From 07691282a056c4efea71e1e505527601e8cc166b Mon Sep 17 00:00:00 2001 
From: Apple Date: Wed, 31 Jul 2019 05:55:00 +0000 Subject: [PATCH] Security-58286.260.20.tar.gz --- .../lib/RequirementKeywords.h | 2 + .../lib/RequirementLexer.cpp | 92 ++- .../lib/RequirementParser.cpp | 333 +++++---- .../lib/RequirementParser.hpp | 7 +- .../lib/RequirementParserTokenTypes.hpp | 56 +- .../lib/RequirementParserTokenTypes.txt | 56 +- .../lib/csutilities.cpp | 77 ++ OSX/libsecurity_codesigning/lib/csutilities.h | 1 + OSX/libsecurity_codesigning/lib/policydb.cpp | 55 +- OSX/libsecurity_codesigning/lib/policydb.h | 1 + OSX/libsecurity_codesigning/lib/reqdumper.cpp | 37 + OSX/libsecurity_codesigning/lib/reqdumper.h | 1 + OSX/libsecurity_codesigning/lib/reqinterp.cpp | 88 ++- OSX/libsecurity_codesigning/lib/reqinterp.h | 9 +- OSX/libsecurity_codesigning/lib/reqreader.cpp | 9 + OSX/libsecurity_codesigning/lib/reqreader.h | 1 + OSX/libsecurity_codesigning/lib/requirement.h | 9 +- .../requirements.grammar | 43 +- OSX/libsecurity_keychain/lib/TokenLogin.cpp | 25 +- .../Regressions/sc-150-backupkeyderivation.c | 8 +- .../Regressions/secitem/si-15-certificate.c | 210 +++++- .../Regressions/secitem/si-23-sectrust-ocsp.c | 71 +- .../Regressions/secitem/si-23-sectrust-ocsp.h | 666 ++++++++++-------- .../secitem/si-27-sectrust-exceptions.c | 164 ++--- .../secitem/si-32-sectrust-pinning-required.h | 486 ++++++------- .../secitem/si-32-sectrust-pinning-required.m | 8 +- OSX/sec/Security/SecCertificate.c | 22 + OSX/sec/Security/SecExports.exp-in | 1 + OSX/sec/securityd/OTATrustUtilities.h | 3 + OSX/sec/securityd/OTATrustUtilities.m | 89 ++- OSX/sec/securityd/SOSCloudCircleServer.m | 10 +- OSX/sec/securityd/SecItemDb.c | 4 + OSX/sec/securityd/SecPolicyServer.c | 41 +- OSX/sec/securityd/SecRevocationNetworking.m | 28 +- .../PinningPolicyTrustTest.plist | 36 +- .../si-20-sectrust-policies-data/ids_test.cer | Bin 0 -> 1146 bytes .../si-20-sectrust-policies-data/itunes.cer | Bin 1742 -> 1752 bytes OSX/shared_regressions/si-44-seckey-aks.m | 8 +- ...livability.cer => 
deprecatedSSLServer.cer} | Bin 1087 -> 1100 bytes .../digicert_ev_root_ca.cer | Bin 0 -> 969 bytes .../si-82-sectrust-ct-data/www_paypal_com.cer | Bin 1548 -> 0 bytes .../www_paypal_com_issuer.cer | Bin 1512 -> 0 bytes OSX/shared_regressions/si-82-sectrust-ct.m | 34 +- Security.xcodeproj/project.pbxproj | 9 +- SecurityTool/requirement.c | 104 +++ SecurityTool/requirement.h | 38 + SecurityTool/security.c | 9 +- securityd/src/transition.cpp | 20 +- trust/SecCertificatePriv.h | 2 + 49 files changed, 1996 insertions(+), 977 deletions(-) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ids_test.cer rename OSX/shared_regressions/si-82-sectrust-ct-data/{livability.cer => deprecatedSSLServer.cer} (50%) create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/digicert_ev_root_ca.cer delete mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com.cer delete mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com_issuer.cer create mode 100644 SecurityTool/requirement.c create mode 100644 SecurityTool/requirement.h diff --git a/OSX/libsecurity_codesigning/lib/RequirementKeywords.h b/OSX/libsecurity_codesigning/lib/RequirementKeywords.h index 09c304b5..55830e14 100644 --- a/OSX/libsecurity_codesigning/lib/RequirementKeywords.h +++ b/OSX/libsecurity_codesigning/lib/RequirementKeywords.h @@ -22,5 +22,7 @@ "info", "entitlement", "exists", + "absent", "leaf", "root", + "timestamp", diff --git a/OSX/libsecurity_codesigning/lib/RequirementLexer.cpp b/OSX/libsecurity_codesigning/lib/RequirementLexer.cpp index 646bfaae..2de62d4f 100644 --- a/OSX/libsecurity_codesigning/lib/RequirementLexer.cpp +++ b/OSX/libsecurity_codesigning/lib/RequirementLexer.cpp 
@@ -12,12 +12,26 @@ #include "requirement.h" #include "reqmaker.h" #include "csutilities.h" +#include +#include #include #include #include // OID coding +#include using namespace CodeSigning; typedef Requirement::Maker Maker; +extern "C" { + +/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return +an absoluteTime if the date was valid and properly decoded. Return +NULL_TIME otherwise. */ +CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes, + size_t length); + +} + + ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) RequirementLexer::RequirementLexer(std::istream& in) : antlr::CharScanner(new antlr::CharBuffer(in),true) @@ -46,11 +60,13 @@ void RequirementLexer::initLiterals() literals["cdhash"] = 20; literals["entitlement"] = 30; literals["library"] = 8; + literals["timestamp"] = 52; literals["never"] = 17; literals["cert"] = 27; literals["plugin"] = 9; + literals["absent"] = 32; literals["or"] = 10; - literals["leaf"] = 43; + literals["leaf"] = 44; literals["info"] = 29; literals["designated"] = 7; literals["apple"] = 24; @@ -58,7 +74,7 @@ void RequirementLexer::initLiterals() literals["true"] = 16; literals["notarized"] = 22; literals["and"] = 11; - literals["root"] = 44; + literals["root"] = 45; literals["platform"] = 21; literals["anchor"] = 23; literals["false"] = 18; @@ -394,11 +410,11 @@ void RequirementLexer::mIDENT(bool _createToken) { } default: { - goto _loop47; + goto _loop49; } } } - _loop47:; + _loop49:; } // ( ... )* _ttype = testLiteralsTable(text.substr(_begin, text.length()-_begin),_ttype); if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { @@ -499,11 +515,11 @@ void RequirementLexer::mDOTKEY(bool _createToken) { } } else { - goto _loop51; + goto _loop53; } } - _loop51:; + _loop53:; } // ( ... )* _ttype = testLiteralsTable(_ttype); if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { 
@@ -520,18 +536,18 @@ void RequirementLexer::mINTEGER(bool _createToken) { std::string::size_type _saveIndex; { // ( ... )+ - int _cnt69=0; + int _cnt71=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { matchRange('0','9'); } else { - if ( _cnt69>=1 ) { goto _loop69; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt71>=1 ) { goto _loop71; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt69++; + _cnt71++; } - _loop69:; + _loop71:; } // ( ... )+ if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { _token = makeToken(_ttype); @@ -549,19 +565,19 @@ void RequirementLexer::mPATHNAME(bool _createToken) { match("/"); mIDENT(false); { // ( ... )+ - int _cnt54=0; + int _cnt56=0; for (;;) { if ((LA(1) == 0x2f /* '/' */ )) { match("/"); mIDENT(false); } else { - if ( _cnt54>=1 ) { goto _loop54; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt56>=1 ) { goto _loop56; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt54++; + _cnt56++; } - _loop54:; + _loop56:; } // ( ... )+ if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { _token = makeToken(_ttype); @@ -583,18 +599,18 @@ void RequirementLexer::mHASHCONSTANT(bool _createToken) { match('\"' /* charlit */ ); text.erase(_saveIndex); { // ( ... )+ - int _cnt57=0; + int _cnt59=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX(false); } else { - if ( _cnt57>=1 ) { goto _loop57; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt59>=1 ) { goto _loop59; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt57++; + _cnt59++; } - _loop57:; + _loop59:; } // ( ... )+ _saveIndex = text.length(); match('\"' /* charlit */ ); 
@@ -672,18 +688,18 @@ void RequirementLexer::mHEXCONSTANT(bool _createToken) { match('x' /* charlit */ ); text.erase(_saveIndex); { // ( ... )+ - int _cnt60=0; + int _cnt62=0; for (;;) { if ((_tokenSet_1.member(LA(1)))) { mHEX(false); } else { - if ( _cnt60>=1 ) { goto _loop60; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt62>=1 ) { goto _loop62; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt60++; + _cnt62++; } - _loop60:; + _loop62:; } // ( ... )+ if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { _token = makeToken(_ttype); @@ -719,11 +735,11 @@ void RequirementLexer::mSTRING(bool _createToken) { } } else { - goto _loop66; + goto _loop68; } } - _loop66:; + _loop68:; } // ( ... )* _saveIndex = text.length(); match('\"' /* charlit */ ); @@ -980,7 +996,7 @@ void RequirementLexer::mWS(bool _createToken) { std::string::size_type _saveIndex; { // ( ... )+ - int _cnt90=0; + int _cnt92=0; for (;;) { switch ( LA(1)) { case 0x20 /* ' ' */ : @@ -1001,12 +1017,12 @@ void RequirementLexer::mWS(bool _createToken) { } default: { - if ( _cnt90>=1 ) { goto _loop90; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt92>=1 ) { goto _loop92; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } - _cnt90++; + _cnt92++; } - _loop90:; + _loop92:; } // ( ... )+ _ttype = antlr::Token::SKIP; if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { @@ -1029,11 +1045,11 @@ void RequirementLexer::mSHELLCOMMENT(bool _createToken) { matchNot('\n' /* charlit */ ); } else { - goto _loop93; + goto _loop95; } } - _loop93:; + _loop95:; } // ( ... )* _ttype = antlr::Token::SKIP; if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { 
@@ -1066,11 +1082,11 @@ void RequirementLexer::mC_COMMENT(bool _createToken) { } } else { - goto _loop99; + goto _loop101; } } - _loop99:; + _loop101:; } // ( ... )* match("*/"); _ttype = antlr::Token::SKIP; @@ -1094,11 +1110,11 @@ void RequirementLexer::mCPP_COMMENT(bool _createToken) { matchNot('\n' /* charlit */ ); } else { - goto _loop102; + goto _loop104; } } - _loop102:; + _loop104:; } // ( ... )* _ttype = antlr::Token::SKIP; if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { 
@@ -1118,22 +1134,22 @@ const antlr::BitSet RequirementLexer::_tokenSet_1(_tokenSet_1_data_,10); const unsigned long RequirementLexer::_tokenSet_2_data_[] = { 4294967295UL, 4294967291UL, 4026531839UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967292UL, 2097151UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 // 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e -// 0x1f ! # $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : +// 0x1f ! # $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < const antlr::BitSet RequirementLexer::_tokenSet_2(_tokenSet_2_data_,16); const unsigned long RequirementLexer::_tokenSet_3_data_[] = { 4294966271UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967292UL, 2097151UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xd 0xe 0xf 0x10 0x11 // 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f -// ! \" # $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : +// ! \" # $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < const antlr::BitSet RequirementLexer::_tokenSet_3(_tokenSet_3_data_,16); const unsigned long RequirementLexer::_tokenSet_4_data_[] = { 4294967295UL, 4294934527UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967292UL, 2097151UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 // 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e -// 0x1f ! \" # $ % & \' ( ) * + , - . 0 1 2 3 4 5 6 7 8 9 : +// 0x1f ! \" # $ % & \' ( ) * + , - . 
0 1 2 3 4 5 6 7 8 9 : ; < const antlr::BitSet RequirementLexer::_tokenSet_4(_tokenSet_4_data_,16); const unsigned long RequirementLexer::_tokenSet_5_data_[] = { 4294967295UL, 4294966271UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967292UL, 2097151UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 // 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e -// 0x1f ! \" # $ % & \' ( ) + , - . / 0 1 2 3 4 5 6 7 8 9 : +// 0x1f ! \" # $ % & \' ( ) + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < const antlr::BitSet RequirementLexer::_tokenSet_5(_tokenSet_5_data_,16); ANTLR_END_NAMESPACE diff --git a/OSX/libsecurity_codesigning/lib/RequirementParser.cpp b/OSX/libsecurity_codesigning/lib/RequirementParser.cpp index ae070e4d..02887a62 100644 --- a/OSX/libsecurity_codesigning/lib/RequirementParser.cpp +++ b/OSX/libsecurity_codesigning/lib/RequirementParser.cpp @@ -7,12 +7,26 @@ #include "requirement.h" #include "reqmaker.h" #include "csutilities.h" +#include +#include #include #include #include // OID coding +#include using namespace CodeSigning; typedef Requirement::Maker Maker; +extern "C" { + +/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return +an absoluteTime if the date was valid and properly decoded. Return +NULL_TIME otherwise. */ +CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes, + size_t length); + +} + + ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) // 
@@ -66,7 +80,12 @@ ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) void RequirementParser::certMatchOperation(Maker &maker, int32_t slot, string key) { - if (matchPrefix(key, "subject.")) { + if (const char *oids = matchPrefix(key, "timestamp.")) { + maker.put(opCertFieldDate); + maker.put(slot); + CssmAutoData oid(Allocator::standard()); oid.fromOid(oids); + maker.putData(oid.data(), oid.length()); + } else if (matchPrefix(key, "subject.")) { maker.put(opCertField); maker.put(slot); maker.put(key); @@ -971,78 +990,10 @@ void RequirementParser::match_suffix( maker.put(matchExists); break; } - case EQL: - case EQQL: + case LITERAL_absent: { - { - switch ( LA(1)) { - case EQL: - { - match(EQL); - break; - } - case EQQL: - { - match(EQQL); - break; - } - default: - { - throw antlr::NoViableAltException(LT(1), getFilename()); - } - } - } - MatchOperation mop = matchEqual; string value; - { - switch ( LA(1)) { - case STAR: - { - match(STAR); - mop = matchEndsWith; - break; - } - case HEXCONSTANT: - case DOTKEY: - case STRING: - { - break; - } - default: - { - throw antlr::NoViableAltException(LT(1), getFilename()); - } - } - } - value=datavalue(); - { - switch ( LA(1)) { - case STAR: - { - match(STAR); - mop = (mop == matchEndsWith) ? matchContains : matchBeginsWith; - break; - } - case antlr::Token::EOF_TYPE: - case LITERAL_guest: - case LITERAL_host: - case LITERAL_designated: - case LITERAL_library: - case LITERAL_plugin: - case LITERAL_or: - case LITERAL_and: - case RPAREN: - case INTEGER: - case SEMI: - { - break; - } - default: - { - throw antlr::NoViableAltException(LT(1), getFilename()); - } - } - } - maker.put(mop); maker.put(value); + match(LITERAL_absent); + maker.put(matchAbsent); break; } case SUBS: 
@@ -1053,40 +1004,150 @@ void RequirementParser::match_suffix( maker.put(matchContains); maker.put(value); break; } - case LESS: - { - match(LESS); - string value; - value=datavalue(); - maker.put(matchLessThan); maker.put(value); - break; - } - case GT: - { - match(GT); - string value; - value=datavalue(); - maker.put(matchGreaterThan); maker.put(value); - break; - } - case LE: - { - match(LE); - string value; - value=datavalue(); - maker.put(matchLessEqual); maker.put(value); - break; - } - case GE: - { - match(GE); - string value; - value=datavalue(); - maker.put(matchGreaterEqual); maker.put(value); - break; - } default: - { + if ((LA(1) == EQL || LA(1) == EQQL) && (_tokenSet_16.member(LA(2)))) { + { + switch ( LA(1)) { + case EQL: + { + match(EQL); + break; + } + case EQQL: + { + match(EQQL); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + MatchOperation mop = matchEqual; string value; + { + switch ( LA(1)) { + case STAR: + { + match(STAR); + mop = matchEndsWith; + break; + } + case HEXCONSTANT: + case DOTKEY: + case STRING: + { + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + value=datavalue(); + { + switch ( LA(1)) { + case STAR: + { + match(STAR); + mop = (mop == matchEndsWith) ? 
matchContains : matchBeginsWith; + break; + } + case antlr::Token::EOF_TYPE: + case LITERAL_guest: + case LITERAL_host: + case LITERAL_designated: + case LITERAL_library: + case LITERAL_plugin: + case LITERAL_or: + case LITERAL_and: + case RPAREN: + case INTEGER: + case SEMI: + { + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + maker.put(mop); maker.put(value); + } + else if ((LA(1) == EQL || LA(1) == EQQL) && (LA(2) == LITERAL_timestamp)) { + { + switch ( LA(1)) { + case EQL: + { + match(EQL); + break; + } + case EQQL: + { + match(EQQL); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + MatchOperation mop = matchOn; int64_t value; + value=timestamp(); + maker.put(mop); maker.put(value); + } + else if ((LA(1) == LESS) && ((LA(2) >= HEXCONSTANT && LA(2) <= STRING))) { + match(LESS); + string value; + value=datavalue(); + maker.put(matchLessThan); maker.put(value); + } + else if ((LA(1) == GT) && ((LA(2) >= HEXCONSTANT && LA(2) <= STRING))) { + match(GT); + string value; + value=datavalue(); + maker.put(matchGreaterThan); maker.put(value); + } + else if ((LA(1) == LE) && ((LA(2) >= HEXCONSTANT && LA(2) <= STRING))) { + match(LE); + string value; + value=datavalue(); + maker.put(matchLessEqual); maker.put(value); + } + else if ((LA(1) == GE) && ((LA(2) >= HEXCONSTANT && LA(2) <= STRING))) { + match(GE); + string value; + value=datavalue(); + maker.put(matchGreaterEqual); maker.put(value); + } + else if ((LA(1) == LESS) && (LA(2) == LITERAL_timestamp)) { + match(LESS); + int64_t value; + value=timestamp(); + maker.put(matchBefore); maker.put(value); + } + else if ((LA(1) == GT) && (LA(2) == LITERAL_timestamp)) { + match(GT); + int64_t value; + value=timestamp(); + maker.put(matchAfter); maker.put(value); + } + else if ((LA(1) == LE) && (LA(2) == LITERAL_timestamp)) { + match(LE); + int64_t value; + value=timestamp(); + maker.put(matchOnOrBefore); maker.put(value); + } 
+ else if ((LA(1) == GE) && (LA(2) == LITERAL_timestamp)) { + match(GE); + int64_t value; + value=timestamp(); + maker.put(matchOnOrAfter); maker.put(value); + } + else { throw antlr::NoViableAltException(LT(1), getFilename()); } } @@ -1124,7 +1185,24 @@ string RequirementParser::datavalue() { } catch (antlr::RecognitionException& ex) { reportError(ex); - recover(ex,_tokenSet_16); + recover(ex,_tokenSet_17); + } + return result; +} + +int64_t RequirementParser::timestamp() { + int64_t result; + antlr::RefToken s = antlr::nullToken; + + try { // for error handling + match(LITERAL_timestamp); + s = LT(1); + match(STRING); + result = (int64_t)SecAbsoluteTimeFromDateContent(ASN1_GENERALIZED_TIME, (uint8_t const *)s->getText().c_str(), s->getText().length()); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); } return result; } @@ -1158,7 +1236,7 @@ string RequirementParser::stringvalue() { } catch (antlr::RecognitionException& ex) { reportError(ex); - recover(ex,_tokenSet_17); + recover(ex,_tokenSet_18); } return result; } @@ -1241,6 +1319,7 @@ const char* RequirementParser::tokenNames[] = { "\"info\"", "\"entitlement\"", "\"exists\"", + "\"absent\"", "EQL", "EQQL", "STAR", @@ -1260,6 +1339,7 @@ const char* RequirementParser::tokenNames[] = { "STRING", "PATHNAME", "INTEGER", + "\"timestamp\"", "SEMI", "IDENT", "HEX", 
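Review bot: In the new `RequirementParser::timestamp()` the value from `SecAbsoluteTimeFromDateContent` is cast to `int64_t` and returned without checking for the documented failure value (NULL_TIME). A malformed date string in a requirement would therefore compile into a comparison against that sentinel instead of being reported as a parse error. The sentinel is presumably 0, given the `time == 0.0` check in csutilities.cpp. Separately, `int64_t result;` is uninitialized on the path where `match()` throws and the handler falls through to `return result;`. This file looks ANTLR-generated, so the fix belongs in the grammar action: declare the return value as `int64_t result = 0;` and raise a recognition error when the conversion fails, for example `throw antlr::SemanticException("invalid timestamp");`.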
@@ -1274,27 +1354,27 @@ const char* RequirementParser::tokenNames[] = { const unsigned long RequirementParser::_tokenSet_0_data_[] = { 2UL, 0UL, 0UL, 0UL }; // EOF const antlr::BitSet RequirementParser::_tokenSet_0(_tokenSet_0_data_,4); -const unsigned long RequirementParser::_tokenSet_1_data_[] = { 992UL, 262144UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_1_data_[] = { 992UL, 524288UL, 0UL, 0UL }; // "guest" "host" "designated" "library" "plugin" INTEGER const antlr::BitSet RequirementParser::_tokenSet_1(_tokenSet_1_data_,4); const unsigned long RequirementParser::_tokenSet_2_data_[] = { 16UL, 0UL, 0UL, 0UL }; // ARROW const antlr::BitSet RequirementParser::_tokenSet_2(_tokenSet_2_data_,4); -const unsigned long RequirementParser::_tokenSet_3_data_[] = { 994UL, 262144UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_3_data_[] = { 994UL, 524288UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" INTEGER const antlr::BitSet RequirementParser::_tokenSet_3(_tokenSet_3_data_,4); -const unsigned long RequirementParser::_tokenSet_4_data_[] = { 268447730UL, 1024259UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_4_data_[] = { 268447730UL, 3097094UL, 0UL, 0UL }; // EOF ARROW "guest" "host" "designated" "library" "plugin" "or" "and" // RPAREN "trusted" EQL EQQL LBRACK HASHCONSTANT DOTKEY STRING PATHNAME // INTEGER SEMI const antlr::BitSet RequirementParser::_tokenSet_4(_tokenSet_4_data_,4); -const unsigned long RequirementParser::_tokenSet_5_data_[] = { 9186UL, 786432UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_5_data_[] = { 9186UL, 2621440UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" RPAREN INTEGER SEMI const antlr::BitSet RequirementParser::_tokenSet_5(_tokenSet_5_data_,4); -const unsigned long RequirementParser::_tokenSet_6_data_[] = { 994UL, 786432UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_6_data_[] = { 994UL, 2621440UL, 0UL, 0UL }; 
// EOF "guest" "host" "designated" "library" "plugin" INTEGER SEMI const antlr::BitSet RequirementParser::_tokenSet_6(_tokenSet_6_data_,4); -const unsigned long RequirementParser::_tokenSet_7_data_[] = { 10210UL, 786432UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_7_data_[] = { 10210UL, 2621440UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" "or" RPAREN INTEGER // SEMI const antlr::BitSet RequirementParser::_tokenSet_7(_tokenSet_7_data_,4); 
@@ -1302,38 +1382,41 @@ const unsigned long RequirementParser::_tokenSet_8_data_[] = { 1828704256UL, 0UL // LPAREN NOT "always" "true" "never" "false" "identifier" "cdhash" "platform" // "notarized" "anchor" "certificate" "cert" "info" "entitlement" const antlr::BitSet RequirementParser::_tokenSet_8(_tokenSet_8_data_,4); -const unsigned long RequirementParser::_tokenSet_9_data_[] = { 12258UL, 786432UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_9_data_[] = { 12258UL, 2621440UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN // INTEGER SEMI const antlr::BitSet RequirementParser::_tokenSet_9(_tokenSet_9_data_,4); -const unsigned long RequirementParser::_tokenSet_10_data_[] = { 0UL, 269312UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_10_data_[] = { 0UL, 538624UL, 0UL, 0UL }; // NEG "leaf" "root" INTEGER const antlr::BitSet RequirementParser::_tokenSet_10(_tokenSet_10_data_,4); -const unsigned long RequirementParser::_tokenSet_11_data_[] = { 0UL, 237827UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_11_data_[] = { 0UL, 475654UL, 0UL, 0UL }; // EQL EQQL LBRACK HASHCONSTANT DOTKEY STRING PATHNAME const antlr::BitSet RequirementParser::_tokenSet_11(_tokenSet_11_data_,4); -const unsigned long RequirementParser::_tokenSet_12_data_[] = { 0UL, 499712UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_12_data_[] = { 0UL, 999424UL, 0UL, 0UL }; // HASHCONSTANT DOTKEY STRING PATHNAME INTEGER const antlr::BitSet RequirementParser::_tokenSet_12(_tokenSet_12_data_,4); -const unsigned long RequirementParser::_tokenSet_13_data_[] = { 268435456UL, 237827UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_13_data_[] = { 268435456UL, 475654UL, 0UL, 0UL }; // "trusted" EQL EQQL LBRACK HASHCONSTANT DOTKEY STRING PATHNAME const antlr::BitSet RequirementParser::_tokenSet_13(_tokenSet_13_data_,4); -const unsigned long RequirementParser::_tokenSet_14_data_[] = { 
2147495906UL, 1024000UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_14_data_[] = { 2147495906UL, 3096576UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN // "exists" HASHCONSTANT DOTKEY STRING PATHNAME INTEGER SEMI const antlr::BitSet RequirementParser::_tokenSet_14(_tokenSet_14_data_,4); -const unsigned long RequirementParser::_tokenSet_15_data_[] = { 2147495906UL, 786683UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_15_data_[] = { 2147495906UL, 2621943UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN -// "exists" EQL EQQL SUBS LESS GT LE GE INTEGER SEMI +// "exists" "absent" EQL EQQL SUBS LESS GT LE GE INTEGER SEMI const antlr::BitSet RequirementParser::_tokenSet_15(_tokenSet_15_data_,4); -const unsigned long RequirementParser::_tokenSet_16_data_[] = { 12258UL, 786436UL, 0UL, 0UL }; +const unsigned long RequirementParser::_tokenSet_16_data_[] = { 0UL, 229384UL, 0UL, 0UL }; +// STAR HEXCONSTANT DOTKEY STRING +const antlr::BitSet RequirementParser::_tokenSet_16(_tokenSet_16_data_,4); +const unsigned long RequirementParser::_tokenSet_17_data_[] = { 12258UL, 2621448UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN // STAR INTEGER SEMI -const antlr::BitSet RequirementParser::_tokenSet_16(_tokenSet_16_data_,4); -const unsigned long RequirementParser::_tokenSet_17_data_[] = { 12258UL, 786948UL, 0UL, 0UL }; +const antlr::BitSet RequirementParser::_tokenSet_17(_tokenSet_17_data_,4); +const unsigned long RequirementParser::_tokenSet_18_data_[] = { 12258UL, 2622472UL, 0UL, 0UL }; // EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN // STAR RBRACK INTEGER SEMI -const antlr::BitSet RequirementParser::_tokenSet_17(_tokenSet_17_data_,4); +const antlr::BitSet RequirementParser::_tokenSet_18(_tokenSet_18_data_,4); ANTLR_END_NAMESPACE 
diff --git a/OSX/libsecurity_codesigning/lib/RequirementParser.hpp b/OSX/libsecurity_codesigning/lib/RequirementParser.hpp index 80d37170..dddc90d7 100644 --- a/OSX/libsecurity_codesigning/lib/RequirementParser.hpp +++ b/OSX/libsecurity_codesigning/lib/RequirementParser.hpp @@ -96,6 +96,7 @@ public: Maker &maker ); public: string datavalue(); + public: int64_t timestamp(); public: string stringvalue(); public: string pathstring(); public: @@ -109,10 +110,10 @@ protected: private: static const char* tokenNames[]; #ifndef NO_STATIC_CONSTS - static const int NUM_TOKENS = 59; + static const int NUM_TOKENS = 61; #else enum { - NUM_TOKENS = 59 + NUM_TOKENS = 61 }; #endif @@ -152,6 +153,8 @@ private: static const antlr::BitSet _tokenSet_16; static const unsigned long _tokenSet_17_data_[]; static const antlr::BitSet _tokenSet_17; + static const unsigned long _tokenSet_18_data_[]; + static const antlr::BitSet _tokenSet_18; }; ANTLR_END_NAMESPACE diff --git a/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.hpp b/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.hpp index f4aa120a..7cf6171f 100644 --- a/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.hpp +++ b/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.hpp 
@@ -41,33 +41,35 @@ struct CUSTOM_API RequirementParserTokenTypes { LITERAL_info = 29, LITERAL_entitlement = 30, LITERAL_exists = 31, - EQL = 32, - EQQL = 33, - STAR = 34, - SUBS = 35, - LESS = 36, - GT = 37, - LE = 38, - GE = 39, - LBRACK = 40, - RBRACK = 41, - NEG = 42, - LITERAL_leaf = 43, - LITERAL_root = 44, - HASHCONSTANT = 45, - HEXCONSTANT = 46, - DOTKEY = 47, - STRING = 48, - PATHNAME = 49, - INTEGER = 50, - SEMI = 51, - IDENT = 52, - HEX = 53, - COMMA = 54, - WS = 55, - SHELLCOMMENT = 56, - C_COMMENT = 57, - CPP_COMMENT = 58, + LITERAL_absent = 32, + EQL = 33, + EQQL = 34, + STAR = 35, + SUBS = 36, + LESS = 37, + GT = 38, + LE = 39, + GE = 40, + LBRACK = 41, + RBRACK = 42, + NEG = 43, + LITERAL_leaf = 44, + LITERAL_root = 45, + HASHCONSTANT = 46, + HEXCONSTANT = 47, + DOTKEY = 48, + STRING = 49, + PATHNAME = 50, + INTEGER = 51, + LITERAL_timestamp = 52, + SEMI = 53, + IDENT = 54, + HEX = 55, + COMMA = 56, + WS = 57, + SHELLCOMMENT = 58, + C_COMMENT = 59, + CPP_COMMENT = 60, NULL_TREE_LOOKAHEAD = 3 }; #ifdef __cplusplus diff --git a/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.txt b/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.txt index 09dee68b..052076c1 100644 --- a/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.txt +++ b/OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.txt 
@@ -28,30 +28,32 @@ LITERAL_trusted="trusted"=28 LITERAL_info="info"=29 LITERAL_entitlement="entitlement"=30 LITERAL_exists="exists"=31 -EQL=32 -EQQL=33 -STAR=34 -SUBS=35 -LESS=36 -GT=37 -LE=38 -GE=39 -LBRACK=40 -RBRACK=41 -NEG=42 -LITERAL_leaf="leaf"=43 -LITERAL_root="root"=44 -HASHCONSTANT=45 -HEXCONSTANT=46 -DOTKEY=47 -STRING=48 -PATHNAME=49 -INTEGER=50 -SEMI=51 -IDENT=52 -HEX=53 -COMMA=54 -WS=55 -SHELLCOMMENT=56 -C_COMMENT=57 -CPP_COMMENT=58 +LITERAL_absent="absent"=32 +EQL=33 +EQQL=34 +STAR=35 +SUBS=36 +LESS=37 +GT=38 +LE=39 +GE=40 +LBRACK=41 +RBRACK=42 +NEG=43 +LITERAL_leaf="leaf"=44 +LITERAL_root="root"=45 +HASHCONSTANT=46 +HEXCONSTANT=47 +DOTKEY=48 +STRING=49 +PATHNAME=50 +INTEGER=51 +LITERAL_timestamp="timestamp"=52 +SEMI=53 +IDENT=54 +HEX=55 +COMMA=56 +WS=57 +SHELLCOMMENT=58 +C_COMMENT=59 +CPP_COMMENT=60 diff --git a/OSX/libsecurity_codesigning/lib/csutilities.cpp b/OSX/libsecurity_codesigning/lib/csutilities.cpp index e25e7b58..774b6ee2 100644 --- a/OSX/libsecurity_codesigning/lib/csutilities.cpp +++ b/OSX/libsecurity_codesigning/lib/csutilities.cpp @@ -24,8 +24,16 @@ // // csutilities - miscellaneous utilities for the code signing implementation // + #include "csutilities.h" +#include +#include +#include +#include +#include +#include #include +#include #include #include #include "requirement.h" @@ -34,6 +42,16 @@ #include #include +extern "C" { + +/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return + an absoluteTime if the date was valid and properly decoded. Return + NULL_TIME otherwise. */ +CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes, + size_t length); + +} + namespace Security { namespace CodeSigning { 
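Review bot: The `extern "C"` block added to csutilities.cpp hand-copies the prototype of `SecAbsoluteTimeFromDateContent` instead of including the header that declares it, and the same copy appears in the RequirementLexer.cpp and RequirementParser.cpp hunks. With C linkage a later change to the real signature would still link, and the mismatch would only show up at run time. I would include the declaring header, or at least add a comment such as `// Keep in sync with the definition of SecAbsoluteTimeFromDateContent; C linkage will not catch a signature change.`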
@@ -151,6 +169,65 @@ bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid) SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_PolicyConstraints, data); return matched; } + + +CFDateRef certificateCopyFieldDate(SecCertificateRef cert, const CSSM_OID &policyOid) +{ + CFDataRef oidData = NULL; + CFDateRef value = NULL; + CFDataRef data = NULL; + SecAsn1CoderRef coder = NULL; + CSSM_DATA str = { 0 }; + CFAbsoluteTime time = 0.0; + OSStatus status = 0; + bool isCritical; + + oidData = CFDataCreateWithBytesNoCopy(NULL, policyOid.Data, policyOid.Length, + kCFAllocatorNull); + + if (oidData == NULL) { + goto out; + } + + data = SecCertificateCopyExtensionValue(cert, oidData, &isCritical); + + if (data == NULL) { + goto out; + } + + status = SecAsn1CoderCreate(&coder); + if (status != 0) { + goto out; + } + + // We currently only support UTF8 strings. + status = SecAsn1Decode(coder, CFDataGetBytePtr(data), CFDataGetLength(data), + kSecAsn1UTF8StringTemplate, &str); + if (status != 0) { + goto out; + } + + time = SecAbsoluteTimeFromDateContent(ASN1_GENERALIZED_TIME, + str.Data, str.Length); + + if (time == 0.0) { + goto out; + } + + value = CFDateCreate(NULL, time); +out: + if (coder) { + SecAsn1CoderRelease(coder); + } + if (data) { + CFRelease(data); + } + if (oidData) { + CFRelease(oidData); + } + + return value; +} #endif // diff --git a/OSX/libsecurity_codesigning/lib/csutilities.h b/OSX/libsecurity_codesigning/lib/csutilities.h index 668ffb86..bd4408cd 100644 --- a/OSX/libsecurity_codesigning/lib/csutilities.h +++ b/OSX/libsecurity_codesigning/lib/csutilities.h @@ -128,6 +128,7 @@ size_t hashFileData(const char *path, _Hash *hasher) #if TARGET_OS_OSX bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid); bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid); +CFDateRef certificateCopyFieldDate(SecCertificateRef cert, const CSSM_OID &policyOid); #endif // 
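Review bot: certificateCopyFieldDate returns NULL both when the extension is missing and when it is present but cannot be decoded (a SecAsn1Decode error, or `time == 0.0` from SecAbsoluteTimeFromDateContent). The interpreter hunk later in this patch turns that NULL into kCFNull, which only `absent` matches, so a leaf with a malformed timestamp extension is evaluated as if it had none. If that is intended, say so above the function, e.g. `// Returns NULL for a missing OR undecodable extension; callers treat both as "absent".`; otherwise report the decode failure separately. The sentinel test would read better as `if (time == NULL_TIME)` to match the declaration comment, assuming NULL_TIME is visible in this file, and `isCritical` is written but never read.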
diff --git a/OSX/libsecurity_codesigning/lib/policydb.cpp b/OSX/libsecurity_codesigning/lib/policydb.cpp index 9e330e17..7d5eba99 100644 --- a/OSX/libsecurity_codesigning/lib/policydb.cpp +++ b/OSX/libsecurity_codesigning/lib/policydb.cpp @@ -219,12 +219,12 @@ void PolicyDatabase::addFeature(const char *name, const char *value, const char void PolicyDatabase::simpleFeature(const char *feature, void (^perform)()) { + SQLite::Transaction update(*this); if (!hasFeature(feature)) { - SQLite::Transaction update(*this); perform(); addFeature(feature, "upgraded", "upgraded"); - update.commit(); } + update.commit(); } void PolicyDatabase::simpleFeature(const char *feature, const char *sql) @@ -234,6 +234,14 @@ void PolicyDatabase::simpleFeature(const char *feature, const char *sql) perform.execute(); }); } + +void PolicyDatabase::simpleFeatureNoTransaction(const char *feature, void (^perform)()) +{ + if (!hasFeature(feature)) { + perform(); + addFeature(feature, "upgraded", "upgraded"); + } +} void PolicyDatabase::upgradeDatabase() 
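Review bot: simpleFeatureNoTransaction has no comment saying that the caller must already hold an open SQLite::Transaction, which is the only thing that distinguishes it from simpleFeature. Called outside a transaction, the hasFeature() check, perform() and addFeature() would not be atomic, and a failure part-way could leave the change partly applied without the feature being recorded. I would add above the definition: `// Caller must hold an open SQLite::Transaction; this neither starts nor commits one.` The same sentence belongs on the declaration in policydb.h.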
@@ -313,6 +321,49 @@ void PolicyDatabase::upgradeDatabase() "UPDATE authority SET priority = 10.0 WHERE label = 'Mac App Store'"); bumpMacAppStorePriority.execute(); }); + + { + SQLite::Transaction devIdRequirementUpgrades(*this); + + simpleFeatureNoTransaction("legacy_devid", ^{ + auto migrateReq = [](auto db, int type, string req) { + const string legacy = + " and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] absent or " + "certificate leaf[timestamp.1.2.840.113635.100.6.1.33] < timestamp \"20190408000000Z\")"; + + const string unnotarized = + " and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] exists and " + "certificate leaf[timestamp.1.2.840.113635.100.6.1.33] >= timestamp \"20190408000000Z\")"; + + SQLite::Statement update(*db, "UPDATE OR IGNORE authority " + "SET requirement = :newreq " + "WHERE requirement = :oldreq " + " AND type = :type " + " AND label = 'Developer ID'"); + update.bind(":oldreq") = req; + update.bind(":type") = type; + update.bind(":newreq") = req + legacy; + update.execute(); + + SQLite::Statement insert(*db, "INSERT OR IGNORE INTO authority " + "(type, requirement, allow, priority, label) " + "VALUES " + "(:type, :req, 0, 4.0, " + "'Unnotarized Developer ID')"); + insert.bind(":type") = type; + insert.bind(":req") = req + unnotarized; + insert.execute(); + }; + + migrateReq(this, 1, "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"); + migrateReq(this, 2, "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])"); + migrateReq(this, 3, "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"); + }); + + // Add simpleFeatureNoTransaction for going from the requirements create above, to add secure timestamps in 
requirements, here before the commit + + devIdRequirementUpgrades.commit(); + } } diff --git a/OSX/libsecurity_codesigning/lib/policydb.h b/OSX/libsecurity_codesigning/lib/policydb.h index a4c58920..f9d259be 100644 --- a/OSX/libsecurity_codesigning/lib/policydb.h +++ b/OSX/libsecurity_codesigning/lib/policydb.h @@ -122,6 +122,7 @@ public: void addFeature(const char *feature, const char *value, const char *remarks); void simpleFeature(const char *feature, const char *sql); void simpleFeature(const char *feature, void (^perform)()); + void simpleFeatureNoTransaction(const char *feature, void (^perform)()); void installExplicitSet(const char *auth, const char *sigs); diff --git a/OSX/libsecurity_codesigning/lib/reqdumper.cpp b/OSX/libsecurity_codesigning/lib/reqdumper.cpp index 75e240d5..ea29bdfe 100644 --- a/OSX/libsecurity_codesigning/lib/reqdumper.cpp +++ b/OSX/libsecurity_codesigning/lib/reqdumper.cpp @@ -199,6 +199,15 @@ void Dumper::expr(SyntaxLevel level) case opCertField: print("certificate"); certSlot(); print("["); dotString(); print("]"); match(); break; + case opCertFieldDate: + print("certificate"); certSlot(); print("["); +#if TARGET_OS_OSX + { + const unsigned char *data; size_t length; + getData(data, length); + print("timestamp.%s", CssmOid((unsigned char *)data, length).toOid().c_str()); + } +#endif case opCertGeneric: print("certificate"); certSlot(); print("["); #if TARGET_OS_OSX @@ -274,6 +283,9 @@ void Dumper::match() case matchExists: print(" /* exists */"); break; + case matchAbsent: + print(" absent "); + break; case matchEqual: print(" = "); data(); break; 
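Review bot: The `legacy_devid` migration records the feature as upgraded without checking whether the `UPDATE OR IGNORE` in migrateReq changed any row. It matches on the exact requirement text, so on a database where a 'Developer ID' rule was edited, or where OR IGNORE suppresses a conflict, the existing rule keeps no timestamp clause while the 'Unnotarized Developer ID' row is still inserted, and nothing is logged. Consider checking the affected-row count after `update.execute()` and logging when it is zero. The cut-off `20190408000000Z` and the OID `1.2.840.113635.100.6.1.33` are repeated in both strings; naming each once as a local constant would keep the two clauses from drifting apart. upgradeDatabase starts outside this hunk.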
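Review bot: The new `case opCertFieldDate:` in Dumper::expr has no terminating statement, so after printing `timestamp.<oid>` control falls through into `case opCertGeneric:`, which prints `certificate` again, calls certSlot() and reads further operands from the stream. The closing bracket and the match suffix are never emitted for the date form, and the reader is left misaligned for the rest of the dump. After the `#endif` the case needs the same tail as opCertField above it: `print("]"); match(); break;`. The body of opCertGeneric continues past the end of this hunk.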
@@ -298,6 +310,21 @@ void Dumper::match() case matchGreaterThan: print(" > "); data(); break; + case matchOn: + print(" = "); timestamp(); + break; + case matchBefore: + print(" < "); timestamp(); + break; + case matchAfter: + print(" > "); timestamp(); + break; + case matchOnOrBefore: + print(" <= "); timestamp(); + break; + case matchOnOrAfter: + print(" >= "); timestamp(); + break; default: print("MATCH OPCODE %d NOT UNDERSTOOD", op); break; @@ -362,6 +389,16 @@ void Dumper::data(PrintMode bestMode /* = isSimple */, bool dotOkay /* = false * break; } } + +void Dumper::timestamp() +{ + CFAbsoluteTime at = static_cast(get()); + CFRef date = CFDateCreate(NULL, at); + + CFRef str = CFCopyDescription(date); + + print("<%s>", cfString(str).c_str()); +} void Dumper::printBytes(const Byte *data, size_t length) { diff --git a/OSX/libsecurity_codesigning/lib/reqdumper.h b/OSX/libsecurity_codesigning/lib/reqdumper.h index 30793fdc..b2f6b4d1 100644 --- a/OSX/libsecurity_codesigning/lib/reqdumper.h +++ b/OSX/libsecurity_codesigning/lib/reqdumper.h @@ -77,6 +77,7 @@ protected: isBinary // contains binary bytes (use 0xnnn form) }; void data(PrintMode bestMode = isSimple, bool dotOkay = false); + void timestamp(); void dotString() { data(isSimple, true); } void quotedString() { data(isPrintable); } void hashData(); // H"bytes" diff --git a/OSX/libsecurity_codesigning/lib/reqinterp.cpp b/OSX/libsecurity_codesigning/lib/reqinterp.cpp index 80a6ae13..4ea2c53a 100644 --- a/OSX/libsecurity_codesigning/lib/reqinterp.cpp +++ b/OSX/libsecurity_codesigning/lib/reqinterp.cpp @@ -24,6 +24,7 @@ // // reqinterp - Requirement language (exprOp) interpreter // + #include "reqinterp.h" #include "codesigning_dtrace.h" #include 
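Review bot: Dumper::timestamp prints the operand as `<...>` around a CFCopyDescription string, which is not the `timestamp "..."` literal that the grammar hunk in this patch accepts, so a dumped requirement containing a date comparison cannot be parsed back. CFCopyDescription output is intended for debugging and its format is not guaranteed to be stable. Emitting `timestamp "YYYYMMDDhhmmssZ"` built from the stored value would keep the text form round-trippable. A NULL check on the CFDateCreate result before it is passed to CFCopyDescription would also be prudent.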
@@ -158,6 +159,13 @@ bool Requirement::Interpreter::eval(int depth) Match match(*this); return certFieldGeneric(key, match, cert); } + case opCertFieldDate: + { + SecCertificateRef cert = mContext->cert(get()); + string key = getString(); + Match match(*this); + return certFieldDate(key, match, cert); + } case opCertPolicy: { SecCertificateRef cert = mContext->cert(get()); @@ -211,7 +219,7 @@ bool Requirement::Interpreter::infoKeyValue(const string &key, const Match &matc if (mContext->info) // we have an Info.plist if (CFTypeRef value = CFDictionaryGetValue(mContext->info, CFTempString(key))) return match(value); - return false; + return match(kCFNull); } @@ -223,7 +231,7 @@ bool Requirement::Interpreter::entitlementValue(const string &key, const Match & if (mContext->entitlements) // we have an Info.plist if (CFTypeRef value = CFDictionaryGetValue(mContext->entitlements, CFTempString(key))) return match(value); - return false; + return match(kCFNull); } 
@@ -296,7 +304,26 @@ bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match & bool Requirement::Interpreter::certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert) { - return cert && certificateHasField(cert, oid) && match(kCFBooleanTrue); + return cert && match(certificateHasField(cert, oid) ? (CFTypeRef)kCFBooleanTrue : (CFTypeRef)kCFNull); +} + +bool Requirement::Interpreter::certFieldDate(const string &key, const Match &match, SecCertificateRef cert) +{ + // the key is actually a (binary) OID value + CssmOid oid((char *)key.data(), key.length()); + return certFieldDate(oid, match, cert); +} + +bool Requirement::Interpreter::certFieldDate(const CssmOid &oid, const Match &match, SecCertificateRef cert) +{ + CFTypeRef value = cert != NULL ? certificateCopyFieldDate(cert, oid) : NULL; + bool matching = match(value != NULL ? value : kCFNull); + + if (value) { + CFRelease(value); + } + + return matching; } bool Requirement::Interpreter::certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert) @@ -308,7 +335,7 @@ bool Requirement::Interpreter::certFieldPolicy(const string &key, const Match &m bool Requirement::Interpreter::certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert) { - return cert && certificateHasPolicy(cert, oid) && match(kCFBooleanTrue); + return cert && match(certificateHasPolicy(cert, oid) ? (CFTypeRef)kCFBooleanTrue : (CFTypeRef)kCFNull); } #endif @@ -538,6 +565,7 @@ SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef Requirement::Interpreter::Match::Match(Interpreter &interp) { switch (mOp = interp.get()) { + case matchAbsent: case matchExists: break; case matchEqual: 
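Review bot: A missing certificate is handled differently by the field matchers touched on this line. certFieldGeneric and certFieldPolicy return false outright when `cert` is NULL, while the new certFieldDate passes kCFNull to the match. As a result `certificate N[timestamp.OID] absent` is true for a slot that has no certificate at all, but `certificate N[field.OID] absent` is false. If `absent` is meant to cover only a missing field on an existing certificate, certFieldDate should begin with `if (cert == NULL) return false;`. Whichever semantics is chosen, a one-line comment on the three functions should state it.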
@@ -550,6 +578,14 @@ Requirement::Interpreter::Match::Match(Interpreter &interp) case matchGreaterEqual: mValue.take(makeCFString(interp.getString())); break; + case matchOn: + case matchBefore: + case matchAfter: + case matchOnOrBefore: + case matchOnOrAfter: { + mValue.take(CFDateCreate(NULL, interp.getAbsoluteTime())); + break; + } default: // Assume this (unknown) match type has a single data argument. // This gives us a chance to keep the instruction stream aligned. @@ -568,6 +604,10 @@ bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const if (!candidate) return false; + if (candidate == kCFNull) { + return mOp == matchAbsent; // only 'absent' matches + } + // interpret an array as matching alternatives (any one succeeds) if (CFGetTypeID(candidate) == CFArrayGetTypeID()) { CFArrayRef array = CFArrayRef(candidate); 
@@ -578,31 +618,33 @@ bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const } switch (mOp) { + case matchAbsent: + return false; // it exists, so it cannot be absent case matchExists: // anything but NULL and boolean false "exists" return !CFEqual(candidate, kCFBooleanFalse); case matchEqual: // equality works for all CF types return CFEqual(candidate, mValue); case matchContains: - if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + if (isStringValue() && CFGetTypeID(candidate) == CFStringGetTypeID()) { CFStringRef value = CFStringRef(candidate); - if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(value)), 0, NULL)) + if (CFStringFindWithOptions(value, cfStringValue(), CFRangeMake(0, CFStringGetLength(value)), 0, NULL)) return true; } return false; case matchBeginsWith: - if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + if (isStringValue() && CFGetTypeID(candidate) == CFStringGetTypeID()) { CFStringRef value = CFStringRef(candidate); - if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(mValue)), 0, NULL)) + if (CFStringFindWithOptions(value, cfStringValue(), CFRangeMake(0, CFStringGetLength(cfStringValue())), 0, NULL)) return true; } return false; case matchEndsWith: - if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + if (isStringValue() && CFGetTypeID(candidate) == CFStringGetTypeID()) { CFStringRef value = CFStringRef(candidate); - CFIndex matchLength = CFStringGetLength(mValue); + CFIndex matchLength = CFStringGetLength(cfStringValue()); CFIndex start = CFStringGetLength(value) - matchLength; if (start >= 0) - if (CFStringFindWithOptions(value, mValue, CFRangeMake(start, matchLength), 0, NULL)) + if (CFStringFindWithOptions(value, cfStringValue(), CFRangeMake(start, matchLength), 0, NULL)) return true; } return false; 
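Review bot: In the matchBeginsWith branch the search range is `CFRangeMake(0, CFStringGetLength(cfStringValue()))`, the length of the match value, with no check that the candidate is at least that long. matchEndsWith just below guards the equivalent case with `if (start >= 0)`. A candidate shorter than the match value hands CFStringFindWithOptions a range that extends past the end of the string being searched. The range expression predates this commit but the line is rewritten here, so it is a good moment to add `if (CFStringGetLength(value) >= CFStringGetLength(cfStringValue()))` in front of the call. The operator() body starts and ends outside this hunk.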
@@ -614,6 +656,26 @@ bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, false); case matchGreaterEqual: return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, false); + case matchOn: + case matchBefore: + case matchAfter: + case matchOnOrBefore: + case matchOnOrAfter: { + if (!isDateValue() || CFGetTypeID(candidate) != CFDateGetTypeID()) { + return false; + } + + CFComparisonResult res = CFDateCompare((CFDateRef)candidate, cfDateValue(), NULL); + + switch (mOp) { + case matchOn: return res == 0; + case matchBefore: return res < 0; + case matchAfter: return res > 0; + case matchOnOrBefore: return res <= 0; + case matchOnOrAfter: return res >= 0; + default: abort(); + } + } default: // unrecognized match types can never match return false; @@ -624,9 +686,9 @@ bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const bool Requirement::Interpreter::Match::inequality(CFTypeRef candidate, CFStringCompareFlags flags, CFComparisonResult outcome, bool negate) const { - if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + if (isStringValue() && CFGetTypeID(candidate) == CFStringGetTypeID()) { CFStringRef value = CFStringRef(candidate); - if ((CFStringCompare(value, mValue, flags) == outcome) == negate) + if ((CFStringCompare(value, cfStringValue(), flags) == outcome) == negate) return true; } return false; diff --git a/OSX/libsecurity_codesigning/lib/reqinterp.h b/OSX/libsecurity_codesigning/lib/reqinterp.h index 45270409..83b2fb02 100644 --- a/OSX/libsecurity_codesigning/lib/reqinterp.h +++ b/OSX/libsecurity_codesigning/lib/reqinterp.h 
@@ -62,8 +62,13 @@ protected: bool inequality(CFTypeRef candidate, CFStringCompareFlags flags, CFComparisonResult outcome, bool negate) const; private: - CFCopyRef mValue; // match value + CFCopyRef mValue; // match value MatchOperation mOp; // type of match + + bool isStringValue() const { return CFGetTypeID(mValue) == CFStringGetTypeID(); } + bool isDateValue() const { return CFGetTypeID(mValue) == CFDateGetTypeID(); } + CFStringRef cfStringValue() const { return isStringValue() ? (CFStringRef)mValue.get() : NULL; } + CFDateRef cfDateValue() const { return isDateValue() ? (CFDateRef)mValue.get() : NULL; } }; protected: @@ -77,6 +82,8 @@ protected: bool certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert); bool certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert); bool certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert); + bool certFieldDate(const string &key, const Match &match, SecCertificateRef cert); + bool certFieldDate(const CssmOid &oid, const Match &match, SecCertificateRef cert); #endif bool verifyAnchor(SecCertificateRef cert, const unsigned char *digest); bool appleSigned(); diff --git a/OSX/libsecurity_codesigning/lib/reqreader.cpp b/OSX/libsecurity_codesigning/lib/reqreader.cpp index bb3d74dd..d6f94a11 100644 --- a/OSX/libsecurity_codesigning/lib/reqreader.cpp +++ b/OSX/libsecurity_codesigning/lib/reqreader.cpp @@ -75,6 +75,15 @@ CFDataRef Requirement::Reader::getHash() return makeCFData(s, length); } +CFAbsoluteTime Requirement::Reader::getAbsoluteTime() +{ + // timestamps are saved as 64bit ints internally for + // portability, but CoreFoundation wants CFAbsoluteTimes, + // which are doubles. + // This cuts off subseconds. + return static_cast(get()); +} + const unsigned char *Requirement::Reader::getSHA1() { const unsigned char *digest; size_t length; 
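Review bot: isStringValue() and isDateValue() call CFGetTypeID on `mValue` without checking it for NULL. The Match constructor leaves mValue unset for matchExists and matchAbsent and fills it from makeCFString or CFDateCreate otherwise. If either creation call returned NULL, or a helper were ever reached for an operand-less op, CFGetTypeID would be handed NULL instead of the match simply failing. `bool isStringValue() const { return mValue.get() != NULL && CFGetTypeID(mValue) == CFStringGetTypeID(); }`, and the same for isDateValue, makes both helpers safe to call in any state.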
diff --git a/OSX/libsecurity_codesigning/lib/reqreader.h b/OSX/libsecurity_codesigning/lib/reqreader.h index 69dc29d0..55aa2f75 100644 --- a/OSX/libsecurity_codesigning/lib/reqreader.h +++ b/OSX/libsecurity_codesigning/lib/reqreader.h @@ -48,6 +48,7 @@ public: std::string getString(); CFDataRef getHash(); + CFAbsoluteTime getAbsoluteTime(); const unsigned char *getSHA1(); template void getData(T *&data, size_t &length) diff --git a/OSX/libsecurity_codesigning/lib/requirement.h b/OSX/libsecurity_codesigning/lib/requirement.h index eccd2d6a..4bb59398 100644 --- a/OSX/libsecurity_codesigning/lib/requirement.h +++ b/OSX/libsecurity_codesigning/lib/requirement.h @@ -155,7 +155,7 @@ enum ExprOp { opCDHash, // match hash of CodeDirectory directly [cd hash] opNot, // logical inverse [expr] opInfoKeyField, // Info.plist key field [string; match suffix] - opCertField, // Certificate field [cert index; field name; match suffix] + opCertField, // Certificate field, existence only [cert index; field name; match suffix] opTrustedCert, // require trust settings to approve one particular cert [cert index] opTrustedCerts, // require trust settings to approve the cert chain opCertGeneric, // Certificate component by OID [cert index; oid; match suffix] @@ -166,6 +166,7 @@ enum ExprOp { opNamedCode, // named subroutine opPlatform, // platform constraint [integer] opNotarized, // has a developer id+ ticket + opCertFieldDate, // extension value as timestamp [cert index; field name; match suffix] exprOpCount // (total opcode count in use) }; 
@@ -180,6 +181,12 @@ enum MatchOperation { matchGreaterThan, // greater than (string with numeric comparison) matchLessEqual, // less or equal (string with numeric comparison) matchGreaterEqual, // greater or equal (string with numeric comparison) + matchOn, // on (timestamp comparison) + matchBefore, // before (timestamp comparison) + matchAfter, // after (timestamp comparison) + matchOnOrBefore, // on or before (timestamp comparison) + matchOnOrAfter, // on or after (timestamp comparison) + matchAbsent, // not present (kCFNull) }; diff --git a/OSX/libsecurity_codesigning/requirements.grammar b/OSX/libsecurity_codesigning/requirements.grammar index 2886f22c..953dd0a3 100644 --- a/OSX/libsecurity_codesigning/requirements.grammar +++ b/OSX/libsecurity_codesigning/requirements.grammar @@ -47,11 +47,25 @@ header "post_include_cpp" { #include "requirement.h" #include "reqmaker.h" #include "csutilities.h" +#include +#include #include #include #include // OID coding +#include using namespace CodeSigning; typedef Requirement::Maker Maker; + +extern "C" { + +/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return +an absoluteTime if the date was valid and properly decoded. Return +NULL_TIME otherwise. */ +CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes, + size_t length); + +} + } options { @@ -115,7 +129,12 @@ options { void RequirementParser::certMatchOperation(Maker &maker, int32_t slot, string key) { - if (matchPrefix(key, "subject.")) { + if (const char *oids = matchPrefix(key, "timestamp.")) { + maker.put(opCertFieldDate); + maker.put(slot); + CssmAutoData oid(Allocator::standard()); oid.fromOid(oids); + maker.putData(oid.data(), oid.length()); + } else if (matchPrefix(key, "subject.")) { maker.put(opCertField); maker.put(slot); maker.put(key); 
@@ -308,12 +327,18 @@ entitlementspec[Maker &maker] { string key; } match_suffix[Maker &maker] : empty ( "exists" ) ? { maker.put(matchExists); } + | "absent" + { maker.put(matchAbsent); } | ( EQL | EQQL ) { MatchOperation mop = matchEqual; string value; } ( STAR { mop = matchEndsWith; } ) ? value=datavalue ( STAR { mop = (mop == matchEndsWith) ? matchContains : matchBeginsWith; } ) ? { maker.put(mop); maker.put(value); } + | ( EQL | EQQL ) + { MatchOperation mop = matchOn; int64_t value; } + value=timestamp + { maker.put(mop); maker.put(value); } | SUBS { string value; } value=datavalue { maker.put(matchContains); maker.put(value); } | LESS { string value; } value=datavalue @@ -324,6 +349,14 @@ match_suffix[Maker &maker] { maker.put(matchLessEqual); maker.put(value); } | GE { string value; } value=datavalue { maker.put(matchGreaterEqual); maker.put(value); } + | LESS { int64_t value; } value=timestamp + { maker.put(matchBefore); maker.put(value); } + | GT { int64_t value; } value=timestamp + { maker.put(matchAfter); maker.put(value); } + | LE { int64_t value; } value=timestamp + { maker.put(matchOnOrBefore); maker.put(value); } + | GE { int64_t value; } value=timestamp + { maker.put(matchOnOrAfter); maker.put(value); } ; bracketKey returns [string key] @@ -390,6 +423,11 @@ integer returns [int32_t result] : s:INTEGER { result = int32_t(atol(s->getText().c_str())); } ; +// timestamps +timestamp returns [int64_t result] + : "timestamp" s:STRING { result = (int64_t)SecAbsoluteTimeFromDateContent(ASN1_GENERALIZED_TIME, (uint8_t const *)s->getText().c_str(), s->getText().length()); } + ; + // syntactic cavity generators fluff : SEMI 
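Review bot: The `timestamp` rule stores the result of SecAbsoluteTimeFromDateContent without checking for the failure value, which the declaration comment added in this patch gives as NULL_TIME. A malformed or mistyped date string therefore compiles into a requirement that compares against that sentinel instead of being rejected, and the policy author gets no diagnostic. The rule should test the returned CFAbsoluteTime before the `(int64_t)` cast and raise a parse error when it equals NULL_TIME. It would also help to document next to the rule that the string must be a GeneralizedTime, such as the `20190408000000Z` form used in policydb.cpp.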
@@ -419,8 +457,7 @@ options { k=2; testLiterals=false; - // Pass through valid UTF-8 (which excludes hex C0-C1 and F5-FF), - // but also exclude ASCII control characters below 0x20 (space). + // Pass through valid UTF-8 (which excludes hex C0-C1 and F5-FF). // Byte ranges according to Unicode 11.0, paragraph 3.9 D92. charVocabulary='\000'..'\277' | '\302'..'\364'; } diff --git a/OSX/libsecurity_keychain/lib/TokenLogin.cpp b/OSX/libsecurity_keychain/lib/TokenLogin.cpp index 77bf44da..bfe91fd5 100644 --- a/OSX/libsecurity_keychain/lib/TokenLogin.cpp +++ b/OSX/libsecurity_keychain/lib/TokenLogin.cpp @@ -159,7 +159,12 @@ static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey return errSecParam; } - CFDataRef desiredHash = getPubKeyHashWrap(context); + CFDataRef desiredHash = getPubKeyHashWrap(context); + if (!desiredHash) { + os_log_error(TL_LOG, "No wrap key in context"); + return errSecParam; + } + CFIndex idx, count = CFArrayGetCount(identities); for (idx = 0; idx < count; ++idx) { SecIdentityRef identity = (SecIdentityRef)CFArrayGetValueAtIndex(identities, idx); @@ -550,6 +555,7 @@ OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFSt return aks_retval; } +// context = data wrapped in password variable, loginData = dictionary from stored plist OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginData) { if (!loginData || !context) { 
@@ -562,10 +568,23 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa return errSecInternal; } + CFDataRef pubKeyWrapFromPlist = (CFDataRef)CFDictionaryGetValue(loginData, kSecAttrPublicKeyHash); + if (pubKeyWrapFromPlist == NULL) { + os_log_error(TL_LOG, "Failed to get wrapkey"); + return errSecInternal; + } + + CFRef ctx = makeCFDictionary(4, + kSecAttrTokenID, getTokenId(context), + kSecAttrService, getPin(context), + kSecAttrPublicKeyHash, getPubKeyHash(context), + kSecAttrAccount, pubKeyWrapFromPlist + ); + CFRef error; CFRef privKey; CFRef LAContext; - OSStatus retval = privKeyForPubKeyHash(context, privKey.take(), LAContext.take()); + OSStatus retval = privKeyForPubKeyHash(ctx, privKey.take(), LAContext.take()); if (retval != errSecSuccess) { os_log_error(TL_LOG, "Failed to get private key for public key hash: %d", (int) retval); return retval; @@ -639,7 +658,7 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa (CFDataRef)wrappedUsk.get(), error.take()); if (!unwrappedUsk) { - os_log_error(TL_LOG, "TokenLoginUnlockKeybag failed to unwrap blob: %@", error.get()); + os_log_error(TL_LOG, "TokenLoginUnlockKeybag failed to unwrap blob: %{public}@", error.get()); return errSecInternal; } diff --git a/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c b/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c index 7203620e..a1d3b59b 100644 --- a/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c +++ b/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c 
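Review bot: `pubKeyWrapFromPlist` is taken from `loginData` with a plain cast and checked only for NULL, although the comment added above the function says loginData is the dictionary from a stored plist. A value of another CF type would be passed on as a CFDataRef under kSecAttrAccount; the check should be `if (pubKeyWrapFromPlist == NULL || CFGetTypeID(pubKeyWrapFromPlist) != CFDataGetTypeID())`. The three values pulled from `context` (getTokenId, getPin, getPubKeyHash) also go into makeCFDictionary unchecked; if any of them can be NULL they need a guard before the dictionary is built. The function continues past this hunk.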
@@ -95,9 +95,13 @@ static void tests(void) ok(SOSGenerateDeviceBackupFullKey(fullKey3, cp, entropy3, &error), "Generate key 3 (%@)", error); CFReleaseNull(error); - size_t comparisonSize = ccec_full_ctx_size(ccec_ccn_size(cp)); + size_t ex_size = ccec_x963_export_size(true, ccec_ctx_pub(fullKey1)); + uint8_t buf1[ex_size]; + ccec_x963_export(true, buf1, fullKey1); + uint8_t buf1a[ex_size]; + ccec_x963_export(true, buf1a, fullKey1a); - ok(memcmp(fullKey1, fullKey1a, comparisonSize), "Two derivations match"); + ok(0 == memcmp(buf1, buf1a, ex_size), "Two derivations match"); CFDataRef publicKeyData = SOSCopyDeviceBackupPublicKey(entropy1, &error); ok(publicKeyData, "Public key copy"); diff --git a/OSX/sec/Security/Regressions/secitem/si-15-certificate.c b/OSX/sec/Security/Regressions/secitem/si-15-certificate.c index bd51a64c..b57f6b06 100644 --- a/OSX/sec/Security/Regressions/secitem/si-15-certificate.c +++ b/OSX/sec/Security/Regressions/secitem/si-15-certificate.c 
@@ -1044,14 +1044,222 @@ static void test_copy_extension_value(void) { CFReleaseNull(cert); } +/* subject:/UID=372S63A2R8/CN=Developer ID Application: John Brayton/OU=372S63A2R8/O=John Brayton/C=US */ +/* issuer :/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US */ +const uint8_t _old_developer_cert[] = { + 0x30,0x82,0x05,0x65,0x30,0x82,0x04,0x4D,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x3B, + 0x8B,0xC9,0x83,0xCC,0x57,0x54,0x95,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x79,0x31,0x2D,0x30,0x2B,0x06,0x03,0x55,0x04, + 0x03,0x0C,0x24,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x49,0x44,0x20, + 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75, + 0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B, + 0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, + 0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31, + 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20, + 0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55, + 0x53,0x30,0x1E,0x17,0x0D,0x31,0x32,0x30,0x34,0x32,0x31,0x31,0x39,0x33,0x39,0x33, + 0x30,0x5A,0x17,0x0D,0x31,0x37,0x30,0x34,0x32,0x32,0x31,0x39,0x33,0x39,0x33,0x30, + 0x5A,0x30,0x81,0x86,0x31,0x1A,0x30,0x18,0x06,0x0A,0x09,0x92,0x26,0x89,0x93,0xF2, + 0x2C,0x64,0x01,0x01,0x0C,0x0A,0x33,0x37,0x32,0x53,0x36,0x33,0x41,0x32,0x52,0x38, + 0x31,0x2F,0x30,0x2D,0x06,0x03,0x55,0x04,0x03,0x0C,0x26,0x44,0x65,0x76,0x65,0x6C, + 0x6F,0x70,0x65,0x72,0x20,0x49,0x44,0x20,0x41,0x70,0x70,0x6C,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x3A,0x20,0x4A,0x6F,0x68,0x6E,0x20,0x42,0x72,0x61,0x79,0x74,0x6F, + 0x6E,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0B,0x0C,0x0A,0x33,0x37,0x32,0x53, + 0x36,0x33,0x41,0x32,0x52,0x38,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0A,0x0C, + 
0x0C,0x4A,0x6F,0x68,0x6E,0x20,0x42,0x72,0x61,0x79,0x74,0x6F,0x6E,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01, + 0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xDE,0x02,0xD5,0xBC,0x79, + 0x03,0x44,0x44,0xA0,0xCC,0x53,0xB9,0x4D,0xF6,0xF7,0x59,0xCF,0xA4,0x71,0x8A,0x20, + 0x72,0xA2,0x60,0xEA,0x45,0x26,0x52,0x39,0xA7,0xBD,0xFF,0x0A,0x45,0x0E,0xA2,0xE4, + 0x42,0x8C,0x0D,0x4B,0xF5,0x96,0x73,0xB3,0x56,0x0E,0xAA,0x2B,0x3F,0xBB,0x69,0x93, + 0xD5,0xC1,0x20,0xF2,0x40,0x38,0xB6,0x6C,0xB1,0xA0,0x4C,0x1B,0xA6,0xF1,0xE5,0x34, + 0xD4,0xD8,0xB0,0xF0,0x34,0x8C,0x2B,0xA4,0xBF,0x1E,0x8F,0x64,0xF0,0x25,0x9F,0x5D, + 0x65,0x1E,0x61,0xBA,0x63,0x68,0x16,0x67,0xDE,0x0B,0x76,0x25,0xFD,0xAF,0xB3,0xBF, + 0x1D,0xEA,0x82,0x85,0xE5,0x80,0xC7,0x62,0x1B,0x17,0xB3,0x5E,0x56,0xEA,0xD4,0x39, + 0x9C,0xA7,0x39,0x9B,0x1F,0xAD,0xD7,0xE1,0x7D,0x71,0x48,0xE5,0x19,0x53,0x98,0x6A, + 0x01,0x14,0x21,0x53,0xE4,0x69,0x69,0x3F,0xF3,0xC0,0x6C,0x2D,0x82,0x78,0x63,0x4E, + 0xAA,0xE4,0x0C,0xEF,0xC3,0x99,0x53,0xCA,0x1A,0x08,0xF4,0x95,0x48,0x23,0x8F,0xC9, + 0x13,0xCA,0xA7,0x0C,0xDC,0xB8,0x34,0x67,0x46,0x68,0x72,0x04,0x7E,0x17,0xC1,0x73, + 0x38,0x21,0xB8,0x52,0x35,0x3F,0x15,0x4D,0x60,0x82,0x63,0xEE,0x37,0xCC,0xF6,0x1F, + 0xF8,0xBC,0xA3,0xF6,0x1F,0xE1,0x9F,0x45,0xFA,0x5A,0xF6,0xC1,0x06,0x16,0xF8,0x03, + 0x84,0x7E,0x2F,0xE3,0x0D,0xEC,0x3E,0x05,0xF5,0xC0,0x0C,0x57,0x84,0x4C,0xCB,0x25, + 0x81,0x4C,0x59,0x2C,0xDC,0x63,0xA7,0xA0,0xA6,0x6C,0xC3,0xDC,0x7F,0x1E,0xAA,0x1E, + 0xD8,0x31,0x7D,0x08,0x8C,0x2F,0x85,0xB9,0x09,0xFF,0xD9,0x02,0x03,0x01,0x00,0x01, + 0xA3,0x82,0x01,0xE1,0x30,0x82,0x01,0xDD,0x30,0x3E,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x01,0x01,0x04,0x32,0x30,0x30,0x30,0x2E,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x30,0x01,0x86,0x22,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73, + 0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70, + 
0x2D,0x64,0x65,0x76,0x69,0x64,0x30,0x31,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04, + 0x16,0x04,0x14,0xB1,0x95,0xE5,0x40,0x5D,0xE0,0x7B,0x76,0xF6,0x2B,0xD4,0x5B,0x16, + 0x6F,0x90,0x52,0x43,0x9C,0x8E,0xEA,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01, + 0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0x57,0x17,0xED,0xA2,0xCF,0xDC,0x7C,0x98,0xA1,0x10,0xE0,0xFC,0xBE,0x87, + 0x2D,0x2C,0xF2,0xE3,0x17,0x54,0x30,0x82,0x01,0x0E,0x06,0x03,0x55,0x1D,0x20,0x04, + 0x82,0x01,0x05,0x30,0x82,0x01,0x01,0x30,0x81,0xFE,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF0,0x30,0x28,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x02,0x01,0x16,0x1C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77, + 0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65, + 0x63,0x61,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30, + 0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65,0x20,0x6F,0x6E, + 0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74,0x79,0x20,0x61, + 0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74,0x61,0x6E,0x63, + 0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E,0x20,0x61,0x70, + 0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E,0x64,0x61,0x72, + 0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63,0x6F,0x6E,0x64, + 0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,0x2C,0x20,0x63, + 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F,0x6C,0x69,0x63, + 0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20,0x73,0x74,0x61, + 0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, + 0x01,0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x16,0x06,0x03,0x55,0x1D,0x25,0x01, + 
0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03, + 0x30,0x13,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x01,0x0D,0x01,0x01, + 0xFF,0x04,0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, + 0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x53,0x09,0xBD,0xA3,0xB5,0xE0,0x63, + 0x49,0x02,0x71,0x3C,0x3A,0xF3,0xC9,0x08,0xF0,0xF9,0xCA,0x4E,0x70,0xD4,0x8D,0x3F, + 0xE5,0x9C,0x67,0xED,0x49,0xB4,0x7C,0xA3,0x5D,0x44,0xDE,0xF0,0x48,0xB9,0xDD,0x54, + 0x4F,0x56,0x7D,0xFD,0x08,0x14,0x3C,0x15,0xB8,0xFF,0x54,0x23,0x9A,0x48,0xC5,0x6C, + 0x48,0x72,0xE4,0x30,0xA6,0xC6,0xE8,0x42,0x62,0x29,0xA5,0x13,0x72,0x1C,0x04,0x6C, + 0x91,0x92,0xC3,0x3A,0x53,0x0A,0x52,0xDC,0x26,0x88,0xDE,0x42,0xA1,0x57,0xC2,0x03, + 0x3A,0xD7,0xE3,0x9B,0x2A,0x1F,0x48,0x65,0xFD,0x7F,0x81,0xEF,0x8E,0x39,0x64,0xB8, + 0x36,0x2B,0x60,0xCC,0x6A,0x50,0x0C,0x79,0xAD,0x75,0xD2,0x44,0x43,0xA1,0x31,0x5A, + 0x27,0xEC,0xB1,0xF5,0xC2,0x32,0x0D,0x35,0xF8,0x70,0x45,0x66,0xA3,0x6A,0x29,0x1F, + 0x60,0x7E,0xEE,0x34,0xF7,0x0F,0xBE,0x23,0x1D,0x97,0x3F,0x6C,0xE4,0xA6,0xF6,0x59, + 0x73,0x51,0x1B,0x13,0x38,0x04,0x98,0x59,0x8F,0xBF,0x8D,0xB8,0x0E,0xC7,0x57,0x00, + 0x8D,0x14,0x3A,0xA5,0xD9,0x4F,0xD9,0x4E,0xFF,0x75,0x83,0x15,0xA6,0x0E,0x1A,0xD3, + 0x0D,0xBC,0x0B,0x7E,0x99,0x3A,0xB9,0x73,0xAE,0x84,0x49,0xEE,0x8B,0x26,0x8E,0xD3, + 0xE9,0x36,0xCD,0xAD,0xC1,0xA9,0x00,0xC0,0x91,0x8B,0x3E,0x7E,0x7B,0x25,0x7F,0x7F, + 0x0D,0x4B,0xA4,0xE4,0xAD,0x67,0x4D,0x6A,0xF1,0xF7,0xF4,0xC0,0x5F,0x4B,0x9A,0xB4, + 0x2D,0x9B,0x91,0x3B,0x5A,0x67,0x9B,0xC5,0x64,0x99,0x04,0xA0,0x01,0xCF,0x52,0xE0, + 0xBB,0xA1,0xC9,0xDD,0xD6,0x75,0x2E,0xE8,0x04, +}; + +/* subject:/UID=PV45XFU466/CN=Developer ID Application: T Solanki (PV45XFU466)/OU=PV45XFU466/O=T Solanki/C=US */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Caspian Certification Authority */ +const uint8_t _new_developer_cert[] = { + 0x30,0x82,0x05,0xBF,0x30,0x82,0x04,0xA7,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x69, + 
0x87,0x9F,0x89,0x35,0xB9,0x9C,0xD7,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x7F,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, + 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, + 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, + 0x74,0x79,0x31,0x33,0x30,0x31,0x06,0x03,0x55,0x04,0x03,0x0C,0x2A,0x54,0x65,0x73, + 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x61,0x73,0x70,0x69,0x61,0x6E,0x20, + 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75, + 0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x31,0x39,0x30,0x33,0x30, + 0x35,0x32,0x32,0x30,0x32,0x32,0x31,0x5A,0x17,0x0D,0x32,0x34,0x30,0x33,0x30,0x35, + 0x32,0x32,0x30,0x32,0x32,0x31,0x5A,0x30,0x81,0x8D,0x31,0x1A,0x30,0x18,0x06,0x0A, + 0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01,0x0C,0x0A,0x50,0x56,0x34,0x35, + 0x58,0x46,0x55,0x34,0x36,0x36,0x31,0x39,0x30,0x37,0x06,0x03,0x55,0x04,0x03,0x0C, + 0x30,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x49,0x44,0x20,0x41,0x70, + 0x70,0x6C,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x3A,0x20,0x54,0x20,0x53,0x6F,0x6C, + 0x61,0x6E,0x6B,0x69,0x20,0x28,0x50,0x56,0x34,0x35,0x58,0x46,0x55,0x34,0x36,0x36, + 0x29,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0B,0x0C,0x0A,0x50,0x56,0x34,0x35, + 0x58,0x46,0x55,0x34,0x36,0x36,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x09,0x54,0x20,0x53,0x6F,0x6C,0x61,0x6E,0x6B,0x69,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30, + 0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC8,0xA7,0xFD,0xE0,0x5C,0xBD,0x35,0x6D, + 0x73,0x44,0xE1,0x9A,0xDA,0x70,0xE9,0x6E,0x99,0xDB,0x9C,0x0A,0x47,0x9B,0x71,0xBC, + 
0xCF,0xE2,0x2A,0x1D,0x6C,0x11,0x5A,0x45,0x27,0xD5,0x3B,0x42,0x4C,0x1B,0xE2,0x43, + 0x5D,0xCA,0x37,0x48,0xB1,0xCD,0xA5,0xDC,0x2B,0x46,0xE9,0xD5,0xEE,0xCE,0xE1,0xF2, + 0x9C,0xD0,0x55,0x14,0x42,0x7A,0x9A,0xFB,0x2C,0xF0,0x20,0xD5,0x53,0x6B,0x3E,0x76, + 0x45,0x59,0xB6,0x16,0x41,0x52,0x61,0x64,0x2E,0xFA,0x69,0x43,0x95,0xD7,0x75,0x63, + 0x24,0xF8,0xFD,0x62,0x99,0xE9,0x5B,0xF8,0x72,0xE9,0x85,0x06,0x73,0x60,0x9C,0x83, + 0xD7,0xD6,0x1D,0xEC,0xC5,0x85,0x48,0xE0,0x55,0x71,0xFE,0xE0,0x54,0xAF,0x06,0xE7, + 0xD6,0x39,0x87,0xFB,0x5A,0xE7,0x7F,0x02,0x7C,0x80,0x2B,0x8B,0xA6,0x6A,0x06,0xF0, + 0xBE,0xDF,0xB3,0x1D,0x4D,0x40,0x9F,0x05,0x36,0x55,0xA4,0x09,0x58,0xB1,0xD2,0xB8, + 0xC0,0x8B,0xDE,0x25,0xD8,0xEB,0x80,0x07,0x34,0x64,0xE5,0x77,0x9A,0x39,0xD6,0xE1, + 0x7F,0x8A,0xF2,0xE4,0x56,0x15,0x84,0xB2,0x8A,0x54,0x31,0xCB,0xC3,0xAD,0xB6,0x63, + 0x72,0x64,0x53,0x8F,0xE5,0x74,0xD3,0xAA,0x91,0x0D,0xF0,0xEF,0x03,0x24,0x21,0x8C, + 0x0D,0x45,0xE4,0x18,0x0E,0xE0,0xDB,0x8C,0x20,0xF1,0x4A,0xD6,0x8B,0x60,0x84,0x3D, + 0x14,0x0D,0xCA,0x46,0x20,0x1F,0x13,0x07,0x7E,0x23,0x90,0x5B,0x8F,0xCF,0xD0,0x1E, + 0x48,0x56,0xF5,0xED,0xF3,0x96,0x52,0x03,0x40,0xF7,0x47,0x4A,0xAF,0xD0,0x67,0x0F, + 0xC1,0x5F,0xB1,0xA8,0xCD,0x29,0xDD,0x91,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x02, + 0x2E,0x30,0x82,0x02,0x2A,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, + 0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14, + 0xF8,0x7A,0x23,0x8A,0xD2,0xE7,0xD2,0xDF,0x21,0xDB,0x7A,0xF4,0x12,0x31,0x6E,0x28, + 0xF6,0xF9,0xF0,0x8E,0x30,0x49,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, + 0x04,0x3D,0x30,0x3B,0x30,0x39,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01, + 0x86,0x2D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2D,0x75,0x61, + 0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, + 0x2F,0x6F,0x63,0x73,0x70,0x30,0x33,0x2D,0x64,0x65,0x76,0x69,0x64,0x30,0x39,0x30, + 0x82,0x01,0x1D,0x06,0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x14,0x30,0x82,0x01,0x10, + 
0x30,0x82,0x01,0x0C,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30, + 0x81,0xFE,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30, + 0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65,0x20,0x6F,0x6E, + 0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74,0x79,0x20,0x61, + 0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74,0x61,0x6E,0x63, + 0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E,0x20,0x61,0x70, + 0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E,0x64,0x61,0x72, + 0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63,0x6F,0x6E,0x64, + 0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,0x2C,0x20,0x63, + 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F,0x6C,0x69,0x63, + 0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20,0x73,0x74,0x61, + 0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x36,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x02,0x01,0x16,0x2A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77, + 0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72,0x74,0x69, + 0x66,0x69,0x63,0x61,0x74,0x65,0x61,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x2F, + 0x30,0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08, + 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04, + 0x16,0x04,0x14,0x6A,0x2A,0x84,0xE8,0xAF,0x4B,0x33,0x37,0xB3,0x09,0xD5,0x8D,0x49, + 0x5B,0xF1,0xA9,0x3D,0x6E,0xCD,0x71,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01, + 0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x13,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7, + 0x63,0x64,0x06,0x01,0x0D,0x01,0x01,0xFF,0x04,0x02,0x05,0x00,0x30,0x1F,0x06,0x0A, + 0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x01,0x21,0x04,0x11,0x0C,0x0F,0x32,0x30, + 
0x31,0x39,0x30,0x33,0x30,0x35,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x10,0x06, + 0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x01,0x20,0x04,0x02,0x05,0x00,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0x64,0x2D,0x1E,0xE4,0x1A,0x98,0xEF,0x62,0xF9,0xD8,0xEE,0xF8,0xCA, + 0x87,0xD7,0x71,0x55,0xDB,0x0D,0x9E,0x8F,0xDE,0x6E,0xBA,0x7D,0xBE,0xE7,0x2E,0xE3, + 0x48,0x09,0x09,0x11,0x54,0x3C,0x6F,0x79,0x61,0xF6,0x18,0xAB,0xE6,0xF4,0x87,0x59, + 0x20,0x97,0xC3,0xC2,0x47,0x25,0x03,0x47,0xA0,0xD6,0x95,0x08,0x67,0xA4,0x25,0xB1, + 0x94,0x0A,0x17,0x90,0xA7,0x64,0xD1,0xB6,0x35,0x59,0xF8,0x9D,0x0E,0x1E,0xF2,0x5D, + 0x2A,0x68,0x90,0x30,0xDF,0xC0,0xF6,0xBE,0x82,0x96,0x9C,0x26,0xAA,0x23,0xFB,0x05, + 0xC0,0xC2,0xE5,0xED,0x91,0xEF,0x44,0x93,0xC2,0x1D,0x53,0xE8,0x73,0xB7,0xBC,0xDB, + 0x3F,0x06,0x19,0xE5,0x40,0x2A,0xA2,0xE0,0x6F,0xA7,0xF7,0x08,0xB5,0xCB,0x90,0x19, + 0x4E,0x94,0xCF,0xD0,0x06,0x90,0xD7,0x60,0x2A,0x12,0x8A,0x54,0xE7,0x0B,0x67,0xEA, + 0x7B,0x02,0x42,0xAF,0xFE,0xA0,0x70,0x0D,0x7E,0xC6,0x28,0x96,0x41,0x55,0x34,0x83, + 0x5A,0x8C,0xBB,0x85,0x67,0xBC,0x0F,0x18,0x81,0x22,0xA4,0x66,0xCA,0x17,0x54,0xF3, + 0x2D,0xFE,0xBE,0xC7,0xAC,0x21,0x7A,0x6A,0x52,0x2E,0xAD,0x45,0x8B,0x39,0xF7,0x57, + 0x67,0x35,0x86,0xB8,0x3C,0x78,0x40,0xE0,0x28,0xD5,0xE9,0x80,0xA2,0xC2,0x07,0xFA, + 0xAC,0x63,0x1B,0xB6,0x8B,0x47,0xAB,0xC4,0xF1,0x29,0x75,0xE4,0x18,0xF6,0xBB,0x5E, + 0x37,0xD9,0x20,0xEA,0x1F,0xBD,0xA2,0xB6,0x1D,0x22,0x67,0x7C,0x13,0x6D,0xFD,0x91, + 0x01,0x34,0x43,0xB8,0xAA,0x8D,0xEA,0x1A,0xB0,0x31,0xCE,0xF1,0xCB,0x0B,0xC4,0x38, + 0xA4,0x85,0x74, +}; + +static void test_developer_id_date(void) { + SecCertificateRef old_devid = SecCertificateCreateWithBytes(NULL, _old_developer_cert, sizeof(_old_developer_cert)); + SecCertificateRef new_devid = SecCertificateCreateWithBytes(NULL, _new_developer_cert, sizeof(_new_developer_cert)); + + CFErrorRef error = NULL; + CFAbsoluteTime time; + is(SecCertificateGetDeveloperIDDate(old_devid, &time, &error), 
false, "old Developer ID cert returned date"); + is(CFErrorGetCode(error), errSecMissingRequiredExtension, "old Developer ID cert failed with wrong error code"); + CFReleaseNull(error); + + ok(SecCertificateGetDeveloperIDDate(new_devid, &time, &error), "new developer ID cert failed to copy date"); + is(time, 573436800.0, "date in certificate wasn't 2019-03-05 00:00:00Z"); + + CFReleaseNull(old_devid); + CFReleaseNull(new_devid); +} + int si_15_certificate(int argc, char *const *argv) { - plan_tests(45); + plan_tests(49); tests(); test_common_name(); test_copy_email_addresses(); test_copy_extension_value(); + test_developer_id_date(); return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c index b5d82838..fd88f613 100644 --- a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c +++ b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c @@ -26,7 +26,7 @@ static void tests(void) { SecTrustRef trust; - SecCertificateRef cert0, cert1, responderCert; + SecCertificateRef cert0, cert1; isnt(cert0 = SecCertificateCreateWithBytes(NULL, _ocsp_c0, sizeof(_ocsp_c0)), NULL, "create cert0"); isnt(cert1 = SecCertificateCreateWithBytes(NULL, _ocsp_c1, sizeof(_ocsp_c1)), @@ -36,7 +36,7 @@ static void tests(void) CFArrayAppendValue(certs, cert0); CFArrayAppendValue(certs, cert1); - SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, CFSTR("www.paypal.com")); + SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, CFSTR("www.apple.com")); SecPolicyRef ocspPolicy = SecPolicyCreateRevocation(kSecRevocationOCSPMethod); const void *v_policies[] = { sslPolicy, ocspPolicy }; CFArrayRef policies = CFArrayCreate(NULL, v_policies, 
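Review bot: In `test_developer_id_date`, `time` is declared uninitialized and is still compared with `573436800.0` when the second `SecCertificateGetDeveloperIDDate` call fails, and `CFErrorGetCode(error)` runs on a NULL `error` if the first call does not fill it in. Initializing with `CFAbsoluteTime time = 0.0;` and guarding the code check (`is(error ? CFErrorGetCode(error) : 0, errSecMissingRequiredExtension, ...)`) makes a regression show up as a failed assertion rather than a harness crash. An `error` set by the second call is never released; `CFReleaseNull(error);` before the two certificate releases covers that. The assertion labels also read as failure descriptions ("returned date", "failed to copy date") although they name the passing case.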
@@ -45,11 +45,11 @@ static void tests(void) CFRelease(ocspPolicy); ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust"); - /* April 9, 2018 at 1:53:20 PM PDT */ - CFDateRef date = CFDateCreate(NULL, 545000000.0); + /* August 14, 2018 at 9:26:40 PM PDT */ + CFDateRef date = CFDateCreate(NULL, 556000000.0); ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - is(SecTrustGetVerifyTime(trust), 545000000.0, "get date"); + is(SecTrustGetVerifyTime(trust), 556000000.0, "get date"); SecTrustResultType trustResult; ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); 
@@ -62,40 +62,60 @@ static void tests(void) kSecTrustInfoExtendedValidationKey); ok(ev, "extended validation succeeded"); - SecPolicyRef ocspSignerPolicy; + CFReleaseSafe(info); + CFReleaseSafe(trust); + CFReleaseSafe(policies); + CFReleaseSafe(certs); + CFReleaseSafe(cert0); + CFReleaseSafe(cert1); + CFReleaseSafe(date); +} + +static void test_ocsp_responder_policy() { + SecCertificateRef leaf = NULL, subCA = NULL, responderCert = NULL; + CFMutableArrayRef certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeArrayCallBacks); + SecTrustRef trust = NULL; + SecPolicyRef ocspSignerPolicy = NULL; + SecTrustResultType trustResult = kSecTrustResultInvalid; + + /* August 14, 2018 at 9:26:40 PM PDT */ + CFDateRef date = CFDateCreate(NULL, 556000000.0); + + isnt(leaf = SecCertificateCreateWithBytes(NULL, valid_ist_certificate, + sizeof(valid_ist_certificate)), NULL, "create ist leaf"); + isnt(subCA = SecCertificateCreateWithBytes(NULL, ist_intermediate_certificate, + sizeof(ist_intermediate_certificate)), NULL, "create ist subCA"); + CFArrayAppendValue(certs, leaf); + CFArrayAppendValue(certs, subCA); + ok(ocspSignerPolicy = SecPolicyCreateOCSPSigner(), - "create ocspSigner policy"); + "create ocspSigner policy"); - CFReleaseNull(trust); ok_status(SecTrustCreateWithCertificates(certs, ocspSignerPolicy, &trust), - "create trust for c0 -> c1"); + "create trust for c0 -> c1"); ok_status(SecTrustSetVerifyDate(trust, date), "set date"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); is_status(trustResult, kSecTrustResultRecoverableTrustFailure, - "trust is kSecTrustResultRecoverableTrustFailure"); + "trust is kSecTrustResultRecoverableTrustFailure"); isnt(responderCert = SecCertificateCreateWithBytes(NULL, _responderCert, - sizeof(_responderCert)), NULL, "create responderCert"); + sizeof(_responderCert)), NULL, "create responderCert"); CFArraySetValueAtIndex(certs, 0, responderCert); - CFReleaseNull(trust); 
ok_status(SecTrustCreateWithCertificates(certs, ocspSignerPolicy, &trust), - "create trust for ocspResponder -> c1"); - CFReleaseNull(date); - date = CFDateCreate(NULL, 525000000.0); // August 21, 2017 at 2:20:00 AM PDT + "create trust for ocspResponder -> c1"); ok_status(SecTrustSetVerifyDate(trust, date), "set date"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); is_status(trustResult, kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); + "trust is kSecTrustResultUnspecified"); + CFReleaseNull(leaf); + CFReleaseNull(subCA); + CFReleaseNull(responderCert); + CFReleaseNull(certs); + CFReleaseNull(trust); CFReleaseSafe(ocspSignerPolicy); - CFReleaseSafe(info); - CFReleaseSafe(trust); - CFReleaseSafe(policies); - CFReleaseSafe(certs); - CFReleaseSafe(cert0); - CFReleaseSafe(cert1); - CFReleaseSafe(responderCert); - CFReleaseSafe(date); + CFReleaseNull(date); } static void test_revocation() { @@ -798,7 +818,7 @@ int si_23_sectrust_ocsp(int argc, char *const *argv) unsigned host_cnt = 0; - plan_tests(93); + plan_tests(95); for (host_cnt = 0; host_cnt < sizeof(hosts)/sizeof(hosts[0]); host_cnt ++) { if(!ping_host(hosts[host_cnt])) { @@ -808,6 +828,7 @@ int si_23_sectrust_ocsp(int argc, char *const *argv) } tests(); + test_ocsp_responder_policy(); test_aia(); test_aia_https(); test_revocation(); diff --git a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.h b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.h index e12d2ac1..14c314b4 100644 --- a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.h +++ b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.h 
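Review bot: The new `test_ocsp_responder_policy` leaks the first `SecTrustRef`: the `CFReleaseNull(trust);` that used to precede the second `SecTrustCreateWithCertificates` call was dropped in the move, so `trust` is overwritten while it still holds the leaf/subCA trust object. Restore `CFReleaseNull(trust);` right after `CFArraySetValueAtIndex(certs, 0, responderCert);`. The assertion labels "create trust for c0 -> c1" and "create trust for ocspResponder -> c1" still name the old certificates although the chain is now `leaf` and `subCA`. As C, the definition should read `static void test_ocsp_responder_policy(void) {`.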
@@ -25,290 +25,267 @@ #ifndef _SECURITY_SI_23_SECTRUST_OCSP_H_ #define _SECURITY_SI_23_SECTRUST_OCSP_H_ -/* subject:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3014267/C=US/postalCode=95131-2021/ST=California/L=San Jose/street=2211 N 1st St/O=PayPal, Inc./OU=CDN Support/CN=www.paypal.com */ -/* issuer :/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 */ +/* subject:/businessCategory=Private Organization/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=California/serialNumber=C0806592/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Internet Services for Akamai/CN=www.apple.com */ +/* issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA */ static const uint8_t _ocsp_c0[]={ - 0x30,0x82,0x07,0x64,0x30,0x82,0x06,0x4C,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x57, - 0xCB,0x7E,0x15,0xE2,0xE3,0xE2,0x44,0xD8,0x2B,0x01,0x63,0x29,0x46,0xEB,0xF0,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x77, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1D,0x30, - 0x1B,0x06,0x03,0x55,0x04,0x0A,0x13,0x14,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, - 0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x1F,0x30,0x1D, - 0x06,0x03,0x55,0x04,0x0B,0x13,0x16,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20, - 0x54,0x72,0x75,0x73,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x28,0x30, - 0x26,0x06,0x03,0x55,0x04,0x03,0x13,0x1F,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, - 0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x20, - 0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x30,0x1E,0x17,0x0D,0x31,0x37,0x30,0x39,0x32, - 0x32,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,0x39,0x31,0x30,0x33,0x30, - 0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x82,0x01,0x09,0x31,0x13,0x30,0x11,0x06, - 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,0x13,0x02,0x55,0x53, - 
0x31,0x19,0x30,0x17,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01, - 0x02,0x0C,0x08,0x44,0x65,0x6C,0x61,0x77,0x61,0x72,0x65,0x31,0x1D,0x30,0x1B,0x06, - 0x03,0x55,0x04,0x0F,0x13,0x14,0x50,0x72,0x69,0x76,0x61,0x74,0x65,0x20,0x4F,0x72, - 0x67,0x61,0x6E,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x31,0x10,0x30,0x0E,0x06,0x03, - 0x55,0x04,0x05,0x13,0x07,0x33,0x30,0x31,0x34,0x32,0x36,0x37,0x31,0x0B,0x30,0x09, + 0x30,0x82,0x06,0xF0,0x30,0x82,0x05,0xD8,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x05, + 0x43,0xF9,0xBA,0x21,0xAD,0xC4,0x65,0x39,0x19,0x20,0x14,0xC9,0x77,0x24,0xD1,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x75, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x15,0x30, + 0x13,0x06,0x03,0x55,0x04,0x0A,0x13,0x0C,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74, + 0x20,0x49,0x6E,0x63,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0B,0x13,0x10,0x77, + 0x77,0x77,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x31, + 0x34,0x30,0x32,0x06,0x03,0x55,0x04,0x03,0x13,0x2B,0x44,0x69,0x67,0x69,0x43,0x65, + 0x72,0x74,0x20,0x53,0x48,0x41,0x32,0x20,0x45,0x78,0x74,0x65,0x6E,0x64,0x65,0x64, + 0x20,0x56,0x61,0x6C,0x69,0x64,0x61,0x74,0x69,0x6F,0x6E,0x20,0x53,0x65,0x72,0x76, + 0x65,0x72,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x38,0x30,0x35,0x30,0x39,0x30, + 0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,0x39,0x30,0x33,0x32,0x35,0x31,0x32, + 0x30,0x30,0x30,0x30,0x5A,0x30,0x81,0xEE,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04, + 0x0F,0x0C,0x14,0x50,0x72,0x69,0x76,0x61,0x74,0x65,0x20,0x4F,0x72,0x67,0x61,0x6E, + 0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x31,0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01, + 0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,0x13,0x02,0x55,0x53,0x31,0x1B,0x30,0x19, + 0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,0x13,0x0A,0x43, + 0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x11,0x30,0x0F,0x06,0x03,0x55, + 0x04,0x05,0x13,0x08,0x43,0x30,0x38,0x30,0x36,0x35,0x39,0x32,0x31,0x0B,0x30,0x09, 
0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, - 0x04,0x11,0x0C,0x0A,0x39,0x35,0x31,0x33,0x31,0x2D,0x32,0x30,0x32,0x31,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72, - 0x6E,0x69,0x61,0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x07,0x0C,0x08,0x53,0x61, - 0x6E,0x20,0x4A,0x6F,0x73,0x65,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x09,0x0C, - 0x0D,0x32,0x32,0x31,0x31,0x20,0x4E,0x20,0x31,0x73,0x74,0x20,0x53,0x74,0x31,0x15, - 0x30,0x13,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0C,0x50,0x61,0x79,0x50,0x61,0x6C,0x2C, - 0x20,0x49,0x6E,0x63,0x2E,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0B,0x0C,0x0B, - 0x43,0x44,0x4E,0x20,0x53,0x75,0x70,0x70,0x6F,0x72,0x74,0x31,0x17,0x30,0x15,0x06, - 0x03,0x55,0x04,0x03,0x0C,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C, - 0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A, - 0x02,0x82,0x01,0x01,0x00,0xBF,0xF7,0x98,0x4B,0x4E,0xAA,0xF2,0x2F,0xC6,0x77,0xAB, - 0x26,0x76,0x60,0x2E,0xAB,0x50,0xBD,0x47,0xFF,0x8B,0x7C,0xB7,0x4A,0x75,0x0D,0x81, - 0xF7,0x46,0xE2,0x6B,0x03,0x9F,0xE4,0x07,0xFF,0xC0,0xAC,0xE5,0x15,0x7C,0x0B,0x81, - 0xAA,0xD0,0x32,0x88,0xB0,0x58,0x4E,0xEB,0xC1,0x13,0xCC,0x27,0xDD,0x1A,0x27,0x40, - 0xE8,0xF8,0x16,0x39,0x9A,0x4D,0x55,0xD5,0x0D,0x47,0x7C,0xD1,0x58,0xDB,0x41,0x8E, - 0x41,0x0E,0x3E,0xF2,0x3B,0x05,0x78,0x5D,0x8B,0xBF,0x28,0x71,0x41,0x11,0xC9,0x14, - 0xDB,0xE5,0xE2,0xAA,0x80,0x84,0xD0,0xE8,0xA7,0x2C,0xAA,0xC2,0x06,0xC8,0xDC,0xD3, - 0x18,0x35,0x42,0xA0,0x47,0xD5,0xB5,0xBA,0x57,0x66,0xC3,0x01,0x1F,0xC1,0x3A,0x58, - 0xE8,0x39,0x94,0xF5,0x5E,0x50,0x73,0x7E,0xB6,0x84,0x45,0x27,0xFC,0x52,0x4C,0xEF, - 0x1E,0x32,0x30,0x13,0x0C,0xF5,0x93,0xE5,0xB9,0xA8,0xA0,0x1C,0x05,0xA9,0x69,0xB7, - 0xA4,0x07,0x27,0xB9,0x6E,0x30,0x99,0x3A,0x6F,0x33,0xD7,0xFF,0x24,0xAE,0x02,0x12, - 0x08,0xF8,0x55,0x3F,0x30,0xEC,0xA2,0x5F,0x93,0x34,0x8B,0xAB,0x05,0xE6,0x8D,0xD5, - 
0x93,0xBE,0x93,0x78,0x3E,0x97,0xA8,0x66,0xDC,0xA9,0x25,0x9B,0xF0,0x18,0x1A,0xFA, - 0xAE,0x80,0x99,0xC6,0x0F,0xE2,0x67,0xAA,0x26,0xA8,0xED,0xE8,0xFF,0x45,0x8F,0x45, - 0x0E,0xC8,0xC3,0x28,0x51,0x12,0xA6,0x17,0x1E,0x27,0xC8,0x61,0x71,0xC7,0x34,0x40, - 0xD0,0xC9,0xBA,0x49,0x72,0x9B,0xBD,0x57,0xCD,0xEA,0xD5,0x86,0x63,0x51,0x1D,0x48, - 0x14,0x70,0xBE,0xD4,0xD5,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x03,0x56,0x30,0x82, - 0x03,0x52,0x30,0x7C,0x06,0x03,0x55,0x1D,0x11,0x04,0x75,0x30,0x73,0x82,0x12,0x68, - 0x69,0x73,0x74,0x6F,0x72,0x79,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F, - 0x6D,0x82,0x0C,0x74,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82, - 0x0C,0x63,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82,0x0D,0x63, - 0x36,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82,0x14,0x64,0x65, - 0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63, - 0x6F,0x6D,0x82,0x0C,0x70,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D, - 0x82,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D, - 0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55, - 0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55, - 0x1D,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01, - 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x30,0x6F,0x06,0x03,0x55,0x1D, - 0x20,0x04,0x68,0x30,0x66,0x30,0x5B,0x06,0x0B,0x60,0x86,0x48,0x01,0x86,0xF8,0x45, - 0x01,0x07,0x17,0x06,0x30,0x4C,0x30,0x23,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 0x02,0x01,0x16,0x17,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x64,0x2E,0x73,0x79, - 0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x70,0x73,0x30,0x25,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x19,0x0C,0x17,0x68,0x74,0x74,0x70,0x73, - 0x3A,0x2F,0x2F,0x64,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x72, - 0x70,0x61,0x30,0x07,0x06,0x05,0x67,0x81,0x0C,0x01,0x01,0x30,0x1F,0x06,0x03,0x55, - 
0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x01,0x59,0xAB,0xE7,0xDD,0x3A,0x0B,0x59, - 0xA6,0x64,0x63,0xD6,0xCF,0x20,0x07,0x57,0xD5,0x91,0xE7,0x6A,0x30,0x2B,0x06,0x03, - 0x55,0x1D,0x1F,0x04,0x24,0x30,0x22,0x30,0x20,0xA0,0x1E,0xA0,0x1C,0x86,0x1A,0x68, - 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x72,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63, - 0x6F,0x6D,0x2F,0x73,0x72,0x2E,0x63,0x72,0x6C,0x30,0x57,0x06,0x08,0x2B,0x06,0x01, - 0x05,0x05,0x07,0x01,0x01,0x04,0x4B,0x30,0x49,0x30,0x1F,0x06,0x08,0x2B,0x06,0x01, - 0x05,0x05,0x07,0x30,0x01,0x86,0x13,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x72, - 0x2E,0x73,0x79,0x6D,0x63,0x64,0x2E,0x63,0x6F,0x6D,0x30,0x26,0x06,0x08,0x2B,0x06, - 0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73, - 0x72,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x73,0x72,0x2E,0x63, - 0x72,0x74,0x30,0x82,0x01,0x7E,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02, - 0x04,0x02,0x04,0x82,0x01,0x6E,0x04,0x82,0x01,0x6A,0x01,0x68,0x00,0x75,0x00,0xDD, - 0xEB,0x1D,0x2B,0x7A,0x0D,0x4F,0xA6,0x20,0x8B,0x81,0xAD,0x81,0x68,0x70,0x7E,0x2E, - 0x8E,0x9D,0x01,0xD5,0x5C,0x88,0x8D,0x3D,0x11,0xC4,0xCD,0xB6,0xEC,0xBE,0xCC,0x00, - 0x00,0x01,0x5E,0xAB,0x85,0x57,0xB1,0x00,0x00,0x04,0x03,0x00,0x46,0x30,0x44,0x02, - 0x20,0x07,0xE3,0x40,0xE7,0x2A,0x3C,0x38,0xEC,0xF4,0xFB,0x7D,0xBC,0x99,0x23,0xBA, - 0xD6,0x39,0x0D,0x7B,0x87,0x4C,0xF0,0x8B,0xAC,0x88,0x76,0x16,0x98,0xAD,0xED,0xAC, - 0x34,0x02,0x20,0x5E,0xA4,0x5A,0xF6,0xBD,0xD0,0xF2,0x4D,0x77,0x31,0x31,0x65,0x94, - 0xC1,0x2C,0x2D,0x16,0x2D,0x4C,0x8A,0xF3,0xAA,0x2C,0x63,0x3A,0x26,0x94,0x8F,0x5C, - 0x04,0x32,0xB4,0x00,0x77,0x00,0xA4,0xB9,0x09,0x90,0xB4,0x18,0x58,0x14,0x87,0xBB, - 0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98,0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77, - 0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01,0x5E,0xAB,0x85,0x57,0xEC,0x00,0x00, - 0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xE4,0x54,0x30,0xB7,0x22,0x75,0x2E, - 0x6B,0x3F,0xE9,0x65,0x5D,0x59,0x8B,0x0E,0x9F,0x44,0x9D,0x8C,0x05,0xB1,0xFB,0x11, - 
0xD7,0x59,0x98,0x3C,0x35,0xEA,0x52,0xEA,0x9E,0x02,0x21,0x00,0xBD,0x07,0x6C,0x78, - 0x5B,0x81,0xFF,0x45,0x6E,0x8C,0x68,0x99,0x41,0x72,0xC1,0xE5,0x36,0x71,0x81,0x00, - 0x85,0x1D,0x2A,0xC4,0xFD,0x9E,0x7D,0x85,0xC0,0xD5,0x8F,0x6A,0x00,0x76,0x00,0xEE, - 0x4B,0xBD,0xB7,0x75,0xCE,0x60,0xBA,0xE1,0x42,0x69,0x1F,0xAB,0xE1,0x9E,0x66,0xA3, - 0x0F,0x7E,0x5F,0xB0,0x72,0xD8,0x83,0x00,0xC4,0x7B,0x89,0x7A,0xA8,0xFD,0xCB,0x00, - 0x00,0x01,0x5E,0xAB,0x85,0x59,0xB0,0x00,0x00,0x04,0x03,0x00,0x47,0x30,0x45,0x02, - 0x21,0x00,0xD5,0x8C,0xD3,0x11,0xE6,0x08,0xAA,0xCC,0x98,0x35,0xFC,0xED,0x49,0xF0, - 0x34,0x8B,0xE2,0x68,0x0D,0x66,0x65,0x8F,0x1D,0x56,0x7A,0x7E,0xC7,0x35,0x19,0xD1, - 0xB7,0x0A,0x02,0x20,0x6A,0x96,0x22,0xEC,0x63,0x63,0x79,0xE5,0x5E,0x27,0x98,0x19, - 0xDE,0x4F,0xFC,0x69,0x0A,0x22,0x64,0x97,0x70,0x92,0x67,0x9C,0x7C,0xF4,0x00,0xD1, - 0xDF,0xC2,0x61,0xE6,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, - 0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x88,0x75,0x7C,0xEE,0x8C,0x6F,0x9E,0xE3, - 0xDA,0xB9,0x40,0x53,0x78,0xED,0x57,0x11,0x4C,0xE4,0x3F,0x11,0x4A,0xC3,0xDA,0x80, - 0x97,0xF4,0xF8,0x8E,0x0F,0x8E,0xB1,0x73,0x67,0x83,0xDE,0x3E,0x9E,0x2C,0x85,0x6B, - 0x02,0xB5,0x73,0x48,0x26,0x4D,0x43,0xD7,0x04,0xBD,0xC7,0x7D,0xC4,0xDC,0x03,0xB8, - 0x0B,0x35,0x7C,0x39,0x2C,0x42,0x24,0xB3,0xDC,0x15,0x78,0xF6,0x54,0x70,0xFC,0xE0, - 0x9B,0xF5,0x9F,0x30,0x08,0xB0,0x2F,0x4B,0xF1,0xA1,0x49,0x96,0x08,0x76,0x5C,0xAE, - 0xDC,0x3E,0x95,0x0D,0x1A,0x89,0x0C,0xDA,0x32,0xAD,0x2A,0x4B,0xD7,0x63,0x50,0x8C, - 0x0C,0xE3,0x08,0xEC,0x6F,0x78,0x55,0x67,0x05,0x68,0x65,0x22,0x39,0xE3,0x7E,0x36, - 0xD9,0x90,0xD2,0x3D,0x06,0x36,0xC7,0xDE,0xEE,0xF4,0xD6,0xDD,0xDA,0xC3,0xFB,0xAC, - 0x43,0xFE,0x2F,0x1C,0x64,0x9B,0xE2,0xDD,0xC0,0x89,0x8B,0x52,0x98,0x8D,0x0E,0xF6, - 0x09,0x2D,0xE4,0x4D,0x62,0x9C,0x16,0x22,0x96,0xFB,0x68,0x5B,0x94,0x87,0x87,0xCE, - 0x18,0x7E,0x41,0x60,0x79,0xA4,0x17,0x3E,0x71,0xF2,0xB1,0xA2,0x06,0xD8,0x71,0xD8, - 0x33,0x0B,0x6A,0xD4,0x67,0x68,0x24,0x3E,0xBA,0xC6,0x21,0x94,0x5D,0x6A,0xF6,0x21, - 
0x84,0x5F,0xD0,0xFF,0xAC,0xE4,0x3D,0xAA,0xAD,0x95,0x85,0xFC,0x4B,0x69,0x30,0x72, - 0xB7,0xBA,0x4D,0xDA,0x3A,0xED,0xD9,0x7D,0x40,0x1D,0x02,0x29,0xB8,0xD5,0x0C,0x09, - 0x9E,0x0D,0x74,0x8B,0xFA,0x62,0x02,0x4A,0x88,0x6E,0x7C,0x13,0x56,0xBA,0x99,0x3F, - 0x13,0x78,0x48,0x82,0xAC,0x43,0x8E,0x61, + 0x04,0x08,0x13,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12, + 0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x13,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69, + 0x6E,0x6F,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x25,0x30,0x23,0x06,0x03,0x55,0x04,0x0B, + 0x13,0x1C,0x49,0x6E,0x74,0x65,0x72,0x6E,0x65,0x74,0x20,0x53,0x65,0x72,0x76,0x69, + 0x63,0x65,0x73,0x20,0x66,0x6F,0x72,0x20,0x41,0x6B,0x61,0x6D,0x61,0x69,0x31,0x16, + 0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,0x0D,0x77,0x77,0x77,0x2E,0x61,0x70,0x70, + 0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82, + 0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC0,0x14,0x0E,0x40,0xB0,0xFB,0x3A,0xB4,0x6D, + 0x4A,0xA6,0x24,0xCC,0x18,0x79,0x74,0x11,0x88,0x85,0x12,0x79,0xFF,0xA2,0x15,0xA1, + 0x05,0x43,0xF0,0xC2,0x1E,0xAC,0x3C,0xE2,0x26,0x3A,0x05,0x40,0x96,0xAD,0x48,0x59, + 0x04,0x06,0x0C,0x76,0x84,0x50,0xF7,0x94,0x5C,0xF0,0xD8,0xAE,0xEA,0xFE,0x0B,0xE0, + 0x4A,0xBB,0x58,0x08,0x12,0x99,0x9F,0xB7,0x31,0xB2,0xFC,0xF7,0x2C,0x63,0x3E,0x92, + 0xF0,0x10,0xF5,0x88,0x3C,0x65,0x27,0x42,0x0E,0x5F,0xBB,0x7E,0x5F,0xC5,0x94,0x1C, + 0x7D,0x56,0xA3,0xB4,0x50,0x2F,0x45,0x45,0x40,0xA1,0xAF,0x11,0x47,0x63,0x64,0x8C, + 0xFC,0xAB,0xE7,0x13,0x39,0xAD,0xDD,0x1B,0x3C,0x50,0x11,0x56,0x0F,0x26,0x33,0x94, + 0x9F,0xF4,0x97,0x25,0xCE,0xBA,0x42,0x16,0xC2,0xB2,0x10,0xC3,0x14,0xD1,0x14,0x15, + 0x1F,0x32,0x17,0x00,0x6C,0x24,0x65,0x26,0x36,0xA7,0xEE,0xC2,0x52,0xD3,0xD2,0xB0, + 0xA6,0xCD,0x56,0x47,0x71,0xF5,0xEC,0xE3,0xCE,0xA2,0x0A,0xC5,0xAF,0xD6,0x5B,0x15, + 
0xD9,0x52,0xE3,0x17,0x85,0x98,0x7D,0xEF,0x52,0xC2,0x09,0x82,0x75,0x36,0xAE,0x2C, + 0x6D,0xD4,0xC3,0x8A,0x85,0x12,0x1F,0x79,0x1E,0xAB,0x1E,0xCC,0xBA,0x3D,0x6E,0x99, + 0x41,0x95,0x20,0x8F,0xF2,0x56,0xF8,0x7A,0x53,0x07,0xC9,0x02,0x97,0x77,0x5E,0x62, + 0x19,0xB4,0xAA,0xF6,0xEB,0x68,0xB1,0x20,0x4F,0x55,0x1F,0x46,0x67,0xF0,0xCF,0xEF, + 0xAD,0xE9,0x6E,0x4A,0x57,0xB1,0x23,0xF2,0xB7,0xB6,0xEB,0xD4,0xCC,0x9C,0x82,0xE7, + 0xAB,0xC6,0x25,0xA4,0x7B,0x48,0x8D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x03,0x00, + 0x30,0x82,0x02,0xFC,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, + 0x14,0x3D,0xD3,0x50,0xA5,0xD6,0xA0,0xAD,0xEE,0xF3,0x4A,0x60,0x0A,0x65,0xD3,0x21, + 0xD4,0xF8,0xF8,0xD6,0x0F,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14, + 0xC9,0xBC,0xFC,0x9B,0x14,0x87,0xFE,0xE9,0xC1,0x53,0x82,0xA7,0xE4,0x4F,0xD1,0x74, + 0xC2,0xA5,0x79,0x13,0x30,0x2A,0x06,0x03,0x55,0x1D,0x11,0x04,0x23,0x30,0x21,0x82, + 0x0D,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x10, + 0x69,0x6D,0x61,0x67,0x65,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, + 0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0, + 0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01, + 0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x30, + 0x75,0x06,0x03,0x55,0x1D,0x1F,0x04,0x6E,0x30,0x6C,0x30,0x34,0xA0,0x32,0xA0,0x30, + 0x86,0x2E,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x33,0x2E,0x64,0x69, + 0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x2F,0x73,0x68,0x61,0x32,0x2D, + 0x65,0x76,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x2D,0x67,0x32,0x2E,0x63,0x72,0x6C, + 0x30,0x34,0xA0,0x32,0xA0,0x30,0x86,0x2E,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63, + 0x72,0x6C,0x34,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D, + 0x2F,0x73,0x68,0x61,0x32,0x2D,0x65,0x76,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x2D, + 0x67,0x32,0x2E,0x63,0x72,0x6C,0x30,0x4B,0x06,0x03,0x55,0x1D,0x20,0x04,0x44,0x30, + 
0x42,0x30,0x37,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xFD,0x6C,0x02,0x01,0x30,0x2A, + 0x30,0x28,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1C,0x68,0x74, + 0x74,0x70,0x73,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x64,0x69,0x67,0x69,0x63,0x65, + 0x72,0x74,0x2E,0x63,0x6F,0x6D,0x2F,0x43,0x50,0x53,0x30,0x07,0x06,0x05,0x67,0x81, + 0x0C,0x01,0x01,0x30,0x81,0x88,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, + 0x04,0x7C,0x30,0x7A,0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01, + 0x86,0x18,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x64,0x69, + 0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x52,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x46,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63, + 0x61,0x63,0x65,0x72,0x74,0x73,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E, + 0x63,0x6F,0x6D,0x2F,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74,0x53,0x48,0x41,0x32, + 0x45,0x78,0x74,0x65,0x6E,0x64,0x65,0x64,0x56,0x61,0x6C,0x69,0x64,0x61,0x74,0x69, + 0x6F,0x6E,0x53,0x65,0x72,0x76,0x65,0x72,0x43,0x41,0x2E,0x63,0x72,0x74,0x30,0x09, + 0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x82,0x01,0x03,0x06,0x0A,0x2B, + 0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x81,0xF4,0x04,0x81,0xF1,0x00, + 0xEF,0x00,0x76,0x00,0xBB,0xD9,0xDF,0xBC,0x1F,0x8A,0x71,0xB5,0x93,0x94,0x23,0x97, + 0xAA,0x92,0x7B,0x47,0x38,0x57,0x95,0x0A,0xAB,0x52,0xE8,0x1A,0x90,0x96,0x64,0x36, + 0x8E,0x1E,0xD1,0x85,0x00,0x00,0x01,0x63,0x46,0x25,0xD6,0x3A,0x00,0x00,0x04,0x03, + 0x00,0x47,0x30,0x45,0x02,0x21,0x00,0xCD,0x06,0x70,0xA1,0x82,0x9D,0x94,0x7C,0xFD, + 0xBA,0x24,0xF6,0xD1,0x32,0x3C,0x0E,0x6B,0x08,0x27,0xD7,0x40,0xF1,0x3D,0x69,0x0D, + 0x97,0x67,0x94,0xFC,0xC8,0x04,0x9A,0x02,0x20,0x29,0xEB,0x04,0x1E,0xEB,0xB0,0x8A, + 0x4B,0xE0,0xA6,0xCF,0x95,0xCD,0x05,0x74,0x7F,0x18,0xD8,0x6B,0x76,0xE2,0xC2,0x45, + 0x45,0x66,0x1E,0x40,0xEF,0xFB,0xEF,0x89,0x1F,0x00,0x75,0x00,0x56,0x14,0x06,0x9A, + 0x2F,0xD7,0xC2,0xEC,0xD3,0xF5,0xE1,0xBD,0x44,0xB2,0x3E,0xC7,0x46,0x76,0xB9,0xBC, + 
0x99,0x11,0x5C,0xC0,0xEF,0x94,0x98,0x55,0xD6,0x89,0xD0,0xDD,0x00,0x00,0x01,0x63, + 0x46,0x25,0xD5,0xC3,0x00,0x00,0x04,0x03,0x00,0x46,0x30,0x44,0x02,0x20,0x0B,0x27, + 0x52,0x85,0x46,0x02,0x37,0x41,0x10,0x05,0x4E,0x0E,0xD4,0x99,0x0A,0x38,0x93,0xFD, + 0xFE,0xCB,0x93,0xD2,0x73,0x6D,0x19,0x45,0x4D,0x91,0x1C,0xDA,0xFB,0x59,0x02,0x20, + 0x64,0xCD,0x18,0x8D,0xA4,0x20,0xEE,0x9A,0x61,0xE0,0x5E,0x42,0x3E,0x0F,0xA9,0x22, + 0x16,0x24,0xE4,0xD8,0xB0,0x6F,0x5F,0xFC,0xA3,0x0F,0xA7,0x45,0xFA,0xC1,0xB8,0x3F, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03, + 0x82,0x01,0x01,0x00,0x04,0x71,0x4E,0x20,0xBF,0xD1,0x77,0x37,0x21,0x1E,0x02,0x82, + 0x70,0x87,0xA1,0x94,0xA0,0xF9,0x65,0xCE,0xE6,0x2A,0xC5,0x07,0xDF,0x1F,0xE4,0x0E, + 0x8B,0xB2,0x0A,0xD4,0xB9,0x3C,0x12,0x70,0x35,0xA2,0xF9,0xF9,0x0B,0x12,0x7E,0x4E, + 0xEE,0x18,0x2E,0x36,0xF2,0x3E,0x46,0x09,0xC5,0x4A,0x8C,0xBA,0xCA,0x5D,0xD7,0x72, + 0x06,0x6C,0x39,0xF8,0x6B,0x62,0x76,0x1A,0xC1,0xB3,0xA3,0x07,0xB2,0x5C,0x88,0xA1, + 0xA9,0x7D,0x77,0x11,0x9D,0x69,0x4D,0xBC,0x81,0xB6,0xA2,0x18,0x53,0x67,0xBA,0x7D, + 0xD0,0xFC,0xD1,0xBB,0x28,0x7B,0xBC,0x83,0x17,0x96,0x8B,0x1E,0xFF,0x17,0x36,0x72, + 0xC9,0x60,0xB7,0x19,0xE7,0xDC,0xF5,0x25,0x48,0x33,0x60,0xB1,0xFE,0x1A,0x92,0x8B, + 0xF5,0x84,0xE0,0xD8,0xDC,0x33,0x7F,0xD7,0x8F,0x56,0xDB,0x11,0x31,0xA5,0xAD,0x38, + 0xA0,0x8B,0x40,0x21,0xFA,0x64,0x7A,0xCA,0x44,0xF0,0xD8,0x39,0x38,0x10,0xDC,0x3D, + 0x35,0x0E,0x1E,0x01,0x49,0xDC,0xE9,0xA2,0x3C,0xD0,0x0D,0xFD,0x69,0x93,0x83,0x9E, + 0x80,0xCD,0xEE,0x0C,0x6B,0x2E,0xF1,0x27,0xFD,0x09,0xC0,0x44,0x0B,0xA9,0x7D,0xE6, + 0x24,0xA1,0x32,0xC4,0xAD,0xB9,0x25,0xC5,0x00,0xB8,0x1E,0x8A,0xFA,0x03,0x58,0xEA, + 0x02,0xE6,0x03,0x17,0xFA,0x4B,0xBE,0x74,0x1A,0x8E,0xBF,0xC5,0xC3,0xBD,0x89,0x5E, + 0x76,0xE3,0x7E,0x6B,0x2B,0x06,0x7E,0xA3,0xEC,0x12,0x39,0x90,0x7E,0xC1,0x00,0x51, + 0xA8,0x64,0x00,0x57,0x9B,0x27,0xD9,0x91,0x5F,0x75,0x53,0xDC,0x24,0x0C,0xD3,0x55, + 0x62,0x3A,0x5F,0xD1, }; - -/* subject:/C=US/O=Symantec Corporation/OU=Symantec Trust 
Network/CN=Symantec Class 3 EV SSL CA - G3 */ -/* issuer :/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 */ +/* subject:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA */ +/* issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA */ static const uint8_t _ocsp_c1[]= { - 0x30,0x82,0x05,0x2B,0x30,0x82,0x04,0x13,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x7E, - 0xE1,0x4A,0x6F,0x6F,0xEF,0xF2,0xD3,0x7F,0x3F,0xAD,0x65,0x4D,0x3A,0xDA,0xB4,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81, - 0xCA,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x17, - 0x30,0x15,0x06,0x03,0x55,0x04,0x0A,0x13,0x0E,0x56,0x65,0x72,0x69,0x53,0x69,0x67, - 0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04,0x0B, - 0x13,0x16,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x54,0x72,0x75,0x73,0x74, - 0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x3A,0x30,0x38,0x06,0x03,0x55,0x04, - 0x0B,0x13,0x31,0x28,0x63,0x29,0x20,0x32,0x30,0x30,0x36,0x20,0x56,0x65,0x72,0x69, - 0x53,0x69,0x67,0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x20,0x2D,0x20,0x46,0x6F,0x72, - 0x20,0x61,0x75,0x74,0x68,0x6F,0x72,0x69,0x7A,0x65,0x64,0x20,0x75,0x73,0x65,0x20, - 0x6F,0x6E,0x6C,0x79,0x31,0x45,0x30,0x43,0x06,0x03,0x55,0x04,0x03,0x13,0x3C,0x56, - 0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20, - 0x50,0x75,0x62,0x6C,0x69,0x63,0x20,0x50,0x72,0x69,0x6D,0x61,0x72,0x79,0x20,0x43, - 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74, - 0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x47,0x35,0x30,0x1E,0x17,0x0D,0x31, - 0x33,0x31,0x30,0x33,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x32,0x33, - 0x31,0x30,0x33,0x30,0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x77,0x31,0x0B,0x30, - 
0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1D,0x30,0x1B,0x06,0x03, - 0x55,0x04,0x0A,0x13,0x14,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20,0x43,0x6F, - 0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55, - 0x04,0x0B,0x13,0x16,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20,0x54,0x72,0x75, - 0x73,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x28,0x30,0x26,0x06,0x03, - 0x55,0x04,0x03,0x13,0x1F,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20,0x43,0x6C, - 0x61,0x73,0x73,0x20,0x33,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x20,0x43,0x41,0x20, - 0x2D,0x20,0x47,0x33,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A, - 0x02,0x82,0x01,0x01,0x00,0xD8,0xA1,0x65,0x74,0x23,0xE8,0x2B,0x64,0xE2,0x32,0xD7, - 0x33,0x37,0x3D,0x8E,0xF5,0x34,0x16,0x48,0xDD,0x4F,0x7F,0x87,0x1C,0xF8,0x44,0x23, - 0x13,0x8E,0xFB,0x11,0xD8,0x44,0x5A,0x18,0x71,0x8E,0x60,0x16,0x26,0x92,0x9B,0xFD, - 0x17,0x0B,0xE1,0x71,0x70,0x42,0xFE,0xBF,0xFA,0x1C,0xC0,0xAA,0xA3,0xA7,0xB5,0x71, - 0xE8,0xFF,0x18,0x83,0xF6,0xDF,0x10,0x0A,0x13,0x62,0xC8,0x3D,0x9C,0xA7,0xDE,0x2E, - 0x3F,0x0C,0xD9,0x1D,0xE7,0x2E,0xFB,0x2A,0xCE,0xC8,0x9A,0x7F,0x87,0xBF,0xD8,0x4C, - 0x04,0x15,0x32,0xC9,0xD1,0xCC,0x95,0x71,0xA0,0x4E,0x28,0x4F,0x84,0xD9,0x35,0xFB, - 0xE3,0x86,0x6F,0x94,0x53,0xE6,0x72,0x8A,0x63,0x67,0x2E,0xBE,0x69,0xF6,0xF7,0x6E, - 0x8E,0x9C,0x60,0x04,0xEB,0x29,0xFA,0xC4,0x47,0x42,0xD2,0x78,0x98,0xE3,0xEC,0x0B, - 0xA5,0x92,0xDC,0xB7,0x9A,0xBD,0x80,0x64,0x2B,0x38,0x7C,0x38,0x09,0x5B,0x66,0xF6, - 0x2D,0x95,0x7A,0x86,0xB2,0x34,0x2E,0x85,0x9E,0x90,0x0E,0x5F,0xB7,0x5D,0xA4,0x51, - 0x72,0x46,0x70,0x13,0xBF,0x67,0xF2,0xB6,0xA7,0x4D,0x14,0x1E,0x6C,0xB9,0x53,0xEE, - 0x23,0x1A,0x4E,0x8D,0x48,0x55,0x43,0x41,0xB1,0x89,0x75,0x6A,0x40,0x28,0xC5,0x7D, - 0xDD,0xD2,0x6E,0xD2,0x02,0x19,0x2F,0x7B,0x24,0x94,0x4B,0xEB,0xF1,0x1A,0xA9,0x9B, - 0xE3,0x23,0x9A,0xEA,0xFA,0x33,0xAB,0x0A,0x2C,0xB7,0xF4,0x60,0x08,0xDD,0x9F,0x1C, - 
0xCD,0xDD,0x2D,0x01,0x66,0x80,0xAF,0xB3,0x2F,0x29,0x1D,0x23,0xB8,0x8A,0xE1,0xA1, - 0x70,0x07,0x0C,0x34,0x0F,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x5D,0x30,0x82, - 0x01,0x59,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x23, - 0x30,0x21,0x30,0x1F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x13, - 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x32,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E, - 0x63,0x6F,0x6D,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30, - 0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x65,0x06,0x03,0x55,0x1D,0x20,0x04,0x5E, - 0x30,0x5C,0x30,0x5A,0x06,0x04,0x55,0x1D,0x20,0x00,0x30,0x52,0x30,0x26,0x06,0x08, - 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F, - 0x2F,0x77,0x77,0x77,0x2E,0x73,0x79,0x6D,0x61,0x75,0x74,0x68,0x2E,0x63,0x6F,0x6D, - 0x2F,0x63,0x70,0x73,0x30,0x28,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02, - 0x30,0x1C,0x1A,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x73, - 0x79,0x6D,0x61,0x75,0x74,0x68,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x70,0x61,0x30,0x30, - 0x06,0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86, - 0x1F,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x31,0x2E,0x73,0x79,0x6D,0x63,0x62, - 0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x63,0x61,0x33,0x2D,0x67,0x35,0x2E,0x63,0x72,0x6C, - 0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06, - 0x30,0x29,0x06,0x03,0x55,0x1D,0x11,0x04,0x22,0x30,0x20,0xA4,0x1E,0x30,0x1C,0x31, - 0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11,0x53,0x79,0x6D,0x61,0x6E,0x74, - 0x65,0x63,0x50,0x4B,0x49,0x2D,0x31,0x2D,0x35,0x33,0x33,0x30,0x1D,0x06,0x03,0x55, - 0x1D,0x0E,0x04,0x16,0x04,0x14,0x01,0x59,0xAB,0xE7,0xDD,0x3A,0x0B,0x59,0xA6,0x64, - 0x63,0xD6,0xCF,0x20,0x07,0x57,0xD5,0x91,0xE7,0x6A,0x30,0x1F,0x06,0x03,0x55,0x1D, - 0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x7F,0xD3,0x65,0xA7,0xC2,0xDD,0xEC,0xBB,0xF0, - 0x30,0x09,0xF3,0x43,0x39,0xFA,0x02,0xAF,0x33,0x31,0x33,0x30,0x0D,0x06,0x09,0x2A, - 
0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x42, - 0x01,0x55,0x7B,0xD0,0x16,0x1A,0x5D,0x58,0xE8,0xBB,0x9B,0xA8,0x4D,0xD7,0xF3,0xD7, - 0xEB,0x13,0x94,0x86,0xD6,0x7F,0x21,0x0B,0x47,0xBC,0x57,0x9B,0x92,0x5D,0x4F,0x05, - 0x9F,0x38,0xA4,0x10,0x7C,0xCF,0x83,0xBE,0x06,0x43,0x46,0x8D,0x08,0xBC,0x6A,0xD7, - 0x10,0xA6,0xFA,0xAB,0xAF,0x2F,0x61,0xA8,0x63,0xF2,0x65,0xDF,0x7F,0x4C,0x88,0x12, - 0x88,0x4F,0xB3,0x69,0xD9,0xFF,0x27,0xC0,0x0A,0x97,0x91,0x8F,0x56,0xFB,0x89,0xC4, - 0xA8,0xBB,0x92,0x2D,0x1B,0x73,0xB0,0xC6,0xAB,0x36,0xF4,0x96,0x6C,0x20,0x08,0xEF, - 0x0A,0x1E,0x66,0x24,0x45,0x4F,0x67,0x00,0x40,0xC8,0x07,0x54,0x74,0x33,0x3B,0xA6, - 0xAD,0xBB,0x23,0x9F,0x66,0xED,0xA2,0x44,0x70,0x34,0xFB,0x0E,0xEA,0x01,0xFD,0xCF, - 0x78,0x74,0xDF,0xA7,0xAD,0x55,0xB7,0x5F,0x4D,0xF6,0xD6,0x3F,0xE0,0x86,0xCE,0x24, - 0xC7,0x42,0xA9,0x13,0x14,0x44,0x35,0x4B,0xB6,0xDF,0xC9,0x60,0xAC,0x0C,0x7F,0xD9, - 0x93,0x21,0x4B,0xEE,0x9C,0xE4,0x49,0x02,0x98,0xD3,0x60,0x7B,0x5C,0xBC,0xD5,0x30, - 0x2F,0x07,0xCE,0x44,0x42,0xC4,0x0B,0x99,0xFE,0xE6,0x9F,0xFC,0xB0,0x78,0x86,0x51, - 0x6D,0xD1,0x2C,0x9D,0xC6,0x96,0xFB,0x85,0x82,0xBB,0x04,0x2F,0xF7,0x62,0x80,0xEF, - 0x62,0xDA,0x7F,0xF6,0x0E,0xAC,0x90,0xB8,0x56,0xBD,0x79,0x3F,0xF2,0x80,0x6E,0xA3, - 0xD9,0xB9,0x0F,0x5D,0x3A,0x07,0x1D,0x91,0x93,0x86,0x4B,0x29,0x4C,0xE1,0xDC,0xB5, - 0xE1,0xE0,0x33,0x9D,0xB3,0xCB,0x36,0x91,0x4B,0xFE,0xA1,0xB4,0xEE,0xF0,0xF9, + 0x30,0x82,0x04,0xB6,0x30,0x82,0x03,0x9E,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x0C, + 0x79,0xA9,0x44,0xB0,0x8C,0x11,0x95,0x20,0x92,0x61,0x5F,0xE2,0x6B,0x1D,0x83,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x6C, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x15,0x30, + 0x13,0x06,0x03,0x55,0x04,0x0A,0x13,0x0C,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74, + 0x20,0x49,0x6E,0x63,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0B,0x13,0x10,0x77, + 0x77,0x77,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x31, + 
0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x03,0x13,0x22,0x44,0x69,0x67,0x69,0x43,0x65, + 0x72,0x74,0x20,0x48,0x69,0x67,0x68,0x20,0x41,0x73,0x73,0x75,0x72,0x61,0x6E,0x63, + 0x65,0x20,0x45,0x56,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D, + 0x31,0x33,0x31,0x30,0x32,0x32,0x31,0x32,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x32, + 0x38,0x31,0x30,0x32,0x32,0x31,0x32,0x30,0x30,0x30,0x30,0x5A,0x30,0x75,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x15,0x30,0x13,0x06, + 0x03,0x55,0x04,0x0A,0x13,0x0C,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74,0x20,0x49, + 0x6E,0x63,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0B,0x13,0x10,0x77,0x77,0x77, + 0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x31,0x34,0x30, + 0x32,0x06,0x03,0x55,0x04,0x03,0x13,0x2B,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74, + 0x20,0x53,0x48,0x41,0x32,0x20,0x45,0x78,0x74,0x65,0x6E,0x64,0x65,0x64,0x20,0x56, + 0x61,0x6C,0x69,0x64,0x61,0x74,0x69,0x6F,0x6E,0x20,0x53,0x65,0x72,0x76,0x65,0x72, + 0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, + 0x82,0x01,0x01,0x00,0xD7,0x53,0xA4,0x04,0x51,0xF8,0x99,0xA6,0x16,0x48,0x4B,0x67, + 0x27,0xAA,0x93,0x49,0xD0,0x39,0xED,0x0C,0xB0,0xB0,0x00,0x87,0xF1,0x67,0x28,0x86, + 0x85,0x8C,0x8E,0x63,0xDA,0xBC,0xB1,0x40,0x38,0xE2,0xD3,0xF5,0xEC,0xA5,0x05,0x18, + 0xB8,0x3D,0x3E,0xC5,0x99,0x17,0x32,0xEC,0x18,0x8C,0xFA,0xF1,0x0C,0xA6,0x64,0x21, + 0x85,0xCB,0x07,0x10,0x34,0xB0,0x52,0x88,0x2B,0x1F,0x68,0x9B,0xD2,0xB1,0x8F,0x12, + 0xB0,0xB3,0xD2,0xE7,0x88,0x1F,0x1F,0xEF,0x38,0x77,0x54,0x53,0x5F,0x80,0x79,0x3F, + 0x2E,0x1A,0xAA,0xA8,0x1E,0x4B,0x2B,0x0D,0xAB,0xB7,0x63,0xB9,0x35,0xB7,0x7D,0x14, + 0xBC,0x59,0x4B,0xDF,0x51,0x4A,0xD2,0xA1,0xE2,0x0C,0xE2,0x90,0x82,0x87,0x6A,0xAE, + 0xEA,0xD7,0x64,0xD6,0x98,0x55,0xE8,0xFD,0xAF,0x1A,0x50,0x6C,0x54,0xBC,0x11,0xF2, + 0xFD,0x4A,0xF2,0x9D,0xBB,0x7F,0x0E,0xF4,0xD5,0xBE,0x8E,0x16,0x89,0x12,0x55,0xD8, + 
0xC0,0x71,0x34,0xEE,0xF6,0xDC,0x2D,0xEC,0xC4,0x87,0x25,0x86,0x8D,0xD8,0x21,0xE4, + 0xB0,0x4D,0x0C,0x89,0xDC,0x39,0x26,0x17,0xDD,0xF6,0xD7,0x94,0x85,0xD8,0x04,0x21, + 0x70,0x9D,0x6F,0x6F,0xFF,0x5C,0xBA,0x19,0xE1,0x45,0xCB,0x56,0x57,0x28,0x7E,0x1C, + 0x0D,0x41,0x57,0xAA,0xB7,0xB8,0x27,0xBB,0xB1,0xE4,0xFA,0x2A,0xEF,0x21,0x23,0x75, + 0x1A,0xAD,0x2D,0x9B,0x86,0x35,0x8C,0x9C,0x77,0xB5,0x73,0xAD,0xD8,0x94,0x2D,0xE4, + 0xF3,0x0C,0x9D,0xEE,0xC1,0x4E,0x62,0x7E,0x17,0xC0,0x71,0x9E,0x2C,0xDE,0xF1,0xF9, + 0x10,0x28,0x19,0x33,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x49,0x30,0x82,0x01, + 0x45,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01, + 0x01,0xFF,0x02,0x01,0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04, + 0x04,0x03,0x02,0x01,0x86,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16,0x30,0x14, + 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x03,0x02,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, + 0x04,0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01, + 0x86,0x18,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x64,0x69, + 0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x4B,0x06,0x03,0x55,0x1D, + 0x1F,0x04,0x44,0x30,0x42,0x30,0x40,0xA0,0x3E,0xA0,0x3C,0x86,0x3A,0x68,0x74,0x74, + 0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x34,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72, + 0x74,0x2E,0x63,0x6F,0x6D,0x2F,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74,0x48,0x69, + 0x67,0x68,0x41,0x73,0x73,0x75,0x72,0x61,0x6E,0x63,0x65,0x45,0x56,0x52,0x6F,0x6F, + 0x74,0x43,0x41,0x2E,0x63,0x72,0x6C,0x30,0x3D,0x06,0x03,0x55,0x1D,0x20,0x04,0x36, + 0x30,0x34,0x30,0x32,0x06,0x04,0x55,0x1D,0x20,0x00,0x30,0x2A,0x30,0x28,0x06,0x08, + 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1C,0x68,0x74,0x74,0x70,0x73,0x3A, + 0x2F,0x2F,0x77,0x77,0x77,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63, + 0x6F,0x6D,0x2F,0x43,0x50,0x53,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 
0x14,0x3D,0xD3,0x50,0xA5,0xD6,0xA0,0xAD,0xEE,0xF3,0x4A,0x60,0x0A,0x65,0xD3,0x21, + 0xD4,0xF8,0xF8,0xD6,0x0F,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0xB1,0x3E,0xC3,0x69,0x03,0xF8,0xBF,0x47,0x01,0xD4,0x98,0x26,0x1A,0x08, + 0x02,0xEF,0x63,0x64,0x2B,0xC3,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x9D,0xB6,0xD0,0x90,0x86,0xE1, + 0x86,0x02,0xED,0xC5,0xA0,0xF0,0x34,0x1C,0x74,0xC1,0x8D,0x76,0xCC,0x86,0x0A,0xA8, + 0xF0,0x4A,0x8A,0x42,0xD6,0x3F,0xC8,0xA9,0x4D,0xAD,0x7C,0x08,0xAD,0xE6,0xB6,0x50, + 0xB8,0xA2,0x1A,0x4D,0x88,0x07,0xB1,0x29,0x21,0xDC,0xE7,0xDA,0xC6,0x3C,0x21,0xE0, + 0xE3,0x11,0x49,0x70,0xAC,0x7A,0x1D,0x01,0xA4,0xCA,0x11,0x3A,0x57,0xAB,0x7D,0x57, + 0x2A,0x40,0x74,0xFD,0xD3,0x1D,0x85,0x18,0x50,0xDF,0x57,0x47,0x75,0xA1,0x7D,0x55, + 0x20,0x2E,0x47,0x37,0x50,0x72,0x8C,0x7F,0x82,0x1B,0xD2,0x62,0x8F,0x2D,0x03,0x5A, + 0xDA,0xC3,0xC8,0xA1,0xCE,0x2C,0x52,0xA2,0x00,0x63,0xEB,0x73,0xBA,0x71,0xC8,0x49, + 0x27,0x23,0x97,0x64,0x85,0x9E,0x38,0x0E,0xAD,0x63,0x68,0x3C,0xBA,0x52,0x81,0x58, + 0x79,0xA3,0x2C,0x0C,0xDF,0xDE,0x6D,0xEB,0x31,0xF2,0xBA,0xA0,0x7C,0x6C,0xF1,0x2C, + 0xD4,0xE1,0xBD,0x77,0x84,0x37,0x03,0xCE,0x32,0xB5,0xC8,0x9A,0x81,0x1A,0x4A,0x92, + 0x4E,0x3B,0x46,0x9A,0x85,0xFE,0x83,0xA2,0xF9,0x9E,0x8C,0xA3,0xCC,0x0D,0x5E,0xB3, + 0x3D,0xCF,0x04,0x78,0x8F,0x14,0x14,0x7B,0x32,0x9C,0xC7,0x00,0xA6,0x5C,0xC4,0xB5, + 0xA1,0x55,0x8D,0x5A,0x56,0x68,0xA4,0x22,0x70,0xAA,0x3C,0x81,0x71,0xD9,0x9D,0xA8, + 0x45,0x3B,0xF4,0xE5,0xF6,0xA2,0x51,0xDD,0xC7,0x7B,0x62,0xE8,0x6F,0x0C,0x74,0xEB, + 0xB8,0xDA,0xF8,0xBF,0x87,0x0D,0x79,0x50,0x91,0x90,0x9B,0x18,0x3B,0x91,0x59,0x27, + 0xF1,0x35,0x28,0x13,0xAB,0x26,0x7E,0xD5,0xF7,0x7A, }; +/* subject:/CN=Apple IST CA 2 OCSP Responder NL01/O=Apple Inc./C=US */ +/* issuer :/CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US */ static const uint8_t _responderCert[]= { - 0x30,0x82,0x04,0x58,0x30,0x82,0x03,0x40,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x03, - 
0x56,0x99,0xC9,0x07,0x45,0xC1,0xA9,0x4C,0x50,0x3A,0x24,0x28,0xD6,0x04,0x5D,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x77, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1D,0x30, - 0x1B,0x06,0x03,0x55,0x04,0x0A,0x13,0x14,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, - 0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x1F,0x30,0x1D, - 0x06,0x03,0x55,0x04,0x0B,0x13,0x16,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20, - 0x54,0x72,0x75,0x73,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x28,0x30, - 0x26,0x06,0x03,0x55,0x04,0x03,0x13,0x1F,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, - 0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x20, - 0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x30,0x1E,0x17,0x0D,0x31,0x37,0x30,0x37,0x31, - 0x38,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,0x37,0x31,0x30,0x31,0x36, - 0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x39,0x31,0x37,0x30,0x35,0x06,0x03,0x55, - 0x04,0x03,0x13,0x2E,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20,0x43,0x6C,0x61, - 0x73,0x73,0x20,0x33,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x20,0x43,0x41,0x20,0x2D, - 0x20,0x47,0x33,0x20,0x4F,0x43,0x53,0x50,0x20,0x52,0x65,0x73,0x70,0x6F,0x6E,0x64, - 0x65,0x72,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, - 0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82, - 0x01,0x01,0x00,0xA1,0x49,0x87,0x17,0x74,0x89,0x30,0x97,0x77,0x0D,0x11,0x51,0x51, - 0x3A,0x80,0x2D,0x7C,0xEC,0xB2,0x4C,0xB1,0xE5,0x46,0x51,0x1C,0xF5,0x7A,0x02,0xB3, - 0x77,0x19,0x3B,0x7B,0x94,0x00,0x1A,0xA4,0xD1,0xB8,0xF0,0x07,0xF2,0x1B,0x8D,0x70, - 0xC0,0x81,0x44,0xB5,0x58,0xD8,0x34,0xEC,0x62,0xF7,0x8B,0x4B,0x3C,0x44,0x7D,0xD0, - 0x35,0xAE,0xEF,0x2B,0xFB,0x75,0xAF,0xB3,0x10,0x32,0xC8,0xF9,0x08,0x2C,0x5C,0x1B, - 0x07,0x56,0x7C,0x88,0x6D,0xEE,0x4C,0xD5,0x8F,0xD4,0x48,0x41,0xBB,0x03,0xA8,0xBF, - 0x20,0xE8,0x52,0xFB,0x24,0x5F,0x90,0x78,0xB8,0x87,0x0D,0xD5,0x17,0xAB,0xA8,0xF0, - 
0xDB,0xF8,0x61,0x9F,0xF8,0x09,0x88,0x79,0x19,0x6F,0x57,0xC6,0x69,0x01,0x08,0xAA, - 0xC6,0xBF,0x8D,0x0C,0x2D,0xD3,0x54,0x89,0x03,0xC8,0xA8,0x55,0x00,0xC2,0x89,0xEC, - 0x8E,0xD8,0xD8,0x12,0x15,0x26,0x67,0x8E,0x88,0x0F,0x94,0xFA,0x57,0x50,0xE7,0xE9, - 0x7B,0x1B,0x94,0xF6,0xF1,0xE2,0x91,0x02,0x42,0x4F,0x3B,0x3E,0xB6,0xDD,0x3C,0x78, - 0xE7,0xC8,0x45,0x4F,0x7B,0x7D,0x41,0xD5,0x95,0x3C,0xD6,0x16,0x84,0xF5,0x16,0xF2, - 0x45,0x6C,0xBF,0x05,0x00,0x7E,0x92,0x70,0xB7,0x01,0x14,0x86,0x89,0x89,0x9D,0x6B, - 0xDC,0x5D,0xDF,0x30,0x25,0x7F,0xAA,0x93,0xC0,0xC7,0xC7,0x80,0x12,0xEE,0x47,0xF7, - 0x90,0x69,0x82,0x86,0xFA,0x22,0x11,0x45,0xAB,0xD1,0x50,0x4F,0xED,0x87,0xCA,0x99, - 0x20,0xB5,0xC1,0x8D,0xAC,0x01,0x41,0x5C,0x70,0x3C,0x4D,0xD7,0x8E,0xD6,0x8F,0x51, - 0x19,0x79,0xAB,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x1C,0x30,0x82,0x01,0x18, - 0x30,0x0F,0x06,0x09,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,0x04,0x02,0x05, - 0x00,0x30,0x22,0x06,0x03,0x55,0x1D,0x11,0x04,0x1B,0x30,0x19,0xA4,0x17,0x30,0x15, - 0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0A,0x54,0x47,0x56,0x2D,0x45, - 0x2D,0x32,0x31,0x35,0x32,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, - 0x80,0x14,0x01,0x59,0xAB,0xE7,0xDD,0x3A,0x0B,0x59,0xA6,0x64,0x63,0xD6,0xCF,0x20, - 0x07,0x57,0xD5,0x91,0xE7,0x6A,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, - 0x14,0xE3,0x5E,0x00,0x73,0xB3,0x6F,0xFB,0x26,0x90,0x5A,0xE3,0xE5,0xF4,0xB5,0x99, - 0x95,0xEA,0x80,0xFA,0x9F,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, - 0x02,0x30,0x00,0x30,0x6E,0x06,0x03,0x55,0x1D,0x20,0x04,0x67,0x30,0x65,0x30,0x63, - 0x06,0x0B,0x60,0x86,0x48,0x01,0x86,0xF8,0x45,0x01,0x07,0x17,0x03,0x30,0x54,0x30, - 0x26,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1A,0x68,0x74,0x74, - 0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x73,0x79,0x6D,0x61,0x75,0x74,0x68,0x2E, - 0x63,0x6F,0x6D,0x2F,0x63,0x70,0x73,0x30,0x2A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, - 0x07,0x02,0x02,0x30,0x1E,0x1A,0x1C,0x20,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, - 
0x77,0x77,0x77,0x2E,0x73,0x79,0x6D,0x61,0x75,0x74,0x68,0x2E,0x63,0x6F,0x6D,0x2F, - 0x72,0x70,0x61,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08, - 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, - 0x01,0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3B,0x57,0xAB,0x23, - 0x8E,0x31,0x91,0x87,0x0E,0x02,0xC1,0x55,0xD4,0x53,0x58,0x16,0xEA,0x1B,0x77,0x61, - 0x68,0x88,0x96,0xC6,0x8D,0x4F,0x57,0xD8,0x80,0x04,0xD2,0xCB,0x41,0x84,0xE9,0x78, - 0xB1,0x21,0xD0,0xFD,0xB6,0x68,0x8C,0xB0,0xD5,0xED,0x28,0xB3,0xA9,0x9A,0x8A,0xBB, - 0x88,0x09,0x30,0x04,0xB1,0x29,0xC6,0xC9,0x13,0x4F,0xDB,0xDA,0x52,0x00,0x3A,0x61, - 0xEE,0xD5,0x6F,0xAB,0xDE,0x71,0x1B,0x8E,0xFA,0xE0,0x1F,0x09,0x9D,0x00,0xF1,0x1F, - 0xAC,0x88,0x73,0x86,0x37,0xDA,0x7A,0x05,0x3F,0xDB,0xD2,0xEB,0x47,0x0B,0xC9,0x39, - 0x74,0xA4,0x06,0xBD,0x50,0x63,0x52,0xEE,0x9F,0xE7,0x58,0x07,0x95,0x85,0x6D,0x43, - 0xE8,0x3B,0x7E,0x0D,0x36,0x65,0x2A,0xB1,0x62,0xB5,0xDB,0x31,0x49,0x38,0x7F,0x6D, - 0x4E,0xE0,0x9D,0x84,0x79,0x68,0xC3,0x1B,0xFB,0x89,0x54,0xFB,0x3C,0xEC,0xD1,0xF9, - 0xF1,0xC2,0x57,0xD4,0xBF,0xBE,0xA6,0x22,0xD2,0x84,0xC3,0xC2,0x0E,0x9E,0x0E,0x54, - 0x25,0x79,0x91,0x16,0x4E,0xBC,0x2B,0xD4,0x4F,0x63,0xB3,0x5B,0x7C,0x70,0x91,0xDE, - 0xE2,0x70,0x34,0xB9,0x21,0xB4,0x89,0xF6,0x98,0x12,0x9E,0x38,0xF8,0x36,0x29,0x9D, - 0x0A,0xEC,0xC6,0x69,0xD6,0xC6,0x2E,0xB8,0x38,0x07,0x3F,0xC5,0x52,0x8A,0xEE,0x6F, - 0x20,0xDE,0x62,0xA7,0x85,0xEC,0x05,0x4A,0x15,0x1B,0x3D,0xA6,0x79,0x09,0x76,0xB0, - 0x8B,0xDC,0x13,0xD1,0xD2,0x5E,0xAB,0x65,0x99,0x4D,0xA6,0x49,0x66,0xB8,0x2C,0x77, - 0xAC,0x85,0x71,0xA4,0x69,0x59,0xA6,0xD4,0xAD,0x61,0xA1,0xCE, + 0x30,0x82,0x03,0xBB,0x30,0x82,0x02,0xA3,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x5B, + 0x1B,0xA7,0xF8,0x9D,0xF4,0x7B,0x7C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x62,0x31,0x1C,0x30,0x1A,0x06,0x03,0x55,0x04, + 
0x03,0x13,0x13,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x53,0x54,0x20,0x43,0x41,0x20, + 0x32,0x20,0x2D,0x20,0x47,0x31,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x13, + 0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x38, + 0x30,0x38,0x31,0x31,0x30,0x30,0x34,0x36,0x35,0x33,0x5A,0x17,0x0D,0x31,0x38,0x30, + 0x39,0x32,0x32,0x30,0x30,0x34,0x36,0x35,0x33,0x5A,0x30,0x4F,0x31,0x2B,0x30,0x29, + 0x06,0x03,0x55,0x04,0x03,0x0C,0x22,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x53,0x54, + 0x20,0x43,0x41,0x20,0x32,0x20,0x4F,0x43,0x53,0x50,0x20,0x52,0x65,0x73,0x70,0x6F, + 0x6E,0x64,0x65,0x72,0x20,0x4E,0x4C,0x30,0x31,0x31,0x13,0x30,0x11,0x06,0x03,0x55, + 0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xA5,0x35,0xB2,0xC4, + 0xF2,0xAB,0x4C,0xFE,0xAA,0x5D,0xC7,0x23,0x52,0x68,0x42,0xC7,0x77,0x27,0x78,0x4E, + 0x80,0xFD,0x06,0xA3,0x51,0xA2,0x4F,0xF7,0x7A,0xD0,0x19,0x78,0xFD,0xEA,0x94,0xD8, + 0xE3,0x0C,0x3C,0x50,0x17,0x30,0xDB,0x84,0x38,0x13,0xE1,0xCF,0x6C,0xA0,0x1F,0x01, + 0xC7,0x12,0xC7,0x96,0x64,0x09,0x45,0x2F,0xA2,0x83,0xFE,0x4E,0x2C,0xF2,0x39,0x6F, + 0x20,0x34,0x6D,0xEC,0xBE,0xF9,0x86,0xA3,0xEF,0x40,0x1B,0x61,0x2D,0xE1,0xA4,0xB9, + 0xD4,0x3E,0x8E,0x65,0x7B,0x2F,0x26,0xD5,0x54,0xA6,0x12,0xC7,0x50,0xC8,0x89,0x94, + 0x86,0xFA,0x41,0x48,0xCF,0xE2,0xF1,0xF8,0xF2,0x0E,0xCC,0x25,0x43,0x0C,0x66,0x85, + 0xDC,0x88,0xA0,0x76,0x90,0x45,0xFC,0x4E,0x95,0x8F,0xA2,0x17,0x2F,0xAF,0x7C,0x41, + 0x59,0xA0,0xA1,0x36,0x98,0x18,0x20,0x4D,0x07,0xF5,0x7F,0xD1,0x66,0x65,0xC6,0x74, + 
0xEA,0xBE,0xB8,0x20,0x88,0x29,0x27,0x5D,0x06,0x55,0xD0,0xB2,0x11,0xAF,0x52,0x58, + 0xD1,0x8A,0x57,0x6E,0x85,0x8D,0x0C,0xBD,0x6A,0xD3,0x87,0x09,0xF6,0x0F,0x07,0x7B, + 0x5C,0x8F,0x96,0x16,0xB5,0x89,0xB7,0x63,0xC4,0x33,0xDA,0x67,0x63,0xA3,0xC4,0x4B, + 0x73,0xEF,0x57,0x96,0x4F,0x15,0x2F,0x1B,0xF7,0x8E,0x35,0x24,0x18,0x68,0x87,0x16, + 0x0A,0x76,0x71,0x8B,0x94,0x11,0xB9,0xCC,0x02,0x97,0x2D,0x6F,0x94,0x00,0x1A,0x31, + 0xA6,0x9A,0x6B,0x4A,0xD3,0x64,0xB0,0x0F,0xA2,0xB0,0x5E,0xC0,0x2A,0x13,0xD6,0x7C, + 0x90,0xA6,0x5C,0xEE,0x7F,0x78,0xCA,0x7F,0x62,0x2F,0xF9,0x47,0x02,0x03,0x01,0x00, + 0x01,0xA3,0x81,0x87,0x30,0x81,0x84,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01, + 0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0xD8,0x7A,0x94,0x44,0x7C,0x90,0x70,0x90,0x16,0x9E,0xDD,0x17,0x9C,0x01, + 0x44,0x03,0x86,0xD6,0x2A,0x29,0x30,0x0F,0x06,0x09,0x2B,0x06,0x01,0x05,0x05,0x07, + 0x30,0x01,0x05,0x04,0x02,0x05,0x00,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C, + 0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,0x30,0x1D,0x06,0x03, + 0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x75,0xDB,0x74,0x13,0x4A,0xCB,0xCB,0x5A,0x6B, + 0x78,0x40,0x5A,0x81,0x67,0x42,0xA5,0xD9,0xD0,0x4E,0x38,0x30,0x0E,0x06,0x03,0x55, + 0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3A, + 0x7E,0x84,0xE2,0x58,0xED,0x07,0xDD,0xE5,0xBD,0x5E,0x88,0x55,0x06,0x23,0x16,0x20, + 0xD1,0x85,0x89,0x60,0x83,0x19,0x21,0x04,0x9C,0x57,0xFE,0x91,0x30,0xBD,0x7C,0x83, + 0x45,0xA3,0xA1,0x11,0x0A,0x29,0xCF,0x6C,0x55,0x47,0xC3,0x7B,0x8C,0xEE,0x43,0xFE, + 0x42,0x0F,0xE6,0xCE,0xC7,0x24,0xAF,0x21,0x2E,0xC7,0xFD,0xFA,0xBA,0x7E,0xCE,0xA3, + 0x9D,0x92,0x5B,0x54,0x4C,0x4F,0x14,0x55,0xD6,0x5F,0xB0,0xB0,0x73,0xFD,0x78,0x61, + 0xDC,0xF6,0xA1,0xB6,0xFF,0xAF,0x3B,0x49,0x6F,0x62,0x95,0xD0,0x4E,0xA9,0x3F,0xE8, + 0x5C,0xCD,0x36,0xEA,0xED,0x57,0x04,0x32,0xB6,0xB0,0x91,0xDC,0x32,0xA6,0xC7,0x84, + 
0x9C,0x3F,0x24,0x3A,0x64,0x56,0x62,0xA2,0x02,0x15,0xC9,0x63,0x96,0x8E,0x6C,0xF5, + 0x3E,0xB1,0xE4,0x3C,0x79,0x63,0xE0,0x94,0xE8,0xD0,0x73,0x31,0x7B,0x3C,0x99,0x66, + 0x82,0x2D,0x47,0x49,0x22,0x33,0xD4,0xD1,0x80,0x35,0xF1,0xB1,0xFD,0x01,0x92,0x07, + 0x6B,0x1E,0xF1,0xD0,0x02,0x84,0x24,0xD6,0xDF,0x2F,0x10,0x06,0x0F,0x36,0x5D,0x4B, + 0x1A,0xE3,0xDB,0x1F,0x8C,0x54,0x07,0x63,0x41,0x9E,0x74,0x6E,0x6F,0x9D,0xCE,0xCC, + 0x36,0x7B,0xE0,0xC5,0xCB,0x04,0x12,0xFF,0xF3,0x09,0xD7,0x36,0x5D,0x09,0xD0,0xCD, + 0xF2,0x73,0xAA,0x10,0x5D,0x0D,0xC2,0x12,0x21,0x00,0x89,0xE5,0x34,0x17,0x6C,0x76, + 0xE2,0x2F,0xDA,0xBD,0xCA,0xFB,0x9D,0xF2,0x1C,0x3B,0x62,0xCA,0xC0,0x97,0x82,0x54, + 0x92,0x4E,0x0C,0xD0,0x3B,0x79,0xD0,0x41,0x29,0x84,0xF5,0x75,0x40,0xB4,0xE8, }; /* subject:/serialNumber=424761419/jurisdictionC=FR/businessCategory=Private Organization/C=FR/postalCode=59100/ST=Nord/L=Roubaix/street=2 rue Kellermann/O=OVH SAS/OU=IT/OU=COMODO EV SSL/CN=ovh.com */ 
@@ -740,6 +717,143 @@ static unsigned char revoked_ist_certificate[1515]={ 0xB4,0x1E,0x4D,0x5E,0xEA,0x9A,0x1E,0xE9,0x42,0x87,0x9F, }; +static unsigned char valid_ist_certificate[] = { + 0x30,0x82,0x08,0x51,0x30,0x82,0x07,0x39,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x3A, + 0xFC,0x35,0x65,0x26,0x40,0x12,0xAF,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x62,0x31,0x1C,0x30,0x1A,0x06,0x03,0x55,0x04, + 0x03,0x13,0x13,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x53,0x54,0x20,0x43,0x41,0x20, + 0x32,0x20,0x2D,0x20,0x47,0x31,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x13, + 0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x38, + 0x30,0x37,0x31,0x36,0x32,0x32,0x31,0x31,0x30,0x38,0x5A,0x17,0x0D,0x32,0x30,0x30, + 0x38,0x31,0x34,0x32,0x32,0x31,0x31,0x30,0x38,0x5A,0x30,0x79,0x31,0x18,0x30,0x16, + 0x06,0x03,0x55,0x04,0x03,0x0C,0x0F,0x76,0x61,0x6C,0x69,0x64,0x2E,0x61,0x70,0x70, + 0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x1D,0x6D,0x61,0x6E,0x61,0x67,0x65,0x6D,0x65,0x6E,0x74,0x3A,0x69,0x64,0x6D,0x73, + 0x2E,0x67,0x72,0x6F,0x75,0x70,0x2E,0x31,0x32,0x30,0x38,0x39,0x32,0x30,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, + 0x6E,0x63,0x2E,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61, + 0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01, + 0x0A,0x02,0x82,0x01,0x01,0x00,0xC7,0x5F,0xAC,0x4A,0xAC,0x71,0xFC,0xF1,0x80,0x8D, + 
0x57,0xA1,0xDC,0x3B,0x48,0x4F,0x02,0x83,0xBA,0xE0,0x57,0x36,0xAB,0x53,0xB5,0x14, + 0x47,0x8F,0x87,0x24,0xA6,0x7A,0x40,0x5C,0xC3,0x28,0x6E,0x29,0x6D,0x54,0x35,0x89, + 0x79,0xA9,0x12,0xF3,0xD7,0x0A,0x4E,0xBE,0xC7,0xFB,0x75,0xF3,0x1B,0x92,0x6D,0x3F, + 0x7B,0xCC,0x72,0x63,0xF5,0xE8,0x57,0xC8,0xD2,0x7A,0x36,0x98,0x6E,0x61,0x0F,0x48, + 0xD1,0xC3,0x37,0xA4,0xB9,0x94,0x1C,0x66,0x18,0x75,0x97,0x34,0xED,0xFA,0x96,0x00, + 0x24,0x1A,0x8D,0x2E,0xFB,0x98,0x48,0x85,0xA5,0x73,0x9E,0xED,0x7D,0x8E,0x3C,0xCF, + 0xED,0xE9,0xE1,0x5F,0x1C,0x36,0xFF,0x20,0x2D,0x62,0x5C,0x0E,0x3D,0xCC,0x6E,0x3D, + 0xDB,0xF8,0x5A,0x8A,0x5A,0x2A,0x75,0xDC,0x09,0xC4,0x21,0x45,0x55,0x04,0xE3,0xEC, + 0x20,0xF0,0x5E,0xE3,0xC7,0x1A,0xD3,0x16,0x78,0x07,0xF1,0x65,0xF3,0xAD,0xB5,0x68, + 0x4B,0x0E,0x5D,0xA9,0x37,0xEA,0x58,0xAA,0x19,0x1F,0xF4,0xB4,0xF3,0x01,0xB0,0xE0, + 0xDC,0x25,0x4D,0x8A,0x2E,0xB1,0xC4,0xD3,0xE6,0x05,0x9E,0x23,0x8B,0x1E,0x8B,0xD0, + 0x14,0xA1,0x7E,0xC7,0x98,0xF1,0x68,0x9C,0x2D,0x10,0xDE,0xF9,0x79,0x14,0x3E,0x98, + 0x73,0x19,0x94,0x4B,0x4A,0xF7,0x52,0xDA,0x4D,0x98,0x26,0xAC,0xB2,0x76,0x1A,0x71, + 0xB5,0xFA,0x0D,0xE8,0x93,0xEB,0x92,0xF8,0x77,0x82,0xE5,0xE9,0xD4,0x07,0x8C,0xFD, + 0x20,0x8D,0xA0,0x25,0xD2,0x8A,0x6F,0xE2,0x33,0xA7,0x24,0x56,0x14,0x30,0x29,0x9D, + 0x6B,0xAB,0x2A,0x33,0xF9,0xD3,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x04,0xF2,0x30, + 0x82,0x04,0xEE,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30, + 0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD8,0x7A, + 0x94,0x44,0x7C,0x90,0x70,0x90,0x16,0x9E,0xDD,0x17,0x9C,0x01,0x44,0x03,0x86,0xD6, + 0x2A,0x29,0x30,0x7E,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x72, + 0x30,0x70,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x28, + 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x73,0x2E,0x61,0x70,0x70, + 0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x69,0x73,0x74,0x63, + 0x61,0x32,0x67,0x31,0x2E,0x64,0x65,0x72,0x30,0x38,0x06,0x08,0x2B,0x06,0x01,0x05, + 
0x05,0x07,0x30,0x01,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73, + 0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70, + 0x30,0x33,0x2D,0x61,0x70,0x70,0x6C,0x65,0x69,0x73,0x74,0x63,0x61,0x32,0x67,0x31, + 0x32,0x30,0x30,0x43,0x06,0x03,0x55,0x1D,0x11,0x04,0x3C,0x30,0x3A,0x82,0x0F,0x76, + 0x61,0x6C,0x69,0x64,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x13, + 0x76,0x61,0x6C,0x69,0x64,0x2D,0x75,0x61,0x74,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E, + 0x63,0x6F,0x6D,0x82,0x12,0x76,0x61,0x6C,0x69,0x64,0x2D,0x71,0x61,0x2E,0x61,0x70, + 0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x81,0xFF,0x06,0x03,0x55,0x1D,0x20,0x04, + 0x81,0xF7,0x30,0x81,0xF4,0x30,0x81,0xF1,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63, + 0x64,0x05,0x0B,0x04,0x30,0x81,0xE2,0x30,0x81,0xA4,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x02,0x02,0x30,0x81,0x97,0x0C,0x81,0x94,0x52,0x65,0x6C,0x69,0x61,0x6E, + 0x63,0x65,0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69, + 0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61, + 0x72,0x74,0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65, + 0x70,0x74,0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x61,0x6E,0x79,0x20,0x61,0x70, + 0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61, + 0x6E,0x64,0x20,0x63,0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66, + 0x20,0x75,0x73,0x65,0x20,0x61,0x6E,0x64,0x2F,0x6F,0x72,0x20,0x63,0x65,0x72,0x74, + 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69, + 0x63,0x65,0x20,0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x39, + 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x2D,0x68,0x74,0x74,0x70, + 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, + 0x2F,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x61,0x75,0x74,0x68, + 0x6F,0x72,0x69,0x74,0x79,0x2F,0x72,0x70,0x61,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25, + 
0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08, + 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x37,0x06,0x03,0x55,0x1D,0x1F,0x04, + 0x30,0x30,0x2E,0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,0x74,0x74,0x70,0x3A, + 0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F, + 0x61,0x70,0x70,0x6C,0x65,0x69,0x73,0x74,0x63,0x61,0x32,0x67,0x31,0x2E,0x63,0x72, + 0x6C,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x55,0xF7,0x8E,0xC8, + 0x40,0x19,0x7D,0x8B,0x19,0x80,0xA5,0xF5,0xC6,0x44,0x75,0x8A,0x04,0x1E,0x7D,0x48, + 0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0, + 0x30,0x82,0x02,0x6D,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02, + 0x04,0x82,0x02,0x5D,0x04,0x82,0x02,0x59,0x02,0x57,0x00,0x75,0x00,0xBB,0xD9,0xDF, + 0xBC,0x1F,0x8A,0x71,0xB5,0x93,0x94,0x23,0x97,0xAA,0x92,0x7B,0x47,0x38,0x57,0x95, + 0x0A,0xAB,0x52,0xE8,0x1A,0x90,0x96,0x64,0x36,0x8E,0x1E,0xD1,0x85,0x00,0x00,0x01, + 0x64,0xA5,0x2E,0xD8,0xFD,0x00,0x00,0x04,0x03,0x00,0x46,0x30,0x44,0x02,0x20,0x3E, + 0xD8,0xAB,0x26,0x35,0xFC,0xAC,0xE8,0x97,0xE8,0x84,0x28,0x73,0x0D,0xFB,0x6F,0x7B, + 0x02,0xF6,0x8E,0xB8,0xD1,0xAC,0xF3,0x9C,0xDF,0x37,0x2E,0x42,0x53,0x6B,0x3A,0x02, + 0x20,0x73,0x9A,0xED,0x05,0x2C,0x5C,0xDD,0x5A,0x60,0x2D,0xF9,0xB3,0x5C,0x7B,0xB3, + 0x95,0x0F,0xF1,0x21,0xD3,0xB5,0x1C,0x40,0xBC,0x50,0x79,0xE2,0xF3,0x19,0x89,0xAC, + 0xE7,0x00,0x75,0x00,0x56,0x14,0x06,0x9A,0x2F,0xD7,0xC2,0xEC,0xD3,0xF5,0xE1,0xBD, + 0x44,0xB2,0x3E,0xC7,0x46,0x76,0xB9,0xBC,0x99,0x11,0x5C,0xC0,0xEF,0x94,0x98,0x55, + 0xD6,0x89,0xD0,0xDD,0x00,0x00,0x01,0x64,0xA5,0x2E,0xD9,0xA9,0x00,0x00,0x04,0x03, + 0x00,0x46,0x30,0x44,0x02,0x20,0x2E,0x5B,0x93,0xD3,0xCA,0x9A,0x1E,0x80,0xC3,0x50, + 0x1C,0xC1,0x37,0x6B,0x11,0x76,0x34,0xE8,0xE3,0xC7,0x8D,0x17,0xD0,0x4D,0x2E,0xA7, + 0xD9,0x98,0x6E,0x15,0x3A,0xC3,0x02,0x20,0x18,0x2B,0xD6,0x7A,0x11,0x46,0xC0,0xE1, + 0x99,0xDA,0x51,0x9C,0xBA,0xC5,0xC3,0x4C,0x3F,0x9A,0xB2,0xD1,0xDA,0xB7,0x6B,0x69, + 
0x33,0x81,0x23,0x46,0x6F,0x54,0xFF,0x3F,0x00,0x76,0x00,0xEE,0x4B,0xBD,0xB7,0x75, + 0xCE,0x60,0xBA,0xE1,0x42,0x69,0x1F,0xAB,0xE1,0x9E,0x66,0xA3,0x0F,0x7E,0x5F,0xB0, + 0x72,0xD8,0x83,0x00,0xC4,0x7B,0x89,0x7A,0xA8,0xFD,0xCB,0x00,0x00,0x01,0x64,0xA5, + 0x2E,0xD9,0x25,0x00,0x00,0x04,0x03,0x00,0x47,0x30,0x45,0x02,0x20,0x5E,0x30,0x51, + 0x55,0x80,0x59,0xEA,0x60,0x45,0x10,0x9D,0x8E,0x61,0x07,0x34,0xD4,0xC2,0x08,0x46, + 0xEB,0xAC,0x4A,0xC3,0x72,0xC6,0x04,0x8E,0xF4,0x5D,0xF6,0xAF,0x51,0x02,0x21,0x00, + 0xC0,0x20,0xF0,0x01,0x1F,0x74,0xD4,0x33,0x24,0xE3,0x70,0xB3,0x80,0x47,0xE9,0x8A, + 0xB6,0x47,0xE4,0x65,0xA4,0x98,0x8D,0x6A,0xD8,0x75,0xE4,0xFE,0xC7,0x7A,0x89,0x5E, + 0x00,0x77,0x00,0x55,0x81,0xD4,0xC2,0x16,0x90,0x36,0x01,0x4A,0xEA,0x0B,0x9B,0x57, + 0x3C,0x53,0xF0,0xC0,0xE4,0x38,0x78,0x70,0x25,0x08,0x17,0x2F,0xA3,0xAA,0x1D,0x07, + 0x13,0xD3,0x0C,0x00,0x00,0x01,0x64,0xA5,0x2E,0xD9,0x74,0x00,0x00,0x04,0x03,0x00, + 0x48,0x30,0x46,0x02,0x21,0x00,0x94,0x79,0x39,0x0B,0x5F,0x59,0x89,0x4D,0xD4,0x09, + 0x28,0xB4,0xE1,0x07,0xC0,0x58,0xDC,0xA3,0x86,0x07,0x68,0x29,0x02,0xDA,0x86,0xE6, + 0x70,0xBE,0x32,0xB7,0xC6,0x33,0x02,0x21,0x00,0xA6,0x72,0x28,0x8B,0xC9,0x61,0xC4, + 0xFB,0x53,0x98,0x8F,0x99,0x3F,0x92,0x7E,0x06,0x21,0x10,0xA1,0x58,0x1D,0x28,0x44, + 0x80,0x29,0x91,0xC2,0xE6,0xBB,0xCE,0xCC,0x0E,0x00,0x76,0x00,0x87,0x75,0xBF,0xE7, + 0x59,0x7C,0xF8,0x8C,0x43,0x99,0x5F,0xBD,0xF3,0x6E,0xFF,0x56,0x8D,0x47,0x56,0x36, + 0xFF,0x4A,0xB5,0x60,0xC1,0xB4,0xEA,0xFF,0x5E,0xA0,0x83,0x0F,0x00,0x00,0x01,0x64, + 0xA5,0x2E,0xD9,0x12,0x00,0x00,0x04,0x03,0x00,0x47,0x30,0x45,0x02,0x20,0x37,0x9C, + 0x18,0xFC,0x24,0x63,0xAD,0x19,0xD6,0xA2,0x82,0xD9,0x47,0x82,0xAE,0x94,0x66,0x97, + 0xE4,0x73,0xCC,0x36,0x40,0x8A,0x6F,0xA5,0xAA,0x3C,0x99,0x92,0x8D,0x8F,0x02,0x21, + 0x00,0xF4,0x44,0x4A,0x8D,0x3A,0x18,0x31,0xDA,0xF5,0xDD,0xF4,0x37,0x4F,0xB3,0x1D, + 0xF6,0x15,0xBD,0x8B,0xF5,0x75,0x53,0x12,0x35,0xE5,0xD5,0x4D,0x08,0x0E,0xA7,0xC2, + 0x69,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00, + 
0x03,0x82,0x01,0x01,0x00,0x8F,0x46,0xED,0x04,0x6F,0xED,0xF7,0xAA,0xB9,0xE3,0x29, + 0xF7,0x4A,0x9F,0x69,0xEB,0xB2,0x61,0xD0,0x37,0x68,0x8F,0xC8,0xCF,0xB2,0x4F,0x1F, + 0x02,0x3E,0xF3,0x78,0x38,0x67,0xDB,0xD1,0xFA,0x60,0x16,0x70,0xDD,0xB7,0x44,0x12, + 0x54,0x0A,0x8C,0x3E,0xEC,0xF2,0xE9,0xBC,0x78,0x11,0x8D,0x7F,0x44,0x16,0xF0,0x87, + 0xD6,0xD8,0xA2,0x65,0xBC,0x11,0x32,0x4A,0xED,0xA9,0xF9,0xD7,0xB6,0xF7,0x9B,0x0F, + 0xFF,0x82,0x06,0x12,0x04,0x77,0xB9,0x13,0x08,0xAB,0x98,0x5D,0x07,0x04,0x7C,0xDC, + 0x43,0x1E,0x86,0x16,0x8C,0xF7,0xB2,0x67,0x42,0x65,0x43,0x40,0x9B,0x1F,0xC6,0x97, + 0x18,0x41,0xCF,0x2F,0xA9,0xC8,0x4D,0x57,0x4E,0x84,0x28,0x0F,0xC9,0x3A,0xEF,0xB6, + 0x3D,0x9C,0xE9,0x96,0x12,0xFA,0xF2,0x35,0xA0,0xF1,0xDB,0x9D,0x0A,0x65,0x23,0xBB, + 0xC9,0x38,0xCC,0x39,0x7E,0x6B,0x17,0x80,0x48,0xF1,0xAC,0xF3,0x12,0x33,0x7B,0xBE, + 0x5E,0x7B,0xC4,0x8D,0xC6,0xB9,0x9B,0x85,0x0A,0x8A,0x52,0x4F,0x5E,0xC7,0x1F,0x12, + 0xDB,0xA5,0xBA,0x33,0x9E,0xA2,0x3A,0x9E,0x11,0x82,0x4E,0x42,0x0E,0x3F,0x82,0xDF, + 0x36,0x91,0xF7,0x24,0xB6,0xFC,0x6D,0x00,0x19,0xF2,0xD0,0x31,0x70,0x1F,0xED,0xE6, + 0x37,0xED,0x1D,0xB3,0xDB,0x06,0x01,0x90,0x0E,0x95,0x9B,0xD6,0x34,0x5F,0xFA,0xE6, + 0xD1,0x34,0xA6,0xD9,0x61,0x63,0x3E,0x2D,0x59,0x7B,0xD4,0xA5,0x9E,0x3F,0xFE,0xFE, + 0x58,0xC9,0x60,0xAE,0xA4,0xC2,0xCB,0xA6,0x50,0x9D,0x50,0xDB,0x38,0x80,0x2F,0xC9, + 0x2A,0xC5,0xEF,0x98,0xCF, +}; + static unsigned char ist_intermediate_certificate[1092]={ 0x30,0x82,0x04,0x40,0x30,0x82,0x03,0x28,0xA0,0x03,0x02,0x01,0x02,0x02,0x03,0x02, 0x3A,0x74,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05, diff --git a/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c b/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c index 81a2af1e..7aa5ba2d 100644 --- a/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c +++ b/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c 
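Review bot: `valid_ist_certificate` is added without the subject/issuer comment that other fixtures in this patch carry, and its DER encodes a fixed validity window (notBefore `180716221108Z`, notAfter `200814221108Z`). Any test that expects this leaf to evaluate as trusted will start failing after 14 Aug 2020 unless it pins the verify date; the test code is not visible in this hunk, so that is worth confirming. I would add above the array `/* subject:/CN=valid.apple.com/OU=management:idms.group.1208920/O=Apple Inc./ST=California/C=US */`, `/* issuer :/CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US */` and `/* valid 2018-07-16 to 2020-08-14; tests using this must set a verify date inside that window */`. The array is also declared `[]` while the neighbouring `revoked_ist_certificate[1515]` and `ist_intermediate_certificate[1092]` carry explicit sizes, so one convention for the file would be easier to read.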
@@ -138,93 +138,85 @@ static unsigned char _c0[]={ 0xDB,0xC4,0x65,0xDE,0x57,0xFB,0x6D,0x49,0xC8,0x7A,0xF8, }; -/* subject:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 */ -/* issuer :/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 */ - +/* subject:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA */ +/* issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA */ static unsigned char _c1[]={ - 0x30,0x82,0x05,0x2B,0x30,0x82,0x04,0x13,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x7E, - 0xE1,0x4A,0x6F,0x6F,0xEF,0xF2,0xD3,0x7F,0x3F,0xAD,0x65,0x4D,0x3A,0xDA,0xB4,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81, - 0xCA,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x17, - 0x30,0x15,0x06,0x03,0x55,0x04,0x0A,0x13,0x0E,0x56,0x65,0x72,0x69,0x53,0x69,0x67, - 0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04,0x0B, - 0x13,0x16,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x54,0x72,0x75,0x73,0x74, - 0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x3A,0x30,0x38,0x06,0x03,0x55,0x04, - 0x0B,0x13,0x31,0x28,0x63,0x29,0x20,0x32,0x30,0x30,0x36,0x20,0x56,0x65,0x72,0x69, - 0x53,0x69,0x67,0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x20,0x2D,0x20,0x46,0x6F,0x72, - 0x20,0x61,0x75,0x74,0x68,0x6F,0x72,0x69,0x7A,0x65,0x64,0x20,0x75,0x73,0x65,0x20, - 0x6F,0x6E,0x6C,0x79,0x31,0x45,0x30,0x43,0x06,0x03,0x55,0x04,0x03,0x13,0x3C,0x56, - 0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20, - 0x50,0x75,0x62,0x6C,0x69,0x63,0x20,0x50,0x72,0x69,0x6D,0x61,0x72,0x79,0x20,0x43, - 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74, - 0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x47,0x35,0x30,0x1E,0x17,0x0D,0x31, - 
0x33,0x31,0x30,0x33,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x32,0x33, - 0x31,0x30,0x33,0x30,0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x77,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1D,0x30,0x1B,0x06,0x03, - 0x55,0x04,0x0A,0x13,0x14,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20,0x43,0x6F, - 0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55, - 0x04,0x0B,0x13,0x16,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20,0x54,0x72,0x75, - 0x73,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x28,0x30,0x26,0x06,0x03, - 0x55,0x04,0x03,0x13,0x1F,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20,0x43,0x6C, - 0x61,0x73,0x73,0x20,0x33,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x20,0x43,0x41,0x20, - 0x2D,0x20,0x47,0x33,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A, - 0x02,0x82,0x01,0x01,0x00,0xD8,0xA1,0x65,0x74,0x23,0xE8,0x2B,0x64,0xE2,0x32,0xD7, - 0x33,0x37,0x3D,0x8E,0xF5,0x34,0x16,0x48,0xDD,0x4F,0x7F,0x87,0x1C,0xF8,0x44,0x23, - 0x13,0x8E,0xFB,0x11,0xD8,0x44,0x5A,0x18,0x71,0x8E,0x60,0x16,0x26,0x92,0x9B,0xFD, - 0x17,0x0B,0xE1,0x71,0x70,0x42,0xFE,0xBF,0xFA,0x1C,0xC0,0xAA,0xA3,0xA7,0xB5,0x71, - 0xE8,0xFF,0x18,0x83,0xF6,0xDF,0x10,0x0A,0x13,0x62,0xC8,0x3D,0x9C,0xA7,0xDE,0x2E, - 0x3F,0x0C,0xD9,0x1D,0xE7,0x2E,0xFB,0x2A,0xCE,0xC8,0x9A,0x7F,0x87,0xBF,0xD8,0x4C, - 0x04,0x15,0x32,0xC9,0xD1,0xCC,0x95,0x71,0xA0,0x4E,0x28,0x4F,0x84,0xD9,0x35,0xFB, - 0xE3,0x86,0x6F,0x94,0x53,0xE6,0x72,0x8A,0x63,0x67,0x2E,0xBE,0x69,0xF6,0xF7,0x6E, - 0x8E,0x9C,0x60,0x04,0xEB,0x29,0xFA,0xC4,0x47,0x42,0xD2,0x78,0x98,0xE3,0xEC,0x0B, - 0xA5,0x92,0xDC,0xB7,0x9A,0xBD,0x80,0x64,0x2B,0x38,0x7C,0x38,0x09,0x5B,0x66,0xF6, - 0x2D,0x95,0x7A,0x86,0xB2,0x34,0x2E,0x85,0x9E,0x90,0x0E,0x5F,0xB7,0x5D,0xA4,0x51, - 0x72,0x46,0x70,0x13,0xBF,0x67,0xF2,0xB6,0xA7,0x4D,0x14,0x1E,0x6C,0xB9,0x53,0xEE, - 0x23,0x1A,0x4E,0x8D,0x48,0x55,0x43,0x41,0xB1,0x89,0x75,0x6A,0x40,0x28,0xC5,0x7D, - 
0xDD,0xD2,0x6E,0xD2,0x02,0x19,0x2F,0x7B,0x24,0x94,0x4B,0xEB,0xF1,0x1A,0xA9,0x9B, - 0xE3,0x23,0x9A,0xEA,0xFA,0x33,0xAB,0x0A,0x2C,0xB7,0xF4,0x60,0x08,0xDD,0x9F,0x1C, - 0xCD,0xDD,0x2D,0x01,0x66,0x80,0xAF,0xB3,0x2F,0x29,0x1D,0x23,0xB8,0x8A,0xE1,0xA1, - 0x70,0x07,0x0C,0x34,0x0F,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x5D,0x30,0x82, - 0x01,0x59,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x23, - 0x30,0x21,0x30,0x1F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x13, - 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x32,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E, - 0x63,0x6F,0x6D,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30, - 0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x65,0x06,0x03,0x55,0x1D,0x20,0x04,0x5E, - 0x30,0x5C,0x30,0x5A,0x06,0x04,0x55,0x1D,0x20,0x00,0x30,0x52,0x30,0x26,0x06,0x08, - 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F, - 0x2F,0x77,0x77,0x77,0x2E,0x73,0x79,0x6D,0x61,0x75,0x74,0x68,0x2E,0x63,0x6F,0x6D, - 0x2F,0x63,0x70,0x73,0x30,0x28,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02, - 0x30,0x1C,0x1A,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x73, - 0x79,0x6D,0x61,0x75,0x74,0x68,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x70,0x61,0x30,0x30, - 0x06,0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86, - 0x1F,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x31,0x2E,0x73,0x79,0x6D,0x63,0x62, - 0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x63,0x61,0x33,0x2D,0x67,0x35,0x2E,0x63,0x72,0x6C, - 0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06, - 0x30,0x29,0x06,0x03,0x55,0x1D,0x11,0x04,0x22,0x30,0x20,0xA4,0x1E,0x30,0x1C,0x31, - 0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11,0x53,0x79,0x6D,0x61,0x6E,0x74, - 0x65,0x63,0x50,0x4B,0x49,0x2D,0x31,0x2D,0x35,0x33,0x33,0x30,0x1D,0x06,0x03,0x55, - 0x1D,0x0E,0x04,0x16,0x04,0x14,0x01,0x59,0xAB,0xE7,0xDD,0x3A,0x0B,0x59,0xA6,0x64, - 0x63,0xD6,0xCF,0x20,0x07,0x57,0xD5,0x91,0xE7,0x6A,0x30,0x1F,0x06,0x03,0x55,0x1D, - 
0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x7F,0xD3,0x65,0xA7,0xC2,0xDD,0xEC,0xBB,0xF0, - 0x30,0x09,0xF3,0x43,0x39,0xFA,0x02,0xAF,0x33,0x31,0x33,0x30,0x0D,0x06,0x09,0x2A, - 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x42, - 0x01,0x55,0x7B,0xD0,0x16,0x1A,0x5D,0x58,0xE8,0xBB,0x9B,0xA8,0x4D,0xD7,0xF3,0xD7, - 0xEB,0x13,0x94,0x86,0xD6,0x7F,0x21,0x0B,0x47,0xBC,0x57,0x9B,0x92,0x5D,0x4F,0x05, - 0x9F,0x38,0xA4,0x10,0x7C,0xCF,0x83,0xBE,0x06,0x43,0x46,0x8D,0x08,0xBC,0x6A,0xD7, - 0x10,0xA6,0xFA,0xAB,0xAF,0x2F,0x61,0xA8,0x63,0xF2,0x65,0xDF,0x7F,0x4C,0x88,0x12, - 0x88,0x4F,0xB3,0x69,0xD9,0xFF,0x27,0xC0,0x0A,0x97,0x91,0x8F,0x56,0xFB,0x89,0xC4, - 0xA8,0xBB,0x92,0x2D,0x1B,0x73,0xB0,0xC6,0xAB,0x36,0xF4,0x96,0x6C,0x20,0x08,0xEF, - 0x0A,0x1E,0x66,0x24,0x45,0x4F,0x67,0x00,0x40,0xC8,0x07,0x54,0x74,0x33,0x3B,0xA6, - 0xAD,0xBB,0x23,0x9F,0x66,0xED,0xA2,0x44,0x70,0x34,0xFB,0x0E,0xEA,0x01,0xFD,0xCF, - 0x78,0x74,0xDF,0xA7,0xAD,0x55,0xB7,0x5F,0x4D,0xF6,0xD6,0x3F,0xE0,0x86,0xCE,0x24, - 0xC7,0x42,0xA9,0x13,0x14,0x44,0x35,0x4B,0xB6,0xDF,0xC9,0x60,0xAC,0x0C,0x7F,0xD9, - 0x93,0x21,0x4B,0xEE,0x9C,0xE4,0x49,0x02,0x98,0xD3,0x60,0x7B,0x5C,0xBC,0xD5,0x30, - 0x2F,0x07,0xCE,0x44,0x42,0xC4,0x0B,0x99,0xFE,0xE6,0x9F,0xFC,0xB0,0x78,0x86,0x51, - 0x6D,0xD1,0x2C,0x9D,0xC6,0x96,0xFB,0x85,0x82,0xBB,0x04,0x2F,0xF7,0x62,0x80,0xEF, - 0x62,0xDA,0x7F,0xF6,0x0E,0xAC,0x90,0xB8,0x56,0xBD,0x79,0x3F,0xF2,0x80,0x6E,0xA3, - 0xD9,0xB9,0x0F,0x5D,0x3A,0x07,0x1D,0x91,0x93,0x86,0x4B,0x29,0x4C,0xE1,0xDC,0xB5, - 0xE1,0xE0,0x33,0x9D,0xB3,0xCB,0x36,0x91,0x4B,0xFE,0xA1,0xB4,0xEE,0xF0,0xF9, + 0x30,0x82,0x04,0xB6,0x30,0x82,0x03,0x9E,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x0C, + 0x79,0xA9,0x44,0xB0,0x8C,0x11,0x95,0x20,0x92,0x61,0x5F,0xE2,0x6B,0x1D,0x83,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x6C, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x15,0x30, + 0x13,0x06,0x03,0x55,0x04,0x0A,0x13,0x0C,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74, + 
0x20,0x49,0x6E,0x63,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0B,0x13,0x10,0x77, + 0x77,0x77,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x31, + 0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x03,0x13,0x22,0x44,0x69,0x67,0x69,0x43,0x65, + 0x72,0x74,0x20,0x48,0x69,0x67,0x68,0x20,0x41,0x73,0x73,0x75,0x72,0x61,0x6E,0x63, + 0x65,0x20,0x45,0x56,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D, + 0x31,0x33,0x31,0x30,0x32,0x32,0x31,0x32,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x32, + 0x38,0x31,0x30,0x32,0x32,0x31,0x32,0x30,0x30,0x30,0x30,0x5A,0x30,0x75,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x15,0x30,0x13,0x06, + 0x03,0x55,0x04,0x0A,0x13,0x0C,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74,0x20,0x49, + 0x6E,0x63,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0B,0x13,0x10,0x77,0x77,0x77, + 0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x31,0x34,0x30, + 0x32,0x06,0x03,0x55,0x04,0x03,0x13,0x2B,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74, + 0x20,0x53,0x48,0x41,0x32,0x20,0x45,0x78,0x74,0x65,0x6E,0x64,0x65,0x64,0x20,0x56, + 0x61,0x6C,0x69,0x64,0x61,0x74,0x69,0x6F,0x6E,0x20,0x53,0x65,0x72,0x76,0x65,0x72, + 0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, + 0x82,0x01,0x01,0x00,0xD7,0x53,0xA4,0x04,0x51,0xF8,0x99,0xA6,0x16,0x48,0x4B,0x67, + 0x27,0xAA,0x93,0x49,0xD0,0x39,0xED,0x0C,0xB0,0xB0,0x00,0x87,0xF1,0x67,0x28,0x86, + 0x85,0x8C,0x8E,0x63,0xDA,0xBC,0xB1,0x40,0x38,0xE2,0xD3,0xF5,0xEC,0xA5,0x05,0x18, + 0xB8,0x3D,0x3E,0xC5,0x99,0x17,0x32,0xEC,0x18,0x8C,0xFA,0xF1,0x0C,0xA6,0x64,0x21, + 0x85,0xCB,0x07,0x10,0x34,0xB0,0x52,0x88,0x2B,0x1F,0x68,0x9B,0xD2,0xB1,0x8F,0x12, + 0xB0,0xB3,0xD2,0xE7,0x88,0x1F,0x1F,0xEF,0x38,0x77,0x54,0x53,0x5F,0x80,0x79,0x3F, + 0x2E,0x1A,0xAA,0xA8,0x1E,0x4B,0x2B,0x0D,0xAB,0xB7,0x63,0xB9,0x35,0xB7,0x7D,0x14, + 0xBC,0x59,0x4B,0xDF,0x51,0x4A,0xD2,0xA1,0xE2,0x0C,0xE2,0x90,0x82,0x87,0x6A,0xAE, + 
0xEA,0xD7,0x64,0xD6,0x98,0x55,0xE8,0xFD,0xAF,0x1A,0x50,0x6C,0x54,0xBC,0x11,0xF2, + 0xFD,0x4A,0xF2,0x9D,0xBB,0x7F,0x0E,0xF4,0xD5,0xBE,0x8E,0x16,0x89,0x12,0x55,0xD8, + 0xC0,0x71,0x34,0xEE,0xF6,0xDC,0x2D,0xEC,0xC4,0x87,0x25,0x86,0x8D,0xD8,0x21,0xE4, + 0xB0,0x4D,0x0C,0x89,0xDC,0x39,0x26,0x17,0xDD,0xF6,0xD7,0x94,0x85,0xD8,0x04,0x21, + 0x70,0x9D,0x6F,0x6F,0xFF,0x5C,0xBA,0x19,0xE1,0x45,0xCB,0x56,0x57,0x28,0x7E,0x1C, + 0x0D,0x41,0x57,0xAA,0xB7,0xB8,0x27,0xBB,0xB1,0xE4,0xFA,0x2A,0xEF,0x21,0x23,0x75, + 0x1A,0xAD,0x2D,0x9B,0x86,0x35,0x8C,0x9C,0x77,0xB5,0x73,0xAD,0xD8,0x94,0x2D,0xE4, + 0xF3,0x0C,0x9D,0xEE,0xC1,0x4E,0x62,0x7E,0x17,0xC0,0x71,0x9E,0x2C,0xDE,0xF1,0xF9, + 0x10,0x28,0x19,0x33,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x49,0x30,0x82,0x01, + 0x45,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01, + 0x01,0xFF,0x02,0x01,0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04, + 0x04,0x03,0x02,0x01,0x86,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16,0x30,0x14, + 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x03,0x02,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, + 0x04,0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01, + 0x86,0x18,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x64,0x69, + 0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x4B,0x06,0x03,0x55,0x1D, + 0x1F,0x04,0x44,0x30,0x42,0x30,0x40,0xA0,0x3E,0xA0,0x3C,0x86,0x3A,0x68,0x74,0x74, + 0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x34,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72, + 0x74,0x2E,0x63,0x6F,0x6D,0x2F,0x44,0x69,0x67,0x69,0x43,0x65,0x72,0x74,0x48,0x69, + 0x67,0x68,0x41,0x73,0x73,0x75,0x72,0x61,0x6E,0x63,0x65,0x45,0x56,0x52,0x6F,0x6F, + 0x74,0x43,0x41,0x2E,0x63,0x72,0x6C,0x30,0x3D,0x06,0x03,0x55,0x1D,0x20,0x04,0x36, + 0x30,0x34,0x30,0x32,0x06,0x04,0x55,0x1D,0x20,0x00,0x30,0x2A,0x30,0x28,0x06,0x08, + 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1C,0x68,0x74,0x74,0x70,0x73,0x3A, + 
0x2F,0x2F,0x77,0x77,0x77,0x2E,0x64,0x69,0x67,0x69,0x63,0x65,0x72,0x74,0x2E,0x63, + 0x6F,0x6D,0x2F,0x43,0x50,0x53,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0x3D,0xD3,0x50,0xA5,0xD6,0xA0,0xAD,0xEE,0xF3,0x4A,0x60,0x0A,0x65,0xD3,0x21, + 0xD4,0xF8,0xF8,0xD6,0x0F,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0xB1,0x3E,0xC3,0x69,0x03,0xF8,0xBF,0x47,0x01,0xD4,0x98,0x26,0x1A,0x08, + 0x02,0xEF,0x63,0x64,0x2B,0xC3,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x9D,0xB6,0xD0,0x90,0x86,0xE1, + 0x86,0x02,0xED,0xC5,0xA0,0xF0,0x34,0x1C,0x74,0xC1,0x8D,0x76,0xCC,0x86,0x0A,0xA8, + 0xF0,0x4A,0x8A,0x42,0xD6,0x3F,0xC8,0xA9,0x4D,0xAD,0x7C,0x08,0xAD,0xE6,0xB6,0x50, + 0xB8,0xA2,0x1A,0x4D,0x88,0x07,0xB1,0x29,0x21,0xDC,0xE7,0xDA,0xC6,0x3C,0x21,0xE0, + 0xE3,0x11,0x49,0x70,0xAC,0x7A,0x1D,0x01,0xA4,0xCA,0x11,0x3A,0x57,0xAB,0x7D,0x57, + 0x2A,0x40,0x74,0xFD,0xD3,0x1D,0x85,0x18,0x50,0xDF,0x57,0x47,0x75,0xA1,0x7D,0x55, + 0x20,0x2E,0x47,0x37,0x50,0x72,0x8C,0x7F,0x82,0x1B,0xD2,0x62,0x8F,0x2D,0x03,0x5A, + 0xDA,0xC3,0xC8,0xA1,0xCE,0x2C,0x52,0xA2,0x00,0x63,0xEB,0x73,0xBA,0x71,0xC8,0x49, + 0x27,0x23,0x97,0x64,0x85,0x9E,0x38,0x0E,0xAD,0x63,0x68,0x3C,0xBA,0x52,0x81,0x58, + 0x79,0xA3,0x2C,0x0C,0xDF,0xDE,0x6D,0xEB,0x31,0xF2,0xBA,0xA0,0x7C,0x6C,0xF1,0x2C, + 0xD4,0xE1,0xBD,0x77,0x84,0x37,0x03,0xCE,0x32,0xB5,0xC8,0x9A,0x81,0x1A,0x4A,0x92, + 0x4E,0x3B,0x46,0x9A,0x85,0xFE,0x83,0xA2,0xF9,0x9E,0x8C,0xA3,0xCC,0x0D,0x5E,0xB3, + 0x3D,0xCF,0x04,0x78,0x8F,0x14,0x14,0x7B,0x32,0x9C,0xC7,0x00,0xA6,0x5C,0xC4,0xB5, + 0xA1,0x55,0x8D,0x5A,0x56,0x68,0xA4,0x22,0x70,0xAA,0x3C,0x81,0x71,0xD9,0x9D,0xA8, + 0x45,0x3B,0xF4,0xE5,0xF6,0xA2,0x51,0xDD,0xC7,0x7B,0x62,0xE8,0x6F,0x0C,0x74,0xEB, + 0xB8,0xDA,0xF8,0xBF,0x87,0x0D,0x79,0x50,0x91,0x90,0x9B,0x18,0x3B,0x91,0x59,0x27, + 0xF1,0x35,0x28,0x13,0xAB,0x26,0x7E,0xD5,0xF7,0x7A, }; /* subject:/CN=self-signed.ssltest.apple.com/C=US */ 
diff --git a/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.h b/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.h
index d30c7bb6..f66bb236 100644
--- a/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.h
+++ b/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.h
@@ -24,280 +24,234 @@ #ifndef _SECURITY_SI_32_SECTRUST_PINNING_REQUIRED_H_ #define _SECURITY_SI_32_SECTRUST_PINNING_REQUIRED_H_ -/* subject:/CN=query.ess.apple.com/OU=IDS SRE/O=Apple Inc./C=US */ -/* issuer :/CN=Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ -uint8_t _ids_prod[]={ - 0x30,0x82,0x07,0x86,0x30,0x82,0x06,0x6E,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x1A, - 0xFE,0x9C,0x01,0x42,0x80,0xFB,0xAE,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x6D,0x31,0x27,0x30,0x25,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x1E,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20, - 0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43, - 0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74, - 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72, - 0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x37,0x30,0x39,0x31,0x39,0x32, - 0x30,0x35,0x36,0x31,0x35,0x5A,0x17,0x0D,0x31,0x38,0x31,0x30,0x31,0x39,0x32,0x30, - 0x35,0x36,0x31,0x35,0x5A,0x30,0x52,0x31,0x1C,0x30,0x1A,0x06,0x03,0x55,0x04,0x03, - 0x0C,0x13,0x71,0x75,0x65,0x72,0x79,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C, - 0x65,0x2E,0x63,0x6F,0x6D,0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x07, - 0x49,0x44,0x53,0x20,0x53,0x52,0x45,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A, - 0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09, - 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, - 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, - 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xBE,0x9A,0x0A,0x7E,0x25,0xE0, - 0x09,0xD1,0xC4,0x0E,0xC6,0xCB,0x15,0xB6,0xE0,0xB2,0xF8,0xB6,0xDB,0x9D,0xC7,0x5D, - 
0x40,0xA3,0x82,0x03,0xE6,0x8A,0x66,0x0F,0x87,0x10,0xA9,0x58,0x2B,0xCB,0x94,0x60, - 0xB6,0x13,0x8B,0x78,0xB0,0xE6,0x9B,0xA6,0xEF,0x1E,0xE2,0xF2,0xC2,0xC6,0x69,0x67, - 0xA2,0xB6,0x5C,0xA7,0x6C,0xA8,0x3C,0xC7,0xBC,0x3B,0x6E,0x96,0xEE,0x65,0x19,0x8D, - 0x37,0x9A,0xAF,0x35,0xBF,0x51,0xB0,0xD6,0xEC,0x9D,0xBF,0x05,0x44,0xBD,0x2F,0x70, - 0x9D,0x3B,0x84,0xEC,0x2C,0x74,0x48,0x8E,0x68,0x00,0x7E,0x9B,0x19,0xA2,0xE9,0x11, - 0xF7,0x35,0x16,0x3E,0x03,0xD0,0x42,0x4E,0x97,0xC2,0xA9,0x48,0x9F,0x13,0xD8,0x74, - 0x5C,0xD6,0x3D,0xC3,0x8B,0x59,0x76,0xD6,0xC4,0x9D,0x60,0x1D,0xE8,0x8B,0x0D,0x5D, - 0x38,0xB6,0x7F,0xC7,0xE4,0x55,0xCC,0x29,0x52,0x92,0xB8,0x79,0x60,0x3A,0x25,0xE4, - 0xE9,0xA0,0xAE,0xAB,0xF2,0x0F,0x15,0x6C,0xD3,0x10,0x01,0x33,0x18,0x91,0x68,0x49, - 0x37,0x7C,0x61,0x26,0x44,0xE9,0xDE,0x4E,0x8B,0xE5,0x3C,0x2E,0xBE,0x3F,0x8C,0x0D, - 0x4D,0x7E,0x8B,0x43,0x4F,0x5E,0x09,0xF3,0xD2,0x6B,0xA2,0x27,0xAF,0xDE,0x9C,0x9A, - 0xEB,0xD4,0x76,0x40,0x69,0x82,0xB7,0x94,0xF3,0x2B,0x2E,0xA8,0xA4,0x97,0x38,0x02, - 0xEE,0x3B,0x8C,0x82,0x16,0x9E,0x12,0x42,0x57,0x05,0x9F,0xC7,0x07,0x82,0x78,0x3D, - 0x47,0xB8,0x11,0xDD,0x81,0x25,0x24,0xF2,0x49,0x7B,0x34,0x7A,0xC1,0x16,0xE4,0x34, - 0x36,0x67,0xAF,0x75,0x4F,0xB3,0x3D,0xEF,0x83,0xF7,0x02,0x03,0x01,0x00,0x01,0xA3, - 0x82,0x04,0x43,0x30,0x82,0x04,0x3F,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16, - 0x04,0x14,0x6F,0xD8,0x77,0x83,0x70,0xEB,0x9F,0xB6,0x01,0x22,0xDB,0x03,0x56,0x6B, - 0x20,0x12,0xAC,0x2F,0x3F,0x9A,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF, - 0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, - 0x14,0x2C,0xC5,0x6D,0x52,0xDD,0x31,0xEF,0x8C,0xEC,0x08,0x81,0xED,0xDF,0xDC,0xCA, - 0x43,0x00,0x45,0x01,0xD0,0x30,0x3C,0x06,0x03,0x55,0x1D,0x1F,0x04,0x35,0x30,0x33, - 0x30,0x31,0xA0,0x2F,0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63, - 0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70, - 0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x63,0x61,0x31,0x2E, - 
0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03, - 0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08, - 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x82,0x03,0x77,0x06,0x03,0x55,0x1D, - 0x11,0x04,0x82,0x03,0x6E,0x30,0x82,0x03,0x6A,0x82,0x13,0x71,0x75,0x65,0x72,0x79, - 0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x16, - 0x73,0x6D,0x73,0x2D,0x74,0x65,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70, - 0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x16,0x71,0x75,0x65,0x72,0x79,0x2D,0x70,0x76, - 0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x18, - 0x6F,0x70,0x65,0x6E,0x6D,0x61,0x72,0x6B,0x65,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1B,0x69,0x6E,0x76,0x69,0x74,0x61, - 0x74,0x69,0x6F,0x6E,0x2D,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C, - 0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1B,0x70,0x72,0x6F,0x66,0x69,0x6C,0x65,0x2D,0x63, - 0x61,0x72,0x72,0x79,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63, - 0x6F,0x6D,0x82,0x1F,0x72,0x65,0x67,0x69,0x73,0x74,0x72,0x61,0x74,0x69,0x6F,0x6E, - 0x2D,0x74,0x65,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E, - 0x63,0x6F,0x6D,0x82,0x16,0x69,0x64,0x65,0x6E,0x74,0x69,0x74,0x79,0x2E,0x65,0x73, - 0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1E,0x69,0x6E,0x76, - 0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x2D,0x63,0x61,0x72,0x72,0x79,0x2E,0x65,0x73, - 0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1E,0x61,0x67,0x67, - 0x72,0x65,0x67,0x61,0x74,0x6F,0x72,0x2D,0x63,0x61,0x72,0x72,0x79,0x2E,0x65,0x73, - 0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1B,0x69,0x64,0x65, - 0x6E,0x74,0x69,0x74,0x79,0x2D,0x74,0x65,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x18,0x61,0x67,0x67,0x72,0x65,0x67, - 0x61,0x74,0x6F,0x72,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63, - 
0x6F,0x6D,0x82,0x1C,0x69,0x64,0x65,0x6E,0x74,0x69,0x74,0x79,0x2D,0x63,0x61,0x72, - 0x72,0x79,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, - 0x82,0x16,0x71,0x75,0x65,0x72,0x79,0x2D,0x6D,0x72,0x2E,0x65,0x73,0x73,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1A,0x70,0x72,0x6F,0x66,0x69,0x6C, - 0x65,0x2D,0x74,0x65,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65, - 0x2E,0x63,0x6F,0x6D,0x82,0x1B,0x61,0x67,0x67,0x72,0x65,0x67,0x61,0x74,0x6F,0x72, - 0x2D,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F, - 0x6D,0x82,0x1A,0x72,0x65,0x67,0x69,0x73,0x74,0x72,0x61,0x74,0x69,0x6F,0x6E,0x2E, - 0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x20,0x72, - 0x65,0x67,0x69,0x73,0x74,0x72,0x61,0x74,0x69,0x6F,0x6E,0x2D,0x63,0x61,0x72,0x72, - 0x79,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82, - 0x17,0x73,0x6D,0x73,0x2D,0x63,0x61,0x72,0x72,0x79,0x2E,0x65,0x73,0x73,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x18,0x71,0x75,0x65,0x72,0x79,0x2D, - 0x74,0x65,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63, - 0x6F,0x6D,0x82,0x16,0x6A,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x65,0x73,0x73, - 0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x11,0x73,0x6D,0x73,0x2E, - 0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1B,0x61, - 0x67,0x67,0x72,0x65,0x67,0x61,0x74,0x6F,0x72,0x2D,0x70,0x76,0x2E,0x65,0x73,0x73, - 0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x16,0x71,0x75,0x65,0x72, - 0x79,0x2D,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63, - 0x6F,0x6D,0x82,0x15,0x70,0x72,0x6F,0x66,0x69,0x6C,0x65,0x2E,0x65,0x73,0x73,0x2E, - 0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x19,0x71,0x75,0x65,0x72,0x79, - 0x2D,0x63,0x61,0x72,0x72,0x79,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65, - 0x2E,0x63,0x6F,0x6D,0x82,0x1B,0x69,0x6E,0x76,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E, - 
0x2D,0x6D,0x72,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F, - 0x6D,0x82,0x1B,0x61,0x67,0x67,0x72,0x65,0x67,0x61,0x74,0x6F,0x72,0x2D,0x6D,0x72, - 0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1B, - 0x69,0x6E,0x76,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x2D,0x70,0x76,0x2E,0x65,0x73, - 0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x18,0x69,0x6E,0x76, - 0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C, - 0x65,0x2E,0x63,0x6F,0x6D,0x82,0x1D,0x61,0x67,0x67,0x72,0x65,0x67,0x61,0x74,0x6F, - 0x72,0x2D,0x74,0x65,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65, - 0x2E,0x63,0x6F,0x6D,0x82,0x1D,0x69,0x6E,0x76,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E, - 0x2D,0x74,0x65,0x73,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E, - 0x63,0x6F,0x6D,0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B, +/* subject:/CN=profile.ess.apple.com/O=Apple Inc./ST=California/C=US */ +/* issuer :/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ +uint8_t _ids_test[]={ + 0x30,0x82,0x04,0x76,0x30,0x82,0x03,0x5E,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x24, + 0x1F,0x1C,0x82,0xF4,0x25,0x42,0xB4,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, + 0x03,0x0C,0x23,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65, + 0x72,0x76,0x65,0x72,0x20,0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x38, + 
0x30,0x38,0x30,0x37,0x30,0x31,0x30,0x35,0x33,0x37,0x5A,0x17,0x0D,0x31,0x39,0x30, + 0x39,0x30,0x36,0x30,0x31,0x30,0x35,0x33,0x37,0x5A,0x30,0x57,0x31,0x1E,0x30,0x1C, + 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x70,0x72,0x6F,0x66,0x69,0x6C,0x65,0x2E,0x65, + 0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63, + 0x2E,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69, + 0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, + 0x82,0x01,0x01,0x00,0xDA,0xEE,0xCE,0x4F,0x0A,0x31,0xF5,0x6A,0x6C,0xD8,0xD8,0xF9, + 0x1E,0x4D,0x85,0x38,0x17,0x42,0x45,0xBA,0xF2,0x8C,0x16,0xC2,0xEC,0x29,0x84,0x88, + 0xC2,0xC2,0x45,0xCB,0x79,0xF6,0x7F,0x89,0x65,0x3D,0x98,0xED,0xE7,0x21,0xA8,0xAB, + 0x4C,0xE2,0x75,0x7C,0x5B,0x26,0x00,0xC4,0x4C,0x81,0xE4,0xFF,0xA4,0xBB,0xA6,0x0F, + 0x80,0x9D,0xD9,0xD5,0xA3,0xD2,0x5C,0xA1,0x25,0xE1,0x9F,0xB5,0x53,0xF3,0x31,0x3B, + 0xCB,0x55,0xC2,0x75,0xFB,0xC7,0x3B,0x3C,0x07,0x6B,0x29,0xAF,0x43,0x90,0x1E,0x9B, + 0xC3,0x47,0x0C,0x09,0xDF,0x07,0x9C,0xA8,0x12,0x3E,0x9E,0xFE,0x29,0xE7,0x11,0x06, + 0xA1,0x1D,0x8C,0xEA,0x99,0x73,0xD5,0x13,0x66,0x51,0x0D,0x3D,0x6B,0x67,0x38,0x68, + 0x04,0x40,0xE8,0x1E,0x50,0x56,0x59,0x77,0x5A,0xF3,0x12,0xAC,0x2B,0x93,0xF8,0xBC, + 0x87,0xA6,0x70,0x3F,0xB8,0x8F,0xE2,0xEC,0x38,0x5F,0xB4,0x73,0xE6,0x95,0x38,0xD1, + 0x31,0x16,0xFE,0xFF,0x77,0x01,0xD2,0xD0,0x2F,0xF4,0xF7,0x3A,0x21,0x5B,0xA8,0x36, + 0xC4,0xE4,0x58,0x26,0x3D,0x6F,0xFF,0xA0,0x39,0x45,0x83,0xCB,0x66,0xF5,0x4C,0xC6, + 0x43,0x67,0x1C,0x58,0x72,0x5B,0xCC,0xAA,0x15,0x91,0x4D,0xE6,0x24,0xF6,0x18,0xFE, + 0xF5,0xEF,0x75,0xB4,0x5B,0xF1,0x86,0x2F,0x67,0x0A,0x5B,0x7D,0x8E,0x22,0x1B,0x2F, + 0xFA,0xE2,0xB1,0x41,0x37,0x4D,0x26,0xD6,0x9B,0x13,0x66,0x5F,0xE5,0xCD,0x4B,0xC9, + 
0x91,0x62,0xF9,0x98,0x8E,0x7F,0xB6,0x6F,0x7A,0xFF,0x95,0xF1,0x0B,0x1C,0x1F,0xFB, + 0xD1,0x49,0xB7,0xFD,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x29,0x30,0x82,0x01, + 0x25,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30, + 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xA8,0xCA,0x7A,0x9B, + 0xA8,0x37,0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2, + 0x30,0x52,0x06,0x03,0x55,0x1D,0x11,0x04,0x4B,0x30,0x49,0x82,0x18,0x6F,0x70,0x65, + 0x6E,0x6D,0x61,0x72,0x6B,0x65,0x74,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C, + 0x65,0x2E,0x63,0x6F,0x6D,0x82,0x16,0x69,0x64,0x65,0x6E,0x74,0x69,0x74,0x79,0x2E, + 0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x15,0x70, + 0x72,0x6F,0x66,0x69,0x6C,0x65,0x2E,0x65,0x73,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65, + 0x2E,0x63,0x6F,0x6D,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06, + 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x49,0x06,0x03,0x55,0x1D,0x1F, + 0x04,0x42,0x30,0x40,0x30,0x3E,0xA0,0x3C,0xA0,0x3A,0x86,0x38,0x68,0x74,0x74,0x70, + 0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61,0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E, + 0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x74,0x65,0x73,0x74,0x61,0x70, + 0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x63,0x61,0x31, + 0x2E,0x63,0x72,0x6C,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x3F, + 0x0C,0x0D,0xC7,0x17,0x81,0x02,0x61,0x50,0x18,0xFC,0xAF,0xBD,0xA0,0xA8,0x4E,0x78, + 0xA7,0xFB,0xF1,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03, + 0x02,0x05,0xA0,0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B, 0x04,0x02,0x04,0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, - 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x2D,0x0C,0xCF,0x60,0xD4,0xBF, - 0xAE,0x51,0x01,0xF9,0xDF,0x46,0xBD,0xDE,0x39,0xEF,0xCA,0x36,0x6F,0xD0,0x31,0xCE, - 0x2C,0x04,0x05,0x46,0x7E,0xB5,0xC8,0x16,0xAD,0xCF,0xC2,0x3F,0xFB,0xB7,0x44,0x06, - 
0xB2,0x73,0x09,0xBE,0x30,0x78,0xD9,0x90,0xED,0x73,0x7B,0x6B,0xF9,0xDC,0x7F,0x16, - 0xE7,0x6F,0x55,0x9E,0x6F,0x4B,0xD9,0x77,0x53,0xAA,0xCB,0xAA,0x98,0x76,0x07,0xE9, - 0x49,0x3C,0x52,0x91,0x22,0xEA,0x9A,0x57,0x0D,0x7E,0x2E,0x1B,0xA8,0xD5,0x55,0x70, - 0xE1,0x47,0x2B,0x55,0x04,0x9A,0x98,0x79,0x30,0x08,0xEF,0x1D,0xB7,0x2C,0x0B,0xB0, - 0x42,0x11,0x4A,0xB5,0xB5,0xB7,0xCE,0xAC,0xD1,0x8C,0x0B,0x52,0x62,0xBB,0x32,0x4A, - 0xAB,0x22,0x40,0x37,0x10,0x1B,0x67,0x51,0x4A,0x06,0x00,0x70,0xB5,0x6F,0x0B,0x45, - 0x7F,0xA0,0x8A,0x30,0xF5,0xF1,0x70,0x1F,0x61,0xBC,0xB0,0xDD,0x38,0xC1,0xAF,0xCA, - 0x26,0x79,0x90,0xFC,0x7D,0x59,0xA5,0x75,0xB4,0x89,0x11,0x2B,0xAD,0x93,0xB5,0xFE, - 0xD4,0x1A,0xC1,0xDC,0x19,0x01,0xC7,0xF6,0x6C,0xFA,0x36,0xDD,0x7F,0xBD,0x28,0x70, - 0x8E,0xC9,0xE5,0xF3,0xEB,0xC2,0xA9,0x5A,0x9D,0xBB,0x2F,0xCE,0xE6,0x8B,0x28,0xEA, - 0x8D,0x28,0x37,0x0A,0x65,0x1F,0x4E,0x03,0xC6,0xCE,0x22,0x56,0x46,0x1E,0xAF,0xC9, - 0x38,0x99,0xCA,0xE4,0x5E,0x50,0xEF,0xCE,0x63,0x29,0x1A,0x9E,0xCA,0xE2,0xAE,0x30, - 0xD4,0x99,0xC0,0x49,0x38,0xA3,0x51,0xDD,0xF2,0xA8,0x4C,0x81,0x4A,0xF7,0x36,0x9C, - 0xC2,0x18,0xC5,0xCF,0x22,0xF2,0xE9,0x8A,0xD2,0x87, + 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x53,0x88,0x1A,0x2C,0x60,0xFB, + 0x15,0x08,0x83,0x06,0xE4,0xF7,0x23,0x38,0x50,0xA6,0xD3,0xA7,0xBD,0x06,0xB4,0xAF, + 0x87,0x4F,0x13,0xC6,0x1B,0x79,0x2C,0x80,0x30,0x7E,0x23,0x0D,0x4E,0x6A,0xC3,0x9B, + 0xF8,0x73,0x1E,0x7B,0xD7,0x14,0xB0,0x5F,0xA8,0xEC,0xB4,0x0D,0xBD,0x3B,0x40,0x87, + 0x9A,0x4D,0x1D,0x2D,0x8F,0x00,0xCE,0x72,0xDE,0xAF,0x2E,0x73,0x82,0x54,0xBA,0x0E, + 0x3A,0xC2,0xAB,0x7C,0x09,0xE8,0xBE,0x0B,0x26,0x0F,0xC3,0x80,0xCD,0x9C,0x85,0x09, + 0xA3,0xD3,0xB5,0xCE,0x7D,0x63,0xB3,0x33,0x32,0x06,0xD9,0xAE,0xA9,0x7D,0x1E,0x2F, + 0xF9,0x1B,0x60,0x3F,0x1F,0xFA,0x57,0x17,0xC6,0x5A,0x28,0x44,0x24,0x36,0xF4,0x77, + 0xE6,0x91,0x7D,0xED,0x45,0x28,0x59,0x3E,0xA1,0x03,0x3E,0x45,0x3F,0x41,0x8E,0x62, + 0x0A,0x21,0xD8,0x47,0xED,0xFA,0x53,0x4F,0x07,0x7D,0xF6,0xFC,0xE1,0x98,0xC0,0x0C, + 
0xAA,0x68,0xD2,0xB7,0xCD,0x7D,0xF5,0x55,0xD7,0x56,0x55,0x78,0x56,0x80,0x8A,0x30, + 0x89,0x30,0x2C,0xA9,0x8A,0x71,0xD1,0x4E,0x05,0x4A,0x5E,0xDB,0x23,0x2F,0xC9,0xA1, + 0x45,0xF9,0xF1,0x16,0xE1,0x72,0xA5,0xD7,0xB1,0x32,0xB3,0x90,0x4B,0xF8,0x72,0xD6, + 0xF3,0x65,0x84,0x0F,0xB6,0x23,0x41,0x4D,0xE3,0xDD,0xC0,0x5B,0xB7,0xF8,0x1C,0xF2, + 0x1F,0xB5,0x5D,0xD0,0xFB,0xB9,0x7D,0x0D,0x34,0xC4,0x61,0x42,0x8E,0xD4,0xED,0x4C, + 0xA4,0x83,0x9C,0x8D,0xBA,0xE3,0x49,0x45,0x07,0xE4,0x0E,0x0E,0x01,0x10,0x93,0xCF, + 0x49,0x39,0x4C,0x1C,0x0A,0x88,0xC3,0x2E,0x7C,0x64, }; -/* subject:/CN=Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -uint8_t _AppleServerAuth[1020]={ - 0x30,0x82,0x03,0xF8,0x30,0x82,0x02,0xE0,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x23, - 0x69,0x74,0x04,0xAD,0xCB,0x83,0x14,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A, +/* subject:/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ +uint8_t _TestAppleServerAuth[]={ + 0x30,0x82,0x04,0x0F,0x30,0x82,0x02,0xF7,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x4B, + 0x28,0xA9,0x3B,0x57,0x8B,0xF6,0x26,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, - 0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, + 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, - 
0x74,0x79,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70, - 0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x34, - 0x30,0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x17,0x0D,0x32,0x39,0x30, - 0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x30,0x6D,0x31,0x27,0x30,0x25, - 0x06,0x03,0x55,0x04,0x03,0x0C,0x1E,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72, - 0x76,0x65,0x72,0x20,0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69, - 0x6F,0x6E,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17, - 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75, - 0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A, - 0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09, - 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, - 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, - 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB9,0x26,0x16,0xB0,0xCB,0x87, - 0xAB,0x71,0x15,0x92,0x8E,0xDF,0xAA,0x3E,0xE1,0x80,0xD7,0x53,0xBA,0xA4,0x60,0xCC, - 0x7C,0x85,0x72,0xF7,0x30,0x7C,0x09,0x4F,0x57,0x0D,0x4A,0xFF,0xE1,0x5E,0xC9,0x4B, - 0x50,0x13,0x02,0x64,0xB1,0xBD,0x39,0x35,0xD1,0xD7,0x04,0x51,0xC1,0x18,0xFA,0x22, - 0xFA,0xAE,0xDF,0x98,0x18,0xD6,0xBF,0x4E,0x4D,0x43,0x10,0xFA,0x25,0x88,0x9F,0xD3, - 0x40,0x85,0x76,0xE5,0x22,0x81,0xB6,0x54,0x45,0x73,0x9A,0x8B,0xE3,0x9C,0x48,0x1A, - 0x86,0x7A,0xC3,0x51,0xE2,0xDA,0x95,0xF8,0xA4,0x7D,0xDB,0x30,0xDE,0x6C,0x0E,0xC4, - 0xC5,0xF5,0x6C,0x98,0xE7,0xA6,0xFA,0x57,0x20,0x1D,0x19,0x73,0x7A,0x0E,0xCD,0x63, - 0x0F,0xB7,0x27,0x88,0x2E,0xE1,0x9A,0x68,0x82,0xB8,0x40,0x6C,0x63,0x16,0x24,0x66, - 0x2B,0xE7,0xB2,0xE2,0x54,0x7D,0xE7,0x88,0x39,0xA2,0x1B,0x81,0x3E,0x02,0xD3,0x39, - 0xD8,0x97,0x77,0x4A,0x32,0x0C,0xD6,0x0A,0x0A,0xB3,0x04,0x9B,0xF1,0x72,0x6F,0x63, - 0xA8,0x15,0x1E,0x6C,0x37,0xE8,0x0F,0xDB,0x53,0x90,0xD6,0x29,0x5C,0xBC,0x6A,0x57, - 
0x9B,0x46,0x78,0x0A,0x3E,0x24,0xEA,0x9A,0x3F,0xA1,0xD8,0x3F,0xF5,0xDB,0x6E,0xA8, - 0x6C,0x82,0xB5,0xDD,0x99,0x38,0xEC,0x92,0x56,0x94,0xA6,0xC5,0x73,0x26,0xD1,0xAE, - 0x08,0xB2,0xC6,0x52,0xE7,0x8E,0x76,0x4B,0x89,0xB8,0x54,0x0F,0x6E,0xE0,0xD9,0x42, - 0xDB,0x2A,0x65,0x87,0x46,0x14,0xBB,0x96,0xB8,0x57,0xBB,0x51,0xE6,0x84,0x13,0xF7, - 0x0D,0xA1,0xB6,0x89,0xAC,0x7C,0xD1,0x21,0x74,0xAB,0x02,0x03,0x01,0x00,0x01,0xA3, - 0x81,0xA6,0x30,0x81,0xA3,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14, - 0x2C,0xC5,0x6D,0x52,0xDD,0x31,0xEF,0x8C,0xEC,0x08,0x81,0xED,0xDF,0xDC,0xCA,0x43, - 0x00,0x45,0x01,0xD0,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05, - 0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, - 0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6, - 0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x2E,0x06,0x03,0x55,0x1D,0x1F,0x04,0x27,0x30, - 0x25,0x30,0x23,0xA0,0x21,0xA0,0x1F,0x86,0x1D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, - 0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x6F, - 0x6F,0x74,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF, - 0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63, - 0x64,0x06,0x02,0x0C,0x04,0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x23,0xF1,0x06,0x7E, - 0x50,0x41,0x81,0xA2,0x5E,0xD3,0x70,0xA4,0x49,0x91,0xAF,0xD8,0xCC,0x67,0x8C,0xA1, - 0x25,0x7D,0xC4,0x9A,0x93,0x39,0x2F,0xD8,0x69,0xFB,0x1B,0x41,0x5B,0x44,0xD7,0xD9, - 0x6B,0xCB,0x3B,0x25,0x09,0x1A,0xF2,0xF4,0xE3,0xC7,0x9C,0xE8,0xB0,0x5B,0xF0,0xDF, - 0xDD,0x22,0x25,0x11,0x15,0x93,0xB9,0x49,0x5E,0xDA,0x0C,0x66,0x7A,0x5E,0xD7,0x6F, - 0xF0,0x63,0xD4,0x65,0x8C,0xC4,0x7A,0x54,0x7D,0x56,0x4F,0x65,0x9A,0xFD,0xDA,0xC4, - 0xB2,0xC8,0xB0,0xB8,0xA1,0xCB,0x7D,0xE0,0x47,0xA8,0x40,0x15,0xB8,0x16,0x19,0xED, - 0x5B,0x61,0x8E,0xDF,0xAA,0xD0,0xCD,0xD2,0x3A,0xC0,0x7E,0x3A,0x9F,0x22,0x4E,0xDF, - 
0xDF,0xF4,0x4E,0x1A,0xCD,0x93,0xFF,0xD0,0xF0,0x45,0x55,0x64,0x33,0x3E,0xD4,0xE5, - 0xDA,0x68,0xA0,0x13,0x8A,0x76,0x30,0x27,0xD4,0xBF,0xF8,0x1E,0x76,0xF6,0xF9,0xC3, - 0x00,0xEF,0xB1,0x83,0xEA,0x53,0x6D,0x5C,0x35,0xC7,0x0D,0x07,0x01,0xBA,0xF8,0x61, - 0xB9,0xFE,0xC5,0x9A,0x6B,0x43,0x61,0x81,0x03,0xEB,0xBA,0x5F,0x70,0x9D,0xE8,0x6F, - 0x94,0x24,0x4B,0xDC,0xCE,0x92,0xA8,0x2E,0xA2,0x35,0x3C,0xE3,0x49,0xE0,0x16,0x77, - 0xA2,0xDC,0x6B,0xB9,0x8D,0x18,0x42,0xB9,0x36,0x96,0x43,0x32,0xC6,0xCB,0x76,0x99, - 0x35,0x36,0xD8,0x56,0xC6,0x98,0x5D,0xC3,0x6F,0xA5,0x7E,0x95,0xC2,0xD5,0x7A,0x0A, - 0x02,0x20,0x66,0x78,0x92,0xF2,0x67,0xA4,0x23,0x0D,0xE8,0x09,0xBD,0xCC,0x21,0x31, - 0x10,0xA0,0xBD,0xBE,0xB5,0xDD,0x4C,0xDD,0x46,0x03,0x99,0x99, + 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, + 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, + 0x1E,0x17,0x0D,0x31,0x35,0x30,0x36,0x30,0x38,0x30,0x37,0x35,0x38,0x34,0x35,0x5A, + 0x17,0x0D,0x32,0x39,0x30,0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x30, + 0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04,0x03,0x0C,0x23,0x54,0x65,0x73,0x74, + 0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x41,0x75, + 0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41,0x31, + 0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, + 0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, + 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, + 0x82,0x01,0x01,0x00,0xC5,0x7B,0x3F,0x48,0xD3,0x62,0x93,0x93,0x7C,0x0C,0x37,0x69, + 0xDB,0x28,0x05,0x40,0x12,0xD7,0x1F,0x0A,0xB8,0xC3,0xBA,0x24,0x39,0x22,0xDC,0x39, + 
0x42,0x1F,0xFD,0x93,0x45,0x3C,0x23,0x0B,0x3E,0xB4,0x96,0xA6,0x55,0x59,0xBA,0xC4, + 0x99,0xE7,0x8A,0x5F,0x8F,0xAE,0x66,0xA7,0x28,0xE2,0x9E,0x68,0xD9,0xEC,0x52,0x67, + 0xFE,0xDD,0xBE,0x59,0xB4,0xAD,0x97,0x63,0x64,0xB0,0x08,0x3C,0xBB,0x6E,0xD1,0x29, + 0xD8,0x58,0xA1,0x99,0x6C,0x2F,0x2F,0xB3,0xF5,0x5C,0x59,0xCA,0xA1,0xE6,0x67,0x44, + 0x3C,0x13,0xB4,0xAE,0x0D,0x00,0xC7,0x53,0xB7,0xF5,0x61,0x58,0xD5,0xC8,0x42,0xFC, + 0xE2,0xFD,0xD5,0x39,0x18,0x80,0xE2,0x72,0xBC,0xF8,0xC3,0x9F,0xCB,0xD8,0x2F,0x83, + 0x40,0x9A,0x3E,0x55,0x5E,0x61,0xA9,0xC4,0x81,0x14,0x2B,0x7B,0x19,0x15,0xAD,0x84, + 0x5E,0x80,0xA8,0x67,0x79,0x05,0x16,0x48,0x5C,0xAE,0x1A,0x2B,0x59,0x9F,0xAA,0x62, + 0x0B,0x2F,0x57,0xCD,0xE8,0xA8,0x5D,0x38,0xAD,0x7C,0x90,0x79,0x50,0xAC,0x4D,0x13, + 0xA4,0xA7,0xF3,0x73,0xED,0xD6,0x93,0x45,0xDD,0xA8,0xC6,0xFE,0x03,0x28,0x4D,0x58, + 0xC1,0x8B,0xC1,0x03,0x0E,0xE7,0xDF,0x78,0xDD,0x21,0xC6,0x6D,0x1E,0xA0,0x38,0xD7, + 0xA7,0xD7,0x04,0x8C,0x7F,0xCA,0x15,0xEA,0x88,0xE9,0xAE,0x8D,0x46,0xE0,0x87,0x94, + 0x3E,0x8F,0x53,0x11,0x88,0x23,0x99,0x7B,0x9D,0xD8,0x69,0x1A,0x22,0xAE,0xB5,0x18, + 0xA5,0x9F,0xEA,0x71,0x31,0x0B,0x27,0x93,0x85,0x1D,0xF7,0xA0,0xC3,0x82,0x0A,0x3F, + 0xEE,0xD2,0xD4,0xEF,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xB3,0x30,0x81,0xB0,0x30, + 0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37, + 0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x0F, + 0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30, + 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x59,0xB8,0x2B,0x94, + 0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33,0xC9,0x59,0xC3,0x54,0x98, + 0x30,0x3B,0x06,0x03,0x55,0x1D,0x1F,0x04,0x34,0x30,0x32,0x30,0x30,0xA0,0x2E,0xA0, + 0x2C,0x86,0x2A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61, + 0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, + 0x2F,0x74,0x65,0x73,0x74,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06, + 
0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06, + 0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x0C,0x04,0x02,0x05,0x00,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0x11,0x24,0x61,0x2B,0x7C,0x5E,0x67,0x29,0x94,0x14,0x19,0x16,0xD5, + 0xD4,0x7A,0xEE,0x53,0x1A,0x64,0xA2,0x6A,0x2B,0x04,0xE6,0x2C,0xA1,0x08,0xBA,0xCA, + 0x81,0xF5,0x28,0x2A,0xCE,0xD5,0x6B,0x52,0xAC,0xE7,0xBD,0xB3,0x23,0xB9,0x67,0x2C, + 0xC7,0x9E,0x61,0xA1,0xD9,0x6C,0x3F,0x4F,0x55,0xD4,0x75,0xAF,0x44,0xAD,0xF8,0xCE, + 0x58,0xA7,0x2E,0xF8,0x6A,0xF0,0x76,0x51,0x31,0x75,0x4C,0xCA,0xF6,0xC3,0x59,0xC7, + 0xE6,0xAE,0x4A,0x20,0x4E,0x5F,0xB9,0xAB,0x1C,0xB6,0x36,0x25,0x60,0x02,0x32,0x47, + 0x7D,0xA0,0xE2,0x36,0xB3,0x3B,0x40,0x20,0x9E,0x38,0x40,0x1C,0x7E,0x83,0x35,0x9C, + 0x9D,0x8B,0xD1,0xF9,0xEA,0xD4,0xF2,0x83,0xE0,0x30,0xEA,0xC3,0xEE,0x3D,0x76,0x98, + 0x9E,0x0A,0x07,0xB5,0xB6,0xFC,0x38,0x32,0xF6,0x41,0xEF,0x8E,0x25,0x2C,0xE3,0xC7, + 0xA7,0xAD,0x88,0x77,0x4D,0x10,0x1D,0x67,0x50,0x64,0xB0,0x02,0x04,0x2C,0xEA,0x4C, + 0x81,0x33,0xBE,0xF3,0xCD,0x43,0x63,0x97,0x44,0xDF,0xBB,0xC6,0xE2,0x37,0x32,0xF1, + 0xE4,0x19,0x1F,0xF5,0xAE,0xDA,0x05,0xC4,0x0B,0xFA,0x30,0xCA,0x77,0x78,0x65,0xD6, + 0x4F,0x2D,0xFE,0x63,0xD3,0x4C,0x3D,0xA9,0x0E,0xC4,0x0F,0xD6,0xCC,0x2A,0x2D,0x06, + 0x9B,0xDE,0x94,0xF6,0x22,0x2E,0x89,0xCB,0x68,0x4E,0xDE,0x79,0xE5,0x83,0xDE,0x64, + 0x63,0xE9,0x77,0x88,0xF1,0x57,0xF2,0x5C,0xB4,0x77,0x3A,0xC8,0x1F,0x6D,0x80,0x4C, + 0x8B,0x68,0xA5,0xFA,0xAD,0x1F,0x5C,0x8C,0x50,0x27,0xED,0xF7,0x43,0x68,0xAD,0x34, + 0x5E,0xF6,0x74, }; -/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -uint8_t _AppleRootCA[1215]={ - 0x30,0x82,0x04,0xBB,0x30,0x82,0x03,0xA3,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x02, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, - 
0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, - 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, +/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ +uint8_t _TestAppleRootCA[]={ + 0x30,0x82,0x04,0xCC,0x30,0x82,0x03,0xB4,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x3D, + 0x00,0x4B,0x90,0x3E,0xDE,0xE0,0xD0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, + 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, + 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, + 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, + 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, + 0x1E,0x17,0x0D,0x31,0x35,0x30,0x34,0x32,0x32,0x30,0x32,0x31,0x35,0x34,0x38,0x5A, + 0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30,0x33,0x36,0x5A,0x30, + 0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, + 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70, 0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, - 0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, - 0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x34,0x32,0x35,0x32,0x31,0x34, - 
0x30,0x33,0x36,0x5A,0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30, - 0x33,0x36,0x5A,0x30,0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, - 0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70, - 0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B, - 0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, - 0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31, - 0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20, - 0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A, - 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30, - 0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE4,0x91,0xA9,0x09,0x1F,0x91,0xDB,0x1E, - 0x47,0x50,0xEB,0x05,0xED,0x5E,0x79,0x84,0x2D,0xEB,0x36,0xA2,0x57,0x4C,0x55,0xEC, - 0x8B,0x19,0x89,0xDE,0xF9,0x4B,0x6C,0xF5,0x07,0xAB,0x22,0x30,0x02,0xE8,0x18,0x3E, - 0xF8,0x50,0x09,0xD3,0x7F,0x41,0xA8,0x98,0xF9,0xD1,0xCA,0x66,0x9C,0x24,0x6B,0x11, - 0xD0,0xA3,0xBB,0xE4,0x1B,0x2A,0xC3,0x1F,0x95,0x9E,0x7A,0x0C,0xA4,0x47,0x8B,0x5B, - 0xD4,0x16,0x37,0x33,0xCB,0xC4,0x0F,0x4D,0xCE,0x14,0x69,0xD1,0xC9,0x19,0x72,0xF5, - 0x5D,0x0E,0xD5,0x7F,0x5F,0x9B,0xF2,0x25,0x03,0xBA,0x55,0x8F,0x4D,0x5D,0x0D,0xF1, - 0x64,0x35,0x23,0x15,0x4B,0x15,0x59,0x1D,0xB3,0x94,0xF7,0xF6,0x9C,0x9E,0xCF,0x50, - 0xBA,0xC1,0x58,0x50,0x67,0x8F,0x08,0xB4,0x20,0xF7,0xCB,0xAC,0x2C,0x20,0x6F,0x70, - 0xB6,0x3F,0x01,0x30,0x8C,0xB7,0x43,0xCF,0x0F,0x9D,0x3D,0xF3,0x2B,0x49,0x28,0x1A, - 0xC8,0xFE,0xCE,0xB5,0xB9,0x0E,0xD9,0x5E,0x1C,0xD6,0xCB,0x3D,0xB5,0x3A,0xAD,0xF4, - 0x0F,0x0E,0x00,0x92,0x0B,0xB1,0x21,0x16,0x2E,0x74,0xD5,0x3C,0x0D,0xDB,0x62,0x16, - 0xAB,0xA3,0x71,0x92,0x47,0x53,0x55,0xC1,0xAF,0x2F,0x41,0xB3,0xF8,0xFB,0xE3,0x70, - 0xCD,0xE6,0xA3,0x4C,0x45,0x7E,0x1F,0x4C,0x6B,0x50,0x96,0x41,0x89,0xC4,0x74,0x62, - 0x0B,0x10,0x83,0x41,0x87,0x33,0x8A,0x81,0xB1,0x30,0x58,0xEC,0x5A,0x04,0x32,0x8C, - 
0x68,0xB3,0x8F,0x1D,0xDE,0x65,0x73,0xFF,0x67,0x5E,0x65,0xBC,0x49,0xD8,0x76,0x9F, - 0x33,0x14,0x65,0xA1,0x77,0x94,0xC9,0x2D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01, - 0x7A,0x30,0x82,0x01,0x76,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04, - 0x04,0x03,0x02,0x01,0x06,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, - 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, - 0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6,0xF7, - 0x47,0x4D,0x7F,0x08,0x5E,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, - 0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6, - 0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20,0x04, - 0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86,0x48, - 0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06,0x01, - 0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x77, - 0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70, - 0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 0x02,0x02,0x30,0x81,0xB6,0x1A,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65, - 0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69, - 0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74, - 0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74, - 0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E, - 0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E, - 0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63, - 0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65, - 0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F, - 0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69, - 
0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20, - 0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0D,0x06,0x09,0x2A, - 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x5C, - 0x36,0x99,0x4C,0x2D,0x78,0xB7,0xED,0x8C,0x9B,0xDC,0xF3,0x77,0x9B,0xF2,0x76,0xD2, - 0x77,0x30,0x4F,0xC1,0x1F,0x85,0x83,0x85,0x1B,0x99,0x3D,0x47,0x37,0xF2,0xA9,0x9B, - 0x40,0x8E,0x2C,0xD4,0xB1,0x90,0x12,0xD8,0xBE,0xF4,0x73,0x9B,0xEE,0xD2,0x64,0x0F, - 0xCB,0x79,0x4F,0x34,0xD8,0xA2,0x3E,0xF9,0x78,0xFF,0x6B,0xC8,0x07,0xEC,0x7D,0x39, - 0x83,0x8B,0x53,0x20,0xD3,0x38,0xC4,0xB1,0xBF,0x9A,0x4F,0x0A,0x6B,0xFF,0x2B,0xFC, - 0x59,0xA7,0x05,0x09,0x7C,0x17,0x40,0x56,0x11,0x1E,0x74,0xD3,0xB7,0x8B,0x23,0x3B, - 0x47,0xA3,0xD5,0x6F,0x24,0xE2,0xEB,0xD1,0xB7,0x70,0xDF,0x0F,0x45,0xE1,0x27,0xCA, - 0xF1,0x6D,0x78,0xED,0xE7,0xB5,0x17,0x17,0xA8,0xDC,0x7E,0x22,0x35,0xCA,0x25,0xD5, - 0xD9,0x0F,0xD6,0x6B,0xD4,0xA2,0x24,0x23,0x11,0xF7,0xA1,0xAC,0x8F,0x73,0x81,0x60, - 0xC6,0x1B,0x5B,0x09,0x2F,0x92,0xB2,0xF8,0x44,0x48,0xF0,0x60,0x38,0x9E,0x15,0xF5, - 0x3D,0x26,0x67,0x20,0x8A,0x33,0x6A,0xF7,0x0D,0x82,0xCF,0xDE,0xEB,0xA3,0x2F,0xF9, - 0x53,0x6A,0x5B,0x64,0xC0,0x63,0x33,0x77,0xF7,0x3A,0x07,0x2C,0x56,0xEB,0xDA,0x0F, - 0x21,0x0E,0xDA,0xBA,0x73,0x19,0x4F,0xB5,0xD9,0x36,0x7F,0xC1,0x87,0x55,0xD9,0xA7, - 0x99,0xB9,0x32,0x42,0xFB,0xD8,0xD5,0x71,0x9E,0x7E,0xA1,0x52,0xB7,0x1B,0xBD,0x93, - 0x42,0x24,0x12,0x2A,0xC7,0x0F,0x1D,0xB6,0x4D,0x9C,0x5E,0x63,0xC8,0x4B,0x80,0x17, - 0x50,0xAA,0x8A,0xD5,0xDA,0xE4,0xFC,0xD0,0x09,0x07,0x37,0xB0,0x75,0x75,0x21, + 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x1B,0x30,0x19,0x06, + 0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65, + 0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00, + 0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC7,0xD1,0x43,0x53,0x7F,0x0D,0x88, + 
0x6B,0xE6,0xB1,0x67,0x9D,0xEE,0x67,0xB6,0xE7,0x77,0x12,0x81,0xC4,0xDF,0x24,0x6B, + 0x7A,0x75,0x24,0xF7,0x01,0x09,0xCE,0x34,0x92,0xF5,0x38,0x08,0x42,0x7E,0xEC,0x9D, + 0xF2,0x5D,0x38,0x91,0xB4,0x93,0x98,0x35,0x11,0x3C,0x98,0x00,0x77,0xD9,0xD7,0xF3, + 0x4A,0xF8,0xF0,0xBC,0xEB,0x97,0x5D,0x4B,0x61,0x2E,0xFB,0xC5,0xCC,0x68,0xB7,0x6D, + 0x69,0x10,0xCC,0xA5,0x61,0x78,0xA8,0x81,0x02,0x9E,0xE7,0x63,0xC5,0xFF,0x29,0x22, + 0x82,0x68,0xAA,0xAA,0x0E,0xFB,0xA9,0xD8,0x16,0x73,0x25,0xBF,0x9D,0x08,0x62,0x2F, + 0x78,0x04,0xF6,0xF6,0x44,0x07,0x37,0x6E,0x99,0x1B,0x93,0xD8,0x7F,0xEE,0x72,0xDE, + 0xE8,0x32,0xF6,0x6D,0x78,0x04,0xA0,0xA8,0x21,0x26,0x8A,0x32,0xE3,0xB1,0x65,0x85, + 0xA1,0x7B,0x1A,0xA9,0x02,0xB2,0xBB,0xEE,0xDD,0xDD,0x8F,0x41,0x49,0xC8,0x3F,0xDC, + 0x1E,0xDF,0x21,0xA3,0x95,0x99,0xBB,0xFC,0x29,0xBA,0x40,0x43,0xB9,0x1C,0xCD,0xC9, + 0x21,0x45,0x73,0xAD,0xFF,0xFD,0xA2,0x6C,0x5C,0x3B,0x1C,0x37,0x91,0x34,0x8E,0x5C, + 0xD3,0xD5,0x03,0x58,0x28,0xC7,0xF2,0x76,0x6F,0x11,0xC0,0xB5,0xBD,0x7E,0xEF,0x23, + 0xB3,0x3D,0xB8,0xBD,0x38,0x66,0x8C,0xF2,0x78,0x95,0xC1,0x8B,0x32,0x65,0x3A,0x9B, + 0x49,0x1A,0x5C,0x41,0x3C,0xC6,0x85,0x50,0xEC,0x85,0xF0,0x59,0x17,0x81,0xE8,0x96, + 0xE8,0x6A,0xCC,0xB3,0xC7,0x46,0xBF,0x81,0x48,0xD1,0x09,0x1B,0xBC,0x73,0x1E,0xD7, + 0xE8,0x27,0xA8,0x49,0x48,0xA2,0x1C,0x41,0x1D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82, + 0x01,0x7A,0x30,0x82,0x01,0x76,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33, + 0xC9,0x59,0xC3,0x54,0x98,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, + 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30, + 0x16,0x80,0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52, + 0x23,0x33,0xC9,0x59,0xC3,0x54,0x98,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20, + 0x04,0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06, + 
0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F, + 0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70, + 0x70,0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 0x07,0x02,0x02,0x30,0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63, + 0x65,0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72, + 0x74,0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70, + 0x74,0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65, + 0x6E,0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61, + 0x6E,0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20, + 0x63,0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73, + 0x65,0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70, + 0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65, + 0x20,0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0E,0x06,0x03, + 0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00, + 0x10,0x5E,0x6C,0x69,0xFC,0xA6,0x0F,0xE2,0x09,0xD5,0x94,0x90,0xA6,0x7C,0x22,0xDC, + 0xEE,0xB0,0x8F,0x24,0x22,0x4F,0xB3,0x67,0xDB,0x32,0xB0,0xD6,0x24,0x87,0xE6,0xF3, + 0xEA,0x9E,0xD0,0x95,0x75,0xAA,0xA7,0x08,0xFF,0xB0,0x35,0xD7,0x1F,0xA3,0xBF,0x89, + 0x55,0x0C,0x1C,0xA4,0xD0,0xF8,0x00,0x17,0x44,0x94,0x36,0x63,0x3B,0x83,0xFE,0x4E, + 0xE5,0xB3,0xEC,0x7B,0x7D,0xCE,0xFE,0xA9,0x54,0xED,0xBB,0x12,0xA6,0x72,0x2B,0xB3, + 0x48,0x00,0xC7,0x8E,0xF5,0x5B,0x68,0xC9,0x24,0x22,0x7F,0xA1,0x4D,0xFC,0x54,0xD9, + 0xD0,0x5D,0x82,0x53,0x71,0x29,0x66,0xCF,0x0F,0x6D,0x32,0xA6,0x3F,0xAE,0x54,0x27, + 
0xC2,0x8C,0x12,0x4C,0xF0,0xD6,0xC1,0x80,0x75,0xC3,0x33,0x19,0xD1,0x8B,0x58,0xE6, + 0x00,0x69,0x76,0xE7,0xE5,0x3D,0x47,0xF9,0xC0,0x9C,0xE7,0x19,0x1E,0x95,0xBC,0x52, + 0x15,0xCE,0x94,0xF8,0x30,0x14,0x0B,0x39,0x0E,0x8B,0xAF,0x29,0x30,0x56,0xAF,0x5A, + 0x28,0xAC,0xE1,0x0F,0x51,0x76,0x76,0x9A,0xE7,0xB9,0x7D,0xA3,0x30,0xE8,0xE3,0x71, + 0x15,0xE8,0xBF,0x0D,0x4F,0x12,0x9B,0x65,0xAB,0xEF,0xA4,0xE9,0x42,0xF0,0xD2,0x4D, + 0x20,0x55,0x29,0x88,0x58,0x5C,0x82,0x67,0x63,0x20,0x50,0xC6,0xCA,0x04,0xE8,0xBC, + 0x3D,0x93,0x06,0x21,0xB2,0xC0,0xBF,0x53,0x1E,0xE1,0x8B,0x48,0xA9,0xB9,0xD7,0xE6, + 0x5F,0x4E,0x5A,0x2F,0x43,0xAC,0x35,0xBD,0x26,0x60,0x2F,0x01,0xD5,0x86,0x6B,0x64, + 0xFA,0x67,0x05,0x44,0x55,0x83,0x5B,0x93,0x9C,0x7C,0xA7,0x26,0x4E,0x02,0x2B,0x48, }; diff --git a/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m b/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m index b1773732..4e44d314 100644 --- a/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m +++ b/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m 
@@ -41,13 +41,13 @@ static NSArray *root = nil; static NSDate *verifyDate = nil; static void setup_globals(void) { - SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _ids_prod, sizeof(_ids_prod)); - SecCertificateRef intermediate = SecCertificateCreateWithBytes(NULL, _AppleServerAuth, sizeof(_AppleServerAuth)); - SecCertificateRef rootcert = SecCertificateCreateWithBytes(NULL, _AppleRootCA, sizeof(_AppleRootCA)); + SecCertificateRef leaf = SecCertificateCreateWithBytes(NULL, _ids_test, sizeof(_ids_test)); + SecCertificateRef intermediate = SecCertificateCreateWithBytes(NULL, _TestAppleServerAuth, sizeof(_TestAppleServerAuth)); + SecCertificateRef rootcert = SecCertificateCreateWithBytes(NULL, _TestAppleRootCA, sizeof(_TestAppleRootCA)); certs = @[(__bridge id)leaf,(__bridge id)intermediate]; root = @[(__bridge id)rootcert]; - verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:528000000.0]; //September 24, 2017 at 7:40:00 PM PDT + verifyDate = [NSDate dateWithTimeIntervalSinceReferenceDate:560000000.0]; //September 30, 2018 at 4:33:20 AM PDT CFReleaseNull(leaf); CFReleaseNull(intermediate); diff --git a/OSX/sec/Security/SecCertificate.c b/OSX/sec/Security/SecCertificate.c index 15302c73..a74f1f99 100644 --- a/OSX/sec/Security/SecCertificate.c +++ b/OSX/sec/Security/SecCertificate.c 
@@ -6502,3 +6502,25 @@ errOut: CFReleaseNull(appleRoot); return result; } + +bool SecCertificateGetDeveloperIDDate(SecCertificateRef certificate, CFAbsoluteTime *time, CFErrorRef *error) { + if (!certificate || !time) { + return SecError(errSecParam, error, CFSTR("DeveloperID Date parsing: missing required input")); + } + DERItem *extensionValue = SecCertificateGetExtensionValue(certificate, CFSTR("1.2.840.113635.100.6.1.33")); + if (!extensionValue) { + return SecError(errSecMissingRequiredExtension, error, CFSTR("DeveloperID Date parsing: extension not found")); + } + DERDecodedInfo decodedValue; + if (DERDecodeItem(extensionValue, &decodedValue) != DR_Success) { + return SecError(errSecDecode, error, CFSTR("DeveloperID Date parsing: extension value failed to decode")); + } + /* The extension value is a DERGeneralizedTime encoded in a UTF8String */ + CFErrorRef localError = NULL; + if (decodedValue.tag == ASN1_UTF8_STRING) { + *time = SecAbsoluteTimeFromDateContentWithError(ASN1_GENERALIZED_TIME, decodedValue.content.data, decodedValue.content.length, &localError); + } else { + return SecError(errSecDecode, error, CFSTR("DeveloperID Date parsing: extension value wrong tag")); + } + return CFErrorPropagate(localError, error); +} diff --git a/OSX/sec/Security/SecExports.exp-in b/OSX/sec/Security/SecExports.exp-in index 2c5d1537..d7741e13 100644 --- a/OSX/sec/Security/SecExports.exp-in +++ b/OSX/sec/Security/SecExports.exp-in @@ -356,6 +356,7 @@ _SecCertificateCopyCommonName _SecCertificateCopyCommonNames _SecCertificateCopyCompanyName _SecCertificateCopyCountry +_SecCertificateGetDeveloperIDDate _SecCertificateCopyDNSNames _SecCertificateCopyDNSNamesFromSAN _SecCertificateCopyDNSNamesFromSubject diff --git a/OSX/sec/securityd/OTATrustUtilities.h b/OSX/sec/securityd/OTATrustUtilities.h index 74f33fe5..38f99053 100644 --- a/OSX/sec/securityd/OTATrustUtilities.h +++ b/OSX/sec/securityd/OTATrustUtilities.h 
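Review bot: `*time` is written in SecCertificateGetDeveloperIDDate before the parse result is known, so a malformed date overwrites the caller's variable with whatever SecAbsoluteTimeFromDateContentWithError returns on failure, even though the call then reports the error through `CFErrorPropagate`. Parsing into a local and storing only on success keeps the out-parameter untouched on error: `CFAbsoluteTime parsed = SecAbsoluteTimeFromDateContentWithError(ASN1_GENERALIZED_TIME, decodedValue.content.data, decodedValue.content.length, &localError);`, then `if (localError) { return CFErrorPropagate(localError, error); }` and `*time = parsed;`. The decode step also checks only the tag, not that the UTF8String covers the whole extension value, so bytes after it appear to be accepted silently. Comparing the end of `decodedValue.content` with the end of `extensionValue` would reject them.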
@@ -145,6 +145,9 @@ NSNumber *SecOTAPKIGetSamplingRateForEvent(SecOTAPKIRef otapkiRef, NSString *eve CFArrayRef SecOTAPKICopyAppleCertificateAuthorities(SecOTAPKIRef otapkiRef); +extern const CFStringRef kOTAPKIKillSwitchCT; +bool SecOTAPKIKillSwitchEnabled(SecOTAPKIRef otapkiRef, CFStringRef switchKey); + // SPI to return the array of currently trusted Escrow certificates CF_EXPORT CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(uint32_t escrowRootType, CFErrorRef* error); diff --git a/OSX/sec/securityd/OTATrustUtilities.m b/OSX/sec/securityd/OTATrustUtilities.m index f04a136e..5c90306d 100644 --- a/OSX/sec/securityd/OTATrustUtilities.m +++ b/OSX/sec/securityd/OTATrustUtilities.m @@ -183,6 +183,7 @@ static uint64_t GetSystemVersion(CFStringRef key); #if !TARGET_OS_BRIDGE static BOOL UpdateFromAsset(NSURL *localURL, NSNumber *asset_version, NSError **error); static BOOL UpdateOTACheckInDate(void); +static void UpdateKillSwitch(NSString *key, bool value); #endif #if TARGET_OS_IPHONE static void TriggerUnlockNotificationOTATrustAssetCheck(dispatch_queue_t queue); 
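Review bot: The new declaration of `SecOTAPKIKillSwitchEnabled` has no comment, and its result decides whether Certificate Transparency is enforced, so the contract should be stated where callers read it. Something like `/* Returns true when the named kill switch is set. Returns false for a NULL otapkiRef or an unrecognized key, so callers keep enforcing. */` matches the definition later in this patch. The parameter is named `switchKey` here and `key` in the definition in OTATrustUtilities.m; using one name in both places would be tidier.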
@@ -198,12 +199,16 @@ NSString *kOTATrustContextFilename = @"OTAPKIContext.plist"; NSString *kOTATrustTrustedCTLogsFilename = @"TrustedCTLogs.plist"; NSString *kOTATrustAnalyticsSamplingRatesFilename = @"AnalyticsSamplingRates.plist"; NSString *kOTATrustAppleCertifcateAuthoritiesFilename = @"AppleCertificateAuthorities.plist"; +NSString *kOTATrustCTKillSwitch = @"CTKillSwitch"; + +const CFStringRef kOTAPKIKillSwitchCT = CFSTR("CTKillSwitch"); #if !TARGET_OS_BRIDGE const NSString *OTATrustMobileAssetType = @"com.apple.MobileAsset.PKITrustSupplementals"; #define kOTATrustMobileAssetNotification "com.apple.MobileAsset.PKITrustSupplementals.cached-metadata-updated" #define kOTATrustOnDiskAssetNotification "com.apple.trustd.asset-updated" #define kOTATrustCheckInNotification "com.apple.trustd.asset-check-in" +#define kOTATrustKillSwitchNotification "com.apple.trustd.kill-switch" const NSUInteger OTATrustMobileAssetCompatibilityVersion = 1; #define kOTATrustDefaultUpdatePeriod 60*60*12 // 12 hours #define kOTATrustMinimumUpdatePeriod 60*5 // 5 min 
@@ -483,6 +488,30 @@ static BOOL CopyFileToDisk(NSString *filename, NSURL *localURL, NSError **error) return NO; } +static void GetKillSwitchAttributes(NSDictionary *attributes) { + bool killSwitchEnabled = false; + + // CT Kill Switch + NSNumber *ctKillSwitch = [attributes objectForKey:kOTATrustCTKillSwitch]; + if (isNSNumber(ctKillSwitch)) { + NSError *error = nil; + UpdateOTAContextOnDisk(kOTATrustCTKillSwitch, ctKillSwitch, &error); + UpdateKillSwitch(kOTATrustCTKillSwitch, [ctKillSwitch boolValue]); + secnotice("OTATrust", "got CT kill switch = %d", [ctKillSwitch boolValue]); + killSwitchEnabled = true; + } + + /* Other kill switches TBD. + * When adding one, make sure to add to the Analytics Samplers since these kill switches + * are installed before the full asset is downloaded and installed. (A device can have the + * kill switches without having the asset version that contained them.) */ + + // notify the other trustds if any kill switch was read + if (SecOTAPKIIsSystemTrustd() && killSwitchEnabled) { + notify_post(kOTATrustKillSwitchNotification); + } +} + // MARK: Fetch and Update Functions #if TARGET_OS_IPHONE static NSNumber *UpdateAndPurgeAsset(MAAsset *asset, NSNumber *asset_version, NSError **error) { @@ -598,6 +627,8 @@ static BOOL DownloadOTATrustAsset(BOOL isLocalOnly, BOOL wait, NSError **error) continue; } + GetKillSwitchAttributes(asset.attributes); + switch (asset.state) { default: MakeOTATrustError(&ma_error, OTATrustLogLevelError, NSOSStatusErrorDomain, errSecInternal, @@ -786,6 +817,8 @@ static BOOL DownloadOTATrustAsset(BOOL isLocalOnly, BOOL wait, NSError **error) continue; } + GetKillSwitchAttributes(attributes); + ASProgressHandler OTATrustHandler = ^(NSDictionary *state, NSError *progressError){ NSString *operationState = nil; if (progressError) { 
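Review bot: The outcome of `UpdateOTAContextOnDisk` is dropped in GetKillSwitchAttributes: `error` is never read, yet the in-memory switch is updated and `kOTATrustKillSwitchNotification` is posted regardless. The handler registered for that notification reloads the value from the on-disk context (presumably the same file this call writes), so after a failed write the other trustd instances would keep the old value while the system trustd uses the new one. Logging the failure and skipping the post would keep the instances consistent, for example `if (error) { secerror("OTATrust: failed to persist CT kill switch: %@", error); return; }` right after the call, assuming `secerror` is available in this file as it is elsewhere in the patch. Separately, `killSwitchEnabled` is set when an attribute was read, whatever its value, so a name such as `killSwitchRead` would describe it better.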
@@ -847,6 +880,9 @@ static BOOL DownloadOTATrustAsset(BOOL isLocalOnly, BOOL wait, NSError **error) began_async_job = true; } break; + case ASAssetStateStalled: + secdebug("OTATrust", "OTATrust asset stalled"); + // drop through case ASAssetStateDownloading: secdebug("OTATrust", "OTATrust asset downloading"); asset.progressHandler = OTATrustHandler; @@ -888,6 +924,27 @@ static BOOL DownloadOTATrustAsset(BOOL isLocalOnly, BOOL wait, NSError **error) } #endif /* !TARGET_OS_IPHONE */ +static bool InitializeKillSwitch(NSString *key) { +#if !TARGET_OS_BRIDGE + NSError *error = nil; + NSDictionary *OTAPKIContext = [NSDictionary dictionaryWithContentsOfURL:GetAssetFileURL(kOTATrustContextFilename) error:&error]; + if (isNSDictionary(OTAPKIContext)) { + NSNumber *killSwitchValue = OTAPKIContext[key]; + if (isNSNumber(killSwitchValue)) { + secinfo("OTATrust", "found on-disk kill switch %{public}@ with value %d", key, [killSwitchValue boolValue]); + return [killSwitchValue boolValue]; + } else { + MakeOTATrustError(&error, OTATrustLogLevelNotice, NSOSStatusErrorDomain, errSecInvalidValue, + @"OTAContext.plist missing check-in"); + } + } else { + MakeOTATrustError(&error, OTATrustLogLevelNotice, NSOSStatusErrorDomain, errSecMissingValue, + @"OTAContext.plist missing dictionary"); + } +#endif + return false; +} + static void InitializeOTATrustAsset(dispatch_queue_t queue) { /* Only the "system" trustd does updates */ if (SecOTAPKIIsSystemTrustd()) { @@ -930,6 +987,10 @@ static void InitializeOTATrustAsset(dispatch_queue_t queue) { secinfo("OTATrust", "Got notification about successful PKITrustSupplementals asset check-in"); (void)UpdateOTACheckInDate(); }); + int out_token3 = 0; + notify_register_dispatch(kOTATrustKillSwitchNotification, &out_token3, queue, ^(int __unused token) { + UpdateKillSwitch(kOTATrustCTKillSwitch, InitializeKillSwitch(kOTATrustCTKillSwitch)); + }); } } 
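Review bot: Both error strings in InitializeKillSwitch look copied from the check-in code and name the wrong thing: `@"OTAContext.plist missing check-in"` is raised when the kill switch key is absent, and the file constant used here is `kOTATrustContextFilename`, which is `OTAPKIContext.plist`. Suggested wording is `@"OTAPKIContext.plist missing kill switch"` and `@"OTAPKIContext.plist missing dictionary"`, so the log points at the real cause. The final `return false` means an unreadable or incomplete context file leaves CT enforcement on; a one-line comment such as `// default: switch off, CT stays enforced` would make that intent explicit. The `error` filled in by `dictionaryWithContentsOfURL:error:` is also reused as the output of `MakeOTATrustError`, which may hide the original read error.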
@@ -1484,6 +1545,7 @@ struct _OpaqueSecOTAPKI { CFDateRef _lastAssetCheckIn; CFDictionaryRef _eventSamplingRates; CFArrayRef _appleCAs; + bool _ctKillSwitch; }; CFGiblisFor(SecOTAPKI) @@ -1686,7 +1748,10 @@ static SecOTAPKIRef SecOTACreate() { #if !TARGET_OS_BRIDGE /* Initialize our update handling */ InitializeOTATrustAsset(kOTABackgroundQueue); -#endif + otapkiref->_ctKillSwitch = InitializeKillSwitch(kOTATrustCTKillSwitch); +#else // TARGET_OS_BRIDGE + otapkiref->_ctKillSwitch = true; // bridgeOS never enforces CT +#endif // TARGET_OS_BRIDGE return otapkiref; } @@ -1701,10 +1766,12 @@ SecOTAPKIRef SecOTAPKICopyCurrentOTAPKIRef() { QOS_CLASS_BACKGROUND, 0); attr = dispatch_queue_attr_make_with_autorelease_frequency(attr, DISPATCH_AUTORELEASE_FREQUENCY_WORK_ITEM); kOTABackgroundQueue = dispatch_queue_create("com.apple.security.OTAPKIBackgroundQueue", attr); - kCurrentOTAPKIRef = SecOTACreate(); if (!kOTAQueue || !kOTABackgroundQueue) { secerror("Failed to create OTAPKI Queues. May crash later."); } + dispatch_sync(kOTAQueue, ^{ + kCurrentOTAPKIRef = SecOTACreate(); + }); } }); @@ -1738,6 +1805,14 @@ static BOOL UpdateOTACheckInDate(void) { } } +static void UpdateKillSwitch(NSString *key, bool value) { + dispatch_sync(kOTAQueue, ^{ + if ([key isEqualToString:kOTATrustCTKillSwitch]) { + kCurrentOTAPKIRef->_ctKillSwitch = value; + } + }); +} + static BOOL UpdateFromAsset(NSURL *localURL, NSNumber *asset_version, NSError **error) { if (!localURL || !asset_version) { MakeOTATrustError(error, OTATrustLogLevelError, NSOSStatusErrorDomain, errSecInternal, 
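Review bot: In SecOTAPKICopyCurrentOTAPKIRef the new `dispatch_sync(kOTAQueue, ...)` runs even when the check just above it found `kOTAQueue` to be NULL, because that check only logs. Before this change `SecOTACreate()` was called directly and did not depend on the queue existing; now a NULL queue is passed to `dispatch_sync`, which is not a valid argument. Moving the new block into an `else` of the existing check (or returning early from it) would keep the failure mode no worse than before. The function starts and ends outside the hunk.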
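Review bot: `kCurrentOTAPKIRef->_ctKillSwitch = value;` in UpdateKillSwitch dereferences the global without a NULL check, and whether SecOTACreate can return NULL is not visible from this hunk. A guard is cheap: `if (kCurrentOTAPKIRef && [key isEqualToString:kOTATrustCTKillSwitch]) {`. The function also uses `dispatch_sync` on `kOTAQueue`, and this patch makes SecOTACreate run on that same queue, so assuming the queue is serial, any path from SecOTACreate that reached UpdateKillSwitch synchronously would deadlock. A comment on the function stating that it must not be called from `kOTAQueue` would record that constraint.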
@@ -2064,6 +2139,16 @@ CFArrayRef SecOTAPKICopyAppleCertificateAuthorities(SecOTAPKIRef otapkiRef) { return CFRetainSafe(otapkiRef->_appleCAs); } +bool SecOTAPKIKillSwitchEnabled(SecOTAPKIRef otapkiRef, CFStringRef key) { + if (NULL == otapkiRef || NULL == key) { + return false; + } + if (CFEqualSafe(key, kOTAPKIKillSwitchCT)) { + return otapkiRef->_ctKillSwitch; + } + return false; +} + /* Returns an array of certificate data (CFDataRef) */ CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(uint32_t escrowRootType, CFErrorRef* error) { SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef(); diff --git a/OSX/sec/securityd/SOSCloudCircleServer.m b/OSX/sec/securityd/SOSCloudCircleServer.m index d0ce6425..ffed641f 100644 --- a/OSX/sec/securityd/SOSCloudCircleServer.m +++ b/OSX/sec/securityd/SOSCloudCircleServer.m @@ -672,10 +672,12 @@ static bool do_with_account_while_unlocked(CFErrorRef *error, bool (^action)(SOS result = SecAKSDoWhileUserBagLocked(&localError, ^{ do_with_account(^(SOSAccountTransaction* txn) { SOSAccount *account = txn.account; - if(![SOSAuthKitHelpers peerinfoHasMID: account]) { - // This is the first good opportunity to update our FullPeerInfo and - // push the resulting circle. - [SOSAuthKitHelpers updateMIDInPeerInfo: account]; + if([account isInCircle: NULL]) { + if(![SOSAuthKitHelpers peerinfoHasMID: account]) { + // This is the first good opportunity to update our FullPeerInfo and + // push the resulting circle. + [SOSAuthKitHelpers updateMIDInPeerInfo: account]; + } } attempted_action = true; action_result = action(txn, error); diff --git a/OSX/sec/securityd/SecItemDb.c b/OSX/sec/securityd/SecItemDb.c index 4128cafc..ca13565c 100644 --- a/OSX/sec/securityd/SecItemDb.c +++ b/OSX/sec/securityd/SecItemDb.c 
@@ -1348,6 +1348,10 @@ bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bool mult secdebug("backup", "found exact sys_bound item: %@", item); return true; } + if (isString(service) && CFStringHasPrefix(service, CFSTR("com.apple.gs."))) { + secdebug("backup", "found exact sys_bound item: %@", item); + return true; + } if (isString(service) && CFEqual(service, CFSTR("com.apple.facetime"))) { CFStringRef account = CFDictionaryGetValue(item, kSecAttrAccount); if (isString(account) && CFEqual(account, CFSTR("registrationV1"))) { diff --git a/OSX/sec/securityd/SecPolicyServer.c b/OSX/sec/securityd/SecPolicyServer.c index b53cd556..fda34f81 100644 --- a/OSX/sec/securityd/SecPolicyServer.c +++ b/OSX/sec/securityd/SecPolicyServer.c 
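Review bot: The new branch in SecItemIsSystemBound matches on a prefix (`CFStringHasPrefix(service, CFSTR("com.apple.gs."))`) but logs the same text as the exact-match branch above it, `"found exact sys_bound item: %@"`. The two cases then cannot be told apart in the backup log; `"found sys_bound item by service prefix: %@"` would fix that. A prefix match also widens the set of items treated as system-bound to any service string that begins this way. If an access-group check encloses this branch it lies outside the hunk, so it would be worth confirming and noting it in a comment here.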
@@ -2300,20 +2300,24 @@ static void SecPolicyCheckSystemTrustedCTRequired(SecPVCRef pvc) { require_quiet(SecCertificatePathVCIsPathValidated(path), out); /* We only enforce this check when all of the following are true: - * 0. Not a pinning policy */ + * 0. Kill Switch not enabled */ + require_quiet(!SecOTAPKIKillSwitchEnabled(otaref, kOTAPKIKillSwitchCT), out); + + /* 1. Not a pinning policy */ SecPolicyRef policy = SecPVCGetPolicy(pvc); require_quiet(CFEqualSafe(SecPolicyGetName(policy),kSecPolicyNameSSLServer), out); - /* 1. Device has checked in to MobileAsset for a current log list within the last 60 days. + /* 2. Device has checked in to MobileAsset for a current log list within the last 60 days. * Or the caller passed in the trusted log list. */ require_quiet(SecOTAPKIAssetStalenessLessThanSeconds(otaref, kSecOTAPKIAssetStalenessDisable) || trustedLogs, out); - /* 2. Leaf issuance date is on or after 16 Oct 2018 at 00:00:00 AM UTC and not expired. */ + /* 3. Leaf issuance date is on or after 16 Oct 2018 at 00:00:00 AM UTC and not expired. */ SecCertificateRef leaf = SecPVCGetCertificateAtIndex(pvc, 0); require_quiet(SecCertificateNotValidBefore(leaf) >= 561340800.0 && SecCertificateIsValid(leaf, SecPVCGetVerifyTime(pvc)), out); - /* 3. Chain is anchored with root in the system anchor source but not the Apple anchor source */ + /* 4. Chain is anchored with root in the system anchor source but not the Apple anchor source + * with certain excepted CAs and configurable included CAs. */ CFIndex count = SecPVCGetCertificateCount(pvc); SecCertificateRef root = SecPVCGetCertificateAtIndex(pvc, count - 1); appleAnchorSource = SecMemoryCertificateSourceCreate(SecGetAppleTrustAnchors(false)); 
@@ -3399,14 +3403,22 @@ static void SecPVCCheckRequireCTConstraints(SecPVCRef pvc) { if (ctp <= kSecPathCTNotRequired || !SecPVCIsSSLServerAuthenticationPolicy(pvc)) { return; } - /* CT was required. Error is always set on leaf certificate. */ - SecPVCSetResultForced(pvc, kSecPolicyCheckCTRequired, - 0, kCFBooleanFalse, true); - if (ctp != kSecPathCTRequiredOverridable) { - /* Normally kSecPolicyCheckCTRequired is recoverable, - so need to manually change trust result here. */ - pvc->result = kSecTrustResultFatalTrustFailure; + + /* We need to have a recent log list or the CT check may have failed due to the list being out of date. + * Also, honor the CT kill switch. */ + SecOTAPKIRef otaref = SecOTAPKICopyCurrentOTAPKIRef(); + if (!SecOTAPKIKillSwitchEnabled(otaref, kOTAPKIKillSwitchCT) && + SecOTAPKIAssetStalenessLessThanSeconds(otaref, kSecOTAPKIAssetStalenessDisable)) { + /* CT was required. Error is always set on leaf certificate. */ + SecPVCSetResultForced(pvc, kSecPolicyCheckCTRequired, + 0, kCFBooleanFalse, true); + if (ctp != kSecPathCTRequiredOverridable) { + /* Normally kSecPolicyCheckCTRequired is recoverable, + so need to manually change trust result here. */ + pvc->result = kSecTrustResultFatalTrustFailure; + } } + CFReleaseNull(otaref); } /* AUDIT[securityd](done): 
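Review bot: SecPVCCheckRequireCTConstraints now skips the `kSecPolicyCheckCTRequired` failure silently when the kill switch is set or the log list is stale, including for paths where `ctp` is not `kSecPathCTRequiredOverridable`. The EV condition in SecPVCPathChecks in the next hunk relaxes in the same way. Since a device that has not checked in recently stops enforcing a required-CT constraint, the skip should at least be observable: an `else` branch with `secnotice("policy", "CT required but not enforced: kill switch set or log list stale");` (and the analytics event, if one exists for this) would let operators see when enforcement is off. It would also help to say in the comment which of the two conditions is expected to be the common one. How `SecOTAPKIAssetStalenessLessThanSeconds` treats a NULL `otaref` is not visible here and decides whether that case fails open.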
@@ -3467,10 +3479,13 @@ void SecPVCPathChecks(SecPVCRef pvc) { /* This call will set the value of pvc->is_ct, but won't change the result (pvc->result) */ SecPolicyCheckCT(pvc); - /* Certs are only EV if they are also CT verified */ - if (ev_check_ok && SecCertificatePathVCIsCT(path)) { + /* Certs are only EV if they are also CT verified (when the Kill Switch isn't enabled and against a recent log list) */ + SecOTAPKIRef otaref = SecOTAPKICopyCurrentOTAPKIRef(); + if (ev_check_ok && (SecCertificatePathVCIsCT(path) || SecOTAPKIKillSwitchEnabled(otaref, kOTAPKIKillSwitchCT) || + !SecOTAPKIAssetStalenessLessThanSeconds(otaref, kSecOTAPKIAssetStalenessDisable))) { SecCertificatePathVCSetIsEV(path, true); } + CFReleaseNull(otaref); } /* Say that we did the expensive path checks (that we want to skip on the second call) */ diff --git a/OSX/sec/securityd/SecRevocationNetworking.m b/OSX/sec/securityd/SecRevocationNetworking.m index d12695b2..ec7be407 100644 --- a/OSX/sec/securityd/SecRevocationNetworking.m +++ b/OSX/sec/securityd/SecRevocationNetworking.m @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017-2018 Apple Inc. All Rights Reserved. + * Copyright (c) 2017-2019 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -178,10 +178,13 @@ didReceiveResponse:(NSURLResponse *)response completionHandler:(void (^)(NSURLSessionResponseDisposition disposition))completionHandler { /* nsurlsessiond started our download. Create a transaction since we're going to be working for a little bit */ self->_transaction = os_transaction_create("com.apple.trustd.valid.download"); - secinfo("validupdate", "Session %@ data task %@ returned response %ld, expecting %lld bytes", session, dataTask, - (long)[(NSHTTPURLResponse *)response statusCode],[response expectedContentLength]); + secinfo("validupdate", "Session %@ data task %@ returned response %ld (%@), expecting %lld bytes", + session, dataTask, (long)[(NSHTTPURLResponse *)response statusCode], + [response MIMEType], [response expectedContentLength]); - (void)checkBasePath(kSecRevocationBasePath); + WithPathInRevocationInfoDirectory(NULL, ^(const char *utf8String) { + (void)checkBasePath(utf8String); + }); CFURLRef updateFileURL = SecCopyURLForFileInRevocationInfoDirectory(CFSTR("update-current")); self->_currentUpdateFileURL = (updateFileURL) ? CFBridgingRelease(updateFileURL) : nil; const char *updateFilePath = [self->_currentUpdateFileURL fileSystemRepresentation]; @@ -327,7 +330,6 @@ static ValidUpdateRequest *request = nil; @"Accept-Encoding" : @"gzip,deflate,br"}; config.TLSMinimumSupportedProtocol = kTLSProtocol12; - config.TLSMaximumSupportedProtocol = kTLSProtocol13; return config; } @@ -347,6 +349,7 @@ static ValidUpdateRequest *request = nil; /* Callbacks should be on a separate NSOperationQueue. We'll then dispatch the work on updateQueue and return from the callback. */ NSOperationQueue *queue = [[NSOperationQueue alloc] init]; + queue.maxConcurrentOperationCount = 1; _backgroundSession = [NSURLSession sessionWithConfiguration:config delegate:delegate delegateQueue:queue]; } 
@@ -366,8 +369,6 @@ static ValidUpdateRequest *request = nil; * after system boot before trying to initiate network activity, to avoid the possibility * of a performance regression in the boot path. */ dispatch_async(updateQueue, ^{ - /* Take a transaction while we work */ - os_transaction_t transaction = os_transaction_create("com.apple.trustd.valid.scheduleUpdate"); CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); if (self.updateScheduled != 0.0) { secdebug("validupdate", "update in progress (scheduled %f)", (double)self.updateScheduled); @@ -379,18 +380,15 @@ static ValidUpdateRequest *request = nil; gNextUpdate = now + (minUptime - uptime); gUpdateStarted = 0; secnotice("validupdate", "postponing update until %f", gNextUpdate); + return; } else { self.updateScheduled = now; secnotice("validupdate", "scheduling update at %f", (double)self.updateScheduled); } } - NSURL *validUrl = [NSURL URLWithString:[NSString stringWithFormat:@"https://%@/g3/v%ld", - server, (unsigned long)version]]; - if (!validUrl) { - secnotice("validupdate", "invalid update url"); - return; - } + /* we have an update to schedule, so take a transaction while we work */ + os_transaction_t transaction = os_transaction_create("com.apple.trustd.valid.scheduleUpdate"); /* clear all old sessions and cleanup disk (for previous download tasks) */ static dispatch_once_t onceToken; 
@@ -416,12 +414,14 @@ static ValidUpdateRequest *request = nil; @"version" : @(version) }); + NSURL *validUrl = [NSURL URLWithString:[NSString stringWithFormat:@"https://%@/g3/v%ld", + server, (unsigned long)version]]; NSURLSessionDataTask *dataTask = [self.backgroundSession dataTaskWithURL:validUrl]; dataTask.taskDescription = [NSString stringWithFormat:@"%lu",(unsigned long)version]; [dataTask resume]; secnotice("validupdate", "scheduled background data task %@ at %f", dataTask, CFAbsoluteTimeGetCurrent()); (void) transaction; // dead store - transaction = nil; + transaction = nil; // ARC releases the transaction }); return YES; diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist index ea40b6d8..cf5ed7af 100644 --- a/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist +++ b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist @@ -2329,17 +2329,17 @@ Leaf - ids_prod + ids_test Intermediates - AppleServerAuthentication + TestAppleServerAuthentication Anchors - AppleRootCA + TestAppleRootCA ExpectedResult 4 ChainLength 3 VerifyDate - 2018-02-08T21:00:00Z + 2019-02-08T21:00:00Z MajorTestName @@ -2385,17 +2385,17 @@ Leaf - ids_prod + ids_test Intermediates - AppleServerAuthentication + TestAppleServerAuthentication Anchors - AppleRootCA + TestAppleRootCA ExpectedResult 4 ChainLength 3 VerifyDate - 2018-02-08T21:00:00Z + 2019-02-08T21:00:00Z MajorTestName @@ -2441,17 +2441,17 @@ Leaf - ids_prod + ids_test Intermediates - AppleServerAuthentication + TestAppleServerAuthentication Anchors - AppleRootCA + TestAppleRootCA ExpectedResult 4 ChainLength 3 VerifyDate - 2018-02-08T21:00:00Z + 2019-02-08T21:00:00Z MajorTestName 
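Review bot: The nil check on `validUrl` was removed in the previous hunk and not restored here, so `[self.backgroundSession dataTaskWithURL:validUrl]` can now receive nil when `server` does not form a valid URL. The old code logged and returned in that case. Re-adding `if (!validUrl) { secnotice("validupdate", "invalid update url"); return; }` right after the `URLWithString:` line would restore that behaviour. `self.updateScheduled` is set earlier in the same block, outside this hunk, so the early return may need to reset it so that a later update is not blocked.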
@@ -2499,17 +2499,17 @@ Leaf - ids_prod + ids_test Intermediates - AppleServerAuthentication + TestAppleServerAuthentication Anchors - AppleRootCA + TestAppleRootCA ExpectedResult 4 ChainLength 3 VerifyDate - 2018-02-08T21:00:00Z + 2019-02-08T21:00:00Z MajorTestName @@ -3064,7 +3064,7 @@ Properties SecPolicyName - hls-svod.itunes.apple.com + hls-slive.itunes.apple.com Leaf @@ -3092,7 +3092,7 @@ Properties SecPolicyName - hls-svod.itunes.apple.com + hls-slive.itunes.apple.com Leaf diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ids_test.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ids_test.cer new file mode 100644 index 0000000000000000000000000000000000000000..c489eff14903509b3effeb59dda5ad22ca400f72 GIT binary patch literal 1146 zcmXqLVkt9dVvbwD%*4pV#GxWD)AU8vX^R0b8>d#AN85K^Mn-N{27@9)9Rn>k=1>-9 z9_5hK;t~bNf`Xh>h2YepveY64$I_CF)Vz|+ul4;REJ&%9(kLv903kRY2dQ)sY(oH(zcg@J{Exq+d9sj+z! zkZWmRX}P59e$nvPqLTj`q|Jc*MtiXOp|D!h+@mq?YO|`gaDE9AvIpd`Z`d_|VDMqg_ zJMtt#%{Kr40!!EC(`jFQjyb2xL=;7zStUBr_nFE!iGN?;mu`vv*ruP(6B(4AJ z(MCseU$twqh124np7lOCG3n=wzWQzXRsW}cm%S-{Kr;NFVCDf9Ye z9iIK8Sg!iI$cFe8Z?^F6wRUKq>_rjT8HR)<#CaK6~bt;T=2;q07N z&c&Cvo~upXY;44KbKS~XIsKo~3HI{8!o`n8X}GAEeJOu7vG%R2Mx@u>Gh39n0CPxyT`mVh7S<*bG cch_T2SN11-e2fB<&wE<>$Z&NW)~iVY09h-b-~a#s literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/itunes.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/itunes.cer index c1681b64f74eb23666deab527828541fe0e5932b..e3fc0c5ac9a5f1d35fe56dd53e13680698480178 100644 GIT binary patch delta 910 zcmX@ddxKZrpo#4Y5LYi?W@2Pw5)e3iC~U8%?>5sX6Xt8r{{4NTc&U-4fw7^np}Dc8 zk!h4TuaTjFiJ>8sYtYzisBECf#vIDR%p;YNQ>+_ z`@c>$-M3C-3@PQ2DXJq`(!otkN++onfl*7iQ&Bn;W zc&(C&g^8t!DF%omn8GHjvZ&Q(R_KIJW?*1pW^glbVN&ohU3K&Qbw$fVyQZvdT2LJE zWyPJmgw1jX3ewWANpl4HFewxSUs$(n#yMWj!&BxoBtCz6blSbjNg}4)Z?;QSheo=H zF_bYZ*~vL!i$sJ-`)=VyXVMF}Y)ogc{FJ`G<8k>}z7xE61Q-|?LDtR&TI+)7{^E`zkCzBZt9SzWID*8$=17xW0v_%VW@X*0j;fvdFMs#$;DsXUU+ z{nhmaPJxrwf7p1KXZ!2p^WQ66V^VPZoO#J1hGn&jgQK*;&Rui9+=!lLu3IUQ5K(zl zZ|~PLK#N_br0Q*WcW(U=2lg8){%IVz^{i>%jnjr(?JpZo+q$iB1=M0l^nrp=pbgvmT_p~C$G?a_}ieHydd0`t>>A${XygqX>?drD2sM}^OxosepM zZK}W>o<%QBbau0}hN6K*l+WwymjD?4 BbsGQx delta 900 zcmcb?dyZG!po#4i5Em|BW@2Pw;)uD?x;J^_DXWR{rG^%UMux_Q=0>KbMp5FtMurB4 zKmg$yG&UJ387QzZhq5s9NM_^|>lT;gr%XK7vb`w zF5%E#f6naXMV7gW%d~F&-12o@`|rC6QDI>&E6tCwmo@RrXeROI&Q9m@Slq<&&Y+3q z)#MqB8;qTS7RU;+*cezf!7b6tEGf-PE!ImcD9B0GOU}=2l7-o?o0y-xxr(Wj(QZ}! zk1Gq$u4hBCWVyUu{lnEugwu&+IQ1L^qpVtvpkWOtxGmkYP>%9+(+~vLn%X;2-__E z>xbT4{`zpQ%O<=rrvrtOZa=_Dx;Bb+!?&QGACAjPA4!J z+e`O9kF5F8<2*Bd@8`V#VZH8QX8*mmCLG-I>VMpVW`3x5x{-o0>XjAKjkEm;3=1CT zHg2KU+J z=y&?Xg$7(~99nH2=WIcV$DIL`CU|mUx)=C=Z934kYVx(&TbNxNbGqg`_CG(*w0zTx s$W1eu6jkJQJZfr08j#Sv;Y7A diff --git a/OSX/shared_regressions/si-44-seckey-aks.m b/OSX/shared_regressions/si-44-seckey-aks.m index 16632ba6..53232555 100644 --- a/OSX/shared_regressions/si-44-seckey-aks.m +++ b/OSX/shared_regressions/si-44-seckey-aks.m 
@@ -377,21 +377,21 @@ static void rewrapTest(void) { // Encrypt message with SEP key. NSData *message = [@"message" dataUsingEncoding:NSUTF8StringEncoding]; id pubKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)key)); - NSData *encrypted = CFBridgingRelease(SecKeyCreateEncryptedDataWithParameters((__bridge SecKeyRef)pubKey, kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM, (__bridge CFDataRef)message, (__bridge CFDictionaryRef)@{(id)kSecKeyEncryptionParameterSymmetricKeySizeInBits: @256}, (void *)&error)); + NSData *encrypted = CFBridgingRelease(SecKeyCreateEncryptedDataWithParameters((__bridge SecKeyRef)pubKey, kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM, (__bridge CFDataRef)message, (__bridge CFDictionaryRef)@{(id)kSecKeyEncryptionParameterSymmetricKeySizeInBits: @128}, (void *)&error)); ok(encrypted, "failed to encrypt with public key, %@", error); NSData *cert = [NSData dataWithBytes:satori_test_cert length:sizeof(satori_test_cert)]; NSDictionary *recryptParams = @{ (id)kSecKeyEncryptionParameterRecryptCertificate: cert, - (id)kSecKeyEncryptionParameterSymmetricKeySizeInBits: @256, + (id)kSecKeyEncryptionParameterSymmetricKeySizeInBits: @128, (id)kSecKeyEncryptionParameterRecryptParameters: @{ - (id)kSecKeyEncryptionParameterSymmetricKeySizeInBits: @256 + (id)kSecKeyEncryptionParameterSymmetricKeySizeInBits: @128 }, }; NSData *recrypted = CFBridgingRelease(SecKeyCreateDecryptedDataWithParameters((__bridge SecKeyRef)key, kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM, (__bridge CFDataRef)encrypted, (__bridge CFDictionaryRef)recryptParams, (void *)&error)); ok(recrypted, "failed to recrypt, %@", error); id recryptKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)[NSData dataWithBytes:satori_priv length:sizeof(satori_priv)], (CFDictionaryRef)@{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom, (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate}, (void *)&error)); - NSData *decrypted = 
CFBridgingRelease(SecKeyCreateDecryptedDataWithParameters((__bridge SecKeyRef)recryptKey, kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM, (__bridge CFDataRef)recrypted, (__bridge CFDictionaryRef)@{(id)kSecKeyEncryptionParameterSymmetricKeySizeInBits: @256}, (void *)&error)); + NSData *decrypted = CFBridgingRelease(SecKeyCreateDecryptedData((__bridge SecKeyRef)recryptKey, kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM, (__bridge CFDataRef)recrypted, (void *)&error)); ok(decrypted, "failed to decrypt, %@", error); ok([decrypted isEqualToData:message], "Decrypted data differs: %@ vs %@", decrypted, message); } diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/livability.cer b/OSX/shared_regressions/si-82-sectrust-ct-data/deprecatedSSLServer.cer similarity index 50% rename from OSX/shared_regressions/si-82-sectrust-ct-data/livability.cer rename to OSX/shared_regressions/si-82-sectrust-ct-data/deprecatedSSLServer.cer index b6812aef172cf9d9495d5990b71868de798ea706..c1b5fa7e03ca5b2731e9a07ac0690e6513b7467b 100644 GIT binary patch delta 320 zcmdnbafUMfg&4oC<`->R8mr6ab`}cZb@o!iC%GX*~G)z zY-YxW=EjB-zXW;M)i`KN#YpV4eh*Eo0yUenwa7y_c3meQ3YBlE65^eAk&0l z?dAxkJVucVSO2Rm6PzdZ*EUb?-cF`l;-~xmOuoe|>*>K@;L4;>Kjnjx#PoBD%MQ0k zA8c`WA#tqX{(=uPjN=?4z3ZBjUoa^$%nVc0N^zQedCJD$GA0ZkRZlDpz4&uce~B*B KMhmg>#XbO)3Vj3s delta 331 zcmX@Zv7bZSpozuWpo#g>0%j&gCMFIO(cqg^T%Ok^%9om37#bK_8d?~dnpj4O^BNf# zn1Z-QrUnL4291q|iU#s*%%LpIJQ6vXWr<0dIhiGudd20b6VGb1S(;c{7?@A|7vyp5 znChpXm;(kIvv2-cbkIfd2zR>ir9xh_{U5)t`}RqDir>1AQ(vSXo_zVvffVh zXK2l1Ef8?scH&@xsrQm(13r)@en!UsEG*1S%pC??Y#dr`9_MU9Ja+~I7bb<=hou`| zPS|(YQJ}xr;o_w=p{2)W25;LlFQV`TgY-F*L?#7cGXt%yZ@g|QRsYivv;Ez)K=ty} RvdKFqtB5#hRjl2x8vvi0d;0(Y 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/digicert_ev_root_ca.cer b/OSX/shared_regressions/si-82-sectrust-ct-data/digicert_ev_root_ca.cer new file mode 100644 index 0000000000000000000000000000000000000000..dae0196507d9166bbf9de6ed93ed5bd91d2a6f7c GIT binary patch literal 969 zcmXqLVm@ln#I$w+GZP~dlK|727_}^JhuQtym7mtRsg@h?vTHrk&& ztLnL}Q0ws3DJJQQxMViOXD)Ntcx3yg{tGjftaOaDx_oEKHJjTd7E8R&_^LL2_gWe( zWby8^XKvxdy5w!Em&G4m((=PUDRAG9qi=3oOnS`rlw%^#5e>)C->0KGMe7P*nC|y2 z;KS3U1MC5c*hY*|CU8utq&? zd&l;QPp7z6SghtsIkZ15c52JPg{pGxu~Grt3PNWbcjs{jTI}#X&BV;ez_>WsAklyi z7{#*ujEw(TSb)i@&43@o7Y6ZJ4VZzHfh)yU1V#fRgNzj0^gGw*%(v-CW8(-{yshZ|Lo0pNehH&82Z8W| zU7xFN3a0j%{+jp4b?dyFK8D^qCcbdi>Dyd!?)Ky0%ED_;6{j%X3T>aIlJc!9?aaM7 z=4V%!Y|Nakd}3aOl6Haf<4||QM9KFNM_cv%48AQe6jMI&{86fy@#+0i(hF>VoQmr< z>`vh5)a7A|3EF<-C)bRNqVe;E_SKjrTkLgNQvXCvo9oE*Ox~A0j}8cg?>JE=G%@s( zN9K(^T1?UWE>{!`Z-3cUpcXqJVcs5ZaZdd$r{$b8PO_^XycF~OmEz6}p*c2l_Rss% i5HmaZ>>Kx0s_N+r%s(?U)rMSO`QxRY@Z$0p@?HQubYDLJ literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com.cer b/OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com.cer deleted file mode 100644 index 32b46fcebaa22bc99e6d20fd5fef2447ffc7480a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1548 zcmaJ>Yfuwc6wckK!BJZo9r4jotKCh7iJeaO*M8@G=bU@L zbIygFL<%|Vej|zi1W`%Ny|%8&<@UtG&%Q8S$Xp4P5}7`f6?&osKr9x)H7%q9$|Pt$ zCc%+>8>xju1t7KV3nlLhC;S z<2)DbWeEQgqLOhD6ibw|Y=D`Zl2TPwWmv{%W%#THhu@n*2Pk5!<1ILWG()2hjN-|I z*)u#8!w@DSvzm4JoGvFZpYph!6zlf;2%Bv-k&zBZYL$GXnY6(0SI9#PXdU1R2gj>7hM;=_c1WVC`rjCbR)w(Ca5v}a0PkOi)UGjRvlmz*e_Qm{hrd%Pc}BhT+TX;XLi)C%vm z{x<65q|`&{GrHQ*E2#_YAKmy^f4Tbh+L9^P4wh*D+H(2k@_UG*V^7EUB9nB}qkZVn z7Y}rYPA=T}Rkf8!E~j#P8y*~NpOc++uDo3}_38GO(@Sl2qx!F$>D$|lpg;unaNszv zNHZ+srPZmi#c(0_FCn?uayP^J>0pGo+z|FP$9rGnwM2)n1lF$9Xj zlckFR;3bBkh`2GlaJnQ+7z-&s!D4X~3I_iWxI~B~utl&07D*I~Ls=m7XC{c!O5kjm zIKV?doOWRUoCYT7b(Drz&k4(YxlG1qMR$EVH9@JZkk4t)_2kNAUYnoLT_KhuypP8@zqe5TPChOzq zth2*5-864W%NtWwG2GGOcl=b)m#q8pfDcP*_-+gO!QGhI^=mDmp1?X~+J(b8HM4%+ zJT>2xl2EojMYcQrlxo(v?>991>&M-jbcyP`+dpyD8RNd$286^`EY+-LYZ++SbcA6U3@tn{#)c-X_{) c?^NFEwAcMufI$miByN&9u`3D}onV$JQ=JNMI zCT2zk#>GvHmw+L14xCtJ`B=nQME-OI?3%YzHL5za)qg5Oa{tSSY-a-@U{Q2ej}nG6P61{!P}+HAm_!p_7fCWA9>lM9L=+T|hI7Z@zi zYtsQK2c`tqu;A3>(xOz|ZfO>87Laa8?dvnYV$EONwJ9Z zKfNr~wx+i)`|$aOtScT8I@OYT2C8DpP^abOr{|+OsjL_*1~N$#9B?E;eat1Pn zQU(%00bm{#1ZPcSXGbFg6AN8KT@!Pl-=U!dbgQ9(zJV@`Z@}25h#n02$;AaImKw-| zY*J>CFc51HslS}M{LtMuyFVCkes;F}#kAho&=@)00}Cx+x@TmVw&+*=GuyXUw9jo9 zwLehA9N)c5Y=Y|dL(MmimzpGJ2nF*5cUGSa<6M5&%*BuILQ>M^wqGw6&NfN!4OSAj z`@7~{x}Ni+*m~oZPm2l;m~#EwXB&=&JGX4Qr~C23HxGG{!thON3?EKc zQ9dagTk_QHJ!j3lhcgYiI4Y(43+Iccov=9nu4no-ww=XpPcBb6_%vawYN_tcOv5*4 zryX8g_V-1J%Nn7bzWW1T?7ZUQr+#{!!o@nRnr+GM^U8KjzaaLUJ16(MbG|XRra}3y zxj(=9?I_!PR$|Lfh4;3%pPgDe`-0!4_LaQLT#5tk7DT^YTj#Y$>FNr#Cx==Ucy9s# Da6$|! diff --git a/OSX/shared_regressions/si-82-sectrust-ct.m b/OSX/shared_regressions/si-82-sectrust-ct.m index 10ae8424..63615768 100644 
--- a/OSX/shared_regressions/si-82-sectrust-ct.m +++ b/OSX/shared_regressions/si-82-sectrust-ct.m @@ -156,7 +156,6 @@ static void tests() SecCertificateRef certA=NULL, certD=NULL, certF=NULL, certCA_alpha=NULL, certCA_beta=NULL; CFDataRef proofD=NULL, proofA_1=NULL, proofA_2=NULL; SecCertificateRef www_digicert_com_2015_cert=NULL, www_digicert_com_2016_cert=NULL, digicert_sha2_ev_server_ca=NULL; - SecCertificateRef www_paypal_com_cert=NULL, www_paypal_com_issuer_cert=NULL; SecCertificateRef pilot_cert_3055998=NULL, pilot_cert_3055998_issuer=NULL; SecCertificateRef whitelist_00008013=NULL, whitelist_5555bc4f=NULL, whitelist_aaaae152=NULL, whitelist_fff9b5f6=NULL; SecCertificateRef whitelist_00008013_issuer=NULL, whitelist_5555bc4f_issuer=NULL, whitelist_fff9b5f6_issuer=NULL; @@ -184,8 +183,6 @@ static void tests() isnt(www_digicert_com_2015_cert = SecCertificateCreateFromResource(@"www_digicert_com_2015"), NULL, "create www.digicert.com 2015 cert"); isnt(www_digicert_com_2016_cert = SecCertificateCreateFromResource(@"www_digicert_com_2016"), NULL, "create www.digicert.com 2016 cert"); isnt(digicert_sha2_ev_server_ca = SecCertificateCreateFromResource(@"digicert_sha2_ev_server_ca"), NULL, "create digicert.com subCA cert"); - isnt(www_paypal_com_cert = SecCertificateCreateFromResource(@"www_paypal_com"), NULL, "create www.paypal.com cert"); - isnt(www_paypal_com_issuer_cert = SecCertificateCreateFromResource(@"www_paypal_com_issuer"), NULL, "create www.paypal.com issuer cert"); isnt(valid_ocsp = CFDataCreateFromResource(@"valid_ocsp_response"), NULL, "create valid_ocsp"); isnt(invalid_ocsp = CFDataCreateFromResource(@"invalid_ocsp_response"), NULL, "create invalid_ocsp"); isnt(bad_hash_ocsp = CFDataCreateFromResource(@"bad_hash_ocsp_response"), NULL, "create bad_hash_ocsp"); 
@@ -278,12 +275,20 @@ static void tests() CFReleaseNull(certs); CFReleaseNull(scts); - /* case 8: Current (April 2016) www.digicert.com cert: 3 embedded SCTs, CT qualified */ + /* case 8: April 2016 www.digicert.com cert: 3 embedded SCTs, CT qualified, but OCSP doesn't respond */ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array"); CFArrayAppendValue(certs, www_digicert_com_2016_cert); CFArrayAppendValue(certs, digicert_sha2_ev_server_ca); + + /* WatchOS doesn't require OCSP for EV flag, so even though the OCSP responder no longer responds for this cert, + * it is EV on watchOS. */ +#if TARGET_OS_WATCH test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.digicert.com"), date_20160422, true, true, false, "digicert 2016"); +#else + test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.digicert.com"), date_20160422, + true, false, false, "digicert 2016"); +#endif CFReleaseNull(certs); @@ -323,8 +328,6 @@ static void tests() CFReleaseSafe(www_digicert_com_2015_cert); CFReleaseSafe(www_digicert_com_2016_cert); CFReleaseSafe(digicert_sha2_ev_server_ca); - CFReleaseSafe(www_paypal_com_cert); - CFReleaseSafe(www_paypal_com_issuer_cert); CFReleaseSafe(pilot_cert_3055998); CFReleaseSafe(pilot_cert_3055998_issuer); CFReleaseSafe(whitelist_00008013); 
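Review bot: The non-watchOS expectation for case 8 becomes `true, false, false` only because, per the new comment, the OCSP responder no longer answers for this certificate, which ties the assertion to the state of an external service (assuming the evaluation reaches the network, which this hunk does not show). If test_ct_trust can take a canned OCSP response for this chain, supplying one would make the result deterministic on every platform. Otherwise extend the comment to say so, e.g. `/* Expected EV result depends on the responder staying unreachable; revisit if a fixture response is added. */`. tests() begins before this hunk and continues past it.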
@@ -817,12 +820,13 @@ errOut: static void test_apple_enforcement_exceptions(void) { SecCertificateRef appleRoot = NULL, appleServerAuthCA = NULL, apple_server_after = NULL; - SecCertificateRef geoTrustRoot = NULL, appleISTCA8G1 = NULL, livability = NULL; + SecCertificateRef geoTrustRoot = NULL, appleISTCA8G1 = NULL, deprecatedSSLServer = NULL; CFArrayRef trustedLogs = CTTestsCopyTrustedLogs(); SecTrustRef trust = NULL; SecPolicyRef policy = NULL; NSArray *anchors = nil, *certs = nil; - NSDate *date = [NSDate dateWithTimeIntervalSinceReferenceDate:562340800.0]; // October 27, 2018 at 6:46:40 AM PDT + NSDate *date1 = [NSDate dateWithTimeIntervalSinceReferenceDate:562340800.0]; // October 27, 2018 at 6:46:40 AM PDT + NSDate *date2 = [NSDate dateWithTimeIntervalSinceReferenceDate:576000000.0]; // April 3, 2019 at 9:00:00 AM PDT require_action(appleRoot = SecCertificateCreateFromResource(@"enforcement_apple_root"), errOut, fail("failed to create apple root")); 
@@ -834,25 +838,25 @@ static void test_apple_enforcement_exceptions(void) { errOut, fail("failed to create GeoTrust root")); require_action(appleISTCA8G1 = SecCertificateCreateFromResource(@"AppleISTCA8G1"), errOut, fail("failed to create apple IST CA")); - require_action(livability = SecCertificateCreateFromResource(@"livability"), + require_action(deprecatedSSLServer = SecCertificateCreateFromResource(@"deprecatedSSLServer"), errOut, fail("failed to create livability cert")); // test apple anchor after date without CT passes policy = SecPolicyCreateSSL(true, CFSTR("bbasile-test.scv.apple.com")); certs = @[ (__bridge id)apple_server_after, (__bridge id)appleServerAuthCA ]; require_noerr_action(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), errOut, fail("failed to create trust")); - require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date), errOut, fail("failed to set verify date")); + require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date1), errOut, fail("failed to set verify date")); require_noerr_action(SecTrustSetTrustedLogs(trust, trustedLogs), errOut, fail("failed to set trusted logs")); ok(SecTrustEvaluateWithError(trust, NULL), "apple root post-flag-date non-CT cert failed"); CFReleaseNull(trust); CFReleaseNull(policy); // test apple ca after date without CT passes - policy = SecPolicyCreateSSL(true, CFSTR("livability.swe.apple.com")); - certs = @[ (__bridge id)livability, (__bridge id)appleISTCA8G1 ]; + policy = SecPolicyCreateSSL(true, CFSTR("bbasile-test.scv.apple.com")); + certs = @[ (__bridge id)deprecatedSSLServer, (__bridge id)appleISTCA8G1 ]; anchors = @[ (__bridge id)geoTrustRoot ]; require_noerr_action(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), errOut, fail("failed to create trust")); - require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date), errOut, fail("failed to set verify date")); + 
require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date2), errOut, fail("failed to set verify date")); require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), errOut, fail("failed to set anchors")); require_noerr_action(SecTrustSetTrustedLogs(trust, trustedLogs), errOut, fail("failed to set trusted logs")); ok(SecTrustEvaluateWithError(trust, NULL), "apple public post-flag-date non-CT cert failed"); @@ -863,7 +867,7 @@ errOut: CFReleaseNull(apple_server_after); CFReleaseNull(geoTrustRoot); CFReleaseNull(appleISTCA8G1); - CFReleaseNull(livability); + CFReleaseNull(deprecatedSSLServer); CFReleaseNull(trustedLogs); CFReleaseNull(trust); CFReleaseNull(policy); @@ -1427,7 +1431,7 @@ static void test_ct_exceptions(void) { int si_82_sectrust_ct(int argc, char *const *argv) { - plan_tests(433); + plan_tests(431); tests(); test_sct_serialization(); diff --git a/Security.xcodeproj/project.pbxproj b/Security.xcodeproj/project.pbxproj index 0f7c7884..f7e1cec6 100644 --- a/Security.xcodeproj/project.pbxproj +++ b/Security.xcodeproj/project.pbxproj @@ -5443,6 +5443,8 @@ F6AF96681E646CAF00917214 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4432AF6A1A01458F000958DC /* libcoreauthd_client.a */; }; F93C493B1AB8FF530047E01A /* ckcdiagnose.sh in CopyFiles */ = {isa = PBXBuildFile; fileRef = F93C493A1AB8FF530047E01A /* ckcdiagnose.sh */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; }; F964772C1E5832540019E4EB /* SecCodePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD0678E1D8CDF7E007602F1 /* SecCodePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + F9C8AFCD223740C800E7D6AE /* requirement.h in Headers */ = {isa = PBXBuildFile; fileRef = F9C8AFCB223740C800E7D6AE /* requirement.h */; }; + F9C8AFD222374D1100E7D6AE /* requirement.c in Sources */ = {isa = PBXBuildFile; fileRef = F9C8AFC5223740C700E7D6AE /* requirement.c */; }; /* End PBXBuildFile section */ /* Begin PBXBuildRule section */ 
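Review bot: After the rename to `deprecatedSSLServer`, the failure message on the creation line still reads `"failed to create livability cert"`; it should name the new resource, e.g. `fail("failed to create deprecatedSSLServer cert")`, so a failing run points at the right file. The second case now reuses the hostname `bbasile-test.scv.apple.com` and verifies at `date2` instead of `date1`, and a one-line comment on why this certificate needs the April 2019 date would help the next reader. test_apple_enforcement_exceptions starts in the previous hunk and its cleanup is in the following one.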
@@ -10152,7 +10154,6 @@ 6C9AA79E1F7C1D8F00D08296 /* supdctl */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = supdctl; sourceTree = BUILT_PRODUCTS_DIR; }; 6C9AA7A01F7C1D9000D08296 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 6CA2B9431E9F9F5700C43444 /* RateLimiter.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = RateLimiter.h; sourceTree = ""; }; - 6CA557FE219E214200993CF4 /* securityuploadd-sim.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = "securityuploadd-sim.plist"; sourceTree = ""; }; 6CA837612210C5E7002770F1 /* kc-45-change-password.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = "kc-45-change-password.c"; path = "regressions/kc-45-change-password.c"; sourceTree = ""; }; 6CAA8D201F842FB3007B6E03 /* securityuploadd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = securityuploadd; sourceTree = BUILT_PRODUCTS_DIR; }; 6CB5F4751E4025AB00DBF3F0 /* CKKSCloudKitTestsInfo.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = CKKSCloudKitTestsInfo.plist; sourceTree = ""; }; 
@@ -13377,6 +13378,8 @@ F6A3CB0D1E7062BA00E7821F /* authd-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = "authd-Entitlements.plist"; path = "OSX/authd/authd-Entitlements.plist"; sourceTree = ""; }; F93C493A1AB8FF530047E01A /* ckcdiagnose.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = ckcdiagnose.sh; sourceTree = ""; }; F9B458272183E01100F6BCEB /* SignatureEditing.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; name = SignatureEditing.sh; path = OSX/codesign_tests/SignatureEditing.sh; sourceTree = ""; }; + F9C8AFC5223740C700E7D6AE /* requirement.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = requirement.c; sourceTree = ""; }; + F9C8AFCB223740C800E7D6AE /* requirement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = requirement.h; sourceTree = ""; }; /* End PBXFileReference section */ /* Begin PBXFrameworksBuildPhase section */ @@ -17784,6 +17787,8 @@ DC5ABDBE1D832D5800CF422C /* Source */ = { isa = PBXGroup; children = ( + F9C8AFC5223740C700E7D6AE /* requirement.c */, + F9C8AFCB223740C800E7D6AE /* requirement.h */, DC5ABD781D832D5800CF422C /* srCdsaUtils.cpp */, DC5ABD791D832D5800CF422C /* srCdsaUtils.h */, DC5ABD7A1D832D5800CF422C /* createFVMaster.c */, @@ -22853,6 +22858,7 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + F9C8AFCD223740C800E7D6AE /* requirement.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -30304,6 +30310,7 @@ DC5ABDEB1D832E4000CF422C /* verify_cert.c in Sources */, DC5ABDEC1D832E4000CF422C /* access_utils.c in Sources */, DC5ABDED1D832E4000CF422C /* translocate.c in Sources */, + F9C8AFD222374D1100E7D6AE /* requirement.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
diff --git a/SecurityTool/requirement.c b/SecurityTool/requirement.c new file mode 100644 index 00000000..a3527644 --- /dev/null +++ b/SecurityTool/requirement.c 
@@ -0,0 +1,104 @@ +/* + * Copyright (c) 2019 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include + +#include +#include +#include + +#include "security_tool.h" +#include "trusted_cert_utils.h" +#include "requirement.h" + +#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) { CFRelease(_cf); } } + +int requirement_evaluate(int argc, char * const *argv) +{ + int err = 0; + CFErrorRef error = NULL; + CFStringRef reqStr = NULL; + SecRequirementRef req = NULL; + CFMutableArrayRef certs = NULL; + + if (argc < 3) { + return SHOW_USAGE_MESSAGE; + } + + // Create Requirement + + reqStr = CFStringCreateWithCString(NULL, argv[1], kCFStringEncodingUTF8); + + OSStatus status = SecRequirementCreateWithStringAndErrors(reqStr, + kSecCSDefaultFlags, &error, &req); + + if (status != errSecSuccess) { + CFStringRef errorDesc = CFErrorCopyDescription(error); + CFIndex errorLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(errorDesc), + kCFStringEncodingUTF8); + char *errorStr = malloc(errorLength+1); + + CFStringGetCString(errorDesc, errorStr, errorLength+1, 
kCFStringEncodingUTF8); + + fprintf(stderr, "parsing requirement failed (%d): %s\n", status, errorStr); + + free(errorStr); + + err = 1; + } + + // Create cert chain + + const int num_certs = argc - 2; + + certs = CFArrayCreateMutable(NULL, num_certs, &kCFTypeArrayCallBacks); + + for (int i = 0; i < num_certs; ++i) { + SecCertificateRef cert = NULL; + + if (readCertFile(argv[2 + i], &cert) != 0) { + fprintf(stderr, "Error reading certificate at '%s'\n", argv[2 + i]); + err = 2; + goto out; + } + + CFArrayAppendValue(certs, cert); + CFRelease(cert); + } + + // Evaluate! + + if (req != NULL) { + status = SecRequirementEvaluate(req, certs, NULL, kSecCSDefaultFlags); + printf("%d\n", status); + err = status == 0 ? 0 : 3; + } + +out: + CFReleaseSafe(certs); + CFReleaseSafe(req); + CFReleaseSafe(reqStr); + CFReleaseSafe(error); + + return err; +} diff --git a/SecurityTool/requirement.h b/SecurityTool/requirement.h new file mode 100644 index 00000000..c0a1e3a0 --- /dev/null +++ b/SecurityTool/requirement.h 
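Review bot: In the parse-failure branch of requirement_evaluate, the string returned by CFErrorCopyDescription is never released, and `error`, the `malloc` result and the CFStringGetCString result are all used unchecked, so a failed conversion would hand an uninitialised buffer to `fprintf`. `reqStr` is also passed on without a NULL check, although CFStringCreateWithCString returns NULL when argv[1] is not valid UTF-8. The rewritten branch below releases the description and falls back to a fixed message when no text is available. After a parse failure the function still reads every certificate file, so the exit code can change from 1 to 2; if that is intended, a comment would make it explicit.

```c
    reqStr = CFStringCreateWithCString(NULL, argv[1], kCFStringEncodingUTF8);
    if (reqStr == NULL) {
        fprintf(stderr, "requirement string is not valid UTF-8\n");
        return 1;
    }
    // … unchanged: SecRequirementCreateWithStringAndErrors call …
    if (status != errSecSuccess) {
        CFStringRef errorDesc = error ? CFErrorCopyDescription(error) : NULL;
        char *errorStr = NULL;

        if (errorDesc != NULL) {
            CFIndex errorLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(errorDesc),
                                                                    kCFStringEncodingUTF8);
            errorStr = malloc(errorLength + 1);
            if (errorStr != NULL &&
                !CFStringGetCString(errorDesc, errorStr, errorLength + 1, kCFStringEncodingUTF8)) {
                free(errorStr);
                errorStr = NULL;
            }
        }

        fprintf(stderr, "parsing requirement failed (%d): %s\n", status,
                errorStr ? errorStr : "(no description)");

        free(errorStr);
        CFReleaseSafe(errorDesc);
        err = 1;
    }
    // … unchanged: certificate chain construction, evaluation and cleanup …
```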
@@ -0,0 +1,38 @@ +/* + * Copyright (c) 2019 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#ifndef _REQUIREMENT_H_ +#define _REQUIREMENT_H_ 1 + +#ifdef __cplusplus +extern "C" { +#endif + +extern int requirement_evaluate(int argc, char * const *argv); + +#ifdef __cplusplus +} +#endif + +#endif /* _REQUIREMENT_H_ */ diff --git a/SecurityTool/security.c b/SecurityTool/security.c index 301f00b5..798d2e65 100644 --- a/SecurityTool/security.c +++ b/SecurityTool/security.c @@ -57,6 +57,7 @@ #include "createFVMaster.h" #include "smartcards.h" #include "translocate.h" +#include "requirement.h" #include #include 
@@ -732,7 +733,13 @@ const command commands[] = "If the provided path is translocated, display the original path\n" "If the provided path is not translocated, display the passed in path", "Find the original path for a translocated path." }, - {} + + { "requirement-evaluate", requirement_evaluate, + " [ ...]\n" + "Evaluates the given requirement string against the given cert chain.", + "Evaluate a requirement against a cert chain." }, + + {} }; /* Global variables. */ diff --git a/securityd/src/transition.cpp b/securityd/src/transition.cpp index 112926bf..20f8b182 100644 --- a/securityd/src/transition.cpp +++ b/securityd/src/transition.cpp @@ -219,6 +219,13 @@ Database *pickDb(Database *db1, Database *db2) return Server::optionalDatabase(noDb); } +static void checkPathLength(char const *str) { + if (strlen(str) >= PATH_MAX) { + secerror("SecServer: path too long"); + CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR); + } +} + // // Setup/Teardown functions. // @@ -306,15 +313,16 @@ kern_return_t ucsp_server_getDbName(UCSP_ARGS, DbHandle db, char name[PATH_MAX]) { BEGIN_IPC(getDbName) string result = Server::database(db)->dbName(); - assert(result.length() < PATH_MAX); - memcpy(name, result.c_str(), result.length() + 1); + checkPathLength(result.c_str()); + memcpy(name, result.c_str(), result.length() + 1); END_IPC(DL) } kern_return_t ucsp_server_setDbName(UCSP_ARGS, DbHandle db, const char *name) { BEGIN_IPC(setDbName) - Server::database(db)->dbName(name); + checkPathLength(name); + Server::database(db)->dbName(name); END_IPC(DL) } 
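Review bot: In ucsp_server_getDbName the new check measures `strlen(result.c_str())`, while the `memcpy` that follows still copies `result.length() + 1` bytes into `name[PATH_MAX]`; the two lengths differ if the std::string ever holds an embedded NUL, and the removed assert compared `result.length()` directly. Bounding the length that is actually copied keeps the guard exact, e.g. `if (result.length() >= PATH_MAX) { secerror("SecServer: path too long"); CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR); }`. Whether dbName() can contain a NUL is not visible here, so this is a defensive point. checkPathLength would also benefit from a one-line comment such as `// Throws if str, including its terminator, does not fit in a PATH_MAX buffer.`, and a note on why a memory error code is reported for an over-long path.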
@@ -541,6 +549,7 @@ kern_return_t ucsp_server_createDb(UCSP_ARGS, DbHandle *db, CopyOutAccessCredentials creds(cred, credLength); CopyOutEntryAcl owneracl(owner, ownerLength); CopyOut flatident(ident, identLength, reinterpret_cast(xdr_DLDbFlatIdentifierRef)); + checkPathLength((*reinterpret_cast(flatident.data())).name); #ifndef __clang_analyzer__ *db = (new KeychainDatabase(*reinterpret_cast(flatident.data()), params, connection.process(), creds, owneracl))->handle(); #endif @@ -554,6 +563,8 @@ kern_return_t ucsp_server_cloneDb(UCSP_ARGS, DbHandle srcDb, DATA_IN(ident), DbH CopyOut flatident(ident, identLength, reinterpret_cast(xdr_DLDbFlatIdentifierRef)); + checkPathLength((*reinterpret_cast(flatident.data())).name); + RefPointer srcKC = Server::keychain(srcDb); secnotice("integrity", "cloning db %d", srcKC->handle()); @@ -659,6 +670,8 @@ kern_return_t ucsp_server_decodeDb(UCSP_ARGS, DbHandle *db, DLDbFlatIdentifier* flatID = (DLDbFlatIdentifier*) flatident.data(); DLDbIdentifier id = *flatID; // invokes a casting operator + checkPathLength(id.dbName()); + #ifndef __clang_analyzer__ *db = (new KeychainDatabase(id, SSBLOB(DbBlob, blob), connection.process(), creds))->handle(); @@ -1383,6 +1396,7 @@ kern_return_t ucsp_server_createGuest(UCSP_ARGS, SecGuestRef host, SecCSFlags flags, SecGuestRef *newGuest) { BEGIN_IPC(createGuest) + checkPathLength(path); *newGuest = connection.process().createGuest(host, status, path, DATA(cdhash), DATA(attributes), flags); END_IPC(CSSM) } diff --git a/trust/SecCertificatePriv.h b/trust/SecCertificatePriv.h index b0786e3c..9c28e8e4 100644 --- a/trust/SecCertificatePriv.h +++ b/trust/SecCertificatePriv.h 
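Review bot: The decodeDb hunk calls `checkPathLength(id.dbName())` only after `DLDbIdentifier id = *flatID;` has already converted the identifier, whereas the createDb and cloneDb hunks check the flat identifier's `name` before it is used. If the conversion is safe for a name of any length, a short comment saying so would settle the question; otherwise validate the flat name (presumably `flatID->name`) ahead of the conversion so all three entry points reject the input at the same stage. The cast expression passed to checkPathLength in createDb and cloneDb is identical and could live in one small static helper, so the two sites cannot drift apart. All four functions touched here extend beyond their hunks.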
@@ -419,6 +419,8 @@ CFDataRef SecCertificateCopyExtensionValue(SecCertificateRef certificate, CFTypeRef extensionOID, bool *isCritical) __OSX_AVAILABLE_STARTING(__MAC_10_13_4, __IPHONE_11_3); +bool SecCertificateGetDeveloperIDDate(SecCertificateRef certificate, CFAbsoluteTime *time, CFErrorRef * CF_RETURNS_RETAINED error); + /* * Legacy functions (OS X only) */ -- 2.45.2
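Review bot: SecCertificateGetDeveloperIDDate is declared with no header comment and no availability annotation, while the declaration just above it in this hunk carries `__OSX_AVAILABLE_STARTING(__MAC_10_13_4, __IPHONE_11_3)`. A short comment stating what the boolean result means, whether `*time` is written when the function returns false, and that the caller must release `*error` (as `CF_RETURNS_RETAINED` implies) would make the contract usable from the header alone. The surrounding declarations continue outside the hunk.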