#import <os/activity.h>
#include <utilities/SecAKSWrappers.h>
+#include <utilities/SecCFWrappers.h>
#include <utilities/SecCFRelease.h>
#include <AssertMacros.h>
bool handledSettingID = false;
handledSettingID = SOSCCSetDeviceID((__bridge CFStringRef) deviceID, &localError);
if(!handledSettingID && localError != NULL){
-
if(CFErrorGetCode(localError) == SECD_RUN_AS_ROOT_ERROR){
secerror("SETTING RUN AS ROOT ERROR: %@", localError);
_isSecDRunningAsRoot = true;
_doesSecDHavePeer = false;
}
}
+ else
+ _setIDSDeviceID = NO;
+
CFReleaseNull(localError);
dispatch_async(queue, ^{
- done(nil, NO, handledSettingID);
+ done(nil, NO, YES);
});
}];
}
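Review bot: The unbraced `else` added after the error block pairs with `if(!handledSettingID && localError != NULL)`, so `_setIDSDeviceID = NO` also runs when `SOSCCSetDeviceID` returns false without filling `localError`. Together with `done(nil, NO, YES)`, which now reports success in its third argument unconditionally, a failed set that carries no error object is treated as complete. If that case should still be retried, gate the clear on the result, e.g. `if (handledSettingID) { _setIDSDeviceID = NO; }`, and brace the branch either way. The enclosing method starts and ends outside the hunk, so a retry path may exist elsewhere.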
_shadowDoSetIDSDeviceID = NO;
- if(_setIDSDeviceID && !_isLocked && _isSecDRunningAsRoot == false && _doesSecDHavePeer)
- [self doSetIDSDeviceID];
-
xpc_transaction_end();
});
});
- (NSMutableDictionary *)copyValues:(NSSet *)keysOfInterest;
- (void) doAfterFlush: (dispatch_block_t) block;
-- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout;
+- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration,
+ dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration, NSError* error))) callout;
- (void) sendKeysCallout: (NSSet *(^)(NSSet* pending, NSError **error)) handleKeys;
- (void)recordWriteToKVS:(NSDictionary *)values;
#import "CKDSecuritydAccount.h"
#include <Security/SecureObjectSync/SOSARCDefines.h>
-#include <Security/SecureObjectSync/SOSKVSKeys.h>
+#include <utilities/SecCFWrappers.h>
#include "SOSCloudKeychainConstants.h"
static NSString *kMonitorFourthMinute = @"DFourthMinute";
static NSString *kMonitorFifthMinute = @"EFifthMinute";
static NSString *kMonitorWroteInTimeSlice = @"TimeSlice";
+const CFStringRef kSOSKVSKeyParametersKey = CFSTR(">KeyParameters");
+const CFStringRef kSOSKVSInitialSyncKey = CFSTR("^InitialSync");
+const CFStringRef kSOSKVSAccountChangedKey = CFSTR("^AccountChanged");
+const CFStringRef kSOSKVSRequiredKey = CFSTR("^Required");
+const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID");
#define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged"
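Review bot: The five `kSOSKVS…Key` constants added here are definitions with external linkage, and they replace the `SOSKVSKeys.h` include that presumably declared them. If another object linked into the same binary still defines these symbols the link fails with duplicates; if none does, the literal values can drift from the ones the sync code uses without any build error. Making them file-local, e.g. `static const CFStringRef kSOSKVSRequiredKey = CFSTR("^Required");`, and adding a comment naming the header they mirror would make the duplication deliberate.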
_shadowFlushBlock = block;
}
-- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout
+- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration,
+ dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration, NSError* error))) callout
{
// In CKDKVSProxy's serial queue
_shadowSyncWithPeersPending = NO;
});
- callout(myPending, mySyncWithPeersPending, myEnsurePeerRegistration, _ckdkvsproxy_queue, ^(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration) {
+ callout(myPending, mySyncWithPeersPending, myEnsurePeerRegistration, _ckdkvsproxy_queue, ^(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration, NSError* failure) {
secdebug("event", "%@ %s%s before callout handled: %s%s", self, mySyncWithPeersPending ? "S" : "s", myEnsurePeerRegistration ? "E" : "e", handledSyncWithPeers ? "S" : "s", handledEnsurePeerRegistration ? "E" : "e");
// In CKDKVSProxy's serial queue
dispatch_async(_calloutQueue, _shadowFlushBlock);
_shadowFlushBlock = NULL;
}
+
+ if (failure) {
+ [self updateIsLocked];
+ }
xpc_transaction_end();
});
}
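Review bot: `if (failure)` keys the lock re-check on the error pointer alone, while the call sites changed in this commit forward `error` unconditionally: `done(nil, NO, handledEnsurePeerRegistration, error)` in `doEnsurePeerRegistration`, and likewise `done(handled, NO, NO, error)` and `done(nil, handledSyncWithPeers, false, error)`. By Cocoa convention an `NSError **` out-parameter is only meaningful when the call reports failure, so a stale or informational error would trigger `updateIsLocked` after a successful callout. Either pass `nil` on success at the call sites, e.g. `done(nil, NO, handledEnsurePeerRegistration, handledEnsurePeerRegistration ? nil : error);`, or add a comment on `calloutWith:` stating that a non-nil fourth argument means the callout failed and forces a lock-state refresh. Only part of the `calloutWith:` body is visible here.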
- (void) sendKeysCallout: (NSSet *(^)(NSSet* pending, NSError** error)) handleKeys {
- [self calloutWith: ^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) {
+ [self calloutWith: ^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool, NSError*)) {
NSError* error = NULL;
secnotice("CloudKeychainProxy", "send keys: %@", pending);
secerror("%@ ensurePeerRegistration failed: %@", self, error);
}
- done(handled, NO, NO);
+ done(handled, NO, NO, error);
});
}];
}
- (void) doEnsurePeerRegistration
{
NSObject<CKDAccount>* accountDelegate = [self account];
- [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) {
+ [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool, NSError*)) {
NSError* error = nil;
bool handledEnsurePeerRegistration = [accountDelegate ensurePeerRegistration:&error];
secnotice("EnsurePeerRegistration", "%@ ensurePeerRegistration called, %@ (%@)", self, handledEnsurePeerRegistration ? @"success" : @"failure", error);
dispatch_async(queue, ^{
- done(nil, NO, handledEnsurePeerRegistration);
+ done(nil, NO, handledEnsurePeerRegistration, error);
});
}];
}
- (void) doSyncWithAllPeers
{
NSObject<CKDAccount>* accountDelegate = [self account];
- [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) {
+ [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool, NSError*)) {
NSError* error = NULL;
SyncWithAllPeersReason reason = [accountDelegate syncWithAllPeers: &error];
dispatch_async(queue, ^{
secerror("%@ syncWithAllPeers %@, unknown reason: %d", self, error, reason);
}
- done(nil, handledSyncWithPeers, false);
+ done(nil, handledSyncWithPeers, false, error);
});
}];
}
#import <QuartzCore/QuartzCore.h>
#import <Regressions/SOSTestDataSource.h>
-#import <securityd/SOSCloudCircleServer.h>
#import <CKBridge/SOSCloudKeychainConstants.h>
#import "PeerListCell.h"
#import <utilities/SecCFRelease.h>
#import <QuartzCore/QuartzCore.h>
#include <Regressions/SOSTestDataSource.h>
-#include <securityd/SOSCloudCircleServer.h>
#include <CKBridge/SOSCloudKeychainConstants.h>
//#import "PeerListCell.h"
7A21DAE619B7F27C0007D37F /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; };
8E64DB4A1C17C26F0076C9DF /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; };
8E64DB4B1C17C2830076C9DF /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; };
+ 8EC74B8D1DA578EE00D7D801 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */; };
+ 8EC74BB21DA57A0300D7D801 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */; };
+ 8EC74BB31DA57B1000D7D801 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */; };
AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; };
AC5688BC18B4396D00F0526C /* SecCMS.h in Headers */ = {isa = PBXBuildFile; fileRef = AC5688BA18B4396D00F0526C /* SecCMS.h */; settings = {ATTRIBUTES = (Private, ); }; };
ACB6171918B5231800EBEDD7 /* libsecurity_smime_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = ACB6171818B5231800EBEDD7 /* libsecurity_smime_regressions.a */; };
721680A8179B40F600406BB4 /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; };
721680AA179B40F600406BB4 /* iCloudStats.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = iCloudStats.1; sourceTree = "<group>"; };
721680BD179B4F9100406BB4 /* com.apple.iCloudStats.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.iCloudStats.plist; sourceTree = "<group>"; };
+ 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileKeyBag.framework; path = System/Library/PrivateFrameworks/MobileKeyBag.framework; sourceTree = SDKROOT; };
AC5688BA18B4396D00F0526C /* SecCMS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCMS.h; path = libsecurity_smime/lib/SecCMS.h; sourceTree = SOURCE_ROOT; };
BE48AE211ADF1DF4000836C1 /* trustd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = trustd; sourceTree = BUILT_PRODUCTS_DIR; };
BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.trustd.agent.plist; sourceTree = "<group>"; };
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
+ 8EC74BB31DA57B1000D7D801 /* MobileKeyBag.framework in Frameworks */,
D447C0E71D2C9C390082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */,
5E7AF49B1ACD64E600005140 /* libACM.a in Frameworks */,
187A05B1170393FF0038C158 /* libaks.a in Frameworks */,
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
+ 8EC74BB21DA57A0300D7D801 /* MobileKeyBag.framework in Frameworks */,
6C721DB11D3D18D700888AE1 /* login.framework in Frameworks */,
D447C0C21D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */,
5E7AF4731ACD64AC00005140 /* libACM.a in Frameworks */,
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
+ 8EC74B8D1DA578EE00D7D801 /* MobileKeyBag.framework in Frameworks */,
6C721DD61D3D18EC00888AE1 /* login.framework in Frameworks */,
D45FC3E41C9E06B500509CDA /* libSecureObjectSync.a in Frameworks */,
D4DDD3D01BE3EC0300E8AE2D /* libDiagnosticMessagesClient.dylib in Frameworks */,
1807384D146D0D4E00F05C24 /* Frameworks */ = {
isa = PBXGroup;
children = (
+ 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */,
DCA28DF61D629C6D00201446 /* libsqlite3.dylib */,
6C721DB01D3D18D700888AE1 /* login.framework */,
D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */,
ARCHS = "$(ARCHS_STANDARD)";
CLANG_ENABLE_OBJC_ARC = YES;
CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist;
+ FRAMEWORK_SEARCH_PATHS = (
+ "$(inherited)",
+ "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+ );
HEADER_SEARCH_PATHS = (
"$(inherited)",
"$(PROJECT_DIR)/sec",
ARCHS = "$(ARCHS_STANDARD)";
CLANG_ENABLE_OBJC_ARC = YES;
CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist;
+ FRAMEWORK_SEARCH_PATHS = (
+ "$(inherited)",
+ "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+ );
HEADER_SEARCH_PATHS = (
"$(inherited)",
"$(PROJECT_DIR)/sec",
#define AUTH_XPC_ITEM_FLAGS "_item_flags"
#define AUTH_XPC_ITEM_VALUE "_item_value"
#define AUTH_XPC_ITEM_TYPE "_item_type"
+#define AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH "_item_sensitive_value_length"
#define AUTH_XPC_REQUEST_METHOD_KEY "_agent_request_key"
#define AUTH_XPC_REQUEST_METHOD_CREATE "_agent_request_create"
#include "authutilities.h"
#include <Security/AuthorizationTags.h>
+#include <dispatch/private.h>
typedef struct _auth_item_s * auth_item_t;
xpc_object_t xpc_data = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_string(xpc_data, AUTH_XPC_ITEM_NAME, item->data.name);
if (item->data.value) {
- xpc_dictionary_set_data(xpc_data, AUTH_XPC_ITEM_VALUE, item->data.value, item->data.valueLength);
+ // <rdar://problem/13033889> authd is holding on to multiple copies of my password in the clear
+ bool sensitive = strcmp(item->data.name, "password") == 0;
+ if (sensitive) {
+ vm_address_t vmBytes = 0;
+ size_t xpcOutOfBandBlockSize = (item->data.valueLength > 32768 ? item->data.valueLength : 32768); // min 16K on 64-bit systems and 12K on 32-bit systems
+ vm_allocate(mach_task_self(), &vmBytes, xpcOutOfBandBlockSize, VM_FLAGS_ANYWHERE);
+ memcpy((void *)vmBytes, item->data.value, item->data.valueLength);
+ dispatch_data_t dispData = dispatch_data_create((void *)vmBytes, xpcOutOfBandBlockSize, DISPATCH_TARGET_QUEUE_DEFAULT, DISPATCH_DATA_DESTRUCTOR_VM_DEALLOCATE); // out-of-band mapping
+ xpc_object_t xpcData = xpc_data_create_with_dispatch_data(dispData);
+ dispatch_release(dispData);
+ xpc_dictionary_set_value(xpc_data, AUTH_XPC_ITEM_VALUE, xpcData);
+ xpc_release(xpcData);
+ xpc_dictionary_set_uint64(xpc_data, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH, item->data.valueLength);
+ } else {
+ xpc_dictionary_set_data(xpc_data, AUTH_XPC_ITEM_VALUE, item->data.value, item->data.valueLength);
+ }
}
xpc_dictionary_set_uint64(xpc_data, AUTH_XPC_ITEM_FLAGS, item->data.flags);
xpc_dictionary_set_uint64(xpc_data, AUTH_XPC_ITEM_TYPE, item->type);
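Review bot: The return value of `vm_allocate` is not checked before `memcpy((void *)vmBytes, item->data.value, item->data.valueLength)`, so an allocation failure leaves `vmBytes` at 0 and the password copy writes through a null address. Test for `KERN_SUCCESS` and skip or fail the export otherwise, e.g. `if (vm_allocate(mach_task_self(), &vmBytes, xpcOutOfBandBlockSize, VM_FLAGS_ANYWHERE) != KERN_SUCCESS) { /* do not export the value */ }`. A comment should also state that the data object is padded to the block size, so receivers must take the real length from `AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH` and not from the data size. The enclosing function starts and ends outside the hunk.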
item->data.name = _copy_string(xpc_dictionary_get_string(data, AUTH_XPC_ITEM_NAME));
item->data.flags = (uint32_t)xpc_dictionary_get_uint64(data, AUTH_XPC_ITEM_FLAGS);
item->type = (uint32_t)xpc_dictionary_get_uint64(data, AUTH_XPC_ITEM_TYPE);
-
+
size_t len;
const void * value = xpc_dictionary_get_data(data, AUTH_XPC_ITEM_VALUE, &len);
if (value) {
- item->bufLen = len;
- item->data.valueLength = len;
- item->data.value = calloc(1u, len);
- memcpy(item->data.value, value, len);
+ // <rdar://problem/13033889> authd is holding on to multiple copies of my password in the clear
+ bool sensitive = xpc_dictionary_get_value(data, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH);
+ if (sensitive) {
+ size_t sensitiveLength = (size_t)xpc_dictionary_get_uint64(data, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH);
+ item->bufLen = sensitiveLength;
+ item->data.valueLength = sensitiveLength;
+ item->data.value = calloc(1u, sensitiveLength);
+ memcpy(item->data.value, value, sensitiveLength);
+ memset_s((void *)value, len, 0, sensitiveLength); // clear the sensitive data, memset_s is never optimized away
+ } else {
+ item->bufLen = len;
+ item->data.valueLength = len;
+ item->data.value = calloc(1u, len);
+ memcpy(item->data.value, value, len);
+ }
}
done:
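Review bot: `sensitiveLength` is read from the incoming dictionary and used as the `memcpy` size without being compared to `len`, the actual size returned by `xpc_dictionary_get_data`. A message whose `_item_sensitive_value_length` is larger than the data makes the copy read past the XPC buffer, and `memset_s((void *)value, len, 0, sensitiveLength)` then takes its runtime-constraint path instead of clearing the bytes that were copied. Reject the item when the claimed length exceeds the data, e.g. `require(sensitiveLength <= len, done);` (or an equivalent early exit) before the `calloc`. The same unchecked length is used in the `xpc_array_apply` block of the item-set import hunk, and the `calloc` result is used unchecked in both branches here. The function body extends beyond the hunk.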
<key>rule</key>
<array>
<string>is-root</string>
- <string>entitled-admin-or-authenticate-admin</string>
+ <string>entitled-admin-or-authenticate-admin-nonshared</string>
</array>
+ <key>version</key>
+ <integer>1</integer>
</dict>
<key>com.apple.SoftwareUpdate.modify-settings</key>
<dict>
<string>builtin:generic-unlock</string>
</array>
</dict>
+ <key>com.apple.builtin.sc-kc-new-passphrase</key>
+ <dict>
+ <key>class</key>
+ <string>evaluate-mechanisms</string>
+ <key>mechanisms</key>
+ <array>
+ <string>builtin:generic-new-passphrase</string>
+ </array>
+ </dict>
<key>com.apple.container-repair</key>
<dict>
<key>class</key>
<string>loginwindow:done</string>
</array>
<key>version</key>
- <integer>4</integer>
+ <integer>6</integer>
</dict>
<key>system.login.fus</key>
<dict>
<key>timeout</key>
<integer>0</integer>
</dict>
+ <key>authenticate-admin-nonshared</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Authenticate as an administrator.</string>
+ <key>group</key>
+ <string>admin</string>
+ <key>timeout</key>
+ <integer>30</integer>
+ <key>version</key>
+ <integer>1</integer>
+ </dict>
<key>authenticate-admin-30</key>
<dict>
<key>class</key>
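Review bot: `authenticate-admin-nonshared` is distinguished from a shared credential rule only by the absence of a `shared` key, and its comment string is the generic `Authenticate as an administrator.` Writing the intent out with `<key>shared</key>` followed by `<false/>`, and a comment that says the credential is not shared, would keep a later edit from changing the behaviour by accident. This assumes the rule class treats a missing `shared` key as false, which should be confirmed against the rule parser. `is-admin-nonshared` in a later hunk relies on the same missing key.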
<string>entitled</string>
</array>
</dict>
+ <key>entitled-admin-nonshared</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>2</integer>
+ <key>rule</key>
+ <array>
+ <string>is-admin-nonshared</string>
+ <string>entitled</string>
+ </array>
+ </dict>
+ <key>entitled-admin-or-authenticate-admin-nonshared</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>entitled-admin-nonshared</string>
+ <string>authenticate-admin-nonshared</string>
+ </array>
+ </dict>
<key>entitled-admin-or-authenticate-admin</key>
<dict>
<key>class</key>
<key>shared</key>
<true/>
</dict>
+ <key>is-admin-nonshared</key>
+ <dict>
+ <key>authenticate-user</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Verify that the user asking for authorization is an administrator - nonshared right.</string>
+ <key>group</key>
+ <string>admin</string>
+ </dict>
<key>is-appstore</key>
<dict>
<key>authenticate-user</key>
require_action(set->items != NULL, done, set->count = 0);
xpc_array_apply(data, ^bool(size_t index, xpc_object_t value) {
+ void *dataCopy = 0;
require(xpc_get_type(value) == XPC_TYPE_DICTIONARY, done);
size_t nameLen = 0;
const char * name = xpc_dictionary_get_string(value, AUTH_XPC_ITEM_NAME);
set->items[index].flags = (uint32_t)xpc_dictionary_get_uint64(value, AUTH_XPC_ITEM_FLAGS);
size_t len;
const void * valueData = xpc_dictionary_get_data(value, AUTH_XPC_ITEM_VALUE, &len);
+
+ // <rdar://problem/13033889> authd is holding on to multiple copies of my password in the clear
+ if (xpc_dictionary_get_value(value, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH) != NULL) {
+ size_t sensitiveLength = (size_t)xpc_dictionary_get_uint64(value, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH);
+ dataCopy = malloc(sensitiveLength);
+ require(dataCopy != NULL, done);
+ memcpy(dataCopy, valueData, sensitiveLength);
+ memset_s((void *)valueData, len, 0, sensitiveLength); // clear the sensitive data, memset_s is never optimized away
+ len = sensitiveLength;
+ } else {
+ dataCopy = malloc(len);
+ require(dataCopy != NULL, done);
+ memcpy(dataCopy, valueData, len);
+ }
+
set->items[index].valueLength = len;
if (len) {
set->items[index].value = calloc(1u, len);
require(set->items[index].value != NULL, done);
- memcpy(set->items[index].value, valueData, len);
+ memcpy(set->items[index].value, dataCopy, len);
}
+
done:
+ if (dataCopy)
+ free(dataCopy);
return true;
});
}
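Review bot: `dataCopy` is an extra heap copy of the item value that is released with a plain `free` and never cleared, which works against the stated goal of not leaving cleartext password copies behind. Wipe it first, e.g. `if (dataCopy) { memset_s(dataCopy, len, 0, len); free(dataCopy); }`; `len` matches the allocated size whenever `dataCopy` is non-NULL. Simpler still, copy from `valueData` straight into `set->items[index].value` before the `memset_s` on `valueData`, so the intermediate buffer is not needed. In the same block, `valueData` is not checked for NULL and `sensitiveLength` is not bounded by `len` before `memcpy(dataCopy, valueData, sensitiveLength)`; `require(valueData != NULL && sensitiveLength <= len, done);` would cover both. Part of the block's body appears to lie outside the visible hunk.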
if (rule && _preevaluate_rule(engine, rule)) {
password_only = true;
+ CFReleaseSafe(rule);
return false;
}
+ CFReleaseSafe(rule);
return true;
});
authdb_connection_release(&dbconn); // release db handle
HEADER_SEARCH_PATHS = $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../include $(BUILT_PRODUCTS_DIR)/derived_src $(BUILT_PRODUCTS_DIR) $(PROJECT_DIR)/lib $(PROJECT_DIR)/../utilities $(inherited)
+FRAMEWORK_SEARCH_PATHS = $(inherited) $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks
+
SKIP_INSTALL = YES
ALWAYS_SEARCH_USER_PATHS = YES
"system.preferences.continuity" = "__APPNAME__ is trying to unlock the Touch ID preferences.";
"com.apple.ctkbind.admin" = "__APPNAME__ is trying to pair the current user with the SmartCard identity.";
+
+"com.apple.builtin.sc-kc-new-passphrase" = "The system will now create a keychain to store your secrets. Your smart card will automatically unlock it. Please choose a password that can unlock it separately. You may use your account password or pick another one. For security reasons, do not use your smart card PIN or similar text.";
+
_SecCertificatePathGetRoot
_SecCertificatePathGetUsageConstraintsAtIndex
_SecCertificatePathHasWeakHash
+_SecCertificatePathHasWeakKeySize
_SecCertificatePathIsAnchored
_SecCertificatePathIsValid
_SecCertificatePathScore
_kSSLSessionConfig_RC4_fallback
_kSSLSessionConfig_TLSv1_fallback
_kSSLSessionConfig_TLSv1_RC4_fallback
+_kSSLSessionConfig_3DES_fallback
+_kSSLSessionConfig_TLSv1_3DES_fallback
_kSSLSessionConfig_legacy_DHE
_kSSLSessionConfig_anonymous
break;
default:
/* not reached */
+ badFormat = true;
break;
}
#include <CoreFoundation/CFDictionary.h>
+#if !SECTRUST_OSX
+
static CFStringRef kSecSystemTrustStoreBundlePath = CFSTR("/System/Library/Security/Certificates.bundle");
static CFURLRef SecSystemTrustStoreCopyResourceURL(CFStringRef resourceName,
return result;
}
+#else
+
+/* Legacy code path, only known to be used by IdentityCursorPolicyAndID::next. (rdar://28622060) */
+
+CSSM_RETURN tpCheckCertificateAllowList(TPCertGroup &certGroup) {
+ return CSSMERR_TP_NOT_TRUSTED;
+}
+
+#endif /* !SECTRUST_OSX */
+
#define AGENT_HINT_LOGIN_KC_CUST_STR2 "loginKCCreate:customStr2"
#define AGENT_HINT_LOGIN_KC_USER_HAS_OTHER_KCS_STR "loginKCCreate:moreThanOneKeychainExists"
+#define AGENT_HINT_IGNORE_SESSION "ignore-session-state"
+
/* Keychain synchronization */
// iDisk keychain blob metainfo dictionary; follows "defaults" naming
#define AGENT_HINT_KCSYNC_DICT "com.apple.keychainsync.dictionary"
{
// The databaseManager will notify all its DbContext instances
// that the database is question is being deleted.
- secnotice("dbsession", "DbDelete of %s", inDbName);
+ secinfo("dbsession", "DbDelete of %s", inDbName);
mDatabaseManager.dbDelete(*this, DbName(inDbName, CssmNetAddress::optional(inDbLocation)), inAccessCred);
}
CSSM_DB_HANDLE &outDbHandle)
{
outDbHandle = CSSM_INVALID_HANDLE; // CDSA 2.0 says to set this if we fail
- secnotice("dbsession", "DbCreate of %s", inDbName);
+ secinfo("dbsession", "DbCreate of %s", inDbName);
outDbHandle = insertDbContext(mDatabaseManager.dbCreate(*this,
DbName(inDbName, CssmNetAddress::optional(inDbLocation)),
CSSM_DB_HANDLE &outDbHandle)
{
DOCDebug("DatabaseSession::DbOpen: dbName %s", inDbName);
- secnotice("dbsession", "DbOpen of %s", inDbName);
+ secinfo("dbsession", "DbOpen of %s", inDbName);
outDbHandle = CSSM_INVALID_HANDLE; // CDSA 2.0 says to set this if we fail
outDbHandle = insertDbContext(mDatabaseManager.dbOpen(*this,
DbName(inDbName, CssmNetAddress::optional(inDbLocation)),
/*
- * Copyright (c) 2002-2003,2011-2012,2014 Apple Inc. All Rights Reserved.
- *
+ * Copyright (c) 2002-2003,2011-2012,2014-2016 Apple Inc. All Rights Reserved.
+ *
* The contents of this file constitute Original Code as defined in and are
* subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License.
+ * You may not use this file except in compliance with the License.
* Please obtain a copy of the License at http://www.apple.com/publicsource
* and read it before using this file.
- *
+ *
* This Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights
+ * Please see the License for the specific language governing rights
* and limitations under the License.
*/
-
+
/*
- * cuOidParser.cpp - parse an Intel-style OID, with the assistance
+ * cuOidParser.cpp - parse an Intel-style OID, with the assistance
* of dumpasn1.cfg
*/
-
+
#include <Security/cssmtype.h>
#include <string.h>
#include <stdlib.h>
static const char *OID_ENTRY_START = "OID = ";
static const char *OID_DESCR_START = "Description = ";
/*
- * Read entire file with extra bytes left over in the mallocd buffer.
+ * Read entire file with extra bytes left over in the mallocd buffer.
*/
static
int readFileExtra(
unsigned char *buf;
struct stat sb;
size_t size;
-
+
*numBytes = 0;
*bytes = NULL;
fd = open(fileName, O_RDONLY, 0);
}
/*
- * Attempt to read dumpasn1.cfg from various places. If we can't find it,
+ * Attempt to read dumpasn1.cfg from various places. If we can't find it,
* printOid() function will just print raw bytes as it
* would if the .cfg file did not contain the desired OID.
*/
{
CSSM_DATA_PTR configData = NULL;
int rtn;
-
+
configData = (CSSM_DATA_PTR)malloc(sizeof(CSSM_DATA));
if(configData == NULL) {
return NULL;
}
/* malloc one extra byte, we'll null it later */
- rtn = readFileExtra(CONFIG_FILE1, 1, &configData->Data,
+ rtn = readFileExtra(CONFIG_FILE1, 1, &configData->Data,
&configData->Length);
if(rtn) {
- rtn = readFileExtra(CONFIG_FILE2, 1, &configData->Data,
+ rtn = readFileExtra(CONFIG_FILE2, 1, &configData->Data,
&configData->Length);
}
if(rtn) {
- char fileName[100];
char *localBuildDir = getenv(CONFIG_FILE_ENV);
if(localBuildDir == NULL) {
rtn = 1;
}
else {
- sprintf(fileName, "%s/%s", localBuildDir, CONFIG_FILE_NAME);
- rtn = readFileExtra(fileName, 1, &configData->Data,
- &configData->Length);
+ char *pathBuf = NULL;
+ rtn = asprintf(&pathBuf, "%s/%s", localBuildDir, CONFIG_FILE_NAME);
+ if (rtn < 1 || !pathBuf) {
+ rtn = 1;
+ }
+ else {
+ rtn = readFileExtra(pathBuf, 1, &configData->Data,
+ &configData->Length);
+ }
+ if (pathBuf) {
+ free(pathBuf);
+ }
}
}
if(rtn == 0) {
}
/*
- * The heart of this module.
+ * The heart of this module.
*
- * -- Convert Intel-style OID to a string which might be found
+ * -- Convert Intel-style OID to a string which might be found
* in the config file
* -- search config file for that string
* -- if found, use that entry in config file to output meaningful
* string and return CSSM_TRUE. Else return CSSM_FALSE.
*/
static CSSM_BOOL parseOidWithConfig(
- const CSSM_DATA_PTR configData,
- const CSSM_OID_PTR oid,
+ const CSSM_DATA_PTR configData,
+ const CSSM_OID_PTR oid,
char *strBuf)
{
char *fullOidStr = NULL;
char *nextNl; // next NL if any
char *eol; // end of line
int len;
-
+
if(configData == NULL) {
return CSSM_FALSE;
}
-
+
/* cook up a full OID string, with tag and length */
- fullOidStr = (char *)malloc((3 * oid->Length) +
+ fullOidStr = (char *)malloc((3 * oid->Length) +
// 2 chars plus space per byte
strlen(OID_ENTRY_START) + // "OID = "
6 + // 06 xx - tag and length
return CSSM_FALSE;
}
/* subsequent errors to errOut: */
-
+
sprintf(fullOidStr, "OID = 06 %02X", (unsigned)oid->Length);
cp = fullOidStr + strlen(fullOidStr);
for(i=0; i<oid->Length; i++) {
/* add one byte */
sprintf(cp, " %02X", oid->Data[i]);
}
-
- /*
+
+ /*
* Let's play it loose and assume that there are no embedded NULLs
* in the config file. Thus we can use the spiffy string functions
- * in stdlib.
+ * in stdlib.
*/
ourEntry = strstr((char *)configData->Data, fullOidStr);
if(ourEntry == NULL) {
brtn = CSSM_FALSE;
goto errOut;
}
-
+
/* get position of NEXT full entry - may be NULL (end of file) */
nextEntry = strstr(ourEntry+1, OID_ENTRY_START);
-
+
/* get position of our entry's description line */
descStart = strstr(ourEntry+1, OID_DESCR_START);
-
+
/* handle not found/overflow */
if( (descStart == NULL) || // no more description lines
( (descStart > nextEntry) && // no description in THIS entry
brtn = CSSM_FALSE;
goto errOut;
}
-
+
/* set descStart to after the leader */
descStart += strlen(OID_DESCR_START);
-
- /*
+
+ /*
* descStart points to the text we're interested in.
- * First find end of line, any style.
+ * First find end of line, any style.
*/
nextNl = strchr(descStart, '\n');
nextCr = strchr(descStart, '\r');
else {
eol = nextCr;
}
-
+
/* caller's string buf = remainder of description line */
len = (int)(eol - descStart);
if(len > (OID_PARSER_STRING_SIZE - 1)) {
}
memcpy(strBuf, descStart, len);
strBuf[len] = '\0';
- brtn = CSSM_TRUE;
+ brtn = CSSM_TRUE;
errOut:
if(fullOidStr != NULL) {
free(fullOidStr);
{
unsigned i;
CSSM_OID oid;
-
+
oid.Data = (uint8 *)oidp;
oid.Length = oidLen;
-
+
if((oidLen == 0) || (oidp == NULL)) {
strcpy(strBuf, "EMPTY");
return;
if(parseOidWithConfig(configData, &oid, strBuf) == CSSM_FALSE) {
/* no config file, just dump the bytes */
char cbuf[8];
-
+
sprintf(strBuf, "OID : < 06 %02X ", (unsigned)oid.Length);
for(i=0; i<oid.Length; i++) {
sprintf(cbuf, "%02X ", oid.Data[i]);
// Now that we have created the lock and the new db file create a tempfile
// object.
RefPointer<AtomicTempFile> temp(new AtomicTempFile(*this, lock, mode));
- secnotice("atomicfile", "%p created %s", this, path);
+ secinfo("atomicfile", "%p created %s", this, path);
return temp;
}
catch (...)
if (::stat(path, &st) == -1)
{
int error = errno;
- secnotice("atomicfile", "stat %s: %s", path, strerror(error));
+ secinfo("atomicfile", "stat %s: %s", path, strerror(error));
UnixError::throwMe(error);
}
return st.st_mode;
if (mBuffer)
{
- secnotice("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer);
+ secinfo("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer);
unloadBuffer();
}
}
if (mFileRef == -1)
{
int error = errno;
- secnotice("atomicfile", "open %s: %s", path, strerror(error));
+ secinfo("atomicfile", "open %s: %s", path, strerror(error));
// Do the obvious error code translations here.
// @@@ Consider moving these up a level.
else
{
int error = errno;
- secnotice("atomicfile", "lseek(%s, END): %s", path, strerror(error));
+ secinfo("atomicfile", "lseek(%s, END): %s", path, strerror(error));
AtomicFile::rclose(mFileRef);
mFileRef = -1;
UnixError::throwMe(error);
mBuffer = new uint8[mLength];
if(lseek(mFileRef, 0, SEEK_SET) < 0) {
int error = errno;
- secnotice("atomicfile", "lseek(%s, BEGINNING): %s", mPath.c_str(), strerror(error));
+ secinfo("atomicfile", "lseek(%s, BEGINNING): %s", mPath.c_str(), strerror(error));
UnixError::throwMe(error);
}
ssize_t pos = 0;
if (errno != EINTR)
{
int error = errno;
- secnotice("atomicfile", "read(%s, %zd): %s", mPath.c_str(), bytesToRead, strerror(error));
+ secinfo("atomicfile", "read(%s, %zd): %s", mPath.c_str(), bytesToRead, strerror(error));
if (mFileRef >= 0) {
AtomicFile::rclose(mFileRef);
mFileRef = -1;
{
if (mFileRef < 0)
{
- secnotice("atomicfile", "read %s: file yet not opened, opening", mPath.c_str());
+ secinfo("atomicfile", "read %s: file yet not opened, opening", mPath.c_str());
open();
}
off_t bytesLeft = inLength;
if (mBuffer)
{
- secnotice("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer);
+ secinfo("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer);
unloadBuffer();
}
loadBuffer();
- secnotice("atomicfile", "%p allocated %s buffer %p size %qd", this, mPath.c_str(), mBuffer, bytesLeft);
+ secinfo("atomicfile", "%p allocated %s buffer %p size %qd", this, mPath.c_str(), mBuffer, bytesLeft);
off_t maxEnd = inOffset + inLength;
if (maxEnd > mLength)
if (mFileRef == -1)
{
int error = errno;
- secnotice("atomicfile", "open %s: %s", path, strerror(error));
+ secnotice("atomicfile", "create %s: %s", path, strerror(error));
// Do the obvious error code translations here.
// @@@ Consider moving these up a level.
UnixError::throwMe(error);
}
- secnotice("atomicfile", "%p fsynced %s", this, mPath.c_str());
+ secinfo("atomicfile", "%p fsynced %s", this, mPath.c_str());
}
}
else
doSyslog = true;
- secnotice("atomicfile", "Locking %s", path); /* in order to cater for clock skew: get */
+ secinfo("atomicfile", "Locking %s", path); /* in order to cater for clock skew: get */
if (!xcreat(path, mode, t)) /* time t from the filesystem */
{
/* lock acquired, hurray! */
StLock<Mutex>_(*globals().storageManager.getStorageManagerMutex());
DLDbIdentifier dbid = NameValueDictionary::MakeDLDbIdentifierFromNameValueDictionary(dictionary);
thisKeychain = globals().storageManager.keychain(dbid);
+ globals().storageManager.tickleKeychain(thisKeychain);
}
const NameValuePair* item = dictionary.FindByName(ITEM_KEY);
}
void ItemImpl::addIntegrity(Access &access, bool force) {
- secnotice("integrity", "called");
-
if(!force && (!mKeychain || !mKeychain->hasIntegrityProtection())) {
secnotice("integrity", "skipping integrity add due to keychain version\n");
return;
AclFactory aclFactory;
const AccessCredentials *nullCred = aclFactory.nullCred();
- secnotice("integrity", "called");
-
bool haveOldUniqueId = !!mUniqueId.get();
SSDbUniqueRecord ssUniqueId(NULL);
SSGroup ssGroup(NULL);
ItemImpl::modifyContent(const SecKeychainAttributeList *attrList, UInt32 dataLength, const void *inData)
{
StLock<Mutex>_(mMutex);
+ unique_ptr<StReadWriteLock> __(mKeychain == NULL ? NULL : new StReadWriteLock(*(mKeychain->getKeychainReadWriteLock()), StReadWriteLock::Write));
+
if (!mDbAttributes.get())
{
mDbAttributes.reset(new DbAttributes());
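Review bot: `modifyContent` now takes the item's `mMutex` first and the keychain write lock second. `KeychainImpl::add`, `addCopy` and `deleteItem` in this same change take the keychain write lock first and then call into the item (`inItem->add(keychain)`), which presumably locks the item's mutex. If it does, two threads can acquire the pair in opposite order and deadlock; taking the keychain lock before `mMutex` here, or documenting the required order next to both locks, would settle it. The guard name `__` is also a reserved identifier in C++, so a name such as `keychainWriteLock` is safer. The function body continues past the hunk.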
mAllFailed(true),
mDeleteInvalidRecords(false),
mIsNewKeychain(true),
- mMutex(Mutex::recursive),
- mKeychainReadLock(NULL)
+ mMutex(Mutex::recursive)
{
recordType(Schema::recordTypeFor(itemClass));
mAllFailed(true),
mDeleteInvalidRecords(false),
mIsNewKeychain(true),
- mMutex(Mutex::recursive),
- mKeychainReadLock(NULL)
+ mMutex(Mutex::recursive)
{
if (!attrList) // No additional selectionPredicates: we are done
return;
KCCursorImpl::~KCCursorImpl() throw()
{
- if(mKeychainReadLock) {
- delete mKeychainReadLock;
- }
}
//static ModuleNexus<Mutex> gActivationMutex;
}
Keychain &kc = *mCurrent;
+
+ // Grab a read lock on the keychain
+ StReadWriteLock __(*(kc->getKeychainReadWriteLock()), StReadWriteLock::Read);
+
Mutex* mutex = kc->getKeychainMutex();
StLock<Mutex> _(*mutex);
}
}
}
- // release the Keychain lock before checking item integrity to avoid deadlock
item = tempItem;
return;
}
- // Always lose the last keychain's lock
- if(mKeychainReadLock) {
- delete mKeychainReadLock;
- mKeychainReadLock = NULL;
- }
-
if(kcIter != mSearchList.end()) {
(*kcIter)->performKeychainUpgradeIfNeeded();
(*kcIter)->tickle();
-
- // Grab a read lock on the keychain
- mKeychainReadLock = new StReadWriteLock(*((*kcIter)->getKeychainReadWriteLock()), StReadWriteLock::Read);
}
// Mark down that this function has been called
protected:
Mutex mMutex;
- StReadWriteLock* mKeychainReadLock;
// Call this every time we switch to a new keychain
// Will:
const SecKeyDescriptor *key_class;
SecKeyRef cdsaKey;
Security::KeychainCore::KeyItem *key;
+ SecCredentialType credentialType;
};
#endif // !_SECURITY_KEYITEM_H_
UInt32
KeychainImpl::status() const
{
+ StLock<Mutex>_(mMutex);
+
// @@@ We should figure out the read/write status though a DL passthrough
// or some other way. Also should locked be unlocked read only or just
// read-only?
void
KeychainImpl::addCopy(Item &inItem)
{
+ StReadWriteLock _(mRWLock, StReadWriteLock::Write);
+
Keychain keychain(this);
PrimaryKey primaryKey = inItem->addWithCopyInfo(keychain, true);
completeAdd(inItem, primaryKey);
void
KeychainImpl::add(Item &inItem)
{
+ // Make sure we hold a write lock on ourselves when we do this
+ StReadWriteLock _(mRWLock, StReadWriteLock::Write);
+
Keychain keychain(this);
PrimaryKey primaryKey = inItem->add(keychain);
completeAdd(inItem, primaryKey);
void
KeychainImpl::deleteItem(Item &inoutItem)
{
+ StReadWriteLock _(mRWLock, StReadWriteLock::Write);
+
{
// item must be persistent
if (!inoutItem->isPersistent())
// We only want to upgrade file-based Apple keychains. Check the GUID.
if(mDb->dl()->guid() != gGuidAppleCSPDL) {
- secnotice("integrity", "skipping upgrade for %s due to guid mismatch\n", mDb->name());
+ secinfo("integrity", "skipping upgrade for %s due to guid mismatch\n", mDb->name());
return false;
}
// Don't upgrade the System root certificate keychain (to make old tp code happy)
if(strncmp(mDb->name(), SYSTEM_ROOT_STORE_PATH, strlen(SYSTEM_ROOT_STORE_PATH)) == 0) {
- secnotice("integrity", "skipping upgrade for %s\n", mDb->name());
+ secinfo("integrity", "skipping upgrade for %s\n", mDb->name());
return false;
}
secnotice("integrity", "Couldn't read System.keychain key, skipping update");
}
} else {
- secnotice("integrity", "not attempting migration for %s version %d (%d %d %d)", path.c_str(), dbBlobVersion, inHomeLibraryKeychains, endsWithKeychainDb, isSystemKeychain);
+ secinfo("integrity", "not attempting migration for %s version %d (%d %d %d)", path.c_str(), dbBlobVersion, inHomeLibraryKeychains, endsWithKeychainDb, isSystemKeychain);
// Since we don't believe any migration needs to be done here, mark the
// migration as "attempted" to short-circuit future checks.
if (cssme.osStatus() == CSSMERR_DL_RECORD_NOT_FOUND) {
secnotice("integrity", "deleting corrupt (Not Found) record");
keychain->deleteItem(item);
+ } else if(cssme.osStatus() == CSSMERR_CSP_INVALID_KEY) {
+ secnotice("integrity", "deleting corrupt key record");
+ keychain->deleteItem(item);
} else {
throw;
}
}
bool KeychainImpl::hasIntegrityProtection() {
+ StLock<Mutex>_(mMutex);
+
// This keychain only supports integrity if there's a database attached, that database is an Apple CSPDL, and the blob version is high enough
if(mDb && (mDb->dl()->guid() == gGuidAppleCSPDL)) {
if(mDb->dbBlobVersion() >= SecurityServer::DbBlob::version_partition) {
DefaultCredentials mCustomUnlockCreds;
bool mIsInBatchMode;
EventBuffer *mEventBuffer;
- Mutex mMutex;
+ mutable Mutex mMutex;
// Now that we sometimes change the database object, Db object
// creation/returning needs a mutex. You should only hold this if you're
#define END_SECKEYAPI }\
catch (const MacOSError &err) { SecError(err.osStatus(), error, CFSTR("%s"), err.what()); result = NULL; } \
-catch (const CommonError &err) { SecError(SecKeychainErrFromOSStatus(err.osStatus()), error, CFSTR("%s"), err.what()); result = NULL; } \
+catch (const CommonError &err) { \
+ if (err.osStatus() != CSSMERR_CSP_INVALID_DIGEST_ALGORITHM) { \
+ OSStatus status = SecKeychainErrFromOSStatus(err.osStatus()); if (status == errSecInputLengthError) status = errSecParam; \
+ SecError(status, error, CFSTR("%s"), err.what()); result = NULL; } \
+ } \
catch (const std::bad_alloc &) { SecError(errSecAllocate, error, CFSTR("allocation failed")); result = NULL; } \
catch (...) { SecError(errSecInternalComponent, error, CFSTR("internal error")); result = NULL; } \
return result;
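Review bot: In the rewritten `CommonError` handler, a `CSSMERR_CSP_INVALID_DIGEST_ALGORITHM` error is swallowed with no `SecError` call and no `result = NULL`, so the macro returns whatever `result` held when the exception was thrown. If the intent is for the caller to see the default value set by `BEGIN_SECKEYAPI` (presumably meaning "not supported"), the macro needs a comment saying so, for example `/* unsupported digest: leave result at its default so the caller can fall back */`. It would also be safer to reset `result` explicitly in that branch than to rely on no assignment having happened before the throw. The `errSecInputLengthError` to `errSecParam` remapping on the same line deserves a short comment too.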
// %%% used by SecCertificate{Copy,Set}Preference
#include <Security/SecKeychainItemPriv.h>
#include <Security/SecIdentityPriv.h>
+#include <Security/SecItemPriv.h>
#include <security_keychain/KCCursor.h>
#include <security_cdsa_utilities/Schema.h>
#include <security_cdsa_utils/cuCdsaUtils.h>
SecCertificateFindByIssuerAndSN(CFTypeRef keychainOrArray,const CSSM_DATA *issuer,
const CSSM_DATA *serialNumber, SecCertificateRef *certificate)
{
+ if (issuer && serialNumber) {
+ CFRef<CFMutableDictionaryRef> query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecAttrNoLegacy, kCFBooleanTrue);
+
+ CFRef<CFDataRef> issuerData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)issuer->Data, issuer->Length, kCFAllocatorNull);
+ CFDictionarySetValue(query, kSecAttrIssuer, issuerData);
+
+ CFRef<CFDataRef> serialNumberData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)serialNumber->Data, serialNumber->Length, kCFAllocatorNull);
+ CFDictionarySetValue(query, kSecAttrSerialNumber, serialNumberData);
+
+ OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)certificate);
+ if (status == errSecSuccess) {
+ return status;
+ }
+ }
+
BEGIN_SECAPI
StorageManager::KeychainList keychains;
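Review bot: The new fast path in SecCertificateFindByIssuerAndSN never consults `keychainOrArray`, so a caller that restricts the search to particular keychains can be handed a certificate from outside that set whenever the `kSecAttrNoLegacy` query matches. The fast paths added to SecCertificateFindBySubjectKeyID and SecCertificateFindByEmail behave the same way. If that is intended it should be documented, and otherwise limited to the unrestricted case, e.g. `if (!keychainOrArray && issuer && serialNumber) {`. The block also runs before `BEGIN_SECAPI`, so `certificate` is passed to SecItemCopyMatching without a NULL check, and a failed `CFDictionaryCreateMutable` or `CFDataCreateWithBytesNoCopy` would reach `CFDictionarySetValue` as NULL. The function body continues outside the hunk.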
SecCertificateFindBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID,
SecCertificateRef *certificate)
{
- BEGIN_SECAPI
+ if (subjectKeyID) {
+ CFRef<CFMutableDictionaryRef> query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecAttrNoLegacy, kCFBooleanTrue);
+
+ CFRef<CFDataRef> subjectKeyIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)subjectKeyID->Data, subjectKeyID->Length, kCFAllocatorNull);
+ CFDictionarySetValue(query, kSecAttrSubjectKeyID, subjectKeyIDData);
+
+ OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)certificate);
+ if (status == errSecSuccess) {
+ return status;
+ }
+ }
+
+ BEGIN_SECAPI
StorageManager::KeychainList keychains;
globals().storageManager.optionalSearchList(keychainOrArray, keychains);
OSStatus
SecCertificateFindByEmail(CFTypeRef keychainOrArray, const char *emailAddress, SecCertificateRef *certificate)
{
- BEGIN_SECAPI
+ if (emailAddress) {
+ CFRef<CFMutableDictionaryRef> query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecAttrNoLegacy, kCFBooleanTrue);
+
+ CFRef<CFStringRef> emailAddressString = CFStringCreateWithCString(kCFAllocatorDefault, emailAddress, kCFStringEncodingUTF8);
+ CFTypeRef keys[] = { kSecPolicyName };
+ CFTypeRef values[] = { emailAddressString };
+ CFRef<CFDictionaryRef> properties = CFDictionaryCreate(kCFAllocatorDefault, keys, values, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFRef<SecPolicyRef> policy = SecPolicyCreateWithProperties(kSecPolicyAppleSMIME, properties);
+ CFDictionarySetValue(query, kSecMatchPolicy, policy);
+
+ OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)certificate);
+ if (status == errSecSuccess) {
+ return status;
+ }
+ }
+
+ BEGIN_SECAPI
StorageManager::KeychainList keychains;
globals().storageManager.optionalSearchList(keychainOrArray, keychains);
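Review bot: `CFStringCreateWithCString` returns NULL when `emailAddress` is not valid UTF-8, and the new code puts that result straight into `values[]` for `CFDictionaryCreate` with the CFType callbacks, which retain every value. A malformed address from a caller would therefore crash here instead of falling through to the legacy search below. Guard the policy construction and the SecItemCopyMatching call with `if (emailAddressString) {`, and check `policy` the same way before `CFDictionarySetValue(query, kSecMatchPolicy, policy)`. The function body continues outside the hunk.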
*/
CFDataRef SecCertificateCopyNormalizedIssuerSequenceP(
SecCertificateRefP certificate) {
+ if (!certificate || !certificate->_normalizedIssuer) {
+ return NULL;
+ }
DERItem tmpdi;
tmpdi.data = (DERByte *)CFDataGetBytePtr(certificate->_normalizedIssuer);
tmpdi.length = CFDataGetLength(certificate->_normalizedIssuer);
*/
CFDataRef SecCertificateCopyNormalizedSubjectSequenceP(
SecCertificateRefP certificate) {
+ if (!certificate || !certificate->_normalizedSubject) {
+ return NULL;
+ }
DERItem tmpdi;
tmpdi.data = (DERByte *)CFDataGetBytePtr(certificate->_normalizedSubject);
tmpdi.length = CFDataGetLength(certificate->_normalizedSubject);
#include <AssertMacros.h>
#include <syslog.h>
+#include <dlfcn.h>
#include <Security/SecTrustedApplication.h>
#include <Security/SecTrustedApplicationPriv.h>
#include <Security/SecCodePriv.h>
#include <Security/SecRequirement.h>
+#include <login/SessionAgentCom.h>
+#include <login/SessionAgentStatusCom.h>
+
+
const uint8_t kUUIDStringLength = 36;
OSStatus SecItemAdd_osx(CFDictionaryRef attributes, CFTypeRef *result);
CFDictionaryAddValue(query, kSecMatchSearchList, combinedSearchList);
CFRelease(combinedSearchList);
}
- CFDictionaryAddValue(query, kSecAttrSubject, normalizedIssuer);
- /* Get all certificates matching our query. */
CFTypeRef results = NULL;
- status = SecItemCopyMatching_osx(query, &results);
+ if (normalizedIssuer) {
+ /* Look up certs whose subject is the same as this cert's issuer. */
+ CFDictionaryAddValue(query, kSecAttrSubject, normalizedIssuer);
+ status = SecItemCopyMatching_osx(query, &results);
+ }
+ else {
+ /* Cannot match anything without an issuer! */
+ status = errSecItemNotFound;
+ }
+
if ((status != errSecSuccess) && (status != errSecItemNotFound)) {
secitemlog(LOG_WARNING, "SecItemCopyParentCertificates: %d", (int)status);
}
}
}
+static bool
+ShouldTryUnlockKeybag(OSErr status)
+{
+ static typeof(SASSessionStateForUser) *soft_SASSessionStateForUser = NULL;
+ static dispatch_once_t onceToken;
+ static void *framework;
+
+ if (status != errSecInteractionNotAllowed)
+ return false;
+
+ dispatch_once(&onceToken, ^{
+ framework = dlopen("/System/Library/PrivateFrameworks/login.framework/login", RTLD_LAZY);
+ if (framework == NULL)
+ return;
+ soft_SASSessionStateForUser = (typeof(soft_SASSessionStateForUser)) dlsym(framework, "SASSessionStateForUser");
+ });
+
+ if (soft_SASSessionStateForUser == NULL)
+ return false;
+
+ SessionAgentState sessionState = soft_SASSessionStateForUser(getuid());
+ if(sessionState != kSA_state_desktopshowing)
+ return false;
+
+ return true;
+}
+
OSStatus
SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
{
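Review bot: ShouldTryUnlockKeybag declares its parameter as `OSErr`, a 16-bit type, while the visible call sites pass `OSStatus` values. The implicit narrowing means an unrelated 32-bit status whose low 16 bits equal `errSecInteractionNotAllowed` would be treated as a locked keybag and could trigger the unlock prompt. The signature should be `static bool ShouldTryUnlockKeybag(OSStatus status)`. A comment above the function would also help, stating that the prompt is allowed only when the session state is `kSA_state_desktopshowing`, and that the function returns false when login.framework or the symbol cannot be loaded.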
}
else {
status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios);
- if(status_ios == errSecInteractionNotAllowed) {
+ if(ShouldTryUnlockKeybag(status_ios)) {
// The keybag is locked. Attempt to unlock it...
- if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) {
+ secitemlog(LOG_WARNING, "SecItemCopyMatching triggering SecurityAgent");
+ if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
CFReleaseNull(result_ios);
status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios);
}
status = errSecParam;
} else {
status = SecItemAdd_ios(attrs_ios, &result_ios);
- if(status == errSecInteractionNotAllowed) {
+ if(ShouldTryUnlockKeybag(status)) {
// The keybag is locked. Attempt to unlock it...
+ secitemlog(LOG_WARNING, "SecItemAdd triggering SecurityAgent");
if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) {
CFReleaseNull(result_ios);
status = SecItemAdd_ios(attrs_ios, &result_ios);
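Review bot: The SecItemAdd retry still calls `SecKeychainVerifyKeyStorePassphrase(3)`, while the SecItemCopyMatching, SecItemUpdate and SecItemUpdateTokenItems paths in this commit were all changed to pass `1`. If the argument is the number of prompt attempts (an assumption, since the function is not shown), this looks like an oversight and the line should read `if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {`. If the difference is deliberate, a comment saying why would stop it being normalised later. The enclosing function starts and ends outside the hunk.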
else {
if (SecItemHasSynchronizableUpdate(true, attributesToUpdate)) {
status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false);
- if(status_ios == errSecInteractionNotAllowed) {
+ if(ShouldTryUnlockKeybag(status_ios)) {
// The keybag is locked. Attempt to unlock it...
- if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) {
+ secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent");
+ if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false);
}
}
} else {
status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate);
- if(status_ios == errSecInteractionNotAllowed) {
+ if(ShouldTryUnlockKeybag(status_ios)) {
// The keybag is locked. Attempt to unlock it...
- if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) {
+ secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent");
+ if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate);
}
}
status_ios = errSecParam;
} else {
status_ios = SecItemDelete_ios(attrs_ios);
- if(status_ios == errSecInteractionNotAllowed) {
- // The keybag is locked. Attempt to unlock it...
- if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) {
- status_ios = SecItemDelete_ios(attrs_ios);
- }
- }
CFRelease(attrs_ios);
}
secitemlog(LOG_NOTICE, "SecItemDelete_ios result: %d", status_ios);
SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes)
{
OSStatus status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes);
- if(status == errSecInteractionNotAllowed) {
+ if(ShouldTryUnlockKeybag(status)) {
// The keybag is locked. Attempt to unlock it...
- if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) {
+ if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {
+ secitemlog(LOG_WARNING, "SecItemUpdateTokenItems triggering SecurityAgent");
status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes);
}
}
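Review bot: In SecItemUpdateTokenItems the new `secitemlog(LOG_WARNING, "SecItemUpdateTokenItems triggering SecurityAgent")` sits inside the success branch, so it is written only after the passphrase check has already succeeded and never when the prompt is cancelled or fails. The other call sites changed in this commit log before calling SecKeychainVerifyKeyStorePassphrase, which is what makes the message useful for tracing which API caused a prompt. Move the `secitemlog` line above `if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) {`. The function continues outside the hunk.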
SecCDSAKeyInit(SecKeyRef key, const uint8_t *keyData, CFIndex keyDataLength, SecKeyEncoding encoding) {
key->key = const_cast<KeyItem *>(reinterpret_cast<const KeyItem *>(keyData));
key->key->initializeWithSecKeyRef(key);
+ key->credentialType = kSecCredentialTypeDefault;
return errSecSuccess;
}
static KeyItem *SecCDSAKeyPrepareParameters(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm,
CSSM_ALGORITHMS &baseAlgorithm, CSSM_ALGORITHMS &secondaryAlgorithm,
- CSSM_ALGORITHMS &paddingAlgorithm) {
+ CSSM_ALGORITHMS &paddingAlgorithm, CFIndex &inputSizeLimit) {
KeyItem *keyItem = key->key;
CSSM_KEYCLASS keyClass = keyItem->key()->header().keyClass();
baseAlgorithm = keyItem->key()->header().algorithm();
if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureRaw)) {
secondaryAlgorithm = CSSM_ALGID_NONE;
paddingAlgorithm = CSSM_PADDING_NONE;
+ inputSizeLimit = 0;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw)) {
secondaryAlgorithm = CSSM_ALGID_NONE;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = -11;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1)) {
secondaryAlgorithm = CSSM_ALGID_SHA1;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = 20;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224)) {
secondaryAlgorithm = CSSM_ALGID_SHA224;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = 224 / 8;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256)) {
secondaryAlgorithm = CSSM_ALGID_SHA256;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = 256 / 8;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384)) {
secondaryAlgorithm = CSSM_ALGID_SHA384;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = 384 / 8;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512)) {
secondaryAlgorithm = CSSM_ALGID_SHA512;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = 512 / 8;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5)) {
secondaryAlgorithm = CSSM_ALGID_MD5;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = 16;
} else {
return NULL;
}
if (CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionRaw)) {
secondaryAlgorithm = CSSM_ALGID_NONE;
paddingAlgorithm = CSSM_PADDING_NONE;
+ inputSizeLimit = 0;
} else if (CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionPKCS1)) {
secondaryAlgorithm = CSSM_ALGID_NONE;
paddingAlgorithm = CSSM_PADDING_PKCS1;
+ inputSizeLimit = operation == kSecKeyOperationTypeEncrypt ? -11 : 0;
} else {
return NULL;
}
CFArrayRef allAlgorithms, SecKeyOperationMode mode,
CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
BEGIN_SECKEYAPI(CFTypeRef, kCFNull)
+ CFIndex inputSizeLimit = 0;
CSSM_ALGORITHMS baseAlgorithm, secondaryAlgorithm, paddingAlgorithm;
- KeyItem *keyItem = SecCDSAKeyPrepareParameters(key, operation, algorithm, baseAlgorithm, secondaryAlgorithm, paddingAlgorithm);
+ KeyItem *keyItem = SecCDSAKeyPrepareParameters(key, operation, algorithm, baseAlgorithm, secondaryAlgorithm, paddingAlgorithm, inputSizeLimit);
if (keyItem == NULL) {
// Operation/algorithm/key combination is not supported.
return kCFNull;
} else if (mode == kSecKeyOperationModeCheckIfSupported) {
// Operation is supported and caller wants to just know that.
return kCFBooleanTrue;
+ } else if (baseAlgorithm == CSSM_ALGID_RSA) {
+ if (inputSizeLimit <= 0) {
+ inputSizeLimit += SecCDSAKeyGetBlockSize(key);
+ }
+ if (CFDataGetLength((CFDataRef)in1) > inputSizeLimit) {
+ MacOSError::throwMe(errSecParam);
+ }
}
switch (operation) {
case kSecKeyOperationTypeSign: {
CssmClient::Sign signContext(keyItem->csp(), baseAlgorithm, secondaryAlgorithm);
signContext.key(keyItem->key());
- signContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_SIGN, kSecCredentialTypeDefault));
+ signContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_SIGN, key->credentialType));
signContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlgorithm);
CFRef<CFDataRef> input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef<CFDataRef>::check(in1, errSecParam), algorithm);
CssmAutoData signature(signContext.allocator());
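Review bot: The new RSA size check calls `CFDataGetLength((CFDataRef)in1)` on a plain cast, before any of the `CFRef<CFDataRef>::check(in1, errSecParam)` validations in the operation cases have run. A NULL or non-CFData `in1` therefore reaches CFDataGetLength instead of producing `errSecParam`. Use the checked form here as well: `if (CFDataGetLength(CFRef<CFDataRef>::check(in1, errSecParam)) > inputSizeLimit) {`. A comment where `inputSizeLimit` is filled in would also help, explaining that a positive value is an absolute byte limit and zero or a negative value is an offset from the key block size, `-11` presumably being the PKCS#1 v1.5 padding overhead. The function continues outside the hunk.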
case kSecKeyOperationTypeVerify: {
CssmClient::Verify verifyContext(keyItem->csp(), baseAlgorithm, secondaryAlgorithm);
verifyContext.key(keyItem->key());
- verifyContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ANY, kSecCredentialTypeDefault));
+ verifyContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ANY, key->credentialType));
verifyContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlgorithm);
CFRef<CFDataRef> input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef<CFDataRef>::check(in1, errSecParam), algorithm);
verifyContext.verify(CssmData(CFDataRef(input)), CssmData(CFRef<CFDataRef>::check(in2, errSecParam)));
CssmClient::Encrypt encryptContext(keyItem->csp(), baseAlgorithm);
encryptContext.key(keyItem->key());
encryptContext.padding(paddingAlgorithm);
- encryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ENCRYPT, kSecCredentialTypeDefault));
+ encryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ENCRYPT, key->credentialType));
CFRef<CFDataRef> input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef<CFDataRef>::check(in1, errSecParam), algorithm);
CssmAutoData output(encryptContext.allocator()), remainingData(encryptContext.allocator());
size_t length = encryptContext.encrypt(CssmData(CFDataRef(input)), output.get(), remainingData.get());
CssmClient::Decrypt decryptContext(keyItem->csp(), baseAlgorithm);
decryptContext.key(keyItem->key());
decryptContext.padding(paddingAlgorithm);
- decryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_DECRYPT, kSecCredentialTypeDefault));
+ decryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_DECRYPT, key->credentialType));
CssmAutoData output(decryptContext.allocator()), remainingData(decryptContext.allocator());
size_t length = decryptContext.decrypt(CssmData(CFRef<CFDataRef>::check(in1, errSecParam)),
output.get(), remainingData.get());
END_SECKEYAPI
}
-static Boolean SecCDSAIsEqual(SecKeyRef key1, SecKeyRef key2) {
+static Boolean SecCDSAKeyIsEqual(SecKeyRef key1, SecKeyRef key2) {
CFErrorRef *error;
BEGIN_SECKEYAPI(Boolean, false)
END_SECKEYAPI
}
+static Boolean SecCDSAKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
+ BEGIN_SECKEYAPI(Boolean, false)
+
+ if (CFEqual(name, kSecUseAuthenticationUI)) {
+ key->credentialType = CFEqual(value, kSecUseAuthenticationUIAllow) ? kSecCredentialTypeDefault : kSecCredentialTypeNoUI;
+ result = true;
+ } else {
+ result = SecError(errSecUnimplemented, error, CFSTR("Unsupported parameter '%@' for SecKeyCDSASetParameter"), name);
+ }
+
+ END_SECKEYAPI
+}
+
const SecKeyDescriptor kSecCDSAKeyDescriptor = {
.version = kSecKeyDescriptorVersion,
.name = "CDSAKey",
.copyExternalRepresentation = SecCDSAKeyCopyExternalRepresentation,
.copyPublicKey = SecCDSAKeyCopyPublicKey,
.copyOperationResult = SecCDSAKeyCopyOperationResult,
- .isEqual = SecCDSAIsEqual,
+ .isEqual = SecCDSAKeyIsEqual,
+ .setParameter = SecCDSAKeySetParameter,
};
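Review bot: SecCDSAKeySetParameter passes `value` straight to `CFEqual`, so a NULL value for `kSecUseAuthenticationUI` would crash rather than return an error. Any unrecognised value silently selects `kSecCredentialTypeNoUI`, which is the safe direction but should be stated explicitly. Check `value` for NULL before the comparison and add a comment above the assignment such as `// anything other than Allow (Fail, Skip, unknown) suppresses the authentication UI`.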
namespace Security {
typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key);
typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2);
typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key);
+typedef Boolean (*SecKeySetParameterMethod)(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error);
/*!
@abstract Performs cryptographic operation with the key.
SecKeyCopyOperationResultMethod copyOperationResult;
SecKeyIsEqualMethod isEqual;
SecKeyCreateDuplicateMethod createDuplicate;
+ SecKeySetParameterMethod setParameter;
#endif
} SecKeyDescriptor;
@param error Error which gathers more information when something went wrong.
@discussion Serves as channel between SecKey client and backend for passing additional sideband data send from SecKey caller
- to SecKey implementation backend (currently only CTK-based token backend is supported). Parameter names and types are
- a contract between SecKey user (application) and backend and are not interpreted by SecKey layer in any way.
+ to SecKey implementation backend. Parameter names and types are either generic kSecUse*** attributes or are a contract between
+ SecKey user (application) and backend and in this case are not interpreted by SecKey layer in any way.
*/
Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
}
catch (CommonError &e)
{
+ secnotice("KCLogin", "SecKeychainLogin failed: %d, password was%s supplied", (int)e.osStatus(), password?"":" not");
if (e.osStatus() == CSSMERR_DL_OPERATION_AUTH_DENIED)
{
return errSecAuthFailed;
return e.osStatus();
}
}
-
+
+ catch (...) {
+ __secapiresult=errSecInternalComponent;
+ }
+ secnotice("KCLogin", "SecKeychainLogin result: %d, password was%s supplied", (int)__secapiresult, password?"":" not");
+
END_SECAPI
}
AuthorizationRef authorizationRef;
result = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authorizationRef);
if (result != errAuthorizationSuccess) {
- secinfo("SecKeychain", "failed to create authorization");
+ secnotice("SecKeychain", "failed to create authorization");
return result;
}
UInt32 pathLength = PATH_MAX;
result = SecKeychainGetPath(userKeychain, &pathLength, pathName);
if (result != errSecSuccess) {
- secinfo("SecKeychain", "Failed to get kc path: %d", (int) result);
+ secnotice("SecKeychain", "failed to create authorization");
return result;
}
Boolean checkPwd = TRUE;
+ Boolean ignoreSession = TRUE;
AuthorizationItem envItems[] = {
{AGENT_HINT_KEYCHAIN_PATH, pathLength, pathName, 0},
- {AGENT_HINT_KEYCHAIN_CHECK, sizeof(checkPwd), &checkPwd}
+ {AGENT_HINT_KEYCHAIN_CHECK, sizeof(checkPwd), &checkPwd},
+ {AGENT_HINT_IGNORE_SESSION, sizeof(ignoreSession), &ignoreSession}
};
- AuthorizationEnvironment environment = {2, envItems};
+ AuthorizationEnvironment environment = {3, envItems};
AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;
result = AuthorizationCopyRights(authorizationRef, &myRights, &environment, flags, &authorizedRights);
if (authorizedRights)
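Review bot: The replacement log line for a failed SecKeychainGetPath now reads "failed to create authorization", which is the message of the AuthorizationCreate failure just above it, and it drops the status code the old line printed. Anyone triaging from logs would be pointed at the wrong call. It should be `secnotice("SecKeychain", "failed to get kc path: %d", (int) result);`. The enclosing function starts and ends outside the hunk.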
}
AuthorizationFree(authorizationRef, kAuthorizationFlagDefaults);
if (result != errAuthorizationSuccess) {
- secinfo("SecKeychain", "did not get authorization to pair the card");
+ secnotice("SecKeychain", "did not get authorization to pair the card");
return result;
}
} else {
}
if (!pwd) {
- secinfo("SecKeychain", "did not get kcpass");
+ secnotice("SecKeychain", "did not get kcpass");
return errSecInternalComponent;
}
* MARK: CFRunloop
*/
-static OSStatus SecLegacySourceChanged(__unused SecKeychainEvent keychainEvent, __unused SecKeychainCallbackInfo *info, __unused void *context) {
+static OSStatus SecLegacySourceChanged(SecKeychainEvent keychainEvent, SecKeychainCallbackInfo *info, __unused void *context) {
+ if (keychainEvent == kSecAddEvent || keychainEvent == kSecDeleteEvent || keychainEvent == kSecUpdateEvent) {
+ /* We don't need to purge the cache if the item changed wasn't a cert */
+ SecKeychainItemRef item = info->item;
+ if (item && CFGetTypeID(item) != SecCertificateGetTypeID()) {
+ return 0;
+ }
+ }
// Purge keychain parent cache
SecItemParentCachePurge();
// Purge unrestricted roots cache
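Review bot: The new filter in SecLegacySourceChanged reads `info->item` without checking `info`, a parameter this callback previously ignored (`__unused`). If the event machinery can ever deliver a NULL `info` for add, delete or update events, this now crashes before the caches are purged. Use `SecKeychainItemRef item = info ? info->item : NULL;` so that case falls through to the purge as before. The early `return 0` also skips the unrestricted-roots purge below, so the comment should say that both caches are certificate-only.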
#include <vector>
#include <CommonCrypto/CommonDigest.h>
#include <CoreFoundation/CFPreferences.h>
+#include <utilities/SecCFRelease.h>
#define trustSettingsDbg(args...) secinfo("trustSettings", ## args)
}
static CFArrayRef gUserAdminCerts = NULL;
+static bool gUserAdminCertsCacheBuilt = false;
static ReadWriteLock gUserAdminCertsLock;
void SecTrustSettingsPurgeUserAdminCertsCache(void) {
StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write);
- if (gUserAdminCerts) {
- CFRelease(gUserAdminCerts);
- gUserAdminCerts = NULL;
- }
+ CFReleaseNull(gUserAdminCerts);
+ gUserAdminCertsCacheBuilt = false;
}
OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains(
- CFArrayRef *certArray)
+ CFArrayRef *certArray)
{
TS_REQUIRED(certArray);
OSStatus result = errSecSuccess;
- { /* Only hold the lock for the check */
+ { /* Hold the read lock for the check */
StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Read);
- if (gUserAdminCerts) {
- *certArray = (CFArrayRef)CFRetain(gUserAdminCerts);
- return errSecSuccess;
+ if (gUserAdminCertsCacheBuilt) {
+ if (gUserAdminCerts) {
+ *certArray = (CFArrayRef)CFRetain(gUserAdminCerts);
+ return errSecSuccess;
+ } else {
+ return errSecNoTrustSettings;
+ }
}
}
+ /* There were no cached results. We'll have to recreate them. */
CFMutableArrayRef outArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
if (!outArray) {
return errSecAllocate;
CFRelease(adminTrusted);
}
- /* Lack of trust settings for a domain results in an error. Only fail
+ /* Lack of trust settings for a domain results in an error above. Only fail
* if we weren't able to get trust settings for both domains. */
if (userStatus != errSecSuccess && adminStatus != errSecSuccess) {
result = userStatus;
*certArray = outArray;
- if (certArray && *certArray) {
+ /* For valid results, update the global cache */
+ if (result == errSecSuccess || result == errSecNoTrustSettings) {
StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write);
- if (!gUserAdminCerts) {
- gUserAdminCerts = (CFArrayRef)CFRetain(*certArray);
- }
+ CFReleaseNull(gUserAdminCerts);
+ gUserAdminCerts = (CFArrayRef)CFRetainSafe(outArray);
+ gUserAdminCertsCacheBuilt = true;
}
return result;
#include <Security/AuthorizationTagsPriv.h>
#include <Security/SecTask.h>
#include <security_keychain/SecCFTypes.h>
+#include <Security/SecCFAllocator.h>
#include "TrustSettingsSchema.h"
#include <security_cdsa_client/wrapkey.h>
#include <securityd_client/ssblob.h>
if (!dLDbIdentifier)
return Keychain();
- DLDbIdentifier dldbi = mungeDLDbIdentifier(dLDbIdentifier, false);
+ KeychainMap::iterator it = mKeychainMap.end();
- KeychainMap::iterator it = mKeychainMap.find(dldbi);
- if (it != mKeychainMap.end())
- {
+ // If we have a keychain object for the munged keychain, return that.
+ // Don't hit the filesystem to check file status if we've already done that work...
+ DLDbIdentifier munge_dldbi = forceMungeDLDbIDentifier(dLDbIdentifier);
+ it = mKeychainMap.find(munge_dldbi);
+ if (it != mKeychainMap.end()) {
return it->second;
- }
+ }
// If we have a keychain object for the un/demunged keychain, return that.
- // We might be in the middle of an upgrade...
+ // We might be in the middle of an upgrade, where the -db file exists as a bit-perfect copy of the original file.
DLDbIdentifier demunge_dldbi = demungeDLDbIdentifier(dLDbIdentifier);
it = mKeychainMap.find(demunge_dldbi);
if (it != mKeychainMap.end()) {
- secnotice("integrity", "returning unmunged keychain ref");
return it->second;
}
+ // Okay, we haven't seen this keychain before. Do the full process...
+ DLDbIdentifier dldbi = mungeDLDbIdentifier(dLDbIdentifier, false);
+ it = mKeychainMap.find(dldbi); // Almost certain not to find it here
+ if (it != mKeychainMap.end())
+ {
+ return it->second;
+ }
+
if (gServerMode) {
secnotice("servermode", "keychain reference in server mode");
return Keychain();
string pathdb = makeKeychainDbFilename(path);
struct stat st;
- int stat_result;
- stat_result = ::stat(path.c_str(), &st);
- bool path_exists = (stat_result == 0);
- stat_result = ::stat(pathdb.c_str(), &st);
- bool pathdb_exists = (stat_result == 0);
+ int path_stat_err = 0;
+ bool path_exists = (::stat(path.c_str(), &st) == 0);
+ if(!path_exists) {
+ path_stat_err = errno;
+ }
+
+ int pathdb_stat_err = 0;
+ bool pathdb_exists = (::stat(pathdb.c_str(), &st) == 0);
+ if(!pathdb_exists) {
+ pathdb_stat_err = errno;
+ }
// If protections are off, don't change the requested filename.
// If protictions are on and the -db file exists, always use it.
bool switchPaths = shouldCreateProtected && (pathdb_exists || (!pathdb_exists && !path_exists) || isReset);
if(switchPaths) {
- secnotice("integrity", "switching to keychain-db: %s from %s (%d %d %d %d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, pathdb_exists);
+ secinfo("integrity", "switching to keychain-db: %s from %s (%d %d %d_%d %d_%d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, path_stat_err, pathdb_exists, pathdb_stat_err);
path = pathdb;
} else {
- secnotice("integrity", "not switching: %s from %s (%d %d %d %d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, pathdb_exists);
+ secinfo("integrity", "not switching: %s from %s (%d %d %d_%d %d_%d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, path_stat_err, pathdb_exists, pathdb_stat_err);
}
- } else {
- secnotice("integrity", "not switching as we're not in ~/Library/Keychains/: %s (%d)", path.c_str(), isReset);
}
DLDbIdentifier id(dLDbIdentifier.ssuid(), path.c_str(), dLDbIdentifier.dbLocation());
return id;
}
+DLDbIdentifier
+StorageManager::forceMungeDLDbIDentifier(const DLDbIdentifier& dLDbIdentifier) {
+ if(!dLDbIdentifier.dbName() || dLDbIdentifier.mImpl == NULL) {
+ return dLDbIdentifier;
+ }
+
+ string path = dLDbIdentifier.dbName();
+ string pathdb = makeKeychainDbFilename(path);
+
+ DLDbIdentifier id(dLDbIdentifier.ssuid(), pathdb.c_str(), dLDbIdentifier.dbLocation());
+ return id;
+}
+
DLDbIdentifier
StorageManager::demungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier) {
if(dLDbIdentifier.dbName() == NULL) {
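Review bot: `forceMungeDLDbIDentifier` is spelled with a capital D in `IDentifier`, unlike the neighbouring `mungeDLDbIdentifier` and `demungeDLDbIdentifier`, and `loginKeychainDLDbIdentifer`, added in a later hunk, drops an `i`. Both are easy to mistype at call sites and worth fixing before they spread. The new function also has no comment. Something like `// Returns the -db form of the identifier without checking the filesystem; intended for cache lookups only` would make clear how it differs from `mungeDLDbIdentifier`. Its guard calls `dbName()` before testing `mImpl == NULL`, so if `dbName()` dereferences `mImpl` (not visible here) the two tests should be swapped.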
if(kcImpl->mCacheTimer) {
// Update the cache timer to be seconds from now
dispatch_source_set_timer(kcImpl->mCacheTimer, dispatch_time(DISPATCH_TIME_NOW, seconds * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, NSEC_PER_SEC/2);
+ secdebug("keychain", "updating cache on %p %s", kcImpl, kcImpl->name());
// We've added an extra retain to this keychain right before invoking this block. Release it.
CFRelease(kcHandle);
// No cache timer; make one.
kcImpl->mCacheTimer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, release_queue);
dispatch_source_set_timer(kcImpl->mCacheTimer, dispatch_time(DISPATCH_TIME_NOW, seconds * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, NSEC_PER_SEC/2);
+ secdebug("keychain", "taking cache on %p %s", kcImpl, kcImpl->name());
dispatch_source_set_event_handler(kcImpl->mCacheTimer, ^{
+ secdebug("keychain", "releasing cache on %p %s", kcImpl, kcImpl->name());
dispatch_source_cancel(kcImpl->mCacheTimer);
dispatch_release(kcImpl->mCacheTimer);
kcImpl->mCacheTimer = NULL;
MacOSError::throwMe(errSecNoSuchKeychain);
}
+DLDbIdentifier
+StorageManager::loginKeychainDLDbIdentifer()
+{
+ StLock<Mutex>_(mMutex);
+ DLDbIdentifier loginDLDbIdentifier(mSavedList.loginDLDbIdentifier());
+ return mungeDLDbIdentifier(loginDLDbIdentifier, false);
+}
+
void
StorageManager::loginKeychain(Keychain keychain)
{
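Review bot: The new public method name `loginKeychainDLDbIdentifer` is misspelled (it drops the second "i" of "Identifier"), and the matching declaration makes that spelling part of the class interface. The other helper added by this commit, `forceMungeDLDbIDentifier`, capitalises "IDentifier" differently from the existing `mungeDLDbIdentifier` and `demungeDLDbIdentifier`. I would rename both before callers accumulate: `loginKeychainDLDbIdentifier()` and `forceMungeDLDbIdentifier(...)`. A one-line comment on the definition saying that it takes `mMutex` and returns the munged (possibly "-db") path would also help, since `resetKeychain` calls it while already holding that lock.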
}
}
-void StorageManager::renameUnique(Keychain keychain, CFStringRef newName, bool appendDbSuffix)
+// If you pass NULL as the keychain, you must pass an oldName.
+void StorageManager::renameUnique(Keychain keychain, CFStringRef oldName, CFStringRef newName, bool appendDbSuffix)
{
StLock<Mutex>_(mMutex);
struct stat filebuf;
if ( lstat(toUseBuff2, &filebuf) )
{
- rename(keychain, toUseBuff2);
- KeychainList kcList;
- kcList.push_back(keychain);
- remove(kcList, false);
+ if(keychain) {
+ rename(keychain, toUseBuff2);
+ KeychainList kcList;
+ kcList.push_back(keychain);
+ remove(kcList, false);
+ } else {
+ // We don't have a Keychain object, so force the rename here if possible
+ char oldNameCString[MAXPATHLEN];
+ if ( CFStringGetCString(oldName, oldNameCString, MAXPATHLEN, kCFStringEncodingUTF8) ) {
+ int result = ::rename(oldNameCString, toUseBuff2);
+ secnotice("KClogin", "keychain force rename to %s: %d %d", newNameCString, result, (result == 0) ? 0 : errno);
+ if(result != 0) {
+ UnixError::throwMe(errno);
+ }
+ } else {
+ secnotice("KClogin", "path is wrong, quitting");
+ }
+ }
doneCreating = true;
}
else
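Review bot: In the new `else` branch for a NULL `keychain`, a failed `CFStringGetCString(oldName, ...)` only logs "path is wrong, quitting" and then falls through to `doneCreating = true`, so the caller is told the old file was moved aside when nothing was renamed. That branch should fail the same way the `::rename` error does, e.g. `MacOSError::throwMe(errSecParam);`. It should also reject a NULL `oldName` up front, because the comment requires one but nothing enforces it. Separately, `errno` is read again after `secnotice(...)` has run, and logging may overwrite it; capture it once with `int err = (result == 0) ? 0 : errno;` and use `err` for both the log line and `UnixError::throwMe(err)`. The function body starts and ends outside this hunk, so `newNameCString` and the enclosing loop are not visible here.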
}
}
- // if login.keychain does not exist at this point, create it
- if (!loginKeychainExists || (isReset && !loginKeychainDbExists)) {
+ // is it token login?
+ CFRef<CFDictionaryRef> tokenLoginContext;
+ CFRef<CFStringRef> smartCardPassword;
+ OSStatus tokenContextStatus = TokenLoginGetContext(password, passwordLength, tokenLoginContext.take());
+ // if login.keychain does not exist at this point, create it
+ if (!loginKeychainExists || (isReset && !loginKeychainDbExists)) {
+ // when we creating new KC and user is logged using token (i.e. smart card), we have to get
+ // the password for that account first
+ if (tokenContextStatus == errSecSuccess) {
+ secnotice("KCLogin", "Going to create login keychain for sc login");
+ AuthorizationRef authRef;
+ OSStatus status = AuthorizationCreate(NULL, NULL, 0, &authRef);
+ if (status == errSecSuccess) {
+ AuthorizationItem right = { "com.apple.builtin.sc-kc-new-passphrase", 0, NULL, 0 };
+ AuthorizationItemSet rightSet = { 1, &right };
+
+ uint32_t reason, tries;
+ reason = 0;
+ tries = 0;
+ AuthorizationItem envRights[] = {
+ { AGENT_HINT_RETRY_REASON, sizeof(reason), &reason, 0 },
+ { AGENT_HINT_TRIES, sizeof(tries), &tries, 0 }};
+
+ AuthorizationItemSet envSet = { sizeof(envRights) / sizeof(*envRights), envRights };
+ status = AuthorizationCopyRights(authRef, &rightSet, &envSet, kAuthorizationFlagDefaults|kAuthorizationFlagInteractionAllowed|kAuthorizationFlagExtendRights, NULL);
+ if (status == errSecSuccess) {
+ AuthorizationItemSet *returnedInfo;
+ status = AuthorizationCopyInfo(authRef, NULL, &returnedInfo);
+ if (status == errSecSuccess) {
+ if (returnedInfo && (returnedInfo->count > 0)) {
+ for (uint32_t index = 0; index < returnedInfo->count; index++) {
+ AuthorizationItem &item = returnedInfo->items[index];
+ if (!strcmp(AGENT_PASSWORD, item.name)) {
+ CFIndex len = item.valueLength;
+ if (len) {
+ secnotice("KCLogin", "User entered pwd");
+ smartCardPassword = CFStringCreateWithBytes(SecCFAllocatorZeroize(), (UInt8 *)item.value, (CFIndex)len, kCFStringEncodingUTF8, TRUE);
+ memset(item.value, 0, len);
+ }
+ }
+ }
+ }
+ }
+ AuthorizationFreeItemSet(returnedInfo);
+ }
+ AuthorizationFree(authRef, 0);
+ }
+ }
+
// but don't add it to the search list yet; we'll do that later
Keychain theKeychain = makeKeychain(loginDLDbIdentifier, false, true);
- secnotice("KCLogin", "Creating login keychain %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
- theKeychain->create(passwordLength, password);
+ secnotice("KCLogin", "Creating login keychain %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
+ if (tokenContextStatus == errSecSuccess) {
+ if (smartCardPassword.get()) {
+ CFIndex length = CFStringGetLength(smartCardPassword);
+ CFIndex maxSize = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1;
+ char *buffer = (char *)malloc(maxSize);
+ if (CFStringGetCString(smartCardPassword, buffer, maxSize, kCFStringEncodingUTF8)) {
+ secnotice("KCLogin", "Keychain is created using password provided by sc user");
+ theKeychain->create((UInt32)strlen(buffer), buffer);
+ memset(buffer, 0, maxSize);
+ } else {
+ secnotice("KCLogin", "Conversion failed");
+ MacOSError::throwMe(errSecNotAvailable);
+ }
+ } else {
+ secnotice("KCLogin", "User did not provide kc password");
+ MacOSError::throwMe(errSecNotAvailable);
+ }
+ } else {
+ theKeychain->create(passwordLength, password);
+ }
secnotice("KCLogin", "Login keychain created successfully");
loginKeychainExists = true;
// Set the prefs for this new login keychain.
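Review bot: `returnedInfo` is declared without an initialiser and `AuthorizationFreeItemSet(returnedInfo)` runs whenever `AuthorizationCopyRights` succeeds, including when `AuthorizationCopyInfo` fails, so it can free an indeterminate pointer. Declare it as `AuthorizationItemSet *returnedInfo = NULL;` and free it only `if (returnedInfo)`. Further down, the `malloc(maxSize)` buffer that receives the smart-card user's password is never freed or checked for NULL. It is also not wiped when `CFStringGetCString` fails or when `theKeychain->create` throws, which leaves the plaintext password in heap memory. The block below wipes and frees it on every path; `memset_s` is used so the wipe is not optimised away before `free`. The enclosing function starts and ends outside this hunk.

```cpp
char *buffer = (char *)malloc(maxSize);
if (buffer == NULL) {
    MacOSError::throwMe(errSecAllocate);
}
bool converted = CFStringGetCString(smartCardPassword, buffer, maxSize, kCFStringEncodingUTF8);
try {
    if (converted) {
        secnotice("KCLogin", "Keychain is created using password provided by sc user");
        theKeychain->create((UInt32)strlen(buffer), buffer);
    }
} catch (...) {
    // wipe the plaintext password before letting the error propagate
    memset_s(buffer, maxSize, 0, maxSize);
    free(buffer);
    throw;
}
memset_s(buffer, maxSize, 0, maxSize);
free(buffer);
if (!converted) {
    secnotice("KCLogin", "Conversion failed");
    MacOSError::throwMe(errSecNotAvailable);
}
// … unchanged: the "User did not provide kc password" and non-token branches …
```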
}
}
- // is it token login?
- CFRef<CFDictionaryRef> tokenLoginContext;
- OSStatus status = TokenLoginGetContext(password, passwordLength, tokenLoginContext.take());
- if (!loginUnlocked || status == errSecSuccess) {
+ if (!loginUnlocked || tokenContextStatus == errSecSuccess) {
Keychain theKeychain(keychain(loginDLDbIdentifier));
bool tokenLoginDataUpdated = false;
CFRef<CFDictionaryRef> tokenLoginData;
if (tokenLoginContext) {
- status = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take());
+ OSStatus status = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take());
if (status != errSecSuccess) {
if (tokenLoginDataUpdated) {
loginResult = status;
}
// updating unlock key fails if it is not token login
secnotice("KCLogin", "Error %d, reconstructing unlock data", (int)status);
- status = TokenLoginUpdateUnlockData(tokenLoginContext);
+ status = TokenLoginUpdateUnlockData(tokenLoginContext, smartCardPassword);
if (status == errSecSuccess) {
loginResult = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take());
if (loginResult != errSecSuccess) {
// first try to unlock login keychain because if this fails, token keychain unlock fails as well
if (tokenLoginData) {
secnotice("KCLogin", "Going to unlock keybag using scBlob");
- status = TokenLoginUnlockKeybag(tokenLoginContext, tokenLoginData);
+ OSStatus status = TokenLoginUnlockKeybag(tokenLoginContext, tokenLoginData);
secnotice("KCLogin", "Keybag unlock result %d", (int)status);
if (status)
CssmError::throwMe(status); // to trigger login data regeneration
key.header().KeyAttr = 0;
CFRef<CFDataRef> tokenLoginUnlockKey;
if (tokenLoginData) {
- status = TokenLoginGetUnlockKey(tokenLoginContext, tokenLoginUnlockKey.take());
+ OSStatus status = TokenLoginGetUnlockKey(tokenLoginContext, tokenLoginUnlockKey.take());
if (status)
CssmError::throwMe(status); // to trigger login data regeneration
key.KeyData = CssmData(tokenLoginUnlockKey.get());
} catch (const CssmError &e) {
if (tokenLoginData && !tokenLoginDataUpdated) {
// token login unlock key was invalid
- loginResult = TokenLoginUpdateUnlockData(tokenLoginContext);
+ loginResult = TokenLoginUpdateUnlockData(tokenLoginContext, smartCardPassword);
if (loginResult == errSecSuccess) {
tokenLoginDataUpdated = true;
continue;
StLock<Mutex>_(mMutex);
// Clear the keychain search list.
+ Keychain keychain = NULL;
+ DLDbIdentifier dldbi;
try
{
if ( resetSearchList )
// Get a reference to the existing login keychain...
// If we don't have one, we throw (not requiring a rename).
//
- Keychain keychain = loginKeychain();
+ keychain = loginKeychain();
+ } catch(const CommonError& e) {
+ secnotice("KClogin", "Failed to open login keychain due to an error: %s", e.what());
+
+ // Set up fallback rename.
+ dldbi = loginKeychainDLDbIdentifer();
+
+ struct stat exists;
+ if(::stat(dldbi.dbName(), &exists) != 0) {
+ // no file exists, everything is fine
+ secnotice("KClogin", "no file exists; resetKeychain() is done");
+ return;
+ }
+ }
+
+ try{
//
// Rename the existing login.keychain (i.e. put it aside).
//
CFMutableStringRef newName = NULL;
newName = CFStringCreateMutable(NULL, 0);
CFStringRef currName = NULL;
- currName = CFStringCreateWithCString(NULL, keychain->name(), kCFStringEncodingUTF8);
+ if(keychain) {
+ currName = CFStringCreateWithCString(NULL, keychain->name(), kCFStringEncodingUTF8);
+ } else {
+ currName = CFStringCreateWithCString(NULL, dldbi.dbName(), kCFStringEncodingUTF8);
+ }
if ( newName && currName )
{
CFStringAppend(newName, currName);
CFStringAppend(newName, CFSTR(kKeychainRenamedSuffix)); // add "_renamed_"
try
{
- renameUnique(keychain, newName, hasDbSuffix);
+ secnotice("KClogin", "attempting keychain rename to %@", newName);
+ renameUnique(keychain, currName, newName, hasDbSuffix);
}
- catch(...)
+ catch(const CommonError& e)
{
// we need to release 'newName' & 'currName'
+ secnotice("KClogin", "Failed to renameUnique due to an error: %s", e.what());
+ }
+ catch(...)
+ {
+ secnotice("KClogin", "Failed to renameUnique due to an unknown error");
}
} // else, let the login call report a duplicate
+ else {
+ secnotice("KClogin", "don't have paths, quitting");
+ }
if ( newName )
CFRelease(newName);
if ( currName )
CFRelease(currName);
}
+ catch(const CommonError& e) {
+ secnotice("KClogin", "Failed to reset login keychain due to an error: %s", e.what());
+ }
catch(...)
{
// We either don't have a login keychain, or there was a
// failure to rename the existing one.
+ secnotice("KClogin", "Failed to reset keychain due to an unknown error");
}
}
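Review bot: In the new fallback after `loginKeychain()` throws, `::stat(dldbi.dbName(), &exists) != 0` treats every failure as "no file exists" and returns, so a permission or I/O error on an existing login keychain skips the rename and the reset silently does nothing. Only a missing file should be treated as done, `if(::stat(dldbi.dbName(), &exists) != 0 && errno == ENOENT) {`, and any other `errno` should be logged before the rename is attempted. `dbName()` can apparently be NULL (the new `forceMungeDLDbIDentifier` checks for it), so it should be checked before being passed to `::stat` and `CFStringCreateWithCString`. Also, the first `try` now catches only `CommonError`, so any other exception from `loginKeychain()` leaves the function instead of reaching the old `catch(...)`. The function begins outside this hunk.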
void setSearchList(SecPreferencesDomain domain, const KeychainList &keychainList);
void rename(Keychain keychain, const char* newName);
- void renameUnique(Keychain keychain, CFStringRef newName, bool appendDbSuffix);
+ void renameUnique(Keychain keychain, CFStringRef oldName, CFStringRef newName, bool appendDbSuffix);
// Iff keychainOrArray is NULL return the default KeychainList in keychainList otherwise
// if keychainOrArray is a CFArrayRef containing SecKeychainRef's convernt it to KeychainList,
void defaultKeychain(const Keychain &keychain);
Keychain loginKeychain();
+ DLDbIdentifier loginKeychainDLDbIdentifer();
+
void loginKeychain(Keychain keychain);
Keychain defaultKeychain(SecPreferencesDomain domain);
// Otherwise, leave it alone.
static DLDbIdentifier mungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier, bool isReset);
+ // Change the DLDbIdentifier to always use the pattern ending with "-db".
+ static DLDbIdentifier forceMungeDLDbIDentifier(const DLDbIdentifier& dLDbIdentifier);
+
// Due to compatibility requirements, we need the DLDbListCFPref lists to
// never see a ".keychain-db" filename. Call this function to give them what
// they need.
return errSecSuccess;
}
-OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context)
+OSStatus TokenLoginGetPin(CFDictionaryRef context, CFStringRef *pin)
+{
+ if (!pin || !context) {
+ return errSecParam;
+ }
+ *pin = getPin(context);
+
+ return errSecSuccess;
+}
+
+OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context, CFStringRef password)
{
if (!context) {
return errSecParam;
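Review bot: `TokenLoginGetPin` reports `errSecSuccess` even when `getPin(context)` yields NULL, and nothing states who owns the returned string. Since the value is a smart-card PIN, the header declaration should carry a comment saying whether the caller must release `*pin` or merely borrows it from `context`, and that `*pin` may be NULL on success. `getPin` is not visible here, so the ownership rule needs confirming against it. If a missing PIN is an error for callers, returning a distinct status such as `errSecItemNotFound` when `*pin == NULL` would make that explicit.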
return result;
}
- return SecKeychainStoreUnlockKeyWithPubKeyHash(getPubKeyHash(context), getTokenId(context), getPubKeyHashWrap(context), loginKeychain, NULL);
+ return SecKeychainStoreUnlockKeyWithPubKeyHash(getPubKeyHash(context), getTokenId(context), getPubKeyHashWrap(context), loginKeychain, password);
}
OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob)
OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64TokenLoginDataLength, CFDictionaryRef *context);
OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginData);
+OSStatus TokenLoginGetPin(CFDictionaryRef context, CFStringRef *pin);
OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob);
-OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context);
+OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context, CFStringRef password);
OSStatus TokenLoginStoreUnlockData(CFDictionaryRef context, CFDictionaryRef loginData);
OSStatus TokenLoginDeleteUnlockData(CFDataRef pubKeyHash);
CFRelease(certificate);
ok_status(SecKeychainDelete(keychain), "SecKeychainDelete");
- is(CFGetRetainCount(keychain), 1, "keychain retain count is 1");
+ cmp_ok(CFGetRetainCount(keychain), >=, 1, "keychain retain count is 1");
CFRelease(keychain);
}
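Review bot: The assertion message at `cmp_ok(CFGetRetainCount(keychain), >=, 1, "keychain retain count is 1")` still claims an exact count, although the check now accepts any count of one or more. The same stale wording appears in the later test hunk for `source` and `dest`. It should read `"keychain retain count is at least 1"`, matching the messages already updated in the next test. With the bound relaxed these checks can no longer catch an over-retain, so a short comment explaining why the count may now be higher would help; the keychain cache timer added elsewhere in this commit is presumably the cause.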
ok_status(SecKeychainItemFreeContent(&attrList, data), "SecKeychainItemCopyContent");
is(CFGetRetainCount(item), 1, "item retaincount is 1");
- is(CFGetRetainCount(keychain), 2, "keychain retaincount is 2");
+ cmp_ok(CFGetRetainCount(keychain), >=, 2, "keychain retaincount is at least 2");
CFRelease(item);
- is(CFGetRetainCount(keychain), 1, "keychain retaincount is 1");
+ cmp_ok(CFGetRetainCount(keychain), >=, 1, "keychain retaincount is at least 1");
ok_status(SecKeychainDelete(keychain), "delete keychain");
CFRelease(keychain);
}
};
unsigned int Test_7875801__Code_Signing__cer_len = 999;
-/* Test certificate for S/MIME policy (encrypt only, no sign), expires April 2026
+/* Test certificate for S/MIME policy (encrypt only, no sign), expires September 2026
*/
unsigned char Test_smime_encryptonly[]={
0x30, 0x82, 0x04, 0x07, 0x30, 0x82, 0x02, 0xef, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x02, 0xb8, 0x95, 0x23, 0x30,
0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30,
- 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
- 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f, 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04,
- 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
- 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
- 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12,
- 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x23,
+ 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
+ 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f, 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04,
+ 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+ 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x43, 0x41, 0x31, 0x10,
+ 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x14, 0x30, 0x12,
+ 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x23,
0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x14, 0x73, 0x6d, 0x69, 0x6d, 0x65,
0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31,
- 0x36, 0x30, 0x34, 0x30, 0x34, 0x32, 0x32, 0x32, 0x32, 0x33, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x32,
- 0x32, 0x32, 0x32, 0x32, 0x33, 0x36, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+ 0x36, 0x30, 0x39, 0x32, 0x30, 0x31, 0x32, 0x30, 0x32, 0x31, 0x33, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x39, 0x31, 0x38,
+ 0x31, 0x32, 0x30, 0x32, 0x31, 0x33, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f,
- 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c,
- 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, 0x6f,
- 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b,
- 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07,
- 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65,
+ 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b,
+ 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b,
+ 0x13, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b,
+ 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x14, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61,
0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
- 0x00, 0xc6, 0x5a, 0xe9, 0x94, 0x4a, 0x9e, 0x4d, 0x47, 0xa3, 0x9d, 0x06, 0xb3, 0xd5, 0x05, 0xad, 0x05, 0x71, 0xaf, 0x93,
- 0x42, 0x9d, 0x02, 0x58, 0x33, 0x30, 0xee, 0xcb, 0xe4, 0x96, 0x24, 0x4b, 0x35, 0x0b, 0x6a, 0x58, 0xd0, 0xe7, 0x13, 0x5b,
- 0xd5, 0xd3, 0xa1, 0x99, 0x55, 0xff, 0xe9, 0x3b, 0xe7, 0x20, 0x4e, 0x9e, 0x6b, 0xcd, 0x86, 0x47, 0xd7, 0xf6, 0x67, 0xc2,
- 0xde, 0x51, 0xbc, 0x58, 0xd8, 0xc8, 0xe1, 0xb6, 0x42, 0xc5, 0xe9, 0x9e, 0x65, 0x3a, 0x04, 0xab, 0x47, 0x1b, 0xc8, 0xfe,
- 0xb6, 0xb2, 0x47, 0x03, 0xc4, 0xa4, 0xb8, 0xaf, 0x31, 0xe7, 0x10, 0x7b, 0x4a, 0x4b, 0x29, 0x09, 0x91, 0xc2, 0xd2, 0x1f,
- 0x42, 0x9a, 0x77, 0xc2, 0x08, 0x98, 0x53, 0x32, 0x8f, 0x8c, 0xa7, 0x06, 0xa5, 0x05, 0x9e, 0xeb, 0xc9, 0x5b, 0x7a, 0x5c,
- 0xb3, 0xd7, 0x91, 0x6f, 0xea, 0xa1, 0x4f, 0x93, 0x9b, 0xa6, 0xf5, 0xdb, 0x32, 0x3b, 0x71, 0xfd, 0x07, 0xa4, 0x30, 0x30,
- 0x35, 0xfa, 0x6c, 0x77, 0x76, 0x98, 0x99, 0x3a, 0x19, 0xcd, 0x7c, 0x5d, 0xc5, 0x70, 0x86, 0xaf, 0xf9, 0x9e, 0xa1, 0x45,
- 0x5e, 0x6d, 0x03, 0x63, 0x3b, 0x4a, 0xcc, 0x14, 0xda, 0x75, 0xc2, 0xf1, 0x8f, 0x51, 0xd3, 0x80, 0x5f, 0xf7, 0x52, 0xd0,
- 0x04, 0x1b, 0x37, 0x6e, 0x3a, 0xfe, 0xcc, 0x5d, 0xba, 0xbe, 0x0f, 0x1a, 0xd8, 0x31, 0xd4, 0x7b, 0xf2, 0x20, 0x22, 0x56,
- 0xd1, 0x84, 0x8f, 0x12, 0x4a, 0x81, 0xa5, 0xeb, 0x7f, 0x8b, 0x4b, 0x21, 0x02, 0xeb, 0xb4, 0x6e, 0xb6, 0x3c, 0x3c, 0x15,
- 0x09, 0xa4, 0x79, 0x7c, 0x3e, 0x45, 0xf3, 0xe7, 0x84, 0x10, 0xc9, 0x45, 0x86, 0xd5, 0xda, 0x9e, 0xdf, 0x7d, 0x05, 0xcc,
- 0xdf, 0x1a, 0x30, 0x8f, 0xea, 0x57, 0x9a, 0x72, 0xb0, 0x58, 0x95, 0x6b, 0x9e, 0xe8, 0x94, 0xf2, 0x8d, 0x02, 0x03, 0x01,
+ 0x00, 0xd5, 0x9e, 0xf0, 0xe6, 0x4e, 0x8d, 0x1d, 0x0f, 0x62, 0x75, 0x1a, 0x5d, 0xd7, 0x19, 0x34, 0xf0, 0x27, 0xaf, 0x35,
+ 0xbb, 0x6d, 0xfe, 0x1b, 0xe5, 0xfd, 0xd5, 0x54, 0x77, 0x4a, 0x2f, 0x1d, 0x50, 0x51, 0xbb, 0x6e, 0x55, 0x9e, 0xfe, 0xcd,
+ 0x40, 0xe0, 0xe1, 0xa5, 0xfb, 0xef, 0x8c, 0x6b, 0x49, 0x7e, 0x73, 0x5c, 0x19, 0x44, 0xad, 0x50, 0xbc, 0x10, 0xf9, 0x66,
+ 0xcf, 0x17, 0xd4, 0x63, 0x8d, 0x6b, 0x4b, 0x61, 0x09, 0x5e, 0xe7, 0xf2, 0xbf, 0x20, 0x78, 0xf4, 0xe4, 0x71, 0x81, 0xba,
+ 0xb9, 0xb0, 0x0e, 0x8c, 0x58, 0xfd, 0x23, 0x67, 0x67, 0x38, 0x4b, 0xcd, 0x23, 0xb3, 0x76, 0x20, 0x51, 0x99, 0xb7, 0x7a,
+ 0xc4, 0x34, 0xd4, 0xca, 0x50, 0xc1, 0x16, 0x4d, 0xcf, 0x60, 0x3c, 0xc2, 0x29, 0x06, 0x9b, 0x48, 0x35, 0xdb, 0x7e, 0x1a,
+ 0xf8, 0x5d, 0x0e, 0x72, 0xa7, 0x01, 0x02, 0xb4, 0x26, 0x40, 0x81, 0xf3, 0xa8, 0x28, 0x0e, 0x53, 0x79, 0x55, 0x19, 0x13,
+ 0xe1, 0xd9, 0x41, 0x78, 0xe6, 0x68, 0x96, 0x91, 0xf9, 0xc9, 0xbf, 0x60, 0xd4, 0x88, 0xdf, 0x26, 0x19, 0xc6, 0xd5, 0xc4,
+ 0x3f, 0x70, 0x1f, 0xc0, 0x8f, 0x2c, 0x3d, 0x49, 0xba, 0x79, 0xd8, 0xcd, 0x6d, 0xcc, 0x88, 0xde, 0x86, 0xd4, 0x19, 0x89,
+ 0x1b, 0x1c, 0xbd, 0xd8, 0xeb, 0xc6, 0x81, 0xdb, 0xb7, 0x57, 0x53, 0xeb, 0x92, 0xbf, 0xf8, 0x1b, 0xd8, 0x4a, 0xe7, 0xee,
+ 0x83, 0x01, 0xf7, 0xae, 0xf4, 0x25, 0x2b, 0x6f, 0x17, 0xf4, 0xa0, 0xb8, 0x7f, 0x87, 0x20, 0x4f, 0xfd, 0xac, 0x59, 0x00,
+ 0x80, 0x5e, 0x20, 0x02, 0x5a, 0x41, 0x76, 0xf2, 0x57, 0x97, 0x29, 0xa9, 0x87, 0xae, 0x79, 0xb7, 0x3f, 0x95, 0x2f, 0x37,
+ 0x6e, 0xbf, 0x1f, 0x6d, 0xe2, 0x27, 0x39, 0x1c, 0xf2, 0x0b, 0x8f, 0xe4, 0xff, 0x60, 0x5d, 0x8f, 0xeb, 0x02, 0x03, 0x01,
0x00, 0x01, 0xa3, 0x4b, 0x30, 0x49, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02,
- 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06,
+ 0x05, 0x20, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06,
0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x18, 0x30, 0x16, 0x81, 0x14, 0x73,
0x6d, 0x69, 0x6d, 0x65, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
- 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x79,
- 0xc0, 0x92, 0xf8, 0xfd, 0xac, 0x3f, 0x21, 0x3a, 0x1b, 0x7c, 0x2b, 0xc9, 0x0a, 0x62, 0xb6, 0xe2, 0x1d, 0x3b, 0x67, 0x4b,
- 0x4b, 0xf8, 0xe8, 0xbe, 0xd8, 0x8e, 0x71, 0x07, 0x4a, 0x6e, 0xbd, 0x07, 0xc8, 0xd0, 0x86, 0x9c, 0xdb, 0xd5, 0x43, 0x23,
- 0xc3, 0x56, 0x03, 0x45, 0xa6, 0xab, 0xf8, 0xba, 0xc2, 0xba, 0xd8, 0x78, 0x33, 0x49, 0xaa, 0x82, 0xb4, 0x0c, 0x6c, 0x9b,
- 0x4c, 0x5b, 0x9d, 0x4f, 0xb5, 0xd8, 0xd9, 0x0f, 0x33, 0x21, 0x27, 0x8c, 0x99, 0xa0, 0xb6, 0xe0, 0xfb, 0x40, 0x4e, 0x88,
- 0x36, 0x91, 0x42, 0x3f, 0xcc, 0x52, 0x3f, 0x39, 0x82, 0x3d, 0xbd, 0x43, 0x45, 0xf4, 0x1c, 0x17, 0x4c, 0x29, 0x63, 0x5d,
- 0x12, 0xdd, 0x16, 0x8a, 0xa3, 0x6a, 0x81, 0x21, 0xbc, 0x55, 0x10, 0xfa, 0x88, 0x95, 0x80, 0x5d, 0x6a, 0xeb, 0x96, 0x54,
- 0x37, 0x94, 0x07, 0x28, 0x06, 0x0f, 0x62, 0x7e, 0x6f, 0x3d, 0x9e, 0xe7, 0x1d, 0x0e, 0x35, 0xb5, 0x89, 0x07, 0x04, 0xd6,
- 0x70, 0x69, 0x43, 0x8b, 0x44, 0xdb, 0xb5, 0x0b, 0xc8, 0x80, 0xc5, 0xe9, 0x8f, 0xe4, 0xa7, 0x75, 0x32, 0xa6, 0x47, 0xdc,
- 0xc9, 0x68, 0x26, 0x85, 0x96, 0x8c, 0x15, 0x47, 0xe0, 0x4f, 0x13, 0x81, 0x97, 0xae, 0x7c, 0xc5, 0x1c, 0xda, 0x22, 0xef,
- 0x39, 0xef, 0xe8, 0x8f, 0xbb, 0x33, 0xd3, 0x40, 0x12, 0x45, 0xcd, 0x05, 0x81, 0x39, 0xdc, 0x88, 0x9f, 0xd2, 0x3e, 0x20,
- 0xe5, 0xec, 0xf9, 0x39, 0xc5, 0x55, 0xeb, 0x97, 0x7f, 0x67, 0x36, 0x80, 0xfa, 0x2a, 0xe1, 0xf4, 0x36, 0x03, 0xe5, 0xe2,
- 0xa8, 0x75, 0x0e, 0x58, 0x21, 0xdf, 0x86, 0x38, 0x49, 0x19, 0x6f, 0x00, 0x3b, 0x8c, 0x57, 0x8c, 0xa7, 0x60, 0xf8, 0xda,
- 0x01, 0xbc, 0xbc, 0xe5, 0x77, 0x81, 0xeb, 0xda, 0xd6, 0xd6, 0x6e, 0xa4, 0x1a, 0x09, 0x3c
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x0a,
+ 0x49, 0x1f, 0xbe, 0xda, 0xa3, 0x8f, 0x78, 0x2c, 0x19, 0x6d, 0xd1, 0xa4, 0xa8, 0x8d, 0xa1, 0x00, 0xee, 0x8f, 0xa4, 0xd3,
+ 0x2b, 0x73, 0xad, 0x46, 0x00, 0x44, 0x40, 0x18, 0xc7, 0x7a, 0xbd, 0x5c, 0x21, 0x80, 0x91, 0xfe, 0xa0, 0x48, 0xfe, 0x00,
+ 0x3f, 0xf3, 0xc3, 0xb5, 0x26, 0xf0, 0xf2, 0xfa, 0x6e, 0xf2, 0x64, 0x45, 0x59, 0x41, 0xbd, 0x6f, 0xc2, 0xb6, 0xf8, 0xba,
+ 0xc4, 0x75, 0x6a, 0x41, 0xd1, 0x0a, 0x6d, 0x1f, 0xd4, 0xe0, 0xec, 0x77, 0x7a, 0x5f, 0xa8, 0x44, 0x2e, 0xb3, 0x96, 0xe4,
+ 0x62, 0x8e, 0xa2, 0x58, 0x85, 0x77, 0x21, 0x4f, 0x70, 0xed, 0x38, 0x5a, 0x69, 0x36, 0x8e, 0xf5, 0x3f, 0x4b, 0x25, 0x40,
+ 0xe4, 0x4a, 0x00, 0xef, 0x14, 0xe4, 0xa3, 0xad, 0xaa, 0xbc, 0xdc, 0x18, 0x5f, 0xc5, 0xe9, 0xc1, 0xfe, 0xe4, 0x68, 0x52,
+ 0x30, 0x87, 0x1e, 0x80, 0x4d, 0xa6, 0xf5, 0xfd, 0x0d, 0x15, 0x00, 0x06, 0xd8, 0x05, 0x82, 0x2d, 0x94, 0x44, 0x80, 0x8f,
+ 0x1b, 0xac, 0x18, 0x9f, 0x51, 0x40, 0x47, 0x29, 0x4f, 0x7b, 0xb8, 0xbb, 0x03, 0xdd, 0x8a, 0x01, 0x4f, 0xd0, 0x4e, 0x21,
+ 0xf5, 0xc3, 0x64, 0x2f, 0xa6, 0xe3, 0x81, 0x8d, 0x65, 0xc0, 0x6a, 0x17, 0x1d, 0xc5, 0xdf, 0xa6, 0x07, 0x7c, 0x48, 0x59,
+ 0x35, 0x78, 0x02, 0x29, 0xa0, 0xbe, 0x25, 0x39, 0xdf, 0x51, 0x30, 0x7b, 0x2a, 0x19, 0xd0, 0x33, 0xcd, 0x07, 0x61, 0x38,
+ 0x18, 0x46, 0xc7, 0x16, 0x8b, 0xcd, 0xa9, 0xbf, 0x22, 0xd0, 0xf7, 0xd1, 0xa4, 0x32, 0x80, 0x9f, 0x2e, 0x17, 0x0a, 0x17,
+ 0xbc, 0x48, 0xf3, 0x2c, 0x6d, 0x40, 0x3b, 0xf0, 0xf5, 0x0b, 0x10, 0x98, 0x93, 0x50, 0xcc, 0x46, 0x64, 0x57, 0x6d, 0xb5,
+ 0xa0, 0xda, 0x8f, 0xd7, 0xc6, 0x0a, 0x01, 0x1d, 0x89, 0x0b, 0x2f, 0xe3, 0x98, 0xcc, 0x9a
};
unsigned int Test_Encryption__S_MIME__cer_len = 1035;
CFTypeRef returnType,
CFTypeRef matchLimit,
CFIndex minMatchesExpected,
+ CFIndex maxMatchesExpected,
OSStatus expected)
{
/* create a SecPolicyRef for S/MIME */
OSStatus status = SecItemCopyMatching(query, &results);
if (!status && results) {
- status = CheckResults(results, minMatchesExpected, MAXITEMS);
+ status = CheckResults(results, minMatchesExpected, maxMatchesExpected);
CFRelease(results);
}
if (query)
// look up cert by email address for SMIME encryption, date valid today, want array of all results as SecCertificateRef
// (note that a date value of kCFNull is interpreted as the current date)
result += FindCertificateForSMIMEEncryption(keychain, CFSTR("smime-test@apple.com"), kCFNull,
- kSecReturnRef, kSecMatchLimitAll, 1, noErr);
+ kSecReturnRef, kSecMatchLimitAll, 1, 1, noErr);
CFReleaseSafe(sslPolicy);
CFReleaseSafe(codeSigningPolicy);
++result;
// define a valid date for this preferred certificate (typically this would just be kCFNull in a real program, meaning "now")
- CFGregorianDate aCurrentGDate = { 2016, 7, 27, 21, 0, 0 }; // Jul 27 2016 9:00 PM
+ CFGregorianDate aCurrentGDate = { 2016, 9, 27, 21, 0, 0 }; // September 27 2016 9:00 PM
CFDateRef aCurrentDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aCurrentGDate, NULL));
if (FindPreferredCertificateForSMIMEEncryption(keychain, CFSTR("smime-test@apple.com"), aCurrentDate))
++result;
CFRelease(original);
is(CFGetRetainCount(copy), 1, "copy retaincount is 1");
CFRelease(copy);
- is(CFGetRetainCount(source), 1, "source retaincount is 1");
+ cmp_ok(CFGetRetainCount(source), >=, 1, "source keychain retaincount is 1");
ok_status(SecKeychainDelete(source), "delete keychain source");
CFRelease(source);
ok_status(SecKeychainDelete(dest), "delete keychain dest");
- is(CFGetRetainCount(dest), 1, "dest retaincount is 1");
+ cmp_ok(CFGetRetainCount(dest), >=, 1, "dest retaincount is 1");
CFRelease(dest);
}
#include <libaks.h>
#include <AssertMacros.h>
+#define DATA_ARG(x) (x) ? CFDataGetBytePtr((x)) : NULL, (x) ? (int)CFDataGetLength((x)) : 0
static CFDataRef create_keybag(keybag_handle_t bag_type, CFDataRef password)
{
keybag_handle_t handle = bad_keybag_handle;
- if (aks_create_bag(NULL, 0, bag_type, &handle) == 0) {
+ if (aks_create_bag(DATA_ARG(password), bag_type, &handle) == 0) {
void * keybag = NULL;
int keybag_size = 0;
if (aks_save_bag(handle, &keybag, &keybag_size) == 0) {
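Review bot: The new `DATA_ARG(x)` macro expands to two comma-separated call arguments and evaluates `x` up to four times, which is easy to misuse and hides the `(int)` truncation of `CFDataGetLength`. Inside `create_keybag` I would spell the two values out instead: `const uint8_t *pw = password ? CFDataGetBytePtr(password) : NULL;` and `int pwLen = password ? (int)CFDataGetLength(password) : 0;`, then call `aks_create_bag(pw, pwLen, bag_type, &handle)`. If the macro stays, it needs a comment saying that it yields a pointer/length argument pair and must only be given a side-effect-free expression. The rest of `create_keybag` lies outside this hunk.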
CFDictionaryAddValue(query, kSecValueData, pwdata);
CFDictionaryAddValue(query, kSecAttrSynchronizable, kCFBooleanTrue);
- CFDataRef keybag = NULL, password = NULL;
+ CFDataRef keybag = NULL;
+ const char *p = "sup3rsekretpassc0de";
+ CFDataRef password = CFDataCreate(NULL, (UInt8 *)p, strlen(p));
keybag = create_keybag(kAppleKeyStoreAsymmetricBackupBag, password);
ok_status(SecItemDelete(query), "delete restored item");
if (backup) { CFRelease(backup); }
+ if (password) { CFRelease(password); }
}
int si_33_keychain_backup(int argc, char *const *argv)
/* if poolp is not NULL, cmsg is the owner of its arena */
if (cmsg->poolp_is_ours) {
PORT_FreeArena (cmsg->poolp, PR_FALSE); /* XXX clear it? */
- cmsg->poolp = NULL;
}
}
* Predefined TLS configurations constants
*/
-/* Default configuration - currently same as kSSLSessionConfig_standard */
+/* Default configuration (has 3DES, no RC4) */
extern const CFStringRef kSSLSessionConfig_default;
/* ATS v1 Config: TLS v1.2, only PFS ciphersuites */
extern const CFStringRef kSSLSessionConfig_ATSv1;
/* ATS v1 Config without PFS: TLS v1.2, include non PFS ciphersuites */
extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS;
-/* TLS v1.2 to TLS v1.0, with default ciphersuites (no RC4) */
+/* TLS v1.2 to TLS v1.0, with default ciphersuites (no 3DES, no RC4) */
extern const CFStringRef kSSLSessionConfig_standard;
-/* TLS v1.2 to TLS v1.0, with defaults ciphersuites + RC4 */
+/* TLS v1.2 to TLS v1.0, with default ciphersuites + RC4 + 3DES */
extern const CFStringRef kSSLSessionConfig_RC4_fallback;
-/* TLS v1.0 only, with defaults ciphersuites + fallback SCSV */
+/* TLS v1.0 only, with default ciphersuites + fallback SCSV */
extern const CFStringRef kSSLSessionConfig_TLSv1_fallback;
-/* TLS v1.0, with defaults ciphersuites + RC4 + fallback SCSV */
+/* TLS v1.0, with default ciphersuites + RC4 + 3DES + fallback SCSV */
extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback;
/* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
extern const CFStringRef kSSLSessionConfig_legacy;
-/* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
+/* TLS v1.2 to TLS v1.0, default + RC4 + DHE ciphersuites */
extern const CFStringRef kSSLSessionConfig_legacy_DHE;
/* TLS v1.2, anonymous ciphersuites only */
extern const CFStringRef kSSLSessionConfig_anonymous;
+/* TLS v1.2 to TLS v1.0, has 3DES, no RC4 */
+extern const CFStringRef kSSLSessionConfig_3DES_fallback;
+/* TLS v1.0, with default ciphersuites + 3DES, no RC4 */
+extern const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback;
/******************
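Review bot: The updated comments do not let a caller tell the configurations apart where 3DES is concerned. `kSSLSessionConfig_default` and the new `kSSLSessionConfig_3DES_fallback` are both described as "has 3DES, no RC4". `kSSLSessionConfig_legacy` and `kSSLSessionConfig_legacy_DHE` keep near-identical one-liners that say nothing about 3DES. "default ciphersuites" is used both for the set that includes 3DES and in the `kSSLSessionConfig_standard` comment that excludes it. Each comment should state the protocol range, whether 3DES and RC4 are enabled, and how the entry differs from its nearest neighbour. Because the default now differs from `kSSLSessionConfig_standard` by including a 64-bit block cipher, the default's comment should point callers to the alternative, e.g. `/* Default configuration (has 3DES, no RC4); use kSSLSessionConfig_standard to exclude 3DES */`.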
const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback = CFSTR("TLSv1_RC4_fallback");
const CFStringRef kSSLSessionConfig_legacy_DHE = CFSTR("legacy_DHE");
const CFStringRef kSSLSessionConfig_anonymous = CFSTR("anonymous");
+const CFStringRef kSSLSessionConfig_3DES_fallback = CFSTR("3DES_fallback");
+const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback = CFSTR("TLSv1_3DES_fallback");
+
static
tls_handshake_config_t SSLSessionConfig_to_tls_handshake_config(CFStringRef config)
return tls_handshake_config_TLSv1_RC4_fallback;
} else if(CFEqual(config, kSSLSessionConfig_RC4_fallback)){
return tls_handshake_config_RC4_fallback;
+ } else if(CFEqual(config, kSSLSessionConfig_3DES_fallback)){
+ return tls_handshake_config_3DES_fallback;
+ } else if(CFEqual(config, kSSLSessionConfig_TLSv1_3DES_fallback)){
+ return tls_handshake_config_TLSv1_3DES_fallback;
} else if(CFEqual(config, kSSLSessionConfig_legacy)){
return tls_handshake_config_legacy;
} else if(CFEqual(config, kSSLSessionConfig_legacy_DHE)){
const SSLCipherSuite standard_ciphersuites[] = {
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+};
+
+const SSLCipherSuite default_ciphersuites[] = {
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
/* The order of this tests does matter, be careful when adding tests */
ok(!test_GetSupportedCiphers(ssl, server), "test_default: GetSupportedCiphers test failed (%s)", server?"server":"client");
- ok(!test_GetEnabledCiphers(ssl, sizeof(standard_ciphersuites)/sizeof(SSLCipherSuite), standard_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
+ ok(!test_GetEnabledCiphers(ssl, sizeof(default_ciphersuites)/sizeof(SSLCipherSuite), default_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
CFRelease(ssl); ssl=NULL;
int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
{
- plan_tests(154);
+ plan_tests(178);
test_dhe(kSSLClientSide, true);
test_dhe(kSSLServerSide, true);
TEST_CONFIG(kSSLSessionConfig_legacy_DHE, legacy_DHE_ciphersuites);
TEST_CONFIG(kSSLSessionConfig_standard, standard_ciphersuites);
TEST_CONFIG(kSSLSessionConfig_RC4_fallback, legacy_ciphersuites);
- TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, standard_ciphersuites);
+ TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, default_ciphersuites);
TEST_CONFIG(kSSLSessionConfig_TLSv1_RC4_fallback, legacy_ciphersuites);
- TEST_CONFIG(kSSLSessionConfig_default, standard_ciphersuites);
+ TEST_CONFIG(kSSLSessionConfig_default, default_ciphersuites);
TEST_CONFIG(kSSLSessionConfig_anonymous, anonymous_ciphersuites);
+ TEST_CONFIG(kSSLSessionConfig_3DES_fallback, default_ciphersuites);
+ TEST_CONFIG(kSSLSessionConfig_TLSv1_3DES_fallback, default_ciphersuites);
return 0;
}
};
StReadWriteLock(ReadWriteLock &lck, Type type) : mType(type), mIsLocked(false), mRWLock(lck)
{ lock(); }
- ~StReadWriteLock() { if(mIsLocked) mRWLock.unlock(); }
+ ~StReadWriteLock() { if(mIsLocked) unlock(); }
bool lock();
void unlock();
{
magic = magicNumber;
- secnotice("integrity", "creating a keychain with version %d", version);
+ secinfo("integrity", "creating a keychain with version %d", version);
this->blobVersion = version;
}
#include <Security/SecureObjectSync/SOSChangeTracker.h>
#include <Security/SecureObjectSync/SOSDigestVector.h>
-#include <Security/SecureObjectSync/SOSEngine.h>
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
#include <Security/SecureObjectSync/SOSManifest.h>
#include <Security/SecureObjectSync/SOSInternal.h>
#include <utilities/SecCFError.h>
#include <Security/SecureObjectSync/SOSCircle.h>
#include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
#include <Security/SecureObjectSync/SOSInternal.h>
-#include <Security/SecureObjectSync/SOSEngine.h>
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
#include <Security/SecureObjectSync/SOSPeer.h>
#include <Security/SecureObjectSync/SOSPeerInfoInternal.h>
#include <Security/SecureObjectSync/SOSGenCount.h>
}
bool SOSCCIsIcloudKeychainSyncing(void) {
- CFStringRef views[] = { kSOSViewAutofillPasswords, kSOSViewSafariCreditCards };
- return sosIsViewSetSyncing(1, views);
+ CFStringRef views[] = { kSOSViewWiFi, kSOSViewAutofillPasswords, kSOSViewSafariCreditCards, kSOSViewOtherSyncable };
+ return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsSafariSyncing(void) {
CFStringRef views[] = { kSOSViewAutofillPasswords, kSOSViewSafariCreditCards };
- return sosIsViewSetSyncing(2, views);
+ return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsAppleTVSyncing(void) {
CFStringRef views[] = { kSOSViewAppleTV };
- return sosIsViewSetSyncing(1, views);
+ return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsHomeKitSyncing(void) {
CFStringRef views[] = { kSOSViewHomeKit };
- return sosIsViewSetSyncing(1, views);
+ return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsWiFiSyncing(void) {
CFStringRef views[] = { kSOSViewWiFi };
- return sosIsViewSetSyncing(1, views);
+ return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
bool SOSCCIsContinuityUnlockSyncing(void) {
CFStringRef views[] = { kSOSViewContinuityUnlock };
- return sosIsViewSetSyncing(1, views);
+ return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
}
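Review bot: `SOSCCIsIcloudKeychainSyncing` now answers for four views, and nothing on the function says whether that means all of them or any of them are syncing. The old call passed a count of 1 with a two-element array, so only `kSOSViewAutofillPasswords` was consulted, and callers that relied on that will now see a different result. A comment above the function such as `/* True when <all|any> of the WiFi, AutofillPasswords, SafariCreditCards and OtherSyncable views are syncing */` would pin the contract. `sosIsViewSetSyncing` is outside the hunk, so which of the two applies has to be confirmed there.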
static CFStringRef SOSCoderCopyFormatDescription(CFTypeRef cf, CFDictionaryRef formatOptions) {
SOSCoderRef coder = (SOSCoderRef)cf;
if(coder){
- CFStringRef desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("<Coder %@ %@ %@ %s%s>"),
- coder->peer_id,
+ CFStringRef desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("<Coder %@ %@ %s%s>"),
coder->sessRef,
coder->hashOfLastReceived,
coder->waitingForDataPacket ? "W" : "w",
}
}
-CFStringRef SOSCoderGetID(SOSCoderRef coder) {
- return coder->peer_id;
-}
-
/*
static void logRawCoderMessage(const uint8_t* der, uint8_t* der_end, bool encoding)
{
if (coder) {
CFReleaseNull(coder->sessRef);
CFReleaseNull(coder->pendingResponse);
- CFReleaseNull(coder->peer_id);
CFReleaseNull(coder->hashOfLastReceived);
}
}
*/
#include <Security/SecureObjectSync/SOSChangeTracker.h>
-#include <Security/SecureObjectSync/SOSEngine.h>
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
#include <Security/SecureObjectSync/SOSDigestVector.h>
#include <Security/SecureObjectSync/SOSInternal.h>
#include <Security/SecureObjectSync/SOSPeer.h>
//----------------------------------------------------------------------------------------
// MARK: Engine state v2
//----------------------------------------------------------------------------------------
-
+#if !TARGET_IPHONE_SIMULATOR
static const CFIndex kCurrentEngineVersion = 2;
+#endif
// Keychain/datasource items
// Used for the kSecAttrAccount when saving in the datasource with dsSetStateWithKey
// Class D [kSecAttrAccessibleAlwaysPrivate/kSecAttrAccessibleAlwaysThisDeviceOnly]
// Keys for individual dictionaries
// engine-state-v2
+#if !TARGET_IPHONE_SIMULATOR
static CFStringRef kSOSEngineStateVersionKey = CFSTR("engine-stateVersion");
+#endif
// Current save/load routines
// SOSEngineCreate/SOSEngineLoad/SOSEngineSetState
*/
-/* SOSEngine implementation. */
-struct __OpaqueSOSEngine {
- CFRuntimeBase _base;
- SOSDataSourceRef dataSource;
- CFStringRef myID; // My peerID in the circle
- // We need to address the issues of corrupt keychain items
- SOSManifestRef unreadable; // Possibly by having a set of unreadable items, to which we
- // add any corrupted items in the db that have yet to be deleted.
- // This happens if we notce corruption during a (read only) query.
- // We would also perma-subtract unreadable from manifest whenever
- // anyone asked for manifest. This result would be cached in
- // The manifestCache below, so we just need a key into the cache
- CFDataRef localMinusUnreadableDigest; // or a digest (CFDataRef of the right size).
-
- CFMutableDictionaryRef manifestCache; // digest -> ( refcount, manifest )
- CFMutableDictionaryRef peerMap; // peerId -> SOSPeerRef
- CFDictionaryRef viewNameSet2ChangeTracker; // CFSetRef of CFStringRef -> SOSChangeTrackerRef
- CFDictionaryRef viewName2ChangeTracker; // CFStringRef -> SOSChangeTrackerRef
- CFArrayRef peerIDs;
- CFDateRef lastTraceDate; // Last time we did a CloudKeychainTrace
- CFMutableDictionaryRef coders;
- bool haveLoadedCoders;
-
- bool dirty;
- bool codersNeedSaving;
- dispatch_queue_t queue; // Engine queue
-
- dispatch_source_t save_timer; // Engine state save timer
- bool save_timer_pending; // Engine state timer running, read/modify on engine queue
-
- dispatch_queue_t syncCompleteQueue; // Non-retained queue for async notificaion
- SOSEnginePeerInSyncBlock syncCompleteListener; // Block to call to notify the listener.
-};
static bool SOSEngineLoad(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
static bool SOSEngineSetPeers_locked(SOSEngineRef engine, SOSPeerMetaRef myPeerMeta, CFArrayRef trustedPeerMetas, CFArrayRef untrustedPeerMetas);
static void SOSEngineApplyPeerState(SOSEngineRef engine, CFDictionaryRef peerStateMap);
static void SOSEngineSynthesizePeerMetas(SOSEngineRef engine, CFMutableArrayRef trustedPeersMetas, CFMutableArrayRef untrustedPeers);
static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
+#if !TARGET_IPHONE_SIMULATOR
static bool SOSEngineDeleteV0State(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
-
+#endif
static CFStringRef SOSPeerIDArrayCreateString(CFArrayRef peerIDs) {
return peerIDs ? CFStringCreateByCombiningStrings(kCFAllocatorDefault, peerIDs, CFSTR(" ")) : CFSTR("");
}
}
return manifests;
}
-
+#if !TARGET_IPHONE_SIMULATOR
static CFDictionaryRef SOSEngineCopyEncodedManifestCache_locked(SOSEngineRef engine, CFErrorRef *error) {
CFMutableDictionaryRef mfc = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
SOSEngineForEachPeer_locked(engine, ^(SOSPeerRef peer) {
});
return mfc;
}
-
-#if 0
-static bool SOSEngineGCManifests_locked(SOSEngineRef engine, CFErrorRef *error) {
- __block struct SOSDigestVector mdInCache = SOSDigestVectorInit;
- __block struct SOSDigestVector mdInUse = SOSDigestVectorInit;
- struct SOSDigestVector mdUnused = SOSDigestVectorInit;
- struct SOSDigestVector mdMissing = SOSDigestVectorInit;
- bool ok = true;
-
- SOSEngineForEachPeer_locked(engine, ^(SOSPeerRef peer) {
- SOSPeerMarkDigestsInUse(peer, &mdInUse);
- });
-
- if (engine->manifestCache) {
- CFDictionaryForEach(engine->manifestCache, ^(const void *key, const void *value) {
- CFDataRef digest = (CFDataRef)key;
- if (isData(digest))
- SOSDigestVectorAppend(&mdInCache, CFDataGetBytePtr(digest));
- });
-
- // Delete unused manifests.
- SOSDigestVectorDiff(&mdInCache, &mdInUse, &mdUnused, &mdMissing);
- SOSManifestRef unused = SOSManifestCreateWithDigestVector(&mdUnused, NULL);
- SOSManifestForEach(unused, ^(CFDataRef digest, bool *stop) {
- if (digest)
- CFDictionaryRemoveValue(engine->manifestCache, digest);
- });
- CFReleaseSafe(unused);
- }
-
- SOSDigestVectorFree(&mdInCache);
- SOSDigestVectorFree(&mdInUse);
- SOSDigestVectorFree(&mdUnused);
- SOSDigestVectorFree(&mdMissing);
- return ok;
-}
#endif
//
return coder;
}
-static SOSCoderRef SOSEngineGetCoder_locked(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error) {
- return SOSEngineGetCoderInTx_locked(engine, NULL, peerID, error);
-}
-
-static bool SOSEngineEnsureCoder_locked(SOSEngineRef engine, CFStringRef peerID, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, SOSCoderRef ourCoder, CFErrorRef *error) {
+static bool SOSEngineEnsureCoder_locked(SOSEngineRef engine, SOSTransactionRef txn, CFStringRef peerID, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, SOSCoderRef ourCoder, CFErrorRef *error) {
+ //have to have caused coder loading, transactions do this.
if (!ourCoder || !SOSCoderIsFor(ourCoder, peerInfo, myPeerInfo)) {
secinfo("coder", "New coder for id %@.", peerID);
CFErrorRef localError = NULL;
return false;
}
CFDictionarySetValue(engine->coders, peerID, coder);
+ secdebug("coder", "setting coder for peerid: %@, coder: %@", peerID, coder);
CFReleaseNull(coder);
+ engine->codersNeedSaving = true;
}
return true;
}
bool SOSEngineInitializePeerCoder(SOSEngineRef engine, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error) {
__block bool ok = true;
CFStringRef peerID = SOSPeerInfoGetPeerID(peerInfo);
- ok &= SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) {
- ok = SOSEngineEnsureCoder_locked(engine, peerID, myPeerInfo, peerInfo, coder, error);
+
+ ok &= SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) {
+ ok = SOSEngineEnsureCoder_locked(engine, txn, peerID, myPeerInfo, peerInfo, coder, error);
+ *forceSaveState = ok;
});
+
return ok;
}
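Review bot: In `SOSEngineInitializePeerCoder`, `ok &= SOSEngineWithPeerID(...)` combines a variable that the block itself overwrites (`ok = SOSEngineEnsureCoder_locked(...)`), so the result depends on `ok` being read only after the call returns, an ordering C leaves unspecified for a compound assignment. Keeping the two results apart removes that dependency: have the block assign a separate `__block bool coderOK`, then `bool ran = SOSEngineWithPeerID(...);` and `return ran && coderOK;`. The same shape appears in the transport send path that this change also moves to `SOSEngineWithPeerID`, and in the backup-peer call to `SOSEngineForPeerID`.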
//exit:
return ok;
}
-
+#if !TARGET_IPHONE_SIMULATOR
static CFMutableDictionaryRef SOSEngineCopyPeerState_locked(SOSEngineRef engine, CFErrorRef *error) {
CFMutableDictionaryRef peerState = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
CFDictionaryForEach(engine->peerMap, ^(const void *key, const void *value) {
});
return peerState;
}
-
+#endif
static CFMutableDictionaryRef SOSEngineCopyPeerCoders_locked(SOSEngineRef engine, CFErrorRef *error) {
CFMutableDictionaryRef coders = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
CFDictionaryForEach(engine->peerMap, ^(const void *key, const void *value) {
CFDataRef coderData = NULL;
CFErrorRef localError = NULL;
bool ok = SOSEngineCopyCoderData(engine, (CFStringRef)key, &coderData, &localError);
+
if (!ok) {
secnotice("engine", "%@ no coder for peer: %@", key, localError);
}
static CFDataRef SOSEngineCopyCoders(SOSEngineRef engine, CFErrorRef *error) {
// Copy the CFDataRef version of the coders into a dictionary, which is then DER-encoded for saving
CFDictionaryRef coders = SOSEngineCopyPeerCoders_locked(engine, error);
+ secdebug("coders", "copying coders! %@", coders);
CFDataRef der = CFPropertyListCreateDERData(kCFAllocatorDefault, coders, error);
CFReleaseSafe(coders);
return der;
static bool SOSEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) {
// MUST hold engine lock
// Device must be unlocked for this to succeed
+
+ if(!engine->haveLoadedCoders){
+ secdebug("coders", "attempting to save coders before we have loaded them!");
+ }
+
bool ok = true;
if (engine->codersNeedSaving) {
CFDataRef derCoders = SOSEngineCopyCoders(engine, error);
kSOSEngineProtectionDomainClassA, derCoders, error);
if (ok) {
engine->codersNeedSaving = false;
+ secnotice("coder", "saved coders: %@", engine->coders);
}
CFReleaseSafe(derCoders);
}
return ok;
}
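Review bot: The new `haveLoadedCoders` check in `SOSEngineSaveCoders` only logs at debug level and then carries on, so a save that runs before the coders were loaded can still write the in-memory set over the stored one and clear `codersNeedSaving`. Either the save should be skipped in that state or a comment should say why proceeding is safe. Skipping is only correct if `haveLoadedCoders` also becomes true when nothing is stored yet, which the visible load path does not appear to do. Separately, `secnotice("coder", "saved coders: %@", engine->coders)` prints every coder's description on each successful save; logging a count, or using `secdebug`, would keep session details out of the default log.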
+bool SOSTestEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error){
+ return SOSEngineSaveCoders(engine, txn, error);
+}
+#if !TARGET_IPHONE_SIMULATOR
+
static CFDictionaryRef SOSEngineCopyBasicState(SOSEngineRef engine, CFErrorRef *error) {
// Create a version of the in-memory engine state for saving to disk
CFMutableDictionaryRef state = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
SOSPersistCFIndex(state, kSOSEngineStateVersionKey, kCurrentEngineVersion);
return state;
}
-
static bool SOSEngineDoSaveOneState(SOSEngineRef engine, SOSTransactionRef txn, CFStringRef key, CFStringRef pdmn,
CFDictionaryRef state, CFErrorRef *error) {
CFDataRef derState = CFPropertyListCreateDERData(kCFAllocatorDefault, state, error);
CFReleaseSafe(derState);
return ok;
}
-
static bool SOSEngineDoSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) {
bool ok = true;
return ok;
}
-
-#if ENGINE_DELAY_SAVE
-
-#define SOSENGINE_SAVE_TIMEOUT (NSEC_PER_MSEC * 500ull)
-#define SOSENGINE_SAVE_LEEWAY (NSEC_PER_MSEC * 500ull)
-#define SOSENGINE_SAVE_MAX_DELAY (NSEC_PER_MSEC * 500ull)
-
-#if !(TARGET_IPHONE_SIMULATOR)
-static void SOSEngineShouldSave(SOSEngineRef engine) {
- bool start_timer = false;
-
- if (engine->save_timer == NULL) {
- // Schedule the timer to fire on a concurrent queue, so we can follow
- // the proper procedure of acquiring a dataSource and then engine queues.
- engine->save_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0));
- dispatch_source_set_event_handler(engine->save_timer, ^{
- CFErrorRef dsWithError = NULL;
-
- // Start with clearing the pending state so that any other caller
- // get their own timer, worse case it that we get a duplicate store.
- dispatch_sync(engine->queue, ^{
- engine->save_timer_pending = false;
- });
-
- if (engine->dataSource) {
- if (!SOSDataSourceWith(engine->dataSource, &dsWithError, ^(SOSTransactionRef txn, bool *commit) {
- dispatch_sync(engine->queue, ^{
- CFErrorRef saveError = NULL;
- if (!SOSEngineDoSave(engine, txn, &saveError)) {
- secerrorq("Failed to save engine state: %@", saveError);
- CFReleaseNull(saveError);
- }
- });
- })) {
- secerrorq("Failed to open dataSource to save engine state: %@", dsWithError);
- CFReleaseNull(dsWithError);
- }
- }
-
- xpc_transaction_end();
- });
- start_timer = true;
- assert(engine->save_timer_pending == false);
- }
-
- if (engine->save_timer_pending)
- return;
-
- engine->save_timer_pending = true;
-
- // Start a trasaction, then start the timer, the handler for the timer will end
- // the transaction.
- xpc_transaction_begin();
-
- // Set the timer's fire time to now + SOSENGINE_SAVE_TIMEOUT seconds with a SOSENGINE_SAVE_LEEWAY fuzz factor.
- dispatch_source_set_timer(engine->save_timer,
- dispatch_time(DISPATCH_TIME_NOW, SOSENGINE_SAVE_TIMEOUT),
- DISPATCH_TIME_FOREVER, SOSENGINE_SAVE_LEEWAY);
-
- if (start_timer)
- dispatch_resume(engine->save_timer);
-
-}
#endif
-#endif /* ENGINE_DELAY_SAVE */
-
static bool SOSEngineSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) {
// Don't save engine state from tests
if (!engine->dataSource)
return true;
-#if (TARGET_IPHONE_SIMULATOR) || !ENGINE_DELAY_SAVE
+#if !TARGET_IPHONE_SIMULATOR
return SOSEngineDoSave(engine, txn, error);
-#else
- SOSEngineShouldSave(engine);
#endif
return true;
}
}
return stateDict;
}
+bool TestSOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error)
+{
+ return SOSEngineLoadCoders(engine, txn, error);
+}
static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) {
// Read the serialized engine state from the datasource (aka keychain) and populate the in-memory engine
bool ok = true;
CFDataRef derCoders = NULL;
CFMutableDictionaryRef codersDict = NULL;
-
derCoders = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEngineCoders, kSOSEngineProtectionDomainClassA, txn, error);
require_quiet(derCoders, xit);
codersDict = derStateToDictionaryCopy(derCoders, error);
require_quiet(codersDict, xit);
-
CFDictionaryForEach(engine->peerMap, ^(const void *peerID, const void *peerState) {
if (peerID) {
- if (!CFDictionaryContainsKey(engine->coders, peerID)) {
- CFDataRef coderData = asData(CFDictionaryGetValue(codersDict, peerID), NULL);
+ CFTypeRef coderRef = CFDictionaryGetValue(codersDict, peerID);
+ if (coderRef) {
+ CFDataRef coderData = asData(coderRef, NULL);
if (coderData) {
CFErrorRef createError = NULL;
SOSCoderRef coder = SOSCoderCreateFromData(coderData, &createError);
if (coder) {
- // Sanity check
- CFStringRef coderid = SOSCoderGetID(coder);
- if (!CFEqualSafe(coderid, (CFStringRef)peerID)) {
- secerror("Coder id %@ on disk does not match: %@", coderid, peerID);
- } else {
- CFDictionaryAddValue(engine->coders, peerID, coder);
- }
+ CFDictionaryAddValue(engine->coders, peerID, coder);
+ secnotice("coder", "adding coder: %@ for peerid: %@", coder, peerID);
} else {
secnotice("coder", "Coder for '%@' failed to create: %@", peerID, createError);
}
} else {
// Needed a coder, didn't find one, notify the account to help us out.
// Next attempt to sync will fix this
+ secnotice("coder", "coder for %@ was not cf data: %@", peerID, coderData);
SOSCCEnsurePeerRegistration();
}
}
+ else{
+ secnotice("coder", "didn't find coder for peer: %@ engine dictionary: %@", peerID, codersDict);
+ SOSCCEnsurePeerRegistration();
+ }
}
});
+
+ engine->haveLoadedCoders = true;
+
xit:
CFReleaseNull(derCoders);
CFReleaseNull(codersDict);
return ok;
}
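Review bot: The new miss branch logs the whole `codersDict` at notice level, and that dictionary holds the serialized coder state for every peer, read from the `kSOSEngineProtectionDomainClassA` item. The peer alone is enough to diagnose the miss: `secnotice("coder", "didn't find coder for peer: %@", peerID);`. In the branch above it, `coderData` is always NULL when "was not cf data" is logged, so that message should print `coderRef` instead. `engine->haveLoadedCoders = true;` sits before `xit:`, so either `require_quiet` exit leaves it false; a comment saying whether that is intended for the nothing-stored-yet case would help the reader of `SOSEngineSaveCoders`.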
-
+#if !TARGET_IPHONE_SIMULATOR
static bool SOSEngineDeleteV0State(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) {
// SOSDataSourceDeleteStateWithKey(engine->dataSource, kSOSEngineState, kSOSEngineProtectionDomainClassD, txn, error);
CFReleaseSafe(derState);
return ok;
}
-
+#endif
static bool SOSEngineLoad(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) {
// Read the serialized engine state from the datasource (aka keychain) and populate the in-memory engine
bool ok = true;
// Only consider writing if we're in the WillCommit phase.
// DidCommit phases happen outside the database lock and
// writing to the DBConn will cause deadlocks.
- if (mappedItemChanged) {
+ if (mappedItemChanged || source == kSOSDataSourceSOSTransaction) {
// Write SOSEngine and SOSPeer state to disk
+ secnotice("engine", "saving engine state");
ok &= SOSEngineSave(engine, txn, error);
} else {
secnotice("engine", "Not saving engine state, nothing changed.");
}
}
+
break;
}
}
// Start with no coders
CFMutableDictionaryRef codersToKeep = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
- // If we're the same peerID we keep known peers (both trusted and untrusted)
- if (CFEqualSafe(myPeerID, engine->myID)) {
- void (^copyPeerMetasCoder)(const void *value) = ^(const void*element) {
- SOSPeerMetaRef peerMeta = (SOSPeerMetaRef) element;
+ if(engine->haveLoadedCoders){
+ // If we're the same peerID we keep known peers (both trusted and untrusted)
+ if (CFEqualSafe(myPeerID, engine->myID)) {
+ void (^copyPeerMetasCoder)(const void *value) = ^(const void*element) {
+ SOSPeerMetaRef peerMeta = (SOSPeerMetaRef) element;
- CFStringRef currentID = SOSPeerMetaGetComponents(peerMeta, NULL, NULL, NULL);
- if (currentID) {
- SOSCoderRef coder = (SOSCoderRef) CFDictionaryGetValue(engine->coders, currentID);
- if (coder) {
- CFDictionarySetValue(codersToKeep, currentID, coder);
+ CFStringRef currentID = SOSPeerMetaGetComponents(peerMeta, NULL, NULL, NULL);
+ if (currentID) {
+ SOSCoderRef coder = (SOSCoderRef) CFDictionaryGetValue(engine->coders, currentID);
+ if (coder) {
+ CFDictionarySetValue(codersToKeep, currentID, coder);
+ }
}
- }
- };
+ };
- if (trustedPeerMetas) {
- CFArrayForEach(trustedPeerMetas, copyPeerMetasCoder);
- }
- if (untrustedPeerMetas) {
- CFArrayForEach(untrustedPeerMetas, copyPeerMetasCoder);
+ if (trustedPeerMetas) {
+ CFArrayForEach(trustedPeerMetas, copyPeerMetasCoder);
+ }
+ if (untrustedPeerMetas) {
+ CFArrayForEach(untrustedPeerMetas, copyPeerMetasCoder);
+ }
}
- }
-
- CFTransferRetained(engine->coders, codersToKeep);
- engine->codersNeedSaving = true;
+ engine->codersNeedSaving = true;
+ }
CFRetainAssign(engine->myID, myPeerID);
+ CFTransferRetained(engine->coders, codersToKeep);
// Remake engine->peerMap from both trusted and untrusted peers
SOSEngineReferenceChangeTrackers(engine, trustedPeerMetas, untrustedPeerMetas, desc);
__block bool peersOrViewsChanged = false;
SOSEngineDoOnQueue(engine, ^{
peersOrViewsChanged = SOSEngineCircleChanged_locked(engine, myPeerID, trustedPeers, untrustedPeers);
- engine->dirty = peersOrViewsChanged;
- engine->codersNeedSaving = peersOrViewsChanged;
});
__block bool ok = true;
return peer;
}
-bool SOSEngineForPeerIDNoCoder(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer)) {
+bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer)) {
__block bool ok = true;
SOSDataSourceReadWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn) {
SOSEngineDoOnQueue(engine, ^{
return ok;
}
-bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder)) {
- __block bool ok = true;
- SOSDataSourceReadWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn) {
- SOSEngineDoOnQueue(engine, ^{
- SOSPeerRef peer = SOSEngineCopyPeerWithID_locked(engine, peerID, error);
- if (peer) {
- SOSCoderRef coder = SOSEngineGetCoder_locked(engine, peerID, NULL);
- forPeer(txn, peer, coder);
- CFRelease(peer);
- } else {
- ok = false;
- }
- });
- });
-
- return ok;
-}
-
bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState)) {
__block bool result = true;
result &= SOSEngineDoTxnOnQueue(engine, error, ^(SOSTransactionRef txn, bool *commit) {
CFDataRef SOSEngineCreateMessageToSyncToPeer(SOSEngineRef engine, CFStringRef peerID, SOSEnginePeerMessageSentBlock *sentBlock, CFErrorRef *error) {
__block CFDataRef message = NULL;
- SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) {
+ SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer) {
message = SOSEngineCreateMessage_locked(engine, txn, peer, error, sentBlock);
});
return message;
CFDataRef keybagDigest, CFDataRef manifestData, CFErrorRef *error) {
__block bool ok = true;
- ok &= SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) {
+ ok &= SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) {
bool dirty = false;
bool incomplete = false;
SOSManifestRef confirmed = NULL;
SOSPeerRef SOSEngineCopyPeerWithID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error);
// Operate on a peer with a given peer_id under the engine lock
-bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder));
-bool SOSEngineForPeerIDNoCoder(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer));
+bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer));
// Modify a peer inside a transaction under then engine lock and optionally force an engine state save when done.
bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState));
// Private do not use!
SOSDataSourceRef SOSEngineGetDataSource(SOSEngineRef engine);
bool SOSTestEngineSaveWithDER(SOSEngineRef engine, CFDataRef derState, CFErrorRef *error);
+bool SOSTestEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
+bool TestSOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
// MARK: Sync completion notification registration
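Review bot: The two test hooks declared here are named in opposite orders, `SOSTestEngineSaveCoders` and `TestSOSEngineLoadCoders`, while the existing hook beside them is `SOSTestEngineSaveWithDER`. Renaming the second to `SOSTestEngineLoadCoders` keeps one prefix for test-only entry points and makes them easy to search for. Both wrappers export the static save and load routines unchanged, so a comment above the pair such as `// Test-only: calls the coder save/load routines directly` would make clear they are not meant for production callers.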
--- /dev/null
+//
+// SOSEnginePriv.h
+// sec
+//
+//
+
+#ifndef SOSEnginePriv_h
+#define SOSEnginePriv_h
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <CoreFoundation/CFRuntime.h>
+#include <Security/SecureObjectSync/SOSEngine.h>
+
+/* SOSEngine implementation. */
+struct __OpaqueSOSEngine {
+ CFRuntimeBase _base;
+ SOSDataSourceRef dataSource;
+ CFStringRef myID; // My peerID in the circle
+ // We need to address the issues of corrupt keychain items
+ SOSManifestRef unreadable; // Possibly by having a set of unreadable items, to which we
+ // add any corrupted items in the db that have yet to be deleted.
+ // This happens if we notce corruption during a (read only) query.
+ // We would also perma-subtract unreadable from manifest whenever
+ // anyone asked for manifest. This result would be cached in
+ // The manifestCache below, so we just need a key into the cache
+ CFDataRef localMinusUnreadableDigest; // or a digest (CFDataRef of the right size).
+
+ CFMutableDictionaryRef manifestCache; // digest -> ( refcount, manifest )
+ CFMutableDictionaryRef peerMap; // peerId -> SOSPeerRef
+ CFDictionaryRef viewNameSet2ChangeTracker; // CFSetRef of CFStringRef -> SOSChangeTrackerRef
+ CFDictionaryRef viewName2ChangeTracker; // CFStringRef -> SOSChangeTrackerRef
+ CFArrayRef peerIDs;
+ CFDateRef lastTraceDate; // Last time we did a CloudKeychainTrace
+ CFMutableDictionaryRef coders;
+ bool haveLoadedCoders;
+
+ bool codersNeedSaving;
+
+ dispatch_queue_t queue; // Engine queue
+
+ dispatch_source_t save_timer; // Engine state save timer
+ bool save_timer_pending; // Engine state timer running, read/modify on engine queue
+
+ dispatch_queue_t syncCompleteQueue; // Non-retained queue for async notificaion
+ SOSEnginePeerInSyncBlock syncCompleteListener; // Block to call to notify the listener.
+};
+
+#endif /* SOSEnginePriv_h */
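Review bot: `struct __OpaqueSOSEngine` moves into this header with `save_timer` and `save_timer_pending` still in it, although the same change deletes `SOSEngineShouldSave`, their only user visible in this diff. If nothing outside the diff touches them they can be dropped as `dirty` was; otherwise a comment naming the remaining user would help. The header also lets any including file write engine fields directly (the transport code now sets `engine->codersNeedSaving`), so a short header comment stating which queue or lock must be held when touching them would record the rule that the `_locked` functions presumably rely on.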
#include <Security/SecureObjectSync/SOSCoder.h>
#include <Security/SecureObjectSync/SOSAccount.h>
#include <Security/SecureObjectSync/SOSEngine.h>
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
#include <utilities/debugging.h>
#include <utilities/SecCFWrappers.h>
bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error) {
bool ok = false;
+ secnotice("transport", "coder state: %@", coder);
require_action_quiet(coder, xit, secerror("%@ getCoder: %@", peer_id, error ? *error : NULL));
if (SOSCoderCanWrap(coder)) {
secnotice("transport", "%@ SOSCoderWrap failed: %@", peer_id, *error);
} else {
CFRetainAssign(*message_to_send, codedMessage);
+ engine->codersNeedSaving = true;
}
CFReleaseNull(codedMessage);
} else {
CFReleaseNull(message);
} else {
*message_to_send = SOSCoderCopyPendingResponse(coder);
+ engine->codersNeedSaving = true;
secinfo("transport", "%@ negotiating, %@", peer_id, message_to_send ? CFSTR("sending negotiation message.") : CFSTR("waiting for negotiation message."));
*sent = Block_copy(^(bool wasSent){
if (wasSent)
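Review bot: In the negotiation branch the `secinfo` line tests `message_to_send`, which is the `CFDataRef *` out-parameter rather than the data it points to, so the log always reports "sending negotiation message." even when `SOSCoderCopyPendingResponse` returned NULL. Testing the pointee fixes the message: `*message_to_send ? CFSTR("sending negotiation message.") : CFSTR("waiting for negotiation message.")`. The added `engine->codersNeedSaving = true;` just above it is likewise set when there is no pending response; if the coder is unchanged in that case, the flag could be set under the same test. The function body continues outside the hunk.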
__block bool ok = true;
SOSEngineRef engine = SOSTransportMessageGetEngine(transport);
- ok &= SOSEngineForPeerID(engine, peer_id, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) {
- // Now under engine lock do stuff
- CFDataRef message_to_send = NULL;
- SOSEnginePeerMessageSentBlock sent = NULL;
- ok = SOSPeerCoderSendMessageIfNeeded(engine, txn, peer, coder, &message_to_send, circle_id, peer_id, &sent, error);
- if (message_to_send) {
- CFDictionaryRef peer_dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
- peer_id, message_to_send,
- NULL);
- CFDictionaryRef circle_peers = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
- circle_id, peer_dict,
- NULL);
- ok = ok && SOSTransportMessageSendMessages(transport, circle_peers, error);
-
- SOSPeerCoderConsume(&sent, ok);
-
- CFReleaseSafe(peer_dict);
- CFReleaseSafe(circle_peers);
- }
+ ok &= SOSEngineWithPeerID(engine, peer_id, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) {
+ // Now under engine lock do stuff
+ CFDataRef message_to_send = NULL;
+ SOSEnginePeerMessageSentBlock sent = NULL;
+ ok = SOSPeerCoderSendMessageIfNeeded(engine, txn, peer, coder, &message_to_send, circle_id, peer_id, &sent, error);
+ if (message_to_send) {
+ CFDictionaryRef peer_dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
+ peer_id, message_to_send,
+ NULL);
+ CFDictionaryRef circle_peers = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
+ circle_id, peer_dict,
+ NULL);
+ ok = ok && SOSTransportMessageSendMessages(transport, circle_peers, error);
+
+ SOSPeerCoderConsume(&sent, ok);
+
+ CFReleaseSafe(peer_dict);
+ CFReleaseSafe(circle_peers);
+ }else{
+ secnotice("transport", "no message to send to peer: %@", peer_id);
+ }
+
+ Block_release(sent);
+ CFReleaseSafe(message_to_send);
- Block_release(sent);
- CFReleaseSafe(message_to_send);
+ *forceSaveState = ok;
});
+
return ok;
}
#define SOSTransportMessage_h
#include <Security/SecureObjectSync/SOSAccount.h>
-#include <Security/SecureObjectSync/SOSEngine.h> // TODO: Remove when SOSEnginePeerMessageSentBlock moves to SOSPeer.h
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
#include <CoreFoundation/CFRuntime.h>
typedef struct __OpaqueSOSTransportMessage *SOSTransportMessageRef;
" -i info (current status)\n"
" -D [itemName] dump contents of KVS\n"
" -L list all known view and their status\n"
+ " -M string place a mark in the syslog - category \"mark\"\n"
"\n",
"iCloud Keychain Logging")
}
return keystore;
}
+#define DATA_ARG(x) (x) ? CFDataGetBytePtr((x)) : NULL, (x) ? (int)CFDataGetLength((x)) : 0
static CFDataRef create_keybag(keybag_handle_t bag_type, CFDataRef password)
{
kernResult = IOConnectCallMethod(keystore,
kAppleKeyStoreKeyBagCreate,
- inputs, num_inputs, NULL, 0,
+ inputs, num_inputs, DATA_ARG(password),
outputs, &num_outputs, NULL, 0);
if (kernResult) {
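Review bot: The `DATA_ARG` macro added above `create_keybag` narrows the password length with `(int)CFDataGetLength((x))`, but the value lands in the `inputStructCnt` parameter of `IOConnectCallMethod`, which is a `size_t`. A length that does not fit in `int` would be truncated or sign-extended before the kernel call sees it. Casting straight to the destination type avoids that: `#define DATA_ARG(x) ((x) ? CFDataGetBytePtr((x)) : NULL), ((x) ? (size_t)CFDataGetLength((x)) : 0)`. The macro also expands to two call arguments and evaluates `x` four times, which deserves a one-line comment such as `/* expands to (pointer, length); pass a plain variable only */`. The body of `create_keybag` continues outside this hunk, so how `password` is validated before the call is not visible here.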
#include "Security_regressions.h"
-#if !TARGET_OS_WATCH && !TARGET_OS_TV
+#if TARGET_OS_IOS
#define WAIT_WHILE(X) { while ((X)) { (void)CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, TRUE); } }
int si_76_shared_credentials(int argc, char *const *argv)
{
-#if !TARGET_OS_WATCH && !TARGET_OS_TV
+#if TARGET_OS_IOS
plan_tests(12);
tests();
#else
--- /dev/null
+/*
+ * si-84-sectrust-allowlist.c
+ * Security
+ *
+ * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved.
+ */
+
+#include <AssertMacros.h>
+#import <Foundation/Foundation.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecPolicyPriv.h>
+#include <utilities/SecCFRelease.h>
+#include <AssertMacros.h>
+
+#include "shared_regressions.h"
+
+#include "si-84-sectrust-allowlist/cnnic_certs.h"
+#include "si-84-sectrust-allowlist/wosign_certs.h"
+#include "si-84-sectrust-allowlist/date_testing_certs.h"
+
+
+static SecCertificateRef createCertFromStaticData(const UInt8 *certData, CFIndex certLength)
+{
+ SecCertificateRef cert = NULL;
+ CFDataRef data = CFDataCreateWithBytesNoCopy(NULL, certData, certLength, kCFAllocatorNull);
+ if (data) {
+ cert = SecCertificateCreateWithData(NULL, data);
+ CFRelease(data);
+ }
+ return cert;
+}
+
+static void TestLeafOnAllowList()
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ CFArrayRef certArray = NULL;
+ CFArrayRef anchorsArray = NULL;
+
+ isnt(certs[0] = createCertFromStaticData(leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)),
+ NULL, "allowlist: create leaf cert");
+ isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+ NULL, "allowlist: create intermediate ca 1");
+ isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+ NULL, "allowlist: create intermediate ca 2");
+ isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+ NULL, "allowlist: create root");
+
+ isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create cert array");
+
+ /* create a trust reference with basic policy */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "allowlist: create policy");
+ ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "allowlist: create trust");
+
+ /* set evaluate date: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "allowlist: create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "allowlist: set verify date");
+
+ /* use a known root CA at this point in time to anchor the chain */
+ isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create anchors array");
+ ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "allowlist: set anchors");
+
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ ok_status(SecTrustEvaluate(trust, &trustResult), "allowlist: evaluate");
+
+ /* expected result is kSecTrustResultUnspecified since cert is on allow list and its issuer chains to a trusted root */
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+
+ /* clean up */
+ for(CFIndex idx=0; idx < 4; idx++) {
+ if (certs[idx]) { CFRelease(certs[idx]); }
+ }
+ if (policy) { CFRelease(policy); }
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+ if (certArray) { CFRelease(certArray); }
+ if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestLeafNotOnAllowList()
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ CFArrayRef certArray = NULL;
+ CFArrayRef anchorsArray = NULL;
+
+ isnt(certs[0] = createCertFromStaticData(leafNotOnAllowList_Cert, sizeof(leafNotOnAllowList_Cert)),
+ NULL, "!allowlist: create leaf cert");
+ isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+ NULL, "!allowlist: create intermediate ca 1");
+ isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+ NULL, "!allowlist: create intermediate ca 2");
+ isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+ NULL, "!allowlist: create root");
+
+ isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+ NULL, "!allowlist: create cert array");
+
+ /* create a trust reference with basic policy */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "!allowlist: create policy");
+ ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "!allowlist: create trust");
+
+ /* set evaluate date: September 7, 2016 at 9:00:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495000000.0), NULL, "!allowlist: create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "!allowlist: set verify date");
+
+ /* use a known root CA at this point in time to anchor the chain */
+ isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create anchors array");
+ ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "!allowlist: set anchors");
+
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ ok_status(SecTrustEvaluate(trust, &trustResult), "!allowlist: evaluate");
+
+ /* expected result is kSecTrustResultRecoverableTrustFailure (if issuer is distrusted)
+ or kSecTrustResultFatalTrustFailure (if issuer is revoked), since cert is not on allow list */
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure ||
+ trustResult == kSecTrustResultFatalTrustFailure,
+ "trustResult 5 or 6 expected (got %d)", (int)trustResult);
+
+ /* clean up */
+ for(CFIndex idx=0; idx < 4; idx++) {
+ if (certs[idx]) { CFRelease(certs[idx]); }
+ }
+ if (policy) { CFRelease(policy); }
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+ if (certArray) { CFRelease(certArray); }
+ if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestAllowListForRootCA(void)
+{
+ SecCertificateRef test0[2] = {NULL,NULL};
+ SecCertificateRef test1[2] = {NULL,NULL};
+ SecCertificateRef test1e[2] = {NULL,NULL};
+ SecCertificateRef test2[2] = {NULL,NULL};
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ SecTrustResultType trustResult;
+
+ isnt(test0[0] = createCertFromStaticData(cert0, sizeof(cert0)),
+ NULL, "create first leaf");
+ isnt(test1[0] = createCertFromStaticData(cert1, sizeof(cert1)),
+ NULL, "create second leaf");
+ isnt(test1e[0] = createCertFromStaticData(cert1_expired, sizeof(cert1_expired)),
+ NULL, "create second leaf (expired)");
+ isnt(test2[0] = createCertFromStaticData(cert2, sizeof(cert2)),
+ NULL, "create third leaf");
+
+ isnt(test0[1] = createCertFromStaticData(intermediate0, sizeof(intermediate0)),
+ NULL, "create intermediate");
+ isnt(test1[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+ NULL, "create intermediate");
+ isnt(test1e[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+ NULL, "create intermediate");
+ isnt(test2[1] = createCertFromStaticData(intermediate2, sizeof(intermediate2)),
+ NULL, "create intermediate");
+
+ CFArrayRef certs0 = CFArrayCreate(kCFAllocatorDefault, (const void **)test0, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs1 = CFArrayCreate(kCFAllocatorDefault, (const void **)test1, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs1e = CFArrayCreate(kCFAllocatorDefault, (const void **)test1e, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs2 = CFArrayCreate(kCFAllocatorDefault, (const void **)test2, 2, &kCFTypeArrayCallBacks);
+
+ /*
+ * Whitelisted certificates issued by untrusted root CA.
+ */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy");
+ ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ ok_status(SecTrustCreateWithCertificates(certs2, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ /*
+ * Same certificate, on allow list but past expiration. Expect to fail.
+ */
+ if (date) { CFRelease(date); }
+ isnt(date = CFDateCreate(NULL, 667680000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set date to far future so certs are expired");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ /*
+ * Expired certificate not on allow list. Expect to fail.
+ */
+ ok_status(SecTrustCreateWithCertificates(certs1e, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+
+ /* Clean up. */
+ if (policy) { CFRelease(policy); }
+ if (certs0) { CFRelease(certs0); }
+ if (certs1) { CFRelease(certs1); }
+ if (certs1e) { CFRelease(certs1e); }
+ if (certs2) { CFRelease(certs2); }
+
+ if (test0[0]) { CFRelease(test0[0]); }
+ if (test0[1]) { CFRelease(test0[1]); }
+ if (test1[0]) { CFRelease(test1[0]); }
+ if (test1[1]) { CFRelease(test1[1]); }
+ if (test1e[0]) { CFRelease(test1e[0]); }
+ if (test1e[1]) { CFRelease(test1e[1]); }
+ if (test2[0]) { CFRelease(test2[0]); }
+ if (test2[1]) { CFRelease(test2[1]); }
+}
+
+static void TestDateBasedAllowListForRootCA(void) {
+ SecCertificateRef root = NULL, beforeInt = NULL, afterInt = NULL,
+ beforeLeaf = NULL, afterLeaf = NULL;
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ NSArray *anchors = nil, *certs = nil;
+ NSDate *verifyDate = nil;
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+
+ require(root = SecCertificateCreateWithBytes(NULL, _datetest_root, sizeof(_datetest_root)), out);
+ require(beforeInt = SecCertificateCreateWithBytes(NULL, _datetest_before_int, sizeof(_datetest_before_int)), out);
+ require(afterInt = SecCertificateCreateWithBytes(NULL, _datetest_after_int, sizeof(_datetest_after_int)), out);
+ require(beforeLeaf = SecCertificateCreateWithBytes(NULL, _datetest_before_leaf, sizeof(_datetest_before_leaf)), out);
+ require(afterLeaf = SecCertificateCreateWithBytes(NULL, _datetest_after_leaf, sizeof(_datetest_after_leaf)), out);
+
+ anchors = @[(__bridge id)root];
+ require(policy = SecPolicyCreateSSL(true, CFSTR("testserver.apple.com")), out);
+ verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:504000000.0]; /* 21 Dec 2016 */
+
+ /* Leaf issued before cutoff should pass */
+ certs = @[(__bridge id)beforeLeaf, (__bridge id)beforeInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultUnspecified, "leaf issued before cutoff failed evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Leaf issued after cutoff should fail */
+ certs = @[(__bridge id)afterLeaf, (__bridge id)beforeInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "leaf issued after cutoff succeeded evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Intermediate issued after cutoff should fail (even for leaf issued before) */
+ certs = @[(__bridge id)beforeLeaf, (__bridge id)afterInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "intermediate issued after cutoff succeeded evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Intermediate issued after cutoff should fail */
+ certs = @[(__bridge id)afterLeaf, (__bridge id)afterInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "intermediate issued before cutoff succeeded evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Leaf issued before cutoff should choose acceptable path */
+ certs = @[(__bridge id)beforeLeaf, (__bridge id) afterInt, (__bridge id)beforeInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultUnspecified, "leaf issued before cutoff failed evaluation (multi-path)");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* No good path for leaf issued after cutoff */
+ certs = @[(__bridge id)afterLeaf, (__bridge id)beforeInt, (__bridge id)afterInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "leaf issued after cutoff succeeded evaluation (multi-path)");
+
+out:
+ CFReleaseNull(root);
+ CFReleaseNull(beforeInt);
+ CFReleaseNull(afterInt);
+ CFReleaseNull(beforeLeaf);
+ CFReleaseNull(afterLeaf);
+ CFReleaseNull(policy);
+ CFReleaseNull(trust);
+}
+
+static void TestLeafOnAllowListOtherFailures(void)
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ NSArray *anchors = nil, *certArray = nil;
+ NSDate *verifyDate = nil;
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+
+ memset(certs, 0, 4 * sizeof(SecCertificateRef));
+
+ require(certs[0] = SecCertificateCreateWithBytes(NULL, leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)), out);
+ require(certs[1] = SecCertificateCreateWithBytes(NULL, ca1_Cert, sizeof(ca1_Cert)), out);
+ require(certs[2] = SecCertificateCreateWithBytes(NULL, ca2_Cert, sizeof(ca2_Cert)), out);
+ require(certs[3] = SecCertificateCreateWithBytes(NULL, root_Cert, sizeof(root_Cert)), out);
+
+ anchors = @[(__bridge id)certs[3]];
+ certArray = @[(__bridge id)certs[0], (__bridge id)certs[1], (__bridge id)certs[2], (__bridge id)certs[3]];
+ verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:495405000.0];
+
+ /* Mismatched hostname, should fail */
+ require(policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)@"wrong.hostname.com"), out);
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certArray, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultRecoverableTrustFailure, "hostname failure with cert on allow list succeeded evaluation");
+ CFReleaseNull(policy);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Wrong EKU, should fail */
+ require(policy = SecPolicyCreateCodeSigning(), out);
+ require_noerr(SecTrustSetPolicies(trust, policy), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultRecoverableTrustFailure, "EKU failure with cert on allow list succeeded evaluation");
+ CFReleaseNull(policy);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Apple pinning policy, should fail */
+ require(policy = SecPolicyCreateAppleSSLPinned((__bridge CFStringRef)@"aPolicy",
+ (__bridge CFStringRef)@"telegram.im", NULL,
+ (__bridge CFStringRef)@"1.2.840.113635.100.6.27.12"), out);
+ require_noerr(SecTrustSetPolicies(trust, policy), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultRecoverableTrustFailure, "Apple pinning policy with cert on allow list succeeded evaluation");
+
+ out:
+ CFReleaseNull(certs[0]);
+ CFReleaseNull(certs[1]);
+ CFReleaseNull(certs[2]);
+ CFReleaseNull(certs[3]);
+ CFReleaseNull(policy);
+ CFReleaseNull(trust);
+}
+
+static void tests(void)
+{
+ TestAllowListForRootCA();
+ TestLeafOnAllowList();
+ TestLeafNotOnAllowList();
+ TestDateBasedAllowListForRootCA();
+ TestLeafOnAllowListOtherFailures();
+}
+
+int si_84_sectrust_allowlist(int argc, char *const *argv)
+{
+ plan_tests(68);
+ tests();
+
+ return 0;
+}
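Review bot: In `TestAllowListForRootCA`, `trustResult` is declared without an initial value and is never reset between the five evaluations. If a `SecTrustEvaluate` call fails without writing its result, the previous case's value stays in place and the next `ok(trustResult == kSecTrustResultUnspecified, …)` can pass on stale data. Declare it as `SecTrustResultType trustResult = kSecTrustResultInvalid;` and add `trustResult = kSecTrustResultInvalid;` before each new trust object, as `TestDateBasedAllowListForRootCA` already does. The same function releases `trust` with `if (trust) { CFRelease(trust); }` and then reuses the variable. `CFReleaseNull(trust);` would avoid a dangling reference and a second release if the following `SecTrustCreateWithCertificates` fails without overwriting it.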
--- /dev/null
+/*
+ * cnnic_certs.h
+ * Security
+ *
+ * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved.
+ */
+
+#ifndef cnnic_certs_h
+#define cnnic_certs_h
+
+
+/* On allow list until:
+ Not After : Mar 9 07:45:00 2018 GMT
+ */
+static const UInt8 cert0[] = {
+ 0x30,0x82,0x05,0x44,0x30,0x82,0x04,0x2c,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
+ 0x9d,0x12,0x4b,0xdb,0x57,0xb7,0x9f,0xba,0x33,0xf6,0x44,0xd9,0x10,0x40,0x48,0x4c,
+ 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30,
+ 0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,
+ 0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,
+ 0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x31,0x19,0x30,0x17,0x06,0x03,0x55,
+ 0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,
+ 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x35,0x30,0x33,0x30,0x39,0x30,0x37,
+ 0x34,0x35,0x30,0x30,0x5a,0x17,0x0d,0x31,0x38,0x30,0x33,0x30,0x39,0x30,0x37,0x34,
+ 0x35,0x30,0x30,0x5a,0x30,0x79,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
+ 0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x53,0x17,
+ 0x4e,0xac,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x07,0x1e,0x04,0x53,0x17,0x4e,
+ 0xac,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x0a,0x1e,0x1a,0x53,0x17,0x4e,0xac,
+ 0x74,0x5e,0x94,0xb1,0x5b,0x9d,0x4f,0xe1,0x60,0x6f,0x67,0x0d,0x52,0xa1,0x67,0x09,
+ 0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x0b,0x1e,
+ 0x06,0x7f,0x51,0x7e,0xdc,0x90,0xe8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,
+ 0x13,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x30,
+ 0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,
+ 0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,
+ 0xfc,0x09,0x73,0x1d,0x18,0x75,0xbd,0x7f,0xf5,0xce,0x9e,0x6e,0x26,0x1c,0xbd,0xca,
+ 0xc7,0x1b,0x75,0x45,0x13,0x1e,0xe4,0x52,0x7e,0x78,0xe9,0x1c,0x79,0xa1,0x02,0xd8,
+ 0x3d,0xc6,0xc5,0x6f,0x7b,0xbd,0xae,0xc7,0x3b,0xe6,0x45,0xc2,0xe9,0xc9,0x32,0x2d,
+ 0xd4,0xda,0x7a,0x93,0x79,0x30,0xce,0xec,0x6f,0xf5,0x0d,0x2d,0xde,0xa4,0xce,0xbd,
+ 0x40,0xfb,0xda,0x7d,0x48,0x7d,0x98,0x02,0x17,0x75,0x99,0x65,0x68,0x1c,0xbb,0x92,
+ 0x29,0x16,0xdc,0xc6,0x1d,0x1d,0x19,0x1b,0x94,0x17,0x6e,0x93,0xd8,0x57,0xaa,0x00,
+ 0xf9,0xa2,0x37,0x9a,0xde,0x65,0xc2,0xce,0xa5,0xae,0x80,0xa7,0x56,0xab,0x8c,0xc8,
+ 0x6a,0x3d,0xbe,0x86,0xe1,0x13,0x69,0x41,0x4b,0xe9,0xfa,0xd9,0xa5,0x63,0x8f,0xba,
+ 0x02,0x15,0x09,0xca,0xf9,0x27,0x0f,0xea,0x90,0x4f,0x5d,0xa5,0x66,0x51,0xad,0xc8,
+ 0xff,0x2d,0xf3,0xd4,0x7c,0xd3,0x06,0xe8,0xc2,0xdc,0x08,0x63,0x3d,0x69,0xb6,0x89,
+ 0x5f,0x3f,0x9c,0xdc,0x21,0xa8,0xbd,0x0a,0xbe,0xc2,0x0e,0x08,0x06,0x05,0xb7,0x46,
+ 0x96,0xec,0x08,0x5c,0xb9,0xef,0xfa,0x4b,0xd1,0x60,0x10,0xac,0xc8,0x88,0xbf,0xb7,
+ 0xb1,0xb1,0x7a,0x55,0xdd,0xd9,0x96,0x06,0x5b,0xfb,0xc2,0xa5,0xd4,0x9c,0xde,0x24,
+ 0x0c,0x7e,0x22,0x59,0xb0,0xa6,0x7a,0xc7,0x18,0x02,0x6c,0x1a,0x21,0x8c,0x79,0x8a,
+ 0xc5,0xbb,0x10,0x54,0x1b,0x77,0x04,0xcf,0x46,0x60,0x36,0x42,0xfb,0x8a,0x13,0xf7,
+ 0xa0,0xd6,0x03,0x33,0xb6,0xc4,0x1e,0x08,0x58,0x5d,0xb3,0xd3,0xc3,0x6c,0x0e,0x9f,
+ 0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xfb,0x30,0x82,0x01,0xf7,0x30,0x09,0x06,
+ 0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x73,0x06,0x08,0x2b,0x06,0x01,0x05,
+ 0x05,0x07,0x01,0x01,0x04,0x67,0x30,0x65,0x30,0x28,0x06,0x08,0x2b,0x06,0x01,0x05,
+ 0x05,0x07,0x30,0x01,0x86,0x1c,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,
+ 0x70,0x73,0x68,0x61,0x32,0x73,0x73,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,
+ 0x6e,0x2f,0x30,0x39,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x2d,
+ 0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,
+ 0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,
+ 0x74,0x2f,0x53,0x48,0x41,0x32,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x36,0x06,
+ 0x03,0x55,0x1d,0x11,0x04,0x2f,0x30,0x2d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,
+ 0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,
+ 0x71,0x62,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,0x71,
+ 0x74,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,
+ 0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x50,0x0e,0x94,
+ 0x7e,0x68,0x20,0x2d,0x95,0x58,0x3f,0x8f,0x51,0xa6,0xdd,0x5a,0xb9,0xef,0xfe,0xf0,
+ 0x50,0x30,0x1d,0x06,0x03,0x55,0x1d,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2b,0x06,
+ 0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02,
+ 0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xb7,0xd1,0x59,
+ 0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,
+ 0x3c,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,
+ 0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x01,0x30,0x26,0x30,0x24,0x06,0x08,
+ 0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,
+ 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,
+ 0x73,0x2f,0x30,0x81,0x8f,0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x87,0x30,0x81,0x84,
+ 0x30,0x4d,0xa0,0x4b,0xa0,0x49,0xa4,0x47,0x30,0x45,0x31,0x0b,0x30,0x09,0x06,0x03,
+ 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,
+ 0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,
+ 0x53,0x4c,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,0x63,0x72,0x6c,
+ 0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,0x6c,0x31,0x30,
+ 0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,0x72,
+ 0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,
+ 0x6f,0x61,0x64,0x2f,0x73,0x68,0x61,0x32,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,
+ 0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
+ 0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x26,0xa8,0x7c,0x88,0x57,0xb7,0xe2,0xa0,
+ 0xf5,0x55,0xbb,0x93,0xa1,0xea,0xc2,0x0a,0x82,0xa1,0x82,0x3d,0xe1,0x85,0xfe,0x26,
+ 0x95,0x5f,0x16,0x13,0x88,0x87,0x2d,0x6f,0xbe,0x0a,0xe8,0xe7,0x04,0xcd,0xa5,0x9e,
+ 0xac,0x69,0xd5,0xa0,0x81,0x27,0x91,0xdc,0xcd,0xa6,0xbd,0x62,0x0c,0x67,0x3f,0x39,
+ 0xdf,0x23,0xa8,0xf5,0xd5,0xb6,0xa8,0x14,0x93,0x80,0x0b,0x17,0x04,0xbd,0x0a,0x75,
+ 0x74,0x34,0x26,0xf6,0x46,0x82,0x34,0x1d,0x26,0x06,0x43,0x2a,0xd8,0xff,0x0e,0xf1,
+ 0xf0,0xf1,0x74,0x8b,0x17,0x9a,0x6d,0x24,0x90,0x8d,0x35,0x69,0xc4,0xff,0xf7,0x6a,
+ 0x81,0x00,0x27,0x11,0xd5,0xc7,0xc4,0xac,0x98,0x15,0x20,0xe7,0x90,0x8a,0xb7,0x3d,
+ 0xdf,0xbf,0x18,0x7f,0x7c,0xa7,0x38,0x42,0xa7,0xe2,0x94,0xda,0xcb,0xb5,0x84,0x67,
+ 0x9d,0x82,0x37,0x58,0xa0,0x7f,0x06,0xcb,0xf5,0x3b,0x22,0x8f,0x54,0x19,0x8e,0xad,
+ 0x82,0x14,0xf3,0x8f,0xcd,0x55,0x93,0xb6,0xa7,0xdb,0xf5,0x25,0xd9,0x04,0x7c,0x69,
+ 0xc7,0x08,0x7e,0x32,0xcb,0xce,0x9d,0xb2,0x45,0x25,0x61,0x6b,0x7b,0xd3,0xb0,0x2a,
+ 0xd1,0xa8,0x1c,0xab,0x5b,0x3f,0x1d,0x8f,0xbd,0x46,0xb8,0x0d,0x33,0x4b,0xc9,0x3b,
+ 0x94,0x7f,0xa8,0x28,0x0f,0xa8,0xb7,0xbc,0x0d,0xcf,0xf7,0x7e,0xc1,0xcf,0xc7,0xf2,
+ 0x2f,0x1d,0x77,0xe4,0xdc,0x15,0xb0,0x42,0x0c,0x4d,0xd2,0x8d,0x6e,0x58,0x31,0x5b,
+ 0x5f,0xc9,0x4f,0x43,0x53,0x76,0x7b,0x2a,0xd6,0x65,0x93,0x28,0xb4,0xb8,0xdc,0x3c,
+ 0x3c,0x03,0xcc,0x5e,0x9f,0x52,0x28,0x9a,
+};
+
+/* On allow list until:
+ Not After : Dec 24 08:34:15 2016 GMT
+ */
+static const UInt8 cert1[1475]={
+ 0x30,0x82,0x05,0xBF,0x30,0x82,0x04,0xA7,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x1A,
+ 0x2F,0xDD,0xD9,0x35,0x3B,0x65,0xEE,0x1B,0xB4,0x66,0x19,0x4D,0xF3,0x10,0xE1,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x58,
+ 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,
+ 0x30,0x06,0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,
+ 0x74,0x65,0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,
+ 0x6E,0x66,0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,
+ 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0C,0x0C,0x43,0x4E,0x4E,0x49,
+ 0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x32,
+ 0x32,0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x17,0x0D,0x31,0x36,0x31,0x32,0x32,
+ 0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x30,0x81,0xF3,0x31,0x1B,0x30,0x19,0x06,
+ 0x03,0x55,0x04,0x0F,0x13,0x12,0x56,0x31,0x2E,0x30,0x2C,0x20,0x43,0x6C,0x61,0x75,
+ 0x73,0x65,0x20,0x35,0x2E,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,
+ 0x05,0x13,0x0F,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x33,0x39,0x33,0x39,
+ 0x35,0x39,0x31,0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,
+ 0x02,0x01,0x03,0x13,0x02,0x43,0x4E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,
+ 0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,0x13,0x07,0x53,0x69,0x63,0x68,0x75,0x61,
+ 0x6E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,
+ 0x01,0x01,0x13,0x07,0x63,0x68,0x65,0x6E,0x67,0x44,0x75,0x31,0x0B,0x30,0x09,0x06,
+ 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,
+ 0x08,0x1E,0x04,0x56,0xDB,0x5D,0xDD,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x07,
+ 0x1E,0x04,0x62,0x10,0x90,0xFD,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0A,0x1E,
+ 0x14,0x56,0xDB,0x5D,0xDD,0x9E,0x4F,0x59,0x29,0x62,0x95,0x8D,0x44,0x67,0x09,0x96,
+ 0x50,0x51,0x6C,0x53,0xF8,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x0B,0x1E,0x06,
+ 0x62,0x80,0x67,0x2F,0x90,0xE8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,
+ 0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x82,
+ 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,
+ 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0x99,
+ 0x31,0x25,0x93,0xE0,0x9A,0x65,0x36,0xCC,0x16,0x86,0xAF,0xBF,0x0D,0x2D,0x0B,0xE6,
+ 0x9A,0xD5,0x00,0x89,0xAD,0x6B,0x49,0x59,0x10,0x74,0x3A,0xA7,0x4F,0xEB,0xBD,0xC0,
+ 0xEE,0x46,0x1A,0x4E,0x9B,0x96,0x20,0xD7,0x2C,0xF8,0x93,0x5C,0x2A,0xAF,0x57,0x15,
+ 0x0C,0x57,0x3A,0xD0,0x25,0x92,0x2E,0x18,0xB4,0xDF,0xD8,0x3E,0xA2,0xC0,0xC6,0x5E,
+ 0x7A,0xD1,0xDA,0xAD,0x99,0x12,0x24,0x04,0xA1,0x42,0x5A,0xB0,0x42,0x3A,0x4F,0x02,
+ 0xDE,0x8A,0x55,0xD7,0xB0,0x24,0x97,0x62,0xF9,0x95,0x70,0xFA,0xA8,0x81,0xFC,0x3A,
+ 0xB5,0xA0,0x94,0x8E,0x42,0x89,0xF9,0x15,0x4B,0x06,0xD8,0xA1,0xC7,0xB0,0xC8,0x94,
+ 0x03,0x57,0xF0,0x01,0xDB,0x0D,0x85,0xFD,0xA1,0xCD,0x1D,0x3C,0xF5,0x14,0x6C,0x79,
+ 0x46,0xCF,0x00,0x3A,0x6C,0x74,0xD9,0x79,0xFD,0x9C,0xD9,0x61,0x7D,0x84,0x4F,0x82,
+ 0x2A,0x40,0x00,0x58,0x2C,0xF0,0x3A,0xDF,0xD4,0x8A,0x39,0x24,0x5C,0xB1,0xA6,0xAD,
+ 0x02,0x4C,0x16,0xCE,0x82,0xE6,0x22,0x32,0xC2,0x2A,0x93,0x94,0x25,0x5D,0x42,0xF9,
+ 0xD2,0x2B,0xD5,0x9F,0xDB,0x45,0x51,0xE4,0x0E,0xD4,0x48,0x12,0xB1,0x67,0xF4,0x6D,
+ 0x91,0x86,0xBC,0xFB,0xC6,0xE6,0xA0,0x7F,0x2B,0x8F,0xFB,0x67,0xEA,0x5D,0xAB,0x73,
+ 0xDD,0x9D,0x40,0xFA,0xF7,0xDC,0xDE,0x48,0x20,0x47,0x32,0xC0,0xD1,0x98,0x4F,0x81,
+ 0xDF,0xAF,0x96,0xDB,0x83,0xEE,0xC5,0x3A,0x4E,0x67,0xE1,0xF4,0x83,0x27,0x46,0x0D,
+ 0x78,0xB1,0xC6,0x42,0xEF,0xD9,0x76,0xD3,0xAC,0x7C,0x5A,0xF8,0x09,0xCF,0x0B,0x02,
+ 0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0xE7,0x30,0x82,0x01,0xE3,0x30,0x09,0x06,0x03,
+ 0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
+ 0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
+ 0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,
+ 0x65,0x76,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x30,0x3C,0x06,0x08,0x2B,
+ 0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
+ 0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,
+ 0x6E,0x6C,0x6F,0x61,0x64,0x2F,0x63,0x65,0x72,0x74,0x2F,0x43,0x4E,0x4E,0x49,0x43,
+ 0x45,0x56,0x53,0x53,0x4C,0x2E,0x63,0x65,0x72,0x30,0x18,0x06,0x03,0x55,0x1D,0x11,
+ 0x04,0x11,0x30,0x0F,0x82,0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,
+ 0x63,0x6F,0x6D,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,
+ 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x04,0x26,0xBE,0x73,0x88,
+ 0x8C,0xF6,0x64,0xBA,0xBB,0x09,0x34,0x7A,0x09,0xF9,0x51,0x57,0x43,0x8D,0x86,0x30,
+ 0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,
+ 0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,
+ 0x14,0x0C,0xCF,0xB4,0x48,0x2C,0x50,0xE8,0x8B,0xD2,0x72,0xFD,0x1C,0xF0,0x2F,0xBC,
+ 0x52,0xAB,0x2B,0x69,0x5E,0x30,0x3F,0x06,0x03,0x55,0x1D,0x20,0x04,0x38,0x30,0x36,
+ 0x30,0x34,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x81,0xE9,0x0C,0x01,0x0A,0x30,0x26,
+ 0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,
+ 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,
+ 0x6E,0x2F,0x63,0x70,0x73,0x2F,0x30,0x81,0xA6,0x06,0x03,0x55,0x1D,0x1F,0x04,0x81,
+ 0x9E,0x30,0x81,0x9B,0x30,0x66,0xA0,0x64,0xA0,0x62,0xA4,0x60,0x30,0x5E,0x31,0x0B,
+ 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,0x30,0x06,
+ 0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,0x74,0x65,
+ 0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,0x6E,0x66,
+ 0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,0x72,0x31,
+ 0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x0C,0x03,0x63,0x72,0x6C,0x31,0x0D,0x30,
+ 0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,0x63,0x72,0x6C,0x31,0x30,0x31,0xA0,0x2F,
+ 0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,
+ 0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64,
+ 0x2F,0x65,0x76,0x63,0x72,0x6C,0x2F,0x63,0x72,0x6C,0x31,0x2E,0x63,0x72,0x6C,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
+ 0x01,0x01,0x00,0xA3,0xDE,0x24,0x78,0xF5,0x07,0x23,0xEC,0x77,0x62,0x71,0x60,0x01,
+ 0xAE,0xC7,0xBD,0x49,0x8D,0x40,0x0C,0x49,0xAE,0x1A,0x47,0x2B,0x22,0xAE,0x66,0x2B,
+ 0x34,0x83,0xAD,0x17,0xA1,0x45,0xC7,0xEC,0x16,0x80,0x2F,0x24,0x41,0xDF,0xFF,0xB0,
+ 0x9D,0xE0,0x47,0x51,0x53,0x10,0xDC,0x85,0xC3,0xF9,0x72,0x3A,0xC9,0x79,0x22,0x89,
+ 0xD4,0xCB,0x40,0x60,0x7E,0x3E,0x86,0x52,0x01,0xD2,0xA5,0x41,0x57,0x0C,0xB0,0x5C,
+ 0xDD,0x24,0x0E,0xB2,0xF4,0x7E,0xB7,0x45,0xCE,0xA2,0x1B,0x3B,0x77,0xC6,0x9B,0x1E,
+ 0x7D,0x7F,0x42,0x53,0xE4,0xF4,0xE6,0x84,0xFD,0xCC,0x27,0xB2,0xC9,0x72,0x30,0x09,
+ 0xEE,0xC7,0x8B,0xE5,0xBF,0x2C,0x3B,0x73,0xA0,0x9C,0xD8,0x3E,0x81,0xED,0xB4,0x74,
+ 0x88,0x67,0x99,0x69,0xE5,0x3A,0x3C,0x5A,0xA4,0xE4,0xD3,0x6D,0xBF,0xF6,0xF0,0x0C,
+ 0x92,0x9C,0xB4,0x53,0x39,0x70,0x9A,0x3D,0xF4,0x3F,0x9D,0x07,0x66,0x3F,0x85,0x09,
+ 0x07,0x8E,0x5C,0x9D,0x83,0x23,0x0F,0x45,0xE7,0x3C,0xE5,0x7F,0x6C,0x0C,0x29,0x3B,
+ 0x2B,0x5D,0xE2,0xB7,0xCB,0x0E,0xEF,0xC8,0x14,0x4C,0x30,0xD0,0xD0,0x9C,0x7D,0x8E,
+ 0x67,0x94,0xD9,0xB2,0x71,0x7E,0x74,0x0F,0x5C,0xD7,0xB5,0xFB,0x35,0x13,0x3F,0x05,
+ 0xD7,0x7C,0x08,0x2F,0x7A,0x31,0x78,0x99,0xF8,0x76,0x0D,0xB3,0xFB,0xD2,0xD3,0x6C,
+ 0xC7,0x32,0x61,0x2E,0x8E,0x64,0x96,0xFD,0xB1,0xFA,0x73,0xC7,0x56,0x54,0x8B,0x0D,
+ 0x27,0xD2,0x66,0x9E,0xA5,0xCB,0xCE,0xD0,0xA4,0x9C,0x03,0xDD,0x9D,0x1F,0xED,0x5E,
+ 0x7A,0x73,0x5D,
+};
+
+/* expired:
+ Not After : Oct 20 03:20:57 2015 GMT
+ */
+static const UInt8 cert1_expired[] = {
+ 0x30,0x82,0x05,0xd6,0x30,0x82,0x04,0xbe,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1a,
+ 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x10,0xd5,0x30,
+ 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x58,
+ 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,
+ 0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,
+ 0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,
+ 0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,
+ 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,
+ 0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x30,
+ 0x32,0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x17,0x0d,0x31,0x35,0x31,0x30,0x32,
+ 0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x30,0x82,0x01,0x05,0x31,0x1b,0x30,0x19,
+ 0x06,0x03,0x55,0x04,0x0f,0x13,0x12,0x56,0x31,0x2e,0x30,0x2c,0x20,0x43,0x6c,0x61,
+ 0x75,0x73,0x65,0x20,0x35,0x2e,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,
+ 0x04,0x05,0x13,0x0f,0x34,0x34,0x30,0x33,0x30,0x31,0x35,0x30,0x33,0x34,0x32,0x36,
+ 0x35,0x34,0x36,0x31,0x13,0x30,0x11,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,
+ 0x3c,0x02,0x01,0x03,0x13,0x02,0x43,0x4e,0x31,0x1a,0x30,0x18,0x06,0x0b,0x2b,0x06,
+ 0x01,0x04,0x01,0x82,0x37,0x3c,0x02,0x01,0x02,0x13,0x09,0x67,0x75,0x61,0x6e,0x67,
+ 0x64,0x6f,0x6e,0x67,0x31,0x19,0x30,0x17,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,
+ 0x37,0x3c,0x02,0x01,0x01,0x13,0x08,0x73,0x68,0x65,0x6e,0x7a,0x68,0x65,0x6e,0x31,
+ 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,
+ 0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x5e,0x7f,0x4e,0x1c,0x31,0x0d,0x30,0x0b,0x06,
+ 0x03,0x55,0x04,0x07,0x1e,0x04,0x6d,0xf1,0x57,0x33,0x31,0x21,0x30,0x1f,0x06,0x03,
+ 0x55,0x04,0x0a,0x1e,0x18,0x80,0x54,0x54,0x08,0x51,0x49,0x4f,0x0f,0x00,0x28,0x6d,
+ 0xf1,0x57,0x33,0x00,0x29,0x67,0x09,0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x16,0x30,
+ 0x14,0x06,0x03,0x55,0x04,0x0b,0x13,0x0d,0x49,0x54,0x20,0x44,0x65,0x70,0x61,0x72,
+ 0x74,0x6d,0x65,0x6e,0x74,0x31,0x1a,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11,
+ 0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,
+ 0x6d,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
+ 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,
+ 0x01,0x00,0xc0,0x5c,0x75,0x0e,0x29,0x93,0xf9,0xc2,0x0f,0x9e,0x24,0xeb,0x6d,0xb8,
+ 0xb5,0x09,0x79,0xfe,0xbb,0xa0,0x78,0x20,0xbf,0xeb,0xc3,0x3d,0x00,0xb2,0x75,0x20,
+ 0xa1,0x26,0x40,0x9e,0x0e,0x38,0x3c,0x38,0x89,0x5a,0x4f,0x46,0x5d,0xaf,0x0f,0x49,
+ 0x58,0xf5,0x9f,0x34,0x0f,0x1d,0x57,0xd0,0xa7,0x89,0x88,0x58,0xe6,0x00,0xca,0xde,
+ 0x0e,0x61,0xc6,0x3f,0xf4,0x08,0x9e,0x4e,0xf9,0x8e,0xdc,0xc6,0x1f,0xab,0x56,0x38,
+ 0xf7,0x8f,0xd4,0xb7,0x0c,0x77,0xf9,0xdf,0x02,0x26,0xc3,0xf3,0x2a,0x7e,0x7b,0x02,
+ 0x89,0x75,0x50,0xf6,0x4b,0x98,0xe7,0x02,0xdc,0xe0,0xb2,0x57,0xa6,0x50,0xa3,0x27,
+ 0x48,0xaf,0x26,0x6e,0xf5,0x47,0x04,0x9b,0x26,0x1f,0x10,0x84,0x26,0xbe,0x4e,0xa7,
+ 0xd5,0x7d,0xad,0xe0,0x0f,0x78,0xfa,0x5e,0xcd,0xf1,0xce,0x6f,0x06,0x39,0x4b,0xa1,
+ 0xd7,0xce,0x01,0xfb,0x58,0x8c,0x47,0x24,0xfd,0x9f,0x6e,0xb0,0x5b,0x51,0x62,0x6f,
+ 0x9c,0xd5,0xaf,0xaf,0xc1,0x6d,0xcc,0x22,0x3e,0x04,0xcc,0xe8,0x41,0x98,0xc0,0xc7,
+ 0xb0,0xf5,0x59,0x0e,0x26,0xed,0x1f,0x7b,0x0a,0xce,0xb6,0xa5,0xfe,0xa6,0xc7,0xba,
+ 0x1b,0x6b,0x11,0xc6,0x15,0x10,0x5b,0x8b,0x34,0x14,0xd9,0x3c,0x4d,0xc6,0x6c,0x89,
+ 0x01,0xf3,0xd1,0x5a,0xf3,0x2b,0x9b,0x28,0x16,0xbe,0x6d,0x43,0x66,0xf8,0x56,0x15,
+ 0x3b,0xaf,0x79,0xda,0x46,0x22,0xd4,0x2b,0xd3,0x9d,0x99,0x53,0x2f,0xa0,0x39,0x59,
+ 0x4e,0x22,0x54,0x1e,0x47,0xf5,0xa9,0xa9,0x4e,0xf5,0x1d,0x9d,0x98,0x45,0xc6,0x85,
+ 0xae,0x01,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xeb,0x30,0x82,0x01,0xe7,0x30,
+ 0x09,0x06,0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2b,0x06,
+ 0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2b,0x06,
+ 0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,
+ 0x63,0x73,0x70,0x65,0x76,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x3c,
+ 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,
+ 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
+ 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,0x74,0x2f,0x43,0x4e,
+ 0x4e,0x49,0x43,0x45,0x56,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x1c,0x06,0x03,
+ 0x55,0x1d,0x11,0x04,0x15,0x30,0x13,0x82,0x11,0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,
+ 0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,
+ 0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,
+ 0x04,0x14,0xd7,0x06,0xeb,0x3b,0x83,0x70,0x55,0x58,0x9a,0x40,0x03,0xd5,0x7e,0x8e,
+ 0xcb,0x49,0x23,0x10,0x67,0xc4,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,0x0c,0x30,
+ 0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1f,0x06,0x03,0x55,
+ 0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,
+ 0xd2,0x72,0xfd,0x1c,0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x3f,0x06,0x03,
+ 0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,
+ 0x81,0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,
+ 0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,
+ 0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xa6,
+ 0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x9e,0x30,0x81,0x9b,0x30,0x66,0xa0,0x64,0xa0,
+ 0x62,0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
+ 0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,
+ 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,
+ 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,
+ 0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,
+ 0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,
+ 0x72,0x6c,0x31,0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,
+ 0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,
+ 0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x63,0x72,0x6c,0x2f,0x63,0x72,
+ 0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,
+ 0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x6e,0x84,0xe5,0x57,0x7e,0x96,
+ 0xaf,0x39,0xbf,0xa0,0x2a,0xf2,0xd1,0x10,0x57,0x8e,0x3d,0x68,0x4d,0x61,0x35,0x97,
+ 0xbb,0xed,0x7f,0x5e,0x4f,0x17,0x58,0x2f,0x4b,0x94,0x4f,0xda,0xd8,0x9c,0x78,0x52,
+ 0x2e,0xec,0xcd,0x86,0x87,0xa1,0x64,0xdc,0x41,0x0e,0x44,0x23,0xdb,0x7d,0xc8,0x86,
+ 0xef,0x07,0x29,0xaa,0x78,0x1b,0x95,0x84,0xb8,0xf9,0x60,0x95,0x89,0x3f,0x58,0x3d,
+ 0x42,0x74,0x4b,0x82,0x0d,0x65,0x16,0x1a,0x70,0xaa,0x2d,0xb2,0xab,0x79,0x27,0x2e,
+ 0x7e,0x6f,0x44,0xfb,0xdf,0xf5,0xff,0x3e,0xc3,0x67,0xa5,0xe1,0x6b,0xe3,0xf7,0xcc,
+ 0x11,0x9f,0x2a,0xe8,0x87,0x46,0x3d,0x5c,0xbf,0x5f,0xca,0x9b,0x09,0xbe,0x0a,0x83,
+ 0xb0,0x98,0x03,0x3a,0x67,0xb1,0xe9,0xa4,0x04,0x96,0x2b,0x24,0xe1,0xcd,0xc1,0x26,
+ 0x88,0x76,0x10,0x41,0x85,0xf0,0x07,0xb0,0x4b,0x6b,0xd2,0x25,0x0f,0x12,0x52,0xea,
+ 0x3b,0xac,0xc3,0xfa,0x56,0x5f,0xfb,0x3b,0x4b,0x86,0xf6,0x67,0x45,0x51,0xb4,0xb4,
+ 0x94,0x98,0xa6,0xac,0x46,0x8b,0x42,0x94,0xff,0x9e,0x71,0x09,0x7c,0x87,0xb0,0x36,
+ 0x70,0x8a,0x5e,0x88,0x33,0x79,0x85,0x78,0x30,0x56,0x4a,0x6a,0xfc,0x5b,0x34,0xe9,
+ 0xb7,0x57,0xde,0xdc,0x0a,0x3c,0x1e,0x71,0xfc,0x23,0xc6,0x5a,0xd3,0x1a,0x50,0x06,
+ 0xbe,0x9c,0x60,0xd5,0x36,0x44,0x65,0x59,0x89,0xe6,0xda,0x1b,0xc9,0x89,0x21,0xe0,
+ 0x59,0x7d,0x25,0x4f,0x76,0x87,0x4f,0x7e,0xb1,0x1a,0x43,0xff,0x00,0xbb,0xc7,0xc5,
+ 0x5e,0xcc,0xfd,0x4a,0x1b,0xc1,0x6e,0x75,0xd9,0xe6
+};
+
+/* On allow list until:
+ Not After : Jun 6 02:00:32 2017 GMT
+ */
+static const UInt8 cert2[] = {
+ 0x30,0x82,0x04,0x2d,0x30,0x82,0x03,0x15,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1c,
+ 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x11,0x3c,0x30,
+ 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,
+ 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,
+ 0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,
+ 0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,
+ 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x30,0x36,0x30,0x39,0x30,0x33,
+ 0x33,0x36,0x33,0x37,0x5a,0x17,0x0d,0x31,0x37,0x30,0x36,0x30,0x36,0x30,0x32,0x30,
+ 0x30,0x33,0x32,0x5a,0x30,0x54,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
+ 0x02,0x43,0x4e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c,0x77,0x77,
+ 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x31,0x17,0x30,0x15,0x06,0x03,
+ 0x55,0x04,0x03,0x13,0x0e,0x6d,0x61,0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,
+ 0x2e,0x63,0x6e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x77,0x77,
+ 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,
+ 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,
+ 0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xc7,0x2f,0x0e,0xba,0xf0,
+ 0xff,0x9e,0x56,0x3b,0x88,0x3b,0x94,0x0d,0xc6,0x81,0x22,0xe7,0xeb,0x1b,0x22,0x1d,
+ 0xb2,0x75,0x5b,0xae,0x41,0xea,0x55,0x6a,0x7c,0x95,0x85,0x3e,0x0e,0xd1,0x95,0xf4,
+ 0x71,0xdf,0x7c,0x5c,0x8e,0xcc,0x25,0xb9,0xae,0x15,0xc9,0xf2,0xd0,0x30,0xe8,0x7c,
+ 0x91,0x5d,0x24,0x09,0x93,0x23,0x3f,0x55,0x7b,0x09,0x17,0x82,0x37,0x0b,0xf8,0x1a,
+ 0x6e,0xaa,0x08,0x0d,0xa8,0x2d,0xb7,0x6d,0x38,0x24,0xc0,0x48,0x5d,0x29,0x7a,0xe9,
+ 0xac,0x4d,0x93,0xec,0xd0,0x6c,0x62,0x1e,0x17,0xe7,0x2d,0xd7,0x0b,0x64,0x8f,0x56,
+ 0xd3,0x82,0x37,0xad,0x2d,0x28,0xe8,0x7e,0x9d,0x83,0x7d,0x6d,0x06,0xa2,0x36,0x62,
+ 0x60,0x30,0xbe,0x31,0xf9,0x9e,0xe0,0xb7,0x5b,0x72,0x6e,0x16,0x36,0x75,0xdc,0x17,
+ 0x56,0xff,0x5f,0x27,0x57,0x34,0xdc,0x2a,0x98,0xcd,0x9d,0x3f,0x5c,0x48,0x79,0x0b,
+ 0xa5,0xcf,0x16,0x20,0xc5,0x57,0x5f,0xa6,0xd6,0x1d,0xd6,0x6a,0x17,0x89,0x2d,0xb8,
+ 0xde,0xc5,0x30,0xe4,0xf0,0x39,0xf6,0x87,0x87,0x54,0x5c,0xc0,0x34,0x0f,0x1c,0xfb,
+ 0xf0,0xe4,0xc5,0xde,0xe1,0xa7,0xcf,0x54,0x2a,0x02,0x20,0x94,0xf9,0xd1,0xf8,0xb6,
+ 0x97,0xe2,0x3a,0x30,0x43,0x24,0x45,0x2d,0x9a,0xd3,0xe0,0x6a,0x70,0x41,0x96,0xf0,
+ 0x4d,0x21,0x8d,0x61,0x2c,0x2c,0x56,0xda,0xec,0xc8,0xdc,0xbf,0xce,0x75,0x9d,0xd9,
+ 0x5a,0x2d,0x39,0xc7,0xef,0x29,0x32,0xd6,0x6c,0xf8,0xc7,0x88,0x84,0xfc,0x51,0x5b,
+ 0x11,0x44,0xde,0x87,0xd3,0x6f,0x05,0x0c,0x8e,0xc7,0x0f,0x02,0x03,0x01,0x00,0x01,
+ 0xa3,0x82,0x01,0x19,0x30,0x82,0x01,0x15,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,
+ 0x18,0x30,0x16,0x80,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,0xfc,
+ 0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x09,0x06,0x03,0x55,0x1d,0x13,
+ 0x04,0x02,0x30,0x00,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,
+ 0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,
+ 0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,
+ 0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,
+ 0x2f,0x63,0x70,0x73,0x2f,0x30,0x3c,0x06,0x03,0x55,0x1d,0x1f,0x04,0x35,0x30,0x33,
+ 0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,
+ 0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,
+ 0x6c,0x6f,0x61,0x64,0x2f,0x64,0x71,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,0x2e,
+ 0x63,0x72,0x6c,0x30,0x27,0x06,0x03,0x55,0x1d,0x11,0x04,0x20,0x30,0x1e,0x82,0x0c,
+ 0x77,0x77,0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x82,0x0e,0x6d,0x61,
+ 0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,0x2e,0x63,0x6e,0x30,0x0b,0x06,0x03,
+ 0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,
+ 0x04,0x16,0x04,0x14,0x00,0x8b,0xf0,0x61,0xdf,0xf1,0x0b,0x53,0xd8,0x52,0x97,0xfe,
+ 0x23,0x9f,0x34,0x50,0x1d,0xac,0xec,0x90,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,
+ 0x0c,0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x0d,0x06,
+ 0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,
+ 0x00,0x86,0x62,0x31,0x67,0xba,0x3e,0x2b,0x1f,0xf7,0xdd,0xc0,0x9b,0xa2,0x27,0xb5,
+ 0x61,0x8c,0xd8,0x68,0xc1,0x58,0x47,0xb2,0x72,0xb9,0xfe,0x06,0x52,0x7d,0x92,0x35,
+ 0x9b,0xa9,0x08,0xa7,0x3a,0x37,0x70,0x9d,0xe1,0x47,0xbe,0x3d,0x15,0x20,0x35,0x9a,
+ 0x79,0x7c,0x16,0xe8,0x8e,0xa5,0x0f,0x42,0xd5,0x6b,0x5b,0x9e,0x55,0x2b,0xdd,0x35,
+ 0x3e,0x32,0x41,0xef,0x14,0xa0,0x15,0x70,0xf8,0x8c,0x3f,0x9e,0xc0,0xc2,0x32,0x4d,
+ 0x90,0x9a,0xd0,0x9b,0xc1,0x72,0x64,0x2f,0x2e,0x8c,0x44,0x80,0x5a,0x6f,0xb7,0x08,
+ 0xa9,0x0e,0x76,0xa4,0x82,0xd6,0x2e,0x64,0xf6,0xe4,0x5e,0x1b,0xb4,0x09,0xbc,0x1d,
+ 0x80,0x46,0xd7,0x35,0x7f,0x58,0x70,0x09,0x10,0x7a,0x1e,0xe5,0x28,0xf5,0x5a,0x28,
+ 0x7e,0x54,0x52,0x88,0xe6,0x3f,0x4e,0x55,0xb3,0x15,0x67,0x4c,0xac,0x82,0xbb,0xf8,
+ 0x98,0xd0,0xd2,0x69,0x17,0x70,0x6a,0x09,0x52,0x91,0xc1,0xe7,0xbb,0xa7,0xe8,0x78,
+ 0xdb,0x57,0xa3,0x37,0x3f,0x3c,0x7f,0x80,0xc2,0x40,0x61,0xd2,0xe5,0x6f,0xe8,0x93,
+ 0xa2,0xb7,0x84,0x00,0x4e,0x4d,0xed,0xf3,0x87,0x14,0x35,0xd2,0xdb,0xf6,0x6b,0xc0,
+ 0x2a,0xb2,0x9c,0xc3,0x48,0xba,0xd0,0xb9,0x55,0xf2,0x1a,0x17,0xa0,0x0d,0x45,0x2c,
+ 0x28,0x0a,0xba,0x60,0x4a,0xb8,0x73,0xd6,0xb0,0x83,0x6e,0x92,0x87,0x1f,0x39,0x91,
+ 0xa5,0x4f,0xef,0xcb,0xf7,0xee,0x28,0x39,0x5e,0x21,0xf0,0xc1,0x91,0x23,0x24,0x78,
+ 0xbc,0x01,0xb6,0xf1,0x4d,0x58,0x63,0xa6,0x89,0xf4,0x8b,0xa9,0xc9,0xad,0xfa,0xe1,
+ 0x9b
+};
+
+static const UInt8 intermediate0[] = {
+ 0x30,0x82,0x04,0x99,0x30,0x82,0x03,0x81,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49,
+ 0x33,0x00,0x7c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,
+ 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
+ 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,
+ 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49,
+ 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x32,0x31,0x38,
+ 0x31,0x32,0x33,0x32,0x31,0x38,0x5a,0x17,0x0d,0x32,0x34,0x31,0x32,0x31,0x38,0x31,
+ 0x32,0x33,0x32,0x31,0x38,0x5a,0x30,0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,
+ 0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,
+ 0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,
+ 0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,
+ 0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,
+ 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
+ 0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xf0,0xa3,0x8d,0x71,
+ 0x34,0xfe,0x11,0x3c,0xc7,0x98,0x61,0x0b,0xc5,0xaa,0x7b,0x13,0xd9,0x40,0x7f,0x9b,
+ 0x59,0xd0,0x4a,0xc0,0x93,0x45,0x5e,0x48,0xf1,0xfe,0xb1,0x8f,0xb9,0x4c,0xdf,0x53,
+ 0x50,0x15,0x19,0xf9,0xea,0xe7,0x22,0x8d,0xa8,0xdb,0x09,0x45,0xa6,0x86,0xc6,0xf8,
+ 0xd5,0xdc,0x55,0xb4,0x8f,0xeb,0x56,0x3d,0x1f,0x36,0xc7,0x95,0x55,0xf4,0x4e,0x11,
+ 0xc7,0x08,0x6f,0xe8,0xf9,0x7f,0x9e,0x85,0x9a,0x65,0x10,0x9b,0x87,0x86,0xb4,0x42,
+ 0x92,0xaf,0x3f,0x5b,0xd9,0x8b,0x2f,0x68,0xc2,0x08,0x58,0xf6,0xe4,0x5f,0x3b,0x79,
+ 0x8b,0x9e,0xde,0xb1,0x48,0x1f,0x59,0x40,0xb9,0xea,0x24,0x07,0x66,0x97,0xf6,0x2f,
+ 0x52,0xec,0x0c,0xc8,0x4e,0x65,0x5a,0x60,0x6f,0xe5,0x8f,0x9d,0xfd,0x6a,0xde,0x89,
+ 0xe4,0x7a,0x4b,0xb6,0x1e,0x82,0x8d,0x9c,0xdd,0x8d,0x73,0x33,0x92,0xd3,0x46,0x8e,
+ 0x9e,0x58,0x01,0xf3,0x2e,0x83,0xe0,0xd2,0x4a,0x13,0x94,0x2c,0xd0,0x8a,0x12,0xd0,
+ 0x29,0x34,0xed,0x6b,0xea,0xc6,0xc9,0x14,0x7a,0x75,0x92,0x8e,0x42,0x7e,0xd2,0x76,
+ 0x88,0xdb,0xad,0x9b,0x20,0xe2,0x30,0x94,0x97,0xa3,0xa3,0xae,0x52,0x4c,0x2d,0xa3,
+ 0x77,0x79,0x74,0xf7,0x87,0x8c,0x86,0x8f,0xb3,0x63,0x51,0x3e,0xf6,0xc0,0x6e,0x25,
+ 0x9b,0x0d,0xc1,0x99,0x4f,0xf2,0x5c,0x9d,0xf5,0x21,0x04,0x42,0xde,0x74,0x59,0xe4,
+ 0x39,0x80,0x82,0x50,0x21,0xde,0x49,0xe3,0x14,0x83,0xa7,0xc8,0xce,0x6d,0xfa,0x49,
+ 0x5b,0x5e,0x3f,0x55,0x65,0xc1,0x5d,0x57,0x41,0x00,0x7d,0x43,0x02,0x03,0x01,0x00,
+ 0x01,0xa3,0x82,0x01,0xa4,0x30,0x82,0x01,0xa0,0x30,0x76,0x06,0x08,0x2b,0x06,0x01,
+ 0x05,0x05,0x07,0x01,0x01,0x04,0x6a,0x30,0x68,0x30,0x29,0x06,0x08,0x2b,0x06,0x01,
+ 0x05,0x05,0x07,0x30,0x01,0x86,0x1d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,
+ 0x73,0x70,0x63,0x6e,0x6e,0x69,0x63,0x72,0x6f,0x6f,0x74,0x2e,0x63,0x6e,0x6e,0x69,
+ 0x63,0x2e,0x63,0x6e,0x30,0x3b,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,
+ 0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,
+ 0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,
+ 0x65,0x72,0x74,0x2f,0x43,0x4e,0x4e,0x49,0x43,0x52,0x4f,0x4f,0x54,0x2e,0x63,0x65,
+ 0x72,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x65,0xf2,
+ 0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,
+ 0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,
+ 0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,
+ 0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,0x24,
+ 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,
+ 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
+ 0x63,0x70,0x73,0x2f,0x30,0x81,0x86,0x06,0x03,0x55,0x1d,0x1f,0x04,0x7f,0x30,0x7d,
+ 0x30,0x42,0xa0,0x40,0xa0,0x3e,0xa4,0x3c,0x30,0x3a,0x31,0x0b,0x30,0x09,0x06,0x03,
+ 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,
+ 0x0c,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,
+ 0x0c,0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,
+ 0x63,0x72,0x6c,0x31,0x30,0x37,0xa0,0x35,0xa0,0x33,0x86,0x31,0x68,0x74,0x74,0x70,
+ 0x3a,0x2f,0x2f,0x63,0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
+ 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x73,0x68,0x61,
+ 0x32,0x63,0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0b,0x06,
+ 0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,
+ 0x0e,0x04,0x16,0x04,0x14,0xb7,0xd1,0x59,0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,
+ 0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,0x3c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
+ 0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x4f,0xc7,0x80,
+ 0x5e,0x29,0x70,0x8c,0xd6,0x59,0xae,0x59,0x4f,0xd1,0xd8,0x41,0xa8,0xa7,0xa8,0x58,
+ 0xa6,0x06,0x25,0xd2,0xf8,0x3c,0x13,0x52,0xec,0x51,0x54,0x38,0xb6,0x60,0xd0,0x95,
+ 0xaf,0x30,0xbf,0x78,0xa3,0x19,0xfd,0x6b,0x54,0x98,0x49,0xc4,0x81,0x84,0xaa,0x51,
+ 0x54,0xd3,0x95,0x9d,0x92,0x66,0x02,0x6e,0x55,0x4b,0xf1,0xe0,0x4e,0x02,0x05,0xb5,
+ 0x67,0x3b,0x31,0x4d,0xb3,0xb3,0xb7,0xa2,0x13,0xff,0x28,0x10,0xbc,0xa4,0x9b,0x71,
+ 0x4c,0x36,0x9c,0x60,0xac,0x65,0x7c,0x66,0x8a,0xb6,0x1c,0x7f,0xa1,0xad,0xe8,0x6e,
+ 0xce,0x0b,0xee,0x85,0xe6,0x01,0xe5,0xab,0x7f,0x11,0x1f,0x33,0xd9,0x1d,0xa1,0x0c,
+ 0xf2,0x3a,0x7e,0xdb,0xf5,0x63,0xe2,0x77,0xdb,0x01,0x1a,0x60,0xe8,0xfb,0x42,0xd4,
+ 0xf3,0xdf,0x8d,0xec,0x4f,0x4f,0xc8,0xa7,0x24,0xf7,0xb5,0xb7,0x58,0xae,0xad,0x0c,
+ 0x9b,0x7a,0x39,0x81,0xd9,0xd0,0x8a,0x18,0x28,0x8a,0xf2,0x91,0x88,0x11,0x3d,0xb1,
+ 0x42,0x5d,0x0e,0x31,0xfe,0x00,0x99,0xfe,0x87,0x3f,0x8e,0xbd,0xef,0x83,0x72,0xd7,
+ 0x49,0x22,0xfd,0x82,0xe2,0xfc,0xe8,0xe8,0xf7,0x4b,0xff,0xa5,0x62,0xec,0xd3,0x87,
+ 0x51,0x6f,0x35,0xbc,0x51,0x54,0x6c,0x36,0xfe,0x88,0xcb,0xaf,0xb1,0x0e,0x7b,0x76,
+ 0x9c,0x16,0x11,0xda,0x7f,0xd1,0xf4,0x85,0xce,0xb8,0x87,0x45,0x0c,0x43,0xe4,0xb3,
+ 0x6f,0xbc,0x95,0xce,0x59,0x57,0xf3,0xb4,0xec,0xa8,0xc2,0x1f,0x98,0x77,0x93,0x7d,
+ 0xad,0x92,0x4e,0xba,0xab,0x5d,0x45,0x93,0x7c,0xf0,0x17,0xcd,0xc7
+};
+
+static const UInt8 intermediate1[] = {
+ 0x30,0x82,0x04,0xf8,0x30,0x82,0x03,0xe0,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x0b,
+ 0x24,0x01,0xb7,0x39,0x86,0x38,0x3c,0x29,0xc2,0xf8,0x19,0x4d,0x23,0x10,0x7b,0x30,
+ 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x81,
+ 0x8a,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,
+ 0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,
+ 0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,
+ 0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,
+ 0x65,0x72,0x31,0x47,0x30,0x45,0x06,0x03,0x55,0x04,0x03,0x0c,0x3e,0x43,0x68,0x69,
+ 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,
+ 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,
+ 0x43,0x65,0x6e,0x74,0x65,0x72,0x20,0x45,0x56,0x20,0x43,0x65,0x72,0x74,0x69,0x66,
+ 0x69,0x63,0x61,0x74,0x65,0x73,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,0x0d,0x31,
+ 0x30,0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x17,0x0d,0x32,0x30,
+ 0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x30,0x58,0x31,0x0b,0x30,
+ 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,
+ 0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,
+ 0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,
+ 0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x15,
+ 0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x45,
+ 0x56,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
+ 0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,
+ 0x0a,0x02,0x82,0x01,0x01,0x00,0xc9,0x8b,0x5d,0x84,0x90,0x33,0x98,0x83,0xdd,0xa1,
+ 0x9a,0x76,0x4f,0xd2,0xff,0xf4,0xbc,0x5d,0x7f,0xd5,0x0c,0xdc,0xd1,0x58,0xe8,0x3a,
+ 0xd7,0xab,0xa9,0x24,0x05,0x78,0x28,0x3d,0x64,0x03,0x7d,0x7f,0xee,0x16,0x3e,0x51,
+ 0xc7,0x69,0xb4,0x06,0xe8,0xa5,0x3b,0x7a,0xf0,0xac,0xcd,0x9e,0xb4,0x00,0xbf,0x25,
+ 0xe5,0xd9,0x95,0x45,0x31,0x20,0x59,0xed,0xf0,0xbc,0x86,0x02,0x9a,0xa6,0x52,0x73,
+ 0xaf,0x02,0x09,0x22,0xf1,0x04,0x97,0xe3,0x15,0x8c,0x7e,0xa5,0xc7,0x37,0xbd,0x42,
+ 0x4f,0x27,0x85,0x9d,0xb9,0x24,0x29,0xcb,0x4c,0xd4,0xd2,0xed,0x79,0x3b,0x39,0xa1,
+ 0x08,0x26,0xba,0x14,0xb3,0x49,0x0f,0x8e,0xd7,0x9d,0x5f,0xde,0x72,0xf0,0x53,0xee,
+ 0x8a,0x4e,0x6c,0x06,0x6f,0xea,0x9f,0x25,0x4a,0x23,0x80,0x7e,0x2e,0xb2,0x81,0x9d,
+ 0x3b,0x4e,0xdf,0x73,0xbe,0x1b,0x89,0x10,0x89,0xf7,0xac,0xa0,0x2f,0xfb,0x71,0xc4,
+ 0xe2,0xe9,0xd0,0x79,0xb7,0x54,0x9d,0xf6,0xcc,0x3a,0x6c,0x88,0x25,0xf4,0x0e,0xf4,
+ 0x49,0xa1,0x23,0xd2,0xe2,0x71,0xb8,0x1c,0x44,0x46,0xb4,0x70,0x5d,0x5d,0xab,0x7f,
+ 0x0e,0x27,0x8d,0x4b,0xf4,0xe1,0x52,0x88,0x58,0xf9,0xec,0x1e,0xbb,0x56,0x1f,0x37,
+ 0x1a,0xce,0x74,0xf3,0x6d,0x63,0xbc,0x18,0xa8,0x95,0x30,0x8b,0x16,0xe2,0x9f,0x0a,
+ 0x89,0xe0,0x36,0xba,0x0f,0x90,0x5e,0x67,0x6c,0x04,0x77,0xfa,0xd1,0x6e,0xdb,0x1c,
+ 0x3c,0x1f,0x9f,0x83,0xb5,0x4b,0xc8,0x4e,0x90,0xf8,0x02,0x26,0x2e,0xce,0x7c,0xe6,
+ 0x3e,0xe8,0x0e,0xf0,0x77,0xf1,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0x89,0x30,
+ 0x82,0x01,0x85,0x30,0x34,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,
+ 0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,
+ 0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x72,0x6f,0x6f,0x74,
+ 0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,
+ 0x04,0x18,0x30,0x16,0x80,0x14,0x7c,0x72,0x4b,0x39,0xc7,0xc0,0xdb,0x62,0xa5,0x4f,
+ 0x9b,0xaa,0x18,0x34,0x92,0xa2,0xca,0x83,0x82,0x59,0x30,0x0f,0x06,0x03,0x55,0x1d,
+ 0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,
+ 0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,
+ 0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,
+ 0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,
+ 0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xaa,0x06,
+ 0x03,0x55,0x1d,0x1f,0x04,0x81,0xa2,0x30,0x81,0x9f,0x30,0x66,0xa0,0x64,0xa0,0x62,
+ 0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
+ 0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,
+ 0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,
+ 0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,
+ 0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,
+ 0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,
+ 0x6c,0x31,0x30,0x35,0xa0,0x33,0xa0,0x31,0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,
+ 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,
+ 0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x72,0x6f,0x6f,0x74,0x63,0x72,0x6c,
+ 0x2f,0x63,0x72,0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f,
+ 0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,
+ 0x04,0x16,0x04,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,0xd2,0x72,0xfd,0x1c,
+ 0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
+ 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0xf9,0xad,0x13,
+ 0x7b,0x62,0x9b,0x8b,0xa5,0xfd,0x52,0x5d,0xd1,0x13,0xca,0x28,0x92,0xdc,0xc3,0x84,
+ 0x3d,0xf1,0xc5,0x9b,0x2a,0xc3,0x15,0xfc,0x1d,0x4f,0x30,0x54,0x77,0x9a,0x5a,0x5a,
+ 0x1b,0x07,0xbb,0xf7,0x7e,0xea,0x47,0x01,0xc7,0x6d,0x30,0xe0,0x2e,0xcc,0x44,0xea,
+ 0x6c,0xa5,0xcd,0x42,0x86,0x38,0xf5,0x88,0x9c,0xff,0x74,0xc1,0x3d,0x70,0xfa,0x9a,
+ 0x54,0xbd,0x37,0xb0,0x38,0x9f,0xb6,0xe4,0x51,0xec,0x24,0xa0,0xa4,0xbe,0x9f,0x6e,
+ 0xad,0x3b,0x0f,0x30,0xa0,0xd2,0x37,0x67,0x9b,0xc2,0x6f,0xd5,0xfd,0x9a,0xfd,0xc6,
+ 0x56,0x08,0x64,0x84,0x74,0x12,0xfe,0xa8,0xe3,0x26,0x4a,0x08,0x2f,0xdb,0x32,0x9a,
+ 0xae,0xaf,0x01,0x75,0xf0,0x7b,0x28,0xb6,0xb2,0x4a,0xf0,0xd8,0xfd,0xb4,0x11,0xf5,
+ 0x26,0x31,0x49,0xd1,0x82,0x91,0x04,0x3b,0x4b,0x79,0x3c,0x57,0x2e,0x38,0x9f,0x9a,
+ 0xfd,0xdf,0x53,0xd9,0xbd,0x48,0x96,0xfb,0xbb,0x21,0x64,0xdd,0xec,0x68,0xc3,0x77,
+ 0x7d,0x41,0xcf,0x7c,0x2f,0xa8,0x87,0xf0,0x8f,0xf0,0x0c,0xdd,0x3f,0x88,0x5c,0x23,
+ 0x49,0x26,0x1b,0x60,0xff,0xbc,0x9e,0xb8,0xc0,0xf6,0xe0,0x21,0xf1,0x44,0x44,0x21,
+ 0x81,0x06,0x9b,0x39,0xf0,0xaf,0xf0,0x5c,0x44,0x44,0xc7,0x51,0xf2,0x1d,0xf3,0x06,
+ 0x1a,0x14,0x04,0xd1,0xa4,0xed,0x92,0x39,0x21,0x77,0xe9,0x77,0x1f,0xd6,0x80,0x5e,
+ 0x42,0xb4,0xd5,0x44,0xd1,0xd2,0xd6,0x84,0xca,0xa5,0xb8,0xee,0x48,0x4f,0x93,0x2d,
+ 0xca,0x82,0x46,0xff,0x77,0x5b,0x18,0x79,0x88,0x14,0x4c,0x0d
+};
+
+static const UInt8 intermediate2[] = {
+ 0x30,0x82,0x03,0xca,0x30,0x82,0x02,0xb2,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49,
+ 0x33,0x00,0x65,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,
+ 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
+ 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,
+ 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49,
+ 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x30,0x31,0x32,0x31,0x35,
+ 0x30,0x35,0x30,0x37,0x30,0x30,0x5a,0x17,0x0d,0x32,0x30,0x31,0x32,0x31,0x35,0x30,
+ 0x35,0x30,0x37,0x30,0x30,0x5a,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,
+ 0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,
+ 0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,
+ 0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,
+ 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,
+ 0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa8,0x7f,0xa9,
+ 0x2d,0x47,0xc3,0xdb,0xdb,0x10,0x79,0xa0,0xae,0xd5,0x80,0xfa,0x5b,0xbe,0x64,0x5f,
+ 0x26,0xb9,0x5a,0x84,0x0d,0x1b,0x56,0x14,0x49,0xe1,0xda,0xfb,0x83,0x07,0xaf,0x80,
+ 0x2d,0x93,0xbf,0x44,0xd9,0x85,0x1f,0x18,0xb0,0xe1,0xb9,0x06,0x34,0x24,0xd1,0xf9,
+ 0x9f,0x34,0xe0,0x26,0x3e,0xce,0x57,0xca,0x30,0x3b,0xae,0x44,0x55,0x47,0x7f,0x2e,
+ 0xe5,0xe8,0x51,0x55,0x90,0x95,0x23,0xde,0xd3,0xb4,0x88,0xf8,0x33,0x1e,0x5e,0xe6,
+ 0x2b,0xae,0x9b,0x94,0x2c,0xec,0xd9,0xc9,0x47,0x67,0x14,0x54,0x6a,0x33,0x6f,0xe1,
+ 0x0c,0x7f,0x0f,0xa0,0x7e,0xb5,0xc3,0x0f,0x63,0x4f,0xdf,0x38,0x9d,0x73,0xea,0x9f,
+ 0xaa,0x34,0x30,0xbf,0xba,0x83,0x56,0x65,0x26,0x90,0x01,0xf6,0xfc,0x93,0xc6,0x2b,
+ 0xcc,0xf2,0x90,0x7d,0x2a,0x31,0xe1,0xcd,0x0f,0x23,0xd1,0x78,0x2b,0x49,0xc5,0x21,
+ 0x77,0xc9,0x8b,0x02,0x70,0xf1,0xc2,0xa3,0xdf,0xca,0xb7,0x73,0x06,0x76,0xfd,0xcb,
+ 0xc0,0xc9,0x23,0x21,0x17,0x34,0x1c,0x80,0xa9,0xc6,0x92,0x95,0xd0,0xc6,0xeb,0x83,
+ 0x56,0xb0,0x98,0x90,0x50,0xf4,0xcf,0x9b,0x3b,0x2d,0x3e,0xcf,0x94,0x27,0x69,0x9f,
+ 0xdc,0x66,0xfb,0x05,0x0c,0xe3,0x99,0x1e,0x06,0x86,0xd9,0xe6,0xf5,0x6c,0xfe,0x98,
+ 0x5d,0x61,0xb1,0x89,0x01,0xc4,0x7f,0x48,0x68,0x62,0x06,0x26,0x95,0x40,0xcd,0x93,
+ 0x46,0xf8,0xb0,0x8d,0x28,0x3a,0xc7,0x0e,0x46,0x42,0x9f,0x32,0xc3,0xc6,0x78,0xc7,
+ 0x10,0xd5,0x37,0xff,0x17,0x4c,0x24,0x60,0xc6,0xd5,0x18,0x9a,0x7d,0x02,0x03,0x01,
+ 0x00,0x01,0xa3,0x81,0xe5,0x30,0x81,0xe2,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,
+ 0x18,0x30,0x16,0x80,0x14,0x65,0xf2,0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,
+ 0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,
+ 0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,
+ 0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,
+ 0x0c,0x01,0x06,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,
+ 0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,
+ 0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x3e,0x06,0x03,0x55,
+ 0x1d,0x1f,0x04,0x37,0x30,0x35,0x30,0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,
+ 0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,
+ 0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x63,
+ 0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,
+ 0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,
+ 0x1d,0x0e,0x04,0x16,0x04,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,
+ 0xfc,0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x0d,0x06,0x09,0x2a,0x86,
+ 0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xb6,0x37,
+ 0x1c,0xdb,0x09,0x29,0xbd,0x24,0x76,0x1b,0x7f,0x6b,0x36,0x25,0xd2,0x43,0xf2,0x09,
+ 0x22,0x63,0x3f,0x8e,0xd6,0x15,0xf9,0x9c,0x36,0xc9,0xb1,0x1c,0x10,0x61,0x39,0x24,
+ 0x96,0x76,0xa4,0xa3,0x70,0xa4,0xe5,0x52,0xc1,0xba,0xb9,0xbb,0x72,0x1a,0xdc,0x76,
+ 0x05,0x86,0x45,0x03,0x0a,0xb8,0x95,0xd5,0xb2,0x63,0xb4,0x7b,0x9a,0x00,0xd5,0x31,
+ 0x76,0x50,0x25,0xc0,0x98,0x17,0xc9,0xfa,0x57,0x36,0x50,0x1f,0x66,0x2b,0xb1,0xd1,
+ 0xe6,0xcf,0x14,0x56,0xf2,0xb9,0x9f,0xa9,0x6f,0x2d,0x15,0xb7,0x66,0x46,0x9e,0x85,
+ 0x7c,0x68,0xbd,0xf3,0x5f,0x9f,0xbf,0xbe,0xf8,0xf9,0x7f,0x7b,0x1b,0xca,0x51,0xc2,
+ 0xae,0x43,0x20,0x83,0x90,0xab,0xb5,0x70,0x73,0x42,0xa9,0xc1,0xd5,0x4f,0x89,0xcf,
+ 0x72,0xba,0x86,0x5c,0xd8,0x8c,0xaf,0x85,0xf1,0x3d,0x52,0x23,0xac,0x68,0x05,0x73,
+ 0xca,0x36,0x7c,0x12,0x86,0xae,0xdc,0xda,0x91,0x40,0x1f,0xe0,0x6b,0x26,0x43,0x64,
+ 0xe9,0x5f,0x71,0xbf,0x22,0x6c,0x6e,0xd1,0x32,0x0c,0x7c,0x07,0x36,0x3a,0x09,0xef,
+ 0xe7,0xa7,0x9b,0x73,0x19,0xe3,0x6a,0xd2,0x41,0x43,0x23,0xef,0x63,0x30,0xa0,0x34,
+ 0x12,0x2c,0xe5,0x23,0x5f,0x46,0x87,0xcc,0xf1,0x2f,0x0b,0xd1,0x72,0x58,0xc5,0x36,
+ 0xcb,0x4e,0x00,0x5f,0x15,0x80,0x0a,0x05,0xb5,0x34,0x34,0x9c,0x19,0x20,0xc1,0x5b,
+ 0x80,0x98,0x96,0x42,0x01,0x54,0x6c,0x65,0x4e,0xc5,0x2b,0x04,0x55,0x63,0x71,0x5e,
+ 0x99,0x79,0xc5,0xfb,0x03,0xbf,0x27,0x56,0xa6,0xdf,0x3a,0x4c,0xea,0x63
+};
+
+#endif /* cnnic_certs_h */
--- /dev/null
+/*
+ * date_testing_certs.h
+ * Security
+ *
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ */
+
+#ifndef date_testing_certs_h
+#define date_testing_certs_h
+
+/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */
+/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */
+/* SHA256: 51a0f31fc01dec8732b6fd136a434d6c87cd62e038b4fbd640b0fd624d1fcf6d */
+unsigned char _datetest_root[994]={
+ 0x30,0x82,0x03,0xDE,0x30,0x82,0x02,0xC6,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
+ 0xAB,0x16,0xC1,0x56,0x85,0x86,0xE5,0xC8,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,
+ 0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03,
+ 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,
+ 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,
+ 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,
+ 0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,
+ 0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,
+ 0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,
+ 0x72,0x69,0x6E,0x67,0x31,0x1E,0x30,0x1C,0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44,
+ 0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73,
+ 0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36,0x31,0x30,0x31,0x32,0x31,0x38,
+ 0x31,0x35,0x34,0x39,0x5A,0x17,0x0D,0x32,0x36,0x31,0x30,0x31,0x30,0x31,0x38,0x31,
+ 0x35,0x34,0x39,0x5A,0x30,0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
+ 0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,
+ 0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,
+ 0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,
+ 0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,
+ 0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,
+ 0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,
+ 0x67,0x31,0x1E,0x30,0x1C,0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44,0x65,0x6E,0x79,
+ 0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x20,0x43,
+ 0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,
+ 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,
+ 0x01,0x00,0xF0,0x5A,0x62,0x0B,0xEA,0xD6,0xD6,0x78,0x94,0xEE,0x71,0xB5,0xF8,0x42,
+ 0xBB,0xF2,0x2F,0xC6,0xFB,0x53,0x7E,0xE4,0xF5,0xC9,0x8F,0x94,0xBC,0x02,0xB9,0x12,
+ 0x8E,0x5D,0xB4,0x12,0xE3,0x73,0xBD,0xD8,0x1A,0x3F,0x2D,0xBC,0x39,0x31,0x42,0x02,
+ 0x74,0xE7,0x93,0xB4,0x2B,0x6F,0xA9,0x42,0x8A,0xD4,0x0E,0xC9,0x96,0x90,0xE5,0xF6,
+ 0xAD,0xD7,0x7E,0x58,0xBA,0x6B,0xBD,0xBF,0xFC,0x8F,0x1E,0xD4,0xBE,0xD1,0x11,0x4B,
+ 0x7D,0x8A,0xD0,0x36,0xAD,0x2A,0x9A,0x37,0x5B,0xDF,0xCB,0x66,0x85,0x85,0x4F,0xD6,
+ 0x6F,0xEB,0xB3,0xC8,0xF7,0x6C,0x42,0x2E,0xE9,0xD6,0x84,0xD7,0x0F,0xD5,0x97,0xFD,
+ 0x4F,0x31,0x33,0x1B,0x5B,0x23,0x56,0x1B,0x7C,0x1E,0x11,0x51,0xE8,0x14,0x22,0x50,
+ 0x15,0x3D,0x01,0x1F,0x02,0x36,0x44,0x64,0x70,0xB3,0x7A,0xF7,0xF6,0xDA,0x14,0x9E,
+ 0x39,0xC3,0xD1,0x9E,0xED,0x70,0x2C,0x4E,0xA5,0xA5,0x1C,0xB7,0xEE,0xEF,0x4E,0x90,
+ 0x5D,0xF9,0x34,0xBB,0xA7,0xDF,0xD4,0xC5,0xEB,0x84,0xC4,0x3B,0x3D,0xCA,0x9A,0x9C,
+ 0xAD,0xB1,0x24,0xD4,0xD1,0x82,0xCC,0x1A,0xC4,0xEF,0xAE,0xB1,0xF0,0x12,0x28,0x37,
+ 0x40,0x45,0x83,0xBF,0x39,0xC7,0x90,0xB6,0x23,0x63,0xAD,0xC8,0xB9,0xF4,0x80,0x4B,
+ 0x91,0x91,0x64,0xDD,0x05,0x5E,0x0A,0x36,0xAB,0x7A,0x32,0xBA,0x05,0xBC,0x62,0x93,
+ 0xDE,0x5D,0xBA,0x2B,0x91,0xF2,0xD6,0x49,0x61,0x08,0x98,0xA2,0xD2,0x6E,0xF2,0x2D,
+ 0x4D,0x90,0x65,0x51,0x9C,0xC0,0x79,0x33,0x08,0xE1,0x7F,0xC0,0x09,0xCF,0x4D,0xB3,
+ 0x25,0x1F,0x02,0x03,0x01,0x00,0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06,0x03,0x55,
+ 0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,
+ 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,
+ 0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x4D,0xA5,0xDB,0xEF,0x4F,0xCD,
+ 0x74,0xE6,0x2A,0xB1,0xDC,0x5C,0xBE,0x12,0x04,0x94,0xEC,0x4A,0x66,0xD3,0x30,0x0D,
+ 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,
+ 0x01,0x00,0x06,0x5E,0xFD,0x98,0x73,0xA7,0x69,0xE2,0xAE,0x1C,0x06,0x00,0xD1,0x7C,
+ 0x59,0x70,0xB9,0x85,0xAF,0xB8,0xC0,0xAB,0x3B,0x60,0x64,0x0B,0x1B,0x81,0xA7,0x7D,
+ 0x5A,0xC4,0xDA,0x94,0x2B,0xBC,0xA7,0xDA,0x24,0x4E,0x83,0x21,0x12,0xFA,0x93,0x3E,
+ 0x67,0x38,0x37,0xBD,0x2B,0xEB,0x19,0xA4,0x08,0x73,0xB1,0x27,0x84,0x67,0x10,0x48,
+ 0x50,0x94,0x4C,0x55,0x0D,0x23,0x9F,0x0A,0xB2,0x18,0x6F,0xC1,0xE0,0x13,0xC2,0x2D,
+ 0x29,0x52,0xBA,0x4F,0x01,0x2C,0xD6,0x9E,0x73,0x5B,0x74,0x8A,0x0D,0x8C,0x1E,0x15,
+ 0x70,0x7E,0x9B,0xE0,0xCC,0xB2,0x6E,0xFE,0x44,0xD4,0xD0,0x76,0x41,0x95,0xFE,0x11,
+ 0xAA,0x4E,0x07,0xC6,0xBA,0x4B,0x46,0x02,0x0E,0xFC,0x4A,0xB9,0x15,0x2D,0x80,0xB5,
+ 0x33,0xE3,0x4E,0x41,0x46,0x05,0xEB,0x0A,0x15,0x43,0xC6,0x6A,0xC5,0x2B,0x53,0x49,
+ 0x49,0x61,0x57,0x0D,0x8D,0x42,0x63,0xB2,0xA6,0xC5,0xA5,0x23,0x3B,0xAC,0x50,0xDC,
+ 0x05,0x41,0x53,0x74,0xC5,0x67,0xA1,0x69,0xA6,0x66,0x4D,0x0F,0xF8,0x94,0x54,0x4B,
+ 0xA5,0x31,0x81,0xE8,0x3A,0x5C,0x02,0x84,0x56,0xFF,0xBE,0x13,0x15,0x95,0xC9,0xAF,
+ 0x17,0x77,0xD0,0x38,0x38,0x12,0xF9,0xA8,0x93,0x77,0x2F,0xCD,0x40,0x60,0xBC,0xCF,
+ 0x35,0x1C,0xE4,0xBD,0x5E,0x8D,0x96,0x19,0xB7,0x50,0x7E,0xED,0x44,0x1C,0x8C,0x08,
+ 0x6B,0xEE,0xEE,0xC9,0x8C,0xD6,0xDC,0x61,0x2C,0xD2,0x35,0x5E,0xB7,0x4C,0x58,0xFC,
+ 0x5D,0x62,0xEA,0xED,0x68,0xE8,0x1F,0xB1,0x0A,0x39,0x5C,0x29,0xBC,0x42,0x09,0xBA,
+ 0x4F,0x35,
+};
+
+/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing Intermediate CA 1 */
+/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */
+/* Not Before: Oct 15 00:00:00 2016 GMT */
+/* X509v3 Subject Key Identifier: E7:C3:06:5B:22:E0:EC:DA:8C:80:00:D9:0C:AC:0B:78:D4:68:C5:B7 */
+unsigned char _datetest_before_int[1050]={
+ 0x30,0x82,0x04,0x16,0x30,0x82,0x02,0xFE,0xA0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
+ 0x9A,0x17,0xF8,0x6F,0x33,0x3D,0xAB,0x4C,0xD3,0xFB,0x3A,0x6D,0xCF,0x05,0x94,0xEC,
+ 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,
+ 0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,
+ 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,
+ 0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,
+ 0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,
+ 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,
+ 0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,
+ 0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x1E,0x30,0x1C,
+ 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,
+ 0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,
+ 0x31,0x36,0x31,0x30,0x31,0x35,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,
+ 0x37,0x31,0x30,0x31,0x32,0x31,0x38,0x32,0x38,0x31,0x38,0x5A,0x30,0x81,0x9C,0x31,
+ 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,
+ 0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,
+ 0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,
+ 0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,
+ 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,
+ 0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,
+ 0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06,0x03,0x55,
+ 0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74,
+ 0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,0x72,0x6D,
+ 0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x82,0x01,0x22,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
+ 0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xF0,0xCB,0x1D,0x6C,
+ 0x7D,0xC1,0x90,0xB7,0xD9,0xB5,0x66,0x61,0x5E,0x34,0x76,0x14,0xFA,0xF8,0xB4,0xE1,
+ 0x6D,0x67,0xB0,0x9E,0xB9,0x93,0xB0,0xBE,0x15,0xA4,0xAB,0x76,0x23,0x0D,0x5C,0xC0,
+ 0x4D,0xB6,0x9F,0xCC,0x9B,0x3A,0x7E,0x50,0x13,0xE6,0x46,0x39,0xB1,0xE9,0x5F,0xB3,
+ 0xD7,0x86,0xA4,0x23,0xA5,0x27,0xDC,0x20,0x6A,0x64,0xD8,0x0A,0xCD,0x5F,0xEE,0x40,
+ 0x16,0xCE,0x4D,0xB9,0xCF,0xA2,0x62,0xC8,0x01,0x70,0x7F,0x8D,0x42,0x46,0xB1,0xF2,
+ 0x80,0x57,0xD5,0x82,0x53,0xEF,0xF2,0x16,0xA4,0xD5,0x07,0xE2,0xA7,0x7A,0x5E,0xD5,
+ 0x5A,0x4F,0x58,0x88,0xF7,0xEB,0x1B,0x58,0x91,0x6D,0x4E,0xD8,0xCC,0x9F,0xA6,0x98,
+ 0x05,0xE6,0xFB,0xC2,0x55,0xCA,0xD9,0x7E,0xC8,0xAA,0xC2,0x92,0xC1,0x73,0xBB,0xEC,
+ 0x89,0x51,0x1C,0x6B,0x0C,0xE5,0x7D,0xF8,0x54,0xBE,0xF7,0x67,0x8C,0xEE,0xE4,0xBB,
+ 0xFF,0xB9,0x15,0x4F,0xD7,0x1B,0x76,0xF7,0x37,0xEF,0xB0,0xA0,0x2A,0x22,0x4D,0x4B,
+ 0x2A,0xDE,0x3D,0x37,0x28,0x4A,0x79,0xF6,0xC7,0xE3,0x51,0xEC,0xC4,0x2F,0xDA,0xC1,
+ 0xBA,0x1A,0xFF,0xDD,0x43,0x2A,0x44,0xD4,0x94,0xDC,0xEE,0xDB,0xC3,0xF2,0xB4,0x76,
+ 0x01,0xF7,0x69,0x48,0x11,0x67,0xAC,0x3C,0x1C,0xE0,0xEF,0x88,0x77,0x70,0x66,0x39,
+ 0x17,0xAA,0xD8,0x2C,0x67,0xE3,0xC3,0x2B,0xCD,0xC4,0xB9,0xC8,0xCD,0xA9,0xA4,0xC1,
+ 0x24,0xDF,0x8E,0x4D,0xE0,0x03,0x1E,0x40,0xAB,0xDD,0x10,0xE7,0xB5,0x93,0x1F,0xF2,
+ 0xC9,0xCC,0x91,0x3A,0x8D,0x52,0xC9,0x3D,0x7D,0x4D,0xA0,0xBB,0x02,0x03,0x01,0x00,
+ 0x01,0xA3,0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,
+ 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,
+ 0x04,0x04,0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
+ 0x14,0xE7,0xC3,0x06,0x5B,0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B,
+ 0x78,0xD4,0x68,0xC5,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,
+ 0x80,0x14,0x4D,0xA5,0xDB,0xEF,0x4F,0xCD,0x74,0xE6,0x2A,0xB1,0xDC,0x5C,0xBE,0x12,
+ 0x04,0x94,0xEC,0x4A,0x66,0xD3,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,
+ 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x08,0xDC,0x9E,0xA4,0x60,0xDF,
+ 0x04,0x27,0xB5,0x01,0x63,0xDA,0xE3,0x6C,0x58,0x1D,0xB8,0xE8,0x17,0x06,0x4F,0x86,
+ 0xC8,0x97,0x65,0xF5,0x6D,0x39,0x51,0x0F,0xD4,0xF9,0xAD,0xCF,0x8C,0x08,0x7C,0xAC,
+ 0x26,0xD1,0x43,0xB2,0x79,0x7E,0x13,0xCD,0xF2,0x9D,0x30,0xC4,0x63,0xF2,0x5E,0x72,
+ 0x1A,0x0F,0x41,0x47,0x69,0x98,0x00,0xF0,0x4D,0x93,0x44,0x8A,0x26,0xDE,0x24,0xC0,
+ 0x66,0xA3,0xB0,0x20,0xAD,0x33,0xEB,0xF2,0x0A,0xDD,0x65,0xF4,0x9D,0x29,0x10,0x88,
+ 0x5B,0xFF,0x1C,0x76,0x71,0x42,0xE9,0x6F,0xBD,0xAE,0xA6,0xBB,0x4B,0xFF,0x30,0xA0,
+ 0x6E,0x47,0x85,0x12,0x6E,0x81,0xFC,0xB0,0x51,0x5F,0xB4,0xE9,0xCC,0x83,0x0E,0xC5,
+ 0xEC,0x41,0x6F,0x28,0x28,0xF0,0x51,0x4A,0x42,0x7C,0xCF,0xAE,0x8B,0xD8,0x09,0x44,
+ 0x32,0x27,0x07,0x57,0x86,0x1B,0xB6,0xF3,0xAF,0xCA,0x1C,0x2F,0xDD,0x1C,0x58,0x17,
+ 0xF4,0x13,0xA3,0x4F,0x72,0x60,0x71,0x39,0xEE,0x8E,0xF2,0x9D,0x40,0xCA,0x39,0x63,
+ 0xFD,0x1F,0x8C,0x2C,0xFD,0x62,0xA8,0x0E,0xC3,0x04,0x62,0x9D,0x79,0x11,0xD2,0x5C,
+ 0x09,0xE5,0x27,0x50,0x3A,0x62,0x93,0xC5,0xA5,0x60,0xFB,0xE5,0x7F,0xB6,0x46,0xD5,
+ 0xA8,0xF8,0x38,0x05,0x94,0xCD,0x47,0x5B,0xA0,0xA4,0x67,0xB8,0x81,0x99,0xA2,0x92,
+ 0xEB,0x13,0x37,0x56,0xD6,0xAC,0x80,0xA6,0x7F,0x1A,0xBB,0x14,0x68,0x72,0x04,0xBD,
+ 0xD7,0xEE,0x8F,0x48,0x56,0xC7,0xDF,0x86,0xBB,0x76,0xE4,0xE3,0xE3,0x46,0xF3,0x8B,
+ 0x51,0x22,0xD6,0xD2,0xB9,0xAA,0x15,0xA2,0xB4,0xAC,
+};
+
+/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing Intermediate CA 1 */
+/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */
+/* Not Before: Dec 1 00:01:00 2016 GMT */
+/* X509v3 Subject Key Identifier: E7:C3:06:5B:22:E0:EC:DA:8C:80:00:D9:0C:AC:0B:78:D4:68:C5:B7 */
+unsigned char _datetest_after_int[1050]={
+ 0x30,0x82,0x04,0x16,0x30,0x82,0x02,0xFE,0xA0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
+ 0x9A,0x17,0xF8,0x6F,0x33,0x3D,0xAB,0x4C,0xD3,0xFB,0x3A,0x6D,0xCF,0x05,0x94,0xEE,
+ 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,
+ 0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,
+ 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,
+ 0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,
+ 0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,
+ 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,
+ 0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,
+ 0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x1E,0x30,0x1C,
+ 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,
+ 0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,
+ 0x31,0x36,0x31,0x32,0x30,0x31,0x30,0x30,0x30,0x31,0x30,0x30,0x5A,0x17,0x0D,0x31,
+ 0x37,0x31,0x30,0x31,0x32,0x32,0x30,0x33,0x34,0x34,0x38,0x5A,0x30,0x81,0x9C,0x31,
+ 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,
+ 0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,
+ 0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,
+ 0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,
+ 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,
+ 0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,
+ 0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06,0x03,0x55,
+ 0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74,
+ 0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,0x72,0x6D,
+ 0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x82,0x01,0x22,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
+ 0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xF0,0xCB,0x1D,0x6C,
+ 0x7D,0xC1,0x90,0xB7,0xD9,0xB5,0x66,0x61,0x5E,0x34,0x76,0x14,0xFA,0xF8,0xB4,0xE1,
+ 0x6D,0x67,0xB0,0x9E,0xB9,0x93,0xB0,0xBE,0x15,0xA4,0xAB,0x76,0x23,0x0D,0x5C,0xC0,
+ 0x4D,0xB6,0x9F,0xCC,0x9B,0x3A,0x7E,0x50,0x13,0xE6,0x46,0x39,0xB1,0xE9,0x5F,0xB3,
+ 0xD7,0x86,0xA4,0x23,0xA5,0x27,0xDC,0x20,0x6A,0x64,0xD8,0x0A,0xCD,0x5F,0xEE,0x40,
+ 0x16,0xCE,0x4D,0xB9,0xCF,0xA2,0x62,0xC8,0x01,0x70,0x7F,0x8D,0x42,0x46,0xB1,0xF2,
+ 0x80,0x57,0xD5,0x82,0x53,0xEF,0xF2,0x16,0xA4,0xD5,0x07,0xE2,0xA7,0x7A,0x5E,0xD5,
+ 0x5A,0x4F,0x58,0x88,0xF7,0xEB,0x1B,0x58,0x91,0x6D,0x4E,0xD8,0xCC,0x9F,0xA6,0x98,
+ 0x05,0xE6,0xFB,0xC2,0x55,0xCA,0xD9,0x7E,0xC8,0xAA,0xC2,0x92,0xC1,0x73,0xBB,0xEC,
+ 0x89,0x51,0x1C,0x6B,0x0C,0xE5,0x7D,0xF8,0x54,0xBE,0xF7,0x67,0x8C,0xEE,0xE4,0xBB,
+ 0xFF,0xB9,0x15,0x4F,0xD7,0x1B,0x76,0xF7,0x37,0xEF,0xB0,0xA0,0x2A,0x22,0x4D,0x4B,
+ 0x2A,0xDE,0x3D,0x37,0x28,0x4A,0x79,0xF6,0xC7,0xE3,0x51,0xEC,0xC4,0x2F,0xDA,0xC1,
+ 0xBA,0x1A,0xFF,0xDD,0x43,0x2A,0x44,0xD4,0x94,0xDC,0xEE,0xDB,0xC3,0xF2,0xB4,0x76,
+ 0x01,0xF7,0x69,0x48,0x11,0x67,0xAC,0x3C,0x1C,0xE0,0xEF,0x88,0x77,0x70,0x66,0x39,
+ 0x17,0xAA,0xD8,0x2C,0x67,0xE3,0xC3,0x2B,0xCD,0xC4,0xB9,0xC8,0xCD,0xA9,0xA4,0xC1,
+ 0x24,0xDF,0x8E,0x4D,0xE0,0x03,0x1E,0x40,0xAB,0xDD,0x10,0xE7,0xB5,0x93,0x1F,0xF2,
+ 0xC9,0xCC,0x91,0x3A,0x8D,0x52,0xC9,0x3D,0x7D,0x4D,0xA0,0xBB,0x02,0x03,0x01,0x00,
+ 0x01,0xA3,0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,
+ 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,
+ 0x04,0x04,0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
+ 0x14,0xE7,0xC3,0x06,0x5B,0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B,
+ 0x78,0xD4,0x68,0xC5,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,
+ 0x80,0x14,0x4D,0xA5,0xDB,0xEF,0x4F,0xCD,0x74,0xE6,0x2A,0xB1,0xDC,0x5C,0xBE,0x12,
+ 0x04,0x94,0xEC,0x4A,0x66,0xD3,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,
+ 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x82,0xDE,0x0F,0x06,0xD4,0xC3,
+ 0x55,0xD1,0xC9,0x9A,0xDF,0x87,0x69,0xA8,0xA2,0x11,0x12,0x73,0xF4,0x8B,0x98,0x02,
+ 0xA6,0xE0,0xB1,0x11,0x0E,0xEB,0xC3,0x3B,0x1D,0x8B,0xBF,0x45,0x4B,0x24,0xEA,0x7A,
+ 0xEF,0x70,0x2A,0xAB,0xE4,0xB6,0xA1,0xB1,0x66,0x5E,0x12,0x09,0x49,0x93,0x6A,0x4B,
+ 0x3A,0x10,0xD1,0xEE,0xA0,0x6D,0xC7,0x19,0x5B,0xE0,0x75,0x2F,0x3F,0xFB,0x66,0x1F,
+ 0x91,0x86,0x30,0x5A,0xC6,0x77,0xED,0x06,0x85,0xF8,0x65,0x96,0x48,0x30,0x32,0x25,
+ 0x93,0x59,0x51,0x2D,0x7D,0x20,0x12,0x9A,0x87,0x07,0x40,0x8C,0x8F,0x81,0xD8,0xF8,
+ 0xF2,0xF2,0x3E,0xF3,0xF3,0xC8,0x7D,0x7A,0xAA,0xE3,0xF7,0xCD,0x9D,0x69,0x6F,0x85,
+ 0x15,0xCD,0x18,0xC0,0xBB,0x6E,0x27,0xAD,0xD3,0x9A,0xD2,0x6A,0x42,0x02,0x0C,0xDB,
+ 0xF5,0x0C,0x85,0xC3,0xB3,0xDB,0x4C,0x28,0x61,0x82,0xC8,0x88,0x44,0x95,0x08,0xBE,
+ 0x24,0x07,0xEA,0xD2,0x4C,0x0A,0xA9,0x2E,0x47,0x28,0xDE,0xF3,0x24,0xDC,0x22,0x57,
+ 0xA4,0x5D,0x04,0x22,0x28,0xC6,0x4F,0xBD,0x2E,0xB7,0xD4,0x2C,0x06,0x0E,0x22,0xF5,
+ 0x05,0xA6,0x76,0x8E,0x77,0xFD,0x1C,0xA1,0x4E,0x10,0x1D,0x82,0x74,0x73,0x06,0x47,
+ 0xC2,0xD2,0xF7,0x59,0xD5,0xBF,0x64,0x77,0xBB,0x47,0x15,0x23,0x4B,0x78,0x7C,0x51,
+ 0x34,0xF0,0xF7,0x04,0xE1,0x5C,0xED,0x28,0x55,0x7B,0xC1,0x07,0x52,0x2A,0x86,0x48,
+ 0xEB,0x8C,0xC2,0x55,0x56,0xDA,0x98,0xF3,0x5C,0x8F,0x21,0x70,0xDD,0xFB,0xA4,0x61,
+ 0x2F,0x57,0xE7,0x0B,0x70,0x2F,0x00,0x72,0x79,0x3C,
+};
+
+/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Testing Before Leaf */
+/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing Intermediate CA 1 */
+/* Not Before: Oct 15 00:00:00 2016 GMT */
+unsigned char _datetest_before_leaf[1109]={
+ 0x30,0x82,0x04,0x51,0x30,0x82,0x03,0x39,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x4C,
+ 0x3E,0x59,0xB4,0xB4,0x96,0x67,0xC6,0x13,0xB0,0xB4,0x67,0x03,0xB9,0x27,0xAE,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,
+ 0x9C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,
+ 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,
+ 0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,
+ 0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,
+ 0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,
+ 0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,
+ 0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06,
+ 0x03,0x55,0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,
+ 0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,
+ 0x72,0x6D,0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x1E,0x17,
+ 0x0D,0x31,0x36,0x31,0x30,0x31,0x35,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,
+ 0x31,0x37,0x31,0x30,0x31,0x32,0x31,0x38,0x33,0x38,0x30,0x38,0x5A,0x30,0x81,0x91,
+ 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,
+ 0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,
+ 0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,
+ 0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,
+ 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,
+ 0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,
+ 0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x25,0x30,0x23,0x06,0x03,
+ 0x55,0x04,0x03,0x0C,0x1C,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x54,0x65,
+ 0x73,0x74,0x69,0x6E,0x67,0x20,0x42,0x65,0x66,0x6F,0x72,0x65,0x20,0x4C,0x65,0x61,
+ 0x66,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,
+ 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,
+ 0x01,0x00,0xB5,0x10,0x30,0xBE,0xE6,0x80,0x11,0x8B,0x5B,0xD8,0xDD,0xFE,0x66,0x19,
+ 0x8A,0xBC,0x01,0x29,0xA8,0x85,0x25,0xDB,0xF0,0x33,0xA9,0x5F,0x34,0xFC,0x7A,0xB7,
+ 0x19,0xD1,0x4A,0x7C,0xC9,0xBE,0x9C,0x8E,0xD3,0xB6,0xAA,0x48,0x97,0x53,0xBF,0x20,
+ 0x1D,0x81,0xAC,0x87,0xCA,0x60,0xC0,0xD5,0xC5,0x9E,0x86,0x48,0xA4,0xBD,0xB2,0x9E,
+ 0x88,0x92,0x2C,0x6C,0x8D,0xAC,0xC5,0x65,0x6C,0x5C,0x38,0x4E,0x1A,0xDC,0x00,0x70,
+ 0xCA,0x68,0x33,0x38,0x10,0xE0,0x5F,0xAC,0x8C,0x47,0x73,0xA5,0xC6,0xC7,0x2C,0x4C,
+ 0xB8,0xBB,0xE7,0x6C,0x42,0x6C,0x11,0x8C,0x2C,0x5E,0xBC,0x4C,0x87,0x1E,0xDE,0x2C,
+ 0xDE,0x40,0x7E,0xB9,0x32,0x7D,0x73,0x5B,0xF8,0x59,0x50,0x71,0x1E,0x43,0x06,0x89,
+ 0x09,0xC3,0x3B,0xC2,0xEB,0xD5,0x26,0x50,0x0D,0x98,0x09,0xE7,0x50,0x39,0x87,0x3C,
+ 0x06,0x5E,0xFF,0x4E,0xD4,0x9C,0x53,0xF9,0xBD,0x3E,0x5E,0x73,0x8B,0xBC,0xE5,0x3E,
+ 0xD2,0x96,0x4D,0xE5,0x1E,0x24,0x3D,0x34,0xA8,0x7C,0xB9,0x55,0xC0,0xA6,0x61,0x69,
+ 0xC2,0xCF,0x1F,0x67,0x45,0xC6,0x3A,0x56,0x1F,0xD2,0x93,0x32,0x3F,0x1A,0x60,0x6B,
+ 0x5B,0xCD,0x1A,0x6D,0x54,0x8C,0xF4,0x3F,0x4D,0x2B,0xA8,0xE7,0x2D,0xF8,0x12,0x39,
+ 0xCC,0xE6,0x41,0x35,0xD0,0x27,0xE5,0x20,0x15,0xFD,0xF0,0xC4,0xDF,0x7C,0x13,0x65,
+ 0x1B,0xD8,0x54,0x9D,0x68,0xDC,0xAA,0x51,0xD3,0x6C,0x4F,0x6C,0x16,0x83,0xC6,0x3F,
+ 0xF9,0x95,0xFF,0xE6,0x4B,0x23,0x4B,0xE1,0x5D,0x02,0xC5,0x14,0x03,0x3A,0x0A,0xFB,
+ 0xAB,0x1B,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x97,0x30,0x81,0x94,0x30,0x0C,0x06,
+ 0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55,
+ 0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,
+ 0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,
+ 0x30,0x1F,0x06,0x03,0x55,0x1D,0x11,0x04,0x18,0x30,0x16,0x82,0x14,0x74,0x65,0x73,
+ 0x74,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,
+ 0x6D,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x52,0xBB,0x5E,0x78,
+ 0x5F,0x54,0xE6,0xD9,0x56,0x8B,0xE9,0x31,0xE7,0x9A,0x68,0xF2,0x96,0xB5,0x34,0xA4,
+ 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE7,0xC3,0x06,
+ 0x5B,0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B,0x78,0xD4,0x68,0xC5,
+ 0xB7,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,
+ 0x03,0x82,0x01,0x01,0x00,0x2B,0x8A,0xFF,0xC4,0x3F,0x5C,0x0C,0x98,0x78,0x65,0xC2,
+ 0x5C,0x41,0x26,0xA1,0x1F,0x08,0xAB,0x6C,0xB2,0xF9,0xF3,0x6C,0x71,0xDA,0xD6,0xCB,
+ 0x40,0x2C,0xE8,0xA2,0x06,0x66,0xF0,0xD0,0x93,0x7B,0x0A,0x29,0xBB,0x9C,0x12,0xF5,
+ 0xE0,0xFF,0xC5,0x58,0xB2,0x95,0x25,0x29,0x1E,0x8B,0xFE,0xCC,0x8F,0xC7,0x5E,0x76,
+ 0x58,0x5E,0x27,0x29,0x47,0xC4,0x1B,0xC1,0xEB,0x22,0x2E,0xDB,0xE2,0x7F,0x38,0x09,
+ 0x14,0xAC,0x94,0xF6,0xFB,0x16,0x21,0x08,0x11,0x20,0x2B,0x2A,0xB5,0x22,0xD3,0x31,
+ 0x43,0xB0,0x4E,0xE8,0x33,0x3B,0xDC,0x10,0x56,0xDE,0x55,0xC8,0x9A,0x31,0x6C,0x52,
+ 0x6D,0xE9,0x79,0x70,0xEB,0xCD,0xD8,0x27,0x32,0xF6,0x30,0x7D,0x48,0xAF,0xB5,0xD8,
+ 0xBD,0xF3,0x68,0xEC,0xB0,0x7F,0x5A,0x52,0x9A,0x5A,0xF1,0x8E,0xCD,0x94,0x37,0x16,
+ 0xA2,0x75,0x3C,0x0E,0xDA,0xDE,0x12,0x33,0xAE,0x04,0xAB,0x27,0xDE,0xD1,0x60,0x13,
+ 0x0C,0x67,0x07,0x2A,0x7C,0xF2,0x46,0x74,0x3C,0x79,0x9B,0x6D,0xF3,0x2D,0x2E,0x69,
+ 0xDD,0xF4,0xEA,0xEC,0xD2,0xDD,0x85,0x79,0x77,0xCD,0x20,0xA9,0x19,0x3F,0x99,0xBB,
+ 0xA4,0x8A,0x78,0xBE,0x0E,0xEC,0xB9,0x91,0xAD,0xB6,0xFC,0xFB,0xCF,0xCF,0x71,0xBF,
+ 0x3C,0x13,0x2F,0xEB,0xD8,0xC8,0x22,0xC3,0x07,0xBB,0xCB,0x95,0x39,0xD4,0x61,0xDF,
+ 0x4F,0x87,0x41,0xCA,0xDD,0xD8,0x54,0xD7,0xDE,0x9C,0x13,0xF6,0x69,0x90,0xEE,0xE8,
+ 0xF8,0x0B,0x83,0x38,0x31,0x4C,0x67,0x96,0xF6,0x4A,0x77,0x00,0x41,0x11,0x91,0x77,
+ 0xC2,0x05,0x60,0x30,0x8C,
+};
+
+/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Testing After Leaf */
+/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing Intermediate CA 1 */
+/* Not Before: Dec 1 00:01:00 2016 GMT */
+unsigned char _datetest_after_leaf[1108]={
+ 0x30,0x82,0x04,0x50,0x30,0x82,0x03,0x38,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x4C,
+ 0x3E,0x59,0xB4,0xB4,0x96,0x67,0xC6,0x13,0xB0,0xB4,0x67,0x03,0xB9,0x27,0xAF,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,
+ 0x9C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,
+ 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,
+ 0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,
+ 0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,
+ 0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,
+ 0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,
+ 0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06,
+ 0x03,0x55,0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,
+ 0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,
+ 0x72,0x6D,0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x1E,0x17,
+ 0x0D,0x31,0x36,0x31,0x32,0x30,0x31,0x30,0x30,0x30,0x31,0x30,0x30,0x5A,0x17,0x0D,
+ 0x31,0x37,0x31,0x30,0x31,0x32,0x31,0x38,0x33,0x38,0x34,0x37,0x5A,0x30,0x81,0x90,
+ 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,
+ 0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,
+ 0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,
+ 0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,
+ 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,
+ 0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,
+ 0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x24,0x30,0x22,0x06,0x03,
+ 0x55,0x04,0x03,0x0C,0x1B,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x54,0x65,
+ 0x73,0x74,0x69,0x6E,0x67,0x20,0x41,0x66,0x74,0x65,0x72,0x20,0x4C,0x65,0x61,0x66,
+ 0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,
+ 0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,
+ 0x00,0xE9,0xD1,0x18,0x04,0x41,0x52,0x27,0x4F,0x91,0x31,0xBD,0xF2,0x9F,0x11,0x8F,
+ 0x50,0xF6,0x5C,0xD2,0x6F,0x8B,0x7F,0xDA,0x20,0x50,0x92,0x7F,0x7D,0x61,0x6E,0x52,
+ 0x74,0xE1,0x66,0x14,0x70,0xAD,0x9E,0x84,0xF2,0x71,0x23,0xC7,0xC6,0xFD,0x58,0xE3,
+ 0x5B,0x37,0xFF,0x8F,0x72,0xC9,0x4D,0x71,0x20,0xA0,0x7F,0x23,0xD5,0xF5,0xC1,0x37,
+ 0x01,0x57,0x1C,0x8F,0x8E,0xD1,0x59,0xED,0x26,0x41,0xED,0xE7,0x47,0x86,0xCE,0xBB,
+ 0x27,0x45,0xAC,0x08,0x51,0xAB,0x3E,0xD8,0x92,0x98,0x6D,0x88,0x24,0xD1,0x56,0x8D,
+ 0xED,0x81,0xCE,0xBA,0x8F,0x9E,0x8E,0x9E,0x81,0x29,0xC5,0x9C,0x32,0x75,0xC6,0x5D,
+ 0xDE,0x1E,0x61,0x38,0xD7,0x89,0x41,0x17,0xAC,0xDC,0xB9,0x98,0xC4,0x7E,0xA7,0xC0,
+ 0x3B,0xB9,0xF2,0xA0,0xB0,0x88,0x3E,0x84,0xBC,0x28,0x1D,0x5B,0x35,0x92,0xCC,0xCB,
+ 0x9B,0x4E,0xD3,0xF2,0x2F,0x9B,0x77,0xC5,0xB1,0x08,0x18,0x86,0xF1,0x1E,0x47,0xDD,
+ 0x9A,0x94,0x5E,0xEF,0xE7,0x32,0xAD,0xD0,0x3C,0x65,0x81,0x5D,0xD7,0x94,0x56,0xCA,
+ 0x95,0xEA,0x4C,0x87,0xE1,0x48,0xC0,0xB9,0xA7,0x23,0xED,0x0F,0xFC,0x56,0x38,0x10,
+ 0x4E,0x7F,0xB3,0x73,0x0B,0x3A,0xCB,0xB9,0x89,0x15,0xA9,0xBD,0x81,0xB9,0x9F,0xD9,
+ 0x53,0x2E,0x73,0x95,0x2D,0xA9,0x81,0x85,0xA7,0xC2,0x0B,0xA2,0xDE,0x6F,0x41,0x72,
+ 0x05,0x50,0xE5,0xB4,0x10,0xD4,0xE7,0xF2,0x76,0x48,0xCC,0x2A,0x2C,0x44,0x74,0xF1,
+ 0x5E,0x0A,0xB5,0x02,0x55,0x25,0x54,0x29,0x92,0x6F,0x0A,0x78,0x33,0xBB,0x8C,0x01,
+ 0x1F,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x97,0x30,0x81,0x94,0x30,0x0C,0x06,0x03,
+ 0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,
+ 0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,0x1D,
+ 0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,
+ 0x1F,0x06,0x03,0x55,0x1D,0x11,0x04,0x18,0x30,0x16,0x82,0x14,0x74,0x65,0x73,0x74,
+ 0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,
+ 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x1F,0xBA,0x32,0x4F,0x63,
+ 0xBA,0x31,0x1E,0xA3,0x91,0xFC,0x59,0x84,0x62,0xA9,0x52,0x22,0xC6,0xF1,0xAB,0x30,
+ 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE7,0xC3,0x06,0x5B,
+ 0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B,0x78,0xD4,0x68,0xC5,0xB7,
+ 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,
+ 0x82,0x01,0x01,0x00,0x86,0xFF,0xC5,0xB6,0xB6,0x57,0x9A,0x6B,0xA3,0x83,0xFA,0x97,
+ 0xA3,0xCB,0x4F,0xA3,0x44,0xB9,0x0A,0x89,0xC7,0x09,0xE3,0x9F,0x61,0x45,0x80,0x11,
+ 0x1C,0x8F,0x81,0x12,0x96,0x55,0x91,0xD7,0x93,0x70,0x7A,0x24,0x1D,0xA5,0xFE,0x8C,
+ 0xD9,0x0C,0x74,0x2A,0xB8,0x0C,0xF9,0xBC,0xA7,0xFE,0xC8,0x03,0x1F,0xC8,0x55,0xEF,
+ 0xC2,0x54,0x81,0x4D,0xA1,0x88,0x1F,0x88,0x74,0x12,0xE3,0xA2,0x58,0x9D,0x66,0x89,
+ 0x8F,0xBB,0x0F,0xB7,0xE5,0x9F,0xF0,0x81,0x0E,0xFC,0x0E,0x3D,0x33,0xB1,0x9D,0xDD,
+ 0x82,0x3E,0xF8,0xF2,0x10,0x50,0x1B,0xEB,0x19,0x44,0x5F,0x74,0x2E,0x98,0x68,0x3C,
+ 0xF7,0x08,0x2F,0x8B,0xB7,0x67,0x14,0xC5,0xC1,0x33,0xBB,0xA8,0xDF,0x47,0xFE,0x3D,
+ 0x24,0x36,0xD3,0xA7,0x8F,0xAC,0x9E,0x2E,0x49,0xFC,0xB1,0x68,0x93,0x9E,0x10,0x99,
+ 0x35,0x7F,0xC6,0xBF,0xFD,0x90,0x32,0xCB,0x73,0x57,0x65,0x11,0xDF,0xEB,0x64,0x23,
+ 0xDD,0x67,0xCC,0x8A,0x00,0xDA,0x0F,0x09,0x66,0xEE,0x72,0xCC,0x73,0x93,0x92,0xC5,
+ 0x53,0xF4,0x60,0xF1,0xAB,0x3E,0x8B,0x4B,0xEF,0x2C,0xCF,0xDA,0x70,0x4D,0x50,0xB0,
+ 0x10,0x87,0x97,0x87,0x26,0xA2,0x39,0x16,0xD2,0xEA,0xDC,0x42,0xE7,0xF0,0xED,0x53,
+ 0xD5,0xFF,0x61,0x1E,0x93,0x22,0xD7,0x59,0xDA,0xAC,0xCD,0x81,0x9E,0xD8,0x72,0x13,
+ 0x52,0x6B,0xEE,0x86,0xA1,0x37,0x6C,0xBA,0xA2,0x60,0xB2,0xCC,0xA1,0x51,0xA8,0x57,
+ 0x80,0xCA,0x9C,0xAF,0x03,0xAB,0xBD,0xC3,0x13,0xAA,0x46,0xBD,0x3B,0x99,0xE6,0x6F,
+ 0x7B,0x93,0x90,0xB6,
+};
+
+#endif /* date_testing_certs_h */
--- /dev/null
+/*
+ * wosign_certs.c
+ * Security
+ *
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ */
+
+
+#ifndef wosign_certs_h
+#define wosign_certs_h
+
+
+/* subject:/C=RU/CN=telegram.im */
+/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
+/* Not After : Sep 3 23:57:19 2019 GMT */
+
+unsigned char leafOnAllowList_Cert[1719]={
+ 0x30,0x82,0x06,0xB3,0x30,0x82,0x05,0x9B,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x31,
+ 0x4E,0xCD,0xA3,0x65,0x0B,0x68,0x8D,0x7D,0x77,0xD3,0x5A,0x00,0x4A,0xC5,0x94,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
+ 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
+ 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
+ 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
+ 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72,
+ 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
+ 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x39,0x30,0x33,0x32,
+ 0x33,0x35,0x37,0x31,0x39,0x5A,0x17,0x0D,0x31,0x39,0x30,0x39,0x30,0x33,0x32,0x33,
+ 0x35,0x37,0x31,0x39,0x5A,0x30,0x23,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
+ 0x13,0x02,0x52,0x55,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x03,0x0C,0x0B,0x74,
+ 0x65,0x6C,0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x82,0x02,0x22,0x30,0x0D,
+ 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02,
+ 0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xCA,0xCD,0x7B,0x38,0x40,
+ 0x59,0xBD,0xD7,0x0D,0xB4,0xDA,0xA7,0x43,0x3F,0x64,0xE7,0xD5,0x88,0x4A,0xA3,0x7D,
+ 0xA1,0x8A,0x6C,0x3B,0x1B,0xE0,0xE4,0xE0,0x82,0xCD,0xD3,0x38,0x7D,0x6E,0x49,0x0F,
+ 0x56,0x2D,0xA7,0x3A,0x1D,0x7A,0x5C,0x48,0x0D,0x15,0xBD,0x68,0xC0,0x24,0xAE,0x9B,
+ 0x03,0x33,0x5E,0xBB,0x12,0x13,0x32,0xDA,0xAF,0xAD,0xEB,0x36,0x76,0x6F,0xBD,0x91,
+ 0xF0,0xC1,0xC6,0x14,0xE1,0xDA,0x88,0x32,0x47,0x26,0x5C,0x92,0x5D,0xE1,0xA4,0x3E,
+ 0x99,0xCD,0x5B,0xFB,0x92,0x3C,0xA9,0x56,0xEC,0x6B,0xA9,0xEB,0xB0,0x34,0x89,0x4B,
+ 0x96,0x1A,0x57,0x0D,0x5F,0x94,0x7C,0x25,0x67,0xCE,0xC0,0x6A,0xB1,0x73,0xE4,0xB3,
+ 0x56,0xD8,0xE9,0x09,0x4F,0x5D,0x91,0xBB,0x5E,0x6C,0x13,0xE7,0x18,0xDB,0x62,0x0D,
+ 0xDA,0xB9,0xCD,0x97,0xC1,0xD4,0x35,0x0F,0x1A,0x4B,0xCA,0xFC,0x9D,0x88,0xD1,0xE4,
+ 0xFC,0x1D,0x43,0x7E,0xE7,0x1A,0xEB,0xED,0x1F,0x7D,0x1F,0x2B,0xF9,0x3A,0x0D,0x06,
+ 0x03,0x3F,0x2D,0xAF,0xF4,0xDB,0xCC,0x91,0x7B,0xF7,0x9D,0xAA,0x13,0x41,0xC0,0x57,
+ 0x8F,0x3E,0xE2,0xCA,0x45,0x7D,0x35,0x1B,0x0C,0x51,0x53,0x81,0x05,0x74,0x88,0xA2,
+ 0x37,0x9B,0x26,0x34,0xAE,0x49,0xB6,0x97,0x9F,0x81,0xFB,0x45,0x7F,0x65,0x82,0x1F,
+ 0x8E,0xC1,0xF0,0xC0,0x63,0x1F,0x7B,0xE4,0x45,0xA7,0x4C,0x1C,0x09,0x10,0xF6,0x8A,
+ 0x81,0x8E,0x3B,0x6E,0xFF,0x15,0x53,0x9D,0x36,0x2F,0x52,0x01,0x0C,0x34,0x59,0x12,
+ 0x9C,0xCA,0xAF,0xF5,0x58,0x31,0x37,0xE6,0x44,0xE5,0x0D,0xDB,0x0F,0x43,0xA3,0x09,
+ 0x79,0x78,0x00,0x3D,0x7F,0x3B,0x2F,0xB8,0x28,0x58,0x79,0x35,0xEE,0xA1,0xDA,0x1B,
+ 0xF2,0x8F,0x9C,0xAB,0x3F,0x38,0xB5,0x88,0x85,0x78,0x48,0xAA,0x67,0x41,0x0A,0xAB,
+ 0x1D,0x89,0xE1,0x60,0x39,0x9A,0x6B,0x88,0xE3,0xB9,0x78,0x02,0x2F,0x74,0x58,0xDD,
+ 0xBD,0xEE,0x51,0x8E,0xA9,0x1E,0x5E,0xFD,0x84,0x2B,0x94,0x55,0x14,0xAE,0x68,0x71,
+ 0x73,0xC7,0xE3,0xAE,0x9E,0xD9,0x54,0xB4,0x6D,0xE1,0x9A,0x10,0x1A,0x51,0x68,0x13,
+ 0x8E,0x51,0x18,0xBF,0xA8,0x7C,0x1A,0x18,0x2C,0xCE,0xF6,0x56,0xFD,0x9E,0xDC,0x97,
+ 0xE8,0x95,0x08,0xDA,0xC6,0xBC,0x8C,0x9C,0xDC,0x70,0x45,0xFD,0xD2,0x3E,0x83,0xE3,
+ 0x01,0x23,0xD4,0x74,0x6D,0xFD,0x2B,0x55,0x97,0x99,0x96,0xEB,0xD3,0x2D,0x5A,0xA7,
+ 0xEF,0xC8,0x89,0x4C,0xA3,0xC1,0xDA,0x17,0xD0,0xDE,0x9C,0xB6,0xA3,0x1D,0x14,0x05,
+ 0x65,0xCA,0x5C,0x32,0xD0,0x58,0x62,0xAA,0x56,0x72,0x90,0x02,0xC0,0xFC,0xB6,0x85,
+ 0x5A,0x53,0xC2,0xC1,0x31,0xAE,0xD6,0xC8,0x54,0xBE,0x78,0xE2,0x44,0x41,0x58,0xC3,
+ 0xEE,0xA7,0x38,0x6D,0x4E,0xAF,0xF1,0xD2,0xD1,0xD9,0xB1,0x17,0x5D,0x10,0x00,0x1D,
+ 0x8A,0x07,0xF6,0x5C,0x2C,0x1D,0x2B,0xDB,0xDE,0x3C,0x5B,0x22,0xC4,0xBB,0x27,0xC6,
+ 0x5A,0x78,0x25,0x7A,0x8F,0x86,0x42,0x6A,0x82,0xD3,0x7C,0xCA,0x07,0x62,0x23,0x09,
+ 0x44,0xEE,0x3B,0xEF,0x0E,0xB7,0x1A,0xA4,0x4D,0xBB,0x93,0xFD,0x83,0xCD,0x67,0x22,
+ 0x4B,0xE9,0x37,0x23,0x99,0x3F,0xD7,0xD4,0xEE,0x5C,0x4B,0x02,0x03,0x01,0x00,0x01,
+ 0xA3,0x82,0x02,0xAF,0x30,0x82,0x02,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,
+ 0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,
+ 0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,
+ 0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,
+ 0x30,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x2A,0x36,0x37,
+ 0x39,0xD2,0xCA,0x66,0xB3,0xF8,0x12,0x94,0x78,0xB1,0xD9,0x18,0x1C,0x11,0xD9,0x7C,
+ 0xD7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,
+ 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,
+ 0xA8,0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,
+ 0x30,0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,
+ 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,
+ 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,
+ 0x65,0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,
+ 0x05,0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,
+ 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,
+ 0x2E,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,
+ 0x72,0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,
+ 0xA0,0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,
+ 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,
+ 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,
+ 0x30,0x16,0x06,0x03,0x55,0x1D,0x11,0x04,0x0F,0x30,0x0D,0x82,0x0B,0x74,0x65,0x6C,
+ 0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x4F,0x06,0x03,0x55,0x1D,0x20,0x04,
+ 0x48,0x30,0x46,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3A,0x06,
+ 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x01,0x01,0x02,0x30,0x2B,0x30,0x29,
+ 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70,
+ 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,
+ 0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x82,0x01,0x06,0x06,0x0A,0x2B,
+ 0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x81,0xF7,0x04,0x81,0xF4,0x00,
+ 0xF2,0x00,0x77,0x00,0x68,0xF6,0x98,0xF8,0x1F,0x64,0x82,0xBE,0x3A,0x8C,0xEE,0xB9,
+ 0x28,0x1D,0x4C,0xFC,0x71,0x51,0x5D,0x67,0x93,0xD4,0x44,0xD1,0x0A,0x67,0xAC,0xBB,
+ 0x4F,0x4F,0xFB,0xC4,0x00,0x00,0x01,0x56,0xF2,0x97,0xEB,0x40,0x00,0x00,0x04,0x03,
+ 0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xBC,0xC2,0x3C,0xA9,0x92,0x2F,0x3D,0x59,0x3C,
+ 0x82,0x38,0xD6,0x1A,0x83,0x95,0x04,0x15,0x1C,0x85,0x19,0x8F,0x12,0x33,0x01,0x1B,
+ 0xB1,0xCF,0xBE,0xE6,0xC1,0x6F,0xBE,0x02,0x21,0x00,0xB2,0x3B,0x8C,0xA0,0xB0,0x9C,
+ 0xCF,0xBA,0xFA,0x4E,0xBA,0xE7,0x95,0x85,0x89,0x5C,0xE1,0x5F,0x34,0x7A,0xA8,0xCB,
+ 0x19,0xC8,0x0C,0xED,0x3A,0xA4,0xE2,0x29,0xCD,0xBF,0x00,0x77,0x00,0xA4,0xB9,0x09,
+ 0x90,0xB4,0x18,0x58,0x14,0x87,0xBB,0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98,
+ 0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77,0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01,
+ 0x56,0xF2,0x97,0xEC,0x65,0x00,0x00,0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00,
+ 0x96,0x67,0x94,0x08,0x36,0x41,0xF7,0x3F,0x97,0x0B,0xAE,0xAB,0x2F,0xD4,0x0C,0xE5,
+ 0xFA,0x3F,0xB2,0x0B,0x4F,0x57,0x1C,0xDF,0x0A,0xF4,0xE7,0x04,0x59,0x1F,0x0D,0xEF,
+ 0x02,0x21,0x00,0xBC,0xB5,0xAD,0xF5,0x60,0x34,0x47,0xD5,0x23,0x08,0x12,0xDE,0x8F,
+ 0xC7,0xE9,0x14,0x0C,0x02,0x25,0x0B,0x6D,0xB8,0xBF,0x1C,0x0D,0x65,0xEC,0x86,0x9B,
+ 0x30,0x88,0x2F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,
+ 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3B,0x9A,0xD3,0xED,0xF3,0xA8,0x95,0x4E,0x35,
+ 0x96,0xFF,0xA4,0xF1,0x61,0xB1,0x97,0xCA,0xF1,0xC8,0xDC,0x82,0x51,0xB9,0x29,0x3D,
+ 0x77,0x59,0x96,0xF4,0x32,0x1F,0xCC,0xF9,0xC6,0x71,0x9E,0x6E,0xB4,0x83,0xFC,0xD9,
+ 0xBF,0x21,0x43,0xAF,0xEB,0xB1,0x37,0x36,0x91,0x26,0x72,0xF8,0xAA,0x3A,0x38,0xBE,
+ 0x51,0x27,0xBB,0x07,0x48,0x92,0x4E,0xFA,0xA0,0x5A,0x00,0x0D,0x81,0xCB,0x3B,0x17,
+ 0x4E,0x04,0x0A,0xF7,0x0E,0x53,0xCD,0xAC,0x5E,0xC8,0xA5,0xE3,0x31,0x6E,0x9F,0x45,
+ 0x65,0xA1,0x81,0x5C,0x98,0xF9,0x7E,0x07,0xC1,0x05,0x92,0xBD,0xCD,0xEA,0x5C,0xC7,
+ 0x0B,0xC1,0x22,0x8F,0x13,0x7E,0xA2,0xB5,0xE2,0x88,0xBF,0x00,0xF0,0xC5,0xCA,0x99,
+ 0xB2,0x59,0x9E,0x6E,0x71,0x35,0x49,0xC5,0xAF,0xAB,0x9B,0x80,0x2A,0xE1,0x8F,0x82,
+ 0x98,0x43,0x54,0x8D,0x7A,0x28,0x98,0xA4,0xAE,0xDE,0x29,0xCC,0x15,0xBF,0x2E,0x4F,
+ 0xD8,0x70,0x2E,0x8F,0xD8,0xE0,0xB9,0xC0,0x37,0x67,0x7A,0x29,0x35,0x0B,0xCD,0x7D,
+ 0xF9,0x59,0x4A,0x6C,0x1C,0x87,0x31,0x2C,0x85,0x83,0x08,0x4E,0xAB,0xED,0xA1,0xEF,
+ 0x76,0x90,0x32,0x71,0x6D,0xE6,0x13,0xE5,0x70,0xB8,0x7B,0xF3,0x6C,0x47,0x04,0xDE,
+ 0xCC,0x61,0x67,0x5D,0x98,0xC0,0xDB,0x7D,0x24,0x3D,0x60,0xA9,0x60,0x9D,0xD8,0xC7,
+ 0x27,0x8C,0x5F,0xA7,0x5A,0xE9,0x58,0x2C,0x2A,0x03,0x92,0xB6,0xF1,0x51,0xC6,0x1D,
+ 0xA4,0x7B,0xDF,0xE6,0xF3,0x1A,0xD4,0x23,0x6C,0x4E,0x8D,0x5F,0xFB,0x98,0xD2,0xB3,
+ 0x0B,0x73,0x41,0xB6,0x5C,0x84,0xEF,
+};
+
+/* subject:/CN=mmime.info */
+/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
+/* Not After : Sep 12 17:15:48 2016 GMT */
+
+unsigned char leafNotOnAllowList_Cert[1343]={
+ 0x30,0x82,0x05,0x3B,0x30,0x82,0x04,0x23,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x6A,
+ 0xC3,0x4F,0x8F,0xC7,0x97,0x97,0x53,0xE4,0x61,0x64,0x13,0xC4,0x2E,0x92,0x9B,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
+ 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
+ 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
+ 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
+ 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72,
+ 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
+ 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x39,0x31,0x32,0x31,
+ 0x37,0x31,0x35,0x34,0x38,0x5A,0x17,0x0D,0x31,0x36,0x30,0x39,0x31,0x32,0x31,0x37,
+ 0x31,0x35,0x34,0x38,0x5A,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,
+ 0x0C,0x0A,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x82,0x01,0x22,
+ 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,
+ 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB6,0x88,0xD4,
+ 0xC3,0xBE,0x56,0x7F,0xB1,0xF1,0x48,0x37,0x71,0x3F,0xC7,0x72,0x53,0x95,0x64,0xAC,
+ 0x60,0xF6,0x8C,0x01,0x15,0x2C,0xBD,0x6D,0x43,0x3F,0x8F,0x50,0x12,0x03,0x72,0x0C,
+ 0x0D,0x37,0xD7,0x00,0x13,0xEC,0x49,0xC5,0xCF,0x00,0xE1,0x84,0x01,0x8B,0x1A,0xD7,
+ 0x6D,0x8A,0xC7,0xB9,0xA7,0x3F,0x3A,0xE5,0xDD,0x1A,0xC9,0xCD,0x30,0xB5,0x74,0x0B,
+ 0xFD,0x3C,0x70,0x8D,0xCF,0xCC,0xB7,0xB7,0x52,0x95,0x47,0xDB,0x47,0x2F,0x9C,0x5C,
+ 0x06,0x6B,0x3D,0xA4,0xE5,0x42,0x6C,0x85,0x69,0xF3,0x35,0x07,0x3C,0xEF,0xA2,0xFB,
+ 0x81,0x3F,0xF6,0x1C,0x51,0x17,0xA6,0x19,0x70,0xF3,0x02,0x43,0x8C,0xC3,0x42,0xED,
+ 0xFE,0xF7,0x5F,0xD1,0xF3,0xBB,0x46,0xE9,0x11,0xB8,0x39,0x2E,0xE6,0x8E,0x00,0x48,
+ 0x66,0xDF,0x78,0xDE,0x1A,0x27,0x71,0xF1,0x13,0x37,0xC7,0x65,0xA0,0x03,0x41,0xF9,
+ 0xB2,0xE1,0x82,0x54,0x38,0x60,0x7E,0x1A,0x5A,0x77,0xC6,0x6E,0x9C,0x91,0x06,0x62,
+ 0x84,0xA6,0x91,0xF0,0x3E,0x10,0x4F,0x83,0x1D,0x87,0x94,0xEB,0x0F,0x14,0x91,0xEC,
+ 0x58,0xFC,0x15,0x60,0x16,0xF6,0xCD,0x88,0xF7,0x7C,0xE9,0x26,0x71,0x3C,0x14,0x3E,
+ 0xD0,0xE0,0x06,0x3B,0xC2,0xAC,0xC0,0x16,0x16,0x0B,0x43,0xD2,0x92,0x96,0x84,0xC9,
+ 0x65,0x6E,0xC9,0x76,0x8A,0xE3,0x5B,0x96,0xDE,0xB9,0x57,0xB0,0x7C,0xC2,0xE9,0x74,
+ 0x2D,0x6D,0x6F,0x58,0x23,0xC9,0xEB,0xB3,0x63,0xB6,0x18,0xC6,0xD6,0x6B,0xF0,0x88,
+ 0xAC,0x2D,0x3E,0x05,0x6D,0x00,0xC0,0x25,0x9A,0x4C,0x3E,0xFE,0xA5,0x02,0x03,0x01,
+ 0x00,0x01,0xA3,0x82,0x02,0x45,0x30,0x82,0x02,0x41,0x30,0x0B,0x06,0x03,0x55,0x1D,
+ 0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16,
+ 0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,0x06,
+ 0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,
+ 0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x3D,0xAB,0x6A,0xB5,
+ 0xCC,0x2F,0xFE,0x38,0x1F,0xEF,0x88,0xA0,0xF7,0xBC,0x2A,0x44,0xEA,0x9E,0xE6,0xBD,
+ 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,0x16,
+ 0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,0xA8,
+ 0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,0x30,
+ 0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,0x68,
+ 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x36,0x2E,0x77,0x6F,0x73,0x69,
+ 0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,0x65,
+ 0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
+ 0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x36,
+ 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2E,
+ 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,0x72,
+ 0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,0xA0,
+ 0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x36,0x2E,
+ 0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,0x73,
+ 0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,0x30,
+ 0x81,0xB6,0x06,0x03,0x55,0x1D,0x11,0x04,0x81,0xAE,0x30,0x81,0xAB,0x82,0x0A,0x6D,
+ 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0E,0x77,0x77,0x77,0x2E,0x6D,
+ 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x63,0x6C,0x6F,0x75,0x64,
+ 0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x12,0x77,0x65,0x62,
+ 0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,
+ 0x0E,0x76,0x70,0x6E,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,
+ 0x11,0x62,0x61,0x63,0x6B,0x75,0x70,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,
+ 0x66,0x6F,0x82,0x10,0x66,0x69,0x6C,0x65,0x73,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,
+ 0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,
+ 0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x73,0x68,0x61,0x72,0x65,0x2E,0x6D,0x6D,0x69,
+ 0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6E,0x65,0x77,0x73,0x2E,0x6D,0x6D,
+ 0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x51,0x06,0x03,0x55,0x1D,0x20,0x04,
+ 0x4A,0x30,0x48,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3C,0x06,
+ 0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,0x2B,
+ 0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,
+ 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,
+ 0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,0x2A,
+ 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x7A,
+ 0x93,0xB0,0x04,0xAB,0xCA,0x53,0x61,0x83,0xC4,0xDC,0x8B,0xE9,0xA5,0x62,0x46,0x9E,
+ 0x22,0x7A,0xBB,0x23,0x32,0xC9,0xC8,0x55,0xA7,0x87,0x53,0x68,0x61,0xF4,0x14,0x9B,
+ 0xA6,0xC1,0xC2,0x2D,0xF1,0xD6,0x2F,0x58,0x6D,0xCC,0xF9,0x47,0x4F,0x49,0x82,0xDD,
+ 0xFA,0x61,0xD4,0xE1,0x99,0xB3,0x1E,0x5A,0x44,0x1E,0xA3,0xC2,0x1E,0x83,0x4F,0x9C,
+ 0xB8,0xBC,0x25,0xCD,0x32,0x13,0xCA,0xA8,0xEC,0x17,0xD6,0xEB,0x96,0x38,0xFF,0x26,
+ 0xF7,0x76,0x85,0xA0,0x96,0x7C,0x70,0xCE,0xFC,0xBF,0x23,0x1D,0xF8,0xFB,0x0F,0x3E,
+ 0xA8,0x22,0xF4,0xE6,0x96,0xD7,0x38,0xF3,0xCE,0xA2,0xDE,0xD3,0xAA,0x11,0x61,0x2E,
+ 0x41,0xBF,0xE0,0xAD,0x65,0x88,0x06,0xB4,0x8E,0x45,0x38,0xEB,0x48,0xA5,0xEB,0xE6,
+ 0x88,0xD2,0x0D,0x83,0x8B,0x6A,0x2A,0x97,0xC6,0xBD,0x01,0x39,0x71,0x0A,0xDA,0xF3,
+ 0x2A,0x8D,0x7F,0x5C,0xCC,0xF0,0x05,0x17,0x99,0x98,0x11,0xD3,0x43,0x23,0xCE,0x91,
+ 0x55,0x02,0x7E,0x93,0x1B,0x37,0xE9,0x81,0x84,0x7D,0xEE,0x80,0x0D,0x69,0xF5,0x77,
+ 0x20,0x8B,0x39,0x7F,0x4E,0x52,0x94,0xED,0x07,0x76,0xF0,0xB6,0x12,0x39,0xDA,0xEB,
+ 0x80,0x42,0x02,0xD4,0xFE,0xE6,0x42,0xB7,0xC5,0xA8,0xEC,0xA6,0x83,0x9C,0x68,0x60,
+ 0x9A,0x52,0xF2,0x7F,0xF6,0x48,0x92,0x93,0x10,0x43,0xDE,0x5E,0x75,0x18,0x1B,0x22,
+ 0x12,0x3F,0xEB,0x7A,0x38,0x6E,0x73,0xBD,0x6A,0x2C,0xE6,0x07,0xEA,0xFC,0x50,0x31,
+ 0x54,0xC3,0x7B,0xD1,0x0B,0xC1,0x78,0x9D,0x6E,0xF2,0xAF,0x65,0xB9,0xF1,0xB5,
+};
+
+/* subject:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
+/* issuer :/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */
+/* Not After : Nov 8 00:58:58 2029 GMT */
+
+unsigned char ca1_Cert[1456]={
+ 0x30,0x82,0x05,0xAC,0x30,0x82,0x03,0x94,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x38,
+ 0xF6,0x45,0xC1,0xE2,0x5D,0x91,0x2C,0xCE,0x3B,0x2B,0x39,0x12,0x31,0x74,0x0D,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
+ 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
+ 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
+ 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
+ 0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,
+ 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x6F,0x66,0x20,0x57,
+ 0x6F,0x53,0x69,0x67,0x6E,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x31,0x30,0x38,0x30,
+ 0x30,0x35,0x38,0x35,0x38,0x5A,0x17,0x0D,0x32,0x39,0x31,0x31,0x30,0x38,0x30,0x30,
+ 0x35,0x38,0x35,0x38,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
+ 0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,
+ 0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,
+ 0x31,0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,
+ 0x6E,0x20,0x43,0x41,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,
+ 0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x47,0x32,0x30,0x82,0x01,0x22,
+ 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,
+ 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE3,0xB4,0x80,
+ 0x0E,0x6B,0x30,0x50,0x82,0x2F,0x1F,0xE7,0x9D,0xBF,0xF8,0x7C,0x42,0x25,0xED,0xAE,
+ 0x61,0xC4,0xEB,0x86,0x87,0x23,0x7F,0x11,0x1F,0xC0,0x93,0x5F,0x1B,0x92,0x90,0x1E,
+ 0x77,0x8C,0xBC,0x76,0xF7,0xFB,0x0A,0xA5,0xD5,0x7D,0xAC,0xDC,0x4B,0x18,0xD8,0x58,
+ 0x2E,0xDF,0x46,0x6B,0x34,0x0F,0x45,0x64,0x60,0x84,0xC2,0xEB,0x9A,0x0E,0x51,0xD4,
+ 0x2A,0x54,0x51,0x3E,0x27,0x3B,0x64,0x68,0x86,0x6F,0x7C,0x6B,0x00,0x3C,0x99,0xF6,
+ 0x4C,0xA8,0x45,0x27,0xAD,0xA5,0xCB,0x2B,0x37,0xED,0x59,0xC3,0x52,0x4C,0x4F,0xDE,
+ 0x34,0x9C,0xF2,0xB7,0xD1,0xFA,0x58,0xCB,0xE5,0x62,0x9E,0x55,0x46,0x5C,0xB7,0xC5,
+ 0x8D,0x38,0x24,0x35,0xEF,0x97,0x2C,0x7C,0x65,0x10,0x0D,0xEF,0x9F,0x97,0x08,0xD5,
+ 0xE5,0xB3,0x12,0x7A,0x92,0xDD,0xFE,0x88,0x0F,0x8F,0xA4,0xAF,0xBD,0xC5,0xD6,0x36,
+ 0xF7,0x41,0x1B,0xE8,0x59,0xDD,0x86,0xFF,0x35,0xBF,0xED,0xE4,0xD1,0xA0,0x93,0x6E,
+ 0x51,0xA8,0x99,0xCB,0xDF,0xDD,0xBE,0x71,0x88,0xC3,0xDA,0xB1,0x65,0xCC,0x7B,0x95,
+ 0xC4,0x66,0x8F,0xBE,0x4E,0x06,0x7F,0x9B,0x53,0x8C,0x6B,0x3C,0xCE,0x97,0x26,0x82,
+ 0x1F,0x17,0x30,0xBA,0x3F,0xC8,0xDE,0xCC,0x0B,0xA1,0xB4,0xEF,0x12,0x3D,0x93,0xCB,
+ 0x08,0x30,0xE7,0x1A,0x98,0x97,0x80,0x3A,0x26,0x84,0x8F,0xFE,0x73,0x74,0x95,0x53,
+ 0x0F,0x51,0xB2,0xAA,0x89,0x57,0xF4,0x96,0x40,0x72,0x13,0x1D,0xE4,0x67,0x98,0x4E,
+ 0x8F,0xC6,0x40,0x0B,0xF5,0x1D,0x0C,0x45,0x2D,0xE0,0xD5,0x92,0x83,0x02,0x03,0x01,
+ 0x00,0x01,0xA3,0x82,0x01,0x76,0x30,0x82,0x01,0x72,0x30,0x0E,0x06,0x03,0x55,0x1D,
+ 0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D,
+ 0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,
+ 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,
+ 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x30,0x06,
+ 0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86,0x1F,
+ 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,0x2E,0x77,0x6F,0x73,
+ 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,
+ 0x72,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x66,0x30,0x64,0x30,
+ 0x27,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,
+ 0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,
+ 0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x30,0x39,0x06,0x08,0x2B,0x06,0x01,0x05,
+ 0x05,0x07,0x30,0x02,0x86,0x2D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,
+ 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,
+ 0x67,0x32,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,
+ 0x63,0x65,0x72,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2,0xA7,
+ 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,
+ 0xA8,0xC7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE1,
+ 0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,
+ 0xFE,0xFB,0x3E,0x30,0x47,0x06,0x03,0x55,0x1D,0x20,0x04,0x40,0x30,0x3E,0x30,0x3C,
+ 0x06,0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,
+ 0x2B,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,
+ 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,
+ 0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,
+ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00,
+ 0x96,0x5A,0xDF,0x96,0x91,0x17,0x68,0x90,0x5D,0x2F,0xB4,0x32,0x15,0x80,0x03,0x03,
+ 0x0B,0xE9,0x1C,0xB7,0x73,0x6C,0xDA,0xA8,0xFA,0x94,0xDD,0xDD,0x3E,0x34,0x2B,0x2E,
+ 0x80,0x93,0x6C,0xFA,0xA6,0x67,0xD3,0x1B,0x7A,0x82,0x41,0xCE,0x9E,0xFF,0x3F,0xEF,
+ 0xB2,0x83,0x6A,0x9E,0xFC,0x32,0xFD,0x44,0xF3,0x82,0x66,0xAA,0xCF,0x44,0x2F,0xB3,
+ 0x37,0x41,0xF0,0x79,0x12,0xE3,0x02,0x27,0x86,0x48,0x92,0xBE,0xCF,0x56,0xD7,0xCB,
+ 0xD7,0xE7,0x1E,0x25,0x9D,0x41,0xDB,0x0A,0xE7,0x33,0x12,0x58,0xAD,0x95,0xD8,0x9E,
+ 0xD4,0xB7,0x95,0x29,0xBA,0xFE,0xFF,0xDF,0x80,0xA4,0x77,0x5B,0x15,0x62,0x0F,0x69,
+ 0xF8,0x87,0x6D,0x74,0xEA,0x85,0xA2,0x76,0x5D,0x9F,0x95,0x2E,0x03,0xBC,0x8A,0xF9,
+ 0x8A,0xAC,0x81,0x64,0x50,0xF2,0x0B,0x45,0x4B,0xEC,0x97,0x30,0x39,0x74,0xE5,0xA7,
+ 0x7E,0x16,0x24,0x62,0x2B,0x50,0xF1,0x5C,0xD8,0x4F,0xCD,0x2E,0xA2,0x18,0x25,0xA3,
+ 0xCE,0xF6,0x1F,0x60,0xDD,0x15,0xDE,0x20,0x15,0x1B,0x0E,0x7F,0xAF,0x85,0xD9,0x40,
+ 0xAC,0x07,0x2A,0x34,0xDD,0x51,0xB0,0x1A,0xA8,0xE6,0x0E,0x9F,0x5F,0xDB,0x46,0x70,
+ 0xE6,0xF5,0xD9,0x25,0x1C,0xF0,0x1D,0xE5,0x42,0xA1,0x2D,0x22,0x9D,0x6E,0x11,0xC9,
+ 0x8D,0xA6,0x65,0xBC,0x0E,0xAA,0x76,0x73,0xC8,0x56,0x60,0x2F,0xFB,0x3F,0x86,0xB9,
+ 0xA5,0xF5,0x33,0xEF,0xD5,0x13,0x1F,0x49,0x4C,0x38,0x07,0x9E,0x59,0x22,0x5A,0xC7,
+ 0x4E,0xD9,0x25,0x24,0xBA,0x53,0x70,0xFC,0x63,0x2A,0x54,0x51,0xEB,0xC3,0x4B,0x41,
+ 0x7D,0xE4,0xE8,0x3C,0x2C,0xA5,0x76,0x5A,0xBF,0xD9,0x4C,0xA8,0x0D,0xAE,0x52,0x6E,
+ 0xA5,0x5D,0x98,0x3D,0x6C,0x90,0x6D,0x78,0x1F,0xC3,0x70,0x95,0x86,0x07,0x3F,0x54,
+ 0xE3,0xEA,0x8A,0x81,0x64,0x62,0x9A,0x8F,0x31,0xAF,0x7B,0x2A,0x7E,0x92,0x22,0xC3,
+ 0x8E,0xCC,0x53,0xAC,0xC7,0x9C,0x99,0x11,0x2B,0x48,0x3F,0x52,0x71,0x2B,0x6E,0xC0,
+ 0xE1,0xB3,0x0A,0xE5,0x03,0x62,0xD7,0x89,0x18,0x28,0x4C,0x0A,0x8D,0x3F,0x0B,0x45,
+ 0x89,0x81,0x8B,0x88,0xA4,0x93,0xC2,0x7F,0x44,0xE5,0x1E,0x5B,0x40,0x00,0xFC,0x2F,
+ 0xCC,0x3B,0xF8,0x6A,0x79,0x31,0xFD,0x44,0x14,0xB6,0x8F,0x48,0x85,0x4C,0xAB,0x0A,
+ 0x9D,0xBB,0x37,0x0A,0xFC,0x51,0x19,0xE0,0xFE,0x59,0x6A,0x3B,0x8F,0x60,0x62,0xA7,
+ 0x07,0x82,0xAF,0x08,0x66,0xA0,0xF2,0xDA,0x60,0x02,0xEA,0xD8,0x34,0x7E,0x57,0x71,
+ 0xA1,0xB5,0xFE,0x69,0xD7,0xFB,0xDD,0x5A,0x9C,0xF3,0xFF,0xC4,0xEA,0xCD,0x74,0xFA,
+ 0x94,0x70,0xD3,0x58,0x92,0xCE,0xAF,0x12,0xE4,0x6E,0xEB,0xDD,0xB8,0xAF,0x1D,0xE2,
+ 0x65,0xD4,0x46,0xEA,0x0B,0x3E,0xE3,0x68,0x0E,0x0A,0x4C,0x27,0x83,0x50,0x91,0x06,
+ 0xC6,0x7B,0xF8,0xFA,0x9B,0x26,0xED,0x2C,0x0E,0x67,0xB8,0x6C,0xE5,0x2C,0x98,0x6D,
+ 0x5F,0x7A,0x28,0xC3,0x84,0x3C,0x03,0x0D,0xF7,0xE2,0x03,0xE1,0x94,0xC2,0x58,0x27,
+ 0xF8,0x4D,0x81,0x59,0x2F,0xF1,0x7C,0x61,0xC9,0x57,0x5D,0xBD,0xDC,0x9C,0x80,0xD0,
+ 0x64,0xDF,0x7C,0x87,0x78,0x85,0xE6,0x94,0x8B,0x70,0x8B,0x05,0x47,0xE4,0xC8,0x7B,
+};
+
+/* subject:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */
+/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
+/* Not After : Dec 31 23:59:59 2019 GMT */
+
+unsigned char ca2_Cert[1632]={
+ 0x30,0x82,0x06,0x5C,0x30,0x82,0x04,0x44,0xA0,0x03,0x02,0x01,0x02,0x02,0x07,0x19,
+ 0xC2,0x85,0x30,0xE9,0x3B,0x36,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,
+ 0x01,0x01,0x0B,0x05,0x00,0x30,0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
+ 0x13,0x02,0x49,0x4C,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,
+ 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,
+ 0x06,0x03,0x55,0x04,0x0B,0x13,0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,
+ 0x67,0x69,0x74,0x61,0x6C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,
+ 0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,
+ 0x04,0x03,0x13,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,
+ 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,
+ 0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x32,0x32,
+ 0x34,0x36,0x33,0x36,0x5A,0x17,0x0D,0x31,0x39,0x31,0x32,0x33,0x31,0x32,0x33,0x35,
+ 0x39,0x35,0x39,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
+ 0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,
+ 0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,
+ 0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,
+ 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,
+ 0x79,0x20,0x6F,0x66,0x20,0x57,0x6F,0x53,0x69,0x67,0x6E,0x30,0x82,0x02,0x22,0x30,
+ 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
+ 0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xBD,0xCA,0x8D,0xAC,
+ 0xB8,0x91,0x15,0x56,0x97,0x7B,0x6B,0x5C,0x7A,0xC2,0xDE,0x6B,0xD9,0xA1,0xB0,0xC3,
+ 0x10,0x23,0xFA,0xA7,0xA1,0xB2,0xCC,0x31,0xFA,0x3E,0xD9,0xA6,0x29,0x6F,0x16,0x3D,
+ 0xE0,0x6B,0xF8,0xB8,0x40,0x5F,0xDB,0x39,0xA8,0x00,0x7A,0x8B,0xA0,0x4D,0x54,0x7D,
+ 0xC2,0x22,0x78,0xFC,0x8E,0x09,0xB8,0xA8,0x85,0xD7,0xCC,0x95,0x97,0x4B,0x74,0xD8,
+ 0x9E,0x7E,0xF0,0x00,0xE4,0x0E,0x89,0xAE,0x49,0x28,0x44,0x1A,0x10,0x99,0x32,0x0F,
+ 0x25,0x88,0x53,0xA4,0x0D,0xB3,0x0F,0x12,0x08,0x16,0x0B,0x03,0x71,0x27,0x1C,0x7F,
+ 0xE1,0xDB,0xD2,0xFD,0x67,0x68,0xC4,0x05,0x5D,0x0A,0x0E,0x5D,0x70,0xD7,0xD8,0x97,
+ 0xA0,0xBC,0x53,0x41,0x9A,0x91,0x8D,0xF4,0x9E,0x36,0x66,0x7A,0x7E,0x56,0xC1,0x90,
+ 0x5F,0xE6,0xB1,0x68,0x20,0x36,0xA4,0x8C,0x24,0x2C,0x2C,0x47,0x0B,0x59,0x76,0x66,
+ 0x30,0xB5,0xBE,0xDE,0xED,0x8F,0xF8,0x9D,0xD3,0xBB,0x01,0x30,0xE6,0xF2,0xF3,0x0E,
+ 0xE0,0x2C,0x92,0x80,0xF3,0x85,0xF9,0x28,0x8A,0xB4,0x54,0x2E,0x9A,0xED,0xF7,0x76,
+ 0xFC,0x15,0x68,0x16,0xEB,0x4A,0x6C,0xEB,0x2E,0x12,0x8F,0xD4,0xCF,0xFE,0x0C,0xC7,
+ 0x5C,0x1D,0x0B,0x7E,0x05,0x32,0xBE,0x5E,0xB0,0x09,0x2A,0x42,0xD5,0xC9,0x4E,0x90,
+ 0xB3,0x59,0x0D,0xBB,0x7A,0x7E,0xCD,0xD5,0x08,0x5A,0xB4,0x7F,0xD8,0x1C,0x69,0x11,
+ 0xF9,0x27,0x0F,0x7B,0x06,0xAF,0x54,0x83,0x18,0x7B,0xE1,0xDD,0x54,0x7A,0x51,0x68,
+ 0x6E,0x77,0xFC,0xC6,0xBF,0x52,0x4A,0x66,0x46,0xA1,0xB2,0x67,0x1A,0xBB,0xA3,0x4F,
+ 0x77,0xA0,0xBE,0x5D,0xFF,0xFC,0x56,0x0B,0x43,0x72,0x77,0x90,0xCA,0x9E,0xF9,0xF2,
+ 0x39,0xF5,0x0D,0xA9,0xF4,0xEA,0xD7,0xE7,0xB3,0x10,0x2F,0x30,0x42,0x37,0x21,0xCC,
+ 0x30,0x70,0xC9,0x86,0x98,0x0F,0xCC,0x58,0x4D,0x83,0xBB,0x7D,0xE5,0x1A,0xA5,0x37,
+ 0x8D,0xB6,0xAC,0x32,0x97,0x00,0x3A,0x63,0x71,0x24,0x1E,0x9E,0x37,0xC4,0xFF,0x74,
+ 0xD4,0x37,0xC0,0xE2,0xFE,0x88,0x46,0x60,0x11,0xDD,0x08,0x3F,0x50,0x36,0xAB,0xB8,
+ 0x7A,0xA4,0x95,0x62,0x6A,0x6E,0xB0,0xCA,0x6A,0x21,0x5A,0x69,0xF3,0xF3,0xFB,0x1D,
+ 0x70,0x39,0x95,0xF3,0xA7,0x6E,0xA6,0x81,0x89,0xA1,0x88,0xC5,0x3B,0x71,0xCA,0xA3,
+ 0x52,0xEE,0x83,0xBB,0xFD,0xA0,0x77,0xF4,0xE4,0x6F,0xE7,0x42,0xDB,0x6D,0x4A,0x99,
+ 0x8A,0x34,0x48,0xBC,0x17,0xDC,0xE4,0x80,0x08,0x22,0xB6,0xF2,0x31,0xC0,0x3F,0x04,
+ 0x3E,0xEB,0x9F,0x20,0x79,0xD6,0xB8,0x06,0x64,0x64,0x02,0x31,0xD7,0xA9,0xCD,0x52,
+ 0xFB,0x84,0x45,0x69,0x09,0x00,0x2A,0xDC,0x55,0x8B,0xC4,0x06,0x46,0x4B,0xC0,0x4A,
+ 0x1D,0x09,0x5B,0x39,0x28,0xFD,0xA9,0xAB,0xCE,0x00,0xF9,0x2E,0x48,0x4B,0x26,0xE6,
+ 0x30,0x4C,0xA5,0x58,0xCA,0xB4,0x44,0x82,0x4F,0xE7,0x91,0x1E,0x33,0xC3,0xB0,0x93,
+ 0xFF,0x11,0xFC,0x81,0xD2,0xCA,0x1F,0x71,0x29,0xDD,0x76,0x4F,0x92,0x25,0xAF,0x1D,
+ 0x81,0xB7,0x0F,0x2F,0x8C,0xC3,0x06,0xCC,0x2F,0x27,0xA3,0x4A,0xE4,0x0E,0x99,0xBA,
+ 0x7C,0x1E,0x45,0x1F,0x7F,0xAA,0x19,0x45,0x96,0xFD,0xFC,0x3D,0x02,0x03,0x01,0x00,
+ 0x01,0xA3,0x82,0x01,0x07,0x30,0x82,0x01,0x03,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,
+ 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,0x0E,0x06,
+ 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,
+ 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xE1,0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,
+ 0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,0xFE,0xFB,0x3E,0x30,0x1F,0x06,0x03,
+ 0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,
+ 0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,0x43,0xD0,0x41,0xAE,0xF2,0x30,0x69,0x06,
+ 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x5D,0x30,0x5B,0x30,0x27,0x06,
+ 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,0x70,0x3A,
+ 0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,
+ 0x63,0x6F,0x6D,0x2F,0x63,0x61,0x30,0x30,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,
+ 0x30,0x02,0x86,0x24,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x2E,0x73,
+ 0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72,0x74,
+ 0x73,0x2F,0x63,0x61,0x2E,0x63,0x72,0x74,0x30,0x32,0x06,0x03,0x55,0x1D,0x1F,0x04,
+ 0x2B,0x30,0x29,0x30,0x27,0xA0,0x25,0xA0,0x23,0x86,0x21,0x68,0x74,0x74,0x70,0x3A,
+ 0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,
+ 0x6F,0x6D,0x2F,0x73,0x66,0x73,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,
+ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00,
+ 0xB6,0x6D,0xF8,0x70,0xFB,0xE2,0x0D,0x4C,0x98,0xB3,0x07,0x49,0x15,0xF5,0x04,0xC4,
+ 0x6C,0xCA,0xCA,0xF5,0x68,0xA0,0x08,0xFE,0x12,0x6D,0x9C,0x04,0x06,0xC9,0xAD,0x9A,
+ 0x91,0x52,0x3E,0x78,0xC4,0x5C,0xEE,0x9F,0x54,0x1D,0xEE,0xE3,0xF1,0x5E,0x30,0xC9,
+ 0x49,0xE1,0x39,0xE0,0xA6,0x9D,0x36,0x6C,0x57,0xFA,0xE6,0x34,0x4F,0x55,0xE8,0x87,
+ 0xA8,0x2C,0xDD,0x05,0xF1,0x58,0x12,0x91,0xE8,0xCA,0xCE,0x28,0x78,0x8F,0xDF,0x07,
+ 0x85,0x01,0xA5,0xDC,0x45,0x96,0x05,0xD4,0x80,0xB2,0x2B,0x05,0x9A,0xCB,0x9A,0xA5,
+ 0x8B,0xE0,0x3A,0x67,0xE6,0x73,0x47,0xBE,0x4A,0xFD,0x27,0xB1,0x88,0xEF,0xE6,0xCA,
+ 0xCF,0x8D,0x0E,0x26,0x9F,0xFA,0x5F,0x57,0x78,0xAD,0x6D,0xFE,0xAE,0x9B,0x35,0x08,
+ 0xB1,0xC3,0xBA,0xC1,0x00,0x4A,0x4B,0x7D,0x14,0xBD,0xF7,0xF1,0xD3,0x55,0x18,0xAC,
+ 0xD0,0x33,0x70,0x88,0x6D,0xC4,0x09,0x71,0x14,0xA6,0x2B,0x4F,0x88,0x81,0xE7,0x0B,
+ 0x00,0x37,0xA9,0x15,0x7D,0x7E,0xD7,0x01,0x96,0x3F,0x2F,0xAF,0x7B,0x62,0xAE,0x0A,
+ 0x4A,0xBF,0x4B,0x39,0x2E,0x35,0x10,0x8B,0xFE,0x04,0x39,0xE4,0x3C,0x3A,0x0C,0x09,
+ 0x56,0x40,0x3A,0xB5,0xF4,0xC2,0x68,0x0C,0xB5,0xF9,0x52,0xCD,0xEE,0x9D,0xF8,0x98,
+ 0xFC,0x78,0xE7,0x58,0x47,0x8F,0x1C,0x73,0x58,0x69,0x33,0xAB,0xFF,0xDD,0xDF,0x8E,
+ 0x24,0x01,0x77,0x98,0x19,0x3A,0xB0,0x66,0x79,0xBC,0xE1,0x08,0xA3,0x0E,0x4F,0xC1,
+ 0x04,0xB3,0xF3,0x01,0xC8,0xEB,0xD3,0x59,0x1C,0x35,0xD2,0x93,0x1E,0x70,0x65,0x82,
+ 0x7F,0xDB,0xCF,0xFB,0xC8,0x99,0x12,0x60,0xC3,0x44,0x6F,0x3A,0x80,0x4B,0xD7,0xBE,
+ 0x21,0xAA,0x14,0x7A,0x64,0xCB,0xDD,0x37,0x43,0x45,0x5B,0x32,0x2E,0x45,0xF0,0xD9,
+ 0x59,0x1F,0x6B,0x18,0xF0,0x7C,0xE9,0x55,0x36,0x19,0x61,0x5F,0xB5,0x7D,0xF1,0x8D,
+ 0xBD,0x88,0xE4,0x75,0x4B,0x98,0xDD,0x27,0xB0,0xE4,0x84,0x44,0x2A,0x61,0x84,0x57,
+ 0x05,0x82,0x11,0x1F,0xAA,0x35,0x58,0xF3,0x20,0x0E,0xAF,0x59,0xEF,0xFA,0x55,0x72,
+ 0x72,0x0D,0x26,0xD0,0x9B,0x53,0x49,0xAC,0xCE,0x37,0x2E,0x65,0x61,0xFF,0xF6,0xEC,
+ 0x1B,0xEA,0xF6,0xF1,0xA6,0xD3,0xD1,0xB5,0x7B,0xBE,0x35,0xF4,0x22,0xC1,0xBC,0x8D,
+ 0x01,0xBD,0x68,0x5E,0x83,0x0D,0x2F,0xEC,0xD6,0xDA,0x63,0x0C,0x27,0xD1,0x54,0x3E,
+ 0xE4,0xA8,0xD3,0xCE,0x4B,0x32,0xB8,0x91,0x94,0xFF,0xFB,0x5B,0x49,0x2D,0x75,0x18,
+ 0xA8,0xBA,0x71,0x9A,0x3B,0xAE,0xD9,0xC0,0xA9,0x4F,0x87,0x91,0xED,0x8B,0x7B,0x6B,
+ 0x20,0x98,0x89,0x39,0x83,0x4F,0x80,0xC4,0x69,0xCC,0x17,0xC9,0xC8,0x4E,0xBE,0xE4,
+ 0xA9,0xA5,0x81,0x76,0x70,0x06,0x04,0x32,0xCD,0x83,0x65,0xF4,0xBC,0x7D,0x3E,0x13,
+ 0xBC,0xD2,0xE8,0x6F,0x63,0xAA,0xB5,0x3B,0xDA,0x8D,0x86,0x32,0x82,0x78,0x9D,0xD9,
+ 0xCC,0xFF,0xBF,0x57,0x64,0x74,0xED,0x28,0x3D,0x44,0x62,0x15,0x61,0x4B,0xF7,0x94,
+ 0xB0,0x0D,0x2A,0x67,0x1C,0xF0,0xCB,0x9B,0xA5,0x92,0xBF,0xF8,0x41,0x5A,0xC1,0x3D,
+ 0x60,0xED,0x9F,0xBB,0xB8,0x6D,0x9B,0xCE,0xA9,0x6A,0x16,0x3F,0x7E,0xEA,0x06,0xF1,
+};
+
+/* subject:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
+/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
+/* Not After : Sep 17 19:46:36 2036 GMT */
+
+unsigned char root_Cert[1997]={
+ 0x30,0x82,0x07,0xC9,0x30,0x82,0x05,0xB1,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01,
+ 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,
+ 0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,
+ 0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,
+ 0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,
+ 0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,
+ 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,
+ 0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,
+ 0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
+ 0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,
+ 0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x17,
+ 0x0D,0x33,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x30,0x7D,
+ 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,0x30,
+ 0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,
+ 0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,0x22,
+ 0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,0x43,
+ 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,0x69,
+ 0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,0x61,
+ 0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,
+ 0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x02,
+ 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,
+ 0x03,0x82,0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xC1,0x88,
+ 0xDB,0x09,0xBC,0x6C,0x46,0x7C,0x78,0x9F,0x95,0x7B,0xB5,0x33,0x90,0xF2,0x72,0x62,
+ 0xD6,0xC1,0x36,0x20,0x22,0x24,0x5E,0xCE,0xE9,0x77,0xF2,0x43,0x0A,0xA2,0x06,0x64,
+ 0xA4,0xCC,0x8E,0x36,0xF8,0x38,0xE6,0x23,0xF0,0x6E,0x6D,0xB1,0x3C,0xDD,0x72,0xA3,
+ 0x85,0x1C,0xA1,0xD3,0x3D,0xB4,0x33,0x2B,0xD3,0x2F,0xAF,0xFE,0xEA,0xB0,0x41,0x59,
+ 0x67,0xB6,0xC4,0x06,0x7D,0x0A,0x9E,0x74,0x85,0xD6,0x79,0x4C,0x80,0x37,0x7A,0xDF,
+ 0x39,0x05,0x52,0x59,0xF7,0xF4,0x1B,0x46,0x43,0xA4,0xD2,0x85,0x85,0xD2,0xC3,0x71,
+ 0xF3,0x75,0x62,0x34,0xBA,0x2C,0x8A,0x7F,0x1E,0x8F,0xEE,0xED,0x34,0xD0,0x11,0xC7,
+ 0x96,0xCD,0x52,0x3D,0xBA,0x33,0xD6,0xDD,0x4D,0xDE,0x0B,0x3B,0x4A,0x4B,0x9F,0xC2,
+ 0x26,0x2F,0xFA,0xB5,0x16,0x1C,0x72,0x35,0x77,0xCA,0x3C,0x5D,0xE6,0xCA,0xE1,0x26,
+ 0x8B,0x1A,0x36,0x76,0x5C,0x01,0xDB,0x74,0x14,0x25,0xFE,0xED,0xB5,0xA0,0x88,0x0F,
+ 0xDD,0x78,0xCA,0x2D,0x1F,0x07,0x97,0x30,0x01,0x2D,0x72,0x79,0xFA,0x46,0xD6,0x13,
+ 0x2A,0xA8,0xB9,0xA6,0xAB,0x83,0x49,0x1D,0xE5,0xF2,0xEF,0xDD,0xE4,0x01,0x8E,0x18,
+ 0x0A,0x8F,0x63,0x53,0x16,0x85,0x62,0xA9,0x0E,0x19,0x3A,0xCC,0xB5,0x66,0xA6,0xC2,
+ 0x6B,0x74,0x07,0xE4,0x2B,0xE1,0x76,0x3E,0xB4,0x6D,0xD8,0xF6,0x44,0xE1,0x73,0x62,
+ 0x1F,0x3B,0xC4,0xBE,0xA0,0x53,0x56,0x25,0x6C,0x51,0x09,0xF7,0xAA,0xAB,0xCA,0xBF,
+ 0x76,0xFD,0x6D,0x9B,0xF3,0x9D,0xDB,0xBF,0x3D,0x66,0xBC,0x0C,0x56,0xAA,0xAF,0x98,
+ 0x48,0x95,0x3A,0x4B,0xDF,0xA7,0x58,0x50,0xD9,0x38,0x75,0xA9,0x5B,0xEA,0x43,0x0C,
+ 0x02,0xFF,0x99,0xEB,0xE8,0x6C,0x4D,0x70,0x5B,0x29,0x65,0x9C,0xDD,0xAA,0x5D,0xCC,
+ 0xAF,0x01,0x31,0xEC,0x0C,0xEB,0xD2,0x8D,0xE8,0xEA,0x9C,0x7B,0xE6,0x6E,0xF7,0x27,
+ 0x66,0x0C,0x1A,0x48,0xD7,0x6E,0x42,0xE3,0x3F,0xDE,0x21,0x3E,0x7B,0xE1,0x0D,0x70,
+ 0xFB,0x63,0xAA,0xA8,0x6C,0x1A,0x54,0xB4,0x5C,0x25,0x7A,0xC9,0xA2,0xC9,0x8B,0x16,
+ 0xA6,0xBB,0x2C,0x7E,0x17,0x5E,0x05,0x4D,0x58,0x6E,0x12,0x1D,0x01,0xEE,0x12,0x10,
+ 0x0D,0xC6,0x32,0x7F,0x18,0xFF,0xFC,0xF4,0xFA,0xCD,0x6E,0x91,0xE8,0x36,0x49,0xBE,
+ 0x1A,0x48,0x69,0x8B,0xC2,0x96,0x4D,0x1A,0x12,0xB2,0x69,0x17,0xC1,0x0A,0x90,0xD6,
+ 0xFA,0x79,0x22,0x48,0xBF,0xBA,0x7B,0x69,0xF8,0x70,0xC7,0xFA,0x7A,0x37,0xD8,0xD8,
+ 0x0D,0xD2,0x76,0x4F,0x57,0xFF,0x90,0xB7,0xE3,0x91,0xD2,0xDD,0xEF,0xC2,0x60,0xB7,
+ 0x67,0x3A,0xDD,0xFE,0xAA,0x9C,0xF0,0xD4,0x8B,0x7F,0x72,0x22,0xCE,0xC6,0x9F,0x97,
+ 0xB6,0xF8,0xAF,0x8A,0xA0,0x10,0xA8,0xD9,0xFB,0x18,0xC6,0xB6,0xB5,0x5C,0x52,0x3C,
+ 0x89,0xB6,0x19,0x2A,0x73,0x01,0x0A,0x0F,0x03,0xB3,0x12,0x60,0xF2,0x7A,0x2F,0x81,
+ 0xDB,0xA3,0x6E,0xFF,0x26,0x30,0x97,0xF5,0x8B,0xDD,0x89,0x57,0xB6,0xAD,0x3D,0xB3,
+ 0xAF,0x2B,0xC5,0xB7,0x76,0x02,0xF0,0xA5,0xD6,0x2B,0x9A,0x86,0x14,0x2A,0x72,0xF6,
+ 0xE3,0x33,0x8C,0x5D,0x09,0x4B,0x13,0xDF,0xBB,0x8C,0x74,0x13,0x52,0x4B,0x02,0x03,
+ 0x01,0x00,0x01,0xA3,0x82,0x02,0x52,0x30,0x82,0x02,0x4E,0x30,0x0C,0x06,0x03,0x55,
+ 0x1D,0x13,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,
+ 0x04,0x04,0x03,0x02,0x01,0xAE,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
+ 0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,
+ 0x43,0xD0,0x41,0xAE,0xF2,0x30,0x64,0x06,0x03,0x55,0x1D,0x1F,0x04,0x5D,0x30,0x5B,
+ 0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,
+ 0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,
+ 0x2F,0x73,0x66,0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x2B,
+ 0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,
+ 0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x73,0x66,
+ 0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x82,0x01,0x5D,0x06,
+ 0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x54,0x30,0x82,0x01,0x50,0x30,0x82,0x01,0x4C,
+ 0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x81,0xB5,0x37,0x01,0x01,0x01,0x30,0x82,0x01,
+ 0x3B,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x23,0x68,
+ 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,
+ 0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,
+ 0x64,0x66,0x30,0x35,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x29,
+ 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,
+ 0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x69,0x6E,0x74,0x65,0x72,0x6D,0x65,
+ 0x64,0x69,0x61,0x74,0x65,0x2E,0x70,0x64,0x66,0x30,0x81,0xD0,0x06,0x08,0x2B,0x06,
+ 0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xC3,0x30,0x27,0x16,0x20,0x53,0x74,0x61,
+ 0x72,0x74,0x20,0x43,0x6F,0x6D,0x6D,0x65,0x72,0x63,0x69,0x61,0x6C,0x20,0x28,0x53,
+ 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x29,0x20,0x4C,0x74,0x64,0x2E,0x30,0x03,0x02,
+ 0x01,0x01,0x1A,0x81,0x97,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x20,0x4C,0x69,0x61,
+ 0x62,0x69,0x6C,0x69,0x74,0x79,0x2C,0x20,0x72,0x65,0x61,0x64,0x20,0x74,0x68,0x65,
+ 0x20,0x73,0x65,0x63,0x74,0x69,0x6F,0x6E,0x20,0x2A,0x4C,0x65,0x67,0x61,0x6C,0x20,
+ 0x4C,0x69,0x6D,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x73,0x2A,0x20,0x6F,0x66,0x20,
+ 0x74,0x68,0x65,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,
+ 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,
+ 0x72,0x69,0x74,0x79,0x20,0x50,0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x76,0x61,0x69,
+ 0x6C,0x61,0x62,0x6C,0x65,0x20,0x61,0x74,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
+ 0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,
+ 0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,0x64,0x66,0x30,0x11,0x06,0x09,
+ 0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,0x04,0x04,0x03,0x02,0x00,0x07,0x30,
+ 0x38,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,0x04,0x2B,0x16,0x29,
+ 0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,
+ 0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,
+ 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,
+ 0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x02,0x01,0x00,0x16,0x6C,0x99,
+ 0xF4,0x66,0x0C,0x34,0xF5,0xD0,0x85,0x5E,0x7D,0x0A,0xEC,0xDA,0x10,0x4E,0x38,0x1C,
+ 0x5E,0xDF,0xA6,0x25,0x05,0x4B,0x91,0x32,0xC1,0xE8,0x3B,0xF1,0x3D,0xDD,0x44,0x09,
+ 0x5B,0x07,0x49,0x8A,0x29,0xCB,0x66,0x02,0xB7,0xB1,0x9A,0xF7,0x25,0x98,0x09,0x3C,
+ 0x8E,0x1B,0xE1,0xDD,0x36,0x87,0x2B,0x4B,0xBB,0x68,0xD3,0x39,0x66,0x3D,0xA0,0x26,
+ 0xC7,0xF2,0x39,0x91,0x1D,0x51,0xAB,0x82,0x7B,0x7E,0xD5,0xCE,0x5A,0xE4,0xE2,0x03,
+ 0x57,0x70,0x69,0x97,0x08,0xF9,0x5E,0x58,0xA6,0x0A,0xDF,0x8C,0x06,0x9A,0x45,0x16,
+ 0x16,0x38,0x0A,0x5E,0x57,0xF6,0x62,0xC7,0x7A,0x02,0x05,0xE6,0xBC,0x1E,0xB5,0xF2,
+ 0x9E,0xF4,0xA9,0x29,0x83,0xF8,0xB2,0x14,0xE3,0x6E,0x28,0x87,0x44,0xC3,0x90,0x1A,
+ 0xDE,0x38,0xA9,0x3C,0xAC,0x43,0x4D,0x64,0x45,0xCE,0xDD,0x28,0xA9,0x5C,0xF2,0x73,
+ 0x7B,0x04,0xF8,0x17,0xE8,0xAB,0xB1,0xF3,0x2E,0x5C,0x64,0x6E,0x73,0x31,0x3A,0x12,
+ 0xB8,0xBC,0xB3,0x11,0xE4,0x7D,0x8F,0x81,0x51,0x9A,0x3B,0x8D,0x89,0xF4,0x4D,0x93,
+ 0x66,0x7B,0x3C,0x03,0xED,0xD3,0x9A,0x1D,0x9A,0xF3,0x65,0x50,0xF5,0xA0,0xD0,0x75,
+ 0x9F,0x2F,0xAF,0xF0,0xEA,0x82,0x43,0x98,0xF8,0x69,0x9C,0x89,0x79,0xC4,0x43,0x8E,
+ 0x46,0x72,0xE3,0x64,0x36,0x12,0xAF,0xF7,0x25,0x1E,0x38,0x89,0x90,0x77,0x7E,0xC3,
+ 0x6B,0x6A,0xB9,0xC3,0xCB,0x44,0x4B,0xAC,0x78,0x90,0x8B,0xE7,0xC7,0x2C,0x1E,0x4B,
+ 0x11,0x44,0xC8,0x34,0x52,0x27,0xCD,0x0A,0x5D,0x9F,0x85,0xC1,0x89,0xD5,0x1A,0x78,
+ 0xF2,0x95,0x10,0x53,0x32,0xDD,0x80,0x84,0x66,0x75,0xD9,0xB5,0x68,0x28,0xFB,0x61,
+ 0x2E,0xBE,0x84,0xA8,0x38,0xC0,0x99,0x12,0x86,0xA5,0x1E,0x67,0x64,0xAD,0x06,0x2E,
+ 0x2F,0xA9,0x70,0x85,0xC7,0x96,0x0F,0x7C,0x89,0x65,0xF5,0x8E,0x43,0x54,0x0E,0xAB,
+ 0xDD,0xA5,0x80,0x39,0x94,0x60,0xC0,0x34,0xC9,0x96,0x70,0x2C,0xA3,0x12,0xF5,0x1F,
+ 0x48,0x7B,0xBD,0x1C,0x7E,0x6B,0xB7,0x9D,0x90,0xF4,0x22,0x3B,0xAE,0xF8,0xFC,0x2A,
+ 0xCA,0xFA,0x82,0x52,0xA0,0xEF,0xAF,0x4B,0x55,0x93,0xEB,0xC1,0xB5,0xF0,0x22,0x8B,
+ 0xAC,0x34,0x4E,0x26,0x22,0x04,0xA1,0x87,0x2C,0x75,0x4A,0xB7,0xE5,0x7D,0x13,0xD7,
+ 0xB8,0x0C,0x64,0xC0,0x36,0xD2,0xC9,0x2F,0x86,0x12,0x8C,0x23,0x09,0xC1,0x1B,0x82,
+ 0x3B,0x73,0x49,0xA3,0x6A,0x57,0x87,0x94,0xE5,0xD6,0x78,0xC5,0x99,0x43,0x63,0xE3,
+ 0x4D,0xE0,0x77,0x2D,0xE1,0x65,0x99,0x72,0x69,0x04,0x1A,0x47,0x09,0xE6,0x0F,0x01,
+ 0x56,0x24,0xFB,0x1F,0xBF,0x0E,0x79,0xA9,0x58,0x2E,0xB9,0xC4,0x09,0x01,0x7E,0x95,
+ 0xBA,0x6D,0x00,0x06,0x3E,0xB2,0xEA,0x4A,0x10,0x39,0xD8,0xD0,0x2B,0xF5,0xBF,0xEC,
+ 0x75,0xBF,0x97,0x02,0xC5,0x09,0x1B,0x08,0xDC,0x55,0x37,0xE2,0x81,0xFB,0x37,0x84,
+ 0x43,0x62,0x20,0xCA,0xE7,0x56,0x4B,0x65,0xEA,0xFE,0x6C,0xC1,0x24,0x93,0x24,0xA1,
+ 0x34,0xEB,0x05,0xFF,0x9A,0x22,0xAE,0x9B,0x7D,0x3F,0xF1,0x65,0x51,0x0A,0xA6,0x30,
+ 0x6A,0xB3,0xF4,0x88,0x1C,0x80,0x0D,0xFC,0x72,0x8A,0xE8,0x83,0x5E,
+};
+
+#endif /* wosign_certs_h */
+++ /dev/null
-/*
- * si-84-sectrust-allowlist.c
- * Security
- *
- * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved.
- */
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-
-#include "shared_regressions.h"
-
-/* On allow list until:
- Not After : Mar 9 07:45:00 2018 GMT
-*/
-static const UInt8 cert0[] = {
- 0x30,0x82,0x05,0x44,0x30,0x82,0x04,0x2c,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00,
- 0x9d,0x12,0x4b,0xdb,0x57,0xb7,0x9f,0xba,0x33,0xf6,0x44,0xd9,0x10,0x40,0x48,0x4c,
- 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30,
- 0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,
- 0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,
- 0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x31,0x19,0x30,0x17,0x06,0x03,0x55,
- 0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,
- 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x35,0x30,0x33,0x30,0x39,0x30,0x37,
- 0x34,0x35,0x30,0x30,0x5a,0x17,0x0d,0x31,0x38,0x30,0x33,0x30,0x39,0x30,0x37,0x34,
- 0x35,0x30,0x30,0x5a,0x30,0x79,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
- 0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x53,0x17,
- 0x4e,0xac,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x07,0x1e,0x04,0x53,0x17,0x4e,
- 0xac,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x0a,0x1e,0x1a,0x53,0x17,0x4e,0xac,
- 0x74,0x5e,0x94,0xb1,0x5b,0x9d,0x4f,0xe1,0x60,0x6f,0x67,0x0d,0x52,0xa1,0x67,0x09,
- 0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x0b,0x1e,
- 0x06,0x7f,0x51,0x7e,0xdc,0x90,0xe8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,
- 0x13,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x30,
- 0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,
- 0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,
- 0xfc,0x09,0x73,0x1d,0x18,0x75,0xbd,0x7f,0xf5,0xce,0x9e,0x6e,0x26,0x1c,0xbd,0xca,
- 0xc7,0x1b,0x75,0x45,0x13,0x1e,0xe4,0x52,0x7e,0x78,0xe9,0x1c,0x79,0xa1,0x02,0xd8,
- 0x3d,0xc6,0xc5,0x6f,0x7b,0xbd,0xae,0xc7,0x3b,0xe6,0x45,0xc2,0xe9,0xc9,0x32,0x2d,
- 0xd4,0xda,0x7a,0x93,0x79,0x30,0xce,0xec,0x6f,0xf5,0x0d,0x2d,0xde,0xa4,0xce,0xbd,
- 0x40,0xfb,0xda,0x7d,0x48,0x7d,0x98,0x02,0x17,0x75,0x99,0x65,0x68,0x1c,0xbb,0x92,
- 0x29,0x16,0xdc,0xc6,0x1d,0x1d,0x19,0x1b,0x94,0x17,0x6e,0x93,0xd8,0x57,0xaa,0x00,
- 0xf9,0xa2,0x37,0x9a,0xde,0x65,0xc2,0xce,0xa5,0xae,0x80,0xa7,0x56,0xab,0x8c,0xc8,
- 0x6a,0x3d,0xbe,0x86,0xe1,0x13,0x69,0x41,0x4b,0xe9,0xfa,0xd9,0xa5,0x63,0x8f,0xba,
- 0x02,0x15,0x09,0xca,0xf9,0x27,0x0f,0xea,0x90,0x4f,0x5d,0xa5,0x66,0x51,0xad,0xc8,
- 0xff,0x2d,0xf3,0xd4,0x7c,0xd3,0x06,0xe8,0xc2,0xdc,0x08,0x63,0x3d,0x69,0xb6,0x89,
- 0x5f,0x3f,0x9c,0xdc,0x21,0xa8,0xbd,0x0a,0xbe,0xc2,0x0e,0x08,0x06,0x05,0xb7,0x46,
- 0x96,0xec,0x08,0x5c,0xb9,0xef,0xfa,0x4b,0xd1,0x60,0x10,0xac,0xc8,0x88,0xbf,0xb7,
- 0xb1,0xb1,0x7a,0x55,0xdd,0xd9,0x96,0x06,0x5b,0xfb,0xc2,0xa5,0xd4,0x9c,0xde,0x24,
- 0x0c,0x7e,0x22,0x59,0xb0,0xa6,0x7a,0xc7,0x18,0x02,0x6c,0x1a,0x21,0x8c,0x79,0x8a,
- 0xc5,0xbb,0x10,0x54,0x1b,0x77,0x04,0xcf,0x46,0x60,0x36,0x42,0xfb,0x8a,0x13,0xf7,
- 0xa0,0xd6,0x03,0x33,0xb6,0xc4,0x1e,0x08,0x58,0x5d,0xb3,0xd3,0xc3,0x6c,0x0e,0x9f,
- 0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xfb,0x30,0x82,0x01,0xf7,0x30,0x09,0x06,
- 0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x73,0x06,0x08,0x2b,0x06,0x01,0x05,
- 0x05,0x07,0x01,0x01,0x04,0x67,0x30,0x65,0x30,0x28,0x06,0x08,0x2b,0x06,0x01,0x05,
- 0x05,0x07,0x30,0x01,0x86,0x1c,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,
- 0x70,0x73,0x68,0x61,0x32,0x73,0x73,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,
- 0x6e,0x2f,0x30,0x39,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x2d,
- 0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,
- 0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,
- 0x74,0x2f,0x53,0x48,0x41,0x32,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x36,0x06,
- 0x03,0x55,0x1d,0x11,0x04,0x2f,0x30,0x2d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,
- 0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,
- 0x71,0x62,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,0x71,
- 0x74,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,
- 0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x50,0x0e,0x94,
- 0x7e,0x68,0x20,0x2d,0x95,0x58,0x3f,0x8f,0x51,0xa6,0xdd,0x5a,0xb9,0xef,0xfe,0xf0,
- 0x50,0x30,0x1d,0x06,0x03,0x55,0x1d,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2b,0x06,
- 0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02,
- 0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xb7,0xd1,0x59,
- 0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,
- 0x3c,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,
- 0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x01,0x30,0x26,0x30,0x24,0x06,0x08,
- 0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,
- 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,
- 0x73,0x2f,0x30,0x81,0x8f,0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x87,0x30,0x81,0x84,
- 0x30,0x4d,0xa0,0x4b,0xa0,0x49,0xa4,0x47,0x30,0x45,0x31,0x0b,0x30,0x09,0x06,0x03,
- 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,
- 0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,
- 0x53,0x4c,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,0x63,0x72,0x6c,
- 0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,0x6c,0x31,0x30,
- 0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,0x72,
- 0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,
- 0x6f,0x61,0x64,0x2f,0x73,0x68,0x61,0x32,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,
- 0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
- 0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x26,0xa8,0x7c,0x88,0x57,0xb7,0xe2,0xa0,
- 0xf5,0x55,0xbb,0x93,0xa1,0xea,0xc2,0x0a,0x82,0xa1,0x82,0x3d,0xe1,0x85,0xfe,0x26,
- 0x95,0x5f,0x16,0x13,0x88,0x87,0x2d,0x6f,0xbe,0x0a,0xe8,0xe7,0x04,0xcd,0xa5,0x9e,
- 0xac,0x69,0xd5,0xa0,0x81,0x27,0x91,0xdc,0xcd,0xa6,0xbd,0x62,0x0c,0x67,0x3f,0x39,
- 0xdf,0x23,0xa8,0xf5,0xd5,0xb6,0xa8,0x14,0x93,0x80,0x0b,0x17,0x04,0xbd,0x0a,0x75,
- 0x74,0x34,0x26,0xf6,0x46,0x82,0x34,0x1d,0x26,0x06,0x43,0x2a,0xd8,0xff,0x0e,0xf1,
- 0xf0,0xf1,0x74,0x8b,0x17,0x9a,0x6d,0x24,0x90,0x8d,0x35,0x69,0xc4,0xff,0xf7,0x6a,
- 0x81,0x00,0x27,0x11,0xd5,0xc7,0xc4,0xac,0x98,0x15,0x20,0xe7,0x90,0x8a,0xb7,0x3d,
- 0xdf,0xbf,0x18,0x7f,0x7c,0xa7,0x38,0x42,0xa7,0xe2,0x94,0xda,0xcb,0xb5,0x84,0x67,
- 0x9d,0x82,0x37,0x58,0xa0,0x7f,0x06,0xcb,0xf5,0x3b,0x22,0x8f,0x54,0x19,0x8e,0xad,
- 0x82,0x14,0xf3,0x8f,0xcd,0x55,0x93,0xb6,0xa7,0xdb,0xf5,0x25,0xd9,0x04,0x7c,0x69,
- 0xc7,0x08,0x7e,0x32,0xcb,0xce,0x9d,0xb2,0x45,0x25,0x61,0x6b,0x7b,0xd3,0xb0,0x2a,
- 0xd1,0xa8,0x1c,0xab,0x5b,0x3f,0x1d,0x8f,0xbd,0x46,0xb8,0x0d,0x33,0x4b,0xc9,0x3b,
- 0x94,0x7f,0xa8,0x28,0x0f,0xa8,0xb7,0xbc,0x0d,0xcf,0xf7,0x7e,0xc1,0xcf,0xc7,0xf2,
- 0x2f,0x1d,0x77,0xe4,0xdc,0x15,0xb0,0x42,0x0c,0x4d,0xd2,0x8d,0x6e,0x58,0x31,0x5b,
- 0x5f,0xc9,0x4f,0x43,0x53,0x76,0x7b,0x2a,0xd6,0x65,0x93,0x28,0xb4,0xb8,0xdc,0x3c,
- 0x3c,0x03,0xcc,0x5e,0x9f,0x52,0x28,0x9a,
-};
-
-/* On allow list until:
- Not After : Dec 24 08:34:15 2016 GMT
-*/
-static const UInt8 cert1[1475]={
- 0x30,0x82,0x05,0xBF,0x30,0x82,0x04,0xA7,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x1A,
- 0x2F,0xDD,0xD9,0x35,0x3B,0x65,0xEE,0x1B,0xB4,0x66,0x19,0x4D,0xF3,0x10,0xE1,0x30,
- 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x58,
- 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,
- 0x30,0x06,0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,
- 0x74,0x65,0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,
- 0x6E,0x66,0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,
- 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0C,0x0C,0x43,0x4E,0x4E,0x49,
- 0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x32,
- 0x32,0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x17,0x0D,0x31,0x36,0x31,0x32,0x32,
- 0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x30,0x81,0xF3,0x31,0x1B,0x30,0x19,0x06,
- 0x03,0x55,0x04,0x0F,0x13,0x12,0x56,0x31,0x2E,0x30,0x2C,0x20,0x43,0x6C,0x61,0x75,
- 0x73,0x65,0x20,0x35,0x2E,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,
- 0x05,0x13,0x0F,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x33,0x39,0x33,0x39,
- 0x35,0x39,0x31,0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,
- 0x02,0x01,0x03,0x13,0x02,0x43,0x4E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,
- 0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,0x13,0x07,0x53,0x69,0x63,0x68,0x75,0x61,
- 0x6E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,
- 0x01,0x01,0x13,0x07,0x63,0x68,0x65,0x6E,0x67,0x44,0x75,0x31,0x0B,0x30,0x09,0x06,
- 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,
- 0x08,0x1E,0x04,0x56,0xDB,0x5D,0xDD,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x07,
- 0x1E,0x04,0x62,0x10,0x90,0xFD,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0A,0x1E,
- 0x14,0x56,0xDB,0x5D,0xDD,0x9E,0x4F,0x59,0x29,0x62,0x95,0x8D,0x44,0x67,0x09,0x96,
- 0x50,0x51,0x6C,0x53,0xF8,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x0B,0x1E,0x06,
- 0x62,0x80,0x67,0x2F,0x90,0xE8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,
- 0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x82,
- 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,
- 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0x99,
- 0x31,0x25,0x93,0xE0,0x9A,0x65,0x36,0xCC,0x16,0x86,0xAF,0xBF,0x0D,0x2D,0x0B,0xE6,
- 0x9A,0xD5,0x00,0x89,0xAD,0x6B,0x49,0x59,0x10,0x74,0x3A,0xA7,0x4F,0xEB,0xBD,0xC0,
- 0xEE,0x46,0x1A,0x4E,0x9B,0x96,0x20,0xD7,0x2C,0xF8,0x93,0x5C,0x2A,0xAF,0x57,0x15,
- 0x0C,0x57,0x3A,0xD0,0x25,0x92,0x2E,0x18,0xB4,0xDF,0xD8,0x3E,0xA2,0xC0,0xC6,0x5E,
- 0x7A,0xD1,0xDA,0xAD,0x99,0x12,0x24,0x04,0xA1,0x42,0x5A,0xB0,0x42,0x3A,0x4F,0x02,
- 0xDE,0x8A,0x55,0xD7,0xB0,0x24,0x97,0x62,0xF9,0x95,0x70,0xFA,0xA8,0x81,0xFC,0x3A,
- 0xB5,0xA0,0x94,0x8E,0x42,0x89,0xF9,0x15,0x4B,0x06,0xD8,0xA1,0xC7,0xB0,0xC8,0x94,
- 0x03,0x57,0xF0,0x01,0xDB,0x0D,0x85,0xFD,0xA1,0xCD,0x1D,0x3C,0xF5,0x14,0x6C,0x79,
- 0x46,0xCF,0x00,0x3A,0x6C,0x74,0xD9,0x79,0xFD,0x9C,0xD9,0x61,0x7D,0x84,0x4F,0x82,
- 0x2A,0x40,0x00,0x58,0x2C,0xF0,0x3A,0xDF,0xD4,0x8A,0x39,0x24,0x5C,0xB1,0xA6,0xAD,
- 0x02,0x4C,0x16,0xCE,0x82,0xE6,0x22,0x32,0xC2,0x2A,0x93,0x94,0x25,0x5D,0x42,0xF9,
- 0xD2,0x2B,0xD5,0x9F,0xDB,0x45,0x51,0xE4,0x0E,0xD4,0x48,0x12,0xB1,0x67,0xF4,0x6D,
- 0x91,0x86,0xBC,0xFB,0xC6,0xE6,0xA0,0x7F,0x2B,0x8F,0xFB,0x67,0xEA,0x5D,0xAB,0x73,
- 0xDD,0x9D,0x40,0xFA,0xF7,0xDC,0xDE,0x48,0x20,0x47,0x32,0xC0,0xD1,0x98,0x4F,0x81,
- 0xDF,0xAF,0x96,0xDB,0x83,0xEE,0xC5,0x3A,0x4E,0x67,0xE1,0xF4,0x83,0x27,0x46,0x0D,
- 0x78,0xB1,0xC6,0x42,0xEF,0xD9,0x76,0xD3,0xAC,0x7C,0x5A,0xF8,0x09,0xCF,0x0B,0x02,
- 0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0xE7,0x30,0x82,0x01,0xE3,0x30,0x09,0x06,0x03,
- 0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
- 0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
- 0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,
- 0x65,0x76,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x30,0x3C,0x06,0x08,0x2B,
- 0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
- 0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,
- 0x6E,0x6C,0x6F,0x61,0x64,0x2F,0x63,0x65,0x72,0x74,0x2F,0x43,0x4E,0x4E,0x49,0x43,
- 0x45,0x56,0x53,0x53,0x4C,0x2E,0x63,0x65,0x72,0x30,0x18,0x06,0x03,0x55,0x1D,0x11,
- 0x04,0x11,0x30,0x0F,0x82,0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,
- 0x63,0x6F,0x6D,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,
- 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x04,0x26,0xBE,0x73,0x88,
- 0x8C,0xF6,0x64,0xBA,0xBB,0x09,0x34,0x7A,0x09,0xF9,0x51,0x57,0x43,0x8D,0x86,0x30,
- 0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,
- 0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,
- 0x14,0x0C,0xCF,0xB4,0x48,0x2C,0x50,0xE8,0x8B,0xD2,0x72,0xFD,0x1C,0xF0,0x2F,0xBC,
- 0x52,0xAB,0x2B,0x69,0x5E,0x30,0x3F,0x06,0x03,0x55,0x1D,0x20,0x04,0x38,0x30,0x36,
- 0x30,0x34,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x81,0xE9,0x0C,0x01,0x0A,0x30,0x26,
- 0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,
- 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,
- 0x6E,0x2F,0x63,0x70,0x73,0x2F,0x30,0x81,0xA6,0x06,0x03,0x55,0x1D,0x1F,0x04,0x81,
- 0x9E,0x30,0x81,0x9B,0x30,0x66,0xA0,0x64,0xA0,0x62,0xA4,0x60,0x30,0x5E,0x31,0x0B,
- 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,0x30,0x06,
- 0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,0x74,0x65,
- 0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,0x6E,0x66,
- 0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,0x72,0x31,
- 0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x0C,0x03,0x63,0x72,0x6C,0x31,0x0D,0x30,
- 0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,0x63,0x72,0x6C,0x31,0x30,0x31,0xA0,0x2F,
- 0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,
- 0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64,
- 0x2F,0x65,0x76,0x63,0x72,0x6C,0x2F,0x63,0x72,0x6C,0x31,0x2E,0x63,0x72,0x6C,0x30,
- 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
- 0x01,0x01,0x00,0xA3,0xDE,0x24,0x78,0xF5,0x07,0x23,0xEC,0x77,0x62,0x71,0x60,0x01,
- 0xAE,0xC7,0xBD,0x49,0x8D,0x40,0x0C,0x49,0xAE,0x1A,0x47,0x2B,0x22,0xAE,0x66,0x2B,
- 0x34,0x83,0xAD,0x17,0xA1,0x45,0xC7,0xEC,0x16,0x80,0x2F,0x24,0x41,0xDF,0xFF,0xB0,
- 0x9D,0xE0,0x47,0x51,0x53,0x10,0xDC,0x85,0xC3,0xF9,0x72,0x3A,0xC9,0x79,0x22,0x89,
- 0xD4,0xCB,0x40,0x60,0x7E,0x3E,0x86,0x52,0x01,0xD2,0xA5,0x41,0x57,0x0C,0xB0,0x5C,
- 0xDD,0x24,0x0E,0xB2,0xF4,0x7E,0xB7,0x45,0xCE,0xA2,0x1B,0x3B,0x77,0xC6,0x9B,0x1E,
- 0x7D,0x7F,0x42,0x53,0xE4,0xF4,0xE6,0x84,0xFD,0xCC,0x27,0xB2,0xC9,0x72,0x30,0x09,
- 0xEE,0xC7,0x8B,0xE5,0xBF,0x2C,0x3B,0x73,0xA0,0x9C,0xD8,0x3E,0x81,0xED,0xB4,0x74,
- 0x88,0x67,0x99,0x69,0xE5,0x3A,0x3C,0x5A,0xA4,0xE4,0xD3,0x6D,0xBF,0xF6,0xF0,0x0C,
- 0x92,0x9C,0xB4,0x53,0x39,0x70,0x9A,0x3D,0xF4,0x3F,0x9D,0x07,0x66,0x3F,0x85,0x09,
- 0x07,0x8E,0x5C,0x9D,0x83,0x23,0x0F,0x45,0xE7,0x3C,0xE5,0x7F,0x6C,0x0C,0x29,0x3B,
- 0x2B,0x5D,0xE2,0xB7,0xCB,0x0E,0xEF,0xC8,0x14,0x4C,0x30,0xD0,0xD0,0x9C,0x7D,0x8E,
- 0x67,0x94,0xD9,0xB2,0x71,0x7E,0x74,0x0F,0x5C,0xD7,0xB5,0xFB,0x35,0x13,0x3F,0x05,
- 0xD7,0x7C,0x08,0x2F,0x7A,0x31,0x78,0x99,0xF8,0x76,0x0D,0xB3,0xFB,0xD2,0xD3,0x6C,
- 0xC7,0x32,0x61,0x2E,0x8E,0x64,0x96,0xFD,0xB1,0xFA,0x73,0xC7,0x56,0x54,0x8B,0x0D,
- 0x27,0xD2,0x66,0x9E,0xA5,0xCB,0xCE,0xD0,0xA4,0x9C,0x03,0xDD,0x9D,0x1F,0xED,0x5E,
- 0x7A,0x73,0x5D,
-};
-
-/* expired:
- Not After : Oct 20 03:20:57 2015 GMT
-*/
-static const UInt8 cert1_expired[] = {
- 0x30,0x82,0x05,0xd6,0x30,0x82,0x04,0xbe,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1a,
- 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x10,0xd5,0x30,
- 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x58,
- 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,
- 0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,
- 0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,
- 0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,
- 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,
- 0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x30,
- 0x32,0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x17,0x0d,0x31,0x35,0x31,0x30,0x32,
- 0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x30,0x82,0x01,0x05,0x31,0x1b,0x30,0x19,
- 0x06,0x03,0x55,0x04,0x0f,0x13,0x12,0x56,0x31,0x2e,0x30,0x2c,0x20,0x43,0x6c,0x61,
- 0x75,0x73,0x65,0x20,0x35,0x2e,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,
- 0x04,0x05,0x13,0x0f,0x34,0x34,0x30,0x33,0x30,0x31,0x35,0x30,0x33,0x34,0x32,0x36,
- 0x35,0x34,0x36,0x31,0x13,0x30,0x11,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,
- 0x3c,0x02,0x01,0x03,0x13,0x02,0x43,0x4e,0x31,0x1a,0x30,0x18,0x06,0x0b,0x2b,0x06,
- 0x01,0x04,0x01,0x82,0x37,0x3c,0x02,0x01,0x02,0x13,0x09,0x67,0x75,0x61,0x6e,0x67,
- 0x64,0x6f,0x6e,0x67,0x31,0x19,0x30,0x17,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,
- 0x37,0x3c,0x02,0x01,0x01,0x13,0x08,0x73,0x68,0x65,0x6e,0x7a,0x68,0x65,0x6e,0x31,
- 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,
- 0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x5e,0x7f,0x4e,0x1c,0x31,0x0d,0x30,0x0b,0x06,
- 0x03,0x55,0x04,0x07,0x1e,0x04,0x6d,0xf1,0x57,0x33,0x31,0x21,0x30,0x1f,0x06,0x03,
- 0x55,0x04,0x0a,0x1e,0x18,0x80,0x54,0x54,0x08,0x51,0x49,0x4f,0x0f,0x00,0x28,0x6d,
- 0xf1,0x57,0x33,0x00,0x29,0x67,0x09,0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x16,0x30,
- 0x14,0x06,0x03,0x55,0x04,0x0b,0x13,0x0d,0x49,0x54,0x20,0x44,0x65,0x70,0x61,0x72,
- 0x74,0x6d,0x65,0x6e,0x74,0x31,0x1a,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11,
- 0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,
- 0x6d,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
- 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,
- 0x01,0x00,0xc0,0x5c,0x75,0x0e,0x29,0x93,0xf9,0xc2,0x0f,0x9e,0x24,0xeb,0x6d,0xb8,
- 0xb5,0x09,0x79,0xfe,0xbb,0xa0,0x78,0x20,0xbf,0xeb,0xc3,0x3d,0x00,0xb2,0x75,0x20,
- 0xa1,0x26,0x40,0x9e,0x0e,0x38,0x3c,0x38,0x89,0x5a,0x4f,0x46,0x5d,0xaf,0x0f,0x49,
- 0x58,0xf5,0x9f,0x34,0x0f,0x1d,0x57,0xd0,0xa7,0x89,0x88,0x58,0xe6,0x00,0xca,0xde,
- 0x0e,0x61,0xc6,0x3f,0xf4,0x08,0x9e,0x4e,0xf9,0x8e,0xdc,0xc6,0x1f,0xab,0x56,0x38,
- 0xf7,0x8f,0xd4,0xb7,0x0c,0x77,0xf9,0xdf,0x02,0x26,0xc3,0xf3,0x2a,0x7e,0x7b,0x02,
- 0x89,0x75,0x50,0xf6,0x4b,0x98,0xe7,0x02,0xdc,0xe0,0xb2,0x57,0xa6,0x50,0xa3,0x27,
- 0x48,0xaf,0x26,0x6e,0xf5,0x47,0x04,0x9b,0x26,0x1f,0x10,0x84,0x26,0xbe,0x4e,0xa7,
- 0xd5,0x7d,0xad,0xe0,0x0f,0x78,0xfa,0x5e,0xcd,0xf1,0xce,0x6f,0x06,0x39,0x4b,0xa1,
- 0xd7,0xce,0x01,0xfb,0x58,0x8c,0x47,0x24,0xfd,0x9f,0x6e,0xb0,0x5b,0x51,0x62,0x6f,
- 0x9c,0xd5,0xaf,0xaf,0xc1,0x6d,0xcc,0x22,0x3e,0x04,0xcc,0xe8,0x41,0x98,0xc0,0xc7,
- 0xb0,0xf5,0x59,0x0e,0x26,0xed,0x1f,0x7b,0x0a,0xce,0xb6,0xa5,0xfe,0xa6,0xc7,0xba,
- 0x1b,0x6b,0x11,0xc6,0x15,0x10,0x5b,0x8b,0x34,0x14,0xd9,0x3c,0x4d,0xc6,0x6c,0x89,
- 0x01,0xf3,0xd1,0x5a,0xf3,0x2b,0x9b,0x28,0x16,0xbe,0x6d,0x43,0x66,0xf8,0x56,0x15,
- 0x3b,0xaf,0x79,0xda,0x46,0x22,0xd4,0x2b,0xd3,0x9d,0x99,0x53,0x2f,0xa0,0x39,0x59,
- 0x4e,0x22,0x54,0x1e,0x47,0xf5,0xa9,0xa9,0x4e,0xf5,0x1d,0x9d,0x98,0x45,0xc6,0x85,
- 0xae,0x01,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xeb,0x30,0x82,0x01,0xe7,0x30,
- 0x09,0x06,0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2b,0x06,
- 0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2b,0x06,
- 0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,
- 0x63,0x73,0x70,0x65,0x76,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x3c,
- 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,
- 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
- 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,0x74,0x2f,0x43,0x4e,
- 0x4e,0x49,0x43,0x45,0x56,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x1c,0x06,0x03,
- 0x55,0x1d,0x11,0x04,0x15,0x30,0x13,0x82,0x11,0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,
- 0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,
- 0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,
- 0x04,0x14,0xd7,0x06,0xeb,0x3b,0x83,0x70,0x55,0x58,0x9a,0x40,0x03,0xd5,0x7e,0x8e,
- 0xcb,0x49,0x23,0x10,0x67,0xc4,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,0x0c,0x30,
- 0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1f,0x06,0x03,0x55,
- 0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,
- 0xd2,0x72,0xfd,0x1c,0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x3f,0x06,0x03,
- 0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,
- 0x81,0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,
- 0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,
- 0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xa6,
- 0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x9e,0x30,0x81,0x9b,0x30,0x66,0xa0,0x64,0xa0,
- 0x62,0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
- 0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,
- 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,
- 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,
- 0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,
- 0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,
- 0x72,0x6c,0x31,0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,
- 0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,
- 0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x63,0x72,0x6c,0x2f,0x63,0x72,
- 0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,
- 0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x6e,0x84,0xe5,0x57,0x7e,0x96,
- 0xaf,0x39,0xbf,0xa0,0x2a,0xf2,0xd1,0x10,0x57,0x8e,0x3d,0x68,0x4d,0x61,0x35,0x97,
- 0xbb,0xed,0x7f,0x5e,0x4f,0x17,0x58,0x2f,0x4b,0x94,0x4f,0xda,0xd8,0x9c,0x78,0x52,
- 0x2e,0xec,0xcd,0x86,0x87,0xa1,0x64,0xdc,0x41,0x0e,0x44,0x23,0xdb,0x7d,0xc8,0x86,
- 0xef,0x07,0x29,0xaa,0x78,0x1b,0x95,0x84,0xb8,0xf9,0x60,0x95,0x89,0x3f,0x58,0x3d,
- 0x42,0x74,0x4b,0x82,0x0d,0x65,0x16,0x1a,0x70,0xaa,0x2d,0xb2,0xab,0x79,0x27,0x2e,
- 0x7e,0x6f,0x44,0xfb,0xdf,0xf5,0xff,0x3e,0xc3,0x67,0xa5,0xe1,0x6b,0xe3,0xf7,0xcc,
- 0x11,0x9f,0x2a,0xe8,0x87,0x46,0x3d,0x5c,0xbf,0x5f,0xca,0x9b,0x09,0xbe,0x0a,0x83,
- 0xb0,0x98,0x03,0x3a,0x67,0xb1,0xe9,0xa4,0x04,0x96,0x2b,0x24,0xe1,0xcd,0xc1,0x26,
- 0x88,0x76,0x10,0x41,0x85,0xf0,0x07,0xb0,0x4b,0x6b,0xd2,0x25,0x0f,0x12,0x52,0xea,
- 0x3b,0xac,0xc3,0xfa,0x56,0x5f,0xfb,0x3b,0x4b,0x86,0xf6,0x67,0x45,0x51,0xb4,0xb4,
- 0x94,0x98,0xa6,0xac,0x46,0x8b,0x42,0x94,0xff,0x9e,0x71,0x09,0x7c,0x87,0xb0,0x36,
- 0x70,0x8a,0x5e,0x88,0x33,0x79,0x85,0x78,0x30,0x56,0x4a,0x6a,0xfc,0x5b,0x34,0xe9,
- 0xb7,0x57,0xde,0xdc,0x0a,0x3c,0x1e,0x71,0xfc,0x23,0xc6,0x5a,0xd3,0x1a,0x50,0x06,
- 0xbe,0x9c,0x60,0xd5,0x36,0x44,0x65,0x59,0x89,0xe6,0xda,0x1b,0xc9,0x89,0x21,0xe0,
- 0x59,0x7d,0x25,0x4f,0x76,0x87,0x4f,0x7e,0xb1,0x1a,0x43,0xff,0x00,0xbb,0xc7,0xc5,
- 0x5e,0xcc,0xfd,0x4a,0x1b,0xc1,0x6e,0x75,0xd9,0xe6
-};
-
-/* On allow list until:
- Not After : Jun 6 02:00:32 2017 GMT
-*/
-static const UInt8 cert2[] = {
- 0x30,0x82,0x04,0x2d,0x30,0x82,0x03,0x15,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1c,
- 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x11,0x3c,0x30,
- 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,
- 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,
- 0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,
- 0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,
- 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x30,0x36,0x30,0x39,0x30,0x33,
- 0x33,0x36,0x33,0x37,0x5a,0x17,0x0d,0x31,0x37,0x30,0x36,0x30,0x36,0x30,0x32,0x30,
- 0x30,0x33,0x32,0x5a,0x30,0x54,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
- 0x02,0x43,0x4e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c,0x77,0x77,
- 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x31,0x17,0x30,0x15,0x06,0x03,
- 0x55,0x04,0x03,0x13,0x0e,0x6d,0x61,0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,
- 0x2e,0x63,0x6e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x77,0x77,
- 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,
- 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,
- 0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xc7,0x2f,0x0e,0xba,0xf0,
- 0xff,0x9e,0x56,0x3b,0x88,0x3b,0x94,0x0d,0xc6,0x81,0x22,0xe7,0xeb,0x1b,0x22,0x1d,
- 0xb2,0x75,0x5b,0xae,0x41,0xea,0x55,0x6a,0x7c,0x95,0x85,0x3e,0x0e,0xd1,0x95,0xf4,
- 0x71,0xdf,0x7c,0x5c,0x8e,0xcc,0x25,0xb9,0xae,0x15,0xc9,0xf2,0xd0,0x30,0xe8,0x7c,
- 0x91,0x5d,0x24,0x09,0x93,0x23,0x3f,0x55,0x7b,0x09,0x17,0x82,0x37,0x0b,0xf8,0x1a,
- 0x6e,0xaa,0x08,0x0d,0xa8,0x2d,0xb7,0x6d,0x38,0x24,0xc0,0x48,0x5d,0x29,0x7a,0xe9,
- 0xac,0x4d,0x93,0xec,0xd0,0x6c,0x62,0x1e,0x17,0xe7,0x2d,0xd7,0x0b,0x64,0x8f,0x56,
- 0xd3,0x82,0x37,0xad,0x2d,0x28,0xe8,0x7e,0x9d,0x83,0x7d,0x6d,0x06,0xa2,0x36,0x62,
- 0x60,0x30,0xbe,0x31,0xf9,0x9e,0xe0,0xb7,0x5b,0x72,0x6e,0x16,0x36,0x75,0xdc,0x17,
- 0x56,0xff,0x5f,0x27,0x57,0x34,0xdc,0x2a,0x98,0xcd,0x9d,0x3f,0x5c,0x48,0x79,0x0b,
- 0xa5,0xcf,0x16,0x20,0xc5,0x57,0x5f,0xa6,0xd6,0x1d,0xd6,0x6a,0x17,0x89,0x2d,0xb8,
- 0xde,0xc5,0x30,0xe4,0xf0,0x39,0xf6,0x87,0x87,0x54,0x5c,0xc0,0x34,0x0f,0x1c,0xfb,
- 0xf0,0xe4,0xc5,0xde,0xe1,0xa7,0xcf,0x54,0x2a,0x02,0x20,0x94,0xf9,0xd1,0xf8,0xb6,
- 0x97,0xe2,0x3a,0x30,0x43,0x24,0x45,0x2d,0x9a,0xd3,0xe0,0x6a,0x70,0x41,0x96,0xf0,
- 0x4d,0x21,0x8d,0x61,0x2c,0x2c,0x56,0xda,0xec,0xc8,0xdc,0xbf,0xce,0x75,0x9d,0xd9,
- 0x5a,0x2d,0x39,0xc7,0xef,0x29,0x32,0xd6,0x6c,0xf8,0xc7,0x88,0x84,0xfc,0x51,0x5b,
- 0x11,0x44,0xde,0x87,0xd3,0x6f,0x05,0x0c,0x8e,0xc7,0x0f,0x02,0x03,0x01,0x00,0x01,
- 0xa3,0x82,0x01,0x19,0x30,0x82,0x01,0x15,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,
- 0x18,0x30,0x16,0x80,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,0xfc,
- 0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x09,0x06,0x03,0x55,0x1d,0x13,
- 0x04,0x02,0x30,0x00,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,
- 0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,
- 0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,
- 0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,
- 0x2f,0x63,0x70,0x73,0x2f,0x30,0x3c,0x06,0x03,0x55,0x1d,0x1f,0x04,0x35,0x30,0x33,
- 0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,
- 0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,
- 0x6c,0x6f,0x61,0x64,0x2f,0x64,0x71,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,0x2e,
- 0x63,0x72,0x6c,0x30,0x27,0x06,0x03,0x55,0x1d,0x11,0x04,0x20,0x30,0x1e,0x82,0x0c,
- 0x77,0x77,0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x82,0x0e,0x6d,0x61,
- 0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,0x2e,0x63,0x6e,0x30,0x0b,0x06,0x03,
- 0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,
- 0x04,0x16,0x04,0x14,0x00,0x8b,0xf0,0x61,0xdf,0xf1,0x0b,0x53,0xd8,0x52,0x97,0xfe,
- 0x23,0x9f,0x34,0x50,0x1d,0xac,0xec,0x90,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,
- 0x0c,0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x0d,0x06,
- 0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,
- 0x00,0x86,0x62,0x31,0x67,0xba,0x3e,0x2b,0x1f,0xf7,0xdd,0xc0,0x9b,0xa2,0x27,0xb5,
- 0x61,0x8c,0xd8,0x68,0xc1,0x58,0x47,0xb2,0x72,0xb9,0xfe,0x06,0x52,0x7d,0x92,0x35,
- 0x9b,0xa9,0x08,0xa7,0x3a,0x37,0x70,0x9d,0xe1,0x47,0xbe,0x3d,0x15,0x20,0x35,0x9a,
- 0x79,0x7c,0x16,0xe8,0x8e,0xa5,0x0f,0x42,0xd5,0x6b,0x5b,0x9e,0x55,0x2b,0xdd,0x35,
- 0x3e,0x32,0x41,0xef,0x14,0xa0,0x15,0x70,0xf8,0x8c,0x3f,0x9e,0xc0,0xc2,0x32,0x4d,
- 0x90,0x9a,0xd0,0x9b,0xc1,0x72,0x64,0x2f,0x2e,0x8c,0x44,0x80,0x5a,0x6f,0xb7,0x08,
- 0xa9,0x0e,0x76,0xa4,0x82,0xd6,0x2e,0x64,0xf6,0xe4,0x5e,0x1b,0xb4,0x09,0xbc,0x1d,
- 0x80,0x46,0xd7,0x35,0x7f,0x58,0x70,0x09,0x10,0x7a,0x1e,0xe5,0x28,0xf5,0x5a,0x28,
- 0x7e,0x54,0x52,0x88,0xe6,0x3f,0x4e,0x55,0xb3,0x15,0x67,0x4c,0xac,0x82,0xbb,0xf8,
- 0x98,0xd0,0xd2,0x69,0x17,0x70,0x6a,0x09,0x52,0x91,0xc1,0xe7,0xbb,0xa7,0xe8,0x78,
- 0xdb,0x57,0xa3,0x37,0x3f,0x3c,0x7f,0x80,0xc2,0x40,0x61,0xd2,0xe5,0x6f,0xe8,0x93,
- 0xa2,0xb7,0x84,0x00,0x4e,0x4d,0xed,0xf3,0x87,0x14,0x35,0xd2,0xdb,0xf6,0x6b,0xc0,
- 0x2a,0xb2,0x9c,0xc3,0x48,0xba,0xd0,0xb9,0x55,0xf2,0x1a,0x17,0xa0,0x0d,0x45,0x2c,
- 0x28,0x0a,0xba,0x60,0x4a,0xb8,0x73,0xd6,0xb0,0x83,0x6e,0x92,0x87,0x1f,0x39,0x91,
- 0xa5,0x4f,0xef,0xcb,0xf7,0xee,0x28,0x39,0x5e,0x21,0xf0,0xc1,0x91,0x23,0x24,0x78,
- 0xbc,0x01,0xb6,0xf1,0x4d,0x58,0x63,0xa6,0x89,0xf4,0x8b,0xa9,0xc9,0xad,0xfa,0xe1,
- 0x9b
-};
-
-static const UInt8 intermediate0[] = {
- 0x30,0x82,0x04,0x99,0x30,0x82,0x03,0x81,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49,
- 0x33,0x00,0x7c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,
- 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
- 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,
- 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49,
- 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x32,0x31,0x38,
- 0x31,0x32,0x33,0x32,0x31,0x38,0x5a,0x17,0x0d,0x32,0x34,0x31,0x32,0x31,0x38,0x31,
- 0x32,0x33,0x32,0x31,0x38,0x5a,0x30,0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,
- 0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,
- 0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,
- 0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,
- 0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,
- 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
- 0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xf0,0xa3,0x8d,0x71,
- 0x34,0xfe,0x11,0x3c,0xc7,0x98,0x61,0x0b,0xc5,0xaa,0x7b,0x13,0xd9,0x40,0x7f,0x9b,
- 0x59,0xd0,0x4a,0xc0,0x93,0x45,0x5e,0x48,0xf1,0xfe,0xb1,0x8f,0xb9,0x4c,0xdf,0x53,
- 0x50,0x15,0x19,0xf9,0xea,0xe7,0x22,0x8d,0xa8,0xdb,0x09,0x45,0xa6,0x86,0xc6,0xf8,
- 0xd5,0xdc,0x55,0xb4,0x8f,0xeb,0x56,0x3d,0x1f,0x36,0xc7,0x95,0x55,0xf4,0x4e,0x11,
- 0xc7,0x08,0x6f,0xe8,0xf9,0x7f,0x9e,0x85,0x9a,0x65,0x10,0x9b,0x87,0x86,0xb4,0x42,
- 0x92,0xaf,0x3f,0x5b,0xd9,0x8b,0x2f,0x68,0xc2,0x08,0x58,0xf6,0xe4,0x5f,0x3b,0x79,
- 0x8b,0x9e,0xde,0xb1,0x48,0x1f,0x59,0x40,0xb9,0xea,0x24,0x07,0x66,0x97,0xf6,0x2f,
- 0x52,0xec,0x0c,0xc8,0x4e,0x65,0x5a,0x60,0x6f,0xe5,0x8f,0x9d,0xfd,0x6a,0xde,0x89,
- 0xe4,0x7a,0x4b,0xb6,0x1e,0x82,0x8d,0x9c,0xdd,0x8d,0x73,0x33,0x92,0xd3,0x46,0x8e,
- 0x9e,0x58,0x01,0xf3,0x2e,0x83,0xe0,0xd2,0x4a,0x13,0x94,0x2c,0xd0,0x8a,0x12,0xd0,
- 0x29,0x34,0xed,0x6b,0xea,0xc6,0xc9,0x14,0x7a,0x75,0x92,0x8e,0x42,0x7e,0xd2,0x76,
- 0x88,0xdb,0xad,0x9b,0x20,0xe2,0x30,0x94,0x97,0xa3,0xa3,0xae,0x52,0x4c,0x2d,0xa3,
- 0x77,0x79,0x74,0xf7,0x87,0x8c,0x86,0x8f,0xb3,0x63,0x51,0x3e,0xf6,0xc0,0x6e,0x25,
- 0x9b,0x0d,0xc1,0x99,0x4f,0xf2,0x5c,0x9d,0xf5,0x21,0x04,0x42,0xde,0x74,0x59,0xe4,
- 0x39,0x80,0x82,0x50,0x21,0xde,0x49,0xe3,0x14,0x83,0xa7,0xc8,0xce,0x6d,0xfa,0x49,
- 0x5b,0x5e,0x3f,0x55,0x65,0xc1,0x5d,0x57,0x41,0x00,0x7d,0x43,0x02,0x03,0x01,0x00,
- 0x01,0xa3,0x82,0x01,0xa4,0x30,0x82,0x01,0xa0,0x30,0x76,0x06,0x08,0x2b,0x06,0x01,
- 0x05,0x05,0x07,0x01,0x01,0x04,0x6a,0x30,0x68,0x30,0x29,0x06,0x08,0x2b,0x06,0x01,
- 0x05,0x05,0x07,0x30,0x01,0x86,0x1d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,
- 0x73,0x70,0x63,0x6e,0x6e,0x69,0x63,0x72,0x6f,0x6f,0x74,0x2e,0x63,0x6e,0x6e,0x69,
- 0x63,0x2e,0x63,0x6e,0x30,0x3b,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,
- 0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,
- 0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,
- 0x65,0x72,0x74,0x2f,0x43,0x4e,0x4e,0x49,0x43,0x52,0x4f,0x4f,0x54,0x2e,0x63,0x65,
- 0x72,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x65,0xf2,
- 0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,
- 0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,
- 0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,
- 0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,0x24,
- 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,
- 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
- 0x63,0x70,0x73,0x2f,0x30,0x81,0x86,0x06,0x03,0x55,0x1d,0x1f,0x04,0x7f,0x30,0x7d,
- 0x30,0x42,0xa0,0x40,0xa0,0x3e,0xa4,0x3c,0x30,0x3a,0x31,0x0b,0x30,0x09,0x06,0x03,
- 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,
- 0x0c,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,
- 0x0c,0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,
- 0x63,0x72,0x6c,0x31,0x30,0x37,0xa0,0x35,0xa0,0x33,0x86,0x31,0x68,0x74,0x74,0x70,
- 0x3a,0x2f,0x2f,0x63,0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,
- 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x73,0x68,0x61,
- 0x32,0x63,0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0b,0x06,
- 0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,
- 0x0e,0x04,0x16,0x04,0x14,0xb7,0xd1,0x59,0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,
- 0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,0x3c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
- 0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x4f,0xc7,0x80,
- 0x5e,0x29,0x70,0x8c,0xd6,0x59,0xae,0x59,0x4f,0xd1,0xd8,0x41,0xa8,0xa7,0xa8,0x58,
- 0xa6,0x06,0x25,0xd2,0xf8,0x3c,0x13,0x52,0xec,0x51,0x54,0x38,0xb6,0x60,0xd0,0x95,
- 0xaf,0x30,0xbf,0x78,0xa3,0x19,0xfd,0x6b,0x54,0x98,0x49,0xc4,0x81,0x84,0xaa,0x51,
- 0x54,0xd3,0x95,0x9d,0x92,0x66,0x02,0x6e,0x55,0x4b,0xf1,0xe0,0x4e,0x02,0x05,0xb5,
- 0x67,0x3b,0x31,0x4d,0xb3,0xb3,0xb7,0xa2,0x13,0xff,0x28,0x10,0xbc,0xa4,0x9b,0x71,
- 0x4c,0x36,0x9c,0x60,0xac,0x65,0x7c,0x66,0x8a,0xb6,0x1c,0x7f,0xa1,0xad,0xe8,0x6e,
- 0xce,0x0b,0xee,0x85,0xe6,0x01,0xe5,0xab,0x7f,0x11,0x1f,0x33,0xd9,0x1d,0xa1,0x0c,
- 0xf2,0x3a,0x7e,0xdb,0xf5,0x63,0xe2,0x77,0xdb,0x01,0x1a,0x60,0xe8,0xfb,0x42,0xd4,
- 0xf3,0xdf,0x8d,0xec,0x4f,0x4f,0xc8,0xa7,0x24,0xf7,0xb5,0xb7,0x58,0xae,0xad,0x0c,
- 0x9b,0x7a,0x39,0x81,0xd9,0xd0,0x8a,0x18,0x28,0x8a,0xf2,0x91,0x88,0x11,0x3d,0xb1,
- 0x42,0x5d,0x0e,0x31,0xfe,0x00,0x99,0xfe,0x87,0x3f,0x8e,0xbd,0xef,0x83,0x72,0xd7,
- 0x49,0x22,0xfd,0x82,0xe2,0xfc,0xe8,0xe8,0xf7,0x4b,0xff,0xa5,0x62,0xec,0xd3,0x87,
- 0x51,0x6f,0x35,0xbc,0x51,0x54,0x6c,0x36,0xfe,0x88,0xcb,0xaf,0xb1,0x0e,0x7b,0x76,
- 0x9c,0x16,0x11,0xda,0x7f,0xd1,0xf4,0x85,0xce,0xb8,0x87,0x45,0x0c,0x43,0xe4,0xb3,
- 0x6f,0xbc,0x95,0xce,0x59,0x57,0xf3,0xb4,0xec,0xa8,0xc2,0x1f,0x98,0x77,0x93,0x7d,
- 0xad,0x92,0x4e,0xba,0xab,0x5d,0x45,0x93,0x7c,0xf0,0x17,0xcd,0xc7
-};
-
-static const UInt8 intermediate1[] = {
- 0x30,0x82,0x04,0xf8,0x30,0x82,0x03,0xe0,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x0b,
- 0x24,0x01,0xb7,0x39,0x86,0x38,0x3c,0x29,0xc2,0xf8,0x19,0x4d,0x23,0x10,0x7b,0x30,
- 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x81,
- 0x8a,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,
- 0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,
- 0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,
- 0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,
- 0x65,0x72,0x31,0x47,0x30,0x45,0x06,0x03,0x55,0x04,0x03,0x0c,0x3e,0x43,0x68,0x69,
- 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,
- 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,
- 0x43,0x65,0x6e,0x74,0x65,0x72,0x20,0x45,0x56,0x20,0x43,0x65,0x72,0x74,0x69,0x66,
- 0x69,0x63,0x61,0x74,0x65,0x73,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,0x0d,0x31,
- 0x30,0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x17,0x0d,0x32,0x30,
- 0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x30,0x58,0x31,0x0b,0x30,
- 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,
- 0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,
- 0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,
- 0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x15,
- 0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x45,
- 0x56,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
- 0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,
- 0x0a,0x02,0x82,0x01,0x01,0x00,0xc9,0x8b,0x5d,0x84,0x90,0x33,0x98,0x83,0xdd,0xa1,
- 0x9a,0x76,0x4f,0xd2,0xff,0xf4,0xbc,0x5d,0x7f,0xd5,0x0c,0xdc,0xd1,0x58,0xe8,0x3a,
- 0xd7,0xab,0xa9,0x24,0x05,0x78,0x28,0x3d,0x64,0x03,0x7d,0x7f,0xee,0x16,0x3e,0x51,
- 0xc7,0x69,0xb4,0x06,0xe8,0xa5,0x3b,0x7a,0xf0,0xac,0xcd,0x9e,0xb4,0x00,0xbf,0x25,
- 0xe5,0xd9,0x95,0x45,0x31,0x20,0x59,0xed,0xf0,0xbc,0x86,0x02,0x9a,0xa6,0x52,0x73,
- 0xaf,0x02,0x09,0x22,0xf1,0x04,0x97,0xe3,0x15,0x8c,0x7e,0xa5,0xc7,0x37,0xbd,0x42,
- 0x4f,0x27,0x85,0x9d,0xb9,0x24,0x29,0xcb,0x4c,0xd4,0xd2,0xed,0x79,0x3b,0x39,0xa1,
- 0x08,0x26,0xba,0x14,0xb3,0x49,0x0f,0x8e,0xd7,0x9d,0x5f,0xde,0x72,0xf0,0x53,0xee,
- 0x8a,0x4e,0x6c,0x06,0x6f,0xea,0x9f,0x25,0x4a,0x23,0x80,0x7e,0x2e,0xb2,0x81,0x9d,
- 0x3b,0x4e,0xdf,0x73,0xbe,0x1b,0x89,0x10,0x89,0xf7,0xac,0xa0,0x2f,0xfb,0x71,0xc4,
- 0xe2,0xe9,0xd0,0x79,0xb7,0x54,0x9d,0xf6,0xcc,0x3a,0x6c,0x88,0x25,0xf4,0x0e,0xf4,
- 0x49,0xa1,0x23,0xd2,0xe2,0x71,0xb8,0x1c,0x44,0x46,0xb4,0x70,0x5d,0x5d,0xab,0x7f,
- 0x0e,0x27,0x8d,0x4b,0xf4,0xe1,0x52,0x88,0x58,0xf9,0xec,0x1e,0xbb,0x56,0x1f,0x37,
- 0x1a,0xce,0x74,0xf3,0x6d,0x63,0xbc,0x18,0xa8,0x95,0x30,0x8b,0x16,0xe2,0x9f,0x0a,
- 0x89,0xe0,0x36,0xba,0x0f,0x90,0x5e,0x67,0x6c,0x04,0x77,0xfa,0xd1,0x6e,0xdb,0x1c,
- 0x3c,0x1f,0x9f,0x83,0xb5,0x4b,0xc8,0x4e,0x90,0xf8,0x02,0x26,0x2e,0xce,0x7c,0xe6,
- 0x3e,0xe8,0x0e,0xf0,0x77,0xf1,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0x89,0x30,
- 0x82,0x01,0x85,0x30,0x34,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,
- 0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,
- 0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x72,0x6f,0x6f,0x74,
- 0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,
- 0x04,0x18,0x30,0x16,0x80,0x14,0x7c,0x72,0x4b,0x39,0xc7,0xc0,0xdb,0x62,0xa5,0x4f,
- 0x9b,0xaa,0x18,0x34,0x92,0xa2,0xca,0x83,0x82,0x59,0x30,0x0f,0x06,0x03,0x55,0x1d,
- 0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,
- 0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,
- 0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,
- 0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,
- 0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xaa,0x06,
- 0x03,0x55,0x1d,0x1f,0x04,0x81,0xa2,0x30,0x81,0x9f,0x30,0x66,0xa0,0x64,0xa0,0x62,
- 0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
- 0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,
- 0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,
- 0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,
- 0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,
- 0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,
- 0x6c,0x31,0x30,0x35,0xa0,0x33,0xa0,0x31,0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,
- 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,
- 0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x72,0x6f,0x6f,0x74,0x63,0x72,0x6c,
- 0x2f,0x63,0x72,0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f,
- 0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,
- 0x04,0x16,0x04,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,0xd2,0x72,0xfd,0x1c,
- 0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
- 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0xf9,0xad,0x13,
- 0x7b,0x62,0x9b,0x8b,0xa5,0xfd,0x52,0x5d,0xd1,0x13,0xca,0x28,0x92,0xdc,0xc3,0x84,
- 0x3d,0xf1,0xc5,0x9b,0x2a,0xc3,0x15,0xfc,0x1d,0x4f,0x30,0x54,0x77,0x9a,0x5a,0x5a,
- 0x1b,0x07,0xbb,0xf7,0x7e,0xea,0x47,0x01,0xc7,0x6d,0x30,0xe0,0x2e,0xcc,0x44,0xea,
- 0x6c,0xa5,0xcd,0x42,0x86,0x38,0xf5,0x88,0x9c,0xff,0x74,0xc1,0x3d,0x70,0xfa,0x9a,
- 0x54,0xbd,0x37,0xb0,0x38,0x9f,0xb6,0xe4,0x51,0xec,0x24,0xa0,0xa4,0xbe,0x9f,0x6e,
- 0xad,0x3b,0x0f,0x30,0xa0,0xd2,0x37,0x67,0x9b,0xc2,0x6f,0xd5,0xfd,0x9a,0xfd,0xc6,
- 0x56,0x08,0x64,0x84,0x74,0x12,0xfe,0xa8,0xe3,0x26,0x4a,0x08,0x2f,0xdb,0x32,0x9a,
- 0xae,0xaf,0x01,0x75,0xf0,0x7b,0x28,0xb6,0xb2,0x4a,0xf0,0xd8,0xfd,0xb4,0x11,0xf5,
- 0x26,0x31,0x49,0xd1,0x82,0x91,0x04,0x3b,0x4b,0x79,0x3c,0x57,0x2e,0x38,0x9f,0x9a,
- 0xfd,0xdf,0x53,0xd9,0xbd,0x48,0x96,0xfb,0xbb,0x21,0x64,0xdd,0xec,0x68,0xc3,0x77,
- 0x7d,0x41,0xcf,0x7c,0x2f,0xa8,0x87,0xf0,0x8f,0xf0,0x0c,0xdd,0x3f,0x88,0x5c,0x23,
- 0x49,0x26,0x1b,0x60,0xff,0xbc,0x9e,0xb8,0xc0,0xf6,0xe0,0x21,0xf1,0x44,0x44,0x21,
- 0x81,0x06,0x9b,0x39,0xf0,0xaf,0xf0,0x5c,0x44,0x44,0xc7,0x51,0xf2,0x1d,0xf3,0x06,
- 0x1a,0x14,0x04,0xd1,0xa4,0xed,0x92,0x39,0x21,0x77,0xe9,0x77,0x1f,0xd6,0x80,0x5e,
- 0x42,0xb4,0xd5,0x44,0xd1,0xd2,0xd6,0x84,0xca,0xa5,0xb8,0xee,0x48,0x4f,0x93,0x2d,
- 0xca,0x82,0x46,0xff,0x77,0x5b,0x18,0x79,0x88,0x14,0x4c,0x0d
-};
-
-static const UInt8 intermediate2[] = {
- 0x30,0x82,0x03,0xca,0x30,0x82,0x02,0xb2,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49,
- 0x33,0x00,0x65,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,
- 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,
- 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,
- 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49,
- 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x30,0x31,0x32,0x31,0x35,
- 0x30,0x35,0x30,0x37,0x30,0x30,0x5a,0x17,0x0d,0x32,0x30,0x31,0x32,0x31,0x35,0x30,
- 0x35,0x30,0x37,0x30,0x30,0x5a,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,
- 0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,
- 0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,
- 0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,
- 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,
- 0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa8,0x7f,0xa9,
- 0x2d,0x47,0xc3,0xdb,0xdb,0x10,0x79,0xa0,0xae,0xd5,0x80,0xfa,0x5b,0xbe,0x64,0x5f,
- 0x26,0xb9,0x5a,0x84,0x0d,0x1b,0x56,0x14,0x49,0xe1,0xda,0xfb,0x83,0x07,0xaf,0x80,
- 0x2d,0x93,0xbf,0x44,0xd9,0x85,0x1f,0x18,0xb0,0xe1,0xb9,0x06,0x34,0x24,0xd1,0xf9,
- 0x9f,0x34,0xe0,0x26,0x3e,0xce,0x57,0xca,0x30,0x3b,0xae,0x44,0x55,0x47,0x7f,0x2e,
- 0xe5,0xe8,0x51,0x55,0x90,0x95,0x23,0xde,0xd3,0xb4,0x88,0xf8,0x33,0x1e,0x5e,0xe6,
- 0x2b,0xae,0x9b,0x94,0x2c,0xec,0xd9,0xc9,0x47,0x67,0x14,0x54,0x6a,0x33,0x6f,0xe1,
- 0x0c,0x7f,0x0f,0xa0,0x7e,0xb5,0xc3,0x0f,0x63,0x4f,0xdf,0x38,0x9d,0x73,0xea,0x9f,
- 0xaa,0x34,0x30,0xbf,0xba,0x83,0x56,0x65,0x26,0x90,0x01,0xf6,0xfc,0x93,0xc6,0x2b,
- 0xcc,0xf2,0x90,0x7d,0x2a,0x31,0xe1,0xcd,0x0f,0x23,0xd1,0x78,0x2b,0x49,0xc5,0x21,
- 0x77,0xc9,0x8b,0x02,0x70,0xf1,0xc2,0xa3,0xdf,0xca,0xb7,0x73,0x06,0x76,0xfd,0xcb,
- 0xc0,0xc9,0x23,0x21,0x17,0x34,0x1c,0x80,0xa9,0xc6,0x92,0x95,0xd0,0xc6,0xeb,0x83,
- 0x56,0xb0,0x98,0x90,0x50,0xf4,0xcf,0x9b,0x3b,0x2d,0x3e,0xcf,0x94,0x27,0x69,0x9f,
- 0xdc,0x66,0xfb,0x05,0x0c,0xe3,0x99,0x1e,0x06,0x86,0xd9,0xe6,0xf5,0x6c,0xfe,0x98,
- 0x5d,0x61,0xb1,0x89,0x01,0xc4,0x7f,0x48,0x68,0x62,0x06,0x26,0x95,0x40,0xcd,0x93,
- 0x46,0xf8,0xb0,0x8d,0x28,0x3a,0xc7,0x0e,0x46,0x42,0x9f,0x32,0xc3,0xc6,0x78,0xc7,
- 0x10,0xd5,0x37,0xff,0x17,0x4c,0x24,0x60,0xc6,0xd5,0x18,0x9a,0x7d,0x02,0x03,0x01,
- 0x00,0x01,0xa3,0x81,0xe5,0x30,0x81,0xe2,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,
- 0x18,0x30,0x16,0x80,0x14,0x65,0xf2,0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,
- 0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,
- 0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,
- 0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,
- 0x0c,0x01,0x06,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,
- 0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,
- 0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x3e,0x06,0x03,0x55,
- 0x1d,0x1f,0x04,0x37,0x30,0x35,0x30,0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,
- 0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,
- 0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x63,
- 0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,
- 0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,
- 0x1d,0x0e,0x04,0x16,0x04,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,
- 0xfc,0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x0d,0x06,0x09,0x2a,0x86,
- 0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xb6,0x37,
- 0x1c,0xdb,0x09,0x29,0xbd,0x24,0x76,0x1b,0x7f,0x6b,0x36,0x25,0xd2,0x43,0xf2,0x09,
- 0x22,0x63,0x3f,0x8e,0xd6,0x15,0xf9,0x9c,0x36,0xc9,0xb1,0x1c,0x10,0x61,0x39,0x24,
- 0x96,0x76,0xa4,0xa3,0x70,0xa4,0xe5,0x52,0xc1,0xba,0xb9,0xbb,0x72,0x1a,0xdc,0x76,
- 0x05,0x86,0x45,0x03,0x0a,0xb8,0x95,0xd5,0xb2,0x63,0xb4,0x7b,0x9a,0x00,0xd5,0x31,
- 0x76,0x50,0x25,0xc0,0x98,0x17,0xc9,0xfa,0x57,0x36,0x50,0x1f,0x66,0x2b,0xb1,0xd1,
- 0xe6,0xcf,0x14,0x56,0xf2,0xb9,0x9f,0xa9,0x6f,0x2d,0x15,0xb7,0x66,0x46,0x9e,0x85,
- 0x7c,0x68,0xbd,0xf3,0x5f,0x9f,0xbf,0xbe,0xf8,0xf9,0x7f,0x7b,0x1b,0xca,0x51,0xc2,
- 0xae,0x43,0x20,0x83,0x90,0xab,0xb5,0x70,0x73,0x42,0xa9,0xc1,0xd5,0x4f,0x89,0xcf,
- 0x72,0xba,0x86,0x5c,0xd8,0x8c,0xaf,0x85,0xf1,0x3d,0x52,0x23,0xac,0x68,0x05,0x73,
- 0xca,0x36,0x7c,0x12,0x86,0xae,0xdc,0xda,0x91,0x40,0x1f,0xe0,0x6b,0x26,0x43,0x64,
- 0xe9,0x5f,0x71,0xbf,0x22,0x6c,0x6e,0xd1,0x32,0x0c,0x7c,0x07,0x36,0x3a,0x09,0xef,
- 0xe7,0xa7,0x9b,0x73,0x19,0xe3,0x6a,0xd2,0x41,0x43,0x23,0xef,0x63,0x30,0xa0,0x34,
- 0x12,0x2c,0xe5,0x23,0x5f,0x46,0x87,0xcc,0xf1,0x2f,0x0b,0xd1,0x72,0x58,0xc5,0x36,
- 0xcb,0x4e,0x00,0x5f,0x15,0x80,0x0a,0x05,0xb5,0x34,0x34,0x9c,0x19,0x20,0xc1,0x5b,
- 0x80,0x98,0x96,0x42,0x01,0x54,0x6c,0x65,0x4e,0xc5,0x2b,0x04,0x55,0x63,0x71,0x5e,
- 0x99,0x79,0xc5,0xfb,0x03,0xbf,0x27,0x56,0xa6,0xdf,0x3a,0x4c,0xea,0x63
-};
-
-
-/* subject:/C=RU/CN=telegram.im */
-/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
-/* Not After : Sep 3 23:57:19 2019 GMT */
-
-unsigned char leafOnAllowList_Cert[1719]={
- 0x30,0x82,0x06,0xB3,0x30,0x82,0x05,0x9B,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x31,
- 0x4E,0xCD,0xA3,0x65,0x0B,0x68,0x8D,0x7D,0x77,0xD3,0x5A,0x00,0x4A,0xC5,0x94,0x30,
- 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
- 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
- 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
- 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
- 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72,
- 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
- 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x39,0x30,0x33,0x32,
- 0x33,0x35,0x37,0x31,0x39,0x5A,0x17,0x0D,0x31,0x39,0x30,0x39,0x30,0x33,0x32,0x33,
- 0x35,0x37,0x31,0x39,0x5A,0x30,0x23,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
- 0x13,0x02,0x52,0x55,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x03,0x0C,0x0B,0x74,
- 0x65,0x6C,0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x82,0x02,0x22,0x30,0x0D,
- 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02,
- 0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xCA,0xCD,0x7B,0x38,0x40,
- 0x59,0xBD,0xD7,0x0D,0xB4,0xDA,0xA7,0x43,0x3F,0x64,0xE7,0xD5,0x88,0x4A,0xA3,0x7D,
- 0xA1,0x8A,0x6C,0x3B,0x1B,0xE0,0xE4,0xE0,0x82,0xCD,0xD3,0x38,0x7D,0x6E,0x49,0x0F,
- 0x56,0x2D,0xA7,0x3A,0x1D,0x7A,0x5C,0x48,0x0D,0x15,0xBD,0x68,0xC0,0x24,0xAE,0x9B,
- 0x03,0x33,0x5E,0xBB,0x12,0x13,0x32,0xDA,0xAF,0xAD,0xEB,0x36,0x76,0x6F,0xBD,0x91,
- 0xF0,0xC1,0xC6,0x14,0xE1,0xDA,0x88,0x32,0x47,0x26,0x5C,0x92,0x5D,0xE1,0xA4,0x3E,
- 0x99,0xCD,0x5B,0xFB,0x92,0x3C,0xA9,0x56,0xEC,0x6B,0xA9,0xEB,0xB0,0x34,0x89,0x4B,
- 0x96,0x1A,0x57,0x0D,0x5F,0x94,0x7C,0x25,0x67,0xCE,0xC0,0x6A,0xB1,0x73,0xE4,0xB3,
- 0x56,0xD8,0xE9,0x09,0x4F,0x5D,0x91,0xBB,0x5E,0x6C,0x13,0xE7,0x18,0xDB,0x62,0x0D,
- 0xDA,0xB9,0xCD,0x97,0xC1,0xD4,0x35,0x0F,0x1A,0x4B,0xCA,0xFC,0x9D,0x88,0xD1,0xE4,
- 0xFC,0x1D,0x43,0x7E,0xE7,0x1A,0xEB,0xED,0x1F,0x7D,0x1F,0x2B,0xF9,0x3A,0x0D,0x06,
- 0x03,0x3F,0x2D,0xAF,0xF4,0xDB,0xCC,0x91,0x7B,0xF7,0x9D,0xAA,0x13,0x41,0xC0,0x57,
- 0x8F,0x3E,0xE2,0xCA,0x45,0x7D,0x35,0x1B,0x0C,0x51,0x53,0x81,0x05,0x74,0x88,0xA2,
- 0x37,0x9B,0x26,0x34,0xAE,0x49,0xB6,0x97,0x9F,0x81,0xFB,0x45,0x7F,0x65,0x82,0x1F,
- 0x8E,0xC1,0xF0,0xC0,0x63,0x1F,0x7B,0xE4,0x45,0xA7,0x4C,0x1C,0x09,0x10,0xF6,0x8A,
- 0x81,0x8E,0x3B,0x6E,0xFF,0x15,0x53,0x9D,0x36,0x2F,0x52,0x01,0x0C,0x34,0x59,0x12,
- 0x9C,0xCA,0xAF,0xF5,0x58,0x31,0x37,0xE6,0x44,0xE5,0x0D,0xDB,0x0F,0x43,0xA3,0x09,
- 0x79,0x78,0x00,0x3D,0x7F,0x3B,0x2F,0xB8,0x28,0x58,0x79,0x35,0xEE,0xA1,0xDA,0x1B,
- 0xF2,0x8F,0x9C,0xAB,0x3F,0x38,0xB5,0x88,0x85,0x78,0x48,0xAA,0x67,0x41,0x0A,0xAB,
- 0x1D,0x89,0xE1,0x60,0x39,0x9A,0x6B,0x88,0xE3,0xB9,0x78,0x02,0x2F,0x74,0x58,0xDD,
- 0xBD,0xEE,0x51,0x8E,0xA9,0x1E,0x5E,0xFD,0x84,0x2B,0x94,0x55,0x14,0xAE,0x68,0x71,
- 0x73,0xC7,0xE3,0xAE,0x9E,0xD9,0x54,0xB4,0x6D,0xE1,0x9A,0x10,0x1A,0x51,0x68,0x13,
- 0x8E,0x51,0x18,0xBF,0xA8,0x7C,0x1A,0x18,0x2C,0xCE,0xF6,0x56,0xFD,0x9E,0xDC,0x97,
- 0xE8,0x95,0x08,0xDA,0xC6,0xBC,0x8C,0x9C,0xDC,0x70,0x45,0xFD,0xD2,0x3E,0x83,0xE3,
- 0x01,0x23,0xD4,0x74,0x6D,0xFD,0x2B,0x55,0x97,0x99,0x96,0xEB,0xD3,0x2D,0x5A,0xA7,
- 0xEF,0xC8,0x89,0x4C,0xA3,0xC1,0xDA,0x17,0xD0,0xDE,0x9C,0xB6,0xA3,0x1D,0x14,0x05,
- 0x65,0xCA,0x5C,0x32,0xD0,0x58,0x62,0xAA,0x56,0x72,0x90,0x02,0xC0,0xFC,0xB6,0x85,
- 0x5A,0x53,0xC2,0xC1,0x31,0xAE,0xD6,0xC8,0x54,0xBE,0x78,0xE2,0x44,0x41,0x58,0xC3,
- 0xEE,0xA7,0x38,0x6D,0x4E,0xAF,0xF1,0xD2,0xD1,0xD9,0xB1,0x17,0x5D,0x10,0x00,0x1D,
- 0x8A,0x07,0xF6,0x5C,0x2C,0x1D,0x2B,0xDB,0xDE,0x3C,0x5B,0x22,0xC4,0xBB,0x27,0xC6,
- 0x5A,0x78,0x25,0x7A,0x8F,0x86,0x42,0x6A,0x82,0xD3,0x7C,0xCA,0x07,0x62,0x23,0x09,
- 0x44,0xEE,0x3B,0xEF,0x0E,0xB7,0x1A,0xA4,0x4D,0xBB,0x93,0xFD,0x83,0xCD,0x67,0x22,
- 0x4B,0xE9,0x37,0x23,0x99,0x3F,0xD7,0xD4,0xEE,0x5C,0x4B,0x02,0x03,0x01,0x00,0x01,
- 0xA3,0x82,0x02,0xAF,0x30,0x82,0x02,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,
- 0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,
- 0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,
- 0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,
- 0x30,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x2A,0x36,0x37,
- 0x39,0xD2,0xCA,0x66,0xB3,0xF8,0x12,0x94,0x78,0xB1,0xD9,0x18,0x1C,0x11,0xD9,0x7C,
- 0xD7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,
- 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,
- 0xA8,0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,
- 0x30,0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,
- 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,
- 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,
- 0x65,0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,
- 0x05,0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,
- 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,
- 0x2E,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,
- 0x72,0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,
- 0xA0,0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,
- 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,
- 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,
- 0x30,0x16,0x06,0x03,0x55,0x1D,0x11,0x04,0x0F,0x30,0x0D,0x82,0x0B,0x74,0x65,0x6C,
- 0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x4F,0x06,0x03,0x55,0x1D,0x20,0x04,
- 0x48,0x30,0x46,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3A,0x06,
- 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x01,0x01,0x02,0x30,0x2B,0x30,0x29,
- 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70,
- 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,
- 0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x82,0x01,0x06,0x06,0x0A,0x2B,
- 0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x81,0xF7,0x04,0x81,0xF4,0x00,
- 0xF2,0x00,0x77,0x00,0x68,0xF6,0x98,0xF8,0x1F,0x64,0x82,0xBE,0x3A,0x8C,0xEE,0xB9,
- 0x28,0x1D,0x4C,0xFC,0x71,0x51,0x5D,0x67,0x93,0xD4,0x44,0xD1,0x0A,0x67,0xAC,0xBB,
- 0x4F,0x4F,0xFB,0xC4,0x00,0x00,0x01,0x56,0xF2,0x97,0xEB,0x40,0x00,0x00,0x04,0x03,
- 0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xBC,0xC2,0x3C,0xA9,0x92,0x2F,0x3D,0x59,0x3C,
- 0x82,0x38,0xD6,0x1A,0x83,0x95,0x04,0x15,0x1C,0x85,0x19,0x8F,0x12,0x33,0x01,0x1B,
- 0xB1,0xCF,0xBE,0xE6,0xC1,0x6F,0xBE,0x02,0x21,0x00,0xB2,0x3B,0x8C,0xA0,0xB0,0x9C,
- 0xCF,0xBA,0xFA,0x4E,0xBA,0xE7,0x95,0x85,0x89,0x5C,0xE1,0x5F,0x34,0x7A,0xA8,0xCB,
- 0x19,0xC8,0x0C,0xED,0x3A,0xA4,0xE2,0x29,0xCD,0xBF,0x00,0x77,0x00,0xA4,0xB9,0x09,
- 0x90,0xB4,0x18,0x58,0x14,0x87,0xBB,0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98,
- 0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77,0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01,
- 0x56,0xF2,0x97,0xEC,0x65,0x00,0x00,0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00,
- 0x96,0x67,0x94,0x08,0x36,0x41,0xF7,0x3F,0x97,0x0B,0xAE,0xAB,0x2F,0xD4,0x0C,0xE5,
- 0xFA,0x3F,0xB2,0x0B,0x4F,0x57,0x1C,0xDF,0x0A,0xF4,0xE7,0x04,0x59,0x1F,0x0D,0xEF,
- 0x02,0x21,0x00,0xBC,0xB5,0xAD,0xF5,0x60,0x34,0x47,0xD5,0x23,0x08,0x12,0xDE,0x8F,
- 0xC7,0xE9,0x14,0x0C,0x02,0x25,0x0B,0x6D,0xB8,0xBF,0x1C,0x0D,0x65,0xEC,0x86,0x9B,
- 0x30,0x88,0x2F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,
- 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3B,0x9A,0xD3,0xED,0xF3,0xA8,0x95,0x4E,0x35,
- 0x96,0xFF,0xA4,0xF1,0x61,0xB1,0x97,0xCA,0xF1,0xC8,0xDC,0x82,0x51,0xB9,0x29,0x3D,
- 0x77,0x59,0x96,0xF4,0x32,0x1F,0xCC,0xF9,0xC6,0x71,0x9E,0x6E,0xB4,0x83,0xFC,0xD9,
- 0xBF,0x21,0x43,0xAF,0xEB,0xB1,0x37,0x36,0x91,0x26,0x72,0xF8,0xAA,0x3A,0x38,0xBE,
- 0x51,0x27,0xBB,0x07,0x48,0x92,0x4E,0xFA,0xA0,0x5A,0x00,0x0D,0x81,0xCB,0x3B,0x17,
- 0x4E,0x04,0x0A,0xF7,0x0E,0x53,0xCD,0xAC,0x5E,0xC8,0xA5,0xE3,0x31,0x6E,0x9F,0x45,
- 0x65,0xA1,0x81,0x5C,0x98,0xF9,0x7E,0x07,0xC1,0x05,0x92,0xBD,0xCD,0xEA,0x5C,0xC7,
- 0x0B,0xC1,0x22,0x8F,0x13,0x7E,0xA2,0xB5,0xE2,0x88,0xBF,0x00,0xF0,0xC5,0xCA,0x99,
- 0xB2,0x59,0x9E,0x6E,0x71,0x35,0x49,0xC5,0xAF,0xAB,0x9B,0x80,0x2A,0xE1,0x8F,0x82,
- 0x98,0x43,0x54,0x8D,0x7A,0x28,0x98,0xA4,0xAE,0xDE,0x29,0xCC,0x15,0xBF,0x2E,0x4F,
- 0xD8,0x70,0x2E,0x8F,0xD8,0xE0,0xB9,0xC0,0x37,0x67,0x7A,0x29,0x35,0x0B,0xCD,0x7D,
- 0xF9,0x59,0x4A,0x6C,0x1C,0x87,0x31,0x2C,0x85,0x83,0x08,0x4E,0xAB,0xED,0xA1,0xEF,
- 0x76,0x90,0x32,0x71,0x6D,0xE6,0x13,0xE5,0x70,0xB8,0x7B,0xF3,0x6C,0x47,0x04,0xDE,
- 0xCC,0x61,0x67,0x5D,0x98,0xC0,0xDB,0x7D,0x24,0x3D,0x60,0xA9,0x60,0x9D,0xD8,0xC7,
- 0x27,0x8C,0x5F,0xA7,0x5A,0xE9,0x58,0x2C,0x2A,0x03,0x92,0xB6,0xF1,0x51,0xC6,0x1D,
- 0xA4,0x7B,0xDF,0xE6,0xF3,0x1A,0xD4,0x23,0x6C,0x4E,0x8D,0x5F,0xFB,0x98,0xD2,0xB3,
- 0x0B,0x73,0x41,0xB6,0x5C,0x84,0xEF,
-};
-
-/* subject:/CN=mmime.info */
-/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
-/* Not After : Sep 12 17:15:48 2016 GMT */
-
-unsigned char leafNotOnAllowList_Cert[1343]={
- 0x30,0x82,0x05,0x3B,0x30,0x82,0x04,0x23,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x6A,
- 0xC3,0x4F,0x8F,0xC7,0x97,0x97,0x53,0xE4,0x61,0x64,0x13,0xC4,0x2E,0x92,0x9B,0x30,
- 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
- 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
- 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
- 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
- 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72,
- 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
- 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x39,0x31,0x32,0x31,
- 0x37,0x31,0x35,0x34,0x38,0x5A,0x17,0x0D,0x31,0x36,0x30,0x39,0x31,0x32,0x31,0x37,
- 0x31,0x35,0x34,0x38,0x5A,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,
- 0x0C,0x0A,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x82,0x01,0x22,
- 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,
- 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB6,0x88,0xD4,
- 0xC3,0xBE,0x56,0x7F,0xB1,0xF1,0x48,0x37,0x71,0x3F,0xC7,0x72,0x53,0x95,0x64,0xAC,
- 0x60,0xF6,0x8C,0x01,0x15,0x2C,0xBD,0x6D,0x43,0x3F,0x8F,0x50,0x12,0x03,0x72,0x0C,
- 0x0D,0x37,0xD7,0x00,0x13,0xEC,0x49,0xC5,0xCF,0x00,0xE1,0x84,0x01,0x8B,0x1A,0xD7,
- 0x6D,0x8A,0xC7,0xB9,0xA7,0x3F,0x3A,0xE5,0xDD,0x1A,0xC9,0xCD,0x30,0xB5,0x74,0x0B,
- 0xFD,0x3C,0x70,0x8D,0xCF,0xCC,0xB7,0xB7,0x52,0x95,0x47,0xDB,0x47,0x2F,0x9C,0x5C,
- 0x06,0x6B,0x3D,0xA4,0xE5,0x42,0x6C,0x85,0x69,0xF3,0x35,0x07,0x3C,0xEF,0xA2,0xFB,
- 0x81,0x3F,0xF6,0x1C,0x51,0x17,0xA6,0x19,0x70,0xF3,0x02,0x43,0x8C,0xC3,0x42,0xED,
- 0xFE,0xF7,0x5F,0xD1,0xF3,0xBB,0x46,0xE9,0x11,0xB8,0x39,0x2E,0xE6,0x8E,0x00,0x48,
- 0x66,0xDF,0x78,0xDE,0x1A,0x27,0x71,0xF1,0x13,0x37,0xC7,0x65,0xA0,0x03,0x41,0xF9,
- 0xB2,0xE1,0x82,0x54,0x38,0x60,0x7E,0x1A,0x5A,0x77,0xC6,0x6E,0x9C,0x91,0x06,0x62,
- 0x84,0xA6,0x91,0xF0,0x3E,0x10,0x4F,0x83,0x1D,0x87,0x94,0xEB,0x0F,0x14,0x91,0xEC,
- 0x58,0xFC,0x15,0x60,0x16,0xF6,0xCD,0x88,0xF7,0x7C,0xE9,0x26,0x71,0x3C,0x14,0x3E,
- 0xD0,0xE0,0x06,0x3B,0xC2,0xAC,0xC0,0x16,0x16,0x0B,0x43,0xD2,0x92,0x96,0x84,0xC9,
- 0x65,0x6E,0xC9,0x76,0x8A,0xE3,0x5B,0x96,0xDE,0xB9,0x57,0xB0,0x7C,0xC2,0xE9,0x74,
- 0x2D,0x6D,0x6F,0x58,0x23,0xC9,0xEB,0xB3,0x63,0xB6,0x18,0xC6,0xD6,0x6B,0xF0,0x88,
- 0xAC,0x2D,0x3E,0x05,0x6D,0x00,0xC0,0x25,0x9A,0x4C,0x3E,0xFE,0xA5,0x02,0x03,0x01,
- 0x00,0x01,0xA3,0x82,0x02,0x45,0x30,0x82,0x02,0x41,0x30,0x0B,0x06,0x03,0x55,0x1D,
- 0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16,
- 0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,0x06,
- 0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,
- 0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x3D,0xAB,0x6A,0xB5,
- 0xCC,0x2F,0xFE,0x38,0x1F,0xEF,0x88,0xA0,0xF7,0xBC,0x2A,0x44,0xEA,0x9E,0xE6,0xBD,
- 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,0x16,
- 0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,0xA8,
- 0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,0x30,
- 0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,0x68,
- 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x36,0x2E,0x77,0x6F,0x73,0x69,
- 0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,0x65,
- 0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
- 0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x36,
- 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2E,
- 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,0x72,
- 0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,0xA0,
- 0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x36,0x2E,
- 0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,0x73,
- 0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,0x30,
- 0x81,0xB6,0x06,0x03,0x55,0x1D,0x11,0x04,0x81,0xAE,0x30,0x81,0xAB,0x82,0x0A,0x6D,
- 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0E,0x77,0x77,0x77,0x2E,0x6D,
- 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x63,0x6C,0x6F,0x75,0x64,
- 0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x12,0x77,0x65,0x62,
- 0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,
- 0x0E,0x76,0x70,0x6E,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,
- 0x11,0x62,0x61,0x63,0x6B,0x75,0x70,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,
- 0x66,0x6F,0x82,0x10,0x66,0x69,0x6C,0x65,0x73,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,
- 0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,
- 0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x73,0x68,0x61,0x72,0x65,0x2E,0x6D,0x6D,0x69,
- 0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6E,0x65,0x77,0x73,0x2E,0x6D,0x6D,
- 0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x51,0x06,0x03,0x55,0x1D,0x20,0x04,
- 0x4A,0x30,0x48,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3C,0x06,
- 0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,0x2B,
- 0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,
- 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,
- 0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,0x2A,
- 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x7A,
- 0x93,0xB0,0x04,0xAB,0xCA,0x53,0x61,0x83,0xC4,0xDC,0x8B,0xE9,0xA5,0x62,0x46,0x9E,
- 0x22,0x7A,0xBB,0x23,0x32,0xC9,0xC8,0x55,0xA7,0x87,0x53,0x68,0x61,0xF4,0x14,0x9B,
- 0xA6,0xC1,0xC2,0x2D,0xF1,0xD6,0x2F,0x58,0x6D,0xCC,0xF9,0x47,0x4F,0x49,0x82,0xDD,
- 0xFA,0x61,0xD4,0xE1,0x99,0xB3,0x1E,0x5A,0x44,0x1E,0xA3,0xC2,0x1E,0x83,0x4F,0x9C,
- 0xB8,0xBC,0x25,0xCD,0x32,0x13,0xCA,0xA8,0xEC,0x17,0xD6,0xEB,0x96,0x38,0xFF,0x26,
- 0xF7,0x76,0x85,0xA0,0x96,0x7C,0x70,0xCE,0xFC,0xBF,0x23,0x1D,0xF8,0xFB,0x0F,0x3E,
- 0xA8,0x22,0xF4,0xE6,0x96,0xD7,0x38,0xF3,0xCE,0xA2,0xDE,0xD3,0xAA,0x11,0x61,0x2E,
- 0x41,0xBF,0xE0,0xAD,0x65,0x88,0x06,0xB4,0x8E,0x45,0x38,0xEB,0x48,0xA5,0xEB,0xE6,
- 0x88,0xD2,0x0D,0x83,0x8B,0x6A,0x2A,0x97,0xC6,0xBD,0x01,0x39,0x71,0x0A,0xDA,0xF3,
- 0x2A,0x8D,0x7F,0x5C,0xCC,0xF0,0x05,0x17,0x99,0x98,0x11,0xD3,0x43,0x23,0xCE,0x91,
- 0x55,0x02,0x7E,0x93,0x1B,0x37,0xE9,0x81,0x84,0x7D,0xEE,0x80,0x0D,0x69,0xF5,0x77,
- 0x20,0x8B,0x39,0x7F,0x4E,0x52,0x94,0xED,0x07,0x76,0xF0,0xB6,0x12,0x39,0xDA,0xEB,
- 0x80,0x42,0x02,0xD4,0xFE,0xE6,0x42,0xB7,0xC5,0xA8,0xEC,0xA6,0x83,0x9C,0x68,0x60,
- 0x9A,0x52,0xF2,0x7F,0xF6,0x48,0x92,0x93,0x10,0x43,0xDE,0x5E,0x75,0x18,0x1B,0x22,
- 0x12,0x3F,0xEB,0x7A,0x38,0x6E,0x73,0xBD,0x6A,0x2C,0xE6,0x07,0xEA,0xFC,0x50,0x31,
- 0x54,0xC3,0x7B,0xD1,0x0B,0xC1,0x78,0x9D,0x6E,0xF2,0xAF,0x65,0xB9,0xF1,0xB5,
-};
-
-/* subject:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */
-/* issuer :/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */
-/* Not After : Nov 8 00:58:58 2029 GMT */
-
-unsigned char ca1_Cert[1456]={
- 0x30,0x82,0x05,0xAC,0x30,0x82,0x03,0x94,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x38,
- 0xF6,0x45,0xC1,0xE2,0x5D,0x91,0x2C,0xCE,0x3B,0x2B,0x39,0x12,0x31,0x74,0x0D,0x30,
- 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55,
- 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,
- 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,
- 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55,
- 0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,
- 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x6F,0x66,0x20,0x57,
- 0x6F,0x53,0x69,0x67,0x6E,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x31,0x30,0x38,0x30,
- 0x30,0x35,0x38,0x35,0x38,0x5A,0x17,0x0D,0x32,0x39,0x31,0x31,0x30,0x38,0x30,0x30,
- 0x35,0x38,0x35,0x38,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
- 0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,
- 0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,
- 0x31,0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,
- 0x6E,0x20,0x43,0x41,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,
- 0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x47,0x32,0x30,0x82,0x01,0x22,
- 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,
- 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE3,0xB4,0x80,
- 0x0E,0x6B,0x30,0x50,0x82,0x2F,0x1F,0xE7,0x9D,0xBF,0xF8,0x7C,0x42,0x25,0xED,0xAE,
- 0x61,0xC4,0xEB,0x86,0x87,0x23,0x7F,0x11,0x1F,0xC0,0x93,0x5F,0x1B,0x92,0x90,0x1E,
- 0x77,0x8C,0xBC,0x76,0xF7,0xFB,0x0A,0xA5,0xD5,0x7D,0xAC,0xDC,0x4B,0x18,0xD8,0x58,
- 0x2E,0xDF,0x46,0x6B,0x34,0x0F,0x45,0x64,0x60,0x84,0xC2,0xEB,0x9A,0x0E,0x51,0xD4,
- 0x2A,0x54,0x51,0x3E,0x27,0x3B,0x64,0x68,0x86,0x6F,0x7C,0x6B,0x00,0x3C,0x99,0xF6,
- 0x4C,0xA8,0x45,0x27,0xAD,0xA5,0xCB,0x2B,0x37,0xED,0x59,0xC3,0x52,0x4C,0x4F,0xDE,
- 0x34,0x9C,0xF2,0xB7,0xD1,0xFA,0x58,0xCB,0xE5,0x62,0x9E,0x55,0x46,0x5C,0xB7,0xC5,
- 0x8D,0x38,0x24,0x35,0xEF,0x97,0x2C,0x7C,0x65,0x10,0x0D,0xEF,0x9F,0x97,0x08,0xD5,
- 0xE5,0xB3,0x12,0x7A,0x92,0xDD,0xFE,0x88,0x0F,0x8F,0xA4,0xAF,0xBD,0xC5,0xD6,0x36,
- 0xF7,0x41,0x1B,0xE8,0x59,0xDD,0x86,0xFF,0x35,0xBF,0xED,0xE4,0xD1,0xA0,0x93,0x6E,
- 0x51,0xA8,0x99,0xCB,0xDF,0xDD,0xBE,0x71,0x88,0xC3,0xDA,0xB1,0x65,0xCC,0x7B,0x95,
- 0xC4,0x66,0x8F,0xBE,0x4E,0x06,0x7F,0x9B,0x53,0x8C,0x6B,0x3C,0xCE,0x97,0x26,0x82,
- 0x1F,0x17,0x30,0xBA,0x3F,0xC8,0xDE,0xCC,0x0B,0xA1,0xB4,0xEF,0x12,0x3D,0x93,0xCB,
- 0x08,0x30,0xE7,0x1A,0x98,0x97,0x80,0x3A,0x26,0x84,0x8F,0xFE,0x73,0x74,0x95,0x53,
- 0x0F,0x51,0xB2,0xAA,0x89,0x57,0xF4,0x96,0x40,0x72,0x13,0x1D,0xE4,0x67,0x98,0x4E,
- 0x8F,0xC6,0x40,0x0B,0xF5,0x1D,0x0C,0x45,0x2D,0xE0,0xD5,0x92,0x83,0x02,0x03,0x01,
- 0x00,0x01,0xA3,0x82,0x01,0x76,0x30,0x82,0x01,0x72,0x30,0x0E,0x06,0x03,0x55,0x1D,
- 0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D,
- 0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,
- 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,
- 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x30,0x06,
- 0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86,0x1F,
- 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,0x2E,0x77,0x6F,0x73,
- 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,
- 0x72,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x66,0x30,0x64,0x30,
- 0x27,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,
- 0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,
- 0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x30,0x39,0x06,0x08,0x2B,0x06,0x01,0x05,
- 0x05,0x07,0x30,0x02,0x86,0x2D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,
- 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,
- 0x67,0x32,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,
- 0x63,0x65,0x72,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2,0xA7,
- 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,
- 0xA8,0xC7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE1,
- 0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,
- 0xFE,0xFB,0x3E,0x30,0x47,0x06,0x03,0x55,0x1D,0x20,0x04,0x40,0x30,0x3E,0x30,0x3C,
- 0x06,0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,
- 0x2B,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,
- 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,
- 0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,
- 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00,
- 0x96,0x5A,0xDF,0x96,0x91,0x17,0x68,0x90,0x5D,0x2F,0xB4,0x32,0x15,0x80,0x03,0x03,
- 0x0B,0xE9,0x1C,0xB7,0x73,0x6C,0xDA,0xA8,0xFA,0x94,0xDD,0xDD,0x3E,0x34,0x2B,0x2E,
- 0x80,0x93,0x6C,0xFA,0xA6,0x67,0xD3,0x1B,0x7A,0x82,0x41,0xCE,0x9E,0xFF,0x3F,0xEF,
- 0xB2,0x83,0x6A,0x9E,0xFC,0x32,0xFD,0x44,0xF3,0x82,0x66,0xAA,0xCF,0x44,0x2F,0xB3,
- 0x37,0x41,0xF0,0x79,0x12,0xE3,0x02,0x27,0x86,0x48,0x92,0xBE,0xCF,0x56,0xD7,0xCB,
- 0xD7,0xE7,0x1E,0x25,0x9D,0x41,0xDB,0x0A,0xE7,0x33,0x12,0x58,0xAD,0x95,0xD8,0x9E,
- 0xD4,0xB7,0x95,0x29,0xBA,0xFE,0xFF,0xDF,0x80,0xA4,0x77,0x5B,0x15,0x62,0x0F,0x69,
- 0xF8,0x87,0x6D,0x74,0xEA,0x85,0xA2,0x76,0x5D,0x9F,0x95,0x2E,0x03,0xBC,0x8A,0xF9,
- 0x8A,0xAC,0x81,0x64,0x50,0xF2,0x0B,0x45,0x4B,0xEC,0x97,0x30,0x39,0x74,0xE5,0xA7,
- 0x7E,0x16,0x24,0x62,0x2B,0x50,0xF1,0x5C,0xD8,0x4F,0xCD,0x2E,0xA2,0x18,0x25,0xA3,
- 0xCE,0xF6,0x1F,0x60,0xDD,0x15,0xDE,0x20,0x15,0x1B,0x0E,0x7F,0xAF,0x85,0xD9,0x40,
- 0xAC,0x07,0x2A,0x34,0xDD,0x51,0xB0,0x1A,0xA8,0xE6,0x0E,0x9F,0x5F,0xDB,0x46,0x70,
- 0xE6,0xF5,0xD9,0x25,0x1C,0xF0,0x1D,0xE5,0x42,0xA1,0x2D,0x22,0x9D,0x6E,0x11,0xC9,
- 0x8D,0xA6,0x65,0xBC,0x0E,0xAA,0x76,0x73,0xC8,0x56,0x60,0x2F,0xFB,0x3F,0x86,0xB9,
- 0xA5,0xF5,0x33,0xEF,0xD5,0x13,0x1F,0x49,0x4C,0x38,0x07,0x9E,0x59,0x22,0x5A,0xC7,
- 0x4E,0xD9,0x25,0x24,0xBA,0x53,0x70,0xFC,0x63,0x2A,0x54,0x51,0xEB,0xC3,0x4B,0x41,
- 0x7D,0xE4,0xE8,0x3C,0x2C,0xA5,0x76,0x5A,0xBF,0xD9,0x4C,0xA8,0x0D,0xAE,0x52,0x6E,
- 0xA5,0x5D,0x98,0x3D,0x6C,0x90,0x6D,0x78,0x1F,0xC3,0x70,0x95,0x86,0x07,0x3F,0x54,
- 0xE3,0xEA,0x8A,0x81,0x64,0x62,0x9A,0x8F,0x31,0xAF,0x7B,0x2A,0x7E,0x92,0x22,0xC3,
- 0x8E,0xCC,0x53,0xAC,0xC7,0x9C,0x99,0x11,0x2B,0x48,0x3F,0x52,0x71,0x2B,0x6E,0xC0,
- 0xE1,0xB3,0x0A,0xE5,0x03,0x62,0xD7,0x89,0x18,0x28,0x4C,0x0A,0x8D,0x3F,0x0B,0x45,
- 0x89,0x81,0x8B,0x88,0xA4,0x93,0xC2,0x7F,0x44,0xE5,0x1E,0x5B,0x40,0x00,0xFC,0x2F,
- 0xCC,0x3B,0xF8,0x6A,0x79,0x31,0xFD,0x44,0x14,0xB6,0x8F,0x48,0x85,0x4C,0xAB,0x0A,
- 0x9D,0xBB,0x37,0x0A,0xFC,0x51,0x19,0xE0,0xFE,0x59,0x6A,0x3B,0x8F,0x60,0x62,0xA7,
- 0x07,0x82,0xAF,0x08,0x66,0xA0,0xF2,0xDA,0x60,0x02,0xEA,0xD8,0x34,0x7E,0x57,0x71,
- 0xA1,0xB5,0xFE,0x69,0xD7,0xFB,0xDD,0x5A,0x9C,0xF3,0xFF,0xC4,0xEA,0xCD,0x74,0xFA,
- 0x94,0x70,0xD3,0x58,0x92,0xCE,0xAF,0x12,0xE4,0x6E,0xEB,0xDD,0xB8,0xAF,0x1D,0xE2,
- 0x65,0xD4,0x46,0xEA,0x0B,0x3E,0xE3,0x68,0x0E,0x0A,0x4C,0x27,0x83,0x50,0x91,0x06,
- 0xC6,0x7B,0xF8,0xFA,0x9B,0x26,0xED,0x2C,0x0E,0x67,0xB8,0x6C,0xE5,0x2C,0x98,0x6D,
- 0x5F,0x7A,0x28,0xC3,0x84,0x3C,0x03,0x0D,0xF7,0xE2,0x03,0xE1,0x94,0xC2,0x58,0x27,
- 0xF8,0x4D,0x81,0x59,0x2F,0xF1,0x7C,0x61,0xC9,0x57,0x5D,0xBD,0xDC,0x9C,0x80,0xD0,
- 0x64,0xDF,0x7C,0x87,0x78,0x85,0xE6,0x94,0x8B,0x70,0x8B,0x05,0x47,0xE4,0xC8,0x7B,
-};
-
-/* subject:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */
-/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
-/* Not After : Dec 31 23:59:59 2019 GMT */
-
-unsigned char ca2_Cert[1632]={
- 0x30,0x82,0x06,0x5C,0x30,0x82,0x04,0x44,0xA0,0x03,0x02,0x01,0x02,0x02,0x07,0x19,
- 0xC2,0x85,0x30,0xE9,0x3B,0x36,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,
- 0x01,0x01,0x0B,0x05,0x00,0x30,0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,
- 0x13,0x02,0x49,0x4C,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,
- 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,
- 0x06,0x03,0x55,0x04,0x0B,0x13,0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,
- 0x67,0x69,0x74,0x61,0x6C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,
- 0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,
- 0x04,0x03,0x13,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,
- 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,
- 0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x32,0x32,
- 0x34,0x36,0x33,0x36,0x5A,0x17,0x0D,0x31,0x39,0x31,0x32,0x33,0x31,0x32,0x33,0x35,
- 0x39,0x35,0x39,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
- 0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,
- 0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,
- 0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,
- 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,
- 0x79,0x20,0x6F,0x66,0x20,0x57,0x6F,0x53,0x69,0x67,0x6E,0x30,0x82,0x02,0x22,0x30,
- 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,
- 0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xBD,0xCA,0x8D,0xAC,
- 0xB8,0x91,0x15,0x56,0x97,0x7B,0x6B,0x5C,0x7A,0xC2,0xDE,0x6B,0xD9,0xA1,0xB0,0xC3,
- 0x10,0x23,0xFA,0xA7,0xA1,0xB2,0xCC,0x31,0xFA,0x3E,0xD9,0xA6,0x29,0x6F,0x16,0x3D,
- 0xE0,0x6B,0xF8,0xB8,0x40,0x5F,0xDB,0x39,0xA8,0x00,0x7A,0x8B,0xA0,0x4D,0x54,0x7D,
- 0xC2,0x22,0x78,0xFC,0x8E,0x09,0xB8,0xA8,0x85,0xD7,0xCC,0x95,0x97,0x4B,0x74,0xD8,
- 0x9E,0x7E,0xF0,0x00,0xE4,0x0E,0x89,0xAE,0x49,0x28,0x44,0x1A,0x10,0x99,0x32,0x0F,
- 0x25,0x88,0x53,0xA4,0x0D,0xB3,0x0F,0x12,0x08,0x16,0x0B,0x03,0x71,0x27,0x1C,0x7F,
- 0xE1,0xDB,0xD2,0xFD,0x67,0x68,0xC4,0x05,0x5D,0x0A,0x0E,0x5D,0x70,0xD7,0xD8,0x97,
- 0xA0,0xBC,0x53,0x41,0x9A,0x91,0x8D,0xF4,0x9E,0x36,0x66,0x7A,0x7E,0x56,0xC1,0x90,
- 0x5F,0xE6,0xB1,0x68,0x20,0x36,0xA4,0x8C,0x24,0x2C,0x2C,0x47,0x0B,0x59,0x76,0x66,
- 0x30,0xB5,0xBE,0xDE,0xED,0x8F,0xF8,0x9D,0xD3,0xBB,0x01,0x30,0xE6,0xF2,0xF3,0x0E,
- 0xE0,0x2C,0x92,0x80,0xF3,0x85,0xF9,0x28,0x8A,0xB4,0x54,0x2E,0x9A,0xED,0xF7,0x76,
- 0xFC,0x15,0x68,0x16,0xEB,0x4A,0x6C,0xEB,0x2E,0x12,0x8F,0xD4,0xCF,0xFE,0x0C,0xC7,
- 0x5C,0x1D,0x0B,0x7E,0x05,0x32,0xBE,0x5E,0xB0,0x09,0x2A,0x42,0xD5,0xC9,0x4E,0x90,
- 0xB3,0x59,0x0D,0xBB,0x7A,0x7E,0xCD,0xD5,0x08,0x5A,0xB4,0x7F,0xD8,0x1C,0x69,0x11,
- 0xF9,0x27,0x0F,0x7B,0x06,0xAF,0x54,0x83,0x18,0x7B,0xE1,0xDD,0x54,0x7A,0x51,0x68,
- 0x6E,0x77,0xFC,0xC6,0xBF,0x52,0x4A,0x66,0x46,0xA1,0xB2,0x67,0x1A,0xBB,0xA3,0x4F,
- 0x77,0xA0,0xBE,0x5D,0xFF,0xFC,0x56,0x0B,0x43,0x72,0x77,0x90,0xCA,0x9E,0xF9,0xF2,
- 0x39,0xF5,0x0D,0xA9,0xF4,0xEA,0xD7,0xE7,0xB3,0x10,0x2F,0x30,0x42,0x37,0x21,0xCC,
- 0x30,0x70,0xC9,0x86,0x98,0x0F,0xCC,0x58,0x4D,0x83,0xBB,0x7D,0xE5,0x1A,0xA5,0x37,
- 0x8D,0xB6,0xAC,0x32,0x97,0x00,0x3A,0x63,0x71,0x24,0x1E,0x9E,0x37,0xC4,0xFF,0x74,
- 0xD4,0x37,0xC0,0xE2,0xFE,0x88,0x46,0x60,0x11,0xDD,0x08,0x3F,0x50,0x36,0xAB,0xB8,
- 0x7A,0xA4,0x95,0x62,0x6A,0x6E,0xB0,0xCA,0x6A,0x21,0x5A,0x69,0xF3,0xF3,0xFB,0x1D,
- 0x70,0x39,0x95,0xF3,0xA7,0x6E,0xA6,0x81,0x89,0xA1,0x88,0xC5,0x3B,0x71,0xCA,0xA3,
- 0x52,0xEE,0x83,0xBB,0xFD,0xA0,0x77,0xF4,0xE4,0x6F,0xE7,0x42,0xDB,0x6D,0x4A,0x99,
- 0x8A,0x34,0x48,0xBC,0x17,0xDC,0xE4,0x80,0x08,0x22,0xB6,0xF2,0x31,0xC0,0x3F,0x04,
- 0x3E,0xEB,0x9F,0x20,0x79,0xD6,0xB8,0x06,0x64,0x64,0x02,0x31,0xD7,0xA9,0xCD,0x52,
- 0xFB,0x84,0x45,0x69,0x09,0x00,0x2A,0xDC,0x55,0x8B,0xC4,0x06,0x46,0x4B,0xC0,0x4A,
- 0x1D,0x09,0x5B,0x39,0x28,0xFD,0xA9,0xAB,0xCE,0x00,0xF9,0x2E,0x48,0x4B,0x26,0xE6,
- 0x30,0x4C,0xA5,0x58,0xCA,0xB4,0x44,0x82,0x4F,0xE7,0x91,0x1E,0x33,0xC3,0xB0,0x93,
- 0xFF,0x11,0xFC,0x81,0xD2,0xCA,0x1F,0x71,0x29,0xDD,0x76,0x4F,0x92,0x25,0xAF,0x1D,
- 0x81,0xB7,0x0F,0x2F,0x8C,0xC3,0x06,0xCC,0x2F,0x27,0xA3,0x4A,0xE4,0x0E,0x99,0xBA,
- 0x7C,0x1E,0x45,0x1F,0x7F,0xAA,0x19,0x45,0x96,0xFD,0xFC,0x3D,0x02,0x03,0x01,0x00,
- 0x01,0xA3,0x82,0x01,0x07,0x30,0x82,0x01,0x03,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,
- 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,0x0E,0x06,
- 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,
- 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xE1,0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,
- 0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,0xFE,0xFB,0x3E,0x30,0x1F,0x06,0x03,
- 0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,
- 0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,0x43,0xD0,0x41,0xAE,0xF2,0x30,0x69,0x06,
- 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x5D,0x30,0x5B,0x30,0x27,0x06,
- 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,0x70,0x3A,
- 0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,
- 0x63,0x6F,0x6D,0x2F,0x63,0x61,0x30,0x30,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,
- 0x30,0x02,0x86,0x24,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x2E,0x73,
- 0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72,0x74,
- 0x73,0x2F,0x63,0x61,0x2E,0x63,0x72,0x74,0x30,0x32,0x06,0x03,0x55,0x1D,0x1F,0x04,
- 0x2B,0x30,0x29,0x30,0x27,0xA0,0x25,0xA0,0x23,0x86,0x21,0x68,0x74,0x74,0x70,0x3A,
- 0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,
- 0x6F,0x6D,0x2F,0x73,0x66,0x73,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,
- 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00,
- 0xB6,0x6D,0xF8,0x70,0xFB,0xE2,0x0D,0x4C,0x98,0xB3,0x07,0x49,0x15,0xF5,0x04,0xC4,
- 0x6C,0xCA,0xCA,0xF5,0x68,0xA0,0x08,0xFE,0x12,0x6D,0x9C,0x04,0x06,0xC9,0xAD,0x9A,
- 0x91,0x52,0x3E,0x78,0xC4,0x5C,0xEE,0x9F,0x54,0x1D,0xEE,0xE3,0xF1,0x5E,0x30,0xC9,
- 0x49,0xE1,0x39,0xE0,0xA6,0x9D,0x36,0x6C,0x57,0xFA,0xE6,0x34,0x4F,0x55,0xE8,0x87,
- 0xA8,0x2C,0xDD,0x05,0xF1,0x58,0x12,0x91,0xE8,0xCA,0xCE,0x28,0x78,0x8F,0xDF,0x07,
- 0x85,0x01,0xA5,0xDC,0x45,0x96,0x05,0xD4,0x80,0xB2,0x2B,0x05,0x9A,0xCB,0x9A,0xA5,
- 0x8B,0xE0,0x3A,0x67,0xE6,0x73,0x47,0xBE,0x4A,0xFD,0x27,0xB1,0x88,0xEF,0xE6,0xCA,
- 0xCF,0x8D,0x0E,0x26,0x9F,0xFA,0x5F,0x57,0x78,0xAD,0x6D,0xFE,0xAE,0x9B,0x35,0x08,
- 0xB1,0xC3,0xBA,0xC1,0x00,0x4A,0x4B,0x7D,0x14,0xBD,0xF7,0xF1,0xD3,0x55,0x18,0xAC,
- 0xD0,0x33,0x70,0x88,0x6D,0xC4,0x09,0x71,0x14,0xA6,0x2B,0x4F,0x88,0x81,0xE7,0x0B,
- 0x00,0x37,0xA9,0x15,0x7D,0x7E,0xD7,0x01,0x96,0x3F,0x2F,0xAF,0x7B,0x62,0xAE,0x0A,
- 0x4A,0xBF,0x4B,0x39,0x2E,0x35,0x10,0x8B,0xFE,0x04,0x39,0xE4,0x3C,0x3A,0x0C,0x09,
- 0x56,0x40,0x3A,0xB5,0xF4,0xC2,0x68,0x0C,0xB5,0xF9,0x52,0xCD,0xEE,0x9D,0xF8,0x98,
- 0xFC,0x78,0xE7,0x58,0x47,0x8F,0x1C,0x73,0x58,0x69,0x33,0xAB,0xFF,0xDD,0xDF,0x8E,
- 0x24,0x01,0x77,0x98,0x19,0x3A,0xB0,0x66,0x79,0xBC,0xE1,0x08,0xA3,0x0E,0x4F,0xC1,
- 0x04,0xB3,0xF3,0x01,0xC8,0xEB,0xD3,0x59,0x1C,0x35,0xD2,0x93,0x1E,0x70,0x65,0x82,
- 0x7F,0xDB,0xCF,0xFB,0xC8,0x99,0x12,0x60,0xC3,0x44,0x6F,0x3A,0x80,0x4B,0xD7,0xBE,
- 0x21,0xAA,0x14,0x7A,0x64,0xCB,0xDD,0x37,0x43,0x45,0x5B,0x32,0x2E,0x45,0xF0,0xD9,
- 0x59,0x1F,0x6B,0x18,0xF0,0x7C,0xE9,0x55,0x36,0x19,0x61,0x5F,0xB5,0x7D,0xF1,0x8D,
- 0xBD,0x88,0xE4,0x75,0x4B,0x98,0xDD,0x27,0xB0,0xE4,0x84,0x44,0x2A,0x61,0x84,0x57,
- 0x05,0x82,0x11,0x1F,0xAA,0x35,0x58,0xF3,0x20,0x0E,0xAF,0x59,0xEF,0xFA,0x55,0x72,
- 0x72,0x0D,0x26,0xD0,0x9B,0x53,0x49,0xAC,0xCE,0x37,0x2E,0x65,0x61,0xFF,0xF6,0xEC,
- 0x1B,0xEA,0xF6,0xF1,0xA6,0xD3,0xD1,0xB5,0x7B,0xBE,0x35,0xF4,0x22,0xC1,0xBC,0x8D,
- 0x01,0xBD,0x68,0x5E,0x83,0x0D,0x2F,0xEC,0xD6,0xDA,0x63,0x0C,0x27,0xD1,0x54,0x3E,
- 0xE4,0xA8,0xD3,0xCE,0x4B,0x32,0xB8,0x91,0x94,0xFF,0xFB,0x5B,0x49,0x2D,0x75,0x18,
- 0xA8,0xBA,0x71,0x9A,0x3B,0xAE,0xD9,0xC0,0xA9,0x4F,0x87,0x91,0xED,0x8B,0x7B,0x6B,
- 0x20,0x98,0x89,0x39,0x83,0x4F,0x80,0xC4,0x69,0xCC,0x17,0xC9,0xC8,0x4E,0xBE,0xE4,
- 0xA9,0xA5,0x81,0x76,0x70,0x06,0x04,0x32,0xCD,0x83,0x65,0xF4,0xBC,0x7D,0x3E,0x13,
- 0xBC,0xD2,0xE8,0x6F,0x63,0xAA,0xB5,0x3B,0xDA,0x8D,0x86,0x32,0x82,0x78,0x9D,0xD9,
- 0xCC,0xFF,0xBF,0x57,0x64,0x74,0xED,0x28,0x3D,0x44,0x62,0x15,0x61,0x4B,0xF7,0x94,
- 0xB0,0x0D,0x2A,0x67,0x1C,0xF0,0xCB,0x9B,0xA5,0x92,0xBF,0xF8,0x41,0x5A,0xC1,0x3D,
- 0x60,0xED,0x9F,0xBB,0xB8,0x6D,0x9B,0xCE,0xA9,0x6A,0x16,0x3F,0x7E,0xEA,0x06,0xF1,
-};
-
-/* subject:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
-/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */
-/* Not After : Sep 17 19:46:36 2036 GMT */
-
-unsigned char root_Cert[1997]={
- 0x30,0x82,0x07,0xC9,0x30,0x82,0x05,0xB1,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01,
- 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,
- 0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,
- 0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,
- 0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,
- 0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,
- 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,
- 0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,
- 0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,
- 0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,
- 0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x17,
- 0x0D,0x33,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x30,0x7D,
- 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,0x30,
- 0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,
- 0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,0x22,
- 0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,0x43,
- 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,0x69,
- 0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,0x61,
- 0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,
- 0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x02,
- 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,
- 0x03,0x82,0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xC1,0x88,
- 0xDB,0x09,0xBC,0x6C,0x46,0x7C,0x78,0x9F,0x95,0x7B,0xB5,0x33,0x90,0xF2,0x72,0x62,
- 0xD6,0xC1,0x36,0x20,0x22,0x24,0x5E,0xCE,0xE9,0x77,0xF2,0x43,0x0A,0xA2,0x06,0x64,
- 0xA4,0xCC,0x8E,0x36,0xF8,0x38,0xE6,0x23,0xF0,0x6E,0x6D,0xB1,0x3C,0xDD,0x72,0xA3,
- 0x85,0x1C,0xA1,0xD3,0x3D,0xB4,0x33,0x2B,0xD3,0x2F,0xAF,0xFE,0xEA,0xB0,0x41,0x59,
- 0x67,0xB6,0xC4,0x06,0x7D,0x0A,0x9E,0x74,0x85,0xD6,0x79,0x4C,0x80,0x37,0x7A,0xDF,
- 0x39,0x05,0x52,0x59,0xF7,0xF4,0x1B,0x46,0x43,0xA4,0xD2,0x85,0x85,0xD2,0xC3,0x71,
- 0xF3,0x75,0x62,0x34,0xBA,0x2C,0x8A,0x7F,0x1E,0x8F,0xEE,0xED,0x34,0xD0,0x11,0xC7,
- 0x96,0xCD,0x52,0x3D,0xBA,0x33,0xD6,0xDD,0x4D,0xDE,0x0B,0x3B,0x4A,0x4B,0x9F,0xC2,
- 0x26,0x2F,0xFA,0xB5,0x16,0x1C,0x72,0x35,0x77,0xCA,0x3C,0x5D,0xE6,0xCA,0xE1,0x26,
- 0x8B,0x1A,0x36,0x76,0x5C,0x01,0xDB,0x74,0x14,0x25,0xFE,0xED,0xB5,0xA0,0x88,0x0F,
- 0xDD,0x78,0xCA,0x2D,0x1F,0x07,0x97,0x30,0x01,0x2D,0x72,0x79,0xFA,0x46,0xD6,0x13,
- 0x2A,0xA8,0xB9,0xA6,0xAB,0x83,0x49,0x1D,0xE5,0xF2,0xEF,0xDD,0xE4,0x01,0x8E,0x18,
- 0x0A,0x8F,0x63,0x53,0x16,0x85,0x62,0xA9,0x0E,0x19,0x3A,0xCC,0xB5,0x66,0xA6,0xC2,
- 0x6B,0x74,0x07,0xE4,0x2B,0xE1,0x76,0x3E,0xB4,0x6D,0xD8,0xF6,0x44,0xE1,0x73,0x62,
- 0x1F,0x3B,0xC4,0xBE,0xA0,0x53,0x56,0x25,0x6C,0x51,0x09,0xF7,0xAA,0xAB,0xCA,0xBF,
- 0x76,0xFD,0x6D,0x9B,0xF3,0x9D,0xDB,0xBF,0x3D,0x66,0xBC,0x0C,0x56,0xAA,0xAF,0x98,
- 0x48,0x95,0x3A,0x4B,0xDF,0xA7,0x58,0x50,0xD9,0x38,0x75,0xA9,0x5B,0xEA,0x43,0x0C,
- 0x02,0xFF,0x99,0xEB,0xE8,0x6C,0x4D,0x70,0x5B,0x29,0x65,0x9C,0xDD,0xAA,0x5D,0xCC,
- 0xAF,0x01,0x31,0xEC,0x0C,0xEB,0xD2,0x8D,0xE8,0xEA,0x9C,0x7B,0xE6,0x6E,0xF7,0x27,
- 0x66,0x0C,0x1A,0x48,0xD7,0x6E,0x42,0xE3,0x3F,0xDE,0x21,0x3E,0x7B,0xE1,0x0D,0x70,
- 0xFB,0x63,0xAA,0xA8,0x6C,0x1A,0x54,0xB4,0x5C,0x25,0x7A,0xC9,0xA2,0xC9,0x8B,0x16,
- 0xA6,0xBB,0x2C,0x7E,0x17,0x5E,0x05,0x4D,0x58,0x6E,0x12,0x1D,0x01,0xEE,0x12,0x10,
- 0x0D,0xC6,0x32,0x7F,0x18,0xFF,0xFC,0xF4,0xFA,0xCD,0x6E,0x91,0xE8,0x36,0x49,0xBE,
- 0x1A,0x48,0x69,0x8B,0xC2,0x96,0x4D,0x1A,0x12,0xB2,0x69,0x17,0xC1,0x0A,0x90,0xD6,
- 0xFA,0x79,0x22,0x48,0xBF,0xBA,0x7B,0x69,0xF8,0x70,0xC7,0xFA,0x7A,0x37,0xD8,0xD8,
- 0x0D,0xD2,0x76,0x4F,0x57,0xFF,0x90,0xB7,0xE3,0x91,0xD2,0xDD,0xEF,0xC2,0x60,0xB7,
- 0x67,0x3A,0xDD,0xFE,0xAA,0x9C,0xF0,0xD4,0x8B,0x7F,0x72,0x22,0xCE,0xC6,0x9F,0x97,
- 0xB6,0xF8,0xAF,0x8A,0xA0,0x10,0xA8,0xD9,0xFB,0x18,0xC6,0xB6,0xB5,0x5C,0x52,0x3C,
- 0x89,0xB6,0x19,0x2A,0x73,0x01,0x0A,0x0F,0x03,0xB3,0x12,0x60,0xF2,0x7A,0x2F,0x81,
- 0xDB,0xA3,0x6E,0xFF,0x26,0x30,0x97,0xF5,0x8B,0xDD,0x89,0x57,0xB6,0xAD,0x3D,0xB3,
- 0xAF,0x2B,0xC5,0xB7,0x76,0x02,0xF0,0xA5,0xD6,0x2B,0x9A,0x86,0x14,0x2A,0x72,0xF6,
- 0xE3,0x33,0x8C,0x5D,0x09,0x4B,0x13,0xDF,0xBB,0x8C,0x74,0x13,0x52,0x4B,0x02,0x03,
- 0x01,0x00,0x01,0xA3,0x82,0x02,0x52,0x30,0x82,0x02,0x4E,0x30,0x0C,0x06,0x03,0x55,
- 0x1D,0x13,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,
- 0x04,0x04,0x03,0x02,0x01,0xAE,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
- 0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,
- 0x43,0xD0,0x41,0xAE,0xF2,0x30,0x64,0x06,0x03,0x55,0x1D,0x1F,0x04,0x5D,0x30,0x5B,
- 0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,
- 0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,
- 0x2F,0x73,0x66,0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x2B,
- 0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,
- 0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x73,0x66,
- 0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x82,0x01,0x5D,0x06,
- 0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x54,0x30,0x82,0x01,0x50,0x30,0x82,0x01,0x4C,
- 0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x81,0xB5,0x37,0x01,0x01,0x01,0x30,0x82,0x01,
- 0x3B,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x23,0x68,
- 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,
- 0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,
- 0x64,0x66,0x30,0x35,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x29,
- 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,
- 0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x69,0x6E,0x74,0x65,0x72,0x6D,0x65,
- 0x64,0x69,0x61,0x74,0x65,0x2E,0x70,0x64,0x66,0x30,0x81,0xD0,0x06,0x08,0x2B,0x06,
- 0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xC3,0x30,0x27,0x16,0x20,0x53,0x74,0x61,
- 0x72,0x74,0x20,0x43,0x6F,0x6D,0x6D,0x65,0x72,0x63,0x69,0x61,0x6C,0x20,0x28,0x53,
- 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x29,0x20,0x4C,0x74,0x64,0x2E,0x30,0x03,0x02,
- 0x01,0x01,0x1A,0x81,0x97,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x20,0x4C,0x69,0x61,
- 0x62,0x69,0x6C,0x69,0x74,0x79,0x2C,0x20,0x72,0x65,0x61,0x64,0x20,0x74,0x68,0x65,
- 0x20,0x73,0x65,0x63,0x74,0x69,0x6F,0x6E,0x20,0x2A,0x4C,0x65,0x67,0x61,0x6C,0x20,
- 0x4C,0x69,0x6D,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x73,0x2A,0x20,0x6F,0x66,0x20,
- 0x74,0x68,0x65,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,
- 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,
- 0x72,0x69,0x74,0x79,0x20,0x50,0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x76,0x61,0x69,
- 0x6C,0x61,0x62,0x6C,0x65,0x20,0x61,0x74,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
- 0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,
- 0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,0x64,0x66,0x30,0x11,0x06,0x09,
- 0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,0x04,0x04,0x03,0x02,0x00,0x07,0x30,
- 0x38,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,0x04,0x2B,0x16,0x29,
- 0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,
- 0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,
- 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,
- 0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x02,0x01,0x00,0x16,0x6C,0x99,
- 0xF4,0x66,0x0C,0x34,0xF5,0xD0,0x85,0x5E,0x7D,0x0A,0xEC,0xDA,0x10,0x4E,0x38,0x1C,
- 0x5E,0xDF,0xA6,0x25,0x05,0x4B,0x91,0x32,0xC1,0xE8,0x3B,0xF1,0x3D,0xDD,0x44,0x09,
- 0x5B,0x07,0x49,0x8A,0x29,0xCB,0x66,0x02,0xB7,0xB1,0x9A,0xF7,0x25,0x98,0x09,0x3C,
- 0x8E,0x1B,0xE1,0xDD,0x36,0x87,0x2B,0x4B,0xBB,0x68,0xD3,0x39,0x66,0x3D,0xA0,0x26,
- 0xC7,0xF2,0x39,0x91,0x1D,0x51,0xAB,0x82,0x7B,0x7E,0xD5,0xCE,0x5A,0xE4,0xE2,0x03,
- 0x57,0x70,0x69,0x97,0x08,0xF9,0x5E,0x58,0xA6,0x0A,0xDF,0x8C,0x06,0x9A,0x45,0x16,
- 0x16,0x38,0x0A,0x5E,0x57,0xF6,0x62,0xC7,0x7A,0x02,0x05,0xE6,0xBC,0x1E,0xB5,0xF2,
- 0x9E,0xF4,0xA9,0x29,0x83,0xF8,0xB2,0x14,0xE3,0x6E,0x28,0x87,0x44,0xC3,0x90,0x1A,
- 0xDE,0x38,0xA9,0x3C,0xAC,0x43,0x4D,0x64,0x45,0xCE,0xDD,0x28,0xA9,0x5C,0xF2,0x73,
- 0x7B,0x04,0xF8,0x17,0xE8,0xAB,0xB1,0xF3,0x2E,0x5C,0x64,0x6E,0x73,0x31,0x3A,0x12,
- 0xB8,0xBC,0xB3,0x11,0xE4,0x7D,0x8F,0x81,0x51,0x9A,0x3B,0x8D,0x89,0xF4,0x4D,0x93,
- 0x66,0x7B,0x3C,0x03,0xED,0xD3,0x9A,0x1D,0x9A,0xF3,0x65,0x50,0xF5,0xA0,0xD0,0x75,
- 0x9F,0x2F,0xAF,0xF0,0xEA,0x82,0x43,0x98,0xF8,0x69,0x9C,0x89,0x79,0xC4,0x43,0x8E,
- 0x46,0x72,0xE3,0x64,0x36,0x12,0xAF,0xF7,0x25,0x1E,0x38,0x89,0x90,0x77,0x7E,0xC3,
- 0x6B,0x6A,0xB9,0xC3,0xCB,0x44,0x4B,0xAC,0x78,0x90,0x8B,0xE7,0xC7,0x2C,0x1E,0x4B,
- 0x11,0x44,0xC8,0x34,0x52,0x27,0xCD,0x0A,0x5D,0x9F,0x85,0xC1,0x89,0xD5,0x1A,0x78,
- 0xF2,0x95,0x10,0x53,0x32,0xDD,0x80,0x84,0x66,0x75,0xD9,0xB5,0x68,0x28,0xFB,0x61,
- 0x2E,0xBE,0x84,0xA8,0x38,0xC0,0x99,0x12,0x86,0xA5,0x1E,0x67,0x64,0xAD,0x06,0x2E,
- 0x2F,0xA9,0x70,0x85,0xC7,0x96,0x0F,0x7C,0x89,0x65,0xF5,0x8E,0x43,0x54,0x0E,0xAB,
- 0xDD,0xA5,0x80,0x39,0x94,0x60,0xC0,0x34,0xC9,0x96,0x70,0x2C,0xA3,0x12,0xF5,0x1F,
- 0x48,0x7B,0xBD,0x1C,0x7E,0x6B,0xB7,0x9D,0x90,0xF4,0x22,0x3B,0xAE,0xF8,0xFC,0x2A,
- 0xCA,0xFA,0x82,0x52,0xA0,0xEF,0xAF,0x4B,0x55,0x93,0xEB,0xC1,0xB5,0xF0,0x22,0x8B,
- 0xAC,0x34,0x4E,0x26,0x22,0x04,0xA1,0x87,0x2C,0x75,0x4A,0xB7,0xE5,0x7D,0x13,0xD7,
- 0xB8,0x0C,0x64,0xC0,0x36,0xD2,0xC9,0x2F,0x86,0x12,0x8C,0x23,0x09,0xC1,0x1B,0x82,
- 0x3B,0x73,0x49,0xA3,0x6A,0x57,0x87,0x94,0xE5,0xD6,0x78,0xC5,0x99,0x43,0x63,0xE3,
- 0x4D,0xE0,0x77,0x2D,0xE1,0x65,0x99,0x72,0x69,0x04,0x1A,0x47,0x09,0xE6,0x0F,0x01,
- 0x56,0x24,0xFB,0x1F,0xBF,0x0E,0x79,0xA9,0x58,0x2E,0xB9,0xC4,0x09,0x01,0x7E,0x95,
- 0xBA,0x6D,0x00,0x06,0x3E,0xB2,0xEA,0x4A,0x10,0x39,0xD8,0xD0,0x2B,0xF5,0xBF,0xEC,
- 0x75,0xBF,0x97,0x02,0xC5,0x09,0x1B,0x08,0xDC,0x55,0x37,0xE2,0x81,0xFB,0x37,0x84,
- 0x43,0x62,0x20,0xCA,0xE7,0x56,0x4B,0x65,0xEA,0xFE,0x6C,0xC1,0x24,0x93,0x24,0xA1,
- 0x34,0xEB,0x05,0xFF,0x9A,0x22,0xAE,0x9B,0x7D,0x3F,0xF1,0x65,0x51,0x0A,0xA6,0x30,
- 0x6A,0xB3,0xF4,0x88,0x1C,0x80,0x0D,0xFC,0x72,0x8A,0xE8,0x83,0x5E,
-};
-
-
-static SecCertificateRef createCertFromStaticData(const UInt8 *certData, CFIndex certLength)
-{
- SecCertificateRef cert = NULL;
- CFDataRef data = CFDataCreateWithBytesNoCopy(NULL, certData, certLength, kCFAllocatorNull);
- if (data) {
- cert = SecCertificateCreateWithData(NULL, data);
- CFRelease(data);
- }
- return cert;
-}
-
-static void TestLeafOnAllowList()
-{
- SecCertificateRef certs[4];
- SecPolicyRef policy = NULL;
- SecTrustRef trust = NULL;
- CFDateRef date = NULL;
- CFArrayRef certArray = NULL;
- CFArrayRef anchorsArray = NULL;
-
- isnt(certs[0] = createCertFromStaticData(leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)),
- NULL, "allowlist: create leaf cert");
- isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
- NULL, "allowlist: create intermediate ca 1");
- isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
- NULL, "allowlist: create intermediate ca 2");
- isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
- NULL, "allowlist: create root");
-
- isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
- NULL, "allowlist: create cert array");
-
- /* create a trust reference with basic policy */
- isnt(policy = SecPolicyCreateBasicX509(), NULL, "allowlist: create policy");
- ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "allowlist: create trust");
-
- /* set evaluate date: September 12, 2016 at 1:30:00 PM PDT */
- isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "allowlist: create date");
- ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "allowlist: set verify date");
-
- /* use a known root CA at this point in time to anchor the chain */
- isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
- NULL, "allowlist: create anchors array");
- ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "allowlist: set anchors");
-
- SecTrustResultType trustResult = kSecTrustResultInvalid;
- ok_status(SecTrustEvaluate(trust, &trustResult), "allowlist: evaluate");
-
- /* expected result is kSecTrustResultUnspecified since cert is on allow list and its issuer chains to a trusted root */
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
-
- /* clean up */
- for(CFIndex idx=0; idx < 4; idx++) {
- if (certs[idx]) { CFRelease(certs[idx]); }
- }
- if (policy) { CFRelease(policy); }
- if (trust) { CFRelease(trust); }
- if (date) { CFRelease(date); }
- if (certArray) { CFRelease(certArray); }
- if (anchorsArray) { CFRelease(anchorsArray); }
-}
-
-static void TestLeafNotOnAllowList()
-{
- SecCertificateRef certs[4];
- SecPolicyRef policy = NULL;
- SecTrustRef trust = NULL;
- CFDateRef date = NULL;
- CFArrayRef certArray = NULL;
- CFArrayRef anchorsArray = NULL;
-
- isnt(certs[0] = createCertFromStaticData(leafNotOnAllowList_Cert, sizeof(leafNotOnAllowList_Cert)),
- NULL, "!allowlist: create leaf cert");
- isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
- NULL, "!allowlist: create intermediate ca 1");
- isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
- NULL, "!allowlist: create intermediate ca 2");
- isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
- NULL, "!allowlist: create root");
-
- isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
- NULL, "!allowlist: create cert array");
-
- /* create a trust reference with basic policy */
- isnt(policy = SecPolicyCreateBasicX509(), NULL, "!allowlist: create policy");
- ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "!allowlist: create trust");
-
- /* set evaluate date: September 7, 2016 at 9:00:00 PM PDT */
- isnt(date = CFDateCreate(NULL, 495000000.0), NULL, "!allowlist: create date");
- ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "!allowlist: set verify date");
-
- /* use a known root CA at this point in time to anchor the chain */
- isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
- NULL, "allowlist: create anchors array");
- ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "!allowlist: set anchors");
-
- SecTrustResultType trustResult = kSecTrustResultInvalid;
- ok_status(SecTrustEvaluate(trust, &trustResult), "!allowlist: evaluate");
-
- /* expected result is kSecTrustResultRecoverableTrustFailure (if issuer is distrusted)
- or kSecTrustResultFatalTrustFailure (if issuer is revoked), since cert is not on allow list */
- ok(trustResult == kSecTrustResultRecoverableTrustFailure ||
- trustResult == kSecTrustResultFatalTrustFailure,
- "trustResult 5 or 6 expected (got %d)", (int)trustResult);
-
- /* clean up */
- for(CFIndex idx=0; idx < 4; idx++) {
- if (certs[idx]) { CFRelease(certs[idx]); }
- }
- if (policy) { CFRelease(policy); }
- if (trust) { CFRelease(trust); }
- if (date) { CFRelease(date); }
- if (certArray) { CFRelease(certArray); }
- if (anchorsArray) { CFRelease(anchorsArray); }
-}
-
-static void TestAllowListForRootCA(void)
-{
- SecCertificateRef test0[2] = {NULL,NULL};
- SecCertificateRef test1[2] = {NULL,NULL};
- SecCertificateRef test1e[2] = {NULL,NULL};
- SecCertificateRef test2[2] = {NULL,NULL};
- SecPolicyRef policy = NULL;
- SecTrustRef trust = NULL;
- CFDateRef date = NULL;
- SecTrustResultType trustResult;
-
- isnt(test0[0] = createCertFromStaticData(cert0, sizeof(cert0)),
- NULL, "create first leaf");
- isnt(test1[0] = createCertFromStaticData(cert1, sizeof(cert1)),
- NULL, "create second leaf");
- isnt(test1e[0] = createCertFromStaticData(cert1_expired, sizeof(cert1_expired)),
- NULL, "create second leaf (expired)");
- isnt(test2[0] = createCertFromStaticData(cert2, sizeof(cert2)),
- NULL, "create third leaf");
-
- isnt(test0[1] = createCertFromStaticData(intermediate0, sizeof(intermediate0)),
- NULL, "create intermediate");
- isnt(test1[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
- NULL, "create intermediate");
- isnt(test1e[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
- NULL, "create intermediate");
- isnt(test2[1] = createCertFromStaticData(intermediate2, sizeof(intermediate2)),
- NULL, "create intermediate");
-
- CFArrayRef certs0 = CFArrayCreate(kCFAllocatorDefault, (const void **)test0, 2, &kCFTypeArrayCallBacks);
- CFArrayRef certs1 = CFArrayCreate(kCFAllocatorDefault, (const void **)test1, 2, &kCFTypeArrayCallBacks);
- CFArrayRef certs1e = CFArrayCreate(kCFAllocatorDefault, (const void **)test1e, 2, &kCFTypeArrayCallBacks);
- CFArrayRef certs2 = CFArrayCreate(kCFAllocatorDefault, (const void **)test2, 2, &kCFTypeArrayCallBacks);
-
- /*
- * Whitelisted certificates issued by untrusted root CA.
- */
- isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy");
- ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust");
- /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
- isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
- ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- if (trust) { CFRelease(trust); }
- if (date) { CFRelease(date); }
-
- ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust");
- /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
- isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
- ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- if (trust) { CFRelease(trust); }
- if (date) { CFRelease(date); }
-
- ok_status(SecTrustCreateWithCertificates(certs2, policy, &trust), "create trust");
- /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
- isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
- ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- /*
- * Same certificate, on allow list but past expiration. Expect to fail.
- */
- if (date) { CFRelease(date); }
- isnt(date = CFDateCreate(NULL, 667680000.0), NULL, "create date");
- ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set date to far future so certs are expired");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
- (int)trustResult);
- if (trust) { CFRelease(trust); }
- if (date) { CFRelease(date); }
-
- /*
- * Expired certificate not on allow list. Expect to fail.
- */
- ok_status(SecTrustCreateWithCertificates(certs1e, policy, &trust), "create trust");
- /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
- isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
- ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
- (int)trustResult);
- if (trust) { CFRelease(trust); }
- if (date) { CFRelease(date); }
-
-
- /* Clean up. */
- if (policy) { CFRelease(policy); }
- if (certs0) { CFRelease(certs0); }
- if (certs1) { CFRelease(certs1); }
- if (certs1e) { CFRelease(certs1e); }
- if (certs2) { CFRelease(certs2); }
-
- if (test0[0]) { CFRelease(test0[0]); }
- if (test0[1]) { CFRelease(test0[1]); }
- if (test1[0]) { CFRelease(test1[0]); }
- if (test1[1]) { CFRelease(test1[1]); }
- if (test1e[0]) { CFRelease(test1e[0]); }
- if (test1e[1]) { CFRelease(test1e[1]); }
- if (test2[0]) { CFRelease(test2[0]); }
- if (test2[1]) { CFRelease(test2[1]); }
-}
-
-static void tests(void)
-{
- TestAllowListForRootCA();
- TestLeafOnAllowList();
- TestLeafNotOnAllowList();
-}
-
-int si_84_sectrust_allowlist(int argc, char *const *argv)
-{
- plan_tests(59);
- tests();
-
- return 0;
-}
static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key);
+static Boolean SecCTKKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
+ SecCTKKeyData *kd = key->key;
+ CFTypeRef acm_reference = NULL;
+
+ static const CFStringRef *const knownUseFlags[] = {
+ &kSecUseOperationPrompt,
+ &kSecUseAuthenticationContext,
+ &kSecUseAuthenticationUI,
+ &kSecUseCallerName,
+ &kSecUseCredentialReference,
+ };
+
+ // Check, whether name is part of known use flags.
+ bool isUseFlag = false;
+ for (size_t i = 0; i < array_size(knownUseFlags); i++) {
+ if (CFEqual(*knownUseFlags[i], name)) {
+ isUseFlag = true;
+ break;
+ }
+ }
+
+ if (CFEqual(name, kSecUseAuthenticationContext)) {
+ // Preprocess LAContext to ACMRef value.
+ if (value != NULL) {
+ require_quiet(acm_reference = SecItemAttributesCopyPreparedAuthContext(value, error), out);
+ value = acm_reference;
+ }
+ name = kSecUseCredentialReference;
+ }
+
+ if (isUseFlag) {
+ // Release existing token connection to enforce creation of new connection with new auth params.
+ CFReleaseNull(kd->token);
+ if (value != NULL) {
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name, value);
+ } else {
+ CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name);
+ }
+ } else {
+ if (kd->params == NULL) {
+ kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ }
+ if (value != NULL) {
+ CFDictionarySetValue(kd->params, name, value);
+ } else {
+ CFDictionaryRemoveValue(kd->params, name);
+ }
+ }
+
+out:
+ CFReleaseSafe(acm_reference);
+ return TRUE;
+}
+
static SecKeyDescriptor kSecCTKKeyDescriptor = {
.version = kSecKeyDescriptorVersion,
.name = "CTKKey",
.copyPublic = SecCTKKeyCopyPublicOctets,
.copyOperationResult = SecCTKKeyCopyOperationResult,
.createDuplicate = SecCTKKeyCreateDuplicate,
+ .setParameter = SecCTKKeySetParameter,
};
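Review bot: SecCTKKeySetParameter returns TRUE on every path, including the jump to `out:` taken when `SecItemAttributesCopyPreparedAuthContext(value, error)` fails, so a caller that supplied kSecUseAuthenticationContext is told the parameter was applied when nothing was stored. Because this value is the authentication context used for later token operations, the failure should reach the caller: declare `Boolean ok = FALSE;` at the top, set `ok = TRUE;` just before `out:`, and finish with `return ok;`. The SecKeySetParameter body that this commit removes had the same always-TRUE return, so the move is a natural place to correct it. A short header comment saying that kSecUseAuthenticationContext is stored under kSecUseCredentialReference, and that a NULL value removes the entry, would also help readers.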
static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key) {
CFReleaseSafe(outputAttributes);
return attestationData;
}
-
-Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
- CFTypeRef acm_reference = NULL;
- require_action_quiet(key->key_class == &kSecCTKKeyDescriptor, out,
- SecError(errSecUnimplemented, error, CFSTR("SecKeySetParameter() not supported for key %@"), key));
- SecCTKKeyData *kd = key->key;
-
- static const CFStringRef *const knownUseFlags[] = {
- &kSecUseOperationPrompt,
- &kSecUseAuthenticationContext,
- &kSecUseAuthenticationUI,
- &kSecUseCallerName,
- &kSecUseCredentialReference,
- };
-
- // Check, whether name is part of known use flags.
- bool isUseFlag = false;
- for (size_t i = 0; i < array_size(knownUseFlags); i++) {
- if (CFEqual(*knownUseFlags[i], name)) {
- isUseFlag = true;
- break;
- }
- }
-
- if (CFEqual(name, kSecUseAuthenticationContext)) {
- // Preprocess LAContext to ACMRef value.
- if (value != NULL) {
- require_quiet(acm_reference = SecItemAttributesCopyPreparedAuthContext(value, error), out);
- value = acm_reference;
- }
- name = kSecUseCredentialReference;
- }
-
- if (isUseFlag) {
- // Release existing token connection to enforce creation of new connection with new auth params.
- CFReleaseNull(kd->token);
- if (value != NULL) {
- CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name, value);
- } else {
- CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name);
- }
- } else {
- if (kd->params == NULL) {
- kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
- }
- if (value != NULL) {
- CFDictionarySetValue(kd->params, name, value);
- } else {
- CFDictionaryRemoveValue(kd->params, name);
- }
- }
-
-out:
- CFReleaseSafe(acm_reference);
- return TRUE;
-}
/* Return the DER encoded subject sequence for the receiving certificates subject. */
CFDataRef SecCertificateCopySubjectSequence(SecCertificateRef certificate);
-/* Return the content of a DER encoded X.501 name (without the tag and length
- fields) for the receiving certificates issuer. */
-CFDataRef SecCertificateGetNormalizedIssuerContent(SecCertificateRef certificate);
-
-/* Return the content of a DER encoded X.501 name (without the tag and length
- fields) for the receiving certificates subject. */
-CFDataRef SecCertificateGetNormalizedSubjectContent(SecCertificateRef certificate);
-
/* Return the normalized name or NULL if it fails to parse */
CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);
return false;
}
-static bool SecCertificatePathHasWeakKeySize(SecCertificatePathRef certificatePath) {
+bool SecCertificatePathHasWeakKeySize(SecCertificatePathRef certificatePath) {
CFDictionaryRef keySizes = NULL;
CFNumberRef rsaSize = NULL, ecSize = NULL;
bool result = true;
bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath);
+bool SecCertificatePathHasWeakKeySize(SecCertificatePathRef certificatePath);
+
CFIndex SecCertificatePathScore(SecCertificatePathRef certificatePath,
CFAbsoluteTime verifyTime);
CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate);
#endif
+/* Return the content of a DER encoded X.501 name (without the tag and length
+ fields) for the receiving certificates issuer. */
+CFDataRef SecCertificateGetNormalizedIssuerContent(SecCertificateRef certificate);
+
+/* Return the content of a DER encoded X.501 name (without the tag and length
+ fields) for the receiving certificates subject. */
+CFDataRef SecCertificateGetNormalizedSubjectContent(SecCertificateRef certificate);
+
/* Return an array of CFStringRefs representing the ip addresses in the
certificate if any. */
CFArrayRef SecCertificateCopyIPAddresses(SecCertificateRef certificate);
_SecCertificatePathGetRoot
_SecCertificatePathGetUsageConstraintsAtIndex
_SecCertificatePathHasWeakHash
+_SecCertificatePathHasWeakKeySize
_SecCertificatePathIsAnchored
_SecCertificatePathIsValid
_SecCertificatePathScore
#include <pwd.h>
#include <grp.h>
#include <unistd.h>
-#ifndef SECITEM_SHIM_OSX
#include <libDER/asn1Types.h>
-#endif // *** END SECITEM_SHIM_OSX ***
#include <utilities/SecDb.h>
#include <IOKit/IOReturn.h>
CFDictionarySetValue(SecCFDictionaryCOWGetMutable(attrs), kSecMatchPolicy, objectReadyForXPC);
CFRelease(objectReadyForXPC);
}
-#ifndef SECITEM_SHIM_OSX
value = CFDictionaryGetValue(attrs->dictionary, kSecAttrIssuer);
if (value) {
/* convert DN to canonical issuer, if value is DN (top level sequence) */
}
}
}
-#endif
ok = true;
bool ok = false;
CFArrayRef ac_pairs = NULL;
SecCFDictionaryCOW auth_options = { NULL };
+ //We need to create shared LAContext for Mail to reduce popups with Auth UI.
+ //This app-hack will be removed by:<rdar://problem/28305552>
+ static CFTypeRef sharedLAContext = NULL;
+ static CFDataRef sharedACMContext = NULL;
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ CFBundleRef bundle = CFBundleGetMainBundle();
+ CFStringRef bundleName = (bundle != NULL)?CFBundleGetIdentifier(bundle):NULL;
+ if (bundleName && CFEqual(bundleName, CFSTR("com.apple.mail"))) {
+ sharedLAContext = LACreateNewContextWithACMContext(NULL, error);
+ sharedACMContext = (sharedLAContext != NULL)?LACopyACMContext(sharedLAContext, error):NULL;
+ }
+ });
+ if (sharedLAContext && sharedACMContext &&
+ (auth_params->dictionary == NULL || (CFDictionaryGetValue(auth_params->dictionary, kSecUseAuthenticationContext) == NULL &&
+ CFDictionaryGetValue(auth_params->dictionary, kSecUseCredentialReference) == NULL))) {
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(auth_params), kSecUseAuthenticationContext, sharedLAContext);
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(auth_params), kSecUseCredentialReference, sharedACMContext);
+ }
for (uint32_t i = 0;; ++i) {
// If the operation succeeded or failed with other than auth-needed error, just leave.
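Review bot: The `dispatch_once` block writes through the `error` out-parameter of whichever call happens to run first. If `LACreateNewContextWithACMContext` or `LACopyACMContext` fails there, that one caller can be left with `*error` set by the one-time setup even though its own operation continues, and no later caller learns that setup failed. Using a local `CFErrorRef` inside the block, logging it and releasing it, keeps the setup failure out of the per-call result. The comment should also state that every operation in the process that passes neither kSecUseAuthenticationContext nor kSecUseCredentialReference now shares one authentication context, so the reach of a single authorization is explicit. The enclosing function starts and ends outside the hunk.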
}
}
+Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
+ if (key->key_class->version >= 4 && key->key_class->setParameter) {
+ return key->key_class->setParameter(key, name, value, error);
+ } else {
+ return SecError(errSecUnimplemented, error, CFSTR("setParameter not implemented for %@"), key);
+ }
+}
+
#pragma mark Generic algorithm adaptor lookup and invocation
static CFTypeRef SecKeyCopyBackendOperationResult(SecKeyOperationContext *context, SecKeyAlgorithm algorithm,
CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
- CFTypeRef result = NULL;
+ CFTypeRef result = kCFNull;
assert(CFArrayGetCount(context->algorithm) > 0);
if (context->key->key_class->version >= 4 && context->key->key_class->copyOperationResult != NULL) {
return context->key->key_class->copyOperationResult(context->key, context->operation, algorithm,
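Review bot: SecKeySetParameter reads `key->key_class->setParameter` behind the same `version >= 4` test that guards the older version-4 members, yet `setParameter` is a field this commit appends to SecKeyDescriptor. If the descriptor version constant is not raised with it (not visible in this hunk), a version-4 descriptor built against the previous layout would be read past its end here. Either bump the version and test for the new value, or add a comment next to the check explaining why every version-4 descriptor is guaranteed to carry the field. `key` is also dereferenced without a NULL check, which may be the intended contract but is worth stating in the header documentation. SecKeyCopyBackendOperationResult continues outside the hunk.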
typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key);
typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2);
typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key);
+typedef Boolean (*SecKeySetParameterMethod)(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error);
/*!
@abstract Performs cryptographic operation with the key.
SecKeyCopyOperationResultMethod copyOperationResult;
SecKeyIsEqualMethod isEqual;
SecKeyCreateDuplicateMethod createDuplicate;
+ SecKeySetParameterMethod setParameter;
#endif
} SecKeyDescriptor;
@param error Error which gathers more information when something went wrong.
@discussion Serves as channel between SecKey client and backend for passing additional sideband data send from SecKey caller
- to SecKey implementation backend (currently only CTK-based token backend is supported). Parameter names and types are
- a contract between SecKey user (application) and backend and are not interpreted by SecKey layer in any way.
+ to SecKey implementation backend. Parameter names and types are either generic kSecUse*** attributes or are a contract between
+ SecKey user (application) and backend and in this case are not interpreted by SecKey layer in any way.
*/
Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
return result;
}
+#ifdef TARGET_OS_OSX
+static void set_ku_from_properties(SecPolicyRef policy, CFDictionaryRef properties);
+#endif
+
SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
CFDictionaryRef properties) {
// Creates a policy reference for a given policy object identifier.
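Review bot: `#ifdef TARGET_OS_OSX` tests whether the macro is defined, not whether it is 1. In SDKs whose TargetConditionals.h defines the TARGET_OS_* macros as 0 or 1 on every platform, this guard is therefore true on non-macOS builds as well. Use `#if TARGET_OS_OSX` here and at the three other guards this commit adds, namely the two `set_ku_from_properties` call sites and the function definition. As written, the key-usage override is either compiled into platforms it was not meant for or relies on the macro being undefined there. SecPolicyCreateWithProperties continues outside the hunk.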
secerror("ERROR: policy \"%@\" is unsupported", policyIdentifier);
}
+#ifdef TARGET_OS_OSX
+ set_ku_from_properties(policy, properties);
+#endif
errOut:
return policy;
}
}
}
+#ifdef TARGET_OS_OSX
+ set_ku_from_properties(policyRef, properties);
+#endif
CFRelease(oid);
return result;
}
}
}
+#ifdef TARGET_OS_OSX
+static void set_ku_from_properties(SecPolicyRef policy, CFDictionaryRef properties) {
+ if (!policy || !properties) {
+ return;
+ }
+
+ CFStringRef keyNames[] = { kSecPolicyKU_DigitalSignature, kSecPolicyKU_NonRepudiation, kSecPolicyKU_KeyEncipherment, kSecPolicyKU_DataEncipherment,
+ kSecPolicyKU_KeyAgreement, kSecPolicyKU_KeyCertSign, kSecPolicyKU_CRLSign, kSecPolicyKU_EncipherOnly, kSecPolicyKU_DecipherOnly };
+
+ uint32_t keyUsageValues[] = { kSecKeyUsageDigitalSignature, kSecKeyUsageNonRepudiation, kSecKeyUsageKeyEncipherment, kSecKeyUsageDataEncipherment,
+ kSecKeyUsageKeyAgreement, kSecKeyUsageKeyCertSign, kSecKeyUsageCRLSign, kSecKeyUsageEncipherOnly, kSecKeyUsageDecipherOnly };
+
+ bool haveKeyUsage = false;
+ CFTypeRef keyUsageBoolean;
+ for (uint32_t i = 0; i < sizeof(keyNames) / sizeof(CFStringRef); ++i) {
+ if (CFDictionaryGetValueIfPresent(properties, keyNames[i], (const void**)&keyUsageBoolean)) {
+ if (CFEqual(keyUsageBoolean, kCFBooleanTrue)) {
+ haveKeyUsage = true;
+ break;
+ }
+ }
+ }
+
+ if (!haveKeyUsage) {
+ return;
+ }
+
+ CFMutableDictionaryRef options = (CFMutableDictionaryRef) policy->_options;
+ if (!options) {
+ options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (!options) return;
+ policy->_options = options;
+ } else {
+ CFDictionaryRemoveValue(options, kSecPolicyCheckKeyUsage);
+ }
+
+ for (uint32_t i = 0; i < sizeof(keyNames) / sizeof(CFStringRef); ++i) {
+ if (CFDictionaryGetValueIfPresent(properties, keyNames[i], (const void**)&keyUsageBoolean)) {
+ if (CFEqual(keyUsageBoolean, kCFBooleanTrue)) {
+ add_ku(options, keyUsageValues[i]);
+ }
+ }
+ }
+}
+#endif
+
static void add_oid(CFMutableDictionaryRef options, CFStringRef policy_key, const DERItem *oid) {
CFDataRef oid_data = CFDataCreate(kCFAllocatorDefault,
oid ? oid->data : NULL,
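Review bot: In set_ku_from_properties, `(CFMutableDictionaryRef) policy->_options` casts the policy's existing options and then calls `CFDictionaryRemoveValue` and `add_ku` on them. The declared type of `_options` is not visible here, and if any policy stores an immutable dictionary in it, mutating through the cast is invalid. A safer form takes a `CFDictionaryCreateMutableCopy` of the existing options, edits the copy, and swaps it into the policy while releasing the old one. The function also removes kSecPolicyCheckKeyUsage before adding the caller's flags, so the properties replace whatever key-usage requirement the policy already had. A header comment should say that this replacement is intended, so a reader does not take it for an additive check.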
return success;
}
+static bool SecPolicyAddStrongKeySizeOptions(CFMutableDictionaryRef options) {
+ bool success = false;
+ CFDictionaryRef keySizes = NULL;
+ CFNumberRef rsaSize = NULL, ecSize = NULL;
+
+ /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
+ require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
+ require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
+ const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
+ const void *values[] = { rsaSize, ecSize };
+ require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
+ add_element(options, kSecPolicyCheckKeySize, keySizes);
+
+ success = true;
+
+errOut:
+ CFReleaseSafe(keySizes);
+ CFReleaseSafe(rsaSize);
+ CFReleaseSafe(ecSize);
+ return success;
+}
+
static bool isAppleOid(CFStringRef oid) {
if (!SecCertificateIsOidString(oid)) {
return false;
return false;
}
-static bool allowTestHierarchyForPolicy(CFStringRef policyName) {
+static bool isCFPreferenceInSecurityDomain(CFStringRef setting) {
+ /* For backwards compatibility reasons we have to check both "com.apple.security"
+ and "com.apple.Security". */
+ return (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL) ||
+ CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL));
+}
+
+static bool allowTestHierarchyForPolicy(CFStringRef policyName, bool isSSL) {
bool allow = false;
+
CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("ApplePinningAllowTestCerts%@"), policyName);
require(setting, fail);
- if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL)) {
+ if (isCFPreferenceInSecurityDomain(setting)) {
allow = true;
} else {
secnotice("pinningQA", "could not enable test hierarchy: %@ not true", setting);
}
CFRelease(setting);
+
+ if (!allow && isSSL) {
+ if (isCFPreferenceInSecurityDomain(CFSTR("AppleServerAuthenticationAllowUAT"))) {
+ allow = true;
+ } else {
+ secnotice("pinningQA", "could not enable test hierarchy: AppleServerAuthenticationAllowUAT not true");
+ }
+ }
+
fail:
return allow;
}
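Review bot: The new `isSSL` branch in `allowTestHierarchyForPolicy` lets a single global preference, `AppleServerAuthenticationAllowUAT`, add the test roots for every SSL pinning policy, and nothing in this function checks `SecIsInternalRelease()`. The value is read from the preferences domain via `CFPreferencesGetAppBooleanValue`, so the decision depends entirely on whatever else gates test roots. A comment elsewhere in this diff says SecPolicyServer refuses them on non-internal devices, but that code is not visible here. I would record the dependency on the function, e.g. `/* Preference-only gate: trust evaluation must still reject test roots on non-internal builds. */`, or guard the branch with `if (!allow && isSSL && SecIsInternalRelease())`, as the unique-device-certificate caller already does for itself.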
return false;
}
- if (allowTestHierarchyForPolicy(policyName)) {
+ if (allowTestHierarchyForPolicy(policyName, false)) {
CFDictionarySetValue(appleAnchorOptions,
kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
}
SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName, CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) {
CFMutableDictionaryRef options = NULL;
- CFDictionaryRef keySizes = NULL;
- CFNumberRef rsaSize = NULL, ecSize = NULL;
SecPolicyRef result = NULL;
if (!policyName || !intermediateMarkerOID || !leafMarkerOID) {
add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
/* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
- require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
- require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
- const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
- const void *values[] = { rsaSize, ecSize };
- require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
- &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
- add_element(options, kSecPolicyCheckKeySize, keySizes);
+ require(SecPolicyAddStrongKeySizeOptions(options), errOut);
require(result = SecPolicyCreate(kSecPolicyAppleGenericApplePinned,
policyName, options), errOut);
errOut:
CFReleaseSafe(options);
- CFReleaseSafe(keySizes);
- CFReleaseSafe(rsaSize);
- CFReleaseSafe(ecSize);
return result;
}
if (SecIsInternalRelease()) {
CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationNoPinning%@"), service);
require(setting, fail);
- if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) {
+ if(isCFPreferenceInSecurityDomain(setting)) {
pinningRequired = false;
} else {
secnotice("pinningQA", "could not disable pinning: %@ not true", setting);
}
CFRelease(setting);
+
+ if (!pinningRequired) {
+ goto fail;
+ }
+
+ if(isCFPreferenceInSecurityDomain(CFSTR("AppleServerAuthenticationNoPinning"))) {
+ pinningRequired = false;
+ } else {
+ secnotice("pinningQA", "could not disable pinning: AppleServerAuthenticationNoPinning not true");
+ }
} else {
secnotice("pinningQA", "could not disable pinning: not an internal release");
}
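Review bot: When the per-service key is not set, this hunk logs `could not disable pinning: … not true` and may then still clear `pinningRequired` from the global `AppleServerAuthenticationNoPinning` key without logging that it did. For anyone auditing why a connection was not pinned, the positive case deserves the log line, e.g. `secnotice("pinningQA", "pinning disabled by AppleServerAuthenticationNoPinning");` in the branch that sets `pinningRequired = false`. The same log-then-override order appears in the `allowTestHierarchyForPolicy` and `allowUATRoot` hunks. The function's opening lines and its `fail:` label are outside this hunk.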
SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname,
CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) {
- CFMutableDictionaryRef options = NULL;
+ CFMutableDictionaryRef options = NULL, appleAnchorOptions = NULL;
SecPolicyRef result = NULL;
if (!policyName || !hostname || !leafMarkerOID) {
}
if (requireUATPinning(policyName)) {
+ require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks), errOut);
+
+ SecPolicyAddBasicX509Options(options);
+
+ /* Anchored to the Apple Roots */
+ require_quiet(appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL), errOut);
+ if (allowTestHierarchyForPolicy(policyName, true)) {
+ CFDictionarySetValue(appleAnchorOptions,
+ kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+ }
+ add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+
+ /* Exactly 3 certs in the chain */
+ require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
if (intermediateMarkerOID) {
- require(result = SecPolicyCreateApplePinned(policyName, intermediateMarkerOID, leafMarkerOID), errOut);
+ /* Intermediate marker OID matches input OID */
+ if (!isAppleOid(intermediateMarkerOID)) {
+ secwarning("creating an Apple pinning policy with a non-Apple OID: %@", intermediateMarkerOID);
+ }
+ add_element(options, kSecPolicyCheckIntermediateMarkerOid, intermediateMarkerOID);
} else {
- require(result = SecPolicyCreateApplePinned(policyName, CFSTR("1.2.840.113635.100.6.2.12"), leafMarkerOID), errOut);
+ add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.12"));
}
- require_action(options = CFDictionaryCreateMutableCopy(NULL, 0, result->_options), errOut, CFReleaseNull(result));
+ /* Leaf marker OID matches input OID */
+ if (!isAppleOid(leafMarkerOID)) {
+ secwarning("creating an Apple pinning policy with a non-Apple OID: %@", leafMarkerOID);
+ }
+ add_leaf_marker_string(options, leafMarkerOID);
+
+ /* New leaf marker OID format */
+ add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), leafMarkerOID);
/* ServerAuth EKU is in leaf cert */
add_eku_string(options, CFSTR("1.3.6.1.5.5.7.3.1"));
/* Hostname is in leaf cert */
add_element(options, kSecPolicyCheckSSLHostname, hostname);
- /* New leaf marker OID format */
- add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), leafMarkerOID);
+ /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
+ require(SecPolicyAddStrongKeySizeOptions(options), errOut);
+
+ /* Check revocation using any available method */
+ add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
+
+ require(result = SecPolicyCreate(kSecPolicyAppleGenericAppleSSLPinned,
+ policyName, options), errOut);
- CFReleaseSafe(result->_options);
- result->_options = CFRetainSafe(options);
} else {
result = SecPolicyCreateSSL(true, hostname);
+ SecPolicySetOid(result, kSecPolicyAppleGenericAppleSSLPinned);
}
- SecPolicySetOid(result, kSecPolicyAppleGenericAppleSSLPinned);
-
errOut:
CFReleaseSafe(options);
+ CFReleaseSafe(appleAnchorOptions);
return result;
}
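Review bot: The UAT branch of `SecPolicyCreateAppleSSLPinned` now repeats the whole check list of `SecPolicyCreateApplePinned` (Apple anchor, chain length 3, marker OIDs, key size, revocation) instead of deriving from it, so the two pinning policies can drift apart unnoticed. A comment above the branch would make the coupling explicit, e.g. `/* Same checks as SecPolicyCreateApplePinned plus ServerAuth EKU and hostname; keep both in sync. */`. It is also worth stating in that comment that `isAppleOid` failures only produce a `secwarning` and the policy is still created with the caller's OID. Parts of the function between the argument check and `requireUATPinning` are outside the visible lines.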
appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
require(appleAnchorOptions, errOut);
- if (allowTestHierarchyForPolicy(kSecPolicyNameiPhoneApplicationSigning)) {
+ if (allowTestHierarchyForPolicy(kSecPolicyNameiPhoneApplicationSigning, false)) {
/* Allow a test hierarchy-signed cert with prod name/OIDs */
CFDictionarySetValue(appleAnchorOptions,
kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
allowUATRoot(bool allowNonProd, CFStringRef service, CFDictionaryRef context)
{
bool UATAllowed = false;
+ CFStringRef setting = NULL;
if (SecIsInternalRelease() || allowNonProd) {
- CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationAllowUAT%@"), service);
+ setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationAllowUAT%@"), service);
CFTypeRef value = NULL;
require(setting, fail);
UATAllowed = true;
}
- if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) {
+ if (isCFPreferenceInSecurityDomain(setting)) {
UATAllowed = true;
}
if (!UATAllowed) {
secnotice("pinningQA", "could not enable test cert: %@ not true", setting);
+ } else {
+ goto fail;
+ }
+
+ if (isCFPreferenceInSecurityDomain(CFSTR("AppleServerAuthenticationAllowUAT"))) {
+ UATAllowed = true;
+ } else {
+ secnotice("pinningQA", "could not enable test hierarchy: AppleServerAuthenticationAllowUAT not true");
}
- CFRelease(setting);
} else {
secnotice("pinningQA", "could not enable test cert: not an internal release");
}
fail:
+ CFReleaseNull(setting);
return UATAllowed;
}
* Require pinning to the Apple CA's (and if UAT environment,
* include the Apple Test CA's as anchors).
*/
-
appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
require(appleAnchorOptions, errOut);
- if (allowUAT || allowTestHierarchyForPolicy(service)) {
+ if (allowUAT || allowTestHierarchyForPolicy(service, true)) {
/* Note: SecPolicyServer won't allow the test roots for non-internal devices */
CFDictionarySetValue(appleAnchorOptions,
kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
// Apple anchors, allowing test anchors for internal releases properly configured
appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
require(appleAnchorOptions, errOut);
- if (allowUAT || allowTestHierarchyForPolicy(kSecPolicyNameAppleHomeKitServerAuth)) {
+ if (allowUAT || allowTestHierarchyForPolicy(kSecPolicyNameAppleHomeKitServerAuth, true)) {
CFDictionarySetValue(appleAnchorOptions,
kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
}
add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
/* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
- require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
- require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
- const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
- const void *values[] = { rsaSize, ecSize };
- require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
- &kCFTypeDictionaryKeyCallBacks,
- &kCFTypeDictionaryValueCallBacks), errOut);
- add_element(options, kSecPolicyCheckKeySize, keySizes);
-
+ require(SecPolicyAddStrongKeySizeOptions(options), errOut);
require(result = SecPolicyCreate(kSecPolicyAppleSoftwareSigning,
kSecPolicyNameAppleSoftwareSigning, options), errOut);
/* Anchored to the SEP Root CA. Allow alternative root for developers */
require(SecPolicyAddAnchorSHA256Options(options, SEPRootCA_SHA256),errOut);
if (testRootHash && SecIsInternalRelease() && !SecIsProductionFused() &&
- allowTestHierarchyForPolicy(kSecPolicyNameAppleUniqueDeviceCertificate)
+ allowTestHierarchyForPolicy(kSecPolicyNameAppleUniqueDeviceCertificate, false)
&& (kSecPolicySHA256Size == CFDataGetLength(testRootHash))) {
add_element(options, kSecPolicyCheckAnchorSHA256, testRootHash);
}
add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
/* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
- require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
- require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
- const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
- const void *values[] = { rsaSize, ecSize };
- require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
- &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
- add_element(options, kSecPolicyCheckKeySize, keySizes);
+ require(SecPolicyAddStrongKeySizeOptions(options), errOut);
require(result = SecPolicyCreate(kSecPolicyAppleWarsaw,
kSecPolicyNameAppleWarsaw, options), errOut);
add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.50"));
/* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
- require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
- require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
- const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
- const void *values[] = { rsaSize, ecSize };
- require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
- &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
- add_element(options, kSecPolicyCheckKeySize, keySizes);
+ require(SecPolicyAddStrongKeySizeOptions(options), errOut);
require(result = SecPolicyCreate(kSecPolicyAppleSecureIOStaticAsset,
kSecPolicyNameAppleSecureIOStaticAsset, options), errOut);
return true;
}
-#if 0
/* We have a wildcard reference identifier that looks like "*." followed by 2 or
more labels. Use CFNetwork's function for determining if those labels comprise
a top-level domain. We need to dlopen since CFNetwork is a client of ours. */
dispatch_once(&onceToken, ^{
void *framework = dlopen("/System/Library/Frameworks/CFNetwork.framework/CFNetwork", RTLD_LAZY);
if (framework) {
- CFNIsDomainTopLevelFunctionPtr = dlsym(framework, "_CFHostIsDomainTopLevel");
+ CFNIsDomainTopLevelFunctionPtr = dlsym(framework, "_CFHostIsDomainTopLevelForCertificatePolicy");
}
});
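Review bot: The `dlsym` result for `_CFHostIsDomainTopLevelForCertificatePolicy` is not checked in the lines shown, and this commit re-enables the wildcard check `require_quiet(!SecDNSIsTLD(presented), noMatch)` that depends on it. If the symbol or the framework is missing, the pointer stays NULL, and whether `SecDNSIsTLD` then rejects or accepts the wildcard is decided in code outside this hunk. I would document the chosen behaviour next to the lookup, e.g. `/* If lookup fails the pointer stays NULL; SecDNSIsTLD then reports "not a TLD", so multi-label TLD wildcards are not rejected. */`, adjusting the wording to what the function actually does. A `secnotice` on lookup failure would also make a silently disabled check visible.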
CFReleaseNull(presentedDomain);
return result;
}
-#endif
/* Compare hostname, to a server name obtained from the server's cert
Obtained from the SubjectAltName or the CommonName entry in the Subject.
/* must not occur before single-label TLD */
require_quiet(count > 2 && ix != count - 2, noMatch);
-#if 0
- // <rdar://26563617>, check removed due to <rdar://26552669>
+
/* must not occur before a multi-label gTLD */
require_quiet(!SecDNSIsTLD(presented), noMatch);
-#endif
} else {
/* partial-label wildcards are disallowed */
CFRange partialRange = CFStringFind(plabel, CFSTR("*"), 0);
OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn, CFStringRef account, CFStringRef password, CFErrorRef *error);
OSStatus SecCopySharedWebCredentialSync(CFStringRef fqdn, CFStringRef account, CFArrayRef *credentials, CFErrorRef *error);
+#if TARGET_OS_IOS
OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn,
CFStringRef account,
CFDictionaryAddValue(args, kSecAttrAccount, account);
}
if (password) {
-#if TARGET_OS_IPHONE && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_WATCH && !TARGET_OS_TV
CFDictionaryAddValue(args, kSecSharedPassword, password);
-#else
- CFDictionaryAddValue(args, CFSTR("spwd"), password);
-#endif
}
status = SecOSStatusWith(^bool (CFErrorRef *error) {
CFTypeRef raw_result = NULL;
return status;
}
+#endif /* TARGET_OS_IOS */
void SecAddSharedWebCredential(CFStringRef fqdn,
CFStringRef account,
{
__block CFErrorRef error = NULL;
__block dispatch_queue_t dst_queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT,0);
- dispatch_retain(dst_queue);
+#if TARGET_OS_IOS
/* sanity check input arguments */
CFStringRef errStr = NULL;
completionHandler(error);
}
CFReleaseSafe(error);
- dispatch_release(dst_queue);
});
return;
}
completionHandler(error);
}
CFReleaseSafe(error);
- dispatch_release(dst_queue);
});
});
-
+#else
+ SecError(errSecParam, &error, CFSTR("SharedWebCredentials not supported on this platform"));
+ dispatch_async(dst_queue, ^{
+ if (completionHandler) {
+ completionHandler(error);
+ }
+ CFReleaseSafe(error);
+ });
+#endif
}
+#if TARGET_OS_IOS
OSStatus SecCopySharedWebCredentialSync(CFStringRef fqdn,
CFStringRef account,
CFArrayRef *credentials,
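Review bot: The new `#else` branch of `SecAddSharedWebCredential` reports an unsupported platform as `errSecParam`, which tells the caller its arguments were wrong when they were not. `errSecUnimplemented` describes the condition, i.e. `SecError(errSecUnimplemented, &error, CFSTR("SharedWebCredentials not supported on this platform"));`. The `#else` branch added to `SecRequestSharedWebCredential` has the same line and should change with it.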
});
return status;
-
}
+#endif /* TARGET_OS_IOS */
void SecRequestSharedWebCredential(CFStringRef fqdn,
CFStringRef account,
void (^completionHandler)(CFArrayRef credentials, CFErrorRef error))
{
- __block CFArrayRef result = NULL;
__block CFErrorRef error = NULL;
__block dispatch_queue_t dst_queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT,0);
- dispatch_retain(dst_queue);
+#if TARGET_OS_IOS
+ __block CFArrayRef result = NULL;
/* sanity check input arguments, if provided */
CFStringRef errStr = NULL;
}
CFReleaseSafe(error);
CFReleaseSafe(result);
- dispatch_release(dst_queue);
});
return;
}
}
CFReleaseSafe(error);
CFReleaseSafe(result);
- dispatch_release(dst_queue);
});
});
+#else
+ SecError(errSecParam, &error, CFSTR("SharedWebCredentials not supported on this platform"));
+ dispatch_async(dst_queue, ^{
+ if (completionHandler) {
+ completionHandler(NULL, error);
+ }
+ CFReleaseSafe(error);
+ });
+#endif
}
}
}
-
CFArrayAppendValue(context, key);
}
+static bool isPrintableString(CFStringRef theString){
+ bool result = false;
+ CFCharacterSetRef controlSet = CFCharacterSetGetPredefined(kCFCharacterSetControl);
+ CFCharacterSetRef newlineSet = CFCharacterSetGetPredefined(kCFCharacterSetNewline);
+ CFCharacterSetRef illegalSet = CFCharacterSetGetPredefined(kCFCharacterSetIllegal);
+
+ CFMutableCharacterSetRef unacceptable = CFCharacterSetCreateMutableCopy(kCFAllocatorDefault, controlSet);
+ CFCharacterSetUnion(unacceptable, newlineSet);
+ CFCharacterSetUnion(unacceptable, illegalSet);
+ result = CFStringFindCharacterFromSet(theString, unacceptable, CFRangeMake(0, CFStringGetLength(theString)), 0, NULL);
+ CFReleaseNull(unacceptable);
+ return result;
+}
+
static void display_item(const void *v_item, void *context) {
CFDictionaryRef item = (CFDictionaryRef)v_item;
CFIndex dict_count, key_ix, key_count;
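Review bot: `isPrintableString` returns the opposite of what its name says. `CFStringFindCharacterFromSet` returns true when a character from the `unacceptable` set is found, and that value is returned unchanged. The caller in the next hunk (`if(!isPrintableString(v_s))`) therefore prints "not printable" for clean strings and appends strings containing control or newline characters to the output, which is what the check was added to prevent. The assignment should be negated: `result = !CFStringFindCharacterFromSet(theString, unacceptable, CFRangeMake(0, CFStringGetLength(theString)), 0, NULL);`. A one-line comment stating that the function returns true only when no control, newline or illegal character is present would keep the sense from flipping again.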
CFDataRef v_d = (CFDataRef)value;
CFStringRef v_s = CFStringCreateFromExternalRepresentation(
kCFAllocatorDefault, v_d, kCFStringEncodingUTF8);
+
if (v_s) {
- CFStringAppend(line, CFSTR("/"));
- CFStringAppend(line, v_s);
- CFStringAppend(line, CFSTR("/ "));
- CFRelease(v_s);
+ if(!isPrintableString(v_s))
+ CFStringAppend(line, CFSTR("not printable "));
+ else{
+ CFStringAppend(line, CFSTR("/"));
+ CFStringAppend(line, v_s);
+ CFStringAppend(line, CFSTR("/ "));
+ }
}
+ CFReleaseNull(v_s);
+
const uint8_t *bytes = CFDataGetBytePtr(v_d);
CFIndex len = CFDataGetLength(v_d);
for (jx = 0; jx < len; ++jx) {
pthread_setspecific(taskThreadKey, client.task);
#endif
client.accessGroups = SecTaskCopyAccessGroups(client.task);
+
+#if TARGET_OS_IOS
if (operation == sec_add_shared_web_credential_id || operation == sec_copy_shared_web_credential_id) {
domains = SecTaskCopySharedWebCredentialDomains(client.task);
}
+#endif
+
#if TARGET_OS_IPHONE
client.allowSystemKeychain = SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateSystemKeychain);
client.isNetworkExtension = SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateNetworkExtension);
}
case sec_add_shared_web_credential_id:
{
+#if TARGET_OS_IOS
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
CFTypeRef result = NULL;
+
CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
if (_SecAddSharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
CFReleaseSafe(appID);
CFReleaseNull(query);
}
+#else
+ SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
+#endif
break;
}
case sec_copy_shared_web_credential_id:
{
+#if TARGET_OS_IOS
CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
if (query) {
CFTypeRef result = NULL;
CFReleaseSafe(appID);
CFReleaseNull(query);
}
+#else
+ SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
+#endif
break;
}
case sec_get_log_settings_id:
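Review bot: On non-iOS builds both shared-web-credential cases now reply with `kSecXPCKeyResult` set to `kCFBooleanFalse` and leave `error` untouched, so a caller cannot tell "unsupported platform" from a failed lookup. For the copy operation the reply is also a boolean where the iOS path returns a credentials result. Setting the error in the `#else` branches, e.g. `SecError(errSecUnimplemented, &error, CFSTR("SharedWebCredentials not supported on this platform"));`, would make the refusal explicit. How `error` is folded into the reply after the switch is outside these hunks, so this assumes it is forwarded as in the other cases.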
0C0BDB611756882A00BC1A7E /* secd_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C0BDB601756882A00BC1A7E /* secd_regressions.h */; };
0C0BDB63175688DA00BC1A7E /* secd-01-items.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C0BDB62175688DA00BC1A7E /* secd-01-items.c */; };
0C0C887A1CCED00E00617D1B /* shared_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = D40771B21C9B4CE50016AA66 /* shared_regressions.h */; };
+ 0C27C3E81D6F8BB1008CB02F /* secd-201-coders.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C87F8301D6F838200A9EC17 /* secd-201-coders.c */; };
0C3276C31CB329AB005D6DDC /* secd_77_ids_messaging.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C3276C21CB329AB005D6DDC /* secd_77_ids_messaging.c */; };
0C60F39C1CAF0E8E00221D24 /* secd-76-idstransport.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C60F39B1CAF0E8E00221D24 /* secd-76-idstransport.c */; };
0C664AE8175951270092D3D9 /* secd-02-upgrade-while-locked.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C664AE7175951270092D3D9 /* secd-02-upgrade-while-locked.c */; };
0CBF93F9177B7CFC001E5658 /* secd-04-corrupted-items.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBF93F6177B7CFC001E5658 /* secd-04-corrupted-items.c */; };
0CBF93FC177BA9D9001E5658 /* secd-05-corrupted-items.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CBF93FB177BA9D9001E5658 /* secd-05-corrupted-items.m */; };
0CE7ABDF171383E30088968F /* keychain_backup.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CE7ABDE171383E30088968F /* keychain_backup.c */; };
+ 0CFDBAD91D6FC58D00826CDE /* SOSEnginePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 0CFDBAD81D6FC58D00826CDE /* SOSEnginePriv.h */; };
18270F5914CF654400B05E7F /* client.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD560614CB6E7A008233F2 /* client.c */; };
18AD560F14CB6E7A008233F2 /* securityd_client.h in Headers */ = {isa = PBXBuildFile; fileRef = 18AD560814CB6E7A008233F2 /* securityd_client.h */; };
18AD566714CB70A8008233F2 /* SecItem.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563714CB6EB9008233F2 /* SecItem.c */; };
446BB5E518F83172005D1B83 /* SecAccessControl.c in Sources */ = {isa = PBXBuildFile; fileRef = C6766767189884D200E9A12C /* SecAccessControl.c */; };
4477A8D918F28AB700B5BB9F /* si-78-query-attrs.c in Sources */ = {isa = PBXBuildFile; fileRef = 4477A8D718F28AAE00B5BB9F /* si-78-query-attrs.c */; };
448305101B46FB8700326450 /* ios8-inet-keychain-2.h in Headers */ = {isa = PBXBuildFile; fileRef = 4483050F1B46FB8700326450 /* ios8-inet-keychain-2.h */; };
- 448305111B46FC0D00326450 /* secd-35-keychain-migrate-inet.c in Sources */ = {isa = PBXBuildFile; fileRef = 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */; };
449265291AB0D6FF00644D4C /* SecCTKKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 449265271AB0D6FF00644D4C /* SecCTKKey.c */; };
4492652A1AB0D6FF00644D4C /* SecCTKKeyPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 449265281AB0D6FF00644D4C /* SecCTKKeyPriv.h */; };
4802A59816D7156D0059E5B9 /* SOSUserKeygen.h in Headers */ = {isa = PBXBuildFile; fileRef = 4802A59716D711190059E5B9 /* SOSUserKeygen.h */; settings = {ATTRIBUTES = (); }; };
BE53FA301B0AC5C300719A63 /* SecKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563C14CB6EB9008233F2 /* SecKey.c */; };
BE53FA311B0AC65500719A63 /* SecECKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562C14CB6EB9008233F2 /* SecECKey.c */; };
BE53FA321B0AC65B00719A63 /* SecRSAKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564714CB6EB9008233F2 /* SecRSAKey.c */; };
- BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */ = {isa = PBXBuildFile; fileRef = BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */; };
+ BE5C5BD11D8C90F500A97339 /* si-84-sectrust-allowlist.m in Sources */ = {isa = PBXBuildFile; fileRef = BE5C5BD01D8C90C200A97339 /* si-84-sectrust-allowlist.m */; };
BE5EC1F018C80108005E7682 /* swcagent_client.c in Sources */ = {isa = PBXBuildFile; fileRef = BEF9640A18B418A400813FA3 /* swcagent_client.c */; };
BE62D7601747FF3E001EAA9D /* si-72-syncableitems.c in Sources */ = {isa = PBXBuildFile; fileRef = BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */; };
BE642BB2188F32C200C899A2 /* SecSharedCredential.c in Sources */ = {isa = PBXBuildFile; fileRef = BE642BB1188F32C200C899A2 /* SecSharedCredential.c */; };
D48C567D1C73E5C300E41928 /* SecPolicyLeafCallbacks.c in Sources */ = {isa = PBXBuildFile; fileRef = D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */; };
D4A919771CA9A3DD003D2ADA /* si-95-cms-basic.c in Sources */ = {isa = PBXBuildFile; fileRef = D4A919751CA9A3DD003D2ADA /* si-95-cms-basic.c */; };
D4A919781CA9A3DD003D2ADA /* si-95-cms-basic.h in Headers */ = {isa = PBXBuildFile; fileRef = D4A919761CA9A3DD003D2ADA /* si-95-cms-basic.h */; };
+ D4B2E7941DAEFBB500F79E03 /* wosign_certs.h in Headers */ = {isa = PBXBuildFile; fileRef = D4B2E7911DAEFBB500F79E03 /* wosign_certs.h */; };
+ D4B2E7951DAEFBB500F79E03 /* date_testing_certs.h in Headers */ = {isa = PBXBuildFile; fileRef = D4B2E7921DAEFBB500F79E03 /* date_testing_certs.h */; };
+ D4B2E7961DAEFBB500F79E03 /* cnnic_certs.h in Headers */ = {isa = PBXBuildFile; fileRef = D4B2E7931DAEFBB500F79E03 /* cnnic_certs.h */; };
D4CBC1481BE9A89E00C5795E /* si-89-cms-hash-agility.c in Sources */ = {isa = PBXBuildFile; fileRef = D4CBC1461BE9A89E00C5795E /* si-89-cms-hash-agility.c */; };
D4CBC1491BE9A89E00C5795E /* si-89-cms-hash-agility.h in Headers */ = {isa = PBXBuildFile; fileRef = D4CBC1471BE9A89E00C5795E /* si-89-cms-hash-agility.h */; };
D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */; };
E7FEFB87169E363300E18152 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 521C0B9815FA5C4A00604B61 /* Foundation.framework */; };
E7FEFB91169E36D800E18152 /* keychain_sync.c in Sources */ = {isa = PBXBuildFile; fileRef = E7FEFB90169E36D800E18152 /* keychain_sync.c */; };
EB3409AF1C1D5BBE00D77661 /* secd-20-keychain_upgrade.m in Sources */ = {isa = PBXBuildFile; fileRef = EB3409AE1C1D5BB300D77661 /* secd-20-keychain_upgrade.m */; };
+ EB36F0421D9041FC0094C601 /* secd-35-keychain-migrate-inet.c in Sources */ = {isa = PBXBuildFile; fileRef = 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */; };
+ EB36F0431D9041FC0094C601 /* secd-36-ks-encrypt.m in Sources */ = {isa = PBXBuildFile; fileRef = EB36F0401D9041F40094C601 /* secd-36-ks-encrypt.m */; };
EB6432BD1C510A6E00B671F2 /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = EB6432BC1C510A6E00B671F2 /* SecDigest.c */; };
EB6432BE1C510A6E00B671F2 /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = EB6432BC1C510A6E00B671F2 /* SecDigest.c */; };
EB69AB041BF3C42F00913AF1 /* SecEMCS.m in Sources */ = {isa = PBXBuildFile; fileRef = EB69AB031BF3C42F00913AF1 /* SecEMCS.m */; };
0C3276C21CB329AB005D6DDC /* secd_77_ids_messaging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = secd_77_ids_messaging.c; sourceTree = "<group>"; };
0C60F39B1CAF0E8E00221D24 /* secd-76-idstransport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-76-idstransport.c"; sourceTree = "<group>"; };
0C664AE7175951270092D3D9 /* secd-02-upgrade-while-locked.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = "secd-02-upgrade-while-locked.c"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; };
+ 0C87F8301D6F838200A9EC17 /* secd-201-coders.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-201-coders.c"; sourceTree = "<group>"; };
0CBF93F5177B7CFC001E5658 /* secd-03-corrupted-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-03-corrupted-items.c"; sourceTree = "<group>"; };
0CBF93F6177B7CFC001E5658 /* secd-04-corrupted-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-04-corrupted-items.c"; sourceTree = "<group>"; };
0CBF93FB177BA9D9001E5658 /* secd-05-corrupted-items.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-05-corrupted-items.m"; sourceTree = "<group>"; };
0CE7ABDE171383E30088968F /* keychain_backup.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = keychain_backup.c; sourceTree = "<group>"; };
+ 0CFDBAD81D6FC58D00826CDE /* SOSEnginePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSEnginePriv.h; sourceTree = "<group>"; };
18270C9714CF1AAD00B05E7F /* base.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = base.xcconfig; sourceTree = "<group>"; };
18270C9814CF1AAD00B05E7F /* debug.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = debug.xcconfig; sourceTree = "<group>"; };
18270C9914CF1AAD00B05E7F /* lib.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = lib.xcconfig; sourceTree = "<group>"; };
BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecSignatureVerificationSupport.c; sourceTree = "<group>"; };
BE4AC7DD1C938698002A28FE /* SecSignatureVerificationSupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSignatureVerificationSupport.h; sourceTree = "<group>"; };
BE556A5D19550E1600E6EE8C /* SecPolicyCerts.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecPolicyCerts.h; sourceTree = "<group>"; };
- BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "si-84-sectrust-whitelist.c"; sourceTree = "<group>"; };
+ BE5C5BD01D8C90C200A97339 /* si-84-sectrust-allowlist.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-84-sectrust-allowlist.m"; sourceTree = "<group>"; };
BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-72-syncableitems.c"; sourceTree = "<group>"; };
BE62D7611747FF51001EAA9D /* si-70-sectrust-unified.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-70-sectrust-unified.c"; sourceTree = "<group>"; };
BE642BAF188F32AD00C899A2 /* SecSharedCredential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSharedCredential.h; sourceTree = "<group>"; };
D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecPolicyLeafCallbacks.c; sourceTree = "<group>"; };
D4A919751CA9A3DD003D2ADA /* si-95-cms-basic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-95-cms-basic.c"; sourceTree = "<group>"; };
D4A919761CA9A3DD003D2ADA /* si-95-cms-basic.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-95-cms-basic.h"; sourceTree = "<group>"; };
+ D4B2E7911DAEFBB500F79E03 /* wosign_certs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wosign_certs.h; path = "si-84-sectrust-allowlist/wosign_certs.h"; sourceTree = "<group>"; };
+ D4B2E7921DAEFBB500F79E03 /* date_testing_certs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = date_testing_certs.h; path = "si-84-sectrust-allowlist/date_testing_certs.h"; sourceTree = "<group>"; };
+ D4B2E7931DAEFBB500F79E03 /* cnnic_certs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cnnic_certs.h; path = "si-84-sectrust-allowlist/cnnic_certs.h"; sourceTree = "<group>"; };
D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-85-sectrust-ssl-policy.c"; sourceTree = "<group>"; };
D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-85-sectrust-ssl-policy.h"; sourceTree = "<group>"; };
D4CBC1461BE9A89E00C5795E /* si-89-cms-hash-agility.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-89-cms-hash-agility.c"; sourceTree = "<group>"; };
E7FEFB8C169E363300E18152 /* libSOSCommands.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSOSCommands.a; sourceTree = BUILT_PRODUCTS_DIR; };
E7FEFB90169E36D800E18152 /* keychain_sync.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = keychain_sync.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; };
EB3409AE1C1D5BB300D77661 /* secd-20-keychain_upgrade.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-20-keychain_upgrade.m"; sourceTree = "<group>"; };
+ EB36F0401D9041F40094C601 /* secd-36-ks-encrypt.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-36-ks-encrypt.m"; sourceTree = "<group>"; };
EB6432BC1C510A6E00B671F2 /* SecDigest.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDigest.c; sourceTree = "<group>"; };
EB69AB031BF3C42F00913AF1 /* SecEMCS.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecEMCS.m; sourceTree = "<group>"; };
EB69AB051BF425F300913AF1 /* si-90-emcs.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-90-emcs.m"; sourceTree = "<group>"; };
D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */,
440BF8F41A7A7EC9001760A7 /* si-82-token-ag.c */,
BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */,
- BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */,
+ D48D56CC1DAEC030005AA1C0 /* si-84-sectrust-allowlist */,
+ BE5C5BD01D8C90C200A97339 /* si-84-sectrust-allowlist.m */,
D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */,
D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */,
D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */,
4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.m */,
529F46F11AEC759E0002392C /* secd-34-backup-der-parse.c */,
4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */,
+ EB36F0401D9041F40094C601 /* secd-36-ks-encrypt.m */,
E75AB9191AE9958300C5EF3F /* secd-40-cc-gestalt.c */,
E79D62B9176798BF005A9743 /* secd-50-account.c */,
523CBBF71B3227A2002C0884 /* secd-49-manifests.c */,
E739A9DC1D318FA4003C088A /* secd-130-other-peer-views.c */,
CD35B8291C2650FE00E0852A /* secd-154-engine-backoff.c */,
48B5888B1D00ED9000E0C5A7 /* secd-200-logstate.c */,
+ 0C87F8301D6F838200A9EC17 /* secd-201-coders.c */,
E7A10FAA1771245D00C4602F /* SOSAccountTesting.h */,
E79D62BE1767A547005A9743 /* SecdTestKeychainUtilities.c */,
E79D62BF1767A55F005A9743 /* SecdTestKeychainUtilities.h */,
name = SharedWebCredentialAgent;
sourceTree = "<group>";
};
+ D48D56CC1DAEC030005AA1C0 /* si-84-sectrust-allowlist */ = {
+ isa = PBXGroup;
+ children = (
+ D4B2E7911DAEFBB500F79E03 /* wosign_certs.h */,
+ D4B2E7921DAEFBB500F79E03 /* date_testing_certs.h */,
+ D4B2E7931DAEFBB500F79E03 /* cnnic_certs.h */,
+ );
+ name = "si-84-sectrust-allowlist";
+ sourceTree = "<group>";
+ };
E71049F4169E023B00DB0045 /* SecurityTool */ = {
isa = PBXGroup;
children = (
4C8BDDA117B4FE9400C20EA5 /* SOSDigestVector.h */,
4C9DC91C15B602910036D941 /* SOSEngine.c */,
4C9DC91915B602760036D941 /* SOSEngine.h */,
+ 0CFDBAD81D6FC58D00826CDE /* SOSEnginePriv.h */,
4C8BDD9E17B4FDE100C20EA5 /* SOSManifest.c */,
4C8BDD9C17B4FD2A00C20EA5 /* SOSManifest.h */,
4CBDB30B17B70206002FA799 /* SOSMessage.c */,
D44C81EA1CD1947200BE9A0D /* si-97-sectrust-path-scoring.h in Headers */,
D43091561D84D80B004097DA /* si-25-cms-skid.h in Headers */,
D4653DEB1C9E2299002ED6D5 /* si-28-sectrustsettings.h in Headers */,
+ D4B2E7961DAEFBB500F79E03 /* cnnic_certs.h in Headers */,
+ D4B2E7941DAEFBB500F79E03 /* wosign_certs.h in Headers */,
+ D4B2E7951DAEFBB500F79E03 /* date_testing_certs.h in Headers */,
);
runOnlyForDeploymentPostprocessing = 0;
};
CDE5F8A41AF025D60074958E /* SOSPeerInfoCollections.h in Headers */,
CDE5F8B51AF026470074958E /* SOSTransportKeyParameter.h in Headers */,
CDE5F8851AF025B30074958E /* SOSConcordanceTrust.h in Headers */,
+ 0CFDBAD91D6FC58D00826CDE /* SOSEnginePriv.h in Headers */,
CDE5F8AD1AF026470074958E /* SOSTransport.h in Headers */,
CDE5F8801AF025AC0074958E /* SOSRingTypes.h in Headers */,
4C8BDD9D17B4FD2A00C20EA5 /* SOSManifest.h in Headers */,
5E0CE1651CB6347300E75776 /* secd-83-item-match-valid-on-date.m in Sources */,
4CC62F221B4EF136009FEF0E /* secd-75-engine-views.c in Sources */,
F9EF72F21AC0F98400A4D24A /* secd-70-engine-smash.c in Sources */,
+ 0C27C3E81D6F8BB1008CB02F /* secd-201-coders.c in Sources */,
5384299418E492A300E91AFE /* secd-70-otr-remote.c in Sources */,
E7F18557177A502900177B23 /* secd-56-account-apply.c in Sources */,
EB69AB071BF4332700913AF1 /* si-90-emcs.m in Sources */,
0CBF93F8177B7CFC001E5658 /* secd-03-corrupted-items.c in Sources */,
E75AB91B1AE9964800C5EF3F /* secd-40-cc-gestalt.c in Sources */,
0CBF93FC177BA9D9001E5658 /* secd-05-corrupted-items.m in Sources */,
+ EB36F0421D9041FC0094C601 /* secd-35-keychain-migrate-inet.c in Sources */,
5E0CE1671CB6348D00E75776 /* secd-83-item-match-trusted.m in Sources */,
527258D11981C00F003CFCEC /* secd-70-engine.c in Sources */,
E7850ED11BB30E87002A54CA /* secd-65-account-retirement-reset.c in Sources */,
4C495EDF1982145200BC1809 /* SOSTestDevice.c in Sources */,
E78A9AB21D34263100006B5B /* secd-130-other-peer-views.c in Sources */,
+ EB36F0431D9041FC0094C601 /* secd-36-ks-encrypt.m in Sources */,
0CBF93F9177B7CFC001E5658 /* secd-04-corrupted-items.c in Sources */,
4898223A17BDB277003BEF32 /* secd-52-account-changed.c in Sources */,
0C062B1F175E784B00806CFE /* secd-30-keychain-upgrade.c in Sources */,
486C6C691795F9D600387075 /* secd-61-account-leave-not-in-kansas-anymore.c in Sources */,
E79D62BD176799EE005A9743 /* SOSTestDataSource.c in Sources */,
EBF2D7661C1E482B006AB6FF /* secd-21-transmogrify.m in Sources */,
- 448305111B46FC0D00326450 /* secd-35-keychain-migrate-inet.c in Sources */,
4469FC2D1AA0A6D00021AA26 /* secd-33-keychain-ctk.m in Sources */,
E79D62BC176799DB005A9743 /* SOSRegressionUtilities.c in Sources */,
E7A10FAC1771246A00C4602F /* secd-55-account-circle.c in Sources */,
D4D887571CED0B9400DC7583 /* si-27-sectrust-exceptions.c in Sources */,
0982E02C1D19695B0060002E /* si-44-seckey-ec.m in Sources */,
D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */,
- BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */,
+ BE5C5BD11D8C90F500A97339 /* si-84-sectrust-allowlist.m in Sources */,
D4D886F01CEC008600DC7583 /* si-23-sectrust-ocsp.c in Sources */,
D4D8875E1CED490700DC7583 /* si-74-OTAPKISigner.c in Sources */,
D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */,
#import <utilities/SecFileLocations.h>
#import <utilities/fileIo.h>
-#import <securityd/SOSCloudCircleServer.h>
#import <securityd/SecItemServer.h>
#import <Security/SecBasePriv.h>
--- /dev/null
+/*
+ * Copyright (c) 2013-2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+//
+// secd_201_coders
+// sec
+//
+
+#include <stdio.h>
+
+
+
+
+#include <Security/SecBase.h>
+#include <Security/SecItem.h>
+
+#include <CoreFoundation/CFDictionary.h>
+
+#include <Security/SecureObjectSync/SOSAccount.h>
+#include <Security/SecureObjectSync/SOSCloudCircle.h>
+#include <Security/SecureObjectSync/SOSInternal.h>
+#include <Security/SecureObjectSync/SOSUserKeygen.h>
+#include <Security/SecureObjectSync/SOSTransport.h>
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
+#include "SOSCloudKeychainLogging.h"
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "secd_regressions.h"
+#include "SOSTestDataSource.h"
+#include "SOSTestDevice.h"
+
+#include "SOSRegressionUtilities.h"
+#include <utilities/SecCFWrappers.h>
+#include <Security/SecKeyPriv.h>
+
+#include <securityd/SOSCloudCircleServer.h>
+
+#include "SOSAccountTesting.h"
+
+#include "SecdTestKeychainUtilities.h"
+
+static int kTestTestCount = 182;
+
+static void TestSOSEngineDoOnQueue(SOSEngineRef engine, dispatch_block_t action)
+{
+ dispatch_sync(engine->queue, action);
+}
+
+static bool SOSAccountIsThisPeerIDMe(SOSAccountRef account, CFStringRef peerID) {
+ SOSPeerInfoRef mypi = SOSFullPeerInfoGetPeerInfo(account->my_identity);
+ CFStringRef myPeerID = SOSPeerInfoGetPeerID(mypi);
+
+ return myPeerID && CFEqualSafe(myPeerID, peerID);
+}
+
+static bool TestSOSEngineDoTxnOnQueue(SOSEngineRef engine, CFErrorRef *error, void(^transaction)(SOSTransactionRef txn, bool *commit))
+{
+ return SOSDataSourceWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn, bool *commit) {
+ TestSOSEngineDoOnQueue(engine, ^{ transaction(txn, commit); });
+ });
+}
+
+static void compareCoders(CFMutableDictionaryRef beforeCoders, CFMutableDictionaryRef afterCoderState)
+{
+ CFDictionaryForEach(beforeCoders, ^(const void *key, const void *value) {
+ CFStringRef beforePeerid = (CFStringRef)key;
+ SOSCoderRef beforeCoderData = (SOSCoderRef)value;
+ SOSCoderRef afterCoderData = (SOSCoderRef)CFDictionaryGetValue(afterCoderState, beforePeerid);
+ ok(CFEqual(beforeCoderData,afterCoderData));
+ });
+}
+
+static void ids_test_sync(SOSAccountRef alice_account, SOSAccountRef bob_account){
+
+ CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ __block bool SyncingCompletedOverIDS = false;
+ __block CFErrorRef localError = NULL;
+ __block bool done = false;
+ do{
+ SOSCircleForEachValidPeer(alice_account->trusted_circle, alice_account->user_public, ^(SOSPeerInfoRef peer) {
+ if (!SOSAccountIsThisPeerIDMe(alice_account, SOSPeerInfoGetPeerID(peer))) {
+ if(SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), peer) &&
+ SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), peer)){
+ secnotice("IDS Transport","Syncing with IDS capable peers using IDS!");
+
+ CFMutableDictionaryRef circleToIdsId = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
+ CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer));
+ CFDictionaryAddValue(circleToIdsId, SOSCircleGetName(alice_account->trusted_circle), ids);
+ SOSEngineRef alice_engine = SOSTransportMessageGetEngine(alice_account->ids_message_transport);
+
+ //testing loading and saving coders
+ ok(alice_engine->coders);
+ CFMutableDictionaryRef beforeCoders = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(alice_engine->coders), alice_engine->coders);
+ TestSOSEngineDoTxnOnQueue(alice_engine, &localError, ^(SOSTransactionRef txn, bool *commit) {
+ ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(alice_account->ids_message_transport), txn, &localError));
+ });
+
+ ok(alice_engine->coders);
+
+ TestSOSEngineDoTxnOnQueue(alice_engine, &localError, ^(SOSTransactionRef txn, bool *commit) {
+ ok(SOSTestEngineSaveCoders(alice_engine, txn, &localError));
+ });
+
+ compareCoders(beforeCoders, alice_engine->coders);
+
+ //syncing with all peers
+ SyncingCompletedOverIDS = SOSTransportMessageSyncWithPeers(alice_account->ids_message_transport, circleToIdsId, &localError);
+
+ //testing load after sync with all peers
+ CFMutableDictionaryRef codersAfterSyncBeforeLoad = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(alice_engine->coders), alice_engine->coders);
+ TestSOSEngineDoTxnOnQueue(alice_engine, &localError, ^(SOSTransactionRef txn, bool *commit) {
+ ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(alice_account->ids_message_transport), txn, &localError));
+ });
+ compareCoders(codersAfterSyncBeforeLoad, alice_engine->coders);
+
+ CFReleaseNull(codersAfterSyncBeforeLoad);
+ CFReleaseNull(beforeCoders);
+ CFReleaseNull(circleToIdsId);
+ CFReleaseNull(ids);
+ }
+ }
+ });
+
+ ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL);
+
+ SOSCircleForEachValidPeer(bob_account->trusted_circle, bob_account->user_public, ^(SOSPeerInfoRef peer) {
+ if (!SOSAccountIsThisPeerIDMe(bob_account, SOSPeerInfoGetPeerID(peer))) {
+ if(SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), peer) &&
+ SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), peer)){
+ secnotice("IDS Transport","Syncing with IDS capable peers using IDS!");
+
+ CFMutableDictionaryRef circleToIdsId = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
+ CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer));
+ CFDictionaryAddValue(circleToIdsId, SOSCircleGetName(bob_account->trusted_circle), ids);
+ SOSEngineRef bob_engine = SOSTransportMessageGetEngine(bob_account->ids_message_transport);
+
+ //testing loading and saving coders
+ ok(bob_engine->coders);
+ CFMutableDictionaryRef beforeCoders = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(bob_engine->coders), bob_engine->coders);
+ TestSOSEngineDoTxnOnQueue(bob_engine, &localError, ^(SOSTransactionRef txn, bool *commit) {
+ ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(bob_account->ids_message_transport), txn, &localError));
+ });
+
+ ok(bob_engine->coders);
+
+ TestSOSEngineDoTxnOnQueue(bob_engine, &localError, ^(SOSTransactionRef txn, bool *commit) {
+ ok(SOSTestEngineSaveCoders(bob_engine, txn, &localError));
+ });
+
+ compareCoders(beforeCoders, bob_engine->coders);
+
+ SyncingCompletedOverIDS &= SOSTransportMessageSyncWithPeers(bob_account->ids_message_transport, circleToIdsId, &localError);
+
+ //testing load after sync with all peers
+ CFMutableDictionaryRef codersAfterSyncBeforeLoad = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(bob_engine->coders), bob_engine->coders);
+ TestSOSEngineDoTxnOnQueue(bob_engine, &localError, ^(SOSTransactionRef txn, bool *commit) {
+ ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(bob_account->ids_message_transport), txn, &localError));
+ });
+ compareCoders(codersAfterSyncBeforeLoad, bob_engine->coders);
+ CFReleaseNull(codersAfterSyncBeforeLoad);
+ CFReleaseNull(beforeCoders);
+ CFReleaseNull(circleToIdsId);
+ CFReleaseNull(ids);
+ }
+ }
+ });
+
+ if(CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(alice_account->ids_message_transport)) == 0 && CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(bob_account->ids_message_transport)) == 0){
+ done = true;
+ break;
+ }
+
+ ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL);
+
+ }while(done == false);
+ CFReleaseNull(changes);
+
+ ok(SyncingCompletedOverIDS, "synced items over IDS");
+
+}
+
+static void tests(void)
+{
+
+ __block CFErrorRef error = NULL;
+ CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10);
+ CFDataRef cfwrong_password = CFDataCreate(NULL, (uint8_t *) "NotFooFooFoo", 10);
+ CFStringRef cfaccount = CFSTR("test@test.org");
+
+ CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("TestSource"));
+ SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("TestSource"));
+
+ ok(SOSAccountAssertUserCredentialsAndUpdate(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error);
+
+ // Bob wins writing at this point, feed the changes back to alice.
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates");
+
+ ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error);
+ CFReleaseNull(error);
+ ok(SOSAccountTryUserCredentials(alice_account, cfaccount, cfpassword, &error), "Credential trying (%@)", error);
+ CFReleaseNull(error);
+ ok(!SOSAccountTryUserCredentials(alice_account, cfaccount, cfwrong_password, &error), "Credential failing (%@)", error);
+ CFReleaseNull(cfwrong_password);
+ is(error ? CFErrorGetCode(error) : 0, kSOSErrorWrongPassword, "Expected SOSErrorWrongPassword");
+ CFReleaseNull(error);
+
+ ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error);
+ CFReleaseNull(error);
+
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates");
+
+ ok(SOSAccountHasCompletedInitialSync(alice_account), "Alice thinks she's completed initial sync");
+
+ ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error);
+ CFReleaseNull(error);
+
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates");
+
+ {
+ CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error);
+
+ ok(applicants && CFArrayGetCount(applicants) == 1, "See one applicant %@ (%@)", applicants, error);
+ ok(SOSAccountAcceptApplicants(alice_account, applicants, &error), "Alice accepts (%@)", error);
+ CFReleaseNull(error);
+ CFReleaseNull(applicants);
+ }
+
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates");
+
+ accounts_agree("bob&alice pair", bob_account, alice_account);
+
+ CFArrayRef peers = SOSAccountCopyPeers(alice_account, &error);
+ ok(peers && CFArrayGetCount(peers) == 2, "See two peers %@ (%@)", peers, error);
+ CFReleaseNull(peers);
+
+ //creating test devices
+ CFIndex version = 0;
+
+ // Optionally prefix each peer with name to make them more unique.
+ CFArrayRef deviceIDs = CFArrayCreateForCFTypes(kCFAllocatorDefault,SOSAccountGetMyPeerID(alice_account), SOSAccountGetMyPeerID(bob_account), NULL);
+ CFSetRef views = SOSViewsCopyTestV2Default();
+ CFMutableArrayRef peerMetas = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
+ CFStringRef deviceID;
+ CFArrayForEachC(deviceIDs, deviceID) {
+ SOSPeerMetaRef peerMeta = SOSPeerMetaCreateWithComponents(deviceID, views, NULL);
+ CFArrayAppendValue(peerMetas, peerMeta);
+ CFReleaseNull(peerMeta);
+ }
+
+ CFReleaseNull(views);
+ CFArrayForEachC(deviceIDs, deviceID) {
+ SOSTestDeviceRef device = SOSTestDeviceCreateWithDbNamed(kCFAllocatorDefault, deviceID, deviceID);
+ SOSTestDeviceSetPeerIDs(device, peerMetas, version, NULL);
+
+ if(CFEqualSafe(deviceID, SOSAccountGetMyPeerID(alice_account))){
+ alice_account->factory = device->dsf;
+ SOSTestDeviceAddGenericItem(device, CFSTR("Alice"), CFSTR("Alice-add"));
+ }
+ else{
+ bob_account->factory = device->dsf;
+ SOSTestDeviceAddGenericItem(device, CFSTR("Bob"), CFSTR("Bob-add"));
+ }
+
+ CFReleaseNull(device);
+ }
+ CFReleaseNull(deviceIDs);
+ CFReleaseNull(peerMetas);
+
+ SOSUnregisterAllTransportMessages();
+ CFArrayRemoveAllValues(message_transports);
+
+ alice_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(alice_account, CFSTR("Alice"), CFSTR("TestSource"), &error);
+ bob_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(bob_account, CFSTR("Bob"), CFSTR("TestSource"), &error);
+
+ bool result = SOSAccountModifyCircle(alice_account, &error, ^bool(SOSCircleRef circle) {
+ CFErrorRef localError = NULL;
+
+ SOSFullPeerInfoUpdateTransportType(alice_account->my_identity, SOSTransportMessageTypeIDSV2, &localError);
+ SOSFullPeerInfoUpdateTransportPreference(alice_account->my_identity, kCFBooleanFalse, &localError);
+ SOSFullPeerInfoUpdateTransportFragmentationPreference(alice_account->my_identity, kCFBooleanTrue, &localError);
+
+ return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), NULL);
+ });
+
+ ok(result, "Alice account update circle with transport type");
+
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates");
+
+ result = SOSAccountModifyCircle(bob_account, &error, ^bool(SOSCircleRef circle) {
+ CFErrorRef localError = NULL;
+
+ SOSFullPeerInfoUpdateTransportType(bob_account->my_identity, SOSTransportMessageTypeIDSV2, &localError);
+ SOSFullPeerInfoUpdateTransportPreference(bob_account->my_identity, kCFBooleanFalse, &localError);
+ SOSFullPeerInfoUpdateTransportFragmentationPreference(bob_account->my_identity, kCFBooleanTrue, &localError);
+
+ return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), NULL);
+ });
+
+ ok(result, "Bob account update circle with transport type");
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates");
+
+ CFStringRef alice_transportType =SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(alice_account));
+ CFStringRef bob_accountTransportType = SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(bob_account));
+ ok(CFEqualSafe(alice_transportType, CFSTR("IDS2.0")), "Alice transport type not IDS");
+ ok(CFEqualSafe(bob_accountTransportType, CFSTR("IDS2.0")), "Bob transport type not IDS");
+
+ CFReleaseNull(alice_transportType);
+ CFReleaseNull(bob_accountTransportType);
+
+ SOSTransportMessageIDSTestSetName(alice_account->ids_message_transport, CFSTR("Alice Account"));
+ ok(SOSTransportMessageIDSTestGetName(alice_account->ids_message_transport) != NULL, "retrieved getting account name");
+ ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(alice_account, &error) != false, "device ID from IDSKeychainSyncingProxy");
+
+ SOSTransportMessageIDSTestSetName(bob_account->ids_message_transport, CFSTR("Bob Account"));
+ ok(SOSTransportMessageIDSTestGetName(bob_account->ids_message_transport) != NULL, "retrieved getting account name");
+ ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(bob_account, &error) != false, "device ID from IDSKeychainSyncingProxy");
+
+
+ ok(SOSAccountSetMyDSID(alice_account, CFSTR("Alice"),&error), "Setting IDS device ID");
+ CFStringRef alice_dsid = SOSAccountCopyDeviceID(alice_account, &error);
+ ok(CFEqualSafe(alice_dsid, CFSTR("Alice")), "Getting IDS device ID");
+
+ ok(SOSAccountSetMyDSID(bob_account, CFSTR("Bob"),&error), "Setting IDS device ID");
+ CFStringRef bob_dsid = SOSAccountCopyDeviceID(bob_account, &error);
+ ok(CFEqualSafe(bob_dsid, CFSTR("Bob")), "Getting IDS device ID");
+
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates");
+
+ ok(SOSAccountEnsurePeerRegistration(alice_account, NULL), "ensure peer registration - alice");
+ ok(SOSAccountEnsurePeerRegistration(bob_account, NULL), "ensure peer registration - bob");
+
+ ids_test_sync(alice_account, bob_account);
+
+ SOSUnregisterAllTransportMessages();
+ SOSUnregisterAllTransportCircles();
+ SOSUnregisterAllTransportKeyParameters();
+ CFArrayRemoveAllValues(key_transports);
+ CFArrayRemoveAllValues(circle_transports);
+ CFArrayRemoveAllValues(message_transports);
+ CFReleaseNull(alice_account);
+ CFReleaseNull(bob_account);
+
+}
+
+int secd_201_coders(int argc, char *const *argv)
+{
+ plan_tests(kTestTestCount);
+
+ secd_test_setup_temp_keychain(__FUNCTION__, NULL);
+
+ tests();
+
+ return 0;
+}
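Review bot: In compareCoders, `CFDictionaryGetValue(afterCoderState, beforePeerid)` returns NULL when a peer present before the load/save round trip is missing afterwards, and that NULL is passed straight to `CFEqual`, which is not NULL-safe. So the case this test exists to catch would crash the test run instead of producing a failed assertion. The file already uses the NULL-tolerant helper elsewhere, so the check can become `ok(CFEqualSafe(beforeCoderData, afterCoderData), "coder for %@ survives load/save", beforePeerid);`. The comparison also only walks the "before" dictionary, so coders that appear only afterwards go unnoticed; adding a count comparison would close that gap.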
--- /dev/null
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#include "secd_regressions.h"
+
+#include <Security/Security.h>
+
+#include <utilities/SecCFWrappers.h>
+#include "SecDbKeychainItem.h"
+
+#include <TargetConditionals.h>
+
+#if USE_KEYSTORE
+#include <libaks.h>
+
+#include "SecdTestKeychainUtilities.h"
+
+int secd_36_ks_encrypt(int argc, char *const *argv)
+{
+ plan_tests(8);
+
+ keybag_handle_t keybag;
+ keybag_state_t state;
+ CFDictionaryRef data = NULL;
+ CFDataRef enc = NULL;
+ CFErrorRef error = NULL;
+ SecAccessControlRef ac = NULL;
+ bool ret;
+
+ char passcode[] = "password";
+ int passcode_len = sizeof(passcode) - 1;
+
+
+ /* Create and lock custom keybag */
+ is(kIOReturnSuccess, aks_create_bag(passcode, passcode_len, kAppleKeyStoreDeviceBag, &keybag), "create keybag");
+ is(kIOReturnSuccess, aks_get_lock_state(keybag, &state), "get keybag state");
+ is(0, (int)(state&keybag_state_locked), "keybag unlocked");
+
+ data = (__bridge CFDictionaryRef)@{
+ (id)kSecValueData : @"secret here",
+ };
+
+ ok(ac = SecAccessControlCreate(NULL, &error), "SecAccessControlCreate: %@", error);
+ ok(SecAccessControlSetProtection(ac, kSecAttrAccessibleWhenUnlocked, &error), "SecAccessControlSetProtection: %@", error);
+
+ ret = ks_encrypt_data(keybag, ac, NULL, data, NULL, &enc, true, &error);
+ is(true, ret);
+
+ CFReleaseNull(ac);
+
+ {
+ CFMutableDictionaryRef attributes = NULL;
+ uint32_t version = 0;
+
+ ret = ks_decrypt_data(keybag, kAKSKeyOpDecrypt, &ac, NULL, enc, NULL, NULL, &attributes, &version, &error);
+ is(true, ret, "ks_decrypt_data: %@", error);
+
+ ok(CFEqual(SecAccessControlGetProtection(ac), kSecAttrAccessibleWhenUnlocked), "AccessControl protection is: %@", SecAccessControlGetProtection(ac));
+
+ CFReleaseNull(ac);
+ }
+
+ CFReleaseNull(error);
+ CFReleaseNull(enc);
+
+ return 0;
+}
+
+#else /* !USE_KEYSTORE */
+
+int secd_36_ks_encrypt(int argc, char *const *argv)
+{
+ plan_tests(1);
+ ok(true);
+ return 0;
+}
+#endif /* USE_KEYSTORE */
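Review bot: The round trip in secd_36_ks_encrypt is never checked against its input: after `ks_decrypt_data` the test only inspects the protection class, and the returned `attributes` dictionary is neither compared with `data` nor released. Assuming the decrypt call hands back the dictionary that was encrypted (to be confirmed against ks_decrypt_data), add `ok(attributes && CFEqual(attributes, data), "decrypted attributes match input");` and `CFReleaseNull(attributes);`, and raise the plan to `plan_tests(9);`. The encrypt assertion `is(true, ret);` would also be easier to diagnose with the same `"ks_encrypt_data: %@", error` message the decrypt assertion uses. The comment "Create and lock custom keybag" does not match the code, which asserts the keybag is unlocked and never locks it.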
#include "secd_regressions.h"
#include "SecdTestKeychainUtilities.h"
-#include <Security/SecureObjectSync/SOSEngine.h>
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
#include <Security/SecureObjectSync/SOSPeer.h>
#include <Security/SecBase64.h>
#include <Security/SecItem.h>
OFF_ONE_TEST(secd_32_restore_bad_backup)
ONE_TEST(secd_33_keychain_ctk)
ONE_TEST(secd_35_keychain_migrate_inet)
+ONE_TEST(secd_36_ks_encrypt)
ONE_TEST(secd_40_cc_gestalt)
ONE_TEST(secd_50_account)
ONE_TEST(secd_49_manifests)
ONE_TEST(secd_100_initialsync)
ONE_TEST(secd_130_other_peer_views)
ONE_TEST(secd_200_logstate)
+ONE_TEST(secd_201_coders)
+
#include <securityd/asynchttp.h>
#include <stdlib.h>
+#define MAX_CA_ISSUERS 3
+#define CA_ISSUERS_REQUEST_THRESHOLD 10
+
+
/* CA Issuer lookup code. */
typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef;
}
static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) {
- while (request->issuerIX < CFArrayGetCount(request->issuers)) {
+ CFIndex count = CFArrayGetCount(request->issuers);
+ if (count >= CA_ISSUERS_REQUEST_THRESHOLD) {
+ secnotice("caissuer", "too many caIssuer entries (%ld)", (long)count);
+ request->callback(request->context, NULL);
+ SecCAIssuerRequestRelease(request);
+ return true;
+ }
+ while (request->issuerIX < count && request->issuerIX < MAX_CA_ISSUERS) {
CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
request->issuerIX++);
CFStringRef scheme = CFURLCopyScheme(issuer);
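Review bot: The new loop bound `request->issuerIX < MAX_CA_ISSUERS` silently drops every caIssuers entry after the third, whereas the `CA_ISSUERS_REQUEST_THRESHOLD` path logs before giving up. Neither macro carries a comment explaining how the two limits relate. I would document them where they are defined, e.g. `/* Fetch at most this many caIssuers URLs per certificate. */` above MAX_CA_ISSUERS and `/* A certificate listing this many or more caIssuers URLs is not fetched at all. */` above the threshold. A `secnotice` when the loop stops with entries still unread would make truncated lookups visible in logs. SecCAIssuerRequestIssue continues past the end of this hunk.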
const SecDbClass *class;
keyclass_t keyclass;
keybag_handle_t keybag;
- //sqlite3_int64 _rowid;
- //CFDataRef _primaryKey;
- //CFDataRef _sha1;
- //CFDataRef _edata;
enum SecDbItemState _edataState;
CFMutableDictionaryRef attributes;
- CFTypeRef credHandle;
+ CFDataRef credHandle;
CFTypeRef cryptoOp;
CFArrayRef callerAccessGroups;
};
const int16_t kIVSizeAESGCM = 12;
// echo "keychainblobstaticiv" | openssl dgst -sha256 | cut -c1-24 | xargs -I {} echo "0x{}" | xxd -r | xxd -p -i
-// 0x1e, 0xa0, 0x5c, 0xa9, 0x98, 0x2e, 0x87, 0xdc, 0xf1, 0x45, 0xe8, 0x24
-
-
static const uint8_t gcmIV[kIVSizeAESGCM] = {
0x1e, 0xa0, 0x5c, 0xa9, 0x98, 0x2e, 0x87, 0xdc, 0xf1, 0x45, 0xe8, 0x24
};
-
/* Given plainText create and return a CFDataRef containing:
BULK_KEY = RandomKey()
version || keyclass|ACL || KeyStore_WRAP(keyclass, BULK_KEY) ||
size_t blobLen = CFDataGetLength(blob);
const uint8_t *cursor = CFDataGetBytePtr(blob);
keyclass_t keyclass;
- uint32_t wrapped_key_size;
- /* Check for underflow, ensuring we have at least one full AES block left. */
- if (blobLen < sizeof(version) + sizeof(keyclass) +
- CFDataGetLength(bulkKey) + v0KeyWrapOverHead + 16) {
- ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow"));
+ if (blobLen < sizeof(version)) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (length)"));
goto out;
}
}
cursor += sizeof(version);
-
- size_t minimum_blob_len = sizeof(version) + 16;
- size_t ctLen = blobLen - sizeof(version);
+ blobLen -= sizeof(version);
bool hasProtectionData = (version >= 4);
if (hasProtectionData) {
/* Deserialize SecAccessControl object from the blob. */
- uint32_t prot_length = *((uint32_t *)cursor);
+ uint32_t prot_length;
+
+ /*
+ * Parse proto length
+ */
+
+ if (blobLen < sizeof(prot_length)) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (prot_length)"));
+ goto out;
+ }
+
+ prot_length = *((uint32_t *)cursor);
cursor += sizeof(prot_length);
+ blobLen -= sizeof(prot_length);
+
+ /*
+ * Parse proto itself
+ */
+
+ if (blobLen < prot_length) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (prot)"));
+ goto out;
+ }
CFTypeRef protection = kc_copy_protection_from(cursor, cursor + prot_length);
if (!protection) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid ACL"));
goto out;
- }
- else {
+ } else {
access_control = SecAccessControlCreate(NULL, NULL);
require_quiet(access_control, out);
ok = SecAccessControlSetProtection(access_control, protection, NULL);
}
cursor += prot_length;
+ blobLen -= prot_length;
- minimum_blob_len += sizeof(prot_length) + prot_length;
- ctLen -= sizeof(prot_length) + prot_length;
-
- /* Get numeric value of keyclass from the access_control. */
+ /*
+ * Get numeric value of keyclass from the access_control.
+ */
keyclass = kc_parse_keyclass(SecAccessControlGetProtection(access_control), error);
if (!keyclass) {
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid ACL"));
goto out;
}
} else {
+ if (blobLen < sizeof(keyclass)) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (keyclass)"));
+ goto out;
+ }
+
keyclass = *((keyclass_t *)cursor);
- //secerror("class: %d keyclass: %d", keyclass, keyclass & key_class_last);
+
#if USE_KEYSTORE
CFTypeRef protection = kc_encode_keyclass(keyclass & key_class_last); // mask out generation
#else
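Review bot: From `blobLen -= sizeof(version);` onward, blobLen no longer holds the blob's total length but the bytes left at cursor, and nothing in the hunk says so. A one-line comment at that statement, such as `/* from here on blobLen counts the bytes remaining at cursor */`, or a rename to something like `remaining`, would keep a later reader from comparing it against an absolute offset. ks_decrypt_data starts and ends outside this hunk.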
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: SecAccessControlSetProtection failed")));
cursor += sizeof(keyclass);
-
- minimum_blob_len += sizeof(keyclass);
- ctLen -= sizeof(keyclass);
+ blobLen -= sizeof(keyclass);
}
size_t tagLen = 0;
+ uint32_t wrapped_key_size = 0;
+
switch (version) {
case 0:
wrapped_key_size = (uint32_t)CFDataGetLength(bulkKey) + v0KeyWrapOverHead;
case 5:
case 6:
tagLen = 16;
- minimum_blob_len -= 16; // Remove PKCS7 padding block requirement
- ctLen -= tagLen; // Remove tagLen from ctLen
/* DROPTHROUGH */
case 1:
+ if (blobLen < sizeof(wrapped_key_size)) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (wrapped_key_size)"));
+ goto out;
+ }
wrapped_key_size = *((uint32_t *)cursor);
+
cursor += sizeof(wrapped_key_size);
- minimum_blob_len += sizeof(wrapped_key_size);
- ctLen -= sizeof(wrapped_key_size);
+ blobLen -= sizeof(wrapped_key_size);
+
break;
default:
ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid version %d"), version);
goto out;
}
- /* Validate key wrap length against total length */
- require(blobLen - minimum_blob_len - tagLen >= wrapped_key_size, out);
- ctLen -= wrapped_key_size;
- if (version < 2 && (ctLen & 0xF) != 0) {
- ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid version"));
+ if (blobLen < tagLen + wrapped_key_size) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (wrapped_key/taglen)"));
goto out;
}
+ size_t ctLen = blobLen - tagLen - wrapped_key_size;
+
+ /*
+ * Pre-version 2 have some additial constraints since it use AES in CBC mode
+ */
+ if (version < 2) {
+ if (ctLen < kCCBlockSizeAES128) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (CBC check)"));
+ goto out;
+ }
+ if ((ctLen & 0xF) != 0) {
+ ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid length on CBC data"));
+ goto out;
+ }
+ }
+
#if USE_KEYSTORE
if (hasProtectionData) {
if (caller_access_groups) {
require_quiet(ok = ks_delete_acl(ref_key, ed_data, acm_context, caller_access_groups_data, access_control, error), out);
attributes = CFRetainSafe(authenticated_attributes);
goto out;
+ } else {
+ ok = SecError(errSecInternal, error, CFSTR("ks_decrypt_data: invalid operation"));
+ goto out;
}
} else
#endif
}
if (iv) {
- // AAD is (version || ac_data || key_wrapped_size)
+ // AAD is (version || ... [|| key_wrapped_size ])
aad = CFDataGetBytePtr(blob);
aadLen = cursor - aad;
}
static bool kc_attribs_key_encrypted_data_from_blob(keybag_handle_t keybag, const SecDbClass *class, const void *blob_data, size_t blob_data_len, SecAccessControlRef access_control, uint32_t version,
CFMutableDictionaryRef *authenticated_attributes, aks_ref_key_t *ref_key, CFDataRef *encrypted_data, CFErrorRef *error)
{
- bool ok = false;
+ CFMutableDictionaryRef acl = NULL;
CFDictionaryRef blob_dict = NULL;
+ aks_ref_key_t tmp_ref_key = NULL;
CFDataRef key_data = NULL;
CFDataRef ed = NULL;
- aks_ref_key_t tmp_ref_key = NULL;
+ bool ok = false;
der_decode_plist(NULL, kCFPropertyListImmutable, (CFPropertyListRef*)&blob_dict, NULL, blob_data, blob_data + blob_data_len);
require_action_quiet(blob_dict, out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: failed to decode 'blob data'")));
require_action_quiet(ed, out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: failed to decode 'encrypted data'")));
require_action_quiet(key_data, out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: failed to decode 'key data'")));
- CFMutableDictionaryRef acl = NULL;
const void *external_data = NULL;
size_t external_data_len = 0;
require_quiet(external_data = ks_ref_key_get_external_data(keybag, key_data, &tmp_ref_key, &external_data_len, error), out);
if (acl) {
/* v4 data format used wrong ACL placement, for backward compatibility we have to support both formats */
- if (version == 4)
+ if (version == 4) {
SecAccessControlSetConstraints(access_control, acl);
- else
- SecAccessControlSetConstraints(access_control, CFDictionaryGetValue(acl, kAKSKeyAcl));
+ } else {
+ CFDictionaryRef constraints = CFDictionaryGetValue(acl, kAKSKeyAcl);
+ require_action_quiet(isDictionary(constraints), out,
+ SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: acl missing")));
+ SecAccessControlSetConstraints(access_control, constraints);
+ }
/* v4/v5 data format usualy does not contain kAKSKeyOpEncrypt, so add kAKSKeyOpEncrypt if is missing */
if (version < 6) {
SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpEncrypt, kCFBooleanTrue, NULL);
}
- CFRelease(acl);
}
if (encrypted_data)
CFReleaseSafe(blob_dict);
CFReleaseSafe(key_data);
CFReleaseSafe(ed);
-
+ CFReleaseSafe(acl);
+
+
return ok;
}
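Review bot: In the visible lines `blob_dict` comes out of `der_decode_plist` as an arbitrary property list and is only tested for non-NULL, so a blob that decodes to an array or string would still be used as a dictionary. The `isDictionary(constraints)` check this change adds is the right pattern, and the same test fits the decode result: `require_action_quiet(isDictionary(blob_dict), out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: failed to decode 'blob data'")));`. The version 4 branch also passes `acl` to `SecAccessControlSetConstraints` unchecked. Where `acl` is decoded is not shown, so confirm its type is validated there.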
/* ACL and credHandle passed to the query. q_cred_handle contain LA context object. */
SecAccessControlRef q_access_control;
- CFTypeRef q_use_cred_handle;
+ CFDataRef q_use_cred_handle;
// Flag indicating that ui-protected items should be simply skipped
// instead of reporting them to the client as an error.
#include <securityd/SecItemBackupServer.h>
#include <securityd/SecItemServer.h>
-#include <Security/SecureObjectSync/SOSEngine.h>
+#include <Security/SecureObjectSync/SOSEnginePriv.h>
#include <Security/SecureObjectSync/SOSPeer.h>
#include <Security/SecureObjectSync/SOSBackupSliceKeyBag.h>
#include <Security/SecureObjectSync/SOSViews.h>
int SecServerItemBackupHandoffFD(CFStringRef backupName, CFErrorRef *error) {
__block int fd = -1;
if (!withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) {
- SOSEngineForPeerIDNoCoder(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) {
+ SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) {
fd = SOSPeerHandoffFD(peer, error);
});
}) && fd >= 0) {
optional data, class and persistent ref results. This is so we can use
the CFDictionaryCreate() api here rather than appending to a
mutable dictionary. */
-static CF_RETURNS_RETAINED CFTypeRef handle_result(Query *q, CFMutableDictionaryRef item,
- sqlite_int64 rowid) {
+static CF_RETURNS_RETAINED CFTypeRef
+handle_result(Query *q,
+ CFMutableDictionaryRef item,
+ sqlite_int64 rowid)
+{
CFTypeRef a_result;
CFDataRef data;
data = CFDictionaryGetValue(item, kSecValueData);
Query *q = c->q;
sqlite_int64 rowid = sqlite3_column_int64(stmt, 0);
- CFMutableDictionaryRef item;
+ CFMutableDictionaryRef item = NULL;
bool ok = s3dl_item_from_col(stmt, q, 1, c->accessGroups, &item, NULL, &q->q_error);
if (!ok) {
OSStatus status = SecErrorGetOSStatus(q->q_error);
CFStringAppend(sql, q->q_class->name);
SecDbAppendWhereClause(sql, q, accessGroups);
}
- SecDbAppendLimit(sql, q->q_limit);
+ //do not append limit for all queries which needs filtering
+ if (q->q_match_issuer == NULL && q->q_match_policy == NULL && q->q_match_valid_on_date == NULL && q->q_match_trusted_only == NULL) {
+ SecDbAppendLimit(sql, q->q_limit);
+ }
return sql;
}
if (sql_ok)
sql_ok = sqlBindWhereClause(stmt, q, accessGroups, ¶m, error);
if (sql_ok) {
- SecDbForEach(stmt, error, ^bool (int row_index) {
+ SecDbForEach(dbt, stmt, error, ^bool (int row_index) {
handle_row(stmt, context);
bool needs_auth = q->q_error && CFErrorGetCode(q->q_error) == errSecAuthNeeded;
#include <Security/SecTrustInternal.h>
#include <Security/SecCertificatePriv.h>
+#if USE_KEYSTORE
+#include <MobileKeyBag/MobileKeyBag.h>
+#endif
// TODO: Make this include work on both platforms. rdar://problem/16526848
#if TARGET_OS_EMBEDDED
#include <Security/SecEntitlements.h>
-#include <MobileKeyBag/MobileKeyBag.h>
#else
/* defines from <Security/SecEntitlements.h> */
#define kSecEntitlementAssociatedDomains CFSTR("com.apple.developer.associated-domains")
});
}
+#if USE_KEYSTORE
+/*
+ * Similar to ks_open_keybag, but goes through MKB interface
+ */
+static bool mkb_open_keybag(CFDataRef keybag, CFDataRef password, MKBKeyBagHandleRef *handle, CFErrorRef *error) {
+ kern_return_t rc;
+ MKBKeyBagHandleRef mkbhandle = NULL;
+
+ rc = MKBKeyBagCreateWithData(keybag, &mkbhandle);
+ if (rc != kMobileKeyBagSuccess) {
+ return SecKernError(rc, error, CFSTR("MKBKeyBagCreateWithData failed: %d"), rc);
+ }
+
+ if (password) {
+ rc = MKBKeyBagUnlock(mkbhandle, password);
+ if (rc != kMobileKeyBagSuccess) {
+ CFRelease(mkbhandle);
+ return SecKernError(rc, error, CFSTR("failed to unlock bag: %d"), rc);
+ }
+ }
+
+ *handle = mkbhandle;
+
+ return true;
+}
+#endif
+
+
static CFDataRef SecServerKeychainCreateBackup(SecDbConnectionRef dbt, SecurityClient *client, CFDataRef keybag,
CFDataRef password, CFErrorRef *error) {
CFDataRef backup = NULL;
keybag_handle_t backup_keybag;
- if (ks_open_keybag(keybag, password, &backup_keybag, error)) {
- /* Export from system keybag to backup keybag. */
- backup = SecServerExportBackupableKeychain(dbt, client, KEYBAG_DEVICE, backup_keybag, error);
- if (!ks_close_keybag(backup_keybag, error)) {
- CFReleaseNull(backup);
- }
- }
+#if USE_KEYSTORE
+ MKBKeyBagHandleRef mkbhandle = NULL;
+ require(mkb_open_keybag(keybag, password, &mkbhandle, error), out);
+
+ require_noerr(MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag), out);
+
+#else
+ backup_keybag = KEYBAG_NONE;
+#endif
+ /* Export from system keybag to backup keybag. */
+ backup = SecServerExportBackupableKeychain(dbt, client, KEYBAG_DEVICE, backup_keybag, error);
+
+out:
+#if USE_KEYSTORE
+ if (mkbhandle)
+ CFRelease(mkbhandle);
+#endif
return backup;
}
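Review bot: When `MKBKeyBagGetAKSHandle` fails in SecServerKeychainCreateBackup, `require_noerr` jumps to `out` without filling `*error`, so the caller gets a NULL backup and no reason. The restore path that follows has the same pattern and returns `false` equally silently. `mkb_open_keybag` already reports its failures through `SecKernError`, and the handle lookup can do the same: `kern_return_t rc = MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag);` followed by `require_noerr_action(rc, out, SecKernError(rc, error, CFSTR("MKBKeyBagGetAKSHandle failed: %d"), rc));`. Initialising the handle at its declaration, `keybag_handle_t backup_keybag = bad_keybag_handle;`, would also stop any later edit from reaching the export or import with an indeterminate value.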
CFDataRef password,
CFErrorRef *error)
{
+ bool ok = false;
keybag_handle_t backup_keybag;
- if (!ks_open_keybag(keybag, password, &backup_keybag, error))
- return false;
+#if USE_KEYSTORE
+ MKBKeyBagHandleRef mkbhandle = NULL;
+ require(mkb_open_keybag(keybag, password, &mkbhandle, error), out);
+ require_noerr(MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag), out);
+#else
+ backup_keybag = KEYBAG_NONE;
+#endif
/* Import from backup keybag to system keybag. */
- bool ok = SecServerImportBackupableKeychain(dbt, client, backup_keybag, KEYBAG_DEVICE,
- backup, error);
- ok &= ks_close_keybag(backup_keybag, error);
+ require(SecServerImportBackupableKeychain(dbt, client, backup_keybag, KEYBAG_DEVICE, backup, error), out);
+ ok = true;
+out:
+#if USE_KEYSTORE
+ if (mkbhandle)
+ CFRelease(mkbhandle);
+#endif
return ok;
}
// MARK: -
// MARK: Shared web credentials
+#if TARGET_OS_IOS
+
/* constants */
#define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v);
return ok;
}
+#endif /* TARGET_OS_IOS */
+
+
// MARK: -
// MARK: Keychain backup
bool _SecServerTransmogrifyToSystemKeychain(SecurityClient *client, CFErrorRef *error);
bool _SecServerTransmogrifyToSyncBubble(CFArrayRef services, uid_t uid, SecurityClient *client, CFErrorRef *error);
bool _SecServerDeleteMUSERViews(SecurityClient *client, uid_t uid, CFErrorRef *error);
-#endif
bool _SecAddSharedWebCredential(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error);
bool _SecCopySharedWebCredential(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error);
+#endif /* TARGET_OS_IOS */
// Hack to log objects from inside SOS code
void SecItemServerAppendItemDescription(CFMutableStringRef desc, CFDictionaryRef object);
{
keybag_handle_t handle = bad_keybag_handle;
keybag_handle_t special_handle = bad_keybag_handle;
-#if TARGET_OS_MAC && !TARGET_OS_EMBEDDED
+#if TARGET_OS_OSX
special_handle = session_keybag_handle;
#elif TARGET_OS_EMBEDDED
special_handle = device_keybag_handle;
+#else
+#error "supported keybag target"
#endif
+
kern_return_t kr = aks_get_system(special_handle, &handle);
if (kr != kIOReturnSuccess) {
#if TARGET_OS_EMBEDDED
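Review bot: The fallback `#error "supported keybag target"` says the opposite of what it means, since a build that reaches it is on a target with no keybag handle defined. `#error "unsupported keybag target"` makes the compiler output readable. The enclosing function starts and ends outside the visible lines.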
}
}
+#define MAX_OCSP_RESPONDERS 3
+#define OCSP_REQUEST_THRESHOLD 10
+
/* Return the next responder we should contact for this rvc or NULL if we
exhausted them all. */
static CFURLRef SecORVCGetNextResponder(SecORVCRef rvc) {
CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert);
if (ocspResponders) {
CFIndex responderCount = CFArrayGetCount(ocspResponders);
- while (rvc->responderIX < responderCount) {
+ if (responderCount >= OCSP_REQUEST_THRESHOLD) {
+ secnotice("rvc", "too many ocsp responders (%ld)", (long)responderCount);
+ return NULL;
+ }
+ while (rvc->responderIX < responderCount && rvc->responderIX < MAX_OCSP_RESPONDERS) {
CFURLRef responder = CFArrayGetValueAtIndex(ocspResponders, rvc->responderIX);
rvc->responderIX++;
CFStringRef scheme = CFURLCopyScheme(responder);
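Review bot: With the new threshold, SecORVCGetNextResponder returns NULL for a certificate that lists `OCSP_REQUEST_THRESHOLD` or more responders. By the function's own comment that is the same value as "exhausted them all", so no OCSP request is made for that certificate; SecCRVCGetNextDistributionPoint does the same for CRL distribution points. Whether this ends as a revocation failure or a silent skip depends on callers outside these hunks, so confirm that a policy requiring a revocation response still fails in that case. A comment on the defines would record the intent, for example `/* at most MAX_OCSP_RESPONDERS are contacted; a certificate listing OCSP_REQUEST_THRESHOLD or more is not checked at all */`. Both function bodies continue past the visible lines.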
// nothing yet
}
+#define MAX_CRL_DPS 3
+#define CRL_REQUEST_THRESHOLD 10
+
static CFURLRef SecCRVCGetNextDistributionPoint(SecCRVCRef rvc) {
SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX);
CFArrayRef crlDPs = SecCertificateGetCRLDistributionPoints(cert);
if (crlDPs) {
CFIndex crlDPCount = CFArrayGetCount(crlDPs);
- while (rvc->distributionPointIX < crlDPCount) {
+ if (crlDPCount >= CRL_REQUEST_THRESHOLD) {
+ secnotice("rvc", "too many CRL DP entries (%ld)", (long)crlDPCount);
+ return NULL;
+ }
+ while (rvc->distributionPointIX < crlDPCount && rvc->distributionPointIX < MAX_CRL_DPS) {
CFURLRef distributionPoint = CFArrayGetValueAtIndex(crlDPs, rvc->distributionPointIX);
rvc->distributionPointIX++;
CFStringRef scheme = CFURLCopyScheme(distributionPoint);
policy_tree_prune(&pvc->valid_policy_tree);
}
pvc->policyIX = 0;
- pvc->result = true;
+
+ /* Since we don't run the LeafChecks again, we need to preserve the
+ * result the leaf had. */
+ pvc->result = (details) ? (CFDictionaryGetCount(CFArrayGetValueAtIndex(details, 0)) == 0)
+ : true;
}
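Review bot: `CFArrayGetValueAtIndex(details, 0)` is reached whenever `details` is non-NULL, but nothing visible in the hunk guarantees the array has an element, and indexing an empty CFArray is out of range. If `details` can be empty here, guard it: `pvc->result = (details && CFArrayGetCount(details) > 0) ? (CFDictionaryGetCount(CFArrayGetValueAtIndex(details, 0)) == 0) : true;`. The enclosing function starts outside the hunk, so `details` may already be sized to the path length; a comment saying so would settle it.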
SecPolicyRef SecPVCGetPolicy(SecPVCRef pvc) {
tmpStringValue = CFStringCreateCopy(NULL, stringValue);
}
if (policyIX >= 0 && policyIX < CFArrayGetCount(pvc->policies)) {
- SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, policyIX);
+ SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, policyIX);
/* Have to look for all the possible locations of name string */
CFStringRef policyString = NULL;
policyString = CFDictionaryGetValue(policy->_options, kSecPolicyCheckSSLHostname);
return shouldDeny;
}
+#define kSecPolicySHA256Size 32
+static const UInt8 kTestDateConstraintsRoot[kSecPolicySHA256Size] = {
+ 0x51,0xA0,0xF3,0x1F,0xC0,0x1D,0xEC,0x87,0x32,0xB6,0xFD,0x13,0x6A,0x43,0x4D,0x6C,
+ 0x87,0xCD,0x62,0xE0,0x38,0xB4,0xFB,0xD6,0x40,0xB0,0xFD,0x62,0x4D,0x1F,0xCF,0x6D
+};
+static const UInt8 kWS_CA1_G2[kSecPolicySHA256Size] = {
+ 0xD4,0x87,0xA5,0x6F,0x83,0xB0,0x74,0x82,0xE8,0x5E,0x96,0x33,0x94,0xC1,0xEC,0xC2,
+ 0xC9,0xE5,0x1D,0x09,0x03,0xEE,0x94,0x6B,0x02,0xC3,0x01,0x58,0x1E,0xD9,0x9E,0x16
+};
+static const UInt8 kWS_CA1_NEW[kSecPolicySHA256Size] = {
+ 0x4B,0x22,0xD5,0xA6,0xAE,0xC9,0x9F,0x3C,0xDB,0x79,0xAA,0x5E,0xC0,0x68,0x38,0x47,
+ 0x9C,0xD5,0xEC,0xBA,0x71,0x64,0xF7,0xF2,0x2D,0xC1,0xD6,0x5F,0x63,0xD8,0x57,0x08
+};
+static const UInt8 kWS_CA2_NEW[kSecPolicySHA256Size] = {
+ 0xD6,0xF0,0x34,0xBD,0x94,0xAA,0x23,0x3F,0x02,0x97,0xEC,0xA4,0x24,0x5B,0x28,0x39,
+ 0x73,0xE4,0x47,0xAA,0x59,0x0F,0x31,0x0C,0x77,0xF4,0x8F,0xDF,0x83,0x11,0x22,0x54
+};
+static const UInt8 kWS_ECC[kSecPolicySHA256Size] = {
+ 0x8B,0x45,0xDA,0x1C,0x06,0xF7,0x91,0xEB,0x0C,0xAB,0xF2,0x6B,0xE5,0x88,0xF5,0xFB,
+ 0x23,0x16,0x5C,0x2E,0x61,0x4B,0xF8,0x85,0x56,0x2D,0x0D,0xCE,0x50,0xB2,0x9B,0x02
+};
+static const UInt8 kSC_SFSCA[kSecPolicySHA256Size] = {
+ 0xC7,0x66,0xA9,0xBE,0xF2,0xD4,0x07,0x1C,0x86,0x3A,0x31,0xAA,0x49,0x20,0xE8,0x13,
+ 0xB2,0xD1,0x98,0x60,0x8C,0xB7,0xB7,0xCF,0xE2,0x11,0x43,0xB8,0x36,0xDF,0x09,0xEA
+};
+static const UInt8 kSC_SHA2[kSecPolicySHA256Size] = {
+ 0xE1,0x78,0x90,0xEE,0x09,0xA3,0xFB,0xF4,0xF4,0x8B,0x9C,0x41,0x4A,0x17,0xD6,0x37,
+ 0xB7,0xA5,0x06,0x47,0xE9,0xBC,0x75,0x23,0x22,0x72,0x7F,0xCC,0x17,0x42,0xA9,0x11
+};
+static const UInt8 kSC_G2[kSecPolicySHA256Size] = {
+ 0xC7,0xBA,0x65,0x67,0xDE,0x93,0xA7,0x98,0xAE,0x1F,0xAA,0x79,0x1E,0x71,0x2D,0x37,
+ 0x8F,0xAE,0x1F,0x93,0xC4,0x39,0x7F,0xEA,0x44,0x1B,0xB7,0xCB,0xE6,0xFD,0x59,0x95
+};
+
+bool SecPVCCheckIssuerDateConstraints(SecPVCRef pvc) {
+ static CFSetRef sConstrainedRoots = NULL;
+ static dispatch_once_t _t;
+ dispatch_once(&_t, ^{
+ const UInt8 *v_hashes[] = {
+ kWS_CA1_G2, kWS_CA1_NEW, kWS_CA2_NEW, kWS_ECC,
+ kSC_SFSCA, kSC_SHA2, kSC_G2, kTestDateConstraintsRoot
+ };
+ CFMutableSetRef set = CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks);
+ CFIndex ix, count = sizeof(v_hashes)/sizeof(*v_hashes);
+ for (ix=0; ix<count; ix++) {
+ CFDataRef hash = CFDataCreateWithBytesNoCopy(NULL, v_hashes[ix],
+ kSecPolicySHA256Size, kCFAllocatorNull);
+ if (hash) {
+ CFSetAddValue(set, hash);
+ CFRelease(hash);
+ }
+ }
+ sConstrainedRoots = set;
+ });
+
+ bool shouldDeny = false;
+ CFIndex certIX, certCount = SecCertificatePathGetCount(pvc->path);
+ for (certIX = certCount - 1; certIX >= 0 && !shouldDeny; certIX--) {
+ SecCertificateRef cert = SecCertificatePathGetCertificateAtIndex(pvc->path, certIX);
+ CFDataRef sha256 = SecCertificateCopySHA256Digest(cert);
+ if (sha256 && CFSetContainsValue(sConstrainedRoots, sha256)) {
+ /* matched a constrained root; check notBefore dates on all its children. */
+ CFIndex childIX = certIX;
+ while (--childIX >= 0) {
+ SecCertificateRef child = SecCertificatePathGetCertificateAtIndex(pvc->path, childIX);
+ /* 1 Dec 2016 00:00:00 GMT */
+ if (child && (CFAbsoluteTime)502243200.0 <= SecCertificateNotValidBefore(child)) {
+ SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey, certIX, kCFBooleanFalse, true);
+ shouldDeny = true;
+ break;
+ }
+ }
+ }
+ CFReleaseNull(sha256);
+ }
+ return shouldDeny;
+}
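Review bot: SecPVCCheckIssuerDateConstraints and its eight digest tables carry no comment saying what they enforce or where the digests come from, which matters for a hard-coded deny rule that later maintainers must audit. I would add a header comment stating that the path is denied when any certificate below one of the listed roots has a notBefore on or after 1 Dec 2016 00:00:00 GMT, and a one-line comment per table naming the certificate each SHA-256 digest identifies. The cutoff reads better as a named constant, `static const CFAbsoluteTime kIssuerDateConstraintNotBefore = 502243200.0; /* 1 Dec 2016 00:00:00 GMT */`. The failure is recorded under `kSecPolicyCheckBlackListedKey` at `certIX` (the constrained root) and not at the child that tripped the check; if that is intended, the comment should say so.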
+
/* AUDIT[securityd](done):
policy->_options is a caller provided dictionary, only its cf type has
been checked.
}
CFArrayRef policies = pvc->policies;
- CFIndex count = CFArrayGetCount(policies);
- for (; pvc->policyIX < count; ++pvc->policyIX) {
+ CFIndex count = CFArrayGetCount(policies);
+ for (; pvc->policyIX < count; ++pvc->policyIX) {
/* Validate all keys for all policies. */
pvc->callbacks = gSecPolicyPathCallbacks;
- SecPolicyRef policy = SecPVCGetPolicy(pvc);
+ SecPolicyRef policy = SecPVCGetPolicy(pvc);
CFDictionaryApplyFunction(policy->_options, SecPVCValidateKey, pvc);
if (!pvc->result && !pvc->details)
return completed;
- }
+ }
/* Check whether the TrustSettings say to deny a cert in the path. */
(void)SecPVCCheckUsageConstraints(pvc);
+ /* Check for issuer date constraints. */
+ (void)SecPVCCheckIssuerDateConstraints(pvc);
+
/* Check the things we can't check statically for the certificate path. */
/* Critical Extensions, chainLength. */
bool SecPVCCheckUsageConstraints(SecPVCRef pvc);
+bool SecPVCCheckIssuerDateConstraints(SecPVCRef pvc);
+
__END_DECLS
#endif /* !_SECURITY_SECPOLICYSERVER_H_ */
#include <Security/SecCertificateInternal.h>
#include <Security/SecCertificatePath.h>
#include <Security/SecFramework.h>
+#include <Security/SecPolicyPriv.h>
#include <Security/SecPolicyInternal.h>
#include <Security/SecTrustSettingsPriv.h>
+#include <Security/SecTask.h>
#include <CoreFoundation/CFRuntime.h>
#include <CoreFoundation/CFSet.h>
#include <CoreFoundation/CFString.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
+#include <sys/codesign.h>
#include <Security/SecBase.h>
#include "SecRSAKey.h"
#include <libDER/oids.h>
#include "personalization.h"
#include <utilities/SecInternalReleasePriv.h>
+#if TARGET_OS_OSX
+#include <Security/SecTaskPriv.h>
+#endif
+
/********************************************************
***************** OTA Trust support ********************
if (SecCertificatePathIsAnchored(path)) {
secdebug("trust", "Adding candidate %@", path);
CFArrayAppendValue(builder->candidatePaths, path);
- return false;
}
+ /* The path is not partial if the last cert is self-signed. */
+ if ((SecCertificatePathSelfSignedIndex(path) >= 0) &&
+ (SecCertificatePathSelfSignedIndex(path) == SecCertificatePathGetCount(path)-1)) {
+ return false;
+ }
}
return true;
}
/* Accept a partial path if certificate is on the allow list
- and is temporally valid. */
- if (completed && pvc->is_allowlisted &&
+ and is temporally valid and passed all PVC checks. */
+ if (completed && pvc->is_allowlisted && pvc->result &&
builder->bestPathScore < ACCEPT_PATH_SCORE &&
SecCertificatePathIsValid(pvc->path, pvc->verifyTime)) {
builder->bestPathScore += ACCEPT_PATH_SCORE;
return completed;
}
+
static bool SecPathBuilderReportResult(SecPathBuilderRef builder) {
SecPVCRef pvc = &builder->path;
bool haveRevocationResponse = false;
}
SecTrustResultType result = kSecTrustResultInvalid;
- if (builder->bestPathScore > ACCEPT_PATH_SCORE) {
- result = kSecTrustResultUnspecified;
- } else if (builder->denyBestPath) {
+ if (builder->denyBestPath) {
result = kSecTrustResultDeny;
+ } else if (builder->bestPathScore > ACCEPT_PATH_SCORE) {
+ result = kSecTrustResultUnspecified;
} else {
result = kSecTrustResultRecoverableTrustFailure;
}
static struct securityd spi = {
#if !TRUSTD_SERVER
+ /* Trustd must xpc to secd to use these. */
.sec_item_add = _SecItemAdd,
.sec_item_copy_matching = _SecItemCopyMatching,
.sec_item_update = _SecItemUpdate,
.sec_item_delete = _SecItemDelete,
+#if TARGET_OS_IOS
.sec_add_shared_web_credential = _SecAddSharedWebCredential,
.sec_copy_shared_web_credential = _SecCopySharedWebCredential,
+#endif
.sec_trust_store_for_domain = SecTrustStoreForDomainName,
.sec_trust_store_contains = SecTrustStoreContainsCertificateWithDigest,
.sec_trust_store_set_trust_settings = _SecTrustStoreSetTrustSettings,
.sec_trust_store_remove_certificate = SecTrustStoreRemoveCertificateWithDigest,
.sec_truststore_remove_all = _SecTrustStoreRemoveAll,
.sec_item_delete_all = _SecItemDeleteAll,
-#endif /* !TRUSTD_SERVER */
+#endif
+#if TRUSTD_SERVER || TARGET_OS_IPHONE
+ /* Local trust evaluation only occurs in trustd and iOS securityd */
.sec_trust_evaluate = SecTrustServerEvaluate,
+#endif
#if !TRUSTD_SERVER
+ /* Trustd must xpc to secd to use these. */
.sec_keychain_backup = _SecServerKeychainCreateBackup,
.sec_keychain_restore = _SecServerKeychainRestore,
.sec_keychain_backup_syncable = _SecServerBackupSyncable,
<key>ChainLength</key>
<integer>3</integer>
</dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AppleSSLPinned</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest-Test-NewOidStyle</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.63</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyPolicyName</key>
+ <string>TLSPinningTest</string>
+ <key>SecPolicyLeafMarkerOid</key>
+ <string>1.2.840.113635.100.6.27.42</string>
+ <key>SecPolicyName</key>
+ <string>tlspinningtest.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>test_new_oids</string>
+ <key>Intermediates</key>
+ <string>TestAppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-09-01T16:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ <key>EnableTestCertificates</key>
+ <string>ApplePinningAllowTestCertsTLSPinningTest</string>
+ </dict>
<dict>
<key>MajorTestName</key>
<string>AppleSSLPinned</string>
<key>MajorTestName</key>
<string>AppleSSLPinned</string>
<key>MinorTestName</key>
- <string>NegativeTest-TestHierarchy</string>
+ <string>PositiveTest-TestHierarchy</string>
<key>Policies</key>
<dict>
<key>PolicyIdentifier</key>
<key>VerifyDate</key>
<date>2016-03-01T20:00:00Z</date>
</dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>EscrowProxyCompatibility</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.73</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p97-escrowproxy.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>escrowproxy</string>
+ <key>Intermediates</key>
+ <string>AppleISTCA2G1</string>
+ <key>Anchors</key>
+ <string>GeoTrustGlobalCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>VerifyDate</key>
+ <date>2016-10-04T19:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>EscrowProxyCompatibility</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.43</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p97-escrowproxy.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>escrowproxy</string>
+ <key>Intermediates</key>
+ <string>AppleISTCA2G1</string>
+ <key>Anchors</key>
+ <string>GeoTrustGlobalCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ <key>VerifyDate</key>
+ <date>2016-10-04T19:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>EscrowProxyCompatibility</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest-TrustedIntermediate</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.73</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p97-escrowproxy.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>escrowproxy</string>
+ <key>Intermediates</key>
+ <string>AppleISTCA2G1</string>
+ <key>Anchors</key>
+ <array>
+ <string>AppleISTCA2G1</string>
+ <string>GeoTrustGlobalCA</string>
+ </array>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>VerifyDate</key>
+ <date>2016-10-04T19:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>MMCSCompatibility</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.74</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p98-content.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>mmcs</string>
+ <key>Intermediates</key>
+ <string>AppleISTCA2G1</string>
+ <key>Anchors</key>
+ <string>GeoTrustGlobalCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>VerifyDate</key>
+ <date>2016-10-04T19:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>MMCSCompatibility</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.45</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p98-content.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>mmcs</string>
+ <key>Intermediates</key>
+ <string>AppleISTCA2G1</string>
+ <key>Anchors</key>
+ <string>GeoTrustGlobalCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ <key>VerifyDate</key>
+ <date>2016-10-04T19:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>TLDWildcard</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest-CookieTLD</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.3</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>content.googleapis.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>googleapis</string>
+ <key>Intermediates</key>
+ <string>GoogleInternetAuthority</string>
+ <key>Anchors</key>
+ <string>GeoTrustGlobalCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>VerifyDate</key>
+ <date>2016-10-04T19:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>LASecureStaticIOAssets</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.75</string>
+ </dict>
+ <key>Leaf</key>
+ <string>LASecureIOStaticAssetSigning</string>
+ <key>Intermediates</key>
+ <string>AppleSystemIntegration2CA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>LASecureStaticIOAssets</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.75</string>
+ </dict>
+ <key>Leaf</key>
+ <string>LASecureIOStaticAssetSigningTest</string>
+ <key>Intermediates</key>
+ <string>TestAppleSystemIntegration2CA</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>LASecureStaticIOAssets</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.75</string>
+ </dict>
+ <key>Leaf</key>
+ <string>LASecureIOStaticAssetSigningTest</string>
+ <key>Intermediates</key>
+ <string>TestAppleSystemIntegration2CA</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ <key>EnableTestCertificates</key>
+ <string>AllowAppleTestCertificatesSecureIOStaticAsset</string>
+ </dict>
</array>
</plist>
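Review bot: The last two LASecureStaticIOAssets entries both use the MinorTestName `NegativeTest`, so a failure report cannot tell the run with `EnableTestCertificates` from the run without it. Renaming the second, for example `<string>NegativeTest-TestCertsEnabled</string>`, keeps the pair distinguishable in test output.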
TestCountEncryptKeypairRun + (TestCountEncryptRun * 6) + (1 * 1) +
TestCountEncryptKeypairRun + (TestCountEncryptRun * 7) + (1 * 0);
-static const int TestCount = TestCountEncryption;
+static void test_bad_input(NSInteger keySizeInBits, NSInteger inputSize, SecKeyAlgorithm algorithm) {
+ NSError *error;
+ NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @(keySizeInBits)};
+
+ error = nil;
+ id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
+ ok(privateKey != nil, "generate private key (error %@)", error);
+ id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));
+
+ NSData *input, *output;
+
+ error = nil;
+ input = [NSMutableData dataWithLength:inputSize];
+ output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error));
+ ok(output, "encryption succeeds at the border size %d (key=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, algorithm);
+ is((NSInteger)output.length, keySizeInBits / 8, "Unexpected output block size");
+
+ input = [NSMutableData dataWithLength:inputSize + 1];
+ output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error));
+ ok(output == nil, "encryption did not fail for border size %d (key=%dbytes, output=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, (int)output.length, algorithm);
+ is_status((OSStatus)error.code, errSecParam, "Fails with errSecParam for too long input (%@)", algorithm);
+}
+static const int TestCountBadInputSizeStep = 5;
+
+static void test_bad_input_size() {
+ test_bad_input(1024, 128, kSecKeyAlgorithmRSAEncryptionRaw);
+ test_bad_input(2048, 256, kSecKeyAlgorithmRSAEncryptionRaw);
+ test_bad_input(1024, 128 - 11, kSecKeyAlgorithmRSAEncryptionPKCS1);
+ test_bad_input(2048, 256 - 11, kSecKeyAlgorithmRSAEncryptionPKCS1);
+ test_bad_input(1024, 128 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1);
+ test_bad_input(2048, 256 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1);
+ test_bad_input(1024, 128 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256);
+ test_bad_input(2048, 256 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256);
+}
+static const int TestCountBadInputSize = TestCountBadInputSizeStep * 8;
+
+static const int TestCount =
+TestCountEncryption +
+TestCountBadInputSize;
+
int si_44_seckey_rsa(int argc, char *const *argv) {
plan_tests(TestCount);
@autoreleasepool {
test_encryption();
+ test_bad_input_size();
}
return 0;
SecDbTransactionSource source;
bool isCorrupted;
int maybeCorruptedCode;
+ bool hasIOFailure;
CFErrorRef corruptionError;
sqlite3 *handle;
// Pending deletions and additions for the current transaction
CFRelease(msg);
}
+ dbconn->hasIOFailure |= (SQLITE_IOERR == code);
+
/* If it's already corrupted, don't try to recover */
if (dbconn->isCorrupted) {
CFStringRef reason = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
return false;
}
- dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_IOERR == code) || (SQLITE_CANTOPEN == code);
+ dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_CANTOPEN == code);
if (dbconn->isCorrupted) {
/* Run integrity check and only make dbconn->isCorrupted true and
run the corruption handler if the integrity check conclusively fails. */
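Review bot: `SQLITE_IOERR == code` matches only the primary result code. If extended result codes are enabled on these connections (not visible here), I/O failures arrive as values such as `SQLITE_IOERR_READ` and `hasIOFailure` stays false, so the connection goes back into the pool. Masking first covers both cases: `dbconn->hasIOFailure |= (SQLITE_IOERR == (code & 0xff));`. The same applies to `s3e == SQLITE_IOERR` in the SecDbForEach hunk further down. The enclosing function starts and ends outside the visible lines.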
dbconn->source = NULL;
dbconn->isCorrupted = false;
dbconn->maybeCorruptedCode = 0;
+ dbconn->hasIOFailure = false;
dbconn->corruptionError = NULL;
dbconn->handle = NULL;
dbconn->changes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
secerror("Unable to create database: %@", localError);
if (localError && CFEqual(CFErrorGetDomain(localError), kSecDbErrorDomain)) {
int code = (int)CFErrorGetCode(localError);
- dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_IOERR == code) || (SQLITE_CANTOPEN == code);
+ dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_CANTOPEN == code);
}
// If the open failure isn't due to corruption, propagte the error.
ok = dbconn->isCorrupted;
SecDbRef db = dbconn->db;
secinfo("dbconn", "release %@", dbconn);
dispatch_sync(db->queue, ^{
- CFIndex count = CFArrayGetCount(db->connections);
- // Add back possible writable dbconn to the pool.
bool readOnly = SecDbConnectionIsReadOnly(dbconn);
- CFArrayInsertValueAtIndex(db->connections, readOnly ? count : 0, dbconn);
- // Remove the last (probably read-only) dbconn from the pool.
- if (count >= kSecDbMaxIdleHandles) {
- CFArrayRemoveValueAtIndex(db->connections, count);
+ if (dbconn->hasIOFailure) {
+ // Something wrong on the file layer (e.g. revoked file descriptor for networked home)
+ // so we don't trust our existing connections anymore.
+ CFArrayRemoveAllValues(db->connections);
+ } else {
+ CFIndex count = CFArrayGetCount(db->connections);
+ // Add back possible writable dbconn to the pool.
+ CFArrayInsertValueAtIndex(db->connections, readOnly ? count : 0, dbconn);
+ // Remove the last (probably read-only) dbconn from the pool.
+ if (count >= kSecDbMaxIdleHandles) {
+ CFArrayRemoveValueAtIndex(db->connections, count);
+ }
}
// Signal after we have put the connection back in the pool of connections
dispatch_semaphore_signal(readOnly ? db->read_semaphore : db->write_semaphore);
/* SecDbForEach returns true if all SQLITE_ROW returns of sqlite3_step() return true from the row block.
If the row block returns false and doesn't set an error (to indicate it has reached a limit),
this entire function returns false. In that case no error will be set. */
-bool SecDbForEach(sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index)) {
+bool SecDbForEach(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index)) {
bool result = false;
for (int row_ix = 0;;++row_ix) {
int s3e = sqlite3_step(stmt);
if (s3e == SQLITE_DONE) {
result = true;
} else {
+ dbconn->hasIOFailure |= (s3e == SQLITE_IOERR);
SecDbErrorWithStmt(s3e, stmt, error, CFSTR("step[%d]"), row_ix);
}
break;
sqlite3_stmt *SecDbCopyStmt(SecDbConnectionRef dbconn, CFStringRef sql, CFStringRef *tail, CFErrorRef *error);
bool SecDbReleaseCachedStmt(SecDbConnectionRef dbconn, CFStringRef sql, sqlite3_stmt *stmt, CFErrorRef *error);
bool SecDbWithSQL(SecDbConnectionRef dbconn, CFStringRef sql, CFErrorRef *error, bool(^perform)(sqlite3_stmt *stmt));
-bool SecDbForEach(sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index));
+bool SecDbForEach(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index));
// Mark the database as corrupted.
void SecDbCorrupt(SecDbConnectionRef dbconn, CFErrorRef error);
_kSSLSessionConfig_RC4_fallback
_kSSLSessionConfig_TLSv1_fallback
_kSSLSessionConfig_TLSv1_RC4_fallback
+_kSSLSessionConfig_3DES_fallback
+_kSSLSessionConfig_TLSv1_3DES_fallback
_kSSLSessionConfig_legacy_DHE
_kSSLSessionConfig_anonymous
MTL_ENABLE_DEBUG_INFO = YES;
ONLY_ACTIVE_ARCH = YES;
OTHER_LDFLAGS = (
- "-laks",
+ "$(APPLE_AKS_LIBRARY)",
"-lACM",
"-framework",
SystemConfiguration,
INSTALL_PATH = /AppleInternal/Tests/Security/;
MTL_ENABLE_DEBUG_INFO = NO;
OTHER_LDFLAGS = (
- "-laks",
+ "$(APPLE_AKS_LIBRARY)",
"-lACM",
"-framework",
SystemConfiguration,
argument = "secd_95_escrow_persistence"
isEnabled = "NO">
</CommandLineArgument>
+ <CommandLineArgument
+ argument = "secd_201_coders"
+ isEnabled = "NO">
+ </CommandLineArgument>
<CommandLineArgument
argument = "-v"
isEnabled = "NO">
<string>apple.co.uk</string>
<key>Result</key>
<string>kSecTrustResultRecoverableTrustFailure</string>
- <key>Reason</key>
- <string>rdar://problem/26555272</string>
</dict>
<key>Test12</key>
<dict>
goto cleanup;
}
+ if(!partitionidsinput) {
+ result = 2;
+ goto cleanup;
+ }
+
if(!password) {
char* cpassword = prompt_password(keychainName);
if (!cpassword) {
free(cpassword);
}
- if(!partitionidsinput || !password) {
- result = 2;
- goto cleanup;
- }
-
result = keychain_set_partition_list(kc, query, password, partitionidsinput);
cleanup:
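Review bot: Dropping the `!password` half of the old guard leaves `keychain_set_partition_list` reachable with a NULL `password` unless every failure on the prompt path jumps to `cleanup`. Only the `!cpassword` test is visible here, so a failed conversion of `cpassword` into `password` would no longer be caught. Keeping `if(!password) { result = 2; goto cleanup; }` directly before the call preserves both the new early `partitionidsinput` check and the old safety net. The prompted buffer is also released with a plain `free(cpassword)`; clearing it first with `memset_s(cpassword, strlen(cpassword), 0, strlen(cpassword));` avoids leaving the keychain password in freed heap memory.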
Find a generic password item.
.It Nm delete-generic-password
Delete a generic password item.
+.It Nm set-generic-password-partition-list
+Set the partition list of a generic password item.
.It Nm find-internet-password
Find an internet password item.
.It Nm delete-internet-password
Delete an internet password item.
+.It Nm set-internet-password-partition-list
+Set the partition list of a internet password item.
+.It Nm find-key
+Find keys in the keychain
+.It Nm set-key-partition-list
+Set the partition list of a key.
.It Nm find-certificate
Find a certificate item.
.It Nm find-identity
.El
.El
.It
+.Nm find-key
+.Op Ar options...
+.Op Ar keychain...
+.Bl -item -offset -indent
+Search the keychain for keys.
+.It
+.Bl -tag -compact -width -indent-indent
+.It Fl a Ar application-label
+Match "application label" string
+.It Fl c Ar creator
+Match creator (four-character code)
+.It Fl d
+Match keys that can decrypt
+.It Fl D Ar description
+Match "description" string
+.It Fl e
+Match keys that can encrypt
+.It Fl j Ar comment
+Match comment string
+.It Fl l Ar label
+Match label string
+.It Fl r
+Match keys that can derive
+.It Fl s
+Match keys that can sign
+.It Fl t Ar type
+Type of key to find: one of "symmetric", "public", or "private"
+.It Fl u
+Match keys that can unwrap
+.It Fl v
+Match keys that can verify
+.It Fl w
+Match keys that can wrap
+.El
+.El
+.It
+.Nm set-generic-password-partition-list
+.Op Fl a Ar account
+.Op Fl s Ar service
+.Op Fl S Ar <partition list (comma separated)>
+.Op Fl k Ar <keychain password>
+.Op Ar options...
+.Op Ar keychain
+.Bl -item -offset -indent
+Sets the "partition list" for a generic password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list.
+.It
+.Bl -tag -compact -width -indent-indent
+.It Fl S Ar partition-list
+Comma-separated partition list. See output of "security dump-keychain" for examples.
+.It Fl k Ar password
+Password for keychain
+.It Fl a Ar account
+Match account string
+.It Fl c Ar creator
+Match creator (four-character code)
+.It Fl C Ar type
+Match type (four-character code)
+.It Fl D Ar kind
+Match kind string
+.It Fl G Ar value
+Match value string (generic attribute)
+.It Fl j Ar comment
+Match comment string
+.It Fl l Ar label
+Match label string
+.It Fl s Ar service
+Match service string
+.El
+.El
+.It
+.Nm set-internet-password-partition-list
+.Op Fl a Ar account
+.Op Fl s Ar server
+.Op Fl S Ar <partition list (comma separated)>
+.Op Fl k Ar <keychain password>
+.Op Ar options...
+.Op Ar keychain
+.Bl -item -offset -indent
+Sets the "partition list" for an internet password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list.
+.It
+.Bl -tag -compact -width -indent-indent
+.It Fl S Ar partition-list
+Comma-separated partition list. See output of "security dump-keychain" for examples.
+.It Fl k Ar password
+Password for keychain
+.It Fl a Ar account
+Match account string
+.It Fl c Ar creator
+Match creator (four-character code)
+.It Fl C Ar type
+Match type (four-character code)
+.It Fl d Ar securityDomain
+Match securityDomain string
+.It Fl D Ar kind
+Match kind string
+.It Fl j Ar comment
+Match comment string
+.It Fl l Ar label
+Match label string
+.It Fl p Ar path
+Match path string
+.It Fl P Ar port
+Match port number
+.It Fl r Ar protocol
+Match protocol (four-character code)
+.It Fl s Ar server
+Match server string
+.It Fl t Ar authenticationType
+Match authenticationType (four-character code)
+.El
+.El
+.It
+.Nm set-key-partition-list
+.Op Fl S Ar <partition list (comma separated)>
+.Op Fl k Ar <keychain password>
+.Op Ar options...
+.Op Ar keychain
+.Bl -item -offset -indent
+Sets the "partition list" for a key. The "partition list" is an extra parameter in the ACL which limits access to the key based on an application's code signature. You must present the keychain's password to change a partition list. If you'd like to run /usr/bin/codesign with the key, "apple:" must be an element of the partition list.
+.It
+.Bl -tag -compact -width -indent-indent
+.It Fl S Ar partition-list
+Comma-separated partition list. See output of "security dump-keychain" for examples.
+.It Fl k Ar password
+Password for keychain
+.It Fl a Ar application-label
+Match "application label" string
+.It Fl c Ar creator
+Match creator (four-character code)
+.It Fl d
+Match keys that can decrypt
+.It Fl D Ar description
+Match "description" string
+.It Fl e
+Match keys that can encrypt
+.It Fl j Ar comment
+Match comment string
+.It Fl l Ar label
+Match label string
+.It Fl r
+Match keys that can derive
+.It Fl s
+Match keys that can sign
+.It Fl t Ar type
+Type of key to find: one of "symmetric", "public", or "private"
+.It Fl u
+Match keys that can unwrap
+.It Fl v
+Match keys that can verify
+.It Fl w
+Match keys that can wrap
+.El
+.El
+.It
.Nm find-certificate
.Op Fl h
.Op Fl a
" -k The password for the keychain (required)\n"
"If no keychains are specified to search, the default search list is used.\n"
"Use of the -k option is insecure. Omit it to be prompted.\n",
- "Set the partition ID list of a generic password item."},
+ "Set the partition list of a generic password item."},
{ "find-internet-password", keychain_find_internet_password,
"[-a account] [-s server] [options...] [-g] [keychain...]\n"
"If no keychains are specified to search, the default search list is used.\n"
"Use of the -k option is insecure. Omit it to be prompted.\n",
- "Set the partition ID list of a internet password item."},
+ "Set the partition list of a internet password item."},
{ "find-key", keychain_find_key,
"[options...] [keychain...]\n"
" -k password for keychain (required)\n"
"If no keychains are specified to search, the default search list is used.",
- "Set the partition ID list of a key."},
+ "Set the partition list of a key."},
{ "find-certificate", keychain_find_certificate,
"[-a] [-c name] [-e emailAddress] [-m] [-p] [-Z] [keychain...]\n"
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
+ <key>SoftResourceLimits</key>
+ <dict>
+ <key>NumberOfFiles</key>
+ <integer>2000</integer>
+ </dict>
<key>Label</key>
<string>com.apple.securityd</string>
<key>ProgramArguments</key>
rc = aks_unlock_bag(session_handle, secret, secret_len);
done:
+ syslog(LOG_NOTICE, "aks_unlock_bag result: (%ld)", (long)rc);
return rc;
}
// will end up trying to create the system keychain and causes a hang.
// Avoid this by checking for the presence of the db first.
if((!env.database) || env.database->dbVersion() < SecurityServer::CommonBlob::version_partition) {
- secnotice("integrity", "no db or old db version, skipping");
+ secinfo("integrity", "no db or old db version, skipping");
return;
}
#define AUTH_XPC_ITEM_FLAGS "_item_flags"
#define AUTH_XPC_ITEM_VALUE "_item_value"
#define AUTH_XPC_ITEM_TYPE "_item_type"
+#define AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH "_item_sensitive_value_length"
#define AUTH_XPC_REQUEST_METHOD_KEY "_agent_request_key"
#define AUTH_XPC_REQUEST_METHOD_CREATE "_agent_request_create"
size_t length;
const void *data = xpc_dictionary_get_data(item, AUTH_XPC_ITEM_VALUE, &length);
- void *dataCopy = malloc(length);
- memcpy(dataCopy, data, length);
+ void *dataCopy = 0;
+
+ // <rdar://problem/13033889> authd is holding on to multiple copies of my password in the clear
+ bool sensitive = xpc_dictionary_get_value(item, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH);
+ if (sensitive) {
+ size_t sensitiveLength = (size_t)xpc_dictionary_get_uint64(item, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH);
+ dataCopy = malloc(sensitiveLength);
+ memcpy(dataCopy, data, sensitiveLength);
+ memset_s((void *)data, length, 0, sensitiveLength); // clear the sensitive data, memset_s is never optimized away
+ length = sensitiveLength;
+ } else {
+ dataCopy = malloc(length);
+ memcpy(dataCopy, data, length);
+ }
uint64_t flags = xpc_dictionary_get_uint64(item, AUTH_XPC_ITEM_FLAGS);
AuthItemRef nextItem(name, AuthValueOverlay((uint32_t)length, dataCopy), (uint32_t)flags);
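Review bot: `sensitiveLength` is read from the message and used as the `malloc` and `memcpy` size without being compared with `length`, the size XPC actually returned for `AUTH_XPC_ITEM_VALUE`. A value larger than `length` makes `memcpy` read past the end of `data`. Reject the item, or at least clamp with `if (sensitiveLength > length) sensitiveLength = length;`, before the allocation; `memset_s` is bounded by its `length` argument, but the copy is not. Both branches also pass the `malloc` result and `data` to `memcpy` without a NULL check, and `xpc_dictionary_get_data` returns NULL when the key is missing or is not a data object. The enclosing function starts outside this hunk, so the right failure path is not visible here.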
// bump the send-rights count on the reply port so we keep the right after replying
mClientPort.modRefs(MACH_PORT_RIGHT_SEND, +1);
- secnotice("SS", "New client connection %p: %d %d", this, rPort.port(), proc.uid());
+ secinfo("SS", "New client connection %p: %d %d", this, rPort.port(), proc.uid());
}
//
Connection::~Connection()
{
- secnotice("SS", "releasing client connection %p", this);
+ secinfo("SS", "releasing client connection %p", this);
assert(!agentWait);
}
//
void Connection::guestRef(SecGuestRef newGuest, SecCSFlags flags)
{
- secnotice("SS", "Connection %p switches to guest 0x%x", this, newGuest);
+ secinfo("SS", "Connection %p switches to guest 0x%x", this, newGuest);
mGuestRef = newGuest;
}
assert(state == idle);
mClientPort.modRefs(MACH_PORT_RIGHT_SEND, -1); // discard surplus send right
assert(mClientPort.getRefs(MACH_PORT_RIGHT_SEND) == 1); // one left for final reply
- secnotice("SS", "Connection %p terminated", this);
+ secinfo("SS", "Connection %p terminated", this);
}
mClientPort.destroy(); // dead as a doornail already
switch (state) {
case idle:
- secnotice("SS", "Connection %p aborted", this);
+ secinfo("SS", "Connection %p aborted", this);
break;
case busy:
state = dying; // shoot me soon, please
- secnotice("SS", "Connection %p abort deferred (busy)", this);
+ secinfo("SS", "Connection %p abort deferred (busy)", this);
break;
default:
assert(false); // impossible (we hope)
mOverrideReturn = CSSM_OK; // clear override
break;
case busy:
- secnotice("SS", "Attempt to re-enter connection %p(port %d)", this, mClientPort.port());
+ secinfo("SS", "Attempt to re-enter connection %p(port %d)", this, mClientPort.port());
CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR); //@@@ some state-error code instead?
default:
assert(false);
state = idle;
return;
case dying:
- secnotice("SS", "Connection %p abort resuming", this);
+ secinfo("SS", "Connection %p abort resuming", this);
return;
default:
assert(false);
// if for some reason we are locked lets unlock so later we don't try and throw up SecurityAgent dialog
bool locked = false;
if ((service_client_kb_is_locked(&context, &locked, NULL) == KB_Success) && locked) {
- service_client_kb_unlock(&context, new_secret, new_secret_len);
+ rc = service_client_kb_unlock(&context, new_secret, new_secret_len);
+ if (rc != KB_Success) {
+ syslog(LOG_ERR, "Failed to unlock iCloud keychain for uid %d (%d)", context.s_uid, (int)rc);
+ }
}
}
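Review bot: Assigning the unlock result to `rc` overwrites whatever status was computed before this block. If `rc` is what the function returns (its body is outside the hunk), a secret change that succeeded would be reported as failed whenever the follow-up unlock fails. Store the result in a separate local of the same type as `rc`, for example `unlock_rc = service_client_kb_unlock(&context, new_secret, new_secret_len);`, and log `unlock_rc` instead. If propagating the unlock failure is intended, a short comment saying so would prevent the next reader from treating it as an accident.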
DbIdentifier ident(id, blob->randomSignature);
Session &session = process().session();
RefPointer<KeychainDbCommon> com;
- secnotice("kccommon", "looking for a common at %s", ident.dbName());
+ secinfo("kccommon", "looking for a common at %s", ident.dbName());
if (KeychainDbCommon::find(ident, session, com)) {
- secnotice("kccommon", "found %p", com.get());
parent(*com);
secinfo("KCdb", "joining keychain %p %s with common %p", this, (char*)this->dbName(), &common());
} else {
// DbCommon not present; make a new one
- secnotice("kccommon", "no common found");
+ secinfo("kccommon", "no common found");
parent(*com);
common().mParams = blob->params;
secinfo("KCdb", "making keychain %p %s with common %p", this, (char*)this->dbName(), &common());
for (CommonSet::const_iterator it = mCommonSet.begin(); it != mCommonSet.end(); ++it) {
if (&session == &(*it)->session() && ident == (*it)->identifier()) {
common = *it;
- secnotice("kccommon", "found a common for %s at %p", ident.dbName(), common.get());
+ secinfo("kccommon", "found a common for %s at %p", ident.dbName(), common.get());
return true;
}
}
for (CommonSet::const_iterator it = mCommonSet.begin(); it != mCommonSet.end(); ++it) {
if (&session == &(*it)->session() && ident == (*it)->identifier()) {
common = *it;
- secnotice("kccommon", "found a common for %s at %p", ident.dbName(), common.get());
+ secinfo("kccommon", "found a common for %s at %p", ident.dbName(), common.get());
return true;
}
}
common = new KeychainDbCommon(session, ident);
}
- secnotice("kccommon", "made a new common for %s at %p", ident.dbName(), common.get());
+ secinfo("kccommon", "made a new common for %s at %p", ident.dbName(), common.get());
// Can't call insert() here, because it grabs the write lock (which we have).
common->insertHoldingLock();
RefPointer<KeychainDbCommon> newCommon;
if(KeychainDbCommon::find(ident, process().session(), newCommon, CommonBlob::version_none, &src.common())) {
// A common already existed. Write over it, but note that everything may go horribly from here on out.
- secnotice("kccommon", "Found common where we didn't expect. Possible strange behavior ahead.");
+ secinfo("kccommon", "Found common where we didn't expect. Possible strange behavior ahead.");
newCommon->cloneFrom(src.common());
}
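Review bot: The blanket demotion to `secinfo` also catches `"Found common where we didn't expect. Possible strange behavior ahead."`, which reports an unexpected state rather than routine connection chatter. At info level it is likely to be missing from default logs when someone later has to explain a keychain that misbehaved after this path. Keep this call as `secnotice("kccommon", ...)`, and do the same for the identical message in the next hunk, the one that calls `cloneFrom(src.common(), requestedVersion)`. The enclosing function starts outside this hunk.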
RefPointer<KeychainDbCommon> newCommon;
if(KeychainDbCommon::find(ident, process().session(), newCommon, requestedVersion)) {
// A common already existed here. Write over it, but note that everything may go horribly from here on out.
- secnotice("kccommon", "Found common where we didn't expect. Possible strange behavior ahead.");
+ secinfo("kccommon", "Found common where we didn't expect. Possible strange behavior ahead.");
newCommon->cloneFrom(src.common(), requestedVersion);
}
newCommon->initializeKeybag();
void KeychainDatabase::makeUnlocked(const AccessCredentials *cred, bool unlockKeybag)
{
if (isLocked()) {
- secinfo("KCdb", "%p(%p) unlocking for makeUnlocked()", this, &common());
+ secnotice("KCdb", "%p(%p) unlocking for makeUnlocked()", this, &common());
assert(mBlob || (mValidData && common().hasMaster()));
establishOldSecrets(cred);
common().setUnlocked(); // mark unlocked
}
}
if (!mValidData) { // need to decode to get our ACLs, master secret available
- secinfo("KCdb", "%p(%p) is unlocked; decoding for makeUnlocked()", this, &common());
+ secnotice("KCdb", "%p(%p) is unlocked; decoding for makeUnlocked()", this, &common());
if (!decode())
CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED);
}
|| ServerChild::find<ServerChild>(this->pid())) // securityd's child; do not mark this txn dirty
VProc::Transaction::deactivate();
- secnotice("SS", "%p client new: pid:%d session:%d %s taskPort:%d uid:%d gid:%d", this, this->pid(), this->session().sessionId(),
+ secinfo("SS", "%p client new: pid:%d session:%d %s taskPort:%d uid:%d gid:%d", this, this->pid(), this->session().sessionId(),
(char *)codePath(this->processCode()).c_str(), taskPort.port(), mUid, mGid);
}
//
Process::~Process()
{
- secnotice("SS", "%p client release: %d", this, this->pid());
+ secinfo("SS", "%p client release: %d", this, this->pid());
// release our name for the process's task port
if (mTaskPort)
// unbounded time, including calls out to token daemons etc.
StLock<Mutex> serverLock(*this);
- secnotice("SSports", "port %d is dead", port.port());
-
+
// is it a connection?
PortMap<Connection>::iterator conIt = mConnections.find(port);
if (conIt != mConnections.end()) {
- secnotice("SS", "%p dead connection %d", this, port.port());
+ secinfo("SS", "%p dead connection %d", this, port.port());
RefPointer<Connection> con = conIt->second;
mConnections.erase(conIt);
serverLock.unlock();
// is it a process?
PortMap<Process>::iterator procIt = mProcesses.find(port);
if (procIt != mProcesses.end()) {
- secnotice("SS", "%p dead process %d", this, port.port());
+ secinfo("SS", "%p dead process %d", this, port.port());
RefPointer<Process> proc = procIt->second;
mPids.erase(proc->pid());
mProcesses.erase(procIt);
//
void Server::notifyNoSenders(Port port, mach_port_mscount_t)
{
- secnotice("SS", "%p dead session %d", this, port.port());
+ secinfo("SS", "%p dead session %d", this, port.port());
}
-APPLE_AKS_LIBRARY[sdk=macosx*] = -L$(SDKROOT)/usr/local/lib -laks
-APPLE_AKS_LIBRARY[sdk=iphoneos*] = -L$(SDKROOT)/usr/local/lib -laks
-APPLE_AKS_LIBRARY[sdk=watchos*] = -L$(SDKROOT)/usr/local/lib -laks
-APPLE_AKS_LIBRARY[sdk=tvos*] = -L$(SDKROOT)/usr/local/lib -laks
+APPLE_AKS_LIBRARY[sdk=macosx*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag
+APPLE_AKS_LIBRARY[sdk=iphoneos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag
+APPLE_AKS_LIBRARY[sdk=watchos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag
+APPLE_AKS_LIBRARY[sdk=tvos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag
FRAMEWORK_SEARCH_PATHS = $(inherited) $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks $(DEVELOPER_LIBRARY_DIR)