4b,0xf1,0xe0,0x4e,0x02,0x05,0xb5,
+    0x67,0x3b,0x31,0x4d,0xb3,0xb3,0xb7,0xa2,0x13,0xff,0x28,0x10,0xbc,0xa4,0x9b,0x71,
+    0x4c,0x36,0x9c,0x60,0xac,0x65,0x7c,0x66,0x8a,0xb6,0x1c,0x7f,0xa1,0xad,0xe8,0x6e,
+    0xce,0x0b,0xee,0x85,0xe6,0x01,0xe5,0xab,0x7f,0x11,0x1f,0x33,0xd9,0x1d,0xa1,0x0c,
+    0xf2,0x3a,0x7e,0xdb,0xf5,0x63,0xe2,0x77,0xdb,0x01,0x1a,0x60,0xe8,0xfb,0x42,0xd4,
+    0xf3,0xdf,0x8d,0xec,0x4f,0x4f,0xc8,0xa7,0x24,0xf7,0xb5,0xb7,0x58,0xae,0xad,0x0c,
+    0x9b,0x7a,0x39,0x81,0xd9,0xd0,0x8a,0x18,0x28,0x8a,0xf2,0x91,0x88,0x11,0x3d,0xb1,
+    0x42,0x5d,0x0e,0x31,0xfe,0x00,0x99,0xfe,0x87,0x3f,0x8e,0xbd,0xef,0x83,0x72,0xd7,
+    0x49,0x22,0xfd,0x82,0xe2,0xfc,0xe8,0xe8,0xf7,0x4b,0xff,0xa5,0x62,0xec,0xd3,0x87,
+    0x51,0x6f,0x35,0xbc,0x51,0x54,0x6c,0x36,0xfe,0x88,0xcb,0xaf,0xb1,0x0e,0x7b,0x76,
+    0x9c,0x16,0x11,0xda,0x7f,0xd1,0xf4,0x85,0xce,0xb8,0x87,0x45,0x0c,0x43,0xe4,0xb3,
+    0x6f,0xbc,0x95,0xce,0x59,0x57,0xf3,0xb4,0xec,0xa8,0xc2,0x1f,0x98,0x77,0x93,0x7d,
+    0xad,0x92,0x4e,0xba,0xab,0x5d,0x45,0x93,0x7c,0xf0,0x17,0xcd,0xc7
+};
+
+static const UInt8 intermediate1[] = {
+    0x30,0x82,0x04,0xf8,0x30,0x82,0x03,0xe0,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x0b,
+    0x24,0x01,0xb7,0x39,0x86,0x38,0x3c,0x29,0xc2,0xf8,0x19,0x4d,0x23,0x10,0x7b,0x30,
+    0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x81,
+    0x8a,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,
+    0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,
+    0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,
+    0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,
+    0x65,0x72,0x31,0x47,0x30,0x45,0x06,0x03,0x55,0x04,0x03,0x0c,0x3e,0x43,0x68,0x69,
+    0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,
+    0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,
+    0x43,0x65,0x6e,0x74,0x65,0x72,0x20,0x45,0x56,0x20,0x43,0x65,0x72,0x74,0x69,0x66,
+    0x69,0x63,0x61,0x74,0x65,0x73,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,0x0d,0x31,
+    0x30,0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x17,0x0d,0x32,0x30,
+    0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x30,0x58,0x31,0x0b,0x30,
+    0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,
+    0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,
+    0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,
+    0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x15,
+    0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x45,
+    0x56,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
+    0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,
+    0x0a,0x02,0x82,0x01,0x01,0x00,0xc9,0x8b,0x5d,0x84,0x90,0x33,0x98,0x83,0xdd,0xa1,
+    0x9a,0x76,0x4f,0xd2,0xff,0xf4,0xbc,0x5d,0x7f,0xd5,0x0c,0xdc,0xd1,0x58,0xe8,0x3a,
+    0xd7,0xab,0xa9,0x24,0x05,0x78,0x28,0x3d,0x64,0x03,0x7d,0x7f,0xee,0x16,0x3e,0x51,
+    0xc7,0x69,0xb4,0x06,0xe8,0xa5,0x3b,0x7a,0xf0,0xac,0xcd,0x9e,0xb4,0x00,0xbf,0x25,
+    0xe5,0xd9,0x95,0x45,0x31,0x20,0x59,0xed,0xf0,0xbc,0x86,0x02,0x9a,0xa6,0x52,0x73,
+    0xaf,0x02,0x09,0x22,0xf1,0x04,0x97,0xe3,0x15,0x8c,0x7e,0xa5,0xc7,0x37,0xbd,0x42,
+    0x4f,0x27,0x85,0x9d,0xb9,0x24,0x29,0xcb,0x4c,0xd4,0xd2,0xed,0x79,0x3b,0x39,0xa1,
+    0x08,0x26,0xba,0x14,0xb3,0x49,0x0f,0x8e,0xd7,0x9d,0x5f,0xde,0x72,0xf0,0x53,0xee,
+    0x8a,0x4e,0x6c,0x06,0x6f,0xea,0x9f,0x25,0x4a,0x23,0x80,0x7e,0x2e,0xb2,0x81,0x9d,
+    0x3b,0x4e,0xdf,0x73,0xbe,0x1b,0x89,0x10,0x89,0xf7,0xac,0xa0,0x2f,0xfb,0x71,0xc4,
+    0xe2,0xe9,0xd0,0x79,0xb7,0x54,0x9d,0xf6,0xcc,0x3a,0x6c,0x88,0x25,0xf4,0x0e,0xf4,
+    0x49,0xa1,0x23,0xd2,0xe2,0x71,0xb8,0x1c,0x44,0x46,0xb4,0x70,0x5d,0x5d,0xab,0x7f,
+    0x0e,0x27,0x8d,0x4b,0xf4,0xe1,0x52,0x88,0x58,0xf9,0xec,0x1e,0xbb,0x56,0x1f,0x37,
+    0x1a,0xce,0x74,0xf3,0x6d,0x63,0xbc,0x18,0xa8,0x95,0x30,0x8b,0x16,0xe2,0x9f,0x0a,
+    0x89,0xe0,0x36,0xba,0x0f,0x90,0x5e,0x67,0x6c,0x04,0x77,0xfa,0xd1,0x6e,0xdb,0x1c,
+    0x3c,0x1f,0x9f,0x83,0xb5,0x4b,0xc8,0x4e,0x90,0xf8,0x02,0x26,0x2e,0xce,0x7c,0xe6,
+    0x3e,0xe8,0x0e,0xf0,0x77,0xf1,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0x89,0x30,
+    0x82,0x01,0x85,0x30,0x34,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,
+    0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,
+    0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x72,0x6f,0x6f,0x74,
+    0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,
+    0x04,0x18,0x30,0x16,0x80,0x14,0x7c,0x72,0x4b,0x39,0xc7,0xc0,0xdb,0x62,0xa5,0x4f,
+    0x9b,0xaa,0x18,0x34,0x92,0xa2,0xca,0x83,0x82,0x59,0x30,0x0f,0x06,0x03,0x55,0x1d,
+    0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,
+    0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,
+    0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,
+    0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,
+    0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xaa,0x06,
+    0x03,0x55,0x1d,0x1f,0x04,0x81,0xa2,0x30,0x81,0x9f,0x30,0x66,0xa0,0x64,0xa0,0x62,
+    0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
+    0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,
+    0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,
+    0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,
+    0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,
+    0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,
+    0x6c,0x31,0x30,0x35,0xa0,0x33,0xa0,0x31,0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,
+    0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,
+    0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x72,0x6f,0x6f,0x74,0x63,0x72,0x6c,
+    0x2f,0x63,0x72,0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f,
+    0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,
+    0x04,0x16,0x04,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,0xd2,0x72,0xfd,0x1c,
+    0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
+    0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0xf9,0xad,0x13,
+    0x7b,0x62,0x9b,0x8b,0xa5,0xfd,0x52,0x5d,0xd1,0x13,0xca,0x28,0x92,0xdc,0xc3,0x84,
+    0x3d,0xf1,0xc5,0x9b,0x2a,0xc3,0x15,0xfc,0x1d,0x4f,0x30,0x54,0x77,0x9a,0x5a,0x5a,
+    0x1b,0x07,0xbb,0xf7,0x7e,0xea,0x47,0x01,0xc7,0x6d,0x30,0xe0,0x2e,0xcc,0x44,0xea,
+    0x6c,0xa5,0xcd,0x42,0x86,0x38,0xf5,0x88,0x9c,0xff,0x74,0xc1,0x3d,0x70,0xfa,0x9a,
+    0x54,0xbd,0x37,0xb0,0x38,0x9f,0xb6,0xe4,0x51,0xec,0x24,0xa0,0xa4,0xbe,0x9f,0x6e,
+    0xad,0x3b,0x0f,0x30,0xa0,0xd2,0x37,0x67,0x9b,0xc2,0x6f,0xd5,0xfd,0x9a,0xfd,0xc6,
+    0x56,0x08,0x64,0x84,0x74,0x12,0xfe,0xa8,0xe3,0x26,0x4a,0x08,0x2f,0xdb,0x32,0x9a,
+    0xae,0xaf,0x01,0x75,0xf0,0x7b,0x28,0xb6,0xb2,0x4a,0xf0,0xd8,0xfd,0xb4,0x11,0xf5,
+    0x26,0x31,0x49,0xd1,0x82,0x91,0x04,0x3b,0x4b,0x79,0x3c,0x57,0x2e,0x38,0x9f,0x9a,
+    0xfd,0xdf,0x53,0xd9,0xbd,0x48,0x96,0xfb,0xbb,0x21,0x64,0xdd,0xec,0x68,0xc3,0x77,
+    0x7d,0x41,0xcf,0x7c,0x2f,0xa8,0x87,0xf0,0x8f,0xf0,0x0c,0xdd,0x3f,0x88,0x5c,0x23,
+    0x49,0x26,0x1b,0x60,0xff,0xbc,0x9e,0xb8,0xc0,0xf6,0xe0,0x21,0xf1,0x44,0x44,0x21,
+    0x81,0x06,0x9b,0x39,0xf0,0xaf,0xf0,0x5c,0x44,0x44,0xc7,0x51,0xf2,0x1d,0xf3,0x06,
+    0x1a,0x14,0x04,0xd1,0xa4,0xed,0x92,0x39,0x21,0x77,0xe9,0x77,0x1f,0xd6,0x80,0x5e,
+    0x42,0xb4,0xd5,0x44,0xd1,0xd2,0xd6,0x84,0xca,0xa5,0xb8,0xee,0x48,0x4f,0x93,0x2d,
+    0xca,0x82,0x46,0xff,0x77,0x5b,0x18,0x79,0x88,0x14,0x4c,0x0d
+};
+
+static const UInt8 intermediate2[] = {
+    0x30,0x82,0x03,0xca,0x30,0x82,0x02,0xb2,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49,
+    0x33,0x00,0x65,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,
+    0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
+    0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,
+    0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49,
+    0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x30,0x31,0x32,0x31,0x35,
+    0x30,0x35,0x30,0x37,0x30,0x30,0x5a,0x17,0x0d,0x32,0x30,0x31,0x32,0x31,0x35,0x30,
+    0x35,0x30,0x37,0x30,0x30,0x5a,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,
+    0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,
+    0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,
+    0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,
+    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,
+    0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa8,0x7f,0xa9,
+    0x2d,0x47,0xc3,0xdb,0xdb,0x10,0x79,0xa0,0xae,0xd5,0x80,0xfa,0x5b,0xbe,0x64,0x5f,
+    0x26,0xb9,0x5a,0x84,0x0d,0x1b,0x56,0x14,0x49,0xe1,0xda,0xfb,0x83,0x07,0xaf,0x80,
+    0x2d,0x93,0xbf,0x44,0xd9,0x85,0x1f,0x18,0xb0,0xe1,0xb9,0x06,0x34,0x24,0xd1,0xf9,
+    0x9f,0x34,0xe0,0x26,0x3e,0xce,0x57,0xca,0x30,0x3b,0xae,0x44,0x55,0x47,0x7f,0x2e,
+    0xe5,0xe8,0x51,0x55,0x90,0x95,0x23,0xde,0xd3,0xb4,0x88,0xf8,0x33,0x1e,0x5e,0xe6,
+    0x2b,0xae,0x9b,0x94,0x2c,0xec,0xd9,0xc9,0x47,0x67,0x14,0x54,0x6a,0x33,0x6f,0xe1,
+    0x0c,0x7f,0x0f,0xa0,0x7e,0xb5,0xc3,0x0f,0x63,0x4f,0xdf,0x38,0x9d,0x73,0xea,0x9f,
+    0xaa,0x34,0x30,0xbf,0xba,0x83,0x56,0x65,0x26,0x90,0x01,0xf6,0xfc,0x93,0xc6,0x2b,
+    0xcc,0xf2,0x90,0x7d,0x2a,0x31,0xe1,0xcd,0x0f,0x23,0xd1,0x78,0x2b,0x49,0xc5,0x21,
+    0x77,0xc9,0x8b,0x02,0x70,0xf1,0xc2,0xa3,0xdf,0xca,0xb7,0x73,0x06,0x76,0xfd,0xcb,
+    0xc0,0xc9,0x23,0x21,0x17,0x34,0x1c,0x80,0xa9,0xc6,0x92,0x95,0xd0,0xc6,0xeb,0x83,
+    0x56,0xb0,0x98,0x90,0x50,0xf4,0xcf,0x9b,0x3b,0x2d,0x3e,0xcf,0x94,0x27,0x69,0x9f,
+    0xdc,0x66,0xfb,0x05,0x0c,0xe3,0x99,0x1e,0x06,0x86,0xd9,0xe6,0xf5,0x6c,0xfe,0x98,
+    0x5d,0x61,0xb1,0x89,0x01,0xc4,0x7f,0x48,0x68,0x62,0x06,0x26,0x95,0x40,0xcd,0x93,
+    0x46,0xf8,0xb0,0x8d,0x28,0x3a,0xc7,0x0e,0x46,0x42,0x9f,0x32,0xc3,0xc6,0x78,0xc7,
+    0x10,0xd5,0x37,0xff,0x17,0x4c,0x24,0x60,0xc6,0xd5,0x18,0x9a,0x7d,0x02,0x03,0x01,
+    0x00,0x01,0xa3,0x81,0xe5,0x30,0x81,0xe2,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,
+    0x18,0x30,0x16,0x80,0x14,0x65,0xf2,0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,
+    0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,
+    0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,
+    0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,
+    0x0c,0x01,0x06,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,
+    0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,
+    0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x3e,0x06,0x03,0x55,
+    0x1d,0x1f,0x04,0x37,0x30,0x35,0x30,0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,
+    0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,
+    0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x63,
+    0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,
+    0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,
+    0x1d,0x0e,0x04,0x16,0x04,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,
+    0xfc,0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x0d,0x06,0x09,0x2a,0x86,
+    0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xb6,0x37,
+    0x1c,0xdb,0x09,0x29,0xbd,0x24,0x76,0x1b,0x7f,0x6b,0x36,0x25,0xd2,0x43,0xf2,0x09,
+    0x22,0x63,0x3f,0x8e,0xd6,0x15,0xf9,0x9c,0x36,0xc9,0xb1,0x1c,0x10,0x61,0x39,0x24,
+    0x96,0x76,0xa4,0xa3,0x70,0xa4,0xe5,0x52,0xc1,0xba,0xb9,0xbb,0x72,0x1a,0xdc,0x76,
+    0x05,0x86,0x45,0x03,0x0a,0xb8,0x95,0xd5,0xb2,0x63,0xb4,0x7b,0x9a,0x00,0xd5,0x31,
+    0x76,0x50,0x25,0xc0,0x98,0x17,0xc9,0xfa,0x57,0x36,0x50,0x1f,0x66,0x2b,0xb1,0xd1,
+    0xe6,0xcf,0x14,0x56,0xf2,0xb9,0x9f,0xa9,0x6f,0x2d,0x15,0xb7,0x66,0x46,0x9e,0x85,
+    0x7c,0x68,0xbd,0xf3,0x5f,0x9f,0xbf,0xbe,0xf8,0xf9,0x7f,0x7b,0x1b,0xca,0x51,0xc2,
+    0xae,0x43,0x20,0x83,0x90,0xab,0xb5,0x70,0x73,0x42,0xa9,0xc1,0xd5,0x4f,0x89,0xcf,
+    0x72,0xba,0x86,0x5c,0xd8,0x8c,0xaf,0x85,0xf1,0x3d,0x52,0x23,0xac,0x68,0x05,0x73,
+    0xca,0x36,0x7c,0x12,0x86,0xae,0xdc,0xda,0x91,0x40,0x1f,0xe0,0x6b,0x26,0x43,0x64,
+    0xe9,0x5f,0x71,0xbf,0x22,0x6c,0x6e,0xd1,0x32,0x0c,0x7c,0x07,0x36,0x3a,0x09,0xef,
+    0xe7,0xa7,0x9b,0x73,0x19,0xe3,0x6a,0xd2,0x41,0x43,0x23,0xef,0x63,0x30,0xa0,0x34,
+    0x12,0x2c,0xe5,0x23,0x5f,0x46,0x87,0xcc,0xf1,0x2f,0x0b,0xd1,0x72,0x58,0xc5,0x36,
+    0xcb,0x4e,0x00,0x5f,0x15,0x80,0x0a,0x05,0xb5,0x34,0x34,0x9c,0x19,0x20,0xc1,0x5b,
+    0x80,0x98,0x96,0x42,0x01,0x54,0x6c,0x65,0x4e,0xc5,0x2b,0x04,0x55,0x63,0x71,0x5e,
+    0x99,0x79,0xc5,0xfb,0x03,0xbf,0x27,0x56,0xa6,0xdf,0x3a,0x4c,0xea,0x63
+};
+
+
+/* subject:/C=RU/CN=telegram.im */
+/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
+/* Not After : Sep  3 23:57:19 2019 GMT */
+
+unsigned char leafOnAllowList_Cert[1719]={
+    0x30,0x82,0x06,0xB3,0x30,0x82,0x05,0x9B,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x31,
+    0x4E,0xCD,0xA3,0x65,0x0B,0x68,0x8D,0x7D,0x77,0xD3,0x5A,0x00,0x4A,0xC5,0x94,0x30,
+    0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
+    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
+    0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
+    0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
+    0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72,
+    0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
+    0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x39,0x30,0x33,0x32,
+    0x33,0x35,0x37,0x31,0x39,0x5A,0x17,0x0D,0x31,0x39,0x30,0x39,0x30,0x33,0x32,0x33,
+    0x35,0x37,0x31,0x39,0x5A,0x30,0x23,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
+    0x13,0x02,0x52,0x55,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x03,0x0C,0x0B,0x74,
+    0x65,0x6C,0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x82,0x02,0x22,0x30,0x0D,
+    0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02,
+    0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xCA,0xCD,0x7B,0x38,0x40,
+    0x59,0xBD,0xD7,0x0D,0xB4,0xDA,0xA7,0x43,0x3F,0x64,0xE7,0xD5,0x88,0x4A,0xA3,0x7D,
+    0xA1,0x8A,0x6C,0x3B,0x1B,0xE0,0xE4,0xE0,0x82,0xCD,0xD3,0x38,0x7D,0x6E,0x49,0x0F,
+    0x56,0x2D,0xA7,0x3A,0x1D,0x7A,0x5C,0x48,0x0D,0x15,0xBD,0x68,0xC0,0x24,0xAE,0x9B,
+    0x03,0x33,0x5E,0xBB,0x12,0x13,0x32,0xDA,0xAF,0xAD,0xEB,0x36,0x76,0x6F,0xBD,0x91,
+    0xF0,0xC1,0xC6,0x14,0xE1,0xDA,0x88,0x32,0x47,0x26,0x5C,0x92,0x5D,0xE1,0xA4,0x3E,
+    0x99,0xCD,0x5B,0xFB,0x92,0x3C,0xA9,0x56,0xEC,0x6B,0xA9,0xEB,0xB0,0x34,0x89,0x4B,
+    0x96,0x1A,0x57,0x0D,0x5F,0x94,0x7C,0x25,0x67,0xCE,0xC0,0x6A,0xB1,0x73,0xE4,0xB3,
+    0x56,0xD8,0xE9,0x09,0x4F,0x5D,0x91,0xBB,0x5E,0x6C,0x13,0xE7,0x18,0xDB,0x62,0x0D,
+    0xDA,0xB9,0xCD,0x97,0xC1,0xD4,0x35,0x0F,0x1A,0x4B,0xCA,0xFC,0x9D,0x88,0xD1,0xE4,
+    0xFC,0x1D,0x43,0x7E,0xE7,0x1A,0xEB,0xED,0x1F,0x7D,0x1F,0x2B,0xF9,0x3A,0x0D,0x06,
+    0x03,0x3F,0x2D,0xAF,0xF4,0xDB,0xCC,0x91,0x7B,0xF7,0x9D,0xAA,0x13,0x41,0xC0,0x57,
+    0x8F,0x3E,0xE2,0xCA,0x45,0x7D,0x35,0x1B,0x0C,0x51,0x53,0x81,0x05,0x74,0x88,0xA2,
+    0x37,0x9B,0x26,0x34,0xAE,0x49,0xB6,0x97,0x9F,0x81,0xFB,0x45,0x7F,0x65,0x82,0x1F,
+    0x8E,0xC1,0xF0,0xC0,0x63,0x1F,0x7B,0xE4,0x45,0xA7,0x4C,0x1C,0x09,0x10,0xF6,0x8A,
+    0x81,0x8E,0x3B,0x6E,0xFF,0x15,0x53,0x9D,0x36,0x2F,0x52,0x01,0x0C,0x34,0x59,0x12,
+    0x9C,0xCA,0xAF,0xF5,0x58,0x31,0x37,0xE6,0x44,0xE5,0x0D,0xDB,0x0F,0x43,0xA3,0x09,
+    0x79,0x78,0x00,0x3D,0x7F,0x3B,0x2F,0xB8,0x28,0x58,0x79,0x35,0xEE,0xA1,0xDA,0x1B,
+    0xF2,0x8F,0x9C,0xAB,0x3F,0x38,0xB5,0x88,0x85,0x78,0x48,0xAA,0x67,0x41,0x0A,0xAB,
+    0x1D,0x89,0xE1,0x60,0x39,0x9A,0x6B,0x88,0xE3,0xB9,0x78,0x02,0x2F,0x74,0x58,0xDD,
+    0xBD,0xEE,0x51,0x8E,0xA9,0x1E,0x5E,0xFD,0x84,0x2B,0x94,0x55,0x14,0xAE,0x68,0x71,
+    0x73,0xC7,0xE3,0xAE,0x9E,0xD9,0x54,0xB4,0x6D,0xE1,0x9A,0x10,0x1A,0x51,0x68,0x13,
+    0x8E,0x51,0x18,0xBF,0xA8,0x7C,0x1A,0x18,0x2C,0xCE,0xF6,0x56,0xFD,0x9E,0xDC,0x97,
+    0xE8,0x95,0x08,0xDA,0xC6,0xBC,0x8C,0x9C,0xDC,0x70,0x45,0xFD,0xD2,0x3E,0x83,0xE3,
+    0x01,0x23,0xD4,0x74,0x6D,0xFD,0x2B,0x55,0x97,0x99,0x96,0xEB,0xD3,0x2D,0x5A,0xA7,
+    0xEF,0xC8,0x89,0x4C,0xA3,0xC1,0xDA,0x17,0xD0,0xDE,0x9C,0xB6,0xA3,0x1D,0x14,0x05,
+    0x65,0xCA,0x5C,0x32,0xD0,0x58,0x62,0xAA,0x56,0x72,0x90,0x02,0xC0,0xFC,0xB6,0x85,
+    0x5A,0x53,0xC2,0xC1,0x31,0xAE,0xD6,0xC8,0x54,0xBE,0x78,0xE2,0x44,0x41,0x58,0xC3,
+    0xEE,0xA7,0x38,0x6D,0x4E,0xAF,0xF1,0xD2,0xD1,0xD9,0xB1,0x17,0x5D,0x10,0x00,0x1D,
+    0x8A,0x07,0xF6,0x5C,0x2C,0x1D,0x2B,0xDB,0xDE,0x3C,0x5B,0x22,0xC4,0xBB,0x27,0xC6,
+    0x5A,0x78,0x25,0x7A,0x8F,0x86,0x42,0x6A,0x82,0xD3,0x7C,0xCA,0x07,0x62,0x23,0x09,
+    0x44,0xEE,0x3B,0xEF,0x0E,0xB7,0x1A,0xA4,0x4D,0xBB,0x93,0xFD,0x83,0xCD,0x67,0x22,
+    0x4B,0xE9,0x37,0x23,0x99,0x3F,0xD7,0xD4,0xEE,0x5C,0x4B,0x02,0x03,0x01,0x00,0x01,
+    0xA3,0x82,0x02,0xAF,0x30,0x82,0x02,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,
+    0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,
+    0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,
+    0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,
+    0x30,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x2A,0x36,0x37,
+    0x39,0xD2,0xCA,0x66,0xB3,0xF8,0x12,0x94,0x78,0xB1,0xD9,0x18,0x1C,0x11,0xD9,0x7C,
+    0xD7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,
+    0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,
+    0xA8,0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,
+    0x30,0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,
+    0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,
+    0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,
+    0x65,0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,
+    0x05,0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,
+    0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,
+    0x2E,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,
+    0x72,0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,
+    0xA0,0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,
+    0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,
+    0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,
+    0x30,0x16,0x06,0x03,0x55,0x1D,0x11,0x04,0x0F,0x30,0x0D,0x82,0x0B,0x74,0x65,0x6C,
+    0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x4F,0x06,0x03,0x55,0x1D,0x20,0x04,
+    0x48,0x30,0x46,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3A,0x06,
+    0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x01,0x01,0x02,0x30,0x2B,0x30,0x29,
+    0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70,
+    0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,
+    0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x82,0x01,0x06,0x06,0x0A,0x2B,
+    0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x81,0xF7,0x04,0x81,0xF4,0x00,
+    0xF2,0x00,0x77,0x00,0x68,0xF6,0x98,0xF8,0x1F,0x64,0x82,0xBE,0x3A,0x8C,0xEE,0xB9,
+    0x28,0x1D,0x4C,0xFC,0x71,0x51,0x5D,0x67,0x93,0xD4,0x44,0xD1,0x0A,0x67,0xAC,0xBB,
+    0x4F,0x4F,0xFB,0xC4,0x00,0x00,0x01,0x56,0xF2,0x97,0xEB,0x40,0x00,0x00,0x04,0x03,
+    0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xBC,0xC2,0x3C,0xA9,0x92,0x2F,0x3D,0x59,0x3C,
+    0x82,0x38,0xD6,0x1A,0x83,0x95,0x04,0x15,0x1C,0x85,0x19,0x8F,0x12,0x33,0x01,0x1B,
+    0xB1,0xCF,0xBE,0xE6,0xC1,0x6F,0xBE,0x02,0x21,0x00,0xB2,0x3B,0x8C,0xA0,0xB0,0x9C,
+    0xCF,0xBA,0xFA,0x4E,0xBA,0xE7,0x95,0x85,0x89,0x5C,0xE1,0x5F,0x34,0x7A,0xA8,0xCB,
+    0x19,0xC8,0x0C,0xED,0x3A,0xA4,0xE2,0x29,0xCD,0xBF,0x00,0x77,0x00,0xA4,0xB9,0x09,
+    0x90,0xB4,0x18,0x58,0x14,0x87,0xBB,0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98,
+    0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77,0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01,
+    0x56,0xF2,0x97,0xEC,0x65,0x00,0x00,0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00,
+    0x96,0x67,0x94,0x08,0x36,0x41,0xF7,0x3F,0x97,0x0B,0xAE,0xAB,0x2F,0xD4,0x0C,0xE5,
+    0xFA,0x3F,0xB2,0x0B,0x4F,0x57,0x1C,0xDF,0x0A,0xF4,0xE7,0x04,0x59,0x1F,0x0D,0xEF,
+    0x02,0x21,0x00,0xBC,0xB5,0xAD,0xF5,0x60,0x34,0x47,0xD5,0x23,0x08,0x12,0xDE,0x8F,
+    0xC7,0xE9,0x14,0x0C,0x02,0x25,0x0B,0x6D,0xB8,0xBF,0x1C,0x0D,0x65,0xEC,0x86,0x9B,
+    0x30,0x88,0x2F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,
+    0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3B,0x9A,0xD3,0xED,0xF3,0xA8,0x95,0x4E,0x35,
+    0x96,0xFF,0xA4,0xF1,0x61,0xB1,0x97,0xCA,0xF1,0xC8,0xDC,0x82,0x51,0xB9,0x29,0x3D,
+    0x77,0x59,0x96,0xF4,0x32,0x1F,0xCC,0xF9,0xC6,0x71,0x9E,0x6E,0xB4,0x83,0xFC,0xD9,
+    0xBF,0x21,0x43,0xAF,0xEB,0xB1,0x37,0x36,0x91,0x26,0x72,0xF8,0xAA,0x3A,0x38,0xBE,
+    0x51,0x27,0xBB,0x07,0x48,0x92,0x4E,0xFA,0xA0,0x5A,0x00,0x0D,0x81,0xCB,0x3B,0x17,
+    0x4E,0x04,0x0A,0xF7,0x0E,0x53,0xCD,0xAC,0x5E,0xC8,0xA5,0xE3,0x31,0x6E,0x9F,0x45,
+    0x65,0xA1,0x81,0x5C,0x98,0xF9,0x7E,0x07,0xC1,0x05,0x92,0xBD,0xCD,0xEA,0x5C,0xC7,
+    0x0B,0xC1,0x22,0x8F,0x13,0x7E,0xA2,0xB5,0xE2,0x88,0xBF,0x00,0xF0,0xC5,0xCA,0x99,
+    0xB2,0x59,0x9E,0x6E,0x71,0x35,0x49,0xC5,0xAF,0xAB,0x9B,0x80,0x2A,0xE1,0x8F,0x82,
+    0x98,0x43,0x54,0x8D,0x7A,0x28,0x98,0xA4,0xAE,0xDE,0x29,0xCC,0x15,0xBF,0x2E,0x4F,
+    0xD8,0x70,0x2E,0x8F,0xD8,0xE0,0xB9,0xC0,0x37,0x67,0x7A,0x29,0x35,0x0B,0xCD,0x7D,
+    0xF9,0x59,0x4A,0x6C,0x1C,0x87,0x31,0x2C,0x85,0x83,0x08,0x4E,0xAB,0xED,0xA1,0xEF,
+    0x76,0x90,0x32,0x71,0x6D,0xE6,0x13,0xE5,0x70,0xB8,0x7B,0xF3,0x6C,0x47,0x04,0xDE,
+    0xCC,0x61,0x67,0x5D,0x98,0xC0,0xDB,0x7D,0x24,0x3D,0x60,0xA9,0x60,0x9D,0xD8,0xC7,
+    0x27,0x8C,0x5F,0xA7,0x5A,0xE9,0x58,0x2C,0x2A,0x03,0x92,0xB6,0xF1,0x51,0xC6,0x1D,
+    0xA4,0x7B,0xDF,0xE6,0xF3,0x1A,0xD4,0x23,0x6C,0x4E,0x8D,0x5F,0xFB,0x98,0xD2,0xB3,
+    0x0B,0x73,0x41,0xB6,0x5C,0x84,0xEF,
+};
+
+/* subject:/CN=mmime.info */
+/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
+/* Not After : Sep 12 17:15:48 2016 GMT */
+
+unsigned char leafNotOnAllowList_Cert[1343]={
+    0x30,0x82,0x05,0x3B,0x30,0x82,0x04,0x23,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x6A,
+    0xC3,0x4F,0x8F,0xC7,0x97,0x97,0x53,0xE4,0x61,0x64,0x13,0xC4,0x2E,0x92,0x9B,0x30,
+    0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
+    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
+    0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
+    0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
+    0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72,
+    0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
+    0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x39,0x31,0x32,0x31,
+    0x37,0x31,0x35,0x34,0x38,0x5A,0x17,0x0D,0x31,0x36,0x30,0x39,0x31,0x32,0x31,0x37,
+    0x31,0x35,0x34,0x38,0x5A,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,
+    0x0C,0x0A,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x82,0x01,0x22,
+    0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,
+    0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB6,0x88,0xD4,
+    0xC3,0xBE,0x56,0x7F,0xB1,0xF1,0x48,0x37,0x71,0x3F,0xC7,0x72,0x53,0x95,0x64,0xAC,
+    0x60,0xF6,0x8C,0x01,0x15,0x2C,0xBD,0x6D,0x43,0x3F,0x8F,0x50,0x12,0x03,0x72,0x0C,
+    0x0D,0x37,0xD7,0x00,0x13,0xEC,0x49,0xC5,0xCF,0x00,0xE1,0x84,0x01,0x8B,0x1A,0xD7,
+    0x6D,0x8A,0xC7,0xB9,0xA7,0x3F,0x3A,0xE5,0xDD,0x1A,0xC9,0xCD,0x30,0xB5,0x74,0x0B,
+    0xFD,0x3C,0x70,0x8D,0xCF,0xCC,0xB7,0xB7,0x52,0x95,0x47,0xDB,0x47,0x2F,0x9C,0x5C,
+    0x06,0x6B,0x3D,0xA4,0xE5,0x42,0x6C,0x85,0x69,0xF3,0x35,0x07,0x3C,0xEF,0xA2,0xFB,
+    0x81,0x3F,0xF6,0x1C,0x51,0x17,0xA6,0x19,0x70,0xF3,0x02,0x43,0x8C,0xC3,0x42,0xED,
+    0xFE,0xF7,0x5F,0xD1,0xF3,0xBB,0x46,0xE9,0x11,0xB8,0x39,0x2E,0xE6,0x8E,0x00,0x48,
+    0x66,0xDF,0x78,0xDE,0x1A,0x27,0x71,0xF1,0x13,0x37,0xC7,0x65,0xA0,0x03,0x41,0xF9,
+    0xB2,0xE1,0x82,0x54,0x38,0x60,0x7E,0x1A,0x5A,0x77,0xC6,0x6E,0x9C,0x91,0x06,0x62,
+    0x84,0xA6,0x91,0xF0,0x3E,0x10,0x4F,0x83,0x1D,0x87,0x94,0xEB,0x0F,0x14,0x91,0xEC,
+    0x58,0xFC,0x15,0x60,0x16,0xF6,0xCD,0x88,0xF7,0x7C,0xE9,0x26,0x71,0x3C,0x14,0x3E,
+    0xD0,0xE0,0x06,0x3B,0xC2,0xAC,0xC0,0x16,0x16,0x0B,0x43,0xD2,0x92,0x96,0x84,0xC9,
+    0x65,0x6E,0xC9,0x76,0x8A,0xE3,0x5B,0x96,0xDE,0xB9,0x57,0xB0,0x7C,0xC2,0xE9,0x74,
+    0x2D,0x6D,0x6F,0x58,0x23,0xC9,0xEB,0xB3,0x63,0xB6,0x18,0xC6,0xD6,0x6B,0xF0,0x88,
+    0xAC,0x2D,0x3E,0x05,0x6D,0x00,0xC0,0x25,0x9A,0x4C,0x3E,0xFE,0xA5,0x02,0x03,0x01,
+    0x00,0x01,0xA3,0x82,0x02,0x45,0x30,0x82,0x02,0x41,0x30,0x0B,0x06,0x03,0x55,0x1D,
+    0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16,
+    0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,0x06,
+    0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,
+    0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x3D,0xAB,0x6A,0xB5,
+    0xCC,0x2F,0xFE,0x38,0x1F,0xEF,0x88,0xA0,0xF7,0xBC,0x2A,0x44,0xEA,0x9E,0xE6,0xBD,
+    0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,0x16,
+    0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,0xA8,
+    0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,0x30,
+    0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,0x68,
+    0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x36,0x2E,0x77,0x6F,0x73,0x69,
+    0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,0x65,
+    0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
+    0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x36,
+    0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2E,
+    0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,0x72,
+    0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,0xA0,
+    0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x36,0x2E,
+    0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,0x73,
+    0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,0x30,
+    0x81,0xB6,0x06,0x03,0x55,0x1D,0x11,0x04,0x81,0xAE,0x30,0x81,0xAB,0x82,0x0A,0x6D,
+    0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0E,0x77,0x77,0x77,0x2E,0x6D,
+    0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x63,0x6C,0x6F,0x75,0x64,
+    0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x12,0x77,0x65,0x62,
+    0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,
+    0x0E,0x76,0x70,0x6E,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,
+    0x11,0x62,0x61,0x63,0x6B,0x75,0x70,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,
+    0x66,0x6F,0x82,0x10,0x66,0x69,0x6C,0x65,0x73,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,
+    0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,
+    0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x73,0x68,0x61,0x72,0x65,0x2E,0x6D,0x6D,0x69,
+    0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6E,0x65,0x77,0x73,0x2E,0x6D,0x6D,
+    0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x51,0x06,0x03,0x55,0x1D,0x20,0x04,
+    0x4A,0x30,0x48,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3C,0x06,
+    0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,0x2B,
+    0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,
+    0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,
+    0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,0x2A,
+    0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x7A,
+    0x93,0xB0,0x04,0xAB,0xCA,0x53,0x61,0x83,0xC4,0xDC,0x8B,0xE9,0xA5,0x62,0x46,0x9E,
+    0x22,0x7A,0xBB,0x23,0x32,0xC9,0xC8,0x55,0xA7,0x87,0x53,0x68,0x61,0xF4,0x14,0x9B,
+    0xA6,0xC1,0xC2,0x2D,0xF1,0xD6,0x2F,0x58,0x6D,0xCC,0xF9,0x47,0x4F,0x49,0x82,0xDD,
+    0xFA,0x61,0xD4,0xE1,0x99,0xB3,0x1E,0x5A,0x44,0x1E,0xA3,0xC2,0x1E,0x83,0x4F,0x9C,
+    0xB8,0xBC,0x25,0xCD,0x32,0x13,0xCA,0xA8,0xEC,0x17,0xD6,0xEB,0x96,0x38,0xFF,0x26,
+    0xF7,0x76,0x85,0xA0,0x96,0x7C,0x70,0xCE,0xFC,0xBF,0x23,0x1D,0xF8,0xFB,0x0F,0x3E,
+    0xA8,0x22,0xF4,0xE6,0x96,0xD7,0x38,0xF3,0xCE,0xA2,0xDE,0xD3,0xAA,0x11,0x61,0x2E,
+    0x41,0xBF,0xE0,0xAD,0x65,0x88,0x06,0xB4,0x8E,0x45,0x38,0xEB,0x48,0xA5,0xEB,0xE6,
+    0x88,0xD2,0x0D,0x83,0x8B,0x6A,0x2A,0x97,0xC6,0xBD,0x01,0x39,0x71,0x0A,0xDA,0xF3,
+    0x2A,0x8D,0x7F,0x5C,0xCC,0xF0,0x05,0x17,0x99,0x98,0x11,0xD3,0x43,0x23,0xCE,0x91,
+    0x55,0x02,0x7E,0x93,0x1B,0x37,0xE9,0x81,0x84,0x7D,0xEE,0x80,0x0D,0x69,0xF5,0x77,
+    0x20,0x8B,0x39,0x7F,0x4E,0x52,0x94,0xED,0x07,0x76,0xF0,0xB6,0x12,0x39,0xDA,0xEB,
+    0x80,0x42,0x02,0xD4,0xFE,0xE6,0x42,0xB7,0xC5,0xA8,0xEC,0xA6,0x83,0x9C,0x68,0x60,
+    0x9A,0x52,0xF2,0x7F,0xF6,0x48,0x92,0x93,0x10,0x43,0xDE,0x5E,0x75,0x18,0x1B,0x22,
+    0x12,0x3F,0xEB,0x7A,0x38,0x6E,0x73,0xBD,0x6A,0x2C,0xE6,0x07,0xEA,0xFC,0x50,0x31,
+    0x54,0xC3,0x7B,0xD1,0x0B,0xC1,0x78,0x9D,0x6E,0xF2,0xAF,0x65,0xB9,0xF1,0xB5,
+};
+
+/* subject:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
+/* issuer :/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */
+/* Not After : Nov  8 00:58:58 2029 GMT */
+
+unsigned char ca1_Cert[1456]={
+    0x30,0x82,0x05,0xAC,0x30,0x82,0x03,0x94,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x38,
+    0xF6,0x45,0xC1,0xE2,0x5D,0x91,0x2C,0xCE,0x3B,0x2B,0x39,0x12,0x31,0x74,0x0D,0x30,
+    0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
+    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
+    0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
+    0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
+    0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,
+    0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x6F,0x66,0x20,0x57,
+    0x6F,0x53,0x69,0x67,0x6E,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x31,0x30,0x38,0x30,
+    0x30,0x35,0x38,0x35,0x38,0x5A,0x17,0x0D,0x32,0x39,0x31,0x31,0x30,0x38,0x30,0x30,
+    0x35,0x38,0x35,0x38,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
+    0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,
+    0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,
+    0x31,0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,
+    0x6E,0x20,0x43,0x41,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,
+    0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x47,0x32,0x30,0x82,0x01,0x22,
+    0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,
+    0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE3,0xB4,0x80,
+    0x0E,0x6B,0x30,0x50,0x82,0x2F,0x1F,0xE7,0x9D,0xBF,0xF8,0x7C,0x42,0x25,0xED,0xAE,
+    0x61,0xC4,0xEB,0x86,0x87,0x23,0x7F,0x11,0x1F,0xC0,0x93,0x5F,0x1B,0x92,0x90,0x1E,
+    0x77,0x8C,0xBC,0x76,0xF7,0xFB,0x0A,0xA5,0xD5,0x7D,0xAC,0xDC,0x4B,0x18,0xD8,0x58,
+    0x2E,0xDF,0x46,0x6B,0x34,0x0F,0x45,0x64,0x60,0x84,0xC2,0xEB,0x9A,0x0E,0x51,0xD4,
+    0x2A,0x54,0x51,0x3E,0x27,0x3B,0x64,0x68,0x86,0x6F,0x7C,0x6B,0x00,0x3C,0x99,0xF6,
+    0x4C,0xA8,0x45,0x27,0xAD,0xA5,0xCB,0x2B,0x37,0xED,0x59,0xC3,0x52,0x4C,0x4F,0xDE,
+    0x34,0x9C,0xF2,0xB7,0xD1,0xFA,0x58,0xCB,0xE5,0x62,0x9E,0x55,0x46,0x5C,0xB7,0xC5,
+    0x8D,0x38,0x24,0x35,0xEF,0x97,0x2C,0x7C,0x65,0x10,0x0D,0xEF,0x9F,0x97,0x08,0xD5,
+    0xE5,0xB3,0x12,0x7A,0x92,0xDD,0xFE,0x88,0x0F,0x8F,0xA4,0xAF,0xBD,0xC5,0xD6,0x36,
+    0xF7,0x41,0x1B,0xE8,0x59,0xDD,0x86,0xFF,0x35,0xBF,0xED,0xE4,0xD1,0xA0,0x93,0x6E,
+    0x51,0xA8,0x99,0xCB,0xDF,0xDD,0xBE,0x71,0x88,0xC3,0xDA,0xB1,0x65,0xCC,0x7B,0x95,
+    0xC4,0x66,0x8F,0xBE,0x4E,0x06,0x7F,0x9B,0x53,0x8C,0x6B,0x3C,0xCE,0x97,0x26,0x82,
+    0x1F,0x17,0x30,0xBA,0x3F,0xC8,0xDE,0xCC,0x0B,0xA1,0xB4,0xEF,0x12,0x3D,0x93,0xCB,
+    0x08,0x30,0xE7,0x1A,0x98,0x97,0x80,0x3A,0x26,0x84,0x8F,0xFE,0x73,0x74,0x95,0x53,
+    0x0F,0x51,0xB2,0xAA,0x89,0x57,0xF4,0x96,0x40,0x72,0x13,0x1D,0xE4,0x67,0x98,0x4E,
+    0x8F,0xC6,0x40,0x0B,0xF5,0x1D,0x0C,0x45,0x2D,0xE0,0xD5,0x92,0x83,0x02,0x03,0x01,
+    0x00,0x01,0xA3,0x82,0x01,0x76,0x30,0x82,0x01,0x72,0x30,0x0E,0x06,0x03,0x55,0x1D,
+    0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D,
+    0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,
+    0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,
+    0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x30,0x06,
+    0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86,0x1F,
+    0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,0x2E,0x77,0x6F,0x73,
+    0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,
+    0x72,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x66,0x30,0x64,0x30,
+    0x27,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,
+    0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,
+    0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x30,0x39,0x06,0x08,0x2B,0x06,0x01,0x05,
+    0x05,0x07,0x30,0x02,0x86,0x2D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,
+    0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,
+    0x67,0x32,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,
+    0x63,0x65,0x72,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2,0xA7,
+    0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,
+    0xA8,0xC7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE1,
+    0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,
+    0xFE,0xFB,0x3E,0x30,0x47,0x06,0x03,0x55,0x1D,0x20,0x04,0x40,0x30,0x3E,0x30,0x3C,
+    0x06,0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,
+    0x2B,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,
+    0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,
+    0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00,
+    0x96,0x5A,0xDF,0x96,0x91,0x17,0x68,0x90,0x5D,0x2F,0xB4,0x32,0x15,0x80,0x03,0x03,
+    0x0B,0xE9,0x1C,0xB7,0x73,0x6C,0xDA,0xA8,0xFA,0x94,0xDD,0xDD,0x3E,0x34,0x2B,0x2E,
+    0x80,0x93,0x6C,0xFA,0xA6,0x67,0xD3,0x1B,0x7A,0x82,0x41,0xCE,0x9E,0xFF,0x3F,0xEF,
+    0xB2,0x83,0x6A,0x9E,0xFC,0x32,0xFD,0x44,0xF3,0x82,0x66,0xAA,0xCF,0x44,0x2F,0xB3,
+    0x37,0x41,0xF0,0x79,0x12,0xE3,0x02,0x27,0x86,0x48,0x92,0xBE,0xCF,0x56,0xD7,0xCB,
+    0xD7,0xE7,0x1E,0x25,0x9D,0x41,0xDB,0x0A,0xE7,0x33,0x12,0x58,0xAD,0x95,0xD8,0x9E,
+    0xD4,0xB7,0x95,0x29,0xBA,0xFE,0xFF,0xDF,0x80,0xA4,0x77,0x5B,0x15,0x62,0x0F,0x69,
+    0xF8,0x87,0x6D,0x74,0xEA,0x85,0xA2,0x76,0x5D,0x9F,0x95,0x2E,0x03,0xBC,0x8A,0xF9,
+    0x8A,0xAC,0x81,0x64,0x50,0xF2,0x0B,0x45,0x4B,0xEC,0x97,0x30,0x39,0x74,0xE5,0xA7,
+    0x7E,0x16,0x24,0x62,0x2B,0x50,0xF1,0x5C,0xD8,0x4F,0xCD,0x2E,0xA2,0x18,0x25,0xA3,
+    0xCE,0xF6,0x1F,0x60,0xDD,0x15,0xDE,0x20,0x15,0x1B,0x0E,0x7F,0xAF,0x85,0xD9,0x40,
+    0xAC,0x07,0x2A,0x34,0xDD,0x51,0xB0,0x1A,0xA8,0xE6,0x0E,0x9F,0x5F,0xDB,0x46,0x70,
+    0xE6,0xF5,0xD9,0x25,0x1C,0xF0,0x1D,0xE5,0x42,0xA1,0x2D,0x22,0x9D,0x6E,0x11,0xC9,
+    0x8D,0xA6,0x65,0xBC,0x0E,0xAA,0x76,0x73,0xC8,0x56,0x60,0x2F,0xFB,0x3F,0x86,0xB9,
+    0xA5,0xF5,0x33,0xEF,0xD5,0x13,0x1F,0x49,0x4C,0x38,0x07,0x9E,0x59,0x22,0x5A,0xC7,
+    0x4E,0xD9,0x25,0x24,0xBA,0x53,0x70,0xFC,0x63,0x2A,0x54,0x51,0xEB,0xC3,0x4B,0x41,
+    0x7D,0xE4,0xE8,0x3C,0x2C,0xA5,0x76,0x5A,0xBF,0xD9,0x4C,0xA8,0x0D,0xAE,0x52,0x6E,
+    0xA5,0x5D,0x98,0x3D,0x6C,0x90,0x6D,0x78,0x1F,0xC3,0x70,0x95,0x86,0x07,0x3F,0x54,
+    0xE3,0xEA,0x8A,0x81,0x64,0x62,0x9A,0x8F,0x31,0xAF,0x7B,0x2A,0x7E,0x92,0x22,0xC3,
+    0x8E,0xCC,0x53,0xAC,0xC7,0x9C,0x99,0x11,0x2B,0x48,0x3F,0x52,0x71,0x2B,0x6E,0xC0,
+    0xE1,0xB3,0x0A,0xE5,0x03,0x62,0xD7,0x89,0x18,0x28,0x4C,0x0A,0x8D,0x3F,0x0B,0x45,
+    0x89,0x81,0x8B,0x88,0xA4,0x93,0xC2,0x7F,0x44,0xE5,0x1E,0x5B,0x40,0x00,0xFC,0x2F,
+    0xCC,0x3B,0xF8,0x6A,0x79,0x31,0xFD,0x44,0x14,0xB6,0x8F,0x48,0x85,0x4C,0xAB,0x0A,
+    0x9D,0xBB,0x37,0x0A,0xFC,0x51,0x19,0xE0,0xFE,0x59,0x6A,0x3B,0x8F,0x60,0x62,0xA7,
+    0x07,0x82,0xAF,0x08,0x66,0xA0,0xF2,0xDA,0x60,0x02,0xEA,0xD8,0x34,0x7E,0x57,0x71,
+    0xA1,0xB5,0xFE,0x69,0xD7,0xFB,0xDD,0x5A,0x9C,0xF3,0xFF,0xC4,0xEA,0xCD,0x74,0xFA,
+    0x94,0x70,0xD3,0x58,0x92,0xCE,0xAF,0x12,0xE4,0x6E,0xEB,0xDD,0xB8,0xAF,0x1D,0xE2,
+    0x65,0xD4,0x46,0xEA,0x0B,0x3E,0xE3,0x68,0x0E,0x0A,0x4C,0x27,0x83,0x50,0x91,0x06,
+    0xC6,0x7B,0xF8,0xFA,0x9B,0x26,0xED,0x2C,0x0E,0x67,0xB8,0x6C,0xE5,0x2C,0x98,0x6D,
+    0x5F,0x7A,0x28,0xC3,0x84,0x3C,0x03,0x0D,0xF7,0xE2,0x03,0xE1,0x94,0xC2,0x58,0x27,
+    0xF8,0x4D,0x81,0x59,0x2F,0xF1,0x7C,0x61,0xC9,0x57,0x5D,0xBD,0xDC,0x9C,0x80,0xD0,
+    0x64,0xDF,0x7C,0x87,0x78,0x85,0xE6,0x94,0x8B,0x70,0x8B,0x05,0x47,0xE4,0xC8,0x7B,
+};
+
+/* subject:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */
+/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
+/* Not After : Dec 31 23:59:59 2019 GMT */
+
+unsigned char ca2_Cert[1632]={
+    0x30,0x82,0x06,0x5C,0x30,0x82,0x04,0x44,0xA0,0x03,0x02,0x01,0x02,0x02,0x07,0x19,
+    0xC2,0x85,0x30,0xE9,0x3B,0x36,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,
+    0x01,0x01,0x0B,0x05,0x00,0x30,0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
+    0x13,0x02,0x49,0x4C,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,
+    0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,
+    0x06,0x03,0x55,0x04,0x0B,0x13,0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,
+    0x67,0x69,0x74,0x61,0x6C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,
+    0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,
+    0x04,0x03,0x13,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,
+    0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,
+    0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x32,0x32,
+    0x34,0x36,0x33,0x36,0x5A,0x17,0x0D,0x31,0x39,0x31,0x32,0x33,0x31,0x32,0x33,0x35,
+    0x39,0x35,0x39,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
+    0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,
+    0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,
+    0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,
+    0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,
+    0x79,0x20,0x6F,0x66,0x20,0x57,0x6F,0x53,0x69,0x67,0x6E,0x30,0x82,0x02,0x22,0x30,
+    0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
+    0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xBD,0xCA,0x8D,0xAC,
+    0xB8,0x91,0x15,0x56,0x97,0x7B,0x6B,0x5C,0x7A,0xC2,0xDE,0x6B,0xD9,0xA1,0xB0,0xC3,
+    0x10,0x23,0xFA,0xA7,0xA1,0xB2,0xCC,0x31,0xFA,0x3E,0xD9,0xA6,0x29,0x6F,0x16,0x3D,
+    0xE0,0x6B,0xF8,0xB8,0x40,0x5F,0xDB,0x39,0xA8,0x00,0x7A,0x8B,0xA0,0x4D,0x54,0x7D,
+    0xC2,0x22,0x78,0xFC,0x8E,0x09,0xB8,0xA8,0x85,0xD7,0xCC,0x95,0x97,0x4B,0x74,0xD8,
+    0x9E,0x7E,0xF0,0x00,0xE4,0x0E,0x89,0xAE,0x49,0x28,0x44,0x1A,0x10,0x99,0x32,0x0F,
+    0x25,0x88,0x53,0xA4,0x0D,0xB3,0x0F,0x12,0x08,0x16,0x0B,0x03,0x71,0x27,0x1C,0x7F,
+    0xE1,0xDB,0xD2,0xFD,0x67,0x68,0xC4,0x05,0x5D,0x0A,0x0E,0x5D,0x70,0xD7,0xD8,0x97,
+    0xA0,0xBC,0x53,0x41,0x9A,0x91,0x8D,0xF4,0x9E,0x36,0x66,0x7A,0x7E,0x56,0xC1,0x90,
+    0x5F,0xE6,0xB1,0x68,0x20,0x36,0xA4,0x8C,0x24,0x2C,0x2C,0x47,0x0B,0x59,0x76,0x66,
+    0x30,0xB5,0xBE,0xDE,0xED,0x8F,0xF8,0x9D,0xD3,0xBB,0x01,0x30,0xE6,0xF2,0xF3,0x0E,
+    0xE0,0x2C,0x92,0x80,0xF3,0x85,0xF9,0x28,0x8A,0xB4,0x54,0x2E,0x9A,0xED,0xF7,0x76,
+    0xFC,0x15,0x68,0x16,0xEB,0x4A,0x6C,0xEB,0x2E,0x12,0x8F,0xD4,0xCF,0xFE,0x0C,0xC7,
+    0x5C,0x1D,0x0B,0x7E,0x05,0x32,0xBE,0x5E,0xB0,0x09,0x2A,0x42,0xD5,0xC9,0x4E,0x90,
+    0xB3,0x59,0x0D,0xBB,0x7A,0x7E,0xCD,0xD5,0x08,0x5A,0xB4,0x7F,0xD8,0x1C,0x69,0x11,
+    0xF9,0x27,0x0F,0x7B,0x06,0xAF,0x54,0x83,0x18,0x7B,0xE1,0xDD,0x54,0x7A,0x51,0x68,
+    0x6E,0x77,0xFC,0xC6,0xBF,0x52,0x4A,0x66,0x46,0xA1,0xB2,0x67,0x1A,0xBB,0xA3,0x4F,
+    0x77,0xA0,0xBE,0x5D,0xFF,0xFC,0x56,0x0B,0x43,0x72,0x77,0x90,0xCA,0x9E,0xF9,0xF2,
+    0x39,0xF5,0x0D,0xA9,0xF4,0xEA,0xD7,0xE7,0xB3,0x10,0x2F,0x30,0x42,0x37,0x21,0xCC,
+    0x30,0x70,0xC9,0x86,0x98,0x0F,0xCC,0x58,0x4D,0x83,0xBB,0x7D,0xE5,0x1A,0xA5,0x37,
+    0x8D,0xB6,0xAC,0x32,0x97,0x00,0x3A,0x63,0x71,0x24,0x1E,0x9E,0x37,0xC4,0xFF,0x74,
+    0xD4,0x37,0xC0,0xE2,0xFE,0x88,0x46,0x60,0x11,0xDD,0x08,0x3F,0x50,0x36,0xAB,0xB8,
+    0x7A,0xA4,0x95,0x62,0x6A,0x6E,0xB0,0xCA,0x6A,0x21,0x5A,0x69,0xF3,0xF3,0xFB,0x1D,
+    0x70,0x39,0x95,0xF3,0xA7,0x6E,0xA6,0x81,0x89,0xA1,0x88,0xC5,0x3B,0x71,0xCA,0xA3,
+    0x52,0xEE,0x83,0xBB,0xFD,0xA0,0x77,0xF4,0xE4,0x6F,0xE7,0x42,0xDB,0x6D,0x4A,0x99,
+    0x8A,0x34,0x48,0xBC,0x17,0xDC,0xE4,0x80,0x08,0x22,0xB6,0xF2,0x31,0xC0,0x3F,0x04,
+    0x3E,0xEB,0x9F,0x20,0x79,0xD6,0xB8,0x06,0x64,0x64,0x02,0x31,0xD7,0xA9,0xCD,0x52,
+    0xFB,0x84,0x45,0x69,0x09,0x00,0x2A,0xDC,0x55,0x8B,0xC4,0x06,0x46,0x4B,0xC0,0x4A,
+    0x1D,0x09,0x5B,0x39,0x28,0xFD,0xA9,0xAB,0xCE,0x00,0xF9,0x2E,0x48,0x4B,0x26,0xE6,
+    0x30,0x4C,0xA5,0x58,0xCA,0xB4,0x44,0x82,0x4F,0xE7,0x91,0x1E,0x33,0xC3,0xB0,0x93,
+    0xFF,0x11,0xFC,0x81,0xD2,0xCA,0x1F,0x71,0x29,0xDD,0x76,0x4F,0x92,0x25,0xAF,0x1D,
+    0x81,0xB7,0x0F,0x2F,0x8C,0xC3,0x06,0xCC,0x2F,0x27,0xA3,0x4A,0xE4,0x0E,0x99,0xBA,
+    0x7C,0x1E,0x45,0x1F,0x7F,0xAA,0x19,0x45,0x96,0xFD,0xFC,0x3D,0x02,0x03,0x01,0x00,
+    0x01,0xA3,0x82,0x01,0x07,0x30,0x82,0x01,0x03,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,
+    0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,0x0E,0x06,
+    0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,
+    0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xE1,0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,
+    0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,0xFE,0xFB,0x3E,0x30,0x1F,0x06,0x03,
+    0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,
+    0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,0x43,0xD0,0x41,0xAE,0xF2,0x30,0x69,0x06,
+    0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x5D,0x30,0x5B,0x30,0x27,0x06,
+    0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,0x70,0x3A,
+    0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,
+    0x63,0x6F,0x6D,0x2F,0x63,0x61,0x30,0x30,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,
+    0x30,0x02,0x86,0x24,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x2E,0x73,
+    0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72,0x74,
+    0x73,0x2F,0x63,0x61,0x2E,0x63,0x72,0x74,0x30,0x32,0x06,0x03,0x55,0x1D,0x1F,0x04,
+    0x2B,0x30,0x29,0x30,0x27,0xA0,0x25,0xA0,0x23,0x86,0x21,0x68,0x74,0x74,0x70,0x3A,
+    0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,
+    0x6F,0x6D,0x2F,0x73,0x66,0x73,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00,
+    0xB6,0x6D,0xF8,0x70,0xFB,0xE2,0x0D,0x4C,0x98,0xB3,0x07,0x49,0x15,0xF5,0x04,0xC4,
+    0x6C,0xCA,0xCA,0xF5,0x68,0xA0,0x08,0xFE,0x12,0x6D,0x9C,0x04,0x06,0xC9,0xAD,0x9A,
+    0x91,0x52,0x3E,0x78,0xC4,0x5C,0xEE,0x9F,0x54,0x1D,0xEE,0xE3,0xF1,0x5E,0x30,0xC9,
+    0x49,0xE1,0x39,0xE0,0xA6,0x9D,0x36,0x6C,0x57,0xFA,0xE6,0x34,0x4F,0x55,0xE8,0x87,
+    0xA8,0x2C,0xDD,0x05,0xF1,0x58,0x12,0x91,0xE8,0xCA,0xCE,0x28,0x78,0x8F,0xDF,0x07,
+    0x85,0x01,0xA5,0xDC,0x45,0x96,0x05,0xD4,0x80,0xB2,0x2B,0x05,0x9A,0xCB,0x9A,0xA5,
+    0x8B,0xE0,0x3A,0x67,0xE6,0x73,0x47,0xBE,0x4A,0xFD,0x27,0xB1,0x88,0xEF,0xE6,0xCA,
+    0xCF,0x8D,0x0E,0x26,0x9F,0xFA,0x5F,0x57,0x78,0xAD,0x6D,0xFE,0xAE,0x9B,0x35,0x08,
+    0xB1,0xC3,0xBA,0xC1,0x00,0x4A,0x4B,0x7D,0x14,0xBD,0xF7,0xF1,0xD3,0x55,0x18,0xAC,
+    0xD0,0x33,0x70,0x88,0x6D,0xC4,0x09,0x71,0x14,0xA6,0x2B,0x4F,0x88,0x81,0xE7,0x0B,
+    0x00,0x37,0xA9,0x15,0x7D,0x7E,0xD7,0x01,0x96,0x3F,0x2F,0xAF,0x7B,0x62,0xAE,0x0A,
+    0x4A,0xBF,0x4B,0x39,0x2E,0x35,0x10,0x8B,0xFE,0x04,0x39,0xE4,0x3C,0x3A,0x0C,0x09,
+    0x56,0x40,0x3A,0xB5,0xF4,0xC2,0x68,0x0C,0xB5,0xF9,0x52,0xCD,0xEE,0x9D,0xF8,0x98,
+    0xFC,0x78,0xE7,0x58,0x47,0x8F,0x1C,0x73,0x58,0x69,0x33,0xAB,0xFF,0xDD,0xDF,0x8E,
+    0x24,0x01,0x77,0x98,0x19,0x3A,0xB0,0x66,0x79,0xBC,0xE1,0x08,0xA3,0x0E,0x4F,0xC1,
+    0x04,0xB3,0xF3,0x01,0xC8,0xEB,0xD3,0x59,0x1C,0x35,0xD2,0x93,0x1E,0x70,0x65,0x82,
+    0x7F,0xDB,0xCF,0xFB,0xC8,0x99,0x12,0x60,0xC3,0x44,0x6F,0x3A,0x80,0x4B,0xD7,0xBE,
+    0x21,0xAA,0x14,0x7A,0x64,0xCB,0xDD,0x37,0x43,0x45,0x5B,0x32,0x2E,0x45,0xF0,0xD9,
+    0x59,0x1F,0x6B,0x18,0xF0,0x7C,0xE9,0x55,0x36,0x19,0x61,0x5F,0xB5,0x7D,0xF1,0x8D,
+    0xBD,0x88,0xE4,0x75,0x4B,0x98,0xDD,0x27,0xB0,0xE4,0x84,0x44,0x2A,0x61,0x84,0x57,
+    0x05,0x82,0x11,0x1F,0xAA,0x35,0x58,0xF3,0x20,0x0E,0xAF,0x59,0xEF,0xFA,0x55,0x72,
+    0x72,0x0D,0x26,0xD0,0x9B,0x53,0x49,0xAC,0xCE,0x37,0x2E,0x65,0x61,0xFF,0xF6,0xEC,
+    0x1B,0xEA,0xF6,0xF1,0xA6,0xD3,0xD1,0xB5,0x7B,0xBE,0x35,0xF4,0x22,0xC1,0xBC,0x8D,
+    0x01,0xBD,0x68,0x5E,0x83,0x0D,0x2F,0xEC,0xD6,0xDA,0x63,0x0C,0x27,0xD1,0x54,0x3E,
+    0xE4,0xA8,0xD3,0xCE,0x4B,0x32,0xB8,0x91,0x94,0xFF,0xFB,0x5B,0x49,0x2D,0x75,0x18,
+    0xA8,0xBA,0x71,0x9A,0x3B,0xAE,0xD9,0xC0,0xA9,0x4F,0x87,0x91,0xED,0x8B,0x7B,0x6B,
+    0x20,0x98,0x89,0x39,0x83,0x4F,0x80,0xC4,0x69,0xCC,0x17,0xC9,0xC8,0x4E,0xBE,0xE4,
+    0xA9,0xA5,0x81,0x76,0x70,0x06,0x04,0x32,0xCD,0x83,0x65,0xF4,0xBC,0x7D,0x3E,0x13,
+    0xBC,0xD2,0xE8,0x6F,0x63,0xAA,0xB5,0x3B,0xDA,0x8D,0x86,0x32,0x82,0x78,0x9D,0xD9,
+    0xCC,0xFF,0xBF,0x57,0x64,0x74,0xED,0x28,0x3D,0x44,0x62,0x15,0x61,0x4B,0xF7,0x94,
+    0xB0,0x0D,0x2A,0x67,0x1C,0xF0,0xCB,0x9B,0xA5,0x92,0xBF,0xF8,0x41,0x5A,0xC1,0x3D,
+    0x60,0xED,0x9F,0xBB,0xB8,0x6D,0x9B,0xCE,0xA9,0x6A,0x16,0x3F,0x7E,0xEA,0x06,0xF1,
+};
+
+/* subject:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
+/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
+/* Not After : Sep 17 19:46:36 2036 GMT */
+
+unsigned char root_Cert[1997]={
+    0x30,0x82,0x07,0xC9,0x30,0x82,0x05,0xB1,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01,
+    0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,
+    0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,
+    0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,
+    0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,
+    0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,
+    0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,
+    0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,
+    0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
+    0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,
+    0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x17,
+    0x0D,0x33,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x30,0x7D,
+    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,0x30,
+    0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,
+    0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,0x22,
+    0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,0x43,
+    0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,0x69,
+    0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,0x61,
+    0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,
+    0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x02,
+    0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,
+    0x03,0x82,0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xC1,0x88,
+    0xDB,0x09,0xBC,0x6C,0x46,0x7C,0x78,0x9F,0x95,0x7B,0xB5,0x33,0x90,0xF2,0x72,0x62,
+    0xD6,0xC1,0x36,0x20,0x22,0x24,0x5E,0xCE,0xE9,0x77,0xF2,0x43,0x0A,0xA2,0x06,0x64,
+    0xA4,0xCC,0x8E,0x36,0xF8,0x38,0xE6,0x23,0xF0,0x6E,0x6D,0xB1,0x3C,0xDD,0x72,0xA3,
+    0x85,0x1C,0xA1,0xD3,0x3D,0xB4,0x33,0x2B,0xD3,0x2F,0xAF,0xFE,0xEA,0xB0,0x41,0x59,
+    0x67,0xB6,0xC4,0x06,0x7D,0x0A,0x9E,0x74,0x85,0xD6,0x79,0x4C,0x80,0x37,0x7A,0xDF,
+    0x39,0x05,0x52,0x59,0xF7,0xF4,0x1B,0x46,0x43,0xA4,0xD2,0x85,0x85,0xD2,0xC3,0x71,
+    0xF3,0x75,0x62,0x34,0xBA,0x2C,0x8A,0x7F,0x1E,0x8F,0xEE,0xED,0x34,0xD0,0x11,0xC7,
+    0x96,0xCD,0x52,0x3D,0xBA,0x33,0xD6,0xDD,0x4D,0xDE,0x0B,0x3B,0x4A,0x4B,0x9F,0xC2,
+    0x26,0x2F,0xFA,0xB5,0x16,0x1C,0x72,0x35,0x77,0xCA,0x3C,0x5D,0xE6,0xCA,0xE1,0x26,
+    0x8B,0x1A,0x36,0x76,0x5C,0x01,0xDB,0x74,0x14,0x25,0xFE,0xED,0xB5,0xA0,0x88,0x0F,
+    0xDD,0x78,0xCA,0x2D,0x1F,0x07,0x97,0x30,0x01,0x2D,0x72,0x79,0xFA,0x46,0xD6,0x13,
+    0x2A,0xA8,0xB9,0xA6,0xAB,0x83,0x49,0x1D,0xE5,0xF2,0xEF,0xDD,0xE4,0x01,0x8E,0x18,
+    0x0A,0x8F,0x63,0x53,0x16,0x85,0x62,0xA9,0x0E,0x19,0x3A,0xCC,0xB5,0x66,0xA6,0xC2,
+    0x6B,0x74,0x07,0xE4,0x2B,0xE1,0x76,0x3E,0xB4,0x6D,0xD8,0xF6,0x44,0xE1,0x73,0x62,
+    0x1F,0x3B,0xC4,0xBE,0xA0,0x53,0x56,0x25,0x6C,0x51,0x09,0xF7,0xAA,0xAB,0xCA,0xBF,
+    0x76,0xFD,0x6D,0x9B,0xF3,0x9D,0xDB,0xBF,0x3D,0x66,0xBC,0x0C,0x56,0xAA,0xAF,0x98,
+    0x48,0x95,0x3A,0x4B,0xDF,0xA7,0x58,0x50,0xD9,0x38,0x75,0xA9,0x5B,0xEA,0x43,0x0C,
+    0x02,0xFF,0x99,0xEB,0xE8,0x6C,0x4D,0x70,0x5B,0x29,0x65,0x9C,0xDD,0xAA,0x5D,0xCC,
+    0xAF,0x01,0x31,0xEC,0x0C,0xEB,0xD2,0x8D,0xE8,0xEA,0x9C,0x7B,0xE6,0x6E,0xF7,0x27,
+    0x66,0x0C,0x1A,0x48,0xD7,0x6E,0x42,0xE3,0x3F,0xDE,0x21,0x3E,0x7B,0xE1,0x0D,0x70,
+    0xFB,0x63,0xAA,0xA8,0x6C,0x1A,0x54,0xB4,0x5C,0x25,0x7A,0xC9,0xA2,0xC9,0x8B,0x16,
+    0xA6,0xBB,0x2C,0x7E,0x17,0x5E,0x05,0x4D,0x58,0x6E,0x12,0x1D,0x01,0xEE,0x12,0x10,
+    0x0D,0xC6,0x32,0x7F,0x18,0xFF,0xFC,0xF4,0xFA,0xCD,0x6E,0x91,0xE8,0x36,0x49,0xBE,
+    0x1A,0x48,0x69,0x8B,0xC2,0x96,0x4D,0x1A,0x12,0xB2,0x69,0x17,0xC1,0x0A,0x90,0xD6,
+    0xFA,0x79,0x22,0x48,0xBF,0xBA,0x7B,0x69,0xF8,0x70,0xC7,0xFA,0x7A,0x37,0xD8,0xD8,
+    0x0D,0xD2,0x76,0x4F,0x57,0xFF,0x90,0xB7,0xE3,0x91,0xD2,0xDD,0xEF,0xC2,0x60,0xB7,
+    0x67,0x3A,0xDD,0xFE,0xAA,0x9C,0xF0,0xD4,0x8B,0x7F,0x72,0x22,0xCE,0xC6,0x9F,0x97,
+    0xB6,0xF8,0xAF,0x8A,0xA0,0x10,0xA8,0xD9,0xFB,0x18,0xC6,0xB6,0xB5,0x5C,0x52,0x3C,
+    0x89,0xB6,0x19,0x2A,0x73,0x01,0x0A,0x0F,0x03,0xB3,0x12,0x60,0xF2,0x7A,0x2F,0x81,
+    0xDB,0xA3,0x6E,0xFF,0x26,0x30,0x97,0xF5,0x8B,0xDD,0x89,0x57,0xB6,0xAD,0x3D,0xB3,
+    0xAF,0x2B,0xC5,0xB7,0x76,0x02,0xF0,0xA5,0xD6,0x2B,0x9A,0x86,0x14,0x2A,0x72,0xF6,
+    0xE3,0x33,0x8C,0x5D,0x09,0x4B,0x13,0xDF,0xBB,0x8C,0x74,0x13,0x52,0x4B,0x02,0x03,
+    0x01,0x00,0x01,0xA3,0x82,0x02,0x52,0x30,0x82,0x02,0x4E,0x30,0x0C,0x06,0x03,0x55,
+    0x1D,0x13,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,
+    0x04,0x04,0x03,0x02,0x01,0xAE,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
+    0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,
+    0x43,0xD0,0x41,0xAE,0xF2,0x30,0x64,0x06,0x03,0x55,0x1D,0x1F,0x04,0x5D,0x30,0x5B,
+    0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,
+    0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,
+    0x2F,0x73,0x66,0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x2B,
+    0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,
+    0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x73,0x66,
+    0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x82,0x01,0x5D,0x06,
+    0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x54,0x30,0x82,0x01,0x50,0x30,0x82,0x01,0x4C,
+    0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x81,0xB5,0x37,0x01,0x01,0x01,0x30,0x82,0x01,
+    0x3B,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x23,0x68,
+    0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,
+    0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,
+    0x64,0x66,0x30,0x35,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x29,
+    0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,
+    0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x69,0x6E,0x74,0x65,0x72,0x6D,0x65,
+    0x64,0x69,0x61,0x74,0x65,0x2E,0x70,0x64,0x66,0x30,0x81,0xD0,0x06,0x08,0x2B,0x06,
+    0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xC3,0x30,0x27,0x16,0x20,0x53,0x74,0x61,
+    0x72,0x74,0x20,0x43,0x6F,0x6D,0x6D,0x65,0x72,0x63,0x69,0x61,0x6C,0x20,0x28,0x53,
+    0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x29,0x20,0x4C,0x74,0x64,0x2E,0x30,0x03,0x02,
+    0x01,0x01,0x1A,0x81,0x97,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x20,0x4C,0x69,0x61,
+    0x62,0x69,0x6C,0x69,0x74,0x79,0x2C,0x20,0x72,0x65,0x61,0x64,0x20,0x74,0x68,0x65,
+    0x20,0x73,0x65,0x63,0x74,0x69,0x6F,0x6E,0x20,0x2A,0x4C,0x65,0x67,0x61,0x6C,0x20,
+    0x4C,0x69,0x6D,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x73,0x2A,0x20,0x6F,0x66,0x20,
+    0x74,0x68,0x65,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,
+    0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,
+    0x72,0x69,0x74,0x79,0x20,0x50,0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x76,0x61,0x69,
+    0x6C,0x61,0x62,0x6C,0x65,0x20,0x61,0x74,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
+    0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,
+    0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,0x64,0x66,0x30,0x11,0x06,0x09,
+    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,0x04,0x04,0x03,0x02,0x00,0x07,0x30,
+    0x38,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,0x04,0x2B,0x16,0x29,
+    0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,
+    0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,
+    0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,
+    0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x02,0x01,0x00,0x16,0x6C,0x99,
+    0xF4,0x66,0x0C,0x34,0xF5,0xD0,0x85,0x5E,0x7D,0x0A,0xEC,0xDA,0x10,0x4E,0x38,0x1C,
+    0x5E,0xDF,0xA6,0x25,0x05,0x4B,0x91,0x32,0xC1,0xE8,0x3B,0xF1,0x3D,0xDD,0x44,0x09,
+    0x5B,0x07,0x49,0x8A,0x29,0xCB,0x66,0x02,0xB7,0xB1,0x9A,0xF7,0x25,0x98,0x09,0x3C,
+    0x8E,0x1B,0xE1,0xDD,0x36,0x87,0x2B,0x4B,0xBB,0x68,0xD3,0x39,0x66,0x3D,0xA0,0x26,
+    0xC7,0xF2,0x39,0x91,0x1D,0x51,0xAB,0x82,0x7B,0x7E,0xD5,0xCE,0x5A,0xE4,0xE2,0x03,
+    0x57,0x70,0x69,0x97,0x08,0xF9,0x5E,0x58,0xA6,0x0A,0xDF,0x8C,0x06,0x9A,0x45,0x16,
+    0x16,0x38,0x0A,0x5E,0x57,0xF6,0x62,0xC7,0x7A,0x02,0x05,0xE6,0xBC,0x1E,0xB5,0xF2,
+    0x9E,0xF4,0xA9,0x29,0x83,0xF8,0xB2,0x14,0xE3,0x6E,0x28,0x87,0x44,0xC3,0x90,0x1A,
+    0xDE,0x38,0xA9,0x3C,0xAC,0x43,0x4D,0x64,0x45,0xCE,0xDD,0x28,0xA9,0x5C,0xF2,0x73,
+    0x7B,0x04,0xF8,0x17,0xE8,0xAB,0xB1,0xF3,0x2E,0x5C,0x64,0x6E,0x73,0x31,0x3A,0x12,
+    0xB8,0xBC,0xB3,0x11,0xE4,0x7D,0x8F,0x81,0x51,0x9A,0x3B,0x8D,0x89,0xF4,0x4D,0x93,
+    0x66,0x7B,0x3C,0x03,0xED,0xD3,0x9A,0x1D,0x9A,0xF3,0x65,0x50,0xF5,0xA0,0xD0,0x75,
+    0x9F,0x2F,0xAF,0xF0,0xEA,0x82,0x43,0x98,0xF8,0x69,0x9C,0x89,0x79,0xC4,0x43,0x8E,
+    0x46,0x72,0xE3,0x64,0x36,0x12,0xAF,0xF7,0x25,0x1E,0x38,0x89,0x90,0x77,0x7E,0xC3,
+    0x6B,0x6A,0xB9,0xC3,0xCB,0x44,0x4B,0xAC,0x78,0x90,0x8B,0xE7,0xC7,0x2C,0x1E,0x4B,
+    0x11,0x44,0xC8,0x34,0x52,0x27,0xCD,0x0A,0x5D,0x9F,0x85,0xC1,0x89,0xD5,0x1A,0x78,
+    0xF2,0x95,0x10,0x53,0x32,0xDD,0x80,0x84,0x66,0x75,0xD9,0xB5,0x68,0x28,0xFB,0x61,
+    0x2E,0xBE,0x84,0xA8,0x38,0xC0,0x99,0x12,0x86,0xA5,0x1E,0x67,0x64,0xAD,0x06,0x2E,
+    0x2F,0xA9,0x70,0x85,0xC7,0x96,0x0F,0x7C,0x89,0x65,0xF5,0x8E,0x43,0x54,0x0E,0xAB,
+    0xDD,0xA5,0x80,0x39,0x94,0x60,0xC0,0x34,0xC9,0x96,0x70,0x2C,0xA3,0x12,0xF5,0x1F,
+    0x48,0x7B,0xBD,0x1C,0x7E,0x6B,0xB7,0x9D,0x90,0xF4,0x22,0x3B,0xAE,0xF8,0xFC,0x2A,
+    0xCA,0xFA,0x82,0x52,0xA0,0xEF,0xAF,0x4B,0x55,0x93,0xEB,0xC1,0xB5,0xF0,0x22,0x8B,
+    0xAC,0x34,0x4E,0x26,0x22,0x04,0xA1,0x87,0x2C,0x75,0x4A,0xB7,0xE5,0x7D,0x13,0xD7,
+    0xB8,0x0C,0x64,0xC0,0x36,0xD2,0xC9,0x2F,0x86,0x12,0x8C,0x23,0x09,0xC1,0x1B,0x82,
+    0x3B,0x73,0x49,0xA3,0x6A,0x57,0x87,0x94,0xE5,0xD6,0x78,0xC5,0x99,0x43,0x63,0xE3,
+    0x4D,0xE0,0x77,0x2D,0xE1,0x65,0x99,0x72,0x69,0x04,0x1A,0x47,0x09,0xE6,0x0F,0x01,
+    0x56,0x24,0xFB,0x1F,0xBF,0x0E,0x79,0xA9,0x58,0x2E,0xB9,0xC4,0x09,0x01,0x7E,0x95,
+    0xBA,0x6D,0x00,0x06,0x3E,0xB2,0xEA,0x4A,0x10,0x39,0xD8,0xD0,0x2B,0xF5,0xBF,0xEC,
+    0x75,0xBF,0x97,0x02,0xC5,0x09,0x1B,0x08,0xDC,0x55,0x37,0xE2,0x81,0xFB,0x37,0x84,
+    0x43,0x62,0x20,0xCA,0xE7,0x56,0x4B,0x65,0xEA,0xFE,0x6C,0xC1,0x24,0x93,0x24,0xA1,
+    0x34,0xEB,0x05,0xFF,0x9A,0x22,0xAE,0x9B,0x7D,0x3F,0xF1,0x65,0x51,0x0A,0xA6,0x30,
+    0x6A,0xB3,0xF4,0x88,0x1C,0x80,0x0D,0xFC,0x72,0x8A,0xE8,0x83,0x5E,
+};
+
+
+static SecCertificateRef createCertFromStaticData(const UInt8 *certData, CFIndex certLength)
+{
+    SecCertificateRef cert = NULL;
+    CFDataRef data = CFDataCreateWithBytesNoCopy(NULL, certData, certLength, kCFAllocatorNull);
+    if (data) {
+        cert = SecCertificateCreateWithData(NULL, data);
+        CFRelease(data);
+    }
+    return cert;
+}
+
+static void TestLeafOnAllowList()
+{
+    SecCertificateRef certs[4];
+    SecPolicyRef policy = NULL;
+    SecTrustRef trust = NULL;
+    CFDateRef date = NULL;
+    CFArrayRef certArray = NULL;
+    CFArrayRef anchorsArray = NULL;
+
+    isnt(certs[0] = createCertFromStaticData(leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)),
+         NULL, "allowlist: create leaf cert");
+    isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+         NULL, "allowlist: create intermediate ca 1");
+    isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+         NULL, "allowlist: create intermediate ca 2");
+    isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+         NULL, "allowlist: create root");
+
+    isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+         NULL, "allowlist: create cert array");
+
+    /* create a trust reference with basic policy */
+    isnt(policy = SecPolicyCreateBasicX509(), NULL, "allowlist: create policy");
+    ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "allowlist: create trust");
+
+    /* set evaluate date: September 12, 2016 at 1:30:00 PM PDT */
+    isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "allowlist: create date");
+    ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "allowlist: set verify date");
+
+    /* use a known root CA at this point in time to anchor the chain */
+    isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+         NULL, "allowlist: create anchors array");
+    ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "allowlist: set anchors");
+
+    SecTrustResultType trustResult = kSecTrustResultInvalid;
+    ok_status(SecTrustEvaluate(trust, &trustResult), "allowlist: evaluate");
+
+    /* expected result is kSecTrustResultUnspecified since cert is on allow list and its issuer chains to a trusted root */
+    ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+       (int)trustResult);
+
+    /* clean up */
+    for(CFIndex idx=0; idx < 4; idx++) {
+        if (certs[idx]) { CFRelease(certs[idx]); }
+    }
+    if (policy) { CFRelease(policy); }
+    if (trust) { CFRelease(trust); }
+    if (date) { CFRelease(date); }
+    if (certArray) { CFRelease(certArray); }
+    if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestLeafNotOnAllowList()
+{
+    SecCertificateRef certs[4];
+    SecPolicyRef policy = NULL;
+    SecTrustRef trust = NULL;
+    CFDateRef date = NULL;
+    CFArrayRef certArray = NULL;
+    CFArrayRef anchorsArray = NULL;
+
+    isnt(certs[0] = createCertFromStaticData(leafNotOnAllowList_Cert, sizeof(leafNotOnAllowList_Cert)),
+         NULL, "!allowlist: create leaf cert");
+    isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+         NULL, "!allowlist: create intermediate ca 1");
+    isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+         NULL, "!allowlist: create intermediate ca 2");
+    isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+         NULL, "!allowlist: create root");
+
+    isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+         NULL, "!allowlist: create cert array");
+
+    /* create a trust reference with basic policy */
+    isnt(policy = SecPolicyCreateBasicX509(), NULL, "!allowlist: create policy");
+    ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "!allowlist: create trust");
+
+    /* set evaluate date: September 7, 2016 at 9:00:00 PM PDT */
+    isnt(date = CFDateCreate(NULL, 495000000.0), NULL, "!allowlist: create date");
+    ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "!allowlist: set verify date");
+
+    /* use a known root CA at this point in time to anchor the chain */
+    isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+         NULL, "allowlist: create anchors array");
+    ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "!allowlist: set anchors");
+
+    SecTrustResultType trustResult = kSecTrustResultInvalid;
+    ok_status(SecTrustEvaluate(trust, &trustResult), "!allowlist: evaluate");
+
+    /* expected result is kSecTrustResultRecoverableTrustFailure (if issuer is distrusted)
+     or kSecTrustResultFatalTrustFailure (if issuer is revoked), since cert is not on allow list */
+    ok(trustResult == kSecTrustResultRecoverableTrustFailure ||
+       trustResult == kSecTrustResultFatalTrustFailure,
+       "trustResult 5 or 6 expected (got %d)", (int)trustResult);
+
+    /* clean up */
+    for(CFIndex idx=0; idx < 4; idx++) {
+        if (certs[idx]) { CFRelease(certs[idx]); }
+    }
+    if (policy) { CFRelease(policy); }
+    if (trust) { CFRelease(trust); }
+    if (date) { CFRelease(date); }
+    if (certArray) { CFRelease(certArray); }
+    if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestAllowListForRootCA(void)
+{
+    SecCertificateRef test0[2] = {NULL,NULL};
+    SecCertificateRef test1[2] = {NULL,NULL};
+    SecCertificateRef test1e[2] = {NULL,NULL};
+    SecCertificateRef test2[2] = {NULL,NULL};
+    SecPolicyRef policy = NULL;
+    SecTrustRef trust = NULL;
+    CFDateRef date = NULL;
+    SecTrustResultType trustResult;
+
+    isnt(test0[0] = createCertFromStaticData(cert0, sizeof(cert0)),
+            NULL, "create first leaf");
+    isnt(test1[0] = createCertFromStaticData(cert1, sizeof(cert1)),
+         NULL, "create second leaf");
+    isnt(test1e[0] = createCertFromStaticData(cert1_expired, sizeof(cert1_expired)),
+         NULL, "create second leaf (expired)");
+    isnt(test2[0] = createCertFromStaticData(cert2, sizeof(cert2)),
+         NULL, "create third leaf");
+
+    isnt(test0[1] = createCertFromStaticData(intermediate0, sizeof(intermediate0)),
+         NULL, "create intermediate");
+    isnt(test1[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+         NULL, "create intermediate");
+    isnt(test1e[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+         NULL, "create intermediate");
+    isnt(test2[1] = createCertFromStaticData(intermediate2, sizeof(intermediate2)),
+         NULL, "create intermediate");
+
+    CFArrayRef certs0 = CFArrayCreate(kCFAllocatorDefault, (const void **)test0, 2, &kCFTypeArrayCallBacks);
+    CFArrayRef certs1 = CFArrayCreate(kCFAllocatorDefault, (const void **)test1, 2, &kCFTypeArrayCallBacks);
+    CFArrayRef certs1e = CFArrayCreate(kCFAllocatorDefault, (const void **)test1e, 2, &kCFTypeArrayCallBacks);
+    CFArrayRef certs2 = CFArrayCreate(kCFAllocatorDefault, (const void **)test2, 2, &kCFTypeArrayCallBacks);
+
+    /*
+     * Whitelisted certificates issued by untrusted root CA.
+     */
+    isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy");
+    ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust");
+    /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+    isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+    ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+       (int)trustResult);
+    if (trust) { CFRelease(trust); }
+    if (date) { CFRelease(date); }
+
+    ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust");
+    /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+    isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+    ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+       (int)trustResult);
+    if (trust) { CFRelease(trust); }
+    if (date) { CFRelease(date); }
+
+    ok_status(SecTrustCreateWithCertificates(certs2, policy, &trust), "create trust");
+    /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+    isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+    ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+       (int)trustResult);
+    /*
+     * Same certificate, on allow list but past expiration. Expect to fail.
+     */
+    if (date) { CFRelease(date); }
+    isnt(date = CFDateCreate(NULL, 667680000.0), NULL, "create date");
+    ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set date to far future so certs are expired");
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+       (int)trustResult);
+    if (trust) { CFRelease(trust); }
+    if (date) { CFRelease(date); }
+
+    /*
+     * Expired certificate not on allow list. Expect to fail.
+     */
+    ok_status(SecTrustCreateWithCertificates(certs1e, policy, &trust), "create trust");
+    /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+    isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+    ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+       (int)trustResult);
+    if (trust) { CFRelease(trust); }
+    if (date) { CFRelease(date); }
+
+
+    /* Clean up. */
+    if (policy) { CFRelease(policy); }
+    if (certs0) { CFRelease(certs0); }
+    if (certs1) { CFRelease(certs1); }
+    if (certs1e) { CFRelease(certs1e); }
+    if (certs2) { CFRelease(certs2); }
+
+    if (test0[0]) { CFRelease(test0[0]); }
+    if (test0[1]) { CFRelease(test0[1]); }
+    if (test1[0]) { CFRelease(test1[0]); }
+    if (test1[1]) { CFRelease(test1[1]); }
+    if (test1e[0]) { CFRelease(test1e[0]); }
+    if (test1e[1]) { CFRelease(test1e[1]); }
+    if (test2[0]) { CFRelease(test2[0]); }
+    if (test2[1]) { CFRelease(test2[1]); }
+}
+
+static void tests(void)
+{
+    TestAllowListForRootCA();
+    TestLeafOnAllowList();
+    TestLeafNotOnAllowList();
+}
+
+int si_84_sectrust_allowlist(int argc, char *const *argv)
+{
+    plan_tests(59);
+    tests();
+
+    return 0;
+}
index 752cf3e3e5b30c546f09b972156f41cd7135c772..d7c506d466eb4d68acab05213a75c1983e1909cd 100644 (file)
@@ -175,6 +175,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF
             require_quiet(constraint = SecAccessConstraintCreateValueOfKofN(allocator, or?1:constraints_count, constraints, error), errOut);
             if (flags & kSecAccessControlPrivateKeyUsage) {
                 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, constraint, error), errOut);
+                require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, constraint, error), errOut);
                 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut);
             }
             else {
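Review bot: The `kAKSKeyOpComputeKey` constraint added on the new line is only accepted by `SecAccessControlAddConstraintForOperation` inside the `#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80)` part of its allowed-operation list (hunk `@@ -340,7 +343,7 @@` below), so on builds where that guard is false the add would fail the `CheckItemInArray` check and jump to `errOut`. The second and third call sites (hunks `@@ -189,6 +190,7 @@` and `@@ -203,6 +205,7 @@`) visibly sit under that same guard, but whatever `#if` encloses this first call site is outside the hunk, so confirm it is guarded identically. The enclosing `SecAccessControlCreateWithFlags` body starts and ends outside the hunk. A one-line comment on the added line, `/* ComputeKey shares the Sign constraint; keep under the same #if as the allowed-operations list in SecAccessControlAddConstraintForOperation */`, would make that coupling visible to the next editor.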
@@ -189,6 +190,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF
 #if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80)
             if (flags & kSecAccessControlPrivateKeyUsage) {
                 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, CFArrayGetValueAtIndex(constraints, 0), error), errOut);
+                require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, CFArrayGetValueAtIndex(constraints, 0), error), errOut);
                 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut);
             }
             else {
@@ -203,6 +205,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF
 #if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80)
             if (flags & kSecAccessControlPrivateKeyUsage) {
                 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, kCFBooleanTrue, error), errOut);
+                require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, kCFBooleanTrue, error), errOut);
                 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut);
                 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut);
             }
@@ -340,7 +343,7 @@ errOut:
 bool SecAccessControlAddConstraintForOperation(SecAccessControlRef access_control, CFTypeRef operation, CFTypeRef constraint, CFErrorRef *error) {
     CheckItemInArray(operation, ItemArray(kAKSKeyOpEncrypt, kAKSKeyOpDecrypt,
 #if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80)
-                                          kAKSKeyOpSign, kAKSKeyOpAttest,
+                                          kAKSKeyOpSign, kAKSKeyOpAttest, kAKSKeyOpComputeKey,
 #endif
                                           kAKSKeyOpSync, kAKSKeyOpDefaultAcl, kAKSKeyOpDelete),
                      "SecAccessControl: invalid operation %@");
index 93181ca14d61be86559692183b1dfc255577b3a2..bbc468d8fe05ba303cd8b0c148e632b0c5097239 100644 (file)
@@ -30,6 +30,7 @@
 #include <Security/SecBasePriv.h>
 #include <utilities/SecCFError.h>
 #include <utilities/SecCFWrappers.h>
+#include <utilities/array_size.h>
 #include <ctkclient.h>
 #include <libaks_acl_cf_keys.h>
 
@@ -227,6 +228,8 @@ out:
     return attrs;
 }
 
+static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key);
+
 static SecKeyDescriptor kSecCTKKeyDescriptor = {
     .version = kSecKeyDescriptorVersion,
     .name = "CTKKey",
@@ -239,8 +242,26 @@ static SecKeyDescriptor kSecCTKKeyDescriptor = {
     .getAlgorithmID = SecCTKGetAlgorithmID,
     .copyPublic = SecCTKKeyCopyPublicOctets,
     .copyOperationResult = SecCTKKeyCopyOperationResult,
+    .createDuplicate = SecCTKKeyCreateDuplicate,
 };
 
+static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key) {
+    SecKeyRef result = SecKeyCreate(CFGetAllocator(key), &kSecCTKKeyDescriptor, 0, 0, 0);
+    SecCTKKeyData *kd = key->key, *rd = result->key;
+    rd->token = CFRetainSafe(kd->token);
+    rd->objectID = CFRetainSafe(kd->objectID);
+    rd->token_id = CFRetainSafe(kd->token_id);
+    if (kd->attributes.dictionary != NULL) {
+        rd->attributes.dictionary = kd->attributes.dictionary;
+        SecCFDictionaryCOWGetMutable(&rd->attributes);
+    }
+    if (kd->auth_params.dictionary != NULL) {
+        rd->auth_params.dictionary = kd->auth_params.dictionary;
+        SecCFDictionaryCOWGetMutable(&rd->auth_params);
+    }
+    return result;
+}
+
 SecKeyRef SecKeyCreateCTKKey(CFAllocatorRef allocator, CFDictionaryRef refAttributes, CFErrorRef *error) {
     SecKeyRef key = SecKeyCreate(allocator, &kSecCTKKeyDescriptor, 0, 0, 0);
     SecCTKKeyData *kd = key->key;
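Review bot: `SecCTKKeyCreateDuplicate` dereferences `result->key` without checking that `SecKeyCreate` returned non-NULL; unless `SecKeyCreate` is guaranteed never to fail (not visible here), a guard such as `if (result == NULL) { return NULL; }` after the create belongs before the `rd` assignment. The handling of `attributes` and `auth_params` also deserves a comment: the source's `dictionary` pointer is stored into the new key and then `SecCFDictionaryCOWGetMutable` is called on it, which only works if that helper takes its own reference (copies) rather than releasing or adopting the shared pointer — I cannot confirm that from this hunk, so please verify or retain explicitly. A short header comment, `/* Memory-only duplicate: token/objectID/token_id are retained, attribute dictionaries are copied-on-write so parameters set on the copy do not leak into the original. */`, would state the contract the SecKeyPriv.h documentation promises.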
@@ -425,18 +446,57 @@ out:
 }
 
 Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
+    CFTypeRef acm_reference = NULL;
     require_action_quiet(key->key_class == &kSecCTKKeyDescriptor, out,
                          SecError(errSecUnimplemented, error, CFSTR("SecKeySetParameter() not supported for key %@"), key));
     SecCTKKeyData *kd = key->key;
-    if (kd->params == NULL) {
-        kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+
+    static const CFStringRef *const knownUseFlags[] = {
+        &kSecUseOperationPrompt,
+        &kSecUseAuthenticationContext,
+        &kSecUseAuthenticationUI,
+        &kSecUseCallerName,
+        &kSecUseCredentialReference,
+    };
+
+    // Check, whether name is part of known use flags.
+    bool isUseFlag = false;
+    for (size_t i = 0; i < array_size(knownUseFlags); i++) {
+        if (CFEqual(*knownUseFlags[i], name)) {
+            isUseFlag = true;
+            break;
+        }
     }
-    if (value != NULL) {
-        CFDictionarySetValue(kd->params, name, value);
+
+    if (CFEqual(name, kSecUseAuthenticationContext)) {
+        // Preprocess LAContext to ACMRef value.
+        if (value != NULL) {
+            require_quiet(acm_reference = SecItemAttributesCopyPreparedAuthContext(value, error), out);
+            value = acm_reference;
+        }
+        name = kSecUseCredentialReference;
+    }
+
+    if (isUseFlag) {
+        // Release existing token connection to enforce creation of new connection with new auth params.
+        CFReleaseNull(kd->token);
+        if (value != NULL) {
+            CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name, value);
+        } else {
+            CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name);
+        }
     } else {
-        CFDictionaryRemoveValue(kd->params, name);
+        if (kd->params == NULL) {
+            kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+        }
+        if (value != NULL) {
+            CFDictionarySetValue(kd->params, name, value);
+        } else {
+            CFDictionaryRemoveValue(kd->params, name);
+        }
     }
 
 out:
+    CFReleaseSafe(acm_reference);
     return TRUE;
 }
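Review bot: The new `require_quiet(acm_reference = SecItemAttributesCopyPreparedAuthContext(value, error), out);` jumps to `out:` on failure, and `out:` still does `return TRUE;`, so the caller sees success while `*error` is set and the authentication context was never stored in `auth_params`. The pre-existing unsupported-key path had the same shape, but this hunk adds a second, input-dependent failure that now reports success; introducing `Boolean ok = FALSE;` at the top, `ok = TRUE;` just before `out:`, and `return ok;` would make both paths honest (check whether any caller relies on the current always-TRUE return before changing the first one). A brief comment above the `isUseFlag` loop, `// Use-flags live in auth_params and force a token reconnect; everything else goes to params.`, would explain why the two dictionaries are split.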
index 674e1607697100033d713bd13147c01cee09039c..3d437f1f06e6ae1a84db78be8bd0f10e3f891691 100644 (file)
@@ -5045,7 +5045,7 @@ SecKeyRef SecCertificateCopyPublicKey(SecCertificateRef certificate)
     return CFRetainSafe(certificate->_pubKey);
 }
 
-bool SecCertificateIsWeak(SecCertificateRef certificate) {
+bool SecCertificateIsWeakKey(SecCertificateRef certificate) {
     bool weak = true;
     SecKeyRef pubKey = NULL;
 #if SECTRUST_OSX
@@ -5070,6 +5070,19 @@ out:
     return weak;
 }
 
+bool SecCertificateIsWeakHash(SecCertificateRef certificate) {
+    SecSignatureHashAlgorithm certAlg = 0;
+    certAlg = SecCertificateGetSignatureHashAlgorithm(certificate);
+    if (certAlg == kSecSignatureHashAlgorithmUnknown ||
+        certAlg == kSecSignatureHashAlgorithmMD2 ||
+        certAlg == kSecSignatureHashAlgorithmMD4 ||
+        certAlg == kSecSignatureHashAlgorithmMD5 ||
+        certAlg == kSecSignatureHashAlgorithmSHA1) {
+        return true;
+    }
+    return false;
+}
+
 bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate,
                                        CFDictionaryRef keySizes) {
     bool goodSize = false;
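Review bot: `SecCertificateIsWeakHash` deliberately treats `kSecSignatureHashAlgorithmUnknown` as weak, which is the right fail-closed choice, but nothing says so; a header comment such as `/* True when the signature hash is MD2/MD4/MD5/SHA-1, or cannot be identified — unknown algorithms are treated as weak so unrecognised OIDs fail closed. */` would keep a future "fix" from flipping that case. Stylistically the `if (...) { return true; } return false;` can be a single `return` of the boolean expression, and the `certAlg = 0;` initialiser followed by immediate reassignment can be collapsed into the declaration.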
index 262c03776122bd85e40021e75b38f6791de8c7c8..da7de66f2a2414531f32c6a31383aa00c6e21793 100644 (file)
@@ -329,7 +329,7 @@ OSStatus SecCertificateParseGeneralNameContentProperty(DERTag tag,
 OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *context,
                                          parseGeneralNameCallback callback);
 
-bool SecCertificateIsWeak(SecCertificateRef certificate);
+bool SecCertificateIsWeakKey(SecCertificateRef certificate);
 bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate,
                                        CFDictionaryRef keySizes);
 
@@ -343,6 +343,8 @@ extern const CFStringRef kSecSignatureDigestAlgorithmSHA256;
 extern const CFStringRef kSecSignatureDigestAlgorithmSHA384;
 extern const CFStringRef kSecSignatureDigestAlgorithmSHA512;
 
+bool SecCertificateIsWeakHash(SecCertificateRef certificate);
+
 CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string);
 bool SecCertificateIsOidString(CFStringRef oid);
 
index 9b47506be6dcff5230b1c768eb715e73a75b9c95..1e05a332d66ef10a00992e79028b93670597df7f 100644 (file)
@@ -600,7 +600,7 @@ SecPathVerifyStatus SecCertificatePathVerify(
        return kSecPathVerifySuccess;
 }
 
-static bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime) {
+bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime) {
     CFIndex ix;
     for (ix = 0; ix < certificatePath->count; ++ix) {
         if (!SecCertificateIsValid(certificatePath->certificates[ix],
@@ -619,13 +619,7 @@ bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath) {
         count--;
     }
     for (ix = 0; ix < count; ++ix) {
-        SecSignatureHashAlgorithm certAlg = 0;
-        certAlg = SecCertificateGetSignatureHashAlgorithm(certificatePath->certificates[ix]);
-        if (certAlg == kSecSignatureHashAlgorithmUnknown ||
-            certAlg == kSecSignatureHashAlgorithmMD2 ||
-            certAlg == kSecSignatureHashAlgorithmMD4 ||
-            certAlg == kSecSignatureHashAlgorithmMD5 ||
-            certAlg == kSecSignatureHashAlgorithmSHA1) {
+        if (SecCertificateIsWeakHash(certificatePath->certificates[ix])) {
             return true;
         }
     }
index b87932b506763650cedaf3faeddf3f117c01bca3..a1e5e966454f09e23e3fc1921ffc65a3de8a04fb 100644 (file)
@@ -123,6 +123,8 @@ enum {
 SecPathVerifyStatus SecCertificatePathVerify(
        SecCertificatePathRef certificatePath);
 
+bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime);
+
 bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath);
 
 CFIndex SecCertificatePathScore(SecCertificatePathRef certificatePath,
index f235687431482f1c2443220fce1c746d900348fe..4399d1e5de1ab9f44d9f1d02222be02e20b77d61 100644 (file)
@@ -96,6 +96,7 @@ _kSecPolicyAppleProfileSigner
 _kSecPolicyApplePushService
 _kSecPolicyAppleQAProfileSigner
 _kSecPolicyAppleRevocation
+_kSecPolicyAppleSecureIOStaticAsset
 _kSecPolicyAppleServerAuthentication
 _kSecPolicyAppleSMIME
 _kSecPolicyAppleSMPEncryption
@@ -110,6 +111,7 @@ _kSecPolicyAppleTimeStamping
 _kSecPolicyAppleTVOSApplicationSigning
 _kSecPolicyAppleUniqueDeviceIdentifierCertificate
 _kSecPolicyAppleURLBag
+_kSecPolicyAppleWarsaw
 _kSecPolicyAppleX509Basic
 _kSecPolicyMacAppStoreReceipt
 
@@ -226,12 +228,14 @@ _SecPolicyCreateApplePPQService
 _SecPolicyCreateApplePPQSigning
 _SecPolicyCreateApplePushService
 _SecPolicyCreateApplePushServiceLegacy
+_SecPolicyCreateAppleSecureIOStaticAsset
 _SecPolicyCreateAppleSMPEncryption
 _SecPolicyCreateAppleSoftwareSigning
 _SecPolicyCreateAppleSSLPinned
 _SecPolicyCreateAppleSSLService
 _SecPolicyCreateAppleTimeStamping
 _SecPolicyCreateAppleTVOSApplicationSigning
+_SecPolicyCreateAppleWarsaw
 _SecPolicyCreateBasicX509
 _SecPolicyCreateCodeSigning
 _SecPolicyCreateConfigurationProfileSigner
@@ -484,7 +488,8 @@ _SecCertificateIsSelfSigned
 _SecCertificateIsSelfSignedCA
 _SecCertificateIsSignedBy
 _SecCertificateIsValid
-_SecCertificateIsWeak
+_SecCertificateIsWeakHash
+_SecCertificateIsWeakKey
 _SecCertificateNotValidAfter
 _SecCertificateNotValidBefore
 _SecCertificateParseGeneralNameContentProperty
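Review bot: Dropping `_SecCertificateIsWeak` from the export list removes a previously exported symbol rather than aliasing it, so any binary still linking the old name would fail to load against the new framework. The declaration lives in SecCertificateInternal.h, which suggests SPI with in-tree users only, but that cannot be confirmed from this diff; if out-of-tree consumers exist, keep the old export for one release alongside `_SecCertificateIsWeakKey`.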
@@ -503,6 +508,7 @@ _SecCertificatePathGetRoot
 _SecCertificatePathGetUsageConstraintsAtIndex
 _SecCertificatePathHasWeakHash
 _SecCertificatePathIsAnchored
+_SecCertificatePathIsValid
 _SecCertificatePathScore
 _SecCertificatePathSelfSignedIndex
 _SecCertificatePathSetIsAnchored
@@ -779,6 +785,7 @@ _SecKeyCreate
 _SecKeyCreateAttestation
 _SecKeyCreateEncryptedData
 _SecKeyCreateDecryptedData
+_SecKeyCreateDuplicate
 _SecKeyCreatePublicFromPrivate
 _SecKeyCreateSignature
 _SecKeyCreateFromAttributeDictionary
index 161f56cee5a8eb63931305757360ebf02da31806..18c366701b9039e7afc51d3336e8d6df5214558d 100644 (file)
@@ -231,6 +231,8 @@ static OSStatus osstatus_for_ctk_error(CFIndex ctkError) {
             return errSecUnimplemented;
         case kTKErrorCodeCanceledByUser:
             return errSecUserCanceled;
+        case kTKErrorCodeCorruptedData:
+            return errSecDecode;
         default:
             return errSecInternal;
     }
@@ -1028,6 +1030,23 @@ out:
     return ok;
 }
 
+CFDataRef SecItemAttributesCopyPreparedAuthContext(CFTypeRef la_context, CFErrorRef *error) {
+    void *la_lib = NULL;
+    CFDataRef acm_context = NULL;
+    require_action_quiet(la_lib = dlopen("/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication", RTLD_LAZY), out,
+                         SecError(errSecInternal, error, CFSTR("failed to open LocalAuthentication.framework")));
+    LAFunctionCopyExternalizedContext fnCopyExternalizedContext = NULL;
+    require_action_quiet(fnCopyExternalizedContext = dlsym(la_lib, "LACopyExternalizedContext"), out,
+                         SecError(errSecInternal, error, CFSTR("failed to obtain LACopyExternalizedContext")));
+    require_action_quiet(acm_context = fnCopyExternalizedContext(la_context), out,
+                         SecError(errSecInternal, error, CFSTR("failed to get ACM handle from LAContext")));
+out:
+    if (la_lib != NULL) {
+        dlclose(la_lib);
+    }
+    return acm_context;
+}
+
 static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, bool forQuery, CFErrorRef *error) {
     bool ok = false;
     CFDataRef ac_data = NULL, acm_context = NULL;
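Review bot: `SecItemAttributesCopyPreparedAuthContext` becomes a shared helper with a declaration in SecItemInternal.h but carries no contract comment; a header comment should state that the returned `CFDataRef` is owned by the caller (Copy rule), that `la_context` is handed untyped to `LACopyExternalizedContext` so callers must pass a genuine LAContext object, and that `*error` is set and NULL returned on any failure. It is worth noting in that comment that the framework is loaded by absolute path (so no search-path lookup) and `dlclose`d on every call, since a future caller on a hot path may want to know the cost. The `LAFunctionCopyExternalizedContext` typedef is defined outside the hunk, so I cannot check its signature matches the cast-free assignment here.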
@@ -1043,13 +1062,7 @@ static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, bool forQuery, C
     if (la_context) {
         require_action_quiet(!CFDictionaryContainsKey(attrs->dictionary, kSecUseCredentialReference), out,
                              SecError(errSecParam, error, CFSTR("kSecUseAuthenticationContext cannot be used together with kSecUseCredentialReference")));
-        require_action_quiet(la_lib = dlopen("/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication", RTLD_LAZY), out,
-                             SecError(errSecInternal, error, CFSTR("failed to open LocalAuthentication.framework")));
-        LAFunctionCopyExternalizedContext fnCopyExternalizedContext = NULL;
-        require_action_quiet(fnCopyExternalizedContext = dlsym(la_lib, "LACopyExternalizedContext"), out,
-                             SecError(errSecInternal, error, CFSTR("failed to obtain LACopyExternalizedContext")));
-        require_action_quiet(acm_context = fnCopyExternalizedContext(la_context), out,
-                             SecError(errSecInternal, error, CFSTR("failed to get ACM handle from LAContext")));
+        require_quiet(acm_context = SecItemAttributesCopyPreparedAuthContext(la_context, error), out);
         CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(attrs), kSecUseAuthenticationContext);
         CFDictionarySetValue(SecCFDictionaryCOWGetMutable(attrs), kSecUseCredentialReference, acm_context);
     }
index 6312eb69836041083da6b733488d1ce8500a062a..fb1fda872b63317f30849f694c9f5da65f4449e5 100644 (file)
@@ -88,6 +88,8 @@ TKTokenRef SecTokenCreate(CFStringRef token_id, CFDictionaryRef auth_params, CFE
 
 CFDataRef _SecTokenItemCopyValueData(CFDataRef db_value, CFErrorRef *error);
 
+CFDataRef SecItemAttributesCopyPreparedAuthContext(CFTypeRef la_context, CFErrorRef *error);
+
 __END_DECLS
 
 #endif /* !_SECURITY_SECITEMINTERNAL_H_ */
index 7b4bc43b4c16218e938bf06a42edd49a7892490b..90cef0427a1fa8df857793a5a8c38bf4fc859a62 100644 (file)
@@ -579,7 +579,7 @@ out:
     CFReleaseSafe(in2);
     CFReleaseSafe(output);
     if (error != NULL) {
-        status = (OSStatus)CFErrorGetCode(error);
+        status = SecErrorGetOSStatus(error);
         if (status == errSecVerifyFailed) {
             // Legacy functions used errSSLCrypto, while new implementation uses errSecVerifyFailed.
             status = errSSLCrypto;
@@ -1172,6 +1172,14 @@ SecKeyRef SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error) {
     return privKey;
 }
 
+SecKeyRef SecKeyCreateDuplicate(SecKeyRef key) {
+    if (key->key_class->version >= 4 && key->key_class->createDuplicate) {
+        return key->key_class->createDuplicate(key);
+    } else {
+        return (SecKeyRef)CFRetain(key);
+    }
+}
+
 #pragma mark Generic algorithm adaptor lookup and invocation
 
 static CFTypeRef SecKeyCopyBackendOperationResult(SecKeyOperationContext *context, SecKeyAlgorithm algorithm,
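Review bot: The fallback `return (SecKeyRef)CFRetain(key);` hands back the original object, so a descriptor at version 4 or later that supports `SecKeySetParameter` but does not fill in `createDuplicate` would let a "temporary" parameter set on the copy silently mutate the shared key — the header describes the alias as applying only to immutable keys, but the condition here is the presence of the hook, not immutability. Today the only `SecKeySetParameter` implementation visible in this diff is the CTK one, which does supply `createDuplicate`, so the behaviour is consistent; a comment on the `else` branch, `// No createDuplicate hook: treat the key as immutable and return a retained alias (SecKeySetParameter on it would affect the original).`, records that invariant. `key` is dereferenced without a NULL check; if other SecKey entry points guard against NULL (not visible here), this one should too.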
index b2d7bfcd0a16efd385e915acf043c67fa2d2de8b..51704ea9e616f7fd1bf4f6e4e2dec77eb54aba8d 100644 (file)
@@ -132,6 +132,7 @@ typedef CFStringRef (*SecKeyDescribeMethod)(SecKeyRef key);
 typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErrorRef *error);
 typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key);
 typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2);
+typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key);
 
 /*!
  @abstract Performs cryptographic operation with the key.
@@ -198,6 +199,7 @@ typedef struct __SecKeyDescriptor {
     SecKeyCopyPublicKeyMethod copyPublicKey;
     SecKeyCopyOperationResultMethod copyOperationResult;
     SecKeyIsEqualMethod isEqual;
+    SecKeyCreateDuplicateMethod createDuplicate;
 #endif
 } SecKeyDescriptor;
 
@@ -462,6 +464,19 @@ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AV
 Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error)
 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 
+/*!
+ @function SecKeyCreateDuplicate
+ @abstract Creates duplicate fo the key.
+
+ @param key Source key to be duplicated
+
+ @discussion Only memory representation of the key is duplicated, so if the key is backed by keychain, only one instance
+ stays in the keychain.  Duplicating key is useful for setting 'temporary' key parameters using SecKeySetParameter.
+ If the key is immutable (i.e. does not support SecKeySetParameter), calling this method is identical to calling CFRetain().
+ */
+SecKeyRef SecKeyCreateDuplicate(SecKeyRef key)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
 /*!
  Algorithms for converting between bigendian and core-crypto ccunit data representation.
  */
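Review bot: The new HeaderDoc for `SecKeyCreateDuplicate` has a typo in the abstract, `Creates duplicate fo the key.` → `@abstract Creates a duplicate of the key.`, and the discussion would read better as `Duplicating a key is useful for setting 'temporary' key parameters using SecKeySetParameter.` It would also help callers to state that the result follows the Create rule (caller must `CFRelease` it), which holds for both the real duplicate and the `CFRetain` fallback.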
index 339c029d251e9d2cd97ced1ab55e037869a2e83f..3b0ed3743abfe77fe49935bf93dfbdaa6289b53c 100644 (file)
 #include <utilities/SecCFWrappers.h>
 #include <utilities/array_size.h>
 #include <ipc/securityd_client.h>
-#if TARGET_OS_EMBEDDED
-#include <MobileGestalt.h>
-#else
-#include <sys/utsname.h>
-#endif
 
 #include <utilities/SecInternalReleasePriv.h>
 
@@ -265,6 +260,8 @@ SEC_CONST_DECL (kSecPolicyAppleTVOSApplicationSigning, "1.2.840.113635.100.1.71"
 SEC_CONST_DECL (kSecPolicyAppleUniqueDeviceIdentifierCertificate, "1.2.840.113635.100.1.72");
 SEC_CONST_DECL (kSecPolicyAppleEscrowProxyCompatibilityServerAuth, "1.2.840.113635.100.1.73");
 SEC_CONST_DECL (kSecPolicyAppleMMCSCompatibilityServerAuth, "1.2.840.113635.100.1.74");
+SEC_CONST_DECL (kSecPolicyAppleSecureIOStaticAsset, "1.2.840.113635.100.1.75");
+SEC_CONST_DECL (kSecPolicyAppleWarsaw, "1.2.840.113635.100.1.76");
 
 SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid");
 SEC_CONST_DECL (kSecPolicyName, "SecPolicyName");
@@ -354,6 +351,8 @@ static CFStringRef kSecPolicyNameAppleGSService = CFSTR("GS");
 static CFStringRef kSecPolicyNameAppleMMCSService = CFSTR("MMCS");
 static CFStringRef kSecPolicyNameApplePPQService = CFSTR("PPQ");
 static CFStringRef kSecPolicyNameAppleUniqueDeviceCertificate = CFSTR("UCRT");
+static CFStringRef kSecPolicyNameAppleSecureIOStaticAsset = CFSTR("SecureIOStaticAsset");
+static CFStringRef kSecPolicyNameAppleWarsaw = CFSTR("Warsaw");
 
 
 /* Policies will now change to multiple categories of checks.
@@ -651,6 +650,7 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
        }
 
        /* These are in the same order as the constant declarations. */
+       /* @@@ This should be turned into a table. */
        if (CFEqual(policyIdentifier, kSecPolicyAppleX509Basic)) {
                policy = SecPolicyCreateBasicX509();
        }
@@ -890,6 +890,9 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
         } else {
             secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
         }
+    }
+    else if (CFEqual(policyIdentifier, kSecPolicyAppleSecureIOStaticAsset)) {
+        policy = SecPolicyCreateAppleSecureIOStaticAsset();
     }
        else {
                secerror("ERROR: policy \"%@\" is unsupported", policyIdentifier);
@@ -1630,6 +1633,8 @@ static bool allowTestHierarchyForPolicy(CFStringRef policyName) {
     require(setting, fail);
     if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL)) {
         allow = true;
+    } else {
+        secnotice("pinningQA", "could not enable test hierarchy: %@ not true", setting);
     }
     CFRelease(setting);
 fail:
@@ -1638,7 +1643,7 @@ fail:
 
 static bool SecPolicyAddAppleAnchorOptions(CFMutableDictionaryRef options, CFStringRef policyName)
 {
-    CFMutableDictionaryRef appleAnchorOptions;
+    CFMutableDictionaryRef appleAnchorOptions = NULL;
     appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
     if (!appleAnchorOptions) {
         return false;
@@ -1766,9 +1771,14 @@ requireUATPinning(CFStringRef service)
     if (SecIsInternalRelease()) {
         CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationNoPinning%@"), service);
         require(setting, fail);
-        if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL))
+        if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) {
             pinningRequired = false;
+        } else {
+            secnotice("pinningQA", "could not disable pinning: %@ not true", setting);
+        }
         CFRelease(setting);
+    } else {
+        secnotice("pinningQA", "could not disable pinning: not an internal release");
     }
 fail:
     return pinningRequired;
@@ -3065,7 +3075,13 @@ allowUATRoot(bool allowNonProd, CFStringRef service, CFDictionaryRef context)
         if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) {
             UATAllowed = true;
         }
+
+        if (!UATAllowed) {
+            secnotice("pinningQA", "could not enable test cert: %@ not true", setting);
+        }
         CFRelease(setting);
+    } else {
+        secnotice("pinningQA", "could not enable test cert: not an internal release");
     }
 fail:
     return UATAllowed;
@@ -3840,3 +3856,121 @@ errOut:
     CFReleaseSafe(ecSize);
     return result;
 }
+
+SecPolicyRef SecPolicyCreateAppleWarsaw(void) {
+    CFMutableDictionaryRef options = NULL;
+    CFDictionaryRef keySizes = NULL;
+    CFNumberRef rsaSize = NULL, ecSize = NULL;
+    SecPolicyRef result = NULL;
+#if TARGET_OS_BRIDGE
+    CFMutableDictionaryRef appleAnchorOptions = NULL;
+#endif
+
+    require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+                                                &kCFTypeDictionaryKeyCallBacks,
+                                                &kCFTypeDictionaryValueCallBacks), errOut);
+
+    SecPolicyAddBasicX509Options(options);
+
+    /* Anchored to the Apple Roots. */
+#if TARGET_OS_BRIDGE
+    /* On the bridge, test roots are gated in the trust and policy servers. */
+    require_quiet(appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL), errOut);
+    CFDictionarySetValue(appleAnchorOptions,
+                         kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+    add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+    CFReleaseSafe(appleAnchorOptions);
+#else
+    require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleWarsaw),
+                  errOut);
+#endif
+
+    /* Exactly 3 certs in the chain */
+    require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
+    /* Intermediate marker OID matches input OID */
+    add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.14"));
+
+    /* Leaf marker OID matches input OID */
+    add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.29"));
+
+    /* Check revocation using any available method */
+    add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
+
+    /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
+    require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
+    require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
+    const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
+    const void *values[] = { rsaSize, ecSize };
+    require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
+                                          &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
+    add_element(options, kSecPolicyCheckKeySize, keySizes);
+
+    require(result = SecPolicyCreate(kSecPolicyAppleWarsaw,
+                                     kSecPolicyNameAppleWarsaw, options), errOut);
+
+errOut:
+    CFReleaseSafe(options);
+    CFReleaseSafe(keySizes);
+    CFReleaseSafe(rsaSize);
+    CFReleaseSafe(ecSize);
+    return result;
+}
+
+SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) {
+    CFMutableDictionaryRef options = NULL;
+    CFDictionaryRef keySizes = NULL;
+    CFNumberRef rsaSize = NULL, ecSize = NULL;
+    SecPolicyRef result = NULL;
+#if TARGET_OS_BRIDGE
+    CFMutableDictionaryRef appleAnchorOptions = NULL;
+#endif
+
+    require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+                                                &kCFTypeDictionaryKeyCallBacks,
+                                                &kCFTypeDictionaryValueCallBacks), errOut);
+
+    /* This certificate cannot expire so that assets always load */
+    SecPolicyAddBasicCertOptions(options);
+
+    /* Anchored to the Apple Roots. */
+#if TARGET_OS_BRIDGE
+    /* On the bridge, test roots are gated in the trust and policy servers. */
+    require_quiet(appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL), errOut);
+    CFDictionarySetValue(appleAnchorOptions,
+                         kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+    add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+    CFReleaseSafe(appleAnchorOptions);
+#else
+    require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSecureIOStaticAsset),
+                  errOut);
+#endif
+
+    /* Exactly 3 certs in the chain */
+    require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
+    /* Intermediate marker OID matches input OID */
+    add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.10"));
+
+    /* Leaf marker OID matches input OID */
+    add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.50"));
+
+    /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
+    require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
+    require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
+    const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
+    const void *values[] = { rsaSize, ecSize };
+    require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
+                                          &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
+    add_element(options, kSecPolicyCheckKeySize, keySizes);
+
+    require(result = SecPolicyCreate(kSecPolicyAppleSecureIOStaticAsset,
+                                     kSecPolicyNameAppleSecureIOStaticAsset, options), errOut);
+
+errOut:
+    CFReleaseSafe(options);
+    CFReleaseSafe(keySizes);
+    CFReleaseSafe(rsaSize);
+    CFReleaseSafe(ecSize);
+    return result;
+}
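Review bot: SecPolicyCreateAppleSecureIOStaticAsset turns off the validity check (SecPolicyAddBasicCertOptions) and, unlike SecPolicyCreateAppleWarsaw, adds no kSecPolicyCheckRevocation, so a leaf issued under the 1.2.840.113635.100.6.50 marker can be neither expired nor revoked and can only be retired by a code change; the comment above SecPolicyAddBasicCertOptions records the expiry decision but not the revocation one, which deserves a line such as `/* No revocation check either: assets must verify without network access — confirm this is intended. */`. On TARGET_OS_BRIDGE both functions set kSecPolicyAppleAnchorIncludeTestRoots unconditionally and rely on gating "in the trust and policy servers", so naming that gate in the comment would make the dependency auditable. The two functions are otherwise line-for-line identical apart from the policy constants, the marker OIDs, the basic-options call and the revocation check; a static helper taking those as parameters removes roughly fifty duplicated lines and keeps the two policies from drifting, as sketched below.
```c
/* Shared body of the Warsaw and SecureIOStaticAsset policies: Apple-anchored,
 * exactly 3 certs, intermediate/leaf marker OIDs, 2048-bit RSA / P-256 floors. */
static SecPolicyRef SecPolicyCreateAppleMarkerPinned(CFStringRef policyId, CFStringRef policyName,
                                                     CFStringRef intermediateMarkerOid, CFStringRef leafMarkerOid,
                                                     bool checkValidity, bool checkRevocation) {
    /* … unchanged: locals and options dictionary creation … */
    if (checkValidity) {
        SecPolicyAddBasicX509Options(options);
    } else {
        /* No validity check so that assets always load. */
        SecPolicyAddBasicCertOptions(options);
    }
    /* … unchanged: Apple anchor (TARGET_OS_BRIDGE branch, else SecPolicyAddAppleAnchorOptions(options, policyName)) … */
    require(SecPolicyAddChainLengthOptions(options, 3), errOut);
    add_element(options, kSecPolicyCheckIntermediateMarkerOid, intermediateMarkerOid);
    add_leaf_marker_string(options, leafMarkerOid);
    if (checkRevocation) {
        add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
    }
    /* … unchanged: key-size dictionary, SecPolicyCreate(policyId, policyName, options), errOut cleanup … */
}

SecPolicyRef SecPolicyCreateAppleWarsaw(void) {
    return SecPolicyCreateAppleMarkerPinned(kSecPolicyAppleWarsaw, kSecPolicyNameAppleWarsaw,
                                            CFSTR("1.2.840.113635.100.6.2.14"), CFSTR("1.2.840.113635.100.6.29"),
                                            true, true);
}

SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) {
    /* No expiry and no revocation check so that assets always load — confirm this is intended. */
    return SecPolicyCreateAppleMarkerPinned(kSecPolicyAppleSecureIOStaticAsset, kSecPolicyNameAppleSecureIOStaticAsset,
                                            CFSTR("1.2.840.113635.100.6.2.10"), CFSTR("1.2.840.113635.100.6.50"),
                                            false, false);
}
```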
index c3cb359b3113c322e63789ac3f6bb6d62e6113fe..081b1ecec6f6b61d321045cde628c7fde8317bd4 100644 (file)
@@ -592,7 +592,7 @@ static bool SecPolicyCheckCertCertificatePolicyOid(SecCertificateRef cert, CFTyp
 }
 
 static bool SecPolicyCheckCertWeak(SecCertificateRef cert, CFTypeRef __unused pvcValue) {
-    if (cert && SecCertificateIsWeak(cert)) {
+    if (cert && SecCertificateIsWeakKey(cert)) {
         /* Leaf certificate has a weak key. */
         return false;
     }
index 049b9498fc52129ae9ebbf74b4b7a36ebabd27b9..ee635e69b463544e85d66853210b456b4688b82a 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2016 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2003-2016 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  *
@@ -22,9 +22,9 @@
  */
 
 /*!
   @header SecPolicyPriv
   The functions provided in SecPolicyPriv provide an interface to various
      X.509 certificate trust policies.
+ @header SecPolicyPriv
+ The functions provided in SecPolicyPriv provide an interface to various
+ X.509 certificate trust policies.
 */
 
 #ifndef _SECURITY_SECPOLICYPRIV_H_
@@ -95,6 +95,8 @@ CF_IMPLICIT_BRIDGING_ENABLED
        @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate
        @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth
        @constant kSecPolicyAppleMMCSCompatibilityServerAuth
+       @constant kSecPolicyAppleSecureIOStaticAsset
+       @constant kSecPolicyAppleWarsaw
  */
 extern const CFStringRef kSecPolicyAppleMobileStore
     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
@@ -200,6 +202,11 @@ extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth
     __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
 extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth
     __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleSecureIOStaticAsset
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+extern const CFStringRef kSecPolicyAppleWarsaw
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+
 
 /*!
  @enum Policy Value Constants
@@ -265,7 +272,7 @@ extern const CFStringRef kSecPolicyRootDigest
     * The intermediate has a marker extension with OID matching the intermediateMarkerOID
     parameter.
     * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
@@ -298,236 +305,240 @@ SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName,
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
     extension or Common Name.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
- For developers who need to disable pinning this function is equivalent to SecPolicyCreateSSL
- on internal releases if the value true is set for the key "AppleServerAuthenticationNoPinning%@"
- (where %@ is the policyName parameter) in the com.apple.Security preferences for the user
- of the calling application.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
  */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname,
-                                          CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID)
+                                           CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID)
     __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 
 /*!
-    @function SecPolicyCreateiPhoneActivation
-    @abstract Returns a policy object for verifying iPhone Activation
-    certificate chains.
-    @discussion This policy uses the Basic X.509 policy with no validity check
-    and pinning options:
-        * The chain is anchored to "Apple Root CA" certificate.
-        * There are exactly 3 certs in chain.
-        * The intermediate has Common Name "Apple iPhone Certification Authority".
-        * The leaf has Common Name "iPhone Activation".
-    @result A policy object. The caller is responsible for calling CFRelease
-       on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneActivation
+ @abstract Returns a policy object for verifying iPhone Activation
+ certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in chain.
+    * The intermediate has Common Name "Apple iPhone Certification Authority".
+    * The leaf has Common Name "iPhone Activation".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneActivation(void);
 
 /*!
-    @function SecPolicyCreateiPhoneDeviceCertificate
-    @abstract Returns a policy object for verifying iPhone Device certificate
-    chains.
-    @discussion This policy uses the Basic X.509 policy with no validity check
-    and pinning options:
-        * There are exactly 4 certs in chain.
-        * The chain is anchored to "Apple Root CA" certificate.
-        * The first intermediate has Common Name "Apple iPhone Device CA".
-    @result A policy object. The caller is responsible for calling CFRelease
-       on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneDeviceCertificate
+ @abstract Returns a policy object for verifying iPhone Device certificate
+ chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 4 certs in chain.
+     * The first intermediate has Common Name "Apple iPhone Device CA".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
 
 /*!
   @function SecPolicyCreateFactoryDeviceCertificate
   @abstract Returns a policy object for verifying Factory Device certificate
   chains.
   @discussion This policy uses the Basic X.509 policy with no validity check
   and pinning options:
-        * The chain is anchored to the Factory Device CA.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateFactoryDeviceCertificate
+ @abstract Returns a policy object for verifying Factory Device certificate
+ chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to the Factory Device CA.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
 
 /*!
   @function SecPolicyCreateiAP
   @abstract Returns a policy object for verifying iAP certificate chains.
   @discussion This policy uses the Basic X.509 policy with no validity check
   and pinning options:
-        * The leaf has notBefore date after 5/31/2006 midnight GMT.
-        * The leaf has Common Name beginning with "IPA_".
      The intended use of this policy is that the caller pass in the
      intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateiAP
+ @abstract Returns a policy object for verifying iAP certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The leaf has notBefore date after 5/31/2006 midnight GMT.
+     * The leaf has Common Name beginning with "IPA_".
+ The intended use of this policy is that the caller pass in the
+ intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiAP(void);
 
 /*!
   @function SecPolicyCreateiTunesStoreURLBag
   @abstract Returns a policy object for verifying iTunes Store URL bag
   certificates.
   @discussion This policy uses the Basic X.509 policy with no validity check
   and pinning options:
-        * The chain is anchored to the iTMS CA.
-        * There are exactly 2 certs in the chain.
-        * The leaf has Organization "Apple Inc.".
-        * The leaf has Common Name "iTunes Store URL Bag".
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateiTunesStoreURLBag
+ @abstract Returns a policy object for verifying iTunes Store URL bag
+ certificates.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to the iTMS CA.
+     * There are exactly 2 certs in the chain.
+     * The leaf has Organization "Apple Inc.".
+     * The leaf has Common Name "iTunes Store URL Bag".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
 
 /*!
   @function SecPolicyCreateEAP
   @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
      @param server Passing true for this parameter create a policy for EAP
      server certificates.
      @param trustedServerNames Optional; if present, the hostname in the leaf
   certificate must be in the trustedServerNames list.  Note that contrary
   to all other policies the trustedServerNames list entries can have wildcards
   whilst the certificate cannot.  This matches the existing deployments.
   @discussion This policy uses the Basic X.509 policy with validity check but
   disallowing network fetching. If trustedServerNames param is non-null, the
   ExtendedKeyUsage extension, if present, of the leaf certificate is verified
   to contain either the ServerAuth OID, if the server param is true or
   ClientAuth OID, otherwise.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateEAP
+ @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
+ @param server Passing true for this parameter create a policy for EAP
+ server certificates.
+ @param trustedServerNames Optional; if present, the hostname in the leaf
+ certificate must be in the trustedServerNames list.  Note that contrary
+ to all other policies the trustedServerNames list entries can have wildcards
+ whilst the certificate cannot.  This matches the existing deployments.
+ @discussion This policy uses the Basic X.509 policy with validity check but
+ disallowing network fetching. If trustedServerNames param is non-null, the
+ ExtendedKeyUsage extension, if present, of the leaf certificate is verified
+ to contain either the ServerAuth OID, if the server param is true or
+ ClientAuth OID, otherwise.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames);
 
 /*!
   @function SecPolicyCreateIPSec
   @abstract Returns a policy object for evaluating IPSec certificate chains.
      @param server Passing true for this parameter create a policy for IPSec
      server certificates.
      @param hostname Optional; if present, the policy will require the specified
      hostname or ip address to match the hostname in the leaf certificate.
   @discussion This policy uses the Basic X.509 policy with validity check.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateIPSec
+ @abstract Returns a policy object for evaluating IPSec certificate chains.
+ @param server Passing true for this parameter create a policy for IPSec
+ server certificates.
+ @param hostname Optional; if present, the policy will require the specified
+ hostname or ip address to match the hostname in the leaf certificate.
+ @discussion This policy uses the Basic X.509 policy with validity check.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable  hostname);
 
 /*!
-       @function SecPolicyCreateAppleSWUpdateSigning
-       @abstract Returns a policy object for evaluating SW update signing certs.
-    @discussion This policy uses the Basic X.509 policy with no validity check
-    and pinning options:
-        * The chain is anchored to "Apple Root CA" certificate.
-        * There are exactly 3 certs in the chain.
-        * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
-       @result A policy object. The caller is responsible for calling CFRelease
-       on this when it is no longer needed.
+ @function SecPolicyCreateAppleSWUpdateSigning
+ @abstract Returns a policy object for evaluating SW update signing certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1.
+     * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
 
 /*!
-       @function SecPolicyCreateApplePackageSigning
-       @abstract Returns a policy object for evaluating installer package signing certs.
-    @discussion This policy uses the Basic X.509 policy with no validity check
-    and pinning options:
-        * The chain is anchored to "Apple Root CA" certificate.
-        * There are exactly 3 certs in the chain.
-       @result A policy object. The caller is responsible for calling CFRelease
-       on this when it is no longer needed.
+ @function SecPolicyCreateApplePackageSigning
+ @abstract Returns a policy object for evaluating installer package signing certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The leaf KeyUsage extension has the digital signature bit set.
+     * The leaf ExtendedKeyUsage extension has the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateApplePackageSigning(void);
 
 /*!
   @function SecPolicyCreateiPhoneApplicationSigning
   @abstract Returns a policy object for evaluating signed application
   signatures.  This is for apps signed directly by the app store.
   @discussion This policy uses the Basic X.509 policy with no validity check
   and pinning options:
-        * The chain is anchored to "Apple Root CA" certificate.
-        * There are exactly 3 certs in the chain.
-        * The intermediate has Common Name "Apple iPhone Certification Authority".
-        * The leaf has Common Name "Apple iPhone OS Application Signing".
-        * If the device is not a production device and is running an internal
-          release, the leaf may have the Common Name "TEST Apple iPhone OS
-          Application Signing TEST".
-        * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
-          or the CodeSigning OID.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures.  This is for apps signed directly by the app store.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The intermediate has Common Name "Apple iPhone Certification Authority".
+     * The leaf has Common Name "Apple iPhone OS Application Signing".
+     * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.3 or OID
+     1.2.840.113635.100.6.1.6.
+     * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
+       or the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
 
 /*!
   @function SecPolicyCreateiPhoneProfileApplicationSigning
   @abstract Returns a policy object for evaluating signed application
   signatures. This policy is for certificates inside a UPP or regular
   profile.
   @discussion  This policy only verifies that the leaf is temporally valid
   and not revoked.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneProfileApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures. This policy is for certificates inside a UPP or regular
+ profile.
+ @discussion  This policy only verifies that the leaf is temporally valid
and not revoked via any available method.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
 
 /*!
-    @function SecPolicyCreateiPhoneProvisioningProfileSigning
-    @abstract Returns a policy object for evaluating provisioning profile signatures.
-    @discussion This policy uses the Basic X.509 policy with no validity check
-    and pinning options:
-        * The chain is anchored to "Apple Root CA" certificate.
-        * There are exactly 3 certs in the chain.
-        * The intermediate has Common Name "Apple iPhone Certification Authority".
-        * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
-        * If the device is not a production device and is running an internal
-          release, the leaf may have the Common Name "TEST Apple iPhone OS
-          Provisioning Profile Signing TEST".
-    @result A policy object. The caller is responsible for calling CFRelease
-       on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneProvisioningProfileSigning
+ @abstract Returns a policy object for evaluating provisioning profile signatures.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+     the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+     * There are exactly 3 certs in the chain.
+     * The intermediate has Common Name "Apple iPhone Certification Authority".
+     * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
+     * If the device is not a production device and is running an internal
+       release, the leaf may have the Common Name "TEST Apple iPhone OS
+       Provisioning Profile Signing TEST".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
 
 /*!
   @function SecPolicyCreateAppleTVOSApplicationSigning
   @abstract Returns a policy object for evaluating signed application
   signatures.  This is for apps signed directly by the Apple TV app store,
   and allows for both the prod and the dev/test certs.
   @discussion This policy uses the Basic X.509 policy with no validity check
   and pinning options:
-        * The chain is anchored to any of the production Apple Root CAs.
-          Test roots are never permitted.
-        * There are exactly 3 certs in the chain.
-        * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
-        * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
-          the CodeSigning OID.
-        * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
-          1.2.840.113635.100.6.1.24.1.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateAppleTVOSApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures.  This is for apps signed directly by the Apple TV app store,
+ and allows for both the prod and the dev/test certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+     * The chain is anchored to any of the production Apple Root CAs.
+       Test roots are never permitted.
+     * There are exactly 3 certs in the chain.
+     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+     * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
+       the CodeSigning OID.
+     * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
+       1.2.840.113635.100.6.1.24.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
 
 /*!
   @function SecPolicyCreateOCSPSigner
   @abstract Returns a policy object for evaluating ocsp response signers.
   @discussion This policy uses the Basic X.509 policy with validity check and
   requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateOCSPSigner
+ @abstract Returns a policy object for evaluating ocsp response signers.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateOCSPSigner(void);
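Review bot: The paragraph telling developers that SecPolicyCreateAppleSSLPinned honours the "AppleServerAuthenticationNoPinning%@" defaults write on internal releases is dropped from the header, while the code path in requireUATPinning that implements it is kept (and gains logging) in this same commit; meanwhile the rewritten comments for SecPolicyCreateiPhoneActivation and its siblings now describe the analogous test-root defaults write. If the omission is deliberate, a one-line pointer such as ` Internal releases may relax pinning via a defaults write; see requireUATPinning.` keeps this entry consistent with the others; if not, the removed paragraph should come back. Most of this hunk re-indents unchanged comment text, which buries the genuine wording changes (revocation via any available method, production-root anchoring); splitting whitespace from content changes would make those easier to review.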
@@ -545,46 +556,46 @@ enum {
 };
 
 /*!
   @function SecPolicyCreateSMIME
   @abstract Returns a policy object for evaluating S/MIME certificate chains.
      @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
   flags, to indicate the intended usage of this certificate.
      @param email Optional; if present, the policy will require the specified
      email to match the email in the leaf certificate.
   @discussion This policy uses the Basic X.509 policy with validity check and
   requires the leaf to have
-        * a KeyUsage matching the smimeUsage,
-        * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
-          EmailProtection OID, and
-        * if the email param is specified, the email address in the RFC822Name in the
-          SubjectAlternativeName extension or in the Email Address field of the
-          Subject Name.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateSMIME
+ @abstract Returns a policy object for evaluating S/MIME certificate chains.
+ @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
+ flags, to indicate the intended usage of this certificate.
+ @param email Optional; if present, the policy will require the specified
+ email to match the email in the leaf certificate.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have
+     * a KeyUsage matching the smimeUsage,
+     * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
+       EmailProtection OID, and
+     * if the email param is specified, the email address in the RFC822Name in the
+       SubjectAlternativeName extension or in the Email Address field of the
+       Subject Name.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email);
 
 /*!
   @function SecPolicyCreateCodeSigning
   @abstract Returns a policy object for evaluating code signing certificate chains.
   @discussion This policy uses the Basic X.509 policy with validity check and
   requires the leaf to have
-        * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
-        * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateCodeSigning
+ @abstract Returns a policy object for evaluating code signing certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have
+     * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
+     * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateCodeSigning(void);
 
 /*!
   @function SecPolicyCreateLockdownPairing
   @abstract basic x509 policy for checking lockdown pairing certificate chains.
   @disucssion This policy checks some of the Basic X.509 policy options with no
   validity check. It explicitly allows for empty subjects.
   @result A policy object. The caller is responsible for calling CFRelease
      on this when it is no longer needed.
+ @function SecPolicyCreateLockdownPairing
+ @abstract basic x509 policy for checking lockdown pairing certificate chains.
+ @disucssion This policy checks some of the Basic X.509 policy options with no
+ validity check. It explicitly allows for empty subjects.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateLockdownPairing(void);
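Review bot: The rewritten HeaderDoc block for SecPolicyCreateLockdownPairing carries over the `@disucssion` misspelling, so the tag will not be recognised as `@discussion` by the doc tooling; since the commit touches every line of that comment anyway, this is the moment to correct it: ` @discussion This policy checks some of the Basic X.509 policy options with no`. The other blocks in this hunk are re-indentation only, with the tag spelled correctly.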
@@ -592,7 +603,7 @@ SecPolicyRef SecPolicyCreateLockdownPairing(void);
 /*!
  @function SecPolicyCreateURLBag
  @abstract Returns a policy object for evaluating certificate chains for signing URL bags.
- @discussion This policy uses the Basic X.509 policy with no validity check and requires 
+ @discussion This policy uses the Basic X.509 policy with no validity check and requires
  that the leaf has ExtendedKeyUsage extension with the CodeSigning OID.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -603,10 +614,12 @@ SecPolicyRef SecPolicyCreateURLBag(void);
 /*!
  @function SecPolicyCreateOTATasking
  @abstract  Returns a policy object for evaluating certificate chains for signing OTA Tasking.
- @discussion This policy uses the Basic X.509 policy with validity check and 
+ @discussion This policy uses the Basic X.509 policy with validity check and
  pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
+    * The intermediate has Common Name "Apple iPhone Certification Authority".
     * The leaf has Common Name "OTA Task Signing".
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -617,10 +630,12 @@ SecPolicyRef SecPolicyCreateOTATasking(void);
 /*!
  @function SecPolicyCreateMobileAsset
  @abstract  Returns a policy object for evaluating certificate chains for signing Mobile Assets.
- @discussion This policy uses the Basic X.509 policy with no validity check 
+ @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
+    * The intermediate has Common Name "Apple iPhone Certification Authority".
     * The leaf has Common Name "Asset Manifest Signing".
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -633,8 +648,9 @@ SecPolicyRef SecPolicyCreateMobileAsset(void);
  @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
-    * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
       or OID 1.2.840.113635.100.6.2.7.
     * The leaf has a marker extension with OID 1.2.840.113635.100.4.7.
  @result A policy object. The caller is responsible for calling CFRelease
@@ -649,7 +665,13 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
  Mac App Store Receipts.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+    * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.6.1.
+    * The leaf has a marker extension with OID 1.2.840.113635.100.6.11.1.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
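Review bot: The new bullet `* Revocation is checked via any available method.` does not say what happens when no method can complete — whether an unreachable OCSP responder or CRL fails the evaluation or is ignored — and for a receipt policy that is often evaluated offline that is the detail a caller needs. The old wording at least named the mechanism; the new one names none and leaves the failure mode open. Suggest extending the bullet to state it explicitly, e.g. `* Revocation is checked via any available method (OCSP or CRL); an unanswered check does not by itself fail the evaluation.` if that is the behavior, or the converse if a missing answer is treated as a failure. The same wording is introduced in most of the other policies in this commit, so whichever sentence is chosen should be used throughout.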
@@ -664,7 +686,8 @@ SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
  team ID to match the organizationalUnit field in the leaf certificate's subject.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the
       cardIssuer.
     * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14.
@@ -681,7 +704,8 @@ SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
  @abstract Returns a policy object for evaluating Mobile Store certificate chains.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
     * The leaf has KeyUsage with the DigitalSignature bit set.
@@ -697,7 +721,8 @@ SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
  @abstract  Returns a policy object for evaluating Test Mobile Store certificate chains.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
     * The leaf has KeyUsage with the DigitalSignature bit set.
@@ -742,7 +767,8 @@ SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
  Provisioning Profiles.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
     * The leaf has KeyUsage with the DigitalSignature bit set.
     * The leaf has a marker extension with OID 1.2.840.113635.100.4.11.
@@ -759,7 +785,10 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
  Configuration Profiles.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
     * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -770,10 +799,13 @@ SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
 /*!
  @function SecPolicyCreateQAConfigurationProfileSigner
  @abstract Returns a policy object for evaluating certificate chains for signing
- QA Configuration Profiles.
+ QA Configuration Profiles. On customer builds, this function returns the same
+ policy as SecPolicyCreateConfigurationProfileSigner.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
     * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
@@ -813,8 +845,9 @@ SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
  Apple ID Validation Records.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
-    * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
       or OID 1.2.840.113635.100.6.2.10.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.25.
     * Revocation is checked via OCSP.
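Review bot: This policy keeps `* Revocation is checked via OCSP.` while the rest of the commit rewords every other policy to "any available method", so it now reads as a deliberate OCSP-only exception; if that is the actual behavior it is worth saying so, and if the line was simply missed it should be updated with the others. A one-word qualifier would settle it for the reader, e.g. `* Revocation is checked via OCSP only.`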
@@ -829,7 +862,8 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
  @abstract Returns a policy object for evaluating SMP certificate chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA - ECC" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13.
     * The leaf has KeyUsage with the KeyEncipherment bit set.
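Review bot: The anchor line for this policy changes from the specific `"Apple Root CA - ECC"` certificate to "any of the production Apple Root CAs", which is a different statement, not a rewording: if the implementation still pins to the ECC root the new text is less precise than the old, and if it now accepts the RSA production roots as well it widens the set of CAs that can issue SMP encryption certificates and deserves to be called out as an intentional change. Suggest either keeping the root named, `* The chain is anchored to the "Apple Root CA - ECC" certificate.`, or, if the set really grew, stating the full set so callers can see the trust surface. The remainder of the bullet list for this policy continues outside the hunk.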
@@ -862,7 +896,8 @@ SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);
  @abstract Returns a policy object for verifying production PPQ Signing certificates.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification
       Authority".
@@ -877,10 +912,12 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void);
 
 /*!
  @function SecPolicyCreateTestApplePPQSigning
- @abstract Returns a policy object for verifying test PPQ Signing certificates.
+ @abstract Returns a policy object for verifying test PPQ Signing certificates. On
+ customer builds, this function returns the same policy as SecPolicyCreateApplePPQSigning.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple System Integration 2 Certification
       Authority".
@@ -921,7 +958,7 @@ SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname);
       extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -946,7 +983,7 @@ SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDicti
       extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -964,7 +1001,7 @@ SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryR
       extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1033,7 +1070,7 @@ SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname)
       extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1059,7 +1096,7 @@ SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef
       extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1084,7 +1121,7 @@ SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRe
       extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1110,7 +1147,7 @@ and pinning options:
       extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via CRL.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
  */
@@ -1160,7 +1197,7 @@ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
     extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via CRL.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
  on this when it is no longer needed.
  */
@@ -1174,14 +1211,15 @@ SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryR
  @param hostname Optional; hostname to verify the certificate name against.
  @discussion This policy uses the Basic X.509 policy with validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
     * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1
     * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
-      extension or Common Name.
+    extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID.
-    * Revocation is checked via OCSP.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
        on this when it is no longer needed.
  */
@@ -1204,7 +1242,8 @@ SecPolicyRef SecPolicyCreateAppleTimeStamping(void);
  @abstract  Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains.
  @discussion This policy uses the Basic X.509 policy with no validity check
  and pinning options:
-    * The chain is anchored to "Apple Root CA - ECC" certificate.
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
     * There are exactly 3 certs in the chain.
     * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2".
     * The leaf has KeyUsage with the KeyEncipherment bit set.
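Review bot: As with the SMP encryption policy earlier in this commit, the previous text pinned this chain to `"Apple Root CA - ECC"` and the new text says "any of the production Apple Root CAs"; for an Apple Pay issuer-encryption policy the difference between one ECC root and every production root is material and should not be lost in a doc cleanup. If the ECC root is still the only anchor, restore its name in the bullet; if not, say which roots are now accepted. The rest of this policy's bullets are outside the hunk.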
@@ -1248,7 +1287,7 @@ SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
     extension or Common Name.
     * The leaf is checked against the Black and Gray lists.
     * The leaf has ExtendedKeyUsage with the ServerAuth OID.
-    * Revocation is checked via CRL.
+    * Revocation is checked via any available method.
  @result A policy object. The caller is responsible for calling CFRelease
  on this when it is no longer needed.
  */
@@ -1281,7 +1320,7 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
         * 1.2.840.113635.100.4.8    ("Safari Developer" EKU)
         * 1.2.840.113635.100.4.9    ("3rd Party Mac Developer Installer" EKU)
         * 1.2.840.113635.100.4.13   ("Developer ID Installer" EKU)
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
@@ -1301,7 +1340,7 @@ SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void)
     * The intermediate has the Common Name "Apple Code Signing Certification Authority".
     * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22.
     * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing).
-    * Revocation is checked via OCSP or CRL.
+    * Revocation is checked via any available method.
     * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
  @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
@@ -1342,13 +1381,50 @@ CFStringRef SecPolicyGetOidString(SecPolicyRef policy)
     * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value
     of "ucrt".
     * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1.
-    * RSA key sizes are are disallowed. EC key sizes are P-256 or larger.
+    * RSA key sizes are disallowed. EC key sizes are P-256 or larger.
 @result A policy object. The caller is responsible for calling CFRelease on this when
  it is no longer needed.
  */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash)
-__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+    __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecPolicyCreateAppleWarsaw
+ @abstract Returns a policy object for verifying signed Warsaw assets.
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and
+ pinning options:
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.14.
+    * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.29.
+    * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleWarsaw(void)
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+
+/*!
+ @function SecPolicyCreateAppleSecureIOStaticAsset
+ @abstract Returns a policy object for verifying signed static assets for Secure IO.
+ @discussion The resulting policy uses the Basic X.509 policy with no validity check and
+ pinning options:
+    * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+    the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+    * There are exactly 3 certs in the chain.
+    * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.10.
+    * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.50.
+    * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void)
+    __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+
 
 CF_IMPLICIT_BRIDGING_DISABLED
 CF_ASSUME_NONNULL_END
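Review bot: The documentation for the two new policies, SecPolicyCreateAppleWarsaw and SecPolicyCreateAppleSecureIOStaticAsset, lists anchors, chain length, marker OIDs and key sizes but says nothing about revocation or about the KeyUsage/ExtendedKeyUsage the leaf must carry, whereas the neighbouring policies in this header document both (for example the `* Revocation is checked via any available method.` bullet a few hunks up). Silence here will be read as "not checked", so it should be stated either way, e.g. `* Revocation is not checked.` and `* No KeyUsage or ExtendedKeyUsage is required of the leaf.` if that is the behavior, or the actual requirement if there is one. For SecPolicyCreateAppleSecureIOStaticAsset it would also help to say in one clause why "no validity check" is acceptable for this use, since it means an expired signing certificate is still accepted.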
index 98166cd823d8cd3ca249adf7119a9bdfefcf3253..3fa4b64bfad768717b94b68ecd43205eba26ed97 100644 (file)
                BE53FA301B0AC5C300719A63 /* SecKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563C14CB6EB9008233F2 /* SecKey.c */; };
                BE53FA311B0AC65500719A63 /* SecECKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562C14CB6EB9008233F2 /* SecECKey.c */; };
                BE53FA321B0AC65B00719A63 /* SecRSAKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564714CB6EB9008233F2 /* SecRSAKey.c */; };
+               BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */ = {isa = PBXBuildFile; fileRef = BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */; };
                BE5EC1F018C80108005E7682 /* swcagent_client.c in Sources */ = {isa = PBXBuildFile; fileRef = BEF9640A18B418A400813FA3 /* swcagent_client.c */; };
                BE62D7601747FF3E001EAA9D /* si-72-syncableitems.c in Sources */ = {isa = PBXBuildFile; fileRef = BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */; };
                BE642BB2188F32C200C899A2 /* SecSharedCredential.c in Sources */ = {isa = PBXBuildFile; fileRef = BE642BB1188F32C200C899A2 /* SecSharedCredential.c */; };
                D40771BE1C9B50590016AA66 /* si-82-seccertificate-ct.c in Sources */ = {isa = PBXBuildFile; fileRef = D40771AB1C9B4C530016AA66 /* si-82-seccertificate-ct.c */; };
                D40771BF1C9B50590016AA66 /* si-82-sectrust-ct.m in Sources */ = {isa = PBXBuildFile; fileRef = D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */; };
                D4273AA61B5D54E70007D67B /* nameconstraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4273AA21B5D54CA0007D67B /* nameconstraints.c */; };
+               D43091551D84D7FE004097DA /* si-25-cms-skid.m in Sources */ = {isa = PBXBuildFile; fileRef = D43091511D84D482004097DA /* si-25-cms-skid.m */; };
+               D43091561D84D80B004097DA /* si-25-cms-skid.h in Headers */ = {isa = PBXBuildFile; fileRef = D43091531D84D494004097DA /* si-25-cms-skid.h */; };
                D43CDF731C9C77540020217E /* si-28-sectrustsettings.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.m */; };
                D442160A1CCAD9C200D2D455 /* si-22-sectrust-iap.h in Headers */ = {isa = PBXBuildFile; fileRef = D44216091CCAD9C200D2D455 /* si-22-sectrust-iap.h */; };
                D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */ = {isa = PBXBuildFile; fileRef = D44C81E71CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m */; };
                BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecSignatureVerificationSupport.c; sourceTree = "<group>"; };
                BE4AC7DD1C938698002A28FE /* SecSignatureVerificationSupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSignatureVerificationSupport.h; sourceTree = "<group>"; };
                BE556A5D19550E1600E6EE8C /* SecPolicyCerts.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecPolicyCerts.h; sourceTree = "<group>"; };
+               BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "si-84-sectrust-whitelist.c"; sourceTree = "<group>"; };
                BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-72-syncableitems.c"; sourceTree = "<group>"; };
                BE62D7611747FF51001EAA9D /* si-70-sectrust-unified.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-70-sectrust-unified.c"; sourceTree = "<group>"; };
                BE642BAF188F32AD00C899A2 /* SecSharedCredential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSharedCredential.h; sourceTree = "<group>"; };
                D40771B81C9B4D200016AA66 /* libSharedRegressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSharedRegressions.a; sourceTree = BUILT_PRODUCTS_DIR; };
                D4273AA21B5D54CA0007D67B /* nameconstraints.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = nameconstraints.c; sourceTree = "<group>"; };
                D4273AA31B5D54CA0007D67B /* nameconstraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = nameconstraints.h; sourceTree = "<group>"; };
+               D43091511D84D482004097DA /* si-25-cms-skid.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-25-cms-skid.m"; sourceTree = "<group>"; };
+               D43091531D84D494004097DA /* si-25-cms-skid.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-25-cms-skid.h"; sourceTree = "<group>"; };
                D44216091CCAD9C200D2D455 /* si-22-sectrust-iap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-22-sectrust-iap.h"; sourceTree = "<group>"; };
                D44C81E71CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-97-sectrust-path-scoring.m"; sourceTree = "<group>"; };
                D44C81E91CD1947200BE9A0D /* si-97-sectrust-path-scoring.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-97-sectrust-path-scoring.h"; sourceTree = "<group>"; };
                                4CC92A2615A3ABD400C6D578 /* si-24-sectrust-itms.c */,
                                4CC92A2815A3ABD400C6D578 /* si-24-sectrust-nist.c */,
                                4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-passbook.c */,
+                               D43091511D84D482004097DA /* si-25-cms-skid.m */,
+                               D43091531D84D494004097DA /* si-25-cms-skid.h */,
                                4CC92A2C15A3ABD400C6D578 /* si-26-sectrust-copyproperties.c */,
                                4CC92A2D15A3ABD400C6D578 /* si-27-sectrust-exceptions.c */,
                                4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.m */,
                                D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */,
                                440BF8F41A7A7EC9001760A7 /* si-82-token-ag.c */,
                                BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */,
+                               BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */,
                                D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */,
                                D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */,
                                D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */,
                        files = (
                                0C0C887A1CCED00E00617D1B /* shared_regressions.h in Headers */,
                                D44C81EA1CD1947200BE9A0D /* si-97-sectrust-path-scoring.h in Headers */,
+                               D43091561D84D80B004097DA /* si-25-cms-skid.h in Headers */,
                                D4653DEB1C9E2299002ED6D5 /* si-28-sectrustsettings.h in Headers */,
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                                09AE116F1CEDA1E4004C617D /* si-44-seckey-ies.m in Sources */,
                                09EC947F1CEDEA70003E5101 /* si-44-seckey-rsa.m in Sources */,
                                D4D887531CED0A9100DC7583 /* si-24-sectrust-digicert-malaysia.c in Sources */,
+                               D43091551D84D7FE004097DA /* si-25-cms-skid.m in Sources */,
                                D4D886C21CEB9FC600DC7583 /* si-85-sectrust-ssl-policy.c in Sources */,
                                D4D887541CED0A9700DC7583 /* si-24-sectrust-diginotar.c in Sources */,
                                D4D887571CED0B9400DC7583 /* si-27-sectrust-exceptions.c in Sources */,
                                0982E02C1D19695B0060002E /* si-44-seckey-ec.m in Sources */,
                                D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */,
+                               BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */,
                                D4D886F01CEC008600DC7583 /* si-23-sectrust-ocsp.c in Sources */,
                                D4D8875E1CED490700DC7583 /* si-74-OTAPKISigner.c in Sources */,
                                D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */,
index dbe5ba77ff42aff103e926cddc4ba44dc5f32415..cd8fc6007672c115f8017d8b8ae9950e21051a81 100644 (file)
@@ -125,18 +125,19 @@ typedef struct index_record index_record;
 
 struct _OpaqueSecOTAPKI
 {
-       CFRuntimeBase           _base;
-       CFSetRef                        _blackListSet;
-       CFSetRef                        _grayListSet;
-    CFDictionaryRef     _allowList;
-    CFArrayRef          _trustedCTLogs;
-    CFDataRef           _CTWhiteListData;
-       CFArrayRef                      _escrowCertificates;
-       CFArrayRef                      _escrowPCSCertificates;
-       CFDictionaryRef         _evPolicyToAnchorMapping;
-       CFDictionaryRef         _anchorLookupTable;
-       const char*                     _anchorTable;
-       int                                     _assetVersion;
+       CFRuntimeBase       _base;
+       CFSetRef            _blackListSet;
+       CFSetRef            _grayListSet;
+       CFDictionaryRef     _allowList;
+       CFArrayRef          _trustedCTLogs;
+       CFDataRef           _CTWhiteListData;
+       CFArrayRef          _escrowCertificates;
+       CFArrayRef          _escrowPCSCertificates;
+       CFDictionaryRef     _evPolicyToAnchorMapping;
+       CFDictionaryRef     _anchorLookupTable;
+       const char*         _anchorTable;
+       const char*         _assetPath;
+       int                 _assetVersion;
 };
 
 CFGiblisFor(SecOTAPKI)
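Review bot: The new `_assetPath` member joins `_anchorTable` as a raw `const char*` that the object owns and frees in SecOTAPKIDestroy, but nothing in the struct says so, and the `const` on the type suggests the opposite; a later change that stores a string literal or a borrowed pointer here would crash in the destructor. A one-line ownership comment on the field would prevent that, e.g. `const char*         _assetPath;    /* heap string, owned; freed in SecOTAPKIDestroy */`, and the same comment is overdue on `_anchorTable`.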
@@ -159,10 +160,17 @@ static void SecOTAPKIDestroy(CFTypeRef cf)
     CFReleaseNull(otapkiref->_evPolicyToAnchorMapping);
     CFReleaseNull(otapkiref->_anchorLookupTable);
 
-       free((void *)otapkiref->_anchorTable);
-
     CFReleaseNull(otapkiref->_trustedCTLogs);
     CFReleaseNull(otapkiref->_CTWhiteListData);
+
+    if (otapkiref->_anchorTable) {
+        free((void *)otapkiref->_anchorTable);
+        otapkiref->_anchorTable = NULL;
+    }
+    if (otapkiref->_assetPath) {
+        free((void *)otapkiref->_assetPath);
+        otapkiref->_assetPath = NULL;
+    }
 }
 
 static CFDataRef SecOTACopyFileContents(const char *path)
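Review bot: The two new guards in SecOTAPKIDestroy are redundant, because `free(NULL)` is a no-op; the unguarded form `free((void *)otapkiref->_anchorTable); otapkiref->_anchorTable = NULL;` (and the same two lines for `_assetPath`) says the same thing with less nesting. Nulling the fields after the free is still worth keeping since the struct is not immediately discarded here. SecOTAPKIDestroy begins outside the hunk.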
@@ -965,7 +973,7 @@ static SecOTAPKIRef SecOTACreate()
 
        SecOTAPKIRef otapkiref = NULL;
 
-    otapkiref = CFTypeAllocate(SecOTAPKI, struct _OpaqueSecOTAPKI , kCFAllocatorDefault);
+       otapkiref = CFTypeAllocate(SecOTAPKI, struct _OpaqueSecOTAPKI , kCFAllocatorDefault);
 
        if (NULL == otapkiref)
        {
@@ -976,19 +984,21 @@ static SecOTAPKIRef SecOTACreate()
        // will do the right thing
        otapkiref->_blackListSet = NULL;
        otapkiref->_grayListSet = NULL;
-    otapkiref->_allowList = NULL;
-    otapkiref->_trustedCTLogs = NULL;
-    otapkiref->_CTWhiteListData = NULL;
+       otapkiref->_allowList = NULL;
+       otapkiref->_trustedCTLogs = NULL;
+       otapkiref->_CTWhiteListData = NULL;
        otapkiref->_escrowCertificates = NULL;
        otapkiref->_escrowPCSCertificates = NULL;
        otapkiref->_evPolicyToAnchorMapping = NULL;
        otapkiref->_anchorLookupTable = NULL;
        otapkiref->_anchorTable = NULL;
+       otapkiref->_assetPath = NULL;
        otapkiref->_assetVersion = 0;
 
        // Start off by getting the correct asset directory info
        int asset_version = 0;
        const char* path_ptr = InitOTADirectory(&asset_version);
+       otapkiref->_assetPath = path_ptr;
        otapkiref->_assetVersion = asset_version;
 
        TestOTALog("SecOTACreate: asset_path = %s\n", path_ptr);
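Review bot: The store `otapkiref->_assetPath = path_ptr;` silently transfers ownership of the string returned by InitOTADirectory to the object, which is why the later hunks drop every `free(path_ptr)` on the error paths, but nothing at the assignment says so and the local `path_ptr` keeps being used as if it were still owned here. A one-line comment would prevent a future fix from reintroducing a double free: `otapkiref->_assetPath = path_ptr; /* owned by otapkiref from here on; freed in SecOTAPKIDestroy */`. Whether CFReleaseNull(otapkiref) on the error paths actually reaches SecOTAPKIDestroy depends on the CFGiblisFor registration, which is outside the hunk.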
@@ -998,9 +1008,6 @@ static SecOTAPKIRef SecOTACreate()
        CFSetRef blackKeysSet = InitializeBlackList(path_ptr);
        if (NULL == blackKeysSet)
        {
-               if (path_ptr) {
-                       free((void *)path_ptr);
-               }
                CFReleaseNull(otapkiref);
                return otapkiref;
        }
@@ -1010,31 +1017,25 @@ static SecOTAPKIRef SecOTACreate()
        CFSetRef grayKeysSet = InitializeGrayList(path_ptr);
        if (NULL == grayKeysSet)
        {
-               if (path_ptr) {
-                       free((void *)path_ptr);
-               }
                CFReleaseNull(otapkiref);
                return otapkiref;
        }
        otapkiref->_grayListSet = grayKeysSet;
 
-    // Get the allow list dictionary
-    otapkiref->_allowList = InitializeAllowList(path_ptr);
+       // Get the allow list dictionary
+       // (now loaded lazily in SecOTAPKICopyAllowList)
 
-    // Get the trusted Certificate Transparency Logs
-    otapkiref->_trustedCTLogs = InitializeTrustedCTLogs(path_ptr);
+       // Get the trusted Certificate Transparency Logs
+       otapkiref->_trustedCTLogs = InitializeTrustedCTLogs(path_ptr);
 
-    // Get the EV whitelist
-    otapkiref->_CTWhiteListData = InitializeCTWhiteListData(path_ptr);
+       // Get the EV whitelist
+       otapkiref->_CTWhiteListData = InitializeCTWhiteListData(path_ptr);
 
        CFArrayRef escrowCerts = NULL;
        CFArrayRef escrowPCSCerts = NULL;
        InitializeEscrowCertificates(path_ptr, &escrowCerts, &escrowPCSCerts);
        if (NULL == escrowCerts || NULL == escrowPCSCerts)
        {
-               if (path_ptr) {
-                       free((void *)path_ptr);
-               }
                CFReleaseNull(escrowCerts);
                CFReleaseNull(escrowPCSCerts);
                CFReleaseNull(otapkiref);
@@ -1047,9 +1048,6 @@ static SecOTAPKIRef SecOTACreate()
        CFDictionaryRef evOidToAnchorDigestMap = InitializeEVPolicyToAnchorDigestsTable(path_ptr);
        if (NULL == evOidToAnchorDigestMap)
        {
-               if (path_ptr) {
-                       free((void *)path_ptr);
-               }
                CFReleaseNull(otapkiref);
                return otapkiref;
        }
@@ -1064,9 +1062,6 @@ static SecOTAPKIRef SecOTACreate()
                if (anchorTablePtr) {
                        free((void *)anchorTablePtr);
                }
-               if (path_ptr) {
-                       free((void *)path_ptr);
-               }
                CFReleaseNull(otapkiref);
                return otapkiref;
        }
@@ -1127,15 +1122,54 @@ CFSetRef SecOTAPKICopyGrayList(SecOTAPKIRef otapkiRef)
 
 CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef)
 {
-    CFDictionaryRef result = NULL;
-    if (NULL == otapkiRef)
-    {
-        return result;
-    }
+       CFDictionaryRef result = NULL;
+       if (NULL == otapkiRef)
+       {
+               return result;
+       }
 
-    result = otapkiRef->_allowList;
-    CFRetainSafe(result);
-    return result;
+       result = otapkiRef->_allowList;
+       if (!result) {
+               result = InitializeAllowList(otapkiRef->_assetPath);
+               otapkiRef->_allowList = result;
+       }
+
+       CFRetainSafe(result);
+       return result;
+}
+
+CFArrayRef SecOTAPKICopyAllowListForAuthKeyID(SecOTAPKIRef otapkiRef, CFStringRef authKeyID)
+{
+       // %%% temporary performance optimization:
+       // only load dictionary if we know an allow list exists for this key
+       const CFStringRef keyIDs[3] = {
+               CFSTR("7C724B39C7C0DB62A54F9BAA183492A2CA838259"),
+               CFSTR("65F231AD2AF7F7DD52960AC702C10EEFA6D53B11"),
+               CFSTR("D2A716207CAFD9959EEB430A19F2E0B9740EA8C7")
+       };
+       CFArrayRef result = NULL;
+       bool hasAllowList = false;
+       CFIndex count = (sizeof(keyIDs) / sizeof(keyIDs[0]));
+       for (CFIndex ix=0; ix<count && authKeyID; ix++) {
+               if (kCFCompareEqualTo == CFStringCompare(authKeyID, keyIDs[ix], 0)) {
+                       hasAllowList = true;
+                       break;
+               }
+       }
+       if (!hasAllowList || !otapkiRef) {
+               return result;
+       }
+
+       CFDictionaryRef allowListDict = SecOTAPKICopyAllowList(otapkiRef);
+       if (!allowListDict) {
+               return result;
+       }
+
+       // return a retained copy of the allow list array (or NULL)
+       result = CFDictionaryGetValue(allowListDict, authKeyID);
+       CFRetainSafe(result);
+       CFReleaseSafe(allowListDict);
+       return result;
 }
 
 CFArrayRef SecOTAPKICopyTrustedCTLogs(SecOTAPKIRef otapkiRef)
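Review bot: The lazy load in SecOTAPKICopyAllowList writes `otapkiRef->_allowList` with no synchronization, so two threads that both see NULL each call InitializeAllowList and the second store overwrites the first dictionary without releasing it (a leak, and the two callers hand back different objects); if the SecOTAPKIRef is the process-wide object returned by SecOTAPKICopyCurrentOTAPKIRef, as its use from SecPolicyServer.c suggests, concurrent trust evaluations make this race realistic. Publish the loaded dictionary with a compare-and-swap (or a lock) and release the loser, as sketched below, assuming InitializeAllowList returns a +1 reference as the Initialize*/release-in-Destroy pattern implies and that OSAtomicCompareAndSwapPtrBarrier is acceptable in this file. Separately, the hard-coded keyIDs table in SecOTAPKICopyAllowListForAuthKeyID means an allow list shipped in a later asset for any other authority key is silently ignored, and the lookup is case-sensitive (`CFStringCompare(..., 0)`), so the `%%% temporary` comment should state that the table must track the asset and that callers must pass uppercase hex, or the gate should be dropped now that the dictionary is loaded lazily anyway.
```c
	result = otapkiRef->_allowList;
	if (!result) {
		CFDictionaryRef loaded = InitializeAllowList(otapkiRef->_assetPath);
		if (loaded &&
		    !OSAtomicCompareAndSwapPtrBarrier(NULL, (void *)loaded,
		                                      (void * volatile *)&otapkiRef->_allowList)) {
			/* another thread published its dictionary first; use that one */
			CFRelease(loaded);
		}
		result = otapkiRef->_allowList;
	}
	/* … unchanged: CFRetainSafe(result); return result; … */
```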
index 763a511404d3343633b8d719120495e1732ec423..81b3f9206f8e7b406c4b4a5c18b6d4c07c4de000 100644 (file)
@@ -50,11 +50,16 @@ CFSetRef SecOTAPKICopyBlackListSet(SecOTAPKIRef otapkiRef);
 CF_EXPORT
 CFSetRef SecOTAPKICopyGrayList(SecOTAPKIRef otapkiRef);
 
-// Accessor to retrieve a copy of the current allow list.
+// Accessor to retrieve a copy of the current allow list dictionary.
 // Caller is responsible for releasing the returned CFDictionaryRef
 CF_EXPORT
 CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef);
 
+// Accessor to retrieve a copy of the allow list for a specific authority key ID.
+// Caller is responsible for releasing the returned CFArrayRef
+CF_EXPORT
+CFArrayRef SecOTAPKICopyAllowListForAuthKeyID(SecOTAPKIRef otapkiRef, CFStringRef authKeyID);
+
 // Accessor to retrieve a copy of the current trusted certificate transparency logs.
 // Caller is responsible for releasing the returned CFArrayRef
 CF_EXPORT
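Review bot: The comment on the new SecOTAPKICopyAllowListForAuthKeyID declaration does not say that NULL is the normal "no allow list for this key" result (the implementation returns NULL for an unknown key, a NULL otapkiRef, or a key absent from the dictionary), nor that authKeyID is matched case-sensitively as a hex string. Callers such as SecPVCCheckCertificateAllowList treat NULL and an empty array alike, so make that part of the contract: `// Returns NULL when no allow list exists for authKeyID (uppercase hex SHA-1 key ID); a non-NULL result is retained and must be released by the caller.`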
index 962fbe08c6e3ad228b6b1aa1e93b52b0b2ba9d19..0386b7a57b6e9fdb02918b4a4e2e396c0d9c4c47 100644 (file)
@@ -504,7 +504,7 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro
             goto out;
         }
         cursor += ctLen;
-        if (memcmp(tag, cursor, tagLen)) {
+        if (timingsafe_bcmp(tag, cursor, tagLen)) {
             ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: CCCryptorGCM computed tag not same as tag in blob"));
             goto out;
         }
index b8a6cc4ab6fe3525cbbbdac6b3e58a713c60a102..a94acc7c7f0c6ce2d64aa579e932bce2efb7319c 100644 (file)
@@ -1231,17 +1231,18 @@ static void s3dl_export_row(sqlite3_stmt *stmt, void *context) {
     SecAccessControlRef access_control = NULL;
     CFErrorRef localError = NULL;
 
-    /* Skip akpu items when backing up, those are intentionally lost across restores. */
-    bool skip_akpu = c->filter == kSecBackupableItemFilter;
+    /* Skip akpu items when backing up, those are intentionally lost across restores. The same applies to SEP-based keys */
+    bool skip_akpu_or_token = c->filter == kSecBackupableItemFilter;
 
     sqlite_int64 rowid = sqlite3_column_int64(stmt, 0);
-    CFMutableDictionaryRef item;
+    CFMutableDictionaryRef item = NULL;
     bool ok = s3dl_item_from_col(stmt, q, 1, c->qc.accessGroups, &item, &access_control, &localError);
 
     bool is_akpu = access_control ? CFEqualSafe(SecAccessControlGetProtection(access_control),
                                                 kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly) : false;
+    bool is_token = (ok && item != NULL) ? CFDictionaryContainsKey(item, kSecAttrTokenID) : false;
 
-    if (ok && item && !(skip_akpu && is_akpu)) {
+    if (ok && item && !(skip_akpu_or_token && (is_akpu || is_token))) {
         /* Only export sysbound items if do_sys_bound is true, only export non sysbound items otherwise. */
         bool do_sys_bound = c->filter == kSecSysBoundItemFilter;
         if (c->filter == kSecNoItemFilter ||
@@ -1286,7 +1287,7 @@ static void s3dl_export_row(sqlite3_stmt *stmt, void *context) {
     } else {
         OSStatus status = SecErrorGetOSStatus(localError);
 
-        if (status == errSecInteractionNotAllowed && is_akpu && skip_akpu) {
+        if (status == errSecInteractionNotAllowed && is_akpu && skip_akpu_or_token) {
             // We expect akpu items to be inaccessible when the device is locked.
             CFReleaseNull(localError);
         } else {
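Review bot: In the error branch `is_token` can never be true, because it is derived from `item`, which is NULL when s3dl_item_from_col fails, so the suppression `status == errSecInteractionNotAllowed && is_akpu && skip_akpu_or_token` only ever covers akpu items. If a token-bound item can also fail to decode with errSecInteractionNotAllowed while the device is locked (not visible here), a backup export will now surface a hard error for an item the new filter would have skipped anyway; either have s3dl_item_from_col report the token attribute alongside access_control, or note in the comment that token items are assumed always decodable. s3dl_export_row starts and ends outside the hunk.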
@@ -1481,6 +1482,14 @@ SecServerImportItem(const void *value, void *context)
                 return;
             }
         }
+
+        /* Avoid importing token-based items.  Although newer backups should not have them,
+         * older (iOS9, iOS10.0) produced backups with token-based items.
+         */
+        if (CFDictionaryContainsKey(dict, kSecAttrTokenID)) {
+            secdebug("item", "Skipping token-based item : %@", dict);
+            return;
+        }
     }
 
     SecDbItemRef item;
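Review bot: The new skip path logs the whole item dictionary with `secdebug("item", "Skipping token-based item : %@", dict);`; at this point of SecServerImportItem `dict` presumably holds the decoded backup attributes of the item, which can include its secret data, and even a debug-only channel should not print that. Log only what identifies the item, e.g. `secdebug("item", "Skipping token-based item (token %@)", CFDictionaryGetValue(dict, kSecAttrTokenID));`. SecServerImportItem begins and ends outside the hunk.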
index e22897b7d0e9168dd18699500ceebbec70609ef4..88aeeb0000f9b958a1490340924426da8dcb0d6e 100644 (file)
@@ -132,9 +132,12 @@ bool ks_crypt(CFTypeRef operation, keybag_handle_t keybag,
     
     if (kernResult != KERN_SUCCESS) {
         if ((kernResult == kIOReturnNotPermitted) || (kernResult == kIOReturnNotPrivileged)) {
+            const char *substatus = "";
+            if (keyclass == key_class_ck || keyclass == key_class_cku)
+                substatus = " (hiberation ?)";
             /* Access to item attempted while keychain is locked. */
-            return SecError(errSecInteractionNotAllowed, error, CFSTR("ks_crypt: %x failed to '%@' item (class %"PRId32", bag: %"PRId32") Access to item attempted while keychain is locked."),
-                            kernResult, operation, keyclass, keybag);
+            return SecError(errSecInteractionNotAllowed, error, CFSTR("ks_crypt: %x failed to '%@' item (class %"PRId32", bag: %"PRId32") Access to item attempted while keychain is locked%s."),
+                            kernResult, operation, keyclass, keybag, substatus);
         } else if (kernResult == kIOReturnError) {
             /* Item can't be decrypted on this device, ever, so drop the item. */
             return SecError(errSecDecode, error, CFSTR("ks_crypt: %x failed to '%@' item (class %"PRId32", bag: %"PRId32") Item can't be decrypted on this device, ever, so drop the item."),
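Review bot: The new substatus text has a typo that will end up in the errSecInteractionNotAllowed message users and logs see: `substatus = " (hiberation ?)";` should read `substatus = " (hibernation?)";`. The `keyclass == key_class_ck || keyclass == key_class_cku` condition also deserves a one-line comment on why those classes point at hibernation (presumably their class keys are evicted while the device hibernates), since the string alone does not explain the diagnosis. ks_crypt begins outside the hunk.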
index ee240cf2ba56d2079753a789fd2f065c838d5d94..565952c056577b973c479900c9668a302a29c6d0 100644 (file)
 
 __BEGIN_DECLS
 
-// TODO: Get this out of this file
-#if USE_KEYSTORE
-typedef int32_t keyclass_t;
-#else
-
+#if !USE_KEYSTORE
 /* TODO: this needs to be available in the sim! */
 typedef int32_t keyclass_t;
 typedef int32_t key_handle_t;
index 2835e6851a9a935abc59466c6a4d7de5ae1bc788..2730c31678300fd6da6ff7d52e829aeb3bbfe3cf 100644 (file)
@@ -1186,21 +1186,24 @@ static void SecPolicyCheckIntermediateEKU(SecPVCRef pvc, CFStringRef key)
        }
 }
 
-/* Returns true if path is on the allow list, false otherwise */
-static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc)
+/* Returns true if path is on the allow list for the authority key of the
+   certificate at certix, false otherwise.
+ */
+static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc, CFIndex certix)
 {
     bool result = false;
     CFIndex ix = 0, count = SecPVCGetCertificateCount(pvc);
     CFStringRef authKey = NULL;
+    CFArrayRef allowedCerts = NULL;
     SecOTAPKIRef otapkiRef = NULL;
-    CFDictionaryRef allowList = NULL;
 
-    //get authKeyID from the last chain in the cert
-    if (count < 1) {
+    if (certix < 0 || certix >= count) {
         return result;
     }
-    SecCertificateRef lastCert = SecPVCGetCertificateAtIndex(pvc, count - 1);
-    CFDataRef authKeyID = SecCertificateGetAuthorityKeyID(lastCert);
+
+    //get authKeyID from the specified cert in the chain
+    SecCertificateRef issuedCert = SecPVCGetCertificateAtIndex(pvc, certix);
+    CFDataRef authKeyID = SecCertificateGetAuthorityKeyID(issuedCert);
     if (NULL == authKeyID) {
         return result;
     }
@@ -1209,24 +1212,19 @@ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc)
         goto errout;
     }
 
-    //if allowList && key is in allowList, this would have chained up to a now-removed anchor
     otapkiRef = SecOTAPKICopyCurrentOTAPKIRef();
     if (NULL == otapkiRef) {
         goto errout;
     }
-    allowList = SecOTAPKICopyAllowList(otapkiRef);
-    if (NULL == allowList) {
-        goto errout;
-    }
 
-    CFArrayRef allowedCerts = CFDictionaryGetValue(allowList, authKey);
-    if (!allowedCerts || !CFArrayGetCount(allowedCerts)) {
+    allowedCerts = SecOTAPKICopyAllowListForAuthKeyID(otapkiRef, authKey);
+    if (NULL == allowedCerts || !CFArrayGetCount(allowedCerts)) {
         goto errout;
     }
 
     //search sorted array for the SHA256 hash of a cert in the chain
     CFRange range = CFRangeMake(0, CFArrayGetCount(allowedCerts));
-    for (ix = 0; ix < count; ix++) {
+    for (ix = 0; ix <= certix; ix++) {
         SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
         if (!cert) {
             goto errout;
@@ -1253,7 +1251,7 @@ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc)
 errout:
     CFReleaseNull(authKey);
     CFReleaseNull(otapkiRef);
-    CFReleaseNull(allowList);
+    CFReleaseNull(allowedCerts);
     return result;
 }
 
@@ -1460,7 +1458,8 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc,
         n--;
     } else {
         /* trust may be restored for a path with an untrusted root that matches the allow list */
-        if (!SecPVCCheckCertificateAllowList(pvc)) {
+        pvc->is_allowlisted = SecPVCCheckCertificateAllowList(pvc, n - 1);
+        if (!pvc->is_allowlisted) {
             /* Add a detail for the root not being trusted. */
             if (SecPVCSetResultForced(pvc, kSecPolicyCheckAnchorTrusted,
                                       n - 1, kCFBooleanFalse, true))
@@ -1516,7 +1515,7 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc,
                 goto errOut;
             }
         }
-        if (SecCertificateIsWeak(cert)) {
+        if (SecCertificateIsWeakKey(cert)) {
             CFStringRef fail_key = i == n ? kSecPolicyCheckWeakLeaf : kSecPolicyCheckWeakIntermediates;
             if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) {
                 goto errOut;
@@ -2467,7 +2466,7 @@ static void SecPolicyCheckWeakIntermediates(SecPVCRef pvc,
     CFIndex ix, count = SecPVCGetCertificateCount(pvc);
     for (ix = 1; ix < count - 1; ++ix) {
         SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
-        if (cert && SecCertificateIsWeak(cert)) {
+        if (cert && SecCertificateIsWeakKey(cert)) {
             /* Intermediate certificate has a weak key. */
             if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse))
                 return;
@@ -2478,7 +2477,7 @@ static void SecPolicyCheckWeakIntermediates(SecPVCRef pvc,
 static void SecPolicyCheckWeakLeaf(SecPVCRef pvc,
     CFStringRef key) {
     SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, 0);
-    if (cert && SecCertificateIsWeak(cert)) {
+    if (cert && SecCertificateIsWeakKey(cert)) {
         /* Leaf certificate has a weak key. */
         if (!SecPVCSetResult(pvc, key, 0, kCFBooleanFalse))
             return;
@@ -2490,7 +2489,7 @@ static void SecPolicyCheckWeakRoot(SecPVCRef pvc,
     CFIndex ix, count = SecPVCGetCertificateCount(pvc);
     ix = count - 1;
     SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
-    if (cert && SecCertificateIsWeak(cert)) {
+    if (cert && SecCertificateIsWeakKey(cert)) {
         /* Root certificate has a weak key. */
         if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse))
             return;
@@ -3333,6 +3332,13 @@ static bool SecPVCCheckRevocation(SecPVCRef pvc) {
             SecORVCProcessStapledResponses(rvc->orvc);
         }
 
+#if TARGET_OS_BRIDGE
+        /* The bridge has no writeable storage and no network. Nothing else we can
+         * do here. */
+        rvc->done = true;
+        return completed;
+#endif
+
         /* Then check the caches for revocation results. */
         SecRVCCheckRevocationCaches(rvc);
 
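Review bot: The bridge early-out `rvc->done = true; return completed;` marks a single rvc done and leaves SecPVCCheckRevocation; if this sits inside the per-certificate loop, as the `rvc->orvc` use just above suggests, the rvcs of the remaining certificates are never marked done and `completed` is returned before they were considered. A `continue` in place of the return, or moving the `#if TARGET_OS_BRIDGE` block so the whole loop still marks every rvc done, would keep the function's bookkeeping consistent on the bridge. The function starts and ends outside the hunk, so the loop structure cannot be confirmed here.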
@@ -3537,23 +3543,14 @@ void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies,
     secdebug("alloc", "%p", pvc);
     // Weird logging policies crashes.
     //secdebug("policy", "%@", policies);
+
+    // Zero the pvc struct so only non-zero fields need to be explicitly set
+    memset(pvc, 0, sizeof(struct OpaqueSecPVC));
     pvc->builder = builder;
     pvc->policies = policies;
     if (policies)
         CFRetain(policies);
     pvc->verifyTime = verifyTime;
-    pvc->path = NULL;
-    pvc->details = NULL;
-    pvc->info = NULL;
-    pvc->valid_policy_tree = NULL;
-    pvc->callbacks = NULL;
-    pvc->policyIX = 0;
-    pvc->rvcs = NULL;
-    pvc->asyncJobCount = 0;
-    pvc->check_revocation = NULL;
-    pvc->response_required = false;
-    pvc->optionally_ev = false;
-    pvc->is_ev = false;
     pvc->result = true;
 }
 
@@ -3810,7 +3807,7 @@ bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix) {
             goto errOut;
        }
 
-    if (SecCertificateIsWeak(cert)) {
+    if (SecCertificateIsWeakKey(cert)) {
         /* Certificate uses weak key. */
         if (!SecPVCSetResult(pvc, is_anchor ? kSecPolicyCheckWeakRoot
             : kSecPolicyCheckWeakIntermediates, ix, kCFBooleanFalse))
@@ -3860,22 +3857,33 @@ bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix) {
                if (NULL != blackListedKeys)
                {
                        SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
-                   bool is_anchor = (ix == SecPVCGetCertificateCount(pvc) - 1
-                                     && SecPVCIsAnchored(pvc));
-                   if (!is_anchor) {
-                       /* Check for blacklisted intermediates keys. */
-                       CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
-                       if (dgst) {
-                           /* Check dgst against blacklist. */
-                           if (CFSetContainsValue(blackListedKeys, dgst)) {
-                               SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey,
-                                                     ix, kCFBooleanFalse, true);
-                           }
-                           CFRelease(dgst);
-                       }
-                   }
+                       CFIndex count = SecPVCGetCertificateCount(pvc);
+                       bool is_last = (ix == count - 1);
+                       bool is_anchor = (is_last && SecPVCIsAnchored(pvc));
+                       if (!is_anchor) {
+                               /* Check for blacklisted intermediate issuer keys. */
+                               CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
+                               if (dgst) {
+                                       /* Check dgst against blacklist. */
+                                       if (CFSetContainsValue(blackListedKeys, dgst)) {
+                                               /* Check allow list for this blacklisted issuer key,
+                                                  which is the authority key of the issued cert at ix-1.
+                                                  If ix is the last cert, the root is missing, so we
+                                                  also check our own authority key in that case.
+                                               */
+                                               bool allowed = ((ix && SecPVCCheckCertificateAllowList(pvc, ix - 1)) ||
+                                                               (is_last && SecPVCCheckCertificateAllowList(pvc, ix)));
+                                               if (!allowed) {
+                                                       SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey,
+                                                                             ix, kCFBooleanFalse, true);
+                                               }
+                                               pvc->is_allowlisted = allowed;
+                                       }
+                                       CFRelease(dgst);
+                               }
+                       }
                        CFRelease(blackListedKeys);
-                   return pvc->result;
+                       return pvc->result;
                }
        }
        // Assume OK
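Review bot: The rewritten body of SecPVCBlackListedKeyChecks is now duplicated line for line in SecPVCGrayListedKeyChecks (the next hunk), differing only in the key set and the policy check key; the allow-list exception logic with its `ix - 1` / `is_last` subtlety is exactly the kind of code that should exist once. A static helper taking the set and the failure key, as sketched below, lets both callers reduce to fetching their set, calling the helper, and releasing the set. The new lines are also tab-indented while the surrounding context uses spaces, which the helper would sidestep. Both functions start outside their hunks.
```c
/* Shared body of SecPVCBlackListedKeyChecks / SecPVCGrayListedKeyChecks.
   keys holds SHA-1 public-key digests to reject; failKey is the policy check
   recorded when the issuer key at ix is listed and not allow-listed. */
static bool SecPVCListedIssuerKeyCheck(SecPVCRef pvc, CFIndex ix,
                                       CFSetRef keys, CFStringRef failKey) {
    SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
    CFIndex count = SecPVCGetCertificateCount(pvc);
    bool is_last = (ix == count - 1);
    bool is_anchor = (is_last && SecPVCIsAnchored(pvc));
    if (is_anchor) {
        return pvc->result;
    }
    CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
    if (dgst) {
        if (CFSetContainsValue(keys, dgst)) {
            /* The listed key is the authority key of the cert at ix-1; if ix is
               the last cert the root is missing, so also consult our own authority key. */
            bool allowed = ((ix && SecPVCCheckCertificateAllowList(pvc, ix - 1)) ||
                            (is_last && SecPVCCheckCertificateAllowList(pvc, ix)));
            if (!allowed) {
                SecPVCSetResultForced(pvc, failKey, ix, kCFBooleanFalse, true);
            }
            pvc->is_allowlisted = allowed;
        }
        CFRelease(dgst);
    }
    return pvc->result;
}

/* … in SecPVCBlackListedKeyChecks, replacing the block under `if (NULL != blackListedKeys)` … */
            bool result = SecPVCListedIssuerKeyCheck(pvc, ix, blackListedKeys, kSecPolicyCheckBlackListedKey);
            CFRelease(blackListedKeys);
            return result;
```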
@@ -3884,7 +3892,7 @@ bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix) {
 
 bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix)
 {
-    /* Check stuff common to intermediate and anchors. */
+       /* Check stuff common to intermediate and anchors. */
        SecOTAPKIRef otapkiRef = SecOTAPKICopyCurrentOTAPKIRef();
        if (NULL != otapkiRef)
        {
@@ -3893,22 +3901,33 @@ bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix)
                if (NULL != grayListKeys)
                {
                        SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
-                   bool is_anchor = (ix == SecPVCGetCertificateCount(pvc) - 1
-                                     && SecPVCIsAnchored(pvc));
-                   if (!is_anchor) {
-                       /* Check for gray listed intermediates keys. */
-                       CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
-                       if (dgst) {
-                           /* Check dgst against gray list. */
-                           if (CFSetContainsValue(grayListKeys, dgst)) {
-                               SecPVCSetResultForced(pvc, kSecPolicyCheckGrayListedKey,
-                                                     ix, kCFBooleanFalse, true);
-                           }
-                           CFRelease(dgst);
-                       }
-                   }
+                       CFIndex count = SecPVCGetCertificateCount(pvc);
+                       bool is_last = (ix == count - 1);
+                       bool is_anchor = (is_last && SecPVCIsAnchored(pvc));
+                       if (!is_anchor) {
+                               /* Check for gray listed intermediate issuer keys. */
+                               CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
+                               if (dgst) {
+                                       /* Check dgst against gray list. */
+                                       if (CFSetContainsValue(grayListKeys, dgst)) {
+                                               /* Check allow list for this graylisted issuer key,
+                                                  which is the authority key of the issued cert at ix-1.
+                                                  If ix is the last cert, the root is missing, so we
+                                                  also check our own authority key in that case.
+                                               */
+                                               bool allowed = ((ix && SecPVCCheckCertificateAllowList(pvc, ix - 1)) ||
+                                                               (is_last && SecPVCCheckCertificateAllowList(pvc, ix)));
+                                               if (!allowed) {
+                                                       SecPVCSetResultForced(pvc, kSecPolicyCheckGrayListedKey,
+                                                                             ix, kCFBooleanFalse, true);
+                                               }
+                                               pvc->is_allowlisted = allowed;
+                                       }
+                                       CFRelease(dgst);
+                               }
+                       }
                        CFRelease(grayListKeys);
-                   return pvc->result;
+                       return pvc->result;
                }
        }
        // Assume ok
index f1393c03e375d65daf911e3935f184692392963e..ecae581defd7d42b7bf7e5b0a202228ab8f659e2 100644 (file)
@@ -63,6 +63,7 @@ struct OpaqueSecPVC {
     bool is_ev;
     bool is_ct;
     bool is_ct_whitelisted;
+    bool is_allowlisted;
     bool result;
 };
 
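Review bot: The new `is_allowlisted` field is added without a comment, and its meaning is only recoverable from SecPolicyServer.c, where it is set when an untrusted root, or a black/gray-listed issuer key, was accepted because a certificate on the path is on the OTA allow list. Document it at the declaration: `bool is_allowlisted;   /* path accepted only via the OTA allow list (untrusted root or listed issuer key) */`. The struct begins outside the hunk.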
index 2d6edacb98a8791858983d95edc63a8b977c45bd..1b36ba36542879c6bbb98543d7c0cf582559ee50 100644 (file)
@@ -33,6 +33,7 @@
 
 #include <utilities/SecIOFormat.h>
 #include <utilities/SecDispatchRelease.h>
+#include <utilities/SecAppleAnchorPriv.h>
 
 #include <Security/SecTrustPriv.h>
 #include <Security/SecItem.h>
@@ -61,6 +62,8 @@
 #include <ipc/securityd_client.h>
 #include <CommonCrypto/CommonDigest.h>
 #include "OTATrustUtilities.h"
+#include "personalization.h"
+#include <utilities/SecInternalReleasePriv.h>
 
 
 /********************************************************
@@ -770,6 +773,7 @@ struct SecPathBuilder {
     SecCertificateSourceRef certificateSource;
     SecCertificateSourceRef itemCertificateSource;
     SecCertificateSourceRef anchorSource;
+    SecCertificateSourceRef appleAnchorSource;
     CFMutableArrayRef       anchorSources;
     CFIndex                 nextParentSource;
     CFMutableArrayRef       parentSources;
@@ -861,11 +865,8 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
     builder->queue = dispatch_queue_create("builder", DISPATCH_QUEUE_SERIAL);
 
     builder->nextParentSource = 1;
-    builder->considerPartials = false;
 #if !TARGET_OS_WATCH
     builder->canAccessNetwork = true;
-#else
-    builder->canAccessNetwork = false;
 #endif
 
     builder->anchorSources = CFArrayCreateMutable(allocator, 0, NULL);
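Review bot: Dropping `builder->considerPartials = false;` and the `#else` branch that cleared canAccessNetwork makes SecPathBuilderInit depend on its caller having zero-filled the struct, which only the memset added to SecPathBuilderCreate does; any other caller of this static init, now or later, gets uninitialized `considerPartials`, `canAccessNetwork` on watchOS, `partialIX`, `activations` and the bestPath* fields that the later hunks also stop setting. Moving `memset(builder, 0, sizeof(*builder));` to the top of SecPathBuilderInit, or at least stating the precondition above it (`/* builder must be zero-filled by the caller; only non-zero fields are set here */`), keeps the invariant next to the code that relies on it. SecPathBuilderInit begins outside the hunk.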
@@ -876,70 +877,90 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
     builder->partialPaths = CFArrayCreateMutable(allocator, 0, NULL);
     builder->rejectedPaths = CFArrayCreateMutable(allocator, 0, NULL);
     builder->candidatePaths = CFArrayCreateMutable(allocator, 0, NULL);
-    builder->partialIX = 0;
 
     /* Init the policy verification context. */
     SecPVCInit(&builder->path, builder, policies, verifyTime);
-       builder->bestPath = NULL;
-       builder->bestPathIsEV = false;
-    builder->bestPathIsSHA2 = false;
-    builder->denyBestPath = false;
-       builder->bestPathScore = 0;
 
        /* Let's create all the certificate sources we might want to use. */
        builder->certificateSource =
                SecMemoryCertificateSourceCreate(certificates);
-       if (anchors)
+    if (anchors) {
                builder->anchorSource = SecMemoryCertificateSourceCreate(anchors);
-       else
-               builder->anchorSource = NULL;
+    }
+
+    bool allowNonProduction = false;
+    builder->appleAnchorSource = SecMemoryCertificateSourceCreate(SecGetAppleTrustAnchors(allowNonProduction));
+
 
     /** Parent Sources
      ** The order here avoids the most expensive methods if the cheaper methods
      ** produce an acceptable chain: client-provided, keychains, network-fetched.
      **/
+#if !TARGET_OS_BRIDGE
     CFArrayAppendValue(builder->parentSources, builder->certificateSource);
     builder->itemCertificateSource = SecItemCertificateSourceCreate(accessGroups);
     if (keychainsAllowed) {
         CFArrayAppendValue(builder->parentSources, builder->itemCertificateSource);
-#if !TARGET_OS_IPHONE
+ #if TARGET_OS_OSX
         /* On OS X, need additional parent source to search legacy keychain files. */
         if (kSecLegacyCertificateSource.contains && kSecLegacyCertificateSource.copyParents) {
             CFArrayAppendValue(builder->parentSources, &kSecLegacyCertificateSource);
         }
-#endif
+ #endif
     }
     if (anchorsOnly) {
-        /* Add the system and user anchor certificate db to the search list
+        /* Add the Apple, system, and user anchor certificate db to the search list
          if we don't explicitly trust them. */
+        CFArrayAppendValue(builder->parentSources, builder->appleAnchorSource);
         CFArrayAppendValue(builder->parentSources, &kSecSystemAnchorSource);
-#if TARGET_OS_IPHONE
+ #if TARGET_OS_IPHONE
         CFArrayAppendValue(builder->parentSources, &kSecUserAnchorSource);
-#endif
+ #endif
     }
     if (keychainsAllowed && builder->canAccessNetwork) {
         CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource);
     }
+#else /* TARGET_OS_BRIDGE */
+    /* Bridge can only access memory sources. */
+    CFArrayAppendValue(builder->parentSources, builder->certificateSource);
+    if (anchorsOnly) {
+        /* Add the Apple, system, and user anchor certificate db to the search list
+         if we don't explicitly trust them. */
+        CFArrayAppendValue(builder->parentSources, builder->appleAnchorSource);
+    }
+#endif /* !TARGET_OS_BRIDGE */
 
     /** Anchor Sources
      ** The order here allows a client-provided anchor to overrule
      ** a user or admin trust setting which can overrule the system anchors.
+     ** Apple's anchors cannot be overriden by a trust setting.
      **/
+#if !TARGET_OS_BRIDGE
        if (builder->anchorSource) {
                CFArrayAppendValue(builder->anchorSources, builder->anchorSource);
        }
     if (!anchorsOnly) {
         /* Only add the system and user anchor certificate db to the
          anchorSources if we are supposed to trust them. */
-#if TARGET_OS_IPHONE
+        CFArrayAppendValue(builder->anchorSources, builder->appleAnchorSource);
+ #if TARGET_OS_IPHONE
         CFArrayAppendValue(builder->anchorSources, &kSecUserAnchorSource);
-#else
+ #else /* TARGET_OS_OSX */
         if (keychainsAllowed && kSecLegacyAnchorSource.contains && kSecLegacyAnchorSource.copyParents) {
             CFArrayAppendValue(builder->anchorSources, &kSecLegacyAnchorSource);
         }
-#endif
+ #endif
         CFArrayAppendValue(builder->anchorSources, &kSecSystemAnchorSource);
     }
+#else /* TARGET_OS_BRIDGE */
+    /* Bridge can only access memory sources. */
+    if (builder->anchorSource) {
+        CFArrayAppendValue(builder->anchorSources, builder->anchorSource);
+    }
+    if (!anchorsOnly) {
+        CFArrayAppendValue(builder->anchorSources, builder->appleAnchorSource);
+    }
+#endif /* !TARGET_OS_BRIDGE */
 
        /* Now let's get the leaf cert and turn it into a path. */
        SecCertificateRef leaf =
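Review bot: `bool allowNonProduction = false;` is a constant passed straight to SecGetAppleTrustAnchors, while the same commit adds `#include <utilities/SecInternalReleasePriv.h>` and `"personalization.h"` that nothing in the visible hunks uses; if the intent was to admit non-production Apple anchors on internal builds, it is not wired up, and if not, the local and the includes are dead and a comment should say why test anchors are always excluded (`/* production Apple anchors only; non-production anchors are never trusted by the path builder */`). The array returned by SecGetAppleTrustAnchors is also handed to SecMemoryCertificateSourceCreate without a NULL check, and whether it is a borrowed or a +1 reference is not visible here; if +1 it leaks, since SecPathBuilderDestroy only destroys the source. Finally, "overriden" in the new anchor-sources comment should be "overridden".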
@@ -975,7 +996,6 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
         CFReleaseSafe(otapkiref);
     }
 
-    builder->activations = 0;
     builder->state = SecPathBuilderGetNext;
     builder->completed = completed;
     builder->context = context;
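Review bot: Dropping `builder->activations = 0;` leaves SecPathBuilderInit depending on a precondition it does not state: the struct it receives must already be zero-filled. SecPathBuilderCreate in this commit does memset the allocation, but Init is a static helper whose other callers, if any, are outside this hunk, and a future caller handing it a stack-allocated or reused builder would read an uninitialized activations counter. I would record the contract at the top of Init, e.g. `/* Precondition: *builder is zero-filled (see SecPathBuilderCreate); fields not assigned here are relied on to be 0/NULL. */`. The function's signature and the start of its body are above this hunk.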
@@ -988,6 +1008,7 @@ SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
     CFAbsoluteTime verifyTime, CFArrayRef accessGroups,
     SecPathBuilderCompleted completed, const void *context) {
     SecPathBuilderRef builder = malloc(sizeof(*builder));
+    memset(builder, 0, sizeof(*builder));
     SecPathBuilderInit(builder, clientAuditToken, certificates,
         anchors, anchorsOnly, keychainsAllowed, policies, ocspResponses,
         signedCertificateTimestamps, trustedLogs, verifyTime,
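Review bot: The new `memset(builder, 0, sizeof(*builder));` dereferences the malloc result from the line above without a NULL check, so an allocation failure turns into a write through NULL rather than an error. `calloc` gives the same zero-fill in one call and a guard keeps the failure explicit: `SecPathBuilderRef builder = calloc(1, sizeof(*builder));` followed by `if (!builder) { return NULL; }`. Whether callers of SecPathBuilderCreate already tolerate a NULL return is not visible in this hunk, so that should be confirmed before relying on it.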
@@ -998,12 +1019,14 @@ SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
 static void SecPathBuilderDestroy(SecPathBuilderRef builder) {
     secdebug("alloc", "%p", builder);
     dispatch_release_null(builder->queue);
-       if (builder->anchorSource)
-               SecMemoryCertificateSourceDestroy(builder->anchorSource);
-       if (builder->certificateSource)
-               SecMemoryCertificateSourceDestroy(builder->certificateSource);
-    if (builder->itemCertificateSource)
-        SecItemCertificateSourceDestroy(builder->itemCertificateSource);
+    if (builder->anchorSource) {
+        SecMemoryCertificateSourceDestroy(builder->anchorSource); }
+    if (builder->certificateSource) {
+        SecMemoryCertificateSourceDestroy(builder->certificateSource); }
+    if (builder->itemCertificateSource) {
+        SecItemCertificateSourceDestroy(builder->itemCertificateSource); }
+    if (builder->appleAnchorSource) {
+        SecMemoryCertificateSourceDestroy(builder->appleAnchorSource); }
        CFReleaseSafe(builder->clientAuditToken);
        CFReleaseSafe(builder->anchorSources);
        CFReleaseSafe(builder->parentSources);
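Review bot: The rewritten destroy calls close the block on the statement line, `SecMemoryCertificateSourceDestroy(builder->anchorSource); }`, which matches neither the K&R form used in the other hunks of this commit (e.g. the `if (anchorsOnly) {` block in SecPathBuilderInit) nor the original brace-less form, and it hides the block end from a quick scan. I would write each as a conventional three-line block: `if (builder->appleAnchorSource) {` / `    SecMemoryCertificateSourceDestroy(builder->appleAnchorSource);` / `}`. SecPathBuilderDestroy continues past the end of this hunk.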
@@ -1419,6 +1442,7 @@ static void SecPathBuilderAccept(SecPathBuilderRef builder) {
     check(builder);
     SecPVCRef pvc = &builder->path;
     bool isSHA2 = !SecCertificatePathHasWeakHash(pvc->path);
+    bool isOptionallySHA2 = !SecCertificateIsWeakHash(SecPVCGetCertificateAtIndex(pvc, 0));
     CFIndex bestScore = builder->bestPathScore;
     /* Score this path. Note that all points awarded or deducted in
      * SecCertificatePathScore are < 100,000 */
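Review bot: `isOptionallySHA2` on the added line is a misleading name: it holds "the leaf is not signed with a weak hash", and in the following hunk it is used only negated, so the reader inverts it twice to reach the meaning. Storing the positive fact reads directly: `bool leafIsWeakHash = SecCertificateIsWeakHash(SecPVCGetCertificateAtIndex(pvc, 0));` with a short comment `/* a weak-hash leaf cannot be repaired by choosing a different chain */`. SecPathBuilderAccept's body continues beyond this hunk, so the use site is not shown here.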
@@ -1442,7 +1466,7 @@ static void SecPathBuilderAccept(SecPathBuilderRef builder) {
 
     /* If we found the best accept we can, we want to switch directly to the
        SecPathBuilderComputeDetails state here, since we're done. */
-    if ((pvc->is_ev || !pvc->optionally_ev) && isSHA2)
+    if ((pvc->is_ev || !pvc->optionally_ev) && (isSHA2 || !isOptionallySHA2))
         builder->state = SecPathBuilderComputeDetails;
     else
         builder->state = SecPathBuilderGetNext;
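Review bot: The new condition `(isSHA2 || !isOptionallySHA2)` has no comment, and its intent — stop searching when the chain has no weak hash, or when the weak hash is in the leaf itself so no alternative chain can remove it — is only recoverable by tracing both flags back to their definitions in an earlier hunk. A one-line comment above the `if` would make the early exit auditable: `/* Keep searching only if the weak hash is above the leaf; a weak-hash leaf is terminal. */`. SecPathBuilderAccept begins above this hunk.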
@@ -1511,6 +1535,14 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) {
         builder->bestPathScore = 0;
     }
 
+    /* Accept a partial path if certificate is on the allow list
+       and is temporally valid. */
+    if (completed && pvc->is_allowlisted &&
+        builder->bestPathScore < ACCEPT_PATH_SCORE &&
+        SecCertificatePathIsValid(pvc->path, pvc->verifyTime)) {
+        builder->bestPathScore += ACCEPT_PATH_SCORE;
+    }
+
     CFReleaseSafe(details);
 
     return completed;
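Review bot: The allow-list override at `builder->bestPathScore += ACCEPT_PATH_SCORE;` promotes a path whose score fell short, gated only on `completed`, `pvc->is_allowlisted` and temporal validity, and the comment says neither which failure is being overridden nor where `is_allowlisted` is decided, so a later reader cannot tell whether a revoked or policy-failing chain could also ride through on the allow list. I would state the contract in the comment, e.g. `/* is_allowlisted is decided during path evaluation, not here; this only makes up the score shortfall (typically no trusted anchor) and presumes the other policy checks already ran on this path — TODO confirm. */`, since the evaluation is outside this hunk. The file already uses secdebug, so a trace when the override fires, `secdebug("trust", "%p accepting allow-listed partial path", builder);`, would make the bypass visible in diagnostics. SecPathBuilderComputeDetails begins above this hunk.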
index 64686bad45415fd4922b30a3d2d4634c1bfef4da..24acf828149f0a95a538fd427a9f16377cf8c3ac 100644 (file)
@@ -24,6 +24,7 @@ ONE_TEST(si_24_sectrust_nist)
 ONE_TEST(si_24_sectrust_diginotar)
 ONE_TEST(si_24_sectrust_digicert_malaysia)
 ONE_TEST(si_24_sectrust_passbook)
+ONE_TEST(si_25_cms_skid)
 ONE_TEST(si_26_sectrust_copyproperties)
 ONE_TEST(si_27_sectrust_exceptions)
 ONE_TEST(si_28_sectrustsettings)
@@ -33,8 +34,10 @@ ONE_TEST(si_44_seckey_ec)
 ONE_TEST(si_44_seckey_ies)
 #if !TARGET_OS_WATCH
 ONE_TEST(si_67_sectrust_blacklist)
+ONE_TEST(si_84_sectrust_allowlist)
 #else
 DISABLED_ONE_TEST(si_67_sectrust_blacklist)
+DISABLED_ONE_TEST(si_84_sectrust_allowlist)
 #endif
 ONE_TEST(si_70_sectrust_unified)
 ONE_TEST(si_71_mobile_store_policy)
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/.gitignore b/OSX/shared_regressions/si-20-sectrust-policies-data/.gitignore
new file mode 100644 (file)
index 0000000..82b4317
--- /dev/null
@@ -0,0 +1,2 @@
+.DS_Store
+debugging.plist
diff --git a/OSX/utilities/.gitignore b/OSX/utilities/.gitignore
new file mode 100644 (file)
index 0000000..e43b0f9
--- /dev/null
@@ -0,0 +1 @@
+.DS_Store
index b453b9276e9054f3c9c72bf390f25dfd06ad25cd..4fcc54813828d510339a4ef9147dae9113630dd7 100644 (file)
 
 static CFDictionaryRef getAnchors(void);
 
-static bool testAppleAnchorsAllowed(SecAppleTrustAnchorFlags flags) {
-    if (!(flags & kSecAppleTrustAnchorFlagsIncludeTestAnchors)) {
-        /* user does not want test anchors */
-        return false;
-    }
-    if (SecIsInternalRelease() ||
-        flags & kSecAppleTrustAnchorFlagsAllowNonProduction) {
-        /* device allows test anchors */
-        return true;
-    }
-    return false;
-}
 
 bool
 SecIsAppleTrustAnchorData(CFDataRef cert,
@@ -59,11 +47,8 @@ SecIsAppleTrustAnchorData(CFDataRef cert,
 
     require(isBoolean(value), fail);
 
-    if (testAppleAnchorsAllowed(flags)) {
-        res = true;
-    } else {
-        res = CFBooleanGetValue(value);
-    }
+    res = CFBooleanGetValue(value);
+
 
  fail:
     return res;
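Review bot: After this change `flags` is never read in SecIsAppleTrustAnchorData — the result is now just `CFBooleanGetValue(value)` — so callers passing kSecAppleTrustAnchorFlagsIncludeTestAnchors or kSecAppleTrustAnchorFlagsAllowNonProduction silently get production-only behaviour while the prototype still advertises the parameter. Make that explicit and keep -Wunused-parameter quiet with `(void)flags; /* test anchors were removed from the table; flags no longer affect the result */` next to the assignment, and drop the stray blank line the `+` adds after it. The function's signature and the `value` lookup are above this hunk.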
@@ -114,32 +99,6 @@ static const unsigned char AppleRootG3Hash[32] = {
     0x7c, 0x4f, 0x5c, 0x75, 0x6f, 0x30, 0x17, 0xb3, 0xa8, 0xc4, 0x88, 0xc3, 0x65, 0x3e, 0x91, 0x79
 };
 
-/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */
-/* SKID: 59:B8:2B:94:3A:1B:BA:F1:00:AE:EE:50:52:23:33:C9:59:C3:54:98 */
-/* Not Before: Apr 22 02:15:48 2015 GMT, Not After : Feb  9 21:40:36 2035 GMT */
-/* Signature Algorithm: sha1WithRSAEncryption */
-static const unsigned char TestAppleRootCAHash[32] = {
-    0x08, 0x47, 0x99, 0xfb, 0xa9, 0x9c, 0x06, 0x46, 0xe5, 0xcf, 0x0b, 0xf2, 0x73, 0x7f, 0x23, 0xa4,
-    0x77, 0xe4, 0x98, 0x05, 0x5b, 0x9e, 0xf9, 0x0c, 0xdf, 0x40, 0xc2, 0x92, 0xfd, 0x46, 0x6c, 0xd7
-};
-
-/* subject:/CN=Test Apple Global Root CA/OU=Apple Certification Authority/O=Apple Inc./C=US */
-/* SKID: 96:D3:56:5F:F8:49:C1:40:DF:3B:82:36:5F:09:75:EE:95:58:32:43 */
-/* Not Before: Apr 22 02:43:57 2015 GMT, Not After : Dec 26 03:13:37 2040 GMT */
-/* Signature Algorithm: ecdsa-with-SHA384 */
-static const unsigned char TestAppleRootG2Hash[32] = {
-    0x0c, 0x14, 0x3e, 0xab, 0x0e, 0xb9, 0x23, 0xbe, 0xa5, 0xc5, 0x3e, 0xe4, 0x24, 0xcf, 0xdb, 0x63,
-    0xc6, 0xa9, 0xc2, 0x38, 0x0f, 0x6b, 0xf6, 0xbf, 0xb2, 0x62, 0xdd, 0x36, 0x92, 0x25, 0xfb, 0xea
-};
-
-/* subject:/CN=Test Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
-/* SKID: FC:46:D8:83:6C:1F:E6:F2:DC:DF:A7:99:17:AE:0B:44:67:17:1B:46 */
-/* Not Before: Apr 22 03:17:44 2015 GMT, Not After : Dec 26 03:13:37 2040 GMT */
-/* Signature Algorithm: ecdsa-with-SHA384 */
-static const unsigned char TestAppleRootG3Hash[32] = {
-    0xbe, 0x9f, 0x7d, 0x2b, 0x62, 0x81, 0x8b, 0xb0, 0xce, 0x6d, 0x7d, 0x73, 0x65, 0xcc, 0x9f, 0xbc,
-    0xbe, 0xa4, 0x1b, 0x5a, 0xe1, 0xd4, 0xe9, 0xdd, 0xd5, 0x4c, 0x1b, 0x34, 0x9e, 0x7a, 0x2d, 0xa6
-};
 
 static void
 addAnchor(CFMutableDictionaryRef anchors,
@@ -166,11 +125,261 @@ getAnchors(void)
         addAnchor(temp, AppleRootCAHash, sizeof(AppleRootCAHash), true);
         addAnchor(temp, AppleRootG2Hash, sizeof(AppleRootG2Hash), true);
         addAnchor(temp, AppleRootG3Hash, sizeof(AppleRootG3Hash), true);
-        addAnchor(temp, TestAppleRootCAHash, sizeof(TestAppleRootCAHash), false);
-        addAnchor(temp, TestAppleRootG2Hash, sizeof(TestAppleRootG2Hash), false);
-        addAnchor(temp, TestAppleRootG3Hash, sizeof(TestAppleRootG3Hash), false);
 
 
+        anchors = temp;
+    });
+    return anchors;
+}
+
+/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */
+/* SKID: 2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E */
+/* Not Before: Apr 25 21:40:36 2006 GMT, Not After : Feb  9 21:40:36 2035 GMT */
+/* Signature Algorithm: sha1WithRSAEncryption */
+static const unsigned char AppleRootCA[1215]={
+    0x30,0x82,0x04,0xBB,0x30,0x82,0x03,0xA3,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x02,
+    0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,
+    0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,
+    0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,
+    0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,
+    0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,
+    0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06,
+    0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,
+    0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x34,0x32,0x35,0x32,0x31,0x34,
+    0x30,0x33,0x36,0x5A,0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30,
+    0x33,0x36,0x5A,0x30,0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
+    0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,
+    0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,
+    0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,
+    0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,
+    0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,
+    0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,
+    0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,
+    0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE4,0x91,0xA9,0x09,0x1F,0x91,0xDB,0x1E,
+    0x47,0x50,0xEB,0x05,0xED,0x5E,0x79,0x84,0x2D,0xEB,0x36,0xA2,0x57,0x4C,0x55,0xEC,
+    0x8B,0x19,0x89,0xDE,0xF9,0x4B,0x6C,0xF5,0x07,0xAB,0x22,0x30,0x02,0xE8,0x18,0x3E,
+    0xF8,0x50,0x09,0xD3,0x7F,0x41,0xA8,0x98,0xF9,0xD1,0xCA,0x66,0x9C,0x24,0x6B,0x11,
+    0xD0,0xA3,0xBB,0xE4,0x1B,0x2A,0xC3,0x1F,0x95,0x9E,0x7A,0x0C,0xA4,0x47,0x8B,0x5B,
+    0xD4,0x16,0x37,0x33,0xCB,0xC4,0x0F,0x4D,0xCE,0x14,0x69,0xD1,0xC9,0x19,0x72,0xF5,
+    0x5D,0x0E,0xD5,0x7F,0x5F,0x9B,0xF2,0x25,0x03,0xBA,0x55,0x8F,0x4D,0x5D,0x0D,0xF1,
+    0x64,0x35,0x23,0x15,0x4B,0x15,0x59,0x1D,0xB3,0x94,0xF7,0xF6,0x9C,0x9E,0xCF,0x50,
+    0xBA,0xC1,0x58,0x50,0x67,0x8F,0x08,0xB4,0x20,0xF7,0xCB,0xAC,0x2C,0x20,0x6F,0x70,
+    0xB6,0x3F,0x01,0x30,0x8C,0xB7,0x43,0xCF,0x0F,0x9D,0x3D,0xF3,0x2B,0x49,0x28,0x1A,
+    0xC8,0xFE,0xCE,0xB5,0xB9,0x0E,0xD9,0x5E,0x1C,0xD6,0xCB,0x3D,0xB5,0x3A,0xAD,0xF4,
+    0x0F,0x0E,0x00,0x92,0x0B,0xB1,0x21,0x16,0x2E,0x74,0xD5,0x3C,0x0D,0xDB,0x62,0x16,
+    0xAB,0xA3,0x71,0x92,0x47,0x53,0x55,0xC1,0xAF,0x2F,0x41,0xB3,0xF8,0xFB,0xE3,0x70,
+    0xCD,0xE6,0xA3,0x4C,0x45,0x7E,0x1F,0x4C,0x6B,0x50,0x96,0x41,0x89,0xC4,0x74,0x62,
+    0x0B,0x10,0x83,0x41,0x87,0x33,0x8A,0x81,0xB1,0x30,0x58,0xEC,0x5A,0x04,0x32,0x8C,
+    0x68,0xB3,0x8F,0x1D,0xDE,0x65,0x73,0xFF,0x67,0x5E,0x65,0xBC,0x49,0xD8,0x76,0x9F,
+    0x33,0x14,0x65,0xA1,0x77,0x94,0xC9,0x2D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,
+    0x7A,0x30,0x82,0x01,0x76,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,
+    0x04,0x03,0x02,0x01,0x06,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,
+    0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
+    0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6,0xF7,
+    0x47,0x4D,0x7F,0x08,0x5E,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,
+    0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6,
+    0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20,0x04,
+    0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86,0x48,
+    0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06,0x01,
+    0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x77,
+    0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,
+    0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,
+    0x02,0x02,0x30,0x81,0xB6,0x1A,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65,
+    0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,
+    0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74,
+    0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74,
+    0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E,
+    0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E,
+    0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63,
+    0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,
+    0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F,
+    0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,
+    0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20,
+    0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0D,0x06,0x09,0x2A,
+    0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x5C,
+    0x36,0x99,0x4C,0x2D,0x78,0xB7,0xED,0x8C,0x9B,0xDC,0xF3,0x77,0x9B,0xF2,0x76,0xD2,
+    0x77,0x30,0x4F,0xC1,0x1F,0x85,0x83,0x85,0x1B,0x99,0x3D,0x47,0x37,0xF2,0xA9,0x9B,
+    0x40,0x8E,0x2C,0xD4,0xB1,0x90,0x12,0xD8,0xBE,0xF4,0x73,0x9B,0xEE,0xD2,0x64,0x0F,
+    0xCB,0x79,0x4F,0x34,0xD8,0xA2,0x3E,0xF9,0x78,0xFF,0x6B,0xC8,0x07,0xEC,0x7D,0x39,
+    0x83,0x8B,0x53,0x20,0xD3,0x38,0xC4,0xB1,0xBF,0x9A,0x4F,0x0A,0x6B,0xFF,0x2B,0xFC,
+    0x59,0xA7,0x05,0x09,0x7C,0x17,0x40,0x56,0x11,0x1E,0x74,0xD3,0xB7,0x8B,0x23,0x3B,
+    0x47,0xA3,0xD5,0x6F,0x24,0xE2,0xEB,0xD1,0xB7,0x70,0xDF,0x0F,0x45,0xE1,0x27,0xCA,
+    0xF1,0x6D,0x78,0xED,0xE7,0xB5,0x17,0x17,0xA8,0xDC,0x7E,0x22,0x35,0xCA,0x25,0xD5,
+    0xD9,0x0F,0xD6,0x6B,0xD4,0xA2,0x24,0x23,0x11,0xF7,0xA1,0xAC,0x8F,0x73,0x81,0x60,
+    0xC6,0x1B,0x5B,0x09,0x2F,0x92,0xB2,0xF8,0x44,0x48,0xF0,0x60,0x38,0x9E,0x15,0xF5,
+    0x3D,0x26,0x67,0x20,0x8A,0x33,0x6A,0xF7,0x0D,0x82,0xCF,0xDE,0xEB,0xA3,0x2F,0xF9,
+    0x53,0x6A,0x5B,0x64,0xC0,0x63,0x33,0x77,0xF7,0x3A,0x07,0x2C,0x56,0xEB,0xDA,0x0F,
+    0x21,0x0E,0xDA,0xBA,0x73,0x19,0x4F,0xB5,0xD9,0x36,0x7F,0xC1,0x87,0x55,0xD9,0xA7,
+    0x99,0xB9,0x32,0x42,0xFB,0xD8,0xD5,0x71,0x9E,0x7E,0xA1,0x52,0xB7,0x1B,0xBD,0x93,
+    0x42,0x24,0x12,0x2A,0xC7,0x0F,0x1D,0xB6,0x4D,0x9C,0x5E,0x63,0xC8,0x4B,0x80,0x17,
+    0x50,0xAA,0x8A,0xD5,0xDA,0xE4,0xFC,0xD0,0x09,0x07,0x37,0xB0,0x75,0x75,0x21,
+};
+
+/* subject:/CN=Apple Root CA - G2/OU=Apple Certification Authority/O=Apple Inc./C=US */
+/* SKID: C4:99:13:6C:18:03:C2:7B:C0:A3:A0:0D:7F:72:80:7A:1C:77:26:8D */
+/* Not Before: Apr 30 18:10:09 2014 GMT, Not After : Apr 30 18:10:09 2039 GMT */
+/* Signature Algorithm: sha384WithRSAEncryption */
+static const unsigned char AppleRootG2[1430]={
+    0x30,0x82,0x05,0x92,0x30,0x82,0x03,0x7A,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x01,
+    0xE0,0xE5,0xB5,0x83,0x67,0xA3,0xE0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
+    0x0D,0x01,0x01,0x0C,0x05,0x00,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,
+    0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,
+    0x20,0x2D,0x20,0x47,0x32,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,
+    0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,
+    0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,
+    0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,
+    0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,
+    0x1E,0x17,0x0D,0x31,0x34,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x30,0x30,0x39,0x5A,
+    0x17,0x0D,0x33,0x39,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x30,0x30,0x39,0x5A,0x30,
+    0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,
+    0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x32,0x31,0x26,
+    0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,
+    0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,
+    0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,
+    0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,
+    0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x02,0x22,0x30,0x0D,0x06,0x09,
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02,0x0F,0x00,
+    0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xD8,0x11,0x12,0x48,0x48,0xDA,0x29,
+    0x8A,0x49,0xC5,0x1C,0xC7,0xEC,0x6E,0x33,0x6D,0xFE,0x4D,0xFB,0xE0,0x1C,0xDE,0xAC,
+    0x5E,0xE2,0x36,0xA7,0x24,0xF9,0x7F,0x50,0x6B,0x4C,0xCE,0xB9,0x30,0x54,0x27,0xE5,
+    0xB3,0xD6,0xED,0x25,0xE6,0x30,0xB6,0x05,0x37,0x5E,0x14,0x22,0x11,0xC5,0xE8,0xAA,
+    0x1B,0xD2,0xFB,0xB2,0xD2,0x09,0x95,0x38,0xA4,0xEF,0x2A,0x49,0x8C,0x5D,0x3E,0x71,
+    0x66,0x03,0x38,0xFB,0x16,0xF5,0x85,0x88,0xE4,0x5A,0x92,0x0C,0x04,0x32,0xF2,0xC8,
+    0x40,0xFB,0x52,0x5F,0x9F,0xF6,0xC0,0xF1,0xE3,0xBA,0x45,0xA0,0x50,0xD5,0x12,0x8B,
+    0xF2,0xDD,0xDE,0x91,0x86,0x23,0xF0,0xF5,0xB6,0x72,0x2E,0x01,0xDA,0x0B,0xF6,0x2E,
+    0x39,0x08,0x5F,0x19,0xA1,0x63,0x41,0x0B,0x1C,0xA7,0x94,0xC1,0x86,0xC4,0x53,0x2F,
+    0x76,0xF6,0x0A,0xD7,0x0C,0xD1,0x83,0x3F,0x1A,0x53,0x19,0xF3,0x57,0xD5,0x27,0x7F,
+    0xFC,0x13,0xB8,0xF8,0x92,0x8D,0xFC,0xD3,0x28,0x43,0x3C,0xB5,0x68,0x00,0x25,0x5D,
+    0x27,0x62,0xD3,0xDD,0x55,0xDD,0x44,0x20,0x90,0x83,0x35,0x93,0xC5,0xBF,0xB8,0x19,
+    0xFB,0x6B,0xE3,0xDC,0x08,0x42,0xE6,0xAF,0x6D,0xFA,0x9E,0x40,0xCA,0x4E,0x85,0x85,
+    0x78,0x49,0xB1,0xD7,0xC3,0xC1,0x30,0x39,0x32,0xAB,0x7E,0x5F,0xAA,0xD3,0x8B,0x6F,
+    0x9F,0x2D,0x1A,0x21,0x68,0x70,0x67,0xB3,0xA3,0xF1,0x98,0x41,0x6D,0x91,0x7C,0xF8,
+    0xD7,0xDB,0xA8,0xE7,0x5F,0x21,0x1A,0x8C,0x33,0xBF,0x31,0x74,0xB7,0xB8,0xD1,0xF4,
+    0xE0,0x22,0xF4,0xBF,0x72,0x34,0xDF,0xF7,0x81,0x4D,0x71,0x7D,0x51,0xA1,0xE2,0xB3,
+    0xF0,0xD3,0x28,0x16,0x73,0x6F,0xCD,0xCC,0xAD,0x37,0x7D,0x4E,0xEB,0xAD,0x40,0xE1,
+    0x3F,0x81,0xFD,0xF7,0x3D,0x0A,0x3E,0xA2,0xF1,0xBD,0x31,0x96,0x29,0x59,0xDC,0xC2,
+    0x19,0x80,0x8C,0x5B,0x74,0xC6,0x2C,0xD3,0x10,0x53,0x26,0x1D,0x14,0x4F,0xC4,0xD4,
+    0x81,0x66,0x3C,0x87,0x67,0x33,0x27,0x14,0x08,0xE9,0xB4,0x77,0x84,0x34,0x52,0x8F,
+    0x89,0xF8,0x68,0x98,0x17,0xBF,0xC3,0xBB,0xAA,0x13,0x93,0x1F,0x5D,0x54,0x2F,0xA8,
+    0xC7,0x7C,0xFB,0x0D,0x14,0xBE,0x15,0x3D,0x24,0x34,0xF2,0x9A,0xDC,0x75,0x41,0x66,
+    0x22,0xB4,0x01,0xD6,0x0B,0xAF,0x90,0x9E,0x0C,0xEA,0x62,0xF8,0x9B,0x59,0x3C,0x08,
+    0xE2,0x96,0x34,0xE4,0x63,0xDE,0xBC,0x37,0xD4,0xEB,0x0C,0x88,0x03,0x43,0x0B,0x50,
+    0xAF,0xA0,0x34,0xDD,0x50,0x4D,0x15,0xFB,0x5A,0x24,0xD8,0x0C,0xFA,0x0C,0x63,0x9E,
+    0x1F,0x03,0xB1,0xE1,0xEE,0xE1,0xAA,0x43,0xF4,0x66,0x65,0x28,0x37,0x02,0x31,0xEF,
+    0x01,0xC7,0x1E,0xD1,0xCC,0x9F,0x6D,0xCA,0x54,0x3A,0x40,0xDB,0xCE,0xCF,0x4F,0x46,
+    0x8B,0x4A,0x65,0x9A,0x6A,0xC6,0x68,0x6C,0xD7,0xCC,0x99,0x1B,0x47,0xB0,0x72,0xC3,
+    0x77,0x8F,0xC4,0xF7,0x61,0x9C,0x74,0x1F,0xCE,0xFD,0x6B,0xA1,0xC2,0x9C,0x94,0x82,
+    0xAB,0x94,0xA2,0xE7,0xBD,0x1B,0xBA,0xB9,0x70,0x39,0x95,0x17,0xC5,0x29,0xF3,0x39,
+    0x58,0x34,0xF5,0xC4,0xA4,0xC6,0x7B,0x60,0xB9,0x66,0x43,0x50,0x3F,0x6E,0x61,0xFC,
+    0x0E,0xF9,0x86,0xAA,0x60,0x0C,0x43,0x4B,0x95,0x02,0x03,0x01,0x00,0x01,0xA3,0x42,
+    0x30,0x40,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xC4,0x99,0x13,
+    0x6C,0x18,0x03,0xC2,0x7B,0xC0,0xA3,0xA0,0x0D,0x7F,0x72,0x80,0x7A,0x1C,0x77,0x26,
+    0x8D,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,
+    0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,
+    0x01,0x06,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,0x05,
+    0x00,0x03,0x82,0x02,0x01,0x00,0x51,0xA6,0xF3,0xE2,0xF4,0xB8,0x3D,0x93,0xBF,0x2D,
+    0xCE,0x0F,0xBB,0x5B,0xE1,0x55,0x14,0x4E,0x4E,0xD1,0xE5,0xCE,0x79,0x5D,0x81,0x7F,
+    0xFE,0xB6,0xF0,0x87,0x33,0xF8,0xEF,0x94,0xE5,0x7E,0xDC,0x6A,0x79,0xA7,0x1C,0xBE,
+    0xF0,0x94,0xB7,0xA6,0xD1,0x30,0x9C,0xC8,0x0D,0x0A,0x75,0x9E,0x7D,0x92,0x95,0x7E,
+    0x18,0x9D,0x7E,0xC2,0x71,0x69,0x7C,0x14,0xEA,0xCF,0x83,0x0E,0xE4,0x14,0x42,0x9E,
+    0x74,0x0E,0x10,0xCD,0xAB,0x1A,0xBA,0x11,0x61,0x81,0x78,0xD8,0xF1,0xB5,0x45,0x40,
+    0x78,0xAB,0xA8,0xC0,0xCE,0xFB,0x7D,0x63,0x37,0x68,0xF6,0xE7,0xFB,0xAF,0xC6,0xC3,
+    0x4B,0xEC,0x1F,0x36,0x26,0x13,0x54,0x86,0x94,0x72,0xB2,0xEA,0x02,0xED,0x8B,0x6D,
+    0xE4,0x0C,0xA6,0x90,0xC0,0x57,0x75,0xCF,0x8C,0x42,0x7D,0x5C,0xE6,0x31,0x7D,0xF3,
+    0xC9,0xB2,0x92,0x69,0x46,0x0E,0x88,0xF8,0xE3,0x2D,0x42,0xB2,0x38,0xA8,0xA6,0x19,
+    0x8D,0xF1,0x9F,0xCD,0xEE,0x6A,0x65,0xBC,0x1A,0xB0,0x25,0xBD,0xA7,0x29,0xFD,0xF4,
+    0x3E,0xA2,0x75,0x49,0xBF,0x9E,0xDB,0xC9,0xF7,0xA7,0x1E,0x63,0x99,0xE1,0x5C,0x46,
+    0xFF,0x92,0x05,0x8C,0xFA,0x1E,0x20,0xF9,0x86,0x94,0x56,0x25,0xE5,0xB4,0x57,0x38,
+    0x9D,0xEB,0x88,0x64,0x14,0x21,0x49,0x21,0x39,0xBF,0x62,0x66,0xA9,0xB1,0xA2,0xCA,
+    0x6F,0x3F,0x21,0x60,0xC5,0x89,0xD4,0x45,0x36,0xC8,0x98,0x7C,0xBD,0xF6,0xFE,0x99,
+    0x49,0x80,0x3B,0x2C,0xD2,0xA6,0xA7,0x88,0x03,0x04,0x31,0x19,0xB7,0xB6,0x3A,0x61,
+    0x45,0xFA,0xC9,0xF2,0x23,0xC8,0x63,0x73,0xBF,0x56,0x89,0x31,0xB0,0xD9,0x7C,0x62,
+    0xA7,0x7B,0x15,0xA8,0x88,0x8A,0xAB,0x38,0x40,0xC2,0xCC,0x12,0xFF,0x15,0xE3,0xF0,
+    0x37,0xDF,0x37,0x72,0xCB,0xCC,0x98,0xE6,0xBF,0xA2,0xBC,0xFA,0x26,0x8A,0x71,0x56,
+    0xD7,0xE7,0x24,0x1B,0x48,0x44,0x3E,0x9E,0xFC,0x9F,0xC9,0xCC,0x1A,0xEC,0x43,0x3C,
+    0x01,0xBC,0x34,0x78,0xC8,0x69,0xF5,0xC6,0xE6,0x56,0xEC,0x06,0x09,0x36,0x90,0xEB,
+    0x14,0x4A,0x1B,0x5E,0xC9,0x88,0x23,0xDA,0x03,0x30,0x91,0x0B,0xB8,0x36,0x3E,0xF9,
+    0xE7,0xB5,0x28,0x6F,0xBE,0x3F,0xEC,0x3C,0x8F,0x65,0x1D,0xE5,0xC0,0x1E,0x87,0xA4,
+    0xAA,0xBA,0x98,0xFD,0x92,0xE3,0x6C,0x26,0x77,0xDD,0x06,0xB4,0x64,0x06,0x87,0xF4,
+    0x4E,0xD6,0xBA,0x4A,0xAA,0x16,0xA8,0xF4,0x05,0x67,0x66,0x96,0xBA,0xE2,0x55,0x79,
+    0xC3,0x2C,0x5D,0x49,0x8F,0x80,0x49,0x2B,0x8A,0x12,0xC7,0x76,0x80,0x51,0xDF,0xBA,
+    0xBD,0x65,0x5D,0x3E,0x37,0x47,0x63,0x31,0xE9,0xE5,0xF4,0xC5,0x3F,0x4B,0xAD,0x04,
+    0x8A,0x7A,0x71,0x2C,0xAF,0x09,0x43,0x37,0x0F,0xA8,0xE3,0x32,0x4F,0xF4,0x45,0xB6,
+    0x6D,0x97,0x36,0xEC,0x84,0xF5,0x0A,0x01,0xEA,0x17,0xBB,0x85,0x8D,0x42,0x93,0x70,
+    0xC3,0x50,0xE5,0x14,0x8B,0xBF,0x3F,0xC3,0x41,0x0F,0xDD,0x22,0x04,0x23,0x08,0x8A,
+    0xBA,0x6D,0x71,0x44,0xAB,0x73,0x09,0x3A,0xC9,0xF9,0x52,0x80,0x09,0xDF,0xBA,0xE9,
+    0xE6,0x16,0xCA,0x2E,0x2E,0x4C,0xB2,0xD3,0xDC,0xE5,0x04,0x54,0xB2,0xD4,0x34,0x80,
+    0x32,0xB5,0xBC,0x0F,0x17,0xE1,
+};
+
+/* subject:/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
+/* SKID: BB:B0:DE:A1:58:33:88:9A:A4:8A:99:DE:BE:BD:EB:AF:DA:CB:24:AB */
+/* Not Before: Apr 30 18:19:06 2014 GMT, Not After : Apr 30 18:19:06 2039 GMT */
+/* Signature Algorithm: ecdsa-with-SHA38 */
+static const unsigned char AppleRootG3[583]={
+    0x30,0x82,0x02,0x43,0x30,0x82,0x01,0xC9,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x2D,
+    0xC5,0xFC,0x88,0xD2,0xC5,0x4B,0x95,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,
+    0x04,0x03,0x03,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,
+    0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,
+    0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,
+    0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,
+    0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,
+    0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,
+    0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,
+    0x31,0x34,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x17,0x0D,0x33,
+    0x39,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x30,0x67,0x31,0x1B,
+    0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,
+    0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x31,0x26,0x30,0x24,0x06,
+    0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,
+    0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,
+    0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,
+    0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,
+    0x06,0x13,0x02,0x55,0x53,0x30,0x76,0x30,0x10,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,
+    0x02,0x01,0x06,0x05,0x2B,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0x98,0xE9,0x2F,
+    0x3D,0x40,0x72,0xA4,0xED,0x93,0x22,0x72,0x81,0x13,0x1C,0xDD,0x10,0x95,0xF1,0xC5,
+    0xA3,0x4E,0x71,0xDC,0x14,0x16,0xD9,0x0E,0xE5,0xA6,0x05,0x2A,0x77,0x64,0x7B,0x5F,
+    0x4E,0x38,0xD3,0xBB,0x1C,0x44,0xB5,0x7F,0xF5,0x1F,0xB6,0x32,0x62,0x5D,0xC9,0xE9,
+    0x84,0x5B,0x4F,0x30,0x4F,0x11,0x5A,0x00,0xFD,0x58,0x58,0x0C,0xA5,0xF5,0x0F,0x2C,
+    0x4D,0x07,0x47,0x13,0x75,0xDA,0x97,0x97,0x97,0x6F,0x31,0x5C,0xED,0x2B,0x9D,0x7B,
+    0x20,0x3B,0xD8,0xB9,0x54,0xD9,0x5E,0x99,0xA4,0x3A,0x51,0x0A,0x31,0xA3,0x42,0x30,
+    0x40,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xBB,0xB0,0xDE,0xA1,
+    0x58,0x33,0x88,0x9A,0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB,
+    0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,
+    0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,
+    0x06,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,0x03,0x68,0x00,
+    0x30,0x65,0x02,0x31,0x00,0x83,0xE9,0xC1,0xC4,0x16,0x5E,0x1A,0x5D,0x34,0x18,0xD9,
+    0xED,0xEF,0xF4,0x6C,0x0E,0x00,0x46,0x4B,0xB8,0xDF,0xB2,0x46,0x11,0xC5,0x0F,0xFD,
+    0xE6,0x7A,0x8C,0xA1,0xA6,0x6B,0xCE,0xC2,0x03,0xD4,0x9C,0xF5,0x93,0xC6,0x74,0xB8,
+    0x6A,0xDF,0xAA,0x23,0x15,0x02,0x30,0x6D,0x66,0x8A,0x10,0xCA,0xD4,0x0D,0xD4,0x4F,
+    0xCD,0x8D,0x43,0x3E,0xB4,0x8A,0x63,0xA5,0x33,0x6E,0xE3,0x6D,0xDA,0x17,0xB7,0x64,
+    0x1F,0xC8,0x53,0x26,0xF9,0x88,0x62,0x74,0x39,0x0B,0x17,0x5B,0xCB,0x51,0xA8,0x0C,
+    0xE8,0x18,0x03,0xE7,0xA2,0xB2,0x28,
+};
+
+
+static void
+addCertificate(CFMutableArrayRef anchors,
+               const unsigned char *anchor, size_t size) {
+    SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, anchor, size);
+    if (CFArrayContainsValue(anchors, CFRangeMake(0, CFArrayGetCount(anchors)), cert)) {
+        abort();
+    }
+    CFArrayAppendValue(anchors, cert);
+    CFReleaseNull(cert);
+}
+
+CFArrayRef SecGetAppleTrustAnchors(bool allowNonProduction)
+{
+    static CFArrayRef anchors = NULL;
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+        CFMutableArrayRef temp = NULL;
+        temp = CFArrayCreateMutableForCFTypesWithCapacity(NULL, 3);
+
+        addCertificate(temp, AppleRootCA, sizeof(AppleRootCA));
+        addCertificate(temp, AppleRootG2, sizeof(AppleRootG2));
+        addCertificate(temp, AppleRootG3, sizeof(AppleRootG3));
+
         anchors = temp;
     });
     return anchors;
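Review bot: `addCertificate` uses the result of `SecCertificateCreateWithBytes` without checking for NULL, so a parse failure of an embedded root would pass NULL into CFArrayContainsValue and CFArrayAppendValue, whereas the duplicate case already aborts. Add `if (!cert) { abort(); }` before the contains check so a corrupt built-in root fails loudly instead of yielding an anchor array with a hole. Separately, `SecGetAppleTrustAnchors(bool allowNonProduction)` ignores its parameter and always returns the three production roots; either document that (`/* allowNonProduction is currently unused: only production roots are built in */`) or drop the parameter before this new API ships. The G3 header comment also reads `ecdsa-with-SHA38`, presumably meant to be SHA384.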
index c24e3a0f4a50de377da363a6907a8d297bcbe8f8..2918c5cd5c7751fa5f70899c4c24e811b2e4517c 100644 (file)
@@ -47,6 +47,8 @@ bool
 SecIsAppleTrustAnchorData(CFDataRef cert,
                          SecAppleTrustAnchorFlags flags);
 
+CFArrayRef SecGetAppleTrustAnchors(bool allowNonProduction);
+
 __END_DECLS
 
 
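Review bot: The new prototype `CFArrayRef SecGetAppleTrustAnchors(bool allowNonProduction);` carries no documentation, and the implementation added in this commit returns a cached static array and ignores the parameter, neither of which a header reader can know. I would add above it: `/* Returns the built-in production Apple root certificates. The array is cached and owned by the library: do not release it. allowNonProduction is currently ignored. */`.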
index 6acb8b177199f9f8b70dd7ce6c3dcdeac91b2102..5317d59646027e43bea6178ff1981f7407980152 100644 (file)
@@ -31,7 +31,7 @@
 #if TARGET_OS_EMBEDDED
 #include <MobileGestalt.h>
 #else
-#include <sys/utsname.h>
+#include <System/sys/csr.h>
 #endif
 
 
diff --git a/OSX/utilities/utilities.xcodeproj/.gitignore b/OSX/utilities/utilities.xcodeproj/.gitignore
new file mode 100644 (file)
index 0000000..7f42cdd
--- /dev/null
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/Security.xcodeproj/.gitignore b/Security.xcodeproj/.gitignore
new file mode 100644 (file)
index 0000000..7f42cdd
--- /dev/null
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
index 926bc1daf54e9b31cb2c4256880db74553e9523b..228278c6053d0edd3d86cd29c86947f73c26efe5 100644 (file)
                                        MobileKeyBag,
                                        "-laks",
                                        "-lACM",
-                                       "-lmis",
                                        "-lImg4Decode",
                                );
                                PRODUCT_NAME = securityd;
                                        MobileKeyBag,
                                        "-laks",
                                        "-lACM",
-                                       "-lmis",
                                        "-lImg4Decode",
                                );
                                PRODUCT_NAME = securityd;
index 26df7a71162e0cb765c12d346b9fd6775b430267..9d93c518c6205ba39247632034eaf7df96111a93 100644 (file)
             argument = "si_24_sectrust_passbook"
             isEnabled = "NO">
          </CommandLineArgument>
+         <CommandLineArgument
+            argument = "si_25_cms_skid"
+            isEnabled = "NO">
+         </CommandLineArgument>
          <CommandLineArgument
             argument = "si_26_sectrust_copyproperties"
             isEnabled = "NO">
             argument = "si_83_seccertificate_sighashalg"
             isEnabled = "NO">
          </CommandLineArgument>
+         <CommandLineArgument
+            argument = "si_84_sectrust_allowlist"
+            isEnabled = "NO">
+         </CommandLineArgument>
          <CommandLineArgument
             argument = "si_85_sectrust_ssl_policy"
             isEnabled = "NO">
index 1aaca97bd7028438a249e0753ea6eca698c17263..d1ca217fc921a72fada005dfd96dc550728ec4b9 100644 (file)
             argument = "si_83_seccertificate_sighashalg"
             isEnabled = "NO">
          </CommandLineArgument>
+         <CommandLineArgument
+            argument = "si_84_sectrust_allowlist"
+            isEnabled = "NO">
+         </CommandLineArgument>
          <CommandLineArgument
             argument = "si_85_sectrust_ssl_policy"
             isEnabled = "NO">
diff --git a/SecurityTests/.gitignore b/SecurityTests/.gitignore
new file mode 100644 (file)
index 0000000..d56a7f1
--- /dev/null
@@ -0,0 +1,6 @@
+*.o
+clxutils/certChain/certChain
+clxutils/dotMacArchive/dotMacArchive
+clxutils/findCert/findCert
+cspxutils/hashTimeSA/hashTimeSA
+cspxutils/sha2Vectors/sha2Vectors
diff --git a/libsecurity_smime/libsecurity_smime.xcodeproj/.gitignore b/libsecurity_smime/libsecurity_smime.xcodeproj/.gitignore
new file mode 100644 (file)
index 0000000..7f42cdd
--- /dev/null
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
index df04c16b7c90055a39ba69e340a2a47aaa18d1ea..46a444fb1c5b8e6bf2f910239c84bf536f2d4742 100644 (file)
@@ -75,21 +75,21 @@ openiodev(void)
     io_registry_entry_t service;
     io_connect_t conn;
     kern_return_t kr;
-    
+
     service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(kAppleFDEKeyStoreServiceName));
     if (service == IO_OBJECT_NULL)
         return IO_OBJECT_NULL;
-    
+
     kr = IOServiceOpen(service, mach_task_self(), 0, &conn);
     if (kr != KERN_SUCCESS)
         return IO_OBJECT_NULL;
-    
+
     kr = IOConnectCallMethod(conn, kAppleFDEKeyStoreUserClientOpen, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL);
     if (kr != KERN_SUCCESS) {
         IOServiceClose(conn);
         return IO_OBJECT_NULL;
     }
-    
+
     return conn;
 }
 
@@ -108,11 +108,11 @@ _kb_service_get_dispatch_queue()
 {
     static dispatch_once_t onceToken = 0;
     static dispatch_queue_t connection_queue = NULL;
-    
+
     dispatch_once(&onceToken, ^{
         connection_queue = dispatch_queue_create("kb-service-queue", DISPATCH_QUEUE_SERIAL);
     });
-    
+
     return connection_queue;
 }
 
@@ -190,9 +190,9 @@ _kb_copy_bag_filename(service_user_record_t * ur, kb_bag_type_t type)
 
     bag_file = calloc(1u, PATH_MAX);
     require(bag_file, done);
-    
+
     snprintf(bag_file, PATH_MAX, "%s/%s/%s/%s", ur->home, kb_home_path, get_host_uuid(), name);
-    
+
 done:
     return bag_file;
 }
@@ -279,16 +279,16 @@ _kb_save_bag_to_disk(service_user_record_t * ur, const char * bag_file, void * d
     int fd = -1;
 
     require(bag_file, done);
-    
+
     _set_thread_credentials(ur);
     require(_kb_verify_create_path(ur), done);
 
     fd = open(bag_file, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0600);
     require_action(fd != -1, done, syslog(LOG_ERR, "could not create file: %s (%s)", bag_file, strerror(errno)));
     require_action(write(fd, data, length) != -1, done, syslog(LOG_ERR, "failed to write keybag to disk %s", strerror(errno)));
-    
+
     result = true;
-    
+
 done:
     if (fd != -1) { close(fd); }
     _clear_thread_credentials();
@@ -303,7 +303,7 @@ _kb_load_bag_from_disk(service_user_record_t * ur, const char * bag_file, uint8_
     uint8_t * buf = NULL;
     size_t buf_size = 0;
     struct stat st_info = {};
-    
+
     require(bag_file, done);
 
     _set_thread_credentials(ur);
@@ -311,19 +311,19 @@ _kb_load_bag_from_disk(service_user_record_t * ur, const char * bag_file, uint8_
     require_quiet(lstat(bag_file, &st_info) == 0, done);
     require_action(S_ISREG(st_info.st_mode), done, syslog(LOG_ERR, "failed to load, not a file: %s", bag_file));
     buf_size = (size_t)st_info.st_size;
-    
+
     fd = open(bag_file, O_RDONLY | O_NOFOLLOW);
     require_action(fd != -1, done, syslog(LOG_ERR, "could not open file: %s (%s)", bag_file, strerror(errno)));
-    
+
     buf = (uint8_t *)calloc(1u, buf_size);
     require(buf != NULL, done);
     require(read(fd, buf, buf_size) == buf_size, done);
-    
+
     *data = buf;
     *length = buf_size;
     buf = NULL;
     result = true;
-    
+
 done:
     if (fd != -1) { close(fd); }
     if (buf) { free(buf); }
@@ -354,17 +354,25 @@ _kb_delete_bag_on_disk(service_user_record_t * ur, const char * bag_file)
     }
 }
 
+static int service_kb_load(service_context_t *context);
+static int service_kb_load_uid(uid_t s_uid);
+
 static int
 _kb_get_session_handle(service_context_t * context, keybag_handle_t * handle_out)
 {
     int rc = KB_BagNotLoaded;
-    keybag_handle_t session_handle = bad_keybag_handle;
-    require_noerr_quiet(aks_get_system(context->s_uid, &session_handle), done);
-    
-    *handle_out = session_handle;
+    require_noerr_quiet(aks_get_system(context->s_uid, handle_out), done);
+
     rc = KB_Success;
-    
+
 done:
+    if (rc == KB_BagNotLoaded) {
+        if (service_kb_load(context) == KB_Success) {
+            if (aks_get_system(context->s_uid, handle_out) == kIOReturnSuccess) {
+                rc = KB_Success;
+            }
+        }
+    }
     return rc;
 }
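Review bot: The retry added under `done:` can deadlock: `service_kb_load` does `dispatch_sync` on the serial kb-service queue, yet `_kb_get_session_handle` is also called from inside the `dispatch_sync` block in `service_kb_create` (right after `aks_unload_bag`), so if `aks_get_system` fails there the fallback re-enters the same serial queue synchronously and never returns. The retry is also taken for every `aks_get_system` failure, since `require_noerr_quiet` discards the return code and `rc` stays `KB_BagNotLoaded`, so a not-permitted or invalid-argument error is treated as "not loaded" and triggers a disk load. Consider having the queue-internal caller use a variant that does not dispatch, or only retrying when `aks_get_system` returned `kIOReturnNotFound`, e.g. `kern_return_t kr = aks_get_system(context->s_uid, handle_out); require_action_quiet(kr == kIOReturnSuccess, done, rc = (kr == kIOReturnNotFound) ? KB_BagNotLoaded : KB_GeneralError);`. Until then the function needs a comment such as `/* Must not be called from a block already running on the kb-service queue: the fallback path dispatch_syncs onto it. */`.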
 
@@ -395,77 +403,90 @@ static int
 service_kb_create(service_context_t * context, const void * secret, int secret_len)
 {
     __block int rc = KB_GeneralError;
-    
+
     dispatch_sync(_kb_service_get_dispatch_queue(), ^{
         uint8_t * buf = NULL;
         size_t buf_size = 0;
         keybag_handle_t session_handle = bad_keybag_handle;
         service_user_record_t * ur = get_user_record(context->s_uid);
         char * bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user);
-        
+
         require(bag_file, done);
 
         // check for the existance of the bagfile
         require_action(!_kb_bag_exists(ur, bag_file), done, rc = KB_BagExists);
-        
+
         require_noerr(rc = aks_create_bag(secret, secret_len, kAppleKeyStoreDeviceBag, &session_handle), done);
         require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done);
         require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError);
         require_noerr(rc = aks_set_system(session_handle, context->s_uid), done);
         aks_unload_bag(session_handle);
         require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
-        
+
         if (secret && rc == KB_Success) {
             aks_unlock_bag(session_handle, secret, secret_len);
         }
-        
+
     done:
         if (buf) free(buf);
         if (bag_file) { free(bag_file); }
         if (ur) free_user_record(ur);
     });
-    
+
     return rc;
 }
 
+/* Load s_uid's keybag, unless already loaded */
 static int
-service_kb_load(service_context_t * context)
+_service_kb_load_uid(uid_t s_uid)
 {
     __block int rc = KB_GeneralError;
-    
+
     dispatch_sync(_kb_service_get_dispatch_queue(), ^{
         uint8_t * buf = NULL;
         size_t buf_size = 0;
         keybag_handle_t session_handle = bad_keybag_handle;
         service_user_record_t * ur = NULL;
         char * bag_file = NULL;
-        
-        rc = aks_get_system(context->s_uid, &session_handle);
+
+        rc = aks_get_system(s_uid, &session_handle);
         if (rc == kIOReturnNotFound) {
-            require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
+            require_action(ur = get_user_record(s_uid), done, rc = KB_GeneralError);
             require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done, rc = KB_GeneralError);
             require_action_quiet(_kb_load_bag_from_disk(ur, bag_file, &buf, &buf_size), done, rc = KB_BagNotFound);
             rc = aks_load_bag(buf, (int)buf_size, &session_handle);
             if (rc == kIOReturnNotPermitted) {
-                syslog(LOG_ERR, "error loading keybag for uid (%i) in session (%i)", context->s_uid, context->s_id);
+                syslog(LOG_ERR, "error loading keybag for uid (%i)", s_uid);
                 _kb_rename_bag_on_disk(ur, bag_file);
                 rc = KB_BagNotFound;
             }
             require_noerr(rc, done);
-            require_noerr(rc = aks_set_system(session_handle, context->s_uid), done);
+            require_noerr(rc = aks_set_system(session_handle, s_uid), done);
             aks_unload_bag(session_handle);
         }
         require(rc == KB_Success, done);
-        
+
     done:
         if (buf) free(buf);
         if (ur) free_user_record(ur);
         if (bag_file) free(bag_file);
     });
-    
+
     return rc;
 }
 
+static int
+service_kb_load_uid(uid_t s_uid)
+{
+    return _service_kb_load_uid(s_uid);
+}
+
+static int
+service_kb_load(service_context_t * context)
+{
+    return _service_kb_load_uid(context->s_uid);
+}
+
 static int
 service_kb_unload(service_context_t *context)
 {
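Review bot: `service_kb_load_uid` is a one-line pass-through to `_service_kb_load_uid` with the identical signature, so the split adds a second name to keep in sync without separating any behaviour; either drop the underscore variant and have `service_kb_load` call `service_kb_load_uid(context->s_uid)` directly, or say in the comment why both exist. The header comment on `_service_kb_load_uid` should also spell out the trust boundary that the new uid parameter introduces, since the uid no longer necessarily comes from an audit-derived context: `/* s_uid is taken from the caller as-is (audit-derived context or an entitled XPC request); the bag is read from that user's home under that user's credentials and then registered for s_uid via aks_set_system. */`. Note too that the `kIOReturnNotPermitted` branch still renames the on-disk bag, which is now reachable for an arbitrary uid supplied over XPC; if that destructive step is intended for the uid path, a one-line comment saying so would help the next reader.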
@@ -534,9 +555,9 @@ service_kb_unlock(service_context_t * context, const void * secret, int secret_l
     int rc = KB_GeneralError;
     keybag_handle_t session_handle;
     require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
-    
+
     rc = aks_unlock_bag(session_handle, secret, secret_len);
-    
+
 done:
     return rc;
 }
@@ -554,19 +575,19 @@ service_kb_change_secret(service_context_t * context, const void * secret, int s
     __block int rc = KB_GeneralError;
     keybag_handle_t session_handle;
     require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
-    
+
     dispatch_sync(_kb_service_get_dispatch_queue(), ^{
         uint8_t * buf = NULL;
         size_t buf_size = 0;
         service_user_record_t * ur = NULL;
         char * bag_file = NULL;
-        
+
         require_noerr(rc = aks_change_secret(session_handle, secret, secret_len, new_secret, new_secret_len, NULL, NULL), done);
         require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done);
         require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
         require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done, rc = KB_GeneralError);
         require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError);
-        
+
         rc = KB_Success;
 
     done:
@@ -575,7 +596,7 @@ service_kb_change_secret(service_context_t * context, const void * secret, int s
         if (bag_file) free(bag_file);
         return;
     });
-    
+
 done:
     return rc;
 }
@@ -627,12 +648,12 @@ service_kb_is_locked(service_context_t * context, xpc_object_t reply)
     keybag_state_t state;
     keybag_handle_t session_handle;
     require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
-    
+
     require_noerr(rc = aks_get_lock_state(session_handle, &state), done);
-    
+
     xpc_dictionary_set_bool(reply, SERVICE_XPC_LOCKED, state & keybag_state_locked);
     xpc_dictionary_set_bool(reply, SERVICE_XPC_NO_PIN, state & keybag_state_no_pin);
-    
+
 done:
     return rc;
 }
@@ -677,12 +698,12 @@ service_kb_stash_load(service_context_t * context, const void * key, unsigned ke
     service_user_record_t * ur = NULL;
     __block uint8_t * stashbag = NULL;
     __block size_t stashbag_size = 0;
-    
+
     require(key, done);
     require_noerr(rc = _kb_get_session_handle(context, &session_handle), done);
     require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError);
     require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_stash), done, rc = KB_GeneralError);
-    
+
     // sync loading the bag from disk
     dispatch_sync(_kb_service_get_dispatch_queue(), ^{
         if (!_kb_load_bag_from_disk(ur, bag_file, &stashbag, &stashbag_size)) {
@@ -693,7 +714,7 @@ service_kb_stash_load(service_context_t * context, const void * key, unsigned ke
 
     require_noerr(rc = aks_stash_escrow(session_handle, false, key, key_size, stashbag, (int)stashbag_size, NULL, NULL), done);
     rc = KB_Success;
-    
+
 done:
     if (stashbag) { free(stashbag); }
     if ((bag_file) && (!nondestructive)) {
@@ -716,17 +737,17 @@ OSStatus service_stash_get_key(service_context_t * context, xpc_object_t event,
     getStashKey_OutStruct_t outStruct;
     size_t outSize = sizeof(outStruct);
     kern_return_t kr = KERN_INVALID_ARGUMENT;
-    
+
     io_connect_t conn = openiodev();
     require(conn, done);
     inStruct.type = kAppleFDEKeyStoreStash_master;
-    
+
     kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_getStashKey,
                              NULL, 0,
                              &inStruct, sizeof(inStruct),
                              NULL, NULL,
                              &outStruct, &outSize);
-    
+
     if (kr == KERN_SUCCESS) {
         xpc_dictionary_set_data(reply, SERVICE_XPC_KEY, outStruct.outBuf.key.key, outStruct.outBuf.key.keysize);
         service_kb_stash_load(context, outStruct.outBuf.key.key, outStruct.outBuf.key.keysize, false);
@@ -735,7 +756,7 @@ OSStatus service_stash_get_key(service_context_t * context, xpc_object_t event,
 done:
     if (conn)
         closeiodev(conn);
-    
+
     return kr;
 }
 
@@ -759,14 +780,14 @@ OSStatus service_stash_set_key(service_context_t * context, xpc_object_t event,
     require_noerr(_kb_get_session_handle(context, &session_handle), done);
     require_noerr(aks_get_lock_state(session_handle, &state), done);
     require_action(!(state & keybag_lock_locked), done, kr = CSSMERR_CSP_OS_ACCESS_DENIED; LOG("stash failed keybag locked"));
-    
+
     conn = openiodev();
     require(conn, done);
 
     // Store the key in the keystore and get its uuid
     setKeyGetUUID_InStruct_t inStruct1;
     uuid_OutStruct_t outStruct1;
-    
+
 
     const uint8_t *keydata = xpc_dictionary_get_data(event, SERVICE_XPC_KEY, &keydata_len);
     require(keydata, done);
@@ -780,12 +801,12 @@ OSStatus service_stash_set_key(service_context_t * context, xpc_object_t event,
                              NULL, NULL,
                              &outStruct1, &len);
     require(kr == KERN_SUCCESS, done);
-    
+
     // Now using the uuid stash it as the master key
     setStashKey_InStruct_t inStruct2;
     memcpy(&inStruct2.uuid, &outStruct1.uuid, sizeof(outStruct1.uuid));
     inStruct2.type  = kAppleFDEKeyStoreStash_master;
-    
+
     kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_setStashKey,
                              NULL, 0,
                              &inStruct2, sizeof(inStruct2),
@@ -809,13 +830,13 @@ OSStatus service_stash_load_key(service_context_t * context, xpc_object_t event,
 {
     kern_return_t kr = KERN_SUCCESS;
     size_t keydata_len = 0;
-    
+
     const uint8_t *keydata = xpc_dictionary_get_data(event, SERVICE_XPC_KEY, &keydata_len);
     require(keydata, done);
-    
+
     kr = service_kb_stash_load(context, keydata, (cryptosize_t) keydata_len, true);
 done:
-    
+
     return kr;
 }
 
@@ -829,19 +850,19 @@ done:
 OSStatus service_stash_blob(xpc_object_t event, xpc_object_t reply)
 {
     kern_return_t kr = KERN_INVALID_ARGUMENT;
-    
+
     io_connect_t conn = openiodev();
     require(conn, done);
-    
+
     kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_commitStash,
                              NULL, 0,
                              NULL, 0,
                              NULL, NULL,
-                             NULL, NULL);    
+                             NULL, NULL);
 done:
     if (conn)
         closeiodev(conn);
-    
+
     return kr;
 }
 #endif
@@ -849,12 +870,12 @@ done:
 bool peer_has_entitlement(xpc_connection_t peer, const char * entitlement)
 {
     bool entitled = false;
-    
+
     xpc_object_t value = xpc_connection_copy_entitlement_value(peer, entitlement);
     if (value && (xpc_get_type(value) == XPC_TYPE_BOOL)) {
         entitled = xpc_bool_get_value(value);
     }
-    
+
     if (value) xpc_release(value);
     return entitled;
 }
@@ -886,6 +907,8 @@ static char * sel_to_char(uint64_t sel)
             return "kb_reset";
         case SERVICE_KB_UNLOAD:
             return "kb_unload";
+        case SERVICE_KB_LOAD_UID:
+            return "kb_load_uid";
         default:
             return "unknown";
     }
@@ -916,13 +939,14 @@ static char * err_to_char(int err)
 void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event)
 {
     xpc_type_t type = xpc_get_type(event);
-    
+    uid_t uid;
+
     if (type == XPC_TYPE_ERROR) {
                if (event == XPC_ERROR_CONNECTION_INVALID) {
         }
     } else {
         assert(type == XPC_TYPE_DICTIONARY);
-        
+
         int rc = KB_GeneralError;
         uint64_t request = 0;
         const uint8_t * secret = NULL, * new_secret = NULL;
@@ -930,15 +954,25 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event)
         service_context_t * context = NULL;
         bool free_context = false;
         const void * data;
-        
+        const char *entitlement;
+
         xpc_object_t reply = xpc_dictionary_create_reply(event);
 
         request = xpc_dictionary_get_uint64(event, SERVICE_XPC_REQUEST);
 
-        // For SERVICE_KB_UNLOAD only, allow non-securityd, non-root but
+
+        // For SERVICE_KB_{UNLOAD,LOAD} only, allow non-securityd, non-root but
         // entitled callers.
-        if (request == SERVICE_KB_UNLOAD) {
-            if (!peer_has_entitlement(connection, "com.apple.private.securityd.keybag-unload")) {
+        if (request == SERVICE_KB_UNLOAD || request == SERVICE_KB_LOAD_UID) {
+            switch (request) {
+                case SERVICE_KB_UNLOAD:
+                    entitlement = "com.apple.private.securityd.keybag-unload";
+                    break;
+                case SERVICE_KB_LOAD_UID:
+                    entitlement = "com.apple.private.securityd.keybag-load";
+                    break;
+            }
+            if (!peer_has_entitlement(connection, entitlement) && !peer_has_entitlement(connection, "com.apple.keystore.device")) {
                 xpc_connection_cancel(connection);
                 return;
             }
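Review bot: `entitlement` is declared without an initializer and the `switch` has no `default`, so any future request value added to the `if` condition but not mirrored in the switch would hand an indeterminate pointer to `peer_has_entitlement`; initialize it, `const char *entitlement = NULL;`, and add `default: xpc_connection_cancel(connection); return;` (or drop the outer `if` and let the switch's `default` do the non-entitled path). Separately, the new check also accepts `com.apple.keystore.device` for `SERVICE_KB_UNLOAD`, where the old code required `keybag-unload` alone; if widening the unload policy is intended, the comment above the check should say so rather than only mentioning "entitled callers". The enclosing `service_peer_event_handler` continues outside this hunk.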
@@ -954,7 +988,7 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event)
         }
 
         data = xpc_dictionary_get_data(event, SERVICE_XPC_CONTEXT, &data_len);
-        require_action(data || request == SERVICE_KB_UNLOAD, done, rc = KB_GeneralError);
+        require_action(data || request == SERVICE_KB_UNLOAD || request == SERVICE_KB_LOAD_UID, done, rc = KB_GeneralError);
         if (data) {
             require(data_len == sizeof(service_context_t), done);
             context = (service_context_t*)data;
@@ -1015,6 +1049,10 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event)
             case SERVICE_STASH_LOAD_KEY:
                 rc = service_stash_load_key(context, event, reply);
                 break;
+            case SERVICE_KB_LOAD_UID:
+                uid = (uid_t)xpc_dictionary_get_uint64(event, SERVICE_XPC_UID);
+                rc = service_kb_load_uid(uid);
+                break;
 #if DEBUG
             case SERVICE_STASH_BLOB:
                 rc = service_stash_blob(event, reply);
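Review bot: The `SERVICE_KB_LOAD_UID` case reads the uid with `xpc_dictionary_get_uint64`, which returns 0 when the key is absent or of another type, so a malformed request from an entitled client silently loads uid 0's keybag; the cast to `uid_t` also truncates any value above the type's range without complaint. Check the key explicitly before using it: `xpc_object_t uid_obj = xpc_dictionary_get_value(event, SERVICE_XPC_UID);` / `require_action(uid_obj && xpc_get_type(uid_obj) == XPC_TYPE_UINT64, done, rc = KB_GeneralError);` / `uid = (uid_t)xpc_uint64_get_value(uid_obj);` and reject values that do not fit in `uid_t`. Since this request is also allowed without a `SERVICE_XPC_CONTEXT` (per the relaxed check earlier in this function), the message-supplied uid is the only identity used, so a short comment stating that the entitlement check above is the sole authorization for it would be worthwhile. `service_peer_event_handler` extends beyond this hunk.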
@@ -1024,7 +1062,7 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event)
                 LOG("unknown service type");
                 break;
         }
-        
+
     done:
 #if DEBUG
         LOG("selector: %s (%llu), error: %s (%x), sid: %d, suid: %d, pid: %d", sel_to_char(request), request, err_to_char(rc), rc, context ? context->s_id : 0, context ? context->s_uid : 0, context ? get_caller_pid(&context->procToken) : 0);
@@ -1146,7 +1184,7 @@ int main(int argc, const char * argv[])
         xpc_connection_resume(peer);
     });
     xpc_connection_resume(listener);
-    
+
     dispatch_main();
     exit(EXIT_FAILURE);
 }
index b2eac5c70ee19e5d7aa8ca78b375f6abfda527cd..ee9178f438bd2a49f1a81bb332b4e931aad8889d 100644 (file)
@@ -13,6 +13,8 @@
 #define SERVICE_XPC_CONTEXT     "_context"
 #define SERVICE_XPC_LOCKED      "_locked"
 #define SERVICE_XPC_NO_PIN      "_no_pin"
+#define SERVICE_XPC_UID         "_uid"
+
 
 enum {
     SERVICE_STASH_SET_KEY = 1,
@@ -28,6 +30,7 @@ enum {
     SERVICE_KB_RESET,
     SERVICE_STASH_LOAD_KEY,
     SERVICE_KB_UNLOAD,
+    SERVICE_KB_LOAD_UID,
 };
 
 #endif
index 851586db8a6277ac35c6e0a7c4936e40995cd16f..047498beff44fa6d6085c9d0e0483b8caf1eee18 100644 (file)
@@ -12,11 +12,11 @@ _service_get_connection()
 {
     static dispatch_once_t onceToken;
     static xpc_connection_t connection = NULL;
-    
+
     dispatch_once(&onceToken, ^{
         connection = xpc_connection_create_mach_service(SECURITYD_SERVICE_NAME, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
         require(connection, done);
-        
+
         xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
             if (xpc_get_type(event) == XPC_TYPE_ERROR) {
                 if (event == XPC_ERROR_CONNECTION_INVALID) {
@@ -30,7 +30,7 @@ _service_get_connection()
                 free(desc);
             }
         });
-        
+
         xpc_connection_resume(connection);
     done:
         return;
@@ -56,39 +56,59 @@ _service_send_msg(service_context_t *context, xpc_object_t message, xpc_object_t
     reply = xpc_connection_send_message_with_reply_sync(conn, message);
     require(reply, done);
     require(xpc_get_type(reply) != XPC_TYPE_ERROR, done);
-    
+
     rc = (int)xpc_dictionary_get_int64(reply, SERVICE_XPC_RC);
-    
+
     if (reply_out) {
         *reply_out = reply;
         reply = NULL;
     }
-    
+
 done:
     if (reply) xpc_release(reply);
     return rc;
 }
 
+int
+_service_client_send_uid(service_context_t *context, uint64_t request, uid_t uid)
+{
+    int rc = KB_GeneralError;
+    xpc_object_t message = NULL;
+
+    message = xpc_dictionary_create(NULL, NULL, 0);
+    require_quiet(message, done);
+
+    xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, request);
+    xpc_dictionary_set_uint64(message, SERVICE_XPC_UID, uid);
+
+    rc = _service_send_msg(context, message, NULL);
+
+done:
+    if (message) xpc_release(message);
+    return rc;
+}
+
+
 int
 _service_client_send_secret(service_context_t *context, uint64_t request, const void * secret, int secret_len, const void * new_secret, int new_secret_len)
 {
     int rc = KB_GeneralError;
     xpc_object_t message = NULL;
-    
+
     message = xpc_dictionary_create(NULL, NULL, 0);
     require_quiet(message, done);
-    
+
     xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, request);
     if (secret) {
         xpc_dictionary_set_data(message, SERVICE_XPC_SECRET, secret, secret_len);
     }
-    
+
     if (new_secret) {
         xpc_dictionary_set_data(message, SERVICE_XPC_SECRET_NEW, new_secret, new_secret_len);
     }
 
     rc = _service_send_msg(context, message, NULL);
-    
+
 done:
     if (message) xpc_release(message);
     return rc;
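Review bot: `_service_client_send_uid` repeats the create-dictionary / set-request / send / release skeleton of `_service_client_send_secret` line for line, differing only in the one `xpc_dictionary_set_uint64` call; a small helper that builds the request dictionary, or a single sender that takes an optional uid, would keep the two from drifting. The function also accepts a `service_context_t *context` that its only caller passes as `NULL`; if `_service_send_msg` (which begins outside this hunk) tolerates a NULL context, a comment such as `/* context may be NULL: the uid is carried in the message, not in a _context blob */` would make that contract visible.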
@@ -106,6 +126,12 @@ service_client_kb_load(service_context_t *context)
     return _service_client_send_secret(context, SERVICE_KB_LOAD, NULL, 0, NULL, 0);
 }
 
+int
+service_client_kb_load_uid(uid_t uid)
+{
+    return _service_client_send_uid(NULL, SERVICE_KB_LOAD_UID, uid);
+}
+
 int
 service_client_kb_unload(service_context_t *context)
 {
@@ -117,7 +143,7 @@ service_client_kb_save(service_context_t *context)
 {
     return _service_client_send_secret(context, SERVICE_KB_SAVE, NULL, 0, NULL, 0);
 }
-    
+
 int
 service_client_kb_unlock(service_context_t *context, const void * secret, int secret_len)
 {
@@ -178,17 +204,17 @@ service_client_stash_set_key(service_context_t *context, const void * key, int k
 {
     int rc = KB_GeneralError;
     xpc_object_t message = NULL;
-    
+
     message = xpc_dictionary_create(NULL, NULL, 0);
     require_quiet(message, done);
-    
+
     xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, SERVICE_STASH_SET_KEY);
-    
+
     if (key)
         xpc_dictionary_set_data(message, SERVICE_XPC_KEY, key, key_len);
-    
+
     rc = _service_send_msg(context, message, NULL);
-    
+
 done:
     if (message) xpc_release(message);
     return rc;
@@ -199,17 +225,17 @@ service_client_stash_load_key(service_context_t *context, const void * key, int
 {
     int rc = KB_GeneralError;
     xpc_object_t message = NULL;
-    
+
     message = xpc_dictionary_create(NULL, NULL, 0);
     require_quiet(message, done);
-    
+
     xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, SERVICE_STASH_LOAD_KEY);
-    
+
     if (key)
         xpc_dictionary_set_data(message, SERVICE_XPC_KEY, key, key_len);
-    
+
     rc = _service_send_msg(context, message, NULL);
-    
+
 done:
     if (message) xpc_release(message);
     return rc;
@@ -221,17 +247,17 @@ service_client_stash_get_key(service_context_t *context, void ** key, int * key_
     int rc = KB_GeneralError;
     xpc_object_t message = NULL;
     xpc_object_t reply = NULL;
-    
+
     require(key, done);
     require(key_len, done);
-    
+
     message = xpc_dictionary_create(NULL, NULL, 0);
     require_quiet(message, done);
-    
+
     xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, SERVICE_STASH_GET_KEY);
-    
+
     rc = _service_send_msg(context, message, &reply);
-    
+
     if (rc == KB_Success) {
         size_t data_len = 0;
         const void * data = xpc_dictionary_get_data(reply, SERVICE_XPC_KEY, &data_len);
@@ -241,7 +267,7 @@ service_client_stash_get_key(service_context_t *context, void ** key, int * key_
             *key_len = (int)data_len;
         }
     }
-    
+
 done:
     if (message) xpc_release(message);
     if (reply) xpc_release(reply);
index 393f6a4d649d7ba2a961a5368729e580c52a4c75..123f10efae290131dd272c7e61506cb73416042b 100644 (file)
@@ -10,7 +10,7 @@ extern "C" {
 #include <bsm/audit.h>
 #include <mach/message.h>
 #include <stdbool.h>
-    
+
 enum {
     KB_Success      = 0,
     KB_GeneralError,
@@ -26,9 +26,10 @@ typedef struct {
     uid_t s_uid;
     audit_token_t procToken;
 } service_context_t;
-    
+
 int service_client_kb_create(service_context_t *context, const void * secret, int secret_len);
 int service_client_kb_load(service_context_t *context);
+int service_client_kb_load_uid(uid_t uid);
 int service_client_kb_unload(service_context_t *context);
 int service_client_kb_save(service_context_t *context);
 int service_client_kb_unlock(service_context_t *context, const void * secret, int secret_len);
index f31d2cff49c7d7fdb8b198987611afe1d2c376cb..bd61c2b8d1eabcf6264c9ef84a546cb6a3b6b616 100644 (file)
@@ -36,37 +36,38 @@ int main(int argc, const char * argv[])
     OSStatus status = noErr;
     uint8_t testkey[128] = "\xde\xad\xbe\xef\xde\xad\xbe\xef\xde\xad\xbe\xef\xde\xad\xbe\xef";
     xpc_connection_t connection = xpc_connection_create_mach_service(SECURITYD_SERVICE_NAME, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
-    
+    xpc_object_t message = NULL, reply = NULL;
+
     xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
         if (xpc_get_type(event) == XPC_TYPE_ERROR) {
             printf("XPC error\n");
         }
     });
     xpc_connection_resume(connection);
-    
-    if (argc != 2) {
-        printf("Usage: securityservicectrl < get | set | stash | login | loginstash | unload >\n");
+
+    if (argc < 2) {
+        printf("Usage: securityservicectrl < get | set | stash | login | loginstash | unload | load <uid> >\n");
         return 1;
     }
-    
+
     if (strcmp(argv[1], "get") == 0) {
         action = SERVICE_STASH_GET_KEY;
         printf("Get key\n");
-        
+
     } else if (strcmp(argv[1], "set") == 0) {
         action = SERVICE_STASH_SET_KEY;
         printf("Set key\n");
-        
+
     } else if (strcmp(argv[1], "stash") == 0) {
         action = SERVICE_STASH_BLOB;
         printf("Stash\n");
-        
+
     } else if (strcmp(argv[1], "login") == 0) {
         printf("SecKeychainLogin() null passwd\n");
         status = SecKeychainLogin((uint32) strlen("test"), "test", 0, NULL);
         printf("Returned: %i\n", status);
         return status ? 1 : 0;
-        
+
     } else if (strcmp(argv[1], "loginstash") == 0) {
         printf("SecKeychainStash()\n");
         status = SecKeychainStash();
@@ -75,23 +76,26 @@ int main(int argc, const char * argv[])
 
     } else if (strcmp(argv[1], "unload") == 0) {
         return service_client_kb_unload(NULL);
-
+    } else if (strcmp(argv[1], "load") == 0) {
+        require_action(argc == 3, done, printf("missing <uid>\n"));
+        uid_t uid = atoi(argv[2]);
+        return service_client_kb_load_uid(uid);
     } else {
         printf("%s not known\n", argv[1]);
         return 1;
     }
 
     // Send
-    xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
+    message = xpc_dictionary_create(NULL, NULL, 0);
     xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, action);
-    
+
     if (action == SERVICE_STASH_SET_KEY)
         xpc_dictionary_set_data(message, SERVICE_XPC_KEY, testkey, 16);
-    
-    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(connection, message);
+
+    reply = xpc_connection_send_message_with_reply_sync(connection, message);
     require_action(reply != NULL, done, status = -1);
     require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = -1);
-    
+
     if (action == SERVICE_STASH_GET_KEY) {
         size_t len = 0;
         const uint8_t *keydata = xpc_dictionary_get_data(reply, SERVICE_XPC_KEY, &len);
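Review bot: The new `load` branch parses the uid with `atoi`, which reports no error, so `securityservicectrl load foo` quietly becomes uid 0 and asks the daemon to load root's keybag; use `strtoul` with an end-pointer check instead, e.g. `char *end; unsigned long v = strtoul(argv[2], &end, 10); require_action(*argv[2] && *end == '\0' && v <= UINT32_MAX, done, status = -1; printf("bad <uid>\n"));`. The missing-argument path is also reported as success: `require_action(argc == 3, done, printf(...))` jumps to `done:` with `status` still `noErr`, so the tool prints "Returned: 0" and exits 0; set `status = -1` in the action. `main` continues past this hunk.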
@@ -100,7 +104,7 @@ int main(int argc, const char * argv[])
             printf("\tkey = %s\n", hextostr(keydata, len > sizeof(testkey) ? sizeof(testkey) : len, buf));
         }
     }
-    
+
     status = (OSStatus)xpc_dictionary_get_int64(reply, SERVICE_XPC_RC);
 
 done:
@@ -112,7 +116,7 @@ done:
         xpc_release(connection);
 
     printf("Returned: %i\n", status);
-    
+
     return status ? 1 : 0;
 }
 
index d3d534f25378b770a29e02df5a5816e722ea96d4..92c73b1f459637ba344f64011a27620f9160f345 100644 (file)
@@ -2,7 +2,9 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-       <key>com.apple.security.keybag-unload</key>
+       <key>com.apple.private.securityd.keybag-load</key>
+       <true/>
+       <key>com.apple.private.securityd.keybag-unload</key>
        <true/>
 </dict>
 </plist>