From: Apple Date: Thu, 15 Dec 2016 17:34:58 +0000 (+0000) Subject: Security-57740.31.2.tar.gz X-Git-Tag: macos-10122^0 X-Git-Url: https://git.saurik.com/apple/security.git/commitdiff_plain/b04fe171f0375ecd5d8a24747ca1dff85720a0ca Security-57740.31.2.tar.gz --- diff --git a/IDSKeychainSyncingProxy/IDSProxy.m b/IDSKeychainSyncingProxy/IDSProxy.m index c5d349f1..4ab776bc 100644 --- a/IDSKeychainSyncingProxy/IDSProxy.m +++ b/IDSKeychainSyncingProxy/IDSProxy.m @@ -44,6 +44,7 @@ #import #include +#include #include #include @@ -317,7 +318,6 @@ CFIndex SECD_RUN_AS_ROOT_ERROR = 1041; bool handledSettingID = false; handledSettingID = SOSCCSetDeviceID((__bridge CFStringRef) deviceID, &localError); if(!handledSettingID && localError != NULL){ - if(CFErrorGetCode(localError) == SECD_RUN_AS_ROOT_ERROR){ secerror("SETTING RUN AS ROOT ERROR: %@", localError); _isSecDRunningAsRoot = true; @@ -331,9 +331,12 @@ CFIndex SECD_RUN_AS_ROOT_ERROR = 1041; _doesSecDHavePeer = false; } } + else + _setIDSDeviceID = NO; + CFReleaseNull(localError); dispatch_async(queue, ^{ - done(nil, NO, handledSettingID); + done(nil, NO, YES); }); }]; } @@ -378,9 +381,6 @@ fail: _shadowDoSetIDSDeviceID = NO; - if(_setIDSDeviceID && !_isLocked && _isSecDRunningAsRoot == false && _doesSecDHavePeer) - [self doSetIDSDeviceID]; - xpc_transaction_end(); }); }); diff --git a/KVSKeychainSyncingProxy/CKDKVSProxy.h b/KVSKeychainSyncingProxy/CKDKVSProxy.h index e6f2023d..af3fd3d7 100644 --- a/KVSKeychainSyncingProxy/CKDKVSProxy.h +++ b/KVSKeychainSyncingProxy/CKDKVSProxy.h 
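Review bot: In the `-331,9 +331,12` hunk `done(nil, NO, YES)` reports the device-ID set as handled regardless of `handledSettingID`, and the new `else _setIDSDeviceID = NO;` also runs when `SOSCCSetDeviceID` returned false with a NULL `localError`, so that failure is recorded as done; the `-378,9 +381,6` hunk removes the only re-attempt (`if(_setIDSDeviceID && !_isLocked && ...) [self doSetIDSDeviceID]`), so nothing retries it. If that is intended, say so at the assignment, e.g. `else { _setIDSDeviceID = NO; // success, or a failure secd did not classify as retryable: do not re-attempt }`, and brace the `else` — as written the bare `else`, a blank line and then `CFReleaseNull(localError);` reads as if the release were conditional. Whether anything else still reads `_setIDSDeviceID` is outside these hunks.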
@@ -139,7 +139,8 @@ typedef void (^FreshnessResponseBlock)(bool success, NSError *err); - (NSMutableDictionary *)copyValues:(NSSet *)keysOfInterest; - (void) doAfterFlush: (dispatch_block_t) block; -- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout; +- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, + dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration, NSError* error))) callout; - (void) sendKeysCallout: (NSSet *(^)(NSSet* pending, NSError **error)) handleKeys; - (void)recordWriteToKVS:(NSDictionary *)values; diff --git a/KVSKeychainSyncingProxy/CKDKVSProxy.m b/KVSKeychainSyncingProxy/CKDKVSProxy.m index 213a4a27..ce02841d 100644 --- a/KVSKeychainSyncingProxy/CKDKVSProxy.m +++ b/KVSKeychainSyncingProxy/CKDKVSProxy.m @@ -37,7 +37,7 @@ #import "CKDSecuritydAccount.h" #include -#include +#include #include "SOSCloudKeychainConstants.h" @@ -84,6 +84,11 @@ static NSString *kMonitorThirdMinute = @"CThirdMinute"; static NSString *kMonitorFourthMinute = @"DFourthMinute"; static NSString *kMonitorFifthMinute = @"EFifthMinute"; static NSString *kMonitorWroteInTimeSlice = @"TimeSlice"; +const CFStringRef kSOSKVSKeyParametersKey = CFSTR(">KeyParameters"); +const CFStringRef kSOSKVSInitialSyncKey = CFSTR("^InitialSync"); +const CFStringRef kSOSKVSAccountChangedKey = CFSTR("^AccountChanged"); +const CFStringRef kSOSKVSRequiredKey = CFSTR("^Required"); +const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); #define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged" 
@@ -818,7 +823,8 @@ static NSString* asNSString(NSObject* object) { _shadowFlushBlock = block; } -- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout +- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, + dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration, NSError* error))) callout { // In CKDKVSProxy's serial queue @@ -842,7 +848,7 @@ static NSString* asNSString(NSObject* object) { _shadowSyncWithPeersPending = NO; }); - callout(myPending, mySyncWithPeersPending, myEnsurePeerRegistration, _ckdkvsproxy_queue, ^(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration) { + callout(myPending, mySyncWithPeersPending, myEnsurePeerRegistration, _ckdkvsproxy_queue, ^(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration, NSError* failure) { secdebug("event", "%@ %s%s before callout handled: %s%s", self, mySyncWithPeersPending ? "S" : "s", myEnsurePeerRegistration ? "E" : "e", handledSyncWithPeers ? "S" : "s", handledEnsurePeerRegistration ? "E" : "e"); // In CKDKVSProxy's serial queue @@ -902,6 +908,10 @@ static NSString* asNSString(NSObject* object) { dispatch_async(_calloutQueue, _shadowFlushBlock); _shadowFlushBlock = NULL; } + + if (failure) { + [self updateIsLocked]; + } xpc_transaction_end(); }); 
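Review bot: The new `if (failure) { [self updateIsLocked]; }` at the end of the callout completion fires for any non-nil NSError, not only for a locked-keychain error; the callers changed in this commit forward whatever `ensurePeerRegistration:`, `syncWithAllPeers:` or the key handler returned, so unrelated failures also trigger a lock-state re-query. If `updateIsLocked` is cheap that is acceptable, but the reason belongs in the code: `// a callout failure may mean the keychain locked underneath us; re-read the lock state`. Otherwise gate on the error domain/code before calling it. `failure` is not used for anything else in this block, and the body of `calloutWith:` continues outside the hunk.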
@@ -909,7 +919,7 @@ static NSString* asNSString(NSObject* object) { } - (void) sendKeysCallout: (NSSet *(^)(NSSet* pending, NSError** error)) handleKeys { - [self calloutWith: ^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) { + [self calloutWith: ^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool, NSError*)) { NSError* error = NULL; secnotice("CloudKeychainProxy", "send keys: %@", pending); @@ -920,7 +930,7 @@ static NSString* asNSString(NSObject* object) { secerror("%@ ensurePeerRegistration failed: %@", self, error); } - done(handled, NO, NO); + done(handled, NO, NO, error); }); }]; } @@ -928,12 +938,12 @@ static NSString* asNSString(NSObject* object) { - (void) doEnsurePeerRegistration { NSObject* accountDelegate = [self account]; - [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) { + [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool, NSError*)) { NSError* error = nil; bool handledEnsurePeerRegistration = [accountDelegate ensurePeerRegistration:&error]; secnotice("EnsurePeerRegistration", "%@ ensurePeerRegistration called, %@ (%@)", self, handledEnsurePeerRegistration ? @"success" : @"failure", error); dispatch_async(queue, ^{ - done(nil, NO, handledEnsurePeerRegistration); + done(nil, NO, handledEnsurePeerRegistration, error); }); }]; } 
@@ -941,7 +951,7 @@ static NSString* asNSString(NSObject* object) { - (void) doSyncWithAllPeers { NSObject* accountDelegate = [self account]; - [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) { + [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool, NSError*)) { NSError* error = NULL; SyncWithAllPeersReason reason = [accountDelegate syncWithAllPeers: &error]; dispatch_async(queue, ^{ @@ -963,7 +973,7 @@ static NSString* asNSString(NSObject* object) { secerror("%@ syncWithAllPeers %@, unknown reason: %d", self, error, reason); } - done(nil, handledSyncWithPeers, false); + done(nil, handledSyncWithPeers, false, error); }); }]; } diff --git a/Keychain/SyncViewController.m b/Keychain/SyncViewController.m index 20c5e490..e354d219 100644 --- a/Keychain/SyncViewController.m +++ b/Keychain/SyncViewController.m @@ -20,7 +20,6 @@ #import #import -#import #import #import "PeerListCell.h" #import diff --git a/Keychain/ToolsViewController.m b/Keychain/ToolsViewController.m index b42c91d2..9128d5da 100644 --- a/Keychain/ToolsViewController.m +++ b/Keychain/ToolsViewController.m @@ -21,7 +21,6 @@ #import #include -#include #include //#import "PeerListCell.h" diff --git a/OSX/OSX.xcodeproj/project.pbxproj b/OSX/OSX.xcodeproj/project.pbxproj index 030366f7..a7d31e3d 100644 --- a/OSX/OSX.xcodeproj/project.pbxproj +++ b/OSX/OSX.xcodeproj/project.pbxproj 
@@ -468,6 +468,9 @@ 7A21DAE619B7F27C0007D37F /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; 8E64DB4A1C17C26F0076C9DF /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; 8E64DB4B1C17C2830076C9DF /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; + 8EC74B8D1DA578EE00D7D801 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */; }; + 8EC74BB21DA57A0300D7D801 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */; }; + 8EC74BB31DA57B1000D7D801 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */; }; AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; }; AC5688BC18B4396D00F0526C /* SecCMS.h in Headers */ = {isa = PBXBuildFile; fileRef = AC5688BA18B4396D00F0526C /* SecCMS.h */; settings = {ATTRIBUTES = (Private, ); }; }; ACB6171918B5231800EBEDD7 /* libsecurity_smime_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = ACB6171818B5231800EBEDD7 /* libsecurity_smime_regressions.a */; }; 
@@ -2642,6 +2645,7 @@ 721680A8179B40F600406BB4 /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = ""; }; 721680AA179B40F600406BB4 /* iCloudStats.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = iCloudStats.1; sourceTree = ""; }; 721680BD179B4F9100406BB4 /* com.apple.iCloudStats.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.iCloudStats.plist; sourceTree = ""; }; + 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileKeyBag.framework; path = System/Library/PrivateFrameworks/MobileKeyBag.framework; sourceTree = SDKROOT; }; AC5688BA18B4396D00F0526C /* SecCMS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCMS.h; path = libsecurity_smime/lib/SecCMS.h; sourceTree = SOURCE_ROOT; }; BE48AE211ADF1DF4000836C1 /* trustd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = trustd; sourceTree = BUILT_PRODUCTS_DIR; }; BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.trustd.agent.plist; sourceTree = ""; }; @@ -2752,6 +2756,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 8EC74BB31DA57B1000D7D801 /* MobileKeyBag.framework in Frameworks */, D447C0E71D2C9C390082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */, 5E7AF49B1ACD64E600005140 /* libACM.a in Frameworks */, 187A05B1170393FF0038C158 /* libaks.a in Frameworks */, 
@@ -2843,6 +2848,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 8EC74BB21DA57A0300D7D801 /* MobileKeyBag.framework in Frameworks */, 6C721DB11D3D18D700888AE1 /* login.framework in Frameworks */, D447C0C21D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */, 5E7AF4731ACD64AC00005140 /* libACM.a in Frameworks */, @@ -2991,6 +2997,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 8EC74B8D1DA578EE00D7D801 /* MobileKeyBag.framework in Frameworks */, 6C721DD61D3D18EC00888AE1 /* login.framework in Frameworks */, D45FC3E41C9E06B500509CDA /* libSecureObjectSync.a in Frameworks */, D4DDD3D01BE3EC0300E8AE2D /* libDiagnosticMessagesClient.dylib in Frameworks */, @@ -3146,6 +3153,7 @@ 1807384D146D0D4E00F05C24 /* Frameworks */ = { isa = PBXGroup; children = ( + 8EC74B8C1DA578EE00D7D801 /* MobileKeyBag.framework */, DCA28DF61D629C6D00201446 /* libsqlite3.dylib */, 6C721DB01D3D18D700888AE1 /* login.framework */, D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */, @@ -6650,6 +6658,10 @@ ARCHS = "$(ARCHS_STANDARD)"; CLANG_ENABLE_OBJC_ARC = YES; CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/sec", @@ -6678,6 +6690,10 @@ ARCHS = "$(ARCHS_STANDARD)"; CLANG_ENABLE_OBJC_ARC = YES; CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)/sec", diff --git a/OSX/authd/authd_private.h b/OSX/authd/authd_private.h index d1a6404d..78bf06d2 100644 --- a/OSX/authd/authd_private.h +++ b/OSX/authd/authd_private.h 
@@ -59,6 +59,7 @@ extern "C" { #define AUTH_XPC_ITEM_FLAGS "_item_flags" #define AUTH_XPC_ITEM_VALUE "_item_value" #define AUTH_XPC_ITEM_TYPE "_item_type" +#define AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH "_item_sensitive_value_length" #define AUTH_XPC_REQUEST_METHOD_KEY "_agent_request_key" #define AUTH_XPC_REQUEST_METHOD_CREATE "_agent_request_create" diff --git a/OSX/authd/authitems.c b/OSX/authd/authitems.c index 4bfe9c9a..abac3452 100644 --- a/OSX/authd/authitems.c +++ b/OSX/authd/authitems.c @@ -6,6 +6,7 @@ #include "authutilities.h" #include +#include typedef struct _auth_item_s * auth_item_t; 
@@ -59,7 +60,22 @@ auth_item_copy_auth_item_xpc(auth_item_t item)
 xpc_object_t xpc_data = xpc_dictionary_create(NULL, NULL, 0);
 xpc_dictionary_set_string(xpc_data, AUTH_XPC_ITEM_NAME, item->data.name);
 if (item->data.value) {
- xpc_dictionary_set_data(xpc_data, AUTH_XPC_ITEM_VALUE, item->data.value, item->data.valueLength);
+ // authd is holding on to multiple copies of my password in the clear
+ bool sensitive = strcmp(item->data.name, "password") == 0;
+ if (sensitive) {
+ vm_address_t vmBytes = 0;
+ size_t xpcOutOfBandBlockSize = (item->data.valueLength > 32768 ? item->data.valueLength : 32768); // min 16K on 64-bit systems and 12K on 32-bit systems
+ vm_allocate(mach_task_self(), &vmBytes, xpcOutOfBandBlockSize, VM_FLAGS_ANYWHERE);
+ memcpy((void *)vmBytes, item->data.value, item->data.valueLength);
+ dispatch_data_t dispData = dispatch_data_create((void *)vmBytes, xpcOutOfBandBlockSize, DISPATCH_TARGET_QUEUE_DEFAULT, DISPATCH_DATA_DESTRUCTOR_VM_DEALLOCATE); // out-of-band mapping
+ xpc_object_t xpcData = xpc_data_create_with_dispatch_data(dispData);
+ dispatch_release(dispData);
+ xpc_dictionary_set_value(xpc_data, AUTH_XPC_ITEM_VALUE, xpcData);
+ xpc_release(xpcData);
+ xpc_dictionary_set_uint64(xpc_data, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH, item->data.valueLength);
+ } else {
+ xpc_dictionary_set_data(xpc_data, AUTH_XPC_ITEM_VALUE, item->data.value, item->data.valueLength);
+ }
 }
 xpc_dictionary_set_uint64(xpc_data, AUTH_XPC_ITEM_FLAGS, item->data.flags);
 xpc_dictionary_set_uint64(xpc_data, AUTH_XPC_ITEM_TYPE, item->type);
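Review bot: The `vm_allocate` return value is discarded; if it fails `vmBytes` is still 0 and the next line, `memcpy((void *)vmBytes, ...)`, writes the password to address 0. Check it and fall back to the inline path: `if (vm_allocate(mach_task_self(), &vmBytes, xpcOutOfBandBlockSize, VM_FLAGS_ANYWHERE) != KERN_SUCCESS) { xpc_dictionary_set_data(xpc_data, AUTH_XPC_ITEM_VALUE, item->data.value, item->data.valueLength); }` with the out-of-band branch under an `else`. The size comment says `min 16K on 64-bit systems and 12K on 32-bit systems` while the constant is 32768; reword it to say why 32768 was chosen (presumably so the block is always sent out-of-line rather than inline — confirm against libxpc) so the next reader does not "correct" it. `strcmp(item->data.name, "password")` also dereferences the name with no NULL check; whether `name` can be NULL for an item reaching this function is not visible here.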
@@ -240,14 +256,25 @@ auth_item_create_with_xpc(xpc_object_t data) item->data.name = _copy_string(xpc_dictionary_get_string(data, AUTH_XPC_ITEM_NAME)); item->data.flags = (uint32_t)xpc_dictionary_get_uint64(data, AUTH_XPC_ITEM_FLAGS); item->type = (uint32_t)xpc_dictionary_get_uint64(data, AUTH_XPC_ITEM_TYPE); - + size_t len; const void * value = xpc_dictionary_get_data(data, AUTH_XPC_ITEM_VALUE, &len); if (value) { - item->bufLen = len; - item->data.valueLength = len; - item->data.value = calloc(1u, len); - memcpy(item->data.value, value, len); + // authd is holding on to multiple copies of my password in the clear + bool sensitive = xpc_dictionary_get_value(data, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH); + if (sensitive) { + size_t sensitiveLength = (size_t)xpc_dictionary_get_uint64(data, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH); + item->bufLen = sensitiveLength; + item->data.valueLength = sensitiveLength; + item->data.value = calloc(1u, sensitiveLength); + memcpy(item->data.value, value, sensitiveLength); + memset_s((void *)value, len, 0, sensitiveLength); // clear the sensitive data, memset_s is never optimized away + } else { + item->bufLen = len; + item->data.valueLength = len; + item->data.value = calloc(1u, len); + memcpy(item->data.value, value, len); + } } done: diff --git a/OSX/authd/authorization.plist b/OSX/authd/authorization.plist index 96879f0d..9b798966 100644 --- a/OSX/authd/authorization.plist +++ b/OSX/authd/authorization.plist @@ -265,8 +265,10 @@ See remaining rules for examples. rule is-root - entitled-admin-or-authenticate-admin + entitled-admin-or-authenticate-admin-nonshared + version + 1 com.apple.SoftwareUpdate.modify-settings @@ -393,6 +395,15 @@ See remaining rules for examples. builtin:generic-unlock + com.apple.builtin.sc-kc-new-passphrase + + class + evaluate-mechanisms + mechanisms + + builtin:generic-new-passphrase + + com.apple.container-repair class 
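Review bot: `sensitiveLength` is read from the incoming XPC dictionary and used for `calloc`, `memcpy` and `memset_s` without ever being compared against `len`, the real size of the buffer `xpc_dictionary_get_data` returned; a message whose `AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH` exceeds the payload makes the `memcpy` read past the XPC buffer into the new item (`memset_s` is bounded by `len`, the `memcpy` is not). Reject such a message before the `calloc`, e.g. `if (sensitiveLength > len) { goto done; }` if `done:` can leave the item marked failed, otherwise at least clamp with `if (sensitiveLength > len) sensitiveLength = len;`. The sender in this same commit always ships a block of at least 32768 bytes, so a well-behaved peer never trips this, but `auth_item_create_with_xpc` deserializes whatever arrives. The `done:` handling and the rest of the function are outside the hunk.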
@@ -891,7 +902,7 @@ See remaining rules for examples. loginwindow:done version - 4 + 6 system.login.fus @@ -1587,6 +1598,19 @@ See remaining rules for examples. timeout 0 + authenticate-admin-nonshared + + class + user + comment + Authenticate as an administrator. + group + admin + timeout + 30 + version + 1 + authenticate-admin-30 class @@ -1761,6 +1785,30 @@ See remaining rules for examples. entitled + entitled-admin-nonshared + + class + rule + k-of-n + 2 + rule + + is-admin-nonshared + entitled + + + entitled-admin-or-authenticate-admin-nonshared + + class + rule + k-of-n + 1 + rule + + entitled-admin-nonshared + authenticate-admin-nonshared + + entitled-admin-or-authenticate-admin class @@ -1858,6 +1906,17 @@ See remaining rules for examples. shared + is-admin-nonshared + + authenticate-user + + class + user + comment + Verify that the user asking for authorization is an administrator - nonshared right. + group + admin + is-appstore authenticate-user diff --git a/OSX/authd/authutilities.c b/OSX/authd/authutilities.c index 8d5d0544..c1dac101 100644 --- a/OSX/authd/authutilities.c +++ b/OSX/authd/authutilities.c @@ -50,6 +50,7 @@ DeserializeItemSet(const xpc_object_t data) require_action(set->items != NULL, done, set->count = 0); xpc_array_apply(data, ^bool(size_t index, xpc_object_t value) { + void *dataCopy = 0; require(xpc_get_type(value) == XPC_TYPE_DICTIONARY, done); size_t nameLen = 0; const char * name = xpc_dictionary_get_string(value, AUTH_XPC_ITEM_NAME); 
@@ -63,14 +64,32 @@ DeserializeItemSet(const xpc_object_t data) set->items[index].flags = (uint32_t)xpc_dictionary_get_uint64(value, AUTH_XPC_ITEM_FLAGS); size_t len; const void * valueData = xpc_dictionary_get_data(value, AUTH_XPC_ITEM_VALUE, &len); + + // authd is holding on to multiple copies of my password in the clear + if (xpc_dictionary_get_value(value, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH) != NULL) { + size_t sensitiveLength = (size_t)xpc_dictionary_get_uint64(value, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH); + dataCopy = malloc(sensitiveLength); + require(dataCopy != NULL, done); + memcpy(dataCopy, valueData, sensitiveLength); + memset_s((void *)valueData, len, 0, sensitiveLength); // clear the sensitive data, memset_s is never optimized away + len = sensitiveLength; + } else { + dataCopy = malloc(len); + require(dataCopy != NULL, done); + memcpy(dataCopy, valueData, len); + } + set->items[index].valueLength = len; if (len) { set->items[index].value = calloc(1u, len); require(set->items[index].value != NULL, done); - memcpy(set->items[index].value, valueData, len); + memcpy(set->items[index].value, dataCopy, len); } + done: + if (dataCopy) + free(dataCopy); return true; }); } diff --git a/OSX/authd/engine.c b/OSX/authd/engine.c index 0ef521ba..4a460508 100644 --- a/OSX/authd/engine.c +++ b/OSX/authd/engine.c @@ -1091,8 +1091,10 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en if (rule && _preevaluate_rule(engine, rule)) { password_only = true; + CFReleaseSafe(rule); return false; } + CFReleaseSafe(rule); return true; }); authdb_connection_release(&dbconn); // release db handle diff --git a/OSX/config/lib.xcconfig b/OSX/config/lib.xcconfig index 467c0360..116ab911 100644 --- a/OSX/config/lib.xcconfig +++ b/OSX/config/lib.xcconfig 
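Review bot: The same unchecked length appears here: `memcpy(dataCopy, valueData, sensitiveLength)` copies a peer-supplied `sensitiveLength` bytes out of a buffer that `xpc_dictionary_get_data` sized as `len`, so add `require(sensitiveLength <= len, done);` right after reading it. The intermediate `dataCopy` is also a third plaintext copy of the secret that is `free`d at `done:` without being scrubbed, which undercuts the comment above it; add `memset_s(dataCopy, len, 0, len);` before the `free` (after the sensitive branch `len` is the size of `dataCopy` on both paths, and `dataCopy` is NULL on every other route to `done:`). The non-sensitive path now calls `memcpy(dataCopy, valueData, len)` even when `valueData` is NULL and `len` is 0, which the old `if (len)` guard avoided. `DeserializeItemSet` begins outside the hunk.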
@@ -7,6 +7,8 @@ CODE_SIGN_IDENTITY = HEADER_SEARCH_PATHS = $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../include $(BUILT_PRODUCTS_DIR)/derived_src $(BUILT_PRODUCTS_DIR) $(PROJECT_DIR)/lib $(PROJECT_DIR)/../utilities $(inherited) +FRAMEWORK_SEARCH_PATHS = $(inherited) $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks + SKIP_INSTALL = YES ALWAYS_SEARCH_USER_PATHS = YES diff --git a/OSX/lib/en.lproj/authorization.prompts.strings b/OSX/lib/en.lproj/authorization.prompts.strings index bab9a0cc..1facfb91 100644 --- a/OSX/lib/en.lproj/authorization.prompts.strings +++ b/OSX/lib/en.lproj/authorization.prompts.strings @@ -155,3 +155,6 @@ "system.preferences.continuity" = "__APPNAME__ is trying to unlock the Touch ID preferences."; "com.apple.ctkbind.admin" = "__APPNAME__ is trying to pair the current user with the SmartCard identity."; + +"com.apple.builtin.sc-kc-new-passphrase" = "The system will now create a keychain to store your secrets. Your smart card will automatically unlock it. Please choose a password that can unlock it separately. You may use your account password or pick another one. For security reasons, do not use your smart card PIN or similar text."; + diff --git a/OSX/lib/security.exp-in b/OSX/lib/security.exp-in index 8752c7d0..cade2ae3 100644 --- a/OSX/lib/security.exp-in +++ b/OSX/lib/security.exp-in @@ -1769,6 +1769,7 @@ _SecCertificatePathGetNextSourceIndex _SecCertificatePathGetRoot _SecCertificatePathGetUsageConstraintsAtIndex _SecCertificatePathHasWeakHash +_SecCertificatePathHasWeakKeySize _SecCertificatePathIsAnchored _SecCertificatePathIsValid _SecCertificatePathScore @@ -2605,6 +2606,8 @@ _kSSLSessionConfig_standard _kSSLSessionConfig_RC4_fallback _kSSLSessionConfig_TLSv1_fallback _kSSLSessionConfig_TLSv1_RC4_fallback +_kSSLSessionConfig_3DES_fallback +_kSSLSessionConfig_TLSv1_3DES_fallback _kSSLSessionConfig_legacy_DHE _kSSLSessionConfig_anonymous 
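Review bot: The export list adds `_kSSLSessionConfig_3DES_fallback` and `_kSSLSessionConfig_TLSv1_3DES_fallback`, i.e. new fallback session profiles that by name re-enable 3DES alongside the existing RC4 fallbacks; a fallback that lands on a 64-bit-block cipher is the downgrade that SWEET32-style attacks rely on. The definitions are not on this page, so confirm they are opt-in, reached only after a modern handshake has failed, and documented next to their declaration as legacy-only. Nothing in the export list itself needs to change.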
diff --git a/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp b/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp index 7ce18248..c4ab9826 100644 --- a/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp +++ b/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp @@ -190,6 +190,7 @@ void CryptKit::FEEBinaryKey::generateKeyBlob( break; default: /* not reached */ + badFormat = true; break; } diff --git a/OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c b/OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c index e3c84f90..da3050ab 100644 --- a/OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c +++ b/OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c @@ -46,6 +46,8 @@ #include +#if !SECTRUST_OSX + static CFStringRef kSecSystemTrustStoreBundlePath = CFSTR("/System/Library/Security/Certificates.bundle"); static CFURLRef SecSystemTrustStoreCopyResourceURL(CFStringRef resourceName, @@ -220,3 +222,13 @@ errout: return result; } +#else + +/* Legacy code path, only known to be used by IdentityCursorPolicyAndID::next. (rdar://28622060) */ + +CSSM_RETURN tpCheckCertificateAllowList(TPCertGroup &certGroup) { + return CSSMERR_TP_NOT_TRUSTED; +} + +#endif /* !SECTRUST_OSX */ + diff --git a/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h b/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h index 6c90551d..aeecd442 100644 --- a/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h +++ b/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h @@ -292,6 +292,8 @@ #define AGENT_HINT_LOGIN_KC_CUST_STR2 "loginKCCreate:customStr2" #define AGENT_HINT_LOGIN_KC_USER_HAS_OTHER_KCS_STR "loginKCCreate:moreThanOneKeychainExists" +#define AGENT_HINT_IGNORE_SESSION "ignore-session-state" + /* Keychain synchronization */ // iDisk keychain blob metainfo dictionary; follows "defaults" naming #define AGENT_HINT_KCSYNC_DICT "com.apple.keychainsync.dictionary" diff --git a/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp b/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp index 1930ad9c..15a6f695 100644 
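Review bot: The `/* not reached */` comment now sits directly above new code that does something, `badFormat = true;`, so the comment contradicts the line it annotates; replace it with `/* unknown format: flag it so the caller rejects the blob */`. The switch and the rest of `FEEBinaryKey::generateKeyBlob` are outside the hunk, so where `badFormat` is consumed is not visible here.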
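Review bot: The `SECTRUST_OSX` stub of `tpCheckCertificateAllowList` returns `CSSMERR_TP_NOT_TRUSTED` unconditionally, which is the right fail-closed default, but its comment only names the caller and not the policy; say it explicitly: `/* The allow list is not consulted on this path; fail closed so the caller never trusts a certificate on the strength of it. */`. `certGroup` is unused in the stub — add `(void)certGroup;` if the build warns on unused parameters.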
--- a/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp +++ b/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp @@ -82,7 +82,7 @@ DatabaseSession::DbDelete(const char *inDbName, { // The databaseManager will notify all its DbContext instances // that the database is question is being deleted. - secnotice("dbsession", "DbDelete of %s", inDbName); + secinfo("dbsession", "DbDelete of %s", inDbName); mDatabaseManager.dbDelete(*this, DbName(inDbName, CssmNetAddress::optional(inDbLocation)), inAccessCred); } @@ -97,7 +97,7 @@ DatabaseSession::DbCreate(const char *inDbName, CSSM_DB_HANDLE &outDbHandle) { outDbHandle = CSSM_INVALID_HANDLE; // CDSA 2.0 says to set this if we fail - secnotice("dbsession", "DbCreate of %s", inDbName); + secinfo("dbsession", "DbCreate of %s", inDbName); outDbHandle = insertDbContext(mDatabaseManager.dbCreate(*this, DbName(inDbName, CssmNetAddress::optional(inDbLocation)), @@ -117,7 +117,7 @@ DatabaseSession::DbOpen(const char *inDbName, CSSM_DB_HANDLE &outDbHandle) { DOCDebug("DatabaseSession::DbOpen: dbName %s", inDbName); - secnotice("dbsession", "DbOpen of %s", inDbName); + secinfo("dbsession", "DbOpen of %s", inDbName); outDbHandle = CSSM_INVALID_HANDLE; // CDSA 2.0 says to set this if we fail outDbHandle = insertDbContext(mDatabaseManager.dbOpen(*this, DbName(inDbName, CssmNetAddress::optional(inDbLocation)), diff --git a/OSX/libsecurity_cdsa_utils/lib/cuOidParser.cpp b/OSX/libsecurity_cdsa_utils/lib/cuOidParser.cpp index 7b2b7def..d52276b6 100644 --- a/OSX/libsecurity_cdsa_utils/lib/cuOidParser.cpp +++ b/OSX/libsecurity_cdsa_utils/lib/cuOidParser.cpp 
@@ -1,26 +1,26 @@ /* - * Copyright (c) 2002-2003,2011-2012,2014 Apple Inc. All Rights Reserved. - * + * Copyright (c) 2002-2003,2011-2012,2014-2016 Apple Inc. All Rights Reserved. + * * The contents of this file constitute Original Code as defined in and are * subject to the Apple Public Source License Version 1.2 (the 'License'). - * You may not use this file except in compliance with the License. + * You may not use this file except in compliance with the License. * Please obtain a copy of the License at http://www.apple.com/publicsource * and read it before using this file. - * + * * This Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights + * Please see the License for the specific language governing rights * and limitations under the License. */ - + /* - * cuOidParser.cpp - parse an Intel-style OID, with the assistance + * cuOidParser.cpp - parse an Intel-style OID, with the assistance * of dumpasn1.cfg */ - + #include #include #include @@ -45,7 +45,7 @@ static const char *CONFIG_FILE2 = CONFIG_FILE_NAME; static const char *OID_ENTRY_START = "OID = "; static const char *OID_DESCR_START = "Description = "; /* - * Read entire file with extra bytes left over in the mallocd buffer. + * Read entire file with extra bytes left over in the mallocd buffer. */ static int readFileExtra( @@ -59,7 +59,7 @@ int readFileExtra( unsigned char *buf; struct stat sb; size_t size; - + *numBytes = 0; *bytes = NULL; fd = open(fileName, O_RDONLY, 0); 
@@ -98,7 +98,7 @@ errOut: } /* - * Attempt to read dumpasn1.cfg from various places. If we can't find it, + * Attempt to read dumpasn1.cfg from various places. If we can't find it, * printOid() function will just print raw bytes as it * would if the .cfg file did not contain the desired OID. */ @@ -106,28 +106,36 @@ static CSSM_DATA_PTR readConfig() { CSSM_DATA_PTR configData = NULL; int rtn; - + configData = (CSSM_DATA_PTR)malloc(sizeof(CSSM_DATA)); if(configData == NULL) { return NULL; } /* malloc one extra byte, we'll null it later */ - rtn = readFileExtra(CONFIG_FILE1, 1, &configData->Data, + rtn = readFileExtra(CONFIG_FILE1, 1, &configData->Data, &configData->Length); if(rtn) { - rtn = readFileExtra(CONFIG_FILE2, 1, &configData->Data, + rtn = readFileExtra(CONFIG_FILE2, 1, &configData->Data, &configData->Length); } if(rtn) { - char fileName[100]; char *localBuildDir = getenv(CONFIG_FILE_ENV); if(localBuildDir == NULL) { rtn = 1; } else { - sprintf(fileName, "%s/%s", localBuildDir, CONFIG_FILE_NAME); - rtn = readFileExtra(fileName, 1, &configData->Data, - &configData->Length); + char *pathBuf = NULL; + rtn = asprintf(&pathBuf, "%s/%s", localBuildDir, CONFIG_FILE_NAME); + if (rtn < 1 || !pathBuf) { + rtn = 1; + } + else { + rtn = readFileExtra(pathBuf, 1, &configData->Data, + &configData->Length); + } + if (pathBuf) { + free(pathBuf); + } } } if(rtn == 0) { 
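Review bot: On `asprintf` failure the contents of `pathBuf` are undefined per the BSD manual, yet the trailing `if (pathBuf) { free(pathBuf); }` still runs, so the failure branch should reset it: `if (rtn < 1 || !pathBuf) { pathBuf = NULL; rtn = 1; }`. The FreeBSD-derived libc does null the pointer on failure, but that is an implementation detail rather than the contract. The switch from the fixed `fileName[100]` to `asprintf` otherwise closes the overflow from a long `CONFIG_FILE_ENV` value; `readConfig` continues outside the hunk.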
@@ -142,17 +150,17 @@ static CSSM_DATA_PTR readConfig() } /* - * The heart of this module. + * The heart of this module. * - * -- Convert Intel-style OID to a string which might be found + * -- Convert Intel-style OID to a string which might be found * in the config file * -- search config file for that string * -- if found, use that entry in config file to output meaningful * string and return CSSM_TRUE. Else return CSSM_FALSE. */ static CSSM_BOOL parseOidWithConfig( - const CSSM_DATA_PTR configData, - const CSSM_OID_PTR oid, + const CSSM_DATA_PTR configData, + const CSSM_OID_PTR oid, char *strBuf) { char *fullOidStr = NULL; @@ -166,13 +174,13 @@ static CSSM_BOOL parseOidWithConfig( char *nextNl; // next NL if any char *eol; // end of line int len; - + if(configData == NULL) { return CSSM_FALSE; } - + /* cook up a full OID string, with tag and length */ - fullOidStr = (char *)malloc((3 * oid->Length) + + fullOidStr = (char *)malloc((3 * oid->Length) + // 2 chars plus space per byte strlen(OID_ENTRY_START) + // "OID = " 6 + // 06 xx - tag and length @@ -181,7 +189,7 @@ static CSSM_BOOL parseOidWithConfig( return CSSM_FALSE; } /* subsequent errors to errOut: */ - + sprintf(fullOidStr, "OID = 06 %02X", (unsigned)oid->Length); cp = fullOidStr + strlen(fullOidStr); for(i=0; iLength; i++) { 
@@ -190,24 +198,24 @@ static CSSM_BOOL parseOidWithConfig( /* add one byte */ sprintf(cp, " %02X", oid->Data[i]); } - - /* + + /* * Let's play it loose and assume that there are no embedded NULLs * in the config file. Thus we can use the spiffy string functions - * in stdlib. + * in stdlib. */ ourEntry = strstr((char *)configData->Data, fullOidStr); if(ourEntry == NULL) { brtn = CSSM_FALSE; goto errOut; } - + /* get position of NEXT full entry - may be NULL (end of file) */ nextEntry = strstr(ourEntry+1, OID_ENTRY_START); - + /* get position of our entry's description line */ descStart = strstr(ourEntry+1, OID_DESCR_START); - + /* handle not found/overflow */ if( (descStart == NULL) || // no more description lines ( (descStart > nextEntry) && // no description in THIS entry @@ -215,13 +223,13 @@ static CSSM_BOOL parseOidWithConfig( brtn = CSSM_FALSE; goto errOut; } - + /* set descStart to after the leader */ descStart += strlen(OID_DESCR_START); - - /* + + /* * descStart points to the text we're interested in. - * First find end of line, any style. + * First find end of line, any style. */ nextNl = strchr(descStart, '\n'); nextCr = strchr(descStart, '\r'); @@ -242,7 +250,7 @@ static CSSM_BOOL parseOidWithConfig( else { eol = nextCr; } - + /* caller's string buf = remainder of description line */ len = (int)(eol - descStart); if(len > (OID_PARSER_STRING_SIZE - 1)) { @@ -251,7 +259,7 @@ static CSSM_BOOL parseOidWithConfig( } memcpy(strBuf, descStart, len); strBuf[len] = '\0'; - brtn = CSSM_TRUE; + brtn = CSSM_TRUE; errOut: if(fullOidStr != NULL) { free(fullOidStr); @@ -291,10 +299,10 @@ void OidParser::oidParse( { unsigned i; CSSM_OID oid; - + oid.Data = (uint8 *)oidp; oid.Length = oidLen; - + if((oidLen == 0) || (oidp == NULL)) { strcpy(strBuf, "EMPTY"); return; 
@@ -302,7 +310,7 @@ void OidParser::oidParse( if(parseOidWithConfig(configData, &oid, strBuf) == CSSM_FALSE) { /* no config file, just dump the bytes */ char cbuf[8]; - + sprintf(strBuf, "OID : < 06 %02X ", (unsigned)oid.Length); for(i=0; i temp(new AtomicTempFile(*this, lock, mode)); - secnotice("atomicfile", "%p created %s", this, path); + secinfo("atomicfile", "%p created %s", this, path); return temp; } catch (...) @@ -202,7 +202,7 @@ AtomicFile::mode() const if (::stat(path, &st) == -1) { int error = errno; - secnotice("atomicfile", "stat %s: %s", path, strerror(error)); + secinfo("atomicfile", "stat %s: %s", path, strerror(error)); UnixError::throwMe(error); } return st.st_mode; @@ -397,7 +397,7 @@ AtomicBufferedFile::~AtomicBufferedFile() if (mBuffer) { - secnotice("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); + secinfo("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); unloadBuffer(); } } @@ -419,7 +419,7 @@ AtomicBufferedFile::open() if (mFileRef == -1) { int error = errno; - secnotice("atomicfile", "open %s: %s", path, strerror(error)); + secinfo("atomicfile", "open %s: %s", path, strerror(error)); // Do the obvious error code translations here. // @@@ Consider moving these up a level. @@ -440,7 +440,7 @@ AtomicBufferedFile::open() else { int error = errno; - secnotice("atomicfile", "lseek(%s, END): %s", path, strerror(error)); + secinfo("atomicfile", "lseek(%s, END): %s", path, strerror(error)); AtomicFile::rclose(mFileRef); mFileRef = -1; UnixError::throwMe(error); @@ -471,7 +471,7 @@ AtomicBufferedFile::loadBuffer() mBuffer = new uint8[mLength]; if(lseek(mFileRef, 0, SEEK_SET) < 0) { int error = errno; - secnotice("atomicfile", "lseek(%s, BEGINNING): %s", mPath.c_str(), strerror(error)); + secinfo("atomicfile", "lseek(%s, BEGINNING): %s", mPath.c_str(), strerror(error)); UnixError::throwMe(error); } ssize_t pos = 0; 
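Review bot: The failure branches in the AtomicFile hunks here — the `stat`, `open`, `lseek(END)` and `lseek(BEGINNING)` paths that log `strerror(error)` immediately before `UnixError::throwMe(error)` — are downgraded from `secnotice` to `secinfo` together with the success chatter, which takes filesystem failures on keychain files out of the level that incident triage normally has available. The same applies to the `read(%s, %zd)` failure on the next line, while the `create %s: %s` failure there stays at `secnotice`, so the error paths now log at two different levels. Suggest keeping every `strerror`-bearing branch at `secnotice` and reserving `secinfo` for the created/allocated/fsynced/free messages, e.g. `secnotice("atomicfile", "open %s: %s", path, strerror(error));`. Each of these functions continues outside its hunk.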
@@ -485,7 +485,7 @@ AtomicBufferedFile::loadBuffer() if (errno != EINTR) { int error = errno; - secnotice("atomicfile", "read(%s, %zd): %s", mPath.c_str(), bytesToRead, strerror(error)); + secinfo("atomicfile", "read(%s, %zd): %s", mPath.c_str(), bytesToRead, strerror(error)); if (mFileRef >= 0) { AtomicFile::rclose(mFileRef); mFileRef = -1; @@ -514,20 +514,20 @@ AtomicBufferedFile::read(off_t inOffset, off_t inLength, off_t &outLength) { if (mFileRef < 0) { - secnotice("atomicfile", "read %s: file yet not opened, opening", mPath.c_str()); + secinfo("atomicfile", "read %s: file yet not opened, opening", mPath.c_str()); open(); } off_t bytesLeft = inLength; if (mBuffer) { - secnotice("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); + secinfo("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); unloadBuffer(); } loadBuffer(); - secnotice("atomicfile", "%p allocated %s buffer %p size %qd", this, mPath.c_str(), mBuffer, bytesLeft); + secinfo("atomicfile", "%p allocated %s buffer %p size %qd", this, mPath.c_str(), mBuffer, bytesLeft); off_t maxEnd = inOffset + inLength; if (maxEnd > mLength) @@ -625,7 +625,7 @@ AtomicTempFile::create(mode_t mode) if (mFileRef == -1) { int error = errno; - secnotice("atomicfile", "open %s: %s", path, strerror(error)); + secnotice("atomicfile", "create %s: %s", path, strerror(error)); // Do the obvious error code translations here. // @@@ Consider moving these up a level. @@ -752,7 +752,7 @@ AtomicTempFile::fsync() UnixError::throwMe(error); } - secnotice("atomicfile", "%p fsynced %s", this, mPath.c_str()); + secinfo("atomicfile", "%p fsynced %s", this, mPath.c_str()); } } 
@@ -1112,7 +1112,7 @@ NetworkFileLocker::lock(mode_t mode) else doSyslog = true; - secnotice("atomicfile", "Locking %s", path); /* in order to cater for clock skew: get */ + secinfo("atomicfile", "Locking %s", path); /* in order to cater for clock skew: get */ if (!xcreat(path, mode, t)) /* time t from the filesystem */ { /* lock acquired, hurray! */ diff --git a/OSX/libsecurity_keychain/lib/CCallbackMgr.cp b/OSX/libsecurity_keychain/lib/CCallbackMgr.cp index e85f9c05..3eedfb2f 100644 --- a/OSX/libsecurity_keychain/lib/CCallbackMgr.cp +++ b/OSX/libsecurity_keychain/lib/CCallbackMgr.cp @@ -320,6 +320,7 @@ void CCallbackMgr::consume (SecurityServer::NotificationDomain domain, SecurityS StLock_(*globals().storageManager.getStorageManagerMutex()); DLDbIdentifier dbid = NameValueDictionary::MakeDLDbIdentifierFromNameValueDictionary(dictionary); thisKeychain = globals().storageManager.keychain(dbid); + globals().storageManager.tickleKeychain(thisKeychain); } const NameValuePair* item = dictionary.FindByName(ITEM_KEY); diff --git a/OSX/libsecurity_keychain/lib/Item.cpp b/OSX/libsecurity_keychain/lib/Item.cpp index 07907423..2c571084 100644 --- a/OSX/libsecurity_keychain/lib/Item.cpp +++ b/OSX/libsecurity_keychain/lib/Item.cpp @@ -470,8 +470,6 @@ void ItemImpl::computeDigestFromDictionary(CssmOwnedData &sha2, DbAttributes* db } void ItemImpl::addIntegrity(Access &access, bool force) { - secnotice("integrity", "called"); - if(!force && (!mKeychain || !mKeychain->hasIntegrityProtection())) { secnotice("integrity", "skipping integrity add due to keychain version\n"); return; @@ -881,8 +879,6 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer AclFactory aclFactory; const AccessCredentials *nullCred = aclFactory.nullCred(); - secnotice("integrity", "called"); - bool haveOldUniqueId = !!mUniqueId.get(); SSDbUniqueRecord ssUniqueId(NULL); SSGroup ssGroup(NULL); 
@@ -1318,6 +1314,8 @@ void ItemImpl::modifyContent(const SecKeychainAttributeList *attrList, UInt32 dataLength, const void *inData) { StLock_(mMutex); + unique_ptr __(mKeychain == NULL ? NULL : new StReadWriteLock(*(mKeychain->getKeychainReadWriteLock()), StReadWriteLock::Write)); + if (!mDbAttributes.get()) { mDbAttributes.reset(new DbAttributes()); diff --git a/OSX/libsecurity_keychain/lib/KCCursor.cpp b/OSX/libsecurity_keychain/lib/KCCursor.cpp index b252dd9c..d6b6e332 100644 --- a/OSX/libsecurity_keychain/lib/KCCursor.cpp +++ b/OSX/libsecurity_keychain/lib/KCCursor.cpp @@ -61,8 +61,7 @@ KCCursorImpl::KCCursorImpl(const StorageManager::KeychainList &searchList, SecIt mAllFailed(true), mDeleteInvalidRecords(false), mIsNewKeychain(true), - mMutex(Mutex::recursive), - mKeychainReadLock(NULL) + mMutex(Mutex::recursive) { recordType(Schema::recordTypeFor(itemClass)); @@ -119,8 +118,7 @@ KCCursorImpl::KCCursorImpl(const StorageManager::KeychainList &searchList, const mAllFailed(true), mDeleteInvalidRecords(false), mIsNewKeychain(true), - mMutex(Mutex::recursive), - mKeychainReadLock(NULL) + mMutex(Mutex::recursive) { if (!attrList) // No additional selectionPredicates: we are done return; @@ -174,9 +172,6 @@ KCCursorImpl::KCCursorImpl(const StorageManager::KeychainList &searchList, const KCCursorImpl::~KCCursorImpl() throw() { - if(mKeychainReadLock) { - delete mKeychainReadLock; - } } //static ModuleNexus gActivationMutex; @@ -226,6 +221,10 @@ KCCursorImpl::next(Item &item) } Keychain &kc = *mCurrent; + + // Grab a read lock on the keychain + StReadWriteLock __(*(kc->getKeychainReadWriteLock()), StReadWriteLock::Read); + Mutex* mutex = kc->getKeychainMutex(); StLock _(*mutex); @@ -322,7 +321,6 @@ KCCursorImpl::next(Item &item) } } } - // release the Keychain lock before checking item integrity to avoid deadlock item = tempItem; 
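Review bot: In `ItemImpl::modifyContent` the keychain write lock is acquired after `StLock_(mMutex)` has already taken the item's own mutex, whereas `KeychainImpl::add`, `addCopy` and `deleteItem` (later in this diff) take the keychain write lock first and then operate on the item; if those item operations take the item mutex, the two acquisition orders invert and can deadlock under concurrent use, so consider taking the keychain lock before `StLock_(mMutex)` here and documenting the intended order on the class. Separately, `__` is not a legal user identifier in C++ (names containing a double underscore are reserved to the implementation); the same `StReadWriteLock __(...)` appears in the `KCCursorImpl::next` hunk on this line, so something like `kcWriteLock` / `kcReadLock` would be safer and more readable. The `mKeychain == NULL ? NULL : new StReadWriteLock(...)` expression also deserves a one-line comment, e.g. `// Items not yet in a keychain have nothing to lock; otherwise serialize against readers/writers of the keychain`. `modifyContent` continues past the end of this hunk.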
@@ -370,18 +368,9 @@ void KCCursorImpl::newKeychain(StorageManager::KeychainList::iterator kcIter) { return; } - // Always lose the last keychain's lock - if(mKeychainReadLock) { - delete mKeychainReadLock; - mKeychainReadLock = NULL; - } - if(kcIter != mSearchList.end()) { (*kcIter)->performKeychainUpgradeIfNeeded(); (*kcIter)->tickle(); - - // Grab a read lock on the keychain - mKeychainReadLock = new StReadWriteLock(*((*kcIter)->getKeychainReadWriteLock()), StReadWriteLock::Read); } // Mark down that this function has been called diff --git a/OSX/libsecurity_keychain/lib/KCCursor.h b/OSX/libsecurity_keychain/lib/KCCursor.h index de0fe7a3..91027f16 100644 --- a/OSX/libsecurity_keychain/lib/KCCursor.h +++ b/OSX/libsecurity_keychain/lib/KCCursor.h @@ -73,7 +73,6 @@ private: protected: Mutex mMutex; - StReadWriteLock* mKeychainReadLock; // Call this every time we switch to a new keychain // Will: diff --git a/OSX/libsecurity_keychain/lib/KeyItem.h b/OSX/libsecurity_keychain/lib/KeyItem.h index ede8dd64..54691919 100644 --- a/OSX/libsecurity_keychain/lib/KeyItem.h +++ b/OSX/libsecurity_keychain/lib/KeyItem.h @@ -169,6 +169,7 @@ struct OpaqueSecKeyRef { const SecKeyDescriptor *key_class; SecKeyRef cdsaKey; Security::KeychainCore::KeyItem *key; + SecCredentialType credentialType; }; #endif // !_SECURITY_KEYITEM_H_ diff --git a/OSX/libsecurity_keychain/lib/Keychains.cpp b/OSX/libsecurity_keychain/lib/Keychains.cpp index 06c4bddc..4a144c56 100644 --- a/OSX/libsecurity_keychain/lib/Keychains.cpp +++ b/OSX/libsecurity_keychain/lib/Keychains.cpp @@ -739,6 +739,8 @@ KeychainImpl::authenticate(const CSSM_ACCESS_CREDENTIALS *cred) UInt32 KeychainImpl::status() const { + StLock_(mMutex); + // @@@ We should figure out the read/write status though a DL passthrough // or some other way. Also should locked be unlocked read only or just // read-only? 
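Review bot: The new `SecCredentialType credentialType;` member of `OpaqueSecKeyRef` in the KeyItem.h hunk is read on every `getCredentials` call (later in this diff) but is only visibly initialized in `SecCDSAKeyInit`; any other path that allocates this struct (a duplicate/copy path, or a non-CDSA descriptor) would hand an indeterminate value to the ACL credential lookup unless the allocation is zero-filled, so please confirm every constructor path sets it. A doc comment on the field would also help, e.g. `// Credential type used for ACL-gated operations; defaults to kSecCredentialTypeDefault, switched to kSecCredentialTypeNoUI via SecKeySetParameter(kSecUseAuthenticationUI)`.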
@@ -809,6 +811,8 @@ void KeychainImpl::completeAdd(Item &inItem, PrimaryKey &primaryKey) void KeychainImpl::addCopy(Item &inItem) { + StReadWriteLock _(mRWLock, StReadWriteLock::Write); + Keychain keychain(this); PrimaryKey primaryKey = inItem->addWithCopyInfo(keychain, true); completeAdd(inItem, primaryKey); @@ -818,6 +822,9 @@ KeychainImpl::addCopy(Item &inItem) void KeychainImpl::add(Item &inItem) { + // Make sure we hold a write lock on ourselves when we do this + StReadWriteLock _(mRWLock, StReadWriteLock::Write); + Keychain keychain(this); PrimaryKey primaryKey = inItem->add(keychain); completeAdd(inItem, primaryKey); @@ -875,6 +882,8 @@ KeychainImpl::didUpdate(const Item &inItem, PrimaryKey &oldPK, void KeychainImpl::deleteItem(Item &inoutItem) { + StReadWriteLock _(mRWLock, StReadWriteLock::Write); + { // item must be persistent if (!inoutItem->isPersistent()) @@ -1423,7 +1432,7 @@ bool KeychainImpl::performKeychainUpgradeIfNeeded() { // We only want to upgrade file-based Apple keychains. Check the GUID. if(mDb->dl()->guid() != gGuidAppleCSPDL) { - secnotice("integrity", "skipping upgrade for %s due to guid mismatch\n", mDb->name()); + secinfo("integrity", "skipping upgrade for %s due to guid mismatch\n", mDb->name()); return false; } @@ -1434,7 +1443,7 @@ bool KeychainImpl::performKeychainUpgradeIfNeeded() { // Don't upgrade the System root certificate keychain (to make old tp code happy) if(strncmp(mDb->name(), SYSTEM_ROOT_STORE_PATH, strlen(SYSTEM_ROOT_STORE_PATH)) == 0) { - secnotice("integrity", "skipping upgrade for %s\n", mDb->name()); + secinfo("integrity", "skipping upgrade for %s\n", mDb->name()); return false; } 
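Review bot: `KeychainImpl::deleteItem` now takes `mRWLock` for writing at entry, while `KCCursorImpl::next` (earlier in this diff) holds a read lock on the same keychain for the whole duration of `next()`; if `next()` still removes invalid records through `deleteItem` while that read lock is held (the cursor carries an `mDeleteInvalidRecords` flag in its constructor hunks), or if `StReadWriteLock` is not upgradeable on the same thread, the write request blocks forever. Please confirm the cursor's deletion path releases its read lock first, and record the ordering next to the lock in Keychains.h, e.g. `// Lock order: mRWLock (reader/writer) before mMutex; never request Write while this thread holds Read`. The `add` hunk carries the comment `Make sure we hold a write lock on ourselves when we do this` but `addCopy` and `deleteItem` do not; the same one-liner on each keeps the three consistent.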
@@ -1539,7 +1548,7 @@ bool KeychainImpl::performKeychainUpgradeIfNeeded() { secnotice("integrity", "Couldn't read System.keychain key, skipping update"); } } else { - secnotice("integrity", "not attempting migration for %s version %d (%d %d %d)", path.c_str(), dbBlobVersion, inHomeLibraryKeychains, endsWithKeychainDb, isSystemKeychain); + secinfo("integrity", "not attempting migration for %s version %d (%d %d %d)", path.c_str(), dbBlobVersion, inHomeLibraryKeychains, endsWithKeychainDb, isSystemKeychain); // Since we don't believe any migration needs to be done here, mark the // migration as "attempted" to short-circuit future checks. @@ -1744,6 +1753,9 @@ uint32 KeychainImpl::attemptKeychainMigration(const string oldPath, const uint32 if (cssme.osStatus() == CSSMERR_DL_RECORD_NOT_FOUND) { secnotice("integrity", "deleting corrupt (Not Found) record"); keychain->deleteItem(item); + } else if(cssme.osStatus() == CSSMERR_CSP_INVALID_KEY) { + secnotice("integrity", "deleting corrupt key record"); + keychain->deleteItem(item); } else { throw; } @@ -1889,6 +1901,8 @@ bool KeychainImpl::mayDelete() } bool KeychainImpl::hasIntegrityProtection() { + StLock_(mMutex); + // This keychain only supports integrity if there's a database attached, that database is an Apple CSPDL, and the blob version is high enough if(mDb && (mDb->dl()->guid() == gGuidAppleCSPDL)) { if(mDb->dbBlobVersion() >= SecurityServer::DbBlob::version_partition) { diff --git a/OSX/libsecurity_keychain/lib/Keychains.h b/OSX/libsecurity_keychain/lib/Keychains.h index 0e0c87f9..7667b7ae 100644 --- a/OSX/libsecurity_keychain/lib/Keychains.h +++ b/OSX/libsecurity_keychain/lib/Keychains.h @@ -317,7 +317,7 @@ private: DefaultCredentials mCustomUnlockCreds; bool mIsInBatchMode; EventBuffer *mEventBuffer; - Mutex mMutex; + mutable Mutex mMutex; // Now that we sometimes change the database object, Db object // creation/returning needs a mutex. You should only hold this if you're 
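Review bot: The new `CSSMERR_CSP_INVALID_KEY` branch in `attemptKeychainMigration` deletes a key record during migration with only the fixed message `deleting corrupt key record`, so a user or responder later has no way to tell which item the migration removed; the record identity (whatever the surrounding code has at hand for `item`, e.g. its primary key or label) should be in that `secnotice`, as should the source and destination paths if available. It would also be worth confirming, and stating in a comment, that the CSP returns this code only for structurally corrupt key blobs and not for a transient condition such as a still-locked or inaccessible key, since the branch destroys the record irrecoverably. The function continues outside the hunk.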
diff --git a/OSX/libsecurity_keychain/lib/SecBridge.h b/OSX/libsecurity_keychain/lib/SecBridge.h index 8486ad2a..7cfad673 100644 --- a/OSX/libsecurity_keychain/lib/SecBridge.h +++ b/OSX/libsecurity_keychain/lib/SecBridge.h @@ -149,7 +149,11 @@ extern "C" bool SecError(OSStatus status, CFErrorRef *error, CFStringRef format, #define END_SECKEYAPI }\ catch (const MacOSError &err) { SecError(err.osStatus(), error, CFSTR("%s"), err.what()); result = NULL; } \ -catch (const CommonError &err) { SecError(SecKeychainErrFromOSStatus(err.osStatus()), error, CFSTR("%s"), err.what()); result = NULL; } \ +catch (const CommonError &err) { \ + if (err.osStatus() != CSSMERR_CSP_INVALID_DIGEST_ALGORITHM) { \ + OSStatus status = SecKeychainErrFromOSStatus(err.osStatus()); if (status == errSecInputLengthError) status = errSecParam; \ + SecError(status, error, CFSTR("%s"), err.what()); result = NULL; } \ + } \ catch (const std::bad_alloc &) { SecError(errSecAllocate, error, CFSTR("allocation failed")); result = NULL; } \ catch (...) { SecError(errSecInternalComponent, error, CFSTR("internal error")); result = NULL; } \ return result; diff --git a/OSX/libsecurity_keychain/lib/SecCertificate.cpp b/OSX/libsecurity_keychain/lib/SecCertificate.cpp index b9086d28..ff0f1ceb 100644 --- a/OSX/libsecurity_keychain/lib/SecCertificate.cpp +++ b/OSX/libsecurity_keychain/lib/SecCertificate.cpp @@ -38,6 +38,7 @@ // %%% used by SecCertificate{Copy,Set}Preference #include #include +#include #include #include #include 
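Review bot: In the rewritten `catch (const CommonError &err)` of `END_SECKEYAPI`, a `CSSMERR_CSP_INVALID_DIGEST_ALGORITHM` error touches neither `error` nor `result`, so the wrapped function returns whatever `BEGIN_SECKEYAPI` pre-set (e.g. `kCFNull`) with no error reported; that is plausibly intended as "algorithm unsupported" for `SecCDSAKeyCopyOperationResult`, but the macro is shared by `SecCDSAKeyIsEqual` and the new `SecCDSAKeySetParameter`, where the same error would simply vanish. The intent needs a comment in the macro, e.g. `/* INVALID_DIGEST_ALGORITHM means "not supported here": leave result at its default and do not report an error */`, and the `errSecInputLengthError -> errSecParam` remapping deserves one too. Stylistically, the two statements packed onto one continuation line (`OSStatus status = ...; if (status == errSecInputLengthError) status = errSecParam;`) should be split onto separate `\`-continued lines.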
@@ -649,6 +650,24 @@ OSStatus SecCertificateFindByIssuerAndSN(CFTypeRef keychainOrArray,const CSSM_DATA *issuer, const CSSM_DATA *serialNumber, SecCertificateRef *certificate) { + if (issuer && serialNumber) { + CFRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionarySetValue(query, kSecClass, kSecClassCertificate); + CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue); + CFDictionarySetValue(query, kSecAttrNoLegacy, kCFBooleanTrue); + + CFRef issuerData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)issuer->Data, issuer->Length, kCFAllocatorNull); + CFDictionarySetValue(query, kSecAttrIssuer, issuerData); + + CFRef serialNumberData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)serialNumber->Data, serialNumber->Length, kCFAllocatorNull); + CFDictionarySetValue(query, kSecAttrSerialNumber, serialNumberData); + + OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)certificate); + if (status == errSecSuccess) { + return status; + } + } + BEGIN_SECAPI StorageManager::KeychainList keychains; 
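Review bot: The new fast path in `SecCertificateFindByIssuerAndSN` returns as soon as `SecItemCopyMatching` with `kSecAttrNoLegacy` succeeds, but that query never consults `keychainOrArray`, so a caller that scoped its lookup to specific legacy keychains can now receive a certificate from the modern keychain instead; the same pattern is in `SecCertificateFindBySubjectKeyID` and `SecCertificateFindByEmail` on the next two lines. If bypassing the caller's search list is intended, say so where the query is built, e.g. `// keychainOrArray is intentionally not applied here: the modern keychain has no search-list concept; legacy keychains are searched below only if this lookup finds nothing`; otherwise gate the fast path on `keychainOrArray == NULL`. Note also that any status other than `errSecSuccess` (including errors that are not `errSecItemNotFound`) silently falls through to the legacy search, which is reasonable but worth a comment. The function continues beyond the hunk.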
@@ -672,7 +691,22 @@ OSStatus SecCertificateFindBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID, SecCertificateRef *certificate) { - BEGIN_SECAPI + if (subjectKeyID) { + CFRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionarySetValue(query, kSecClass, kSecClassCertificate); + CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue); + CFDictionarySetValue(query, kSecAttrNoLegacy, kCFBooleanTrue); + + CFRef subjectKeyIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)subjectKeyID->Data, subjectKeyID->Length, kCFAllocatorNull); + CFDictionarySetValue(query, kSecAttrSubjectKeyID, subjectKeyIDData); + + OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)certificate); + if (status == errSecSuccess) { + return status; + } + } + + BEGIN_SECAPI StorageManager::KeychainList keychains; globals().storageManager.optionalSearchList(keychainOrArray, keychains); 
@@ -694,7 +728,26 @@ SecCertificateFindBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *sub OSStatus SecCertificateFindByEmail(CFTypeRef keychainOrArray, const char *emailAddress, SecCertificateRef *certificate) { - BEGIN_SECAPI + if (emailAddress) { + CFRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionarySetValue(query, kSecClass, kSecClassCertificate); + CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue); + CFDictionarySetValue(query, kSecAttrNoLegacy, kCFBooleanTrue); + + CFRef emailAddressString = CFStringCreateWithCString(kCFAllocatorDefault, emailAddress, kCFStringEncodingUTF8); + CFTypeRef keys[] = { kSecPolicyName }; + CFTypeRef values[] = { emailAddressString }; + CFRef properties = CFDictionaryCreate(kCFAllocatorDefault, keys, values, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFRef policy = SecPolicyCreateWithProperties(kSecPolicyAppleSMIME, properties); + CFDictionarySetValue(query, kSecMatchPolicy, policy); + + OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)certificate); + if (status == errSecSuccess) { + return status; + } + } + + BEGIN_SECAPI StorageManager::KeychainList keychains; globals().storageManager.optionalSearchList(keychainOrArray, keychains); diff --git a/OSX/libsecurity_keychain/lib/SecCertificateP.c b/OSX/libsecurity_keychain/lib/SecCertificateP.c index 611d9d57..b6f064f0 100644 --- a/OSX/libsecurity_keychain/lib/SecCertificateP.c +++ b/OSX/libsecurity_keychain/lib/SecCertificateP.c @@ -3655,6 +3655,9 @@ CFDataRef SecCertificateGetNormalizedSubjectContentP( */ CFDataRef SecCertificateCopyNormalizedIssuerSequenceP( SecCertificateRefP certificate) { + if (!certificate || !certificate->_normalizedIssuer) { + return NULL; + } DERItem tmpdi; tmpdi.data = (DERByte *)CFDataGetBytePtr(certificate->_normalizedIssuer); tmpdi.length = CFDataGetLength(certificate->_normalizedIssuer); 
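Review bot: In the new fast path of `SecCertificateFindByEmail`, `CFStringCreateWithCString(..., emailAddress, kCFStringEncodingUTF8)` returns NULL for a byte string that is not valid UTF-8, and `SecPolicyCreateWithProperties` may return NULL as well; neither result is checked before it is stored into `values[]` / passed to `CFDictionarySetValue`, and CF's type callbacks will crash on a NULL value. Because a missing `kSecMatchPolicy` would turn the query into "any certificate", the right behaviour on either NULL is to skip the fast path and fall through to the legacy search rather than to proceed with a weaker query, e.g. `if (emailAddressString && properties) { ... SecItemCopyMatching ... }` with the policy creation guarded the same way. `properties` should likewise be built only after the NULL check on `emailAddressString`. The function continues outside the hunk.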
@@ -3668,6 +3671,9 @@ CFDataRef SecCertificateCopyNormalizedIssuerSequenceP( */ CFDataRef SecCertificateCopyNormalizedSubjectSequenceP( SecCertificateRefP certificate) { + if (!certificate || !certificate->_normalizedSubject) { + return NULL; + } DERItem tmpdi; tmpdi.data = (DERByte *)CFDataGetBytePtr(certificate->_normalizedSubject); tmpdi.length = CFDataGetLength(certificate->_normalizedSubject); diff --git a/OSX/libsecurity_keychain/lib/SecItem.cpp b/OSX/libsecurity_keychain/lib/SecItem.cpp index c4f4fd3b..6dad3d2e 100644 --- a/OSX/libsecurity_keychain/lib/SecItem.cpp +++ b/OSX/libsecurity_keychain/lib/SecItem.cpp @@ -43,6 +43,7 @@ #include #include +#include #include #include @@ -50,6 +51,10 @@ #include #include +#include +#include + + const uint8_t kUUIDStringLength = 36; OSStatus SecItemAdd_osx(CFDictionaryRef attributes, CFTypeRef *result); @@ -4371,11 +4376,18 @@ SecItemCopyParentCertificates(SecCertificateRef certificate, void *context) CFDictionaryAddValue(query, kSecMatchSearchList, combinedSearchList); CFRelease(combinedSearchList); } - CFDictionaryAddValue(query, kSecAttrSubject, normalizedIssuer); - /* Get all certificates matching our query. */ CFTypeRef results = NULL; - status = SecItemCopyMatching_osx(query, &results); + if (normalizedIssuer) { + /* Look up certs whose subject is the same as this cert's issuer. */ + CFDictionaryAddValue(query, kSecAttrSubject, normalizedIssuer); + status = SecItemCopyMatching_osx(query, &results); + } + else { + /* Cannot match anything without an issuer! */ + status = errSecItemNotFound; + } + if ((status != errSecSuccess) && (status != errSecItemNotFound)) { secitemlog(LOG_WARNING, "SecItemCopyParentCertificates: %d", (int)status); } 
@@ -4680,6 +4692,33 @@ SecItemMergeResults(bool can_target_ios, OSStatus status_ios, CFTypeRef result_i } } +static bool +ShouldTryUnlockKeybag(OSErr status) +{ + static typeof(SASSessionStateForUser) *soft_SASSessionStateForUser = NULL; + static dispatch_once_t onceToken; + static void *framework; + + if (status != errSecInteractionNotAllowed) + return false; + + dispatch_once(&onceToken, ^{ + framework = dlopen("/System/Library/PrivateFrameworks/login.framework/login", RTLD_LAZY); + if (framework == NULL) + return; + soft_SASSessionStateForUser = (typeof(soft_SASSessionStateForUser)) dlsym(framework, "SASSessionStateForUser"); + }); + + if (soft_SASSessionStateForUser == NULL) + return false; + + SessionAgentState sessionState = soft_SASSessionStateForUser(getuid()); + if(sessionState != kSA_state_desktopshowing) + return false; + + return true; +} + OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result) { @@ -4705,9 +4744,10 @@ SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result) } else { status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios); - if(status_ios == errSecInteractionNotAllowed) { + if(ShouldTryUnlockKeybag(status_ios)) { // The keybag is locked. Attempt to unlock it... - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + secitemlog(LOG_WARNING, "SecItemCopyMatching triggering SecurityAgent"); + if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { CFReleaseNull(result_ios); status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios); } 
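Review bot: `ShouldTryUnlockKeybag` declares its parameter as `OSErr`, which is a 16-bit type, while every caller passes an `OSStatus` (32-bit); the comparison with `errSecInteractionNotAllowed` still works because that value fits in 16 bits, but any other 32-bit status is silently truncated on the way in, so the signature should be `static bool ShouldTryUnlockKeybag(OSStatus status)`. The function also needs a header comment stating what it decides, e.g. `// True only when the operation failed with errSecInteractionNotAllowed and the calling user's session has a desktop showing, so a SecurityAgent unlock prompt can be presented; false when login.framework cannot be loaded.` The `static void *framework` handle is never used outside the `dispatch_once` block and is never closed, so it can be a block-local variable (with a comment that the library is intentionally kept loaded).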
@@ -4765,8 +4805,9 @@ SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result) status = errSecParam; } else { status = SecItemAdd_ios(attrs_ios, &result_ios); - if(status == errSecInteractionNotAllowed) { + if(ShouldTryUnlockKeybag(status)) { // The keybag is locked. Attempt to unlock it... + secitemlog(LOG_WARNING, "SecItemAdd triggering SecurityAgent"); if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { CFReleaseNull(result_ios); status = SecItemAdd_ios(attrs_ios, &result_ios); @@ -4818,17 +4859,19 @@ SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate) else { if (SecItemHasSynchronizableUpdate(true, attributesToUpdate)) { status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false); - if(status_ios == errSecInteractionNotAllowed) { + if(ShouldTryUnlockKeybag(status_ios)) { // The keybag is locked. Attempt to unlock it... - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent"); + if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false); } } } else { status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate); - if(status_ios == errSecInteractionNotAllowed) { + if(ShouldTryUnlockKeybag(status_ios)) { // The keybag is locked. Attempt to unlock it... - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent"); + if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate); } } 
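Review bot: `SecItemAdd` still calls `SecKeychainVerifyKeyStorePassphrase(3)` after the `ShouldTryUnlockKeybag` gate, while the sibling sites in `SecItemCopyMatching` (previous line), `SecItemUpdate` (both branches here) and `SecItemUpdateTokenItems` (next line) were changed to `SecKeychainVerifyKeyStorePassphrase(1)`; unless an add is meant to give the user three unlock attempts where a read gets one, this should be `SecKeychainVerifyKeyStorePassphrase(1)` as well, or the difference should be explained in the comment above it. Each `secitemlog(LOG_WARNING, "... triggering SecurityAgent")` line is emitted before the prompt is attempted, which is the right place for it; keep that order when aligning the sites.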
@@ -4884,12 +4927,6 @@ SecItemDelete(CFDictionaryRef query) status_ios = errSecParam; } else { status_ios = SecItemDelete_ios(attrs_ios); - if(status_ios == errSecInteractionNotAllowed) { - // The keybag is locked. Attempt to unlock it... - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { - status_ios = SecItemDelete_ios(attrs_ios); - } - } CFRelease(attrs_ios); } secitemlog(LOG_NOTICE, "SecItemDelete_ios result: %d", status_ios); @@ -4917,9 +4954,10 @@ OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes) { OSStatus status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes); - if(status == errSecInteractionNotAllowed) { + if(ShouldTryUnlockKeybag(status)) { // The keybag is locked. Attempt to unlock it... - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { + secitemlog(LOG_WARNING, "SecItemUpdateTokenItems triggering SecurityAgent"); status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes); } } diff --git a/OSX/libsecurity_keychain/lib/SecKey.cpp b/OSX/libsecurity_keychain/lib/SecKey.cpp index a80fe3be..2c2bd87d 100644 --- a/OSX/libsecurity_keychain/lib/SecKey.cpp +++ b/OSX/libsecurity_keychain/lib/SecKey.cpp @@ -54,6 +54,7 @@ static OSStatus SecCDSAKeyInit(SecKeyRef key, const uint8_t *keyData, CFIndex keyDataLength, SecKeyEncoding encoding) { key->key = const_cast(reinterpret_cast(keyData)); key->key->initializeWithSecKeyRef(key); + key->credentialType = kSecCredentialTypeDefault; return errSecSuccess; } 
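Review bot: In `SecItemUpdateTokenItems` the `secitemlog(LOG_WARNING, "SecItemUpdateTokenItems triggering SecurityAgent")` is placed inside the `if` after `SecKeychainVerifyKeyStorePassphrase(1)` has already returned success, so it is written only when the prompt succeeded and after the fact, unlike the other call sites in this diff where the line precedes the call; move it above the `if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1))` line so the log records every prompt attempt, including the ones the user cancels.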
@@ -526,7 +527,7 @@ static SecKeyRef SecCDSAKeyCopyPublicKey(SecKeyRef privateKey) { static KeyItem *SecCDSAKeyPrepareParameters(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, CSSM_ALGORITHMS &baseAlgorithm, CSSM_ALGORITHMS &secondaryAlgorithm, - CSSM_ALGORITHMS &paddingAlgorithm) { + CSSM_ALGORITHMS &paddingAlgorithm, CFIndex &inputSizeLimit) { KeyItem *keyItem = key->key; CSSM_KEYCLASS keyClass = keyItem->key()->header().keyClass(); baseAlgorithm = keyItem->key()->header().algorithm(); 
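Review bot: The new out-parameter `CFIndex &inputSizeLimit` of `SecCDSAKeyPrepareParameters` has non-obvious semantics that are only recoverable from the caller: judging by the assignments in the next two hunks and the check in `SecCDSAKeyCopyOperationResult`, a value `<= 0` is an offset added to the key's block size (0 = full block, -11 = block minus PKCS#1 v1.5 overhead) while a positive value is an absolute maximum input length in bytes, and the function leaves it unassigned on every `return NULL` path. That contract should be documented at the signature, e.g. `// inputSizeLimit: maximum accepted length of the primary input; <= 0 means "key block size plus this value", > 0 is an absolute byte count. Unchanged when NULL is returned, so callers must pre-initialize it.` The function body extends well beyond this hunk.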
@@ -537,27 +538,35 @@ static KeyItem *SecCDSAKeyPrepareParameters(SecKeyRef key, SecKeyOperationType o if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureRaw)) { secondaryAlgorithm = CSSM_ALGID_NONE; paddingAlgorithm = CSSM_PADDING_NONE; + inputSizeLimit = 0; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw)) { secondaryAlgorithm = CSSM_ALGID_NONE; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = -11; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1)) { secondaryAlgorithm = CSSM_ALGID_SHA1; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = 20; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224)) { secondaryAlgorithm = CSSM_ALGID_SHA224; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = 224 / 8; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256)) { secondaryAlgorithm = CSSM_ALGID_SHA256; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = 256 / 8; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384)) { secondaryAlgorithm = CSSM_ALGID_SHA384; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = 384 / 8; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512)) { secondaryAlgorithm = CSSM_ALGID_SHA512; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = 512 / 8; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5)) { secondaryAlgorithm = CSSM_ALGID_MD5; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = 16; } else { return NULL; } 
@@ -566,9 +575,11 @@ static KeyItem *SecCDSAKeyPrepareParameters(SecKeyRef key, SecKeyOperationType o if (CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionRaw)) { secondaryAlgorithm = CSSM_ALGID_NONE; paddingAlgorithm = CSSM_PADDING_NONE; + inputSizeLimit = 0; } else if (CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionPKCS1)) { secondaryAlgorithm = CSSM_ALGID_NONE; paddingAlgorithm = CSSM_PADDING_PKCS1; + inputSizeLimit = operation == kSecKeyOperationTypeEncrypt ? -11 : 0; } else { return NULL; } 
@@ -629,21 +640,29 @@ static CFTypeRef SecCDSAKeyCopyOperationResult(SecKeyRef key, SecKeyOperationTyp CFArrayRef allAlgorithms, SecKeyOperationMode mode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { BEGIN_SECKEYAPI(CFTypeRef, kCFNull) + CFIndex inputSizeLimit = 0; CSSM_ALGORITHMS baseAlgorithm, secondaryAlgorithm, paddingAlgorithm; - KeyItem *keyItem = SecCDSAKeyPrepareParameters(key, operation, algorithm, baseAlgorithm, secondaryAlgorithm, paddingAlgorithm); + KeyItem *keyItem = SecCDSAKeyPrepareParameters(key, operation, algorithm, baseAlgorithm, secondaryAlgorithm, paddingAlgorithm, inputSizeLimit); if (keyItem == NULL) { // Operation/algorithm/key combination is not supported. return kCFNull; } else if (mode == kSecKeyOperationModeCheckIfSupported) { // Operation is supported and caller wants to just know that. return kCFBooleanTrue; + } else if (baseAlgorithm == CSSM_ALGID_RSA) { + if (inputSizeLimit <= 0) { + inputSizeLimit += SecCDSAKeyGetBlockSize(key); + } + if (CFDataGetLength((CFDataRef)in1) > inputSizeLimit) { + MacOSError::throwMe(errSecParam); + } } switch (operation) { case kSecKeyOperationTypeSign: { CssmClient::Sign signContext(keyItem->csp(), baseAlgorithm, secondaryAlgorithm); signContext.key(keyItem->key()); - signContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_SIGN, kSecCredentialTypeDefault)); + signContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_SIGN, key->credentialType)); signContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlgorithm); CFRef input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef::check(in1, errSecParam), algorithm); CssmAutoData signature(signContext.allocator()); 
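Review bot: The new RSA size check in `SecCDSAKeyCopyOperationResult` calls `CFDataGetLength((CFDataRef)in1)` before `in1` has been type-checked — the existing `CFRef::check(in1, errSecParam)` only runs later inside the `switch` — so a non-CFData or NULL `in1` now crashes instead of yielding `errSecParam`; add a guard before the length check, e.g. `if (!in1 || CFGetTypeID(in1) != CFDataGetTypeID()) MacOSError::throwMe(errSecParam);`. Also, for the digest algorithms the limit is the digest length but the comparison is `>` only, so an input shorter than the digest is still accepted here; if the CSP does not reject that itself, a PKCS#1 v1.5 signature over an undersized "digest" would be produced, which is worth confirming and noting in a comment. The function continues outside the hunk.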
@@ -654,7 +673,7 @@ static CFTypeRef SecCDSAKeyCopyOperationResult(SecKeyRef key, SecKeyOperationTyp case kSecKeyOperationTypeVerify: { CssmClient::Verify verifyContext(keyItem->csp(), baseAlgorithm, secondaryAlgorithm); verifyContext.key(keyItem->key()); - verifyContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ANY, kSecCredentialTypeDefault)); + verifyContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ANY, key->credentialType)); verifyContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlgorithm); CFRef input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef::check(in1, errSecParam), algorithm); verifyContext.verify(CssmData(CFDataRef(input)), CssmData(CFRef::check(in2, errSecParam))); @@ -665,7 +684,7 @@ static CFTypeRef SecCDSAKeyCopyOperationResult(SecKeyRef key, SecKeyOperationTyp CssmClient::Encrypt encryptContext(keyItem->csp(), baseAlgorithm); encryptContext.key(keyItem->key()); encryptContext.padding(paddingAlgorithm); - encryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ENCRYPT, kSecCredentialTypeDefault)); + encryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ENCRYPT, key->credentialType)); CFRef input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef::check(in1, errSecParam), algorithm); CssmAutoData output(encryptContext.allocator()), remainingData(encryptContext.allocator()); size_t length = encryptContext.encrypt(CssmData(CFDataRef(input)), output.get(), remainingData.get()); 
@@ -679,7 +698,7 @@ static CFTypeRef SecCDSAKeyCopyOperationResult(SecKeyRef key, SecKeyOperationTyp CssmClient::Decrypt decryptContext(keyItem->csp(), baseAlgorithm); decryptContext.key(keyItem->key()); decryptContext.padding(paddingAlgorithm); - decryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_DECRYPT, kSecCredentialTypeDefault)); + decryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_DECRYPT, key->credentialType)); CssmAutoData output(decryptContext.allocator()), remainingData(decryptContext.allocator()); size_t length = decryptContext.decrypt(CssmData(CFRef::check(in1, errSecParam)), output.get(), remainingData.get()); @@ -730,7 +749,7 @@ static CFTypeRef SecCDSAKeyCopyOperationResult(SecKeyRef key, SecKeyOperationTyp END_SECKEYAPI } -static Boolean SecCDSAIsEqual(SecKeyRef key1, SecKeyRef key2) { +static Boolean SecCDSAKeyIsEqual(SecKeyRef key1, SecKeyRef key2) { CFErrorRef *error; BEGIN_SECKEYAPI(Boolean, false) @@ -739,6 +758,19 @@ static Boolean SecCDSAIsEqual(SecKeyRef key1, SecKeyRef key2) { END_SECKEYAPI } +static Boolean SecCDSAKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) { + BEGIN_SECKEYAPI(Boolean, false) + + if (CFEqual(name, kSecUseAuthenticationUI)) { + key->credentialType = CFEqual(value, kSecUseAuthenticationUIAllow) ? kSecCredentialTypeDefault : kSecCredentialTypeNoUI; + result = true; + } else { + result = SecError(errSecUnimplemented, error, CFSTR("Unsupported parameter '%@' for SecKeyCDSASetParameter"), name); + } + + END_SECKEYAPI +} + const SecKeyDescriptor kSecCDSAKeyDescriptor = { .version = kSecKeyDescriptorVersion, .name = "CDSAKey", 
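Review bot: `SecCDSAKeySetParameter` passes `value` straight to `CFEqual(value, kSecUseAuthenticationUIAllow)` without a NULL check, and any value other than `kSecUseAuthenticationUIAllow` (including other documented `kSecUseAuthenticationUI*` values, or a non-string) is mapped to `kSecCredentialTypeNoUI`; a guard such as `if (!value) { result = SecError(errSecParam, error, CFSTR("kSecUseAuthenticationUI requires a value")); }` plus a comment stating that everything but Allow disables UI would make the contract explicit. The unimplemented-parameter message names `SecKeyCDSASetParameter` but the function is `SecCDSAKeySetParameter`; the string should match so log searches find the right code. Whether `name` can be NULL here depends on what `SecKeySetParameter` validates upstream, which is outside this hunk.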
@@ -752,7 +784,8 @@ const SecKeyDescriptor kSecCDSAKeyDescriptor = { .copyExternalRepresentation = SecCDSAKeyCopyExternalRepresentation, .copyPublicKey = SecCDSAKeyCopyPublicKey, .copyOperationResult = SecCDSAKeyCopyOperationResult, - .isEqual = SecCDSAIsEqual, + .isEqual = SecCDSAKeyIsEqual, + .setParameter = SecCDSAKeySetParameter, }; namespace Security { diff --git a/OSX/libsecurity_keychain/lib/SecKeyPriv.h b/OSX/libsecurity_keychain/lib/SecKeyPriv.h index bf97e64a..ee9aa3fe 100644 --- a/OSX/libsecurity_keychain/lib/SecKeyPriv.h +++ b/OSX/libsecurity_keychain/lib/SecKeyPriv.h @@ -130,6 +130,7 @@ typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErr typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key); typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2); typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key); +typedef Boolean (*SecKeySetParameterMethod)(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error); /*! @abstract Performs cryptographic operation with the key. @@ -197,6 +198,7 @@ typedef struct __SecKeyDescriptor { SecKeyCopyOperationResultMethod copyOperationResult; SecKeyIsEqualMethod isEqual; SecKeyCreateDuplicateMethod createDuplicate; + SecKeySetParameterMethod setParameter; #endif } SecKeyDescriptor; 
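Review bot: The new `setParameter` slot is appended to `__SecKeyDescriptor` under the unchanged `kSecKeyDescriptorVersion`, so descriptors elsewhere in the tree that use designated initializers will carry NULL in that field, and the generic `SecKeySetParameter` dispatcher (not in this diff) must test the pointer before calling it or setting `kSecUseAuthenticationUI` on a non-CDSA key dereferences NULL. Please confirm that check exists, and document the contract on the typedef, e.g. `/* Optional. NULL means the backend accepts no parameters and SecKeySetParameter reports errSecUnimplemented. */`. The struct declaration starts outside the hunk.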
@@ -528,8 +530,8 @@ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AV @param error Error which gathers more information when something went wrong. @discussion Serves as channel between SecKey client and backend for passing additional sideband data send from SecKey caller - to SecKey implementation backend (currently only CTK-based token backend is supported). Parameter names and types are - a contract between SecKey user (application) and backend and are not interpreted by SecKey layer in any way. + to SecKey implementation backend. Parameter names and types are either generic kSecUse*** attributes or are a contract between + SecKey user (application) and backend and in this case are not interpreted by SecKey layer in any way. */ Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); diff --git a/OSX/libsecurity_keychain/lib/SecKeychain.cpp b/OSX/libsecurity_keychain/lib/SecKeychain.cpp index d307e2bd..842c2dfe 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychain.cpp +++ b/OSX/libsecurity_keychain/lib/SecKeychain.cpp @@ -892,6 +892,7 @@ SecKeychainLogin(UInt32 nameLength, const void* name, UInt32 passwordLength, con } catch (CommonError &e) { + secnotice("KCLogin", "SecKeychainLogin failed: %d, password was%s supplied", (int)e.osStatus(), password?"":" not"); if (e.osStatus() == CSSMERR_DL_OPERATION_AUTH_DENIED) { return errSecAuthFailed; @@ -901,7 +902,12 @@ SecKeychainLogin(UInt32 nameLength, const void* name, UInt32 passwordLength, con return e.osStatus(); } } - + + catch (...) { + __secapiresult=errSecInternalComponent; + } + secnotice("KCLogin", "SecKeychainLogin result: %d, password was%s supplied", (int)__secapiresult, password?"":" not"); + END_SECAPI } 
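Review bot: The new `catch (...)` in `SecKeychainLogin` converts any unknown exception into `errSecInternalComponent` without recording that this happened, so the log line after it reads as an ordinary failure and the actual cause (a `std::bad_alloc`, an exception type not derived from CommonError) is lost at the one place where login diagnostics are collected. Add a line inside the handler, `secnotice("KCLogin", "SecKeychainLogin: unexpected non-CommonError exception");`, before assigning `__secapiresult`. The function starts outside the hunk.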
@@ -1443,7 +1449,7 @@ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringR AuthorizationRef authorizationRef; result = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authorizationRef); if (result != errAuthorizationSuccess) { - secinfo("SecKeychain", "failed to create authorization"); + secnotice("SecKeychain", "failed to create authorization"); return result; } @@ -1455,17 +1461,19 @@ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringR UInt32 pathLength = PATH_MAX; result = SecKeychainGetPath(userKeychain, &pathLength, pathName); if (result != errSecSuccess) { - secinfo("SecKeychain", "Failed to get kc path: %d", (int) result); + secnotice("SecKeychain", "failed to create authorization"); return result; } Boolean checkPwd = TRUE; + Boolean ignoreSession = TRUE; AuthorizationItem envItems[] = { {AGENT_HINT_KEYCHAIN_PATH, pathLength, pathName, 0}, - {AGENT_HINT_KEYCHAIN_CHECK, sizeof(checkPwd), &checkPwd} + {AGENT_HINT_KEYCHAIN_CHECK, sizeof(checkPwd), &checkPwd}, + {AGENT_HINT_IGNORE_SESSION, sizeof(ignoreSession), &ignoreSession} }; - AuthorizationEnvironment environment = {2, envItems}; + AuthorizationEnvironment environment = {3, envItems}; AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; result = AuthorizationCopyRights(authorizationRef, &myRights, &environment, flags, &authorizedRights); if (authorizedRights) @@ -1483,7 +1491,7 @@ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringR } AuthorizationFree(authorizationRef, kAuthorizationFlagDefaults); if (result != errAuthorizationSuccess) { - secinfo("SecKeychain", "did not get authorization to pair the card"); + secnotice("SecKeychain", "did not get authorization to pair the card"); return result; } } else { 
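Review bot: In the `SecKeychainGetPath` failure branch the replacement log line is a copy of the one above it — `secnotice("SecKeychain", "failed to create authorization");` — so a path lookup failure is now reported as an authorization failure and the status code the old message printed is gone; it should read `secnotice("SecKeychain", "failed to get keychain path: %d", (int) result);`. The newly added `AGENT_HINT_IGNORE_SESSION` hint changes what the authorization prompt will accept, which is a security-relevant decision the hunk leaves uncommented; a line such as `// Do not let an existing session authorization satisfy the pairing right; always prompt` (adjusted to the hint's actual semantics, which I cannot see here) would tell the next reader why. `SecKeychainStoreUnlockKeyWithPubKeyHash` starts and ends outside the hunk.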
@@ -1491,7 +1499,7 @@ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringR } if (!pwd) { - secinfo("SecKeychain", "did not get kcpass"); + secnotice("SecKeychain", "did not get kcpass"); return errSecInternalComponent; } diff --git a/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp b/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp index 55c09939..bdf7053c 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp +++ b/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp @@ -51,7 +51,14 @@ * MARK: CFRunloop */ -static OSStatus SecLegacySourceChanged(__unused SecKeychainEvent keychainEvent, __unused SecKeychainCallbackInfo *info, __unused void *context) { +static OSStatus SecLegacySourceChanged(SecKeychainEvent keychainEvent, SecKeychainCallbackInfo *info, __unused void *context) { + if (keychainEvent == kSecAddEvent || keychainEvent == kSecDeleteEvent || keychainEvent == kSecUpdateEvent) { + /* We don't need to purge the cache if the item changed wasn't a cert */ + SecKeychainItemRef item = info->item; + if (item && CFGetTypeID(item) != SecCertificateGetTypeID()) { + return 0; + } + } // Purge keychain parent cache SecItemParentCachePurge(); // Purge unrestricted roots cache diff --git a/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp b/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp index aa0c5ab1..b04b1ba2 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp +++ b/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp @@ -54,6 +54,7 @@ #include #include #include +#include #define trustSettingsDbg(args...) secinfo("trustSettings", ## args) 
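Review bot: `SecLegacySourceChanged` now dereferences `info` (`info->item`) for add, delete and update events, whereas the previous version never touched it, and nothing in the hunk shows that the keychain callback guarantees a non-NULL `info`; the cheap guard `SecKeychainItemRef item = info ? info->item : NULL;` avoids a crash in a trust-evaluation callback if that assumption is ever wrong. The comment should also say that the early return deliberately leaves the parent and trust-settings caches untouched for non-certificate changes, and that for a delete event the item reference is assumed to still report its type. Returning `errSecSuccess` instead of the bare `0` would make the early return read like the rest of the function.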
@@ -889,30 +890,34 @@ OSStatus SecTrustSettingsCopyCertificates( } static CFArrayRef gUserAdminCerts = NULL; +static bool gUserAdminCertsCacheBuilt = false; static ReadWriteLock gUserAdminCertsLock; void SecTrustSettingsPurgeUserAdminCertsCache(void) { StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write); - if (gUserAdminCerts) { - CFRelease(gUserAdminCerts); - gUserAdminCerts = NULL; - } + CFReleaseNull(gUserAdminCerts); + gUserAdminCertsCacheBuilt = false; } OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains( - CFArrayRef *certArray) + CFArrayRef *certArray) { TS_REQUIRED(certArray); OSStatus result = errSecSuccess; - { /* Only hold the lock for the check */ + { /* Hold the read lock for the check */ StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Read); - if (gUserAdminCerts) { - *certArray = (CFArrayRef)CFRetain(gUserAdminCerts); - return errSecSuccess; + if (gUserAdminCertsCacheBuilt) { + if (gUserAdminCerts) { + *certArray = (CFArrayRef)CFRetain(gUserAdminCerts); + return errSecSuccess; + } else { + return errSecNoTrustSettings; + } } } + /* There were no cached results. We'll have to recreate them. */ CFMutableArrayRef outArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); if (!outArray) { return errSecAllocate; @@ -931,7 +936,7 @@ OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains( CFRelease(adminTrusted); } - /* Lack of trust settings for a domain results in an error. Only fail + /* Lack of trust settings for a domain results in an error above. Only fail * if we weren't able to get trust settings for both domains. */ if (userStatus != errSecSuccess && adminStatus != errSecSuccess) { result = userStatus; 
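Review bot: In the read-lock fast path the new `else { return errSecNoTrustSettings; }` returns without assigning `*certArray`, unlike the slow path below which always executes `*certArray = outArray;`, so a caller that passes an uninitialized pointer and releases it regardless of the return value frees garbage on the second call but not on the first. Set `*certArray = NULL;` before that return so both paths leave the out-parameter defined. It would also help to note beside `gUserAdminCertsCacheBuilt` that a built cache holding a NULL array is the deliberate negative result for "no trust settings in either domain".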
@@ -944,11 +949,12 @@ OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains( *certArray = outArray; - if (certArray && *certArray) { + /* For valid results, update the global cache */ + if (result == errSecSuccess || result == errSecNoTrustSettings) { StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write); - if (!gUserAdminCerts) { - gUserAdminCerts = (CFArrayRef)CFRetain(*certArray); - } + CFReleaseNull(gUserAdminCerts); + gUserAdminCerts = (CFArrayRef)CFRetainSafe(outArray); + gUserAdminCertsCacheBuilt = true; } return result; diff --git a/OSX/libsecurity_keychain/lib/StorageManager.cpp b/OSX/libsecurity_keychain/lib/StorageManager.cpp index fb7d24a7..810f4c11 100644 --- a/OSX/libsecurity_keychain/lib/StorageManager.cpp +++ b/OSX/libsecurity_keychain/lib/StorageManager.cpp @@ -47,6 +47,7 @@ #include #include #include +#include #include "TrustSettingsSchema.h" #include #include 
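Review bot: The cache is populated after the read lock taken in the earlier hunk has been dropped, so a `SecTrustSettingsPurgeUserAdminCertsCache()` that runs while this thread is still building `outArray` is undone: the pre-purge results are stored and `gUserAdminCertsCacheBuilt` goes back to true, and trust settings an administrator just removed stay in effect until the next purge. A generation counter — a new `static uint64_t gUserAdminCertsGeneration` next to the other globals, incremented under the write lock in the purge function, copied into a local `startGeneration` inside the read-lock block at the top of this function — compared before the store closes that window, as sketched below. The function body between the two hunks is not visible, so I am assuming nothing else writes the cache in between.
```cpp
    /* … unchanged: build outArray from the user and admin domains … */
    *certArray = outArray;

    /* Publish only results computed against the generation observed under the
     * read lock; a purge in between means they may already be stale. */
    if (result == errSecSuccess || result == errSecNoTrustSettings) {
        StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write);
        if (gUserAdminCertsGeneration == startGeneration) {
            CFReleaseNull(gUserAdminCerts);
            gUserAdminCerts = (CFArrayRef)CFRetainSafe(outArray);
            gUserAdminCertsCacheBuilt = true;
        }
    }
```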
@@ -153,23 +154,32 @@ StorageManager::keychain(const DLDbIdentifier &dLDbIdentifier) if (!dLDbIdentifier) return Keychain(); - DLDbIdentifier dldbi = mungeDLDbIdentifier(dLDbIdentifier, false); + KeychainMap::iterator it = mKeychainMap.end(); - KeychainMap::iterator it = mKeychainMap.find(dldbi); - if (it != mKeychainMap.end()) - { + // If we have a keychain object for the munged keychain, return that. + // Don't hit the filesystem to check file status if we've already done that work... + DLDbIdentifier munge_dldbi = forceMungeDLDbIDentifier(dLDbIdentifier); + it = mKeychainMap.find(munge_dldbi); + if (it != mKeychainMap.end()) { return it->second; - } + } // If we have a keychain object for the un/demunged keychain, return that. - // We might be in the middle of an upgrade... + // We might be in the middle of an upgrade, where the -db file exists as a bit-perfect copy of the original file. DLDbIdentifier demunge_dldbi = demungeDLDbIdentifier(dLDbIdentifier); it = mKeychainMap.find(demunge_dldbi); if (it != mKeychainMap.end()) { - secnotice("integrity", "returning unmunged keychain ref"); return it->second; } + // Okay, we haven't seen this keychain before. Do the full process... + DLDbIdentifier dldbi = mungeDLDbIdentifier(dLDbIdentifier, false); + it = mKeychainMap.find(dldbi); // Almost certain not to find it here + if (it != mKeychainMap.end()) + { + return it->second; + } + if (gServerMode) { secnotice("servermode", "keychain reference in server mode"); return Keychain(); 
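Review bot: The third lookup in `keychain()` is annotated "Almost certain not to find it here" but not explained: `mungeDLDbIdentifier` can only return the `-db` name (already searched via `forceMungeDLDbIDentifier`) or the requested name unchanged (already searched via `demungeDLDbIdentifier` when it carries no suffix), so the lookup looks redundant and the stat calls it triggers are the filesystem cost the first lookup was added to avoid. Either drop it or replace the comment with the case it is meant to catch, e.g. `// Safety net: a "-db" request whose demunged form differs from the forced form`; I cannot see `makeKeychainDbFilename`, so that case may or may not exist. The function continues past the hunk.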
@@ -234,12 +244,18 @@ StorageManager::mungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier, bool i string pathdb = makeKeychainDbFilename(path); struct stat st; - int stat_result; - stat_result = ::stat(path.c_str(), &st); - bool path_exists = (stat_result == 0); - stat_result = ::stat(pathdb.c_str(), &st); - bool pathdb_exists = (stat_result == 0); + int path_stat_err = 0; + bool path_exists = (::stat(path.c_str(), &st) == 0); + if(!path_exists) { + path_stat_err = errno; + } + + int pathdb_stat_err = 0; + bool pathdb_exists = (::stat(pathdb.c_str(), &st) == 0); + if(!pathdb_exists) { + pathdb_stat_err = errno; + } // If protections are off, don't change the requested filename. // If protictions are on and the -db file exists, always use it. 
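Review bot: The stat errno is now captured but only logged; any failure — EACCES, ELOOP, ENAMETOOLONG, EIO — still sets `path_exists`/`pathdb_exists` to false, and the `switchPaths` decision in the next hunk treats "both missing" as a reason to switch to the `-db` name, so a transient permission or I/O error on the user's keychain file could steer the caller to a different file than the one that actually exists. Consider distinguishing genuine absence, `bool path_missing = !path_exists && path_stat_err == ENOENT;` (and the same for `pathdb`), and letting the both-missing case switch only when both are ENOENT, otherwise falling through with the unmodified path. I can see the decision logic only partially, so please check this against the whole function.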
@@ -257,19 +273,30 @@ StorageManager::mungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier, bool i bool switchPaths = shouldCreateProtected && (pathdb_exists || (!pathdb_exists && !path_exists) || isReset); if(switchPaths) { - secnotice("integrity", "switching to keychain-db: %s from %s (%d %d %d %d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, pathdb_exists); + secinfo("integrity", "switching to keychain-db: %s from %s (%d %d %d_%d %d_%d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, path_stat_err, pathdb_exists, pathdb_stat_err); path = pathdb; } else { - secnotice("integrity", "not switching: %s from %s (%d %d %d %d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, pathdb_exists); + secinfo("integrity", "not switching: %s from %s (%d %d %d_%d %d_%d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, path_stat_err, pathdb_exists, pathdb_stat_err); } - } else { - secnotice("integrity", "not switching as we're not in ~/Library/Keychains/: %s (%d)", path.c_str(), isReset); } DLDbIdentifier id(dLDbIdentifier.ssuid(), path.c_str(), dLDbIdentifier.dbLocation()); return id; } +DLDbIdentifier +StorageManager::forceMungeDLDbIDentifier(const DLDbIdentifier& dLDbIdentifier) { + if(!dLDbIdentifier.dbName() || dLDbIdentifier.mImpl == NULL) { + return dLDbIdentifier; + } + + string path = dLDbIdentifier.dbName(); + string pathdb = makeKeychainDbFilename(path); + + DLDbIdentifier id(dLDbIdentifier.ssuid(), pathdb.c_str(), dLDbIdentifier.dbLocation()); + return id; +} + DLDbIdentifier StorageManager::demungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier) { if(dLDbIdentifier.dbName() == NULL) { 
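Review bot: The new helper is spelled `forceMungeDLDbIDentifier` (capital D in "IDentifier"), which does not match its siblings `mungeDLDbIdentifier` and `demungeDLDbIdentifier` and is declared in the public header in a later hunk, where it will be harder to fix; rename it to `forceMungeDLDbIdentifier` before it gains callers. It also tests `dLDbIdentifier.mImpl == NULL` directly, which neither sibling does; if the intent is "identifier is empty", the `if (!dLDbIdentifier)` idiom already used by `keychain()` expresses that without reaching into the implementation pointer. A one-line comment that, unlike `mungeDLDbIdentifier`, this function never touches the filesystem would explain why `keychain()` tries it first.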
@@ -391,6 +418,7 @@ StorageManager::tickleKeychain(KeychainImpl *keychainImpl) { if(kcImpl->mCacheTimer) { // Update the cache timer to be seconds from now dispatch_source_set_timer(kcImpl->mCacheTimer, dispatch_time(DISPATCH_TIME_NOW, seconds * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, NSEC_PER_SEC/2); + secdebug("keychain", "updating cache on %p %s", kcImpl, kcImpl->name()); // We've added an extra retain to this keychain right before invoking this block. Release it. CFRelease(kcHandle); @@ -399,8 +427,10 @@ StorageManager::tickleKeychain(KeychainImpl *keychainImpl) { // No cache timer; make one. kcImpl->mCacheTimer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, release_queue); dispatch_source_set_timer(kcImpl->mCacheTimer, dispatch_time(DISPATCH_TIME_NOW, seconds * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, NSEC_PER_SEC/2); + secdebug("keychain", "taking cache on %p %s", kcImpl, kcImpl->name()); dispatch_source_set_event_handler(kcImpl->mCacheTimer, ^{ + secdebug("keychain", "releasing cache on %p %s", kcImpl, kcImpl->name()); dispatch_source_cancel(kcImpl->mCacheTimer); dispatch_release(kcImpl->mCacheTimer); kcImpl->mCacheTimer = NULL; @@ -626,6 +656,14 @@ StorageManager::loginKeychain() MacOSError::throwMe(errSecNoSuchKeychain); } +DLDbIdentifier +StorageManager::loginKeychainDLDbIdentifer() +{ + StLock_(mMutex); + DLDbIdentifier loginDLDbIdentifier(mSavedList.loginDLDbIdentifier()); + return mungeDLDbIdentifier(loginDLDbIdentifier, false); +} + void StorageManager::loginKeychain(Keychain keychain) { @@ -782,7 +820,8 @@ void StorageManager::forceRemoveFromCache(KeychainImpl* inKeychainImpl) { } } -void StorageManager::renameUnique(Keychain keychain, CFStringRef newName, bool appendDbSuffix) +// If you pass NULL as the keychain, you must pass an oldName. +void StorageManager::renameUnique(Keychain keychain, CFStringRef oldName, CFStringRef newName, bool appendDbSuffix) { StLock_(mMutex); 
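Review bot: `StorageManager::loginKeychainDLDbIdentifer` is missing the second "i" of "Identifier", and the misspelling is repeated in the header hunk and in its caller in `resetKeychain`, so it is about to become an established name; fix it now to `loginKeychainDLDbIdentifier`. The function also deserves a one-line comment, e.g. `// Munged identifier of the login keychain from the saved list; does not open the keychain`, since that is exactly why `resetKeychain` falls back to it when `loginKeychain()` throws. The precondition added on `renameUnique`, `// If you pass NULL as the keychain, you must pass an oldName.`, is not enforced by the body in the next hunk.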
@@ -811,10 +850,24 @@ void StorageManager::renameUnique(Keychain keychain, CFStringRef newName, bool a struct stat filebuf; if ( lstat(toUseBuff2, &filebuf) ) { - rename(keychain, toUseBuff2); - KeychainList kcList; - kcList.push_back(keychain); - remove(kcList, false); + if(keychain) { + rename(keychain, toUseBuff2); + KeychainList kcList; + kcList.push_back(keychain); + remove(kcList, false); + } else { + // We don't have a Keychain object, so force the rename here if possible + char oldNameCString[MAXPATHLEN]; + if ( CFStringGetCString(oldName, oldNameCString, MAXPATHLEN, kCFStringEncodingUTF8) ) { + int result = ::rename(oldNameCString, toUseBuff2); + secnotice("KClogin", "keychain force rename to %s: %d %d", newNameCString, result, (result == 0) ? 0 : errno); + if(result != 0) { + UnixError::throwMe(errno); + } + } else { + secnotice("KClogin", "path is wrong, quitting"); + } + } doneCreating = true; } else 
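Review bot: When `CFStringGetCString(oldName, ...)` fails the new branch only logs "path is wrong, quitting" and then falls through to `doneCreating = true`, so the caller believes the login keychain was set aside when nothing was renamed; that branch should throw like the `::rename` failure does, `MacOSError::throwMe(errSecParam);` after the log, and a NULL `oldName` (promised by the precondition comment, checked nowhere) should take the same path. Separately, `rename(2)` replaces an existing destination, so the `lstat(toUseBuff2)` check above is only advisory: a file created at that name between the check and the rename is silently overwritten, and if the deployment target allows it `renamex_np(oldNameCString, toUseBuff2, RENAME_EXCL)` makes the create-unique intent atomic. The log line prints `newNameCString` while the rename target is `toUseBuff2`; printing `toUseBuff2` shows the actual destination.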
@@ -1466,12 +1519,78 @@ void StorageManager::login(UInt32 nameLength, const void *name, } } - // if login.keychain does not exist at this point, create it - if (!loginKeychainExists || (isReset && !loginKeychainDbExists)) { + // is it token login? + CFRef tokenLoginContext; + CFRef smartCardPassword; + OSStatus tokenContextStatus = TokenLoginGetContext(password, passwordLength, tokenLoginContext.take()); + // if login.keychain does not exist at this point, create it + if (!loginKeychainExists || (isReset && !loginKeychainDbExists)) { + // when we creating new KC and user is logged using token (i.e. smart card), we have to get + // the password for that account first + if (tokenContextStatus == errSecSuccess) { + secnotice("KCLogin", "Going to create login keychain for sc login"); + AuthorizationRef authRef; + OSStatus status = AuthorizationCreate(NULL, NULL, 0, &authRef); + if (status == errSecSuccess) { + AuthorizationItem right = { "com.apple.builtin.sc-kc-new-passphrase", 0, NULL, 0 }; + AuthorizationItemSet rightSet = { 1, &right }; + + uint32_t reason, tries; + reason = 0; + tries = 0; + AuthorizationItem envRights[] = { + { AGENT_HINT_RETRY_REASON, sizeof(reason), &reason, 0 }, + { AGENT_HINT_TRIES, sizeof(tries), &tries, 0 }}; + + AuthorizationItemSet envSet = { sizeof(envRights) / sizeof(*envRights), envRights }; + status = AuthorizationCopyRights(authRef, &rightSet, &envSet, kAuthorizationFlagDefaults|kAuthorizationFlagInteractionAllowed|kAuthorizationFlagExtendRights, NULL); + if (status == errSecSuccess) { + AuthorizationItemSet *returnedInfo; + status = AuthorizationCopyInfo(authRef, NULL, &returnedInfo); + if (status == errSecSuccess) { + if (returnedInfo && (returnedInfo->count > 0)) { + for (uint32_t index = 0; index < returnedInfo->count; index++) { + AuthorizationItem &item = returnedInfo->items[index]; + if (!strcmp(AGENT_PASSWORD, item.name)) { + CFIndex len = item.valueLength; + if (len) { + secnotice("KCLogin", "User entered pwd"); + 
smartCardPassword = CFStringCreateWithBytes(SecCFAllocatorZeroize(), (UInt8 *)item.value, (CFIndex)len, kCFStringEncodingUTF8, TRUE); + memset(item.value, 0, len); + } + } + } + } + } + AuthorizationFreeItemSet(returnedInfo); + } + AuthorizationFree(authRef, 0); + } + } + // but don't add it to the search list yet; we'll do that later Keychain theKeychain = makeKeychain(loginDLDbIdentifier, false, true); - secnotice("KCLogin", "Creating login keychain %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : ""); - theKeychain->create(passwordLength, password); + secnotice("KCLogin", "Creating login keychain %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : ""); + if (tokenContextStatus == errSecSuccess) { + if (smartCardPassword.get()) { + CFIndex length = CFStringGetLength(smartCardPassword); + CFIndex maxSize = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1; + char *buffer = (char *)malloc(maxSize); + if (CFStringGetCString(smartCardPassword, buffer, maxSize, kCFStringEncodingUTF8)) { + secnotice("KCLogin", "Keychain is created using password provided by sc user"); + theKeychain->create((UInt32)strlen(buffer), buffer); + memset(buffer, 0, maxSize); + } else { + secnotice("KCLogin", "Conversion failed"); + MacOSError::throwMe(errSecNotAvailable); + } + } else { + secnotice("KCLogin", "User did not provide kc password"); + MacOSError::throwMe(errSecNotAvailable); + } + } else { + theKeychain->create(passwordLength, password); + } secnotice("KCLogin", "Login keychain created successfully"); loginKeychainExists = true; // Set the prefs for this new login keychain. 
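Review bot: The `buffer` malloc'd for the smart-card password in the create path is never freed, the plain `memset(buffer, 0, maxSize)` on it — and `memset(item.value, 0, len)` above — is a dead store the compiler may elide, and if `theKeychain->create` throws the buffer escapes with the password still in it; the conversion-failure branch likewise throws without clearing or freeing. `malloc` is also unchecked, and `AuthorizationFreeItemSet(returnedInfo)` runs even when `AuthorizationCopyInfo` failed, on a pointer that was never initialized. The sketch below initializes `returnedInfo`, frees it only when obtained, checks the allocation, and scrubs with `memset_s` on every exit path — the `SecCFAllocatorZeroize()` already used for the CFString shows this code cares about exactly that. The enclosing `StorageManager::login` starts and ends outside the hunk.
```cpp
                    AuthorizationItemSet *returnedInfo = NULL;
                    status = AuthorizationCopyInfo(authRef, NULL, &returnedInfo);
                    // … unchanged: copy AGENT_PASSWORD into smartCardPassword, but scrub with memset_s(item.value, len, 0, len) …
                    if (returnedInfo) {
                        AuthorizationFreeItemSet(returnedInfo);
                    }
                // … unchanged: AuthorizationFree, makeKeychain, secnotice …
                if (smartCardPassword.get()) {
                    CFIndex length = CFStringGetLength(smartCardPassword);
                    CFIndex maxSize = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1;
                    char *buffer = (char *)malloc(maxSize);
                    if (!buffer) {
                        MacOSError::throwMe(errSecAllocate);
                    }
                    bool converted = CFStringGetCString(smartCardPassword, buffer, maxSize, kCFStringEncodingUTF8);
                    try {
                        if (converted) {
                            secnotice("KCLogin", "Keychain is created using password provided by sc user");
                            theKeychain->create((UInt32)strlen(buffer), buffer);
                        }
                    } catch (...) {
                        memset_s(buffer, maxSize, 0, maxSize);   // scrub before the exception escapes
                        free(buffer);
                        throw;
                    }
                    memset_s(buffer, maxSize, 0, maxSize);
                    free(buffer);
                    if (!converted) {
                        secnotice("KCLogin", "Conversion failed");
                        MacOSError::throwMe(errSecNotAvailable);
                    }
                }
```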
@@ -1558,10 +1677,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, } } - // is it token login? - CFRef tokenLoginContext; - OSStatus status = TokenLoginGetContext(password, passwordLength, tokenLoginContext.take()); - if (!loginUnlocked || status == errSecSuccess) { + if (!loginUnlocked || tokenContextStatus == errSecSuccess) { Keychain theKeychain(keychain(loginDLDbIdentifier)); bool tokenLoginDataUpdated = false; @@ -1570,7 +1686,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, CFRef tokenLoginData; if (tokenLoginContext) { - status = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take()); + OSStatus status = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take()); if (status != errSecSuccess) { if (tokenLoginDataUpdated) { loginResult = status; @@ -1578,7 +1694,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, } // updating unlock key fails if it is not token login secnotice("KCLogin", "Error %d, reconstructing unlock data", (int)status); - status = TokenLoginUpdateUnlockData(tokenLoginContext); + status = TokenLoginUpdateUnlockData(tokenLoginContext, smartCardPassword); if (status == errSecSuccess) { loginResult = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take()); if (loginResult != errSecSuccess) { @@ -1593,7 +1709,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, // first try to unlock login keychain because if this fails, token keychain unlock fails as well if (tokenLoginData) { secnotice("KCLogin", "Going to unlock keybag using scBlob"); - status = TokenLoginUnlockKeybag(tokenLoginContext, tokenLoginData); + OSStatus status = TokenLoginUnlockKeybag(tokenLoginContext, tokenLoginData); secnotice("KCLogin", "Keybag unlock result %d", (int)status); if (status) CssmError::throwMe(status); // to trigger login data regeneration 
@@ -1609,7 +1725,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, key.header().KeyAttr = 0; CFRef tokenLoginUnlockKey; if (tokenLoginData) { - status = TokenLoginGetUnlockKey(tokenLoginContext, tokenLoginUnlockKey.take()); + OSStatus status = TokenLoginGetUnlockKey(tokenLoginContext, tokenLoginUnlockKey.take()); if (status) CssmError::throwMe(status); // to trigger login data regeneration key.KeyData = CssmData(tokenLoginUnlockKey.get()); @@ -1642,7 +1758,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, } catch (const CssmError &e) { if (tokenLoginData && !tokenLoginDataUpdated) { // token login unlock key was invalid - loginResult = TokenLoginUpdateUnlockData(tokenLoginContext); + loginResult = TokenLoginUpdateUnlockData(tokenLoginContext, smartCardPassword); if (loginResult == errSecSuccess) { tokenLoginDataUpdated = true; continue; @@ -1770,6 +1886,8 @@ void StorageManager::resetKeychain(Boolean resetSearchList) StLock_(mMutex); // Clear the keychain search list. + Keychain keychain = NULL; + DLDbIdentifier dldbi; try { if ( resetSearchList ) 
@@ -1780,14 +1898,33 @@ void StorageManager::resetKeychain(Boolean resetSearchList) // Get a reference to the existing login keychain... // If we don't have one, we throw (not requiring a rename). // - Keychain keychain = loginKeychain(); + keychain = loginKeychain(); + } catch(const CommonError& e) { + secnotice("KClogin", "Failed to open login keychain due to an error: %s", e.what()); + + // Set up fallback rename. + dldbi = loginKeychainDLDbIdentifer(); + + struct stat exists; + if(::stat(dldbi.dbName(), &exists) != 0) { + // no file exists, everything is fine + secnotice("KClogin", "no file exists; resetKeychain() is done"); + return; + } + } + + try{ // // Rename the existing login.keychain (i.e. put it aside). // CFMutableStringRef newName = NULL; newName = CFStringCreateMutable(NULL, 0); CFStringRef currName = NULL; - currName = CFStringCreateWithCString(NULL, keychain->name(), kCFStringEncodingUTF8); + if(keychain) { + currName = CFStringCreateWithCString(NULL, keychain->name(), kCFStringEncodingUTF8); + } else { + currName = CFStringCreateWithCString(NULL, dldbi.dbName(), kCFStringEncodingUTF8); + } if ( newName && currName ) { CFStringAppend(newName, currName); 
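Review bot: The fallback path calls `::stat(dldbi.dbName(), &exists)` without checking that `dbName()` is non-NULL; `mungeDLDbIdentifier`, `forceMungeDLDbIDentifier` and `demungeDLDbIdentifier` all guard against a NULL `dbName()`, so a nameless identifier is evidently possible, and here it would go to stat(2) and then to `CFStringCreateWithCString`. Guard it: `if (!dldbi.dbName() || ::stat(dldbi.dbName(), &exists) != 0) { secnotice("KClogin", "no login keychain path or file; resetKeychain() is done"); return; }`. A comment stating that this path intentionally renames a keychain file the process could not open, because the user asked for a reset, would also help; the function continues past the hunk.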
@@ -1808,22 +1945,35 @@ void StorageManager::resetKeychain(Boolean resetSearchList) CFStringAppend(newName, CFSTR(kKeychainRenamedSuffix)); // add "_renamed_" try { - renameUnique(keychain, newName, hasDbSuffix); + secnotice("KClogin", "attempting keychain rename to %@", newName); + renameUnique(keychain, currName, newName, hasDbSuffix); } - catch(...) + catch(const CommonError& e) { // we need to release 'newName' & 'currName' + secnotice("KClogin", "Failed to renameUnique due to an error: %s", e.what()); + } + catch(...) + { + secnotice("KClogin", "Failed to renameUnique due to an unknown error"); } } // else, let the login call report a duplicate + else { + secnotice("KClogin", "don't have paths, quitting"); + } if ( newName ) CFRelease(newName); if ( currName ) CFRelease(currName); } + catch(const CommonError& e) { + secnotice("KClogin", "Failed to reset login keychain due to an error: %s", e.what()); + } catch(...) { // We either don't have a login keychain, or there was a // failure to rename the existing one. + secnotice("KClogin", "Failed to reset keychain due to an unknown error"); } } diff --git a/OSX/libsecurity_keychain/lib/StorageManager.h b/OSX/libsecurity_keychain/lib/StorageManager.h index 33f03033..520823fc 100644 --- a/OSX/libsecurity_keychain/lib/StorageManager.h +++ b/OSX/libsecurity_keychain/lib/StorageManager.h @@ -113,7 +113,7 @@ public: void setSearchList(SecPreferencesDomain domain, const KeychainList &keychainList); void rename(Keychain keychain, const char* newName); - void renameUnique(Keychain keychain, CFStringRef newName, bool appendDbSuffix); + void renameUnique(Keychain keychain, CFStringRef oldName, CFStringRef newName, bool appendDbSuffix); // Iff keychainOrArray is NULL return the default KeychainList in keychainList otherwise // if keychainOrArray is a CFArrayRef containing SecKeychainRef's convernt it to KeychainList, 
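Review bot: The comment `// we need to release 'newName' & 'currName'` now sits inside a `catch(const CommonError&)` whose body only logs; the releases happen unconditionally below, so the comment describes nothing the handler does and should become `// fall through: newName/currName are released below`. The `else { secnotice("KClogin", "don't have paths, quitting"); }` branch is taken when `CFStringCreateMutable` or `CFStringCreateWithCString` returned NULL, i.e. on an allocation or conversion failure rather than a missing path, so `"could not build rename strings, quitting"` describes it better. The surrounding try/catch pair begins in the previous hunk.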
@@ -147,6 +147,8 @@ public: void defaultKeychain(const Keychain &keychain); Keychain loginKeychain(); + DLDbIdentifier loginKeychainDLDbIdentifer(); + void loginKeychain(Keychain keychain); Keychain defaultKeychain(SecPreferencesDomain domain); @@ -184,6 +186,9 @@ public: // Otherwise, leave it alone. static DLDbIdentifier mungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier, bool isReset); + // Change the DLDbIdentifier to always use the pattern ending with "-db". + static DLDbIdentifier forceMungeDLDbIDentifier(const DLDbIdentifier& dLDbIdentifier); + // Due to compatibility requirements, we need the DLDbListCFPref lists to // never see a ".keychain-db" filename. Call this function to give them what // they need. diff --git a/OSX/libsecurity_keychain/lib/TokenLogin.cpp b/OSX/libsecurity_keychain/lib/TokenLogin.cpp index 03255cd2..888b4081 100644 --- a/OSX/libsecurity_keychain/lib/TokenLogin.cpp +++ b/OSX/libsecurity_keychain/lib/TokenLogin.cpp @@ -308,7 +308,17 @@ OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginD return errSecSuccess; } -OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context) +OSStatus TokenLoginGetPin(CFDictionaryRef context, CFStringRef *pin) +{ + if (!pin || !context) { + return errSecParam; + } + *pin = getPin(context); + + return errSecSuccess; +} + +OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context, CFStringRef password) { if (!context) { return errSecParam; @@ -321,7 +331,7 @@ OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context) return result; } - return SecKeychainStoreUnlockKeyWithPubKeyHash(getPubKeyHash(context), getTokenId(context), getPubKeyHashWrap(context), loginKeychain, NULL); + return SecKeychainStoreUnlockKeyWithPubKeyHash(getPubKeyHash(context), getTokenId(context), getPubKeyHashWrap(context), loginKeychain, password); } OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob) 
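Review bot: `TokenLoginGetPin` hands a smart-card PIN to the caller through `*pin` without documenting ownership: nothing visible says whether `getPin(context)` returns a +1 reference the caller must release or a reference borrowed from `context`, and for a secret that also decides who is responsible for its lifetime. Add a comment on the function (and on the prototype in the header hunk), e.g. `// Returns the PIN held in the token-login context. Ownership: <owned by context | caller must CFRelease>; never log the value.`, filled in from what getPin actually does. `TokenLoginUpdateUnlockData` now forwards `password`, which the StorageManager hunks show can be NULL in the unlock path; judging from the Authorization prompt in `SecKeychainStoreUnlockKeyWithPubKeyHash` that appears to mean "ask the user", and the header comment should say so.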
diff --git a/OSX/libsecurity_keychain/lib/TokenLogin.h b/OSX/libsecurity_keychain/lib/TokenLogin.h index b7976bf8..f19a52e0 100644 --- a/OSX/libsecurity_keychain/lib/TokenLogin.h +++ b/OSX/libsecurity_keychain/lib/TokenLogin.h @@ -32,9 +32,10 @@ extern "C" { OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64TokenLoginDataLength, CFDictionaryRef *context); OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginData); +OSStatus TokenLoginGetPin(CFDictionaryRef context, CFStringRef *pin); OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob); -OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context); +OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context, CFStringRef password); OSStatus TokenLoginStoreUnlockData(CFDictionaryRef context, CFDictionaryRef loginData); OSStatus TokenLoginDeleteUnlockData(CFDataRef pubKeyHash); diff --git a/OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c b/OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c index 1e0b3bcc..882cbc9a 100644 --- a/OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c +++ b/OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c @@ -188,7 +188,7 @@ certTests(SecKeychainRef keychain) CFRelease(certificate); ok_status(SecKeychainDelete(keychain), "SecKeychainDelete"); - is(CFGetRetainCount(keychain), 1, "keychain retain count is 1"); + cmp_ok(CFGetRetainCount(keychain), >=, 1, "keychain retain count is 1"); CFRelease(keychain); } diff --git a/OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c b/OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c index f22e12f8..aee9f4bc 100644 --- a/OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c +++ b/OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c 
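Review bot: The relaxed assertion `cmp_ok(CFGetRetainCount(keychain), >=, 1, "keychain retain count is 1")` keeps the old description, so a failure report will claim the count should be exactly 1 while the check accepts anything above; the sibling test in the next hunk already updated its wording, so use `"keychain retain count is at least 1"` here too. Note that `>= 1` is trivially true for any live object, so this assertion no longer detects a leaked retain; if the keychain cache timer from `StorageManager::tickleKeychain` is what raised the count, say so in a comment rather than weakening the check silently.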
@@ -33,9 +33,9 @@ static void tests(void) ok_status(SecKeychainItemFreeContent(&attrList, data), "SecKeychainItemCopyContent"); is(CFGetRetainCount(item), 1, "item retaincount is 1"); - is(CFGetRetainCount(keychain), 2, "keychain retaincount is 2"); + cmp_ok(CFGetRetainCount(keychain), >=, 2, "keychain retaincount is at least 2"); CFRelease(item); - is(CFGetRetainCount(keychain), 1, "keychain retaincount is 1"); + cmp_ok(CFGetRetainCount(keychain), >=, 1, "keychain retaincount is at least 1"); ok_status(SecKeychainDelete(keychain), "delete keychain"); CFRelease(keychain); } diff --git a/OSX/libsecurity_keychain/regressions/kc-18-find-combined.c b/OSX/libsecurity_keychain/regressions/kc-18-find-combined.c index c19ac9d2..12de9f6f 100644 --- a/OSX/libsecurity_keychain/regressions/kc-18-find-combined.c +++ b/OSX/libsecurity_keychain/regressions/kc-18-find-combined.c 
@@ -316,61 +316,61 @@ unsigned char Test_codesign[]={ }; unsigned int Test_7875801__Code_Signing__cer_len = 999; -/* Test certificate for S/MIME policy (encrypt only, no sign), expires April 2026 +/* Test certificate for S/MIME policy (encrypt only, no sign), expires September 2026 */ unsigned char Test_smime_encryptonly[]={ 0x30, 0x82, 0x04, 0x07, 0x30, 0x82, 0x02, 0xef, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x02, 0xb8, 0x95, 0x23, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30, - 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f, 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, - 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, - 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x23, + 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f, 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x43, 0x41, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 
0x49, 0x6e, 0x63, 0x2e, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x14, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x36, 0x30, 0x34, 0x30, 0x34, 0x32, 0x32, 0x32, 0x32, 0x33, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x32, - 0x32, 0x32, 0x32, 0x32, 0x33, 0x36, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x36, 0x30, 0x39, 0x32, 0x30, 0x31, 0x32, 0x30, 0x32, 0x31, 0x33, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x39, 0x31, 0x38, + 0x31, 0x32, 0x30, 0x32, 0x31, 0x33, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f, - 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, 0x6f, - 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, - 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, + 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x43, 0x41, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x13, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, + 0x41, 0x70, 
0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x14, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xc6, 0x5a, 0xe9, 0x94, 0x4a, 0x9e, 0x4d, 0x47, 0xa3, 0x9d, 0x06, 0xb3, 0xd5, 0x05, 0xad, 0x05, 0x71, 0xaf, 0x93, - 0x42, 0x9d, 0x02, 0x58, 0x33, 0x30, 0xee, 0xcb, 0xe4, 0x96, 0x24, 0x4b, 0x35, 0x0b, 0x6a, 0x58, 0xd0, 0xe7, 0x13, 0x5b, - 0xd5, 0xd3, 0xa1, 0x99, 0x55, 0xff, 0xe9, 0x3b, 0xe7, 0x20, 0x4e, 0x9e, 0x6b, 0xcd, 0x86, 0x47, 0xd7, 0xf6, 0x67, 0xc2, - 0xde, 0x51, 0xbc, 0x58, 0xd8, 0xc8, 0xe1, 0xb6, 0x42, 0xc5, 0xe9, 0x9e, 0x65, 0x3a, 0x04, 0xab, 0x47, 0x1b, 0xc8, 0xfe, - 0xb6, 0xb2, 0x47, 0x03, 0xc4, 0xa4, 0xb8, 0xaf, 0x31, 0xe7, 0x10, 0x7b, 0x4a, 0x4b, 0x29, 0x09, 0x91, 0xc2, 0xd2, 0x1f, - 0x42, 0x9a, 0x77, 0xc2, 0x08, 0x98, 0x53, 0x32, 0x8f, 0x8c, 0xa7, 0x06, 0xa5, 0x05, 0x9e, 0xeb, 0xc9, 0x5b, 0x7a, 0x5c, - 0xb3, 0xd7, 0x91, 0x6f, 0xea, 0xa1, 0x4f, 0x93, 0x9b, 0xa6, 0xf5, 0xdb, 0x32, 0x3b, 0x71, 0xfd, 0x07, 0xa4, 0x30, 0x30, - 0x35, 0xfa, 0x6c, 0x77, 0x76, 0x98, 0x99, 0x3a, 0x19, 0xcd, 0x7c, 0x5d, 0xc5, 0x70, 0x86, 0xaf, 0xf9, 0x9e, 0xa1, 0x45, - 0x5e, 0x6d, 0x03, 0x63, 0x3b, 0x4a, 0xcc, 0x14, 0xda, 0x75, 0xc2, 0xf1, 0x8f, 0x51, 0xd3, 0x80, 0x5f, 0xf7, 0x52, 0xd0, - 0x04, 0x1b, 0x37, 0x6e, 0x3a, 0xfe, 0xcc, 0x5d, 0xba, 0xbe, 0x0f, 0x1a, 0xd8, 0x31, 0xd4, 0x7b, 0xf2, 0x20, 0x22, 0x56, - 0xd1, 0x84, 0x8f, 0x12, 0x4a, 0x81, 0xa5, 0xeb, 0x7f, 0x8b, 0x4b, 0x21, 0x02, 0xeb, 0xb4, 0x6e, 0xb6, 0x3c, 0x3c, 0x15, - 0x09, 0xa4, 0x79, 0x7c, 0x3e, 0x45, 0xf3, 0xe7, 0x84, 0x10, 0xc9, 0x45, 0x86, 0xd5, 0xda, 0x9e, 0xdf, 0x7d, 0x05, 0xcc, - 0xdf, 0x1a, 0x30, 0x8f, 0xea, 0x57, 0x9a, 0x72, 0xb0, 0x58, 0x95, 
0x6b, 0x9e, 0xe8, 0x94, 0xf2, 0x8d, 0x02, 0x03, 0x01, + 0x00, 0xd5, 0x9e, 0xf0, 0xe6, 0x4e, 0x8d, 0x1d, 0x0f, 0x62, 0x75, 0x1a, 0x5d, 0xd7, 0x19, 0x34, 0xf0, 0x27, 0xaf, 0x35, + 0xbb, 0x6d, 0xfe, 0x1b, 0xe5, 0xfd, 0xd5, 0x54, 0x77, 0x4a, 0x2f, 0x1d, 0x50, 0x51, 0xbb, 0x6e, 0x55, 0x9e, 0xfe, 0xcd, + 0x40, 0xe0, 0xe1, 0xa5, 0xfb, 0xef, 0x8c, 0x6b, 0x49, 0x7e, 0x73, 0x5c, 0x19, 0x44, 0xad, 0x50, 0xbc, 0x10, 0xf9, 0x66, + 0xcf, 0x17, 0xd4, 0x63, 0x8d, 0x6b, 0x4b, 0x61, 0x09, 0x5e, 0xe7, 0xf2, 0xbf, 0x20, 0x78, 0xf4, 0xe4, 0x71, 0x81, 0xba, + 0xb9, 0xb0, 0x0e, 0x8c, 0x58, 0xfd, 0x23, 0x67, 0x67, 0x38, 0x4b, 0xcd, 0x23, 0xb3, 0x76, 0x20, 0x51, 0x99, 0xb7, 0x7a, + 0xc4, 0x34, 0xd4, 0xca, 0x50, 0xc1, 0x16, 0x4d, 0xcf, 0x60, 0x3c, 0xc2, 0x29, 0x06, 0x9b, 0x48, 0x35, 0xdb, 0x7e, 0x1a, + 0xf8, 0x5d, 0x0e, 0x72, 0xa7, 0x01, 0x02, 0xb4, 0x26, 0x40, 0x81, 0xf3, 0xa8, 0x28, 0x0e, 0x53, 0x79, 0x55, 0x19, 0x13, + 0xe1, 0xd9, 0x41, 0x78, 0xe6, 0x68, 0x96, 0x91, 0xf9, 0xc9, 0xbf, 0x60, 0xd4, 0x88, 0xdf, 0x26, 0x19, 0xc6, 0xd5, 0xc4, + 0x3f, 0x70, 0x1f, 0xc0, 0x8f, 0x2c, 0x3d, 0x49, 0xba, 0x79, 0xd8, 0xcd, 0x6d, 0xcc, 0x88, 0xde, 0x86, 0xd4, 0x19, 0x89, + 0x1b, 0x1c, 0xbd, 0xd8, 0xeb, 0xc6, 0x81, 0xdb, 0xb7, 0x57, 0x53, 0xeb, 0x92, 0xbf, 0xf8, 0x1b, 0xd8, 0x4a, 0xe7, 0xee, + 0x83, 0x01, 0xf7, 0xae, 0xf4, 0x25, 0x2b, 0x6f, 0x17, 0xf4, 0xa0, 0xb8, 0x7f, 0x87, 0x20, 0x4f, 0xfd, 0xac, 0x59, 0x00, + 0x80, 0x5e, 0x20, 0x02, 0x5a, 0x41, 0x76, 0xf2, 0x57, 0x97, 0x29, 0xa9, 0x87, 0xae, 0x79, 0xb7, 0x3f, 0x95, 0x2f, 0x37, + 0x6e, 0xbf, 0x1f, 0x6d, 0xe2, 0x27, 0x39, 0x1c, 0xf2, 0x0b, 0x8f, 0xe4, 0xff, 0x60, 0x5d, 0x8f, 0xeb, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x4b, 0x30, 0x49, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, - 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, + 0x05, 0x20, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 
0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x18, 0x30, 0x16, 0x81, 0x14, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x79, - 0xc0, 0x92, 0xf8, 0xfd, 0xac, 0x3f, 0x21, 0x3a, 0x1b, 0x7c, 0x2b, 0xc9, 0x0a, 0x62, 0xb6, 0xe2, 0x1d, 0x3b, 0x67, 0x4b, - 0x4b, 0xf8, 0xe8, 0xbe, 0xd8, 0x8e, 0x71, 0x07, 0x4a, 0x6e, 0xbd, 0x07, 0xc8, 0xd0, 0x86, 0x9c, 0xdb, 0xd5, 0x43, 0x23, - 0xc3, 0x56, 0x03, 0x45, 0xa6, 0xab, 0xf8, 0xba, 0xc2, 0xba, 0xd8, 0x78, 0x33, 0x49, 0xaa, 0x82, 0xb4, 0x0c, 0x6c, 0x9b, - 0x4c, 0x5b, 0x9d, 0x4f, 0xb5, 0xd8, 0xd9, 0x0f, 0x33, 0x21, 0x27, 0x8c, 0x99, 0xa0, 0xb6, 0xe0, 0xfb, 0x40, 0x4e, 0x88, - 0x36, 0x91, 0x42, 0x3f, 0xcc, 0x52, 0x3f, 0x39, 0x82, 0x3d, 0xbd, 0x43, 0x45, 0xf4, 0x1c, 0x17, 0x4c, 0x29, 0x63, 0x5d, - 0x12, 0xdd, 0x16, 0x8a, 0xa3, 0x6a, 0x81, 0x21, 0xbc, 0x55, 0x10, 0xfa, 0x88, 0x95, 0x80, 0x5d, 0x6a, 0xeb, 0x96, 0x54, - 0x37, 0x94, 0x07, 0x28, 0x06, 0x0f, 0x62, 0x7e, 0x6f, 0x3d, 0x9e, 0xe7, 0x1d, 0x0e, 0x35, 0xb5, 0x89, 0x07, 0x04, 0xd6, - 0x70, 0x69, 0x43, 0x8b, 0x44, 0xdb, 0xb5, 0x0b, 0xc8, 0x80, 0xc5, 0xe9, 0x8f, 0xe4, 0xa7, 0x75, 0x32, 0xa6, 0x47, 0xdc, - 0xc9, 0x68, 0x26, 0x85, 0x96, 0x8c, 0x15, 0x47, 0xe0, 0x4f, 0x13, 0x81, 0x97, 0xae, 0x7c, 0xc5, 0x1c, 0xda, 0x22, 0xef, - 0x39, 0xef, 0xe8, 0x8f, 0xbb, 0x33, 0xd3, 0x40, 0x12, 0x45, 0xcd, 0x05, 0x81, 0x39, 0xdc, 0x88, 0x9f, 0xd2, 0x3e, 0x20, - 0xe5, 0xec, 0xf9, 0x39, 0xc5, 0x55, 0xeb, 0x97, 0x7f, 0x67, 0x36, 0x80, 0xfa, 0x2a, 0xe1, 0xf4, 0x36, 0x03, 0xe5, 0xe2, - 0xa8, 0x75, 0x0e, 0x58, 0x21, 0xdf, 0x86, 0x38, 0x49, 0x19, 0x6f, 0x00, 0x3b, 0x8c, 0x57, 0x8c, 0xa7, 0x60, 0xf8, 0xda, - 0x01, 0xbc, 0xbc, 0xe5, 0x77, 0x81, 0xeb, 0xda, 0xd6, 0xd6, 0x6e, 0xa4, 0x1a, 0x09, 0x3c + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 
0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x0a, + 0x49, 0x1f, 0xbe, 0xda, 0xa3, 0x8f, 0x78, 0x2c, 0x19, 0x6d, 0xd1, 0xa4, 0xa8, 0x8d, 0xa1, 0x00, 0xee, 0x8f, 0xa4, 0xd3, + 0x2b, 0x73, 0xad, 0x46, 0x00, 0x44, 0x40, 0x18, 0xc7, 0x7a, 0xbd, 0x5c, 0x21, 0x80, 0x91, 0xfe, 0xa0, 0x48, 0xfe, 0x00, + 0x3f, 0xf3, 0xc3, 0xb5, 0x26, 0xf0, 0xf2, 0xfa, 0x6e, 0xf2, 0x64, 0x45, 0x59, 0x41, 0xbd, 0x6f, 0xc2, 0xb6, 0xf8, 0xba, + 0xc4, 0x75, 0x6a, 0x41, 0xd1, 0x0a, 0x6d, 0x1f, 0xd4, 0xe0, 0xec, 0x77, 0x7a, 0x5f, 0xa8, 0x44, 0x2e, 0xb3, 0x96, 0xe4, + 0x62, 0x8e, 0xa2, 0x58, 0x85, 0x77, 0x21, 0x4f, 0x70, 0xed, 0x38, 0x5a, 0x69, 0x36, 0x8e, 0xf5, 0x3f, 0x4b, 0x25, 0x40, + 0xe4, 0x4a, 0x00, 0xef, 0x14, 0xe4, 0xa3, 0xad, 0xaa, 0xbc, 0xdc, 0x18, 0x5f, 0xc5, 0xe9, 0xc1, 0xfe, 0xe4, 0x68, 0x52, + 0x30, 0x87, 0x1e, 0x80, 0x4d, 0xa6, 0xf5, 0xfd, 0x0d, 0x15, 0x00, 0x06, 0xd8, 0x05, 0x82, 0x2d, 0x94, 0x44, 0x80, 0x8f, + 0x1b, 0xac, 0x18, 0x9f, 0x51, 0x40, 0x47, 0x29, 0x4f, 0x7b, 0xb8, 0xbb, 0x03, 0xdd, 0x8a, 0x01, 0x4f, 0xd0, 0x4e, 0x21, + 0xf5, 0xc3, 0x64, 0x2f, 0xa6, 0xe3, 0x81, 0x8d, 0x65, 0xc0, 0x6a, 0x17, 0x1d, 0xc5, 0xdf, 0xa6, 0x07, 0x7c, 0x48, 0x59, + 0x35, 0x78, 0x02, 0x29, 0xa0, 0xbe, 0x25, 0x39, 0xdf, 0x51, 0x30, 0x7b, 0x2a, 0x19, 0xd0, 0x33, 0xcd, 0x07, 0x61, 0x38, + 0x18, 0x46, 0xc7, 0x16, 0x8b, 0xcd, 0xa9, 0xbf, 0x22, 0xd0, 0xf7, 0xd1, 0xa4, 0x32, 0x80, 0x9f, 0x2e, 0x17, 0x0a, 0x17, + 0xbc, 0x48, 0xf3, 0x2c, 0x6d, 0x40, 0x3b, 0xf0, 0xf5, 0x0b, 0x10, 0x98, 0x93, 0x50, 0xcc, 0x46, 0x64, 0x57, 0x6d, 0xb5, + 0xa0, 0xda, 0x8f, 0xd7, 0xc6, 0x0a, 0x01, 0x1d, 0x89, 0x0b, 0x2f, 0xe3, 0x98, 0xcc, 0x9a }; unsigned int Test_Encryption__S_MIME__cer_len = 1035; @@ -1682,6 +1682,7 @@ static int FindCertificateForSMIMEEncryption(SecKeychainRef keychain, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, + CFIndex maxMatchesExpected, OSStatus expected) { /* create a SecPolicyRef for S/MIME */ 
@@ -1725,7 +1726,7 @@ static int FindCertificateForSMIMEEncryption(SecKeychainRef keychain,
 OSStatus status = SecItemCopyMatching(query, &results);
 if (!status && results) {
-status = CheckResults(results, minMatchesExpected, MAXITEMS);
+status = CheckResults(results, minMatchesExpected, maxMatchesExpected);
 CFRelease(results);
 }
 if (query)
@@ -2946,7 +2947,7 @@ static int TestCertificateLookup(SecKeychainRef keychain)
 // look up cert by email address for SMIME encryption, date valid today, want array of all results as SecCertificateRef
 // (note that a date value of kCFNull is interpreted as the current date)
 result += FindCertificateForSMIMEEncryption(keychain, CFSTR("smime-test@apple.com"), kCFNull,
-kSecReturnRef, kSecMatchLimitAll, 1, noErr);
+kSecReturnRef, kSecMatchLimitAll, 1, 1, noErr);
 CFReleaseSafe(sslPolicy);
 CFReleaseSafe(codeSigningPolicy);
@@ -3013,7 +3014,7 @@ static int TestPreferredCertificateLookup(SecKeychainRef keychain)
 ++result;
 // define a valid date for this preferred certificate (typically this would just be kCFNull in a real program, meaning "now")
-CFGregorianDate aCurrentGDate = { 2016, 7, 27, 21, 0, 0 }; // Jul 27 2016 9:00 PM
+CFGregorianDate aCurrentGDate = { 2016, 9, 27, 21, 0, 0 }; // September 27 2016 9:00 PM
 CFDateRef aCurrentDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aCurrentGDate, NULL));
 if (FindPreferredCertificateForSMIMEEncryption(keychain, CFSTR("smime-test@apple.com"), aCurrentDate))
 ++result;
diff --git a/OSX/libsecurity_keychain/regressions/kc-19-item-copy-internet.c b/OSX/libsecurity_keychain/regressions/kc-19-item-copy-internet.c
index 0f7adeec..af040fc3 100644
--- a/OSX/libsecurity_keychain/regressions/kc-19-item-copy-internet.c
+++ b/OSX/libsecurity_keychain/regressions/kc-19-item-copy-internet.c
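Review bot: `FindCertificateForSMIMEEncryption(keychain, CFSTR("smime-test@apple.com"), kCFNull, kSecReturnRef, kSecMatchLimitAll, 1, 1, noErr)` evaluates the embedded test certificate against the real current date, so this test will start failing on its own once that certificate expires (the comment on the array above says September 2026), whereas the preferred-certificate lookup in the following hunk pins `aCurrentGDate` and is immune. A comment here such as `// uses the real current date: this breaks when Test_smime_encryptonly expires (see its comment); regenerate the cert then` would save the next person a debugging session.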
@@ -78,11 +78,11 @@ static void tests()
 CFRelease(original);
 is(CFGetRetainCount(copy), 1, "copy retaincount is 1");
 CFRelease(copy);
-is(CFGetRetainCount(source), 1, "source retaincount is 1");
+cmp_ok(CFGetRetainCount(source), >=, 1, "source keychain retaincount is 1");
 ok_status(SecKeychainDelete(source), "delete keychain source");
 CFRelease(source);
 ok_status(SecKeychainDelete(dest), "delete keychain dest");
-is(CFGetRetainCount(dest), 1, "dest retaincount is 1");
+cmp_ok(CFGetRetainCount(dest), >=, 1, "dest retaincount is 1");
 CFRelease(dest);
 }
diff --git a/OSX/libsecurity_keychain/regressions/si-33-keychain-backup.c b/OSX/libsecurity_keychain/regressions/si-33-keychain-backup.c
index 8112f864..cdbfc900 100644
--- a/OSX/libsecurity_keychain/regressions/si-33-keychain-backup.c
+++ b/OSX/libsecurity_keychain/regressions/si-33-keychain-backup.c
@@ -32,12 +32,13 @@
 #include
 #include
+#define DATA_ARG(x) (x) ? CFDataGetBytePtr((x)) : NULL, (x) ? (int)CFDataGetLength((x)) : 0
 static CFDataRef create_keybag(keybag_handle_t bag_type, CFDataRef password) {
 keybag_handle_t handle = bad_keybag_handle;
-if (aks_create_bag(NULL, 0, bag_type, &handle) == 0) {
+if (aks_create_bag(DATA_ARG(password), bag_type, &handle) == 0) {
 void * keybag = NULL;
 int keybag_size = 0;
 if (aks_save_bag(handle, &keybag, &keybag_size) == 0) {
@@ -66,7 +67,9 @@ static void tests(void)
 CFDictionaryAddValue(query, kSecValueData, pwdata);
 CFDictionaryAddValue(query, kSecAttrSynchronizable, kCFBooleanTrue);
-CFDataRef keybag = NULL, password = NULL;
+CFDataRef keybag = NULL;
+const char *p = "sup3rsekretpassc0de";
+CFDataRef password = CFDataCreate(NULL, (UInt8 *)p, strlen(p));
 keybag = create_keybag(kAppleKeyStoreAsymmetricBackupBag, password);
@@ -94,6 +97,7 @@ static void tests(void)
 ok_status(SecItemDelete(query), "delete restored item");
 if (backup) { CFRelease(backup); }
+if (password) { CFRelease(password); }
 }
 int si_33_keychain_backup(int argc, char *const *argv)
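Review bot: `DATA_ARG(x)` expands to two comma-separated expressions whose conditional operators are not parenthesised, so it is only safe when the macro is the entire argument pair and will misparse silently if it is ever combined with other operands or reused in another call; `#define DATA_ARG(x) ((x) ? CFDataGetBytePtr(x) : NULL), ((x) ? (int)CFDataGetLength(x) : 0)` costs nothing and removes the trap. In the second hunk `(UInt8 *)p` casts away const for no reason, since `CFDataCreate` takes `const UInt8 *`; `(const UInt8 *)p` is the correct cast. `tests` begins and ends outside these hunks.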
diff --git a/OSX/libsecurity_smime/lib/cmsmessage.c b/OSX/libsecurity_smime/lib/cmsmessage.c
index 75512389..211f7355 100644
--- a/OSX/libsecurity_smime/lib/cmsmessage.c
+++ b/OSX/libsecurity_smime/lib/cmsmessage.c
@@ -137,7 +137,6 @@ SecCmsMessageDestroy(SecCmsMessageRef cmsg)
 /* if poolp is not NULL, cmsg is the owner of its arena */
 if (cmsg->poolp_is_ours) {
 PORT_FreeArena (cmsg->poolp, PR_FALSE); /* XXX clear it? */
-cmsg->poolp = NULL;
 }
 }
diff --git a/OSX/libsecurity_ssl/lib/SecureTransport.h b/OSX/libsecurity_ssl/lib/SecureTransport.h
index 89afee8c..e815d88f 100644
--- a/OSX/libsecurity_ssl/lib/SecureTransport.h
+++ b/OSX/libsecurity_ssl/lib/SecureTransport.h
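Review bot: Dropping `cmsg->poolp = NULL;` is only right if `cmsg` itself is allocated out of the arena being freed, in which case the old assignment was a write into freed memory and nothing about `cmsg` may be touched after `PORT_FreeArena`; the hunk does not record that reasoning, and the surviving `/* XXX clear it? */` now reads as an open question inviting someone to put the line back. I would replace that comment with `/* cmsg lives in this arena and is gone after this call; do not touch it */` if the allocation pattern is as I infer, and if `cmsg` is in fact allocated separately the removal leaves `poolp` dangling and the line should be restored instead.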
@@ -311,26 +311,30 @@ typedef CF_ENUM(int, SSLConnectionType)
 * Predefined TLS configurations constants */
-/* Default configuration - currently same as kSSLSessionConfig_standard */
+/* Default configuration (has 3DES, no RC4) */
 extern const CFStringRef kSSLSessionConfig_default;
 /* ATS v1 Config: TLS v1.2, only PFS ciphersuites */
 extern const CFStringRef kSSLSessionConfig_ATSv1;
 /* ATS v1 Config without PFS: TLS v1.2, include non PFS ciphersuites */
 extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS;
-/* TLS v1.2 to TLS v1.0, with default ciphersuites (no RC4) */
+/* TLS v1.2 to TLS v1.0, with default ciphersuites (no 3DES, no RC4) */
 extern const CFStringRef kSSLSessionConfig_standard;
-/* TLS v1.2 to TLS v1.0, with defaults ciphersuites + RC4 */
+/* TLS v1.2 to TLS v1.0, with default ciphersuites + RC4 + 3DES */
 extern const CFStringRef kSSLSessionConfig_RC4_fallback;
-/* TLS v1.0 only, with defaults ciphersuites + fallback SCSV */
+/* TLS v1.0 only, with default ciphersuites + fallback SCSV */
 extern const CFStringRef kSSLSessionConfig_TLSv1_fallback;
-/* TLS v1.0, with defaults ciphersuites + RC4 + fallback SCSV */
+/* TLS v1.0, with default ciphersuites + RC4 + 3DES + fallback SCSV */
 extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback;
 /* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
 extern const CFStringRef kSSLSessionConfig_legacy;
-/* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
+/* TLS v1.2 to TLS v1.0, default + RC4 + DHE ciphersuites */
 extern const CFStringRef kSSLSessionConfig_legacy_DHE;
 /* TLS v1.2, anonymous ciphersuites only */
 extern const CFStringRef kSSLSessionConfig_anonymous;
+/* TLS v1.2 to TLS v1.0, has 3DES, no RC4 */
+extern const CFStringRef kSSLSessionConfig_3DES_fallback;
+/* TLS v1.0, with default ciphersuites + 3DES, no RC4 */
+extern const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback;
 /******************
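Review bot: After this change `kSSLSessionConfig_legacy` and `kSSLSessionConfig_legacy_DHE` carry the same description apart from one letter (`defaults + RC4 + DHE ciphersuites` vs `default + RC4 + DHE ciphersuites`), so the header gives a reader no way to tell the two apart; the `legacy` comment should say what it lacks relative to `legacy_DHE`, which I cannot tell from this diff. The two new 3DES constants also deserve the framing the RC4 ones have, since `kSSLSessionConfig_standard` now documents 3DES as removed and nothing tells API users these are compatibility configurations rather than general-purpose ones — something like `/* Fallback only: TLS v1.2 to TLS v1.0, default ciphersuites + 3DES, no RC4. For peers that cannot negotiate AES; standard and ATS configs no longer offer 3DES. */`.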
diff --git a/OSX/libsecurity_ssl/lib/sslContext.c b/OSX/libsecurity_ssl/lib/sslContext.c
index 89f89687..21dd4628 100644
--- a/OSX/libsecurity_ssl/lib/sslContext.c
+++ b/OSX/libsecurity_ssl/lib/sslContext.c
@@ -2547,6 +2547,9 @@ const CFStringRef kSSLSessionConfig_TLSv1_fallback = CFSTR("TLSv1_fallback");
 const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback = CFSTR("TLSv1_RC4_fallback");
 const CFStringRef kSSLSessionConfig_legacy_DHE = CFSTR("legacy_DHE");
 const CFStringRef kSSLSessionConfig_anonymous = CFSTR("anonymous");
+const CFStringRef kSSLSessionConfig_3DES_fallback = CFSTR("3DES_fallback");
+const CFStringRef kSSLSessionConfig_TLSv1_3DES_fallback = CFSTR("TLSv1_3DES_fallback");
+
 static
 tls_handshake_config_t SSLSessionConfig_to_tls_handshake_config(CFStringRef config)
@@ -2563,6 +2566,10 @@ tls_handshake_config_t SSLSessionConfig_to_tls_handshake_config(CFStringRef conf
 return tls_handshake_config_TLSv1_RC4_fallback;
 } else if(CFEqual(config, kSSLSessionConfig_RC4_fallback)){
 return tls_handshake_config_RC4_fallback;
+} else if(CFEqual(config, kSSLSessionConfig_3DES_fallback)){
+return tls_handshake_config_3DES_fallback;
+} else if(CFEqual(config, kSSLSessionConfig_TLSv1_3DES_fallback)){
+return tls_handshake_config_TLSv1_3DES_fallback;
 } else if(CFEqual(config, kSSLSessionConfig_legacy)){
 return tls_handshake_config_legacy;
 } else if(CFEqual(config, kSSLSessionConfig_legacy_DHE)){
diff --git a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
index 2ed75a8b..b6f43b2d 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
@@ -141,6 +141,27 @@ const SSLCipherSuite legacy_DHE_ciphersuites[] = {
 const SSLCipherSuite standard_ciphersuites[] = {
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+TLS_RSA_WITH_AES_256_GCM_SHA384,
+TLS_RSA_WITH_AES_128_GCM_SHA256,
+TLS_RSA_WITH_AES_256_CBC_SHA256,
+TLS_RSA_WITH_AES_128_CBC_SHA256,
+TLS_RSA_WITH_AES_256_CBC_SHA,
+TLS_RSA_WITH_AES_128_CBC_SHA,
+};
+
+const SSLCipherSuite default_ciphersuites[] = {
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
@@ -393,7 +414,7 @@ test_default(SSLProtocolSide side)
 /* The order of this tests does matter, be careful when adding tests */
 ok(!test_GetSupportedCiphers(ssl, server), "test_default: GetSupportedCiphers test failed (%s)", server?"server":"client");
-ok(!test_GetEnabledCiphers(ssl, sizeof(standard_ciphersuites)/sizeof(SSLCipherSuite), standard_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
+ok(!test_GetEnabledCiphers(ssl, sizeof(default_ciphersuites)/sizeof(SSLCipherSuite), default_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
 CFRelease(ssl); ssl=NULL;
@@ -412,7 +433,7 @@ out:
 int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
 {
-plan_tests(154);
+plan_tests(178);
 test_dhe(kSSLClientSide, true);
 test_dhe(kSSLServerSide, true);
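Review bot: The eighteen entries added to `standard_ciphersuites` are identical to the visible head of `default_ciphersuites`, and nothing in the file states how the two arrays are meant to differ; from the header change in this commit (`kSSLSessionConfig_standard` is now documented as "no 3DES") the difference is presumably only 3DES entries at the tail of `default_ciphersuites`, which lies outside the hunk. A one-line comment over each array, e.g. `/* standard: the default set minus the 3DES suites */` and `/* default: standard plus 3DES, still no RC4 */`, would make the intent checkable without diffing two twenty-line lists by eye.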
@@ -433,10 +454,12 @@ int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
 TEST_CONFIG(kSSLSessionConfig_legacy_DHE, legacy_DHE_ciphersuites);
 TEST_CONFIG(kSSLSessionConfig_standard, standard_ciphersuites);
 TEST_CONFIG(kSSLSessionConfig_RC4_fallback, legacy_ciphersuites);
-TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, standard_ciphersuites);
+TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, default_ciphersuites);
 TEST_CONFIG(kSSLSessionConfig_TLSv1_RC4_fallback, legacy_ciphersuites);
-TEST_CONFIG(kSSLSessionConfig_default, standard_ciphersuites);
+TEST_CONFIG(kSSLSessionConfig_default, default_ciphersuites);
 TEST_CONFIG(kSSLSessionConfig_anonymous, anonymous_ciphersuites);
+TEST_CONFIG(kSSLSessionConfig_3DES_fallback, default_ciphersuites);
+TEST_CONFIG(kSSLSessionConfig_TLSv1_3DES_fallback, default_ciphersuites);
 return 0;
 }
diff --git a/OSX/libsecurity_utilities/lib/threading.h b/OSX/libsecurity_utilities/lib/threading.h
index 34a47636..4de9ab4f 100644
--- a/OSX/libsecurity_utilities/lib/threading.h
+++ b/OSX/libsecurity_utilities/lib/threading.h
@@ -287,7 +287,7 @@ public:
 };
 StReadWriteLock(ReadWriteLock &lck, Type type) : mType(type), mIsLocked(false), mRWLock(lck) { lock(); }
-~StReadWriteLock() { if(mIsLocked) mRWLock.unlock(); }
+~StReadWriteLock() { if(mIsLocked) unlock(); }
 bool lock(); void unlock();
diff --git a/OSX/libsecurityd/lib/ssblob.cpp b/OSX/libsecurityd/lib/ssblob.cpp
index 3f2fa514..a283ad30 100644
--- a/OSX/libsecurityd/lib/ssblob.cpp
+++ b/OSX/libsecurityd/lib/ssblob.cpp
@@ -100,7 +100,7 @@ void CommonBlob::initialize(uint32 version)
 {
 magic = magicNumber;
-secnotice("integrity", "creating a keychain with version %d", version);
+secinfo("integrity", "creating a keychain with version %d", version);
 this->blobVersion = version;
 }
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSChangeTracker.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSChangeTracker.c
index dc590e4a..42463be1 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSChangeTracker.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSChangeTracker.c @@ -27,7 +27,7 @@ #include #include -#include +#include #include #include #include diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c index 5a40b8f6..c0f00fc3 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c @@ -32,7 +32,7 @@ #include #include #include -#include +#include #include #include #include diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c index bc070180..090eba1e 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c 
@@ -1382,33 +1382,33 @@ static bool sosIsViewSetSyncing(size_t n, CFStringRef *views) {
 }
 bool SOSCCIsIcloudKeychainSyncing(void) {
-CFStringRef views[] = { kSOSViewAutofillPasswords, kSOSViewSafariCreditCards };
-return sosIsViewSetSyncing(1, views);
+CFStringRef views[] = { kSOSViewWiFi, kSOSViewAutofillPasswords, kSOSViewSafariCreditCards, kSOSViewOtherSyncable };
+return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
 }
 bool SOSCCIsSafariSyncing(void) {
 CFStringRef views[] = { kSOSViewAutofillPasswords, kSOSViewSafariCreditCards };
-return sosIsViewSetSyncing(2, views);
+return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
 }
 bool SOSCCIsAppleTVSyncing(void) {
 CFStringRef views[] = { kSOSViewAppleTV };
-return sosIsViewSetSyncing(1, views);
+return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
 }
 bool SOSCCIsHomeKitSyncing(void) {
 CFStringRef views[] = { kSOSViewHomeKit };
-return sosIsViewSetSyncing(1, views);
+return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
 }
 bool SOSCCIsWiFiSyncing(void) {
 CFStringRef views[] = { kSOSViewWiFi };
-return sosIsViewSetSyncing(1, views);
+return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
 }
 bool SOSCCIsContinuityUnlockSyncing(void) {
 CFStringRef views[] = { kSOSViewContinuityUnlock };
-return sosIsViewSetSyncing(1, views);
+return sosIsViewSetSyncing(sizeof(views)/sizeof(views[0]), views);
 }
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c
index 5e6e9ae3..d422d2f6 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c
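Review bot: `SOSCCIsIcloudKeychainSyncing` now asks about four views (`kSOSViewWiFi`, `kSOSViewAutofillPasswords`, `kSOSViewSafariCreditCards`, `kSOSViewOtherSyncable`), and whether "syncing" means all of them or any of them is decided by `sosIsViewSetSyncing`, whose body lies above the hunk; as this is presumably the predicate behind a top-level iCloud Keychain status, a comment stating the intended semantics would help, e.g. `// true when the views that make up "iCloud Keychain" are syncing (all vs. any: see sosIsViewSetSyncing)`. The `sizeof(views)/sizeof(views[0])` expression is now repeated six times; a small local macro such as `#define SOS_ARRAY_COUNT(a) (sizeof(a)/sizeof((a)[0]))`, or an existing project equivalent if there is one, would keep the six functions readable.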
@@ -69,8 +69,7 @@ CFGiblisWithCompareFor(SOSCoder)
 static CFStringRef SOSCoderCopyFormatDescription(CFTypeRef cf, CFDictionaryRef formatOptions) {
 SOSCoderRef coder = (SOSCoderRef)cf;
 if(coder){
-CFStringRef desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR(""),
-coder->peer_id,
+CFStringRef desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR(""),
 coder->sessRef,
 coder->hashOfLastReceived,
 coder->waitingForDataPacket ? "W" : "w",
@@ -101,10 +100,6 @@ static const char *SOSCoderString(SOSCoderStatus coderStatus) {
 }
 }
-CFStringRef SOSCoderGetID(SOSCoderRef coder) {
-return coder->peer_id;
-}
-
 /*
 static void logRawCoderMessage(const uint8_t* der, uint8_t* der_end, bool encoding) {
@@ -424,7 +419,6 @@ static void SOSCoderDestroy(CFTypeRef cf)
 if (coder) {
 CFReleaseNull(coder->sessRef);
 CFReleaseNull(coder->pendingResponse);
-CFReleaseNull(coder->peer_id);
 CFReleaseNull(coder->hashOfLastReceived);
 }
 }
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c
index 66f53239..80579496 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c
@@ -27,7 +27,7 @@
 */
 #include
-#include
+#include
 #include
 #include
 #include
@@ -82,8 +82,9 @@ static CFStringRef kSOSEngineTraceDateKey = CFSTR("traceDate");
 //----------------------------------------------------------------------------------------
 // MARK: Engine state v2
 //----------------------------------------------------------------------------------------
-
+#if !TARGET_IPHONE_SIMULATOR
 static const CFIndex kCurrentEngineVersion = 2;
+#endif
 // Keychain/datasource items
 // Used for the kSecAttrAccount when saving in the datasource with dsSetStateWithKey
 // Class D [kSecAttrAccessibleAlwaysPrivate/kSecAttrAccessibleAlwaysThisDeviceOnly]
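Review bot: Wrapping `static const CFIndex kCurrentEngineVersion = 2;` in `#if !TARGET_IPHONE_SIMULATOR` looks like a fix for an unused-variable warning in simulator builds rather than a functional difference, and the same pattern is repeated for `kSOSEngineStateVersionKey`, `SOSEngineDeleteV0State`, `SOSEngineCopyEncodedManifestCache_locked` and `SOSEngineCopyPeerState_locked` in the later hunks of this file. If that is the motive, `__unused` (or `__attribute__((unused))`) on the declarations silences the warning without five conditional-compilation regions that will drift as the simulator-only paths change. If the simulator genuinely must not carry this code, a comment on this first `#if` saying why would stop the next reader from collapsing them.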
@@ -97,7 +98,9 @@ static CFStringRef kSOSEngineCoders = CFSTR("engine-coders");
 // Keys for individual dictionaries
 // engine-state-v2
+#if !TARGET_IPHONE_SIMULATOR
 static CFStringRef kSOSEngineStateVersionKey = CFSTR("engine-stateVersion");
+#endif
 // Current save/load routines
 // SOSEngineCreate/SOSEngineLoad/SOSEngineSetState
@@ -156,48 +159,16 @@ static CFStringRef kSOSEngineStateVersionKey = CFSTR("engine-stateVersion"); */ -/* SOSEngine implementation. */ -struct __OpaqueSOSEngine { - CFRuntimeBase _base; - SOSDataSourceRef dataSource; - CFStringRef myID; // My peerID in the circle - // We need to address the issues of corrupt keychain items - SOSManifestRef unreadable; // Possibly by having a set of unreadable items, to which we - // add any corrupted items in the db that have yet to be deleted. - // This happens if we notce corruption during a (read only) query. - // We would also perma-subtract unreadable from manifest whenever - // anyone asked for manifest. This result would be cached in - // The manifestCache below, so we just need a key into the cache - CFDataRef localMinusUnreadableDigest; // or a digest (CFDataRef of the right size). - - CFMutableDictionaryRef manifestCache; // digest -> ( refcount, manifest ) - CFMutableDictionaryRef peerMap; // peerId -> SOSPeerRef - CFDictionaryRef viewNameSet2ChangeTracker; // CFSetRef of CFStringRef -> SOSChangeTrackerRef - CFDictionaryRef viewName2ChangeTracker; // CFStringRef -> SOSChangeTrackerRef - CFArrayRef peerIDs; - CFDateRef lastTraceDate; // Last time we did a CloudKeychainTrace - CFMutableDictionaryRef coders; - bool haveLoadedCoders; - - bool dirty; - bool codersNeedSaving; - dispatch_queue_t queue; // Engine queue - - dispatch_source_t save_timer; // Engine state save timer - bool save_timer_pending; // Engine state timer running, read/modify on engine queue - - dispatch_queue_t syncCompleteQueue; // Non-retained queue for async notificaion - SOSEnginePeerInSyncBlock syncCompleteListener; // Block to call to notify the listener. 
-};
 static bool SOSEngineLoad(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
 static bool SOSEngineSetPeers_locked(SOSEngineRef engine, SOSPeerMetaRef myPeerMeta, CFArrayRef trustedPeerMetas, CFArrayRef untrustedPeerMetas);
 static void SOSEngineApplyPeerState(SOSEngineRef engine, CFDictionaryRef peerStateMap);
 static void SOSEngineSynthesizePeerMetas(SOSEngineRef engine, CFMutableArrayRef trustedPeersMetas, CFMutableArrayRef untrustedPeers);
 static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
+#if !TARGET_IPHONE_SIMULATOR
 static bool SOSEngineDeleteV0State(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error);
-
+#endif
 static CFStringRef SOSPeerIDArrayCreateString(CFArrayRef peerIDs) {
 return peerIDs ? CFStringCreateByCombiningStrings(kCFAllocatorDefault, peerIDs, CFSTR(" ")) : CFSTR("");
 }
@@ -406,7 +377,7 @@ CFMutableArrayRef SOSEngineCopyPersistedManifestArray(SOSEngineRef engine, CFDic
 }
 return manifests;
 }
-
+#if !TARGET_IPHONE_SIMULATOR
 static CFDictionaryRef SOSEngineCopyEncodedManifestCache_locked(SOSEngineRef engine, CFErrorRef *error) {
 CFMutableDictionaryRef mfc = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
 SOSEngineForEachPeer_locked(engine, ^(SOSPeerRef peer) {
@@ -414,42 +385,6 @@ static CFDictionaryRef SOSEngineCopyEncodedManifestCache_locked(SOSEngineRef eng
 });
 return mfc;
 }
-
-#if 0
-static bool SOSEngineGCManifests_locked(SOSEngineRef engine, CFErrorRef *error) {
-__block struct SOSDigestVector mdInCache = SOSDigestVectorInit;
-__block struct SOSDigestVector mdInUse = SOSDigestVectorInit;
-struct SOSDigestVector mdUnused = SOSDigestVectorInit;
-struct SOSDigestVector mdMissing = SOSDigestVectorInit;
-bool ok = true;
-
-SOSEngineForEachPeer_locked(engine, ^(SOSPeerRef peer) {
-SOSPeerMarkDigestsInUse(peer, &mdInUse);
-});
-
-if (engine->manifestCache) {
-CFDictionaryForEach(engine->manifestCache, ^(const void *key, const void *value) {
-CFDataRef digest = (CFDataRef)key;
-if (isData(digest))
-SOSDigestVectorAppend(&mdInCache, CFDataGetBytePtr(digest));
-});
-
-// Delete unused manifests.
-SOSDigestVectorDiff(&mdInCache, &mdInUse, &mdUnused, &mdMissing);
-SOSManifestRef unused = SOSManifestCreateWithDigestVector(&mdUnused, NULL);
-SOSManifestForEach(unused, ^(CFDataRef digest, bool *stop) {
-if (digest)
-CFDictionaryRemoveValue(engine->manifestCache, digest);
-});
-CFReleaseSafe(unused);
-}
-
-SOSDigestVectorFree(&mdInCache);
-SOSDigestVectorFree(&mdInUse);
-SOSDigestVectorFree(&mdUnused);
-SOSDigestVectorFree(&mdMissing);
-return ok;
-}
 #endif //
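Review bot: The `#endif //` kept as context at the end of this hunk used to close the removed `#if 0`; after the change it closes the `#if !TARGET_IPHONE_SIMULATOR` that the previous hunk opens above `SOSEngineCopyEncodedManifestCache_locked`, so its trailing comment (truncated in this view) now describes the wrong condition. Retagging it as `#endif // !TARGET_IPHONE_SIMULATOR` keeps the pair, now roughly thirty lines apart, readable without scrolling.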
@@ -502,11 +437,8 @@ static SOSCoderRef SOSEngineGetCoderInTx_locked(SOSEngineRef engine, SOSTransact return coder; } -static SOSCoderRef SOSEngineGetCoder_locked(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error) { - return SOSEngineGetCoderInTx_locked(engine, NULL, peerID, error); -} - -static bool SOSEngineEnsureCoder_locked(SOSEngineRef engine, CFStringRef peerID, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, SOSCoderRef ourCoder, CFErrorRef *error) { +static bool SOSEngineEnsureCoder_locked(SOSEngineRef engine, SOSTransactionRef txn, CFStringRef peerID, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, SOSCoderRef ourCoder, CFErrorRef *error) { + //have to have caused coder loading, transactions do this. if (!ourCoder || !SOSCoderIsFor(ourCoder, peerInfo, myPeerInfo)) { secinfo("coder", "New coder for id %@.", peerID); CFErrorRef localError = NULL; @@ -517,7 +449,9 @@ static bool SOSEngineEnsureCoder_locked(SOSEngineRef engine, CFStringRef peerID, return false; } CFDictionarySetValue(engine->coders, peerID, coder); + secdebug("coder", "setting coder for peerid: %@, coder: %@", peerID, coder); CFReleaseNull(coder); + engine->codersNeedSaving = true; } return true; } 
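Review bot: The new `txn` parameter of SOSEngineEnsureCoder_locked is not used in any visible line of the function, and the comment added for it (`//have to have caused coder loading, transactions do this.`) does not say what a caller must guarantee. If the parameter exists only to force callers into a transaction, state that: `// txn is unused here; requiring it forces callers to be inside a transaction, which is what loads engine->coders before we decide whether a new coder is needed.` The added `secdebug("coder", "setting coder for peerid: %@, coder: %@", peerID, coder)` prints the coder object's description; unless that description is known to be free of negotiation or session state, log only `peerID`. The middle of the function (the coder creation) lies between the two hunks, so the unused-parameter claim is based on the visible lines only.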
@@ -525,9 +459,12 @@ static bool SOSEngineEnsureCoder_locked(SOSEngineRef engine, CFStringRef peerID, bool SOSEngineInitializePeerCoder(SOSEngineRef engine, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error) { __block bool ok = true; CFStringRef peerID = SOSPeerInfoGetPeerID(peerInfo); - ok &= SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) { - ok = SOSEngineEnsureCoder_locked(engine, peerID, myPeerInfo, peerInfo, coder, error); + + ok &= SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) { + ok = SOSEngineEnsureCoder_locked(engine, txn, peerID, myPeerInfo, peerInfo, coder, error); + *forceSaveState = ok; }); + return ok; } @@ -539,7 +476,7 @@ static bool SOSEngineGCPeerState_locked(SOSEngineRef engine, CFErrorRef *error) //exit: return ok; } - +#if !TARGET_IPHONE_SIMULATOR static CFMutableDictionaryRef SOSEngineCopyPeerState_locked(SOSEngineRef engine, CFErrorRef *error) { CFMutableDictionaryRef peerState = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); CFDictionaryForEach(engine->peerMap, ^(const void *key, const void *value) { @@ -564,13 +501,14 @@ static CFMutableDictionaryRef SOSEngineCopyPeerState_locked(SOSEngineRef engine, }); return peerState; } - +#endif static CFMutableDictionaryRef SOSEngineCopyPeerCoders_locked(SOSEngineRef engine, CFErrorRef *error) { CFMutableDictionaryRef coders = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); CFDictionaryForEach(engine->peerMap, ^(const void *key, const void *value) { CFDataRef coderData = NULL; CFErrorRef localError = NULL; bool ok = SOSEngineCopyCoderData(engine, (CFStringRef)key, &coderData, &localError); + if (!ok) { secnotice("engine", "%@ no coder for peer: %@", key, localError); } 
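Review bot: In SOSEngineInitializePeerCoder, `ok &= SOSEngineWithPeerID(...)` reads `ok` as the left operand of a compound assignment while the block passed to that call assigns `ok`; the read of the left operand and the call are not ordered relative to each other, so a compiler that loads `ok` before the call silently discards the block's `false`. Keep the two results apart: `bool ran = SOSEngineWithPeerID(engine, peerID, error, ^(...) { ok = SOSEngineEnsureCoder_locked(engine, txn, peerID, myPeerInfo, peerInfo, coder, error); *forceSaveState = ok; });` followed by `return ran && ok;`. The pre-change code had the same shape, so this is not a regression, but the same pattern is re-introduced in SOSTransportMessageSendMessageIfNeeded (SOSTransportMessage.c hunk below) and this rewrite is the moment to fix both.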
@@ -592,6 +530,7 @@ static CFMutableDictionaryRef SOSEngineCopyPeerCoders_locked(SOSEngineRef engine static CFDataRef SOSEngineCopyCoders(SOSEngineRef engine, CFErrorRef *error) { // Copy the CFDataRef version of the coders into a dictionary, which is then DER-encoded for saving CFDictionaryRef coders = SOSEngineCopyPeerCoders_locked(engine, error); + secdebug("coders", "copying coders! %@", coders); CFDataRef der = CFPropertyListCreateDERData(kCFAllocatorDefault, coders, error); CFReleaseSafe(coders); return der; @@ -600,6 +539,11 @@ static CFDataRef SOSEngineCopyCoders(SOSEngineRef engine, CFErrorRef *error) { static bool SOSEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { // MUST hold engine lock // Device must be unlocked for this to succeed + + if(!engine->haveLoadedCoders){ + secdebug("coders", "attempting to save coders before we have loaded them!"); + } + bool ok = true; if (engine->codersNeedSaving) { CFDataRef derCoders = SOSEngineCopyCoders(engine, error); @@ -607,12 +551,18 @@ static bool SOSEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFEr kSOSEngineProtectionDomainClassA, derCoders, error); if (ok) { engine->codersNeedSaving = false; + secnotice("coder", "saved coders: %@", engine->coders); } CFReleaseSafe(derCoders); } return ok; } +bool SOSTestEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error){ + return SOSEngineSaveCoders(engine, txn, error); +} +#if !TARGET_IPHONE_SIMULATOR + static CFDictionaryRef SOSEngineCopyBasicState(SOSEngineRef engine, CFErrorRef *error) { // Create a version of the in-memory engine state for saving to disk CFMutableDictionaryRef state = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); 
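Review bot: In SOSEngineSaveCoders the new `if(!engine->haveLoadedCoders)` check only logs and then falls through to `SOSEngineCopyCoders` and the write, so if `codersNeedSaving` is set before the persisted coders were loaded, the on-disk set is replaced by whatever partial set is in memory. Either skip the write in that state — `if (!engine->haveLoadedCoders) { secnotice("coder", "not saving coders before they are loaded"); return true; }` — or add a comment explaining why overwriting is acceptable here. The two added lines `secdebug("coders", "copying coders! %@", coders)` and `secnotice("coder", "saved coders: %@", engine->coders)` print every coder's description, and the notice-level one is persisted in the system log; if coder descriptions carry negotiation state, log `CFDictionaryGetCount(engine->coders)` instead. The log category also differs between the two (`"coders"` vs `"coder"`).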
@@ -626,7 +576,6 @@ static CFDictionaryRef SOSEngineCopyBasicState(SOSEngineRef engine, CFErrorRef * SOSPersistCFIndex(state, kSOSEngineStateVersionKey, kCurrentEngineVersion); return state; } - static bool SOSEngineDoSaveOneState(SOSEngineRef engine, SOSTransactionRef txn, CFStringRef key, CFStringRef pdmn, CFDictionaryRef state, CFErrorRef *error) { CFDataRef derState = CFPropertyListCreateDERData(kCFAllocatorDefault, state, error); @@ -634,7 +583,6 @@ static bool SOSEngineDoSaveOneState(SOSEngineRef engine, SOSTransactionRef txn, CFReleaseSafe(derState); return ok; } - static bool SOSEngineDoSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { bool ok = true; 
@@ -656,81 +604,14 @@ static bool SOSEngineDoSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorR return ok; } - -#if ENGINE_DELAY_SAVE - -#define SOSENGINE_SAVE_TIMEOUT (NSEC_PER_MSEC * 500ull) -#define SOSENGINE_SAVE_LEEWAY (NSEC_PER_MSEC * 500ull) -#define SOSENGINE_SAVE_MAX_DELAY (NSEC_PER_MSEC * 500ull) - -#if !(TARGET_IPHONE_SIMULATOR) -static void SOSEngineShouldSave(SOSEngineRef engine) { - bool start_timer = false; - - if (engine->save_timer == NULL) { - // Schedule the timer to fire on a concurrent queue, so we can follow - // the proper procedure of acquiring a dataSource and then engine queues. - engine->save_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0)); - dispatch_source_set_event_handler(engine->save_timer, ^{ - CFErrorRef dsWithError = NULL; - - // Start with clearing the pending state so that any other caller - // get their own timer, worse case it that we get a duplicate store. - dispatch_sync(engine->queue, ^{ - engine->save_timer_pending = false; - }); - - if (engine->dataSource) { - if (!SOSDataSourceWith(engine->dataSource, &dsWithError, ^(SOSTransactionRef txn, bool *commit) { - dispatch_sync(engine->queue, ^{ - CFErrorRef saveError = NULL; - if (!SOSEngineDoSave(engine, txn, &saveError)) { - secerrorq("Failed to save engine state: %@", saveError); - CFReleaseNull(saveError); - } - }); - })) { - secerrorq("Failed to open dataSource to save engine state: %@", dsWithError); - CFReleaseNull(dsWithError); - } - } - - xpc_transaction_end(); - }); - start_timer = true; - assert(engine->save_timer_pending == false); - } - - if (engine->save_timer_pending) - return; - - engine->save_timer_pending = true; - - // Start a trasaction, then start the timer, the handler for the timer will end - // the transaction. - xpc_transaction_begin(); - - // Set the timer's fire time to now + SOSENGINE_SAVE_TIMEOUT seconds with a SOSENGINE_SAVE_LEEWAY fuzz factor. 
- dispatch_source_set_timer(engine->save_timer, - dispatch_time(DISPATCH_TIME_NOW, SOSENGINE_SAVE_TIMEOUT), - DISPATCH_TIME_FOREVER, SOSENGINE_SAVE_LEEWAY); - - if (start_timer) - dispatch_resume(engine->save_timer); - -} #endif -#endif /* ENGINE_DELAY_SAVE */ - static bool SOSEngineSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { // Don't save engine state from tests if (!engine->dataSource) return true; -#if (TARGET_IPHONE_SIMULATOR) || !ENGINE_DELAY_SAVE +#if !TARGET_IPHONE_SIMULATOR return SOSEngineDoSave(engine, txn, error); -#else - SOSEngineShouldSave(engine); #endif return true; } 
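Review bot: After this hunk SOSEngineSave returns true without calling SOSEngineDoSave whenever TARGET_IPHONE_SIMULATOR is set, whereas the removed `#if (TARGET_IPHONE_SIMULATOR) || !ENGINE_DELAY_SAVE` branch did perform the save on the simulator; callers cannot tell "saved" from "skipped". If skipping is intended, say so in the code: `#else /* Simulator builds never persist engine state; report success so sync logic proceeds. */` between the existing `#if !TARGET_IPHONE_SIMULATOR` and `#endif`; otherwise drop the conditional and save unconditionally.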
@@ -815,33 +696,31 @@ static CFMutableDictionaryRef derStateToDictionaryCopy(CFDataRef state, CFErrorR } return stateDict; } +bool TestSOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) +{ + return SOSEngineLoadCoders(engine, txn, error); +} static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { // Read the serialized engine state from the datasource (aka keychain) and populate the in-memory engine bool ok = true; CFDataRef derCoders = NULL; CFMutableDictionaryRef codersDict = NULL; - derCoders = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEngineCoders, kSOSEngineProtectionDomainClassA, txn, error); require_quiet(derCoders, xit); codersDict = derStateToDictionaryCopy(derCoders, error); require_quiet(codersDict, xit); - CFDictionaryForEach(engine->peerMap, ^(const void *peerID, const void *peerState) { if (peerID) { - if (!CFDictionaryContainsKey(engine->coders, peerID)) { - CFDataRef coderData = asData(CFDictionaryGetValue(codersDict, peerID), NULL); + CFTypeRef coderRef = CFDictionaryGetValue(codersDict, peerID); + if (coderRef) { + CFDataRef coderData = asData(coderRef, NULL); if (coderData) { CFErrorRef createError = NULL; SOSCoderRef coder = SOSCoderCreateFromData(coderData, &createError); if (coder) { - // Sanity check - CFStringRef coderid = SOSCoderGetID(coder); - if (!CFEqualSafe(coderid, (CFStringRef)peerID)) { - secerror("Coder id %@ on disk does not match: %@", coderid, peerID); - } else { - CFDictionaryAddValue(engine->coders, peerID, coder); - } + CFDictionaryAddValue(engine->coders, peerID, coder); + secnotice("coder", "adding coder: %@ for peerid: %@", coder, peerID); } else { secnotice("coder", "Coder for '%@' failed to create: %@", peerID, createError); } 
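Review bot: SOSEngineLoadCoders no longer verifies that a coder decoded from disk belongs to the peer it is filed under — the removed `SOSCoderGetID(coder)` vs `peerID` comparison rejected a mismatched entry, while the new code calls `CFDictionaryAddValue(engine->coders, peerID, coder)` unconditionally, so a corrupted or mis-keyed persisted dictionary now attaches another peer's coder to this peer. Keep the check: `if (CFEqualSafe(SOSCoderGetID(coder), (CFStringRef)peerID)) { CFDictionaryAddValue(engine->coders, peerID, coder); } else { secerror("Coder id %@ on disk does not match: %@", SOSCoderGetID(coder), peerID); }`. The added `secnotice("coder", "adding coder: %@ for peerid: %@", coder, peerID)` prints the coder description at notice level on every load; log only the peer ID unless the description is known to be free of session state. The rest of the loop body continues in the next hunk.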
@@ -850,18 +729,26 @@ static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFEr } else { // Needed a coder, didn't find one, notify the account to help us out. // Next attempt to sync will fix this + secnotice("coder", "coder for %@ was not cf data: %@", peerID, coderData); SOSCCEnsurePeerRegistration(); } } + else{ + secnotice("coder", "didn't find coder for peer: %@ engine dictionary: %@", peerID, codersDict); + SOSCCEnsurePeerRegistration(); + } } }); + + engine->haveLoadedCoders = true; + xit: CFReleaseNull(derCoders); CFReleaseNull(codersDict); return ok; } - +#if !TARGET_IPHONE_SIMULATOR static bool SOSEngineDeleteV0State(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { // SOSDataSourceDeleteStateWithKey(engine->dataSource, kSOSEngineState, kSOSEngineProtectionDomainClassD, txn, error); @@ -876,7 +763,7 @@ static bool SOSEngineDeleteV0State(SOSEngineRef engine, SOSTransactionRef txn, C CFReleaseSafe(derState); return ok; } - +#endif static bool SOSEngineLoad(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { // Read the serialized engine state from the datasource (aka keychain) and populate the in-memory engine bool ok = true; @@ -1276,13 +1163,15 @@ static bool SOSEngineUpdateChanges_locked(SOSEngineRef engine, SOSTransactionRef // Only consider writing if we're in the WillCommit phase. // DidCommit phases happen outside the database lock and // writing to the DBConn will cause deadlocks. - if (mappedItemChanged) { + if (mappedItemChanged || source == kSOSDataSourceSOSTransaction) { // Write SOSEngine and SOSPeer state to disk + secnotice("engine", "saving engine state"); ok &= SOSEngineSave(engine, txn, error); } else { secnotice("engine", "Not saving engine state, nothing changed."); } } + break; } } 
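Review bot: The new log line `secnotice("coder", "coder for %@ was not cf data: %@", peerID, coderData)` always prints `(null)`, because it sits in the else branch of `if (coderData)`; the value worth seeing is the object that failed the `asData` check, `secnotice("coder", "coder for %@ was not cf data: %@", peerID, coderRef);`. The other new message dumps the whole `codersDict` (every peer's serialized coder) at notice level; `CFDictionaryGetCount(codersDict)` gives the same diagnostic without putting coder state into the log. `engine->haveLoadedCoders = true` is set only after the loop, so when nothing is persisted yet `require_quiet(derCoders, xit)` leaves the flag false; combined with the SOSEngineSetPeers_locked hunk below, that appears to make every peer update replace the in-memory coders with an empty set until a first save — if that is intended, a comment at `xit:` should say so.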
@@ -1607,32 +1496,33 @@ static bool SOSEngineSetPeers_locked(SOSEngineRef engine, SOSPeerMetaRef myPeerM // Start with no coders CFMutableDictionaryRef codersToKeep = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - // If we're the same peerID we keep known peers (both trusted and untrusted) - if (CFEqualSafe(myPeerID, engine->myID)) { - void (^copyPeerMetasCoder)(const void *value) = ^(const void*element) { - SOSPeerMetaRef peerMeta = (SOSPeerMetaRef) element; + if(engine->haveLoadedCoders){ + // If we're the same peerID we keep known peers (both trusted and untrusted) + if (CFEqualSafe(myPeerID, engine->myID)) { + void (^copyPeerMetasCoder)(const void *value) = ^(const void*element) { + SOSPeerMetaRef peerMeta = (SOSPeerMetaRef) element; - CFStringRef currentID = SOSPeerMetaGetComponents(peerMeta, NULL, NULL, NULL); - if (currentID) { - SOSCoderRef coder = (SOSCoderRef) CFDictionaryGetValue(engine->coders, currentID); - if (coder) { - CFDictionarySetValue(codersToKeep, currentID, coder); + CFStringRef currentID = SOSPeerMetaGetComponents(peerMeta, NULL, NULL, NULL); + if (currentID) { + SOSCoderRef coder = (SOSCoderRef) CFDictionaryGetValue(engine->coders, currentID); + if (coder) { + CFDictionarySetValue(codersToKeep, currentID, coder); + } } - } - }; + }; - if (trustedPeerMetas) { - CFArrayForEach(trustedPeerMetas, copyPeerMetasCoder); - } - if (untrustedPeerMetas) { - CFArrayForEach(untrustedPeerMetas, copyPeerMetasCoder); + if (trustedPeerMetas) { + CFArrayForEach(trustedPeerMetas, copyPeerMetasCoder); + } + if (untrustedPeerMetas) { + CFArrayForEach(untrustedPeerMetas, copyPeerMetasCoder); + } } - } - - CFTransferRetained(engine->coders, codersToKeep); - engine->codersNeedSaving = true; + engine->codersNeedSaving = true; + } CFRetainAssign(engine->myID, myPeerID); + CFTransferRetained(engine->coders, codersToKeep); // Remake engine->peerMap from both trusted and untrusted peers SOSEngineReferenceChangeTrackers(engine, trustedPeerMetas, 
untrustedPeerMetas, desc); @@ -2733,8 +2623,6 @@ void SOSEngineCircleChanged(SOSEngineRef engine, CFStringRef myPeerID, CFArrayRe __block bool peersOrViewsChanged = false; SOSEngineDoOnQueue(engine, ^{ peersOrViewsChanged = SOSEngineCircleChanged_locked(engine, myPeerID, trustedPeers, untrustedPeers); - engine->dirty = peersOrViewsChanged; - engine->codersNeedSaving = peersOrViewsChanged; }); __block bool ok = true; @@ -2798,7 +2686,7 @@ SOSPeerRef SOSEngineCopyPeerWithID(SOSEngineRef engine, CFStringRef peer_id, CFE return peer; } -bool SOSEngineForPeerIDNoCoder(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer)) { +bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer)) { __block bool ok = true; SOSDataSourceReadWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn) { SOSEngineDoOnQueue(engine, ^{ @@ -2815,24 +2703,6 @@ bool SOSEngineForPeerIDNoCoder(SOSEngineRef engine, CFStringRef peerID, CFErrorR return ok; } -bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder)) { - __block bool ok = true; - SOSDataSourceReadWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn) { - SOSEngineDoOnQueue(engine, ^{ - SOSPeerRef peer = SOSEngineCopyPeerWithID_locked(engine, peerID, error); - if (peer) { - SOSCoderRef coder = SOSEngineGetCoder_locked(engine, peerID, NULL); - forPeer(txn, peer, coder); - CFRelease(peer); - } else { - ok = false; - } - }); - }); - - return ok; -} - bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState)) { __block bool result = true; result &= SOSEngineDoTxnOnQueue(engine, error, ^(SOSTransactionRef txn, bool *commit) { 
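Review bot: `CFTransferRetained(engine->coders, codersToKeep)` now runs outside the new `if(engine->haveLoadedCoders)` block, so when the coders have not been loaded yet `codersToKeep` is still the empty dictionary created at "Start with no coders" and the engine's in-memory coders are discarded. A coder created meanwhile by SOSEngineEnsureCoder_locked (which sets `codersNeedSaving` in its hunk above) is lost from memory while the flag stays set, so the next SOSEngineSaveCoders would persist the emptied dictionary — SOSEngineSaveCoders only logs when `haveLoadedCoders` is false. If the intent is that on-disk coders stay authoritative until loaded, add a comment above the CFTransferRetained saying so and clear `codersNeedSaving` there; otherwise move the CFTransferRetained back inside the block. The function continues outside the hunk.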
@@ -2855,7 +2725,7 @@ bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *er CFDataRef SOSEngineCreateMessageToSyncToPeer(SOSEngineRef engine, CFStringRef peerID, SOSEnginePeerMessageSentBlock *sentBlock, CFErrorRef *error) { __block CFDataRef message = NULL; - SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) { + SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer) { message = SOSEngineCreateMessage_locked(engine, txn, peer, error, sentBlock); }); return message; @@ -2871,7 +2741,7 @@ bool SOSEngineSetPeerConfirmedManifest(SOSEngineRef engine, CFStringRef backupNa CFDataRef keybagDigest, CFDataRef manifestData, CFErrorRef *error) { __block bool ok = true; - ok &= SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) { + ok &= SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) { bool dirty = false; bool incomplete = false; SOSManifestRef confirmed = NULL; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h index c1f334bd..4d90cfae 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h 
@@ -100,8 +100,7 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef t SOSPeerRef SOSEngineCopyPeerWithID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error); // Operate on a peer with a given peer_id under the engine lock -bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder)); -bool SOSEngineForPeerIDNoCoder(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer)); +bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer)); // Modify a peer inside a transaction under then engine lock and optionally force an engine state save when done. bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState)); @@ -130,6 +129,8 @@ CFArrayRef SOSEngineCopyPeerConfirmedDigests(SOSEngineRef engine, CFErrorRef *er // Private do not use! SOSDataSourceRef SOSEngineGetDataSource(SOSEngineRef engine); bool SOSTestEngineSaveWithDER(SOSEngineRef engine, CFDataRef derState, CFErrorRef *error); +bool SOSTestEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error); +bool TestSOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error); // MARK: Sync completion notification registration diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEnginePriv.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSEnginePriv.h new file mode 100644 index 00000000..f66de33a --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEnginePriv.h 
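Review bot: The two test hooks declared here use different prefixes, `SOSTestEngineSaveCoders` and `TestSOSEngineLoadCoders`, while the neighbouring existing hook is `SOSTestEngineSaveWithDER`; renaming the second to `SOSTestEngineLoadCoders` (here and in SOSEngine.c) keeps the family greppable. Neither declaration says what it wraps or what the caller must hold — the underlying SOSEngineSaveCoders is commented "MUST hold engine lock" in SOSEngine.c — so add a line to each, e.g. `// Test-only wrapper around the static SOSEngineSaveCoders; caller must hold the engine lock and pass a live txn.`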
@@ -0,0 +1,48 @@ +// +// SOSEnginePriv.h +// sec +// +// + +#ifndef SOSEnginePriv_h +#define SOSEnginePriv_h + +#include +#include +#include + +/* SOSEngine implementation. */ +struct __OpaqueSOSEngine { + CFRuntimeBase _base; + SOSDataSourceRef dataSource; + CFStringRef myID; // My peerID in the circle + // We need to address the issues of corrupt keychain items + SOSManifestRef unreadable; // Possibly by having a set of unreadable items, to which we + // add any corrupted items in the db that have yet to be deleted. + // This happens if we notce corruption during a (read only) query. + // We would also perma-subtract unreadable from manifest whenever + // anyone asked for manifest. This result would be cached in + // The manifestCache below, so we just need a key into the cache + CFDataRef localMinusUnreadableDigest; // or a digest (CFDataRef of the right size). + + CFMutableDictionaryRef manifestCache; // digest -> ( refcount, manifest ) + CFMutableDictionaryRef peerMap; // peerId -> SOSPeerRef + CFDictionaryRef viewNameSet2ChangeTracker; // CFSetRef of CFStringRef -> SOSChangeTrackerRef + CFDictionaryRef viewName2ChangeTracker; // CFStringRef -> SOSChangeTrackerRef + CFArrayRef peerIDs; + CFDateRef lastTraceDate; // Last time we did a CloudKeychainTrace + CFMutableDictionaryRef coders; + bool haveLoadedCoders; + + bool codersNeedSaving; + + dispatch_queue_t queue; // Engine queue + + dispatch_source_t save_timer; // Engine state save timer + bool save_timer_pending; // Engine state timer running, read/modify on engine queue + + dispatch_queue_t syncCompleteQueue; // Non-retained queue for async notificaion + SOSEnginePeerInSyncBlock syncCompleteListener; // Block to call to notify the listener. +}; + +#endif /* SOSEnginePriv_h */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c index ef4f0640..ea916a4c 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c 
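Review bot: `dispatch_source_t save_timer` and `bool save_timer_pending` are carried into the new SOSEnginePriv.h although the only code that used them, SOSEngineShouldSave, is deleted in this same commit; drop the two fields or mark them `// unused: delayed-save path removed`. Moving the full `struct __OpaqueSOSEngine` into a shared header also lets other translation units write engine fields directly (SOSPeerCoder.c now does `engine->codersNeedSaving = true;`), bypassing the lock discipline documented on SOSEngineSaveCoders; a small accessor such as `void SOSEngineSetCodersNeedSaving(SOSEngineRef engine);` declared in SOSEngine.h would keep the struct private to SOSEngine.c. The header has no comment stating that it is for SOSEngine.c and its tests only; a one-line note at the top would make that explicit.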
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -104,6 +105,7 @@ xit: bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error) { bool ok = false; + secnotice("transport", "coder state: %@", coder); require_action_quiet(coder, xit, secerror("%@ getCoder: %@", peer_id, error ? *error : NULL)); if (SOSCoderCanWrap(coder)) { @@ -119,6 +121,7 @@ bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSTransactionRef txn, secnotice("transport", "%@ SOSCoderWrap failed: %@", peer_id, *error); } else { CFRetainAssign(*message_to_send, codedMessage); + engine->codersNeedSaving = true; } CFReleaseNull(codedMessage); } else { @@ -128,6 +131,7 @@ bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSTransactionRef txn, CFReleaseNull(message); } else { *message_to_send = SOSCoderCopyPendingResponse(coder); + engine->codersNeedSaving = true; secinfo("transport", "%@ negotiating, %@", peer_id, message_to_send ? CFSTR("sending negotiation message.") : CFSTR("waiting for negotiation message.")); *sent = Block_copy(^(bool wasSent){ if (wasSent) diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c index 69896bcf..282866ad 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c 
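Review bot: `secnotice("transport", "coder state: %@", coder)` in SOSPeerCoderSendMessageIfNeeded logs the coder's full description at notice level on every send attempt, and it runs before the `require_action_quiet(coder, ...)` so a NULL coder is logged as `(null)` and then reported again as an error. Notice-level lines persist in the system log, so if the description carries negotiation or session state this exposes it on every message; move the line after the require and reduce it to `secdebug("transport", "%@ coder: %@", peer_id, coder);`, or log a state summary rather than the object. The two new `engine->codersNeedSaving = true;` writes are correct only while this function is called under the engine lock, which the SOSEngineWithPeerID contract in SOSEngine.h promises; a comment `// caller holds the engine lock (SOSEngineWithPeerID)` next to the first write records that dependency.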
@@ -124,28 +124,33 @@ bool SOSTransportMessageSendMessageIfNeeded(SOSTransportMessageRef transport, CF __block bool ok = true; SOSEngineRef engine = SOSTransportMessageGetEngine(transport); - ok &= SOSEngineForPeerID(engine, peer_id, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) { - // Now under engine lock do stuff - CFDataRef message_to_send = NULL; - SOSEnginePeerMessageSentBlock sent = NULL; - ok = SOSPeerCoderSendMessageIfNeeded(engine, txn, peer, coder, &message_to_send, circle_id, peer_id, &sent, error); - if (message_to_send) { - CFDictionaryRef peer_dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, - peer_id, message_to_send, - NULL); - CFDictionaryRef circle_peers = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, - circle_id, peer_dict, - NULL); - ok = ok && SOSTransportMessageSendMessages(transport, circle_peers, error); - - SOSPeerCoderConsume(&sent, ok); - - CFReleaseSafe(peer_dict); - CFReleaseSafe(circle_peers); - } + ok &= SOSEngineWithPeerID(engine, peer_id, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) { + // Now under engine lock do stuff + CFDataRef message_to_send = NULL; + SOSEnginePeerMessageSentBlock sent = NULL; + ok = SOSPeerCoderSendMessageIfNeeded(engine, txn, peer, coder, &message_to_send, circle_id, peer_id, &sent, error); + if (message_to_send) { + CFDictionaryRef peer_dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + peer_id, message_to_send, + NULL); + CFDictionaryRef circle_peers = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + circle_id, peer_dict, + NULL); + ok = ok && SOSTransportMessageSendMessages(transport, circle_peers, error); + + SOSPeerCoderConsume(&sent, ok); + + CFReleaseSafe(peer_dict); + CFReleaseSafe(circle_peers); + }else{ + secnotice("transport", "no message to send to peer: %@", peer_id); + } + + Block_release(sent); + CFReleaseSafe(message_to_send); - Block_release(sent); - 
CFReleaseSafe(message_to_send); + *forceSaveState = ok; }); + return ok; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.h index 37c4c961..58c00a96 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.h @@ -3,7 +3,7 @@ #define SOSTransportMessage_h #include -#include // TODO: Remove when SOSEnginePeerMessageSentBlock moves to SOSPeer.h +#include #include typedef struct __OpaqueSOSTransportMessage *SOSTransportMessageRef; diff --git a/OSX/sec/SOSCircle/Tool/keychain_log.h b/OSX/sec/SOSCircle/Tool/keychain_log.h index f0b98a15..e10ab237 100644 --- a/OSX/sec/SOSCircle/Tool/keychain_log.h +++ b/OSX/sec/SOSCircle/Tool/keychain_log.h @@ -38,5 +38,6 @@ SECURITY_COMMAND( " -i info (current status)\n" " -D [itemName] dump contents of KVS\n" " -L list all known view and their status\n" + " -M string place a mark in the syslog - category \"mark\"\n" "\n", "iCloud Keychain Logging") diff --git a/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c b/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c index 1369991d..28392c45 100644 --- a/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c +++ b/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c @@ -331,6 +331,7 @@ static io_connect_t connect_to_keystore(void) } return keystore; } +#define DATA_ARG(x) (x) ? CFDataGetBytePtr((x)) : NULL, (x) ? (int)CFDataGetLength((x)) : 0 static CFDataRef create_keybag(keybag_handle_t bag_type, CFDataRef password) { @@ -349,7 +350,7 @@ static CFDataRef create_keybag(keybag_handle_t bag_type, CFDataRef password) kernResult = IOConnectCallMethod(keystore, kAppleKeyStoreKeyBagCreate, - inputs, num_inputs, NULL, 0, + inputs, num_inputs, DATA_ARG(password), outputs, &num_outputs, NULL, 0); if (kernResult) { 
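Review bot: `*forceSaveState = ok;` ties the forced state save to the outcome of SOSTransportMessageSendMessages, but SOSPeerCoderSendMessageIfNeeded (its hunk above) sets `engine->codersNeedSaving = true` as soon as the coder has wrapped a message or produced a pending response, i.e. before the send; when the send then fails the coder has advanced in memory but the save is not forced, and whether it is persisted depends on how SOSEngineWithPeerID treats `codersNeedSaving`, which is outside this diff. If the coder step alone should be persisted, record it before the send with `bool coderAdvanced = (message_to_send != NULL);` and finish with `*forceSaveState = ok || coderAdvanced;`. This block also re-introduces the `ok &= ... ^{ ok = ...; }` sequencing pattern already noted at SOSEngineInitializePeerCoder.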
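Review bot: `DATA_ARG(x)` expands to two comma-separated arguments built from unparenthesised conditional expressions; that works in the `IOConnectCallMethod(..., DATA_ARG(password), ...)` call here, but would misbind if the macro were used inside a larger expression, and nothing tells a reader that one token fills two parameters. Parenthesise each half and say what it is for: `/* Expands to the (ptr, len) pair IOConnectCallMethod expects for inputStruct; NULL, 0 when x is NULL. */` followed by `#define DATA_ARG(x) ((x) ? CFDataGetBytePtr((x)) : NULL), ((x) ? (size_t)CFDataGetLength((x)) : 0)`. The `size_t` cast matches IOConnectCallMethod's `inputStructCnt` parameter type, whereas `(int)` narrows CFIndex.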
diff --git a/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c b/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c index 9e10fffb..258830d0 100644 --- a/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c +++ b/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c @@ -24,7 +24,7 @@ #include "Security_regressions.h" -#if !TARGET_OS_WATCH && !TARGET_OS_TV +#if TARGET_OS_IOS #define WAIT_WHILE(X) { while ((X)) { (void)CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, TRUE); } } @@ -161,7 +161,7 @@ static void tests(void) int si_76_shared_credentials(int argc, char *const *argv) { -#if !TARGET_OS_WATCH && !TARGET_OS_TV +#if TARGET_OS_IOS plan_tests(12); tests(); #else diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist.m b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist.m new file mode 100644 index 00000000..97f17bcf --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist.m 
@@ -0,0 +1,406 @@
+/*
+ * si-84-sectrust-allowlist.c
+ * Security
+ *
+ * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved.
+ */
+
+#include
+#import
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "shared_regressions.h"
+
+#include "si-84-sectrust-allowlist/cnnic_certs.h"
+#include "si-84-sectrust-allowlist/wosign_certs.h"
+#include "si-84-sectrust-allowlist/date_testing_certs.h"
+
+
+static SecCertificateRef createCertFromStaticData(const UInt8 *certData, CFIndex certLength)
+{
+ SecCertificateRef cert = NULL;
+ CFDataRef data = CFDataCreateWithBytesNoCopy(NULL, certData, certLength, kCFAllocatorNull);
+ if (data) {
+ cert = SecCertificateCreateWithData(NULL, data);
+ CFRelease(data);
+ }
+ return cert;
+}
+
+static void TestLeafOnAllowList()
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ CFArrayRef certArray = NULL;
+ CFArrayRef anchorsArray = NULL;
+
+ isnt(certs[0] = createCertFromStaticData(leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)),
+ NULL, "allowlist: create leaf cert");
+ isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+ NULL, "allowlist: create intermediate ca 1");
+ isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+ NULL, "allowlist: create intermediate ca 2");
+ isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+ NULL, "allowlist: create root");
+
+ isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create cert array");
+
+ /* create a trust reference with basic policy */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "allowlist: create policy");
+ ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "allowlist: create trust");
+
+ /* set evaluate date: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "allowlist: create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "allowlist: set verify date");
+
+ /* use a known root CA at this point in time to anchor the chain */
+ isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create anchors array");
+ ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "allowlist: set anchors");
+
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ ok_status(SecTrustEvaluate(trust, &trustResult), "allowlist: evaluate");
+
+ /* expected result is kSecTrustResultUnspecified since cert is on allow list and its issuer chains to a trusted root */
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+
+ /* clean up */
+ for(CFIndex idx=0; idx < 4; idx++) {
+ if (certs[idx]) { CFRelease(certs[idx]); }
+ }
+ if (policy) { CFRelease(policy); }
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+ if (certArray) { CFRelease(certArray); }
+ if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestLeafNotOnAllowList()
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ CFArrayRef certArray = NULL;
+ CFArrayRef anchorsArray = NULL;
+
+ isnt(certs[0] = createCertFromStaticData(leafNotOnAllowList_Cert, sizeof(leafNotOnAllowList_Cert)),
+ NULL, "!allowlist: create leaf cert");
+ isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+ NULL, "!allowlist: create intermediate ca 1");
+ isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+ NULL, "!allowlist: create intermediate ca 2");
+ isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+ NULL, "!allowlist: create root");
+
+ isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+ NULL, "!allowlist: create cert array");
+
+ /* create a trust reference with basic policy */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "!allowlist: create policy");
+ ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "!allowlist: create trust");
+
+ /* set evaluate date: September 7, 2016 at 9:00:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495000000.0), NULL, "!allowlist: create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "!allowlist: set verify date");
+
+ /* use a known root CA at this point in time to anchor the chain */
+ isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create anchors array");
+ ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "!allowlist: set anchors");
+
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ ok_status(SecTrustEvaluate(trust, &trustResult), "!allowlist: evaluate");
+
+ /* expected result is kSecTrustResultRecoverableTrustFailure (if issuer is distrusted)
+ or kSecTrustResultFatalTrustFailure (if issuer is revoked), since cert is not on allow list */
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure ||
+ trustResult == kSecTrustResultFatalTrustFailure,
+ "trustResult 5 or 6 expected (got %d)", (int)trustResult);
+
+ /* clean up */
+ for(CFIndex idx=0; idx < 4; idx++) {
+ if (certs[idx]) { CFRelease(certs[idx]); }
+ }
+ if (policy) { CFRelease(policy); }
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+ if (certArray) { CFRelease(certArray); }
+ if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestAllowListForRootCA(void)
+{
+ SecCertificateRef test0[2] = {NULL,NULL};
+ SecCertificateRef test1[2] = {NULL,NULL};
+ SecCertificateRef test1e[2] = {NULL,NULL};
+ SecCertificateRef test2[2] = {NULL,NULL};
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ SecTrustResultType trustResult;
+
+ isnt(test0[0] = createCertFromStaticData(cert0, sizeof(cert0)),
+ NULL, "create first leaf");
+ isnt(test1[0] = createCertFromStaticData(cert1, sizeof(cert1)),
+ NULL, "create second leaf");
+ isnt(test1e[0] = createCertFromStaticData(cert1_expired, sizeof(cert1_expired)),
+ NULL, "create second leaf (expired)");
+ isnt(test2[0] = createCertFromStaticData(cert2, sizeof(cert2)),
+ NULL, "create third leaf");
+
+ isnt(test0[1] = createCertFromStaticData(intermediate0, sizeof(intermediate0)),
+ NULL, "create intermediate");
+ isnt(test1[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+ NULL, "create intermediate");
+ isnt(test1e[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+ NULL, "create intermediate");
+ isnt(test2[1] = createCertFromStaticData(intermediate2, sizeof(intermediate2)),
+ NULL, "create intermediate");
+
+ CFArrayRef certs0 = CFArrayCreate(kCFAllocatorDefault, (const void **)test0, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs1 = CFArrayCreate(kCFAllocatorDefault, (const void **)test1, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs1e = CFArrayCreate(kCFAllocatorDefault, (const void **)test1e, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs2 = CFArrayCreate(kCFAllocatorDefault, (const void **)test2, 2, &kCFTypeArrayCallBacks);
+
+ /*
+ * Whitelisted certificates issued by untrusted root CA.
+ */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy");
+ ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ ok_status(SecTrustCreateWithCertificates(certs2, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ /*
+ * Same certificate, on allow list but past expiration. Expect to fail.
+ */
+ if (date) { CFRelease(date); }
+ isnt(date = CFDateCreate(NULL, 667680000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set date to far future so certs are expired");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ /*
+ * Expired certificate not on allow list. Expect to fail.
+ */
+ ok_status(SecTrustCreateWithCertificates(certs1e, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+
+ /* Clean up. */
+ if (policy) { CFRelease(policy); }
+ if (certs0) { CFRelease(certs0); }
+ if (certs1) { CFRelease(certs1); }
+ if (certs1e) { CFRelease(certs1e); }
+ if (certs2) { CFRelease(certs2); }
+
+ if (test0[0]) { CFRelease(test0[0]); }
+ if (test0[1]) { CFRelease(test0[1]); }
+ if (test1[0]) { CFRelease(test1[0]); }
+ if (test1[1]) { CFRelease(test1[1]); }
+ if (test1e[0]) { CFRelease(test1e[0]); }
+ if (test1e[1]) { CFRelease(test1e[1]); }
+ if (test2[0]) { CFRelease(test2[0]); }
+ if (test2[1]) { CFRelease(test2[1]); }
+}
+
+static void TestDateBasedAllowListForRootCA(void) {
+ SecCertificateRef root = NULL, beforeInt = NULL, afterInt = NULL,
+ beforeLeaf = NULL, afterLeaf = NULL;
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ NSArray *anchors = nil, *certs = nil;
+ NSDate *verifyDate = nil;
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+
+ require(root = SecCertificateCreateWithBytes(NULL, _datetest_root, sizeof(_datetest_root)), out);
+ require(beforeInt = SecCertificateCreateWithBytes(NULL, _datetest_before_int, sizeof(_datetest_before_int)), out);
+ require(afterInt = SecCertificateCreateWithBytes(NULL, _datetest_after_int, sizeof(_datetest_after_int)), out);
+ require(beforeLeaf = SecCertificateCreateWithBytes(NULL, _datetest_before_leaf, sizeof(_datetest_before_leaf)), out);
+ require(afterLeaf = SecCertificateCreateWithBytes(NULL, _datetest_after_leaf, sizeof(_datetest_after_leaf)), out);
+
+ anchors = @[(__bridge id)root];
+ require(policy = SecPolicyCreateSSL(true, CFSTR("testserver.apple.com")), out);
+ verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:504000000.0]; /* 21 Dec 2016 */
+
+ /* Leaf issued before cutoff should pass */
+ certs = @[(__bridge id)beforeLeaf, (__bridge id)beforeInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultUnspecified, "leaf issued before cutoff failed evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Leaf issued after cutoff should fail */
+ certs = @[(__bridge id)afterLeaf, (__bridge id)beforeInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "leaf issued after cutoff succeeded evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Intermediate issued after cutoff should fail (even for leaf issued before) */
+ certs = @[(__bridge id)beforeLeaf, (__bridge id)afterInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "intermediate issued after cutoff succeeded evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Intermediate issued after cutoff should fail */
+ certs = @[(__bridge id)afterLeaf, (__bridge id)afterInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "intermediate issued before cutoff succeeded evaluation");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Leaf issued before cutoff should choose acceptable path */
+ certs = @[(__bridge id)beforeLeaf, (__bridge id) afterInt, (__bridge id)beforeInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultUnspecified, "leaf issued before cutoff failed evaluation (multi-path)");
+ CFReleaseNull(trust);
+ trustResult = kSecTrustResultInvalid;
+
+ /* No good path for leaf issued after cutoff */
+ certs = @[(__bridge id)afterLeaf, (__bridge id)beforeInt, (__bridge id)afterInt];
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultFatalTrustFailure, "leaf issued after cutoff succeeded evaluation (multi-path)");
+
+out:
+ CFReleaseNull(root);
+ CFReleaseNull(beforeInt);
+ CFReleaseNull(afterInt);
+ CFReleaseNull(beforeLeaf);
+ CFReleaseNull(afterLeaf);
+ CFReleaseNull(policy);
+ CFReleaseNull(trust);
+}
+
+static void TestLeafOnAllowListOtherFailures(void)
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ NSArray *anchors = nil, *certArray = nil;
+ NSDate *verifyDate = nil;
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+
+ memset(certs, 0, 4 * sizeof(SecCertificateRef));
+
+ require(certs[0] = SecCertificateCreateWithBytes(NULL, leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)), out);
+ require(certs[1] = SecCertificateCreateWithBytes(NULL, ca1_Cert, sizeof(ca1_Cert)), out);
+ require(certs[2] = SecCertificateCreateWithBytes(NULL, ca2_Cert, sizeof(ca2_Cert)), out);
+ require(certs[3] = SecCertificateCreateWithBytes(NULL, root_Cert, sizeof(root_Cert)), out);
+
+ anchors = @[(__bridge id)certs[3]];
+ certArray = @[(__bridge id)certs[0], (__bridge id)certs[1], (__bridge id)certs[2], (__bridge id)certs[3]];
+ verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:495405000.0];
+
+ /* Mismatched hostname, should fail */
+ require(policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)@"wrong.hostname.com"), out);
+ require_noerr(SecTrustCreateWithCertificates((__bridge CFArrayRef)certArray, policy, &trust), out);
+ require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out);
+ require_noerr(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultRecoverableTrustFailure, "hostname failure with cert on allow list succeeded evaluation");
+ CFReleaseNull(policy);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Wrong EKU, should fail */
+ require(policy = SecPolicyCreateCodeSigning(), out);
+ require_noerr(SecTrustSetPolicies(trust, policy), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultRecoverableTrustFailure, "EKU failure with cert on allow list succeeded evaluation");
+ CFReleaseNull(policy);
+ trustResult = kSecTrustResultInvalid;
+
+ /* Apple pinning policy, should fail */
+ require(policy = SecPolicyCreateAppleSSLPinned((__bridge CFStringRef)@"aPolicy",
+ (__bridge CFStringRef)@"telegram.im", NULL,
+ (__bridge CFStringRef)@"1.2.840.113635.100.6.27.12"), out);
+ require_noerr(SecTrustSetPolicies(trust, policy), out);
+ require_noerr(SecTrustEvaluate(trust, &trustResult), out);
+ is(trustResult, kSecTrustResultRecoverableTrustFailure, "Apple pinning policy with cert on allow list succeeded evaluation");
+
+ out:
+ CFReleaseNull(certs[0]);
+ CFReleaseNull(certs[1]);
+ CFReleaseNull(certs[2]);
+ CFReleaseNull(certs[3]);
+ CFReleaseNull(policy);
+ CFReleaseNull(trust);
+}
+
+static void tests(void)
+{
+ TestAllowListForRootCA();
+ TestLeafOnAllowList();
+ TestLeafNotOnAllowList();
+ TestDateBasedAllowListForRootCA();
+ TestLeafOnAllowListOtherFailures();
+}
+
+int si_84_sectrust_allowlist(int argc, char *const *argv)
+{
+ plan_tests(68);
+ tests();
+
+ return 0;
+}
diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/cnnic_certs.h b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/cnnic_certs.h
new file mode 100644
index 00000000..50e99fdf
--- /dev/null
+++ b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/cnnic_certs.h
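Review bot: In TestDateBasedAllowListForRootCA the fourth case evaluates `afterLeaf` with `afterInt`, yet its heading repeats the third case's `/* Intermediate issued after cutoff should fail */` and its failure message reads `"intermediate issued before cutoff succeeded evaluation"`, the opposite of what is exercised, so a failing run would send the reader to the wrong case; suggest `/* Both leaf and intermediate issued after cutoff should fail */` and `is(trustResult, kSecTrustResultFatalTrustFailure, "leaf and intermediate issued after cutoff succeeded evaluation");`. A smaller slip of the same kind: TestLeafNotOnAllowList labels its anchors-array check `"allowlist: create anchors array"` while every sibling check there carries the `"!allowlist: "` prefix. Separately, TestLeafOnAllowList and TestLeafNotOnAllowList hand `certs` to CFArrayCreate with kCFTypeArrayCallBacks even when one of the preceding `isnt` checks failed, since `isnt` only records the failure; a NULL element would most likely crash the run instead of reporting it, whereas TestLeafOnAllowListOtherFailures already uses the `require(..., out)` pattern that bails out cleanly, and aligning the two older tests with it would keep a bad test vector from taking down the whole suite.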
@@ -0,0 +1,600 @@ +/* + * cnnic_certs.h + * Security + * + * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved. + */ + +#ifndef cnnic_certs_h +#define cnnic_certs_h + + +/* On allow list until: + Not After : Mar 9 07:45:00 2018 GMT + */ +static const UInt8 cert0[] = { + 0x30,0x82,0x05,0x44,0x30,0x82,0x04,0x2c,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00, + 0x9d,0x12,0x4b,0xdb,0x57,0xb7,0x9f,0xba,0x33,0xf6,0x44,0xd9,0x10,0x40,0x48,0x4c, + 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30, + 0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19, + 0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53, + 0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x31,0x19,0x30,0x17,0x06,0x03,0x55, + 0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36, + 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x35,0x30,0x33,0x30,0x39,0x30,0x37, + 0x34,0x35,0x30,0x30,0x5a,0x17,0x0d,0x31,0x38,0x30,0x33,0x30,0x39,0x30,0x37,0x34, + 0x35,0x30,0x30,0x5a,0x30,0x79,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x53,0x17, + 0x4e,0xac,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x07,0x1e,0x04,0x53,0x17,0x4e, + 0xac,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x0a,0x1e,0x1a,0x53,0x17,0x4e,0xac, + 0x74,0x5e,0x94,0xb1,0x5b,0x9d,0x4f,0xe1,0x60,0x6f,0x67,0x0d,0x52,0xa1,0x67,0x09, + 0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x0b,0x1e, + 0x06,0x7f,0x51,0x7e,0xdc,0x90,0xe8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03, + 0x13,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x30, + 0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01, + 0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00, + 0xfc,0x09,0x73,0x1d,0x18,0x75,0xbd,0x7f,0xf5,0xce,0x9e,0x6e,0x26,0x1c,0xbd,0xca, + 
0xc7,0x1b,0x75,0x45,0x13,0x1e,0xe4,0x52,0x7e,0x78,0xe9,0x1c,0x79,0xa1,0x02,0xd8, + 0x3d,0xc6,0xc5,0x6f,0x7b,0xbd,0xae,0xc7,0x3b,0xe6,0x45,0xc2,0xe9,0xc9,0x32,0x2d, + 0xd4,0xda,0x7a,0x93,0x79,0x30,0xce,0xec,0x6f,0xf5,0x0d,0x2d,0xde,0xa4,0xce,0xbd, + 0x40,0xfb,0xda,0x7d,0x48,0x7d,0x98,0x02,0x17,0x75,0x99,0x65,0x68,0x1c,0xbb,0x92, + 0x29,0x16,0xdc,0xc6,0x1d,0x1d,0x19,0x1b,0x94,0x17,0x6e,0x93,0xd8,0x57,0xaa,0x00, + 0xf9,0xa2,0x37,0x9a,0xde,0x65,0xc2,0xce,0xa5,0xae,0x80,0xa7,0x56,0xab,0x8c,0xc8, + 0x6a,0x3d,0xbe,0x86,0xe1,0x13,0x69,0x41,0x4b,0xe9,0xfa,0xd9,0xa5,0x63,0x8f,0xba, + 0x02,0x15,0x09,0xca,0xf9,0x27,0x0f,0xea,0x90,0x4f,0x5d,0xa5,0x66,0x51,0xad,0xc8, + 0xff,0x2d,0xf3,0xd4,0x7c,0xd3,0x06,0xe8,0xc2,0xdc,0x08,0x63,0x3d,0x69,0xb6,0x89, + 0x5f,0x3f,0x9c,0xdc,0x21,0xa8,0xbd,0x0a,0xbe,0xc2,0x0e,0x08,0x06,0x05,0xb7,0x46, + 0x96,0xec,0x08,0x5c,0xb9,0xef,0xfa,0x4b,0xd1,0x60,0x10,0xac,0xc8,0x88,0xbf,0xb7, + 0xb1,0xb1,0x7a,0x55,0xdd,0xd9,0x96,0x06,0x5b,0xfb,0xc2,0xa5,0xd4,0x9c,0xde,0x24, + 0x0c,0x7e,0x22,0x59,0xb0,0xa6,0x7a,0xc7,0x18,0x02,0x6c,0x1a,0x21,0x8c,0x79,0x8a, + 0xc5,0xbb,0x10,0x54,0x1b,0x77,0x04,0xcf,0x46,0x60,0x36,0x42,0xfb,0x8a,0x13,0xf7, + 0xa0,0xd6,0x03,0x33,0xb6,0xc4,0x1e,0x08,0x58,0x5d,0xb3,0xd3,0xc3,0x6c,0x0e,0x9f, + 0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xfb,0x30,0x82,0x01,0xf7,0x30,0x09,0x06, + 0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x73,0x06,0x08,0x2b,0x06,0x01,0x05, + 0x05,0x07,0x01,0x01,0x04,0x67,0x30,0x65,0x30,0x28,0x06,0x08,0x2b,0x06,0x01,0x05, + 0x05,0x07,0x30,0x01,0x86,0x1c,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73, + 0x70,0x73,0x68,0x61,0x32,0x73,0x73,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63, + 0x6e,0x2f,0x30,0x39,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x2d, + 0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63, + 0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72, + 0x74,0x2f,0x53,0x48,0x41,0x32,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x36,0x06, + 
0x03,0x55,0x1d,0x11,0x04,0x2f,0x30,0x2d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71, + 0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69, + 0x71,0x62,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,0x71, + 0x74,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02, + 0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x50,0x0e,0x94, + 0x7e,0x68,0x20,0x2d,0x95,0x58,0x3f,0x8f,0x51,0xa6,0xdd,0x5a,0xb9,0xef,0xfe,0xf0, + 0x50,0x30,0x1d,0x06,0x03,0x55,0x1d,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2b,0x06, + 0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02, + 0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xb7,0xd1,0x59, + 0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53, + 0x3c,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a, + 0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x01,0x30,0x26,0x30,0x24,0x06,0x08, + 0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f, + 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70, + 0x73,0x2f,0x30,0x81,0x8f,0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x87,0x30,0x81,0x84, + 0x30,0x4d,0xa0,0x4b,0xa0,0x49,0xa4,0x47,0x30,0x45,0x31,0x0b,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a, + 0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53, + 0x53,0x4c,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,0x63,0x72,0x6c, + 0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,0x6c,0x31,0x30, + 0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,0x72, + 0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c, + 0x6f,0x61,0x64,0x2f,0x73,0x68,0x61,0x32,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31, + 0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01, + 
0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x26,0xa8,0x7c,0x88,0x57,0xb7,0xe2,0xa0, + 0xf5,0x55,0xbb,0x93,0xa1,0xea,0xc2,0x0a,0x82,0xa1,0x82,0x3d,0xe1,0x85,0xfe,0x26, + 0x95,0x5f,0x16,0x13,0x88,0x87,0x2d,0x6f,0xbe,0x0a,0xe8,0xe7,0x04,0xcd,0xa5,0x9e, + 0xac,0x69,0xd5,0xa0,0x81,0x27,0x91,0xdc,0xcd,0xa6,0xbd,0x62,0x0c,0x67,0x3f,0x39, + 0xdf,0x23,0xa8,0xf5,0xd5,0xb6,0xa8,0x14,0x93,0x80,0x0b,0x17,0x04,0xbd,0x0a,0x75, + 0x74,0x34,0x26,0xf6,0x46,0x82,0x34,0x1d,0x26,0x06,0x43,0x2a,0xd8,0xff,0x0e,0xf1, + 0xf0,0xf1,0x74,0x8b,0x17,0x9a,0x6d,0x24,0x90,0x8d,0x35,0x69,0xc4,0xff,0xf7,0x6a, + 0x81,0x00,0x27,0x11,0xd5,0xc7,0xc4,0xac,0x98,0x15,0x20,0xe7,0x90,0x8a,0xb7,0x3d, + 0xdf,0xbf,0x18,0x7f,0x7c,0xa7,0x38,0x42,0xa7,0xe2,0x94,0xda,0xcb,0xb5,0x84,0x67, + 0x9d,0x82,0x37,0x58,0xa0,0x7f,0x06,0xcb,0xf5,0x3b,0x22,0x8f,0x54,0x19,0x8e,0xad, + 0x82,0x14,0xf3,0x8f,0xcd,0x55,0x93,0xb6,0xa7,0xdb,0xf5,0x25,0xd9,0x04,0x7c,0x69, + 0xc7,0x08,0x7e,0x32,0xcb,0xce,0x9d,0xb2,0x45,0x25,0x61,0x6b,0x7b,0xd3,0xb0,0x2a, + 0xd1,0xa8,0x1c,0xab,0x5b,0x3f,0x1d,0x8f,0xbd,0x46,0xb8,0x0d,0x33,0x4b,0xc9,0x3b, + 0x94,0x7f,0xa8,0x28,0x0f,0xa8,0xb7,0xbc,0x0d,0xcf,0xf7,0x7e,0xc1,0xcf,0xc7,0xf2, + 0x2f,0x1d,0x77,0xe4,0xdc,0x15,0xb0,0x42,0x0c,0x4d,0xd2,0x8d,0x6e,0x58,0x31,0x5b, + 0x5f,0xc9,0x4f,0x43,0x53,0x76,0x7b,0x2a,0xd6,0x65,0x93,0x28,0xb4,0xb8,0xdc,0x3c, + 0x3c,0x03,0xcc,0x5e,0x9f,0x52,0x28,0x9a, +}; + +/* On allow list until: + Not After : Dec 24 08:34:15 2016 GMT + */ +static const UInt8 cert1[1475]={ + 0x30,0x82,0x05,0xBF,0x30,0x82,0x04,0xA7,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x1A, + 0x2F,0xDD,0xD9,0x35,0x3B,0x65,0xEE,0x1B,0xB4,0x66,0x19,0x4D,0xF3,0x10,0xE1,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x58, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30, + 0x30,0x06,0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E, + 0x74,0x65,0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49, + 
0x6E,0x66,0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65, + 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0C,0x0C,0x43,0x4E,0x4E,0x49, + 0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x32, + 0x32,0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x17,0x0D,0x31,0x36,0x31,0x32,0x32, + 0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x30,0x81,0xF3,0x31,0x1B,0x30,0x19,0x06, + 0x03,0x55,0x04,0x0F,0x13,0x12,0x56,0x31,0x2E,0x30,0x2C,0x20,0x43,0x6C,0x61,0x75, + 0x73,0x65,0x20,0x35,0x2E,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04, + 0x05,0x13,0x0F,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x33,0x39,0x33,0x39, + 0x35,0x39,0x31,0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C, + 0x02,0x01,0x03,0x13,0x02,0x43,0x4E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01, + 0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,0x13,0x07,0x53,0x69,0x63,0x68,0x75,0x61, + 0x6E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02, + 0x01,0x01,0x13,0x07,0x63,0x68,0x65,0x6E,0x67,0x44,0x75,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04, + 0x08,0x1E,0x04,0x56,0xDB,0x5D,0xDD,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x07, + 0x1E,0x04,0x62,0x10,0x90,0xFD,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0A,0x1E, + 0x14,0x56,0xDB,0x5D,0xDD,0x9E,0x4F,0x59,0x29,0x62,0x95,0x8D,0x44,0x67,0x09,0x96, + 0x50,0x51,0x6C,0x53,0xF8,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x0B,0x1E,0x06, + 0x62,0x80,0x67,0x2F,0x90,0xE8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13, + 0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x82, + 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, + 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0x99, + 0x31,0x25,0x93,0xE0,0x9A,0x65,0x36,0xCC,0x16,0x86,0xAF,0xBF,0x0D,0x2D,0x0B,0xE6, + 0x9A,0xD5,0x00,0x89,0xAD,0x6B,0x49,0x59,0x10,0x74,0x3A,0xA7,0x4F,0xEB,0xBD,0xC0, + 
0xEE,0x46,0x1A,0x4E,0x9B,0x96,0x20,0xD7,0x2C,0xF8,0x93,0x5C,0x2A,0xAF,0x57,0x15, + 0x0C,0x57,0x3A,0xD0,0x25,0x92,0x2E,0x18,0xB4,0xDF,0xD8,0x3E,0xA2,0xC0,0xC6,0x5E, + 0x7A,0xD1,0xDA,0xAD,0x99,0x12,0x24,0x04,0xA1,0x42,0x5A,0xB0,0x42,0x3A,0x4F,0x02, + 0xDE,0x8A,0x55,0xD7,0xB0,0x24,0x97,0x62,0xF9,0x95,0x70,0xFA,0xA8,0x81,0xFC,0x3A, + 0xB5,0xA0,0x94,0x8E,0x42,0x89,0xF9,0x15,0x4B,0x06,0xD8,0xA1,0xC7,0xB0,0xC8,0x94, + 0x03,0x57,0xF0,0x01,0xDB,0x0D,0x85,0xFD,0xA1,0xCD,0x1D,0x3C,0xF5,0x14,0x6C,0x79, + 0x46,0xCF,0x00,0x3A,0x6C,0x74,0xD9,0x79,0xFD,0x9C,0xD9,0x61,0x7D,0x84,0x4F,0x82, + 0x2A,0x40,0x00,0x58,0x2C,0xF0,0x3A,0xDF,0xD4,0x8A,0x39,0x24,0x5C,0xB1,0xA6,0xAD, + 0x02,0x4C,0x16,0xCE,0x82,0xE6,0x22,0x32,0xC2,0x2A,0x93,0x94,0x25,0x5D,0x42,0xF9, + 0xD2,0x2B,0xD5,0x9F,0xDB,0x45,0x51,0xE4,0x0E,0xD4,0x48,0x12,0xB1,0x67,0xF4,0x6D, + 0x91,0x86,0xBC,0xFB,0xC6,0xE6,0xA0,0x7F,0x2B,0x8F,0xFB,0x67,0xEA,0x5D,0xAB,0x73, + 0xDD,0x9D,0x40,0xFA,0xF7,0xDC,0xDE,0x48,0x20,0x47,0x32,0xC0,0xD1,0x98,0x4F,0x81, + 0xDF,0xAF,0x96,0xDB,0x83,0xEE,0xC5,0x3A,0x4E,0x67,0xE1,0xF4,0x83,0x27,0x46,0x0D, + 0x78,0xB1,0xC6,0x42,0xEF,0xD9,0x76,0xD3,0xAC,0x7C,0x5A,0xF8,0x09,0xCF,0x0B,0x02, + 0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0xE7,0x30,0x82,0x01,0xE3,0x30,0x09,0x06,0x03, + 0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70, + 0x65,0x76,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x30,0x3C,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, + 0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77, + 0x6E,0x6C,0x6F,0x61,0x64,0x2F,0x63,0x65,0x72,0x74,0x2F,0x43,0x4E,0x4E,0x49,0x43, + 0x45,0x56,0x53,0x53,0x4C,0x2E,0x63,0x65,0x72,0x30,0x18,0x06,0x03,0x55,0x1D,0x11, + 0x04,0x11,0x30,0x0F,0x82,0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E, + 
0x63,0x6F,0x6D,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0, + 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x04,0x26,0xBE,0x73,0x88, + 0x8C,0xF6,0x64,0xBA,0xBB,0x09,0x34,0x7A,0x09,0xF9,0x51,0x57,0x43,0x8D,0x86,0x30, + 0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, + 0x14,0x0C,0xCF,0xB4,0x48,0x2C,0x50,0xE8,0x8B,0xD2,0x72,0xFD,0x1C,0xF0,0x2F,0xBC, + 0x52,0xAB,0x2B,0x69,0x5E,0x30,0x3F,0x06,0x03,0x55,0x1D,0x20,0x04,0x38,0x30,0x36, + 0x30,0x34,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x81,0xE9,0x0C,0x01,0x0A,0x30,0x26, + 0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74, + 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63, + 0x6E,0x2F,0x63,0x70,0x73,0x2F,0x30,0x81,0xA6,0x06,0x03,0x55,0x1D,0x1F,0x04,0x81, + 0x9E,0x30,0x81,0x9B,0x30,0x66,0xA0,0x64,0xA0,0x62,0xA4,0x60,0x30,0x5E,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,0x30,0x06, + 0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,0x74,0x65, + 0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,0x6E,0x66, + 0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,0x72,0x31, + 0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x0C,0x03,0x63,0x72,0x6C,0x31,0x0D,0x30, + 0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,0x63,0x72,0x6C,0x31,0x30,0x31,0xA0,0x2F, + 0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63, + 0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64, + 0x2F,0x65,0x76,0x63,0x72,0x6C,0x2F,0x63,0x72,0x6C,0x31,0x2E,0x63,0x72,0x6C,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0xA3,0xDE,0x24,0x78,0xF5,0x07,0x23,0xEC,0x77,0x62,0x71,0x60,0x01, + 0xAE,0xC7,0xBD,0x49,0x8D,0x40,0x0C,0x49,0xAE,0x1A,0x47,0x2B,0x22,0xAE,0x66,0x2B, + 
0x34,0x83,0xAD,0x17,0xA1,0x45,0xC7,0xEC,0x16,0x80,0x2F,0x24,0x41,0xDF,0xFF,0xB0, + 0x9D,0xE0,0x47,0x51,0x53,0x10,0xDC,0x85,0xC3,0xF9,0x72,0x3A,0xC9,0x79,0x22,0x89, + 0xD4,0xCB,0x40,0x60,0x7E,0x3E,0x86,0x52,0x01,0xD2,0xA5,0x41,0x57,0x0C,0xB0,0x5C, + 0xDD,0x24,0x0E,0xB2,0xF4,0x7E,0xB7,0x45,0xCE,0xA2,0x1B,0x3B,0x77,0xC6,0x9B,0x1E, + 0x7D,0x7F,0x42,0x53,0xE4,0xF4,0xE6,0x84,0xFD,0xCC,0x27,0xB2,0xC9,0x72,0x30,0x09, + 0xEE,0xC7,0x8B,0xE5,0xBF,0x2C,0x3B,0x73,0xA0,0x9C,0xD8,0x3E,0x81,0xED,0xB4,0x74, + 0x88,0x67,0x99,0x69,0xE5,0x3A,0x3C,0x5A,0xA4,0xE4,0xD3,0x6D,0xBF,0xF6,0xF0,0x0C, + 0x92,0x9C,0xB4,0x53,0x39,0x70,0x9A,0x3D,0xF4,0x3F,0x9D,0x07,0x66,0x3F,0x85,0x09, + 0x07,0x8E,0x5C,0x9D,0x83,0x23,0x0F,0x45,0xE7,0x3C,0xE5,0x7F,0x6C,0x0C,0x29,0x3B, + 0x2B,0x5D,0xE2,0xB7,0xCB,0x0E,0xEF,0xC8,0x14,0x4C,0x30,0xD0,0xD0,0x9C,0x7D,0x8E, + 0x67,0x94,0xD9,0xB2,0x71,0x7E,0x74,0x0F,0x5C,0xD7,0xB5,0xFB,0x35,0x13,0x3F,0x05, + 0xD7,0x7C,0x08,0x2F,0x7A,0x31,0x78,0x99,0xF8,0x76,0x0D,0xB3,0xFB,0xD2,0xD3,0x6C, + 0xC7,0x32,0x61,0x2E,0x8E,0x64,0x96,0xFD,0xB1,0xFA,0x73,0xC7,0x56,0x54,0x8B,0x0D, + 0x27,0xD2,0x66,0x9E,0xA5,0xCB,0xCE,0xD0,0xA4,0x9C,0x03,0xDD,0x9D,0x1F,0xED,0x5E, + 0x7A,0x73,0x5D, +}; + +/* expired: + Not After : Oct 20 03:20:57 2015 GMT + */ +static const UInt8 cert1_expired[] = { + 0x30,0x82,0x05,0xd6,0x30,0x82,0x04,0xbe,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1a, + 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x10,0xd5,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x58, + 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30, + 0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e, + 0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49, + 0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65, + 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49, + 
0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x30, + 0x32,0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x17,0x0d,0x31,0x35,0x31,0x30,0x32, + 0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x30,0x82,0x01,0x05,0x31,0x1b,0x30,0x19, + 0x06,0x03,0x55,0x04,0x0f,0x13,0x12,0x56,0x31,0x2e,0x30,0x2c,0x20,0x43,0x6c,0x61, + 0x75,0x73,0x65,0x20,0x35,0x2e,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55, + 0x04,0x05,0x13,0x0f,0x34,0x34,0x30,0x33,0x30,0x31,0x35,0x30,0x33,0x34,0x32,0x36, + 0x35,0x34,0x36,0x31,0x13,0x30,0x11,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,0x37, + 0x3c,0x02,0x01,0x03,0x13,0x02,0x43,0x4e,0x31,0x1a,0x30,0x18,0x06,0x0b,0x2b,0x06, + 0x01,0x04,0x01,0x82,0x37,0x3c,0x02,0x01,0x02,0x13,0x09,0x67,0x75,0x61,0x6e,0x67, + 0x64,0x6f,0x6e,0x67,0x31,0x19,0x30,0x17,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82, + 0x37,0x3c,0x02,0x01,0x01,0x13,0x08,0x73,0x68,0x65,0x6e,0x7a,0x68,0x65,0x6e,0x31, + 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b, + 0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x5e,0x7f,0x4e,0x1c,0x31,0x0d,0x30,0x0b,0x06, + 0x03,0x55,0x04,0x07,0x1e,0x04,0x6d,0xf1,0x57,0x33,0x31,0x21,0x30,0x1f,0x06,0x03, + 0x55,0x04,0x0a,0x1e,0x18,0x80,0x54,0x54,0x08,0x51,0x49,0x4f,0x0f,0x00,0x28,0x6d, + 0xf1,0x57,0x33,0x00,0x29,0x67,0x09,0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x16,0x30, + 0x14,0x06,0x03,0x55,0x04,0x0b,0x13,0x0d,0x49,0x54,0x20,0x44,0x65,0x70,0x61,0x72, + 0x74,0x6d,0x65,0x6e,0x74,0x31,0x1a,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11, + 0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f, + 0x6d,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01, + 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01, + 0x01,0x00,0xc0,0x5c,0x75,0x0e,0x29,0x93,0xf9,0xc2,0x0f,0x9e,0x24,0xeb,0x6d,0xb8, + 0xb5,0x09,0x79,0xfe,0xbb,0xa0,0x78,0x20,0xbf,0xeb,0xc3,0x3d,0x00,0xb2,0x75,0x20, + 0xa1,0x26,0x40,0x9e,0x0e,0x38,0x3c,0x38,0x89,0x5a,0x4f,0x46,0x5d,0xaf,0x0f,0x49, + 
0x58,0xf5,0x9f,0x34,0x0f,0x1d,0x57,0xd0,0xa7,0x89,0x88,0x58,0xe6,0x00,0xca,0xde, + 0x0e,0x61,0xc6,0x3f,0xf4,0x08,0x9e,0x4e,0xf9,0x8e,0xdc,0xc6,0x1f,0xab,0x56,0x38, + 0xf7,0x8f,0xd4,0xb7,0x0c,0x77,0xf9,0xdf,0x02,0x26,0xc3,0xf3,0x2a,0x7e,0x7b,0x02, + 0x89,0x75,0x50,0xf6,0x4b,0x98,0xe7,0x02,0xdc,0xe0,0xb2,0x57,0xa6,0x50,0xa3,0x27, + 0x48,0xaf,0x26,0x6e,0xf5,0x47,0x04,0x9b,0x26,0x1f,0x10,0x84,0x26,0xbe,0x4e,0xa7, + 0xd5,0x7d,0xad,0xe0,0x0f,0x78,0xfa,0x5e,0xcd,0xf1,0xce,0x6f,0x06,0x39,0x4b,0xa1, + 0xd7,0xce,0x01,0xfb,0x58,0x8c,0x47,0x24,0xfd,0x9f,0x6e,0xb0,0x5b,0x51,0x62,0x6f, + 0x9c,0xd5,0xaf,0xaf,0xc1,0x6d,0xcc,0x22,0x3e,0x04,0xcc,0xe8,0x41,0x98,0xc0,0xc7, + 0xb0,0xf5,0x59,0x0e,0x26,0xed,0x1f,0x7b,0x0a,0xce,0xb6,0xa5,0xfe,0xa6,0xc7,0xba, + 0x1b,0x6b,0x11,0xc6,0x15,0x10,0x5b,0x8b,0x34,0x14,0xd9,0x3c,0x4d,0xc6,0x6c,0x89, + 0x01,0xf3,0xd1,0x5a,0xf3,0x2b,0x9b,0x28,0x16,0xbe,0x6d,0x43,0x66,0xf8,0x56,0x15, + 0x3b,0xaf,0x79,0xda,0x46,0x22,0xd4,0x2b,0xd3,0x9d,0x99,0x53,0x2f,0xa0,0x39,0x59, + 0x4e,0x22,0x54,0x1e,0x47,0xf5,0xa9,0xa9,0x4e,0xf5,0x1d,0x9d,0x98,0x45,0xc6,0x85, + 0xae,0x01,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xeb,0x30,0x82,0x01,0xe7,0x30, + 0x09,0x06,0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2b,0x06, + 0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2b,0x06, + 0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f, + 0x63,0x73,0x70,0x65,0x76,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x3c, + 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70, + 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, + 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,0x74,0x2f,0x43,0x4e, + 0x4e,0x49,0x43,0x45,0x56,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x1c,0x06,0x03, + 0x55,0x1d,0x11,0x04,0x15,0x30,0x13,0x82,0x11,0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e, + 0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d, + 
0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16, + 0x04,0x14,0xd7,0x06,0xeb,0x3b,0x83,0x70,0x55,0x58,0x9a,0x40,0x03,0xd5,0x7e,0x8e, + 0xcb,0x49,0x23,0x10,0x67,0xc4,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,0x0c,0x30, + 0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1f,0x06,0x03,0x55, + 0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b, + 0xd2,0x72,0xfd,0x1c,0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x3f,0x06,0x03, + 0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01, + 0x81,0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05, + 0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e, + 0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xa6, + 0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x9e,0x30,0x81,0x9b,0x30,0x66,0xa0,0x64,0xa0, + 0x62,0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69, + 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77, + 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20, + 0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c, + 0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63, + 0x72,0x6c,0x31,0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a, + 0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64, + 0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x63,0x72,0x6c,0x2f,0x63,0x72, + 0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d, + 0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x6e,0x84,0xe5,0x57,0x7e,0x96, + 0xaf,0x39,0xbf,0xa0,0x2a,0xf2,0xd1,0x10,0x57,0x8e,0x3d,0x68,0x4d,0x61,0x35,0x97, + 0xbb,0xed,0x7f,0x5e,0x4f,0x17,0x58,0x2f,0x4b,0x94,0x4f,0xda,0xd8,0x9c,0x78,0x52, + 
0x2e,0xec,0xcd,0x86,0x87,0xa1,0x64,0xdc,0x41,0x0e,0x44,0x23,0xdb,0x7d,0xc8,0x86, + 0xef,0x07,0x29,0xaa,0x78,0x1b,0x95,0x84,0xb8,0xf9,0x60,0x95,0x89,0x3f,0x58,0x3d, + 0x42,0x74,0x4b,0x82,0x0d,0x65,0x16,0x1a,0x70,0xaa,0x2d,0xb2,0xab,0x79,0x27,0x2e, + 0x7e,0x6f,0x44,0xfb,0xdf,0xf5,0xff,0x3e,0xc3,0x67,0xa5,0xe1,0x6b,0xe3,0xf7,0xcc, + 0x11,0x9f,0x2a,0xe8,0x87,0x46,0x3d,0x5c,0xbf,0x5f,0xca,0x9b,0x09,0xbe,0x0a,0x83, + 0xb0,0x98,0x03,0x3a,0x67,0xb1,0xe9,0xa4,0x04,0x96,0x2b,0x24,0xe1,0xcd,0xc1,0x26, + 0x88,0x76,0x10,0x41,0x85,0xf0,0x07,0xb0,0x4b,0x6b,0xd2,0x25,0x0f,0x12,0x52,0xea, + 0x3b,0xac,0xc3,0xfa,0x56,0x5f,0xfb,0x3b,0x4b,0x86,0xf6,0x67,0x45,0x51,0xb4,0xb4, + 0x94,0x98,0xa6,0xac,0x46,0x8b,0x42,0x94,0xff,0x9e,0x71,0x09,0x7c,0x87,0xb0,0x36, + 0x70,0x8a,0x5e,0x88,0x33,0x79,0x85,0x78,0x30,0x56,0x4a,0x6a,0xfc,0x5b,0x34,0xe9, + 0xb7,0x57,0xde,0xdc,0x0a,0x3c,0x1e,0x71,0xfc,0x23,0xc6,0x5a,0xd3,0x1a,0x50,0x06, + 0xbe,0x9c,0x60,0xd5,0x36,0x44,0x65,0x59,0x89,0xe6,0xda,0x1b,0xc9,0x89,0x21,0xe0, + 0x59,0x7d,0x25,0x4f,0x76,0x87,0x4f,0x7e,0xb1,0x1a,0x43,0xff,0x00,0xbb,0xc7,0xc5, + 0x5e,0xcc,0xfd,0x4a,0x1b,0xc1,0x6e,0x75,0xd9,0xe6 +}; + +/* On allow list until: + Not After : Jun 6 02:00:32 2017 GMT + */ +static const UInt8 cert2[] = { + 0x30,0x82,0x04,0x2d,0x30,0x82,0x03,0x15,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1c, + 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x11,0x3c,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34, + 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30, + 0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30, + 0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51, + 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x30,0x36,0x30,0x39,0x30,0x33, + 0x33,0x36,0x33,0x37,0x5a,0x17,0x0d,0x31,0x37,0x30,0x36,0x30,0x36,0x30,0x32,0x30, + 0x30,0x33,0x32,0x5a,0x30,0x54,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 
0x02,0x43,0x4e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c,0x77,0x77, + 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x31,0x17,0x30,0x15,0x06,0x03, + 0x55,0x04,0x03,0x13,0x0e,0x6d,0x61,0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67, + 0x2e,0x63,0x6e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x77,0x77, + 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d, + 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01, + 0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xc7,0x2f,0x0e,0xba,0xf0, + 0xff,0x9e,0x56,0x3b,0x88,0x3b,0x94,0x0d,0xc6,0x81,0x22,0xe7,0xeb,0x1b,0x22,0x1d, + 0xb2,0x75,0x5b,0xae,0x41,0xea,0x55,0x6a,0x7c,0x95,0x85,0x3e,0x0e,0xd1,0x95,0xf4, + 0x71,0xdf,0x7c,0x5c,0x8e,0xcc,0x25,0xb9,0xae,0x15,0xc9,0xf2,0xd0,0x30,0xe8,0x7c, + 0x91,0x5d,0x24,0x09,0x93,0x23,0x3f,0x55,0x7b,0x09,0x17,0x82,0x37,0x0b,0xf8,0x1a, + 0x6e,0xaa,0x08,0x0d,0xa8,0x2d,0xb7,0x6d,0x38,0x24,0xc0,0x48,0x5d,0x29,0x7a,0xe9, + 0xac,0x4d,0x93,0xec,0xd0,0x6c,0x62,0x1e,0x17,0xe7,0x2d,0xd7,0x0b,0x64,0x8f,0x56, + 0xd3,0x82,0x37,0xad,0x2d,0x28,0xe8,0x7e,0x9d,0x83,0x7d,0x6d,0x06,0xa2,0x36,0x62, + 0x60,0x30,0xbe,0x31,0xf9,0x9e,0xe0,0xb7,0x5b,0x72,0x6e,0x16,0x36,0x75,0xdc,0x17, + 0x56,0xff,0x5f,0x27,0x57,0x34,0xdc,0x2a,0x98,0xcd,0x9d,0x3f,0x5c,0x48,0x79,0x0b, + 0xa5,0xcf,0x16,0x20,0xc5,0x57,0x5f,0xa6,0xd6,0x1d,0xd6,0x6a,0x17,0x89,0x2d,0xb8, + 0xde,0xc5,0x30,0xe4,0xf0,0x39,0xf6,0x87,0x87,0x54,0x5c,0xc0,0x34,0x0f,0x1c,0xfb, + 0xf0,0xe4,0xc5,0xde,0xe1,0xa7,0xcf,0x54,0x2a,0x02,0x20,0x94,0xf9,0xd1,0xf8,0xb6, + 0x97,0xe2,0x3a,0x30,0x43,0x24,0x45,0x2d,0x9a,0xd3,0xe0,0x6a,0x70,0x41,0x96,0xf0, + 0x4d,0x21,0x8d,0x61,0x2c,0x2c,0x56,0xda,0xec,0xc8,0xdc,0xbf,0xce,0x75,0x9d,0xd9, + 0x5a,0x2d,0x39,0xc7,0xef,0x29,0x32,0xd6,0x6c,0xf8,0xc7,0x88,0x84,0xfc,0x51,0x5b, + 0x11,0x44,0xde,0x87,0xd3,0x6f,0x05,0x0c,0x8e,0xc7,0x0f,0x02,0x03,0x01,0x00,0x01, + 0xa3,0x82,0x01,0x19,0x30,0x82,0x01,0x15,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04, + 
0x18,0x30,0x16,0x80,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,0xfc, + 0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x09,0x06,0x03,0x55,0x1d,0x13, + 0x04,0x02,0x30,0x00,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30, + 0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30, + 0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74, + 0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e, + 0x2f,0x63,0x70,0x73,0x2f,0x30,0x3c,0x06,0x03,0x55,0x1d,0x1f,0x04,0x35,0x30,0x33, + 0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63, + 0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e, + 0x6c,0x6f,0x61,0x64,0x2f,0x64,0x71,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,0x2e, + 0x63,0x72,0x6c,0x30,0x27,0x06,0x03,0x55,0x1d,0x11,0x04,0x20,0x30,0x1e,0x82,0x0c, + 0x77,0x77,0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x82,0x0e,0x6d,0x61, + 0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,0x2e,0x63,0x6e,0x30,0x0b,0x06,0x03, + 0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e, + 0x04,0x16,0x04,0x14,0x00,0x8b,0xf0,0x61,0xdf,0xf1,0x0b,0x53,0xd8,0x52,0x97,0xfe, + 0x23,0x9f,0x34,0x50,0x1d,0xac,0xec,0x90,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04, + 0x0c,0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x0d,0x06, + 0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01, + 0x00,0x86,0x62,0x31,0x67,0xba,0x3e,0x2b,0x1f,0xf7,0xdd,0xc0,0x9b,0xa2,0x27,0xb5, + 0x61,0x8c,0xd8,0x68,0xc1,0x58,0x47,0xb2,0x72,0xb9,0xfe,0x06,0x52,0x7d,0x92,0x35, + 0x9b,0xa9,0x08,0xa7,0x3a,0x37,0x70,0x9d,0xe1,0x47,0xbe,0x3d,0x15,0x20,0x35,0x9a, + 0x79,0x7c,0x16,0xe8,0x8e,0xa5,0x0f,0x42,0xd5,0x6b,0x5b,0x9e,0x55,0x2b,0xdd,0x35, + 0x3e,0x32,0x41,0xef,0x14,0xa0,0x15,0x70,0xf8,0x8c,0x3f,0x9e,0xc0,0xc2,0x32,0x4d, + 0x90,0x9a,0xd0,0x9b,0xc1,0x72,0x64,0x2f,0x2e,0x8c,0x44,0x80,0x5a,0x6f,0xb7,0x08, + 
0xa9,0x0e,0x76,0xa4,0x82,0xd6,0x2e,0x64,0xf6,0xe4,0x5e,0x1b,0xb4,0x09,0xbc,0x1d, + 0x80,0x46,0xd7,0x35,0x7f,0x58,0x70,0x09,0x10,0x7a,0x1e,0xe5,0x28,0xf5,0x5a,0x28, + 0x7e,0x54,0x52,0x88,0xe6,0x3f,0x4e,0x55,0xb3,0x15,0x67,0x4c,0xac,0x82,0xbb,0xf8, + 0x98,0xd0,0xd2,0x69,0x17,0x70,0x6a,0x09,0x52,0x91,0xc1,0xe7,0xbb,0xa7,0xe8,0x78, + 0xdb,0x57,0xa3,0x37,0x3f,0x3c,0x7f,0x80,0xc2,0x40,0x61,0xd2,0xe5,0x6f,0xe8,0x93, + 0xa2,0xb7,0x84,0x00,0x4e,0x4d,0xed,0xf3,0x87,0x14,0x35,0xd2,0xdb,0xf6,0x6b,0xc0, + 0x2a,0xb2,0x9c,0xc3,0x48,0xba,0xd0,0xb9,0x55,0xf2,0x1a,0x17,0xa0,0x0d,0x45,0x2c, + 0x28,0x0a,0xba,0x60,0x4a,0xb8,0x73,0xd6,0xb0,0x83,0x6e,0x92,0x87,0x1f,0x39,0x91, + 0xa5,0x4f,0xef,0xcb,0xf7,0xee,0x28,0x39,0x5e,0x21,0xf0,0xc1,0x91,0x23,0x24,0x78, + 0xbc,0x01,0xb6,0xf1,0x4d,0x58,0x63,0xa6,0x89,0xf4,0x8b,0xa9,0xc9,0xad,0xfa,0xe1, + 0x9b +}; + +static const UInt8 intermediate0[] = { + 0x30,0x82,0x04,0x99,0x30,0x82,0x03,0x81,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49, + 0x33,0x00,0x7c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b, + 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49, + 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49, + 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x32,0x31,0x38, + 0x31,0x32,0x33,0x32,0x31,0x38,0x5a,0x17,0x0d,0x32,0x34,0x31,0x32,0x31,0x38,0x31, + 0x32,0x33,0x32,0x31,0x38,0x5a,0x30,0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10, + 0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c, + 0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43, + 0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 
0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xf0,0xa3,0x8d,0x71, + 0x34,0xfe,0x11,0x3c,0xc7,0x98,0x61,0x0b,0xc5,0xaa,0x7b,0x13,0xd9,0x40,0x7f,0x9b, + 0x59,0xd0,0x4a,0xc0,0x93,0x45,0x5e,0x48,0xf1,0xfe,0xb1,0x8f,0xb9,0x4c,0xdf,0x53, + 0x50,0x15,0x19,0xf9,0xea,0xe7,0x22,0x8d,0xa8,0xdb,0x09,0x45,0xa6,0x86,0xc6,0xf8, + 0xd5,0xdc,0x55,0xb4,0x8f,0xeb,0x56,0x3d,0x1f,0x36,0xc7,0x95,0x55,0xf4,0x4e,0x11, + 0xc7,0x08,0x6f,0xe8,0xf9,0x7f,0x9e,0x85,0x9a,0x65,0x10,0x9b,0x87,0x86,0xb4,0x42, + 0x92,0xaf,0x3f,0x5b,0xd9,0x8b,0x2f,0x68,0xc2,0x08,0x58,0xf6,0xe4,0x5f,0x3b,0x79, + 0x8b,0x9e,0xde,0xb1,0x48,0x1f,0x59,0x40,0xb9,0xea,0x24,0x07,0x66,0x97,0xf6,0x2f, + 0x52,0xec,0x0c,0xc8,0x4e,0x65,0x5a,0x60,0x6f,0xe5,0x8f,0x9d,0xfd,0x6a,0xde,0x89, + 0xe4,0x7a,0x4b,0xb6,0x1e,0x82,0x8d,0x9c,0xdd,0x8d,0x73,0x33,0x92,0xd3,0x46,0x8e, + 0x9e,0x58,0x01,0xf3,0x2e,0x83,0xe0,0xd2,0x4a,0x13,0x94,0x2c,0xd0,0x8a,0x12,0xd0, + 0x29,0x34,0xed,0x6b,0xea,0xc6,0xc9,0x14,0x7a,0x75,0x92,0x8e,0x42,0x7e,0xd2,0x76, + 0x88,0xdb,0xad,0x9b,0x20,0xe2,0x30,0x94,0x97,0xa3,0xa3,0xae,0x52,0x4c,0x2d,0xa3, + 0x77,0x79,0x74,0xf7,0x87,0x8c,0x86,0x8f,0xb3,0x63,0x51,0x3e,0xf6,0xc0,0x6e,0x25, + 0x9b,0x0d,0xc1,0x99,0x4f,0xf2,0x5c,0x9d,0xf5,0x21,0x04,0x42,0xde,0x74,0x59,0xe4, + 0x39,0x80,0x82,0x50,0x21,0xde,0x49,0xe3,0x14,0x83,0xa7,0xc8,0xce,0x6d,0xfa,0x49, + 0x5b,0x5e,0x3f,0x55,0x65,0xc1,0x5d,0x57,0x41,0x00,0x7d,0x43,0x02,0x03,0x01,0x00, + 0x01,0xa3,0x82,0x01,0xa4,0x30,0x82,0x01,0xa0,0x30,0x76,0x06,0x08,0x2b,0x06,0x01, + 0x05,0x05,0x07,0x01,0x01,0x04,0x6a,0x30,0x68,0x30,0x29,0x06,0x08,0x2b,0x06,0x01, + 0x05,0x05,0x07,0x30,0x01,0x86,0x1d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63, + 0x73,0x70,0x63,0x6e,0x6e,0x69,0x63,0x72,0x6f,0x6f,0x74,0x2e,0x63,0x6e,0x6e,0x69, + 0x63,0x2e,0x63,0x6e,0x30,0x3b,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02, + 0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e, + 0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63, + 
0x65,0x72,0x74,0x2f,0x43,0x4e,0x4e,0x49,0x43,0x52,0x4f,0x4f,0x54,0x2e,0x63,0x65, + 0x72,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x65,0xf2, + 0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5, + 0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03, + 0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34, + 0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,0x24, + 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70, + 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, + 0x63,0x70,0x73,0x2f,0x30,0x81,0x86,0x06,0x03,0x55,0x1d,0x1f,0x04,0x7f,0x30,0x7d, + 0x30,0x42,0xa0,0x40,0xa0,0x3e,0xa4,0x3c,0x30,0x3a,0x31,0x0b,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a, + 0x0c,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b, + 0x0c,0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04, + 0x63,0x72,0x6c,0x31,0x30,0x37,0xa0,0x35,0xa0,0x33,0x86,0x31,0x68,0x74,0x74,0x70, + 0x3a,0x2f,0x2f,0x63,0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, + 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x73,0x68,0x61, + 0x32,0x63,0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0b,0x06, + 0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d, + 0x0e,0x04,0x16,0x04,0x14,0xb7,0xd1,0x59,0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00, + 0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,0x3c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48, + 0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x4f,0xc7,0x80, + 0x5e,0x29,0x70,0x8c,0xd6,0x59,0xae,0x59,0x4f,0xd1,0xd8,0x41,0xa8,0xa7,0xa8,0x58, + 0xa6,0x06,0x25,0xd2,0xf8,0x3c,0x13,0x52,0xec,0x51,0x54,0x38,0xb6,0x60,0xd0,0x95, + 0xaf,0x30,0xbf,0x78,0xa3,0x19,0xfd,0x6b,0x54,0x98,0x49,0xc4,0x81,0x84,0xaa,0x51, + 
0x54,0xd3,0x95,0x9d,0x92,0x66,0x02,0x6e,0x55,0x4b,0xf1,0xe0,0x4e,0x02,0x05,0xb5, + 0x67,0x3b,0x31,0x4d,0xb3,0xb3,0xb7,0xa2,0x13,0xff,0x28,0x10,0xbc,0xa4,0x9b,0x71, + 0x4c,0x36,0x9c,0x60,0xac,0x65,0x7c,0x66,0x8a,0xb6,0x1c,0x7f,0xa1,0xad,0xe8,0x6e, + 0xce,0x0b,0xee,0x85,0xe6,0x01,0xe5,0xab,0x7f,0x11,0x1f,0x33,0xd9,0x1d,0xa1,0x0c, + 0xf2,0x3a,0x7e,0xdb,0xf5,0x63,0xe2,0x77,0xdb,0x01,0x1a,0x60,0xe8,0xfb,0x42,0xd4, + 0xf3,0xdf,0x8d,0xec,0x4f,0x4f,0xc8,0xa7,0x24,0xf7,0xb5,0xb7,0x58,0xae,0xad,0x0c, + 0x9b,0x7a,0x39,0x81,0xd9,0xd0,0x8a,0x18,0x28,0x8a,0xf2,0x91,0x88,0x11,0x3d,0xb1, + 0x42,0x5d,0x0e,0x31,0xfe,0x00,0x99,0xfe,0x87,0x3f,0x8e,0xbd,0xef,0x83,0x72,0xd7, + 0x49,0x22,0xfd,0x82,0xe2,0xfc,0xe8,0xe8,0xf7,0x4b,0xff,0xa5,0x62,0xec,0xd3,0x87, + 0x51,0x6f,0x35,0xbc,0x51,0x54,0x6c,0x36,0xfe,0x88,0xcb,0xaf,0xb1,0x0e,0x7b,0x76, + 0x9c,0x16,0x11,0xda,0x7f,0xd1,0xf4,0x85,0xce,0xb8,0x87,0x45,0x0c,0x43,0xe4,0xb3, + 0x6f,0xbc,0x95,0xce,0x59,0x57,0xf3,0xb4,0xec,0xa8,0xc2,0x1f,0x98,0x77,0x93,0x7d, + 0xad,0x92,0x4e,0xba,0xab,0x5d,0x45,0x93,0x7c,0xf0,0x17,0xcd,0xc7 +}; + +static const UInt8 intermediate1[] = { + 0x30,0x82,0x04,0xf8,0x30,0x82,0x03,0xe0,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x0b, + 0x24,0x01,0xb7,0x39,0x86,0x38,0x3c,0x29,0xc2,0xf8,0x19,0x4d,0x23,0x10,0x7b,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x81, + 0x8a,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32, + 0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49, + 0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20, + 0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74, + 0x65,0x72,0x31,0x47,0x30,0x45,0x06,0x03,0x55,0x04,0x03,0x0c,0x3e,0x43,0x68,0x69, + 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77, + 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20, + 
0x43,0x65,0x6e,0x74,0x65,0x72,0x20,0x45,0x56,0x20,0x43,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x65,0x73,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,0x0d,0x31, + 0x30,0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x17,0x0d,0x32,0x30, + 0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x30,0x58,0x31,0x0b,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03, + 0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72, + 0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f, + 0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x15, + 0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x45, + 0x56,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48, + 0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01, + 0x0a,0x02,0x82,0x01,0x01,0x00,0xc9,0x8b,0x5d,0x84,0x90,0x33,0x98,0x83,0xdd,0xa1, + 0x9a,0x76,0x4f,0xd2,0xff,0xf4,0xbc,0x5d,0x7f,0xd5,0x0c,0xdc,0xd1,0x58,0xe8,0x3a, + 0xd7,0xab,0xa9,0x24,0x05,0x78,0x28,0x3d,0x64,0x03,0x7d,0x7f,0xee,0x16,0x3e,0x51, + 0xc7,0x69,0xb4,0x06,0xe8,0xa5,0x3b,0x7a,0xf0,0xac,0xcd,0x9e,0xb4,0x00,0xbf,0x25, + 0xe5,0xd9,0x95,0x45,0x31,0x20,0x59,0xed,0xf0,0xbc,0x86,0x02,0x9a,0xa6,0x52,0x73, + 0xaf,0x02,0x09,0x22,0xf1,0x04,0x97,0xe3,0x15,0x8c,0x7e,0xa5,0xc7,0x37,0xbd,0x42, + 0x4f,0x27,0x85,0x9d,0xb9,0x24,0x29,0xcb,0x4c,0xd4,0xd2,0xed,0x79,0x3b,0x39,0xa1, + 0x08,0x26,0xba,0x14,0xb3,0x49,0x0f,0x8e,0xd7,0x9d,0x5f,0xde,0x72,0xf0,0x53,0xee, + 0x8a,0x4e,0x6c,0x06,0x6f,0xea,0x9f,0x25,0x4a,0x23,0x80,0x7e,0x2e,0xb2,0x81,0x9d, + 0x3b,0x4e,0xdf,0x73,0xbe,0x1b,0x89,0x10,0x89,0xf7,0xac,0xa0,0x2f,0xfb,0x71,0xc4, + 0xe2,0xe9,0xd0,0x79,0xb7,0x54,0x9d,0xf6,0xcc,0x3a,0x6c,0x88,0x25,0xf4,0x0e,0xf4, + 0x49,0xa1,0x23,0xd2,0xe2,0x71,0xb8,0x1c,0x44,0x46,0xb4,0x70,0x5d,0x5d,0xab,0x7f, + 0x0e,0x27,0x8d,0x4b,0xf4,0xe1,0x52,0x88,0x58,0xf9,0xec,0x1e,0xbb,0x56,0x1f,0x37, + 
0x1a,0xce,0x74,0xf3,0x6d,0x63,0xbc,0x18,0xa8,0x95,0x30,0x8b,0x16,0xe2,0x9f,0x0a, + 0x89,0xe0,0x36,0xba,0x0f,0x90,0x5e,0x67,0x6c,0x04,0x77,0xfa,0xd1,0x6e,0xdb,0x1c, + 0x3c,0x1f,0x9f,0x83,0xb5,0x4b,0xc8,0x4e,0x90,0xf8,0x02,0x26,0x2e,0xce,0x7c,0xe6, + 0x3e,0xe8,0x0e,0xf0,0x77,0xf1,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0x89,0x30, + 0x82,0x01,0x85,0x30,0x34,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04, + 0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86, + 0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x72,0x6f,0x6f,0x74, + 0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23, + 0x04,0x18,0x30,0x16,0x80,0x14,0x7c,0x72,0x4b,0x39,0xc7,0xc0,0xdb,0x62,0xa5,0x4f, + 0x9b,0xaa,0x18,0x34,0x92,0xa2,0xca,0x83,0x82,0x59,0x30,0x0f,0x06,0x03,0x55,0x1d, + 0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55, + 0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81, + 0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07, + 0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63, + 0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xaa,0x06, + 0x03,0x55,0x1d,0x1f,0x04,0x81,0xa2,0x30,0x81,0x9f,0x30,0x66,0xa0,0x64,0xa0,0x62, + 0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e, + 0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f, + 0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43, + 0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03, + 0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72, + 0x6c,0x31,0x30,0x35,0xa0,0x33,0xa0,0x31,0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f, + 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f, + 
0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x72,0x6f,0x6f,0x74,0x63,0x72,0x6c, + 0x2f,0x63,0x72,0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f, + 0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e, + 0x04,0x16,0x04,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,0xd2,0x72,0xfd,0x1c, + 0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86, + 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0xf9,0xad,0x13, + 0x7b,0x62,0x9b,0x8b,0xa5,0xfd,0x52,0x5d,0xd1,0x13,0xca,0x28,0x92,0xdc,0xc3,0x84, + 0x3d,0xf1,0xc5,0x9b,0x2a,0xc3,0x15,0xfc,0x1d,0x4f,0x30,0x54,0x77,0x9a,0x5a,0x5a, + 0x1b,0x07,0xbb,0xf7,0x7e,0xea,0x47,0x01,0xc7,0x6d,0x30,0xe0,0x2e,0xcc,0x44,0xea, + 0x6c,0xa5,0xcd,0x42,0x86,0x38,0xf5,0x88,0x9c,0xff,0x74,0xc1,0x3d,0x70,0xfa,0x9a, + 0x54,0xbd,0x37,0xb0,0x38,0x9f,0xb6,0xe4,0x51,0xec,0x24,0xa0,0xa4,0xbe,0x9f,0x6e, + 0xad,0x3b,0x0f,0x30,0xa0,0xd2,0x37,0x67,0x9b,0xc2,0x6f,0xd5,0xfd,0x9a,0xfd,0xc6, + 0x56,0x08,0x64,0x84,0x74,0x12,0xfe,0xa8,0xe3,0x26,0x4a,0x08,0x2f,0xdb,0x32,0x9a, + 0xae,0xaf,0x01,0x75,0xf0,0x7b,0x28,0xb6,0xb2,0x4a,0xf0,0xd8,0xfd,0xb4,0x11,0xf5, + 0x26,0x31,0x49,0xd1,0x82,0x91,0x04,0x3b,0x4b,0x79,0x3c,0x57,0x2e,0x38,0x9f,0x9a, + 0xfd,0xdf,0x53,0xd9,0xbd,0x48,0x96,0xfb,0xbb,0x21,0x64,0xdd,0xec,0x68,0xc3,0x77, + 0x7d,0x41,0xcf,0x7c,0x2f,0xa8,0x87,0xf0,0x8f,0xf0,0x0c,0xdd,0x3f,0x88,0x5c,0x23, + 0x49,0x26,0x1b,0x60,0xff,0xbc,0x9e,0xb8,0xc0,0xf6,0xe0,0x21,0xf1,0x44,0x44,0x21, + 0x81,0x06,0x9b,0x39,0xf0,0xaf,0xf0,0x5c,0x44,0x44,0xc7,0x51,0xf2,0x1d,0xf3,0x06, + 0x1a,0x14,0x04,0xd1,0xa4,0xed,0x92,0x39,0x21,0x77,0xe9,0x77,0x1f,0xd6,0x80,0x5e, + 0x42,0xb4,0xd5,0x44,0xd1,0xd2,0xd6,0x84,0xca,0xa5,0xb8,0xee,0x48,0x4f,0x93,0x2d, + 0xca,0x82,0x46,0xff,0x77,0x5b,0x18,0x79,0x88,0x14,0x4c,0x0d +}; + +static const UInt8 intermediate2[] = { + 0x30,0x82,0x03,0xca,0x30,0x82,0x02,0xb2,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49, + 
0x33,0x00,0x65,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05, + 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49, + 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49, + 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x30,0x31,0x32,0x31,0x35, + 0x30,0x35,0x30,0x37,0x30,0x30,0x5a,0x17,0x0d,0x32,0x30,0x31,0x32,0x31,0x35,0x30, + 0x35,0x30,0x37,0x30,0x30,0x5a,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05, + 0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c, + 0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22, + 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03, + 0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa8,0x7f,0xa9, + 0x2d,0x47,0xc3,0xdb,0xdb,0x10,0x79,0xa0,0xae,0xd5,0x80,0xfa,0x5b,0xbe,0x64,0x5f, + 0x26,0xb9,0x5a,0x84,0x0d,0x1b,0x56,0x14,0x49,0xe1,0xda,0xfb,0x83,0x07,0xaf,0x80, + 0x2d,0x93,0xbf,0x44,0xd9,0x85,0x1f,0x18,0xb0,0xe1,0xb9,0x06,0x34,0x24,0xd1,0xf9, + 0x9f,0x34,0xe0,0x26,0x3e,0xce,0x57,0xca,0x30,0x3b,0xae,0x44,0x55,0x47,0x7f,0x2e, + 0xe5,0xe8,0x51,0x55,0x90,0x95,0x23,0xde,0xd3,0xb4,0x88,0xf8,0x33,0x1e,0x5e,0xe6, + 0x2b,0xae,0x9b,0x94,0x2c,0xec,0xd9,0xc9,0x47,0x67,0x14,0x54,0x6a,0x33,0x6f,0xe1, + 0x0c,0x7f,0x0f,0xa0,0x7e,0xb5,0xc3,0x0f,0x63,0x4f,0xdf,0x38,0x9d,0x73,0xea,0x9f, + 0xaa,0x34,0x30,0xbf,0xba,0x83,0x56,0x65,0x26,0x90,0x01,0xf6,0xfc,0x93,0xc6,0x2b, + 0xcc,0xf2,0x90,0x7d,0x2a,0x31,0xe1,0xcd,0x0f,0x23,0xd1,0x78,0x2b,0x49,0xc5,0x21, + 0x77,0xc9,0x8b,0x02,0x70,0xf1,0xc2,0xa3,0xdf,0xca,0xb7,0x73,0x06,0x76,0xfd,0xcb, + 0xc0,0xc9,0x23,0x21,0x17,0x34,0x1c,0x80,0xa9,0xc6,0x92,0x95,0xd0,0xc6,0xeb,0x83, + 0x56,0xb0,0x98,0x90,0x50,0xf4,0xcf,0x9b,0x3b,0x2d,0x3e,0xcf,0x94,0x27,0x69,0x9f, + 
0xdc,0x66,0xfb,0x05,0x0c,0xe3,0x99,0x1e,0x06,0x86,0xd9,0xe6,0xf5,0x6c,0xfe,0x98, + 0x5d,0x61,0xb1,0x89,0x01,0xc4,0x7f,0x48,0x68,0x62,0x06,0x26,0x95,0x40,0xcd,0x93, + 0x46,0xf8,0xb0,0x8d,0x28,0x3a,0xc7,0x0e,0x46,0x42,0x9f,0x32,0xc3,0xc6,0x78,0xc7, + 0x10,0xd5,0x37,0xff,0x17,0x4c,0x24,0x60,0xc6,0xd5,0x18,0x9a,0x7d,0x02,0x03,0x01, + 0x00,0x01,0xa3,0x81,0xe5,0x30,0x81,0xe2,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04, + 0x18,0x30,0x16,0x80,0x14,0x65,0xf2,0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a, + 0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13, + 0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d, + 0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9, + 0x0c,0x01,0x06,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02, + 0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e, + 0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x3e,0x06,0x03,0x55, + 0x1d,0x1f,0x04,0x37,0x30,0x35,0x30,0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74, + 0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63, + 0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x63, + 0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55, + 0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55, + 0x1d,0x0e,0x04,0x16,0x04,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18, + 0xfc,0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x0d,0x06,0x09,0x2a,0x86, + 0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xb6,0x37, + 0x1c,0xdb,0x09,0x29,0xbd,0x24,0x76,0x1b,0x7f,0x6b,0x36,0x25,0xd2,0x43,0xf2,0x09, + 0x22,0x63,0x3f,0x8e,0xd6,0x15,0xf9,0x9c,0x36,0xc9,0xb1,0x1c,0x10,0x61,0x39,0x24, + 0x96,0x76,0xa4,0xa3,0x70,0xa4,0xe5,0x52,0xc1,0xba,0xb9,0xbb,0x72,0x1a,0xdc,0x76, + 0x05,0x86,0x45,0x03,0x0a,0xb8,0x95,0xd5,0xb2,0x63,0xb4,0x7b,0x9a,0x00,0xd5,0x31, + 
0x76,0x50,0x25,0xc0,0x98,0x17,0xc9,0xfa,0x57,0x36,0x50,0x1f,0x66,0x2b,0xb1,0xd1, + 0xe6,0xcf,0x14,0x56,0xf2,0xb9,0x9f,0xa9,0x6f,0x2d,0x15,0xb7,0x66,0x46,0x9e,0x85, + 0x7c,0x68,0xbd,0xf3,0x5f,0x9f,0xbf,0xbe,0xf8,0xf9,0x7f,0x7b,0x1b,0xca,0x51,0xc2, + 0xae,0x43,0x20,0x83,0x90,0xab,0xb5,0x70,0x73,0x42,0xa9,0xc1,0xd5,0x4f,0x89,0xcf, + 0x72,0xba,0x86,0x5c,0xd8,0x8c,0xaf,0x85,0xf1,0x3d,0x52,0x23,0xac,0x68,0x05,0x73, + 0xca,0x36,0x7c,0x12,0x86,0xae,0xdc,0xda,0x91,0x40,0x1f,0xe0,0x6b,0x26,0x43,0x64, + 0xe9,0x5f,0x71,0xbf,0x22,0x6c,0x6e,0xd1,0x32,0x0c,0x7c,0x07,0x36,0x3a,0x09,0xef, + 0xe7,0xa7,0x9b,0x73,0x19,0xe3,0x6a,0xd2,0x41,0x43,0x23,0xef,0x63,0x30,0xa0,0x34, + 0x12,0x2c,0xe5,0x23,0x5f,0x46,0x87,0xcc,0xf1,0x2f,0x0b,0xd1,0x72,0x58,0xc5,0x36, + 0xcb,0x4e,0x00,0x5f,0x15,0x80,0x0a,0x05,0xb5,0x34,0x34,0x9c,0x19,0x20,0xc1,0x5b, + 0x80,0x98,0x96,0x42,0x01,0x54,0x6c,0x65,0x4e,0xc5,0x2b,0x04,0x55,0x63,0x71,0x5e, + 0x99,0x79,0xc5,0xfb,0x03,0xbf,0x27,0x56,0xa6,0xdf,0x3a,0x4c,0xea,0x63 +}; + +#endif /* cnnic_certs_h */ diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/date_testing_certs.h b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/date_testing_certs.h new file mode 100644 index 00000000..415bc06e --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/date_testing_certs.h 
@@ -0,0 +1,378 @@ +/* + * date_testing_certs.h + * Security + * + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + */ + +#ifndef date_testing_certs_h +#define date_testing_certs_h + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */ +/* SHA256: 51a0f31fc01dec8732b6fd136a434d6c87cd62e038b4fbd640b0fd624d1fcf6d */ +unsigned char _datetest_root[994]={ + 0x30,0x82,0x03,0xDE,0x30,0x82,0x02,0xC6,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xAB,0x16,0xC1,0x56,0x85,0x86,0xE5,0xC8,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65, + 0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14, + 0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65, + 0x72,0x69,0x6E,0x67,0x31,0x1E,0x30,0x1C,0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44, + 0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73, + 0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36,0x31,0x30,0x31,0x32,0x31,0x38, + 0x31,0x35,0x34,0x39,0x5A,0x17,0x0D,0x32,0x36,0x31,0x30,0x31,0x30,0x31,0x38,0x31, + 0x35,0x34,0x39,0x5A,0x30,0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43, + 0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55, + 0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30, + 
0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E, + 0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63, + 0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E, + 0x67,0x31,0x1E,0x30,0x1C,0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44,0x65,0x6E,0x79, + 0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x20,0x43, + 0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, + 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01, + 0x01,0x00,0xF0,0x5A,0x62,0x0B,0xEA,0xD6,0xD6,0x78,0x94,0xEE,0x71,0xB5,0xF8,0x42, + 0xBB,0xF2,0x2F,0xC6,0xFB,0x53,0x7E,0xE4,0xF5,0xC9,0x8F,0x94,0xBC,0x02,0xB9,0x12, + 0x8E,0x5D,0xB4,0x12,0xE3,0x73,0xBD,0xD8,0x1A,0x3F,0x2D,0xBC,0x39,0x31,0x42,0x02, + 0x74,0xE7,0x93,0xB4,0x2B,0x6F,0xA9,0x42,0x8A,0xD4,0x0E,0xC9,0x96,0x90,0xE5,0xF6, + 0xAD,0xD7,0x7E,0x58,0xBA,0x6B,0xBD,0xBF,0xFC,0x8F,0x1E,0xD4,0xBE,0xD1,0x11,0x4B, + 0x7D,0x8A,0xD0,0x36,0xAD,0x2A,0x9A,0x37,0x5B,0xDF,0xCB,0x66,0x85,0x85,0x4F,0xD6, + 0x6F,0xEB,0xB3,0xC8,0xF7,0x6C,0x42,0x2E,0xE9,0xD6,0x84,0xD7,0x0F,0xD5,0x97,0xFD, + 0x4F,0x31,0x33,0x1B,0x5B,0x23,0x56,0x1B,0x7C,0x1E,0x11,0x51,0xE8,0x14,0x22,0x50, + 0x15,0x3D,0x01,0x1F,0x02,0x36,0x44,0x64,0x70,0xB3,0x7A,0xF7,0xF6,0xDA,0x14,0x9E, + 0x39,0xC3,0xD1,0x9E,0xED,0x70,0x2C,0x4E,0xA5,0xA5,0x1C,0xB7,0xEE,0xEF,0x4E,0x90, + 0x5D,0xF9,0x34,0xBB,0xA7,0xDF,0xD4,0xC5,0xEB,0x84,0xC4,0x3B,0x3D,0xCA,0x9A,0x9C, + 0xAD,0xB1,0x24,0xD4,0xD1,0x82,0xCC,0x1A,0xC4,0xEF,0xAE,0xB1,0xF0,0x12,0x28,0x37, + 0x40,0x45,0x83,0xBF,0x39,0xC7,0x90,0xB6,0x23,0x63,0xAD,0xC8,0xB9,0xF4,0x80,0x4B, + 0x91,0x91,0x64,0xDD,0x05,0x5E,0x0A,0x36,0xAB,0x7A,0x32,0xBA,0x05,0xBC,0x62,0x93, + 0xDE,0x5D,0xBA,0x2B,0x91,0xF2,0xD6,0x49,0x61,0x08,0x98,0xA2,0xD2,0x6E,0xF2,0x2D, + 0x4D,0x90,0x65,0x51,0x9C,0xC0,0x79,0x33,0x08,0xE1,0x7F,0xC0,0x09,0xCF,0x4D,0xB3, + 0x25,0x1F,0x02,0x03,0x01,0x00,0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06,0x03,0x55, + 
0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30, + 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30, + 0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x4D,0xA5,0xDB,0xEF,0x4F,0xCD, + 0x74,0xE6,0x2A,0xB1,0xDC,0x5C,0xBE,0x12,0x04,0x94,0xEC,0x4A,0x66,0xD3,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01, + 0x01,0x00,0x06,0x5E,0xFD,0x98,0x73,0xA7,0x69,0xE2,0xAE,0x1C,0x06,0x00,0xD1,0x7C, + 0x59,0x70,0xB9,0x85,0xAF,0xB8,0xC0,0xAB,0x3B,0x60,0x64,0x0B,0x1B,0x81,0xA7,0x7D, + 0x5A,0xC4,0xDA,0x94,0x2B,0xBC,0xA7,0xDA,0x24,0x4E,0x83,0x21,0x12,0xFA,0x93,0x3E, + 0x67,0x38,0x37,0xBD,0x2B,0xEB,0x19,0xA4,0x08,0x73,0xB1,0x27,0x84,0x67,0x10,0x48, + 0x50,0x94,0x4C,0x55,0x0D,0x23,0x9F,0x0A,0xB2,0x18,0x6F,0xC1,0xE0,0x13,0xC2,0x2D, + 0x29,0x52,0xBA,0x4F,0x01,0x2C,0xD6,0x9E,0x73,0x5B,0x74,0x8A,0x0D,0x8C,0x1E,0x15, + 0x70,0x7E,0x9B,0xE0,0xCC,0xB2,0x6E,0xFE,0x44,0xD4,0xD0,0x76,0x41,0x95,0xFE,0x11, + 0xAA,0x4E,0x07,0xC6,0xBA,0x4B,0x46,0x02,0x0E,0xFC,0x4A,0xB9,0x15,0x2D,0x80,0xB5, + 0x33,0xE3,0x4E,0x41,0x46,0x05,0xEB,0x0A,0x15,0x43,0xC6,0x6A,0xC5,0x2B,0x53,0x49, + 0x49,0x61,0x57,0x0D,0x8D,0x42,0x63,0xB2,0xA6,0xC5,0xA5,0x23,0x3B,0xAC,0x50,0xDC, + 0x05,0x41,0x53,0x74,0xC5,0x67,0xA1,0x69,0xA6,0x66,0x4D,0x0F,0xF8,0x94,0x54,0x4B, + 0xA5,0x31,0x81,0xE8,0x3A,0x5C,0x02,0x84,0x56,0xFF,0xBE,0x13,0x15,0x95,0xC9,0xAF, + 0x17,0x77,0xD0,0x38,0x38,0x12,0xF9,0xA8,0x93,0x77,0x2F,0xCD,0x40,0x60,0xBC,0xCF, + 0x35,0x1C,0xE4,0xBD,0x5E,0x8D,0x96,0x19,0xB7,0x50,0x7E,0xED,0x44,0x1C,0x8C,0x08, + 0x6B,0xEE,0xEE,0xC9,0x8C,0xD6,0xDC,0x61,0x2C,0xD2,0x35,0x5E,0xB7,0x4C,0x58,0xFC, + 0x5D,0x62,0xEA,0xED,0x68,0xE8,0x1F,0xB1,0x0A,0x39,0x5C,0x29,0xBC,0x42,0x09,0xBA, + 0x4F,0x35, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing Intermediate CA 1 */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */ +/* 
Not Before: Oct 15 00:00:00 2016 GMT */ +/* X509v3 Subject Key Identifier: E7:C3:06:5B:22:E0:EC:DA:8C:80:00:D9:0C:AC:0B:78:D4:68:C5:B7 */ +unsigned char _datetest_before_int[1050]={ + 0x30,0x82,0x04,0x16,0x30,0x82,0x02,0xFE,0xA0,0x03,0x02,0x01,0x02,0x02,0x11,0x00, + 0x9A,0x17,0xF8,0x6F,0x33,0x3D,0xAB,0x4C,0xD3,0xFB,0x3A,0x6D,0xCF,0x05,0x94,0xEC, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, + 0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31, + 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F, + 0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43, + 0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30, + 0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79, + 0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x1E,0x30,0x1C, + 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20, + 0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D, + 0x31,0x36,0x31,0x30,0x31,0x35,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31, + 0x37,0x31,0x30,0x31,0x32,0x31,0x38,0x32,0x38,0x31,0x38,0x5A,0x30,0x81,0x9C,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69, + 0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65, + 0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03, + 0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E, + 0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06,0x03,0x55, + 
0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74, + 0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,0x72,0x6D, + 0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x82,0x01,0x22,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xF0,0xCB,0x1D,0x6C, + 0x7D,0xC1,0x90,0xB7,0xD9,0xB5,0x66,0x61,0x5E,0x34,0x76,0x14,0xFA,0xF8,0xB4,0xE1, + 0x6D,0x67,0xB0,0x9E,0xB9,0x93,0xB0,0xBE,0x15,0xA4,0xAB,0x76,0x23,0x0D,0x5C,0xC0, + 0x4D,0xB6,0x9F,0xCC,0x9B,0x3A,0x7E,0x50,0x13,0xE6,0x46,0x39,0xB1,0xE9,0x5F,0xB3, + 0xD7,0x86,0xA4,0x23,0xA5,0x27,0xDC,0x20,0x6A,0x64,0xD8,0x0A,0xCD,0x5F,0xEE,0x40, + 0x16,0xCE,0x4D,0xB9,0xCF,0xA2,0x62,0xC8,0x01,0x70,0x7F,0x8D,0x42,0x46,0xB1,0xF2, + 0x80,0x57,0xD5,0x82,0x53,0xEF,0xF2,0x16,0xA4,0xD5,0x07,0xE2,0xA7,0x7A,0x5E,0xD5, + 0x5A,0x4F,0x58,0x88,0xF7,0xEB,0x1B,0x58,0x91,0x6D,0x4E,0xD8,0xCC,0x9F,0xA6,0x98, + 0x05,0xE6,0xFB,0xC2,0x55,0xCA,0xD9,0x7E,0xC8,0xAA,0xC2,0x92,0xC1,0x73,0xBB,0xEC, + 0x89,0x51,0x1C,0x6B,0x0C,0xE5,0x7D,0xF8,0x54,0xBE,0xF7,0x67,0x8C,0xEE,0xE4,0xBB, + 0xFF,0xB9,0x15,0x4F,0xD7,0x1B,0x76,0xF7,0x37,0xEF,0xB0,0xA0,0x2A,0x22,0x4D,0x4B, + 0x2A,0xDE,0x3D,0x37,0x28,0x4A,0x79,0xF6,0xC7,0xE3,0x51,0xEC,0xC4,0x2F,0xDA,0xC1, + 0xBA,0x1A,0xFF,0xDD,0x43,0x2A,0x44,0xD4,0x94,0xDC,0xEE,0xDB,0xC3,0xF2,0xB4,0x76, + 0x01,0xF7,0x69,0x48,0x11,0x67,0xAC,0x3C,0x1C,0xE0,0xEF,0x88,0x77,0x70,0x66,0x39, + 0x17,0xAA,0xD8,0x2C,0x67,0xE3,0xC3,0x2B,0xCD,0xC4,0xB9,0xC8,0xCD,0xA9,0xA4,0xC1, + 0x24,0xDF,0x8E,0x4D,0xE0,0x03,0x1E,0x40,0xAB,0xDD,0x10,0xE7,0xB5,0x93,0x1F,0xF2, + 0xC9,0xCC,0x91,0x3A,0x8D,0x52,0xC9,0x3D,0x7D,0x4D,0xA0,0xBB,0x02,0x03,0x01,0x00, + 0x01,0xA3,0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, + 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF, + 0x04,0x04,0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 
0x14,0xE7,0xC3,0x06,0x5B,0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B, + 0x78,0xD4,0x68,0xC5,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0x4D,0xA5,0xDB,0xEF,0x4F,0xCD,0x74,0xE6,0x2A,0xB1,0xDC,0x5C,0xBE,0x12, + 0x04,0x94,0xEC,0x4A,0x66,0xD3,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x08,0xDC,0x9E,0xA4,0x60,0xDF, + 0x04,0x27,0xB5,0x01,0x63,0xDA,0xE3,0x6C,0x58,0x1D,0xB8,0xE8,0x17,0x06,0x4F,0x86, + 0xC8,0x97,0x65,0xF5,0x6D,0x39,0x51,0x0F,0xD4,0xF9,0xAD,0xCF,0x8C,0x08,0x7C,0xAC, + 0x26,0xD1,0x43,0xB2,0x79,0x7E,0x13,0xCD,0xF2,0x9D,0x30,0xC4,0x63,0xF2,0x5E,0x72, + 0x1A,0x0F,0x41,0x47,0x69,0x98,0x00,0xF0,0x4D,0x93,0x44,0x8A,0x26,0xDE,0x24,0xC0, + 0x66,0xA3,0xB0,0x20,0xAD,0x33,0xEB,0xF2,0x0A,0xDD,0x65,0xF4,0x9D,0x29,0x10,0x88, + 0x5B,0xFF,0x1C,0x76,0x71,0x42,0xE9,0x6F,0xBD,0xAE,0xA6,0xBB,0x4B,0xFF,0x30,0xA0, + 0x6E,0x47,0x85,0x12,0x6E,0x81,0xFC,0xB0,0x51,0x5F,0xB4,0xE9,0xCC,0x83,0x0E,0xC5, + 0xEC,0x41,0x6F,0x28,0x28,0xF0,0x51,0x4A,0x42,0x7C,0xCF,0xAE,0x8B,0xD8,0x09,0x44, + 0x32,0x27,0x07,0x57,0x86,0x1B,0xB6,0xF3,0xAF,0xCA,0x1C,0x2F,0xDD,0x1C,0x58,0x17, + 0xF4,0x13,0xA3,0x4F,0x72,0x60,0x71,0x39,0xEE,0x8E,0xF2,0x9D,0x40,0xCA,0x39,0x63, + 0xFD,0x1F,0x8C,0x2C,0xFD,0x62,0xA8,0x0E,0xC3,0x04,0x62,0x9D,0x79,0x11,0xD2,0x5C, + 0x09,0xE5,0x27,0x50,0x3A,0x62,0x93,0xC5,0xA5,0x60,0xFB,0xE5,0x7F,0xB6,0x46,0xD5, + 0xA8,0xF8,0x38,0x05,0x94,0xCD,0x47,0x5B,0xA0,0xA4,0x67,0xB8,0x81,0x99,0xA2,0x92, + 0xEB,0x13,0x37,0x56,0xD6,0xAC,0x80,0xA6,0x7F,0x1A,0xBB,0x14,0x68,0x72,0x04,0xBD, + 0xD7,0xEE,0x8F,0x48,0x56,0xC7,0xDF,0x86,0xBB,0x76,0xE4,0xE3,0xE3,0x46,0xF3,0x8B, + 0x51,0x22,0xD6,0xD2,0xB9,0xAA,0x15,0xA2,0xB4,0xAC, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing Intermediate CA 1 */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Test CA */ +/* Not Before: Dec 1 00:01:00 2016 GMT */ +/* 
X509v3 Subject Key Identifier: E7:C3:06:5B:22:E0:EC:DA:8C:80:00:D9:0C:AC:0B:78:D4:68:C5:B7 */ +unsigned char _datetest_after_int[1050]={ + 0x30,0x82,0x04,0x16,0x30,0x82,0x02,0xFE,0xA0,0x03,0x02,0x01,0x02,0x02,0x11,0x00, + 0x9A,0x17,0xF8,0x6F,0x33,0x3D,0xAB,0x4C,0xD3,0xFB,0x3A,0x6D,0xCF,0x05,0x94,0xEE, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, + 0x81,0x8A,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31, + 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F, + 0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43, + 0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30, + 0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79, + 0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x1E,0x30,0x1C, + 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20, + 0x44,0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D, + 0x31,0x36,0x31,0x32,0x30,0x31,0x30,0x30,0x30,0x31,0x30,0x30,0x5A,0x17,0x0D,0x31, + 0x37,0x31,0x30,0x31,0x32,0x32,0x30,0x33,0x34,0x34,0x38,0x5A,0x30,0x81,0x9C,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69, + 0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65, + 0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03, + 0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E, + 0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06,0x03,0x55, + 0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44,0x61,0x74, + 
0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,0x72,0x6D, + 0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x82,0x01,0x22,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xF0,0xCB,0x1D,0x6C, + 0x7D,0xC1,0x90,0xB7,0xD9,0xB5,0x66,0x61,0x5E,0x34,0x76,0x14,0xFA,0xF8,0xB4,0xE1, + 0x6D,0x67,0xB0,0x9E,0xB9,0x93,0xB0,0xBE,0x15,0xA4,0xAB,0x76,0x23,0x0D,0x5C,0xC0, + 0x4D,0xB6,0x9F,0xCC,0x9B,0x3A,0x7E,0x50,0x13,0xE6,0x46,0x39,0xB1,0xE9,0x5F,0xB3, + 0xD7,0x86,0xA4,0x23,0xA5,0x27,0xDC,0x20,0x6A,0x64,0xD8,0x0A,0xCD,0x5F,0xEE,0x40, + 0x16,0xCE,0x4D,0xB9,0xCF,0xA2,0x62,0xC8,0x01,0x70,0x7F,0x8D,0x42,0x46,0xB1,0xF2, + 0x80,0x57,0xD5,0x82,0x53,0xEF,0xF2,0x16,0xA4,0xD5,0x07,0xE2,0xA7,0x7A,0x5E,0xD5, + 0x5A,0x4F,0x58,0x88,0xF7,0xEB,0x1B,0x58,0x91,0x6D,0x4E,0xD8,0xCC,0x9F,0xA6,0x98, + 0x05,0xE6,0xFB,0xC2,0x55,0xCA,0xD9,0x7E,0xC8,0xAA,0xC2,0x92,0xC1,0x73,0xBB,0xEC, + 0x89,0x51,0x1C,0x6B,0x0C,0xE5,0x7D,0xF8,0x54,0xBE,0xF7,0x67,0x8C,0xEE,0xE4,0xBB, + 0xFF,0xB9,0x15,0x4F,0xD7,0x1B,0x76,0xF7,0x37,0xEF,0xB0,0xA0,0x2A,0x22,0x4D,0x4B, + 0x2A,0xDE,0x3D,0x37,0x28,0x4A,0x79,0xF6,0xC7,0xE3,0x51,0xEC,0xC4,0x2F,0xDA,0xC1, + 0xBA,0x1A,0xFF,0xDD,0x43,0x2A,0x44,0xD4,0x94,0xDC,0xEE,0xDB,0xC3,0xF2,0xB4,0x76, + 0x01,0xF7,0x69,0x48,0x11,0x67,0xAC,0x3C,0x1C,0xE0,0xEF,0x88,0x77,0x70,0x66,0x39, + 0x17,0xAA,0xD8,0x2C,0x67,0xE3,0xC3,0x2B,0xCD,0xC4,0xB9,0xC8,0xCD,0xA9,0xA4,0xC1, + 0x24,0xDF,0x8E,0x4D,0xE0,0x03,0x1E,0x40,0xAB,0xDD,0x10,0xE7,0xB5,0x93,0x1F,0xF2, + 0xC9,0xCC,0x91,0x3A,0x8D,0x52,0xC9,0x3D,0x7D,0x4D,0xA0,0xBB,0x02,0x03,0x01,0x00, + 0x01,0xA3,0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, + 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF, + 0x04,0x04,0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0xE7,0xC3,0x06,0x5B,0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B, + 
0x78,0xD4,0x68,0xC5,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0x4D,0xA5,0xDB,0xEF,0x4F,0xCD,0x74,0xE6,0x2A,0xB1,0xDC,0x5C,0xBE,0x12, + 0x04,0x94,0xEC,0x4A,0x66,0xD3,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x82,0xDE,0x0F,0x06,0xD4,0xC3, + 0x55,0xD1,0xC9,0x9A,0xDF,0x87,0x69,0xA8,0xA2,0x11,0x12,0x73,0xF4,0x8B,0x98,0x02, + 0xA6,0xE0,0xB1,0x11,0x0E,0xEB,0xC3,0x3B,0x1D,0x8B,0xBF,0x45,0x4B,0x24,0xEA,0x7A, + 0xEF,0x70,0x2A,0xAB,0xE4,0xB6,0xA1,0xB1,0x66,0x5E,0x12,0x09,0x49,0x93,0x6A,0x4B, + 0x3A,0x10,0xD1,0xEE,0xA0,0x6D,0xC7,0x19,0x5B,0xE0,0x75,0x2F,0x3F,0xFB,0x66,0x1F, + 0x91,0x86,0x30,0x5A,0xC6,0x77,0xED,0x06,0x85,0xF8,0x65,0x96,0x48,0x30,0x32,0x25, + 0x93,0x59,0x51,0x2D,0x7D,0x20,0x12,0x9A,0x87,0x07,0x40,0x8C,0x8F,0x81,0xD8,0xF8, + 0xF2,0xF2,0x3E,0xF3,0xF3,0xC8,0x7D,0x7A,0xAA,0xE3,0xF7,0xCD,0x9D,0x69,0x6F,0x85, + 0x15,0xCD,0x18,0xC0,0xBB,0x6E,0x27,0xAD,0xD3,0x9A,0xD2,0x6A,0x42,0x02,0x0C,0xDB, + 0xF5,0x0C,0x85,0xC3,0xB3,0xDB,0x4C,0x28,0x61,0x82,0xC8,0x88,0x44,0x95,0x08,0xBE, + 0x24,0x07,0xEA,0xD2,0x4C,0x0A,0xA9,0x2E,0x47,0x28,0xDE,0xF3,0x24,0xDC,0x22,0x57, + 0xA4,0x5D,0x04,0x22,0x28,0xC6,0x4F,0xBD,0x2E,0xB7,0xD4,0x2C,0x06,0x0E,0x22,0xF5, + 0x05,0xA6,0x76,0x8E,0x77,0xFD,0x1C,0xA1,0x4E,0x10,0x1D,0x82,0x74,0x73,0x06,0x47, + 0xC2,0xD2,0xF7,0x59,0xD5,0xBF,0x64,0x77,0xBB,0x47,0x15,0x23,0x4B,0x78,0x7C,0x51, + 0x34,0xF0,0xF7,0x04,0xE1,0x5C,0xED,0x28,0x55,0x7B,0xC1,0x07,0x52,0x2A,0x86,0x48, + 0xEB,0x8C,0xC2,0x55,0x56,0xDA,0x98,0xF3,0x5C,0x8F,0x21,0x70,0xDD,0xFB,0xA4,0x61, + 0x2F,0x57,0xE7,0x0B,0x70,0x2F,0x00,0x72,0x79,0x3C, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Testing Before Leaf */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing Intermediate CA 1 */ +/* Not Before: Oct 15 00:00:00 2016 GMT */ +unsigned char _datetest_before_leaf[1109]={ + 
0x30,0x82,0x04,0x51,0x30,0x82,0x03,0x39,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x4C, + 0x3E,0x59,0xB4,0xB4,0x96,0x67,0xC6,0x13,0xB0,0xB4,0x67,0x03,0xB9,0x27,0xAE,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81, + 0x9C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72, + 0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75, + 0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A, + 0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B, + 0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20, + 0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06, + 0x03,0x55,0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44, + 0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65, + 0x72,0x6D,0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x1E,0x17, + 0x0D,0x31,0x36,0x31,0x30,0x31,0x35,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D, + 0x31,0x37,0x31,0x30,0x31,0x32,0x31,0x38,0x33,0x38,0x30,0x38,0x5A,0x30,0x81,0x91, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30, + 0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E, + 0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70, + 0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45, + 0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x25,0x30,0x23,0x06,0x03, + 0x55,0x04,0x03,0x0C,0x1C,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x54,0x65, + 0x73,0x74,0x69,0x6E,0x67,0x20,0x42,0x65,0x66,0x6F,0x72,0x65,0x20,0x4C,0x65,0x61, + 
0x66,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, + 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01, + 0x01,0x00,0xB5,0x10,0x30,0xBE,0xE6,0x80,0x11,0x8B,0x5B,0xD8,0xDD,0xFE,0x66,0x19, + 0x8A,0xBC,0x01,0x29,0xA8,0x85,0x25,0xDB,0xF0,0x33,0xA9,0x5F,0x34,0xFC,0x7A,0xB7, + 0x19,0xD1,0x4A,0x7C,0xC9,0xBE,0x9C,0x8E,0xD3,0xB6,0xAA,0x48,0x97,0x53,0xBF,0x20, + 0x1D,0x81,0xAC,0x87,0xCA,0x60,0xC0,0xD5,0xC5,0x9E,0x86,0x48,0xA4,0xBD,0xB2,0x9E, + 0x88,0x92,0x2C,0x6C,0x8D,0xAC,0xC5,0x65,0x6C,0x5C,0x38,0x4E,0x1A,0xDC,0x00,0x70, + 0xCA,0x68,0x33,0x38,0x10,0xE0,0x5F,0xAC,0x8C,0x47,0x73,0xA5,0xC6,0xC7,0x2C,0x4C, + 0xB8,0xBB,0xE7,0x6C,0x42,0x6C,0x11,0x8C,0x2C,0x5E,0xBC,0x4C,0x87,0x1E,0xDE,0x2C, + 0xDE,0x40,0x7E,0xB9,0x32,0x7D,0x73,0x5B,0xF8,0x59,0x50,0x71,0x1E,0x43,0x06,0x89, + 0x09,0xC3,0x3B,0xC2,0xEB,0xD5,0x26,0x50,0x0D,0x98,0x09,0xE7,0x50,0x39,0x87,0x3C, + 0x06,0x5E,0xFF,0x4E,0xD4,0x9C,0x53,0xF9,0xBD,0x3E,0x5E,0x73,0x8B,0xBC,0xE5,0x3E, + 0xD2,0x96,0x4D,0xE5,0x1E,0x24,0x3D,0x34,0xA8,0x7C,0xB9,0x55,0xC0,0xA6,0x61,0x69, + 0xC2,0xCF,0x1F,0x67,0x45,0xC6,0x3A,0x56,0x1F,0xD2,0x93,0x32,0x3F,0x1A,0x60,0x6B, + 0x5B,0xCD,0x1A,0x6D,0x54,0x8C,0xF4,0x3F,0x4D,0x2B,0xA8,0xE7,0x2D,0xF8,0x12,0x39, + 0xCC,0xE6,0x41,0x35,0xD0,0x27,0xE5,0x20,0x15,0xFD,0xF0,0xC4,0xDF,0x7C,0x13,0x65, + 0x1B,0xD8,0x54,0x9D,0x68,0xDC,0xAA,0x51,0xD3,0x6C,0x4F,0x6C,0x16,0x83,0xC6,0x3F, + 0xF9,0x95,0xFF,0xE6,0x4B,0x23,0x4B,0xE1,0x5D,0x02,0xC5,0x14,0x03,0x3A,0x0A,0xFB, + 0xAB,0x1B,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x97,0x30,0x81,0x94,0x30,0x0C,0x06, + 0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55, + 0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55, + 0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01, + 0x30,0x1F,0x06,0x03,0x55,0x1D,0x11,0x04,0x18,0x30,0x16,0x82,0x14,0x74,0x65,0x73, + 0x74,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F, + 
0x6D,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x52,0xBB,0x5E,0x78, + 0x5F,0x54,0xE6,0xD9,0x56,0x8B,0xE9,0x31,0xE7,0x9A,0x68,0xF2,0x96,0xB5,0x34,0xA4, + 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE7,0xC3,0x06, + 0x5B,0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B,0x78,0xD4,0x68,0xC5, + 0xB7,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00, + 0x03,0x82,0x01,0x01,0x00,0x2B,0x8A,0xFF,0xC4,0x3F,0x5C,0x0C,0x98,0x78,0x65,0xC2, + 0x5C,0x41,0x26,0xA1,0x1F,0x08,0xAB,0x6C,0xB2,0xF9,0xF3,0x6C,0x71,0xDA,0xD6,0xCB, + 0x40,0x2C,0xE8,0xA2,0x06,0x66,0xF0,0xD0,0x93,0x7B,0x0A,0x29,0xBB,0x9C,0x12,0xF5, + 0xE0,0xFF,0xC5,0x58,0xB2,0x95,0x25,0x29,0x1E,0x8B,0xFE,0xCC,0x8F,0xC7,0x5E,0x76, + 0x58,0x5E,0x27,0x29,0x47,0xC4,0x1B,0xC1,0xEB,0x22,0x2E,0xDB,0xE2,0x7F,0x38,0x09, + 0x14,0xAC,0x94,0xF6,0xFB,0x16,0x21,0x08,0x11,0x20,0x2B,0x2A,0xB5,0x22,0xD3,0x31, + 0x43,0xB0,0x4E,0xE8,0x33,0x3B,0xDC,0x10,0x56,0xDE,0x55,0xC8,0x9A,0x31,0x6C,0x52, + 0x6D,0xE9,0x79,0x70,0xEB,0xCD,0xD8,0x27,0x32,0xF6,0x30,0x7D,0x48,0xAF,0xB5,0xD8, + 0xBD,0xF3,0x68,0xEC,0xB0,0x7F,0x5A,0x52,0x9A,0x5A,0xF1,0x8E,0xCD,0x94,0x37,0x16, + 0xA2,0x75,0x3C,0x0E,0xDA,0xDE,0x12,0x33,0xAE,0x04,0xAB,0x27,0xDE,0xD1,0x60,0x13, + 0x0C,0x67,0x07,0x2A,0x7C,0xF2,0x46,0x74,0x3C,0x79,0x9B,0x6D,0xF3,0x2D,0x2E,0x69, + 0xDD,0xF4,0xEA,0xEC,0xD2,0xDD,0x85,0x79,0x77,0xCD,0x20,0xA9,0x19,0x3F,0x99,0xBB, + 0xA4,0x8A,0x78,0xBE,0x0E,0xEC,0xB9,0x91,0xAD,0xB6,0xFC,0xFB,0xCF,0xCF,0x71,0xBF, + 0x3C,0x13,0x2F,0xEB,0xD8,0xC8,0x22,0xC3,0x07,0xBB,0xCB,0x95,0x39,0xD4,0x61,0xDF, + 0x4F,0x87,0x41,0xCA,0xDD,0xD8,0x54,0xD7,0xDE,0x9C,0x13,0xF6,0x69,0x90,0xEE,0xE8, + 0xF8,0x0B,0x83,0x38,0x31,0x4C,0x67,0x96,0xF6,0x4A,0x77,0x00,0x41,0x11,0x91,0x77, + 0xC2,0x05,0x60,0x30,0x8C, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Testing After Leaf */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Denylist Date Testing 
Intermediate CA 1 */ +/* Not Before: Dec 1 00:01:00 2016 GMT */ +unsigned char _datetest_after_leaf[1108]={ + 0x30,0x82,0x04,0x50,0x30,0x82,0x03,0x38,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x4C, + 0x3E,0x59,0xB4,0xB4,0x96,0x67,0xC6,0x13,0xB0,0xB4,0x67,0x03,0xB9,0x27,0xAF,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81, + 0x9C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72, + 0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75, + 0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A, + 0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B, + 0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20, + 0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x30,0x30,0x2E,0x06, + 0x03,0x55,0x04,0x03,0x0C,0x27,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x44, + 0x61,0x74,0x65,0x20,0x54,0x65,0x73,0x74,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65, + 0x72,0x6D,0x65,0x64,0x69,0x61,0x74,0x65,0x20,0x43,0x41,0x20,0x31,0x30,0x1E,0x17, + 0x0D,0x31,0x36,0x31,0x32,0x30,0x31,0x30,0x30,0x30,0x31,0x30,0x30,0x5A,0x17,0x0D, + 0x31,0x37,0x31,0x30,0x31,0x32,0x31,0x38,0x33,0x38,0x34,0x37,0x5A,0x30,0x81,0x90, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30, + 0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E, + 0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70, + 0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45, + 0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x24,0x30,0x22,0x06,0x03, + 
0x55,0x04,0x03,0x0C,0x1B,0x44,0x65,0x6E,0x79,0x6C,0x69,0x73,0x74,0x20,0x54,0x65, + 0x73,0x74,0x69,0x6E,0x67,0x20,0x41,0x66,0x74,0x65,0x72,0x20,0x4C,0x65,0x61,0x66, + 0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, + 0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01, + 0x00,0xE9,0xD1,0x18,0x04,0x41,0x52,0x27,0x4F,0x91,0x31,0xBD,0xF2,0x9F,0x11,0x8F, + 0x50,0xF6,0x5C,0xD2,0x6F,0x8B,0x7F,0xDA,0x20,0x50,0x92,0x7F,0x7D,0x61,0x6E,0x52, + 0x74,0xE1,0x66,0x14,0x70,0xAD,0x9E,0x84,0xF2,0x71,0x23,0xC7,0xC6,0xFD,0x58,0xE3, + 0x5B,0x37,0xFF,0x8F,0x72,0xC9,0x4D,0x71,0x20,0xA0,0x7F,0x23,0xD5,0xF5,0xC1,0x37, + 0x01,0x57,0x1C,0x8F,0x8E,0xD1,0x59,0xED,0x26,0x41,0xED,0xE7,0x47,0x86,0xCE,0xBB, + 0x27,0x45,0xAC,0x08,0x51,0xAB,0x3E,0xD8,0x92,0x98,0x6D,0x88,0x24,0xD1,0x56,0x8D, + 0xED,0x81,0xCE,0xBA,0x8F,0x9E,0x8E,0x9E,0x81,0x29,0xC5,0x9C,0x32,0x75,0xC6,0x5D, + 0xDE,0x1E,0x61,0x38,0xD7,0x89,0x41,0x17,0xAC,0xDC,0xB9,0x98,0xC4,0x7E,0xA7,0xC0, + 0x3B,0xB9,0xF2,0xA0,0xB0,0x88,0x3E,0x84,0xBC,0x28,0x1D,0x5B,0x35,0x92,0xCC,0xCB, + 0x9B,0x4E,0xD3,0xF2,0x2F,0x9B,0x77,0xC5,0xB1,0x08,0x18,0x86,0xF1,0x1E,0x47,0xDD, + 0x9A,0x94,0x5E,0xEF,0xE7,0x32,0xAD,0xD0,0x3C,0x65,0x81,0x5D,0xD7,0x94,0x56,0xCA, + 0x95,0xEA,0x4C,0x87,0xE1,0x48,0xC0,0xB9,0xA7,0x23,0xED,0x0F,0xFC,0x56,0x38,0x10, + 0x4E,0x7F,0xB3,0x73,0x0B,0x3A,0xCB,0xB9,0x89,0x15,0xA9,0xBD,0x81,0xB9,0x9F,0xD9, + 0x53,0x2E,0x73,0x95,0x2D,0xA9,0x81,0x85,0xA7,0xC2,0x0B,0xA2,0xDE,0x6F,0x41,0x72, + 0x05,0x50,0xE5,0xB4,0x10,0xD4,0xE7,0xF2,0x76,0x48,0xCC,0x2A,0x2C,0x44,0x74,0xF1, + 0x5E,0x0A,0xB5,0x02,0x55,0x25,0x54,0x29,0x92,0x6F,0x0A,0x78,0x33,0xBB,0x8C,0x01, + 0x1F,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x97,0x30,0x81,0x94,0x30,0x0C,0x06,0x03, + 0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55,0x1D, + 0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,0x1D, + 0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30, + 
0x1F,0x06,0x03,0x55,0x1D,0x11,0x04,0x18,0x30,0x16,0x82,0x14,0x74,0x65,0x73,0x74, + 0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, + 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x1F,0xBA,0x32,0x4F,0x63, + 0xBA,0x31,0x1E,0xA3,0x91,0xFC,0x59,0x84,0x62,0xA9,0x52,0x22,0xC6,0xF1,0xAB,0x30, + 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE7,0xC3,0x06,0x5B, + 0x22,0xE0,0xEC,0xDA,0x8C,0x80,0x00,0xD9,0x0C,0xAC,0x0B,0x78,0xD4,0x68,0xC5,0xB7, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03, + 0x82,0x01,0x01,0x00,0x86,0xFF,0xC5,0xB6,0xB6,0x57,0x9A,0x6B,0xA3,0x83,0xFA,0x97, + 0xA3,0xCB,0x4F,0xA3,0x44,0xB9,0x0A,0x89,0xC7,0x09,0xE3,0x9F,0x61,0x45,0x80,0x11, + 0x1C,0x8F,0x81,0x12,0x96,0x55,0x91,0xD7,0x93,0x70,0x7A,0x24,0x1D,0xA5,0xFE,0x8C, + 0xD9,0x0C,0x74,0x2A,0xB8,0x0C,0xF9,0xBC,0xA7,0xFE,0xC8,0x03,0x1F,0xC8,0x55,0xEF, + 0xC2,0x54,0x81,0x4D,0xA1,0x88,0x1F,0x88,0x74,0x12,0xE3,0xA2,0x58,0x9D,0x66,0x89, + 0x8F,0xBB,0x0F,0xB7,0xE5,0x9F,0xF0,0x81,0x0E,0xFC,0x0E,0x3D,0x33,0xB1,0x9D,0xDD, + 0x82,0x3E,0xF8,0xF2,0x10,0x50,0x1B,0xEB,0x19,0x44,0x5F,0x74,0x2E,0x98,0x68,0x3C, + 0xF7,0x08,0x2F,0x8B,0xB7,0x67,0x14,0xC5,0xC1,0x33,0xBB,0xA8,0xDF,0x47,0xFE,0x3D, + 0x24,0x36,0xD3,0xA7,0x8F,0xAC,0x9E,0x2E,0x49,0xFC,0xB1,0x68,0x93,0x9E,0x10,0x99, + 0x35,0x7F,0xC6,0xBF,0xFD,0x90,0x32,0xCB,0x73,0x57,0x65,0x11,0xDF,0xEB,0x64,0x23, + 0xDD,0x67,0xCC,0x8A,0x00,0xDA,0x0F,0x09,0x66,0xEE,0x72,0xCC,0x73,0x93,0x92,0xC5, + 0x53,0xF4,0x60,0xF1,0xAB,0x3E,0x8B,0x4B,0xEF,0x2C,0xCF,0xDA,0x70,0x4D,0x50,0xB0, + 0x10,0x87,0x97,0x87,0x26,0xA2,0x39,0x16,0xD2,0xEA,0xDC,0x42,0xE7,0xF0,0xED,0x53, + 0xD5,0xFF,0x61,0x1E,0x93,0x22,0xD7,0x59,0xDA,0xAC,0xCD,0x81,0x9E,0xD8,0x72,0x13, + 0x52,0x6B,0xEE,0x86,0xA1,0x37,0x6C,0xBA,0xA2,0x60,0xB2,0xCC,0xA1,0x51,0xA8,0x57, + 0x80,0xCA,0x9C,0xAF,0x03,0xAB,0xBD,0xC3,0x13,0xAA,0x46,0xBD,0x3B,0x99,0xE6,0x6F, + 0x7B,0x93,0x90,0xB6, +}; + +#endif /* date_testing_certs_h */ 
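Review bot: Every non-root fixture in this header expires on Oct 12 2017 (the notAfter encodings are `171012182818Z`, `171012203448Z`, `171012183808Z` and `171012183847Z`), but the comments record only Not Before, so the regression test that consumes them will start failing on expiry rather than exercising the denylist-date logic unless it pins its evaluation time; the test itself is not in this hunk, so I cannot confirm it calls SecTrustSetVerifyDate. I would record the expiry next to each array, e.g. `/* Not After : Oct 12 18:28:18 2017 GMT */` for `_datetest_before_int`, and add a file-level comment stating that the two intermediates share one key and SKID (E7:C3:…:C5:B7) and differ only in serial and validity, so the before/after pairs exercise a notBefore cutoff between Oct 15 and Dec 1 2016 at whatever verify date the test fixes. Separately, the arrays are defined non-`static`, non-`const` in a header, so including it from a second translation unit would produce duplicate symbols; `static const unsigned char _datetest_root[994]` (and likewise for the other four) avoids that and keeps the DER bytes in read-only data.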
diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/wosign_certs.h b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/wosign_certs.h new file mode 100644 index 00000000..068394c4 --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-allowlist/wosign_certs.h 
@@ -0,0 +1,558 @@ +/* + * wosign_certs.c + * Security + * + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + */ + + +#ifndef wosign_certs_h +#define wosign_certs_h + + +/* subject:/C=RU/CN=telegram.im */ +/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ +/* Not After : Sep 3 23:57:19 2019 GMT */ + +unsigned char leafOnAllowList_Cert[1719]={ + 0x30,0x82,0x06,0xB3,0x30,0x82,0x05,0x9B,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x31, + 0x4E,0xCD,0xA3,0x65,0x0B,0x68,0x8D,0x7D,0x77,0xD3,0x5A,0x00,0x4A,0xC5,0x94,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, + 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, + 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, + 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72, + 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, + 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x39,0x30,0x33,0x32, + 0x33,0x35,0x37,0x31,0x39,0x5A,0x17,0x0D,0x31,0x39,0x30,0x39,0x30,0x33,0x32,0x33, + 0x35,0x37,0x31,0x39,0x5A,0x30,0x23,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x52,0x55,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x03,0x0C,0x0B,0x74, + 0x65,0x6C,0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x82,0x02,0x22,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02, + 0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xCA,0xCD,0x7B,0x38,0x40, + 0x59,0xBD,0xD7,0x0D,0xB4,0xDA,0xA7,0x43,0x3F,0x64,0xE7,0xD5,0x88,0x4A,0xA3,0x7D, + 0xA1,0x8A,0x6C,0x3B,0x1B,0xE0,0xE4,0xE0,0x82,0xCD,0xD3,0x38,0x7D,0x6E,0x49,0x0F, + 0x56,0x2D,0xA7,0x3A,0x1D,0x7A,0x5C,0x48,0x0D,0x15,0xBD,0x68,0xC0,0x24,0xAE,0x9B, + 0x03,0x33,0x5E,0xBB,0x12,0x13,0x32,0xDA,0xAF,0xAD,0xEB,0x36,0x76,0x6F,0xBD,0x91, + 
0xF0,0xC1,0xC6,0x14,0xE1,0xDA,0x88,0x32,0x47,0x26,0x5C,0x92,0x5D,0xE1,0xA4,0x3E, + 0x99,0xCD,0x5B,0xFB,0x92,0x3C,0xA9,0x56,0xEC,0x6B,0xA9,0xEB,0xB0,0x34,0x89,0x4B, + 0x96,0x1A,0x57,0x0D,0x5F,0x94,0x7C,0x25,0x67,0xCE,0xC0,0x6A,0xB1,0x73,0xE4,0xB3, + 0x56,0xD8,0xE9,0x09,0x4F,0x5D,0x91,0xBB,0x5E,0x6C,0x13,0xE7,0x18,0xDB,0x62,0x0D, + 0xDA,0xB9,0xCD,0x97,0xC1,0xD4,0x35,0x0F,0x1A,0x4B,0xCA,0xFC,0x9D,0x88,0xD1,0xE4, + 0xFC,0x1D,0x43,0x7E,0xE7,0x1A,0xEB,0xED,0x1F,0x7D,0x1F,0x2B,0xF9,0x3A,0x0D,0x06, + 0x03,0x3F,0x2D,0xAF,0xF4,0xDB,0xCC,0x91,0x7B,0xF7,0x9D,0xAA,0x13,0x41,0xC0,0x57, + 0x8F,0x3E,0xE2,0xCA,0x45,0x7D,0x35,0x1B,0x0C,0x51,0x53,0x81,0x05,0x74,0x88,0xA2, + 0x37,0x9B,0x26,0x34,0xAE,0x49,0xB6,0x97,0x9F,0x81,0xFB,0x45,0x7F,0x65,0x82,0x1F, + 0x8E,0xC1,0xF0,0xC0,0x63,0x1F,0x7B,0xE4,0x45,0xA7,0x4C,0x1C,0x09,0x10,0xF6,0x8A, + 0x81,0x8E,0x3B,0x6E,0xFF,0x15,0x53,0x9D,0x36,0x2F,0x52,0x01,0x0C,0x34,0x59,0x12, + 0x9C,0xCA,0xAF,0xF5,0x58,0x31,0x37,0xE6,0x44,0xE5,0x0D,0xDB,0x0F,0x43,0xA3,0x09, + 0x79,0x78,0x00,0x3D,0x7F,0x3B,0x2F,0xB8,0x28,0x58,0x79,0x35,0xEE,0xA1,0xDA,0x1B, + 0xF2,0x8F,0x9C,0xAB,0x3F,0x38,0xB5,0x88,0x85,0x78,0x48,0xAA,0x67,0x41,0x0A,0xAB, + 0x1D,0x89,0xE1,0x60,0x39,0x9A,0x6B,0x88,0xE3,0xB9,0x78,0x02,0x2F,0x74,0x58,0xDD, + 0xBD,0xEE,0x51,0x8E,0xA9,0x1E,0x5E,0xFD,0x84,0x2B,0x94,0x55,0x14,0xAE,0x68,0x71, + 0x73,0xC7,0xE3,0xAE,0x9E,0xD9,0x54,0xB4,0x6D,0xE1,0x9A,0x10,0x1A,0x51,0x68,0x13, + 0x8E,0x51,0x18,0xBF,0xA8,0x7C,0x1A,0x18,0x2C,0xCE,0xF6,0x56,0xFD,0x9E,0xDC,0x97, + 0xE8,0x95,0x08,0xDA,0xC6,0xBC,0x8C,0x9C,0xDC,0x70,0x45,0xFD,0xD2,0x3E,0x83,0xE3, + 0x01,0x23,0xD4,0x74,0x6D,0xFD,0x2B,0x55,0x97,0x99,0x96,0xEB,0xD3,0x2D,0x5A,0xA7, + 0xEF,0xC8,0x89,0x4C,0xA3,0xC1,0xDA,0x17,0xD0,0xDE,0x9C,0xB6,0xA3,0x1D,0x14,0x05, + 0x65,0xCA,0x5C,0x32,0xD0,0x58,0x62,0xAA,0x56,0x72,0x90,0x02,0xC0,0xFC,0xB6,0x85, + 0x5A,0x53,0xC2,0xC1,0x31,0xAE,0xD6,0xC8,0x54,0xBE,0x78,0xE2,0x44,0x41,0x58,0xC3, + 0xEE,0xA7,0x38,0x6D,0x4E,0xAF,0xF1,0xD2,0xD1,0xD9,0xB1,0x17,0x5D,0x10,0x00,0x1D, + 
0x8A,0x07,0xF6,0x5C,0x2C,0x1D,0x2B,0xDB,0xDE,0x3C,0x5B,0x22,0xC4,0xBB,0x27,0xC6, + 0x5A,0x78,0x25,0x7A,0x8F,0x86,0x42,0x6A,0x82,0xD3,0x7C,0xCA,0x07,0x62,0x23,0x09, + 0x44,0xEE,0x3B,0xEF,0x0E,0xB7,0x1A,0xA4,0x4D,0xBB,0x93,0xFD,0x83,0xCD,0x67,0x22, + 0x4B,0xE9,0x37,0x23,0x99,0x3F,0xD7,0xD4,0xEE,0x5C,0x4B,0x02,0x03,0x01,0x00,0x01, + 0xA3,0x82,0x02,0xAF,0x30,0x82,0x02,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, + 0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04, + 0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02, + 0x30,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x2A,0x36,0x37, + 0x39,0xD2,0xCA,0x66,0xB3,0xF8,0x12,0x94,0x78,0xB1,0xD9,0x18,0x1C,0x11,0xD9,0x7C, + 0xD7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7, + 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E, + 0xA8,0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71, + 0x30,0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28, + 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73, + 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76, + 0x65,0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61, + 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36, + 0x2E,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65, + 0x72,0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30, + 0xA0,0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31, + 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D, + 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C, + 
0x30,0x16,0x06,0x03,0x55,0x1D,0x11,0x04,0x0F,0x30,0x0D,0x82,0x0B,0x74,0x65,0x6C, + 0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x4F,0x06,0x03,0x55,0x1D,0x20,0x04, + 0x48,0x30,0x46,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3A,0x06, + 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x01,0x01,0x02,0x30,0x2B,0x30,0x29, + 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70, + 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F, + 0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x82,0x01,0x06,0x06,0x0A,0x2B, + 0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x81,0xF7,0x04,0x81,0xF4,0x00, + 0xF2,0x00,0x77,0x00,0x68,0xF6,0x98,0xF8,0x1F,0x64,0x82,0xBE,0x3A,0x8C,0xEE,0xB9, + 0x28,0x1D,0x4C,0xFC,0x71,0x51,0x5D,0x67,0x93,0xD4,0x44,0xD1,0x0A,0x67,0xAC,0xBB, + 0x4F,0x4F,0xFB,0xC4,0x00,0x00,0x01,0x56,0xF2,0x97,0xEB,0x40,0x00,0x00,0x04,0x03, + 0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xBC,0xC2,0x3C,0xA9,0x92,0x2F,0x3D,0x59,0x3C, + 0x82,0x38,0xD6,0x1A,0x83,0x95,0x04,0x15,0x1C,0x85,0x19,0x8F,0x12,0x33,0x01,0x1B, + 0xB1,0xCF,0xBE,0xE6,0xC1,0x6F,0xBE,0x02,0x21,0x00,0xB2,0x3B,0x8C,0xA0,0xB0,0x9C, + 0xCF,0xBA,0xFA,0x4E,0xBA,0xE7,0x95,0x85,0x89,0x5C,0xE1,0x5F,0x34,0x7A,0xA8,0xCB, + 0x19,0xC8,0x0C,0xED,0x3A,0xA4,0xE2,0x29,0xCD,0xBF,0x00,0x77,0x00,0xA4,0xB9,0x09, + 0x90,0xB4,0x18,0x58,0x14,0x87,0xBB,0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98, + 0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77,0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01, + 0x56,0xF2,0x97,0xEC,0x65,0x00,0x00,0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00, + 0x96,0x67,0x94,0x08,0x36,0x41,0xF7,0x3F,0x97,0x0B,0xAE,0xAB,0x2F,0xD4,0x0C,0xE5, + 0xFA,0x3F,0xB2,0x0B,0x4F,0x57,0x1C,0xDF,0x0A,0xF4,0xE7,0x04,0x59,0x1F,0x0D,0xEF, + 0x02,0x21,0x00,0xBC,0xB5,0xAD,0xF5,0x60,0x34,0x47,0xD5,0x23,0x08,0x12,0xDE,0x8F, + 0xC7,0xE9,0x14,0x0C,0x02,0x25,0x0B,0x6D,0xB8,0xBF,0x1C,0x0D,0x65,0xEC,0x86,0x9B, + 0x30,0x88,0x2F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, + 
0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3B,0x9A,0xD3,0xED,0xF3,0xA8,0x95,0x4E,0x35, + 0x96,0xFF,0xA4,0xF1,0x61,0xB1,0x97,0xCA,0xF1,0xC8,0xDC,0x82,0x51,0xB9,0x29,0x3D, + 0x77,0x59,0x96,0xF4,0x32,0x1F,0xCC,0xF9,0xC6,0x71,0x9E,0x6E,0xB4,0x83,0xFC,0xD9, + 0xBF,0x21,0x43,0xAF,0xEB,0xB1,0x37,0x36,0x91,0x26,0x72,0xF8,0xAA,0x3A,0x38,0xBE, + 0x51,0x27,0xBB,0x07,0x48,0x92,0x4E,0xFA,0xA0,0x5A,0x00,0x0D,0x81,0xCB,0x3B,0x17, + 0x4E,0x04,0x0A,0xF7,0x0E,0x53,0xCD,0xAC,0x5E,0xC8,0xA5,0xE3,0x31,0x6E,0x9F,0x45, + 0x65,0xA1,0x81,0x5C,0x98,0xF9,0x7E,0x07,0xC1,0x05,0x92,0xBD,0xCD,0xEA,0x5C,0xC7, + 0x0B,0xC1,0x22,0x8F,0x13,0x7E,0xA2,0xB5,0xE2,0x88,0xBF,0x00,0xF0,0xC5,0xCA,0x99, + 0xB2,0x59,0x9E,0x6E,0x71,0x35,0x49,0xC5,0xAF,0xAB,0x9B,0x80,0x2A,0xE1,0x8F,0x82, + 0x98,0x43,0x54,0x8D,0x7A,0x28,0x98,0xA4,0xAE,0xDE,0x29,0xCC,0x15,0xBF,0x2E,0x4F, + 0xD8,0x70,0x2E,0x8F,0xD8,0xE0,0xB9,0xC0,0x37,0x67,0x7A,0x29,0x35,0x0B,0xCD,0x7D, + 0xF9,0x59,0x4A,0x6C,0x1C,0x87,0x31,0x2C,0x85,0x83,0x08,0x4E,0xAB,0xED,0xA1,0xEF, + 0x76,0x90,0x32,0x71,0x6D,0xE6,0x13,0xE5,0x70,0xB8,0x7B,0xF3,0x6C,0x47,0x04,0xDE, + 0xCC,0x61,0x67,0x5D,0x98,0xC0,0xDB,0x7D,0x24,0x3D,0x60,0xA9,0x60,0x9D,0xD8,0xC7, + 0x27,0x8C,0x5F,0xA7,0x5A,0xE9,0x58,0x2C,0x2A,0x03,0x92,0xB6,0xF1,0x51,0xC6,0x1D, + 0xA4,0x7B,0xDF,0xE6,0xF3,0x1A,0xD4,0x23,0x6C,0x4E,0x8D,0x5F,0xFB,0x98,0xD2,0xB3, + 0x0B,0x73,0x41,0xB6,0x5C,0x84,0xEF, +}; + +/* subject:/CN=mmime.info */ +/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ +/* Not After : Sep 12 17:15:48 2016 GMT */ + +unsigned char leafNotOnAllowList_Cert[1343]={ + 0x30,0x82,0x05,0x3B,0x30,0x82,0x04,0x23,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x6A, + 0xC3,0x4F,0x8F,0xC7,0x97,0x97,0x53,0xE4,0x61,0x64,0x13,0xC4,0x2E,0x92,0x9B,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, + 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, + 
0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, + 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72, + 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, + 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x39,0x31,0x32,0x31, + 0x37,0x31,0x35,0x34,0x38,0x5A,0x17,0x0D,0x31,0x36,0x30,0x39,0x31,0x32,0x31,0x37, + 0x31,0x35,0x34,0x38,0x5A,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03, + 0x0C,0x0A,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x82,0x01,0x22, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, + 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB6,0x88,0xD4, + 0xC3,0xBE,0x56,0x7F,0xB1,0xF1,0x48,0x37,0x71,0x3F,0xC7,0x72,0x53,0x95,0x64,0xAC, + 0x60,0xF6,0x8C,0x01,0x15,0x2C,0xBD,0x6D,0x43,0x3F,0x8F,0x50,0x12,0x03,0x72,0x0C, + 0x0D,0x37,0xD7,0x00,0x13,0xEC,0x49,0xC5,0xCF,0x00,0xE1,0x84,0x01,0x8B,0x1A,0xD7, + 0x6D,0x8A,0xC7,0xB9,0xA7,0x3F,0x3A,0xE5,0xDD,0x1A,0xC9,0xCD,0x30,0xB5,0x74,0x0B, + 0xFD,0x3C,0x70,0x8D,0xCF,0xCC,0xB7,0xB7,0x52,0x95,0x47,0xDB,0x47,0x2F,0x9C,0x5C, + 0x06,0x6B,0x3D,0xA4,0xE5,0x42,0x6C,0x85,0x69,0xF3,0x35,0x07,0x3C,0xEF,0xA2,0xFB, + 0x81,0x3F,0xF6,0x1C,0x51,0x17,0xA6,0x19,0x70,0xF3,0x02,0x43,0x8C,0xC3,0x42,0xED, + 0xFE,0xF7,0x5F,0xD1,0xF3,0xBB,0x46,0xE9,0x11,0xB8,0x39,0x2E,0xE6,0x8E,0x00,0x48, + 0x66,0xDF,0x78,0xDE,0x1A,0x27,0x71,0xF1,0x13,0x37,0xC7,0x65,0xA0,0x03,0x41,0xF9, + 0xB2,0xE1,0x82,0x54,0x38,0x60,0x7E,0x1A,0x5A,0x77,0xC6,0x6E,0x9C,0x91,0x06,0x62, + 0x84,0xA6,0x91,0xF0,0x3E,0x10,0x4F,0x83,0x1D,0x87,0x94,0xEB,0x0F,0x14,0x91,0xEC, + 0x58,0xFC,0x15,0x60,0x16,0xF6,0xCD,0x88,0xF7,0x7C,0xE9,0x26,0x71,0x3C,0x14,0x3E, + 0xD0,0xE0,0x06,0x3B,0xC2,0xAC,0xC0,0x16,0x16,0x0B,0x43,0xD2,0x92,0x96,0x84,0xC9, + 0x65,0x6E,0xC9,0x76,0x8A,0xE3,0x5B,0x96,0xDE,0xB9,0x57,0xB0,0x7C,0xC2,0xE9,0x74, + 0x2D,0x6D,0x6F,0x58,0x23,0xC9,0xEB,0xB3,0x63,0xB6,0x18,0xC6,0xD6,0x6B,0xF0,0x88, + 
0xAC,0x2D,0x3E,0x05,0x6D,0x00,0xC0,0x25,0x9A,0x4C,0x3E,0xFE,0xA5,0x02,0x03,0x01, + 0x00,0x01,0xA3,0x82,0x02,0x45,0x30,0x82,0x02,0x41,0x30,0x0B,0x06,0x03,0x55,0x1D, + 0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16, + 0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30, + 0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x3D,0xAB,0x6A,0xB5, + 0xCC,0x2F,0xFE,0x38,0x1F,0xEF,0x88,0xA0,0xF7,0xBC,0x2A,0x44,0xEA,0x9E,0xE6,0xBD, + 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,0x16, + 0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,0xA8, + 0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,0x30, + 0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x36,0x2E,0x77,0x6F,0x73,0x69, + 0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,0x65, + 0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x36, + 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2E, + 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,0x72, + 0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,0xA0, + 0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x36,0x2E, + 0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,0x73, + 0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,0x30, + 0x81,0xB6,0x06,0x03,0x55,0x1D,0x11,0x04,0x81,0xAE,0x30,0x81,0xAB,0x82,0x0A,0x6D, + 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0E,0x77,0x77,0x77,0x2E,0x6D, + 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x63,0x6C,0x6F,0x75,0x64, + 
0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x12,0x77,0x65,0x62, + 0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82, + 0x0E,0x76,0x70,0x6E,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82, + 0x11,0x62,0x61,0x63,0x6B,0x75,0x70,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E, + 0x66,0x6F,0x82,0x10,0x66,0x69,0x6C,0x65,0x73,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E, + 0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65, + 0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x73,0x68,0x61,0x72,0x65,0x2E,0x6D,0x6D,0x69, + 0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6E,0x65,0x77,0x73,0x2E,0x6D,0x6D, + 0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x51,0x06,0x03,0x55,0x1D,0x20,0x04, + 0x4A,0x30,0x48,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3C,0x06, + 0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,0x2B, + 0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74, + 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E, + 0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x7A, + 0x93,0xB0,0x04,0xAB,0xCA,0x53,0x61,0x83,0xC4,0xDC,0x8B,0xE9,0xA5,0x62,0x46,0x9E, + 0x22,0x7A,0xBB,0x23,0x32,0xC9,0xC8,0x55,0xA7,0x87,0x53,0x68,0x61,0xF4,0x14,0x9B, + 0xA6,0xC1,0xC2,0x2D,0xF1,0xD6,0x2F,0x58,0x6D,0xCC,0xF9,0x47,0x4F,0x49,0x82,0xDD, + 0xFA,0x61,0xD4,0xE1,0x99,0xB3,0x1E,0x5A,0x44,0x1E,0xA3,0xC2,0x1E,0x83,0x4F,0x9C, + 0xB8,0xBC,0x25,0xCD,0x32,0x13,0xCA,0xA8,0xEC,0x17,0xD6,0xEB,0x96,0x38,0xFF,0x26, + 0xF7,0x76,0x85,0xA0,0x96,0x7C,0x70,0xCE,0xFC,0xBF,0x23,0x1D,0xF8,0xFB,0x0F,0x3E, + 0xA8,0x22,0xF4,0xE6,0x96,0xD7,0x38,0xF3,0xCE,0xA2,0xDE,0xD3,0xAA,0x11,0x61,0x2E, + 0x41,0xBF,0xE0,0xAD,0x65,0x88,0x06,0xB4,0x8E,0x45,0x38,0xEB,0x48,0xA5,0xEB,0xE6, + 0x88,0xD2,0x0D,0x83,0x8B,0x6A,0x2A,0x97,0xC6,0xBD,0x01,0x39,0x71,0x0A,0xDA,0xF3, + 
0x2A,0x8D,0x7F,0x5C,0xCC,0xF0,0x05,0x17,0x99,0x98,0x11,0xD3,0x43,0x23,0xCE,0x91, + 0x55,0x02,0x7E,0x93,0x1B,0x37,0xE9,0x81,0x84,0x7D,0xEE,0x80,0x0D,0x69,0xF5,0x77, + 0x20,0x8B,0x39,0x7F,0x4E,0x52,0x94,0xED,0x07,0x76,0xF0,0xB6,0x12,0x39,0xDA,0xEB, + 0x80,0x42,0x02,0xD4,0xFE,0xE6,0x42,0xB7,0xC5,0xA8,0xEC,0xA6,0x83,0x9C,0x68,0x60, + 0x9A,0x52,0xF2,0x7F,0xF6,0x48,0x92,0x93,0x10,0x43,0xDE,0x5E,0x75,0x18,0x1B,0x22, + 0x12,0x3F,0xEB,0x7A,0x38,0x6E,0x73,0xBD,0x6A,0x2C,0xE6,0x07,0xEA,0xFC,0x50,0x31, + 0x54,0xC3,0x7B,0xD1,0x0B,0xC1,0x78,0x9D,0x6E,0xF2,0xAF,0x65,0xB9,0xF1,0xB5, +}; + +/* subject:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ +/* issuer :/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */ +/* Not After : Nov 8 00:58:58 2029 GMT */ + +unsigned char ca1_Cert[1456]={ + 0x30,0x82,0x05,0xAC,0x30,0x82,0x03,0x94,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x38, + 0xF6,0x45,0xC1,0xE2,0x5D,0x91,0x2C,0xCE,0x3B,0x2B,0x39,0x12,0x31,0x74,0x0D,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, + 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, + 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, + 0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, + 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x6F,0x66,0x20,0x57, + 0x6F,0x53,0x69,0x67,0x6E,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x31,0x30,0x38,0x30, + 0x30,0x35,0x38,0x35,0x38,0x5A,0x17,0x0D,0x32,0x39,0x31,0x31,0x30,0x38,0x30,0x30, + 0x35,0x38,0x35,0x38,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57, + 0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64, + 0x31,0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67, + 
0x6E,0x20,0x43,0x41,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65, + 0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x47,0x32,0x30,0x82,0x01,0x22, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, + 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE3,0xB4,0x80, + 0x0E,0x6B,0x30,0x50,0x82,0x2F,0x1F,0xE7,0x9D,0xBF,0xF8,0x7C,0x42,0x25,0xED,0xAE, + 0x61,0xC4,0xEB,0x86,0x87,0x23,0x7F,0x11,0x1F,0xC0,0x93,0x5F,0x1B,0x92,0x90,0x1E, + 0x77,0x8C,0xBC,0x76,0xF7,0xFB,0x0A,0xA5,0xD5,0x7D,0xAC,0xDC,0x4B,0x18,0xD8,0x58, + 0x2E,0xDF,0x46,0x6B,0x34,0x0F,0x45,0x64,0x60,0x84,0xC2,0xEB,0x9A,0x0E,0x51,0xD4, + 0x2A,0x54,0x51,0x3E,0x27,0x3B,0x64,0x68,0x86,0x6F,0x7C,0x6B,0x00,0x3C,0x99,0xF6, + 0x4C,0xA8,0x45,0x27,0xAD,0xA5,0xCB,0x2B,0x37,0xED,0x59,0xC3,0x52,0x4C,0x4F,0xDE, + 0x34,0x9C,0xF2,0xB7,0xD1,0xFA,0x58,0xCB,0xE5,0x62,0x9E,0x55,0x46,0x5C,0xB7,0xC5, + 0x8D,0x38,0x24,0x35,0xEF,0x97,0x2C,0x7C,0x65,0x10,0x0D,0xEF,0x9F,0x97,0x08,0xD5, + 0xE5,0xB3,0x12,0x7A,0x92,0xDD,0xFE,0x88,0x0F,0x8F,0xA4,0xAF,0xBD,0xC5,0xD6,0x36, + 0xF7,0x41,0x1B,0xE8,0x59,0xDD,0x86,0xFF,0x35,0xBF,0xED,0xE4,0xD1,0xA0,0x93,0x6E, + 0x51,0xA8,0x99,0xCB,0xDF,0xDD,0xBE,0x71,0x88,0xC3,0xDA,0xB1,0x65,0xCC,0x7B,0x95, + 0xC4,0x66,0x8F,0xBE,0x4E,0x06,0x7F,0x9B,0x53,0x8C,0x6B,0x3C,0xCE,0x97,0x26,0x82, + 0x1F,0x17,0x30,0xBA,0x3F,0xC8,0xDE,0xCC,0x0B,0xA1,0xB4,0xEF,0x12,0x3D,0x93,0xCB, + 0x08,0x30,0xE7,0x1A,0x98,0x97,0x80,0x3A,0x26,0x84,0x8F,0xFE,0x73,0x74,0x95,0x53, + 0x0F,0x51,0xB2,0xAA,0x89,0x57,0xF4,0x96,0x40,0x72,0x13,0x1D,0xE4,0x67,0x98,0x4E, + 0x8F,0xC6,0x40,0x0B,0xF5,0x1D,0x0C,0x45,0x2D,0xE0,0xD5,0x92,0x83,0x02,0x03,0x01, + 0x00,0x01,0xA3,0x82,0x01,0x76,0x30,0x82,0x01,0x72,0x30,0x0E,0x06,0x03,0x55,0x1D, + 0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D, + 0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06, + 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, + 
0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x30,0x06, + 0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86,0x1F, + 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,0x2E,0x77,0x6F,0x73, + 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30, + 0x72,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x66,0x30,0x64,0x30, + 0x27,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74, + 0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E, + 0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x30,0x39,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x30,0x02,0x86,0x2D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61, + 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31, + 0x67,0x32,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E, + 0x63,0x65,0x72,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2,0xA7, + 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E, + 0xA8,0xC7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE1, + 0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6, + 0xFE,0xFB,0x3E,0x30,0x47,0x06,0x03,0x55,0x1D,0x20,0x04,0x40,0x30,0x3E,0x30,0x3C, + 0x06,0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30, + 0x2B,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E, + 0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00, + 0x96,0x5A,0xDF,0x96,0x91,0x17,0x68,0x90,0x5D,0x2F,0xB4,0x32,0x15,0x80,0x03,0x03, + 0x0B,0xE9,0x1C,0xB7,0x73,0x6C,0xDA,0xA8,0xFA,0x94,0xDD,0xDD,0x3E,0x34,0x2B,0x2E, + 0x80,0x93,0x6C,0xFA,0xA6,0x67,0xD3,0x1B,0x7A,0x82,0x41,0xCE,0x9E,0xFF,0x3F,0xEF, + 
0xB2,0x83,0x6A,0x9E,0xFC,0x32,0xFD,0x44,0xF3,0x82,0x66,0xAA,0xCF,0x44,0x2F,0xB3, + 0x37,0x41,0xF0,0x79,0x12,0xE3,0x02,0x27,0x86,0x48,0x92,0xBE,0xCF,0x56,0xD7,0xCB, + 0xD7,0xE7,0x1E,0x25,0x9D,0x41,0xDB,0x0A,0xE7,0x33,0x12,0x58,0xAD,0x95,0xD8,0x9E, + 0xD4,0xB7,0x95,0x29,0xBA,0xFE,0xFF,0xDF,0x80,0xA4,0x77,0x5B,0x15,0x62,0x0F,0x69, + 0xF8,0x87,0x6D,0x74,0xEA,0x85,0xA2,0x76,0x5D,0x9F,0x95,0x2E,0x03,0xBC,0x8A,0xF9, + 0x8A,0xAC,0x81,0x64,0x50,0xF2,0x0B,0x45,0x4B,0xEC,0x97,0x30,0x39,0x74,0xE5,0xA7, + 0x7E,0x16,0x24,0x62,0x2B,0x50,0xF1,0x5C,0xD8,0x4F,0xCD,0x2E,0xA2,0x18,0x25,0xA3, + 0xCE,0xF6,0x1F,0x60,0xDD,0x15,0xDE,0x20,0x15,0x1B,0x0E,0x7F,0xAF,0x85,0xD9,0x40, + 0xAC,0x07,0x2A,0x34,0xDD,0x51,0xB0,0x1A,0xA8,0xE6,0x0E,0x9F,0x5F,0xDB,0x46,0x70, + 0xE6,0xF5,0xD9,0x25,0x1C,0xF0,0x1D,0xE5,0x42,0xA1,0x2D,0x22,0x9D,0x6E,0x11,0xC9, + 0x8D,0xA6,0x65,0xBC,0x0E,0xAA,0x76,0x73,0xC8,0x56,0x60,0x2F,0xFB,0x3F,0x86,0xB9, + 0xA5,0xF5,0x33,0xEF,0xD5,0x13,0x1F,0x49,0x4C,0x38,0x07,0x9E,0x59,0x22,0x5A,0xC7, + 0x4E,0xD9,0x25,0x24,0xBA,0x53,0x70,0xFC,0x63,0x2A,0x54,0x51,0xEB,0xC3,0x4B,0x41, + 0x7D,0xE4,0xE8,0x3C,0x2C,0xA5,0x76,0x5A,0xBF,0xD9,0x4C,0xA8,0x0D,0xAE,0x52,0x6E, + 0xA5,0x5D,0x98,0x3D,0x6C,0x90,0x6D,0x78,0x1F,0xC3,0x70,0x95,0x86,0x07,0x3F,0x54, + 0xE3,0xEA,0x8A,0x81,0x64,0x62,0x9A,0x8F,0x31,0xAF,0x7B,0x2A,0x7E,0x92,0x22,0xC3, + 0x8E,0xCC,0x53,0xAC,0xC7,0x9C,0x99,0x11,0x2B,0x48,0x3F,0x52,0x71,0x2B,0x6E,0xC0, + 0xE1,0xB3,0x0A,0xE5,0x03,0x62,0xD7,0x89,0x18,0x28,0x4C,0x0A,0x8D,0x3F,0x0B,0x45, + 0x89,0x81,0x8B,0x88,0xA4,0x93,0xC2,0x7F,0x44,0xE5,0x1E,0x5B,0x40,0x00,0xFC,0x2F, + 0xCC,0x3B,0xF8,0x6A,0x79,0x31,0xFD,0x44,0x14,0xB6,0x8F,0x48,0x85,0x4C,0xAB,0x0A, + 0x9D,0xBB,0x37,0x0A,0xFC,0x51,0x19,0xE0,0xFE,0x59,0x6A,0x3B,0x8F,0x60,0x62,0xA7, + 0x07,0x82,0xAF,0x08,0x66,0xA0,0xF2,0xDA,0x60,0x02,0xEA,0xD8,0x34,0x7E,0x57,0x71, + 0xA1,0xB5,0xFE,0x69,0xD7,0xFB,0xDD,0x5A,0x9C,0xF3,0xFF,0xC4,0xEA,0xCD,0x74,0xFA, + 0x94,0x70,0xD3,0x58,0x92,0xCE,0xAF,0x12,0xE4,0x6E,0xEB,0xDD,0xB8,0xAF,0x1D,0xE2, + 
0x65,0xD4,0x46,0xEA,0x0B,0x3E,0xE3,0x68,0x0E,0x0A,0x4C,0x27,0x83,0x50,0x91,0x06, + 0xC6,0x7B,0xF8,0xFA,0x9B,0x26,0xED,0x2C,0x0E,0x67,0xB8,0x6C,0xE5,0x2C,0x98,0x6D, + 0x5F,0x7A,0x28,0xC3,0x84,0x3C,0x03,0x0D,0xF7,0xE2,0x03,0xE1,0x94,0xC2,0x58,0x27, + 0xF8,0x4D,0x81,0x59,0x2F,0xF1,0x7C,0x61,0xC9,0x57,0x5D,0xBD,0xDC,0x9C,0x80,0xD0, + 0x64,0xDF,0x7C,0x87,0x78,0x85,0xE6,0x94,0x8B,0x70,0x8B,0x05,0x47,0xE4,0xC8,0x7B, +}; + +/* subject:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */ +/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ +/* Not After : Dec 31 23:59:59 2019 GMT */ + +unsigned char ca2_Cert[1632]={ + 0x30,0x82,0x06,0x5C,0x30,0x82,0x04,0x44,0xA0,0x03,0x02,0x01,0x02,0x02,0x07,0x19, + 0xC2,0x85,0x30,0xE9,0x3B,0x36,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x30,0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x49,0x4C,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53, + 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29, + 0x06,0x03,0x55,0x04,0x0B,0x13,0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69, + 0x67,0x69,0x74,0x61,0x6C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55, + 0x04,0x03,0x13,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72, + 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, + 0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x32,0x32, + 0x34,0x36,0x33,0x36,0x5A,0x17,0x0D,0x31,0x39,0x31,0x32,0x33,0x31,0x32,0x33,0x35, + 0x39,0x35,0x39,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F, + 0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31, + 
0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, + 0x79,0x20,0x6F,0x66,0x20,0x57,0x6F,0x53,0x69,0x67,0x6E,0x30,0x82,0x02,0x22,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xBD,0xCA,0x8D,0xAC, + 0xB8,0x91,0x15,0x56,0x97,0x7B,0x6B,0x5C,0x7A,0xC2,0xDE,0x6B,0xD9,0xA1,0xB0,0xC3, + 0x10,0x23,0xFA,0xA7,0xA1,0xB2,0xCC,0x31,0xFA,0x3E,0xD9,0xA6,0x29,0x6F,0x16,0x3D, + 0xE0,0x6B,0xF8,0xB8,0x40,0x5F,0xDB,0x39,0xA8,0x00,0x7A,0x8B,0xA0,0x4D,0x54,0x7D, + 0xC2,0x22,0x78,0xFC,0x8E,0x09,0xB8,0xA8,0x85,0xD7,0xCC,0x95,0x97,0x4B,0x74,0xD8, + 0x9E,0x7E,0xF0,0x00,0xE4,0x0E,0x89,0xAE,0x49,0x28,0x44,0x1A,0x10,0x99,0x32,0x0F, + 0x25,0x88,0x53,0xA4,0x0D,0xB3,0x0F,0x12,0x08,0x16,0x0B,0x03,0x71,0x27,0x1C,0x7F, + 0xE1,0xDB,0xD2,0xFD,0x67,0x68,0xC4,0x05,0x5D,0x0A,0x0E,0x5D,0x70,0xD7,0xD8,0x97, + 0xA0,0xBC,0x53,0x41,0x9A,0x91,0x8D,0xF4,0x9E,0x36,0x66,0x7A,0x7E,0x56,0xC1,0x90, + 0x5F,0xE6,0xB1,0x68,0x20,0x36,0xA4,0x8C,0x24,0x2C,0x2C,0x47,0x0B,0x59,0x76,0x66, + 0x30,0xB5,0xBE,0xDE,0xED,0x8F,0xF8,0x9D,0xD3,0xBB,0x01,0x30,0xE6,0xF2,0xF3,0x0E, + 0xE0,0x2C,0x92,0x80,0xF3,0x85,0xF9,0x28,0x8A,0xB4,0x54,0x2E,0x9A,0xED,0xF7,0x76, + 0xFC,0x15,0x68,0x16,0xEB,0x4A,0x6C,0xEB,0x2E,0x12,0x8F,0xD4,0xCF,0xFE,0x0C,0xC7, + 0x5C,0x1D,0x0B,0x7E,0x05,0x32,0xBE,0x5E,0xB0,0x09,0x2A,0x42,0xD5,0xC9,0x4E,0x90, + 0xB3,0x59,0x0D,0xBB,0x7A,0x7E,0xCD,0xD5,0x08,0x5A,0xB4,0x7F,0xD8,0x1C,0x69,0x11, + 0xF9,0x27,0x0F,0x7B,0x06,0xAF,0x54,0x83,0x18,0x7B,0xE1,0xDD,0x54,0x7A,0x51,0x68, + 0x6E,0x77,0xFC,0xC6,0xBF,0x52,0x4A,0x66,0x46,0xA1,0xB2,0x67,0x1A,0xBB,0xA3,0x4F, + 0x77,0xA0,0xBE,0x5D,0xFF,0xFC,0x56,0x0B,0x43,0x72,0x77,0x90,0xCA,0x9E,0xF9,0xF2, + 0x39,0xF5,0x0D,0xA9,0xF4,0xEA,0xD7,0xE7,0xB3,0x10,0x2F,0x30,0x42,0x37,0x21,0xCC, + 0x30,0x70,0xC9,0x86,0x98,0x0F,0xCC,0x58,0x4D,0x83,0xBB,0x7D,0xE5,0x1A,0xA5,0x37, + 
0x8D,0xB6,0xAC,0x32,0x97,0x00,0x3A,0x63,0x71,0x24,0x1E,0x9E,0x37,0xC4,0xFF,0x74, + 0xD4,0x37,0xC0,0xE2,0xFE,0x88,0x46,0x60,0x11,0xDD,0x08,0x3F,0x50,0x36,0xAB,0xB8, + 0x7A,0xA4,0x95,0x62,0x6A,0x6E,0xB0,0xCA,0x6A,0x21,0x5A,0x69,0xF3,0xF3,0xFB,0x1D, + 0x70,0x39,0x95,0xF3,0xA7,0x6E,0xA6,0x81,0x89,0xA1,0x88,0xC5,0x3B,0x71,0xCA,0xA3, + 0x52,0xEE,0x83,0xBB,0xFD,0xA0,0x77,0xF4,0xE4,0x6F,0xE7,0x42,0xDB,0x6D,0x4A,0x99, + 0x8A,0x34,0x48,0xBC,0x17,0xDC,0xE4,0x80,0x08,0x22,0xB6,0xF2,0x31,0xC0,0x3F,0x04, + 0x3E,0xEB,0x9F,0x20,0x79,0xD6,0xB8,0x06,0x64,0x64,0x02,0x31,0xD7,0xA9,0xCD,0x52, + 0xFB,0x84,0x45,0x69,0x09,0x00,0x2A,0xDC,0x55,0x8B,0xC4,0x06,0x46,0x4B,0xC0,0x4A, + 0x1D,0x09,0x5B,0x39,0x28,0xFD,0xA9,0xAB,0xCE,0x00,0xF9,0x2E,0x48,0x4B,0x26,0xE6, + 0x30,0x4C,0xA5,0x58,0xCA,0xB4,0x44,0x82,0x4F,0xE7,0x91,0x1E,0x33,0xC3,0xB0,0x93, + 0xFF,0x11,0xFC,0x81,0xD2,0xCA,0x1F,0x71,0x29,0xDD,0x76,0x4F,0x92,0x25,0xAF,0x1D, + 0x81,0xB7,0x0F,0x2F,0x8C,0xC3,0x06,0xCC,0x2F,0x27,0xA3,0x4A,0xE4,0x0E,0x99,0xBA, + 0x7C,0x1E,0x45,0x1F,0x7F,0xAA,0x19,0x45,0x96,0xFD,0xFC,0x3D,0x02,0x03,0x01,0x00, + 0x01,0xA3,0x82,0x01,0x07,0x30,0x82,0x01,0x03,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, + 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,0x0E,0x06, + 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06, + 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xE1,0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B, + 0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,0xFE,0xFB,0x3E,0x30,0x1F,0x06,0x03, + 0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B, + 0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,0x43,0xD0,0x41,0xAE,0xF2,0x30,0x69,0x06, + 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x5D,0x30,0x5B,0x30,0x27,0x06, + 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,0x70,0x3A, + 0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E, + 0x63,0x6F,0x6D,0x2F,0x63,0x61,0x30,0x30,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, + 
0x30,0x02,0x86,0x24,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x2E,0x73, + 0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72,0x74, + 0x73,0x2F,0x63,0x61,0x2E,0x63,0x72,0x74,0x30,0x32,0x06,0x03,0x55,0x1D,0x1F,0x04, + 0x2B,0x30,0x29,0x30,0x27,0xA0,0x25,0xA0,0x23,0x86,0x21,0x68,0x74,0x74,0x70,0x3A, + 0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63, + 0x6F,0x6D,0x2F,0x73,0x66,0x73,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00, + 0xB6,0x6D,0xF8,0x70,0xFB,0xE2,0x0D,0x4C,0x98,0xB3,0x07,0x49,0x15,0xF5,0x04,0xC4, + 0x6C,0xCA,0xCA,0xF5,0x68,0xA0,0x08,0xFE,0x12,0x6D,0x9C,0x04,0x06,0xC9,0xAD,0x9A, + 0x91,0x52,0x3E,0x78,0xC4,0x5C,0xEE,0x9F,0x54,0x1D,0xEE,0xE3,0xF1,0x5E,0x30,0xC9, + 0x49,0xE1,0x39,0xE0,0xA6,0x9D,0x36,0x6C,0x57,0xFA,0xE6,0x34,0x4F,0x55,0xE8,0x87, + 0xA8,0x2C,0xDD,0x05,0xF1,0x58,0x12,0x91,0xE8,0xCA,0xCE,0x28,0x78,0x8F,0xDF,0x07, + 0x85,0x01,0xA5,0xDC,0x45,0x96,0x05,0xD4,0x80,0xB2,0x2B,0x05,0x9A,0xCB,0x9A,0xA5, + 0x8B,0xE0,0x3A,0x67,0xE6,0x73,0x47,0xBE,0x4A,0xFD,0x27,0xB1,0x88,0xEF,0xE6,0xCA, + 0xCF,0x8D,0x0E,0x26,0x9F,0xFA,0x5F,0x57,0x78,0xAD,0x6D,0xFE,0xAE,0x9B,0x35,0x08, + 0xB1,0xC3,0xBA,0xC1,0x00,0x4A,0x4B,0x7D,0x14,0xBD,0xF7,0xF1,0xD3,0x55,0x18,0xAC, + 0xD0,0x33,0x70,0x88,0x6D,0xC4,0x09,0x71,0x14,0xA6,0x2B,0x4F,0x88,0x81,0xE7,0x0B, + 0x00,0x37,0xA9,0x15,0x7D,0x7E,0xD7,0x01,0x96,0x3F,0x2F,0xAF,0x7B,0x62,0xAE,0x0A, + 0x4A,0xBF,0x4B,0x39,0x2E,0x35,0x10,0x8B,0xFE,0x04,0x39,0xE4,0x3C,0x3A,0x0C,0x09, + 0x56,0x40,0x3A,0xB5,0xF4,0xC2,0x68,0x0C,0xB5,0xF9,0x52,0xCD,0xEE,0x9D,0xF8,0x98, + 0xFC,0x78,0xE7,0x58,0x47,0x8F,0x1C,0x73,0x58,0x69,0x33,0xAB,0xFF,0xDD,0xDF,0x8E, + 0x24,0x01,0x77,0x98,0x19,0x3A,0xB0,0x66,0x79,0xBC,0xE1,0x08,0xA3,0x0E,0x4F,0xC1, + 0x04,0xB3,0xF3,0x01,0xC8,0xEB,0xD3,0x59,0x1C,0x35,0xD2,0x93,0x1E,0x70,0x65,0x82, + 0x7F,0xDB,0xCF,0xFB,0xC8,0x99,0x12,0x60,0xC3,0x44,0x6F,0x3A,0x80,0x4B,0xD7,0xBE, + 
0x21,0xAA,0x14,0x7A,0x64,0xCB,0xDD,0x37,0x43,0x45,0x5B,0x32,0x2E,0x45,0xF0,0xD9, + 0x59,0x1F,0x6B,0x18,0xF0,0x7C,0xE9,0x55,0x36,0x19,0x61,0x5F,0xB5,0x7D,0xF1,0x8D, + 0xBD,0x88,0xE4,0x75,0x4B,0x98,0xDD,0x27,0xB0,0xE4,0x84,0x44,0x2A,0x61,0x84,0x57, + 0x05,0x82,0x11,0x1F,0xAA,0x35,0x58,0xF3,0x20,0x0E,0xAF,0x59,0xEF,0xFA,0x55,0x72, + 0x72,0x0D,0x26,0xD0,0x9B,0x53,0x49,0xAC,0xCE,0x37,0x2E,0x65,0x61,0xFF,0xF6,0xEC, + 0x1B,0xEA,0xF6,0xF1,0xA6,0xD3,0xD1,0xB5,0x7B,0xBE,0x35,0xF4,0x22,0xC1,0xBC,0x8D, + 0x01,0xBD,0x68,0x5E,0x83,0x0D,0x2F,0xEC,0xD6,0xDA,0x63,0x0C,0x27,0xD1,0x54,0x3E, + 0xE4,0xA8,0xD3,0xCE,0x4B,0x32,0xB8,0x91,0x94,0xFF,0xFB,0x5B,0x49,0x2D,0x75,0x18, + 0xA8,0xBA,0x71,0x9A,0x3B,0xAE,0xD9,0xC0,0xA9,0x4F,0x87,0x91,0xED,0x8B,0x7B,0x6B, + 0x20,0x98,0x89,0x39,0x83,0x4F,0x80,0xC4,0x69,0xCC,0x17,0xC9,0xC8,0x4E,0xBE,0xE4, + 0xA9,0xA5,0x81,0x76,0x70,0x06,0x04,0x32,0xCD,0x83,0x65,0xF4,0xBC,0x7D,0x3E,0x13, + 0xBC,0xD2,0xE8,0x6F,0x63,0xAA,0xB5,0x3B,0xDA,0x8D,0x86,0x32,0x82,0x78,0x9D,0xD9, + 0xCC,0xFF,0xBF,0x57,0x64,0x74,0xED,0x28,0x3D,0x44,0x62,0x15,0x61,0x4B,0xF7,0x94, + 0xB0,0x0D,0x2A,0x67,0x1C,0xF0,0xCB,0x9B,0xA5,0x92,0xBF,0xF8,0x41,0x5A,0xC1,0x3D, + 0x60,0xED,0x9F,0xBB,0xB8,0x6D,0x9B,0xCE,0xA9,0x6A,0x16,0x3F,0x7E,0xEA,0x06,0xF1, +}; + +/* subject:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ +/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ +/* Not After : Sep 17 19:46:36 2036 GMT */ + +unsigned char root_Cert[1997]={ + 0x30,0x82,0x07,0xC9,0x30,0x82,0x05,0xB1,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, + 0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16, + 0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F, + 0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13, + 
0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20, + 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E, + 0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74, + 0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, + 0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E, + 0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x17, + 0x0D,0x33,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x30,0x7D, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,0x30, + 0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D, + 0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,0x22, + 0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,0x43, + 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,0x69, + 0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,0x61, + 0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x02, + 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, + 0x03,0x82,0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xC1,0x88, + 0xDB,0x09,0xBC,0x6C,0x46,0x7C,0x78,0x9F,0x95,0x7B,0xB5,0x33,0x90,0xF2,0x72,0x62, + 0xD6,0xC1,0x36,0x20,0x22,0x24,0x5E,0xCE,0xE9,0x77,0xF2,0x43,0x0A,0xA2,0x06,0x64, + 0xA4,0xCC,0x8E,0x36,0xF8,0x38,0xE6,0x23,0xF0,0x6E,0x6D,0xB1,0x3C,0xDD,0x72,0xA3, + 0x85,0x1C,0xA1,0xD3,0x3D,0xB4,0x33,0x2B,0xD3,0x2F,0xAF,0xFE,0xEA,0xB0,0x41,0x59, + 0x67,0xB6,0xC4,0x06,0x7D,0x0A,0x9E,0x74,0x85,0xD6,0x79,0x4C,0x80,0x37,0x7A,0xDF, + 0x39,0x05,0x52,0x59,0xF7,0xF4,0x1B,0x46,0x43,0xA4,0xD2,0x85,0x85,0xD2,0xC3,0x71, + 0xF3,0x75,0x62,0x34,0xBA,0x2C,0x8A,0x7F,0x1E,0x8F,0xEE,0xED,0x34,0xD0,0x11,0xC7, + 
0x96,0xCD,0x52,0x3D,0xBA,0x33,0xD6,0xDD,0x4D,0xDE,0x0B,0x3B,0x4A,0x4B,0x9F,0xC2, + 0x26,0x2F,0xFA,0xB5,0x16,0x1C,0x72,0x35,0x77,0xCA,0x3C,0x5D,0xE6,0xCA,0xE1,0x26, + 0x8B,0x1A,0x36,0x76,0x5C,0x01,0xDB,0x74,0x14,0x25,0xFE,0xED,0xB5,0xA0,0x88,0x0F, + 0xDD,0x78,0xCA,0x2D,0x1F,0x07,0x97,0x30,0x01,0x2D,0x72,0x79,0xFA,0x46,0xD6,0x13, + 0x2A,0xA8,0xB9,0xA6,0xAB,0x83,0x49,0x1D,0xE5,0xF2,0xEF,0xDD,0xE4,0x01,0x8E,0x18, + 0x0A,0x8F,0x63,0x53,0x16,0x85,0x62,0xA9,0x0E,0x19,0x3A,0xCC,0xB5,0x66,0xA6,0xC2, + 0x6B,0x74,0x07,0xE4,0x2B,0xE1,0x76,0x3E,0xB4,0x6D,0xD8,0xF6,0x44,0xE1,0x73,0x62, + 0x1F,0x3B,0xC4,0xBE,0xA0,0x53,0x56,0x25,0x6C,0x51,0x09,0xF7,0xAA,0xAB,0xCA,0xBF, + 0x76,0xFD,0x6D,0x9B,0xF3,0x9D,0xDB,0xBF,0x3D,0x66,0xBC,0x0C,0x56,0xAA,0xAF,0x98, + 0x48,0x95,0x3A,0x4B,0xDF,0xA7,0x58,0x50,0xD9,0x38,0x75,0xA9,0x5B,0xEA,0x43,0x0C, + 0x02,0xFF,0x99,0xEB,0xE8,0x6C,0x4D,0x70,0x5B,0x29,0x65,0x9C,0xDD,0xAA,0x5D,0xCC, + 0xAF,0x01,0x31,0xEC,0x0C,0xEB,0xD2,0x8D,0xE8,0xEA,0x9C,0x7B,0xE6,0x6E,0xF7,0x27, + 0x66,0x0C,0x1A,0x48,0xD7,0x6E,0x42,0xE3,0x3F,0xDE,0x21,0x3E,0x7B,0xE1,0x0D,0x70, + 0xFB,0x63,0xAA,0xA8,0x6C,0x1A,0x54,0xB4,0x5C,0x25,0x7A,0xC9,0xA2,0xC9,0x8B,0x16, + 0xA6,0xBB,0x2C,0x7E,0x17,0x5E,0x05,0x4D,0x58,0x6E,0x12,0x1D,0x01,0xEE,0x12,0x10, + 0x0D,0xC6,0x32,0x7F,0x18,0xFF,0xFC,0xF4,0xFA,0xCD,0x6E,0x91,0xE8,0x36,0x49,0xBE, + 0x1A,0x48,0x69,0x8B,0xC2,0x96,0x4D,0x1A,0x12,0xB2,0x69,0x17,0xC1,0x0A,0x90,0xD6, + 0xFA,0x79,0x22,0x48,0xBF,0xBA,0x7B,0x69,0xF8,0x70,0xC7,0xFA,0x7A,0x37,0xD8,0xD8, + 0x0D,0xD2,0x76,0x4F,0x57,0xFF,0x90,0xB7,0xE3,0x91,0xD2,0xDD,0xEF,0xC2,0x60,0xB7, + 0x67,0x3A,0xDD,0xFE,0xAA,0x9C,0xF0,0xD4,0x8B,0x7F,0x72,0x22,0xCE,0xC6,0x9F,0x97, + 0xB6,0xF8,0xAF,0x8A,0xA0,0x10,0xA8,0xD9,0xFB,0x18,0xC6,0xB6,0xB5,0x5C,0x52,0x3C, + 0x89,0xB6,0x19,0x2A,0x73,0x01,0x0A,0x0F,0x03,0xB3,0x12,0x60,0xF2,0x7A,0x2F,0x81, + 0xDB,0xA3,0x6E,0xFF,0x26,0x30,0x97,0xF5,0x8B,0xDD,0x89,0x57,0xB6,0xAD,0x3D,0xB3, + 0xAF,0x2B,0xC5,0xB7,0x76,0x02,0xF0,0xA5,0xD6,0x2B,0x9A,0x86,0x14,0x2A,0x72,0xF6, + 
0xE3,0x33,0x8C,0x5D,0x09,0x4B,0x13,0xDF,0xBB,0x8C,0x74,0x13,0x52,0x4B,0x02,0x03, + 0x01,0x00,0x01,0xA3,0x82,0x02,0x52,0x30,0x82,0x02,0x4E,0x30,0x0C,0x06,0x03,0x55, + 0x1D,0x13,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F, + 0x04,0x04,0x03,0x02,0x01,0xAE,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68, + 0x43,0xD0,0x41,0xAE,0xF2,0x30,0x64,0x06,0x03,0x55,0x1D,0x1F,0x04,0x5D,0x30,0x5B, + 0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63, + 0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67, + 0x2F,0x73,0x66,0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x2B, + 0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C, + 0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x73,0x66, + 0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x82,0x01,0x5D,0x06, + 0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x54,0x30,0x82,0x01,0x50,0x30,0x82,0x01,0x4C, + 0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x81,0xB5,0x37,0x01,0x01,0x01,0x30,0x82,0x01, + 0x3B,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x23,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74, + 0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70, + 0x64,0x66,0x30,0x35,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x29, + 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72, + 0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x69,0x6E,0x74,0x65,0x72,0x6D,0x65, + 0x64,0x69,0x61,0x74,0x65,0x2E,0x70,0x64,0x66,0x30,0x81,0xD0,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xC3,0x30,0x27,0x16,0x20,0x53,0x74,0x61, + 0x72,0x74,0x20,0x43,0x6F,0x6D,0x6D,0x65,0x72,0x63,0x69,0x61,0x6C,0x20,0x28,0x53, + 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x29,0x20,0x4C,0x74,0x64,0x2E,0x30,0x03,0x02, + 
0x01,0x01,0x1A,0x81,0x97,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x20,0x4C,0x69,0x61, + 0x62,0x69,0x6C,0x69,0x74,0x79,0x2C,0x20,0x72,0x65,0x61,0x64,0x20,0x74,0x68,0x65, + 0x20,0x73,0x65,0x63,0x74,0x69,0x6F,0x6E,0x20,0x2A,0x4C,0x65,0x67,0x61,0x6C,0x20, + 0x4C,0x69,0x6D,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x73,0x2A,0x20,0x6F,0x66,0x20, + 0x74,0x68,0x65,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72, + 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, + 0x72,0x69,0x74,0x79,0x20,0x50,0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x76,0x61,0x69, + 0x6C,0x61,0x62,0x6C,0x65,0x20,0x61,0x74,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, + 0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72, + 0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,0x64,0x66,0x30,0x11,0x06,0x09, + 0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,0x04,0x04,0x03,0x02,0x00,0x07,0x30, + 0x38,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,0x04,0x2B,0x16,0x29, + 0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53, + 0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, + 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x02,0x01,0x00,0x16,0x6C,0x99, + 0xF4,0x66,0x0C,0x34,0xF5,0xD0,0x85,0x5E,0x7D,0x0A,0xEC,0xDA,0x10,0x4E,0x38,0x1C, + 0x5E,0xDF,0xA6,0x25,0x05,0x4B,0x91,0x32,0xC1,0xE8,0x3B,0xF1,0x3D,0xDD,0x44,0x09, + 0x5B,0x07,0x49,0x8A,0x29,0xCB,0x66,0x02,0xB7,0xB1,0x9A,0xF7,0x25,0x98,0x09,0x3C, + 0x8E,0x1B,0xE1,0xDD,0x36,0x87,0x2B,0x4B,0xBB,0x68,0xD3,0x39,0x66,0x3D,0xA0,0x26, + 0xC7,0xF2,0x39,0x91,0x1D,0x51,0xAB,0x82,0x7B,0x7E,0xD5,0xCE,0x5A,0xE4,0xE2,0x03, + 0x57,0x70,0x69,0x97,0x08,0xF9,0x5E,0x58,0xA6,0x0A,0xDF,0x8C,0x06,0x9A,0x45,0x16, + 0x16,0x38,0x0A,0x5E,0x57,0xF6,0x62,0xC7,0x7A,0x02,0x05,0xE6,0xBC,0x1E,0xB5,0xF2, + 0x9E,0xF4,0xA9,0x29,0x83,0xF8,0xB2,0x14,0xE3,0x6E,0x28,0x87,0x44,0xC3,0x90,0x1A, + 
0xDE,0x38,0xA9,0x3C,0xAC,0x43,0x4D,0x64,0x45,0xCE,0xDD,0x28,0xA9,0x5C,0xF2,0x73, + 0x7B,0x04,0xF8,0x17,0xE8,0xAB,0xB1,0xF3,0x2E,0x5C,0x64,0x6E,0x73,0x31,0x3A,0x12, + 0xB8,0xBC,0xB3,0x11,0xE4,0x7D,0x8F,0x81,0x51,0x9A,0x3B,0x8D,0x89,0xF4,0x4D,0x93, + 0x66,0x7B,0x3C,0x03,0xED,0xD3,0x9A,0x1D,0x9A,0xF3,0x65,0x50,0xF5,0xA0,0xD0,0x75, + 0x9F,0x2F,0xAF,0xF0,0xEA,0x82,0x43,0x98,0xF8,0x69,0x9C,0x89,0x79,0xC4,0x43,0x8E, + 0x46,0x72,0xE3,0x64,0x36,0x12,0xAF,0xF7,0x25,0x1E,0x38,0x89,0x90,0x77,0x7E,0xC3, + 0x6B,0x6A,0xB9,0xC3,0xCB,0x44,0x4B,0xAC,0x78,0x90,0x8B,0xE7,0xC7,0x2C,0x1E,0x4B, + 0x11,0x44,0xC8,0x34,0x52,0x27,0xCD,0x0A,0x5D,0x9F,0x85,0xC1,0x89,0xD5,0x1A,0x78, + 0xF2,0x95,0x10,0x53,0x32,0xDD,0x80,0x84,0x66,0x75,0xD9,0xB5,0x68,0x28,0xFB,0x61, + 0x2E,0xBE,0x84,0xA8,0x38,0xC0,0x99,0x12,0x86,0xA5,0x1E,0x67,0x64,0xAD,0x06,0x2E, + 0x2F,0xA9,0x70,0x85,0xC7,0x96,0x0F,0x7C,0x89,0x65,0xF5,0x8E,0x43,0x54,0x0E,0xAB, + 0xDD,0xA5,0x80,0x39,0x94,0x60,0xC0,0x34,0xC9,0x96,0x70,0x2C,0xA3,0x12,0xF5,0x1F, + 0x48,0x7B,0xBD,0x1C,0x7E,0x6B,0xB7,0x9D,0x90,0xF4,0x22,0x3B,0xAE,0xF8,0xFC,0x2A, + 0xCA,0xFA,0x82,0x52,0xA0,0xEF,0xAF,0x4B,0x55,0x93,0xEB,0xC1,0xB5,0xF0,0x22,0x8B, + 0xAC,0x34,0x4E,0x26,0x22,0x04,0xA1,0x87,0x2C,0x75,0x4A,0xB7,0xE5,0x7D,0x13,0xD7, + 0xB8,0x0C,0x64,0xC0,0x36,0xD2,0xC9,0x2F,0x86,0x12,0x8C,0x23,0x09,0xC1,0x1B,0x82, + 0x3B,0x73,0x49,0xA3,0x6A,0x57,0x87,0x94,0xE5,0xD6,0x78,0xC5,0x99,0x43,0x63,0xE3, + 0x4D,0xE0,0x77,0x2D,0xE1,0x65,0x99,0x72,0x69,0x04,0x1A,0x47,0x09,0xE6,0x0F,0x01, + 0x56,0x24,0xFB,0x1F,0xBF,0x0E,0x79,0xA9,0x58,0x2E,0xB9,0xC4,0x09,0x01,0x7E,0x95, + 0xBA,0x6D,0x00,0x06,0x3E,0xB2,0xEA,0x4A,0x10,0x39,0xD8,0xD0,0x2B,0xF5,0xBF,0xEC, + 0x75,0xBF,0x97,0x02,0xC5,0x09,0x1B,0x08,0xDC,0x55,0x37,0xE2,0x81,0xFB,0x37,0x84, + 0x43,0x62,0x20,0xCA,0xE7,0x56,0x4B,0x65,0xEA,0xFE,0x6C,0xC1,0x24,0x93,0x24,0xA1, + 0x34,0xEB,0x05,0xFF,0x9A,0x22,0xAE,0x9B,0x7D,0x3F,0xF1,0x65,0x51,0x0A,0xA6,0x30, + 0x6A,0xB3,0xF4,0x88,0x1C,0x80,0x0D,0xFC,0x72,0x8A,0xE8,0x83,0x5E, +}; + +#endif /* 
wosign_certs_h */
diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c
deleted file mode 100644
index 9603fb89..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c
+++ /dev/null
@@ -1,1386 +0,0 @@ -/* - * si-84-sectrust-allowlist.c - * Security - * - * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved. - */ - -#include -#include - -#include "shared_regressions.h" - -/* On allow list until: - Not After : Mar 9 07:45:00 2018 GMT -*/ -static const UInt8 cert0[] = { - 0x30,0x82,0x05,0x44,0x30,0x82,0x04,0x2c,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00, - 0x9d,0x12,0x4b,0xdb,0x57,0xb7,0x9f,0xba,0x33,0xf6,0x44,0xd9,0x10,0x40,0x48,0x4c, - 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30, - 0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19, - 0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53, - 0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x31,0x19,0x30,0x17,0x06,0x03,0x55, - 0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36, - 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x35,0x30,0x33,0x30,0x39,0x30,0x37, - 0x34,0x35,0x30,0x30,0x5a,0x17,0x0d,0x31,0x38,0x30,0x33,0x30,0x39,0x30,0x37,0x34, - 0x35,0x30,0x30,0x5a,0x30,0x79,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x53,0x17, - 0x4e,0xac,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x07,0x1e,0x04,0x53,0x17,0x4e, - 0xac,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x0a,0x1e,0x1a,0x53,0x17,0x4e,0xac, - 0x74,0x5e,0x94,0xb1,0x5b,0x9d,0x4f,0xe1,0x60,0x6f,0x67,0x0d,0x52,0xa1,0x67,0x09, - 0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x0b,0x1e, - 0x06,0x7f,0x51,0x7e,0xdc,0x90,0xe8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03, - 0x13,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x30, - 0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01, - 0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00, - 0xfc,0x09,0x73,0x1d,0x18,0x75,0xbd,0x7f,0xf5,0xce,0x9e,0x6e,0x26,0x1c,0xbd,0xca, - 
0xc7,0x1b,0x75,0x45,0x13,0x1e,0xe4,0x52,0x7e,0x78,0xe9,0x1c,0x79,0xa1,0x02,0xd8, - 0x3d,0xc6,0xc5,0x6f,0x7b,0xbd,0xae,0xc7,0x3b,0xe6,0x45,0xc2,0xe9,0xc9,0x32,0x2d, - 0xd4,0xda,0x7a,0x93,0x79,0x30,0xce,0xec,0x6f,0xf5,0x0d,0x2d,0xde,0xa4,0xce,0xbd, - 0x40,0xfb,0xda,0x7d,0x48,0x7d,0x98,0x02,0x17,0x75,0x99,0x65,0x68,0x1c,0xbb,0x92, - 0x29,0x16,0xdc,0xc6,0x1d,0x1d,0x19,0x1b,0x94,0x17,0x6e,0x93,0xd8,0x57,0xaa,0x00, - 0xf9,0xa2,0x37,0x9a,0xde,0x65,0xc2,0xce,0xa5,0xae,0x80,0xa7,0x56,0xab,0x8c,0xc8, - 0x6a,0x3d,0xbe,0x86,0xe1,0x13,0x69,0x41,0x4b,0xe9,0xfa,0xd9,0xa5,0x63,0x8f,0xba, - 0x02,0x15,0x09,0xca,0xf9,0x27,0x0f,0xea,0x90,0x4f,0x5d,0xa5,0x66,0x51,0xad,0xc8, - 0xff,0x2d,0xf3,0xd4,0x7c,0xd3,0x06,0xe8,0xc2,0xdc,0x08,0x63,0x3d,0x69,0xb6,0x89, - 0x5f,0x3f,0x9c,0xdc,0x21,0xa8,0xbd,0x0a,0xbe,0xc2,0x0e,0x08,0x06,0x05,0xb7,0x46, - 0x96,0xec,0x08,0x5c,0xb9,0xef,0xfa,0x4b,0xd1,0x60,0x10,0xac,0xc8,0x88,0xbf,0xb7, - 0xb1,0xb1,0x7a,0x55,0xdd,0xd9,0x96,0x06,0x5b,0xfb,0xc2,0xa5,0xd4,0x9c,0xde,0x24, - 0x0c,0x7e,0x22,0x59,0xb0,0xa6,0x7a,0xc7,0x18,0x02,0x6c,0x1a,0x21,0x8c,0x79,0x8a, - 0xc5,0xbb,0x10,0x54,0x1b,0x77,0x04,0xcf,0x46,0x60,0x36,0x42,0xfb,0x8a,0x13,0xf7, - 0xa0,0xd6,0x03,0x33,0xb6,0xc4,0x1e,0x08,0x58,0x5d,0xb3,0xd3,0xc3,0x6c,0x0e,0x9f, - 0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xfb,0x30,0x82,0x01,0xf7,0x30,0x09,0x06, - 0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x73,0x06,0x08,0x2b,0x06,0x01,0x05, - 0x05,0x07,0x01,0x01,0x04,0x67,0x30,0x65,0x30,0x28,0x06,0x08,0x2b,0x06,0x01,0x05, - 0x05,0x07,0x30,0x01,0x86,0x1c,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73, - 0x70,0x73,0x68,0x61,0x32,0x73,0x73,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63, - 0x6e,0x2f,0x30,0x39,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x2d, - 0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63, - 0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72, - 0x74,0x2f,0x53,0x48,0x41,0x32,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x36,0x06, - 
0x03,0x55,0x1d,0x11,0x04,0x2f,0x30,0x2d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71, - 0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69, - 0x71,0x62,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,0x71, - 0x74,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02, - 0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x50,0x0e,0x94, - 0x7e,0x68,0x20,0x2d,0x95,0x58,0x3f,0x8f,0x51,0xa6,0xdd,0x5a,0xb9,0xef,0xfe,0xf0, - 0x50,0x30,0x1d,0x06,0x03,0x55,0x1d,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2b,0x06, - 0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02, - 0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xb7,0xd1,0x59, - 0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53, - 0x3c,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a, - 0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x01,0x30,0x26,0x30,0x24,0x06,0x08, - 0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f, - 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70, - 0x73,0x2f,0x30,0x81,0x8f,0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x87,0x30,0x81,0x84, - 0x30,0x4d,0xa0,0x4b,0xa0,0x49,0xa4,0x47,0x30,0x45,0x31,0x0b,0x30,0x09,0x06,0x03, - 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a, - 0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53, - 0x53,0x4c,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,0x63,0x72,0x6c, - 0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,0x6c,0x31,0x30, - 0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,0x72, - 0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c, - 0x6f,0x61,0x64,0x2f,0x73,0x68,0x61,0x32,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31, - 0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01, - 
0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x26,0xa8,0x7c,0x88,0x57,0xb7,0xe2,0xa0, - 0xf5,0x55,0xbb,0x93,0xa1,0xea,0xc2,0x0a,0x82,0xa1,0x82,0x3d,0xe1,0x85,0xfe,0x26, - 0x95,0x5f,0x16,0x13,0x88,0x87,0x2d,0x6f,0xbe,0x0a,0xe8,0xe7,0x04,0xcd,0xa5,0x9e, - 0xac,0x69,0xd5,0xa0,0x81,0x27,0x91,0xdc,0xcd,0xa6,0xbd,0x62,0x0c,0x67,0x3f,0x39, - 0xdf,0x23,0xa8,0xf5,0xd5,0xb6,0xa8,0x14,0x93,0x80,0x0b,0x17,0x04,0xbd,0x0a,0x75, - 0x74,0x34,0x26,0xf6,0x46,0x82,0x34,0x1d,0x26,0x06,0x43,0x2a,0xd8,0xff,0x0e,0xf1, - 0xf0,0xf1,0x74,0x8b,0x17,0x9a,0x6d,0x24,0x90,0x8d,0x35,0x69,0xc4,0xff,0xf7,0x6a, - 0x81,0x00,0x27,0x11,0xd5,0xc7,0xc4,0xac,0x98,0x15,0x20,0xe7,0x90,0x8a,0xb7,0x3d, - 0xdf,0xbf,0x18,0x7f,0x7c,0xa7,0x38,0x42,0xa7,0xe2,0x94,0xda,0xcb,0xb5,0x84,0x67, - 0x9d,0x82,0x37,0x58,0xa0,0x7f,0x06,0xcb,0xf5,0x3b,0x22,0x8f,0x54,0x19,0x8e,0xad, - 0x82,0x14,0xf3,0x8f,0xcd,0x55,0x93,0xb6,0xa7,0xdb,0xf5,0x25,0xd9,0x04,0x7c,0x69, - 0xc7,0x08,0x7e,0x32,0xcb,0xce,0x9d,0xb2,0x45,0x25,0x61,0x6b,0x7b,0xd3,0xb0,0x2a, - 0xd1,0xa8,0x1c,0xab,0x5b,0x3f,0x1d,0x8f,0xbd,0x46,0xb8,0x0d,0x33,0x4b,0xc9,0x3b, - 0x94,0x7f,0xa8,0x28,0x0f,0xa8,0xb7,0xbc,0x0d,0xcf,0xf7,0x7e,0xc1,0xcf,0xc7,0xf2, - 0x2f,0x1d,0x77,0xe4,0xdc,0x15,0xb0,0x42,0x0c,0x4d,0xd2,0x8d,0x6e,0x58,0x31,0x5b, - 0x5f,0xc9,0x4f,0x43,0x53,0x76,0x7b,0x2a,0xd6,0x65,0x93,0x28,0xb4,0xb8,0xdc,0x3c, - 0x3c,0x03,0xcc,0x5e,0x9f,0x52,0x28,0x9a, -}; - -/* On allow list until: - Not After : Dec 24 08:34:15 2016 GMT -*/ -static const UInt8 cert1[1475]={ - 0x30,0x82,0x05,0xBF,0x30,0x82,0x04,0xA7,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x1A, - 0x2F,0xDD,0xD9,0x35,0x3B,0x65,0xEE,0x1B,0xB4,0x66,0x19,0x4D,0xF3,0x10,0xE1,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x58, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30, - 0x30,0x06,0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E, - 0x74,0x65,0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49, - 
0x6E,0x66,0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65, - 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0C,0x0C,0x43,0x4E,0x4E,0x49, - 0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x32, - 0x32,0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x17,0x0D,0x31,0x36,0x31,0x32,0x32, - 0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x30,0x81,0xF3,0x31,0x1B,0x30,0x19,0x06, - 0x03,0x55,0x04,0x0F,0x13,0x12,0x56,0x31,0x2E,0x30,0x2C,0x20,0x43,0x6C,0x61,0x75, - 0x73,0x65,0x20,0x35,0x2E,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04, - 0x05,0x13,0x0F,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x33,0x39,0x33,0x39, - 0x35,0x39,0x31,0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C, - 0x02,0x01,0x03,0x13,0x02,0x43,0x4E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01, - 0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,0x13,0x07,0x53,0x69,0x63,0x68,0x75,0x61, - 0x6E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02, - 0x01,0x01,0x13,0x07,0x63,0x68,0x65,0x6E,0x67,0x44,0x75,0x31,0x0B,0x30,0x09,0x06, - 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04, - 0x08,0x1E,0x04,0x56,0xDB,0x5D,0xDD,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x07, - 0x1E,0x04,0x62,0x10,0x90,0xFD,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0A,0x1E, - 0x14,0x56,0xDB,0x5D,0xDD,0x9E,0x4F,0x59,0x29,0x62,0x95,0x8D,0x44,0x67,0x09,0x96, - 0x50,0x51,0x6C,0x53,0xF8,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x0B,0x1E,0x06, - 0x62,0x80,0x67,0x2F,0x90,0xE8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13, - 0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x82, - 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, - 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0x99, - 0x31,0x25,0x93,0xE0,0x9A,0x65,0x36,0xCC,0x16,0x86,0xAF,0xBF,0x0D,0x2D,0x0B,0xE6, - 0x9A,0xD5,0x00,0x89,0xAD,0x6B,0x49,0x59,0x10,0x74,0x3A,0xA7,0x4F,0xEB,0xBD,0xC0, - 
0xEE,0x46,0x1A,0x4E,0x9B,0x96,0x20,0xD7,0x2C,0xF8,0x93,0x5C,0x2A,0xAF,0x57,0x15, - 0x0C,0x57,0x3A,0xD0,0x25,0x92,0x2E,0x18,0xB4,0xDF,0xD8,0x3E,0xA2,0xC0,0xC6,0x5E, - 0x7A,0xD1,0xDA,0xAD,0x99,0x12,0x24,0x04,0xA1,0x42,0x5A,0xB0,0x42,0x3A,0x4F,0x02, - 0xDE,0x8A,0x55,0xD7,0xB0,0x24,0x97,0x62,0xF9,0x95,0x70,0xFA,0xA8,0x81,0xFC,0x3A, - 0xB5,0xA0,0x94,0x8E,0x42,0x89,0xF9,0x15,0x4B,0x06,0xD8,0xA1,0xC7,0xB0,0xC8,0x94, - 0x03,0x57,0xF0,0x01,0xDB,0x0D,0x85,0xFD,0xA1,0xCD,0x1D,0x3C,0xF5,0x14,0x6C,0x79, - 0x46,0xCF,0x00,0x3A,0x6C,0x74,0xD9,0x79,0xFD,0x9C,0xD9,0x61,0x7D,0x84,0x4F,0x82, - 0x2A,0x40,0x00,0x58,0x2C,0xF0,0x3A,0xDF,0xD4,0x8A,0x39,0x24,0x5C,0xB1,0xA6,0xAD, - 0x02,0x4C,0x16,0xCE,0x82,0xE6,0x22,0x32,0xC2,0x2A,0x93,0x94,0x25,0x5D,0x42,0xF9, - 0xD2,0x2B,0xD5,0x9F,0xDB,0x45,0x51,0xE4,0x0E,0xD4,0x48,0x12,0xB1,0x67,0xF4,0x6D, - 0x91,0x86,0xBC,0xFB,0xC6,0xE6,0xA0,0x7F,0x2B,0x8F,0xFB,0x67,0xEA,0x5D,0xAB,0x73, - 0xDD,0x9D,0x40,0xFA,0xF7,0xDC,0xDE,0x48,0x20,0x47,0x32,0xC0,0xD1,0x98,0x4F,0x81, - 0xDF,0xAF,0x96,0xDB,0x83,0xEE,0xC5,0x3A,0x4E,0x67,0xE1,0xF4,0x83,0x27,0x46,0x0D, - 0x78,0xB1,0xC6,0x42,0xEF,0xD9,0x76,0xD3,0xAC,0x7C,0x5A,0xF8,0x09,0xCF,0x0B,0x02, - 0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0xE7,0x30,0x82,0x01,0xE3,0x30,0x09,0x06,0x03, - 0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, - 0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, - 0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70, - 0x65,0x76,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x30,0x3C,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, - 0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77, - 0x6E,0x6C,0x6F,0x61,0x64,0x2F,0x63,0x65,0x72,0x74,0x2F,0x43,0x4E,0x4E,0x49,0x43, - 0x45,0x56,0x53,0x53,0x4C,0x2E,0x63,0x65,0x72,0x30,0x18,0x06,0x03,0x55,0x1D,0x11, - 0x04,0x11,0x30,0x0F,0x82,0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E, - 
0x63,0x6F,0x6D,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0, - 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x04,0x26,0xBE,0x73,0x88, - 0x8C,0xF6,0x64,0xBA,0xBB,0x09,0x34,0x7A,0x09,0xF9,0x51,0x57,0x43,0x8D,0x86,0x30, - 0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05, - 0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, - 0x14,0x0C,0xCF,0xB4,0x48,0x2C,0x50,0xE8,0x8B,0xD2,0x72,0xFD,0x1C,0xF0,0x2F,0xBC, - 0x52,0xAB,0x2B,0x69,0x5E,0x30,0x3F,0x06,0x03,0x55,0x1D,0x20,0x04,0x38,0x30,0x36, - 0x30,0x34,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x81,0xE9,0x0C,0x01,0x0A,0x30,0x26, - 0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74, - 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63, - 0x6E,0x2F,0x63,0x70,0x73,0x2F,0x30,0x81,0xA6,0x06,0x03,0x55,0x1D,0x1F,0x04,0x81, - 0x9E,0x30,0x81,0x9B,0x30,0x66,0xA0,0x64,0xA0,0x62,0xA4,0x60,0x30,0x5E,0x31,0x0B, - 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,0x30,0x06, - 0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,0x74,0x65, - 0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,0x6E,0x66, - 0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,0x72,0x31, - 0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x0C,0x03,0x63,0x72,0x6C,0x31,0x0D,0x30, - 0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,0x63,0x72,0x6C,0x31,0x30,0x31,0xA0,0x2F, - 0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63, - 0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64, - 0x2F,0x65,0x76,0x63,0x72,0x6C,0x2F,0x63,0x72,0x6C,0x31,0x2E,0x63,0x72,0x6C,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82, - 0x01,0x01,0x00,0xA3,0xDE,0x24,0x78,0xF5,0x07,0x23,0xEC,0x77,0x62,0x71,0x60,0x01, - 0xAE,0xC7,0xBD,0x49,0x8D,0x40,0x0C,0x49,0xAE,0x1A,0x47,0x2B,0x22,0xAE,0x66,0x2B, - 
0x34,0x83,0xAD,0x17,0xA1,0x45,0xC7,0xEC,0x16,0x80,0x2F,0x24,0x41,0xDF,0xFF,0xB0, - 0x9D,0xE0,0x47,0x51,0x53,0x10,0xDC,0x85,0xC3,0xF9,0x72,0x3A,0xC9,0x79,0x22,0x89, - 0xD4,0xCB,0x40,0x60,0x7E,0x3E,0x86,0x52,0x01,0xD2,0xA5,0x41,0x57,0x0C,0xB0,0x5C, - 0xDD,0x24,0x0E,0xB2,0xF4,0x7E,0xB7,0x45,0xCE,0xA2,0x1B,0x3B,0x77,0xC6,0x9B,0x1E, - 0x7D,0x7F,0x42,0x53,0xE4,0xF4,0xE6,0x84,0xFD,0xCC,0x27,0xB2,0xC9,0x72,0x30,0x09, - 0xEE,0xC7,0x8B,0xE5,0xBF,0x2C,0x3B,0x73,0xA0,0x9C,0xD8,0x3E,0x81,0xED,0xB4,0x74, - 0x88,0x67,0x99,0x69,0xE5,0x3A,0x3C,0x5A,0xA4,0xE4,0xD3,0x6D,0xBF,0xF6,0xF0,0x0C, - 0x92,0x9C,0xB4,0x53,0x39,0x70,0x9A,0x3D,0xF4,0x3F,0x9D,0x07,0x66,0x3F,0x85,0x09, - 0x07,0x8E,0x5C,0x9D,0x83,0x23,0x0F,0x45,0xE7,0x3C,0xE5,0x7F,0x6C,0x0C,0x29,0x3B, - 0x2B,0x5D,0xE2,0xB7,0xCB,0x0E,0xEF,0xC8,0x14,0x4C,0x30,0xD0,0xD0,0x9C,0x7D,0x8E, - 0x67,0x94,0xD9,0xB2,0x71,0x7E,0x74,0x0F,0x5C,0xD7,0xB5,0xFB,0x35,0x13,0x3F,0x05, - 0xD7,0x7C,0x08,0x2F,0x7A,0x31,0x78,0x99,0xF8,0x76,0x0D,0xB3,0xFB,0xD2,0xD3,0x6C, - 0xC7,0x32,0x61,0x2E,0x8E,0x64,0x96,0xFD,0xB1,0xFA,0x73,0xC7,0x56,0x54,0x8B,0x0D, - 0x27,0xD2,0x66,0x9E,0xA5,0xCB,0xCE,0xD0,0xA4,0x9C,0x03,0xDD,0x9D,0x1F,0xED,0x5E, - 0x7A,0x73,0x5D, -}; - -/* expired: - Not After : Oct 20 03:20:57 2015 GMT -*/ -static const UInt8 cert1_expired[] = { - 0x30,0x82,0x05,0xd6,0x30,0x82,0x04,0xbe,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1a, - 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x10,0xd5,0x30, - 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x58, - 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30, - 0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e, - 0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49, - 0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65, - 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49, - 
0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x30, - 0x32,0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x17,0x0d,0x31,0x35,0x31,0x30,0x32, - 0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x30,0x82,0x01,0x05,0x31,0x1b,0x30,0x19, - 0x06,0x03,0x55,0x04,0x0f,0x13,0x12,0x56,0x31,0x2e,0x30,0x2c,0x20,0x43,0x6c,0x61, - 0x75,0x73,0x65,0x20,0x35,0x2e,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55, - 0x04,0x05,0x13,0x0f,0x34,0x34,0x30,0x33,0x30,0x31,0x35,0x30,0x33,0x34,0x32,0x36, - 0x35,0x34,0x36,0x31,0x13,0x30,0x11,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,0x37, - 0x3c,0x02,0x01,0x03,0x13,0x02,0x43,0x4e,0x31,0x1a,0x30,0x18,0x06,0x0b,0x2b,0x06, - 0x01,0x04,0x01,0x82,0x37,0x3c,0x02,0x01,0x02,0x13,0x09,0x67,0x75,0x61,0x6e,0x67, - 0x64,0x6f,0x6e,0x67,0x31,0x19,0x30,0x17,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82, - 0x37,0x3c,0x02,0x01,0x01,0x13,0x08,0x73,0x68,0x65,0x6e,0x7a,0x68,0x65,0x6e,0x31, - 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b, - 0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x5e,0x7f,0x4e,0x1c,0x31,0x0d,0x30,0x0b,0x06, - 0x03,0x55,0x04,0x07,0x1e,0x04,0x6d,0xf1,0x57,0x33,0x31,0x21,0x30,0x1f,0x06,0x03, - 0x55,0x04,0x0a,0x1e,0x18,0x80,0x54,0x54,0x08,0x51,0x49,0x4f,0x0f,0x00,0x28,0x6d, - 0xf1,0x57,0x33,0x00,0x29,0x67,0x09,0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x16,0x30, - 0x14,0x06,0x03,0x55,0x04,0x0b,0x13,0x0d,0x49,0x54,0x20,0x44,0x65,0x70,0x61,0x72, - 0x74,0x6d,0x65,0x6e,0x74,0x31,0x1a,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11, - 0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f, - 0x6d,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01, - 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01, - 0x01,0x00,0xc0,0x5c,0x75,0x0e,0x29,0x93,0xf9,0xc2,0x0f,0x9e,0x24,0xeb,0x6d,0xb8, - 0xb5,0x09,0x79,0xfe,0xbb,0xa0,0x78,0x20,0xbf,0xeb,0xc3,0x3d,0x00,0xb2,0x75,0x20, - 0xa1,0x26,0x40,0x9e,0x0e,0x38,0x3c,0x38,0x89,0x5a,0x4f,0x46,0x5d,0xaf,0x0f,0x49, - 
0x58,0xf5,0x9f,0x34,0x0f,0x1d,0x57,0xd0,0xa7,0x89,0x88,0x58,0xe6,0x00,0xca,0xde, - 0x0e,0x61,0xc6,0x3f,0xf4,0x08,0x9e,0x4e,0xf9,0x8e,0xdc,0xc6,0x1f,0xab,0x56,0x38, - 0xf7,0x8f,0xd4,0xb7,0x0c,0x77,0xf9,0xdf,0x02,0x26,0xc3,0xf3,0x2a,0x7e,0x7b,0x02, - 0x89,0x75,0x50,0xf6,0x4b,0x98,0xe7,0x02,0xdc,0xe0,0xb2,0x57,0xa6,0x50,0xa3,0x27, - 0x48,0xaf,0x26,0x6e,0xf5,0x47,0x04,0x9b,0x26,0x1f,0x10,0x84,0x26,0xbe,0x4e,0xa7, - 0xd5,0x7d,0xad,0xe0,0x0f,0x78,0xfa,0x5e,0xcd,0xf1,0xce,0x6f,0x06,0x39,0x4b,0xa1, - 0xd7,0xce,0x01,0xfb,0x58,0x8c,0x47,0x24,0xfd,0x9f,0x6e,0xb0,0x5b,0x51,0x62,0x6f, - 0x9c,0xd5,0xaf,0xaf,0xc1,0x6d,0xcc,0x22,0x3e,0x04,0xcc,0xe8,0x41,0x98,0xc0,0xc7, - 0xb0,0xf5,0x59,0x0e,0x26,0xed,0x1f,0x7b,0x0a,0xce,0xb6,0xa5,0xfe,0xa6,0xc7,0xba, - 0x1b,0x6b,0x11,0xc6,0x15,0x10,0x5b,0x8b,0x34,0x14,0xd9,0x3c,0x4d,0xc6,0x6c,0x89, - 0x01,0xf3,0xd1,0x5a,0xf3,0x2b,0x9b,0x28,0x16,0xbe,0x6d,0x43,0x66,0xf8,0x56,0x15, - 0x3b,0xaf,0x79,0xda,0x46,0x22,0xd4,0x2b,0xd3,0x9d,0x99,0x53,0x2f,0xa0,0x39,0x59, - 0x4e,0x22,0x54,0x1e,0x47,0xf5,0xa9,0xa9,0x4e,0xf5,0x1d,0x9d,0x98,0x45,0xc6,0x85, - 0xae,0x01,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xeb,0x30,0x82,0x01,0xe7,0x30, - 0x09,0x06,0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2b,0x06, - 0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2b,0x06, - 0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f, - 0x63,0x73,0x70,0x65,0x76,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x3c, - 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70, - 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, - 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,0x74,0x2f,0x43,0x4e, - 0x4e,0x49,0x43,0x45,0x56,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x1c,0x06,0x03, - 0x55,0x1d,0x11,0x04,0x15,0x30,0x13,0x82,0x11,0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e, - 0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d, - 
0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16, - 0x04,0x14,0xd7,0x06,0xeb,0x3b,0x83,0x70,0x55,0x58,0x9a,0x40,0x03,0xd5,0x7e,0x8e, - 0xcb,0x49,0x23,0x10,0x67,0xc4,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,0x0c,0x30, - 0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1f,0x06,0x03,0x55, - 0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b, - 0xd2,0x72,0xfd,0x1c,0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x3f,0x06,0x03, - 0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01, - 0x81,0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05, - 0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e, - 0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xa6, - 0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x9e,0x30,0x81,0x9b,0x30,0x66,0xa0,0x64,0xa0, - 0x62,0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, - 0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69, - 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77, - 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20, - 0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c, - 0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63, - 0x72,0x6c,0x31,0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a, - 0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64, - 0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x63,0x72,0x6c,0x2f,0x63,0x72, - 0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d, - 0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x6e,0x84,0xe5,0x57,0x7e,0x96, - 0xaf,0x39,0xbf,0xa0,0x2a,0xf2,0xd1,0x10,0x57,0x8e,0x3d,0x68,0x4d,0x61,0x35,0x97, - 0xbb,0xed,0x7f,0x5e,0x4f,0x17,0x58,0x2f,0x4b,0x94,0x4f,0xda,0xd8,0x9c,0x78,0x52, - 
0x2e,0xec,0xcd,0x86,0x87,0xa1,0x64,0xdc,0x41,0x0e,0x44,0x23,0xdb,0x7d,0xc8,0x86, - 0xef,0x07,0x29,0xaa,0x78,0x1b,0x95,0x84,0xb8,0xf9,0x60,0x95,0x89,0x3f,0x58,0x3d, - 0x42,0x74,0x4b,0x82,0x0d,0x65,0x16,0x1a,0x70,0xaa,0x2d,0xb2,0xab,0x79,0x27,0x2e, - 0x7e,0x6f,0x44,0xfb,0xdf,0xf5,0xff,0x3e,0xc3,0x67,0xa5,0xe1,0x6b,0xe3,0xf7,0xcc, - 0x11,0x9f,0x2a,0xe8,0x87,0x46,0x3d,0x5c,0xbf,0x5f,0xca,0x9b,0x09,0xbe,0x0a,0x83, - 0xb0,0x98,0x03,0x3a,0x67,0xb1,0xe9,0xa4,0x04,0x96,0x2b,0x24,0xe1,0xcd,0xc1,0x26, - 0x88,0x76,0x10,0x41,0x85,0xf0,0x07,0xb0,0x4b,0x6b,0xd2,0x25,0x0f,0x12,0x52,0xea, - 0x3b,0xac,0xc3,0xfa,0x56,0x5f,0xfb,0x3b,0x4b,0x86,0xf6,0x67,0x45,0x51,0xb4,0xb4, - 0x94,0x98,0xa6,0xac,0x46,0x8b,0x42,0x94,0xff,0x9e,0x71,0x09,0x7c,0x87,0xb0,0x36, - 0x70,0x8a,0x5e,0x88,0x33,0x79,0x85,0x78,0x30,0x56,0x4a,0x6a,0xfc,0x5b,0x34,0xe9, - 0xb7,0x57,0xde,0xdc,0x0a,0x3c,0x1e,0x71,0xfc,0x23,0xc6,0x5a,0xd3,0x1a,0x50,0x06, - 0xbe,0x9c,0x60,0xd5,0x36,0x44,0x65,0x59,0x89,0xe6,0xda,0x1b,0xc9,0x89,0x21,0xe0, - 0x59,0x7d,0x25,0x4f,0x76,0x87,0x4f,0x7e,0xb1,0x1a,0x43,0xff,0x00,0xbb,0xc7,0xc5, - 0x5e,0xcc,0xfd,0x4a,0x1b,0xc1,0x6e,0x75,0xd9,0xe6 -}; - -/* On allow list until: - Not After : Jun 6 02:00:32 2017 GMT -*/ -static const UInt8 cert2[] = { - 0x30,0x82,0x04,0x2d,0x30,0x82,0x03,0x15,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1c, - 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x11,0x3c,0x30, - 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34, - 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30, - 0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30, - 0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51, - 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x30,0x36,0x30,0x39,0x30,0x33, - 0x33,0x36,0x33,0x37,0x5a,0x17,0x0d,0x31,0x37,0x30,0x36,0x30,0x36,0x30,0x32,0x30, - 0x30,0x33,0x32,0x5a,0x30,0x54,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 
0x02,0x43,0x4e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c,0x77,0x77, - 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x31,0x17,0x30,0x15,0x06,0x03, - 0x55,0x04,0x03,0x13,0x0e,0x6d,0x61,0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67, - 0x2e,0x63,0x6e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x77,0x77, - 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d, - 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01, - 0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xc7,0x2f,0x0e,0xba,0xf0, - 0xff,0x9e,0x56,0x3b,0x88,0x3b,0x94,0x0d,0xc6,0x81,0x22,0xe7,0xeb,0x1b,0x22,0x1d, - 0xb2,0x75,0x5b,0xae,0x41,0xea,0x55,0x6a,0x7c,0x95,0x85,0x3e,0x0e,0xd1,0x95,0xf4, - 0x71,0xdf,0x7c,0x5c,0x8e,0xcc,0x25,0xb9,0xae,0x15,0xc9,0xf2,0xd0,0x30,0xe8,0x7c, - 0x91,0x5d,0x24,0x09,0x93,0x23,0x3f,0x55,0x7b,0x09,0x17,0x82,0x37,0x0b,0xf8,0x1a, - 0x6e,0xaa,0x08,0x0d,0xa8,0x2d,0xb7,0x6d,0x38,0x24,0xc0,0x48,0x5d,0x29,0x7a,0xe9, - 0xac,0x4d,0x93,0xec,0xd0,0x6c,0x62,0x1e,0x17,0xe7,0x2d,0xd7,0x0b,0x64,0x8f,0x56, - 0xd3,0x82,0x37,0xad,0x2d,0x28,0xe8,0x7e,0x9d,0x83,0x7d,0x6d,0x06,0xa2,0x36,0x62, - 0x60,0x30,0xbe,0x31,0xf9,0x9e,0xe0,0xb7,0x5b,0x72,0x6e,0x16,0x36,0x75,0xdc,0x17, - 0x56,0xff,0x5f,0x27,0x57,0x34,0xdc,0x2a,0x98,0xcd,0x9d,0x3f,0x5c,0x48,0x79,0x0b, - 0xa5,0xcf,0x16,0x20,0xc5,0x57,0x5f,0xa6,0xd6,0x1d,0xd6,0x6a,0x17,0x89,0x2d,0xb8, - 0xde,0xc5,0x30,0xe4,0xf0,0x39,0xf6,0x87,0x87,0x54,0x5c,0xc0,0x34,0x0f,0x1c,0xfb, - 0xf0,0xe4,0xc5,0xde,0xe1,0xa7,0xcf,0x54,0x2a,0x02,0x20,0x94,0xf9,0xd1,0xf8,0xb6, - 0x97,0xe2,0x3a,0x30,0x43,0x24,0x45,0x2d,0x9a,0xd3,0xe0,0x6a,0x70,0x41,0x96,0xf0, - 0x4d,0x21,0x8d,0x61,0x2c,0x2c,0x56,0xda,0xec,0xc8,0xdc,0xbf,0xce,0x75,0x9d,0xd9, - 0x5a,0x2d,0x39,0xc7,0xef,0x29,0x32,0xd6,0x6c,0xf8,0xc7,0x88,0x84,0xfc,0x51,0x5b, - 0x11,0x44,0xde,0x87,0xd3,0x6f,0x05,0x0c,0x8e,0xc7,0x0f,0x02,0x03,0x01,0x00,0x01, - 0xa3,0x82,0x01,0x19,0x30,0x82,0x01,0x15,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04, - 
0x18,0x30,0x16,0x80,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,0xfc, - 0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x09,0x06,0x03,0x55,0x1d,0x13, - 0x04,0x02,0x30,0x00,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30, - 0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30, - 0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74, - 0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e, - 0x2f,0x63,0x70,0x73,0x2f,0x30,0x3c,0x06,0x03,0x55,0x1d,0x1f,0x04,0x35,0x30,0x33, - 0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63, - 0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e, - 0x6c,0x6f,0x61,0x64,0x2f,0x64,0x71,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,0x2e, - 0x63,0x72,0x6c,0x30,0x27,0x06,0x03,0x55,0x1d,0x11,0x04,0x20,0x30,0x1e,0x82,0x0c, - 0x77,0x77,0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x82,0x0e,0x6d,0x61, - 0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,0x2e,0x63,0x6e,0x30,0x0b,0x06,0x03, - 0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e, - 0x04,0x16,0x04,0x14,0x00,0x8b,0xf0,0x61,0xdf,0xf1,0x0b,0x53,0xd8,0x52,0x97,0xfe, - 0x23,0x9f,0x34,0x50,0x1d,0xac,0xec,0x90,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04, - 0x0c,0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x0d,0x06, - 0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01, - 0x00,0x86,0x62,0x31,0x67,0xba,0x3e,0x2b,0x1f,0xf7,0xdd,0xc0,0x9b,0xa2,0x27,0xb5, - 0x61,0x8c,0xd8,0x68,0xc1,0x58,0x47,0xb2,0x72,0xb9,0xfe,0x06,0x52,0x7d,0x92,0x35, - 0x9b,0xa9,0x08,0xa7,0x3a,0x37,0x70,0x9d,0xe1,0x47,0xbe,0x3d,0x15,0x20,0x35,0x9a, - 0x79,0x7c,0x16,0xe8,0x8e,0xa5,0x0f,0x42,0xd5,0x6b,0x5b,0x9e,0x55,0x2b,0xdd,0x35, - 0x3e,0x32,0x41,0xef,0x14,0xa0,0x15,0x70,0xf8,0x8c,0x3f,0x9e,0xc0,0xc2,0x32,0x4d, - 0x90,0x9a,0xd0,0x9b,0xc1,0x72,0x64,0x2f,0x2e,0x8c,0x44,0x80,0x5a,0x6f,0xb7,0x08, - 
0xa9,0x0e,0x76,0xa4,0x82,0xd6,0x2e,0x64,0xf6,0xe4,0x5e,0x1b,0xb4,0x09,0xbc,0x1d, - 0x80,0x46,0xd7,0x35,0x7f,0x58,0x70,0x09,0x10,0x7a,0x1e,0xe5,0x28,0xf5,0x5a,0x28, - 0x7e,0x54,0x52,0x88,0xe6,0x3f,0x4e,0x55,0xb3,0x15,0x67,0x4c,0xac,0x82,0xbb,0xf8, - 0x98,0xd0,0xd2,0x69,0x17,0x70,0x6a,0x09,0x52,0x91,0xc1,0xe7,0xbb,0xa7,0xe8,0x78, - 0xdb,0x57,0xa3,0x37,0x3f,0x3c,0x7f,0x80,0xc2,0x40,0x61,0xd2,0xe5,0x6f,0xe8,0x93, - 0xa2,0xb7,0x84,0x00,0x4e,0x4d,0xed,0xf3,0x87,0x14,0x35,0xd2,0xdb,0xf6,0x6b,0xc0, - 0x2a,0xb2,0x9c,0xc3,0x48,0xba,0xd0,0xb9,0x55,0xf2,0x1a,0x17,0xa0,0x0d,0x45,0x2c, - 0x28,0x0a,0xba,0x60,0x4a,0xb8,0x73,0xd6,0xb0,0x83,0x6e,0x92,0x87,0x1f,0x39,0x91, - 0xa5,0x4f,0xef,0xcb,0xf7,0xee,0x28,0x39,0x5e,0x21,0xf0,0xc1,0x91,0x23,0x24,0x78, - 0xbc,0x01,0xb6,0xf1,0x4d,0x58,0x63,0xa6,0x89,0xf4,0x8b,0xa9,0xc9,0xad,0xfa,0xe1, - 0x9b -}; - -static const UInt8 intermediate0[] = { - 0x30,0x82,0x04,0x99,0x30,0x82,0x03,0x81,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49, - 0x33,0x00,0x7c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b, - 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, - 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49, - 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49, - 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x32,0x31,0x38, - 0x31,0x32,0x33,0x32,0x31,0x38,0x5a,0x17,0x0d,0x32,0x34,0x31,0x32,0x31,0x38,0x31, - 0x32,0x33,0x32,0x31,0x38,0x5a,0x30,0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10, - 0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c, - 0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43, - 0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30, - 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82, - 
0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xf0,0xa3,0x8d,0x71, - 0x34,0xfe,0x11,0x3c,0xc7,0x98,0x61,0x0b,0xc5,0xaa,0x7b,0x13,0xd9,0x40,0x7f,0x9b, - 0x59,0xd0,0x4a,0xc0,0x93,0x45,0x5e,0x48,0xf1,0xfe,0xb1,0x8f,0xb9,0x4c,0xdf,0x53, - 0x50,0x15,0x19,0xf9,0xea,0xe7,0x22,0x8d,0xa8,0xdb,0x09,0x45,0xa6,0x86,0xc6,0xf8, - 0xd5,0xdc,0x55,0xb4,0x8f,0xeb,0x56,0x3d,0x1f,0x36,0xc7,0x95,0x55,0xf4,0x4e,0x11, - 0xc7,0x08,0x6f,0xe8,0xf9,0x7f,0x9e,0x85,0x9a,0x65,0x10,0x9b,0x87,0x86,0xb4,0x42, - 0x92,0xaf,0x3f,0x5b,0xd9,0x8b,0x2f,0x68,0xc2,0x08,0x58,0xf6,0xe4,0x5f,0x3b,0x79, - 0x8b,0x9e,0xde,0xb1,0x48,0x1f,0x59,0x40,0xb9,0xea,0x24,0x07,0x66,0x97,0xf6,0x2f, - 0x52,0xec,0x0c,0xc8,0x4e,0x65,0x5a,0x60,0x6f,0xe5,0x8f,0x9d,0xfd,0x6a,0xde,0x89, - 0xe4,0x7a,0x4b,0xb6,0x1e,0x82,0x8d,0x9c,0xdd,0x8d,0x73,0x33,0x92,0xd3,0x46,0x8e, - 0x9e,0x58,0x01,0xf3,0x2e,0x83,0xe0,0xd2,0x4a,0x13,0x94,0x2c,0xd0,0x8a,0x12,0xd0, - 0x29,0x34,0xed,0x6b,0xea,0xc6,0xc9,0x14,0x7a,0x75,0x92,0x8e,0x42,0x7e,0xd2,0x76, - 0x88,0xdb,0xad,0x9b,0x20,0xe2,0x30,0x94,0x97,0xa3,0xa3,0xae,0x52,0x4c,0x2d,0xa3, - 0x77,0x79,0x74,0xf7,0x87,0x8c,0x86,0x8f,0xb3,0x63,0x51,0x3e,0xf6,0xc0,0x6e,0x25, - 0x9b,0x0d,0xc1,0x99,0x4f,0xf2,0x5c,0x9d,0xf5,0x21,0x04,0x42,0xde,0x74,0x59,0xe4, - 0x39,0x80,0x82,0x50,0x21,0xde,0x49,0xe3,0x14,0x83,0xa7,0xc8,0xce,0x6d,0xfa,0x49, - 0x5b,0x5e,0x3f,0x55,0x65,0xc1,0x5d,0x57,0x41,0x00,0x7d,0x43,0x02,0x03,0x01,0x00, - 0x01,0xa3,0x82,0x01,0xa4,0x30,0x82,0x01,0xa0,0x30,0x76,0x06,0x08,0x2b,0x06,0x01, - 0x05,0x05,0x07,0x01,0x01,0x04,0x6a,0x30,0x68,0x30,0x29,0x06,0x08,0x2b,0x06,0x01, - 0x05,0x05,0x07,0x30,0x01,0x86,0x1d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63, - 0x73,0x70,0x63,0x6e,0x6e,0x69,0x63,0x72,0x6f,0x6f,0x74,0x2e,0x63,0x6e,0x6e,0x69, - 0x63,0x2e,0x63,0x6e,0x30,0x3b,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02, - 0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e, - 0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63, - 
0x65,0x72,0x74,0x2f,0x43,0x4e,0x4e,0x49,0x43,0x52,0x4f,0x4f,0x54,0x2e,0x63,0x65, - 0x72,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x65,0xf2, - 0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5, - 0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03, - 0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34, - 0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,0x24, - 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70, - 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, - 0x63,0x70,0x73,0x2f,0x30,0x81,0x86,0x06,0x03,0x55,0x1d,0x1f,0x04,0x7f,0x30,0x7d, - 0x30,0x42,0xa0,0x40,0xa0,0x3e,0xa4,0x3c,0x30,0x3a,0x31,0x0b,0x30,0x09,0x06,0x03, - 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a, - 0x0c,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b, - 0x0c,0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04, - 0x63,0x72,0x6c,0x31,0x30,0x37,0xa0,0x35,0xa0,0x33,0x86,0x31,0x68,0x74,0x74,0x70, - 0x3a,0x2f,0x2f,0x63,0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, - 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x73,0x68,0x61, - 0x32,0x63,0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0b,0x06, - 0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d, - 0x0e,0x04,0x16,0x04,0x14,0xb7,0xd1,0x59,0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00, - 0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,0x3c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48, - 0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x4f,0xc7,0x80, - 0x5e,0x29,0x70,0x8c,0xd6,0x59,0xae,0x59,0x4f,0xd1,0xd8,0x41,0xa8,0xa7,0xa8,0x58, - 0xa6,0x06,0x25,0xd2,0xf8,0x3c,0x13,0x52,0xec,0x51,0x54,0x38,0xb6,0x60,0xd0,0x95, - 0xaf,0x30,0xbf,0x78,0xa3,0x19,0xfd,0x6b,0x54,0x98,0x49,0xc4,0x81,0x84,0xaa,0x51, - 
0x54,0xd3,0x95,0x9d,0x92,0x66,0x02,0x6e,0x55,0x4b,0xf1,0xe0,0x4e,0x02,0x05,0xb5, - 0x67,0x3b,0x31,0x4d,0xb3,0xb3,0xb7,0xa2,0x13,0xff,0x28,0x10,0xbc,0xa4,0x9b,0x71, - 0x4c,0x36,0x9c,0x60,0xac,0x65,0x7c,0x66,0x8a,0xb6,0x1c,0x7f,0xa1,0xad,0xe8,0x6e, - 0xce,0x0b,0xee,0x85,0xe6,0x01,0xe5,0xab,0x7f,0x11,0x1f,0x33,0xd9,0x1d,0xa1,0x0c, - 0xf2,0x3a,0x7e,0xdb,0xf5,0x63,0xe2,0x77,0xdb,0x01,0x1a,0x60,0xe8,0xfb,0x42,0xd4, - 0xf3,0xdf,0x8d,0xec,0x4f,0x4f,0xc8,0xa7,0x24,0xf7,0xb5,0xb7,0x58,0xae,0xad,0x0c, - 0x9b,0x7a,0x39,0x81,0xd9,0xd0,0x8a,0x18,0x28,0x8a,0xf2,0x91,0x88,0x11,0x3d,0xb1, - 0x42,0x5d,0x0e,0x31,0xfe,0x00,0x99,0xfe,0x87,0x3f,0x8e,0xbd,0xef,0x83,0x72,0xd7, - 0x49,0x22,0xfd,0x82,0xe2,0xfc,0xe8,0xe8,0xf7,0x4b,0xff,0xa5,0x62,0xec,0xd3,0x87, - 0x51,0x6f,0x35,0xbc,0x51,0x54,0x6c,0x36,0xfe,0x88,0xcb,0xaf,0xb1,0x0e,0x7b,0x76, - 0x9c,0x16,0x11,0xda,0x7f,0xd1,0xf4,0x85,0xce,0xb8,0x87,0x45,0x0c,0x43,0xe4,0xb3, - 0x6f,0xbc,0x95,0xce,0x59,0x57,0xf3,0xb4,0xec,0xa8,0xc2,0x1f,0x98,0x77,0x93,0x7d, - 0xad,0x92,0x4e,0xba,0xab,0x5d,0x45,0x93,0x7c,0xf0,0x17,0xcd,0xc7 -}; - -static const UInt8 intermediate1[] = { - 0x30,0x82,0x04,0xf8,0x30,0x82,0x03,0xe0,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x0b, - 0x24,0x01,0xb7,0x39,0x86,0x38,0x3c,0x29,0xc2,0xf8,0x19,0x4d,0x23,0x10,0x7b,0x30, - 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x81, - 0x8a,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32, - 0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49, - 0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20, - 0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74, - 0x65,0x72,0x31,0x47,0x30,0x45,0x06,0x03,0x55,0x04,0x03,0x0c,0x3e,0x43,0x68,0x69, - 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77, - 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20, - 
0x43,0x65,0x6e,0x74,0x65,0x72,0x20,0x45,0x56,0x20,0x43,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x65,0x73,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,0x0d,0x31, - 0x30,0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x17,0x0d,0x32,0x30, - 0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x30,0x58,0x31,0x0b,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03, - 0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72, - 0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f, - 0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x15, - 0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x45, - 0x56,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48, - 0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01, - 0x0a,0x02,0x82,0x01,0x01,0x00,0xc9,0x8b,0x5d,0x84,0x90,0x33,0x98,0x83,0xdd,0xa1, - 0x9a,0x76,0x4f,0xd2,0xff,0xf4,0xbc,0x5d,0x7f,0xd5,0x0c,0xdc,0xd1,0x58,0xe8,0x3a, - 0xd7,0xab,0xa9,0x24,0x05,0x78,0x28,0x3d,0x64,0x03,0x7d,0x7f,0xee,0x16,0x3e,0x51, - 0xc7,0x69,0xb4,0x06,0xe8,0xa5,0x3b,0x7a,0xf0,0xac,0xcd,0x9e,0xb4,0x00,0xbf,0x25, - 0xe5,0xd9,0x95,0x45,0x31,0x20,0x59,0xed,0xf0,0xbc,0x86,0x02,0x9a,0xa6,0x52,0x73, - 0xaf,0x02,0x09,0x22,0xf1,0x04,0x97,0xe3,0x15,0x8c,0x7e,0xa5,0xc7,0x37,0xbd,0x42, - 0x4f,0x27,0x85,0x9d,0xb9,0x24,0x29,0xcb,0x4c,0xd4,0xd2,0xed,0x79,0x3b,0x39,0xa1, - 0x08,0x26,0xba,0x14,0xb3,0x49,0x0f,0x8e,0xd7,0x9d,0x5f,0xde,0x72,0xf0,0x53,0xee, - 0x8a,0x4e,0x6c,0x06,0x6f,0xea,0x9f,0x25,0x4a,0x23,0x80,0x7e,0x2e,0xb2,0x81,0x9d, - 0x3b,0x4e,0xdf,0x73,0xbe,0x1b,0x89,0x10,0x89,0xf7,0xac,0xa0,0x2f,0xfb,0x71,0xc4, - 0xe2,0xe9,0xd0,0x79,0xb7,0x54,0x9d,0xf6,0xcc,0x3a,0x6c,0x88,0x25,0xf4,0x0e,0xf4, - 0x49,0xa1,0x23,0xd2,0xe2,0x71,0xb8,0x1c,0x44,0x46,0xb4,0x70,0x5d,0x5d,0xab,0x7f, - 0x0e,0x27,0x8d,0x4b,0xf4,0xe1,0x52,0x88,0x58,0xf9,0xec,0x1e,0xbb,0x56,0x1f,0x37, - 
0x1a,0xce,0x74,0xf3,0x6d,0x63,0xbc,0x18,0xa8,0x95,0x30,0x8b,0x16,0xe2,0x9f,0x0a, - 0x89,0xe0,0x36,0xba,0x0f,0x90,0x5e,0x67,0x6c,0x04,0x77,0xfa,0xd1,0x6e,0xdb,0x1c, - 0x3c,0x1f,0x9f,0x83,0xb5,0x4b,0xc8,0x4e,0x90,0xf8,0x02,0x26,0x2e,0xce,0x7c,0xe6, - 0x3e,0xe8,0x0e,0xf0,0x77,0xf1,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0x89,0x30, - 0x82,0x01,0x85,0x30,0x34,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04, - 0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86, - 0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x72,0x6f,0x6f,0x74, - 0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23, - 0x04,0x18,0x30,0x16,0x80,0x14,0x7c,0x72,0x4b,0x39,0xc7,0xc0,0xdb,0x62,0xa5,0x4f, - 0x9b,0xaa,0x18,0x34,0x92,0xa2,0xca,0x83,0x82,0x59,0x30,0x0f,0x06,0x03,0x55,0x1d, - 0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55, - 0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81, - 0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07, - 0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63, - 0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xaa,0x06, - 0x03,0x55,0x1d,0x1f,0x04,0x81,0xa2,0x30,0x81,0x9f,0x30,0x66,0xa0,0x64,0xa0,0x62, - 0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, - 0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e, - 0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f, - 0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43, - 0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03, - 0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72, - 0x6c,0x31,0x30,0x35,0xa0,0x33,0xa0,0x31,0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f, - 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f, - 
0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x72,0x6f,0x6f,0x74,0x63,0x72,0x6c, - 0x2f,0x63,0x72,0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f, - 0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e, - 0x04,0x16,0x04,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,0xd2,0x72,0xfd,0x1c, - 0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86, - 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0xf9,0xad,0x13, - 0x7b,0x62,0x9b,0x8b,0xa5,0xfd,0x52,0x5d,0xd1,0x13,0xca,0x28,0x92,0xdc,0xc3,0x84, - 0x3d,0xf1,0xc5,0x9b,0x2a,0xc3,0x15,0xfc,0x1d,0x4f,0x30,0x54,0x77,0x9a,0x5a,0x5a, - 0x1b,0x07,0xbb,0xf7,0x7e,0xea,0x47,0x01,0xc7,0x6d,0x30,0xe0,0x2e,0xcc,0x44,0xea, - 0x6c,0xa5,0xcd,0x42,0x86,0x38,0xf5,0x88,0x9c,0xff,0x74,0xc1,0x3d,0x70,0xfa,0x9a, - 0x54,0xbd,0x37,0xb0,0x38,0x9f,0xb6,0xe4,0x51,0xec,0x24,0xa0,0xa4,0xbe,0x9f,0x6e, - 0xad,0x3b,0x0f,0x30,0xa0,0xd2,0x37,0x67,0x9b,0xc2,0x6f,0xd5,0xfd,0x9a,0xfd,0xc6, - 0x56,0x08,0x64,0x84,0x74,0x12,0xfe,0xa8,0xe3,0x26,0x4a,0x08,0x2f,0xdb,0x32,0x9a, - 0xae,0xaf,0x01,0x75,0xf0,0x7b,0x28,0xb6,0xb2,0x4a,0xf0,0xd8,0xfd,0xb4,0x11,0xf5, - 0x26,0x31,0x49,0xd1,0x82,0x91,0x04,0x3b,0x4b,0x79,0x3c,0x57,0x2e,0x38,0x9f,0x9a, - 0xfd,0xdf,0x53,0xd9,0xbd,0x48,0x96,0xfb,0xbb,0x21,0x64,0xdd,0xec,0x68,0xc3,0x77, - 0x7d,0x41,0xcf,0x7c,0x2f,0xa8,0x87,0xf0,0x8f,0xf0,0x0c,0xdd,0x3f,0x88,0x5c,0x23, - 0x49,0x26,0x1b,0x60,0xff,0xbc,0x9e,0xb8,0xc0,0xf6,0xe0,0x21,0xf1,0x44,0x44,0x21, - 0x81,0x06,0x9b,0x39,0xf0,0xaf,0xf0,0x5c,0x44,0x44,0xc7,0x51,0xf2,0x1d,0xf3,0x06, - 0x1a,0x14,0x04,0xd1,0xa4,0xed,0x92,0x39,0x21,0x77,0xe9,0x77,0x1f,0xd6,0x80,0x5e, - 0x42,0xb4,0xd5,0x44,0xd1,0xd2,0xd6,0x84,0xca,0xa5,0xb8,0xee,0x48,0x4f,0x93,0x2d, - 0xca,0x82,0x46,0xff,0x77,0x5b,0x18,0x79,0x88,0x14,0x4c,0x0d -}; - -static const UInt8 intermediate2[] = { - 0x30,0x82,0x03,0xca,0x30,0x82,0x02,0xb2,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49, - 
0x33,0x00,0x65,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05, - 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, - 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49, - 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49, - 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x30,0x31,0x32,0x31,0x35, - 0x30,0x35,0x30,0x37,0x30,0x30,0x5a,0x17,0x0d,0x32,0x30,0x31,0x32,0x31,0x35,0x30, - 0x35,0x30,0x37,0x30,0x30,0x5a,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05, - 0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c, - 0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22, - 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03, - 0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa8,0x7f,0xa9, - 0x2d,0x47,0xc3,0xdb,0xdb,0x10,0x79,0xa0,0xae,0xd5,0x80,0xfa,0x5b,0xbe,0x64,0x5f, - 0x26,0xb9,0x5a,0x84,0x0d,0x1b,0x56,0x14,0x49,0xe1,0xda,0xfb,0x83,0x07,0xaf,0x80, - 0x2d,0x93,0xbf,0x44,0xd9,0x85,0x1f,0x18,0xb0,0xe1,0xb9,0x06,0x34,0x24,0xd1,0xf9, - 0x9f,0x34,0xe0,0x26,0x3e,0xce,0x57,0xca,0x30,0x3b,0xae,0x44,0x55,0x47,0x7f,0x2e, - 0xe5,0xe8,0x51,0x55,0x90,0x95,0x23,0xde,0xd3,0xb4,0x88,0xf8,0x33,0x1e,0x5e,0xe6, - 0x2b,0xae,0x9b,0x94,0x2c,0xec,0xd9,0xc9,0x47,0x67,0x14,0x54,0x6a,0x33,0x6f,0xe1, - 0x0c,0x7f,0x0f,0xa0,0x7e,0xb5,0xc3,0x0f,0x63,0x4f,0xdf,0x38,0x9d,0x73,0xea,0x9f, - 0xaa,0x34,0x30,0xbf,0xba,0x83,0x56,0x65,0x26,0x90,0x01,0xf6,0xfc,0x93,0xc6,0x2b, - 0xcc,0xf2,0x90,0x7d,0x2a,0x31,0xe1,0xcd,0x0f,0x23,0xd1,0x78,0x2b,0x49,0xc5,0x21, - 0x77,0xc9,0x8b,0x02,0x70,0xf1,0xc2,0xa3,0xdf,0xca,0xb7,0x73,0x06,0x76,0xfd,0xcb, - 0xc0,0xc9,0x23,0x21,0x17,0x34,0x1c,0x80,0xa9,0xc6,0x92,0x95,0xd0,0xc6,0xeb,0x83, - 0x56,0xb0,0x98,0x90,0x50,0xf4,0xcf,0x9b,0x3b,0x2d,0x3e,0xcf,0x94,0x27,0x69,0x9f, - 
0xdc,0x66,0xfb,0x05,0x0c,0xe3,0x99,0x1e,0x06,0x86,0xd9,0xe6,0xf5,0x6c,0xfe,0x98, - 0x5d,0x61,0xb1,0x89,0x01,0xc4,0x7f,0x48,0x68,0x62,0x06,0x26,0x95,0x40,0xcd,0x93, - 0x46,0xf8,0xb0,0x8d,0x28,0x3a,0xc7,0x0e,0x46,0x42,0x9f,0x32,0xc3,0xc6,0x78,0xc7, - 0x10,0xd5,0x37,0xff,0x17,0x4c,0x24,0x60,0xc6,0xd5,0x18,0x9a,0x7d,0x02,0x03,0x01, - 0x00,0x01,0xa3,0x81,0xe5,0x30,0x81,0xe2,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04, - 0x18,0x30,0x16,0x80,0x14,0x65,0xf2,0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a, - 0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13, - 0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d, - 0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9, - 0x0c,0x01,0x06,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02, - 0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e, - 0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x3e,0x06,0x03,0x55, - 0x1d,0x1f,0x04,0x37,0x30,0x35,0x30,0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74, - 0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63, - 0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x63, - 0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55, - 0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55, - 0x1d,0x0e,0x04,0x16,0x04,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18, - 0xfc,0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x0d,0x06,0x09,0x2a,0x86, - 0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xb6,0x37, - 0x1c,0xdb,0x09,0x29,0xbd,0x24,0x76,0x1b,0x7f,0x6b,0x36,0x25,0xd2,0x43,0xf2,0x09, - 0x22,0x63,0x3f,0x8e,0xd6,0x15,0xf9,0x9c,0x36,0xc9,0xb1,0x1c,0x10,0x61,0x39,0x24, - 0x96,0x76,0xa4,0xa3,0x70,0xa4,0xe5,0x52,0xc1,0xba,0xb9,0xbb,0x72,0x1a,0xdc,0x76, - 0x05,0x86,0x45,0x03,0x0a,0xb8,0x95,0xd5,0xb2,0x63,0xb4,0x7b,0x9a,0x00,0xd5,0x31, - 
0x76,0x50,0x25,0xc0,0x98,0x17,0xc9,0xfa,0x57,0x36,0x50,0x1f,0x66,0x2b,0xb1,0xd1, - 0xe6,0xcf,0x14,0x56,0xf2,0xb9,0x9f,0xa9,0x6f,0x2d,0x15,0xb7,0x66,0x46,0x9e,0x85, - 0x7c,0x68,0xbd,0xf3,0x5f,0x9f,0xbf,0xbe,0xf8,0xf9,0x7f,0x7b,0x1b,0xca,0x51,0xc2, - 0xae,0x43,0x20,0x83,0x90,0xab,0xb5,0x70,0x73,0x42,0xa9,0xc1,0xd5,0x4f,0x89,0xcf, - 0x72,0xba,0x86,0x5c,0xd8,0x8c,0xaf,0x85,0xf1,0x3d,0x52,0x23,0xac,0x68,0x05,0x73, - 0xca,0x36,0x7c,0x12,0x86,0xae,0xdc,0xda,0x91,0x40,0x1f,0xe0,0x6b,0x26,0x43,0x64, - 0xe9,0x5f,0x71,0xbf,0x22,0x6c,0x6e,0xd1,0x32,0x0c,0x7c,0x07,0x36,0x3a,0x09,0xef, - 0xe7,0xa7,0x9b,0x73,0x19,0xe3,0x6a,0xd2,0x41,0x43,0x23,0xef,0x63,0x30,0xa0,0x34, - 0x12,0x2c,0xe5,0x23,0x5f,0x46,0x87,0xcc,0xf1,0x2f,0x0b,0xd1,0x72,0x58,0xc5,0x36, - 0xcb,0x4e,0x00,0x5f,0x15,0x80,0x0a,0x05,0xb5,0x34,0x34,0x9c,0x19,0x20,0xc1,0x5b, - 0x80,0x98,0x96,0x42,0x01,0x54,0x6c,0x65,0x4e,0xc5,0x2b,0x04,0x55,0x63,0x71,0x5e, - 0x99,0x79,0xc5,0xfb,0x03,0xbf,0x27,0x56,0xa6,0xdf,0x3a,0x4c,0xea,0x63 -}; - - -/* subject:/C=RU/CN=telegram.im */ -/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ -/* Not After : Sep 3 23:57:19 2019 GMT */ - -unsigned char leafOnAllowList_Cert[1719]={ - 0x30,0x82,0x06,0xB3,0x30,0x82,0x05,0x9B,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x31, - 0x4E,0xCD,0xA3,0x65,0x0B,0x68,0x8D,0x7D,0x77,0xD3,0x5A,0x00,0x4A,0xC5,0x94,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, - 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, - 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, - 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72, - 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, - 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x39,0x30,0x33,0x32, - 
0x33,0x35,0x37,0x31,0x39,0x5A,0x17,0x0D,0x31,0x39,0x30,0x39,0x30,0x33,0x32,0x33, - 0x35,0x37,0x31,0x39,0x5A,0x30,0x23,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, - 0x13,0x02,0x52,0x55,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x03,0x0C,0x0B,0x74, - 0x65,0x6C,0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x82,0x02,0x22,0x30,0x0D, - 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02, - 0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xCA,0xCD,0x7B,0x38,0x40, - 0x59,0xBD,0xD7,0x0D,0xB4,0xDA,0xA7,0x43,0x3F,0x64,0xE7,0xD5,0x88,0x4A,0xA3,0x7D, - 0xA1,0x8A,0x6C,0x3B,0x1B,0xE0,0xE4,0xE0,0x82,0xCD,0xD3,0x38,0x7D,0x6E,0x49,0x0F, - 0x56,0x2D,0xA7,0x3A,0x1D,0x7A,0x5C,0x48,0x0D,0x15,0xBD,0x68,0xC0,0x24,0xAE,0x9B, - 0x03,0x33,0x5E,0xBB,0x12,0x13,0x32,0xDA,0xAF,0xAD,0xEB,0x36,0x76,0x6F,0xBD,0x91, - 0xF0,0xC1,0xC6,0x14,0xE1,0xDA,0x88,0x32,0x47,0x26,0x5C,0x92,0x5D,0xE1,0xA4,0x3E, - 0x99,0xCD,0x5B,0xFB,0x92,0x3C,0xA9,0x56,0xEC,0x6B,0xA9,0xEB,0xB0,0x34,0x89,0x4B, - 0x96,0x1A,0x57,0x0D,0x5F,0x94,0x7C,0x25,0x67,0xCE,0xC0,0x6A,0xB1,0x73,0xE4,0xB3, - 0x56,0xD8,0xE9,0x09,0x4F,0x5D,0x91,0xBB,0x5E,0x6C,0x13,0xE7,0x18,0xDB,0x62,0x0D, - 0xDA,0xB9,0xCD,0x97,0xC1,0xD4,0x35,0x0F,0x1A,0x4B,0xCA,0xFC,0x9D,0x88,0xD1,0xE4, - 0xFC,0x1D,0x43,0x7E,0xE7,0x1A,0xEB,0xED,0x1F,0x7D,0x1F,0x2B,0xF9,0x3A,0x0D,0x06, - 0x03,0x3F,0x2D,0xAF,0xF4,0xDB,0xCC,0x91,0x7B,0xF7,0x9D,0xAA,0x13,0x41,0xC0,0x57, - 0x8F,0x3E,0xE2,0xCA,0x45,0x7D,0x35,0x1B,0x0C,0x51,0x53,0x81,0x05,0x74,0x88,0xA2, - 0x37,0x9B,0x26,0x34,0xAE,0x49,0xB6,0x97,0x9F,0x81,0xFB,0x45,0x7F,0x65,0x82,0x1F, - 0x8E,0xC1,0xF0,0xC0,0x63,0x1F,0x7B,0xE4,0x45,0xA7,0x4C,0x1C,0x09,0x10,0xF6,0x8A, - 0x81,0x8E,0x3B,0x6E,0xFF,0x15,0x53,0x9D,0x36,0x2F,0x52,0x01,0x0C,0x34,0x59,0x12, - 0x9C,0xCA,0xAF,0xF5,0x58,0x31,0x37,0xE6,0x44,0xE5,0x0D,0xDB,0x0F,0x43,0xA3,0x09, - 0x79,0x78,0x00,0x3D,0x7F,0x3B,0x2F,0xB8,0x28,0x58,0x79,0x35,0xEE,0xA1,0xDA,0x1B, - 0xF2,0x8F,0x9C,0xAB,0x3F,0x38,0xB5,0x88,0x85,0x78,0x48,0xAA,0x67,0x41,0x0A,0xAB, - 
0x1D,0x89,0xE1,0x60,0x39,0x9A,0x6B,0x88,0xE3,0xB9,0x78,0x02,0x2F,0x74,0x58,0xDD, - 0xBD,0xEE,0x51,0x8E,0xA9,0x1E,0x5E,0xFD,0x84,0x2B,0x94,0x55,0x14,0xAE,0x68,0x71, - 0x73,0xC7,0xE3,0xAE,0x9E,0xD9,0x54,0xB4,0x6D,0xE1,0x9A,0x10,0x1A,0x51,0x68,0x13, - 0x8E,0x51,0x18,0xBF,0xA8,0x7C,0x1A,0x18,0x2C,0xCE,0xF6,0x56,0xFD,0x9E,0xDC,0x97, - 0xE8,0x95,0x08,0xDA,0xC6,0xBC,0x8C,0x9C,0xDC,0x70,0x45,0xFD,0xD2,0x3E,0x83,0xE3, - 0x01,0x23,0xD4,0x74,0x6D,0xFD,0x2B,0x55,0x97,0x99,0x96,0xEB,0xD3,0x2D,0x5A,0xA7, - 0xEF,0xC8,0x89,0x4C,0xA3,0xC1,0xDA,0x17,0xD0,0xDE,0x9C,0xB6,0xA3,0x1D,0x14,0x05, - 0x65,0xCA,0x5C,0x32,0xD0,0x58,0x62,0xAA,0x56,0x72,0x90,0x02,0xC0,0xFC,0xB6,0x85, - 0x5A,0x53,0xC2,0xC1,0x31,0xAE,0xD6,0xC8,0x54,0xBE,0x78,0xE2,0x44,0x41,0x58,0xC3, - 0xEE,0xA7,0x38,0x6D,0x4E,0xAF,0xF1,0xD2,0xD1,0xD9,0xB1,0x17,0x5D,0x10,0x00,0x1D, - 0x8A,0x07,0xF6,0x5C,0x2C,0x1D,0x2B,0xDB,0xDE,0x3C,0x5B,0x22,0xC4,0xBB,0x27,0xC6, - 0x5A,0x78,0x25,0x7A,0x8F,0x86,0x42,0x6A,0x82,0xD3,0x7C,0xCA,0x07,0x62,0x23,0x09, - 0x44,0xEE,0x3B,0xEF,0x0E,0xB7,0x1A,0xA4,0x4D,0xBB,0x93,0xFD,0x83,0xCD,0x67,0x22, - 0x4B,0xE9,0x37,0x23,0x99,0x3F,0xD7,0xD4,0xEE,0x5C,0x4B,0x02,0x03,0x01,0x00,0x01, - 0xA3,0x82,0x02,0xAF,0x30,0x82,0x02,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, - 0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04, - 0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02, - 0x30,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x2A,0x36,0x37, - 0x39,0xD2,0xCA,0x66,0xB3,0xF8,0x12,0x94,0x78,0xB1,0xD9,0x18,0x1C,0x11,0xD9,0x7C, - 0xD7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7, - 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E, - 0xA8,0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71, - 0x30,0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28, - 
0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73, - 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76, - 0x65,0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05, - 0x05,0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61, - 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36, - 0x2E,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65, - 0x72,0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30, - 0xA0,0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31, - 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D, - 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C, - 0x30,0x16,0x06,0x03,0x55,0x1D,0x11,0x04,0x0F,0x30,0x0D,0x82,0x0B,0x74,0x65,0x6C, - 0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x4F,0x06,0x03,0x55,0x1D,0x20,0x04, - 0x48,0x30,0x46,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3A,0x06, - 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x01,0x01,0x02,0x30,0x2B,0x30,0x29, - 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70, - 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F, - 0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x82,0x01,0x06,0x06,0x0A,0x2B, - 0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x81,0xF7,0x04,0x81,0xF4,0x00, - 0xF2,0x00,0x77,0x00,0x68,0xF6,0x98,0xF8,0x1F,0x64,0x82,0xBE,0x3A,0x8C,0xEE,0xB9, - 0x28,0x1D,0x4C,0xFC,0x71,0x51,0x5D,0x67,0x93,0xD4,0x44,0xD1,0x0A,0x67,0xAC,0xBB, - 0x4F,0x4F,0xFB,0xC4,0x00,0x00,0x01,0x56,0xF2,0x97,0xEB,0x40,0x00,0x00,0x04,0x03, - 0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xBC,0xC2,0x3C,0xA9,0x92,0x2F,0x3D,0x59,0x3C, - 0x82,0x38,0xD6,0x1A,0x83,0x95,0x04,0x15,0x1C,0x85,0x19,0x8F,0x12,0x33,0x01,0x1B, - 0xB1,0xCF,0xBE,0xE6,0xC1,0x6F,0xBE,0x02,0x21,0x00,0xB2,0x3B,0x8C,0xA0,0xB0,0x9C, - 
0xCF,0xBA,0xFA,0x4E,0xBA,0xE7,0x95,0x85,0x89,0x5C,0xE1,0x5F,0x34,0x7A,0xA8,0xCB, - 0x19,0xC8,0x0C,0xED,0x3A,0xA4,0xE2,0x29,0xCD,0xBF,0x00,0x77,0x00,0xA4,0xB9,0x09, - 0x90,0xB4,0x18,0x58,0x14,0x87,0xBB,0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98, - 0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77,0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01, - 0x56,0xF2,0x97,0xEC,0x65,0x00,0x00,0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00, - 0x96,0x67,0x94,0x08,0x36,0x41,0xF7,0x3F,0x97,0x0B,0xAE,0xAB,0x2F,0xD4,0x0C,0xE5, - 0xFA,0x3F,0xB2,0x0B,0x4F,0x57,0x1C,0xDF,0x0A,0xF4,0xE7,0x04,0x59,0x1F,0x0D,0xEF, - 0x02,0x21,0x00,0xBC,0xB5,0xAD,0xF5,0x60,0x34,0x47,0xD5,0x23,0x08,0x12,0xDE,0x8F, - 0xC7,0xE9,0x14,0x0C,0x02,0x25,0x0B,0x6D,0xB8,0xBF,0x1C,0x0D,0x65,0xEC,0x86,0x9B, - 0x30,0x88,0x2F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, - 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3B,0x9A,0xD3,0xED,0xF3,0xA8,0x95,0x4E,0x35, - 0x96,0xFF,0xA4,0xF1,0x61,0xB1,0x97,0xCA,0xF1,0xC8,0xDC,0x82,0x51,0xB9,0x29,0x3D, - 0x77,0x59,0x96,0xF4,0x32,0x1F,0xCC,0xF9,0xC6,0x71,0x9E,0x6E,0xB4,0x83,0xFC,0xD9, - 0xBF,0x21,0x43,0xAF,0xEB,0xB1,0x37,0x36,0x91,0x26,0x72,0xF8,0xAA,0x3A,0x38,0xBE, - 0x51,0x27,0xBB,0x07,0x48,0x92,0x4E,0xFA,0xA0,0x5A,0x00,0x0D,0x81,0xCB,0x3B,0x17, - 0x4E,0x04,0x0A,0xF7,0x0E,0x53,0xCD,0xAC,0x5E,0xC8,0xA5,0xE3,0x31,0x6E,0x9F,0x45, - 0x65,0xA1,0x81,0x5C,0x98,0xF9,0x7E,0x07,0xC1,0x05,0x92,0xBD,0xCD,0xEA,0x5C,0xC7, - 0x0B,0xC1,0x22,0x8F,0x13,0x7E,0xA2,0xB5,0xE2,0x88,0xBF,0x00,0xF0,0xC5,0xCA,0x99, - 0xB2,0x59,0x9E,0x6E,0x71,0x35,0x49,0xC5,0xAF,0xAB,0x9B,0x80,0x2A,0xE1,0x8F,0x82, - 0x98,0x43,0x54,0x8D,0x7A,0x28,0x98,0xA4,0xAE,0xDE,0x29,0xCC,0x15,0xBF,0x2E,0x4F, - 0xD8,0x70,0x2E,0x8F,0xD8,0xE0,0xB9,0xC0,0x37,0x67,0x7A,0x29,0x35,0x0B,0xCD,0x7D, - 0xF9,0x59,0x4A,0x6C,0x1C,0x87,0x31,0x2C,0x85,0x83,0x08,0x4E,0xAB,0xED,0xA1,0xEF, - 0x76,0x90,0x32,0x71,0x6D,0xE6,0x13,0xE5,0x70,0xB8,0x7B,0xF3,0x6C,0x47,0x04,0xDE, - 0xCC,0x61,0x67,0x5D,0x98,0xC0,0xDB,0x7D,0x24,0x3D,0x60,0xA9,0x60,0x9D,0xD8,0xC7, - 
0x27,0x8C,0x5F,0xA7,0x5A,0xE9,0x58,0x2C,0x2A,0x03,0x92,0xB6,0xF1,0x51,0xC6,0x1D, - 0xA4,0x7B,0xDF,0xE6,0xF3,0x1A,0xD4,0x23,0x6C,0x4E,0x8D,0x5F,0xFB,0x98,0xD2,0xB3, - 0x0B,0x73,0x41,0xB6,0x5C,0x84,0xEF, -}; - -/* subject:/CN=mmime.info */ -/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ -/* Not After : Sep 12 17:15:48 2016 GMT */ - -unsigned char leafNotOnAllowList_Cert[1343]={ - 0x30,0x82,0x05,0x3B,0x30,0x82,0x04,0x23,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x6A, - 0xC3,0x4F,0x8F,0xC7,0x97,0x97,0x53,0xE4,0x61,0x64,0x13,0xC4,0x2E,0x92,0x9B,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, - 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, - 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, - 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72, - 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, - 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x39,0x31,0x32,0x31, - 0x37,0x31,0x35,0x34,0x38,0x5A,0x17,0x0D,0x31,0x36,0x30,0x39,0x31,0x32,0x31,0x37, - 0x31,0x35,0x34,0x38,0x5A,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03, - 0x0C,0x0A,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x82,0x01,0x22, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, - 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB6,0x88,0xD4, - 0xC3,0xBE,0x56,0x7F,0xB1,0xF1,0x48,0x37,0x71,0x3F,0xC7,0x72,0x53,0x95,0x64,0xAC, - 0x60,0xF6,0x8C,0x01,0x15,0x2C,0xBD,0x6D,0x43,0x3F,0x8F,0x50,0x12,0x03,0x72,0x0C, - 0x0D,0x37,0xD7,0x00,0x13,0xEC,0x49,0xC5,0xCF,0x00,0xE1,0x84,0x01,0x8B,0x1A,0xD7, - 0x6D,0x8A,0xC7,0xB9,0xA7,0x3F,0x3A,0xE5,0xDD,0x1A,0xC9,0xCD,0x30,0xB5,0x74,0x0B, - 0xFD,0x3C,0x70,0x8D,0xCF,0xCC,0xB7,0xB7,0x52,0x95,0x47,0xDB,0x47,0x2F,0x9C,0x5C, - 
0x06,0x6B,0x3D,0xA4,0xE5,0x42,0x6C,0x85,0x69,0xF3,0x35,0x07,0x3C,0xEF,0xA2,0xFB, - 0x81,0x3F,0xF6,0x1C,0x51,0x17,0xA6,0x19,0x70,0xF3,0x02,0x43,0x8C,0xC3,0x42,0xED, - 0xFE,0xF7,0x5F,0xD1,0xF3,0xBB,0x46,0xE9,0x11,0xB8,0x39,0x2E,0xE6,0x8E,0x00,0x48, - 0x66,0xDF,0x78,0xDE,0x1A,0x27,0x71,0xF1,0x13,0x37,0xC7,0x65,0xA0,0x03,0x41,0xF9, - 0xB2,0xE1,0x82,0x54,0x38,0x60,0x7E,0x1A,0x5A,0x77,0xC6,0x6E,0x9C,0x91,0x06,0x62, - 0x84,0xA6,0x91,0xF0,0x3E,0x10,0x4F,0x83,0x1D,0x87,0x94,0xEB,0x0F,0x14,0x91,0xEC, - 0x58,0xFC,0x15,0x60,0x16,0xF6,0xCD,0x88,0xF7,0x7C,0xE9,0x26,0x71,0x3C,0x14,0x3E, - 0xD0,0xE0,0x06,0x3B,0xC2,0xAC,0xC0,0x16,0x16,0x0B,0x43,0xD2,0x92,0x96,0x84,0xC9, - 0x65,0x6E,0xC9,0x76,0x8A,0xE3,0x5B,0x96,0xDE,0xB9,0x57,0xB0,0x7C,0xC2,0xE9,0x74, - 0x2D,0x6D,0x6F,0x58,0x23,0xC9,0xEB,0xB3,0x63,0xB6,0x18,0xC6,0xD6,0x6B,0xF0,0x88, - 0xAC,0x2D,0x3E,0x05,0x6D,0x00,0xC0,0x25,0x9A,0x4C,0x3E,0xFE,0xA5,0x02,0x03,0x01, - 0x00,0x01,0xA3,0x82,0x02,0x45,0x30,0x82,0x02,0x41,0x30,0x0B,0x06,0x03,0x55,0x1D, - 0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16, - 0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,0x06, - 0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30, - 0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x3D,0xAB,0x6A,0xB5, - 0xCC,0x2F,0xFE,0x38,0x1F,0xEF,0x88,0xA0,0xF7,0xBC,0x2A,0x44,0xEA,0x9E,0xE6,0xBD, - 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,0x16, - 0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,0xA8, - 0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,0x30, - 0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,0x68, - 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x36,0x2E,0x77,0x6F,0x73,0x69, - 0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,0x65, - 0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, - 
0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x36, - 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2E, - 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,0x72, - 0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,0xA0, - 0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x36,0x2E, - 0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,0x73, - 0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,0x30, - 0x81,0xB6,0x06,0x03,0x55,0x1D,0x11,0x04,0x81,0xAE,0x30,0x81,0xAB,0x82,0x0A,0x6D, - 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0E,0x77,0x77,0x77,0x2E,0x6D, - 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x63,0x6C,0x6F,0x75,0x64, - 0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x12,0x77,0x65,0x62, - 0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82, - 0x0E,0x76,0x70,0x6E,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82, - 0x11,0x62,0x61,0x63,0x6B,0x75,0x70,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E, - 0x66,0x6F,0x82,0x10,0x66,0x69,0x6C,0x65,0x73,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E, - 0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65, - 0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x73,0x68,0x61,0x72,0x65,0x2E,0x6D,0x6D,0x69, - 0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6E,0x65,0x77,0x73,0x2E,0x6D,0x6D, - 0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x51,0x06,0x03,0x55,0x1D,0x20,0x04, - 0x4A,0x30,0x48,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3C,0x06, - 0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,0x2B, - 0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74, - 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E, - 0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,0x2A, - 
0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x7A, - 0x93,0xB0,0x04,0xAB,0xCA,0x53,0x61,0x83,0xC4,0xDC,0x8B,0xE9,0xA5,0x62,0x46,0x9E, - 0x22,0x7A,0xBB,0x23,0x32,0xC9,0xC8,0x55,0xA7,0x87,0x53,0x68,0x61,0xF4,0x14,0x9B, - 0xA6,0xC1,0xC2,0x2D,0xF1,0xD6,0x2F,0x58,0x6D,0xCC,0xF9,0x47,0x4F,0x49,0x82,0xDD, - 0xFA,0x61,0xD4,0xE1,0x99,0xB3,0x1E,0x5A,0x44,0x1E,0xA3,0xC2,0x1E,0x83,0x4F,0x9C, - 0xB8,0xBC,0x25,0xCD,0x32,0x13,0xCA,0xA8,0xEC,0x17,0xD6,0xEB,0x96,0x38,0xFF,0x26, - 0xF7,0x76,0x85,0xA0,0x96,0x7C,0x70,0xCE,0xFC,0xBF,0x23,0x1D,0xF8,0xFB,0x0F,0x3E, - 0xA8,0x22,0xF4,0xE6,0x96,0xD7,0x38,0xF3,0xCE,0xA2,0xDE,0xD3,0xAA,0x11,0x61,0x2E, - 0x41,0xBF,0xE0,0xAD,0x65,0x88,0x06,0xB4,0x8E,0x45,0x38,0xEB,0x48,0xA5,0xEB,0xE6, - 0x88,0xD2,0x0D,0x83,0x8B,0x6A,0x2A,0x97,0xC6,0xBD,0x01,0x39,0x71,0x0A,0xDA,0xF3, - 0x2A,0x8D,0x7F,0x5C,0xCC,0xF0,0x05,0x17,0x99,0x98,0x11,0xD3,0x43,0x23,0xCE,0x91, - 0x55,0x02,0x7E,0x93,0x1B,0x37,0xE9,0x81,0x84,0x7D,0xEE,0x80,0x0D,0x69,0xF5,0x77, - 0x20,0x8B,0x39,0x7F,0x4E,0x52,0x94,0xED,0x07,0x76,0xF0,0xB6,0x12,0x39,0xDA,0xEB, - 0x80,0x42,0x02,0xD4,0xFE,0xE6,0x42,0xB7,0xC5,0xA8,0xEC,0xA6,0x83,0x9C,0x68,0x60, - 0x9A,0x52,0xF2,0x7F,0xF6,0x48,0x92,0x93,0x10,0x43,0xDE,0x5E,0x75,0x18,0x1B,0x22, - 0x12,0x3F,0xEB,0x7A,0x38,0x6E,0x73,0xBD,0x6A,0x2C,0xE6,0x07,0xEA,0xFC,0x50,0x31, - 0x54,0xC3,0x7B,0xD1,0x0B,0xC1,0x78,0x9D,0x6E,0xF2,0xAF,0x65,0xB9,0xF1,0xB5, -}; - -/* subject:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ -/* issuer :/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */ -/* Not After : Nov 8 00:58:58 2029 GMT */ - -unsigned char ca1_Cert[1456]={ - 0x30,0x82,0x05,0xAC,0x30,0x82,0x03,0x94,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x38, - 0xF6,0x45,0xC1,0xE2,0x5D,0x91,0x2C,0xCE,0x3B,0x2B,0x39,0x12,0x31,0x74,0x0D,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, - 
0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, - 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, - 0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x6F,0x66,0x20,0x57, - 0x6F,0x53,0x69,0x67,0x6E,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x31,0x30,0x38,0x30, - 0x30,0x35,0x38,0x35,0x38,0x5A,0x17,0x0D,0x32,0x39,0x31,0x31,0x30,0x38,0x30,0x30, - 0x35,0x38,0x35,0x38,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, - 0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57, - 0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64, - 0x31,0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67, - 0x6E,0x20,0x43,0x41,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65, - 0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x47,0x32,0x30,0x82,0x01,0x22, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, - 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE3,0xB4,0x80, - 0x0E,0x6B,0x30,0x50,0x82,0x2F,0x1F,0xE7,0x9D,0xBF,0xF8,0x7C,0x42,0x25,0xED,0xAE, - 0x61,0xC4,0xEB,0x86,0x87,0x23,0x7F,0x11,0x1F,0xC0,0x93,0x5F,0x1B,0x92,0x90,0x1E, - 0x77,0x8C,0xBC,0x76,0xF7,0xFB,0x0A,0xA5,0xD5,0x7D,0xAC,0xDC,0x4B,0x18,0xD8,0x58, - 0x2E,0xDF,0x46,0x6B,0x34,0x0F,0x45,0x64,0x60,0x84,0xC2,0xEB,0x9A,0x0E,0x51,0xD4, - 0x2A,0x54,0x51,0x3E,0x27,0x3B,0x64,0x68,0x86,0x6F,0x7C,0x6B,0x00,0x3C,0x99,0xF6, - 0x4C,0xA8,0x45,0x27,0xAD,0xA5,0xCB,0x2B,0x37,0xED,0x59,0xC3,0x52,0x4C,0x4F,0xDE, - 0x34,0x9C,0xF2,0xB7,0xD1,0xFA,0x58,0xCB,0xE5,0x62,0x9E,0x55,0x46,0x5C,0xB7,0xC5, - 0x8D,0x38,0x24,0x35,0xEF,0x97,0x2C,0x7C,0x65,0x10,0x0D,0xEF,0x9F,0x97,0x08,0xD5, - 0xE5,0xB3,0x12,0x7A,0x92,0xDD,0xFE,0x88,0x0F,0x8F,0xA4,0xAF,0xBD,0xC5,0xD6,0x36, - 0xF7,0x41,0x1B,0xE8,0x59,0xDD,0x86,0xFF,0x35,0xBF,0xED,0xE4,0xD1,0xA0,0x93,0x6E, - 
0x51,0xA8,0x99,0xCB,0xDF,0xDD,0xBE,0x71,0x88,0xC3,0xDA,0xB1,0x65,0xCC,0x7B,0x95, - 0xC4,0x66,0x8F,0xBE,0x4E,0x06,0x7F,0x9B,0x53,0x8C,0x6B,0x3C,0xCE,0x97,0x26,0x82, - 0x1F,0x17,0x30,0xBA,0x3F,0xC8,0xDE,0xCC,0x0B,0xA1,0xB4,0xEF,0x12,0x3D,0x93,0xCB, - 0x08,0x30,0xE7,0x1A,0x98,0x97,0x80,0x3A,0x26,0x84,0x8F,0xFE,0x73,0x74,0x95,0x53, - 0x0F,0x51,0xB2,0xAA,0x89,0x57,0xF4,0x96,0x40,0x72,0x13,0x1D,0xE4,0x67,0x98,0x4E, - 0x8F,0xC6,0x40,0x0B,0xF5,0x1D,0x0C,0x45,0x2D,0xE0,0xD5,0x92,0x83,0x02,0x03,0x01, - 0x00,0x01,0xA3,0x82,0x01,0x76,0x30,0x82,0x01,0x72,0x30,0x0E,0x06,0x03,0x55,0x1D, - 0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D, - 0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06, - 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, - 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x30,0x06, - 0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86,0x1F, - 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,0x2E,0x77,0x6F,0x73, - 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30, - 0x72,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x66,0x30,0x64,0x30, - 0x27,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74, - 0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E, - 0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x30,0x39,0x06,0x08,0x2B,0x06,0x01,0x05, - 0x05,0x07,0x30,0x02,0x86,0x2D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61, - 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31, - 0x67,0x32,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E, - 0x63,0x65,0x72,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2,0xA7, - 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E, - 0xA8,0xC7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE1, - 
0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6, - 0xFE,0xFB,0x3E,0x30,0x47,0x06,0x03,0x55,0x1D,0x20,0x04,0x40,0x30,0x3E,0x30,0x3C, - 0x06,0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30, - 0x2B,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68, - 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E, - 0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09, - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00, - 0x96,0x5A,0xDF,0x96,0x91,0x17,0x68,0x90,0x5D,0x2F,0xB4,0x32,0x15,0x80,0x03,0x03, - 0x0B,0xE9,0x1C,0xB7,0x73,0x6C,0xDA,0xA8,0xFA,0x94,0xDD,0xDD,0x3E,0x34,0x2B,0x2E, - 0x80,0x93,0x6C,0xFA,0xA6,0x67,0xD3,0x1B,0x7A,0x82,0x41,0xCE,0x9E,0xFF,0x3F,0xEF, - 0xB2,0x83,0x6A,0x9E,0xFC,0x32,0xFD,0x44,0xF3,0x82,0x66,0xAA,0xCF,0x44,0x2F,0xB3, - 0x37,0x41,0xF0,0x79,0x12,0xE3,0x02,0x27,0x86,0x48,0x92,0xBE,0xCF,0x56,0xD7,0xCB, - 0xD7,0xE7,0x1E,0x25,0x9D,0x41,0xDB,0x0A,0xE7,0x33,0x12,0x58,0xAD,0x95,0xD8,0x9E, - 0xD4,0xB7,0x95,0x29,0xBA,0xFE,0xFF,0xDF,0x80,0xA4,0x77,0x5B,0x15,0x62,0x0F,0x69, - 0xF8,0x87,0x6D,0x74,0xEA,0x85,0xA2,0x76,0x5D,0x9F,0x95,0x2E,0x03,0xBC,0x8A,0xF9, - 0x8A,0xAC,0x81,0x64,0x50,0xF2,0x0B,0x45,0x4B,0xEC,0x97,0x30,0x39,0x74,0xE5,0xA7, - 0x7E,0x16,0x24,0x62,0x2B,0x50,0xF1,0x5C,0xD8,0x4F,0xCD,0x2E,0xA2,0x18,0x25,0xA3, - 0xCE,0xF6,0x1F,0x60,0xDD,0x15,0xDE,0x20,0x15,0x1B,0x0E,0x7F,0xAF,0x85,0xD9,0x40, - 0xAC,0x07,0x2A,0x34,0xDD,0x51,0xB0,0x1A,0xA8,0xE6,0x0E,0x9F,0x5F,0xDB,0x46,0x70, - 0xE6,0xF5,0xD9,0x25,0x1C,0xF0,0x1D,0xE5,0x42,0xA1,0x2D,0x22,0x9D,0x6E,0x11,0xC9, - 0x8D,0xA6,0x65,0xBC,0x0E,0xAA,0x76,0x73,0xC8,0x56,0x60,0x2F,0xFB,0x3F,0x86,0xB9, - 0xA5,0xF5,0x33,0xEF,0xD5,0x13,0x1F,0x49,0x4C,0x38,0x07,0x9E,0x59,0x22,0x5A,0xC7, - 0x4E,0xD9,0x25,0x24,0xBA,0x53,0x70,0xFC,0x63,0x2A,0x54,0x51,0xEB,0xC3,0x4B,0x41, - 0x7D,0xE4,0xE8,0x3C,0x2C,0xA5,0x76,0x5A,0xBF,0xD9,0x4C,0xA8,0x0D,0xAE,0x52,0x6E, - 
0xA5,0x5D,0x98,0x3D,0x6C,0x90,0x6D,0x78,0x1F,0xC3,0x70,0x95,0x86,0x07,0x3F,0x54, - 0xE3,0xEA,0x8A,0x81,0x64,0x62,0x9A,0x8F,0x31,0xAF,0x7B,0x2A,0x7E,0x92,0x22,0xC3, - 0x8E,0xCC,0x53,0xAC,0xC7,0x9C,0x99,0x11,0x2B,0x48,0x3F,0x52,0x71,0x2B,0x6E,0xC0, - 0xE1,0xB3,0x0A,0xE5,0x03,0x62,0xD7,0x89,0x18,0x28,0x4C,0x0A,0x8D,0x3F,0x0B,0x45, - 0x89,0x81,0x8B,0x88,0xA4,0x93,0xC2,0x7F,0x44,0xE5,0x1E,0x5B,0x40,0x00,0xFC,0x2F, - 0xCC,0x3B,0xF8,0x6A,0x79,0x31,0xFD,0x44,0x14,0xB6,0x8F,0x48,0x85,0x4C,0xAB,0x0A, - 0x9D,0xBB,0x37,0x0A,0xFC,0x51,0x19,0xE0,0xFE,0x59,0x6A,0x3B,0x8F,0x60,0x62,0xA7, - 0x07,0x82,0xAF,0x08,0x66,0xA0,0xF2,0xDA,0x60,0x02,0xEA,0xD8,0x34,0x7E,0x57,0x71, - 0xA1,0xB5,0xFE,0x69,0xD7,0xFB,0xDD,0x5A,0x9C,0xF3,0xFF,0xC4,0xEA,0xCD,0x74,0xFA, - 0x94,0x70,0xD3,0x58,0x92,0xCE,0xAF,0x12,0xE4,0x6E,0xEB,0xDD,0xB8,0xAF,0x1D,0xE2, - 0x65,0xD4,0x46,0xEA,0x0B,0x3E,0xE3,0x68,0x0E,0x0A,0x4C,0x27,0x83,0x50,0x91,0x06, - 0xC6,0x7B,0xF8,0xFA,0x9B,0x26,0xED,0x2C,0x0E,0x67,0xB8,0x6C,0xE5,0x2C,0x98,0x6D, - 0x5F,0x7A,0x28,0xC3,0x84,0x3C,0x03,0x0D,0xF7,0xE2,0x03,0xE1,0x94,0xC2,0x58,0x27, - 0xF8,0x4D,0x81,0x59,0x2F,0xF1,0x7C,0x61,0xC9,0x57,0x5D,0xBD,0xDC,0x9C,0x80,0xD0, - 0x64,0xDF,0x7C,0x87,0x78,0x85,0xE6,0x94,0x8B,0x70,0x8B,0x05,0x47,0xE4,0xC8,0x7B, -}; - -/* subject:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */ -/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ -/* Not After : Dec 31 23:59:59 2019 GMT */ - -unsigned char ca2_Cert[1632]={ - 0x30,0x82,0x06,0x5C,0x30,0x82,0x04,0x44,0xA0,0x03,0x02,0x01,0x02,0x02,0x07,0x19, - 0xC2,0x85,0x30,0xE9,0x3B,0x36,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, - 0x01,0x01,0x0B,0x05,0x00,0x30,0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, - 0x13,0x02,0x49,0x4C,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53, - 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29, - 
0x06,0x03,0x55,0x04,0x0B,0x13,0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69, - 0x67,0x69,0x74,0x61,0x6C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, - 0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55, - 0x04,0x03,0x13,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72, - 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, - 0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x32,0x32, - 0x34,0x36,0x33,0x36,0x5A,0x17,0x0D,0x31,0x39,0x31,0x32,0x33,0x31,0x32,0x33,0x35, - 0x39,0x35,0x39,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F, - 0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31, - 0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, - 0x79,0x20,0x6F,0x66,0x20,0x57,0x6F,0x53,0x69,0x67,0x6E,0x30,0x82,0x02,0x22,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, - 0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xBD,0xCA,0x8D,0xAC, - 0xB8,0x91,0x15,0x56,0x97,0x7B,0x6B,0x5C,0x7A,0xC2,0xDE,0x6B,0xD9,0xA1,0xB0,0xC3, - 0x10,0x23,0xFA,0xA7,0xA1,0xB2,0xCC,0x31,0xFA,0x3E,0xD9,0xA6,0x29,0x6F,0x16,0x3D, - 0xE0,0x6B,0xF8,0xB8,0x40,0x5F,0xDB,0x39,0xA8,0x00,0x7A,0x8B,0xA0,0x4D,0x54,0x7D, - 0xC2,0x22,0x78,0xFC,0x8E,0x09,0xB8,0xA8,0x85,0xD7,0xCC,0x95,0x97,0x4B,0x74,0xD8, - 0x9E,0x7E,0xF0,0x00,0xE4,0x0E,0x89,0xAE,0x49,0x28,0x44,0x1A,0x10,0x99,0x32,0x0F, - 0x25,0x88,0x53,0xA4,0x0D,0xB3,0x0F,0x12,0x08,0x16,0x0B,0x03,0x71,0x27,0x1C,0x7F, - 0xE1,0xDB,0xD2,0xFD,0x67,0x68,0xC4,0x05,0x5D,0x0A,0x0E,0x5D,0x70,0xD7,0xD8,0x97, - 0xA0,0xBC,0x53,0x41,0x9A,0x91,0x8D,0xF4,0x9E,0x36,0x66,0x7A,0x7E,0x56,0xC1,0x90, - 0x5F,0xE6,0xB1,0x68,0x20,0x36,0xA4,0x8C,0x24,0x2C,0x2C,0x47,0x0B,0x59,0x76,0x66, - 
0x30,0xB5,0xBE,0xDE,0xED,0x8F,0xF8,0x9D,0xD3,0xBB,0x01,0x30,0xE6,0xF2,0xF3,0x0E, - 0xE0,0x2C,0x92,0x80,0xF3,0x85,0xF9,0x28,0x8A,0xB4,0x54,0x2E,0x9A,0xED,0xF7,0x76, - 0xFC,0x15,0x68,0x16,0xEB,0x4A,0x6C,0xEB,0x2E,0x12,0x8F,0xD4,0xCF,0xFE,0x0C,0xC7, - 0x5C,0x1D,0x0B,0x7E,0x05,0x32,0xBE,0x5E,0xB0,0x09,0x2A,0x42,0xD5,0xC9,0x4E,0x90, - 0xB3,0x59,0x0D,0xBB,0x7A,0x7E,0xCD,0xD5,0x08,0x5A,0xB4,0x7F,0xD8,0x1C,0x69,0x11, - 0xF9,0x27,0x0F,0x7B,0x06,0xAF,0x54,0x83,0x18,0x7B,0xE1,0xDD,0x54,0x7A,0x51,0x68, - 0x6E,0x77,0xFC,0xC6,0xBF,0x52,0x4A,0x66,0x46,0xA1,0xB2,0x67,0x1A,0xBB,0xA3,0x4F, - 0x77,0xA0,0xBE,0x5D,0xFF,0xFC,0x56,0x0B,0x43,0x72,0x77,0x90,0xCA,0x9E,0xF9,0xF2, - 0x39,0xF5,0x0D,0xA9,0xF4,0xEA,0xD7,0xE7,0xB3,0x10,0x2F,0x30,0x42,0x37,0x21,0xCC, - 0x30,0x70,0xC9,0x86,0x98,0x0F,0xCC,0x58,0x4D,0x83,0xBB,0x7D,0xE5,0x1A,0xA5,0x37, - 0x8D,0xB6,0xAC,0x32,0x97,0x00,0x3A,0x63,0x71,0x24,0x1E,0x9E,0x37,0xC4,0xFF,0x74, - 0xD4,0x37,0xC0,0xE2,0xFE,0x88,0x46,0x60,0x11,0xDD,0x08,0x3F,0x50,0x36,0xAB,0xB8, - 0x7A,0xA4,0x95,0x62,0x6A,0x6E,0xB0,0xCA,0x6A,0x21,0x5A,0x69,0xF3,0xF3,0xFB,0x1D, - 0x70,0x39,0x95,0xF3,0xA7,0x6E,0xA6,0x81,0x89,0xA1,0x88,0xC5,0x3B,0x71,0xCA,0xA3, - 0x52,0xEE,0x83,0xBB,0xFD,0xA0,0x77,0xF4,0xE4,0x6F,0xE7,0x42,0xDB,0x6D,0x4A,0x99, - 0x8A,0x34,0x48,0xBC,0x17,0xDC,0xE4,0x80,0x08,0x22,0xB6,0xF2,0x31,0xC0,0x3F,0x04, - 0x3E,0xEB,0x9F,0x20,0x79,0xD6,0xB8,0x06,0x64,0x64,0x02,0x31,0xD7,0xA9,0xCD,0x52, - 0xFB,0x84,0x45,0x69,0x09,0x00,0x2A,0xDC,0x55,0x8B,0xC4,0x06,0x46,0x4B,0xC0,0x4A, - 0x1D,0x09,0x5B,0x39,0x28,0xFD,0xA9,0xAB,0xCE,0x00,0xF9,0x2E,0x48,0x4B,0x26,0xE6, - 0x30,0x4C,0xA5,0x58,0xCA,0xB4,0x44,0x82,0x4F,0xE7,0x91,0x1E,0x33,0xC3,0xB0,0x93, - 0xFF,0x11,0xFC,0x81,0xD2,0xCA,0x1F,0x71,0x29,0xDD,0x76,0x4F,0x92,0x25,0xAF,0x1D, - 0x81,0xB7,0x0F,0x2F,0x8C,0xC3,0x06,0xCC,0x2F,0x27,0xA3,0x4A,0xE4,0x0E,0x99,0xBA, - 0x7C,0x1E,0x45,0x1F,0x7F,0xAA,0x19,0x45,0x96,0xFD,0xFC,0x3D,0x02,0x03,0x01,0x00, - 0x01,0xA3,0x82,0x01,0x07,0x30,0x82,0x01,0x03,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, - 
0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,0x0E,0x06, - 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06, - 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xE1,0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B, - 0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,0xFE,0xFB,0x3E,0x30,0x1F,0x06,0x03, - 0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B, - 0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,0x43,0xD0,0x41,0xAE,0xF2,0x30,0x69,0x06, - 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x5D,0x30,0x5B,0x30,0x27,0x06, - 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,0x70,0x3A, - 0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E, - 0x63,0x6F,0x6D,0x2F,0x63,0x61,0x30,0x30,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 0x30,0x02,0x86,0x24,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x2E,0x73, - 0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72,0x74, - 0x73,0x2F,0x63,0x61,0x2E,0x63,0x72,0x74,0x30,0x32,0x06,0x03,0x55,0x1D,0x1F,0x04, - 0x2B,0x30,0x29,0x30,0x27,0xA0,0x25,0xA0,0x23,0x86,0x21,0x68,0x74,0x74,0x70,0x3A, - 0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63, - 0x6F,0x6D,0x2F,0x73,0x66,0x73,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09, - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00, - 0xB6,0x6D,0xF8,0x70,0xFB,0xE2,0x0D,0x4C,0x98,0xB3,0x07,0x49,0x15,0xF5,0x04,0xC4, - 0x6C,0xCA,0xCA,0xF5,0x68,0xA0,0x08,0xFE,0x12,0x6D,0x9C,0x04,0x06,0xC9,0xAD,0x9A, - 0x91,0x52,0x3E,0x78,0xC4,0x5C,0xEE,0x9F,0x54,0x1D,0xEE,0xE3,0xF1,0x5E,0x30,0xC9, - 0x49,0xE1,0x39,0xE0,0xA6,0x9D,0x36,0x6C,0x57,0xFA,0xE6,0x34,0x4F,0x55,0xE8,0x87, - 0xA8,0x2C,0xDD,0x05,0xF1,0x58,0x12,0x91,0xE8,0xCA,0xCE,0x28,0x78,0x8F,0xDF,0x07, - 0x85,0x01,0xA5,0xDC,0x45,0x96,0x05,0xD4,0x80,0xB2,0x2B,0x05,0x9A,0xCB,0x9A,0xA5, - 0x8B,0xE0,0x3A,0x67,0xE6,0x73,0x47,0xBE,0x4A,0xFD,0x27,0xB1,0x88,0xEF,0xE6,0xCA, - 
0xCF,0x8D,0x0E,0x26,0x9F,0xFA,0x5F,0x57,0x78,0xAD,0x6D,0xFE,0xAE,0x9B,0x35,0x08, - 0xB1,0xC3,0xBA,0xC1,0x00,0x4A,0x4B,0x7D,0x14,0xBD,0xF7,0xF1,0xD3,0x55,0x18,0xAC, - 0xD0,0x33,0x70,0x88,0x6D,0xC4,0x09,0x71,0x14,0xA6,0x2B,0x4F,0x88,0x81,0xE7,0x0B, - 0x00,0x37,0xA9,0x15,0x7D,0x7E,0xD7,0x01,0x96,0x3F,0x2F,0xAF,0x7B,0x62,0xAE,0x0A, - 0x4A,0xBF,0x4B,0x39,0x2E,0x35,0x10,0x8B,0xFE,0x04,0x39,0xE4,0x3C,0x3A,0x0C,0x09, - 0x56,0x40,0x3A,0xB5,0xF4,0xC2,0x68,0x0C,0xB5,0xF9,0x52,0xCD,0xEE,0x9D,0xF8,0x98, - 0xFC,0x78,0xE7,0x58,0x47,0x8F,0x1C,0x73,0x58,0x69,0x33,0xAB,0xFF,0xDD,0xDF,0x8E, - 0x24,0x01,0x77,0x98,0x19,0x3A,0xB0,0x66,0x79,0xBC,0xE1,0x08,0xA3,0x0E,0x4F,0xC1, - 0x04,0xB3,0xF3,0x01,0xC8,0xEB,0xD3,0x59,0x1C,0x35,0xD2,0x93,0x1E,0x70,0x65,0x82, - 0x7F,0xDB,0xCF,0xFB,0xC8,0x99,0x12,0x60,0xC3,0x44,0x6F,0x3A,0x80,0x4B,0xD7,0xBE, - 0x21,0xAA,0x14,0x7A,0x64,0xCB,0xDD,0x37,0x43,0x45,0x5B,0x32,0x2E,0x45,0xF0,0xD9, - 0x59,0x1F,0x6B,0x18,0xF0,0x7C,0xE9,0x55,0x36,0x19,0x61,0x5F,0xB5,0x7D,0xF1,0x8D, - 0xBD,0x88,0xE4,0x75,0x4B,0x98,0xDD,0x27,0xB0,0xE4,0x84,0x44,0x2A,0x61,0x84,0x57, - 0x05,0x82,0x11,0x1F,0xAA,0x35,0x58,0xF3,0x20,0x0E,0xAF,0x59,0xEF,0xFA,0x55,0x72, - 0x72,0x0D,0x26,0xD0,0x9B,0x53,0x49,0xAC,0xCE,0x37,0x2E,0x65,0x61,0xFF,0xF6,0xEC, - 0x1B,0xEA,0xF6,0xF1,0xA6,0xD3,0xD1,0xB5,0x7B,0xBE,0x35,0xF4,0x22,0xC1,0xBC,0x8D, - 0x01,0xBD,0x68,0x5E,0x83,0x0D,0x2F,0xEC,0xD6,0xDA,0x63,0x0C,0x27,0xD1,0x54,0x3E, - 0xE4,0xA8,0xD3,0xCE,0x4B,0x32,0xB8,0x91,0x94,0xFF,0xFB,0x5B,0x49,0x2D,0x75,0x18, - 0xA8,0xBA,0x71,0x9A,0x3B,0xAE,0xD9,0xC0,0xA9,0x4F,0x87,0x91,0xED,0x8B,0x7B,0x6B, - 0x20,0x98,0x89,0x39,0x83,0x4F,0x80,0xC4,0x69,0xCC,0x17,0xC9,0xC8,0x4E,0xBE,0xE4, - 0xA9,0xA5,0x81,0x76,0x70,0x06,0x04,0x32,0xCD,0x83,0x65,0xF4,0xBC,0x7D,0x3E,0x13, - 0xBC,0xD2,0xE8,0x6F,0x63,0xAA,0xB5,0x3B,0xDA,0x8D,0x86,0x32,0x82,0x78,0x9D,0xD9, - 0xCC,0xFF,0xBF,0x57,0x64,0x74,0xED,0x28,0x3D,0x44,0x62,0x15,0x61,0x4B,0xF7,0x94, - 0xB0,0x0D,0x2A,0x67,0x1C,0xF0,0xCB,0x9B,0xA5,0x92,0xBF,0xF8,0x41,0x5A,0xC1,0x3D, - 
0x60,0xED,0x9F,0xBB,0xB8,0x6D,0x9B,0xCE,0xA9,0x6A,0x16,0x3F,0x7E,0xEA,0x06,0xF1, -}; - -/* subject:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ -/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ -/* Not After : Sep 17 19:46:36 2036 GMT */ - -unsigned char root_Cert[1997]={ - 0x30,0x82,0x07,0xC9,0x30,0x82,0x05,0xB1,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, - 0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16, - 0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F, - 0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13, - 0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20, - 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E, - 0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74, - 0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, - 0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E, - 0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x17, - 0x0D,0x33,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x30,0x7D, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,0x30, - 0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D, - 0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,0x22, - 0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,0x43, - 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,0x69, - 0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,0x61, - 0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, - 
0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x02, - 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, - 0x03,0x82,0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xC1,0x88, - 0xDB,0x09,0xBC,0x6C,0x46,0x7C,0x78,0x9F,0x95,0x7B,0xB5,0x33,0x90,0xF2,0x72,0x62, - 0xD6,0xC1,0x36,0x20,0x22,0x24,0x5E,0xCE,0xE9,0x77,0xF2,0x43,0x0A,0xA2,0x06,0x64, - 0xA4,0xCC,0x8E,0x36,0xF8,0x38,0xE6,0x23,0xF0,0x6E,0x6D,0xB1,0x3C,0xDD,0x72,0xA3, - 0x85,0x1C,0xA1,0xD3,0x3D,0xB4,0x33,0x2B,0xD3,0x2F,0xAF,0xFE,0xEA,0xB0,0x41,0x59, - 0x67,0xB6,0xC4,0x06,0x7D,0x0A,0x9E,0x74,0x85,0xD6,0x79,0x4C,0x80,0x37,0x7A,0xDF, - 0x39,0x05,0x52,0x59,0xF7,0xF4,0x1B,0x46,0x43,0xA4,0xD2,0x85,0x85,0xD2,0xC3,0x71, - 0xF3,0x75,0x62,0x34,0xBA,0x2C,0x8A,0x7F,0x1E,0x8F,0xEE,0xED,0x34,0xD0,0x11,0xC7, - 0x96,0xCD,0x52,0x3D,0xBA,0x33,0xD6,0xDD,0x4D,0xDE,0x0B,0x3B,0x4A,0x4B,0x9F,0xC2, - 0x26,0x2F,0xFA,0xB5,0x16,0x1C,0x72,0x35,0x77,0xCA,0x3C,0x5D,0xE6,0xCA,0xE1,0x26, - 0x8B,0x1A,0x36,0x76,0x5C,0x01,0xDB,0x74,0x14,0x25,0xFE,0xED,0xB5,0xA0,0x88,0x0F, - 0xDD,0x78,0xCA,0x2D,0x1F,0x07,0x97,0x30,0x01,0x2D,0x72,0x79,0xFA,0x46,0xD6,0x13, - 0x2A,0xA8,0xB9,0xA6,0xAB,0x83,0x49,0x1D,0xE5,0xF2,0xEF,0xDD,0xE4,0x01,0x8E,0x18, - 0x0A,0x8F,0x63,0x53,0x16,0x85,0x62,0xA9,0x0E,0x19,0x3A,0xCC,0xB5,0x66,0xA6,0xC2, - 0x6B,0x74,0x07,0xE4,0x2B,0xE1,0x76,0x3E,0xB4,0x6D,0xD8,0xF6,0x44,0xE1,0x73,0x62, - 0x1F,0x3B,0xC4,0xBE,0xA0,0x53,0x56,0x25,0x6C,0x51,0x09,0xF7,0xAA,0xAB,0xCA,0xBF, - 0x76,0xFD,0x6D,0x9B,0xF3,0x9D,0xDB,0xBF,0x3D,0x66,0xBC,0x0C,0x56,0xAA,0xAF,0x98, - 0x48,0x95,0x3A,0x4B,0xDF,0xA7,0x58,0x50,0xD9,0x38,0x75,0xA9,0x5B,0xEA,0x43,0x0C, - 0x02,0xFF,0x99,0xEB,0xE8,0x6C,0x4D,0x70,0x5B,0x29,0x65,0x9C,0xDD,0xAA,0x5D,0xCC, - 0xAF,0x01,0x31,0xEC,0x0C,0xEB,0xD2,0x8D,0xE8,0xEA,0x9C,0x7B,0xE6,0x6E,0xF7,0x27, - 0x66,0x0C,0x1A,0x48,0xD7,0x6E,0x42,0xE3,0x3F,0xDE,0x21,0x3E,0x7B,0xE1,0x0D,0x70, - 0xFB,0x63,0xAA,0xA8,0x6C,0x1A,0x54,0xB4,0x5C,0x25,0x7A,0xC9,0xA2,0xC9,0x8B,0x16, - 
0xA6,0xBB,0x2C,0x7E,0x17,0x5E,0x05,0x4D,0x58,0x6E,0x12,0x1D,0x01,0xEE,0x12,0x10, - 0x0D,0xC6,0x32,0x7F,0x18,0xFF,0xFC,0xF4,0xFA,0xCD,0x6E,0x91,0xE8,0x36,0x49,0xBE, - 0x1A,0x48,0x69,0x8B,0xC2,0x96,0x4D,0x1A,0x12,0xB2,0x69,0x17,0xC1,0x0A,0x90,0xD6, - 0xFA,0x79,0x22,0x48,0xBF,0xBA,0x7B,0x69,0xF8,0x70,0xC7,0xFA,0x7A,0x37,0xD8,0xD8, - 0x0D,0xD2,0x76,0x4F,0x57,0xFF,0x90,0xB7,0xE3,0x91,0xD2,0xDD,0xEF,0xC2,0x60,0xB7, - 0x67,0x3A,0xDD,0xFE,0xAA,0x9C,0xF0,0xD4,0x8B,0x7F,0x72,0x22,0xCE,0xC6,0x9F,0x97, - 0xB6,0xF8,0xAF,0x8A,0xA0,0x10,0xA8,0xD9,0xFB,0x18,0xC6,0xB6,0xB5,0x5C,0x52,0x3C, - 0x89,0xB6,0x19,0x2A,0x73,0x01,0x0A,0x0F,0x03,0xB3,0x12,0x60,0xF2,0x7A,0x2F,0x81, - 0xDB,0xA3,0x6E,0xFF,0x26,0x30,0x97,0xF5,0x8B,0xDD,0x89,0x57,0xB6,0xAD,0x3D,0xB3, - 0xAF,0x2B,0xC5,0xB7,0x76,0x02,0xF0,0xA5,0xD6,0x2B,0x9A,0x86,0x14,0x2A,0x72,0xF6, - 0xE3,0x33,0x8C,0x5D,0x09,0x4B,0x13,0xDF,0xBB,0x8C,0x74,0x13,0x52,0x4B,0x02,0x03, - 0x01,0x00,0x01,0xA3,0x82,0x02,0x52,0x30,0x82,0x02,0x4E,0x30,0x0C,0x06,0x03,0x55, - 0x1D,0x13,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F, - 0x04,0x04,0x03,0x02,0x01,0xAE,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, - 0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68, - 0x43,0xD0,0x41,0xAE,0xF2,0x30,0x64,0x06,0x03,0x55,0x1D,0x1F,0x04,0x5D,0x30,0x5B, - 0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63, - 0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67, - 0x2F,0x73,0x66,0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x2B, - 0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C, - 0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x73,0x66, - 0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x82,0x01,0x5D,0x06, - 0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x54,0x30,0x82,0x01,0x50,0x30,0x82,0x01,0x4C, - 0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x81,0xB5,0x37,0x01,0x01,0x01,0x30,0x82,0x01, - 
0x3B,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x23,0x68, - 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74, - 0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70, - 0x64,0x66,0x30,0x35,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x29, - 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72, - 0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x69,0x6E,0x74,0x65,0x72,0x6D,0x65, - 0x64,0x69,0x61,0x74,0x65,0x2E,0x70,0x64,0x66,0x30,0x81,0xD0,0x06,0x08,0x2B,0x06, - 0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xC3,0x30,0x27,0x16,0x20,0x53,0x74,0x61, - 0x72,0x74,0x20,0x43,0x6F,0x6D,0x6D,0x65,0x72,0x63,0x69,0x61,0x6C,0x20,0x28,0x53, - 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x29,0x20,0x4C,0x74,0x64,0x2E,0x30,0x03,0x02, - 0x01,0x01,0x1A,0x81,0x97,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x20,0x4C,0x69,0x61, - 0x62,0x69,0x6C,0x69,0x74,0x79,0x2C,0x20,0x72,0x65,0x61,0x64,0x20,0x74,0x68,0x65, - 0x20,0x73,0x65,0x63,0x74,0x69,0x6F,0x6E,0x20,0x2A,0x4C,0x65,0x67,0x61,0x6C,0x20, - 0x4C,0x69,0x6D,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x73,0x2A,0x20,0x6F,0x66,0x20, - 0x74,0x68,0x65,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72, - 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, - 0x72,0x69,0x74,0x79,0x20,0x50,0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x76,0x61,0x69, - 0x6C,0x61,0x62,0x6C,0x65,0x20,0x61,0x74,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, - 0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72, - 0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,0x64,0x66,0x30,0x11,0x06,0x09, - 0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,0x04,0x04,0x03,0x02,0x00,0x07,0x30, - 0x38,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,0x04,0x2B,0x16,0x29, - 0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53, - 0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, - 
0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, - 0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x02,0x01,0x00,0x16,0x6C,0x99, - 0xF4,0x66,0x0C,0x34,0xF5,0xD0,0x85,0x5E,0x7D,0x0A,0xEC,0xDA,0x10,0x4E,0x38,0x1C, - 0x5E,0xDF,0xA6,0x25,0x05,0x4B,0x91,0x32,0xC1,0xE8,0x3B,0xF1,0x3D,0xDD,0x44,0x09, - 0x5B,0x07,0x49,0x8A,0x29,0xCB,0x66,0x02,0xB7,0xB1,0x9A,0xF7,0x25,0x98,0x09,0x3C, - 0x8E,0x1B,0xE1,0xDD,0x36,0x87,0x2B,0x4B,0xBB,0x68,0xD3,0x39,0x66,0x3D,0xA0,0x26, - 0xC7,0xF2,0x39,0x91,0x1D,0x51,0xAB,0x82,0x7B,0x7E,0xD5,0xCE,0x5A,0xE4,0xE2,0x03, - 0x57,0x70,0x69,0x97,0x08,0xF9,0x5E,0x58,0xA6,0x0A,0xDF,0x8C,0x06,0x9A,0x45,0x16, - 0x16,0x38,0x0A,0x5E,0x57,0xF6,0x62,0xC7,0x7A,0x02,0x05,0xE6,0xBC,0x1E,0xB5,0xF2, - 0x9E,0xF4,0xA9,0x29,0x83,0xF8,0xB2,0x14,0xE3,0x6E,0x28,0x87,0x44,0xC3,0x90,0x1A, - 0xDE,0x38,0xA9,0x3C,0xAC,0x43,0x4D,0x64,0x45,0xCE,0xDD,0x28,0xA9,0x5C,0xF2,0x73, - 0x7B,0x04,0xF8,0x17,0xE8,0xAB,0xB1,0xF3,0x2E,0x5C,0x64,0x6E,0x73,0x31,0x3A,0x12, - 0xB8,0xBC,0xB3,0x11,0xE4,0x7D,0x8F,0x81,0x51,0x9A,0x3B,0x8D,0x89,0xF4,0x4D,0x93, - 0x66,0x7B,0x3C,0x03,0xED,0xD3,0x9A,0x1D,0x9A,0xF3,0x65,0x50,0xF5,0xA0,0xD0,0x75, - 0x9F,0x2F,0xAF,0xF0,0xEA,0x82,0x43,0x98,0xF8,0x69,0x9C,0x89,0x79,0xC4,0x43,0x8E, - 0x46,0x72,0xE3,0x64,0x36,0x12,0xAF,0xF7,0x25,0x1E,0x38,0x89,0x90,0x77,0x7E,0xC3, - 0x6B,0x6A,0xB9,0xC3,0xCB,0x44,0x4B,0xAC,0x78,0x90,0x8B,0xE7,0xC7,0x2C,0x1E,0x4B, - 0x11,0x44,0xC8,0x34,0x52,0x27,0xCD,0x0A,0x5D,0x9F,0x85,0xC1,0x89,0xD5,0x1A,0x78, - 0xF2,0x95,0x10,0x53,0x32,0xDD,0x80,0x84,0x66,0x75,0xD9,0xB5,0x68,0x28,0xFB,0x61, - 0x2E,0xBE,0x84,0xA8,0x38,0xC0,0x99,0x12,0x86,0xA5,0x1E,0x67,0x64,0xAD,0x06,0x2E, - 0x2F,0xA9,0x70,0x85,0xC7,0x96,0x0F,0x7C,0x89,0x65,0xF5,0x8E,0x43,0x54,0x0E,0xAB, - 0xDD,0xA5,0x80,0x39,0x94,0x60,0xC0,0x34,0xC9,0x96,0x70,0x2C,0xA3,0x12,0xF5,0x1F, - 0x48,0x7B,0xBD,0x1C,0x7E,0x6B,0xB7,0x9D,0x90,0xF4,0x22,0x3B,0xAE,0xF8,0xFC,0x2A, - 0xCA,0xFA,0x82,0x52,0xA0,0xEF,0xAF,0x4B,0x55,0x93,0xEB,0xC1,0xB5,0xF0,0x22,0x8B, - 
0xAC,0x34,0x4E,0x26,0x22,0x04,0xA1,0x87,0x2C,0x75,0x4A,0xB7,0xE5,0x7D,0x13,0xD7, - 0xB8,0x0C,0x64,0xC0,0x36,0xD2,0xC9,0x2F,0x86,0x12,0x8C,0x23,0x09,0xC1,0x1B,0x82, - 0x3B,0x73,0x49,0xA3,0x6A,0x57,0x87,0x94,0xE5,0xD6,0x78,0xC5,0x99,0x43,0x63,0xE3, - 0x4D,0xE0,0x77,0x2D,0xE1,0x65,0x99,0x72,0x69,0x04,0x1A,0x47,0x09,0xE6,0x0F,0x01, - 0x56,0x24,0xFB,0x1F,0xBF,0x0E,0x79,0xA9,0x58,0x2E,0xB9,0xC4,0x09,0x01,0x7E,0x95, - 0xBA,0x6D,0x00,0x06,0x3E,0xB2,0xEA,0x4A,0x10,0x39,0xD8,0xD0,0x2B,0xF5,0xBF,0xEC, - 0x75,0xBF,0x97,0x02,0xC5,0x09,0x1B,0x08,0xDC,0x55,0x37,0xE2,0x81,0xFB,0x37,0x84, - 0x43,0x62,0x20,0xCA,0xE7,0x56,0x4B,0x65,0xEA,0xFE,0x6C,0xC1,0x24,0x93,0x24,0xA1, - 0x34,0xEB,0x05,0xFF,0x9A,0x22,0xAE,0x9B,0x7D,0x3F,0xF1,0x65,0x51,0x0A,0xA6,0x30, - 0x6A,0xB3,0xF4,0x88,0x1C,0x80,0x0D,0xFC,0x72,0x8A,0xE8,0x83,0x5E, -}; - - -static SecCertificateRef createCertFromStaticData(const UInt8 *certData, CFIndex certLength) -{ - SecCertificateRef cert = NULL; - CFDataRef data = CFDataCreateWithBytesNoCopy(NULL, certData, certLength, kCFAllocatorNull); - if (data) { - cert = SecCertificateCreateWithData(NULL, data); - CFRelease(data); - } - return cert; -} - -static void TestLeafOnAllowList() -{ - SecCertificateRef certs[4]; - SecPolicyRef policy = NULL; - SecTrustRef trust = NULL; - CFDateRef date = NULL; - CFArrayRef certArray = NULL; - CFArrayRef anchorsArray = NULL; - - isnt(certs[0] = createCertFromStaticData(leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)), - NULL, "allowlist: create leaf cert"); - isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)), - NULL, "allowlist: create intermediate ca 1"); - isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)), - NULL, "allowlist: create intermediate ca 2"); - isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)), - NULL, "allowlist: create root"); - - isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks), - NULL, "allowlist: create cert 
array"); - - /* create a trust reference with basic policy */ - isnt(policy = SecPolicyCreateBasicX509(), NULL, "allowlist: create policy"); - ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "allowlist: create trust"); - - /* set evaluate date: September 12, 2016 at 1:30:00 PM PDT */ - isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "allowlist: create date"); - ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "allowlist: set verify date"); - - /* use a known root CA at this point in time to anchor the chain */ - isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks), - NULL, "allowlist: create anchors array"); - ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "allowlist: set anchors"); - - SecTrustResultType trustResult = kSecTrustResultInvalid; - ok_status(SecTrustEvaluate(trust, &trustResult), "allowlist: evaluate"); - - /* expected result is kSecTrustResultUnspecified since cert is on allow list and its issuer chains to a trusted root */ - ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)", - (int)trustResult); - - /* clean up */ - for(CFIndex idx=0; idx < 4; idx++) { - if (certs[idx]) { CFRelease(certs[idx]); } - } - if (policy) { CFRelease(policy); } - if (trust) { CFRelease(trust); } - if (date) { CFRelease(date); } - if (certArray) { CFRelease(certArray); } - if (anchorsArray) { CFRelease(anchorsArray); } -} - -static void TestLeafNotOnAllowList() -{ - SecCertificateRef certs[4]; - SecPolicyRef policy = NULL; - SecTrustRef trust = NULL; - CFDateRef date = NULL; - CFArrayRef certArray = NULL; - CFArrayRef anchorsArray = NULL; - - isnt(certs[0] = createCertFromStaticData(leafNotOnAllowList_Cert, sizeof(leafNotOnAllowList_Cert)), - NULL, "!allowlist: create leaf cert"); - isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)), - NULL, "!allowlist: create intermediate ca 1"); - isnt(certs[2] = 
createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)), - NULL, "!allowlist: create intermediate ca 2"); - isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)), - NULL, "!allowlist: create root"); - - isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks), - NULL, "!allowlist: create cert array"); - - /* create a trust reference with basic policy */ - isnt(policy = SecPolicyCreateBasicX509(), NULL, "!allowlist: create policy"); - ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "!allowlist: create trust"); - - /* set evaluate date: September 7, 2016 at 9:00:00 PM PDT */ - isnt(date = CFDateCreate(NULL, 495000000.0), NULL, "!allowlist: create date"); - ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "!allowlist: set verify date"); - - /* use a known root CA at this point in time to anchor the chain */ - isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks), - NULL, "allowlist: create anchors array"); - ok_status((anchorsArray) ? 
SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "!allowlist: set anchors"); - - SecTrustResultType trustResult = kSecTrustResultInvalid; - ok_status(SecTrustEvaluate(trust, &trustResult), "!allowlist: evaluate"); - - /* expected result is kSecTrustResultRecoverableTrustFailure (if issuer is distrusted) - or kSecTrustResultFatalTrustFailure (if issuer is revoked), since cert is not on allow list */ - ok(trustResult == kSecTrustResultRecoverableTrustFailure || - trustResult == kSecTrustResultFatalTrustFailure, - "trustResult 5 or 6 expected (got %d)", (int)trustResult); - - /* clean up */ - for(CFIndex idx=0; idx < 4; idx++) { - if (certs[idx]) { CFRelease(certs[idx]); } - } - if (policy) { CFRelease(policy); } - if (trust) { CFRelease(trust); } - if (date) { CFRelease(date); } - if (certArray) { CFRelease(certArray); } - if (anchorsArray) { CFRelease(anchorsArray); } -} - -static void TestAllowListForRootCA(void) -{ - SecCertificateRef test0[2] = {NULL,NULL}; - SecCertificateRef test1[2] = {NULL,NULL}; - SecCertificateRef test1e[2] = {NULL,NULL}; - SecCertificateRef test2[2] = {NULL,NULL}; - SecPolicyRef policy = NULL; - SecTrustRef trust = NULL; - CFDateRef date = NULL; - SecTrustResultType trustResult; - - isnt(test0[0] = createCertFromStaticData(cert0, sizeof(cert0)), - NULL, "create first leaf"); - isnt(test1[0] = createCertFromStaticData(cert1, sizeof(cert1)), - NULL, "create second leaf"); - isnt(test1e[0] = createCertFromStaticData(cert1_expired, sizeof(cert1_expired)), - NULL, "create second leaf (expired)"); - isnt(test2[0] = createCertFromStaticData(cert2, sizeof(cert2)), - NULL, "create third leaf"); - - isnt(test0[1] = createCertFromStaticData(intermediate0, sizeof(intermediate0)), - NULL, "create intermediate"); - isnt(test1[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)), - NULL, "create intermediate"); - isnt(test1e[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)), - NULL, "create 
intermediate"); - isnt(test2[1] = createCertFromStaticData(intermediate2, sizeof(intermediate2)), - NULL, "create intermediate"); - - CFArrayRef certs0 = CFArrayCreate(kCFAllocatorDefault, (const void **)test0, 2, &kCFTypeArrayCallBacks); - CFArrayRef certs1 = CFArrayCreate(kCFAllocatorDefault, (const void **)test1, 2, &kCFTypeArrayCallBacks); - CFArrayRef certs1e = CFArrayCreate(kCFAllocatorDefault, (const void **)test1e, 2, &kCFTypeArrayCallBacks); - CFArrayRef certs2 = CFArrayCreate(kCFAllocatorDefault, (const void **)test2, 2, &kCFTypeArrayCallBacks); - - /* - * Whitelisted certificates issued by untrusted root CA. - */ - isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy"); - ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust"); - /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */ - isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date"); - ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)", - (int)trustResult); - if (trust) { CFRelease(trust); } - if (date) { CFRelease(date); } - - ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust"); - /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */ - isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date"); - ok_status((date) ? 
SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)", - (int)trustResult); - if (trust) { CFRelease(trust); } - if (date) { CFRelease(date); } - - ok_status(SecTrustCreateWithCertificates(certs2, policy, &trust), "create trust"); - /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */ - isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date"); - ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)", - (int)trustResult); - /* - * Same certificate, on allow list but past expiration. Expect to fail. - */ - if (date) { CFRelease(date); } - isnt(date = CFDateCreate(NULL, 667680000.0), NULL, "create date"); - ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set date to far future so certs are expired"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)", - (int)trustResult); - if (trust) { CFRelease(trust); } - if (date) { CFRelease(date); } - - /* - * Expired certificate not on allow list. Expect to fail. - */ - ok_status(SecTrustCreateWithCertificates(certs1e, policy, &trust), "create trust"); - /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */ - isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date"); - ok_status((date) ? 
SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)", - (int)trustResult); - if (trust) { CFRelease(trust); } - if (date) { CFRelease(date); } - - - /* Clean up. */ - if (policy) { CFRelease(policy); } - if (certs0) { CFRelease(certs0); } - if (certs1) { CFRelease(certs1); } - if (certs1e) { CFRelease(certs1e); } - if (certs2) { CFRelease(certs2); } - - if (test0[0]) { CFRelease(test0[0]); } - if (test0[1]) { CFRelease(test0[1]); } - if (test1[0]) { CFRelease(test1[0]); } - if (test1[1]) { CFRelease(test1[1]); } - if (test1e[0]) { CFRelease(test1e[0]); } - if (test1e[1]) { CFRelease(test1e[1]); } - if (test2[0]) { CFRelease(test2[0]); } - if (test2[1]) { CFRelease(test2[1]); } -} - -static void tests(void) -{ - TestAllowListForRootCA(); - TestLeafOnAllowList(); - TestLeafNotOnAllowList(); -} - -int si_84_sectrust_allowlist(int argc, char *const *argv) -{ - plan_tests(59); - tests(); - - return 0; -} diff --git a/OSX/sec/Security/SecCTKKey.c b/OSX/sec/Security/SecCTKKey.c index bbc468d8..a223e646 100644 --- a/OSX/sec/Security/SecCTKKey.c +++ b/OSX/sec/Security/SecCTKKey.c 
@@ -230,6 +230,60 @@ out:
 static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key);
+static Boolean SecCTKKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
+ SecCTKKeyData *kd = key->key;
+ CFTypeRef acm_reference = NULL;
+
+ static const CFStringRef *const knownUseFlags[] = {
+ &kSecUseOperationPrompt,
+ &kSecUseAuthenticationContext,
+ &kSecUseAuthenticationUI,
+ &kSecUseCallerName,
+ &kSecUseCredentialReference,
+ };
+
+ // Check, whether name is part of known use flags.
+ bool isUseFlag = false;
+ for (size_t i = 0; i < array_size(knownUseFlags); i++) {
+ if (CFEqual(*knownUseFlags[i], name)) {
+ isUseFlag = true;
+ break;
+ }
+ }
+
+ if (CFEqual(name, kSecUseAuthenticationContext)) {
+ // Preprocess LAContext to ACMRef value.
+ if (value != NULL) {
+ require_quiet(acm_reference = SecItemAttributesCopyPreparedAuthContext(value, error), out);
+ value = acm_reference;
+ }
+ name = kSecUseCredentialReference;
+ }
+
+ if (isUseFlag) {
+ // Release existing token connection to enforce creation of new connection with new auth params.
+ CFReleaseNull(kd->token);
+ if (value != NULL) {
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name, value);
+ } else {
+ CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name);
+ }
+ } else {
+ if (kd->params == NULL) {
+ kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ }
+ if (value != NULL) {
+ CFDictionarySetValue(kd->params, name, value);
+ } else {
+ CFDictionaryRemoveValue(kd->params, name);
+ }
+ }
+
+out:
+ CFReleaseSafe(acm_reference);
+ return TRUE;
+}
+
 static SecKeyDescriptor kSecCTKKeyDescriptor = {
 .version = kSecKeyDescriptorVersion,
 .name = "CTKKey",
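Review bot: SecCTKKeySetParameter returns TRUE on its failure path: when SecItemAttributesCopyPreparedAuthContext fails, require_quiet jumps to `out` with `*error` populated, nothing is stored in auth_params, and the caller is still told the parameter was set. Callers that follow the Boolean-plus-error convention check the return value, so a failed authentication-context preparation goes unnoticed and the key silently keeps its previous credential reference. Suggest `Boolean ok = FALSE;` at the top, `ok = TRUE;` immediately before `out:`, and `return ok;` at the end. The same shape existed in the SecKeySetParameter body removed in the @@ -444 hunk, so this is inherited rather than new, but moving the code into the descriptor is the moment to fix it.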
@@ -243,6 +297,7 @@ static SecKeyDescriptor kSecCTKKeyDescriptor = {
 .copyPublic = SecCTKKeyCopyPublicOctets,
 .copyOperationResult = SecCTKKeyCopyOperationResult,
 .createDuplicate = SecCTKKeyCreateDuplicate,
+ .setParameter = SecCTKKeySetParameter,
 };
 static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key) {
@@ -444,59 +499,3 @@ out:
 CFReleaseSafe(outputAttributes);
 return attestationData;
 }
-
-Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
- CFTypeRef acm_reference = NULL;
- require_action_quiet(key->key_class == &kSecCTKKeyDescriptor, out,
- SecError(errSecUnimplemented, error, CFSTR("SecKeySetParameter() not supported for key %@"), key));
- SecCTKKeyData *kd = key->key;
-
- static const CFStringRef *const knownUseFlags[] = {
- &kSecUseOperationPrompt,
- &kSecUseAuthenticationContext,
- &kSecUseAuthenticationUI,
- &kSecUseCallerName,
- &kSecUseCredentialReference,
- };
-
- // Check, whether name is part of known use flags.
- bool isUseFlag = false;
- for (size_t i = 0; i < array_size(knownUseFlags); i++) {
- if (CFEqual(*knownUseFlags[i], name)) {
- isUseFlag = true;
- break;
- }
- }
-
- if (CFEqual(name, kSecUseAuthenticationContext)) {
- // Preprocess LAContext to ACMRef value.
- if (value != NULL) {
- require_quiet(acm_reference = SecItemAttributesCopyPreparedAuthContext(value, error), out);
- value = acm_reference;
- }
- name = kSecUseCredentialReference;
- }
-
- if (isUseFlag) {
- // Release existing token connection to enforce creation of new connection with new auth params.
- CFReleaseNull(kd->token);
- if (value != NULL) {
- CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name, value);
- } else {
- CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name);
- }
- } else {
- if (kd->params == NULL) {
- kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
- }
- if (value != NULL) {
- CFDictionarySetValue(kd->params, name, value);
- } else {
- CFDictionaryRemoveValue(kd->params, name);
- }
- }
-
-out:
- CFReleaseSafe(acm_reference);
- return TRUE;
-}
diff --git a/OSX/sec/Security/SecCertificateInternal.h b/OSX/sec/Security/SecCertificateInternal.h
index da7de66f..fe449f36 100644
--- a/OSX/sec/Security/SecCertificateInternal.h
+++ b/OSX/sec/Security/SecCertificateInternal.h
@@ -58,14 +58,6 @@ CFDataRef SecCertificateCopyIssuerSequence(SecCertificateRef certificate);
 /* Return the DER encoded subject sequence for the receiving certificates subject. */
 CFDataRef SecCertificateCopySubjectSequence(SecCertificateRef certificate);
-/* Return the content of a DER encoded X.501 name (without the tag and length
- fields) for the receiving certificates issuer. */
-CFDataRef SecCertificateGetNormalizedIssuerContent(SecCertificateRef certificate);
-
-/* Return the content of a DER encoded X.501 name (without the tag and length
- fields) for the receiving certificates subject. */
-CFDataRef SecCertificateGetNormalizedSubjectContent(SecCertificateRef certificate);
-
 /* Return the normalized name or NULL if it fails to parse */
 CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);
diff --git a/OSX/sec/Security/SecCertificatePath.c b/OSX/sec/Security/SecCertificatePath.c
index 1e05a332..d215ee4d 100644
--- a/OSX/sec/Security/SecCertificatePath.c
+++ b/OSX/sec/Security/SecCertificatePath.c
@@ -626,7 +626,7 @@ bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath) {
 return false;
 }
-static bool SecCertificatePathHasWeakKeySize(SecCertificatePathRef certificatePath) {
+bool SecCertificatePathHasWeakKeySize(SecCertificatePathRef certificatePath) {
 CFDictionaryRef keySizes = NULL;
 CFNumberRef rsaSize = NULL, ecSize = NULL;
 bool result = true;
diff --git a/OSX/sec/Security/SecCertificatePath.h b/OSX/sec/Security/SecCertificatePath.h
index a1e5e966..46d9855f 100644
--- a/OSX/sec/Security/SecCertificatePath.h
+++ b/OSX/sec/Security/SecCertificatePath.h
@@ -127,6 +127,8 @@ bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsolute
 bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath);
+bool SecCertificatePathHasWeakKeySize(SecCertificatePathRef certificatePath);
+
 CFIndex SecCertificatePathScore(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime);
diff --git a/OSX/sec/Security/SecCertificatePriv.h b/OSX/sec/Security/SecCertificatePriv.h
index 16d4cb85..358e1b46 100644
--- a/OSX/sec/Security/SecCertificatePriv.h
+++ b/OSX/sec/Security/SecCertificatePriv.h
@@ -150,6 +150,14 @@ CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate, CFErrorR
 CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate);
 #endif
+/* Return the content of a DER encoded X.501 name (without the tag and length
+ fields) for the receiving certificates issuer. */
+CFDataRef SecCertificateGetNormalizedIssuerContent(SecCertificateRef certificate);
+
+/* Return the content of a DER encoded X.501 name (without the tag and length
+ fields) for the receiving certificates subject. */
+CFDataRef SecCertificateGetNormalizedSubjectContent(SecCertificateRef certificate);
+
 /* Return an array of CFStringRefs representing the ip addresses in the certificate if any. */
 CFArrayRef SecCertificateCopyIPAddresses(SecCertificateRef certificate);
diff --git a/OSX/sec/Security/SecExports.exp-in b/OSX/sec/Security/SecExports.exp-in
index 4399d1e5..7511598e 100644
--- a/OSX/sec/Security/SecExports.exp-in
+++ b/OSX/sec/Security/SecExports.exp-in
@@ -507,6 +507,7 @@ _SecCertificatePathGetNextSourceIndex
 _SecCertificatePathGetRoot
 _SecCertificatePathGetUsageConstraintsAtIndex
 _SecCertificatePathHasWeakHash
+_SecCertificatePathHasWeakKeySize
 _SecCertificatePathIsAnchored
 _SecCertificatePathIsValid
 _SecCertificatePathScore
diff --git a/OSX/sec/Security/SecItem.c b/OSX/sec/Security/SecItem.c
index 18c36670..dfed2289 100644
--- a/OSX/sec/Security/SecItem.c
+++ b/OSX/sec/Security/SecItem.c
@@ -88,9 +88,7 @@
 #include
 #include
 #include
-#ifndef SECITEM_SHIM_OSX
 #include
-#endif // *** END SECITEM_SHIM_OSX ***
 #include
 #include
@@ -1108,7 +1106,6 @@ static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, bool forQuery, C
 CFDictionarySetValue(SecCFDictionaryCOWGetMutable(attrs), kSecMatchPolicy, objectReadyForXPC);
 CFRelease(objectReadyForXPC);
 }
-#ifndef SECITEM_SHIM_OSX
 value = CFDictionaryGetValue(attrs->dictionary, kSecAttrIssuer);
 if (value) {
 /* convert DN to canonical issuer, if value is DN (top level sequence) */
@@ -1124,7 +1121,6 @@ static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, bool forQuery, C
 }
 }
 }
-#endif
 ok = true;
@@ -1162,6 +1158,25 @@ bool SecItemAuthDo(SecCFDictionaryCOW *auth_params, CFErrorRef *error, SecItemAu
 bool ok = false;
 CFArrayRef ac_pairs = NULL;
 SecCFDictionaryCOW auth_options = { NULL };
+ //We need to create shared LAContext for Mail to reduce popups with Auth UI.
+ //This app-hack will be removed by:
+ static CFTypeRef sharedLAContext = NULL;
+ static CFDataRef sharedACMContext = NULL;
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ CFBundleRef bundle = CFBundleGetMainBundle();
+ CFStringRef bundleName = (bundle != NULL)?CFBundleGetIdentifier(bundle):NULL;
+ if (bundleName && CFEqual(bundleName, CFSTR("com.apple.mail"))) {
+ sharedLAContext = LACreateNewContextWithACMContext(NULL, error);
+ sharedACMContext = (sharedLAContext != NULL)?LACopyACMContext(sharedLAContext, error):NULL;
+ }
+ });
+ if (sharedLAContext && sharedACMContext &&
+ (auth_params->dictionary == NULL || (CFDictionaryGetValue(auth_params->dictionary, kSecUseAuthenticationContext) == NULL &&
+ CFDictionaryGetValue(auth_params->dictionary, kSecUseCredentialReference) == NULL))) {
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(auth_params), kSecUseAuthenticationContext, sharedLAContext);
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(auth_params), kSecUseCredentialReference, sharedACMContext);
+ }
 for (uint32_t i = 0;; ++i) {
 // If the operation succeeded or failed with other than auth-needed error, just leave.
diff --git a/OSX/sec/Security/SecKey.c b/OSX/sec/Security/SecKey.c
index 90cef042..1375ce93 100644
--- a/OSX/sec/Security/SecKey.c
+++ b/OSX/sec/Security/SecKey.c
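Review bot: The dispatch_once block captures the `error` out-parameter of whichever call first enters SecItemAuthDo and hands it to LACreateNewContextWithACMContext and LACopyACMContext; if either fails, that caller's `*error` is populated even though the auth loop below may then succeed, and every later caller gets no indication of why the shared context is absent. Keeping the app-hack's failure in a local CFErrorRef that is logged and released inside the block separates it from the operation's own result, as sketched below. The comment `//This app-hack will be removed by:` is also missing whatever reference was meant to follow it; complete it or drop the half sentence. A short comment noting that the bundle-identifier check only changes behaviour inside the calling process (it is not a trust decision) would stop a later reader from treating it as one. The rest of SecItemAuthDo is outside the hunk.
```c
dispatch_once(&onceToken, ^{
    CFErrorRef localError = NULL;
    CFBundleRef bundle = CFBundleGetMainBundle();
    CFStringRef bundleName = (bundle != NULL) ? CFBundleGetIdentifier(bundle) : NULL;
    if (bundleName && CFEqual(bundleName, CFSTR("com.apple.mail"))) {
        sharedLAContext = LACreateNewContextWithACMContext(NULL, &localError);
        sharedACMContext = (sharedLAContext != NULL) ? LACopyACMContext(sharedLAContext, &localError) : NULL;
        if (sharedACMContext == NULL) {
            /* log with whatever secnotice-style facility SecItem.c already uses; do not surface through *error */
        }
        CFReleaseNull(localError);
    }
});
/* … unchanged: injection of sharedLAContext / sharedACMContext into auth_params … */
```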
@@ -1180,11 +1180,19 @@ SecKeyRef SecKeyCreateDuplicate(SecKeyRef key) {
 }
 }
+Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
+ if (key->key_class->version >= 4 && key->key_class->setParameter) {
+ return key->key_class->setParameter(key, name, value, error);
+ } else {
+ return SecError(errSecUnimplemented, error, CFSTR("setParameter not implemented for %@"), key);
+ }
+}
+
 #pragma mark Generic algorithm adaptor lookup and invocation
 static CFTypeRef SecKeyCopyBackendOperationResult(SecKeyOperationContext *context, SecKeyAlgorithm algorithm, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
- CFTypeRef result = NULL;
+ CFTypeRef result = kCFNull;
 assert(CFArrayGetCount(context->algorithm) > 0);
 if (context->key->key_class->version >= 4 && context->key->key_class->copyOperationResult != NULL) {
 return context->key->key_class->copyOperationResult(context->key, context->operation, algorithm,
diff --git a/OSX/sec/Security/SecKeyPriv.h b/OSX/sec/Security/SecKeyPriv.h
index 51704ea9..60aabb66 100644
--- a/OSX/sec/Security/SecKeyPriv.h
+++ b/OSX/sec/Security/SecKeyPriv.h
@@ -133,6 +133,7 @@ typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErr
 typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key);
 typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2);
 typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key);
+typedef Boolean (*SecKeySetParameterMethod)(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error);
 /*! @abstract Performs cryptographic operation with the key.
@@ -200,6 +201,7 @@ typedef struct __SecKeyDescriptor {
 SecKeyCopyOperationResultMethod copyOperationResult;
 SecKeyIsEqualMethod isEqual;
 SecKeyCreateDuplicateMethod createDuplicate;
+ SecKeySetParameterMethod setParameter;
 #endif
 } SecKeyDescriptor;
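Review bot: `setParameter` is appended inside the same `#if` block as the other version-4 members of SecKeyDescriptor, and the new SecKeySetParameter reads it for any descriptor with `version >= 4`. Unless kSecKeyDescriptorVersion is bumped in the same change (not visible in this diff), a version-4 descriptor built against the previous header would be read past its end the first time SecKeySetParameter is called on such a key. Either bump the version and gate on `>= 5` here, or add a comment in SecKeyPriv.h next to `setParameter` stating that every version-4 descriptor in the tree must be rebuilt with this header.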
@@ -458,8 +460,8 @@ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AV
 @param error Error which gathers more information when something went wrong.
 @discussion Serves as channel between SecKey client and backend for passing additional sideband data send from SecKey caller
- to SecKey implementation backend (currently only CTK-based token backend is supported). Parameter names and types are
- a contract between SecKey user (application) and backend and are not interpreted by SecKey layer in any way.
+ to SecKey implementation backend. Parameter names and types are either generic kSecUse*** attributes or are a contract between
+ SecKey user (application) and backend and in this case are not interpreted by SecKey layer in any way.
 */
 Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
diff --git a/OSX/sec/Security/SecPolicy.c b/OSX/sec/Security/SecPolicy.c
index 3b0ed374..ce03cdf9 100644
--- a/OSX/sec/Security/SecPolicy.c
+++ b/OSX/sec/Security/SecPolicy.c
@@ -613,6 +613,10 @@ errOut:
 return result;
 }
+#ifdef TARGET_OS_OSX
+static void set_ku_from_properties(SecPolicyRef policy, CFDictionaryRef properties);
+#endif
+
 SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
 CFDictionaryRef properties) {
 // Creates a policy reference for a given policy object identifier.
@@ -898,6 +902,9 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
 secerror("ERROR: policy \"%@\" is unsupported", policyIdentifier);
 }
+#ifdef TARGET_OS_OSX
+ set_ku_from_properties(policy, properties);
+#endif
 errOut:
 return policy;
 }
@@ -1093,6 +1100,9 @@ OSStatus SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properti
 }
 }
+#ifdef TARGET_OS_OSX
+ set_ku_from_properties(policyRef, properties);
+#endif
 CFRelease(oid);
 return result;
 }
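Review bot: `#ifdef TARGET_OS_OSX` tests whether the macro is defined, not whether it is 1; TargetConditionals.h defines every TARGET_OS_* macro as 0 or 1 on all Apple platforms, so these three guards in the @@ -613, @@ -898 and @@ -1093 hunks (and the one around the definition in the @@ -1446 hunk) are taken on iOS, tvOS and watchOS as well. If the key-usage-from-properties behaviour is meant to be macOS-only, write `#if TARGET_OS_OSX` in all four places. If it is meant for every platform, drop the guards rather than keep a misleading one.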
@@ -1446,6 +1456,53 @@ static void add_ku(CFMutableDictionaryRef options, SecKeyUsage keyUsage) {
 }
 }
+#ifdef TARGET_OS_OSX
+static void set_ku_from_properties(SecPolicyRef policy, CFDictionaryRef properties) {
+ if (!policy || !properties) {
+ return;
+ }
+
+ CFStringRef keyNames[] = { kSecPolicyKU_DigitalSignature, kSecPolicyKU_NonRepudiation, kSecPolicyKU_KeyEncipherment, kSecPolicyKU_DataEncipherment,
+ kSecPolicyKU_KeyAgreement, kSecPolicyKU_KeyCertSign, kSecPolicyKU_CRLSign, kSecPolicyKU_EncipherOnly, kSecPolicyKU_DecipherOnly };
+
+ uint32_t keyUsageValues[] = { kSecKeyUsageDigitalSignature, kSecKeyUsageNonRepudiation, kSecKeyUsageKeyEncipherment, kSecKeyUsageDataEncipherment,
+ kSecKeyUsageKeyAgreement, kSecKeyUsageKeyCertSign, kSecKeyUsageCRLSign, kSecKeyUsageEncipherOnly, kSecKeyUsageDecipherOnly };
+
+ bool haveKeyUsage = false;
+ CFTypeRef keyUsageBoolean;
+ for (uint32_t i = 0; i < sizeof(keyNames) / sizeof(CFStringRef); ++i) {
+ if (CFDictionaryGetValueIfPresent(properties, keyNames[i], (const void**)&keyUsageBoolean)) {
+ if (CFEqual(keyUsageBoolean, kCFBooleanTrue)) {
+ haveKeyUsage = true;
+ break;
+ }
+ }
+ }
+
+ if (!haveKeyUsage) {
+ return;
+ }
+
+ CFMutableDictionaryRef options = (CFMutableDictionaryRef) policy->_options;
+ if (!options) {
+ options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (!options) return;
+ policy->_options = options;
+ } else {
+ CFDictionaryRemoveValue(options, kSecPolicyCheckKeyUsage);
+ }
+
+ for (uint32_t i = 0; i < sizeof(keyNames) / sizeof(CFStringRef); ++i) {
+ if (CFDictionaryGetValueIfPresent(properties, keyNames[i], (const void**)&keyUsageBoolean)) {
+ if (CFEqual(keyUsageBoolean, kCFBooleanTrue)) {
+ add_ku(options, keyUsageValues[i]);
+ }
+ }
+ }
+}
+#endif
+
 static void add_oid(CFMutableDictionaryRef options, CFStringRef policy_key, const DERItem *oid) {
 CFDataRef oid_data = CFDataCreate(kCFAllocatorDefault, oid ?
oid->data : NULL,
@@ -1617,6 +1674,29 @@ errOut:
 return success;
 }
+static bool SecPolicyAddStrongKeySizeOptions(CFMutableDictionaryRef options) {
+ bool success = false;
+ CFDictionaryRef keySizes = NULL;
+ CFNumberRef rsaSize = NULL, ecSize = NULL;
+
+ /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
+ require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
+ require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
+ const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
+ const void *values[] = { rsaSize, ecSize };
+ require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
+ add_element(options, kSecPolicyCheckKeySize, keySizes);
+
+ success = true;
+
+errOut:
+ CFReleaseSafe(keySizes);
+ CFReleaseSafe(rsaSize);
+ CFReleaseSafe(ecSize);
+ return success;
+}
+
 static bool isAppleOid(CFStringRef oid) {
 if (!SecCertificateIsOidString(oid)) {
 return false;
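Review bot: set_ku_from_properties casts `policy->_options` to CFMutableDictionaryRef and then calls CFDictionaryRemoveValue and add_ku on it, which is only safe if every path that creates a policy stores a mutable dictionary there. SecPolicyCreate is outside the hunk, and the @@ -1093 hunk runs this on any caller-supplied policy through SecPolicySetProperties, so an immutable or shared `_options` would trap or silently change another policy's checks. If mutability cannot be guaranteed, build `CFDictionaryCreateMutableCopy(NULL, 0, policy->_options)`, apply the key-usage changes to the copy, and swap it into `policy->_options` with the old value released. Either way a one-line comment stating the mutability invariant above the cast would help the next reader.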
@@ -1627,16 +1707,33 @@ static bool isAppleOid(CFStringRef oid) {
 return false;
 }
-static bool allowTestHierarchyForPolicy(CFStringRef policyName) {
+static bool isCFPreferenceInSecurityDomain(CFStringRef setting) {
+ /* For backwards compatibility reasons we have to check both "com.apple.security"
+ and "com.apple.Security". */
+ return (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL) ||
+ CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL));
+}
+
+static bool allowTestHierarchyForPolicy(CFStringRef policyName, bool isSSL) {
 bool allow = false;
+
 CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("ApplePinningAllowTestCerts%@"), policyName);
 require(setting, fail);
- if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL)) {
+ if (isCFPreferenceInSecurityDomain(setting)) {
 allow = true;
 } else {
 secnotice("pinningQA", "could not enable test hierarchy: %@ not true", setting);
 }
 CFRelease(setting);
+
+ if (!allow && isSSL) {
+ if (isCFPreferenceInSecurityDomain(CFSTR("AppleServerAuthenticationAllowUAT"))) {
+ allow = true;
+ } else {
+ secnotice("pinningQA", "could not enable test hierarchy: AppleServerAuthenticationAllowUAT not true");
+ }
+ }
+
 fail:
 return allow;
 }
@@ -1649,7 +1746,7 @@ static bool SecPolicyAddAppleAnchorOptions(CFMutableDictionaryRef options, CFStr
 return false;
 }
- if (allowTestHierarchyForPolicy(policyName)) {
+ if (allowTestHierarchyForPolicy(policyName, false)) {
 CFDictionarySetValue(appleAnchorOptions, kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
 }
@@ -1708,8 +1805,6 @@ errOut:
 SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName, CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) {
 CFMutableDictionaryRef options = NULL;
- CFDictionaryRef keySizes = NULL;
- CFNumberRef rsaSize = NULL, ecSize = NULL;
 SecPolicyRef result = NULL;
 if (!policyName || !intermediateMarkerOID || !leafMarkerOID) {
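Review bot: The new `isSSL` branch of allowTestHierarchyForPolicy turns on kSecPolicyAppleAnchorIncludeTestRoots for every Apple-pinned SSL policy whenever the `AppleServerAuthenticationAllowUAT` preference is true, and unlike requireUATPinning in the @@ -1771 hunk this function has no SecIsInternalRelease() gate; CFPreferencesGetAppBooleanValue also consults the per-user domain. If test roots are reachable in the anchor set on customer builds, a user-writable preference would widen the trust anchors for all such policies; if they are not, the branch is harmless but that reasoning is undocumented. Suggest `if (!allow && isSSL && SecIsInternalRelease()) {` to match requireUATPinning, or a comment on the function stating why the release check is deliberately absent. The per-policy `ApplePinningAllowTestCerts%@` path has the same exposure but predates this change.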
@@ -1744,22 +1839,13 @@ SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName, CFStringRef inte
 add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
 /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
- require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
- require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
- const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
- const void *values[] = { rsaSize, ecSize };
- require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
- &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
- add_element(options, kSecPolicyCheckKeySize, keySizes);
+ require(SecPolicyAddStrongKeySizeOptions(options), errOut);
 require(result = SecPolicyCreate(kSecPolicyAppleGenericApplePinned, policyName, options), errOut);
 errOut:
 CFReleaseSafe(options);
- CFReleaseSafe(keySizes);
- CFReleaseSafe(rsaSize);
- CFReleaseSafe(ecSize);
 return result;
 }
@@ -1771,12 +1857,22 @@ requireUATPinning(CFStringRef service)
 if (SecIsInternalRelease()) {
 CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationNoPinning%@"), service);
 require(setting, fail);
- if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) {
+ if(isCFPreferenceInSecurityDomain(setting)) {
 pinningRequired = false;
 } else {
 secnotice("pinningQA", "could not disable pinning: %@ not true", setting);
 }
 CFRelease(setting);
+
+ if (!pinningRequired) {
+ goto fail;
+ }
+
+ if(isCFPreferenceInSecurityDomain(CFSTR("AppleServerAuthenticationNoPinning"))) {
+ pinningRequired = false;
+ } else {
+ secnotice("pinningQA", "could not disable pinning: AppleServerAuthenticationNoPinning not true");
+ }
 } else {
 secnotice("pinningQA", "could not disable pinning: not an internal release");
 }
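Review bot: The two new conditions `if(isCFPreferenceInSecurityDomain(setting)) {` and `if(isCFPreferenceInSecurityDomain(CFSTR("AppleServerAuthenticationNoPinning"))) {` drop the space after `if` that every other condition in requireUATPinning uses; write `if (` in both. The `goto fail` taken when the per-service preference already disabled pinning jumps to a label outside the hunk, and the function's opening is outside it too, so the early exit reads oddly in isolation; a one-line comment such as `/* per-service override already disabled pinning; the global switch is not consulted */` above it would make the precedence explicit.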
@@ -1786,7 +1882,7 @@ fail:
 SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname, CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) {
-    CFMutableDictionaryRef options = NULL;
+    CFMutableDictionaryRef options = NULL, appleAnchorOptions = NULL;
     SecPolicyRef result = NULL;
     if (!policyName || !hostname || !leafMarkerOID) {
@@ -1794,13 +1890,41 @@ SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef h
     }
     if (requireUATPinning(policyName)) {
+        require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+                                                    &kCFTypeDictionaryKeyCallBacks,
+                                                    &kCFTypeDictionaryValueCallBacks), errOut);
+
+        SecPolicyAddBasicX509Options(options);
+
+        /* Anchored to the Apple Roots */
+        require_quiet(appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL), errOut);
+        if (allowTestHierarchyForPolicy(policyName, true)) {
+            CFDictionarySetValue(appleAnchorOptions,
+                                 kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+        }
+        add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+
+        /* Exactly 3 certs in the chain */
+        require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
         if (intermediateMarkerOID) {
-            require(result = SecPolicyCreateApplePinned(policyName, intermediateMarkerOID, leafMarkerOID), errOut);
+            /* Intermediate marker OID matches input OID */
+            if (!isAppleOid(intermediateMarkerOID)) {
+                secwarning("creating an Apple pinning policy with a non-Apple OID: %@", intermediateMarkerOID);
+            }
+            add_element(options, kSecPolicyCheckIntermediateMarkerOid, intermediateMarkerOID);
         } else {
-            require(result = SecPolicyCreateApplePinned(policyName, CFSTR("1.2.840.113635.100.6.2.12"), leafMarkerOID), errOut);
+            add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.12"));
         }
-        require_action(options = CFDictionaryCreateMutableCopy(NULL, 0, result->_options), errOut, CFReleaseNull(result));
+        /* Leaf marker OID matches input OID */
+        if (!isAppleOid(leafMarkerOID)) {
+            secwarning("creating an Apple pinning policy with a non-Apple OID: %@", leafMarkerOID);
+        }
+        add_leaf_marker_string(options, leafMarkerOID);
+
+        /* New leaf marker OID format */
+        add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), leafMarkerOID);
         /* ServerAuth EKU is in leaf cert */
         add_eku_string(options,
                        CFSTR("1.3.6.1.5.5.7.3.1"));
@@ -1808,19 +1932,23 @@ SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef h
         /* Hostname is in leaf cert */
         add_element(options, kSecPolicyCheckSSLHostname, hostname);
-        /* New leaf marker OID format */
-        add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), leafMarkerOID);
+        /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
+        require(SecPolicyAddStrongKeySizeOptions(options), errOut);
+
+        /* Check revocation using any available method */
+        add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
+
+        require(result = SecPolicyCreate(kSecPolicyAppleGenericAppleSSLPinned,
+                                         policyName, options), errOut);
-        CFReleaseSafe(result->_options);
-        result->_options = CFRetainSafe(options);
     } else {
         result = SecPolicyCreateSSL(true, hostname);
+        SecPolicySetOid(result, kSecPolicyAppleGenericAppleSSLPinned);
     }
-    SecPolicySetOid(result, kSecPolicyAppleGenericAppleSSLPinned);
-
 errOut:
     CFReleaseSafe(options);
+    CFReleaseSafe(appleAnchorOptions);
     return result;
 }
@@ -2057,7 +2185,7 @@ SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void) {
     appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
     require(appleAnchorOptions, errOut);
-    if (allowTestHierarchyForPolicy(kSecPolicyNameiPhoneApplicationSigning)) {
+    if (allowTestHierarchyForPolicy(kSecPolicyNameiPhoneApplicationSigning, false)) {
         /* Allow a test hierarchy-signed cert with prod name/OIDs */
         CFDictionarySetValue(appleAnchorOptions, kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
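Review bot: In the `else` branch of `SecPolicyCreateAppleSSLPinned`, the policy handed back when `requireUATPinning` is false is a plain `SecPolicyCreateSSL` policy relabeled with `kSecPolicyAppleGenericAppleSSLPinned`, so a caller that inspects the OID cannot tell that the anchor, marker-OID, chain-length, key-size and revocation checks built in the pinned branch were all skipped. A comment on that branch would make the intent explicit, e.g. `/* Internal builds only: pinning disabled by preference (see requireUATPinning). Keep the pinned OID so policy matching is unchanged, but the chain is evaluated as generic SSL. */`. `SecPolicyCreateSSL` may return NULL and `result` is not checked before the new `SecPolicySetOid` call; if that function does not tolerate a NULL policy, guard it. Releasing `appleAnchorOptions` under `errOut` correctly covers both branches.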
@@ -3059,8 +3187,9 @@ static bool
 allowUATRoot(bool allowNonProd, CFStringRef service, CFDictionaryRef context)
 {
     bool UATAllowed = false;
+    CFStringRef setting = NULL;
     if (SecIsInternalRelease() || allowNonProd) {
-        CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationAllowUAT%@"), service);
+        setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationAllowUAT%@"), service);
         CFTypeRef value = NULL;
         require(setting, fail);
@@ -3072,18 +3201,26 @@ allowUATRoot(bool allowNonProd, CFStringRef service, CFDictionaryRef context)
             UATAllowed = true;
         }
-        if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) {
+        if (isCFPreferenceInSecurityDomain(setting)) {
             UATAllowed = true;
         }
         if (!UATAllowed) {
             secnotice("pinningQA", "could not enable test cert: %@ not true", setting);
+        } else {
+            goto fail;
+        }
+
+        if (isCFPreferenceInSecurityDomain(CFSTR("AppleServerAuthenticationAllowUAT"))) {
+            UATAllowed = true;
+        } else {
+            secnotice("pinningQA", "could not enable test hierarchy: AppleServerAuthenticationAllowUAT not true");
         }
-        CFRelease(setting);
     } else {
         secnotice("pinningQA", "could not enable test cert: not an internal release");
     }
 fail:
+    CFReleaseNull(setting);
     return UATAllowed;
 }
@@ -3133,11 +3270,10 @@ SecPolicyCreateAppleServerAuthCommon(CFStringRef hostname,
      * Require pinning to the Apple CA's (and if UAT environment,
      * include the Apple Test CA's as anchors).
      */
-
     appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
     require(appleAnchorOptions, errOut);
-    if (allowUAT || allowTestHierarchyForPolicy(service)) {
+    if (allowUAT || allowTestHierarchyForPolicy(service, true)) {
         /* Note: SecPolicyServer won't allow the test roots for non-internal devices */
         CFDictionarySetValue(appleAnchorOptions, kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
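Review bot: The new fallback in `allowUATRoot` logs `could not enable test hierarchy: AppleServerAuthenticationAllowUAT not true`, while every other message in this function says `could not enable test cert`; the wording was carried over from `allowTestHierarchyForPolicy` and makes the two code paths hard to tell apart in the `pinningQA` log. Suggest `secnotice("pinningQA", "could not enable test cert: AppleServerAuthenticationAllowUAT not true");`. The `if (!UATAllowed) { ... } else { goto fail; }` shape also reads inverted; `if (UATAllowed) { goto fail; /* per-service override wins */ }` followed by the unconditional `secnotice` keeps the same behaviour. Moving the release to `CFReleaseNull(setting)` under `fail:` with `setting` initialised to NULL is correct for every exit, including the non-internal path where it was never created.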
@@ -3679,7 +3815,7 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) {
     // Apple anchors, allowing test anchors for internal releases properly configured
     appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
     require(appleAnchorOptions, errOut);
-    if (allowUAT || allowTestHierarchyForPolicy(kSecPolicyNameAppleHomeKitServerAuth)) {
+    if (allowUAT || allowTestHierarchyForPolicy(kSecPolicyNameAppleHomeKitServerAuth, true)) {
         CFDictionarySetValue(appleAnchorOptions, kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
     }
@@ -3778,15 +3914,7 @@ SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void) {
     add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
     /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
-    require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
-    require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
-    const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
-    const void *values[] = { rsaSize, ecSize };
-    require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
-                                          &kCFTypeDictionaryKeyCallBacks,
-                                          &kCFTypeDictionaryValueCallBacks), errOut);
-    add_element(options, kSecPolicyCheckKeySize, keySizes);
-
+    require(SecPolicyAddStrongKeySizeOptions(options), errOut);
     require(result = SecPolicyCreate(kSecPolicyAppleSoftwareSigning, kSecPolicyNameAppleSoftwareSigning, options), errOut);
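Review bot: The `SecPolicyCreateAppleSoftwareSigning` hunk removes the uses of `rsaSize`, `ecSize` and `keySizes` but neither their declarations nor the `CFReleaseSafe` calls at `errOut`; those lines are outside this hunk, and the same is true of the `SecPolicyCreateAppleWarsaw` and `SecPolicyCreateAppleSecureIOStaticAsset` hunks that follow. If they were not removed elsewhere in the commit they are now dead variables, whereas the `SecPolicyCreateApplePinned` hunks earlier in the diff drop declarations, uses and releases together. Please confirm the three functions received the same treatment.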
@@ -3824,7 +3952,7 @@ SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef testRootHash)
     /* Anchored to the SEP Root CA. Allow alternative root for developers */
     require(SecPolicyAddAnchorSHA256Options(options, SEPRootCA_SHA256),errOut);
     if (testRootHash && SecIsInternalRelease() && !SecIsProductionFused() &&
-        allowTestHierarchyForPolicy(kSecPolicyNameAppleUniqueDeviceCertificate)
+        allowTestHierarchyForPolicy(kSecPolicyNameAppleUniqueDeviceCertificate, false)
         && (kSecPolicySHA256Size == CFDataGetLength(testRootHash))) {
         add_element(options, kSecPolicyCheckAnchorSHA256, testRootHash);
     }
@@ -3898,13 +4026,7 @@ SecPolicyRef SecPolicyCreateAppleWarsaw(void) {
     add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
     /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
-    require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
-    require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
-    const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
-    const void *values[] = { rsaSize, ecSize };
-    require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
-                                          &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
-    add_element(options, kSecPolicyCheckKeySize, keySizes);
+    require(SecPolicyAddStrongKeySizeOptions(options), errOut);
     require(result = SecPolicyCreate(kSecPolicyAppleWarsaw, kSecPolicyNameAppleWarsaw, options), errOut);
@@ -3956,13 +4078,7 @@ SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) {
     add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.50"));
     /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
-    require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
-    require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
-    const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
-    const void *values[] = { rsaSize, ecSize };
-    require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
-                                          &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
-    add_element(options, kSecPolicyCheckKeySize, keySizes);
+    require(SecPolicyAddStrongKeySizeOptions(options), errOut);
     require(result = SecPolicyCreate(kSecPolicyAppleSecureIOStaticAsset, kSecPolicyNameAppleSecureIOStaticAsset, options), errOut);
diff --git a/OSX/sec/Security/SecPolicyLeafCallbacks.c b/OSX/sec/Security/SecPolicyLeafCallbacks.c
index 081b1ece..d3783937 100644
--- a/OSX/sec/Security/SecPolicyLeafCallbacks.c
+++ b/OSX/sec/Security/SecPolicyLeafCallbacks.c
@@ -162,7 +162,6 @@ static bool SecPolicyCheckCertQualifiedCertStatements(SecCertificateRef __unused
     return true;
 }
-#if 0
 /* We have a wildcard reference identifier that looks like "*." followed by 2 or more labels. Use CFNetwork's function for determining if those labels comprise a top-level domain. We need to dlopen since CFNetwork is a client of ours. */
@@ -176,7 +175,7 @@ static bool SecDNSIsTLD(CFStringRef reference) {
     dispatch_once(&onceToken, ^{
         void *framework = dlopen("/System/Library/Frameworks/CFNetwork.framework/CFNetwork", RTLD_LAZY);
         if (framework) {
-            CFNIsDomainTopLevelFunctionPtr = dlsym(framework, "_CFHostIsDomainTopLevel");
+            CFNIsDomainTopLevelFunctionPtr = dlsym(framework, "_CFHostIsDomainTopLevelForCertificatePolicy");
         }
     });
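Review bot: With `SecDNSIsTLD` brought back out of `#if 0` and the re-enabled `require_quiet(!SecDNSIsTLD(presented), noMatch);` in `SecDNSMatch` (the `@@ -258` hunk that follows), whether a wildcard sitting directly under a multi-label public suffix is accepted now depends on what `SecDNSIsTLD` returns when `dlsym` for `_CFHostIsDomainTopLevelForCertificatePolicy` yields NULL, and the code that handles a NULL `CFNIsDomainTopLevelFunctionPtr` is outside these hunks. The fallback direction should be stated at the lookup, e.g. `/* If CFNetwork or the symbol is unavailable the pointer stays NULL; the caller below treats that case as <fail-closed/fail-open — confirm> */`, and a test covering the missing-symbol case would keep it from regressing silently. The renamed symbol is a private CFNetwork entry point, so a comment naming the CFNetwork change that introduced it would help the next person who has to update it.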
@@ -195,7 +194,6 @@ out:
     CFReleaseNull(presentedDomain);
     return result;
 }
-#endif
 /* Compare hostname, to a server name obtained from the server's cert
  Obtained from the SubjectAltName or the CommonName entry in the Subject.
@@ -258,11 +256,9 @@ static bool SecDNSMatch(CFStringRef reference, CFStringRef presented) {
             /* must not occur before single-label TLD */
             require_quiet(count > 2 && ix != count - 2, noMatch);
-#if 0
-            // , check removed due to
+            /* must not occur before a multi-label gTLD */
             require_quiet(!SecDNSIsTLD(presented), noMatch);
-#endif
         } else {
             /* partial-label wildcards are disallowed */
             CFRange partialRange = CFStringFind(plabel, CFSTR("*"), 0);
diff --git a/OSX/sec/Security/SecSharedCredential.c b/OSX/sec/Security/SecSharedCredential.c
index bf7a275a..97c43792 100644
--- a/OSX/sec/Security/SecSharedCredential.c
+++ b/OSX/sec/Security/SecSharedCredential.c
@@ -37,6 +37,7 @@ OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn, CFStringRef account, CFStringRef password, CFErrorRef *error);
 OSStatus SecCopySharedWebCredentialSync(CFStringRef fqdn, CFStringRef account, CFArrayRef *credentials, CFErrorRef *error);
+#if TARGET_OS_IOS
 OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn,
                                        CFStringRef account,
@@ -54,11 +55,7 @@ OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn,
         CFDictionaryAddValue(args, kSecAttrAccount, account);
     }
     if (password) {
-#if TARGET_OS_IPHONE && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_WATCH && !TARGET_OS_TV
         CFDictionaryAddValue(args, kSecSharedPassword, password);
-#else
-        CFDictionaryAddValue(args, CFSTR("spwd"), password);
-#endif
     }
     status = SecOSStatusWith(^bool (CFErrorRef *error) {
         CFTypeRef raw_result = NULL;
@@ -87,6 +84,7 @@ OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn,
     return status;
 }
+#endif /* TARGET_OS_IOS */
 void SecAddSharedWebCredential(CFStringRef fqdn,
                                CFStringRef account,
@@ -95,7 +93,7 @@ void SecAddSharedWebCredential(CFStringRef fqdn,
 {
     __block CFErrorRef error = NULL;
     __block dispatch_queue_t dst_queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT,0);
-    dispatch_retain(dst_queue);
+#if TARGET_OS_IOS
     /* sanity check input arguments */
     CFStringRef errStr = NULL;
@@ -113,7 +111,6 @@ void SecAddSharedWebCredential(CFStringRef fqdn,
                 completionHandler(error);
             }
             CFReleaseSafe(error);
-            dispatch_release(dst_queue);
         });
         return;
     }
@@ -136,12 +133,20 @@ void SecAddSharedWebCredential(CFStringRef fqdn,
                 completionHandler(error);
             }
             CFReleaseSafe(error);
-            dispatch_release(dst_queue);
         });
     });
-
+#else
+    SecError(errSecParam, &error, CFSTR("SharedWebCredentials not supported on this platform"));
+    dispatch_async(dst_queue, ^{
+        if (completionHandler) {
+            completionHandler(error);
+        }
+        CFReleaseSafe(error);
+    });
+#endif
 }
+#if TARGET_OS_IOS
 OSStatus SecCopySharedWebCredentialSync(CFStringRef fqdn,
                                         CFStringRef account,
                                         CFArrayRef *credentials,
@@ -186,17 +191,17 @@ OSStatus SecCopySharedWebCredentialSync(CFStringRef fqdn,
     });
     return status;
-
 }
+#endif /* TARGET_OS_IOS */
 void SecRequestSharedWebCredential(CFStringRef fqdn,
                                    CFStringRef account,
                                    void (^completionHandler)(CFArrayRef credentials, CFErrorRef error))
 {
-    __block CFArrayRef result = NULL;
     __block CFErrorRef error = NULL;
     __block dispatch_queue_t dst_queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT,0);
-    dispatch_retain(dst_queue);
+#if TARGET_OS_IOS
+    __block CFArrayRef result = NULL;
     /* sanity check input arguments, if provided */
     CFStringRef errStr = NULL;
@@ -214,7 +219,6 @@ void SecRequestSharedWebCredential(CFStringRef fqdn,
             }
             CFReleaseSafe(error);
             CFReleaseSafe(result);
-            dispatch_release(dst_queue);
         });
         return;
     }
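Review bot: The new `#else` branch of `SecAddSharedWebCredential` reports the unsupported platform with `errSecParam`, which tells callers their arguments were wrong rather than that the feature does not exist on this OS; `errSecUnimplemented` is the code for exactly this case, i.e. `SecError(errSecUnimplemented, &error, CFSTR("SharedWebCredentials not supported on this platform"));`. The same applies to the `#else` branch of `SecRequestSharedWebCredential` in the next hunk. Dropping the `dispatch_retain`/`dispatch_release` pair on the global queue is fine, since global queues are never deallocated. The `#endif /* TARGET_OS_IOS */` trailers are helpful; the `#endif` that closes the `#if TARGET_OS_IOS` opened at the top of `SecAddSharedWebCredential` sits many lines away and would benefit from the same trailer.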
@@ -236,9 +240,17 @@ void SecRequestSharedWebCredential(CFStringRef fqdn,
             }
             CFReleaseSafe(error);
             CFReleaseSafe(result);
-            dispatch_release(dst_queue);
         });
     });
+#else
+    SecError(errSecParam, &error, CFSTR("SharedWebCredentials not supported on this platform"));
+    dispatch_async(dst_queue, ^{
+        if (completionHandler) {
+            completionHandler(NULL, error);
+        }
+        CFReleaseSafe(error);
+    });
+#endif
 }
@@ -297,4 +309,3 @@ CFStringRef SecCreateSharedWebCredentialPassword(void)
     }
 }
-
diff --git a/OSX/sec/Security/Tool/keychain_find.c b/OSX/sec/Security/Tool/keychain_find.c
index cde7206b..0d4f132b 100644
--- a/OSX/sec/Security/Tool/keychain_find.c
+++ b/OSX/sec/Security/Tool/keychain_find.c
@@ -61,6 +61,20 @@ static void add_key(const void *key, const void *value, void *context) {
     CFArrayAppendValue(context, key);
 }
+static bool isPrintableString(CFStringRef theString){
+    bool result = false;
+    CFCharacterSetRef controlSet = CFCharacterSetGetPredefined(kCFCharacterSetControl);
+    CFCharacterSetRef newlineSet = CFCharacterSetGetPredefined(kCFCharacterSetNewline);
+    CFCharacterSetRef illegalSet = CFCharacterSetGetPredefined(kCFCharacterSetIllegal);
+
+    CFMutableCharacterSetRef unacceptable = CFCharacterSetCreateMutableCopy(kCFAllocatorDefault, controlSet);
+    CFCharacterSetUnion(unacceptable, newlineSet);
+    CFCharacterSetUnion(unacceptable, illegalSet);
+    result = CFStringFindCharacterFromSet(theString, unacceptable, CFRangeMake(0, CFStringGetLength(theString)), 0, NULL);
+    CFReleaseNull(unacceptable);
+    return result;
+}
+
 static void display_item(const void *v_item, void *context) {
     CFDictionaryRef item = (CFDictionaryRef)v_item;
     CFIndex dict_count, key_ix, key_count;
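Review bot: `isPrintableString` returns the opposite of what its name promises: `CFStringFindCharacterFromSet` answers true when a character from `unacceptable` is present, so the function is true exactly for strings that contain control, newline or illegal characters. The caller in the next hunk tests `if(!isPrintableString(v_s))` to emit `not printable `, so attribute values that carry control sequences are written to the terminal verbatim while clean values are the ones suppressed, which defeats the purpose of the check (keeping raw control characters from keychain data out of the tool's output). Fix it at the source: `result = !CFStringFindCharacterFromSet(theString, unacceptable, CFRangeMake(0, CFStringGetLength(theString)), 0, NULL);`. `CFCharacterSetCreateMutableCopy` may return NULL and is not checked; returning false when it does would keep the tool from dereferencing it.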
@@ -99,12 +113,18 @@ static void display_item(const void *v_item, void *context) {
             CFDataRef v_d = (CFDataRef)value;
             CFStringRef v_s = CFStringCreateFromExternalRepresentation(
                 kCFAllocatorDefault, v_d, kCFStringEncodingUTF8);
+
             if (v_s) {
-                CFStringAppend(line, CFSTR("/"));
-                CFStringAppend(line, v_s);
-                CFStringAppend(line, CFSTR("/ "));
-                CFRelease(v_s);
+                if(!isPrintableString(v_s))
+                    CFStringAppend(line, CFSTR("not printable "));
+                else{
+                    CFStringAppend(line, CFSTR("/"));
+                    CFStringAppend(line, v_s);
+                    CFStringAppend(line, CFSTR("/ "));
+                }
             }
+            CFReleaseNull(v_s);
+
             const uint8_t *bytes = CFDataGetBytePtr(v_d);
             CFIndex len = CFDataGetLength(v_d);
             for (jx = 0; jx < len; ++jx) {
diff --git a/OSX/sec/ipc/server.c b/OSX/sec/ipc/server.c
index e24cb6db..8c252d63 100644
--- a/OSX/sec/ipc/server.c
+++ b/OSX/sec/ipc/server.c
@@ -612,9 +612,13 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
     pthread_setspecific(taskThreadKey, client.task);
 #endif
     client.accessGroups = SecTaskCopyAccessGroups(client.task);
+
+#if TARGET_OS_IOS
     if (operation == sec_add_shared_web_credential_id || operation == sec_copy_shared_web_credential_id) {
         domains = SecTaskCopySharedWebCredentialDomains(client.task);
     }
+#endif
+
 #if TARGET_OS_IPHONE
     client.allowSystemKeychain = SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateSystemKeychain);
     client.isNetworkExtension = SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateNetworkExtension);
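Review bot: The new branch in `display_item` pairs a brace-less `if(!isPrintableString(v_s))` arm with a braced `else{` arm and drops the spaces the rest of the function uses around `if (` and `else {`; it also takes the callee's result at face value, and the `isPrintableString` added in the previous hunk is true when a disallowed character is found, so the two arms are currently selected the wrong way round. Brace both arms for readability and so a later edit cannot fall into a dangling-else: `if (!isPrintableString(v_s)) {` / `    CFStringAppend(line, CFSTR("not printable "));` / `} else {`. Replacing the `CFRelease(v_s)` inside the `if` with `CFReleaseNull(v_s)` after it is correct, as `CFReleaseNull` tolerates a NULL string.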
@@ -1072,9 +1076,11 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
         }
         case sec_add_shared_web_credential_id:
         {
+#if TARGET_OS_IOS
             CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
             if (query) {
                 CFTypeRef result = NULL;
+
                 CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
                 if (_SecAddSharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
                     SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
@@ -1083,10 +1089,14 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
                 CFReleaseSafe(appID);
                 CFReleaseNull(query);
             }
+#else
+            SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
+#endif
             break;
         }
         case sec_copy_shared_web_credential_id:
         {
+#if TARGET_OS_IOS
             CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
             if (query) {
                 CFTypeRef result = NULL;
@@ -1098,6 +1108,9 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
                 CFReleaseSafe(appID);
                 CFReleaseNull(query);
             }
+#else
+            SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
+#endif
             break;
         }
         case sec_get_log_settings_id:
diff --git a/OSX/sec/sec.xcodeproj/project.pbxproj b/OSX/sec/sec.xcodeproj/project.pbxproj
index 3fa4b64b..b3b69d5b 100644
--- a/OSX/sec/sec.xcodeproj/project.pbxproj
+++ b/OSX/sec/sec.xcodeproj/project.pbxproj
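Review bot: The two new `#else` branches in `securityd_xpc_dictionary_handler` (under `sec_add_shared_web_credential_id` and `sec_copy_shared_web_credential_id`) answer a non-iOS request with `kCFBooleanFalse` and leave `error` untouched, so a client that does send the operation gets a well-formed reply indistinguishable from a policy denial rather than an "operation not supported" failure. Consider setting an explicit error instead of or alongside the false result, e.g. `SecError(errSecUnimplemented, &error, CFSTR("shared web credentials are not supported on this platform"));`, assuming `SecError` is available in this file as it is in `SecSharedCredential.c`. The reply's error plumbing and the release of `domains` are outside these hunks.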
@@ -20,6 +20,7 @@ 0C0BDB611756882A00BC1A7E /* secd_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C0BDB601756882A00BC1A7E /* secd_regressions.h */; }; 0C0BDB63175688DA00BC1A7E /* secd-01-items.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C0BDB62175688DA00BC1A7E /* secd-01-items.c */; }; 0C0C887A1CCED00E00617D1B /* shared_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = D40771B21C9B4CE50016AA66 /* shared_regressions.h */; }; + 0C27C3E81D6F8BB1008CB02F /* secd-201-coders.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C87F8301D6F838200A9EC17 /* secd-201-coders.c */; }; 0C3276C31CB329AB005D6DDC /* secd_77_ids_messaging.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C3276C21CB329AB005D6DDC /* secd_77_ids_messaging.c */; }; 0C60F39C1CAF0E8E00221D24 /* secd-76-idstransport.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C60F39B1CAF0E8E00221D24 /* secd-76-idstransport.c */; }; 0C664AE8175951270092D3D9 /* secd-02-upgrade-while-locked.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C664AE7175951270092D3D9 /* secd-02-upgrade-while-locked.c */; }; 
@@ -27,6 +28,7 @@ 0CBF93F9177B7CFC001E5658 /* secd-04-corrupted-items.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBF93F6177B7CFC001E5658 /* secd-04-corrupted-items.c */; }; 0CBF93FC177BA9D9001E5658 /* secd-05-corrupted-items.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CBF93FB177BA9D9001E5658 /* secd-05-corrupted-items.m */; }; 0CE7ABDF171383E30088968F /* keychain_backup.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CE7ABDE171383E30088968F /* keychain_backup.c */; }; + 0CFDBAD91D6FC58D00826CDE /* SOSEnginePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 0CFDBAD81D6FC58D00826CDE /* SOSEnginePriv.h */; }; 18270F5914CF654400B05E7F /* client.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD560614CB6E7A008233F2 /* client.c */; }; 18AD560F14CB6E7A008233F2 /* securityd_client.h in Headers */ = {isa = PBXBuildFile; fileRef = 18AD560814CB6E7A008233F2 /* securityd_client.h */; }; 18AD566714CB70A8008233F2 /* SecItem.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563714CB6EB9008233F2 /* SecItem.c */; }; 
@@ -83,7 +85,6 @@ 446BB5E518F83172005D1B83 /* SecAccessControl.c in Sources */ = {isa = PBXBuildFile; fileRef = C6766767189884D200E9A12C /* SecAccessControl.c */; }; 4477A8D918F28AB700B5BB9F /* si-78-query-attrs.c in Sources */ = {isa = PBXBuildFile; fileRef = 4477A8D718F28AAE00B5BB9F /* si-78-query-attrs.c */; }; 448305101B46FB8700326450 /* ios8-inet-keychain-2.h in Headers */ = {isa = PBXBuildFile; fileRef = 4483050F1B46FB8700326450 /* ios8-inet-keychain-2.h */; }; - 448305111B46FC0D00326450 /* secd-35-keychain-migrate-inet.c in Sources */ = {isa = PBXBuildFile; fileRef = 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */; }; 449265291AB0D6FF00644D4C /* SecCTKKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 449265271AB0D6FF00644D4C /* SecCTKKey.c */; }; 4492652A1AB0D6FF00644D4C /* SecCTKKeyPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 449265281AB0D6FF00644D4C /* SecCTKKeyPriv.h */; }; 4802A59816D7156D0059E5B9 /* SOSUserKeygen.h in Headers */ = {isa = PBXBuildFile; fileRef = 4802A59716D711190059E5B9 /* SOSUserKeygen.h */; settings = {ATTRIBUTES = (); }; }; 
@@ -283,7 +284,7 @@ BE53FA301B0AC5C300719A63 /* SecKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563C14CB6EB9008233F2 /* SecKey.c */; }; BE53FA311B0AC65500719A63 /* SecECKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562C14CB6EB9008233F2 /* SecECKey.c */; }; BE53FA321B0AC65B00719A63 /* SecRSAKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564714CB6EB9008233F2 /* SecRSAKey.c */; }; - BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */ = {isa = PBXBuildFile; fileRef = BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */; }; + BE5C5BD11D8C90F500A97339 /* si-84-sectrust-allowlist.m in Sources */ = {isa = PBXBuildFile; fileRef = BE5C5BD01D8C90C200A97339 /* si-84-sectrust-allowlist.m */; }; BE5EC1F018C80108005E7682 /* swcagent_client.c in Sources */ = {isa = PBXBuildFile; fileRef = BEF9640A18B418A400813FA3 /* swcagent_client.c */; }; BE62D7601747FF3E001EAA9D /* si-72-syncableitems.c in Sources */ = {isa = PBXBuildFile; fileRef = BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */; }; BE642BB2188F32C200C899A2 /* SecSharedCredential.c in Sources */ = {isa = PBXBuildFile; fileRef = BE642BB1188F32C200C899A2 /* SecSharedCredential.c */; }; 
@@ -392,6 +393,9 @@ D48C567D1C73E5C300E41928 /* SecPolicyLeafCallbacks.c in Sources */ = {isa = PBXBuildFile; fileRef = D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */; }; D4A919771CA9A3DD003D2ADA /* si-95-cms-basic.c in Sources */ = {isa = PBXBuildFile; fileRef = D4A919751CA9A3DD003D2ADA /* si-95-cms-basic.c */; }; D4A919781CA9A3DD003D2ADA /* si-95-cms-basic.h in Headers */ = {isa = PBXBuildFile; fileRef = D4A919761CA9A3DD003D2ADA /* si-95-cms-basic.h */; }; + D4B2E7941DAEFBB500F79E03 /* wosign_certs.h in Headers */ = {isa = PBXBuildFile; fileRef = D4B2E7911DAEFBB500F79E03 /* wosign_certs.h */; }; + D4B2E7951DAEFBB500F79E03 /* date_testing_certs.h in Headers */ = {isa = PBXBuildFile; fileRef = D4B2E7921DAEFBB500F79E03 /* date_testing_certs.h */; }; + D4B2E7961DAEFBB500F79E03 /* cnnic_certs.h in Headers */ = {isa = PBXBuildFile; fileRef = D4B2E7931DAEFBB500F79E03 /* cnnic_certs.h */; }; D4CBC1481BE9A89E00C5795E /* si-89-cms-hash-agility.c in Sources */ = {isa = PBXBuildFile; fileRef = D4CBC1461BE9A89E00C5795E /* si-89-cms-hash-agility.c */; }; D4CBC1491BE9A89E00C5795E /* si-89-cms-hash-agility.h in Headers */ = {isa = PBXBuildFile; fileRef = D4CBC1471BE9A89E00C5795E /* si-89-cms-hash-agility.h */; }; D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */; }; 
@@ -495,6 +499,8 @@ E7FEFB87169E363300E18152 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 521C0B9815FA5C4A00604B61 /* Foundation.framework */; }; E7FEFB91169E36D800E18152 /* keychain_sync.c in Sources */ = {isa = PBXBuildFile; fileRef = E7FEFB90169E36D800E18152 /* keychain_sync.c */; }; EB3409AF1C1D5BBE00D77661 /* secd-20-keychain_upgrade.m in Sources */ = {isa = PBXBuildFile; fileRef = EB3409AE1C1D5BB300D77661 /* secd-20-keychain_upgrade.m */; }; + EB36F0421D9041FC0094C601 /* secd-35-keychain-migrate-inet.c in Sources */ = {isa = PBXBuildFile; fileRef = 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */; }; + EB36F0431D9041FC0094C601 /* secd-36-ks-encrypt.m in Sources */ = {isa = PBXBuildFile; fileRef = EB36F0401D9041F40094C601 /* secd-36-ks-encrypt.m */; }; EB6432BD1C510A6E00B671F2 /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = EB6432BC1C510A6E00B671F2 /* SecDigest.c */; }; EB6432BE1C510A6E00B671F2 /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = EB6432BC1C510A6E00B671F2 /* SecDigest.c */; }; EB69AB041BF3C42F00913AF1 /* SecEMCS.m in Sources */ = {isa = PBXBuildFile; fileRef = EB69AB031BF3C42F00913AF1 /* SecEMCS.m */; }; 
@@ -557,10 +563,12 @@ 0C3276C21CB329AB005D6DDC /* secd_77_ids_messaging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = secd_77_ids_messaging.c; sourceTree = ""; }; 0C60F39B1CAF0E8E00221D24 /* secd-76-idstransport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-76-idstransport.c"; sourceTree = ""; }; 0C664AE7175951270092D3D9 /* secd-02-upgrade-while-locked.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = "secd-02-upgrade-while-locked.c"; sourceTree = ""; xcLanguageSpecificationIdentifier = xcode.lang.c; }; + 0C87F8301D6F838200A9EC17 /* secd-201-coders.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-201-coders.c"; sourceTree = ""; }; 0CBF93F5177B7CFC001E5658 /* secd-03-corrupted-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-03-corrupted-items.c"; sourceTree = ""; }; 0CBF93F6177B7CFC001E5658 /* secd-04-corrupted-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-04-corrupted-items.c"; sourceTree = ""; }; 0CBF93FB177BA9D9001E5658 /* secd-05-corrupted-items.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-05-corrupted-items.m"; sourceTree = ""; }; 0CE7ABDE171383E30088968F /* keychain_backup.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = keychain_backup.c; sourceTree = ""; }; + 0CFDBAD81D6FC58D00826CDE /* SOSEnginePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSEnginePriv.h; sourceTree = ""; }; 18270C9714CF1AAD00B05E7F /* base.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = base.xcconfig; sourceTree = ""; }; 18270C9814CF1AAD00B05E7F /* debug.xcconfig */ = {isa = 
PBXFileReference; lastKnownFileType = text.xcconfig; path = debug.xcconfig; sourceTree = ""; }; 18270C9914CF1AAD00B05E7F /* lib.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = lib.xcconfig; sourceTree = ""; }; @@ -921,7 +929,7 @@ BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecSignatureVerificationSupport.c; sourceTree = ""; }; BE4AC7DD1C938698002A28FE /* SecSignatureVerificationSupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSignatureVerificationSupport.h; sourceTree = ""; }; BE556A5D19550E1600E6EE8C /* SecPolicyCerts.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecPolicyCerts.h; sourceTree = ""; }; - BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "si-84-sectrust-whitelist.c"; sourceTree = ""; }; + BE5C5BD01D8C90C200A97339 /* si-84-sectrust-allowlist.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-84-sectrust-allowlist.m"; sourceTree = ""; }; BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-72-syncableitems.c"; sourceTree = ""; }; BE62D7611747FF51001EAA9D /* si-70-sectrust-unified.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-70-sectrust-unified.c"; sourceTree = ""; }; BE642BAF188F32AD00C899A2 /* SecSharedCredential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSharedCredential.h; sourceTree = ""; }; 
@@ -1016,6 +1024,9 @@ D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecPolicyLeafCallbacks.c; sourceTree = ""; }; D4A919751CA9A3DD003D2ADA /* si-95-cms-basic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-95-cms-basic.c"; sourceTree = ""; }; D4A919761CA9A3DD003D2ADA /* si-95-cms-basic.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-95-cms-basic.h"; sourceTree = ""; }; + D4B2E7911DAEFBB500F79E03 /* wosign_certs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wosign_certs.h; path = "si-84-sectrust-allowlist/wosign_certs.h"; sourceTree = ""; }; + D4B2E7921DAEFBB500F79E03 /* date_testing_certs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = date_testing_certs.h; path = "si-84-sectrust-allowlist/date_testing_certs.h"; sourceTree = ""; }; + D4B2E7931DAEFBB500F79E03 /* cnnic_certs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cnnic_certs.h; path = "si-84-sectrust-allowlist/cnnic_certs.h"; sourceTree = ""; }; D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-85-sectrust-ssl-policy.c"; sourceTree = ""; }; D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-85-sectrust-ssl-policy.h"; sourceTree = ""; }; D4CBC1461BE9A89E00C5795E /* si-89-cms-hash-agility.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-89-cms-hash-agility.c"; sourceTree = ""; }; 
@@ -1109,6 +1120,7 @@ E7FEFB8C169E363300E18152 /* libSOSCommands.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSOSCommands.a; sourceTree = BUILT_PRODUCTS_DIR; }; E7FEFB90169E36D800E18152 /* keychain_sync.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = keychain_sync.c; sourceTree = ""; xcLanguageSpecificationIdentifier = xcode.lang.c; }; EB3409AE1C1D5BB300D77661 /* secd-20-keychain_upgrade.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-20-keychain_upgrade.m"; sourceTree = ""; }; + EB36F0401D9041F40094C601 /* secd-36-ks-encrypt.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-36-ks-encrypt.m"; sourceTree = ""; }; EB6432BC1C510A6E00B671F2 /* SecDigest.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDigest.c; sourceTree = ""; }; EB69AB031BF3C42F00913AF1 /* SecEMCS.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecEMCS.m; sourceTree = ""; }; EB69AB051BF425F300913AF1 /* si-90-emcs.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-90-emcs.m"; sourceTree = ""; }; @@ -1628,7 +1640,8 @@ D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */, 440BF8F41A7A7EC9001760A7 /* si-82-token-ag.c */, BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */, - BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */, + D48D56CC1DAEC030005AA1C0 /* si-84-sectrust-allowlist */, + BE5C5BD01D8C90C200A97339 /* si-84-sectrust-allowlist.m */, D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */, D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */, D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */, 
@@ -1725,6 +1738,7 @@ 4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.m */, 529F46F11AEC759E0002392C /* secd-34-backup-der-parse.c */, 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */, + EB36F0401D9041F40094C601 /* secd-36-ks-encrypt.m */, E75AB9191AE9958300C5EF3F /* secd-40-cc-gestalt.c */, E79D62B9176798BF005A9743 /* secd-50-account.c */, 523CBBF71B3227A2002C0884 /* secd-49-manifests.c */, @@ -1772,6 +1786,7 @@ E739A9DC1D318FA4003C088A /* secd-130-other-peer-views.c */, CD35B8291C2650FE00E0852A /* secd-154-engine-backoff.c */, 48B5888B1D00ED9000E0C5A7 /* secd-200-logstate.c */, + 0C87F8301D6F838200A9EC17 /* secd-201-coders.c */, E7A10FAA1771245D00C4602F /* SOSAccountTesting.h */, E79D62BE1767A547005A9743 /* SecdTestKeychainUtilities.c */, E79D62BF1767A55F005A9743 /* SecdTestKeychainUtilities.h */, @@ -1808,6 +1823,16 @@ name = SharedWebCredentialAgent; sourceTree = ""; }; + D48D56CC1DAEC030005AA1C0 /* si-84-sectrust-allowlist */ = { + isa = PBXGroup; + children = ( + D4B2E7911DAEFBB500F79E03 /* wosign_certs.h */, + D4B2E7921DAEFBB500F79E03 /* date_testing_certs.h */, + D4B2E7931DAEFBB500F79E03 /* cnnic_certs.h */, + ); + name = "si-84-sectrust-allowlist"; + sourceTree = ""; + }; E71049F4169E023B00DB0045 /* SecurityTool */ = { isa = PBXGroup; children = ( @@ -2030,6 +2055,7 @@ 4C8BDDA117B4FE9400C20EA5 /* SOSDigestVector.h */, 4C9DC91C15B602910036D941 /* SOSEngine.c */, 4C9DC91915B602760036D941 /* SOSEngine.h */, + 0CFDBAD81D6FC58D00826CDE /* SOSEnginePriv.h */, 4C8BDD9E17B4FDE100C20EA5 /* SOSManifest.c */, 4C8BDD9C17B4FD2A00C20EA5 /* SOSManifest.h */, 4CBDB30B17B70206002FA799 /* SOSMessage.c */, 
@@ -2234,6 +2260,9 @@ D44C81EA1CD1947200BE9A0D /* si-97-sectrust-path-scoring.h in Headers */, D43091561D84D80B004097DA /* si-25-cms-skid.h in Headers */, D4653DEB1C9E2299002ED6D5 /* si-28-sectrustsettings.h in Headers */, + D4B2E7961DAEFBB500F79E03 /* cnnic_certs.h in Headers */, + D4B2E7941DAEFBB500F79E03 /* wosign_certs.h in Headers */, + D4B2E7951DAEFBB500F79E03 /* date_testing_certs.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -2262,6 +2291,7 @@ CDE5F8A41AF025D60074958E /* SOSPeerInfoCollections.h in Headers */, CDE5F8B51AF026470074958E /* SOSTransportKeyParameter.h in Headers */, CDE5F8851AF025B30074958E /* SOSConcordanceTrust.h in Headers */, + 0CFDBAD91D6FC58D00826CDE /* SOSEnginePriv.h in Headers */, CDE5F8AD1AF026470074958E /* SOSTransport.h in Headers */, CDE5F8801AF025AC0074958E /* SOSRingTypes.h in Headers */, 4C8BDD9D17B4FD2A00C20EA5 /* SOSManifest.h in Headers */, @@ -2679,6 +2709,7 @@ 5E0CE1651CB6347300E75776 /* secd-83-item-match-valid-on-date.m in Sources */, 4CC62F221B4EF136009FEF0E /* secd-75-engine-views.c in Sources */, F9EF72F21AC0F98400A4D24A /* secd-70-engine-smash.c in Sources */, + 0C27C3E81D6F8BB1008CB02F /* secd-201-coders.c in Sources */, 5384299418E492A300E91AFE /* secd-70-otr-remote.c in Sources */, E7F18557177A502900177B23 /* secd-56-account-apply.c in Sources */, EB69AB071BF4332700913AF1 /* si-90-emcs.m in Sources */, 
@@ -2688,11 +2719,13 @@ 0CBF93F8177B7CFC001E5658 /* secd-03-corrupted-items.c in Sources */, E75AB91B1AE9964800C5EF3F /* secd-40-cc-gestalt.c in Sources */, 0CBF93FC177BA9D9001E5658 /* secd-05-corrupted-items.m in Sources */, + EB36F0421D9041FC0094C601 /* secd-35-keychain-migrate-inet.c in Sources */, 5E0CE1671CB6348D00E75776 /* secd-83-item-match-trusted.m in Sources */, 527258D11981C00F003CFCEC /* secd-70-engine.c in Sources */, E7850ED11BB30E87002A54CA /* secd-65-account-retirement-reset.c in Sources */, 4C495EDF1982145200BC1809 /* SOSTestDevice.c in Sources */, E78A9AB21D34263100006B5B /* secd-130-other-peer-views.c in Sources */, + EB36F0431D9041FC0094C601 /* secd-36-ks-encrypt.m in Sources */, 0CBF93F9177B7CFC001E5658 /* secd-04-corrupted-items.c in Sources */, 4898223A17BDB277003BEF32 /* secd-52-account-changed.c in Sources */, 0C062B1F175E784B00806CFE /* secd-30-keychain-upgrade.c in Sources */, @@ -2713,7 +2746,6 @@ 486C6C691795F9D600387075 /* secd-61-account-leave-not-in-kansas-anymore.c in Sources */, E79D62BD176799EE005A9743 /* SOSTestDataSource.c in Sources */, EBF2D7661C1E482B006AB6FF /* secd-21-transmogrify.m in Sources */, - 448305111B46FC0D00326450 /* secd-35-keychain-migrate-inet.c in Sources */, 4469FC2D1AA0A6D00021AA26 /* secd-33-keychain-ctk.m in Sources */, E79D62BC176799DB005A9743 /* SOSRegressionUtilities.c in Sources */, E7A10FAC1771246A00C4602F /* secd-55-account-circle.c in Sources */, 
@@ -2981,7 +3013,7 @@ D4D887571CED0B9400DC7583 /* si-27-sectrust-exceptions.c in Sources */, 0982E02C1D19695B0060002E /* si-44-seckey-ec.m in Sources */, D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */, - BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */, + BE5C5BD11D8C90F500A97339 /* si-84-sectrust-allowlist.m in Sources */, D4D886F01CEC008600DC7583 /* si-23-sectrust-ocsp.c in Sources */, D4D8875E1CED490700DC7583 /* si-74-OTAPKISigner.c in Sources */, D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */, diff --git a/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m b/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m index bb4ba556..756ddb70 100644 --- a/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m +++ b/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m @@ -38,7 +38,6 @@ #import #import -#import #import #import diff --git a/OSX/sec/securityd/Regressions/secd-201-coders.c b/OSX/sec/securityd/Regressions/secd-201-coders.c new file mode 100644 index 00000000..c5fc6712 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-201-coders.c 
@@ -0,0 +1,378 @@ +/* + * Copyright (c) 2013-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +// +// secd_201_coders +// sec +// + +#include + + + + +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include "SOSCloudKeychainLogging.h" + +#include +#include + +#include "secd_regressions.h" +#include "SOSTestDataSource.h" +#include "SOSTestDevice.h" + +#include "SOSRegressionUtilities.h" +#include +#include + +#include + +#include "SOSAccountTesting.h" + +#include "SecdTestKeychainUtilities.h" + +static int kTestTestCount = 182; + +static void TestSOSEngineDoOnQueue(SOSEngineRef engine, dispatch_block_t action) +{ + dispatch_sync(engine->queue, action); +} + +static bool SOSAccountIsThisPeerIDMe(SOSAccountRef account, CFStringRef peerID) { + SOSPeerInfoRef mypi = SOSFullPeerInfoGetPeerInfo(account->my_identity); + CFStringRef myPeerID = SOSPeerInfoGetPeerID(mypi); + + return myPeerID && CFEqualSafe(myPeerID, peerID); +} + +static bool TestSOSEngineDoTxnOnQueue(SOSEngineRef engine, CFErrorRef *error, 
void(^transaction)(SOSTransactionRef txn, bool *commit)) +{ + return SOSDataSourceWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn, bool *commit) { + TestSOSEngineDoOnQueue(engine, ^{ transaction(txn, commit); }); + }); +} + +static void compareCoders(CFMutableDictionaryRef beforeCoders, CFMutableDictionaryRef afterCoderState) +{ + CFDictionaryForEach(beforeCoders, ^(const void *key, const void *value) { + CFStringRef beforePeerid = (CFStringRef)key; + SOSCoderRef beforeCoderData = (SOSCoderRef)value; + SOSCoderRef afterCoderData = (SOSCoderRef)CFDictionaryGetValue(afterCoderState, beforePeerid); + ok(CFEqual(beforeCoderData,afterCoderData)); + }); +} + +static void ids_test_sync(SOSAccountRef alice_account, SOSAccountRef bob_account){ + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + __block bool SyncingCompletedOverIDS = false; + __block CFErrorRef localError = NULL; + __block bool done = false; + do{ + SOSCircleForEachValidPeer(alice_account->trusted_circle, alice_account->user_public, ^(SOSPeerInfoRef peer) { + if (!SOSAccountIsThisPeerIDMe(alice_account, SOSPeerInfoGetPeerID(peer))) { + if(SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), peer) && + SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), peer)){ + secnotice("IDS Transport","Syncing with IDS capable peers using IDS!"); + + CFMutableDictionaryRef circleToIdsId = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer)); + CFDictionaryAddValue(circleToIdsId, SOSCircleGetName(alice_account->trusted_circle), ids); + SOSEngineRef alice_engine = SOSTransportMessageGetEngine(alice_account->ids_message_transport); + + //testing loading and saving coders + ok(alice_engine->coders); + CFMutableDictionaryRef beforeCoders = 
CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(alice_engine->coders), alice_engine->coders); + TestSOSEngineDoTxnOnQueue(alice_engine, &localError, ^(SOSTransactionRef txn, bool *commit) { + ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(alice_account->ids_message_transport), txn, &localError)); + }); + + ok(alice_engine->coders); + + TestSOSEngineDoTxnOnQueue(alice_engine, &localError, ^(SOSTransactionRef txn, bool *commit) { + ok(SOSTestEngineSaveCoders(alice_engine, txn, &localError)); + }); + + compareCoders(beforeCoders, alice_engine->coders); + + //syncing with all peers + SyncingCompletedOverIDS = SOSTransportMessageSyncWithPeers(alice_account->ids_message_transport, circleToIdsId, &localError); + + //testing load after sync with all peers + CFMutableDictionaryRef codersAfterSyncBeforeLoad = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(alice_engine->coders), alice_engine->coders); + TestSOSEngineDoTxnOnQueue(alice_engine, &localError, ^(SOSTransactionRef txn, bool *commit) { + ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(alice_account->ids_message_transport), txn, &localError)); + }); + compareCoders(codersAfterSyncBeforeLoad, alice_engine->coders); + + CFReleaseNull(codersAfterSyncBeforeLoad); + CFReleaseNull(beforeCoders); + CFReleaseNull(circleToIdsId); + CFReleaseNull(ids); + } + } + }); + + ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL); + + SOSCircleForEachValidPeer(bob_account->trusted_circle, bob_account->user_public, ^(SOSPeerInfoRef peer) { + if (!SOSAccountIsThisPeerIDMe(bob_account, SOSPeerInfoGetPeerID(peer))) { + if(SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), peer) && + SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), peer)){ + secnotice("IDS Transport","Syncing with IDS capable peers using IDS!"); + + CFMutableDictionaryRef circleToIdsId = 
CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer)); + CFDictionaryAddValue(circleToIdsId, SOSCircleGetName(bob_account->trusted_circle), ids); + SOSEngineRef bob_engine = SOSTransportMessageGetEngine(bob_account->ids_message_transport); + + //testing loading and saving coders + ok(bob_engine->coders); + CFMutableDictionaryRef beforeCoders = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(bob_engine->coders), bob_engine->coders); + TestSOSEngineDoTxnOnQueue(bob_engine, &localError, ^(SOSTransactionRef txn, bool *commit) { + ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(bob_account->ids_message_transport), txn, &localError)); + }); + + ok(bob_engine->coders); + + TestSOSEngineDoTxnOnQueue(bob_engine, &localError, ^(SOSTransactionRef txn, bool *commit) { + ok(SOSTestEngineSaveCoders(bob_engine, txn, &localError)); + }); + + compareCoders(beforeCoders, bob_engine->coders); + + SyncingCompletedOverIDS &= SOSTransportMessageSyncWithPeers(bob_account->ids_message_transport, circleToIdsId, &localError); + + //testing load after sync with all peers + CFMutableDictionaryRef codersAfterSyncBeforeLoad = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(bob_engine->coders), bob_engine->coders); + TestSOSEngineDoTxnOnQueue(bob_engine, &localError, ^(SOSTransactionRef txn, bool *commit) { + ok(TestSOSEngineLoadCoders(SOSTransportMessageGetEngine(bob_account->ids_message_transport), txn, &localError)); + }); + compareCoders(codersAfterSyncBeforeLoad, bob_engine->coders); + CFReleaseNull(codersAfterSyncBeforeLoad); + CFReleaseNull(beforeCoders); + CFReleaseNull(circleToIdsId); + CFReleaseNull(ids); + } + } + }); + + if(CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(alice_account->ids_message_transport)) == 0 && 
CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(bob_account->ids_message_transport)) == 0){ + done = true; + break; + } + + ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL); + + }while(done == false); + CFReleaseNull(changes); + + ok(SyncingCompletedOverIDS, "synced items over IDS"); + +} + +static void tests(void) +{ + + __block CFErrorRef error = NULL; + CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); + CFDataRef cfwrong_password = CFDataCreate(NULL, (uint8_t *) "NotFooFooFoo", 10); + CFStringRef cfaccount = CFSTR("test@test.org"); + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("TestSource")); + SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("TestSource")); + + ok(SOSAccountAssertUserCredentialsAndUpdate(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + + // Bob wins writing at this point, feed the changes back to alice. + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates"); + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + ok(SOSAccountTryUserCredentials(alice_account, cfaccount, cfpassword, &error), "Credential trying (%@)", error); + CFReleaseNull(error); + ok(!SOSAccountTryUserCredentials(alice_account, cfaccount, cfwrong_password, &error), "Credential failing (%@)", error); + CFReleaseNull(cfwrong_password); + is(error ? 
CFErrorGetCode(error) : 0, kSOSErrorWrongPassword, "Expected SOSErrorWrongPassword"); + CFReleaseNull(error); + + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + ok(SOSAccountHasCompletedInitialSync(alice_account), "Alice thinks she's completed initial sync"); + + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + { + CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); + + ok(applicants && CFArrayGetCount(applicants) == 1, "See one applicant %@ (%@)", applicants, error); + ok(SOSAccountAcceptApplicants(alice_account, applicants, &error), "Alice accepts (%@)", error); + CFReleaseNull(error); + CFReleaseNull(applicants); + } + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); + + accounts_agree("bob&alice pair", bob_account, alice_account); + + CFArrayRef peers = SOSAccountCopyPeers(alice_account, &error); + ok(peers && CFArrayGetCount(peers) == 2, "See two peers %@ (%@)", peers, error); + CFReleaseNull(peers); + + //creating test devices + CFIndex version = 0; + + // Optionally prefix each peer with name to make them more unique. 
+ CFArrayRef deviceIDs = CFArrayCreateForCFTypes(kCFAllocatorDefault,SOSAccountGetMyPeerID(alice_account), SOSAccountGetMyPeerID(bob_account), NULL); + CFSetRef views = SOSViewsCopyTestV2Default(); + CFMutableArrayRef peerMetas = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFStringRef deviceID; + CFArrayForEachC(deviceIDs, deviceID) { + SOSPeerMetaRef peerMeta = SOSPeerMetaCreateWithComponents(deviceID, views, NULL); + CFArrayAppendValue(peerMetas, peerMeta); + CFReleaseNull(peerMeta); + } + + CFReleaseNull(views); + CFArrayForEachC(deviceIDs, deviceID) { + SOSTestDeviceRef device = SOSTestDeviceCreateWithDbNamed(kCFAllocatorDefault, deviceID, deviceID); + SOSTestDeviceSetPeerIDs(device, peerMetas, version, NULL); + + if(CFEqualSafe(deviceID, SOSAccountGetMyPeerID(alice_account))){ + alice_account->factory = device->dsf; + SOSTestDeviceAddGenericItem(device, CFSTR("Alice"), CFSTR("Alice-add")); + } + else{ + bob_account->factory = device->dsf; + SOSTestDeviceAddGenericItem(device, CFSTR("Bob"), CFSTR("Bob-add")); + } + + CFReleaseNull(device); + } + CFReleaseNull(deviceIDs); + CFReleaseNull(peerMetas); + + SOSUnregisterAllTransportMessages(); + CFArrayRemoveAllValues(message_transports); + + alice_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(alice_account, CFSTR("Alice"), CFSTR("TestSource"), &error); + bob_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(bob_account, CFSTR("Bob"), CFSTR("TestSource"), &error); + + bool result = SOSAccountModifyCircle(alice_account, &error, ^bool(SOSCircleRef circle) { + CFErrorRef localError = NULL; + + SOSFullPeerInfoUpdateTransportType(alice_account->my_identity, SOSTransportMessageTypeIDSV2, &localError); + SOSFullPeerInfoUpdateTransportPreference(alice_account->my_identity, kCFBooleanFalse, &localError); + SOSFullPeerInfoUpdateTransportFragmentationPreference(alice_account->my_identity, kCFBooleanTrue, &localError); + + return 
SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), NULL); + }); + + ok(result, "Alice account update circle with transport type"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + result = SOSAccountModifyCircle(bob_account, &error, ^bool(SOSCircleRef circle) { + CFErrorRef localError = NULL; + + SOSFullPeerInfoUpdateTransportType(bob_account->my_identity, SOSTransportMessageTypeIDSV2, &localError); + SOSFullPeerInfoUpdateTransportPreference(bob_account->my_identity, kCFBooleanFalse, &localError); + SOSFullPeerInfoUpdateTransportFragmentationPreference(bob_account->my_identity, kCFBooleanTrue, &localError); + + return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), NULL); + }); + + ok(result, "Bob account update circle with transport type"); + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + CFStringRef alice_transportType =SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(alice_account)); + CFStringRef bob_accountTransportType = SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(bob_account)); + ok(CFEqualSafe(alice_transportType, CFSTR("IDS2.0")), "Alice transport type not IDS"); + ok(CFEqualSafe(bob_accountTransportType, CFSTR("IDS2.0")), "Bob transport type not IDS"); + + CFReleaseNull(alice_transportType); + CFReleaseNull(bob_accountTransportType); + + SOSTransportMessageIDSTestSetName(alice_account->ids_message_transport, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSTestGetName(alice_account->ids_message_transport) != NULL, "retrieved getting account name"); + ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(alice_account, &error) != false, "device ID from IDSKeychainSyncingProxy"); + + SOSTransportMessageIDSTestSetName(bob_account->ids_message_transport, CFSTR("Bob Account")); + ok(SOSTransportMessageIDSTestGetName(bob_account->ids_message_transport) != NULL, "retrieved getting account 
name"); + ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(bob_account, &error) != false, "device ID from IDSKeychainSyncingProxy"); + + + ok(SOSAccountSetMyDSID(alice_account, CFSTR("Alice"),&error), "Setting IDS device ID"); + CFStringRef alice_dsid = SOSAccountCopyDeviceID(alice_account, &error); + ok(CFEqualSafe(alice_dsid, CFSTR("Alice")), "Getting IDS device ID"); + + ok(SOSAccountSetMyDSID(bob_account, CFSTR("Bob"),&error), "Setting IDS device ID"); + CFStringRef bob_dsid = SOSAccountCopyDeviceID(bob_account, &error); + ok(CFEqualSafe(bob_dsid, CFSTR("Bob")), "Getting IDS device ID"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); + + ok(SOSAccountEnsurePeerRegistration(alice_account, NULL), "ensure peer registration - alice"); + ok(SOSAccountEnsurePeerRegistration(bob_account, NULL), "ensure peer registration - bob"); + + ids_test_sync(alice_account, bob_account); + + SOSUnregisterAllTransportMessages(); + SOSUnregisterAllTransportCircles(); + SOSUnregisterAllTransportKeyParameters(); + CFArrayRemoveAllValues(key_transports); + CFArrayRemoveAllValues(circle_transports); + CFArrayRemoveAllValues(message_transports); + CFReleaseNull(alice_account); + CFReleaseNull(bob_account); + +} + +int secd_201_coders(int argc, char *const *argv) +{ + plan_tests(kTestTestCount); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + tests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-36-ks-encrypt.m b/OSX/sec/securityd/Regressions/secd-36-ks-encrypt.m new file mode 100644 index 00000000..ed3cb12a --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-36-ks-encrypt.m 
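Review bot: compareCoders calls `CFEqual(beforeCoderData, afterCoderData)` on a value fetched with CFDictionaryGetValue, which is NULL whenever a peer ID present before the reload is missing afterwards, and CFEqual on a NULL argument aborts the process rather than failing the test; the file already uses CFEqualSafe elsewhere, so `ok(CFEqualSafe(beforeCoderData, afterCoderData), "coder for %@ survives reload", beforePeerid);` reports the mismatch as an ordinary failure. In ids_test_sync, `localError` is passed by address to every load, save and sync call across loop iterations but is never released, so an error from one call leaks and is still set when the next call runs; add `CFReleaseNull(localError);` before the final `ok(SyncingCompletedOverIDS, ...)`. The return value of TestSOSEngineDoTxnOnQueue is ignored at every call site, so a transaction that fails to open would presumably leave the inner ok() unexecuted and surface only as a test-count mismatch. In tests(), cfpassword, changes, alice_dsid and bob_dsid are created and never released.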
@@ -0,0 +1,98 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#include "secd_regressions.h" + +#include + +#include +#include "SecDbKeychainItem.h" + +#include + +#if USE_KEYSTORE +#include + +#include "SecdTestKeychainUtilities.h" + +int secd_36_ks_encrypt(int argc, char *const *argv) +{ + plan_tests(8); + + keybag_handle_t keybag; + keybag_state_t state; + CFDictionaryRef data = NULL; + CFDataRef enc = NULL; + CFErrorRef error = NULL; + SecAccessControlRef ac = NULL; + bool ret; + + char passcode[] = "password"; + int passcode_len = sizeof(passcode) - 1; + + + /* Create and lock custom keybag */ + is(kIOReturnSuccess, aks_create_bag(passcode, passcode_len, kAppleKeyStoreDeviceBag, &keybag), "create keybag"); + is(kIOReturnSuccess, aks_get_lock_state(keybag, &state), "get keybag state"); + is(0, (int)(state&keybag_state_locked), "keybag unlocked"); + + data = (__bridge CFDictionaryRef)@{ + (id)kSecValueData : @"secret here", + }; + + ok(ac = SecAccessControlCreate(NULL, &error), "SecAccessControlCreate: %@", error); + 
ok(SecAccessControlSetProtection(ac, kSecAttrAccessibleWhenUnlocked, &error), "SecAccessControlSetProtection: %@", error); + + ret = ks_encrypt_data(keybag, ac, NULL, data, NULL, &enc, true, &error); + is(true, ret); + + CFReleaseNull(ac); + + { + CFMutableDictionaryRef attributes = NULL; + uint32_t version = 0; + + ret = ks_decrypt_data(keybag, kAKSKeyOpDecrypt, &ac, NULL, enc, NULL, NULL, &attributes, &version, &error); + is(true, ret, "ks_decrypt_data: %@", error); + + ok(CFEqual(SecAccessControlGetProtection(ac), kSecAttrAccessibleWhenUnlocked), "AccessControl protection is: %@", SecAccessControlGetProtection(ac)); + + CFReleaseNull(ac); + } + + CFReleaseNull(error); + CFReleaseNull(enc); + + return 0; +} + +#else /* !USE_KEYSTORE */ + +int secd_36_ks_encrypt(int argc, char *const *argv) +{ + plan_tests(1); + ok(true); + return 0; +} +#endif /* USE_KEYSTORE */ diff --git a/OSX/sec/securityd/Regressions/secd-71-engine-save.c b/OSX/sec/securityd/Regressions/secd-71-engine-save.c index bd367670..7ba78df9 100644 --- a/OSX/sec/securityd/Regressions/secd-71-engine-save.c +++ b/OSX/sec/securityd/Regressions/secd-71-engine-save.c @@ -29,7 +29,7 @@ #include "secd_regressions.h" #include "SecdTestKeychainUtilities.h" -#include +#include #include #include #include diff --git a/OSX/sec/securityd/Regressions/secd_regressions.h b/OSX/sec/securityd/Regressions/secd_regressions.h index f2e91b0e..32ce9856 100644 --- a/OSX/sec/securityd/Regressions/secd_regressions.h +++ b/OSX/sec/securityd/Regressions/secd_regressions.h @@ -37,6 +37,7 @@ ONE_TEST(secd_31_keychain_unreadable) OFF_ONE_TEST(secd_32_restore_bad_backup) ONE_TEST(secd_33_keychain_ctk) ONE_TEST(secd_35_keychain_migrate_inet) +ONE_TEST(secd_36_ks_encrypt) ONE_TEST(secd_40_cc_gestalt) ONE_TEST(secd_50_account) ONE_TEST(secd_49_manifests) @@ -88,3 +89,5 @@ ONE_TEST(secd_154_engine_backoff) ONE_TEST(secd_100_initialsync) ONE_TEST(secd_130_other_peer_views) ONE_TEST(secd_200_logstate) +ONE_TEST(secd_201_coders) + 
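Review bot: The comment `/* Create and lock custom keybag */` contradicts the assertions under it: the test checks that `state&keybag_state_locked` is 0 ("keybag unlocked") and never locks the bag, so it should read `/* Create a custom keybag and verify it starts unlocked */`. The encrypt assertion `is(true, ret);` carries no description, unlike the decrypt assertion a few statements later; `is(true, ret, "ks_encrypt_data: %@", error);` makes a failure here diagnosable. The `attributes` dictionary returned by ks_decrypt_data is never released, and the bag created by aks_create_bag has no matching teardown in the function, so both leak for the life of the test process. The `#else` fallback's `ok(true);` would also read better with a description naming why it passes unconditionally, e.g. `ok(true, "ks_encrypt requires USE_KEYSTORE");`.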
diff --git a/OSX/sec/securityd/SecCAIssuerRequest.c b/OSX/sec/securityd/SecCAIssuerRequest.c index 4fe1591c..40c893be 100644 --- a/OSX/sec/securityd/SecCAIssuerRequest.c +++ b/OSX/sec/securityd/SecCAIssuerRequest.c @@ -38,6 +38,10 @@ #include #include +#define MAX_CA_ISSUERS 3 +#define CA_ISSUERS_REQUEST_THRESHOLD 10 + + /* CA Issuer lookup code. */ typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef; @@ -57,7 +61,14 @@ static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request) { } static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) { - while (request->issuerIX < CFArrayGetCount(request->issuers)) { + CFIndex count = CFArrayGetCount(request->issuers); + if (count >= CA_ISSUERS_REQUEST_THRESHOLD) { + secnotice("caissuer", "too many caIssuer entries (%ld)", (long)count); + request->callback(request->context, NULL); + SecCAIssuerRequestRelease(request); + return true; + } + while (request->issuerIX < count && request->issuerIX < MAX_CA_ISSUERS) { CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers, request->issuerIX++); CFStringRef scheme = CFURLCopyScheme(issuer); diff --git a/OSX/sec/securityd/SecDbItem.h b/OSX/sec/securityd/SecDbItem.h index 440f25e4..4e6c6dd9 100644 --- a/OSX/sec/securityd/SecDbItem.h +++ b/OSX/sec/securityd/SecDbItem.h @@ -137,13 +137,9 @@ struct SecDbItem { const SecDbClass *class; keyclass_t keyclass; keybag_handle_t keybag; - //sqlite3_int64 _rowid; - //CFDataRef _primaryKey; - //CFDataRef _sha1; - //CFDataRef _edata; enum SecDbItemState _edataState; CFMutableDictionaryRef attributes; - CFTypeRef credHandle; + CFDataRef credHandle; CFTypeRef cryptoOp; CFArrayRef callerAccessGroups; }; diff --git a/OSX/sec/securityd/SecDbKeychainItem.c b/OSX/sec/securityd/SecDbKeychainItem.c index 0386b7a5..135845fb 100644 --- a/OSX/sec/securityd/SecDbKeychainItem.c +++ b/OSX/sec/securityd/SecDbKeychainItem.c 
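Review bot: The two new limits in SecCAIssuerRequestIssue are undocumented and their interaction is not obvious from the code: a certificate with between 4 and 9 caIssuers entries has only its first `MAX_CA_ISSUERS` URLs tried, while one with `CA_ISSUERS_REQUEST_THRESHOLD` or more entries is not fetched at all and completes through the callback with NULL. A comment at the defines in the preceding hunk stating the intent (bounding the number of network fetches a certificate's AIA extension can trigger, and treating an oversized list as malformed rather than partially serviced) would save the next reader from guessing, and `static const CFIndex` definitions would type them for the `CFIndex` comparisons they are used in. The `request->issuerIX < MAX_CA_ISSUERS` bound also applies on re-entry, so once three URLs have been attempted any later call skips the loop entirely; that looks intended but is worth a one-line comment on the while condition. SecCAIssuerRequestIssue continues outside the hunk.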
@@ -94,14 +94,10 @@ const uint32_t kUseDefaultIVMask = 1<<31; const int16_t kIVSizeAESGCM = 12; // echo "keychainblobstaticiv" | openssl dgst -sha256 | cut -c1-24 | xargs -I {} echo "0x{}" | xxd -r | xxd -p -i -// 0x1e, 0xa0, 0x5c, 0xa9, 0x98, 0x2e, 0x87, 0xdc, 0xf1, 0x45, 0xe8, 0x24 - - static const uint8_t gcmIV[kIVSizeAESGCM] = { 0x1e, 0xa0, 0x5c, 0xa9, 0x98, 0x2e, 0x87, 0xdc, 0xf1, 0x45, 0xe8, 0x24 }; - /* Given plainText create and return a CFDataRef containing: BULK_KEY = RandomKey() version || keyclass|ACL || KeyStore_WRAP(keyclass, BULK_KEY) || @@ -331,12 +327,9 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro size_t blobLen = CFDataGetLength(blob); const uint8_t *cursor = CFDataGetBytePtr(blob); keyclass_t keyclass; - uint32_t wrapped_key_size; - /* Check for underflow, ensuring we have at least one full AES block left. */ - if (blobLen < sizeof(version) + sizeof(keyclass) + - CFDataGetLength(bulkKey) + v0KeyWrapOverHead + 16) { - ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow")); + if (blobLen < sizeof(version)) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (length)")); goto out; } 
@@ -348,23 +341,41 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro } cursor += sizeof(version); - - size_t minimum_blob_len = sizeof(version) + 16; - size_t ctLen = blobLen - sizeof(version); + blobLen -= sizeof(version); bool hasProtectionData = (version >= 4); if (hasProtectionData) { /* Deserialize SecAccessControl object from the blob. */ - uint32_t prot_length = *((uint32_t *)cursor); + uint32_t prot_length; + + /* + * Parse proto length + */ + + if (blobLen < sizeof(prot_length)) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (prot_length)")); + goto out; + } + + prot_length = *((uint32_t *)cursor); cursor += sizeof(prot_length); + blobLen -= sizeof(prot_length); + + /* + * Parse proto itself + */ + + if (blobLen < prot_length) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (prot)")); + goto out; + } CFTypeRef protection = kc_copy_protection_from(cursor, cursor + prot_length); if (!protection) { ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid ACL")); goto out; - } - else { + } else { access_control = SecAccessControlCreate(NULL, NULL); require_quiet(access_control, out); ok = SecAccessControlSetProtection(access_control, protection, NULL); 
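Review bot: The new block comments `/* Parse proto length */` and `/* Parse proto itself */` call the field a "proto", but what is read here is the serialized SecAccessControl protection (the bytes go to kc_copy_protection_from and then SecAccessControlSetProtection); `/* Parse length of the serialized protection (ACL) */` and `/* Parse the serialized protection itself */` match the code. The added `blobLen < prot_length` check is what makes the later `cursor + prot_length` in-bounds, and that is worth stating inline, e.g. appending `/* keeps cursor + prot_length inside the blob */` to the check. `prot_length = *((uint32_t *)cursor);` is a host-endian read at an offset that is not guaranteed to be aligned (it follows the version field); this predates the change, but `memcpy(&prot_length, cursor, sizeof(prot_length));` would avoid undefined behaviour on strict-alignment targets. ks_decrypt_data starts and ends outside the hunk.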
@@ -376,19 +387,24 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro } cursor += prot_length; + blobLen -= prot_length; - minimum_blob_len += sizeof(prot_length) + prot_length; - ctLen -= sizeof(prot_length) + prot_length; - - /* Get numeric value of keyclass from the access_control. */ + /* + * Get numeric value of keyclass from the access_control. + */ keyclass = kc_parse_keyclass(SecAccessControlGetProtection(access_control), error); if (!keyclass) { ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid ACL")); goto out; } } else { + if (blobLen < sizeof(keyclass)) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (keyclass)")); + goto out; + } + keyclass = *((keyclass_t *)cursor); - //secerror("class: %d keyclass: %d", keyclass, keyclass & key_class_last); + #if USE_KEYSTORE CFTypeRef protection = kc_encode_keyclass(keyclass & key_class_last); // mask out generation #else @@ -401,12 +417,12 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: SecAccessControlSetProtection failed"))); cursor += sizeof(keyclass); - - minimum_blob_len += sizeof(keyclass); - ctLen -= sizeof(keyclass); + blobLen -= sizeof(keyclass); } size_t tagLen = 0; + uint32_t wrapped_key_size = 0; + switch (version) { case 0: wrapped_key_size = (uint32_t)CFDataGetLength(bulkKey) + v0KeyWrapOverHead; 
@@ -420,28 +436,44 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro case 5: case 6: tagLen = 16; - minimum_blob_len -= 16; // Remove PKCS7 padding block requirement - ctLen -= tagLen; // Remove tagLen from ctLen /* DROPTHROUGH */ case 1: + if (blobLen < sizeof(wrapped_key_size)) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (wrapped_key_size)")); + goto out; + } wrapped_key_size = *((uint32_t *)cursor); + cursor += sizeof(wrapped_key_size); - minimum_blob_len += sizeof(wrapped_key_size); - ctLen -= sizeof(wrapped_key_size); + blobLen -= sizeof(wrapped_key_size); + break; default: ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid version %d"), version); goto out; } - /* Validate key wrap length against total length */ - require(blobLen - minimum_blob_len - tagLen >= wrapped_key_size, out); - ctLen -= wrapped_key_size; - if (version < 2 && (ctLen & 0xF) != 0) { - ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid version")); + if (blobLen < tagLen + wrapped_key_size) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (wrapped_key/taglen)")); goto out; } + size_t ctLen = blobLen - tagLen - wrapped_key_size; + + /* + * Pre-version 2 have some additial constraints since it use AES in CBC mode + */ + if (version < 2) { + if (ctLen < kCCBlockSizeAES128) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: Check for underflow (CBC check)")); + goto out; + } + if ((ctLen & 0xF) != 0) { + ok = SecError(errSecDecode, error, CFSTR("ks_decrypt_data: invalid length on CBC data")); + goto out; + } + } + #if USE_KEYSTORE if (hasProtectionData) { if (caller_access_groups) { 
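Review bot: `if (blobLen < tagLen + wrapped_key_size)` can wrap on a 32-bit `size_t`: `tagLen` is 16 for versions 2–6 and `wrapped_key_size` comes straight from the blob, so a value near `UINT32_MAX` makes the sum small, the check passes, and `ctLen = blobLen - tagLen - wrapped_key_size` underflows. Subtracting in two steps avoids it: `if (blobLen < tagLen || blobLen - tagLen < wrapped_key_size) {`. In the `case 0:` branch `wrapped_key_size` is derived from `bulkKey` rather than the blob and is only validated by this same comparison, so the comparison carries the whole check for that version. Minor wording in the new comment: `Pre-version 2 have some additial constraints since it use AES in CBC mode` reads better as `Pre-version-2 blobs have additional constraints because they use AES in CBC mode`.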
@@ -457,6 +489,9 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro require_quiet(ok = ks_delete_acl(ref_key, ed_data, acm_context, caller_access_groups_data, access_control, error), out); attributes = CFRetainSafe(authenticated_attributes); goto out; + } else { + ok = SecError(errSecInternal, error, CFSTR("ks_decrypt_data: invalid operation")); + goto out; } } else #endif @@ -467,7 +502,7 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro } if (iv) { - // AAD is (version || ac_data || key_wrapped_size) + // AAD is (version || ... [|| key_wrapped_size ]) aad = CFDataGetBytePtr(blob); aadLen = cursor - aad; } @@ -617,11 +652,12 @@ static CFTypeRef kc_encode_keyclass(keyclass_t keyclass) { static bool kc_attribs_key_encrypted_data_from_blob(keybag_handle_t keybag, const SecDbClass *class, const void *blob_data, size_t blob_data_len, SecAccessControlRef access_control, uint32_t version, CFMutableDictionaryRef *authenticated_attributes, aks_ref_key_t *ref_key, CFDataRef *encrypted_data, CFErrorRef *error) { - bool ok = false; + CFMutableDictionaryRef acl = NULL; CFDictionaryRef blob_dict = NULL; + aks_ref_key_t tmp_ref_key = NULL; CFDataRef key_data = NULL; CFDataRef ed = NULL; - aks_ref_key_t tmp_ref_key = NULL; + bool ok = false; der_decode_plist(NULL, kCFPropertyListImmutable, (CFPropertyListRef*)&blob_dict, NULL, blob_data, blob_data + blob_data_len); require_action_quiet(blob_dict, out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: failed to decode 'blob data'"))); 
@@ -633,7 +669,6 @@ static bool kc_attribs_key_encrypted_data_from_blob(keybag_handle_t keybag, cons require_action_quiet(ed, out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: failed to decode 'encrypted data'"))); require_action_quiet(key_data, out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: failed to decode 'key data'"))); - CFMutableDictionaryRef acl = NULL; const void *external_data = NULL; size_t external_data_len = 0; require_quiet(external_data = ks_ref_key_get_external_data(keybag, key_data, &tmp_ref_key, &external_data_len, error), out); @@ -656,10 +691,14 @@ static bool kc_attribs_key_encrypted_data_from_blob(keybag_handle_t keybag, cons if (acl) { /* v4 data format used wrong ACL placement, for backward compatibility we have to support both formats */ - if (version == 4) + if (version == 4) { SecAccessControlSetConstraints(access_control, acl); - else - SecAccessControlSetConstraints(access_control, CFDictionaryGetValue(acl, kAKSKeyAcl)); + } else { + CFDictionaryRef constraints = CFDictionaryGetValue(acl, kAKSKeyAcl); + require_action_quiet(isDictionary(constraints), out, + SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: acl missing"))); + SecAccessControlSetConstraints(access_control, constraints); + } /* v4/v5 data format usualy does not contain kAKSKeyOpEncrypt, so add kAKSKeyOpEncrypt if is missing */ if (version < 6) { @@ -668,7 +707,6 @@ static bool kc_attribs_key_encrypted_data_from_blob(keybag_handle_t keybag, cons SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpEncrypt, kCFBooleanTrue, NULL); } - CFRelease(acl); } if (encrypted_data) @@ -687,7 +725,9 @@ out: CFReleaseSafe(blob_dict); CFReleaseSafe(key_data); CFReleaseSafe(ed); - + CFReleaseSafe(acl); + + return ok; } diff --git a/OSX/sec/securityd/SecDbQuery.h b/OSX/sec/securityd/SecDbQuery.h index 7d1e1fab..651e4db6 100644 --- a/OSX/sec/securityd/SecDbQuery.h 
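Review bot: The new `isDictionary(constraints)` guard in the `@@ -656` hunk protects only the non-v4 branch; on the `version == 4` branch `acl` is handed to `SecAccessControlSetConstraints` as-is, and whether its type was verified where it was decoded is outside this hunk. If it was not, a `require_action_quiet(isDictionary(acl), out, SecError(errSecDecode, error, CFSTR("kc_attribs_key_encrypted_data_from_blob: acl not a dictionary")));` before `if (version == 4)` would make both formats equally strict. Moving the release of `acl` to the `out:` label in the last hunk on this line correctly covers the new early exit, so no leak is introduced by the added `require_action_quiet`. kc_attribs_key_encrypted_data_from_blob begins in the previous line's hunk.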
+++ b/OSX/sec/securityd/SecDbQuery.h @@ -110,7 +110,7 @@ typedef struct Query /* ACL and credHandle passed to the query. q_cred_handle contain LA context object. */ SecAccessControlRef q_access_control; - CFTypeRef q_use_cred_handle; + CFDataRef q_use_cred_handle; // Flag indicating that ui-protected items should be simply skipped // instead of reporting them to the client as an error. diff --git a/OSX/sec/securityd/SecItemBackupServer.c b/OSX/sec/securityd/SecItemBackupServer.c index b6a45cf5..46e480af 100644 --- a/OSX/sec/securityd/SecItemBackupServer.c +++ b/OSX/sec/securityd/SecItemBackupServer.c @@ -23,7 +23,7 @@ #include #include -#include +#include #include #include #include @@ -50,7 +50,7 @@ static bool withDataSourceAndEngine(CFErrorRef *error, void (^action)(SOSDataSou int SecServerItemBackupHandoffFD(CFStringRef backupName, CFErrorRef *error) { __block int fd = -1; if (!withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) { - SOSEngineForPeerIDNoCoder(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) { + SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) { fd = SOSPeerHandoffFD(peer, error); }); }) && fd >= 0) { diff --git a/OSX/sec/securityd/SecItemDb.c b/OSX/sec/securityd/SecItemDb.c index a94acc7c..3df04a2d 100644 --- a/OSX/sec/securityd/SecItemDb.c +++ b/OSX/sec/securityd/SecItemDb.c @@ -335,8 +335,11 @@ struct s3dl_query_ctx { optional data, class and persistent ref results. This is so we can use the CFDictionaryCreate() api here rather than appending to a mutable dictionary. */ -static CF_RETURNS_RETAINED CFTypeRef handle_result(Query *q, CFMutableDictionaryRef item, - sqlite_int64 rowid) { +static CF_RETURNS_RETAINED CFTypeRef +handle_result(Query *q, + CFMutableDictionaryRef item, + sqlite_int64 rowid) +{ CFTypeRef a_result; CFDataRef data; data = CFDictionaryGetValue(item, kSecValueData); 
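Review bot: Narrowing `q_use_cred_handle` from `CFTypeRef` to `CFDataRef` is a declaration-only change; every place that assigns this field from caller-supplied query attributes now needs a `CFGetTypeID(value) == CFDataGetTypeID()` check, since a non-data value would otherwise reach CFData accessors with nothing at the call site showing the mismatch. Those assignment sites are not in this chunk, so this is a request to confirm rather than a found defect. A comment on the field such as `// Must be CFData; type-checked when the query is parsed` would record where the contract is enforced.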
@@ -390,7 +393,7 @@ static void s3dl_query_row(sqlite3_stmt *stmt, void *context) { Query *q = c->q; sqlite_int64 rowid = sqlite3_column_int64(stmt, 0); - CFMutableDictionaryRef item; + CFMutableDictionaryRef item = NULL; bool ok = s3dl_item_from_col(stmt, q, 1, c->accessGroups, &item, NULL, &q->q_error); if (!ok) { OSStatus status = SecErrorGetOSStatus(q->q_error); @@ -584,7 +587,10 @@ static CFStringRef s3dl_select_sql(Query *q, CFArrayRef accessGroups) { CFStringAppend(sql, q->q_class->name); SecDbAppendWhereClause(sql, q, accessGroups); } - SecDbAppendLimit(sql, q->q_limit); + //do not append limit for all queries which needs filtering + if (q->q_match_issuer == NULL && q->q_match_policy == NULL && q->q_match_valid_on_date == NULL && q->q_match_trusted_only == NULL) { + SecDbAppendLimit(sql, q->q_limit); + } return sql; } @@ -741,7 +747,7 @@ s3dl_query(s3dl_handle_row handle_row, if (sql_ok) sql_ok = sqlBindWhereClause(stmt, q, accessGroups, ¶m, error); if (sql_ok) { - SecDbForEach(stmt, error, ^bool (int row_index) { + SecDbForEach(dbt, stmt, error, ^bool (int row_index) { handle_row(stmt, context); bool needs_auth = q->q_error && CFErrorGetCode(q->q_error) == errSecAuthNeeded; diff --git a/OSX/sec/securityd/SecItemServer.c b/OSX/sec/securityd/SecItemServer.c index 6e2a3b44..a22e5375 100644 --- a/OSX/sec/securityd/SecItemServer.c +++ b/OSX/sec/securityd/SecItemServer.c @@ -44,10 +44,12 @@ #include #include +#if USE_KEYSTORE +#include +#endif // TODO: Make this include work on both platforms. rdar://problem/16526848 #if TARGET_OS_EMBEDDED #include -#include #else /* defines from */ #define kSecEntitlementAssociatedDomains CFSTR("com.apple.developer.associated-domains") 
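Review bot: Dropping the SQL `LIMIT` for filtered queries in the `@@ -584` hunk means `q->q_limit` must now be enforced after the issuer/policy/date/trusted-only filtering in the row handler, otherwise a caller that asked for a single match would receive every matching row; that handler is not in this hunk, so please confirm it counts results against the limit. The four-way NULL comparison is also worth naming, e.g. `static bool query_needs_post_filtering(const Query *q)` and then `if (!query_needs_post_filtering(q)) { SecDbAppendLimit(sql, q->q_limit); }`, which also gives the `//do not append limit ...` comment a home. s3dl_select_sql begins outside the hunk.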
@@ -712,17 +714,55 @@ static bool SecServerImportBackupableKeychain(SecDbConnectionRef dbt, }); } +#if USE_KEYSTORE +/* + * Similar to ks_open_keybag, but goes through MKB interface + */ +static bool mkb_open_keybag(CFDataRef keybag, CFDataRef password, MKBKeyBagHandleRef *handle, CFErrorRef *error) { + kern_return_t rc; + MKBKeyBagHandleRef mkbhandle = NULL; + + rc = MKBKeyBagCreateWithData(keybag, &mkbhandle); + if (rc != kMobileKeyBagSuccess) { + return SecKernError(rc, error, CFSTR("MKBKeyBagCreateWithData failed: %d"), rc); + } + + if (password) { + rc = MKBKeyBagUnlock(mkbhandle, password); + if (rc != kMobileKeyBagSuccess) { + CFRelease(mkbhandle); + return SecKernError(rc, error, CFSTR("failed to unlock bag: %d"), rc); + } + } + + *handle = mkbhandle; + + return true; +} +#endif + + static CFDataRef SecServerKeychainCreateBackup(SecDbConnectionRef dbt, SecurityClient *client, CFDataRef keybag, CFDataRef password, CFErrorRef *error) { CFDataRef backup = NULL; keybag_handle_t backup_keybag; - if (ks_open_keybag(keybag, password, &backup_keybag, error)) { - /* Export from system keybag to backup keybag. */ - backup = SecServerExportBackupableKeychain(dbt, client, KEYBAG_DEVICE, backup_keybag, error); - if (!ks_close_keybag(backup_keybag, error)) { - CFReleaseNull(backup); - } - } +#if USE_KEYSTORE + MKBKeyBagHandleRef mkbhandle = NULL; + require(mkb_open_keybag(keybag, password, &mkbhandle, error), out); + + require_noerr(MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag), out); + +#else + backup_keybag = KEYBAG_NONE; +#endif + /* Export from system keybag to backup keybag. */ + backup = SecServerExportBackupableKeychain(dbt, client, KEYBAG_DEVICE, backup_keybag, error); + +out: +#if USE_KEYSTORE + if (mkbhandle) + CFRelease(mkbhandle); +#endif return backup; } 
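Review bot: `require_noerr(MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag), out);` jumps to `out` without populating `*error`, so `SecServerKeychainCreateBackup` returns NULL with no CFError for the caller to report, while `mkb_open_keybag` just above it does set the error on every failure; the same pattern is in `SecServerKeychainRestore` in the next hunk. Capturing the result keeps the contract: `kern_return_t rc = MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag);` followed by `require_noerr_action(rc, out, SecKernError(rc, error, CFSTR("MKBKeyBagGetAKSHandle failed: %d"), rc));`. On the `!USE_KEYSTORE` branch `keybag` and `password` are now unused and the export runs against `KEYBAG_NONE`; a one-line comment stating that this is the intended behaviour without a keystore would save the next reader a question. The new `mkb_open_keybag` could also carry `/* On failure *handle is left untouched and *error is set. */` so callers know they need not pre-initialise the handle.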
@@ -733,15 +773,25 @@ static bool SecServerKeychainRestore(SecDbConnectionRef dbt, CFDataRef password, CFErrorRef *error) { + bool ok = false; keybag_handle_t backup_keybag; - if (!ks_open_keybag(keybag, password, &backup_keybag, error)) - return false; +#if USE_KEYSTORE + MKBKeyBagHandleRef mkbhandle = NULL; + require(mkb_open_keybag(keybag, password, &mkbhandle, error), out); + require_noerr(MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag), out); +#else + backup_keybag = KEYBAG_NONE; +#endif /* Import from backup keybag to system keybag. */ - bool ok = SecServerImportBackupableKeychain(dbt, client, backup_keybag, KEYBAG_DEVICE, - backup, error); - ok &= ks_close_keybag(backup_keybag, error); + require(SecServerImportBackupableKeychain(dbt, client, backup_keybag, KEYBAG_DEVICE, backup, error), out); + ok = true; +out: +#if USE_KEYSTORE + if (mkbhandle) + CFRelease(mkbhandle); +#endif return ok; } @@ -1643,6 +1693,8 @@ fail: // MARK: - // MARK: Shared web credentials +#if TARGET_OS_IOS + /* constants */ #define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v); @@ -2401,6 +2453,9 @@ cleanup: return ok; } +#endif /* TARGET_OS_IOS */ + + // MARK: - // MARK: Keychain backup diff --git a/OSX/sec/securityd/SecItemServer.h b/OSX/sec/securityd/SecItemServer.h index 5c394d8d..9d3986ee 100644 --- a/OSX/sec/securityd/SecItemServer.h +++ b/OSX/sec/securityd/SecItemServer.h 
@@ -67,10 +67,10 @@ bool _SecServerRestoreSyncable(CFDictionaryRef backup, CFDataRef keybag, CFDataR bool _SecServerTransmogrifyToSystemKeychain(SecurityClient *client, CFErrorRef *error); bool _SecServerTransmogrifyToSyncBubble(CFArrayRef services, uid_t uid, SecurityClient *client, CFErrorRef *error); bool _SecServerDeleteMUSERViews(SecurityClient *client, uid_t uid, CFErrorRef *error); -#endif bool _SecAddSharedWebCredential(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error); bool _SecCopySharedWebCredential(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error); +#endif /* TARGET_OS_IOS */ // Hack to log objects from inside SOS code void SecItemServerAppendItemDescription(CFMutableStringRef desc, CFDictionaryRef object); diff --git a/OSX/sec/securityd/SecKeybagSupport.c b/OSX/sec/securityd/SecKeybagSupport.c index 88aeeb00..45797da4 100644 --- a/OSX/sec/securityd/SecKeybagSupport.c +++ b/OSX/sec/securityd/SecKeybagSupport.c @@ -86,11 +86,14 @@ static bool hwaes_key_available(void) { keybag_handle_t handle = bad_keybag_handle; keybag_handle_t special_handle = bad_keybag_handle; -#if TARGET_OS_MAC && !TARGET_OS_EMBEDDED +#if TARGET_OS_OSX special_handle = session_keybag_handle; #elif TARGET_OS_EMBEDDED special_handle = device_keybag_handle; +#else +#error "supported keybag target" #endif + kern_return_t kr = aks_get_system(special_handle, &handle); if (kr != kIOReturnSuccess) { #if TARGET_OS_EMBEDDED diff --git a/OSX/sec/securityd/SecPolicyServer.c b/OSX/sec/securityd/SecPolicyServer.c index 2730c316..78dbc697 100644 --- a/OSX/sec/securityd/SecPolicyServer.c +++ b/OSX/sec/securityd/SecPolicyServer.c 
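Review bot: The new `#error "supported keybag target"` in the SecKeybagSupport.c hunk reads as the opposite of what it reports; `#error "unsupported keybag target"` says what the build break means. Otherwise replacing `TARGET_OS_MAC && !TARGET_OS_EMBEDDED` with `TARGET_OS_OSX` and failing the build for any other target is the right direction, since on an unlisted target `special_handle` would otherwise reach `aks_get_system` still set to `bad_keybag_handle`. hwaes_key_available begins before the hunk.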
@@ -2614,6 +2614,9 @@ static void SecORVCFinish(SecORVCRef orvc) { } } +#define MAX_OCSP_RESPONDERS 3 +#define OCSP_REQUEST_THRESHOLD 10 + /* Return the next responder we should contact for this rvc or NULL if we exhausted them all. */ static CFURLRef SecORVCGetNextResponder(SecORVCRef rvc) { @@ -2621,7 +2624,11 @@ static CFURLRef SecORVCGetNextResponder(SecORVCRef rvc) { CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert); if (ocspResponders) { CFIndex responderCount = CFArrayGetCount(ocspResponders); - while (rvc->responderIX < responderCount) { + if (responderCount >= OCSP_REQUEST_THRESHOLD) { + secnotice("rvc", "too many ocsp responders (%ld)", (long)responderCount); + return NULL; + } + while (rvc->responderIX < responderCount && rvc->responderIX < MAX_OCSP_RESPONDERS) { CFURLRef responder = CFArrayGetValueAtIndex(ocspResponders, rvc->responderIX); rvc->responderIX++; CFStringRef scheme = CFURLCopyScheme(responder); @@ -3013,12 +3020,19 @@ static void SecCRVCFinish(SecCRVCRef crvc) { // nothing yet } +#define MAX_CRL_DPS 3 +#define CRL_REQUEST_THRESHOLD 10 + static CFURLRef SecCRVCGetNextDistributionPoint(SecCRVCRef rvc) { SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); CFArrayRef crlDPs = SecCertificateGetCRLDistributionPoints(cert); if (crlDPs) { CFIndex crlDPCount = CFArrayGetCount(crlDPs); - while (rvc->distributionPointIX < crlDPCount) { + if (crlDPCount >= CRL_REQUEST_THRESHOLD) { + secnotice("rvc", "too many CRL DP entries (%ld)", (long)crlDPCount); + return NULL; + } + while (rvc->distributionPointIX < crlDPCount && rvc->distributionPointIX < MAX_CRL_DPS) { CFURLRef distributionPoint = CFArrayGetValueAtIndex(crlDPs, rvc->distributionPointIX); rvc->distributionPointIX++; CFStringRef scheme = CFURLCopyScheme(distributionPoint); 
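Review bot: When a certificate lists `OCSP_REQUEST_THRESHOLD` (10) or more responders, `SecORVCGetNextResponder` now returns NULL before any responder is tried, so such a certificate gets no OCSP fetch at all; whether that ends as "no revocation information" or as a hard failure depends on the caller, which is outside this hunk, and the intent deserves a comment beside the define, e.g. `/* A certificate listing this many responders is treated as abusive: no fetches are attempted and revocation falls back to the caller's default. */`. The same threshold/cap pair is duplicated for CRL distribution points in the third hunk on this line; one helper taking the array, the current index and the cap would keep the two in step. As a matter of style the four bare `#define`s are unprefixed and untyped, where `static const CFIndex kMaxOCSPResponders = 3;` and friends match the surrounding CF code and give the `%ld` casts a typed source.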
@@ -3595,7 +3609,11 @@ void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathRef path, policy_tree_prune(&pvc->valid_policy_tree); } pvc->policyIX = 0; - pvc->result = true; + + /* Since we don't run the LeafChecks again, we need to preserve the + * result the leaf had. */ + pvc->result = (details) ? (CFDictionaryGetCount(CFArrayGetValueAtIndex(details, 0)) == 0) + : true; } SecPolicyRef SecPVCGetPolicy(SecPVCRef pvc) { @@ -3982,7 +4000,7 @@ static bool SecPVCContainsString(SecPVCRef pvc, CFIndex policyIX, CFStringRef st tmpStringValue = CFStringCreateCopy(NULL, stringValue); } if (policyIX >= 0 && policyIX < CFArrayGetCount(pvc->policies)) { - SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, policyIX); + SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, policyIX); /* Have to look for all the possible locations of name string */ CFStringRef policyString = NULL; policyString = CFDictionaryGetValue(policy->_options, kSecPolicyCheckSSLHostname); 
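Review bot: `CFArrayGetValueAtIndex(details, 0)` in the new `pvc->result` expression assumes `details` is non-empty and that its first element is a dictionary; an empty `details` array would raise a CF range exception here. Guarding the count keeps the existing fallback: `pvc->result = (details && CFArrayGetCount(details) > 0) ? (CFDictionaryGetCount(CFArrayGetValueAtIndex(details, 0)) == 0) : true;`. Whether `details` always holds one entry per certificate by the time SecPVCSetPath runs is not visible in this hunk. SecPVCSetPath's signature lies before the hunk.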
@@ -4227,6 +4245,84 @@ bool SecPVCCheckUsageConstraints(SecPVCRef pvc) { return shouldDeny; } +#define kSecPolicySHA256Size 32 +static const UInt8 kTestDateConstraintsRoot[kSecPolicySHA256Size] = { + 0x51,0xA0,0xF3,0x1F,0xC0,0x1D,0xEC,0x87,0x32,0xB6,0xFD,0x13,0x6A,0x43,0x4D,0x6C, + 0x87,0xCD,0x62,0xE0,0x38,0xB4,0xFB,0xD6,0x40,0xB0,0xFD,0x62,0x4D,0x1F,0xCF,0x6D +}; +static const UInt8 kWS_CA1_G2[kSecPolicySHA256Size] = { + 0xD4,0x87,0xA5,0x6F,0x83,0xB0,0x74,0x82,0xE8,0x5E,0x96,0x33,0x94,0xC1,0xEC,0xC2, + 0xC9,0xE5,0x1D,0x09,0x03,0xEE,0x94,0x6B,0x02,0xC3,0x01,0x58,0x1E,0xD9,0x9E,0x16 +}; +static const UInt8 kWS_CA1_NEW[kSecPolicySHA256Size] = { + 0x4B,0x22,0xD5,0xA6,0xAE,0xC9,0x9F,0x3C,0xDB,0x79,0xAA,0x5E,0xC0,0x68,0x38,0x47, + 0x9C,0xD5,0xEC,0xBA,0x71,0x64,0xF7,0xF2,0x2D,0xC1,0xD6,0x5F,0x63,0xD8,0x57,0x08 +}; +static const UInt8 kWS_CA2_NEW[kSecPolicySHA256Size] = { + 0xD6,0xF0,0x34,0xBD,0x94,0xAA,0x23,0x3F,0x02,0x97,0xEC,0xA4,0x24,0x5B,0x28,0x39, + 0x73,0xE4,0x47,0xAA,0x59,0x0F,0x31,0x0C,0x77,0xF4,0x8F,0xDF,0x83,0x11,0x22,0x54 +}; +static const UInt8 kWS_ECC[kSecPolicySHA256Size] = { + 0x8B,0x45,0xDA,0x1C,0x06,0xF7,0x91,0xEB,0x0C,0xAB,0xF2,0x6B,0xE5,0x88,0xF5,0xFB, + 0x23,0x16,0x5C,0x2E,0x61,0x4B,0xF8,0x85,0x56,0x2D,0x0D,0xCE,0x50,0xB2,0x9B,0x02 +}; +static const UInt8 kSC_SFSCA[kSecPolicySHA256Size] = { + 0xC7,0x66,0xA9,0xBE,0xF2,0xD4,0x07,0x1C,0x86,0x3A,0x31,0xAA,0x49,0x20,0xE8,0x13, + 0xB2,0xD1,0x98,0x60,0x8C,0xB7,0xB7,0xCF,0xE2,0x11,0x43,0xB8,0x36,0xDF,0x09,0xEA +}; +static const UInt8 kSC_SHA2[kSecPolicySHA256Size] = { + 0xE1,0x78,0x90,0xEE,0x09,0xA3,0xFB,0xF4,0xF4,0x8B,0x9C,0x41,0x4A,0x17,0xD6,0x37, + 0xB7,0xA5,0x06,0x47,0xE9,0xBC,0x75,0x23,0x22,0x72,0x7F,0xCC,0x17,0x42,0xA9,0x11 +}; +static const UInt8 kSC_G2[kSecPolicySHA256Size] = { + 0xC7,0xBA,0x65,0x67,0xDE,0x93,0xA7,0x98,0xAE,0x1F,0xAA,0x79,0x1E,0x71,0x2D,0x37, + 0x8F,0xAE,0x1F,0x93,0xC4,0x39,0x7F,0xEA,0x44,0x1B,0xB7,0xCB,0xE6,0xFD,0x59,0x95 +}; + +bool SecPVCCheckIssuerDateConstraints(SecPVCRef pvc) { 
+ static CFSetRef sConstrainedRoots = NULL; + static dispatch_once_t _t; + dispatch_once(&_t, ^{ + const UInt8 *v_hashes[] = { + kWS_CA1_G2, kWS_CA1_NEW, kWS_CA2_NEW, kWS_ECC, + kSC_SFSCA, kSC_SHA2, kSC_G2, kTestDateConstraintsRoot + }; + CFMutableSetRef set = CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks); + CFIndex ix, count = sizeof(v_hashes)/sizeof(*v_hashes); + for (ix=0; ixpath); + for (certIX = certCount - 1; certIX >= 0 && !shouldDeny; certIX--) { + SecCertificateRef cert = SecCertificatePathGetCertificateAtIndex(pvc->path, certIX); + CFDataRef sha256 = SecCertificateCopySHA256Digest(cert); + if (sha256 && CFSetContainsValue(sConstrainedRoots, sha256)) { + /* matched a constrained root; check notBefore dates on all its children. */ + CFIndex childIX = certIX; + while (--childIX >= 0) { + SecCertificateRef child = SecCertificatePathGetCertificateAtIndex(pvc->path, childIX); + /* 1 Dec 2016 00:00:00 GMT */ + if (child && (CFAbsoluteTime)502243200.0 <= SecCertificateNotValidBefore(child)) { + SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey, certIX, kCFBooleanFalse, true); + shouldDeny = true; + break; + } + } + } + CFReleaseNull(sha256); + } + return shouldDeny; +} + /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its cf type has been checked. 
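Review bot: The cut-off date in `SecPVCCheckIssuerDateConstraints` is a bare literal, `(CFAbsoluteTime)502243200.0`, with only an inline comment naming it; a file-scope `static const CFAbsoluteTime kIssuerDateConstraintNotBefore = 502243200.0; /* 1 Dec 2016 00:00:00 GMT */` next to the digest tables makes the rule reviewable in one place and is the natural spot for the next cut-off. Failures are recorded under `kSecPolicyCheckBlackListedKey`, so trust diagnostics will show a key-blacklist hit rather than a date constraint; if no dedicated check key exists, a comment saying the reuse is deliberate would help whoever reads the details dictionary. The function also lacks a header comment; `/* Deny the path when a child of one of the listed constrained roots has a notBefore at or after the cut-off date. */` states the rule. The middle of the loop is garbled on this page, so I have read it as iterating from the end of the path towards the leaf.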
@@ -4244,19 +4340,22 @@ bool SecPVCPathChecks(SecPVCRef pvc) { } CFArrayRef policies = pvc->policies; - CFIndex count = CFArrayGetCount(policies); - for (; pvc->policyIX < count; ++pvc->policyIX) { + CFIndex count = CFArrayGetCount(policies); + for (; pvc->policyIX < count; ++pvc->policyIX) { /* Validate all keys for all policies. */ pvc->callbacks = gSecPolicyPathCallbacks; - SecPolicyRef policy = SecPVCGetPolicy(pvc); + SecPolicyRef policy = SecPVCGetPolicy(pvc); CFDictionaryApplyFunction(policy->_options, SecPVCValidateKey, pvc); if (!pvc->result && !pvc->details) return completed; - } + } /* Check whether the TrustSettings say to deny a cert in the path. */ (void)SecPVCCheckUsageConstraints(pvc); + /* Check for issuer date constraints. */ + (void)SecPVCCheckIssuerDateConstraints(pvc); + /* Check the things we can't check statically for the certificate path. */ /* Critical Extensions, chainLength. */ diff --git a/OSX/sec/securityd/SecPolicyServer.h b/OSX/sec/securityd/SecPolicyServer.h index ecae581d..a690bc64 100644 --- a/OSX/sec/securityd/SecPolicyServer.h +++ b/OSX/sec/securityd/SecPolicyServer.h @@ -135,6 +135,8 @@ SecTrustSettingsResult SecPVCGetTrustSettingsResult(SecPVCRef pvc, SecCertificat bool SecPVCCheckUsageConstraints(SecPVCRef pvc); +bool SecPVCCheckIssuerDateConstraints(SecPVCRef pvc); + __END_DECLS #endif /* !_SECURITY_SECPOLICYSERVER_H_ */ diff --git a/OSX/sec/securityd/SecTrustServer.c b/OSX/sec/securityd/SecTrustServer.c index 1b36ba36..84faea33 100644 --- a/OSX/sec/securityd/SecTrustServer.c +++ b/OSX/sec/securityd/SecTrustServer.c @@ -40,8 +40,10 @@ #include #include #include +#include #include #include +#include #include #include #include @@ -53,6 +55,7 @@ #include #include #include +#include #include #include "SecRSAKey.h" #include @@ -65,6 +68,10 @@ #include "personalization.h" #include +#if TARGET_OS_OSX +#include +#endif + /******************************************************** ***************** OTA Trust support ******************** 
@@ -1186,8 +1193,12 @@ static bool SecPathBuilderIsPartial(SecPathBuilderRef builder, if (SecCertificatePathIsAnchored(path)) { secdebug("trust", "Adding candidate %@", path); CFArrayAppendValue(builder->candidatePaths, path); - return false; } + /* The path is not partial if the last cert is self-signed. */ + if ((SecCertificatePathSelfSignedIndex(path) >= 0) && + (SecCertificatePathSelfSignedIndex(path) == SecCertificatePathGetCount(path)-1)) { + return false; + } } return true; @@ -1536,8 +1547,8 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) { } /* Accept a partial path if certificate is on the allow list - and is temporally valid. */ - if (completed && pvc->is_allowlisted && + and is temporally valid and passed all PVC checks. */ + if (completed && pvc->is_allowlisted && pvc->result && builder->bestPathScore < ACCEPT_PATH_SCORE && SecCertificatePathIsValid(pvc->path, pvc->verifyTime)) { builder->bestPathScore += ACCEPT_PATH_SCORE; @@ -1548,6 +1559,7 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) { return completed; } + static bool SecPathBuilderReportResult(SecPathBuilderRef builder) { SecPVCRef pvc = &builder->path; bool haveRevocationResponse = false; @@ -1660,10 +1672,10 @@ bool SecPathBuilderStep(SecPathBuilderRef builder) { } SecTrustResultType result = kSecTrustResultInvalid; - if (builder->bestPathScore > ACCEPT_PATH_SCORE) { - result = kSecTrustResultUnspecified; - } else if (builder->denyBestPath) { + if (builder->denyBestPath) { result = kSecTrustResultDeny; + } else if (builder->bestPathScore > ACCEPT_PATH_SCORE) { + result = kSecTrustResultUnspecified; } else { result = kSecTrustResultRecoverableTrustFailure; } diff --git a/OSX/sec/securityd/spi.c b/OSX/sec/securityd/spi.c index d57c7968..9416e4e7 100644 --- a/OSX/sec/securityd/spi.c +++ b/OSX/sec/securityd/spi.c 
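Review bot: `SecCertificatePathSelfSignedIndex(path)` is evaluated twice in the new condition; `CFIndex selfSignedIX = SecCertificatePathSelfSignedIndex(path);` followed by `if (selfSignedIX >= 0 && selfSignedIX == SecCertificatePathGetCount(path) - 1) { return false; }` reads more directly. An anchored path is now still reported as partial unless its last certificate is self-signed, which changes how the builder continues past `Adding candidate`; a comment on the `if` stating why an anchored-but-not-self-signed path should keep being extended would make that intent explicit. In the `@@ -1660` hunk, testing `denyBestPath` before the score is the right order: a deny must not be masked by a high path score.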
@@ -42,21 +42,28 @@ static struct securityd spi = { #if !TRUSTD_SERVER + /* Trustd must xpc to secd to use these. */ .sec_item_add = _SecItemAdd, .sec_item_copy_matching = _SecItemCopyMatching, .sec_item_update = _SecItemUpdate, .sec_item_delete = _SecItemDelete, +#if TARGET_OS_IOS .sec_add_shared_web_credential = _SecAddSharedWebCredential, .sec_copy_shared_web_credential = _SecCopySharedWebCredential, +#endif .sec_trust_store_for_domain = SecTrustStoreForDomainName, .sec_trust_store_contains = SecTrustStoreContainsCertificateWithDigest, .sec_trust_store_set_trust_settings = _SecTrustStoreSetTrustSettings, .sec_trust_store_remove_certificate = SecTrustStoreRemoveCertificateWithDigest, .sec_truststore_remove_all = _SecTrustStoreRemoveAll, .sec_item_delete_all = _SecItemDeleteAll, -#endif /* !TRUSTD_SERVER */ +#endif +#if TRUSTD_SERVER || TARGET_OS_IPHONE + /* Local trust evaluation only occurs in trustd and iOS securityd */ .sec_trust_evaluate = SecTrustServerEvaluate, +#endif #if !TRUSTD_SERVER + /* Trustd must xpc to secd to use these. */ .sec_keychain_backup = _SecServerKeychainCreateBackup, .sec_keychain_restore = _SecServerKeychainRestore, .sec_keychain_backup_syncable = _SecServerBackupSyncable, diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleISTCA2G1.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleISTCA2G1.cer new file mode 100644 index 00000000..46711ce4 Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleISTCA2G1.cer differ diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleSystemIntegration2CA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleSystemIntegration2CA.cer new file mode 100644 index 00000000..23979e49 Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleSystemIntegration2CA.cer differ 
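Review bot: The new guard `#if TRUSTD_SERVER || TARGET_OS_IPHONE` uses `TARGET_OS_IPHONE`, while the shared-web-credential entries a few lines up, and the matching `#if TARGET_OS_IOS` blocks in SecItemServer.c and SecItemServer.h elsewhere in this diff, use `TARGET_OS_IOS`; the two are not equivalent, since `TARGET_OS_IPHONE` also covers the other embedded platforms. If the intent is "iOS securityd only", as the comment says, `#if TRUSTD_SERVER || TARGET_OS_IOS` matches both the comment and the rest of the change; if the wider set is intended, adjusting the comment to say so avoids the next reader flagging it. The old/new line counts of this hunk do not match what is shown here, so a line or two may have been lost in extraction.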
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/GeoTrustGlobalCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/GeoTrustGlobalCA.cer new file mode 100644 index 00000000..4ae42e81 Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/GeoTrustGlobalCA.cer differ diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/GoogleInternetAuthority.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/GoogleInternetAuthority.cer new file mode 100644 index 00000000..3a0b158e Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/GoogleInternetAuthority.cer differ diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/LASecureIOStaticAssetSigning.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/LASecureIOStaticAssetSigning.cer new file mode 100644 index 00000000..af1a1a32 Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/LASecureIOStaticAssetSigning.cer differ diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/LASecureIOStaticAssetSigningTest.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/LASecureIOStaticAssetSigningTest.cer new file mode 100644 index 00000000..31507550 Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/LASecureIOStaticAssetSigningTest.cer differ diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist index 18ffe221..ae644116 100644 --- a/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist +++ b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist 
@@ -408,6 +408,40 @@ ChainLength 3 + + MajorTestName + AppleSSLPinned + MinorTestName + PositiveTest-Test-NewOidStyle + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.63 + Properties + + SecPolicyPolicyName + TLSPinningTest + SecPolicyLeafMarkerOid + 1.2.840.113635.100.6.27.42 + SecPolicyName + tlspinningtest.apple.com + + + Leaf + test_new_oids + Intermediates + TestAppleServerAuthentication + Anchors + TestAppleRootCA + VerifyDate + 2016-09-01T16:56:50Z + ExpectedResult + 4 + ChainLength + 3 + EnableTestCertificates + ApplePinningAllowTestCertsTLSPinningTest + MajorTestName AppleSSLPinned @@ -472,7 +506,7 @@ MajorTestName AppleSSLPinned MinorTestName - NegativeTest-TestHierarchy + PositiveTest-TestHierarchy Policies PolicyIdentifier 
@@ -2016,5 +2050,223 @@ VerifyDate 2016-03-01T20:00:00Z + + MajorTestName + EscrowProxyCompatibility + MinorTestName + PositiveTest + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.73 + Properties + + SecPolicyName + p97-escrowproxy.icloud.com + + + Leaf + escrowproxy + Intermediates + AppleISTCA2G1 + Anchors + GeoTrustGlobalCA + ExpectedResult + 4 + VerifyDate + 2016-10-04T19:00:00Z + + + MajorTestName + EscrowProxyCompatibility + MinorTestName + NegativeTest + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.43 + Properties + + SecPolicyName + p97-escrowproxy.icloud.com + + + Leaf + escrowproxy + Intermediates + AppleISTCA2G1 + Anchors + GeoTrustGlobalCA + ExpectedResult + 5 + VerifyDate + 2016-10-04T19:00:00Z + + + MajorTestName + EscrowProxyCompatibility + MinorTestName + PositiveTest-TrustedIntermediate + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.73 + Properties + + SecPolicyName + p97-escrowproxy.icloud.com + + + Leaf + escrowproxy + Intermediates + AppleISTCA2G1 + Anchors + + AppleISTCA2G1 + GeoTrustGlobalCA + + ExpectedResult + 4 + VerifyDate + 2016-10-04T19:00:00Z + + + MajorTestName + MMCSCompatibility + MinorTestName + PositiveTest + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.74 + Properties + + SecPolicyName + p98-content.icloud.com + + + Leaf + mmcs + Intermediates + AppleISTCA2G1 + Anchors + GeoTrustGlobalCA + ExpectedResult + 4 + VerifyDate + 2016-10-04T19:00:00Z + + + MajorTestName + MMCSCompatibility + MinorTestName + NegativeTest + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.45 + Properties + + SecPolicyName + p98-content.icloud.com + + + Leaf + mmcs + Intermediates + AppleISTCA2G1 + Anchors + GeoTrustGlobalCA + ExpectedResult + 5 + VerifyDate + 2016-10-04T19:00:00Z + + + MajorTestName + TLDWildcard + MinorTestName + PositiveTest-CookieTLD + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.3 + Properties + + SecPolicyName + content.googleapis.com + + + Leaf + googleapis + Intermediates + 
GoogleInternetAuthority + Anchors + GeoTrustGlobalCA + ExpectedResult + 4 + VerifyDate + 2016-10-04T19:00:00Z + + + MajorTestName + LASecureStaticIOAssets + MinorTestName + PositiveTest + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.75 + + Leaf + LASecureIOStaticAssetSigning + Intermediates + AppleSystemIntegration2CA + Anchors + AppleRootCA + ExpectedResult + 4 + + + MajorTestName + LASecureStaticIOAssets + MinorTestName + NegativeTest + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.75 + + Leaf + LASecureIOStaticAssetSigningTest + Intermediates + TestAppleSystemIntegration2CA + Anchors + TestAppleRootCA + ExpectedResult + 5 + + + MajorTestName + LASecureStaticIOAssets + MinorTestName + NegativeTest + Policies + + PolicyIdentifier + 1.2.840.113635.100.1.75 + + Leaf + LASecureIOStaticAssetSigningTest + Intermediates + TestAppleSystemIntegration2CA + Anchors + TestAppleRootCA + ExpectedResult + 5 + EnableTestCertificates + AllowAppleTestCertificatesSecureIOStaticAsset + diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/escrowproxy.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/escrowproxy.cer new file mode 100644 index 00000000..d453c90f Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/escrowproxy.cer differ diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/googleapis.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/googleapis.cer new file mode 100644 index 00000000..165e5944 Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/googleapis.cer differ diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/mmcs.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/mmcs.cer new file mode 100644 index 00000000..fbd9005f Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/mmcs.cer differ 
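Review bot: The last two entries of this hunk both use `MajorTestName` `LASecureStaticIOAssets` with `MinorTestName` `NegativeTest`, so a failure in either is reported under the same name and the two cases (with and without `EnableTestCertificates`) cannot be told apart in the test log. Giving the second one a distinct minor name such as `NegativeTest-TestCertsEnabled` keeps the output unambiguous. Markup is stripped on this page, so the structure was read from the key/value order.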
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/test_new_oids.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/test_new_oids.cer new file mode 100644 index 00000000..57f972ee Binary files /dev/null and b/OSX/shared_regressions/si-20-sectrust-policies-data/test_new_oids.cer differ diff --git a/OSX/shared_regressions/si-44-seckey-rsa.m b/OSX/shared_regressions/si-44-seckey-rsa.m index 06ddc100..d38b4c75 100644 --- a/OSX/shared_regressions/si-44-seckey-rsa.m +++ b/OSX/shared_regressions/si-44-seckey-rsa.m 
@@ -141,12 +141,52 @@ static const int TestCountEncryption = TestCountEncryptKeypairRun + (TestCountEncryptRun * 6) + (1 * 1) + TestCountEncryptKeypairRun + (TestCountEncryptRun * 7) + (1 * 0); -static const int TestCount = TestCountEncryption; +static void test_bad_input(NSInteger keySizeInBits, NSInteger inputSize, SecKeyAlgorithm algorithm) { + NSError *error; + NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @(keySizeInBits)}; + + error = nil; + id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error)); + ok(privateKey != nil, "generate private key (error %@)", error); + id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey)); + + NSData *input, *output; + + error = nil; + input = [NSMutableData dataWithLength:inputSize]; + output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error)); + ok(output, "encryption succeeds at the border size %d (key=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, algorithm); + is((NSInteger)output.length, keySizeInBits / 8, "Unexpected output block size"); + + input = [NSMutableData dataWithLength:inputSize + 1]; + output = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)input, (void *)&error)); + ok(output == nil, "encryption did not fail for border size %d (key=%dbytes, output=%dbytes, %@)", (int)input.length, (int)keySizeInBits / 8, (int)output.length, algorithm); + is_status((OSStatus)error.code, errSecParam, "Fails with errSecParam for too long input (%@)", algorithm); +} +static const int TestCountBadInputSizeStep = 5; + +static void test_bad_input_size() { + test_bad_input(1024, 128, kSecKeyAlgorithmRSAEncryptionRaw); + test_bad_input(2048, 256, kSecKeyAlgorithmRSAEncryptionRaw); + test_bad_input(1024, 128 - 11, kSecKeyAlgorithmRSAEncryptionPKCS1); + test_bad_input(2048, 256 - 11, 
kSecKeyAlgorithmRSAEncryptionPKCS1); + test_bad_input(1024, 128 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1); + test_bad_input(2048, 256 - 42, kSecKeyAlgorithmRSAEncryptionOAEPSHA1); + test_bad_input(1024, 128 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256); + test_bad_input(2048, 256 - 66, kSecKeyAlgorithmRSAEncryptionOAEPSHA256); +} +static const int TestCountBadInputSize = TestCountBadInputSizeStep * 8; + +static const int TestCount = +TestCountEncryption + +TestCountBadInputSize; + int si_44_seckey_rsa(int argc, char *const *argv) { plan_tests(TestCount); @autoreleasepool { test_encryption(); + test_bad_input_size(); } return 0; diff --git a/OSX/utilities/src/SecDb.c b/OSX/utilities/src/SecDb.c index a75b5243..be8b4fff 100644 --- a/OSX/utilities/src/SecDb.c +++ b/OSX/utilities/src/SecDb.c @@ -67,6 +67,7 @@ struct __OpaqueSecDbConnection { SecDbTransactionSource source; bool isCorrupted; int maybeCorruptedCode; + bool hasIOFailure; CFErrorRef corruptionError; sqlite3 *handle; // Pending deletions and additions for the current transaction @@ -373,6 +374,8 @@ static bool SecDbConnectionCheckCode(SecDbConnectionRef dbconn, int code, CFErro CFRelease(msg); } + dbconn->hasIOFailure |= (SQLITE_IOERR == code); + /* If it's already corrupted, don't try to recover */ if (dbconn->isCorrupted) { CFStringRef reason = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, @@ -384,7 +387,7 @@ static bool SecDbConnectionCheckCode(SecDbConnectionRef dbconn, int code, CFErro return false; } - dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_IOERR == code) || (SQLITE_CANTOPEN == code); + dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_CANTOPEN == code); if (dbconn->isCorrupted) { /* Run integrity check and only make dbconn->isCorrupted true and run the corruption handler if the integrity check conclusively fails. */ 
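Review bot: The third `ok()` in test_bad_input describes the failing condition rather than the passing one: its assertion is `output == nil`, so a green run prints "encryption did not fail", which reads as a failure in TAP output; `"encryption fails for over-border size %d (key=%dbytes, output=%dbytes, %@)"` would match the wording of the other checks. `error` is also not reset before the second SecKeyCreateEncryptedData call, so if the border-size encryption ever fails the following `is_status` inspects a stale error; add `error = nil;` after `input = [NSMutableData dataWithLength:inputSize + 1];`. TestCountBadInputSizeStep = 5 does match the five assertions in the helper, so the plan count stays consistent.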
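Review bot: `dbconn->hasIOFailure |= (SQLITE_IOERR == code);` only matches the primary result code; if extended result codes are enabled on this handle (not visible here), I/O failures arrive as SQLITE_IOERR_READ, SQLITE_IOERR_FSYNC and similar, which compare unequal, and the connection is then pooled again as healthy. Comparing the primary code, `dbconn->hasIOFailure |= ((code & 0xff) == SQLITE_IOERR);`, covers both configurations; the same comparison is added to SecDbForEach in the -1334 hunk below and should change with it. A one-line comment on the new struct field, `// set on SQLITE_IOERR; the connection is dropped from the pool on release`, would tell readers why it exists separately from isCorrupted.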
@@ -891,6 +894,7 @@ SecDbConnectionCreate(SecDbRef db, bool readOnly, CFErrorRef *error)
     dbconn->source = NULL;
     dbconn->isCorrupted = false;
     dbconn->maybeCorruptedCode = 0;
+    dbconn->hasIOFailure = false;
     dbconn->corruptionError = NULL;
     dbconn->handle = NULL;
     dbconn->changes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
@@ -925,7 +929,7 @@ SecDbConnectionRef SecDbConnectionAquire(SecDbRef db, bool readOnly, CFErrorRef
         secerror("Unable to create database: %@", localError);
         if (localError && CFEqual(CFErrorGetDomain(localError), kSecDbErrorDomain)) {
             int code = (int)CFErrorGetCode(localError);
-            dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_IOERR == code) || (SQLITE_CANTOPEN == code);
+            dbconn->isCorrupted = (SQLITE_CORRUPT == code) || (SQLITE_NOTADB == code) || (SQLITE_CANTOPEN == code);
         }
         // If the open failure isn't due to corruption, propagte the error.
         ok = dbconn->isCorrupted;
@@ -1001,13 +1005,19 @@ void SecDbConnectionRelease(SecDbConnectionRef dbconn) { SecDbRef db = dbconn->db; secinfo("dbconn", "release %@", dbconn); dispatch_sync(db->queue, ^{ - CFIndex count = CFArrayGetCount(db->connections); - // Add back possible writable dbconn to the pool. bool readOnly = SecDbConnectionIsReadOnly(dbconn); - CFArrayInsertValueAtIndex(db->connections, readOnly ? count : 0, dbconn); - // Remove the last (probably read-only) dbconn from the pool. - if (count >= kSecDbMaxIdleHandles) { - CFArrayRemoveValueAtIndex(db->connections, count); + if (dbconn->hasIOFailure) { + // Something wrong on the file layer (e.g. revoked file descriptor for networked home) + // so we don't trust our existing connections anymore. + CFArrayRemoveAllValues(db->connections); + } else { + CFIndex count = CFArrayGetCount(db->connections); + // Add back possible writable dbconn to the pool. + CFArrayInsertValueAtIndex(db->connections, readOnly ? count : 0, dbconn); + // Remove the last (probably read-only) dbconn from the pool. + if (count >= kSecDbMaxIdleHandles) { + CFArrayRemoveValueAtIndex(db->connections, count); + } } // Signal after we have put the connection back in the pool of connections dispatch_semaphore_signal(readOnly ? db->read_semaphore : db->write_semaphore); @@ -1315,7 +1325,7 @@ bool SecDbWithSQL(SecDbConnectionRef dbconn, CFStringRef sql, CFErrorRef *error, /* SecDbForEach returns true if all SQLITE_ROW returns of sqlite3_step() return true from the row block. If the row block returns false and doesn't set an error (to indicate it has reached a limit), this entire function returns false. In that case no error will be set. */ -bool SecDbForEach(sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index)) { +bool SecDbForEach(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index)) { bool result = false; for (int row_ix = 0;;++row_ix) { int s3e = sqlite3_step(stmt); 
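Review bot: Dropping the idle pool on hasIOFailure only covers connections that are idle at that moment; a connection another caller holds at the time is reinserted by its own release unless it also observed an SQLITE_IOERR, so a stale handle can still outlive the reset. If that matters, a per-db generation counter bumped here and compared on release would close the gap; whether the released dbconn itself is freed on this path depends on the caller's CFRelease, which is outside the hunk, so it is worth confirming nothing leaks. The semaphore is still signalled although nothing was put back, which presumably works only because acquire creates a fresh connection on an empty pool; a comment saying so next to `dispatch_semaphore_signal` would stop someone "fixing" it later.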
@@ -1334,6 +1344,7 @@ bool SecDbForEach(sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_inde if (s3e == SQLITE_DONE) { result = true; } else { + dbconn->hasIOFailure |= (s3e == SQLITE_IOERR); SecDbErrorWithStmt(s3e, stmt, error, CFSTR("step[%d]"), row_ix); } break; diff --git a/OSX/utilities/src/SecDb.h b/OSX/utilities/src/SecDb.h index 0cfb1f93..17e5f53e 100644 --- a/OSX/utilities/src/SecDb.h +++ b/OSX/utilities/src/SecDb.h @@ -159,7 +159,7 @@ sqlite3_stmt *SecDbPrepareV2(SecDbConnectionRef dbconn, const char *sql, size_t sqlite3_stmt *SecDbCopyStmt(SecDbConnectionRef dbconn, CFStringRef sql, CFStringRef *tail, CFErrorRef *error); bool SecDbReleaseCachedStmt(SecDbConnectionRef dbconn, CFStringRef sql, sqlite3_stmt *stmt, CFErrorRef *error); bool SecDbWithSQL(SecDbConnectionRef dbconn, CFStringRef sql, CFErrorRef *error, bool(^perform)(sqlite3_stmt *stmt)); -bool SecDbForEach(sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index)); +bool SecDbForEach(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error, bool(^row)(int row_index)); // Mark the database as corrupted. void SecDbCorrupt(SecDbConnectionRef dbconn, CFErrorRef error); diff --git a/Security.exp-in b/Security.exp-in index 2c076611..f34cc73a 100644 --- a/Security.exp-in +++ b/Security.exp-in @@ -109,6 +109,8 @@ _kSSLSessionConfig_standard _kSSLSessionConfig_RC4_fallback _kSSLSessionConfig_TLSv1_fallback _kSSLSessionConfig_TLSv1_RC4_fallback +_kSSLSessionConfig_3DES_fallback +_kSSLSessionConfig_TLSv1_3DES_fallback _kSSLSessionConfig_legacy_DHE _kSSLSessionConfig_anonymous diff --git a/Security.xcodeproj/project.pbxproj b/Security.xcodeproj/project.pbxproj index 228278c6..734054f5 100644 --- a/Security.xcodeproj/project.pbxproj +++ b/Security.xcodeproj/project.pbxproj @@ -9608,7 +9608,7 @@ MTL_ENABLE_DEBUG_INFO = YES; ONLY_ACTIVE_ARCH = YES; OTHER_LDFLAGS = ( - "-laks", + "$(APPLE_AKS_LIBRARY)", "-lACM", "-framework", SystemConfiguration, 
@@ -9674,7 +9674,7 @@ INSTALL_PATH = /AppleInternal/Tests/Security/; MTL_ENABLE_DEBUG_INFO = NO; OTHER_LDFLAGS = ( - "-laks", + "$(APPLE_AKS_LIBRARY)", "-lACM", "-framework", SystemConfiguration, diff --git a/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme index f45fa327..3ac265f6 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme +++ b/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme @@ -263,6 +263,10 @@ argument = "secd_95_escrow_persistence" isEnabled = "NO"> + + diff --git a/SecurityTests/ssl-policy-certs/SSLTrustPolicyTest.plist b/SecurityTests/ssl-policy-certs/SSLTrustPolicyTest.plist index 514afc20..2512207f 100644 --- a/SecurityTests/ssl-policy-certs/SSLTrustPolicyTest.plist +++ b/SecurityTests/ssl-policy-certs/SSLTrustPolicyTest.plist @@ -100,8 +100,6 @@ apple.co.uk Result kSecTrustResultRecoverableTrustFailure - Reason - rdar://problem/26555272 Test12 diff --git a/SecurityTool/keychain_find.c b/SecurityTool/keychain_find.c index 9a0ee59e..529ea5fc 100644 --- a/SecurityTool/keychain_find.c +++ b/SecurityTool/keychain_find.c @@ -1628,6 +1628,11 @@ int keychain_parse_args_and_set_partition_list(int argc, char * const *argv, CFM goto cleanup; } + if(!partitionidsinput) { + result = 2; + goto cleanup; + } + if(!password) { char* cpassword = prompt_password(keychainName); if (!cpassword) { @@ -1638,11 +1643,6 @@ int keychain_parse_args_and_set_partition_list(int argc, char * const *argv, CFM free(cpassword); } - if(!partitionidsinput || !password) { - result = 2; - goto cleanup; - } - result = keychain_set_partition_list(kc, query, password, partitionidsinput); cleanup: diff --git a/SecurityTool/security.1 b/SecurityTool/security.1 index fa9c8d31..3f002552 100644 --- a/SecurityTool/security.1 +++ b/SecurityTool/security.1 
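Review bot: The removed `!partitionidsinput || !password` guard is only redundant if every path through the prompt block between `if (!cpassword) {` and `free(cpassword);` either assigns `password` or jumps to cleanup; those lines are outside the hunk, so confirm that before the NULL check goes. Moving the `partitionidsinput` check ahead of the prompt is the right order, since the user is no longer asked for the keychain password for an invocation that fails anyway. A short comment on the new check, `// fail before prompting: -S is required`, records that intent.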
@@ -127,10 +127,18 @@ Add certificates to a keychain. Find a generic password item. .It Nm delete-generic-password Delete a generic password item. +.It Nm set-generic-password-partition-list +Set the partition list of a generic password item. .It Nm find-internet-password Find an internet password item. .It Nm delete-internet-password Delete an internet password item. +.It Nm set-internet-password-partition-list +Set the partition list of a internet password item. +.It Nm find-key +Find keys in the keychain +.It Nm set-key-partition-list +Set the partition list of a key. .It Nm find-certificate Find a certificate item. .It Nm find-identity 
@@ -668,6 +676,160 @@ Display the password(only) for the item found .El .El .It +.Nm find-key +.Op Ar options... +.Op Ar keychain... +.Bl -item -offset -indent +Search the keychain for keys. +.It +.Bl -tag -compact -width -indent-indent +.It Fl a Ar application-label +Match "application label" string +.It Fl c Ar creator +Match creator (four-character code) +.It Fl d +Match keys that can decrypt +.It Fl D Ar description +Match "description" string +.It Fl e +Match keys that can encrypt +.It Fl j Ar comment +Match comment string +.It Fl l Ar label +Match label string +.It Fl r +Match keys that can derive +.It Fl s +Match keys that can sign +.It Fl t Ar type +Type of key to find: one of "symmetric", "public", or "private" +.It Fl u +Match keys that can unwrap +.It Fl v +Match keys that can verify +.It Fl w +Match keys that can wrap +.El +.El +.It +.Nm set-generic-password-partition-list +.Op Fl a Ar account +.Op Fl s Ar service +.Op Fl S Ar +.Op Fl k Ar +.Op Ar options... +.Op Ar keychain +.Bl -item -offset -indent +Sets the "partition list" for a generic password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list. +.It +.Bl -tag -compact -width -indent-indent +.It Fl S Ar partition-list +Comma-separated partition list. See output of "security dump-keychain" for examples. +.It Fl k Ar password +Password for keychain +.It Fl a Ar account +Match account string +.It Fl c Ar creator +Match creator (four-character code) +.It Fl C Ar type +Match type (four-character code) +.It Fl D Ar kind +Match kind string +.It Fl G Ar value +Match value string (generic attribute) +.It Fl j Ar comment +Match comment string +.It Fl l Ar label +Match label string +.It Fl s Ar service +Match service string +.El +.El +.It +.Nm set-internet-password-partition-list +.Op Fl a Ar account +.Op Fl s Ar server +.Op Fl S Ar +.Op Fl k Ar +.Op Ar options... 
+.Op Ar keychain +.Bl -item -offset -indent +Sets the "partition list" for an internet password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list. +.It +.Bl -tag -compact -width -indent-indent +.It Fl S Ar partition-list +Comma-separated partition list. See output of "security dump-keychain" for examples. +.It Fl k Ar password +Password for keychain +.It Fl a Ar account +Match account string +.It Fl c Ar creator +Match creator (four-character code) +.It Fl C Ar type +Match type (four-character code) +.It Fl d Ar securityDomain +Match securityDomain string +.It Fl D Ar kind +Match kind string +.It Fl j Ar comment +Match comment string +.It Fl l Ar label +Match label string +.It Fl p Ar path +Match path string +.It Fl P Ar port +Match port number +.It Fl r Ar protocol +Match protocol (four-character code) +.It Fl s Ar server +Match server string +.It Fl t Ar authenticationType +Match authenticationType (four-character code) +.El +.El +.It +.Nm set-key-partition-list +.Op Fl S Ar +.Op Fl k Ar +.Op Ar options... +.Op Ar keychain +.Bl -item -offset -indent +Sets the "partition list" for a key. The "partition list" is an extra parameter in the ACL which limits access to the key based on an application's code signature. You must present the keychain's password to change a partition list. If you'd like to run /usr/bin/codesign with the key, "apple:" must be an element of the partition list. +.It +.Bl -tag -compact -width -indent-indent +.It Fl S Ar partition-list +Comma-separated partition list. See output of "security dump-keychain" for examples. 
+.It Fl k Ar password +Password for keychain +.It Fl a Ar application-label +Match "application label" string +.It Fl c Ar creator +Match creator (four-character code) +.It Fl d +Match keys that can decrypt +.It Fl D Ar description +Match "description" string +.It Fl e +Match keys that can encrypt +.It Fl j Ar comment +Match comment string +.It Fl l Ar label +Match label string +.It Fl r +Match keys that can derive +.It Fl s +Match keys that can sign +.It Fl t Ar type +Type of key to find: one of "symmetric", "public", or "private" +.It Fl u +Match keys that can unwrap +.It Fl v +Match keys that can verify +.It Fl w +Match keys that can wrap +.El +.El +.It .Nm find-certificate .Op Fl h .Op Fl a diff --git a/SecurityTool/security.c b/SecurityTool/security.c index 2454a6d3..0cea23c0 100644 --- a/SecurityTool/security.c +++ b/SecurityTool/security.c @@ -310,7 +310,7 @@ const command commands[] = " -k The password for the keychain (required)\n" "If no keychains are specified to search, the default search list is used.\n" "Use of the -k option is insecure. Omit it to be prompted.\n", - "Set the partition ID list of a generic password item."}, + "Set the partition list of a generic password item."}, { "find-internet-password", keychain_find_internet_password, "[-a account] [-s server] [options...] [-g] [keychain...]\n" @@ -367,7 +367,7 @@ const command commands[] = "If no keychains are specified to search, the default search list is used.\n" "Use of the -k option is insecure. Omit it to be prompted.\n", - "Set the partition ID list of a internet password item."}, + "Set the partition list of a internet password item."}, { "find-key", keychain_find_key, "[options...] [keychain...]\n" 
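Review bot: The new description string reads "of a internet password item"; `"Set the partition list of an internet password item."` is the intended wording. The security.1 hunk above carries the same phrase and should change with it.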
@@ -407,7 +407,7 @@ const command commands[] = " -k password for keychain (required)\n" "If no keychains are specified to search, the default search list is used.", - "Set the partition ID list of a key."}, + "Set the partition list of a key."}, { "find-certificate", keychain_find_certificate, "[-a] [-c name] [-e emailAddress] [-m] [-p] [-Z] [keychain...]\n" diff --git a/securityd/etc/com.apple.securityd.plist b/securityd/etc/com.apple.securityd.plist index a916fb8c..a93b364d 100644 --- a/securityd/etc/com.apple.securityd.plist +++ b/securityd/etc/com.apple.securityd.plist @@ -2,6 +2,11 @@ + SoftResourceLimits + + NumberOfFiles + 2000 + Label com.apple.securityd ProgramArguments diff --git a/securityd/securityd_service/securityd_service/main.c b/securityd/securityd_service/securityd_service/main.c index 46a444fb..89f2d1d8 100644 --- a/securityd/securityd_service/securityd_service/main.c +++ b/securityd/securityd_service/securityd_service/main.c @@ -559,6 +559,7 @@ service_kb_unlock(service_context_t * context, const void * secret, int secret_l rc = aks_unlock_bag(session_handle, secret, secret_len); done: + syslog(LOG_NOTICE, "aks_unlock_bag result: (%ld)", (long)rc); return rc; } diff --git a/securityd/src/acls.cpp b/securityd/src/acls.cpp index 98c7e5da..10d1c351 100644 --- a/securityd/src/acls.cpp +++ b/securityd/src/acls.cpp @@ -152,7 +152,7 @@ void SecurityServerAcl::validatePartition(SecurityServerEnvironment& env, bool p // will end up trying to create the system keychain and causes a hang. // Avoid this by checking for the presence of the db first. if((!env.database) || env.database->dbVersion() < SecurityServer::CommonBlob::version_partition) { - secnotice("integrity", "no db or old db version, skipping"); + secinfo("integrity", "no db or old db version, skipping"); return; } diff --git a/securityd/src/agentquery.cpp b/securityd/src/agentquery.cpp index 931e59bf..69f480a2 100644 --- a/securityd/src/agentquery.cpp +++ b/securityd/src/agentquery.cpp 
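Review bot: The added syslog in service_kb_unlock fires at LOG_NOTICE on every unlock attempt, success included, so the line that matters for triage, a failed unlock, is buried in routine noise. If success is 0 here, `syslog(rc == 0 ? LOG_INFO : LOG_ERR, "aks_unlock_bag result: (%ld)", (long)rc);` keeps the event but makes failures stand out; logging only the result code and never the secret is the right call. The enclosing function begins outside the hunk.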
@@ -50,6 +50,7 @@ #define AUTH_XPC_ITEM_FLAGS "_item_flags" #define AUTH_XPC_ITEM_VALUE "_item_value" #define AUTH_XPC_ITEM_TYPE "_item_type" +#define AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH "_item_sensitive_value_length" #define AUTH_XPC_REQUEST_METHOD_KEY "_agent_request_key" #define AUTH_XPC_REQUEST_METHOD_CREATE "_agent_request_create" @@ -298,8 +299,20 @@ static void xpcArrayToAuthItemSet(AuthItemSet *setToBuild, xpc_object_t input) { size_t length; const void *data = xpc_dictionary_get_data(item, AUTH_XPC_ITEM_VALUE, &length); - void *dataCopy = malloc(length); - memcpy(dataCopy, data, length); + void *dataCopy = 0; + + // authd is holding on to multiple copies of my password in the clear + bool sensitive = xpc_dictionary_get_value(item, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH); + if (sensitive) { + size_t sensitiveLength = (size_t)xpc_dictionary_get_uint64(item, AUTH_XPC_ITEM_SENSITIVE_VALUE_LENGTH); + dataCopy = malloc(sensitiveLength); + memcpy(dataCopy, data, sensitiveLength); + memset_s((void *)data, length, 0, sensitiveLength); // clear the sensitive data, memset_s is never optimized away + length = sensitiveLength; + } else { + dataCopy = malloc(length); + memcpy(dataCopy, data, length); + } uint64_t flags = xpc_dictionary_get_uint64(item, AUTH_XPC_ITEM_FLAGS); AuthItemRef nextItem(name, AuthValueOverlay((uint32_t)length, dataCopy), (uint32_t)flags); diff --git a/securityd/src/connection.cpp b/securityd/src/connection.cpp index e9d54120..84b0ac8f 100644 --- a/securityd/src/connection.cpp +++ b/securityd/src/connection.cpp @@ -56,7 +56,7 @@ Connection::Connection(Process &proc, Port rPort) // bump the send-rights count on the reply port so we keep the right after replying mClientPort.modRefs(MACH_PORT_RIGHT_SEND, +1); - secnotice("SS", "New client connection %p: %d %d", this, rPort.port(), proc.uid()); + secinfo("SS", "New client connection %p: %d %d", this, rPort.port(), proc.uid()); } 
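Review bot: `sensitiveLength` is taken from the incoming XPC message but never bounded by `length`, the size of the buffer xpc_dictionary_get_data actually returned; a larger value makes the `memcpy` read past the payload and, per the Annex K contract, makes `memset_s` write only `length` bytes and return non-zero, which is ignored. A clamp right after the read, `if (sensitiveLength > length) sensitiveLength = length;`, keeps both calls inside the buffer; `data == NULL` when the value key is absent is a pre-existing gap the new branch inherits. `bool sensitive = xpc_dictionary_get_value(...)` converts a pointer to bool; `!= NULL` says what is being tested. The comment should state the contract rather than the anecdote, e.g. `// sender marks the value sensitive: copy only the real length and scrub the XPC buffer so no extra cleartext copy survives`.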
@@ -66,7 +66,7 @@ Connection::Connection(Process &proc, Port rPort) // Connection::~Connection() { - secnotice("SS", "releasing client connection %p", this); + secinfo("SS", "releasing client connection %p", this); assert(!agentWait); } @@ -76,7 +76,7 @@ Connection::~Connection() // void Connection::guestRef(SecGuestRef newGuest, SecCSFlags flags) { - secnotice("SS", "Connection %p switches to guest 0x%x", this, newGuest); + secinfo("SS", "Connection %p switches to guest 0x%x", this, newGuest); mGuestRef = newGuest; } @@ -91,7 +91,7 @@ void Connection::terminate() assert(state == idle); mClientPort.modRefs(MACH_PORT_RIGHT_SEND, -1); // discard surplus send right assert(mClientPort.getRefs(MACH_PORT_RIGHT_SEND) == 1); // one left for final reply - secnotice("SS", "Connection %p terminated", this); + secinfo("SS", "Connection %p terminated", this); } @@ -107,11 +107,11 @@ void Connection::abort(bool keepReplyPort) mClientPort.destroy(); // dead as a doornail already switch (state) { case idle: - secnotice("SS", "Connection %p aborted", this); + secinfo("SS", "Connection %p aborted", this); break; case busy: state = dying; // shoot me soon, please - secnotice("SS", "Connection %p abort deferred (busy)", this); + secinfo("SS", "Connection %p abort deferred (busy)", this); break; default: assert(false); // impossible (we hope) @@ -137,7 +137,7 @@ void Connection::beginWork(audit_token_t &auditToken) mOverrideReturn = CSSM_OK; // clear override break; case busy: - secnotice("SS", "Attempt to re-enter connection %p(port %d)", this, mClientPort.port()); + secinfo("SS", "Attempt to re-enter connection %p(port %d)", this, mClientPort.port()); CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR); //@@@ some state-error code instead? default: assert(false); 
@@ -169,7 +169,7 @@ void Connection::endWork(CSSM_RETURN &rcode) state = idle; return; case dying: - secnotice("SS", "Connection %p abort resuming", this); + secinfo("SS", "Connection %p abort resuming", this); return; default: assert(false); diff --git a/securityd/src/kcdatabase.cpp b/securityd/src/kcdatabase.cpp index 697b1975..18e40a78 100644 --- a/securityd/src/kcdatabase.cpp +++ b/securityd/src/kcdatabase.cpp @@ -171,7 +171,10 @@ change_secret_on_keybag(KeychainDatabase & db, const void * secret, int secret_l // if for some reason we are locked lets unlock so later we don't try and throw up SecurityAgent dialog bool locked = false; if ((service_client_kb_is_locked(&context, &locked, NULL) == KB_Success) && locked) { - service_client_kb_unlock(&context, new_secret, new_secret_len); + rc = service_client_kb_unlock(&context, new_secret, new_secret_len); + if (rc != KB_Success) { + syslog(LOG_ERR, "Failed to unlock iCloud keychain for uid %d (%d)", context.s_uid, (int)rc); + } } } @@ -295,14 +298,13 @@ KeychainDatabase::KeychainDatabase(const DLDbIdentifier &id, const DbBlob *blob, DbIdentifier ident(id, blob->randomSignature); Session &session = process().session(); RefPointer com; - secnotice("kccommon", "looking for a common at %s", ident.dbName()); + secinfo("kccommon", "looking for a common at %s", ident.dbName()); if (KeychainDbCommon::find(ident, session, com)) { - secnotice("kccommon", "found %p", com.get()); parent(*com); secinfo("KCdb", "joining keychain %p %s with common %p", this, (char*)this->dbName(), &common()); } else { // DbCommon not present; make a new one - secnotice("kccommon", "no common found"); + secinfo("kccommon", "no common found"); parent(*com); common().mParams = blob->params; secinfo("KCdb", "making keychain %p %s with common %p", this, (char*)this->dbName(), &common()); 
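Review bot: `rc = service_client_kb_unlock(...)` reuses `rc`, which is declared outside this hunk and probably already holds the result of the preceding keybag call; if change_secret_on_keybag returns `rc` later, a failed re-unlock now replaces the earlier outcome even though the code deliberately carries on. A separately named local of the same type, logged the same way, keeps the two results apart. The logged uid and return code are adequate for triage and the secret is correctly never logged.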
@@ -333,7 +335,7 @@ bool KeychainDbCommon::find(const DbIdentifier &ident, Session &session, RefPoin for (CommonSet::const_iterator it = mCommonSet.begin(); it != mCommonSet.end(); ++it) { if (&session == &(*it)->session() && ident == (*it)->identifier()) { common = *it; - secnotice("kccommon", "found a common for %s at %p", ident.dbName(), common.get()); + secinfo("kccommon", "found a common for %s at %p", ident.dbName(), common.get()); return true; } } @@ -346,7 +348,7 @@ bool KeychainDbCommon::find(const DbIdentifier &ident, Session &session, RefPoin for (CommonSet::const_iterator it = mCommonSet.begin(); it != mCommonSet.end(); ++it) { if (&session == &(*it)->session() && ident == (*it)->identifier()) { common = *it; - secnotice("kccommon", "found a common for %s at %p", ident.dbName(), common.get()); + secinfo("kccommon", "found a common for %s at %p", ident.dbName(), common.get()); return true; } } @@ -360,7 +362,7 @@ bool KeychainDbCommon::find(const DbIdentifier &ident, Session &session, RefPoin common = new KeychainDbCommon(session, ident); } - secnotice("kccommon", "made a new common for %s at %p", ident.dbName(), common.get()); + secinfo("kccommon", "made a new common for %s at %p", ident.dbName(), common.get()); // Can't call insert() here, because it grabs the write lock (which we have). common->insertHoldingLock(); @@ -446,7 +448,7 @@ KeychainDatabase::KeychainDatabase(const DLDbIdentifier& id, KeychainDatabase &s RefPointer newCommon; if(KeychainDbCommon::find(ident, process().session(), newCommon, CommonBlob::version_none, &src.common())) { // A common already existed. Write over it, but note that everything may go horribly from here on out. - secnotice("kccommon", "Found common where we didn't expect. Possible strange behavior ahead."); + secinfo("kccommon", "Found common where we didn't expect. Possible strange behavior ahead."); newCommon->cloneFrom(src.common()); } 
@@ -497,7 +499,7 @@ KeychainDatabase::KeychainDatabase(uint32 requestedVersion, KeychainDatabase &sr RefPointer newCommon; if(KeychainDbCommon::find(ident, process().session(), newCommon, requestedVersion)) { // A common already existed here. Write over it, but note that everything may go horribly from here on out. - secnotice("kccommon", "Found common where we didn't expect. Possible strange behavior ahead."); + secinfo("kccommon", "Found common where we didn't expect. Possible strange behavior ahead."); newCommon->cloneFrom(src.common(), requestedVersion); } newCommon->initializeKeybag(); @@ -787,7 +789,7 @@ void KeychainDatabase::makeUnlocked(bool unlockKeybag) void KeychainDatabase::makeUnlocked(const AccessCredentials *cred, bool unlockKeybag) { if (isLocked()) { - secinfo("KCdb", "%p(%p) unlocking for makeUnlocked()", this, &common()); + secnotice("KCdb", "%p(%p) unlocking for makeUnlocked()", this, &common()); assert(mBlob || (mValidData && common().hasMaster())); establishOldSecrets(cred); common().setUnlocked(); // mark unlocked @@ -810,7 +812,7 @@ void KeychainDatabase::makeUnlocked(const AccessCredentials *cred, bool unlockKe } } if (!mValidData) { // need to decode to get our ACLs, master secret available - secinfo("KCdb", "%p(%p) is unlocked; decoding for makeUnlocked()", this, &common()); + secnotice("KCdb", "%p(%p) is unlocked; decoding for makeUnlocked()", this, &common()); if (!decode()) CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED); } diff --git a/securityd/src/process.cpp b/securityd/src/process.cpp index a15aa0d8..6439308e 100644 --- a/securityd/src/process.cpp +++ b/securityd/src/process.cpp 
@@ -64,7 +64,7 @@ Process::Process(TaskPort taskPort, const ClientSetupInfo *info, const CommonCri || ServerChild::find(this->pid())) // securityd's child; do not mark this txn dirty VProc::Transaction::deactivate(); - secnotice("SS", "%p client new: pid:%d session:%d %s taskPort:%d uid:%d gid:%d", this, this->pid(), this->session().sessionId(), + secinfo("SS", "%p client new: pid:%d session:%d %s taskPort:%d uid:%d gid:%d", this, this->pid(), this->session().sessionId(), (char *)codePath(this->processCode()).c_str(), taskPort.port(), mUid, mGid); } @@ -124,7 +124,7 @@ void Process::setup(const ClientSetupInfo *info) // Process::~Process() { - secnotice("SS", "%p client release: %d", this, this->pid()); + secinfo("SS", "%p client release: %d", this, this->pid()); // release our name for the process's task port if (mTaskPort) diff --git a/securityd/src/server.cpp b/securityd/src/server.cpp index 58dd4b79..40772eed 100644 --- a/securityd/src/server.cpp +++ b/securityd/src/server.cpp @@ -267,12 +267,11 @@ void Server::notifyDeadName(Port port) // unbounded time, including calls out to token daemons etc. StLock serverLock(*this); - secnotice("SSports", "port %d is dead", port.port()); - + // is it a connection? PortMap::iterator conIt = mConnections.find(port); if (conIt != mConnections.end()) { - secnotice("SS", "%p dead connection %d", this, port.port()); + secinfo("SS", "%p dead connection %d", this, port.port()); RefPointer con = conIt->second; mConnections.erase(conIt); serverLock.unlock(); @@ -283,7 +282,7 @@ void Server::notifyDeadName(Port port) // is it a process? PortMap::iterator procIt = mProcesses.find(port); if (procIt != mProcesses.end()) { - secnotice("SS", "%p dead process %d", this, port.port()); + secinfo("SS", "%p dead process %d", this, port.port()); RefPointer proc = procIt->second; mPids.erase(proc->pid()); mProcesses.erase(procIt); 
@@ -306,7 +305,7 @@ void Server::notifyDeadName(Port port) // void Server::notifyNoSenders(Port port, mach_port_mscount_t) { - secnotice("SS", "%p dead session %d", this, port.port()); + secinfo("SS", "%p dead session %d", this, port.port()); } diff --git a/xcconfig/Security.xcconfig b/xcconfig/Security.xcconfig index 069cc467..e84c0fb0 100644 --- a/xcconfig/Security.xcconfig +++ b/xcconfig/Security.xcconfig @@ -1,8 +1,8 @@ -APPLE_AKS_LIBRARY[sdk=macosx*] = -L$(SDKROOT)/usr/local/lib -laks -APPLE_AKS_LIBRARY[sdk=iphoneos*] = -L$(SDKROOT)/usr/local/lib -laks -APPLE_AKS_LIBRARY[sdk=watchos*] = -L$(SDKROOT)/usr/local/lib -laks -APPLE_AKS_LIBRARY[sdk=tvos*] = -L$(SDKROOT)/usr/local/lib -laks +APPLE_AKS_LIBRARY[sdk=macosx*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag +APPLE_AKS_LIBRARY[sdk=iphoneos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag +APPLE_AKS_LIBRARY[sdk=watchos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag +APPLE_AKS_LIBRARY[sdk=tvos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag FRAMEWORK_SEARCH_PATHS = $(inherited) $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks $(DEVELOPER_LIBRARY_DIR)