From 3a7be6fd655a5b07ffb821947ed6ba5fdc4bea8c Mon Sep 17 00:00:00 2001 
From: Apple Date: Tue, 29 Nov 2016 21:43:50 +0000 Subject: [PATCH] Security-57740.20.22.tar.gz --- .gitignore | 4 + OSX/OSX.xcodeproj/project.pbxproj | 33 +- .../xcschemes/osx - World.xcscheme | 12 +- OSX/authd/authtoken.c | 1 + OSX/authd/engine.c | 1 + OSX/authd/process.c | 28 +- OSX/authd/process.h | 13 +- ....dfr.prompts-BBBAA77A32-C4EBFEA440.strings | 157 ++ OSX/lib/security.exp-in | 16 +- OSX/libsecurity_asn1/.gitignore | 3 + .../libsecurity_asn1.xcodeproj/.gitignore | 2 + .../lib/AuthorizationTagsPriv.h | 1 + .../project.pbxproj | 4 + .../lib/DLDBListCFPref.cpp | 7 + OSX/libsecurity_keychain/lib/SecItem.cpp | 2 +- OSX/libsecurity_keychain/lib/SecItemPriv.h | 2 + OSX/libsecurity_keychain/lib/SecKeyPriv.h | 16 + OSX/libsecurity_keychain/lib/SecPolicyPriv.h | 430 +++-- .../lib/StorageManager.cpp | 6 +- OSX/libsecurity_keychain/libDER/.gitignore | 3 + .../libDER/libDER.xcodeproj/.gitignore | 2 + OSX/libsecurity_smime/.gitignore | 3 + OSX/libsecurity_ssl/.gitignore | 3 + .../libsecurity_ssl.xcodeproj/.gitignore | 2 + OSX/regressions/.gitignore | 1 + .../regressions.xcodeproj/.gitignore | 2 + OSX/sec/.gitignore | 4 + .../Regressions/secitem/si-25-cms-skid.h | 270 ++++ .../Regressions/secitem/si-25-cms-skid.m | 62 + .../secitem/si-71-mobile-store-policy.c | 4 +- .../secitem/si-84-sectrust-whitelist.c | 1386 +++++++++++++++++ OSX/sec/Security/SecAccessControl.c | 5 +- OSX/sec/Security/SecCTKKey.c | 70 +- OSX/sec/Security/SecCertificate.c | 15 +- OSX/sec/Security/SecCertificateInternal.h | 4 +- OSX/sec/Security/SecCertificatePath.c | 10 +- OSX/sec/Security/SecCertificatePath.h | 2 + OSX/sec/Security/SecExports.exp-in | 9 +- OSX/sec/Security/SecItem.c | 27 +- OSX/sec/Security/SecItemInternal.h | 2 + OSX/sec/Security/SecKey.c | 10 +- OSX/sec/Security/SecKeyPriv.h | 15 + OSX/sec/Security/SecPolicy.c | 148 +- OSX/sec/Security/SecPolicyLeafCallbacks.c | 2 +- OSX/sec/Security/SecPolicyPriv.h | 534 ++++--- OSX/sec/sec.xcodeproj/project.pbxproj | 12 + 
OSX/sec/securityd/OTATrustUtilities.c | 128 +- OSX/sec/securityd/OTATrustUtilities.h | 7 +- OSX/sec/securityd/SecDbKeychainItem.c | 2 +- OSX/sec/securityd/SecItemDb.c | 19 +- OSX/sec/securityd/SecKeybagSupport.c | 7 +- OSX/sec/securityd/SecKeybagSupport.h | 6 +- OSX/sec/securityd/SecPolicyServer.c | 149 +- OSX/sec/securityd/SecPolicyServer.h | 1 + OSX/sec/securityd/SecTrustServer.c | 88 +- OSX/shared_regressions/shared_regressions.h | 3 + .../si-20-sectrust-policies-data/.gitignore | 2 + OSX/utilities/.gitignore | 1 + OSX/utilities/src/SecAppleAnchor.c | 301 +++- OSX/utilities/src/SecAppleAnchorPriv.h | 2 + OSX/utilities/src/SecInternalRelease.c | 2 +- OSX/utilities/utilities.xcodeproj/.gitignore | 2 + Security.xcodeproj/.gitignore | 2 + Security.xcodeproj/project.pbxproj | 2 - .../xcschemes/ios - Debug.xcscheme | 8 + .../xcschemes/ios - Release.xcscheme | 4 + SecurityTests/.gitignore | 6 + .../libsecurity_smime.xcodeproj/.gitignore | 2 + .../securityd_service/main.c | 186 ++- .../securityd_service/securityd_service.h | 3 + .../securityd_service_client.c | 80 +- .../securityd_service_client.h | 5 +- .../securitydservicectrl/main.c | 38 +- .../securitydservicectrl.entitlements | 4 +- 74 files changed, 3627 insertions(+), 778 deletions(-) create mode 100644 .gitignore create mode 100644 OSX/lib/en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings create mode 100644 OSX/libsecurity_asn1/.gitignore create mode 100644 OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/.gitignore create mode 100644 OSX/libsecurity_keychain/libDER/.gitignore create mode 100644 OSX/libsecurity_keychain/libDER/libDER.xcodeproj/.gitignore create mode 100644 OSX/libsecurity_smime/.gitignore create mode 100644 OSX/libsecurity_ssl/.gitignore create mode 100644 OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/.gitignore create mode 100644 OSX/regressions/.gitignore create mode 100644 OSX/regressions/regressions.xcodeproj/.gitignore create mode 100644 OSX/sec/.gitignore create mode 100644 
OSX/sec/Security/Regressions/secitem/si-25-cms-skid.h create mode 100644 OSX/sec/Security/Regressions/secitem/si-25-cms-skid.m create mode 100644 OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/.gitignore create mode 100644 OSX/utilities/.gitignore create mode 100644 OSX/utilities/utilities.xcodeproj/.gitignore create mode 100644 Security.xcodeproj/.gitignore create mode 100644 SecurityTests/.gitignore create mode 100644 libsecurity_smime/libsecurity_smime.xcodeproj/.gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..dfd386e4 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +*~ +cscope.out +.DS_Store +xcuserdata diff --git a/OSX/OSX.xcodeproj/project.pbxproj b/OSX/OSX.xcodeproj/project.pbxproj index 482c5946..030366f7 100644 --- a/OSX/OSX.xcodeproj/project.pbxproj +++ b/OSX/OSX.xcodeproj/project.pbxproj 
@@ -210,7 +210,6 @@ 18F2353615C9FDD200060520 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; 18F2353715C9FDE400060520 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; 18F2353815C9FDEF00060520 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; - 18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; }; 18FE68021471A42900A2CBE3 /* SecDigestTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A3146F1BEC000BF1F3 /* SecDigestTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; 18FE68031471A42900A2CBE3 /* SecReadTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A4146F1BEC000BF1F3 /* SecReadTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; 18FE68041471A42900A2CBE3 /* SecTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A5146F1BEC000BF1F3 /* SecTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; 
@@ -448,6 +447,7 @@ 52F8DE4C1AF2EB6600A2C271 /* SOSTypes.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */; }; 532847791785076B009118DC /* Localizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5328475117850741009118DC /* Localizable.strings */; }; 5E605AFC1AB859B70049FA14 /* libcoreauthd_test_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */; }; + 5E6344221D4B834600A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5E6343FC1D4B6FF800A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings */; }; 5E7AF4731ACD64AC00005140 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; 5E7AF49B1ACD64E600005140 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; 5EC01FEE1B0CA7E0009FBB75 /* sec_acl_stress.c in Sources */ = {isa = PBXBuildFile; fileRef = 5EC01FED1B0CA7E0009FBB75 /* sec_acl_stress.c */; }; 
@@ -479,7 +479,6 @@ BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; }; BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; - BE48AE0D1ADF1DF4000836C1 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; }; BE48AE0E1ADF1DF4000836C1 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; BE48AE0F1ADF1DF4000836C1 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; 
@@ -591,6 +590,8 @@ DC311CC81CCEC82E00E14E8D /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; DC7EFBAB1CBC46A7005F9624 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */; }; DC7EFC0E1CBC7567005F9624 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */; }; + DCA28DF71D629C6D00201446 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DCA28DF61D629C6D00201446 /* libsqlite3.dylib */; }; + DCA28E1C1D629C7C00201446 /* AppleSystemInfo.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C5DD46B17A5F67300696A79 /* AppleSystemInfo.framework */; }; E74583F51BF66506001B54A4 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; E76079D61951FDAF00F69731 /* liblogging.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E76079D51951FDA800F69731 /* liblogging.a */; }; E778BFBC17176DDE00302C14 /* security.exp-in in Sources */ = {isa = PBXBuildFile; fileRef = 182BB562146F4C73000BF1F3 /* security.exp-in */; }; 
@@ -2629,6 +2630,7 @@ 5328475217850741009118DC /* en */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/Localizable.strings; sourceTree = ""; }; 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_client.a; path = usr/local/lib/libcoreauthd_client.a; sourceTree = SDKROOT; }; 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_test_client.a; path = usr/local/lib/libcoreauthd_test_client.a; sourceTree = SDKROOT; }; + 5E6343FD1D4B6FF800A23FB4 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = "en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings"; sourceTree = ""; }; 5E7AF4721ACD64AC00005140 /* libACM.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libACM.a; path = usr/local/lib/libACM.a; sourceTree = SDKROOT; }; 5EC01FED1B0CA7E0009FBB75 /* sec_acl_stress.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = sec_acl_stress.c; path = ../../secacltests/sec_acl_stress.c; sourceTree = ""; }; 5EC01FF01B0CAE62009FBB75 /* LocalAuthentication.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = LocalAuthentication.framework; path = System/Library/Frameworks/LocalAuthentication.framework; sourceTree = SDKROOT; }; 
@@ -2706,6 +2708,7 @@ D4DDD9661CA2F2A700AA03AE /* libbsm.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libbsm.dylib; path = usr/lib/libbsm.dylib; sourceTree = SDKROOT; }; D4EC94D51CEA48000083E753 /* si-20-sectrust-policies-data */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "si-20-sectrust-policies-data"; path = "../shared_regressions/si-20-sectrust-policies-data"; sourceTree = ""; }; DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SecurityFoundation.framework; path = System/Library/Frameworks/SecurityFoundation.framework; sourceTree = SDKROOT; }; + DCA28DF61D629C6D00201446 /* libsqlite3.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libsqlite3.dylib; path = usr/lib/libsqlite3.dylib; sourceTree = SDKROOT; }; EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "bc-10-knife-on-bread.m"; path = "Breadcrumb/bc-10-knife-on-bread.m"; sourceTree = ""; }; EB22F3F618A26BA50016A8EC /* breadcrumb_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = breadcrumb_regressions.h; path = Breadcrumb/breadcrumb_regressions.h; sourceTree = ""; }; EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = SecBreadcrumb.c; path = Breadcrumb/SecBreadcrumb.c; sourceTree = ""; }; 
@@ -2851,7 +2854,6 @@ 44A655CF1AA4B4F50059D185 /* libctkclient.a in Frameworks */, 8E64DB4A1C17C26F0076C9DF /* libDER.a in Frameworks */, AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */, - 18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */, 18270EFA14CF426200B05E7F /* libsqlite3.dylib in Frameworks */, 4C8D8651177A752D0019A804 /* libsecipc_client.a in Frameworks */, 4C01DF14164C3E7C006798CD /* libSecureObjectSync.a in Frameworks */, @@ -2964,6 +2966,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + DCA28E1C1D629C7C00201446 /* AppleSystemInfo.framework in Frameworks */, + DCA28DF71D629C6D00201446 /* libsqlite3.dylib in Frameworks */, EBB6970B1BE2091300715F16 /* Foundation.framework in Frameworks */, 5EF7C2521B00EB0A00E5E99C /* libaks.a in Frameworks */, 5EF7C2511B00EAF100E5E99C /* libcoreauthd_client.a in Frameworks */, @@ -2997,7 +3001,6 @@ BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */, BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */, BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */, - BE48AE0D1ADF1DF4000836C1 /* libsecurity_codesigning.a in Frameworks */, BE48AE0E1ADF1DF4000836C1 /* libASN1.a in Frameworks */, BE48AE0F1ADF1DF4000836C1 /* libDER.a in Frameworks */, BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */, @@ -3143,6 +3146,7 @@ 1807384D146D0D4E00F05C24 /* Frameworks */ = { isa = PBXGroup; children = ( + DCA28DF61D629C6D00201446 /* libsqlite3.dylib */, 6C721DB01D3D18D700888AE1 /* login.framework */, D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */, DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */, 
@@ -3315,6 +3319,7 @@ children = ( 187D6B8F15D4359F00E27494 /* authorization.buttons.strings */, 187D6B9115D4359F00E27494 /* authorization.prompts.strings */, + 5E6343FC1D4B6FF800A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings */, 43A598591B0CF2AB00D14A7B /* CloudKeychain.strings */, 188AD8D81471FE3D0081C619 /* FDELocalizable.strings */, 182BB55C146F4544000BF1F3 /* FDEPrefs.plist */, @@ -5621,6 +5626,7 @@ 188AD8DC1471FE3E0081C619 /* FDELocalizable.strings in Resources */, 188AD8DD1471FE3E0081C619 /* InfoPlist.strings in Resources */, 52B006C015238F76005D4556 /* TimeStampingPrefs.plist in Resources */, + 5E6344221D4B834600A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings in Resources */, 187D6B9315D435BD00E27494 /* authorization.buttons.strings in Resources */, 187D6B9415D435C700E27494 /* authorization.prompts.strings in Resources */, ); @@ -6590,6 +6596,14 @@ name = Localizable.strings; sourceTree = ""; }; + 5E6343FC1D4B6FF800A23FB4 /* authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings */ = { + isa = PBXVariantGroup; + children = ( + 5E6343FD1D4B6FF800A23FB4 /* en */, + ); + name = "authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings"; + sourceTree = ""; + }; CD276BE21A83F204003226BC /* InfoPlist.strings */ = { isa = PBXVariantGroup; children = ( @@ -6792,6 +6806,7 @@ "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", "-framework", AppleSystemInfo, + "-lc++", ); USE_HEADERMAP = NO; }; @@ -7461,6 +7476,10 @@ ARCHS = "$(ARCHS_STANDARD)"; CLANG_ENABLE_OBJC_ARC = YES; CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist"; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); GCC_PREPROCESSOR_DEFINITIONS = ( "DEBUG=1", "$(inherited)", 
@@ -7492,6 +7511,10 @@ ARCHS = "$(ARCHS_STANDARD)"; CLANG_ENABLE_OBJC_ARC = YES; CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist"; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); GCC_WARN_UNDECLARED_SELECTOR = YES; HEADER_SEARCH_PATHS = ( "$(inherited)", @@ -7546,6 +7569,7 @@ "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", "-framework", AppleSystemInfo, + "-lc++", ); PRODUCT_NAME = trustd; USE_HEADERMAP = NO; @@ -7587,6 +7611,7 @@ "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", "-framework", AppleSystemInfo, + "-lc++", ); PRODUCT_NAME = trustd; USE_HEADERMAP = NO; diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme index 09f31817..0264d450 100644 --- a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme @@ -73,10 +73,6 @@ - - @@ -97,6 +93,10 @@ argument = "kc-30-xara" isEnabled = "NO"> + + @@ -285,6 +285,10 @@ argument = "si_83_seccertificate_sighashalg" isEnabled = "NO"> + + diff --git a/OSX/authd/authtoken.c b/OSX/authd/authtoken.c index 6f123e6f..c627cb29 100644 --- a/OSX/authd/authtoken.c +++ b/OSX/authd/authtoken.c @@ -60,6 +60,7 @@ struct _auth_token_s { bool least_privileged; bool appleSigned; + bool firstPartySigned; bool sandboxed; char * code_url; diff --git a/OSX/authd/engine.c b/OSX/authd/engine.c index 6e2d250c..0ef521ba 100644 --- a/OSX/authd/engine.c +++ b/OSX/authd/engine.c @@ -185,6 +185,7 @@ _set_process_immutable_hints(auth_items_t immutable_hints, process_t proc) { // process information - immutable auth_items_set_bool(immutable_hints, AGENT_HINT_PROCESS_SIGNED, process_apple_signed(proc)); + auth_items_set_bool(immutable_hints, AGENT_HINT_PROCESS_FROM_APPLE, process_firstparty_signed(proc)); } void diff --git a/OSX/authd/process.c b/OSX/authd/process.c index 19f71229..2e8eb4da 100644 
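Review bot: `firstPartySigned` is added to `struct _auth_token_s` in authtoken.c, but going by the diffstat (authtoken.c changes by a single line) nothing in this patch assigns or reads it, so unless the token is allocated with a zeroing allocator a later reader would see an indeterminate value. Either wire it up in the same change, presumably where `appleSigned` is populated in the token's create path, or leave the field out until a consumer exists. A comment such as `// set from process_firstparty_signed(); like appleSigned but excludes Mac App Store signatures` would record the intent. The struct definition continues outside the hunk.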
--- a/OSX/authd/process.c +++ b/OSX/authd/process.c @@ -33,7 +33,8 @@ struct _process_s { mach_port_t bootstrap; - bool appleSigned; + bool appStoreSigned; + bool firstPartySigned; }; static void @@ -182,14 +183,20 @@ process_create(const audit_info_s * auditInfo, session_t session) } // This is the clownfish supported way to check for a Mac App Store or B&I signed build - CFStringRef requirementString = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])"); + // AppStore apps must have resource envelope 2. Check with spctl -a -t exec -vv + CFStringRef firstPartyRequirement = CFSTR("anchor apple"); + CFStringRef appStoreRequirement = CFSTR("anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists"); SecRequirementRef secRequirementRef = NULL; - status = SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &secRequirementRef); + status = SecRequirementCreateWithString(firstPartyRequirement, kSecCSDefaultFlags, &secRequirementRef); if (status == errSecSuccess) { - proc->appleSigned = process_verify_requirment(proc, secRequirementRef); + proc->firstPartySigned = process_verify_requirement(proc, secRequirementRef); + CFReleaseNull(secRequirementRef); } - CFReleaseSafe(secRequirementRef); - + status = SecRequirementCreateWithString(appStoreRequirement, kSecCSDefaultFlags, &secRequirementRef); + if (status == errSecSuccess) { + proc->appStoreSigned = process_verify_requirement(proc, secRequirementRef); + CFReleaseSafe(secRequirementRef); + } LOGV("process[%i]: created (sid=%i) %s %p", proc->auditInfo.pid, proc->auditInfo.asid, proc->code_url, proc); done: 
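Review bot: Both `SecRequirementCreateWithString` calls in `process_create` fail silently: when `status != errSecSuccess` the corresponding flag simply keeps its initial value and nothing is logged, so a requirement string that fails to parse would quietly classify every process as not Apple-signed with no diagnostic. Failing closed is the right default here, but an `else` branch such as `LOGV("process[%i]: requirement creation failed: %d", proc->auditInfo.pid, (int)status);` would make the condition visible (the hunk already uses `LOGV`). The surviving comment "This is the clownfish supported way to check for a Mac App Store or B&I signed build" now sits above two separate checks; I'd reword it to say the first requirement identifies first-party (B&I) code and the second Mac App Store code. Note also that `status` is overwritten by the second call before control reaches `done:`, which matters only if it is inspected there; `process_create` begins before this hunk and continues past it.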
@@ -456,7 +463,7 @@ process_get_requirement(process_t proc) return proc->code_requirement; } -bool process_verify_requirment(process_t proc, SecRequirementRef requirment) +bool process_verify_requirement(process_t proc, SecRequirementRef requirment) { OSStatus status = SecCodeCheckValidity(proc->codeRef, kSecCSDefaultFlags, requirment); if (status != errSecSuccess) { @@ -467,7 +474,12 @@ bool process_verify_requirment(process_t proc, SecRequirementRef requirment) // Returns true if the process was signed by B&I or the Mac App Store bool process_apple_signed(process_t proc) { - return proc->appleSigned; + return (proc->firstPartySigned || proc->appStoreSigned); +} + +// Returns true if the process was signed by B&I +bool process_firstparty_signed(process_t proc) { + return proc->firstPartySigned; } mach_port_t process_get_bootstrap(process_t proc) diff --git a/OSX/authd/process.h b/OSX/authd/process.h index cb89b4d4..c4def564 100644 --- a/OSX/authd/process.h +++ b/OSX/authd/process.h @@ -12,7 +12,7 @@ extern "C" { #endif AUTH_WARN_RESULT AUTH_MALLOC AUTH_NONNULL_ALL AUTH_RETURNS_RETAINED -process_t process_create(const audit_info_s*,session_t); +process_t process_create(const audit_info_s*, session_t); AUTH_NONNULL_ALL const void * process_get_key(process_t); @@ -54,13 +54,13 @@ AUTH_NONNULL_ALL CFIndex process_get_connection_count(process_t); AUTH_NONNULL_ALL -void process_add_auth_token(process_t,auth_token_t); +void process_add_auth_token(process_t, auth_token_t); AUTH_NONNULL_ALL -void process_remove_auth_token(process_t,auth_token_t, uint32_t flags); +void process_remove_auth_token(process_t, auth_token_t, uint32_t flags); AUTH_NONNULL_ALL -auth_token_t process_find_copy_auth_token(process_t,const AuthorizationBlob*); +auth_token_t process_find_copy_auth_token(process_t, const AuthorizationBlob*); AUTH_NONNULL_ALL CFIndex process_get_auth_token_count(process_t); 
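Review bot: The rename to `process_verify_requirement` corrects the function name but leaves the parameter spelled `requirment` in both the signature and the `SecCodeCheckValidity` call on the following line, so the typo outlives the change that was meant to remove it. I'd change the two lines to `bool process_verify_requirement(process_t proc, SecRequirementRef requirement)` and `OSStatus status = SecCodeCheckValidity(proc->codeRef, kSecCSDefaultFlags, requirement);`. The function body continues outside the hunk.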
@@ -84,11 +84,14 @@ AUTH_NONNULL_ALL SecRequirementRef process_get_requirement(process_t); AUTH_NONNULL_ALL -bool process_verify_requirment(process_t,SecRequirementRef); +bool process_verify_requirement(process_t, SecRequirementRef); AUTH_NONNULL_ALL bool process_apple_signed(process_t proc); +AUTH_NONNULL_ALL +bool process_firstparty_signed(process_t proc); + AUTH_NONNULL_ALL mach_port_t process_get_bootstrap(process_t); diff --git a/OSX/lib/en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings b/OSX/lib/en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings new file mode 100644 index 00000000..a37ee1e1 --- /dev/null +++ b/OSX/lib/en.lproj/authorization.dfr.prompts-BBBAA77A32-C4EBFEA440.strings 
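Review bot: The new `process_firstparty_signed` prototype in process.h carries no comment, and the header gives no way to tell it apart from `process_apple_signed` declared just above it; with engine.c now publishing both as agent hints, a caller has to read process.c to learn that one accepts Mac App Store signatures and the other does not. I'd add `// true if the code satisfies "anchor apple" or the Mac App Store requirement (B&I or MAS signed)` above `process_apple_signed` and `// true only if the code satisfies "anchor apple" (B&I signed)` above `process_firstparty_signed`.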
@@ -0,0 +1,157 @@ +"system.preferences.accounts" = "Touch ID to Unlock Users & Groups Preferences."; + +"com.apple.SoftwareUpdate.scan" = "Touch ID to Check for New Apple-provided Software."; + +"system.preferences.datetime" = "Touch ID to Unlock the Date & Time Preferences."; + +"system.identity.write.credential" = "Touch ID to Update the Authentication Credentials."; + +"com.apple.appserver.privilege.admin" = "Touch ID to Modify the Application Server Settings."; + +"system.privilege.taskport.safe" = "Touch ID to Take Control of Another Process."; + +"com.apple.DiskManagement.internal." = "Touch ID to Modify the Selected Disk."; + +"system.print.operator" = "Touch ID to Use the Printer."; + +"com.apple.AOSNotification.FindMyMac.modify" = "Touch ID to Make Changes to Find My Mac."; + +"system.printingmanager" = "Touch ID to Print to a Locked Printer."; + +"com.apple.DiskManagement.reserveKEK" = "Touch ID to Modify an Encrypted Disk."; + +"system.services.systemconfiguration.network" = "Touch ID to Modify the System Network Configuration."; + +"sys.openfile." 
= "Touch ID to Open the Chosen File."; + +"com.apple.lldb.LaunchUsingXPC" = "Touch ID to Take Control of a Root Process."; + +"com.apple.OpenScripting.additions.send" = "Touch ID to Send Restricted Scripting Addition Commands to Other Applications."; + +"com.apple.library-repair" = "Touch ID to Repair Your Photo Library."; + +"com.apple.XType.fontmover.restore" = "Touch ID to Restore the Default System Fonts."; + +"system.csfde.requestpassword" = "Touch ID to Unlock Your Disk."; + +"com.apple.Safari.show-passwords" = "Touch ID to Show Passwords."; + +"com.apple.Safari.show-credit-card-numbers" = "Touch ID to Show Credit Card Numbers."; + +"com.apple.Safari.install-ephemeral-extensions" = "Touch ID to Install an Extension."; + +"com.apple.Safari.allow-apple-events-to-run-javascript" = "Touch ID to Allow Apple Events to Run JavaScript on Web Pages."; + +"com.apple.Safari.allow-javascript-in-smart-search-field" = "Touch ID to Allow JavaScript to be Used in the Smart Search Field."; + +"system.sharepoints." 
= "Touch ID to Modify Sharing Preferences."; + +"system.preferences.energysaver" = "Touch ID to Unlock the Energy Saver Preferences."; + +"system.install.apple-software" = "Touch ID to Install Apple-provided Software."; + +"system.install.apple-software.standard-user" = "Touch ID to Install Apple-provided software."; + +"com.apple.security.assessment.update" = "Touch ID to Install an App from an Unidentified Developer."; + +"com.apple.docset.install" = "Touch ID to Update the Developer Documentation."; + +"com.apple.Safari.parental-controls" = "Touch ID to Modify the Parental Controls Settings for Safari."; + +"com.apple.Safari.allow-unsigned-app-extensions" = "Touch ID to Allow Unsigned Extensions."; + +"com.apple.ServiceManagement.blesshelper" = "Touch ID to Install a New Helper Tool."; + +"system.device.dvd.setregion.initial" = "Touch ID to Set the DVD Region Code for the First Time."; + +"system.preferences.network" = "Touch ID to Unlock the Network Preferences."; + +"system.identity.write." 
= "Touch ID to Update the Set of Local Users."; + +"com.apple.opendirectoryd.linkidentity" = "Touch ID to Modify Your User Account."; + +"com.apple.trust-settings.user" = "Touch ID to Change Your Certificate Trust Settings."; + +"system.preferences.printing" = "Touch ID to Unlock the Printers & Scanners Preferences."; + +"system.hdd.smart" = "Touch ID to Modify the Diagnostic Settings for Your Hard Drive."; + +"system.print.admin" = "Touch ID to Modify the Printer Settings."; + +"system.preferences.accessibility" = "Touch ID to Unlock Accessibility Preferences."; + +"com.apple.activitymonitor.kill" = "Touch ID to Quit the Selected Process."; + +"system.burn" = "Touch ID to Burn a Disc."; + +"system.preferences.sharing" = "Touch ID to Unlock the Sharing Preferences."; + +"system.preferences.parental-controls" = "Touch ID to Unlock Parental Controls Preferences."; + +"system.preferences.security" = "Touch ID to Unlock Security & Privacy Preferences."; + +"system.preferences.startupdisk" = "Touch ID to Unlock the Startup Disk Preferences."; + +"com.apple.ServiceManagement.daemons.modify" = "Touch ID to Add a New Helper Tool."; + +"com.apple.DiskManagement." 
= "Touch ID to Modify the Selected Disk."; + +"com.apple.trust-settings.admin" = "Touch ID to Change the System Certificate Trust Settings."; + +"system.identity.write.self" = "Touch ID to Update Your Authentication Credentials."; + +"system.install.app-store-software" = "Touch ID to Install Software."; + +"system.install.app-store-software.standard-user" = "Touch ID to Install Software."; + +"system.preferences.version-cue" = "Touch ID to Modify the Version Cue Preferences."; + +"system.preferences" = "Touch ID to Modify Your System Settings."; + +"com.apple.SoftwareUpdate.modify-settings" = "Touch ID to Unlock the App Store Preferences."; + +"com.apple.uninstalld.uninstall" = "Touch ID to Delete an Application."; + +"system.privilege.taskport" = "Touch ID to Take Control of Another Process."; + +"system.install.software" = "Touch ID to Install New Software."; + +"system.preferences.security.remotepair" = "Touch ID to Pair the Remote."; + +"com.apple.XType.fontmover.remove" = "Touch ID to Remove Existing System Fonts."; + +"system.global-login-items." 
= "Touch ID to Add a Login Item."; + +"com.apple.server.admin.streaming" = "Touch ID to Modify the QuickTime Streaming Server Settings."; + +"system.preferences.softwareupdate" = "Touch ID to Unlock the App Store Preferences."; + +"system.keychain.modify" = "Touch ID to Modify the System Keychain."; + +"com.apple.XType.fontmover.install" = "Touch ID to Install New System Fonts."; + +"system.services.directory.configure" = "Touch ID to Modify the Directory Services Configuration."; + +"system.preferences.timemachine" = "Touch ID to Unlock the Time Machine Preferences."; + +"com.apple.appserver.privilege.user" = "Touch ID to Modify your Application Server Settings."; + +"system.privilege.taskport.debug" = "Touch ID to Take Control of Another Process for Debugging to Continue."; + +"com.apple.container-repair" = "Touch ID to Repair Your Library to Run Applications."; + +"com.apple.pf.rule" = "Touch ID to Modify Firewall Rules."; + +"com.apple.AOSNotification.FindMyMac.remove" = "Touch ID to Turn Off Find My Mac."; + +"com.apple.iBooksX.ParentalControl" = "Touch ID to Unlock Your Parental Controls Preferences."; + +"system.services.networkextension.vpn" = "Touch ID to Modify the VPN Configuration."; + +"system.services.networkextension.filtering" = "Touch ID to Modify the Content Filtering Configuration."; + +"com.apple.iCloud.passwordReset" = "Touch ID to Reset Your Apple ID Password."; + +"system.preferences.continuity" = "Touch ID to Unlock the Touch ID Preferences."; + +"com.apple.ctkbind.admin" = "Touch ID to Pair the Current User With the SmartCard Identity."; diff --git a/OSX/lib/security.exp-in b/OSX/lib/security.exp-in index 637f8021..8752c7d0 100644 --- a/OSX/lib/security.exp-in +++ b/OSX/lib/security.exp-in @@ -18,6 +18,7 @@ _SecAsn1Decode _SecAsn1DecodeData _SecAsn1EncodeItem _SecAsn1Malloc +_SecAsn1OidCompare _kSecAsn1AnyTemplate _kSecAsn1BMPStringTemplate _kSecAsn1BitStringTemplate 
@@ -403,6 +404,9 @@ _SecTaskCreateFromSelf _SecTaskCopyValueForEntitlement _SecTaskCopyValuesForEntitlements _SecTaskCopySigningIdentifier +#if TARGET_OS_OSX +_SecTaskEntitlementsValidated +#endif _SecTaskGetCodeSignStatus _SecTaskGetTypeID _SecTaskValidateForRequirement @@ -1411,6 +1415,7 @@ _kSecPolicyAppleProfileSigner _kSecPolicyApplePushService _kSecPolicyAppleQAProfileSigner _kSecPolicyAppleRevocation +_kSecPolicyAppleSecureIOStaticAsset _kSecPolicyAppleServerAuthentication _kSecPolicyAppleSMIME _kSecPolicyAppleSMPEncryption @@ -1425,6 +1430,7 @@ _kSecPolicyAppleTimeStamping _kSecPolicyAppleTVOSApplicationSigning _kSecPolicyAppleUniqueDeviceIdentifierCertificate _kSecPolicyAppleURLBag +_kSecPolicyAppleWarsaw _kSecPolicyAppleX509Basic _kSecPolicyMacAppStoreReceipt _kSecPolicyAppleAnchorIncludeTestRoots @@ -1745,7 +1751,8 @@ _SecCertificateIsCA _SecCertificateIsSelfSigned _SecCertificateIsSelfSignedCA _SecCertificateIsSignedBy -_SecCertificateIsWeak +_SecCertificateIsWeakHash +_SecCertificateIsWeakKey _SecCertificateParseGeneralNameContentProperty _SecCertificateParseGeneralNames _SecCertificatePathCopyAddingLeaf @@ -1763,6 +1770,7 @@ _SecCertificatePathGetRoot _SecCertificatePathGetUsageConstraintsAtIndex _SecCertificatePathHasWeakHash _SecCertificatePathIsAnchored +_SecCertificatePathIsValid _SecCertificatePathScore _SecCertificatePathSelfSignedIndex _SecCertificatePathSetIsAnchored @@ -1821,6 +1829,9 @@ _SecItemCopyDisplayNames _SecItemCopyMatching _SecItemCopyParentCertificates _SecItemCopyStoredCertificate +#if TARGET_OS_OSX +_SecItemCreateFromAttributeDictionary_osx +#endif #if TARGET_OS_EMBEDDED _SecCopyLastError _SecItemUpdateWithError @@ -1874,6 +1885,7 @@ _SecKeyCopyModulus _SecKeyCreate _SecKeyCreateAttestation _SecKeyCreateDecryptedData +_SecKeyCreateDuplicate _SecKeyCreateEncryptedData _SecKeyCreateFromAttributeDictionary _SecKeyCreateFromPublicBytes 
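Review bot: Dropping `_SecCertificateIsWeak` from the export list in favour of `_SecCertificateIsWeakHash` and `_SecCertificateIsWeakKey` removes a symbol rather than adding alongside it, so any client that still links the old name would fail to load; if this is intended as a hard break of a private interface, the commit description should say so. A one-line comment next to the two new entries, e.g. `# replaces _SecCertificateIsWeak, split into hash and key checks`, would also help the next person reconciling this list against the headers, assuming the exp-in format tolerates comments here.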
@@ -2072,12 +2084,14 @@ _SecPolicyCreateApplePPQService
 _SecPolicyCreateApplePPQSigning
 _SecPolicyCreateApplePushService
 _SecPolicyCreateApplePushServiceLegacy
+_SecPolicyCreateAppleSecureIOStaticAsset
 _SecPolicyCreateAppleSMPEncryption
 _SecPolicyCreateAppleSoftwareSigning
 _SecPolicyCreateAppleSSLPinned
 _SecPolicyCreateAppleSSLService
 _SecPolicyCreateAppleTimeStamping
 _SecPolicyCreateAppleTVOSApplicationSigning
+_SecPolicyCreateAppleWarsaw
 _SecPolicyCreateBasicX509
 _SecPolicyCreateCodeSigning
 _SecPolicyCreateConfigurationProfileSigner
diff --git a/OSX/libsecurity_asn1/.gitignore b/OSX/libsecurity_asn1/.gitignore
new file mode 100644
index 00000000..35cfb4d3
--- /dev/null
+++ b/OSX/libsecurity_asn1/.gitignore
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/.gitignore b/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/.gitignore
new file mode 100644
index 00000000..7f42cdde
--- /dev/null
+++ b/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/.gitignore
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h b/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h
index 6001609e..6c90551d 100644
--- a/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h
+++ b/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h
@@ -259,6 +259,7 @@
 #define AGENT_HINT_AUTHORIZE_RULE "authorize-rule"
 #define AGENT_HINT_TOKEN_NAME "token-name"
 #define AGENT_HINT_PROCESS_SIGNED "process-apple-signed"
+#define AGENT_HINT_PROCESS_FROM_APPLE "process-firstparty-signed"
 #define AGENT_HINT_SHOW_RESET "show-reset"
 #define AGENT_HINT_PASSWORD_ONLY "password-only"
diff --git a/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj b/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj
index ff45f46c..395b161c 100644
--- a/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj
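Review bot: The new hint `AGENT_HINT_PROCESS_FROM_APPLE "process-firstparty-signed"` sits beside `AGENT_HINT_PROCESS_SIGNED "process-apple-signed"`, and the two macro names read as the opposite pairing of their string values, so a caller skimming the names can easily set the wrong one. A one-line comment on each stating what the hint asserts about the requesting process would remove the ambiguity; the actual meanings have to be taken from the authd process.c change in this commit, which is not in this chunk. If, as the AGENT_HINT_ prefix suggests, these hints are forwarded to the authorization agent, a swapped hint becomes a user-visible trust statement rather than a cosmetic slip.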
+++ b/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj @@ -162,6 +162,7 @@ C2F4439B14C626D4000A01E6 /* quarantine++.h in Headers */ = {isa = PBXBuildFile; fileRef = C2F4439914C626D4000A01E6 /* quarantine++.h */; }; C2F6566E0BCBFB250078779E /* cserror.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2F6566C0BCBFB250078779E /* cserror.cpp */; }; DC1418651CCEE2EC00CFD769 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1418641CCEE2EC00CFD769 /* libutilities.a */; }; + DC529B311D63C78000D617E8 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC529B301D63C78000D617E8 /* IOKit.framework */; }; EB68B111150DAEEA00B4013D /* RequirementLexer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB68B10B150DAEBB00B4013D /* RequirementLexer.cpp */; }; EB68B112150DAEEA00B4013D /* RequirementParser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB68B10D150DAEBB00B4013D /* RequirementParser.cpp */; }; EB68B133150DB04400B4013D /* RequirementKeywords.h in Headers */ = {isa = PBXBuildFile; fileRef = EB68B10A150DAEBB00B4013D /* RequirementKeywords.h */; }; 
@@ -503,6 +504,7 @@ C2F6566D0BCBFB250078779E /* cserror.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cserror.h; sourceTree = ""; }; CDCBE8941A1A96E8002CB2B7 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; }; DC1418641CCEE2EC00CFD769 /* libutilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libutilities.a; path = "../../../Users/kmowery/Library/Developer/Xcode/DerivedData/Security-fkwwcnddijtngfaslvsedvgyzbou/Build/Products/Debug/libutilities.a"; sourceTree = ""; }; + DC529B301D63C78000D617E8 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; EB68B10A150DAEBB00B4013D /* RequirementKeywords.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RequirementKeywords.h; sourceTree = ""; }; EB68B10B150DAEBB00B4013D /* RequirementLexer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RequirementLexer.cpp; sourceTree = ""; }; EB68B10C150DAEBB00B4013D /* RequirementLexer.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = RequirementLexer.hpp; sourceTree = ""; }; @@ -636,6 +638,7 @@ C200424E15D425D9004AE0A1 /* libsecurity_utilities.a in Frameworks */, DC1418651CCEE2EC00CFD769 /* libutilities.a in Frameworks */, 7ACF261219958B6F00849B25 /* CoreFoundation.framework in Frameworks */, + DC529B311D63C78000D617E8 /* IOKit.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -932,6 +935,7 @@ C2CC30EF0B8519CF005FA59D /* Frameworks */ = { isa = PBXGroup; children = ( + DC529B301D63C78000D617E8 /* IOKit.framework */, DC1418641CCEE2EC00CFD769 /* libutilities.a */, C2D6EA461C8F5265009B586F /* libsecurity_utilities.a */, C2D6EA441C8F5257009B586F /* Security.framework */, diff --git a/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp b/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp index 9e4e9df6..ecef3fbe 100644 --- a/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp +++ b/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp @@ -958,6 +958,13 @@ DLDbListCFPref::searchList() void DLDbListCFPref::searchList(const vector &searchList) { + if(searchList.size() == 0) { + mSearchList.clear(); + mSearchListSet = false; + changed(true); + return; + } + vector newList(searchList); mSearchList.swap(newList); mSearchListSet = true; diff --git a/OSX/libsecurity_keychain/lib/SecItem.cpp b/OSX/libsecurity_keychain/lib/SecItem.cpp index 93635785..c4f4fd3b 100644 --- a/OSX/libsecurity_keychain/lib/SecItem.cpp +++ b/OSX/libsecurity_keychain/lib/SecItem.cpp @@ -64,7 +64,7 @@ OSStatus SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUp OSStatus SecItemDelete_ios(CFDictionaryRef query); OSStatus SecItemUpdateTokenItems_ios(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes); -CFTypeRef SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes); + OSStatus SecItemValidateAppleApplicationGroupAccess(CFStringRef group); CFDictionaryRef SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass, bool iOSOut, bool pruneMatch, bool pruneSync, bool pruneReturn, bool pruneData, bool pruneAccess); diff --git a/OSX/libsecurity_keychain/lib/SecItemPriv.h b/OSX/libsecurity_keychain/lib/SecItemPriv.h index c8065f0c..8b88d67e 100644 --- a/OSX/libsecurity_keychain/lib/SecItemPriv.h +++ b/OSX/libsecurity_keychain/lib/SecItemPriv.h 
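Review bot: The new early return changes what an empty `searchList` means: previously the empty vector was installed through the swap with `mSearchListSet = true` (search no keychains), whereas now the list is cleared and `mSearchListSet = false`, which presumably lets later lookups fall back to the default search list. If that fallback can bring the default keychain back into a search a caller tried to narrow to nothing, the semantic change deserves a comment at the top of the branch, e.g. `// An empty list reverts to the default search list; it does not mean "search nothing".`, and a matching note in the header. The remainder of `searchList()` and the code that consults `mSearchListSet` are outside the hunk. Minor: `searchList.empty()` reads better than `searchList.size() == 0`.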
@@ -453,6 +453,8 @@ bool _SecSystemKeychainTransfer(CFErrorRef *error);
 OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes);
+CFTypeRef SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes);
+
 __END_DECLS
 #endif /* !_SECURITY_SECITEMPRIV_H_ */
diff --git a/OSX/libsecurity_keychain/lib/SecKeyPriv.h b/OSX/libsecurity_keychain/lib/SecKeyPriv.h
index e2b1ebc5..bf97e64a 100644
--- a/OSX/libsecurity_keychain/lib/SecKeyPriv.h
+++ b/OSX/libsecurity_keychain/lib/SecKeyPriv.h
@@ -129,6 +129,8 @@ typedef CFStringRef (*SecKeyDescribeMethod)(SecKeyRef key);
 typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErrorRef *error);
 typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key);
 typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2);
+typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key);
+
 /*!
 @abstract Performs cryptographic operation with the key.
 @param key Key to perform the operation on.
@@ -194,6 +196,7 @@ typedef struct __SecKeyDescriptor {
 SecKeyCopyPublicKeyMethod copyPublicKey;
 SecKeyCopyOperationResultMethod copyOperationResult;
 SecKeyIsEqualMethod isEqual;
+ SecKeyCreateDuplicateMethod createDuplicate;
 #endif
 } SecKeyDescriptor;
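Review bot: `createDuplicate` is appended to `SecKeyDescriptor` inside the existing `#endif` block, so a descriptor initialised against the previous header leaves the new slot unset; whether that reads as NULL or as garbage depends on how each key implementation allocates its descriptor, and the dispatch side in SecKey.c is not in this chunk. Confirm that SecKeyCreateDuplicate checks the descriptor version (or tests the slot for NULL) before calling through it, and document the contract on the field, e.g. `SecKeyCreateDuplicateMethod createDuplicate; /* optional: NULL means the key is immutable and duplicate == retain */`.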
@@ -531,6 +534,19 @@ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AV Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +/*! + @function SecKeyCreateDuplicate + @abstract Creates duplicate fo the key. + + @param key Source key to be duplicated + + @discussion Only memory representation of the key is duplicated, so if the key is backed by keychain, only one instance + stays in the keychain. Duplicating key is useful for setting 'temporary' key parameters using SecKeySetParameter. + If the key is immutable (i.e. does not support SecKeySetParameter), calling this method is identical to calling CFRetain(). + */ +SecKeyRef SecKeyCreateDuplicate(SecKeyRef key) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + /*! Algorithms for converting between bigendian and core-crypto ccunit data representation. */ diff --git a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h b/OSX/libsecurity_keychain/lib/SecPolicyPriv.h index 7eb06b4c..ee635e69 100644 --- a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h +++ b/OSX/libsecurity_keychain/lib/SecPolicyPriv.h @@ -24,8 +24,8 @@ /*! @header SecPolicyPriv The functions provided in SecPolicyPriv provide an interface to various - X.509 certificate trust policies. - */ + X.509 certificate trust policies. +*/ #ifndef _SECURITY_SECPOLICYPRIV_H_ #define _SECURITY_SECPOLICYPRIV_H_ @@ -95,6 +95,8 @@ CF_IMPLICIT_BRIDGING_ENABLED @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth @constant kSecPolicyAppleMMCSCompatibilityServerAuth + @constant kSecPolicyAppleSecureIOStaticAsset + @constant kSecPolicyAppleWarsaw */ extern const CFStringRef kSecPolicyAppleMobileStore __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); 
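Review bot: Typo in the added doc comment: `@abstract Creates duplicate fo the key.` should read `@abstract Creates a duplicate of the key.`. The discussion says the call is identical to CFRetain() for immutable keys, which implies the caller owns a +1 reference, but the declaration carries no CF_RETURNS_RETAINED and the comment has no @result; add `@result The duplicated key. The caller is responsible for calling CFRelease on it.` so the ownership statement matches the SecPolicyCreate* declarations elsewhere in this commit.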
@@ -200,6 +202,11 @@ extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleSecureIOStaticAsset + __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); +extern const CFStringRef kSecPolicyAppleWarsaw + __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); + /*! @enum Policy Value Constants @@ -265,7 +272,7 @@ extern const CFStringRef kSecPolicyRootDigest * The intermediate has a marker extension with OID matching the intermediateMarkerOID parameter. * The leaf has a marker extension with OID matching the leafMarkerOID parameter. - * Revocation is checked via OCSP or CRL. + * Revocation is checked via any available method. * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. @@ -298,12 +305,8 @@ SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName, * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension or Common Name. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP or CRL. + * Revocation is checked via any available method. * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. - For developers who need to disable pinning this function is equivalent to SecPolicyCreateSSL - on internal releases if the value true is set for the key "AppleServerAuthenticationNoPinning%@" - (where %@ is the policyName parameter) in the com.apple.Security preferences for the user - of the calling application. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -318,13 +321,14 @@ SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef h certificate chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in chain. * The intermediate has Common Name "Apple iPhone Certification Authority". * The leaf has Common Name "iPhone Activation". @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneActivation(void); @@ -334,12 +338,13 @@ SecPolicyRef SecPolicyCreateiPhoneActivation(void); chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * There are exactly 4 certs in chain. - * The chain is anchored to "Apple Root CA" certificate. - * The first intermediate has Common Name "Apple iPhone Device CA". + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 4 certs in chain. + * The first intermediate has Common Name "Apple iPhone Device CA". @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void); 
@@ -349,10 +354,10 @@ SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void); chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to the Factory Device CA. + * The chain is anchored to the Factory Device CA. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void); @@ -361,13 +366,13 @@ SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void); @abstract Returns a policy object for verifying iAP certificate chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The leaf has notBefore date after 5/31/2006 midnight GMT. - * The leaf has Common Name beginning with "IPA_". + * The leaf has notBefore date after 5/31/2006 midnight GMT. + * The leaf has Common Name beginning with "IPA_". The intended use of this policy is that the caller pass in the intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates(). @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiAP(void); 
@@ -377,13 +382,13 @@ SecPolicyRef SecPolicyCreateiAP(void); certificates. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to the iTMS CA. - * There are exactly 2 certs in the chain. - * The leaf has Organization "Apple Inc.". - * The leaf has Common Name "iTunes Store URL Bag". + * The chain is anchored to the iTMS CA. + * There are exactly 2 certs in the chain. + * The leaf has Organization "Apple Inc.". + * The leaf has Common Name "iTunes Store URL Bag". @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void); @@ -402,8 +407,8 @@ SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void); to contain either the ServerAuth OID, if the server param is true or ClientAuth OID, otherwise. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames); @@ -416,8 +421,8 @@ SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedSer hostname or ip address to match the hostname in the leaf certificate. @discussion This policy uses the Basic X.509 policy with validity check. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostname); 
@@ -426,12 +431,14 @@ SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostna @abstract Returns a policy object for evaluating SW update signing certs. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. - * There are exactly 3 certs in the chain. - * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1. + * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void); @@ -440,11 +447,14 @@ SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void); @abstract Returns a policy object for evaluating installer package signing certs. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. - * There are exactly 3 certs in the chain. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The leaf KeyUsage extension has the digital signature bit set. + * The leaf ExtendedKeyUsage extension has the CodeSigning OID. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateApplePackageSigning(void); 
@@ -454,18 +464,18 @@ SecPolicyRef SecPolicyCreateApplePackageSigning(void); signatures. This is for apps signed directly by the app store. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple iPhone Certification Authority". - * The leaf has Common Name "Apple iPhone OS Application Signing". - * If the device is not a production device and is running an internal - release, the leaf may have the Common Name "TEST Apple iPhone OS - Application Signing TEST". - * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID - or the CodeSigning OID. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple iPhone Certification Authority". + * The leaf has Common Name "Apple iPhone OS Application Signing". + * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.3 or OID + 1.2.840.113635.100.6.1.6. + * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID + or the CodeSigning OID. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void); 
@@ -475,10 +485,10 @@ SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void); signatures. This policy is for certificates inside a UPP or regular profile. @discussion This policy only verifies that the leaf is temporally valid - and not revoked. + and not revoked via any available method. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void); 
@@ -487,16 +497,17 @@ SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void); @abstract Returns a policy object for evaluating provisioning profile signatures. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. - * There are exactly 3 certs in the chain. - * The intermediate has Common Name "Apple iPhone Certification Authority". - * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing". - * If the device is not a production device and is running an internal - release, the leaf may have the Common Name "TEST Apple iPhone OS - Provisioning Profile Signing TEST". + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple iPhone Certification Authority". + * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing". + * If the device is not a production device and is running an internal + release, the leaf may have the Common Name "TEST Apple iPhone OS + Provisioning Profile Signing TEST". @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void); 
@@ -507,17 +518,17 @@ SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void); and allows for both the prod and the dev/test certs. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to any of the production Apple Root CAs. - Test roots are never permitted. - * There are exactly 3 certs in the chain. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. - * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or - the CodeSigning OID. - * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID - 1.2.840.113635.100.6.1.24.1. + * The chain is anchored to any of the production Apple Root CAs. + Test roots are never permitted. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. + * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or + the CodeSigning OID. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID + 1.2.840.113635.100.6.1.24.1. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void); @@ -527,8 +538,8 @@ SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void); @discussion This policy uses the Basic X.509 policy with validity check and requires the leaf to have an ExtendedKeyUsage of OCSPSigning. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateOCSPSigner(void); 
@@ -541,27 +552,27 @@ enum { kSecKeyExchangeEncryptSMIMEUsage = (1 << 4), kSecKeyExchangeBothSMIMEUsage = (1 << 5), kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage | - kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage + kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage }; /*! @function SecPolicyCreateSMIME @abstract Returns a policy object for evaluating S/MIME certificate chains. - @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage + @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage flags, to indicate the intended usage of this certificate. - @param email Optional; if present, the policy will require the specified - email to match the email in the leaf certificate. + @param email Optional; if present, the policy will require the specified + email to match the email in the leaf certificate. @discussion This policy uses the Basic X.509 policy with validity check and requires the leaf to have - * a KeyUsage matching the smimeUsage, - * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the - EmailProtection OID, and - * if the email param is specified, the email address in the RFC822Name in the - SubjectAlternativeName extension or in the Email Address field of the - Subject Name. + * a KeyUsage matching the smimeUsage, + * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the + EmailProtection OID, and + * if the email param is specified, the email address in the RFC822Name in the + SubjectAlternativeName extension or in the Email Address field of the + Subject Name. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email); 
@@ -570,11 +581,11 @@ SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable ema @abstract Returns a policy object for evaluating code signing certificate chains. @discussion This policy uses the Basic X.509 policy with validity check and requires the leaf to have - * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and - * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID. + * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and + * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateCodeSigning(void); @@ -584,8 +595,8 @@ SecPolicyRef SecPolicyCreateCodeSigning(void); @disucssion This policy checks some of the Basic X.509 policy options with no validity check. It explicitly allows for empty subjects. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. - */ + on this when it is no longer needed. +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateLockdownPairing(void); 
@@ -605,8 +616,10 @@ SecPolicyRef SecPolicyCreateURLBag(void); @abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple iPhone Certification Authority". * The leaf has Common Name "OTA Task Signing". @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. @@ -619,8 +632,10 @@ SecPolicyRef SecPolicyCreateOTATasking(void); @abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple iPhone Certification Authority". * The leaf has Common Name "Asset Manifest Signing". @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. 
@@ -633,9 +648,10 @@ SecPolicyRef SecPolicyCreateMobileAsset(void); @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 - or OID 1.2.840.113635.100.6.2.7. + or OID 1.2.840.113635.100.6.2.7. * The leaf has a marker extension with OID 1.2.840.113635.100.4.7. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. @@ -649,7 +665,13 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void); Mac App Store Receipts. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. + * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.6.1. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.11.1. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -664,9 +686,10 @@ SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void); team ID to match the organizationalUnit field in the leaf certificate's subject. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the - cardIssuer. + cardIssuer. * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14. * The leaf has a Organizational Unit matching the TeamID. @result A policy object. The caller is responsible for calling CFRelease @@ -674,14 +697,15 @@ SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void); */ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer, - CFStringRef __nullable teamIdentifier); + CFStringRef __nullable teamIdentifier); /*! @function SecPolicyCreateMobileStoreSigner @abstract Returns a policy object for evaluating Mobile Store certificate chains. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple System Integration 2 Certification Authority". * The leaf has KeyUsage with the DigitalSignature bit set. 
@@ -697,7 +721,8 @@ SecPolicyRef SecPolicyCreateMobileStoreSigner(void); @abstract Returns a policy object for evaluating Test Mobile Store certificate chains. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple System Integration 2 Certification Authority". * The leaf has KeyUsage with the DigitalSignature bit set. @@ -742,14 +767,15 @@ SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void); Provisioning Profiles. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. * The leaf has KeyUsage with the DigitalSignature bit set. * The leaf has a marker extension with OID 1.2.840.113635.100.4.11. * Revocation is checked via OCSP. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void); 
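Review bot: `* Revocation is checked via OCSP.` for SecPolicyCreateOSXProvisioningProfileSigning is left untouched while this hunk rewrites the anchor bullet above it and the rest of the commit changes that sentence to "via any available method" for the other policies. If the revocation behaviour of this policy changed as well, the line is now stale; if it did not, a short qualifier such as `(OCSP only, by design)` would stop the next reader from "fixing" it. The same applies to the `@@ -813` hunk for SecPolicyCreateAppleIDValidationRecordSigningPolicy. I cannot tell from the header which case holds.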
@@ -759,25 +785,31 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void); Configuration Profiles. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3. * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void); /*! @function SecPolicyCreateQAConfigurationProfileSigner @abstract Returns a policy object for evaluating certificate chains for signing - QA Configuration Profiles. + QA Configuration Profiles. On customer builds, this function returns the same + policy as SecPolicyCreateConfigurationProfileSigner. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3. * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void); 
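Review bot: The new @abstract of SecPolicyCreateQAConfigurationProfileSigner says that on customer builds it returns the same policy as SecPolicyCreateConfigurationProfileSigner, yet its @discussion still states unconditionally that the leaf has ExtendedKeyUsage OID 1.2.840.113635.100.4.17, whereas the production signer's bullet says 1.2.840.113635.100.4.16 — assuming the abstract is accurate, one of the two lists is wrong on customer builds. Suggest qualifying the QA bullet: `* On internal builds, the leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17; on customer builds the SecPolicyCreateConfigurationProfileSigner rules apply.` The same inconsistency appears in the `@@ -877` hunk for SecPolicyCreateTestApplePPQSigning, whose leaf marker bullet (1.2.840.113635.100.6.38.1) is also unqualified against the production value 1.2.840.113635.100.6.38.2.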
@@ -790,7 +822,7 @@ SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void); * There are exactly 2 certs in the chain. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateOTAPKISigner(void); @@ -803,7 +835,7 @@ SecPolicyRef SecPolicyCreateOTAPKISigner(void); * There are exactly 2 certs in the chain. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateTestOTAPKISigner(void); @@ -813,14 +845,15 @@ SecPolicyRef SecPolicyCreateTestOTAPKISigner(void); Apple ID Validation Records. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 - or OID 1.2.840.113635.100.6.2.10. + or OID 1.2.840.113635.100.6.2.10. * The leaf has a marker extension with OID 1.2.840.113635.100.6.25. * Revocation is checked via OCSP. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. - */ +*/ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void); 
@@ -829,7 +862,8 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void); @abstract Returns a policy object for evaluating SMP certificate chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA - ECC" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13. * The leaf has KeyUsage with the KeyEncipherment bit set. @@ -862,10 +896,11 @@ SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void); @abstract Returns a policy object for verifying production PPQ Signing certificates. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple System Integration 2 Certification - Authority". + Authority". * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. * The leaf has KeyUsage with the DigitalSignature bit set. * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2. 
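Review bot: The widened anchor statement for SecPolicyCreateAppleSMPEncryption gives no rationale: the bullet moves from the single `"Apple Root CA - ECC"` certificate to "any of the production Apple Root CAs", which for an encryption policy documents a larger set of acceptable trust anchors. If the implementation really moved from one pinned root to the whole production set, the discussion should say why in a sentence; if the code still pins the ECC root, the new text overstates what is accepted. The `@@ -1180` hunk makes the same change for SecPolicyCreateApplePayIssuerEncryption. I cannot tell from the header which case applies.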
@@ -877,13 +912,15 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void); /*! @function SecPolicyCreateTestApplePPQSigning - @abstract Returns a policy object for verifying test PPQ Signing certificates. + @abstract Returns a policy object for verifying test PPQ Signing certificates. On + customer builds, this function returns the same policy as SecPolicyCreateApplePPQSigning. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple System Integration 2 Certification - Authority". + Authority". * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. * The leaf has KeyUsage with the DigitalSignature bit set. * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1. 
@@ -912,16 +949,16 @@ SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname); @discussion This policy uses the Basic X.509 policy with validity check and pinning options: * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. + are permitted only on internal releases either using the context dictionary or with + defaults write. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1. + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1. * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -937,16 +974,16 @@ SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDicti @discussion This policy uses the Basic X.509 policy with validity check and pinning options: * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. + are permitted only on internal releases either using the context dictionary or with + defaults write. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1. + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1. * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -961,10 +998,10 @@ SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryR and pinning options: * The chain is anchored to an Entrust Intermediate. * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -976,7 +1013,7 @@ SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname); @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions) @param hostname Required; hostname to verify the certificate name against. @param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value - Boolean true will allow Test Apple rotos and test OIDs on internal releases. + Boolean true will allow Test Apple roots and test OIDs on internal releases. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: * The chain is anchored to any of the production Apple Root CAs. @@ -1025,15 +1062,15 @@ SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname) @discussion This policy uses the Basic X.509 policy with validity check and pinning options: * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. + are permitted only on internal releases either using the context dictionary or with + defaults write. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2. * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -1050,16 +1087,16 @@ SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef @discussion This policy uses the Basic X.509 policy with validity check and pinning options: * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases either using the context dictionary or with - defaults write. + are permitted only on internal releases either using the context dictionary or with + defaults write. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1. + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1. * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -1076,15 +1113,15 @@ SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRe @discussion This policy uses the Basic X.509 policy with validity check and pinning options: * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted either using the context dictionary or with defaults write. + are permitted either using the context dictionary or with defaults write. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1. + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1. * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -1097,27 +1134,51 @@ SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryR @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions) @param hostname Required; hostname to verify the certificate name against. @param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value - Boolean true will allow Test Apple roots on internal releases. +Boolean true will allow Test Apple roots on internal releases. @discussion This policy uses the Basic X.509 policy with validity check - and pinning options: +and pinning options: * The chain is anchored to any of the production Apple Root CAs via full certificate - comparison. Test Apple Root CAs are permitted only on internal releases either - using the context dictionary or with defaults write. + comparison. Test Apple Root CAs are permitted only on internal releases either + using the context dictionary or with defaults write. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or, - if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1. + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1. * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via CRL. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. +on this when it is no longer needed. */ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __nullable context) __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +/*! 
+ @function SecPolicyCreateAppleCompatibilityEscrowProxyService + @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service using compatibility certs + @param hostname Required; hostname to verify the certificate name against. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to the GeoTrust Global CA + * The intermediate has a subject public key info hash matching the public key of + the Apple IST CA G1 intermediate. + * The chain length is 3. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or, + if UAT is enabled with a defaults write (internal devices only), + OID 1.2.840.113635.100.6.27.7.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname) +__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + /*! @function SecPolicyCreateAppleFMiPService @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions) @@ -1136,7 +1197,7 @@ SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDict extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via CRL. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
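Review bot: The new SecPolicyCreateAppleCompatibilityEscrowProxyService discussion has no revocation bullet, whereas SecPolicyCreateAppleEscrowProxyService directly above it states `* Revocation is checked via any available method.`; a reader cannot tell whether the omission means revocation is not checked for the compatibility chain or the line was simply dropped. Either add that bullet or state `* Revocation is not checked.` explicitly. Its UAT bullet also says test OIDs are enabled "with a defaults write (internal devices only)" without naming the key, while the non-compatibility variant documents "AppleServerAuthenticationAllowUATEscrow"; naming the key here would let an auditor check the device state. The same missing revocation statement applies to SecPolicyCreateAppleWarsaw and SecPolicyCreateAppleSecureIOStaticAsset in the `@@ -1318` hunk.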
@@ -1150,14 +1211,15 @@ SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryR @param hostname Optional; hostname to verify the certificate name against. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1180,7 +1242,8 @@ SecPolicyRef SecPolicyCreateAppleTimeStamping(void); @abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA - ECC" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2". * The leaf has KeyUsage with the KeyEncipherment bit set. 
@@ -1198,7 +1261,7 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void) @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs - are permitted only on internal releases. + are permitted only on internal releases. * There are exactly 3 certs in the chain. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. * The leaf has a marker extension with OID 1.2.840.113635.100.6.43. @@ -1224,7 +1287,7 @@ SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void) extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via CRL. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1257,7 +1320,7 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) * 1.2.840.113635.100.4.8 ("Safari Developer" EKU) * 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU) * 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU) - * Revocation is checked via OCSP or CRL. + * Revocation is checked via any available method. * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. 
@@ -1277,7 +1340,7 @@ SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void) * The intermediate has the Common Name "Apple Code Signing Certification Authority". * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22. * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing). - * Revocation is checked via OCSP or CRL. + * Revocation is checked via any available method. * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. 
@@ -1318,14 +1381,51 @@ CFStringRef SecPolicyGetOidString(SecPolicyRef policy) * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value of "ucrt". * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1. - * RSA key sizes are are disallowed. EC key sizes are P-256 or larger. - @result A policy object. The caller is responsible for calling CFRelease on this when + * RSA key sizes are disallowed. EC key sizes are P-256 or larger. +@result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash) __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +/*! + @function SecPolicyCreateAppleWarsaw + @abstract Returns a policy object for verifying signed Warsaw assets. + @discussion The resulting policy uses the Basic X.509 policy with validity check and + pinning options: + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.14. + * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.29. + * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. + @result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleWarsaw(void) + __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); + +/*! + @function SecPolicyCreateAppleSecureIOStaticAsset + @abstract Returns a policy object for verifying signed static assets for Secure IO. 
+ @discussion The resulting policy uses the Basic X.509 policy with no validity check and
+ pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.10.
+ * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.50.
+ * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void)
+ __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1);
+ + CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END
diff --git a/OSX/libsecurity_keychain/lib/StorageManager.cpp b/OSX/libsecurity_keychain/lib/StorageManager.cpp
index 74041838..fb7d24a7 100644
--- a/OSX/libsecurity_keychain/lib/StorageManager.cpp
+++ b/OSX/libsecurity_keychain/lib/StorageManager.cpp
@@ -1430,8 +1430,8 @@ void StorageManager::login(UInt32 nameLength, const void *name,
 try { Keychain loginRenamed1KC(keychain(loginRenamed1DLDbIdentifier));
- secnotice("KCLogin", "Attempting to unlock %s with %d-character password",
- (loginRenamed1KC) ? loginRenamed1KC->name() : "", (unsigned int)passwordLength);
+ secnotice("KCLogin", "Attempting to unlock renamed KC \"%s\"",
+ (loginRenamed1KC) ? loginRenamed1KC->name() : "");
 loginRenamed1KC->unlock(CssmData(const_cast(password), passwordLength)); // if we get here, we unlocked it
 if (loginKeychainExists) {
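Review bot: SecPolicyCreateAppleSecureIOStaticAsset is documented as using the Basic X.509 policy "with no validity check", i.e. the certificate validity period is ignored, while SecPolicyCreateAppleWarsaw added in the same hunk uses "with validity check"; nothing explains the difference, so the next reader may treat it as a bug. Suggest appending to the @discussion `Validity is not checked because <reason>.` — presumably static assets must remain verifiable after the signing certificate expires, but that is a guess to confirm. Neither new policy says whether revocation is checked, unlike the server policies earlier in this file. Note also that the 1.2.840.113635.100.6.2.10 intermediate marker is the one the PPQ signing policies pin, so a future change to that intermediate's rules affects both uses.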
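Review bot: The rewritten `secnotice` call guards `loginRenamed1KC` with a null check before `->name()`, but the unchanged line right after it, `loginRenamed1KC->unlock(...)`, dereferences the same handle unconditionally — so either the guard is dead or the unlock can hit an empty wrapper, depending on what Keychain's `operator->` does, which I cannot see from here. If an empty handle is possible, the check belongs before the unlock (skip or report the missing keychain instead of dereferencing it); if it is not, the ternary can go. The same pattern appears in the `@@ -1661` hunk for `shortnameDotKC`. StorageManager::login starts and ends outside both hunks.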
@@ -1661,7 +1661,7 @@ void StorageManager::login(UInt32 nameLength, const void *name,
 try { Keychain shortnameDotKC(keychain(shortnameDotDLDbIdentifier));
- secnotice("KCLogin", "Attempting to unlock %s",
+ secnotice("KCLogin", "Attempting to unlock short name keychain \"%s\"",
 (shortnameDotKC) ? shortnameDotKC->name() : ""); shortnameDotKC->unlock(CssmData(const_cast(password), passwordLength)); }
diff --git a/OSX/libsecurity_keychain/libDER/.gitignore b/OSX/libsecurity_keychain/libDER/.gitignore
new file mode 100644
index 00000000..35cfb4d3
--- /dev/null
+++ b/OSX/libsecurity_keychain/libDER/.gitignore
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/.gitignore b/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/.gitignore
new file mode 100644
index 00000000..7f42cdde
--- /dev/null
+++ b/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/.gitignore
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/OSX/libsecurity_smime/.gitignore b/OSX/libsecurity_smime/.gitignore
new file mode 100644
index 00000000..35cfb4d3
--- /dev/null
+++ b/OSX/libsecurity_smime/.gitignore
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_ssl/.gitignore b/OSX/libsecurity_ssl/.gitignore
new file mode 100644
index 00000000..35cfb4d3
--- /dev/null
+++ b/OSX/libsecurity_ssl/.gitignore
@@ -0,0 +1,3 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
diff --git a/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/.gitignore b/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/.gitignore
new file mode 100644
index 00000000..7f42cdde
--- /dev/null
+++ b/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/.gitignore
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/OSX/regressions/.gitignore b/OSX/regressions/.gitignore
new file mode 100644
index 00000000..e43b0f98
--- /dev/null
+++ b/OSX/regressions/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/OSX/regressions/regressions.xcodeproj/.gitignore b/OSX/regressions/regressions.xcodeproj/.gitignore
new file mode 100644
index 00000000..7f42cdde
--- /dev/null
+++ b/OSX/regressions/regressions.xcodeproj/.gitignore
@@ -0,0 +1,2 @@
+project.xcworkspace
+xcuserdata
diff --git a/OSX/sec/.gitignore b/OSX/sec/.gitignore
new file mode 100644
index 00000000..53eb330c
--- /dev/null
+++ b/OSX/sec/.gitignore
@@ -0,0 +1,4 @@
+.DS_Store
+xcuserdata
+project.xcworkspace
+*.swp
diff --git a/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.h b/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.h
new file mode 100644
index 00000000..b60e913b
--- /dev/null
+++ b/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.h
@@ -0,0 +1,270 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef _SECURITY_SI_25_CMS_SKID_H_ +#define _SECURITY_SI_25_CMS_SKID_H_ + +const uint8_t _content[33] = { + 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x63, 0x6f, 0x6e, + 0x74, 0x61, 0x69, 0x6e, 0x73, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x64, 0x61, 0x74, 0x61, 0x2e, + 0x0a +}; + +const uint8_t _signedData[3740] = { + 0x30, 0x82, 0x0e, 0x98, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, + 0x82, 0x0e, 0x89, 0x30, 0x82, 0x0e, 0x85, 0x02, 0x01, 0x03, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x0d, 0x1f, 0x30, 0x82, 0x03, 0x54, 0x30, 0x82, + 0x02, 0x3c, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x02, 0x34, 0x56, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x42, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 
0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, + 0x55, 0x04, 0x0a, 0x13, 0x0d, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x47, 0x65, 0x6f, + 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x20, 0x43, 0x41, 0x30, + 0x1e, 0x17, 0x0d, 0x30, 0x32, 0x30, 0x35, 0x32, 0x31, 0x30, 0x34, 0x30, 0x30, 0x30, 0x30, 0x5a, + 0x17, 0x0d, 0x32, 0x32, 0x30, 0x35, 0x32, 0x31, 0x30, 0x34, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, + 0x42, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x16, + 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73, + 0x74, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, + 0x12, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, + 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, + 0x82, 0x01, 0x01, 0x00, 0xda, 0xcc, 0x18, 0x63, 0x30, 0xfd, 0xf4, 0x17, 0x23, 0x1a, 0x56, 0x7e, + 0x5b, 0xdf, 0x3c, 0x6c, 0x38, 0xe4, 0x71, 0xb7, 0x78, 0x91, 0xd4, 0xbc, 0xa1, 0xd8, 0x4c, 0xf8, + 0xa8, 0x43, 0xb6, 0x03, 0xe9, 0x4d, 0x21, 0x07, 0x08, 0x88, 0xda, 0x58, 0x2f, 0x66, 0x39, 0x29, + 0xbd, 0x05, 0x78, 0x8b, 0x9d, 0x38, 0xe8, 0x05, 0xb7, 0x6a, 0x7e, 0x71, 0xa4, 0xe6, 0xc4, 0x60, + 0xa6, 0xb0, 0xef, 0x80, 0xe4, 0x89, 0x28, 0x0f, 0x9e, 0x25, 0xd6, 0xed, 0x83, 0xf3, 0xad, 0xa6, + 0x91, 0xc7, 0x98, 0xc9, 0x42, 0x18, 0x35, 0x14, 0x9d, 0xad, 0x98, 0x46, 0x92, 0x2e, 0x4f, 0xca, + 0xf1, 0x87, 0x43, 0xc1, 0x16, 0x95, 0x57, 0x2d, 0x50, 0xef, 0x89, 0x2d, 0x80, 0x7a, 0x57, 0xad, + 0xf2, 0xee, 0x5f, 0x6b, 0xd2, 0x00, 0x8d, 0xb9, 0x14, 0xf8, 0x14, 0x15, 0x35, 0xd9, 0xc0, 0x46, + 0xa3, 0x7b, 0x72, 0xc8, 0x91, 0xbf, 0xc9, 0x55, 0x2b, 0xcd, 0xd0, 0x97, 0x3e, 0x9c, 
0x26, 0x64, + 0xcc, 0xdf, 0xce, 0x83, 0x19, 0x71, 0xca, 0x4e, 0xe6, 0xd4, 0xd5, 0x7b, 0xa9, 0x19, 0xcd, 0x55, + 0xde, 0xc8, 0xec, 0xd2, 0x5e, 0x38, 0x53, 0xe5, 0x5c, 0x4f, 0x8c, 0x2d, 0xfe, 0x50, 0x23, 0x36, + 0xfc, 0x66, 0xe6, 0xcb, 0x8e, 0xa4, 0x39, 0x19, 0x00, 0xb7, 0x95, 0x02, 0x39, 0x91, 0x0b, 0x0e, + 0xfe, 0x38, 0x2e, 0xd1, 0x1d, 0x05, 0x9a, 0xf6, 0x4d, 0x3e, 0x6f, 0x0f, 0x07, 0x1d, 0xaf, 0x2c, + 0x1e, 0x8f, 0x60, 0x39, 0xe2, 0xfa, 0x36, 0x53, 0x13, 0x39, 0xd4, 0x5e, 0x26, 0x2b, 0xdb, 0x3d, + 0xa8, 0x14, 0xbd, 0x32, 0xeb, 0x18, 0x03, 0x28, 0x52, 0x04, 0x71, 0xe5, 0xab, 0x33, 0x3d, 0xe1, + 0x38, 0xbb, 0x07, 0x36, 0x84, 0x62, 0x9c, 0x79, 0xea, 0x16, 0x30, 0xf4, 0x5f, 0xc0, 0x2b, 0xe8, + 0x71, 0x6b, 0xe4, 0xf9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, + 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xc0, 0x7a, 0x98, 0x68, 0x8d, 0x89, 0xfb, + 0xab, 0x05, 0x64, 0x0c, 0x11, 0x7d, 0xaa, 0x7d, 0x65, 0xb8, 0xca, 0xcc, 0x4e, 0x30, 0x1f, 0x06, + 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xc0, 0x7a, 0x98, 0x68, 0x8d, 0x89, + 0xfb, 0xab, 0x05, 0x64, 0x0c, 0x11, 0x7d, 0xaa, 0x7d, 0x65, 0xb8, 0xca, 0xcc, 0x4e, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x35, 0xe3, 0x29, 0x6a, 0xe5, 0x2f, 0x5d, 0x54, 0x8e, 0x29, 0x50, 0x94, 0x9f, 0x99, + 0x1a, 0x14, 0xe4, 0x8f, 0x78, 0x2a, 0x62, 0x94, 0xa2, 0x27, 0x67, 0x9e, 0xd0, 0xcf, 0x1a, 0x5e, + 0x47, 0xe9, 0xc1, 0xb2, 0xa4, 0xcf, 0xdd, 0x41, 0x1a, 0x05, 0x4e, 0x9b, 0x4b, 0xee, 0x4a, 0x6f, + 0x55, 0x52, 0xb3, 0x24, 0xa1, 0x37, 0x0a, 0xeb, 0x64, 0x76, 0x2a, 0x2e, 0x2c, 0xf3, 0xfd, 0x3b, + 0x75, 0x90, 0xbf, 0xfa, 0x71, 0xd8, 0xc7, 0x3d, 0x37, 0xd2, 0xb5, 0x05, 0x95, 0x62, 0xb9, 0xa6, + 0xde, 0x89, 0x3d, 0x36, 0x7b, 0x38, 0x77, 0x48, 0x97, 0xac, 0xa6, 0x20, 0x8f, 0x2e, 0xa6, 0xc9, + 0x0c, 0xc2, 0xb2, 0x99, 
0x45, 0x00, 0xc7, 0xce, 0x11, 0x51, 0x22, 0x22, 0xe0, 0xa5, 0xea, 0xb6, + 0x15, 0x48, 0x09, 0x64, 0xea, 0x5e, 0x4f, 0x74, 0xf7, 0x05, 0x3e, 0xc7, 0x8a, 0x52, 0x0c, 0xdb, + 0x15, 0xb4, 0xbd, 0x6d, 0x9b, 0xe5, 0xc6, 0xb1, 0x54, 0x68, 0xa9, 0xe3, 0x69, 0x90, 0xb6, 0x9a, + 0xa5, 0x0f, 0xb8, 0xb9, 0x3f, 0x20, 0x7d, 0xae, 0x4a, 0xb5, 0xb8, 0x9c, 0xe4, 0x1d, 0xb6, 0xab, + 0xe6, 0x94, 0xa5, 0xc1, 0xc7, 0x83, 0xad, 0xdb, 0xf5, 0x27, 0x87, 0x0e, 0x04, 0x6c, 0xd5, 0xff, + 0xdd, 0xa0, 0x5d, 0xed, 0x87, 0x52, 0xb7, 0x2b, 0x15, 0x02, 0xae, 0x39, 0xa6, 0x6a, 0x74, 0xe9, + 0xda, 0xc4, 0xe7, 0xbc, 0x4d, 0x34, 0x1e, 0xa9, 0x5c, 0x4d, 0x33, 0x5f, 0x92, 0x09, 0x2f, 0x88, + 0x66, 0x5d, 0x77, 0x97, 0xc7, 0x1d, 0x76, 0x13, 0xa9, 0xd5, 0xe5, 0xf1, 0x16, 0x09, 0x11, 0x35, + 0xd5, 0xac, 0xdb, 0x24, 0x71, 0x70, 0x2c, 0x98, 0x56, 0x0b, 0xd9, 0x17, 0xb4, 0xd1, 0xe3, 0x51, + 0x2b, 0x5e, 0x75, 0xe8, 0xd5, 0xd0, 0xdc, 0x4f, 0x34, 0xed, 0xc2, 0x05, 0x66, 0x80, 0xa1, 0xcb, + 0xe6, 0x33, 0x30, 0x82, 0x04, 0x40, 0x30, 0x82, 0x03, 0x28, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x03, 0x02, 0x3a, 0x75, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x42, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, 0x47, 0x65, 0x6f, + 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x12, 0x47, 0x65, 0x6f, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x47, 0x6c, + 0x6f, 0x62, 0x61, 0x6c, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x30, 0x36, 0x31, + 0x36, 0x31, 0x35, 0x34, 0x32, 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x35, 0x32, 0x30, + 0x31, 0x35, 0x34, 0x32, 0x34, 0x33, 0x5a, 0x30, 0x62, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x13, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, + 0x20, 0x35, 0x20, 0x2d, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 
0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x13, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf0, 0x8a, 0x08, 0xba, + 0x2c, 0x13, 0x5c, 0x5a, 0xf1, 0x98, 0xfd, 0x31, 0x59, 0x66, 0xc2, 0x56, 0x7a, 0x7e, 0x40, 0x2a, + 0x4c, 0x94, 0xc9, 0x68, 0xb6, 0xb3, 0x23, 0xbd, 0x60, 0x1b, 0x3b, 0xe7, 0xfd, 0x3d, 0x5d, 0x70, + 0x26, 0xc5, 0x3a, 0xaa, 0xb0, 0xca, 0x69, 0x64, 0x0b, 0x62, 0x3e, 0x49, 0xe9, 0x4c, 0x05, 0x21, + 0xbe, 0x34, 0xf4, 0xaa, 0x73, 0x21, 0x13, 0x31, 0x84, 0xe8, 0xce, 0xef, 0x38, 0xcf, 0x57, 0xe9, + 0xdb, 0xcb, 0xce, 0xd1, 0x6d, 0xfa, 0xc8, 0x81, 0x92, 0x2d, 0x22, 0xce, 0x15, 0x7e, 0x7e, 0xb1, + 0x07, 0xac, 0x88, 0xc7, 0x18, 0x92, 0xc1, 0x96, 0xc6, 0x0c, 0x90, 0x26, 0x17, 0x55, 0x5f, 0x19, + 0x1b, 0x25, 0xcf, 0x9e, 0x51, 0x34, 0xfa, 0xf3, 0xe7, 0xb1, 0x1c, 0x78, 0x18, 0xda, 0xe4, 0x39, + 0x1a, 0x91, 0x1b, 0xc2, 0xdf, 0xa8, 0x00, 0x5b, 0x5f, 0x4e, 0xc4, 0x22, 0xb4, 0xba, 0x64, 0xe2, + 0x4a, 0x77, 0xba, 0xed, 0x2c, 0xeb, 0xfe, 0x8b, 0x61, 0x96, 0xf0, 0x1e, 0x84, 0x2d, 0x74, 0x0a, + 0x7b, 0x17, 0xcd, 0xc3, 0xee, 0x00, 0x6e, 0xd7, 0x66, 0x79, 0x8b, 0x50, 0xe9, 0x4f, 0xaf, 0xa6, + 0x3d, 0x91, 0x31, 0x2f, 0xca, 0x87, 0x2b, 0xcf, 0xf7, 0x08, 0x49, 0x14, 0x8a, 0x8e, 0x62, 0x7d, + 0xad, 0x56, 0xaa, 0x95, 0x62, 0xe3, 0xe9, 0x6b, 0x4e, 0x64, 0x41, 0xe2, 0x4f, 0x22, 0xf7, 0x4b, + 0x56, 0xf1, 0x2c, 0xa8, 0x71, 0x11, 0x38, 0x09, 0x8b, 0x97, 0xb9, 0x08, 0xbf, 0xcf, 0x30, 0x26, + 0x83, 0x40, 0x90, 0x63, 0x1a, 0xb6, 0x69, 0xba, 0x79, 0xb7, 0xae, 0x59, 0xec, 0x6b, 0x0d, 0x84, + 
0x47, 0xa7, 0xae, 0x0b, 0x47, 0x4c, 0x06, 0xfb, 0x76, 0x82, 0x69, 0x7b, 0x5e, 0x23, 0x60, 0x52, + 0x35, 0xd0, 0xac, 0x46, 0x1c, 0xea, 0xa0, 0xb6, 0x5a, 0x8b, 0xd9, 0xed, 0x02, 0x03, 0x01, 0x00, + 0x01, 0xa3, 0x82, 0x01, 0x1d, 0x30, 0x82, 0x01, 0x19, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xc0, 0x7a, 0x98, 0x68, 0x8d, 0x89, 0xfb, 0xab, 0x05, 0x64, + 0x0c, 0x11, 0x7d, 0xaa, 0x7d, 0x65, 0xb8, 0xca, 0xcc, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, + 0x0e, 0x04, 0x16, 0x04, 0x14, 0x56, 0x33, 0x90, 0x2f, 0x9d, 0xf4, 0xd2, 0x30, 0xd0, 0x0d, 0x62, + 0x25, 0x13, 0x78, 0x1d, 0x21, 0xa7, 0x51, 0x12, 0x0f, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, + 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x35, 0x06, + 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2e, 0x30, 0x2c, 0x30, 0x2a, 0xa0, 0x28, 0xa0, 0x26, 0x86, 0x24, + 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x67, 0x2e, 0x73, 0x79, 0x6d, 0x63, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x73, 0x2f, 0x67, 0x74, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c, + 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x2e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, + 0x04, 0x22, 0x30, 0x20, 0x30, 0x1e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, + 0x86, 0x12, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x67, 0x2e, 0x73, 0x79, 0x6d, 0x63, 0x64, + 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x4c, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x45, 0x30, 0x43, 0x30, + 0x41, 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x36, 0x30, 0x33, 0x30, + 0x31, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x25, 0x68, 0x74, 0x74, + 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x65, 0x6f, 0x74, 0x72, 0x75, 0x73, 0x74, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x63, + 0x70, 0x73, 0x30, 0x0d, 0x06, 0x09, 
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x98, 0xfa, 0xbf, 0x23, 0x7e, 0x50, 0xda, 0xdc, 0x6d, 0x99, + 0x5a, 0x97, 0x61, 0xe3, 0xa2, 0x67, 0x00, 0x75, 0x23, 0x98, 0xaf, 0x9f, 0xad, 0x21, 0x35, 0xa8, + 0x78, 0x8b, 0xa3, 0xaf, 0x1c, 0x3a, 0x1e, 0x40, 0xe0, 0x84, 0x39, 0x6a, 0x84, 0xd5, 0xd4, 0xa8, + 0x9f, 0xfe, 0xbd, 0xb2, 0x07, 0x76, 0x74, 0x50, 0xb0, 0xbf, 0x6a, 0x00, 0x19, 0xf4, 0xbd, 0xd2, + 0xf6, 0x55, 0x7d, 0x93, 0x0c, 0x14, 0xcd, 0x13, 0xec, 0xc5, 0x31, 0x66, 0xb4, 0xf4, 0x50, 0x50, + 0x71, 0xde, 0xde, 0xfc, 0xce, 0x33, 0x9f, 0xfe, 0xe5, 0x14, 0xa5, 0x17, 0x4c, 0x10, 0xa4, 0xd9, + 0x3a, 0x7e, 0xa4, 0xe7, 0xe0, 0xbd, 0x53, 0x7f, 0xfd, 0xea, 0x8c, 0x80, 0x55, 0x7c, 0xbc, 0x95, + 0xa8, 0x1f, 0xc7, 0x30, 0x41, 0x1b, 0x92, 0xf8, 0xd7, 0xe5, 0x42, 0xb9, 0x71, 0xd7, 0x29, 0x70, + 0x44, 0x55, 0x42, 0xd5, 0x77, 0x12, 0xb5, 0x80, 0xad, 0x55, 0x5f, 0xc3, 0x5b, 0x93, 0xc0, 0x5b, + 0xd6, 0x97, 0xc7, 0x8d, 0x31, 0x49, 0xb7, 0x30, 0x88, 0x33, 0xd8, 0xc6, 0x50, 0x17, 0xc1, 0xb0, + 0x94, 0x0c, 0x88, 0xe3, 0x33, 0x28, 0xad, 0x30, 0x04, 0x05, 0x6d, 0xdc, 0x23, 0xcd, 0x76, 0x4f, + 0x1c, 0xd0, 0xb4, 0x17, 0x7a, 0x04, 0x42, 0x0b, 0xb3, 0xdb, 0xe4, 0x3b, 0xbe, 0x7e, 0x6d, 0xe5, + 0xe1, 0x60, 0x91, 0x7e, 0x24, 0xd1, 0xdf, 0x6e, 0xc0, 0xc9, 0x97, 0x26, 0x17, 0x03, 0xd9, 0xec, + 0x5b, 0x51, 0x5f, 0x8d, 0x28, 0xc9, 0x0e, 0x25, 0x96, 0x5c, 0x98, 0x01, 0x10, 0x19, 0x6b, 0x17, + 0x5a, 0x72, 0x85, 0xf0, 0x5a, 0x70, 0x10, 0x59, 0x4a, 0x43, 0x85, 0xa2, 0x6c, 0xf8, 0x2d, 0x98, + 0x4c, 0xeb, 0xe3, 0x20, 0x73, 0xe9, 0x12, 0xea, 0x03, 0x6a, 0x06, 0xb3, 0xbd, 0x41, 0xca, 0x1c, + 0x57, 0xdf, 0x1f, 0xf5, 0xc4, 0x37, 0x30, 0x82, 0x05, 0x7f, 0x30, 0x82, 0x04, 0x67, 0xa0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x08, 0x7f, 0x11, 0xef, 0xdb, 0xe0, 0x91, 0x91, 0xe6, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x62, 0x31, 0x1c, + 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x41, 0x70, 0x70, 
0x6c, 0x65, 0x20, 0x49, + 0x53, 0x54, 0x20, 0x43, 0x41, 0x20, 0x35, 0x20, 0x2d, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1e, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x35, 0x32, 0x38, 0x31, 0x38, 0x33, 0x30, 0x35, 0x33, + 0x5a, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x36, 0x32, 0x36, 0x31, 0x38, 0x33, 0x30, 0x35, 0x33, 0x5a, + 0x30, 0x53, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x62, 0x62, 0x61, + 0x73, 0x69, 0x6c, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, + 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xaf, 0xba, 0x8e, 0x32, 0x59, 0xa1, 0xd3, 0xc7, 0x16, 0x1c, + 0x21, 0xe8, 0x65, 0xc8, 0x2f, 0x48, 0xc1, 0x01, 0x36, 0xdc, 0x55, 0xcb, 0x73, 0x95, 0x0d, 0x16, + 0x60, 0x40, 0x7c, 0xe3, 0x87, 0xb6, 0xad, 0xa7, 0x40, 0x86, 0xb9, 0x81, 0xfa, 0xd4, 0xd4, 0x55, + 0xe0, 0xa1, 0x73, 0x24, 0x49, 0x30, 0xff, 0x33, 0xe2, 0xb2, 0x7a, 0xf6, 0x66, 0xda, 0x37, 0x42, + 0x49, 0xaa, 0x54, 0x87, 0x55, 0x46, 0x75, 0xe2, 0x62, 0x07, 0xc6, 0x68, 0x95, 0x6a, 0x43, 0xd7, + 0x4a, 0xe1, 0xf3, 0xd9, 0x56, 0x11, 0xa7, 0xdb, 0x90, 0xfc, 0x5a, 0xd2, 0xa1, 0x61, 0xac, 0xc3, + 0xe0, 0x6c, 
0x8d, 0x3a, 0x2e, 0xee, 0xee, 0x74, 0x1c, 0xba, 0xad, 0x24, 0x1b, 0xf2, 0x41, 0xae, + 0x49, 0x5d, 0x6e, 0x6c, 0x3f, 0xc8, 0x2b, 0xcd, 0xbc, 0x64, 0xb7, 0x68, 0x31, 0x69, 0xc7, 0x00, + 0x0a, 0x8b, 0xe8, 0xe8, 0x6a, 0x5d, 0xd8, 0xda, 0x7b, 0x7a, 0x3e, 0xf1, 0xde, 0x0d, 0x83, 0xbc, + 0x7d, 0xeb, 0x76, 0xd1, 0xa5, 0x3f, 0x90, 0xb5, 0xa7, 0xd6, 0x0c, 0x1b, 0xe8, 0x2d, 0x75, 0xc3, + 0xed, 0x6b, 0xf6, 0xf2, 0x99, 0xf2, 0xa6, 0xd0, 0xff, 0x4f, 0x27, 0x18, 0x19, 0x6c, 0x57, 0xc9, + 0x74, 0xe8, 0x74, 0x20, 0x97, 0x82, 0x86, 0x86, 0xed, 0x1a, 0x5c, 0xf6, 0xab, 0x09, 0x57, 0x0e, + 0x40, 0xc9, 0x97, 0xbe, 0x00, 0x82, 0xb7, 0x03, 0x9b, 0x23, 0xb1, 0xbb, 0xdc, 0x57, 0xdb, 0xf1, + 0xbb, 0x8a, 0x60, 0xf5, 0x8f, 0xc1, 0x9c, 0x29, 0xe3, 0x44, 0xec, 0x6c, 0xeb, 0x43, 0x4f, 0x5b, + 0xc4, 0xa3, 0x65, 0x96, 0xb8, 0xa7, 0x7c, 0xe0, 0x86, 0xf8, 0xd3, 0x53, 0x96, 0xc9, 0xdf, 0x10, + 0x87, 0x95, 0xfb, 0x37, 0xb6, 0xb6, 0x1a, 0x27, 0x3a, 0x06, 0x46, 0x46, 0xbc, 0x83, 0x67, 0xa6, + 0xc2, 0x0e, 0xa1, 0x6d, 0xdb, 0x85, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x46, 0x30, + 0x82, 0x02, 0x42, 0x30, 0x48, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, + 0x3c, 0x30, 0x3a, 0x30, 0x38, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, + 0x2c, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x61, 0x70, 0x70, + 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x34, 0x2d, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x69, 0x73, 0x74, 0x63, 0x61, 0x35, 0x67, 0x31, 0x30, 0x31, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xf2, 0x03, 0x28, 0xd3, 0x26, 0xde, 0xc3, 0x80, + 0xbc, 0xf9, 0x02, 0x31, 0xc2, 0x25, 0x13, 0x6c, 0x4c, 0xa6, 0x2e, 0xbe, 0x30, 0x0c, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, + 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x56, 0x33, 0x90, 0x2f, 0x9d, 0xf4, 0xd2, 0x30, 0xd0, + 0x0d, 0x62, 0x25, 0x13, 0x78, 0x1d, 0x21, 0xa7, 
0x51, 0x12, 0x0f, 0x30, 0x82, 0x01, 0x2a, 0x06, + 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0x21, 0x30, 0x82, 0x01, 0x1d, 0x30, 0x82, 0x01, 0x19, + 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x05, 0x0b, 0x05, 0x01, 0x30, 0x82, 0x01, + 0x08, 0x30, 0x81, 0xca, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x81, + 0xbd, 0x0c, 0x81, 0xba, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x6e, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x20, 0x61, 0x73, 0x73, 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x61, + 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, + 0x63, 0x61, 0x62, 0x6c, 0x65, 0x20, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x75, + 0x73, 0x65, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, 0x69, 0x63, 0x65, 0x20, 0x73, 0x74, + 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x63, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x73, 0x68, 0x61, 0x6c, 0x6c, + 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x20, 0x61, 0x73, 0x2c, 0x20, 0x6f, + 0x72, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x20, 0x61, 0x20, 0x77, 0x72, 0x69, 0x74, + 0x74, 0x65, 0x6e, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x30, 0x39, + 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x2d, 0x68, 0x74, 0x74, 0x70, + 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x61, 0x75, 0x74, 0x68, + 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x72, 0x70, 0x61, 0x30, 0x37, 0x06, 0x03, 0x55, 0x1d, 0x1f, + 0x04, 0x30, 0x30, 0x2e, 0x30, 0x2c, 0xa0, 0x2a, 0xa0, 0x28, 0x86, 0x26, 0x68, 0x74, 
0x74, 0x70, + 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x69, 0x73, 0x74, 0x63, 0x61, 0x35, 0x67, 0x31, 0x2e, 0x63, + 0x72, 0x6c, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, + 0x05, 0xa0, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, + 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, + 0x30, 0x13, 0x81, 0x11, 0x62, 0x62, 0x61, 0x73, 0x69, 0x6c, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6b, 0x17, 0xbc, 0x28, 0x7a, 0x64, 0xe7, + 0x6a, 0x30, 0x36, 0x2e, 0x49, 0x9b, 0x45, 0xda, 0x4c, 0x64, 0x86, 0xbb, 0x8c, 0x08, 0xc3, 0xbb, + 0x2e, 0xfb, 0xa2, 0x8e, 0x9d, 0x33, 0xdf, 0x29, 0xea, 0x69, 0x2a, 0x6b, 0x06, 0x2b, 0x9b, 0x39, + 0x7a, 0xcc, 0xe2, 0x50, 0x22, 0xb3, 0x09, 0x47, 0x60, 0x98, 0x34, 0x08, 0xb9, 0x72, 0x9f, 0xf8, + 0x3a, 0x52, 0x6f, 0x60, 0x82, 0x24, 0x10, 0xd2, 0xe2, 0xba, 0xc3, 0x84, 0xf2, 0xdc, 0x39, 0x0b, + 0xef, 0x5f, 0xdb, 0x82, 0x38, 0x5c, 0x69, 0xf3, 0x0e, 0xe8, 0x66, 0x93, 0x56, 0xde, 0xe0, 0xba, + 0xed, 0xc7, 0x31, 0xfa, 0x33, 0x1c, 0x65, 0xb4, 0xbc, 0x55, 0x4c, 0xc0, 0x0c, 0xda, 0xe2, 0x3e, + 0x76, 0xf6, 0xc4, 0x27, 0x92, 0xef, 0x60, 0x9d, 0x08, 0x7e, 0xad, 0x91, 0x63, 0x61, 0xc0, 0x07, + 0x11, 0xd5, 0x85, 0xc1, 0xa3, 0xb4, 0x26, 0xab, 0xd2, 0xac, 0xe7, 0x5a, 0xc6, 0xf5, 0xa5, 0xe3, + 0x1c, 0x55, 0x97, 0xae, 0xd7, 0x6c, 0x53, 0xfe, 0x24, 0x76, 0xf7, 0x40, 0x0e, 0x7d, 0xb9, 0xe5, + 0xcf, 0x65, 0x83, 0xa8, 0xc0, 0x28, 0x83, 0xcf, 0x03, 0xe8, 0xac, 0x90, 0x4c, 0xdd, 0xea, 0xbf, + 0x08, 0x54, 0xf4, 0x64, 0x46, 0x44, 0xfd, 0xab, 0xa1, 0x0d, 0x32, 0x26, 0xbd, 0xab, 0xef, 0xa1, + 0x3f, 0x8b, 0x92, 0x0e, 0xdd, 0x15, 0xeb, 0xb2, 0x76, 0x43, 0xbc, 0xe5, 0xde, 0x21, 0x95, 0x0c, + 0x49, 0xfb, 0x64, 0x90, 
0x17, 0x27, 0x8d, 0x7f, 0x53, 0xc3, 0xb0, 0xf1, 0x73, 0xa4, 0x08, 0x5d, + 0x92, 0x5f, 0x4b, 0xb5, 0xeb, 0xdb, 0x11, 0xcb, 0xb6, 0xe9, 0xef, 0xc7, 0xe0, 0x65, 0x32, 0x5a, + 0x39, 0xd6, 0xc3, 0xfb, 0xcf, 0xb5, 0xf3, 0x88, 0x3c, 0x3b, 0xa2, 0xe7, 0xc6, 0x57, 0x59, 0x03, + 0xb6, 0xc1, 0x32, 0x8e, 0x23, 0x1f, 0xc9, 0x33, 0xdb, 0x31, 0x82, 0x01, 0x3f, 0x30, 0x82, 0x01, + 0x3b, 0x02, 0x01, 0x03, 0xa0, 0x16, 0x04, 0x14, 0xf2, 0x03, 0x28, 0xd3, 0x26, 0xde, 0xc3, 0x80, + 0xbc, 0xf9, 0x02, 0x31, 0xc2, 0x25, 0x13, 0x6c, 0x4c, 0xa6, 0x2e, 0xbe, 0x30, 0x0b, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x2f, 0x47, 0xc4, 0xc0, + 0x95, 0x16, 0x10, 0x08, 0x48, 0xe1, 0x91, 0x4e, 0xd9, 0x24, 0xae, 0xf3, 0xb1, 0x7f, 0x92, 0x8e, + 0x88, 0xc3, 0xfd, 0x11, 0x33, 0x14, 0xc1, 0xf1, 0x19, 0xa3, 0x54, 0x60, 0xe7, 0x75, 0x9d, 0xb6, + 0xac, 0x07, 0x83, 0x5c, 0xab, 0xf7, 0x6a, 0xf2, 0x3d, 0xf0, 0x26, 0x5e, 0xdf, 0xaf, 0x92, 0x2d, + 0xea, 0x01, 0x77, 0x2d, 0x91, 0x7c, 0x89, 0x79, 0xe1, 0xc5, 0xa5, 0xdc, 0x7a, 0x3a, 0xfd, 0xba, + 0x60, 0x64, 0xad, 0x0e, 0xc2, 0x09, 0x39, 0x61, 0x8b, 0x83, 0x27, 0x8a, 0xeb, 0xc0, 0x30, 0x1e, + 0x67, 0x01, 0x77, 0xd9, 0xe8, 0xf8, 0x0b, 0x60, 0xf4, 0x17, 0x19, 0xbb, 0x20, 0xfa, 0x80, 0xeb, + 0xe6, 0x52, 0xac, 0x7e, 0x5b, 0xe1, 0xed, 0x60, 0x68, 0x40, 0x33, 0x97, 0x1e, 0x57, 0x85, 0x89, + 0xad, 0xe9, 0xd3, 0x81, 0xf0, 0xea, 0xa1, 0x73, 0x5a, 0x66, 0xb1, 0x03, 0x9a, 0x5f, 0xdd, 0x89, + 0xd6, 0xd7, 0x93, 0x18, 0xc6, 0xd0, 0xbf, 0xd2, 0xdf, 0x67, 0xca, 0xbe, 0x1b, 0x05, 0x42, 0xc2, + 0x1f, 0x36, 0xfa, 0xbe, 0x1d, 0x4b, 0x2b, 0x28, 0xf0, 0x9c, 0xdb, 0x84, 0xbc, 0xf7, 0x39, 0x20, + 0x68, 0x10, 0x5b, 0xdd, 0x61, 0x00, 0x72, 0x67, 0x61, 0x19, 0x46, 0xa3, 0x3a, 0x09, 0x03, 0xcd, + 0x79, 0x49, 0x06, 0xe8, 0x8f, 0x59, 0x41, 0xbd, 0x81, 0xf0, 0x32, 0x81, 0x78, 0xc0, 0x8f, 0x3f, + 0x18, 0xa2, 0x12, 0xdd, 0xde, 0xe7, 0xed, 0x8e, 0x9f, 0x57, 
0x76, 0xe0, 0x62, 0x72, 0xc6, 0x90, + 0xcc, 0x73, 0xda, 0xe0, 0x30, 0xce, 0xb3, 0x21, 0x6b, 0x52, 0x31, 0x8c, 0x6a, 0x26, 0x59, 0xed, + 0xad, 0x46, 0x03, 0x69, 0xe7, 0xf5, 0x88, 0x97, 0x6f, 0x42, 0x21, 0x6b, 0xe8, 0xc6, 0x6e, 0x89, + 0x47, 0x01, 0x28, 0xf6, 0x6a, 0x89, 0x54, 0x4a, 0xdc, 0x9e, 0x3e, 0x1f +}; + +#endif /* _SECURITY_SI_25_CMS_SKID_H_ */ diff --git a/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.m b/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.m new file mode 100644 index 00000000..d6d53b98 --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-25-cms-skid.m 
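Review bot: `_content` and `_signedData` are defined, not declared, in a header and without `static`, so in C/Objective-C they have external linkage and any second translation unit that includes si-25-cms-skid.h will fail to link with duplicate symbols; the file-scope identifiers also begin with an underscore, which the C standard reserves for the implementation. Declare them `static const uint8_t _content[33] = {` and `static const uint8_t _signedData[3740] = {` (or drop the leading underscore), and add `#include <stdint.h>` so the header does not rely on its includer for `uint8_t`. The leaf certificate inside the blob appears to encode a notAfter of 2018-06-26, so a header comment in the style of si-84's "On allow list until: …" stating the validity window would explain why the companion test pins its verify date.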
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "shared_regressions.h"
+
+#import
+#import
+
+#import
+#import
+#include
+
+#import "si-25-cms-skid.h"
+
+static void test_cms_verification(void)
+{
+ NSData *content = [NSData dataWithBytes:_content length:sizeof(_content)];
+ NSData *signedData = [NSData dataWithBytes:_signedData length:sizeof(_signedData)];
+
+ SecPolicyRef policy = SecPolicyCreateBasicX509();
+ SecTrustRef trust = NULL;
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+
+ ok_status(SecCMSVerify((__bridge CFDataRef)signedData, (__bridge CFDataRef)content, policy, &trust, NULL), "verify CMS message");
+
+ //10 Sept 2016
+ ok_status(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:495245242.0]), "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is(trustResult, kSecTrustResultUnspecified, "trust suceeded");
+
+ CFReleaseSafe(policy);
+ CFRetainSafe(trust);
+}
+
+int si_25_cms_skid(int argc, char *const 
*argv) +{ + plan_tests(4); + + test_cms_verification(); + + return 0; +} diff --git a/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c b/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c index 1d539187..bc8c78f2 100644 --- a/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c +++ b/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c @@ -489,6 +489,7 @@ static void test_pcs_escrow_with_anchor_roots(CFArrayRef anchors) CFArrayRef certs = NULL; CFDateRef date = NULL; SecTrustRef trust = NULL; + OSStatus status; isnt(leafCert = SecCertificateCreateWithBytes(NULL, kPCSEscrowLeafCert, sizeof(kPCSEscrowLeafCert)), NULL, "could not create leafCert from kPCSEscrowLeafCert"); @@ -503,7 +504,8 @@ static void test_pcs_escrow_with_anchor_roots(CFArrayRef anchors) /* Set explicit verify date: Mar 18 2016. */ isnt(date = CFDateCreate(NULL, 480000000.0), NULL, "create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); + status = (date) ? SecTrustSetVerifyDate(trust, date) : errSecParam; + ok_status(status, "set date"); SecTrustSetAnchorCertificates(trust, anchors); diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c new file mode 100644 index 00000000..9603fb89 --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-whitelist.c 
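Review bot: `CFRetainSafe(trust);` at the end of test_cms_verification leaks the SecTrustRef that SecCMSVerify handed back; the cleanup mirrors `CFReleaseSafe(policy)` and should read `CFReleaseSafe(trust);`. If SecCMSVerify fails, `trust` stays NULL and is still passed to SecTrustSetVerifyDate and SecTrustEvaluate, so the remaining assertions crash rather than fail cleanly; guarding them the way the si-71 hunk in this commit guards `date` (e.g. `ok_status(trust ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");`) keeps the run reporting. The test description `"trust suceeded"` is misspelled.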
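Review bot: `OSStatus status;` added in the first si-71 hunk is declared without an initializer and is only assigned in the second hunk, so any future early path in test_pcs_escrow_with_anchor_roots that reaches `ok_status(status, ...)` before the assignment would read an indeterminate value; `OSStatus status = errSecParam;` makes the guard's failure value the default. The new guard, `status = (date) ? SecTrustSetVerifyDate(trust, date) : errSecParam;`, still passes `trust` unchecked; it is created between the two hunks, so I cannot tell from here whether it can be NULL at that point. The enclosing function starts before the first hunk and continues after the second.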
@@ -0,0 +1,1386 @@ +/* + * si-84-sectrust-allowlist.c + * Security + * + * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved. + */ + +#include +#include + +#include "shared_regressions.h" + +/* On allow list until: + Not After : Mar 9 07:45:00 2018 GMT +*/ +static const UInt8 cert0[] = { + 0x30,0x82,0x05,0x44,0x30,0x82,0x04,0x2c,0xa0,0x03,0x02,0x01,0x02,0x02,0x11,0x00, + 0x9d,0x12,0x4b,0xdb,0x57,0xb7,0x9f,0xba,0x33,0xf6,0x44,0xd9,0x10,0x40,0x48,0x4c, + 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30, + 0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19, + 0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53, + 0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x31,0x19,0x30,0x17,0x06,0x03,0x55, + 0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36, + 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x35,0x30,0x33,0x30,0x39,0x30,0x37, + 0x34,0x35,0x30,0x30,0x5a,0x17,0x0d,0x31,0x38,0x30,0x33,0x30,0x39,0x30,0x37,0x34, + 0x35,0x30,0x30,0x5a,0x30,0x79,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x53,0x17, + 0x4e,0xac,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x07,0x1e,0x04,0x53,0x17,0x4e, + 0xac,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x0a,0x1e,0x1a,0x53,0x17,0x4e,0xac, + 0x74,0x5e,0x94,0xb1,0x5b,0x9d,0x4f,0xe1,0x60,0x6f,0x67,0x0d,0x52,0xa1,0x67,0x09, + 0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x0b,0x1e, + 0x06,0x7f,0x51,0x7e,0xdc,0x90,0xe8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03, + 0x13,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71,0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x30, + 0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01, + 0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00, + 0xfc,0x09,0x73,0x1d,0x18,0x75,0xbd,0x7f,0xf5,0xce,0x9e,0x6e,0x26,0x1c,0xbd,0xca, + 
0xc7,0x1b,0x75,0x45,0x13,0x1e,0xe4,0x52,0x7e,0x78,0xe9,0x1c,0x79,0xa1,0x02,0xd8, + 0x3d,0xc6,0xc5,0x6f,0x7b,0xbd,0xae,0xc7,0x3b,0xe6,0x45,0xc2,0xe9,0xc9,0x32,0x2d, + 0xd4,0xda,0x7a,0x93,0x79,0x30,0xce,0xec,0x6f,0xf5,0x0d,0x2d,0xde,0xa4,0xce,0xbd, + 0x40,0xfb,0xda,0x7d,0x48,0x7d,0x98,0x02,0x17,0x75,0x99,0x65,0x68,0x1c,0xbb,0x92, + 0x29,0x16,0xdc,0xc6,0x1d,0x1d,0x19,0x1b,0x94,0x17,0x6e,0x93,0xd8,0x57,0xaa,0x00, + 0xf9,0xa2,0x37,0x9a,0xde,0x65,0xc2,0xce,0xa5,0xae,0x80,0xa7,0x56,0xab,0x8c,0xc8, + 0x6a,0x3d,0xbe,0x86,0xe1,0x13,0x69,0x41,0x4b,0xe9,0xfa,0xd9,0xa5,0x63,0x8f,0xba, + 0x02,0x15,0x09,0xca,0xf9,0x27,0x0f,0xea,0x90,0x4f,0x5d,0xa5,0x66,0x51,0xad,0xc8, + 0xff,0x2d,0xf3,0xd4,0x7c,0xd3,0x06,0xe8,0xc2,0xdc,0x08,0x63,0x3d,0x69,0xb6,0x89, + 0x5f,0x3f,0x9c,0xdc,0x21,0xa8,0xbd,0x0a,0xbe,0xc2,0x0e,0x08,0x06,0x05,0xb7,0x46, + 0x96,0xec,0x08,0x5c,0xb9,0xef,0xfa,0x4b,0xd1,0x60,0x10,0xac,0xc8,0x88,0xbf,0xb7, + 0xb1,0xb1,0x7a,0x55,0xdd,0xd9,0x96,0x06,0x5b,0xfb,0xc2,0xa5,0xd4,0x9c,0xde,0x24, + 0x0c,0x7e,0x22,0x59,0xb0,0xa6,0x7a,0xc7,0x18,0x02,0x6c,0x1a,0x21,0x8c,0x79,0x8a, + 0xc5,0xbb,0x10,0x54,0x1b,0x77,0x04,0xcf,0x46,0x60,0x36,0x42,0xfb,0x8a,0x13,0xf7, + 0xa0,0xd6,0x03,0x33,0xb6,0xc4,0x1e,0x08,0x58,0x5d,0xb3,0xd3,0xc3,0x6c,0x0e,0x9f, + 0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xfb,0x30,0x82,0x01,0xf7,0x30,0x09,0x06, + 0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x73,0x06,0x08,0x2b,0x06,0x01,0x05, + 0x05,0x07,0x01,0x01,0x04,0x67,0x30,0x65,0x30,0x28,0x06,0x08,0x2b,0x06,0x01,0x05, + 0x05,0x07,0x30,0x01,0x86,0x1c,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73, + 0x70,0x73,0x68,0x61,0x32,0x73,0x73,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63, + 0x6e,0x2f,0x30,0x39,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x2d, + 0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63, + 0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72, + 0x74,0x2f,0x53,0x48,0x41,0x32,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x36,0x06, + 
0x03,0x55,0x1d,0x11,0x04,0x2f,0x30,0x2d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x71, + 0x62,0x61,0x6f,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69, + 0x71,0x62,0x2e,0x63,0x6f,0x6d,0x82,0x0d,0x77,0x77,0x77,0x2e,0x72,0x75,0x69,0x71, + 0x74,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02, + 0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x50,0x0e,0x94, + 0x7e,0x68,0x20,0x2d,0x95,0x58,0x3f,0x8f,0x51,0xa6,0xdd,0x5a,0xb9,0xef,0xfe,0xf0, + 0x50,0x30,0x1d,0x06,0x03,0x55,0x1d,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2b,0x06, + 0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02, + 0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xb7,0xd1,0x59, + 0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00,0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53, + 0x3c,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a, + 0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x01,0x30,0x26,0x30,0x24,0x06,0x08, + 0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f, + 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70, + 0x73,0x2f,0x30,0x81,0x8f,0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x87,0x30,0x81,0x84, + 0x30,0x4d,0xa0,0x4b,0xa0,0x49,0xa4,0x47,0x30,0x45,0x31,0x0b,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a, + 0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53, + 0x53,0x4c,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03,0x63,0x72,0x6c, + 0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72,0x6c,0x31,0x30, + 0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,0x72, + 0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c, + 0x6f,0x61,0x64,0x2f,0x73,0x68,0x61,0x32,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31, + 0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01, + 
0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x26,0xa8,0x7c,0x88,0x57,0xb7,0xe2,0xa0, + 0xf5,0x55,0xbb,0x93,0xa1,0xea,0xc2,0x0a,0x82,0xa1,0x82,0x3d,0xe1,0x85,0xfe,0x26, + 0x95,0x5f,0x16,0x13,0x88,0x87,0x2d,0x6f,0xbe,0x0a,0xe8,0xe7,0x04,0xcd,0xa5,0x9e, + 0xac,0x69,0xd5,0xa0,0x81,0x27,0x91,0xdc,0xcd,0xa6,0xbd,0x62,0x0c,0x67,0x3f,0x39, + 0xdf,0x23,0xa8,0xf5,0xd5,0xb6,0xa8,0x14,0x93,0x80,0x0b,0x17,0x04,0xbd,0x0a,0x75, + 0x74,0x34,0x26,0xf6,0x46,0x82,0x34,0x1d,0x26,0x06,0x43,0x2a,0xd8,0xff,0x0e,0xf1, + 0xf0,0xf1,0x74,0x8b,0x17,0x9a,0x6d,0x24,0x90,0x8d,0x35,0x69,0xc4,0xff,0xf7,0x6a, + 0x81,0x00,0x27,0x11,0xd5,0xc7,0xc4,0xac,0x98,0x15,0x20,0xe7,0x90,0x8a,0xb7,0x3d, + 0xdf,0xbf,0x18,0x7f,0x7c,0xa7,0x38,0x42,0xa7,0xe2,0x94,0xda,0xcb,0xb5,0x84,0x67, + 0x9d,0x82,0x37,0x58,0xa0,0x7f,0x06,0xcb,0xf5,0x3b,0x22,0x8f,0x54,0x19,0x8e,0xad, + 0x82,0x14,0xf3,0x8f,0xcd,0x55,0x93,0xb6,0xa7,0xdb,0xf5,0x25,0xd9,0x04,0x7c,0x69, + 0xc7,0x08,0x7e,0x32,0xcb,0xce,0x9d,0xb2,0x45,0x25,0x61,0x6b,0x7b,0xd3,0xb0,0x2a, + 0xd1,0xa8,0x1c,0xab,0x5b,0x3f,0x1d,0x8f,0xbd,0x46,0xb8,0x0d,0x33,0x4b,0xc9,0x3b, + 0x94,0x7f,0xa8,0x28,0x0f,0xa8,0xb7,0xbc,0x0d,0xcf,0xf7,0x7e,0xc1,0xcf,0xc7,0xf2, + 0x2f,0x1d,0x77,0xe4,0xdc,0x15,0xb0,0x42,0x0c,0x4d,0xd2,0x8d,0x6e,0x58,0x31,0x5b, + 0x5f,0xc9,0x4f,0x43,0x53,0x76,0x7b,0x2a,0xd6,0x65,0x93,0x28,0xb4,0xb8,0xdc,0x3c, + 0x3c,0x03,0xcc,0x5e,0x9f,0x52,0x28,0x9a, +}; + +/* On allow list until: + Not After : Dec 24 08:34:15 2016 GMT +*/ +static const UInt8 cert1[1475]={ + 0x30,0x82,0x05,0xBF,0x30,0x82,0x04,0xA7,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x1A, + 0x2F,0xDD,0xD9,0x35,0x3B,0x65,0xEE,0x1B,0xB4,0x66,0x19,0x4D,0xF3,0x10,0xE1,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x58, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30, + 0x30,0x06,0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E, + 0x74,0x65,0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49, + 
0x6E,0x66,0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65, + 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0C,0x0C,0x43,0x4E,0x4E,0x49, + 0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x32, + 0x32,0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x17,0x0D,0x31,0x36,0x31,0x32,0x32, + 0x34,0x30,0x38,0x33,0x34,0x31,0x35,0x5A,0x30,0x81,0xF3,0x31,0x1B,0x30,0x19,0x06, + 0x03,0x55,0x04,0x0F,0x13,0x12,0x56,0x31,0x2E,0x30,0x2C,0x20,0x43,0x6C,0x61,0x75, + 0x73,0x65,0x20,0x35,0x2E,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04, + 0x05,0x13,0x0F,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x33,0x39,0x33,0x39, + 0x35,0x39,0x31,0x13,0x30,0x11,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C, + 0x02,0x01,0x03,0x13,0x02,0x43,0x4E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01, + 0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,0x13,0x07,0x53,0x69,0x63,0x68,0x75,0x61, + 0x6E,0x31,0x18,0x30,0x16,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02, + 0x01,0x01,0x13,0x07,0x63,0x68,0x65,0x6E,0x67,0x44,0x75,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04, + 0x08,0x1E,0x04,0x56,0xDB,0x5D,0xDD,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x07, + 0x1E,0x04,0x62,0x10,0x90,0xFD,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0A,0x1E, + 0x14,0x56,0xDB,0x5D,0xDD,0x9E,0x4F,0x59,0x29,0x62,0x95,0x8D,0x44,0x67,0x09,0x96, + 0x50,0x51,0x6C,0x53,0xF8,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x0B,0x1E,0x06, + 0x62,0x80,0x67,0x2F,0x90,0xE8,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13, + 0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x30,0x82, + 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, + 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0x99, + 0x31,0x25,0x93,0xE0,0x9A,0x65,0x36,0xCC,0x16,0x86,0xAF,0xBF,0x0D,0x2D,0x0B,0xE6, + 0x9A,0xD5,0x00,0x89,0xAD,0x6B,0x49,0x59,0x10,0x74,0x3A,0xA7,0x4F,0xEB,0xBD,0xC0, + 
0xEE,0x46,0x1A,0x4E,0x9B,0x96,0x20,0xD7,0x2C,0xF8,0x93,0x5C,0x2A,0xAF,0x57,0x15, + 0x0C,0x57,0x3A,0xD0,0x25,0x92,0x2E,0x18,0xB4,0xDF,0xD8,0x3E,0xA2,0xC0,0xC6,0x5E, + 0x7A,0xD1,0xDA,0xAD,0x99,0x12,0x24,0x04,0xA1,0x42,0x5A,0xB0,0x42,0x3A,0x4F,0x02, + 0xDE,0x8A,0x55,0xD7,0xB0,0x24,0x97,0x62,0xF9,0x95,0x70,0xFA,0xA8,0x81,0xFC,0x3A, + 0xB5,0xA0,0x94,0x8E,0x42,0x89,0xF9,0x15,0x4B,0x06,0xD8,0xA1,0xC7,0xB0,0xC8,0x94, + 0x03,0x57,0xF0,0x01,0xDB,0x0D,0x85,0xFD,0xA1,0xCD,0x1D,0x3C,0xF5,0x14,0x6C,0x79, + 0x46,0xCF,0x00,0x3A,0x6C,0x74,0xD9,0x79,0xFD,0x9C,0xD9,0x61,0x7D,0x84,0x4F,0x82, + 0x2A,0x40,0x00,0x58,0x2C,0xF0,0x3A,0xDF,0xD4,0x8A,0x39,0x24,0x5C,0xB1,0xA6,0xAD, + 0x02,0x4C,0x16,0xCE,0x82,0xE6,0x22,0x32,0xC2,0x2A,0x93,0x94,0x25,0x5D,0x42,0xF9, + 0xD2,0x2B,0xD5,0x9F,0xDB,0x45,0x51,0xE4,0x0E,0xD4,0x48,0x12,0xB1,0x67,0xF4,0x6D, + 0x91,0x86,0xBC,0xFB,0xC6,0xE6,0xA0,0x7F,0x2B,0x8F,0xFB,0x67,0xEA,0x5D,0xAB,0x73, + 0xDD,0x9D,0x40,0xFA,0xF7,0xDC,0xDE,0x48,0x20,0x47,0x32,0xC0,0xD1,0x98,0x4F,0x81, + 0xDF,0xAF,0x96,0xDB,0x83,0xEE,0xC5,0x3A,0x4E,0x67,0xE1,0xF4,0x83,0x27,0x46,0x0D, + 0x78,0xB1,0xC6,0x42,0xEF,0xD9,0x76,0xD3,0xAC,0x7C,0x5A,0xF8,0x09,0xCF,0x0B,0x02, + 0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0xE7,0x30,0x82,0x01,0xE3,0x30,0x09,0x06,0x03, + 0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70, + 0x65,0x76,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x30,0x3C,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, + 0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77, + 0x6E,0x6C,0x6F,0x61,0x64,0x2F,0x63,0x65,0x72,0x74,0x2F,0x43,0x4E,0x4E,0x49,0x43, + 0x45,0x56,0x53,0x53,0x4C,0x2E,0x63,0x65,0x72,0x30,0x18,0x06,0x03,0x55,0x1D,0x11, + 0x04,0x11,0x30,0x0F,0x82,0x0D,0x77,0x77,0x77,0x2E,0x70,0x74,0x63,0x66,0x74,0x2E, + 
0x63,0x6F,0x6D,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0, + 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x04,0x26,0xBE,0x73,0x88, + 0x8C,0xF6,0x64,0xBA,0xBB,0x09,0x34,0x7A,0x09,0xF9,0x51,0x57,0x43,0x8D,0x86,0x30, + 0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, + 0x14,0x0C,0xCF,0xB4,0x48,0x2C,0x50,0xE8,0x8B,0xD2,0x72,0xFD,0x1C,0xF0,0x2F,0xBC, + 0x52,0xAB,0x2B,0x69,0x5E,0x30,0x3F,0x06,0x03,0x55,0x1D,0x20,0x04,0x38,0x30,0x36, + 0x30,0x34,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x81,0xE9,0x0C,0x01,0x0A,0x30,0x26, + 0x30,0x24,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74, + 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63,0x6E,0x6E,0x69,0x63,0x2E,0x63, + 0x6E,0x2F,0x63,0x70,0x73,0x2F,0x30,0x81,0xA6,0x06,0x03,0x55,0x1D,0x1F,0x04,0x81, + 0x9E,0x30,0x81,0x9B,0x30,0x66,0xA0,0x64,0xA0,0x62,0xA4,0x60,0x30,0x5E,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x32,0x30,0x30,0x06, + 0x03,0x55,0x04,0x0A,0x0C,0x29,0x43,0x68,0x69,0x6E,0x61,0x20,0x49,0x6E,0x74,0x65, + 0x72,0x6E,0x65,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x20,0x49,0x6E,0x66, + 0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x65,0x6E,0x74,0x65,0x72,0x31, + 0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x0B,0x0C,0x03,0x63,0x72,0x6C,0x31,0x0D,0x30, + 0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,0x63,0x72,0x6C,0x31,0x30,0x31,0xA0,0x2F, + 0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x63, + 0x6E,0x6E,0x69,0x63,0x2E,0x63,0x6E,0x2F,0x64,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64, + 0x2F,0x65,0x76,0x63,0x72,0x6C,0x2F,0x63,0x72,0x6C,0x31,0x2E,0x63,0x72,0x6C,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0xA3,0xDE,0x24,0x78,0xF5,0x07,0x23,0xEC,0x77,0x62,0x71,0x60,0x01, + 0xAE,0xC7,0xBD,0x49,0x8D,0x40,0x0C,0x49,0xAE,0x1A,0x47,0x2B,0x22,0xAE,0x66,0x2B, + 
0x34,0x83,0xAD,0x17,0xA1,0x45,0xC7,0xEC,0x16,0x80,0x2F,0x24,0x41,0xDF,0xFF,0xB0, + 0x9D,0xE0,0x47,0x51,0x53,0x10,0xDC,0x85,0xC3,0xF9,0x72,0x3A,0xC9,0x79,0x22,0x89, + 0xD4,0xCB,0x40,0x60,0x7E,0x3E,0x86,0x52,0x01,0xD2,0xA5,0x41,0x57,0x0C,0xB0,0x5C, + 0xDD,0x24,0x0E,0xB2,0xF4,0x7E,0xB7,0x45,0xCE,0xA2,0x1B,0x3B,0x77,0xC6,0x9B,0x1E, + 0x7D,0x7F,0x42,0x53,0xE4,0xF4,0xE6,0x84,0xFD,0xCC,0x27,0xB2,0xC9,0x72,0x30,0x09, + 0xEE,0xC7,0x8B,0xE5,0xBF,0x2C,0x3B,0x73,0xA0,0x9C,0xD8,0x3E,0x81,0xED,0xB4,0x74, + 0x88,0x67,0x99,0x69,0xE5,0x3A,0x3C,0x5A,0xA4,0xE4,0xD3,0x6D,0xBF,0xF6,0xF0,0x0C, + 0x92,0x9C,0xB4,0x53,0x39,0x70,0x9A,0x3D,0xF4,0x3F,0x9D,0x07,0x66,0x3F,0x85,0x09, + 0x07,0x8E,0x5C,0x9D,0x83,0x23,0x0F,0x45,0xE7,0x3C,0xE5,0x7F,0x6C,0x0C,0x29,0x3B, + 0x2B,0x5D,0xE2,0xB7,0xCB,0x0E,0xEF,0xC8,0x14,0x4C,0x30,0xD0,0xD0,0x9C,0x7D,0x8E, + 0x67,0x94,0xD9,0xB2,0x71,0x7E,0x74,0x0F,0x5C,0xD7,0xB5,0xFB,0x35,0x13,0x3F,0x05, + 0xD7,0x7C,0x08,0x2F,0x7A,0x31,0x78,0x99,0xF8,0x76,0x0D,0xB3,0xFB,0xD2,0xD3,0x6C, + 0xC7,0x32,0x61,0x2E,0x8E,0x64,0x96,0xFD,0xB1,0xFA,0x73,0xC7,0x56,0x54,0x8B,0x0D, + 0x27,0xD2,0x66,0x9E,0xA5,0xCB,0xCE,0xD0,0xA4,0x9C,0x03,0xDD,0x9D,0x1F,0xED,0x5E, + 0x7A,0x73,0x5D, +}; + +/* expired: + Not After : Oct 20 03:20:57 2015 GMT +*/ +static const UInt8 cert1_expired[] = { + 0x30,0x82,0x05,0xd6,0x30,0x82,0x04,0xbe,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1a, + 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x10,0xd5,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x58, + 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30, + 0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e, + 0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49, + 0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65, + 0x72,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49, + 
0x43,0x20,0x45,0x56,0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x30, + 0x32,0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x17,0x0d,0x31,0x35,0x31,0x30,0x32, + 0x30,0x30,0x33,0x32,0x30,0x35,0x37,0x5a,0x30,0x82,0x01,0x05,0x31,0x1b,0x30,0x19, + 0x06,0x03,0x55,0x04,0x0f,0x13,0x12,0x56,0x31,0x2e,0x30,0x2c,0x20,0x43,0x6c,0x61, + 0x75,0x73,0x65,0x20,0x35,0x2e,0x28,0x64,0x29,0x31,0x18,0x30,0x16,0x06,0x03,0x55, + 0x04,0x05,0x13,0x0f,0x34,0x34,0x30,0x33,0x30,0x31,0x35,0x30,0x33,0x34,0x32,0x36, + 0x35,0x34,0x36,0x31,0x13,0x30,0x11,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82,0x37, + 0x3c,0x02,0x01,0x03,0x13,0x02,0x43,0x4e,0x31,0x1a,0x30,0x18,0x06,0x0b,0x2b,0x06, + 0x01,0x04,0x01,0x82,0x37,0x3c,0x02,0x01,0x02,0x13,0x09,0x67,0x75,0x61,0x6e,0x67, + 0x64,0x6f,0x6e,0x67,0x31,0x19,0x30,0x17,0x06,0x0b,0x2b,0x06,0x01,0x04,0x01,0x82, + 0x37,0x3c,0x02,0x01,0x01,0x13,0x08,0x73,0x68,0x65,0x6e,0x7a,0x68,0x65,0x6e,0x31, + 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0d,0x30,0x0b, + 0x06,0x03,0x55,0x04,0x08,0x1e,0x04,0x5e,0x7f,0x4e,0x1c,0x31,0x0d,0x30,0x0b,0x06, + 0x03,0x55,0x04,0x07,0x1e,0x04,0x6d,0xf1,0x57,0x33,0x31,0x21,0x30,0x1f,0x06,0x03, + 0x55,0x04,0x0a,0x1e,0x18,0x80,0x54,0x54,0x08,0x51,0x49,0x4f,0x0f,0x00,0x28,0x6d, + 0xf1,0x57,0x33,0x00,0x29,0x67,0x09,0x96,0x50,0x51,0x6c,0x53,0xf8,0x31,0x16,0x30, + 0x14,0x06,0x03,0x55,0x04,0x0b,0x13,0x0d,0x49,0x54,0x20,0x44,0x65,0x70,0x61,0x72, + 0x74,0x6d,0x65,0x6e,0x74,0x31,0x1a,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x13,0x11, + 0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e,0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f, + 0x6d,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01, + 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01, + 0x01,0x00,0xc0,0x5c,0x75,0x0e,0x29,0x93,0xf9,0xc2,0x0f,0x9e,0x24,0xeb,0x6d,0xb8, + 0xb5,0x09,0x79,0xfe,0xbb,0xa0,0x78,0x20,0xbf,0xeb,0xc3,0x3d,0x00,0xb2,0x75,0x20, + 0xa1,0x26,0x40,0x9e,0x0e,0x38,0x3c,0x38,0x89,0x5a,0x4f,0x46,0x5d,0xaf,0x0f,0x49, + 
0x58,0xf5,0x9f,0x34,0x0f,0x1d,0x57,0xd0,0xa7,0x89,0x88,0x58,0xe6,0x00,0xca,0xde, + 0x0e,0x61,0xc6,0x3f,0xf4,0x08,0x9e,0x4e,0xf9,0x8e,0xdc,0xc6,0x1f,0xab,0x56,0x38, + 0xf7,0x8f,0xd4,0xb7,0x0c,0x77,0xf9,0xdf,0x02,0x26,0xc3,0xf3,0x2a,0x7e,0x7b,0x02, + 0x89,0x75,0x50,0xf6,0x4b,0x98,0xe7,0x02,0xdc,0xe0,0xb2,0x57,0xa6,0x50,0xa3,0x27, + 0x48,0xaf,0x26,0x6e,0xf5,0x47,0x04,0x9b,0x26,0x1f,0x10,0x84,0x26,0xbe,0x4e,0xa7, + 0xd5,0x7d,0xad,0xe0,0x0f,0x78,0xfa,0x5e,0xcd,0xf1,0xce,0x6f,0x06,0x39,0x4b,0xa1, + 0xd7,0xce,0x01,0xfb,0x58,0x8c,0x47,0x24,0xfd,0x9f,0x6e,0xb0,0x5b,0x51,0x62,0x6f, + 0x9c,0xd5,0xaf,0xaf,0xc1,0x6d,0xcc,0x22,0x3e,0x04,0xcc,0xe8,0x41,0x98,0xc0,0xc7, + 0xb0,0xf5,0x59,0x0e,0x26,0xed,0x1f,0x7b,0x0a,0xce,0xb6,0xa5,0xfe,0xa6,0xc7,0xba, + 0x1b,0x6b,0x11,0xc6,0x15,0x10,0x5b,0x8b,0x34,0x14,0xd9,0x3c,0x4d,0xc6,0x6c,0x89, + 0x01,0xf3,0xd1,0x5a,0xf3,0x2b,0x9b,0x28,0x16,0xbe,0x6d,0x43,0x66,0xf8,0x56,0x15, + 0x3b,0xaf,0x79,0xda,0x46,0x22,0xd4,0x2b,0xd3,0x9d,0x99,0x53,0x2f,0xa0,0x39,0x59, + 0x4e,0x22,0x54,0x1e,0x47,0xf5,0xa9,0xa9,0x4e,0xf5,0x1d,0x9d,0x98,0x45,0xc6,0x85, + 0xae,0x01,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0xeb,0x30,0x82,0x01,0xe7,0x30, + 0x09,0x06,0x03,0x55,0x1d,0x13,0x04,0x02,0x30,0x00,0x30,0x70,0x06,0x08,0x2b,0x06, + 0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x64,0x30,0x62,0x30,0x22,0x06,0x08,0x2b,0x06, + 0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x16,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f, + 0x63,0x73,0x70,0x65,0x76,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x3c, + 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x30,0x68,0x74,0x74,0x70, + 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, + 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63,0x65,0x72,0x74,0x2f,0x43,0x4e, + 0x4e,0x49,0x43,0x45,0x56,0x53,0x53,0x4c,0x2e,0x63,0x65,0x72,0x30,0x1c,0x06,0x03, + 0x55,0x1d,0x11,0x04,0x15,0x30,0x13,0x82,0x11,0x77,0x77,0x77,0x2e,0x63,0x6d,0x6e, + 0x65,0x63,0x68,0x69,0x6e,0x61,0x2e,0x63,0x6f,0x6d,0x30,0x0b,0x06,0x03,0x55,0x1d, + 
0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16, + 0x04,0x14,0xd7,0x06,0xeb,0x3b,0x83,0x70,0x55,0x58,0x9a,0x40,0x03,0xd5,0x7e,0x8e, + 0xcb,0x49,0x23,0x10,0x67,0xc4,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04,0x0c,0x30, + 0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1f,0x06,0x03,0x55, + 0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b, + 0xd2,0x72,0xfd,0x1c,0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x3f,0x06,0x03, + 0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01, + 0x81,0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05, + 0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e, + 0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xa6, + 0x06,0x03,0x55,0x1d,0x1f,0x04,0x81,0x9e,0x30,0x81,0x9b,0x30,0x66,0xa0,0x64,0xa0, + 0x62,0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69, + 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77, + 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20, + 0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c, + 0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63, + 0x72,0x6c,0x31,0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a, + 0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64, + 0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x63,0x72,0x6c,0x2f,0x63,0x72, + 0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d, + 0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x6e,0x84,0xe5,0x57,0x7e,0x96, + 0xaf,0x39,0xbf,0xa0,0x2a,0xf2,0xd1,0x10,0x57,0x8e,0x3d,0x68,0x4d,0x61,0x35,0x97, + 0xbb,0xed,0x7f,0x5e,0x4f,0x17,0x58,0x2f,0x4b,0x94,0x4f,0xda,0xd8,0x9c,0x78,0x52, + 
0x2e,0xec,0xcd,0x86,0x87,0xa1,0x64,0xdc,0x41,0x0e,0x44,0x23,0xdb,0x7d,0xc8,0x86, + 0xef,0x07,0x29,0xaa,0x78,0x1b,0x95,0x84,0xb8,0xf9,0x60,0x95,0x89,0x3f,0x58,0x3d, + 0x42,0x74,0x4b,0x82,0x0d,0x65,0x16,0x1a,0x70,0xaa,0x2d,0xb2,0xab,0x79,0x27,0x2e, + 0x7e,0x6f,0x44,0xfb,0xdf,0xf5,0xff,0x3e,0xc3,0x67,0xa5,0xe1,0x6b,0xe3,0xf7,0xcc, + 0x11,0x9f,0x2a,0xe8,0x87,0x46,0x3d,0x5c,0xbf,0x5f,0xca,0x9b,0x09,0xbe,0x0a,0x83, + 0xb0,0x98,0x03,0x3a,0x67,0xb1,0xe9,0xa4,0x04,0x96,0x2b,0x24,0xe1,0xcd,0xc1,0x26, + 0x88,0x76,0x10,0x41,0x85,0xf0,0x07,0xb0,0x4b,0x6b,0xd2,0x25,0x0f,0x12,0x52,0xea, + 0x3b,0xac,0xc3,0xfa,0x56,0x5f,0xfb,0x3b,0x4b,0x86,0xf6,0x67,0x45,0x51,0xb4,0xb4, + 0x94,0x98,0xa6,0xac,0x46,0x8b,0x42,0x94,0xff,0x9e,0x71,0x09,0x7c,0x87,0xb0,0x36, + 0x70,0x8a,0x5e,0x88,0x33,0x79,0x85,0x78,0x30,0x56,0x4a,0x6a,0xfc,0x5b,0x34,0xe9, + 0xb7,0x57,0xde,0xdc,0x0a,0x3c,0x1e,0x71,0xfc,0x23,0xc6,0x5a,0xd3,0x1a,0x50,0x06, + 0xbe,0x9c,0x60,0xd5,0x36,0x44,0x65,0x59,0x89,0xe6,0xda,0x1b,0xc9,0x89,0x21,0xe0, + 0x59,0x7d,0x25,0x4f,0x76,0x87,0x4f,0x7e,0xb1,0x1a,0x43,0xff,0x00,0xbb,0xc7,0xc5, + 0x5e,0xcc,0xfd,0x4a,0x1b,0xc1,0x6e,0x75,0xd9,0xe6 +}; + +/* On allow list until: + Not After : Jun 6 02:00:32 2017 GMT +*/ +static const UInt8 cert2[] = { + 0x30,0x82,0x04,0x2d,0x30,0x82,0x03,0x15,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x1c, + 0x2f,0xdd,0xd9,0x35,0x3b,0x65,0xee,0x1b,0xb4,0x66,0x19,0x4d,0xf3,0x11,0x3c,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34, + 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30, + 0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30, + 0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51, + 0x20,0x53,0x53,0x4c,0x30,0x1e,0x17,0x0d,0x31,0x34,0x30,0x36,0x30,0x39,0x30,0x33, + 0x33,0x36,0x33,0x37,0x5a,0x17,0x0d,0x31,0x37,0x30,0x36,0x30,0x36,0x30,0x32,0x30, + 0x30,0x33,0x32,0x5a,0x30,0x54,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 
0x02,0x43,0x4e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c,0x77,0x77, + 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x31,0x17,0x30,0x15,0x06,0x03, + 0x55,0x04,0x03,0x13,0x0e,0x6d,0x61,0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67, + 0x2e,0x63,0x6e,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c,0x77,0x77, + 0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d, + 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01, + 0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xc7,0x2f,0x0e,0xba,0xf0, + 0xff,0x9e,0x56,0x3b,0x88,0x3b,0x94,0x0d,0xc6,0x81,0x22,0xe7,0xeb,0x1b,0x22,0x1d, + 0xb2,0x75,0x5b,0xae,0x41,0xea,0x55,0x6a,0x7c,0x95,0x85,0x3e,0x0e,0xd1,0x95,0xf4, + 0x71,0xdf,0x7c,0x5c,0x8e,0xcc,0x25,0xb9,0xae,0x15,0xc9,0xf2,0xd0,0x30,0xe8,0x7c, + 0x91,0x5d,0x24,0x09,0x93,0x23,0x3f,0x55,0x7b,0x09,0x17,0x82,0x37,0x0b,0xf8,0x1a, + 0x6e,0xaa,0x08,0x0d,0xa8,0x2d,0xb7,0x6d,0x38,0x24,0xc0,0x48,0x5d,0x29,0x7a,0xe9, + 0xac,0x4d,0x93,0xec,0xd0,0x6c,0x62,0x1e,0x17,0xe7,0x2d,0xd7,0x0b,0x64,0x8f,0x56, + 0xd3,0x82,0x37,0xad,0x2d,0x28,0xe8,0x7e,0x9d,0x83,0x7d,0x6d,0x06,0xa2,0x36,0x62, + 0x60,0x30,0xbe,0x31,0xf9,0x9e,0xe0,0xb7,0x5b,0x72,0x6e,0x16,0x36,0x75,0xdc,0x17, + 0x56,0xff,0x5f,0x27,0x57,0x34,0xdc,0x2a,0x98,0xcd,0x9d,0x3f,0x5c,0x48,0x79,0x0b, + 0xa5,0xcf,0x16,0x20,0xc5,0x57,0x5f,0xa6,0xd6,0x1d,0xd6,0x6a,0x17,0x89,0x2d,0xb8, + 0xde,0xc5,0x30,0xe4,0xf0,0x39,0xf6,0x87,0x87,0x54,0x5c,0xc0,0x34,0x0f,0x1c,0xfb, + 0xf0,0xe4,0xc5,0xde,0xe1,0xa7,0xcf,0x54,0x2a,0x02,0x20,0x94,0xf9,0xd1,0xf8,0xb6, + 0x97,0xe2,0x3a,0x30,0x43,0x24,0x45,0x2d,0x9a,0xd3,0xe0,0x6a,0x70,0x41,0x96,0xf0, + 0x4d,0x21,0x8d,0x61,0x2c,0x2c,0x56,0xda,0xec,0xc8,0xdc,0xbf,0xce,0x75,0x9d,0xd9, + 0x5a,0x2d,0x39,0xc7,0xef,0x29,0x32,0xd6,0x6c,0xf8,0xc7,0x88,0x84,0xfc,0x51,0x5b, + 0x11,0x44,0xde,0x87,0xd3,0x6f,0x05,0x0c,0x8e,0xc7,0x0f,0x02,0x03,0x01,0x00,0x01, + 0xa3,0x82,0x01,0x19,0x30,0x82,0x01,0x15,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04, + 
0x18,0x30,0x16,0x80,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18,0xfc, + 0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x09,0x06,0x03,0x55,0x1d,0x13, + 0x04,0x02,0x30,0x00,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30, + 0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30, + 0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74, + 0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e, + 0x2f,0x63,0x70,0x73,0x2f,0x30,0x3c,0x06,0x03,0x55,0x1d,0x1f,0x04,0x35,0x30,0x33, + 0x30,0x31,0xa0,0x2f,0xa0,0x2d,0x86,0x2b,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63, + 0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e, + 0x6c,0x6f,0x61,0x64,0x2f,0x64,0x71,0x63,0x72,0x6c,0x2f,0x63,0x72,0x6c,0x31,0x2e, + 0x63,0x72,0x6c,0x30,0x27,0x06,0x03,0x55,0x1d,0x11,0x04,0x20,0x30,0x1e,0x82,0x0c, + 0x77,0x77,0x77,0x2e,0x6e,0x61,0x62,0x6c,0x61,0x2e,0x63,0x6e,0x82,0x0e,0x6d,0x61, + 0x6c,0x6c,0x2e,0x6e,0x61,0x77,0x61,0x6e,0x67,0x2e,0x63,0x6e,0x30,0x0b,0x06,0x03, + 0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x05,0xa0,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e, + 0x04,0x16,0x04,0x14,0x00,0x8b,0xf0,0x61,0xdf,0xf1,0x0b,0x53,0xd8,0x52,0x97,0xfe, + 0x23,0x9f,0x34,0x50,0x1d,0xac,0xec,0x90,0x30,0x13,0x06,0x03,0x55,0x1d,0x25,0x04, + 0x0c,0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x0d,0x06, + 0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01, + 0x00,0x86,0x62,0x31,0x67,0xba,0x3e,0x2b,0x1f,0xf7,0xdd,0xc0,0x9b,0xa2,0x27,0xb5, + 0x61,0x8c,0xd8,0x68,0xc1,0x58,0x47,0xb2,0x72,0xb9,0xfe,0x06,0x52,0x7d,0x92,0x35, + 0x9b,0xa9,0x08,0xa7,0x3a,0x37,0x70,0x9d,0xe1,0x47,0xbe,0x3d,0x15,0x20,0x35,0x9a, + 0x79,0x7c,0x16,0xe8,0x8e,0xa5,0x0f,0x42,0xd5,0x6b,0x5b,0x9e,0x55,0x2b,0xdd,0x35, + 0x3e,0x32,0x41,0xef,0x14,0xa0,0x15,0x70,0xf8,0x8c,0x3f,0x9e,0xc0,0xc2,0x32,0x4d, + 0x90,0x9a,0xd0,0x9b,0xc1,0x72,0x64,0x2f,0x2e,0x8c,0x44,0x80,0x5a,0x6f,0xb7,0x08, + 
0xa9,0x0e,0x76,0xa4,0x82,0xd6,0x2e,0x64,0xf6,0xe4,0x5e,0x1b,0xb4,0x09,0xbc,0x1d, + 0x80,0x46,0xd7,0x35,0x7f,0x58,0x70,0x09,0x10,0x7a,0x1e,0xe5,0x28,0xf5,0x5a,0x28, + 0x7e,0x54,0x52,0x88,0xe6,0x3f,0x4e,0x55,0xb3,0x15,0x67,0x4c,0xac,0x82,0xbb,0xf8, + 0x98,0xd0,0xd2,0x69,0x17,0x70,0x6a,0x09,0x52,0x91,0xc1,0xe7,0xbb,0xa7,0xe8,0x78, + 0xdb,0x57,0xa3,0x37,0x3f,0x3c,0x7f,0x80,0xc2,0x40,0x61,0xd2,0xe5,0x6f,0xe8,0x93, + 0xa2,0xb7,0x84,0x00,0x4e,0x4d,0xed,0xf3,0x87,0x14,0x35,0xd2,0xdb,0xf6,0x6b,0xc0, + 0x2a,0xb2,0x9c,0xc3,0x48,0xba,0xd0,0xb9,0x55,0xf2,0x1a,0x17,0xa0,0x0d,0x45,0x2c, + 0x28,0x0a,0xba,0x60,0x4a,0xb8,0x73,0xd6,0xb0,0x83,0x6e,0x92,0x87,0x1f,0x39,0x91, + 0xa5,0x4f,0xef,0xcb,0xf7,0xee,0x28,0x39,0x5e,0x21,0xf0,0xc1,0x91,0x23,0x24,0x78, + 0xbc,0x01,0xb6,0xf1,0x4d,0x58,0x63,0xa6,0x89,0xf4,0x8b,0xa9,0xc9,0xad,0xfa,0xe1, + 0x9b +}; + +static const UInt8 intermediate0[] = { + 0x30,0x82,0x04,0x99,0x30,0x82,0x03,0x81,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49, + 0x33,0x00,0x7c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b, + 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49, + 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49, + 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x34,0x31,0x32,0x31,0x38, + 0x31,0x32,0x33,0x32,0x31,0x38,0x5a,0x17,0x0d,0x32,0x34,0x31,0x32,0x31,0x38,0x31, + 0x32,0x33,0x32,0x31,0x38,0x5a,0x30,0x43,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x43,0x4e,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x0c,0x10, + 0x43,0x4e,0x4e,0x49,0x43,0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c, + 0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x03,0x0c,0x10,0x43,0x4e,0x4e,0x49,0x43, + 0x20,0x53,0x48,0x41,0x32,0x35,0x36,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 
0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xf0,0xa3,0x8d,0x71, + 0x34,0xfe,0x11,0x3c,0xc7,0x98,0x61,0x0b,0xc5,0xaa,0x7b,0x13,0xd9,0x40,0x7f,0x9b, + 0x59,0xd0,0x4a,0xc0,0x93,0x45,0x5e,0x48,0xf1,0xfe,0xb1,0x8f,0xb9,0x4c,0xdf,0x53, + 0x50,0x15,0x19,0xf9,0xea,0xe7,0x22,0x8d,0xa8,0xdb,0x09,0x45,0xa6,0x86,0xc6,0xf8, + 0xd5,0xdc,0x55,0xb4,0x8f,0xeb,0x56,0x3d,0x1f,0x36,0xc7,0x95,0x55,0xf4,0x4e,0x11, + 0xc7,0x08,0x6f,0xe8,0xf9,0x7f,0x9e,0x85,0x9a,0x65,0x10,0x9b,0x87,0x86,0xb4,0x42, + 0x92,0xaf,0x3f,0x5b,0xd9,0x8b,0x2f,0x68,0xc2,0x08,0x58,0xf6,0xe4,0x5f,0x3b,0x79, + 0x8b,0x9e,0xde,0xb1,0x48,0x1f,0x59,0x40,0xb9,0xea,0x24,0x07,0x66,0x97,0xf6,0x2f, + 0x52,0xec,0x0c,0xc8,0x4e,0x65,0x5a,0x60,0x6f,0xe5,0x8f,0x9d,0xfd,0x6a,0xde,0x89, + 0xe4,0x7a,0x4b,0xb6,0x1e,0x82,0x8d,0x9c,0xdd,0x8d,0x73,0x33,0x92,0xd3,0x46,0x8e, + 0x9e,0x58,0x01,0xf3,0x2e,0x83,0xe0,0xd2,0x4a,0x13,0x94,0x2c,0xd0,0x8a,0x12,0xd0, + 0x29,0x34,0xed,0x6b,0xea,0xc6,0xc9,0x14,0x7a,0x75,0x92,0x8e,0x42,0x7e,0xd2,0x76, + 0x88,0xdb,0xad,0x9b,0x20,0xe2,0x30,0x94,0x97,0xa3,0xa3,0xae,0x52,0x4c,0x2d,0xa3, + 0x77,0x79,0x74,0xf7,0x87,0x8c,0x86,0x8f,0xb3,0x63,0x51,0x3e,0xf6,0xc0,0x6e,0x25, + 0x9b,0x0d,0xc1,0x99,0x4f,0xf2,0x5c,0x9d,0xf5,0x21,0x04,0x42,0xde,0x74,0x59,0xe4, + 0x39,0x80,0x82,0x50,0x21,0xde,0x49,0xe3,0x14,0x83,0xa7,0xc8,0xce,0x6d,0xfa,0x49, + 0x5b,0x5e,0x3f,0x55,0x65,0xc1,0x5d,0x57,0x41,0x00,0x7d,0x43,0x02,0x03,0x01,0x00, + 0x01,0xa3,0x82,0x01,0xa4,0x30,0x82,0x01,0xa0,0x30,0x76,0x06,0x08,0x2b,0x06,0x01, + 0x05,0x05,0x07,0x01,0x01,0x04,0x6a,0x30,0x68,0x30,0x29,0x06,0x08,0x2b,0x06,0x01, + 0x05,0x05,0x07,0x30,0x01,0x86,0x1d,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63, + 0x73,0x70,0x63,0x6e,0x6e,0x69,0x63,0x72,0x6f,0x6f,0x74,0x2e,0x63,0x6e,0x6e,0x69, + 0x63,0x2e,0x63,0x6e,0x30,0x3b,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02, + 0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e, + 0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x63, + 
0x65,0x72,0x74,0x2f,0x43,0x4e,0x4e,0x49,0x43,0x52,0x4f,0x4f,0x54,0x2e,0x63,0x65, + 0x72,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x65,0xf2, + 0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a,0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5, + 0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03, + 0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34, + 0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9,0x0c,0x01,0x06,0x30,0x26,0x30,0x24, + 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70, + 0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, + 0x63,0x70,0x73,0x2f,0x30,0x81,0x86,0x06,0x03,0x55,0x1d,0x1f,0x04,0x7f,0x30,0x7d, + 0x30,0x42,0xa0,0x40,0xa0,0x3e,0xa4,0x3c,0x30,0x3a,0x31,0x0b,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a, + 0x0c,0x05,0x43,0x4e,0x4e,0x49,0x43,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b, + 0x0c,0x03,0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04, + 0x63,0x72,0x6c,0x31,0x30,0x37,0xa0,0x35,0xa0,0x33,0x86,0x31,0x68,0x74,0x74,0x70, + 0x3a,0x2f,0x2f,0x63,0x72,0x6c,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f, + 0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x73,0x68,0x61, + 0x32,0x63,0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0b,0x06, + 0x03,0x55,0x1d,0x0f,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d, + 0x0e,0x04,0x16,0x04,0x14,0xb7,0xd1,0x59,0x8b,0x8c,0x0d,0x06,0x28,0x47,0x23,0x00, + 0x3a,0x36,0x04,0xa5,0xee,0x38,0x76,0x53,0x3c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48, + 0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x4f,0xc7,0x80, + 0x5e,0x29,0x70,0x8c,0xd6,0x59,0xae,0x59,0x4f,0xd1,0xd8,0x41,0xa8,0xa7,0xa8,0x58, + 0xa6,0x06,0x25,0xd2,0xf8,0x3c,0x13,0x52,0xec,0x51,0x54,0x38,0xb6,0x60,0xd0,0x95, + 0xaf,0x30,0xbf,0x78,0xa3,0x19,0xfd,0x6b,0x54,0x98,0x49,0xc4,0x81,0x84,0xaa,0x51, + 
0x54,0xd3,0x95,0x9d,0x92,0x66,0x02,0x6e,0x55,0x4b,0xf1,0xe0,0x4e,0x02,0x05,0xb5, + 0x67,0x3b,0x31,0x4d,0xb3,0xb3,0xb7,0xa2,0x13,0xff,0x28,0x10,0xbc,0xa4,0x9b,0x71, + 0x4c,0x36,0x9c,0x60,0xac,0x65,0x7c,0x66,0x8a,0xb6,0x1c,0x7f,0xa1,0xad,0xe8,0x6e, + 0xce,0x0b,0xee,0x85,0xe6,0x01,0xe5,0xab,0x7f,0x11,0x1f,0x33,0xd9,0x1d,0xa1,0x0c, + 0xf2,0x3a,0x7e,0xdb,0xf5,0x63,0xe2,0x77,0xdb,0x01,0x1a,0x60,0xe8,0xfb,0x42,0xd4, + 0xf3,0xdf,0x8d,0xec,0x4f,0x4f,0xc8,0xa7,0x24,0xf7,0xb5,0xb7,0x58,0xae,0xad,0x0c, + 0x9b,0x7a,0x39,0x81,0xd9,0xd0,0x8a,0x18,0x28,0x8a,0xf2,0x91,0x88,0x11,0x3d,0xb1, + 0x42,0x5d,0x0e,0x31,0xfe,0x00,0x99,0xfe,0x87,0x3f,0x8e,0xbd,0xef,0x83,0x72,0xd7, + 0x49,0x22,0xfd,0x82,0xe2,0xfc,0xe8,0xe8,0xf7,0x4b,0xff,0xa5,0x62,0xec,0xd3,0x87, + 0x51,0x6f,0x35,0xbc,0x51,0x54,0x6c,0x36,0xfe,0x88,0xcb,0xaf,0xb1,0x0e,0x7b,0x76, + 0x9c,0x16,0x11,0xda,0x7f,0xd1,0xf4,0x85,0xce,0xb8,0x87,0x45,0x0c,0x43,0xe4,0xb3, + 0x6f,0xbc,0x95,0xce,0x59,0x57,0xf3,0xb4,0xec,0xa8,0xc2,0x1f,0x98,0x77,0x93,0x7d, + 0xad,0x92,0x4e,0xba,0xab,0x5d,0x45,0x93,0x7c,0xf0,0x17,0xcd,0xc7 +}; + +static const UInt8 intermediate1[] = { + 0x30,0x82,0x04,0xf8,0x30,0x82,0x03,0xe0,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x0b, + 0x24,0x01,0xb7,0x39,0x86,0x38,0x3c,0x29,0xc2,0xf8,0x19,0x4d,0x23,0x10,0x7b,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x81, + 0x8a,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32, + 0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49, + 0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20, + 0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74, + 0x65,0x72,0x31,0x47,0x30,0x45,0x06,0x03,0x55,0x04,0x03,0x0c,0x3e,0x43,0x68,0x69, + 0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77, + 0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20, + 
0x43,0x65,0x6e,0x74,0x65,0x72,0x20,0x45,0x56,0x20,0x43,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x65,0x73,0x20,0x52,0x6f,0x6f,0x74,0x30,0x1e,0x17,0x0d,0x31, + 0x30,0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x17,0x0d,0x32,0x30, + 0x30,0x39,0x30,0x31,0x30,0x39,0x30,0x32,0x31,0x30,0x5a,0x30,0x58,0x31,0x0b,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4e,0x31,0x32,0x30,0x30,0x06,0x03, + 0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e,0x61,0x20,0x49,0x6e,0x74,0x65,0x72, + 0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f, + 0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43,0x65,0x6e,0x74,0x65,0x72,0x31,0x15, + 0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x0c,0x0c,0x43,0x4e,0x4e,0x49,0x43,0x20,0x45, + 0x56,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48, + 0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01, + 0x0a,0x02,0x82,0x01,0x01,0x00,0xc9,0x8b,0x5d,0x84,0x90,0x33,0x98,0x83,0xdd,0xa1, + 0x9a,0x76,0x4f,0xd2,0xff,0xf4,0xbc,0x5d,0x7f,0xd5,0x0c,0xdc,0xd1,0x58,0xe8,0x3a, + 0xd7,0xab,0xa9,0x24,0x05,0x78,0x28,0x3d,0x64,0x03,0x7d,0x7f,0xee,0x16,0x3e,0x51, + 0xc7,0x69,0xb4,0x06,0xe8,0xa5,0x3b,0x7a,0xf0,0xac,0xcd,0x9e,0xb4,0x00,0xbf,0x25, + 0xe5,0xd9,0x95,0x45,0x31,0x20,0x59,0xed,0xf0,0xbc,0x86,0x02,0x9a,0xa6,0x52,0x73, + 0xaf,0x02,0x09,0x22,0xf1,0x04,0x97,0xe3,0x15,0x8c,0x7e,0xa5,0xc7,0x37,0xbd,0x42, + 0x4f,0x27,0x85,0x9d,0xb9,0x24,0x29,0xcb,0x4c,0xd4,0xd2,0xed,0x79,0x3b,0x39,0xa1, + 0x08,0x26,0xba,0x14,0xb3,0x49,0x0f,0x8e,0xd7,0x9d,0x5f,0xde,0x72,0xf0,0x53,0xee, + 0x8a,0x4e,0x6c,0x06,0x6f,0xea,0x9f,0x25,0x4a,0x23,0x80,0x7e,0x2e,0xb2,0x81,0x9d, + 0x3b,0x4e,0xdf,0x73,0xbe,0x1b,0x89,0x10,0x89,0xf7,0xac,0xa0,0x2f,0xfb,0x71,0xc4, + 0xe2,0xe9,0xd0,0x79,0xb7,0x54,0x9d,0xf6,0xcc,0x3a,0x6c,0x88,0x25,0xf4,0x0e,0xf4, + 0x49,0xa1,0x23,0xd2,0xe2,0x71,0xb8,0x1c,0x44,0x46,0xb4,0x70,0x5d,0x5d,0xab,0x7f, + 0x0e,0x27,0x8d,0x4b,0xf4,0xe1,0x52,0x88,0x58,0xf9,0xec,0x1e,0xbb,0x56,0x1f,0x37, + 
0x1a,0xce,0x74,0xf3,0x6d,0x63,0xbc,0x18,0xa8,0x95,0x30,0x8b,0x16,0xe2,0x9f,0x0a, + 0x89,0xe0,0x36,0xba,0x0f,0x90,0x5e,0x67,0x6c,0x04,0x77,0xfa,0xd1,0x6e,0xdb,0x1c, + 0x3c,0x1f,0x9f,0x83,0xb5,0x4b,0xc8,0x4e,0x90,0xf8,0x02,0x26,0x2e,0xce,0x7c,0xe6, + 0x3e,0xe8,0x0e,0xf0,0x77,0xf1,0x02,0x03,0x01,0x00,0x01,0xa3,0x82,0x01,0x89,0x30, + 0x82,0x01,0x85,0x30,0x34,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04, + 0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86, + 0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x72,0x6f,0x6f,0x74, + 0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23, + 0x04,0x18,0x30,0x16,0x80,0x14,0x7c,0x72,0x4b,0x39,0xc7,0xc0,0xdb,0x62,0xa5,0x4f, + 0x9b,0xaa,0x18,0x34,0x92,0xa2,0xca,0x83,0x82,0x59,0x30,0x0f,0x06,0x03,0x55,0x1d, + 0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55, + 0x1d,0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81, + 0xe9,0x0c,0x01,0x0a,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07, + 0x02,0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63, + 0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x81,0xaa,0x06, + 0x03,0x55,0x1d,0x1f,0x04,0x81,0xa2,0x30,0x81,0x9f,0x30,0x66,0xa0,0x64,0xa0,0x62, + 0xa4,0x60,0x30,0x5e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x4e,0x31,0x32,0x30,0x30,0x06,0x03,0x55,0x04,0x0a,0x0c,0x29,0x43,0x68,0x69,0x6e, + 0x61,0x20,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x20,0x4e,0x65,0x74,0x77,0x6f, + 0x72,0x6b,0x20,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x20,0x43, + 0x65,0x6e,0x74,0x65,0x72,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x0b,0x0c,0x03, + 0x63,0x72,0x6c,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,0x63,0x72, + 0x6c,0x31,0x30,0x35,0xa0,0x33,0xa0,0x31,0x86,0x2f,0x68,0x74,0x74,0x70,0x3a,0x2f, + 0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x64,0x6f, + 
0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x65,0x76,0x72,0x6f,0x6f,0x74,0x63,0x72,0x6c, + 0x2f,0x63,0x72,0x6c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f, + 0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e, + 0x04,0x16,0x04,0x14,0x0c,0xcf,0xb4,0x48,0x2c,0x50,0xe8,0x8b,0xd2,0x72,0xfd,0x1c, + 0xf0,0x2f,0xbc,0x52,0xab,0x2b,0x69,0x5e,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86, + 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0xf9,0xad,0x13, + 0x7b,0x62,0x9b,0x8b,0xa5,0xfd,0x52,0x5d,0xd1,0x13,0xca,0x28,0x92,0xdc,0xc3,0x84, + 0x3d,0xf1,0xc5,0x9b,0x2a,0xc3,0x15,0xfc,0x1d,0x4f,0x30,0x54,0x77,0x9a,0x5a,0x5a, + 0x1b,0x07,0xbb,0xf7,0x7e,0xea,0x47,0x01,0xc7,0x6d,0x30,0xe0,0x2e,0xcc,0x44,0xea, + 0x6c,0xa5,0xcd,0x42,0x86,0x38,0xf5,0x88,0x9c,0xff,0x74,0xc1,0x3d,0x70,0xfa,0x9a, + 0x54,0xbd,0x37,0xb0,0x38,0x9f,0xb6,0xe4,0x51,0xec,0x24,0xa0,0xa4,0xbe,0x9f,0x6e, + 0xad,0x3b,0x0f,0x30,0xa0,0xd2,0x37,0x67,0x9b,0xc2,0x6f,0xd5,0xfd,0x9a,0xfd,0xc6, + 0x56,0x08,0x64,0x84,0x74,0x12,0xfe,0xa8,0xe3,0x26,0x4a,0x08,0x2f,0xdb,0x32,0x9a, + 0xae,0xaf,0x01,0x75,0xf0,0x7b,0x28,0xb6,0xb2,0x4a,0xf0,0xd8,0xfd,0xb4,0x11,0xf5, + 0x26,0x31,0x49,0xd1,0x82,0x91,0x04,0x3b,0x4b,0x79,0x3c,0x57,0x2e,0x38,0x9f,0x9a, + 0xfd,0xdf,0x53,0xd9,0xbd,0x48,0x96,0xfb,0xbb,0x21,0x64,0xdd,0xec,0x68,0xc3,0x77, + 0x7d,0x41,0xcf,0x7c,0x2f,0xa8,0x87,0xf0,0x8f,0xf0,0x0c,0xdd,0x3f,0x88,0x5c,0x23, + 0x49,0x26,0x1b,0x60,0xff,0xbc,0x9e,0xb8,0xc0,0xf6,0xe0,0x21,0xf1,0x44,0x44,0x21, + 0x81,0x06,0x9b,0x39,0xf0,0xaf,0xf0,0x5c,0x44,0x44,0xc7,0x51,0xf2,0x1d,0xf3,0x06, + 0x1a,0x14,0x04,0xd1,0xa4,0xed,0x92,0x39,0x21,0x77,0xe9,0x77,0x1f,0xd6,0x80,0x5e, + 0x42,0xb4,0xd5,0x44,0xd1,0xd2,0xd6,0x84,0xca,0xa5,0xb8,0xee,0x48,0x4f,0x93,0x2d, + 0xca,0x82,0x46,0xff,0x77,0x5b,0x18,0x79,0x88,0x14,0x4c,0x0d +}; + +static const UInt8 intermediate2[] = { + 0x30,0x82,0x03,0xca,0x30,0x82,0x02,0xb2,0xa0,0x03,0x02,0x01,0x02,0x02,0x04,0x49, + 
0x33,0x00,0x65,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05, + 0x05,0x00,0x30,0x32,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05,0x43,0x4e,0x4e,0x49, + 0x43,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x43,0x4e,0x4e,0x49, + 0x43,0x20,0x52,0x4f,0x4f,0x54,0x30,0x1e,0x17,0x0d,0x31,0x30,0x31,0x32,0x31,0x35, + 0x30,0x35,0x30,0x37,0x30,0x30,0x5a,0x17,0x0d,0x32,0x30,0x31,0x32,0x31,0x35,0x30, + 0x35,0x30,0x37,0x30,0x30,0x5a,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x43,0x4e,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x0a,0x13,0x05, + 0x43,0x4e,0x4e,0x49,0x43,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0c, + 0x43,0x4e,0x4e,0x49,0x43,0x20,0x44,0x51,0x20,0x53,0x53,0x4c,0x30,0x82,0x01,0x22, + 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03, + 0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa8,0x7f,0xa9, + 0x2d,0x47,0xc3,0xdb,0xdb,0x10,0x79,0xa0,0xae,0xd5,0x80,0xfa,0x5b,0xbe,0x64,0x5f, + 0x26,0xb9,0x5a,0x84,0x0d,0x1b,0x56,0x14,0x49,0xe1,0xda,0xfb,0x83,0x07,0xaf,0x80, + 0x2d,0x93,0xbf,0x44,0xd9,0x85,0x1f,0x18,0xb0,0xe1,0xb9,0x06,0x34,0x24,0xd1,0xf9, + 0x9f,0x34,0xe0,0x26,0x3e,0xce,0x57,0xca,0x30,0x3b,0xae,0x44,0x55,0x47,0x7f,0x2e, + 0xe5,0xe8,0x51,0x55,0x90,0x95,0x23,0xde,0xd3,0xb4,0x88,0xf8,0x33,0x1e,0x5e,0xe6, + 0x2b,0xae,0x9b,0x94,0x2c,0xec,0xd9,0xc9,0x47,0x67,0x14,0x54,0x6a,0x33,0x6f,0xe1, + 0x0c,0x7f,0x0f,0xa0,0x7e,0xb5,0xc3,0x0f,0x63,0x4f,0xdf,0x38,0x9d,0x73,0xea,0x9f, + 0xaa,0x34,0x30,0xbf,0xba,0x83,0x56,0x65,0x26,0x90,0x01,0xf6,0xfc,0x93,0xc6,0x2b, + 0xcc,0xf2,0x90,0x7d,0x2a,0x31,0xe1,0xcd,0x0f,0x23,0xd1,0x78,0x2b,0x49,0xc5,0x21, + 0x77,0xc9,0x8b,0x02,0x70,0xf1,0xc2,0xa3,0xdf,0xca,0xb7,0x73,0x06,0x76,0xfd,0xcb, + 0xc0,0xc9,0x23,0x21,0x17,0x34,0x1c,0x80,0xa9,0xc6,0x92,0x95,0xd0,0xc6,0xeb,0x83, + 0x56,0xb0,0x98,0x90,0x50,0xf4,0xcf,0x9b,0x3b,0x2d,0x3e,0xcf,0x94,0x27,0x69,0x9f, + 
0xdc,0x66,0xfb,0x05,0x0c,0xe3,0x99,0x1e,0x06,0x86,0xd9,0xe6,0xf5,0x6c,0xfe,0x98, + 0x5d,0x61,0xb1,0x89,0x01,0xc4,0x7f,0x48,0x68,0x62,0x06,0x26,0x95,0x40,0xcd,0x93, + 0x46,0xf8,0xb0,0x8d,0x28,0x3a,0xc7,0x0e,0x46,0x42,0x9f,0x32,0xc3,0xc6,0x78,0xc7, + 0x10,0xd5,0x37,0xff,0x17,0x4c,0x24,0x60,0xc6,0xd5,0x18,0x9a,0x7d,0x02,0x03,0x01, + 0x00,0x01,0xa3,0x81,0xe5,0x30,0x81,0xe2,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04, + 0x18,0x30,0x16,0x80,0x14,0x65,0xf2,0x31,0xad,0x2a,0xf7,0xf7,0xdd,0x52,0x96,0x0a, + 0xc7,0x02,0xc1,0x0e,0xef,0xa6,0xd5,0x3b,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13, + 0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x3f,0x06,0x03,0x55,0x1d, + 0x20,0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x81,0xe9, + 0x0c,0x01,0x06,0x30,0x26,0x30,0x24,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02, + 0x01,0x16,0x18,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e, + 0x6e,0x69,0x63,0x2e,0x63,0x6e,0x2f,0x63,0x70,0x73,0x2f,0x30,0x3e,0x06,0x03,0x55, + 0x1d,0x1f,0x04,0x37,0x30,0x35,0x30,0x33,0xa0,0x31,0xa0,0x2f,0x86,0x2d,0x68,0x74, + 0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x63,0x6e,0x6e,0x69,0x63,0x2e,0x63, + 0x6e,0x2f,0x64,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x2f,0x72,0x6f,0x6f,0x74,0x63, + 0x72,0x6c,0x2f,0x43,0x52,0x4c,0x31,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55, + 0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1d,0x06,0x03,0x55, + 0x1d,0x0e,0x04,0x16,0x04,0x14,0xbb,0x63,0x96,0xfa,0x78,0x2d,0x7d,0xf6,0x92,0x18, + 0xfc,0x89,0x7c,0xb8,0x53,0x1a,0xbb,0x0c,0xba,0x05,0x30,0x0d,0x06,0x09,0x2a,0x86, + 0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xb6,0x37, + 0x1c,0xdb,0x09,0x29,0xbd,0x24,0x76,0x1b,0x7f,0x6b,0x36,0x25,0xd2,0x43,0xf2,0x09, + 0x22,0x63,0x3f,0x8e,0xd6,0x15,0xf9,0x9c,0x36,0xc9,0xb1,0x1c,0x10,0x61,0x39,0x24, + 0x96,0x76,0xa4,0xa3,0x70,0xa4,0xe5,0x52,0xc1,0xba,0xb9,0xbb,0x72,0x1a,0xdc,0x76, + 0x05,0x86,0x45,0x03,0x0a,0xb8,0x95,0xd5,0xb2,0x63,0xb4,0x7b,0x9a,0x00,0xd5,0x31, + 
0x76,0x50,0x25,0xc0,0x98,0x17,0xc9,0xfa,0x57,0x36,0x50,0x1f,0x66,0x2b,0xb1,0xd1, + 0xe6,0xcf,0x14,0x56,0xf2,0xb9,0x9f,0xa9,0x6f,0x2d,0x15,0xb7,0x66,0x46,0x9e,0x85, + 0x7c,0x68,0xbd,0xf3,0x5f,0x9f,0xbf,0xbe,0xf8,0xf9,0x7f,0x7b,0x1b,0xca,0x51,0xc2, + 0xae,0x43,0x20,0x83,0x90,0xab,0xb5,0x70,0x73,0x42,0xa9,0xc1,0xd5,0x4f,0x89,0xcf, + 0x72,0xba,0x86,0x5c,0xd8,0x8c,0xaf,0x85,0xf1,0x3d,0x52,0x23,0xac,0x68,0x05,0x73, + 0xca,0x36,0x7c,0x12,0x86,0xae,0xdc,0xda,0x91,0x40,0x1f,0xe0,0x6b,0x26,0x43,0x64, + 0xe9,0x5f,0x71,0xbf,0x22,0x6c,0x6e,0xd1,0x32,0x0c,0x7c,0x07,0x36,0x3a,0x09,0xef, + 0xe7,0xa7,0x9b,0x73,0x19,0xe3,0x6a,0xd2,0x41,0x43,0x23,0xef,0x63,0x30,0xa0,0x34, + 0x12,0x2c,0xe5,0x23,0x5f,0x46,0x87,0xcc,0xf1,0x2f,0x0b,0xd1,0x72,0x58,0xc5,0x36, + 0xcb,0x4e,0x00,0x5f,0x15,0x80,0x0a,0x05,0xb5,0x34,0x34,0x9c,0x19,0x20,0xc1,0x5b, + 0x80,0x98,0x96,0x42,0x01,0x54,0x6c,0x65,0x4e,0xc5,0x2b,0x04,0x55,0x63,0x71,0x5e, + 0x99,0x79,0xc5,0xfb,0x03,0xbf,0x27,0x56,0xa6,0xdf,0x3a,0x4c,0xea,0x63 +}; + + +/* subject:/C=RU/CN=telegram.im */ +/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ +/* Not After : Sep 3 23:57:19 2019 GMT */ + +unsigned char leafOnAllowList_Cert[1719]={ + 0x30,0x82,0x06,0xB3,0x30,0x82,0x05,0x9B,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x31, + 0x4E,0xCD,0xA3,0x65,0x0B,0x68,0x8D,0x7D,0x77,0xD3,0x5A,0x00,0x4A,0xC5,0x94,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, + 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, + 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, + 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72, + 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, + 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x39,0x30,0x33,0x32, + 
0x33,0x35,0x37,0x31,0x39,0x5A,0x17,0x0D,0x31,0x39,0x30,0x39,0x30,0x33,0x32,0x33, + 0x35,0x37,0x31,0x39,0x5A,0x30,0x23,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x52,0x55,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x03,0x0C,0x0B,0x74, + 0x65,0x6C,0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x82,0x02,0x22,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02, + 0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xCA,0xCD,0x7B,0x38,0x40, + 0x59,0xBD,0xD7,0x0D,0xB4,0xDA,0xA7,0x43,0x3F,0x64,0xE7,0xD5,0x88,0x4A,0xA3,0x7D, + 0xA1,0x8A,0x6C,0x3B,0x1B,0xE0,0xE4,0xE0,0x82,0xCD,0xD3,0x38,0x7D,0x6E,0x49,0x0F, + 0x56,0x2D,0xA7,0x3A,0x1D,0x7A,0x5C,0x48,0x0D,0x15,0xBD,0x68,0xC0,0x24,0xAE,0x9B, + 0x03,0x33,0x5E,0xBB,0x12,0x13,0x32,0xDA,0xAF,0xAD,0xEB,0x36,0x76,0x6F,0xBD,0x91, + 0xF0,0xC1,0xC6,0x14,0xE1,0xDA,0x88,0x32,0x47,0x26,0x5C,0x92,0x5D,0xE1,0xA4,0x3E, + 0x99,0xCD,0x5B,0xFB,0x92,0x3C,0xA9,0x56,0xEC,0x6B,0xA9,0xEB,0xB0,0x34,0x89,0x4B, + 0x96,0x1A,0x57,0x0D,0x5F,0x94,0x7C,0x25,0x67,0xCE,0xC0,0x6A,0xB1,0x73,0xE4,0xB3, + 0x56,0xD8,0xE9,0x09,0x4F,0x5D,0x91,0xBB,0x5E,0x6C,0x13,0xE7,0x18,0xDB,0x62,0x0D, + 0xDA,0xB9,0xCD,0x97,0xC1,0xD4,0x35,0x0F,0x1A,0x4B,0xCA,0xFC,0x9D,0x88,0xD1,0xE4, + 0xFC,0x1D,0x43,0x7E,0xE7,0x1A,0xEB,0xED,0x1F,0x7D,0x1F,0x2B,0xF9,0x3A,0x0D,0x06, + 0x03,0x3F,0x2D,0xAF,0xF4,0xDB,0xCC,0x91,0x7B,0xF7,0x9D,0xAA,0x13,0x41,0xC0,0x57, + 0x8F,0x3E,0xE2,0xCA,0x45,0x7D,0x35,0x1B,0x0C,0x51,0x53,0x81,0x05,0x74,0x88,0xA2, + 0x37,0x9B,0x26,0x34,0xAE,0x49,0xB6,0x97,0x9F,0x81,0xFB,0x45,0x7F,0x65,0x82,0x1F, + 0x8E,0xC1,0xF0,0xC0,0x63,0x1F,0x7B,0xE4,0x45,0xA7,0x4C,0x1C,0x09,0x10,0xF6,0x8A, + 0x81,0x8E,0x3B,0x6E,0xFF,0x15,0x53,0x9D,0x36,0x2F,0x52,0x01,0x0C,0x34,0x59,0x12, + 0x9C,0xCA,0xAF,0xF5,0x58,0x31,0x37,0xE6,0x44,0xE5,0x0D,0xDB,0x0F,0x43,0xA3,0x09, + 0x79,0x78,0x00,0x3D,0x7F,0x3B,0x2F,0xB8,0x28,0x58,0x79,0x35,0xEE,0xA1,0xDA,0x1B, + 0xF2,0x8F,0x9C,0xAB,0x3F,0x38,0xB5,0x88,0x85,0x78,0x48,0xAA,0x67,0x41,0x0A,0xAB, + 
0x1D,0x89,0xE1,0x60,0x39,0x9A,0x6B,0x88,0xE3,0xB9,0x78,0x02,0x2F,0x74,0x58,0xDD, + 0xBD,0xEE,0x51,0x8E,0xA9,0x1E,0x5E,0xFD,0x84,0x2B,0x94,0x55,0x14,0xAE,0x68,0x71, + 0x73,0xC7,0xE3,0xAE,0x9E,0xD9,0x54,0xB4,0x6D,0xE1,0x9A,0x10,0x1A,0x51,0x68,0x13, + 0x8E,0x51,0x18,0xBF,0xA8,0x7C,0x1A,0x18,0x2C,0xCE,0xF6,0x56,0xFD,0x9E,0xDC,0x97, + 0xE8,0x95,0x08,0xDA,0xC6,0xBC,0x8C,0x9C,0xDC,0x70,0x45,0xFD,0xD2,0x3E,0x83,0xE3, + 0x01,0x23,0xD4,0x74,0x6D,0xFD,0x2B,0x55,0x97,0x99,0x96,0xEB,0xD3,0x2D,0x5A,0xA7, + 0xEF,0xC8,0x89,0x4C,0xA3,0xC1,0xDA,0x17,0xD0,0xDE,0x9C,0xB6,0xA3,0x1D,0x14,0x05, + 0x65,0xCA,0x5C,0x32,0xD0,0x58,0x62,0xAA,0x56,0x72,0x90,0x02,0xC0,0xFC,0xB6,0x85, + 0x5A,0x53,0xC2,0xC1,0x31,0xAE,0xD6,0xC8,0x54,0xBE,0x78,0xE2,0x44,0x41,0x58,0xC3, + 0xEE,0xA7,0x38,0x6D,0x4E,0xAF,0xF1,0xD2,0xD1,0xD9,0xB1,0x17,0x5D,0x10,0x00,0x1D, + 0x8A,0x07,0xF6,0x5C,0x2C,0x1D,0x2B,0xDB,0xDE,0x3C,0x5B,0x22,0xC4,0xBB,0x27,0xC6, + 0x5A,0x78,0x25,0x7A,0x8F,0x86,0x42,0x6A,0x82,0xD3,0x7C,0xCA,0x07,0x62,0x23,0x09, + 0x44,0xEE,0x3B,0xEF,0x0E,0xB7,0x1A,0xA4,0x4D,0xBB,0x93,0xFD,0x83,0xCD,0x67,0x22, + 0x4B,0xE9,0x37,0x23,0x99,0x3F,0xD7,0xD4,0xEE,0x5C,0x4B,0x02,0x03,0x01,0x00,0x01, + 0xA3,0x82,0x02,0xAF,0x30,0x82,0x02,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, + 0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04, + 0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02, + 0x30,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x2A,0x36,0x37, + 0x39,0xD2,0xCA,0x66,0xB3,0xF8,0x12,0x94,0x78,0xB1,0xD9,0x18,0x1C,0x11,0xD9,0x7C, + 0xD7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7, + 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E, + 0xA8,0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71, + 0x30,0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28, + 
0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73, + 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76, + 0x65,0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61, + 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36, + 0x2E,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65, + 0x72,0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30, + 0xA0,0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31, + 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D, + 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C, + 0x30,0x16,0x06,0x03,0x55,0x1D,0x11,0x04,0x0F,0x30,0x0D,0x82,0x0B,0x74,0x65,0x6C, + 0x65,0x67,0x72,0x61,0x6D,0x2E,0x69,0x6D,0x30,0x4F,0x06,0x03,0x55,0x1D,0x20,0x04, + 0x48,0x30,0x46,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3A,0x06, + 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x01,0x01,0x02,0x30,0x2B,0x30,0x29, + 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70, + 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F, + 0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x82,0x01,0x06,0x06,0x0A,0x2B, + 0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x81,0xF7,0x04,0x81,0xF4,0x00, + 0xF2,0x00,0x77,0x00,0x68,0xF6,0x98,0xF8,0x1F,0x64,0x82,0xBE,0x3A,0x8C,0xEE,0xB9, + 0x28,0x1D,0x4C,0xFC,0x71,0x51,0x5D,0x67,0x93,0xD4,0x44,0xD1,0x0A,0x67,0xAC,0xBB, + 0x4F,0x4F,0xFB,0xC4,0x00,0x00,0x01,0x56,0xF2,0x97,0xEB,0x40,0x00,0x00,0x04,0x03, + 0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xBC,0xC2,0x3C,0xA9,0x92,0x2F,0x3D,0x59,0x3C, + 0x82,0x38,0xD6,0x1A,0x83,0x95,0x04,0x15,0x1C,0x85,0x19,0x8F,0x12,0x33,0x01,0x1B, + 0xB1,0xCF,0xBE,0xE6,0xC1,0x6F,0xBE,0x02,0x21,0x00,0xB2,0x3B,0x8C,0xA0,0xB0,0x9C, + 
0xCF,0xBA,0xFA,0x4E,0xBA,0xE7,0x95,0x85,0x89,0x5C,0xE1,0x5F,0x34,0x7A,0xA8,0xCB, + 0x19,0xC8,0x0C,0xED,0x3A,0xA4,0xE2,0x29,0xCD,0xBF,0x00,0x77,0x00,0xA4,0xB9,0x09, + 0x90,0xB4,0x18,0x58,0x14,0x87,0xBB,0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98, + 0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77,0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01, + 0x56,0xF2,0x97,0xEC,0x65,0x00,0x00,0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00, + 0x96,0x67,0x94,0x08,0x36,0x41,0xF7,0x3F,0x97,0x0B,0xAE,0xAB,0x2F,0xD4,0x0C,0xE5, + 0xFA,0x3F,0xB2,0x0B,0x4F,0x57,0x1C,0xDF,0x0A,0xF4,0xE7,0x04,0x59,0x1F,0x0D,0xEF, + 0x02,0x21,0x00,0xBC,0xB5,0xAD,0xF5,0x60,0x34,0x47,0xD5,0x23,0x08,0x12,0xDE,0x8F, + 0xC7,0xE9,0x14,0x0C,0x02,0x25,0x0B,0x6D,0xB8,0xBF,0x1C,0x0D,0x65,0xEC,0x86,0x9B, + 0x30,0x88,0x2F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, + 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x3B,0x9A,0xD3,0xED,0xF3,0xA8,0x95,0x4E,0x35, + 0x96,0xFF,0xA4,0xF1,0x61,0xB1,0x97,0xCA,0xF1,0xC8,0xDC,0x82,0x51,0xB9,0x29,0x3D, + 0x77,0x59,0x96,0xF4,0x32,0x1F,0xCC,0xF9,0xC6,0x71,0x9E,0x6E,0xB4,0x83,0xFC,0xD9, + 0xBF,0x21,0x43,0xAF,0xEB,0xB1,0x37,0x36,0x91,0x26,0x72,0xF8,0xAA,0x3A,0x38,0xBE, + 0x51,0x27,0xBB,0x07,0x48,0x92,0x4E,0xFA,0xA0,0x5A,0x00,0x0D,0x81,0xCB,0x3B,0x17, + 0x4E,0x04,0x0A,0xF7,0x0E,0x53,0xCD,0xAC,0x5E,0xC8,0xA5,0xE3,0x31,0x6E,0x9F,0x45, + 0x65,0xA1,0x81,0x5C,0x98,0xF9,0x7E,0x07,0xC1,0x05,0x92,0xBD,0xCD,0xEA,0x5C,0xC7, + 0x0B,0xC1,0x22,0x8F,0x13,0x7E,0xA2,0xB5,0xE2,0x88,0xBF,0x00,0xF0,0xC5,0xCA,0x99, + 0xB2,0x59,0x9E,0x6E,0x71,0x35,0x49,0xC5,0xAF,0xAB,0x9B,0x80,0x2A,0xE1,0x8F,0x82, + 0x98,0x43,0x54,0x8D,0x7A,0x28,0x98,0xA4,0xAE,0xDE,0x29,0xCC,0x15,0xBF,0x2E,0x4F, + 0xD8,0x70,0x2E,0x8F,0xD8,0xE0,0xB9,0xC0,0x37,0x67,0x7A,0x29,0x35,0x0B,0xCD,0x7D, + 0xF9,0x59,0x4A,0x6C,0x1C,0x87,0x31,0x2C,0x85,0x83,0x08,0x4E,0xAB,0xED,0xA1,0xEF, + 0x76,0x90,0x32,0x71,0x6D,0xE6,0x13,0xE5,0x70,0xB8,0x7B,0xF3,0x6C,0x47,0x04,0xDE, + 0xCC,0x61,0x67,0x5D,0x98,0xC0,0xDB,0x7D,0x24,0x3D,0x60,0xA9,0x60,0x9D,0xD8,0xC7, + 
0x27,0x8C,0x5F,0xA7,0x5A,0xE9,0x58,0x2C,0x2A,0x03,0x92,0xB6,0xF1,0x51,0xC6,0x1D, + 0xA4,0x7B,0xDF,0xE6,0xF3,0x1A,0xD4,0x23,0x6C,0x4E,0x8D,0x5F,0xFB,0x98,0xD2,0xB3, + 0x0B,0x73,0x41,0xB6,0x5C,0x84,0xEF, +}; + +/* subject:/CN=mmime.info */ +/* issuer :/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ +/* Not After : Sep 12 17:15:48 2016 GMT */ + +unsigned char leafNotOnAllowList_Cert[1343]={ + 0x30,0x82,0x05,0x3B,0x30,0x82,0x04,0x23,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x6A, + 0xC3,0x4F,0x8F,0xC7,0x97,0x97,0x53,0xE4,0x61,0x64,0x13,0xC4,0x2E,0x92,0x9B,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, + 0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, + 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, + 0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x46,0x72, + 0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, + 0x74,0x65,0x20,0x47,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x39,0x31,0x32,0x31, + 0x37,0x31,0x35,0x34,0x38,0x5A,0x17,0x0D,0x31,0x36,0x30,0x39,0x31,0x32,0x31,0x37, + 0x31,0x35,0x34,0x38,0x5A,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03, + 0x0C,0x0A,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x82,0x01,0x22, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, + 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB6,0x88,0xD4, + 0xC3,0xBE,0x56,0x7F,0xB1,0xF1,0x48,0x37,0x71,0x3F,0xC7,0x72,0x53,0x95,0x64,0xAC, + 0x60,0xF6,0x8C,0x01,0x15,0x2C,0xBD,0x6D,0x43,0x3F,0x8F,0x50,0x12,0x03,0x72,0x0C, + 0x0D,0x37,0xD7,0x00,0x13,0xEC,0x49,0xC5,0xCF,0x00,0xE1,0x84,0x01,0x8B,0x1A,0xD7, + 0x6D,0x8A,0xC7,0xB9,0xA7,0x3F,0x3A,0xE5,0xDD,0x1A,0xC9,0xCD,0x30,0xB5,0x74,0x0B, + 0xFD,0x3C,0x70,0x8D,0xCF,0xCC,0xB7,0xB7,0x52,0x95,0x47,0xDB,0x47,0x2F,0x9C,0x5C, + 
0x06,0x6B,0x3D,0xA4,0xE5,0x42,0x6C,0x85,0x69,0xF3,0x35,0x07,0x3C,0xEF,0xA2,0xFB, + 0x81,0x3F,0xF6,0x1C,0x51,0x17,0xA6,0x19,0x70,0xF3,0x02,0x43,0x8C,0xC3,0x42,0xED, + 0xFE,0xF7,0x5F,0xD1,0xF3,0xBB,0x46,0xE9,0x11,0xB8,0x39,0x2E,0xE6,0x8E,0x00,0x48, + 0x66,0xDF,0x78,0xDE,0x1A,0x27,0x71,0xF1,0x13,0x37,0xC7,0x65,0xA0,0x03,0x41,0xF9, + 0xB2,0xE1,0x82,0x54,0x38,0x60,0x7E,0x1A,0x5A,0x77,0xC6,0x6E,0x9C,0x91,0x06,0x62, + 0x84,0xA6,0x91,0xF0,0x3E,0x10,0x4F,0x83,0x1D,0x87,0x94,0xEB,0x0F,0x14,0x91,0xEC, + 0x58,0xFC,0x15,0x60,0x16,0xF6,0xCD,0x88,0xF7,0x7C,0xE9,0x26,0x71,0x3C,0x14,0x3E, + 0xD0,0xE0,0x06,0x3B,0xC2,0xAC,0xC0,0x16,0x16,0x0B,0x43,0xD2,0x92,0x96,0x84,0xC9, + 0x65,0x6E,0xC9,0x76,0x8A,0xE3,0x5B,0x96,0xDE,0xB9,0x57,0xB0,0x7C,0xC2,0xE9,0x74, + 0x2D,0x6D,0x6F,0x58,0x23,0xC9,0xEB,0xB3,0x63,0xB6,0x18,0xC6,0xD6,0x6B,0xF0,0x88, + 0xAC,0x2D,0x3E,0x05,0x6D,0x00,0xC0,0x25,0x9A,0x4C,0x3E,0xFE,0xA5,0x02,0x03,0x01, + 0x00,0x01,0xA3,0x82,0x02,0x45,0x30,0x82,0x02,0x41,0x30,0x0B,0x06,0x03,0x55,0x1D, + 0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16, + 0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30, + 0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x3D,0xAB,0x6A,0xB5, + 0xCC,0x2F,0xFE,0x38,0x1F,0xEF,0x88,0xA0,0xF7,0xBC,0x2A,0x44,0xEA,0x9E,0xE6,0xBD, + 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0xA7,0x16, + 0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E,0xA8, + 0xC7,0x30,0x7D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x71,0x30, + 0x6F,0x30,0x34,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x28,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x36,0x2E,0x77,0x6F,0x73,0x69, + 0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2F,0x73,0x65,0x72,0x76,0x65, + 0x72,0x31,0x2F,0x66,0x72,0x65,0x65,0x30,0x37,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 
0x07,0x30,0x02,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x36, + 0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2E, + 0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2E,0x66,0x72,0x65,0x65,0x2E,0x63,0x65,0x72, + 0x30,0x3D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x36,0x30,0x34,0x30,0x32,0xA0,0x30,0xA0, + 0x2E,0x86,0x2C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x36,0x2E, + 0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x36,0x2D,0x73, + 0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E,0x63,0x72,0x6C,0x30, + 0x81,0xB6,0x06,0x03,0x55,0x1D,0x11,0x04,0x81,0xAE,0x30,0x81,0xAB,0x82,0x0A,0x6D, + 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0E,0x77,0x77,0x77,0x2E,0x6D, + 0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x63,0x6C,0x6F,0x75,0x64, + 0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x12,0x77,0x65,0x62, + 0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82, + 0x0E,0x76,0x70,0x6E,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82, + 0x11,0x62,0x61,0x63,0x6B,0x75,0x70,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E,0x69,0x6E, + 0x66,0x6F,0x82,0x10,0x66,0x69,0x6C,0x65,0x73,0x2E,0x6D,0x6D,0x69,0x6D,0x65,0x2E, + 0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6D,0x61,0x69,0x6C,0x2E,0x6D,0x6D,0x69,0x6D,0x65, + 0x2E,0x69,0x6E,0x66,0x6F,0x82,0x10,0x73,0x68,0x61,0x72,0x65,0x2E,0x6D,0x6D,0x69, + 0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x82,0x0F,0x6E,0x65,0x77,0x73,0x2E,0x6D,0x6D, + 0x69,0x6D,0x65,0x2E,0x69,0x6E,0x66,0x6F,0x30,0x51,0x06,0x03,0x55,0x1D,0x20,0x04, + 0x4A,0x30,0x48,0x30,0x08,0x06,0x06,0x67,0x81,0x0C,0x01,0x02,0x01,0x30,0x3C,0x06, + 0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30,0x2B, + 0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68,0x74, + 0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E, + 0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09,0x2A, + 
0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x7A, + 0x93,0xB0,0x04,0xAB,0xCA,0x53,0x61,0x83,0xC4,0xDC,0x8B,0xE9,0xA5,0x62,0x46,0x9E, + 0x22,0x7A,0xBB,0x23,0x32,0xC9,0xC8,0x55,0xA7,0x87,0x53,0x68,0x61,0xF4,0x14,0x9B, + 0xA6,0xC1,0xC2,0x2D,0xF1,0xD6,0x2F,0x58,0x6D,0xCC,0xF9,0x47,0x4F,0x49,0x82,0xDD, + 0xFA,0x61,0xD4,0xE1,0x99,0xB3,0x1E,0x5A,0x44,0x1E,0xA3,0xC2,0x1E,0x83,0x4F,0x9C, + 0xB8,0xBC,0x25,0xCD,0x32,0x13,0xCA,0xA8,0xEC,0x17,0xD6,0xEB,0x96,0x38,0xFF,0x26, + 0xF7,0x76,0x85,0xA0,0x96,0x7C,0x70,0xCE,0xFC,0xBF,0x23,0x1D,0xF8,0xFB,0x0F,0x3E, + 0xA8,0x22,0xF4,0xE6,0x96,0xD7,0x38,0xF3,0xCE,0xA2,0xDE,0xD3,0xAA,0x11,0x61,0x2E, + 0x41,0xBF,0xE0,0xAD,0x65,0x88,0x06,0xB4,0x8E,0x45,0x38,0xEB,0x48,0xA5,0xEB,0xE6, + 0x88,0xD2,0x0D,0x83,0x8B,0x6A,0x2A,0x97,0xC6,0xBD,0x01,0x39,0x71,0x0A,0xDA,0xF3, + 0x2A,0x8D,0x7F,0x5C,0xCC,0xF0,0x05,0x17,0x99,0x98,0x11,0xD3,0x43,0x23,0xCE,0x91, + 0x55,0x02,0x7E,0x93,0x1B,0x37,0xE9,0x81,0x84,0x7D,0xEE,0x80,0x0D,0x69,0xF5,0x77, + 0x20,0x8B,0x39,0x7F,0x4E,0x52,0x94,0xED,0x07,0x76,0xF0,0xB6,0x12,0x39,0xDA,0xEB, + 0x80,0x42,0x02,0xD4,0xFE,0xE6,0x42,0xB7,0xC5,0xA8,0xEC,0xA6,0x83,0x9C,0x68,0x60, + 0x9A,0x52,0xF2,0x7F,0xF6,0x48,0x92,0x93,0x10,0x43,0xDE,0x5E,0x75,0x18,0x1B,0x22, + 0x12,0x3F,0xEB,0x7A,0x38,0x6E,0x73,0xBD,0x6A,0x2C,0xE6,0x07,0xEA,0xFC,0x50,0x31, + 0x54,0xC3,0x7B,0xD1,0x0B,0xC1,0x78,0x9D,0x6E,0xF2,0xAF,0x65,0xB9,0xF1,0xB5, +}; + +/* subject:/C=CN/O=WoSign CA Limited/CN=WoSign CA Free SSL Certificate G2 */ +/* issuer :/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */ +/* Not After : Nov 8 00:58:58 2029 GMT */ + +unsigned char ca1_Cert[1456]={ + 0x30,0x82,0x05,0xAC,0x30,0x82,0x03,0x94,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x38, + 0xF6,0x45,0xC1,0xE2,0x5D,0x91,0x2C,0xCE,0x3B,0x2B,0x39,0x12,0x31,0x74,0x0D,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x55, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x4E,0x31,0x1A,0x30, + 
0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F,0x53,0x69,0x67,0x6E,0x20,0x43, + 0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31,0x2A,0x30,0x28,0x06,0x03,0x55, + 0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, + 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x6F,0x66,0x20,0x57, + 0x6F,0x53,0x69,0x67,0x6E,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x31,0x30,0x38,0x30, + 0x30,0x35,0x38,0x35,0x38,0x5A,0x17,0x0D,0x32,0x39,0x31,0x31,0x30,0x38,0x30,0x30, + 0x35,0x38,0x35,0x38,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57, + 0x6F,0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64, + 0x31,0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x57,0x6F,0x53,0x69,0x67, + 0x6E,0x20,0x43,0x41,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53,0x4C,0x20,0x43,0x65, + 0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x47,0x32,0x30,0x82,0x01,0x22, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, + 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE3,0xB4,0x80, + 0x0E,0x6B,0x30,0x50,0x82,0x2F,0x1F,0xE7,0x9D,0xBF,0xF8,0x7C,0x42,0x25,0xED,0xAE, + 0x61,0xC4,0xEB,0x86,0x87,0x23,0x7F,0x11,0x1F,0xC0,0x93,0x5F,0x1B,0x92,0x90,0x1E, + 0x77,0x8C,0xBC,0x76,0xF7,0xFB,0x0A,0xA5,0xD5,0x7D,0xAC,0xDC,0x4B,0x18,0xD8,0x58, + 0x2E,0xDF,0x46,0x6B,0x34,0x0F,0x45,0x64,0x60,0x84,0xC2,0xEB,0x9A,0x0E,0x51,0xD4, + 0x2A,0x54,0x51,0x3E,0x27,0x3B,0x64,0x68,0x86,0x6F,0x7C,0x6B,0x00,0x3C,0x99,0xF6, + 0x4C,0xA8,0x45,0x27,0xAD,0xA5,0xCB,0x2B,0x37,0xED,0x59,0xC3,0x52,0x4C,0x4F,0xDE, + 0x34,0x9C,0xF2,0xB7,0xD1,0xFA,0x58,0xCB,0xE5,0x62,0x9E,0x55,0x46,0x5C,0xB7,0xC5, + 0x8D,0x38,0x24,0x35,0xEF,0x97,0x2C,0x7C,0x65,0x10,0x0D,0xEF,0x9F,0x97,0x08,0xD5, + 0xE5,0xB3,0x12,0x7A,0x92,0xDD,0xFE,0x88,0x0F,0x8F,0xA4,0xAF,0xBD,0xC5,0xD6,0x36, + 0xF7,0x41,0x1B,0xE8,0x59,0xDD,0x86,0xFF,0x35,0xBF,0xED,0xE4,0xD1,0xA0,0x93,0x6E, + 
0x51,0xA8,0x99,0xCB,0xDF,0xDD,0xBE,0x71,0x88,0xC3,0xDA,0xB1,0x65,0xCC,0x7B,0x95, + 0xC4,0x66,0x8F,0xBE,0x4E,0x06,0x7F,0x9B,0x53,0x8C,0x6B,0x3C,0xCE,0x97,0x26,0x82, + 0x1F,0x17,0x30,0xBA,0x3F,0xC8,0xDE,0xCC,0x0B,0xA1,0xB4,0xEF,0x12,0x3D,0x93,0xCB, + 0x08,0x30,0xE7,0x1A,0x98,0x97,0x80,0x3A,0x26,0x84,0x8F,0xFE,0x73,0x74,0x95,0x53, + 0x0F,0x51,0xB2,0xAA,0x89,0x57,0xF4,0x96,0x40,0x72,0x13,0x1D,0xE4,0x67,0x98,0x4E, + 0x8F,0xC6,0x40,0x0B,0xF5,0x1D,0x0C,0x45,0x2D,0xE0,0xD5,0x92,0x83,0x02,0x03,0x01, + 0x00,0x01,0xA3,0x82,0x01,0x76,0x30,0x82,0x01,0x72,0x30,0x0E,0x06,0x03,0x55,0x1D, + 0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D, + 0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06, + 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, + 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30,0x30,0x06, + 0x03,0x55,0x1D,0x1F,0x04,0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86,0x1F, + 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x73,0x31,0x2E,0x77,0x6F,0x73, + 0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30, + 0x72,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x66,0x30,0x64,0x30, + 0x27,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74, + 0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E, + 0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31,0x30,0x39,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x30,0x02,0x86,0x2D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61, + 0x31,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x61,0x31, + 0x67,0x32,0x2D,0x73,0x65,0x72,0x76,0x65,0x72,0x31,0x2D,0x66,0x72,0x65,0x65,0x2E, + 0x63,0x65,0x72,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2,0xA7, + 0x16,0x20,0x7C,0xAF,0xD9,0x95,0x9E,0xEB,0x43,0x0A,0x19,0xF2,0xE0,0xB9,0x74,0x0E, + 0xA8,0xC7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE1, + 
0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B,0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6, + 0xFE,0xFB,0x3E,0x30,0x47,0x06,0x03,0x55,0x1D,0x20,0x04,0x40,0x30,0x3E,0x30,0x3C, + 0x06,0x0D,0x2B,0x06,0x01,0x04,0x01,0x82,0x9B,0x51,0x06,0x01,0x02,0x02,0x01,0x30, + 0x2B,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1D,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x77,0x6F,0x73,0x69,0x67,0x6E, + 0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2F,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00, + 0x96,0x5A,0xDF,0x96,0x91,0x17,0x68,0x90,0x5D,0x2F,0xB4,0x32,0x15,0x80,0x03,0x03, + 0x0B,0xE9,0x1C,0xB7,0x73,0x6C,0xDA,0xA8,0xFA,0x94,0xDD,0xDD,0x3E,0x34,0x2B,0x2E, + 0x80,0x93,0x6C,0xFA,0xA6,0x67,0xD3,0x1B,0x7A,0x82,0x41,0xCE,0x9E,0xFF,0x3F,0xEF, + 0xB2,0x83,0x6A,0x9E,0xFC,0x32,0xFD,0x44,0xF3,0x82,0x66,0xAA,0xCF,0x44,0x2F,0xB3, + 0x37,0x41,0xF0,0x79,0x12,0xE3,0x02,0x27,0x86,0x48,0x92,0xBE,0xCF,0x56,0xD7,0xCB, + 0xD7,0xE7,0x1E,0x25,0x9D,0x41,0xDB,0x0A,0xE7,0x33,0x12,0x58,0xAD,0x95,0xD8,0x9E, + 0xD4,0xB7,0x95,0x29,0xBA,0xFE,0xFF,0xDF,0x80,0xA4,0x77,0x5B,0x15,0x62,0x0F,0x69, + 0xF8,0x87,0x6D,0x74,0xEA,0x85,0xA2,0x76,0x5D,0x9F,0x95,0x2E,0x03,0xBC,0x8A,0xF9, + 0x8A,0xAC,0x81,0x64,0x50,0xF2,0x0B,0x45,0x4B,0xEC,0x97,0x30,0x39,0x74,0xE5,0xA7, + 0x7E,0x16,0x24,0x62,0x2B,0x50,0xF1,0x5C,0xD8,0x4F,0xCD,0x2E,0xA2,0x18,0x25,0xA3, + 0xCE,0xF6,0x1F,0x60,0xDD,0x15,0xDE,0x20,0x15,0x1B,0x0E,0x7F,0xAF,0x85,0xD9,0x40, + 0xAC,0x07,0x2A,0x34,0xDD,0x51,0xB0,0x1A,0xA8,0xE6,0x0E,0x9F,0x5F,0xDB,0x46,0x70, + 0xE6,0xF5,0xD9,0x25,0x1C,0xF0,0x1D,0xE5,0x42,0xA1,0x2D,0x22,0x9D,0x6E,0x11,0xC9, + 0x8D,0xA6,0x65,0xBC,0x0E,0xAA,0x76,0x73,0xC8,0x56,0x60,0x2F,0xFB,0x3F,0x86,0xB9, + 0xA5,0xF5,0x33,0xEF,0xD5,0x13,0x1F,0x49,0x4C,0x38,0x07,0x9E,0x59,0x22,0x5A,0xC7, + 0x4E,0xD9,0x25,0x24,0xBA,0x53,0x70,0xFC,0x63,0x2A,0x54,0x51,0xEB,0xC3,0x4B,0x41, + 0x7D,0xE4,0xE8,0x3C,0x2C,0xA5,0x76,0x5A,0xBF,0xD9,0x4C,0xA8,0x0D,0xAE,0x52,0x6E, + 
0xA5,0x5D,0x98,0x3D,0x6C,0x90,0x6D,0x78,0x1F,0xC3,0x70,0x95,0x86,0x07,0x3F,0x54, + 0xE3,0xEA,0x8A,0x81,0x64,0x62,0x9A,0x8F,0x31,0xAF,0x7B,0x2A,0x7E,0x92,0x22,0xC3, + 0x8E,0xCC,0x53,0xAC,0xC7,0x9C,0x99,0x11,0x2B,0x48,0x3F,0x52,0x71,0x2B,0x6E,0xC0, + 0xE1,0xB3,0x0A,0xE5,0x03,0x62,0xD7,0x89,0x18,0x28,0x4C,0x0A,0x8D,0x3F,0x0B,0x45, + 0x89,0x81,0x8B,0x88,0xA4,0x93,0xC2,0x7F,0x44,0xE5,0x1E,0x5B,0x40,0x00,0xFC,0x2F, + 0xCC,0x3B,0xF8,0x6A,0x79,0x31,0xFD,0x44,0x14,0xB6,0x8F,0x48,0x85,0x4C,0xAB,0x0A, + 0x9D,0xBB,0x37,0x0A,0xFC,0x51,0x19,0xE0,0xFE,0x59,0x6A,0x3B,0x8F,0x60,0x62,0xA7, + 0x07,0x82,0xAF,0x08,0x66,0xA0,0xF2,0xDA,0x60,0x02,0xEA,0xD8,0x34,0x7E,0x57,0x71, + 0xA1,0xB5,0xFE,0x69,0xD7,0xFB,0xDD,0x5A,0x9C,0xF3,0xFF,0xC4,0xEA,0xCD,0x74,0xFA, + 0x94,0x70,0xD3,0x58,0x92,0xCE,0xAF,0x12,0xE4,0x6E,0xEB,0xDD,0xB8,0xAF,0x1D,0xE2, + 0x65,0xD4,0x46,0xEA,0x0B,0x3E,0xE3,0x68,0x0E,0x0A,0x4C,0x27,0x83,0x50,0x91,0x06, + 0xC6,0x7B,0xF8,0xFA,0x9B,0x26,0xED,0x2C,0x0E,0x67,0xB8,0x6C,0xE5,0x2C,0x98,0x6D, + 0x5F,0x7A,0x28,0xC3,0x84,0x3C,0x03,0x0D,0xF7,0xE2,0x03,0xE1,0x94,0xC2,0x58,0x27, + 0xF8,0x4D,0x81,0x59,0x2F,0xF1,0x7C,0x61,0xC9,0x57,0x5D,0xBD,0xDC,0x9C,0x80,0xD0, + 0x64,0xDF,0x7C,0x87,0x78,0x85,0xE6,0x94,0x8B,0x70,0x8B,0x05,0x47,0xE4,0xC8,0x7B, +}; + +/* subject:/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign */ +/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ +/* Not After : Dec 31 23:59:59 2019 GMT */ + +unsigned char ca2_Cert[1632]={ + 0x30,0x82,0x06,0x5C,0x30,0x82,0x04,0x44,0xA0,0x03,0x02,0x01,0x02,0x02,0x07,0x19, + 0xC2,0x85,0x30,0xE9,0x3B,0x36,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x30,0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x49,0x4C,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53, + 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29, + 
0x06,0x03,0x55,0x04,0x0B,0x13,0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69, + 0x67,0x69,0x74,0x61,0x6C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55, + 0x04,0x03,0x13,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72, + 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, + 0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x32,0x32, + 0x34,0x36,0x33,0x36,0x5A,0x17,0x0D,0x31,0x39,0x31,0x32,0x33,0x31,0x32,0x33,0x35, + 0x39,0x35,0x39,0x5A,0x30,0x55,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x43,0x4E,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x0A,0x13,0x11,0x57,0x6F, + 0x53,0x69,0x67,0x6E,0x20,0x43,0x41,0x20,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x31, + 0x2A,0x30,0x28,0x06,0x03,0x55,0x04,0x03,0x13,0x21,0x43,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, + 0x79,0x20,0x6F,0x66,0x20,0x57,0x6F,0x53,0x69,0x67,0x6E,0x30,0x82,0x02,0x22,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xBD,0xCA,0x8D,0xAC, + 0xB8,0x91,0x15,0x56,0x97,0x7B,0x6B,0x5C,0x7A,0xC2,0xDE,0x6B,0xD9,0xA1,0xB0,0xC3, + 0x10,0x23,0xFA,0xA7,0xA1,0xB2,0xCC,0x31,0xFA,0x3E,0xD9,0xA6,0x29,0x6F,0x16,0x3D, + 0xE0,0x6B,0xF8,0xB8,0x40,0x5F,0xDB,0x39,0xA8,0x00,0x7A,0x8B,0xA0,0x4D,0x54,0x7D, + 0xC2,0x22,0x78,0xFC,0x8E,0x09,0xB8,0xA8,0x85,0xD7,0xCC,0x95,0x97,0x4B,0x74,0xD8, + 0x9E,0x7E,0xF0,0x00,0xE4,0x0E,0x89,0xAE,0x49,0x28,0x44,0x1A,0x10,0x99,0x32,0x0F, + 0x25,0x88,0x53,0xA4,0x0D,0xB3,0x0F,0x12,0x08,0x16,0x0B,0x03,0x71,0x27,0x1C,0x7F, + 0xE1,0xDB,0xD2,0xFD,0x67,0x68,0xC4,0x05,0x5D,0x0A,0x0E,0x5D,0x70,0xD7,0xD8,0x97, + 0xA0,0xBC,0x53,0x41,0x9A,0x91,0x8D,0xF4,0x9E,0x36,0x66,0x7A,0x7E,0x56,0xC1,0x90, + 0x5F,0xE6,0xB1,0x68,0x20,0x36,0xA4,0x8C,0x24,0x2C,0x2C,0x47,0x0B,0x59,0x76,0x66, + 
0x30,0xB5,0xBE,0xDE,0xED,0x8F,0xF8,0x9D,0xD3,0xBB,0x01,0x30,0xE6,0xF2,0xF3,0x0E, + 0xE0,0x2C,0x92,0x80,0xF3,0x85,0xF9,0x28,0x8A,0xB4,0x54,0x2E,0x9A,0xED,0xF7,0x76, + 0xFC,0x15,0x68,0x16,0xEB,0x4A,0x6C,0xEB,0x2E,0x12,0x8F,0xD4,0xCF,0xFE,0x0C,0xC7, + 0x5C,0x1D,0x0B,0x7E,0x05,0x32,0xBE,0x5E,0xB0,0x09,0x2A,0x42,0xD5,0xC9,0x4E,0x90, + 0xB3,0x59,0x0D,0xBB,0x7A,0x7E,0xCD,0xD5,0x08,0x5A,0xB4,0x7F,0xD8,0x1C,0x69,0x11, + 0xF9,0x27,0x0F,0x7B,0x06,0xAF,0x54,0x83,0x18,0x7B,0xE1,0xDD,0x54,0x7A,0x51,0x68, + 0x6E,0x77,0xFC,0xC6,0xBF,0x52,0x4A,0x66,0x46,0xA1,0xB2,0x67,0x1A,0xBB,0xA3,0x4F, + 0x77,0xA0,0xBE,0x5D,0xFF,0xFC,0x56,0x0B,0x43,0x72,0x77,0x90,0xCA,0x9E,0xF9,0xF2, + 0x39,0xF5,0x0D,0xA9,0xF4,0xEA,0xD7,0xE7,0xB3,0x10,0x2F,0x30,0x42,0x37,0x21,0xCC, + 0x30,0x70,0xC9,0x86,0x98,0x0F,0xCC,0x58,0x4D,0x83,0xBB,0x7D,0xE5,0x1A,0xA5,0x37, + 0x8D,0xB6,0xAC,0x32,0x97,0x00,0x3A,0x63,0x71,0x24,0x1E,0x9E,0x37,0xC4,0xFF,0x74, + 0xD4,0x37,0xC0,0xE2,0xFE,0x88,0x46,0x60,0x11,0xDD,0x08,0x3F,0x50,0x36,0xAB,0xB8, + 0x7A,0xA4,0x95,0x62,0x6A,0x6E,0xB0,0xCA,0x6A,0x21,0x5A,0x69,0xF3,0xF3,0xFB,0x1D, + 0x70,0x39,0x95,0xF3,0xA7,0x6E,0xA6,0x81,0x89,0xA1,0x88,0xC5,0x3B,0x71,0xCA,0xA3, + 0x52,0xEE,0x83,0xBB,0xFD,0xA0,0x77,0xF4,0xE4,0x6F,0xE7,0x42,0xDB,0x6D,0x4A,0x99, + 0x8A,0x34,0x48,0xBC,0x17,0xDC,0xE4,0x80,0x08,0x22,0xB6,0xF2,0x31,0xC0,0x3F,0x04, + 0x3E,0xEB,0x9F,0x20,0x79,0xD6,0xB8,0x06,0x64,0x64,0x02,0x31,0xD7,0xA9,0xCD,0x52, + 0xFB,0x84,0x45,0x69,0x09,0x00,0x2A,0xDC,0x55,0x8B,0xC4,0x06,0x46,0x4B,0xC0,0x4A, + 0x1D,0x09,0x5B,0x39,0x28,0xFD,0xA9,0xAB,0xCE,0x00,0xF9,0x2E,0x48,0x4B,0x26,0xE6, + 0x30,0x4C,0xA5,0x58,0xCA,0xB4,0x44,0x82,0x4F,0xE7,0x91,0x1E,0x33,0xC3,0xB0,0x93, + 0xFF,0x11,0xFC,0x81,0xD2,0xCA,0x1F,0x71,0x29,0xDD,0x76,0x4F,0x92,0x25,0xAF,0x1D, + 0x81,0xB7,0x0F,0x2F,0x8C,0xC3,0x06,0xCC,0x2F,0x27,0xA3,0x4A,0xE4,0x0E,0x99,0xBA, + 0x7C,0x1E,0x45,0x1F,0x7F,0xAA,0x19,0x45,0x96,0xFD,0xFC,0x3D,0x02,0x03,0x01,0x00, + 0x01,0xA3,0x82,0x01,0x07,0x30,0x82,0x01,0x03,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, + 
0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,0x0E,0x06, + 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06, + 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xE1,0x66,0xCF,0x0E,0xD1,0xF1,0xB3,0x4B, + 0xB7,0x06,0x20,0x14,0xFE,0x87,0x12,0xD5,0xF6,0xFE,0xFB,0x3E,0x30,0x1F,0x06,0x03, + 0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B, + 0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68,0x43,0xD0,0x41,0xAE,0xF2,0x30,0x69,0x06, + 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x5D,0x30,0x5B,0x30,0x27,0x06, + 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x1B,0x68,0x74,0x74,0x70,0x3A, + 0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E, + 0x63,0x6F,0x6D,0x2F,0x63,0x61,0x30,0x30,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, + 0x30,0x02,0x86,0x24,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x61,0x69,0x61,0x2E,0x73, + 0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72,0x74, + 0x73,0x2F,0x63,0x61,0x2E,0x63,0x72,0x74,0x30,0x32,0x06,0x03,0x55,0x1D,0x1F,0x04, + 0x2B,0x30,0x29,0x30,0x27,0xA0,0x25,0xA0,0x23,0x86,0x21,0x68,0x74,0x74,0x70,0x3A, + 0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x73,0x74,0x61,0x72,0x74,0x73,0x73,0x6C,0x2E,0x63, + 0x6F,0x6D,0x2F,0x73,0x66,0x73,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x02,0x01,0x00, + 0xB6,0x6D,0xF8,0x70,0xFB,0xE2,0x0D,0x4C,0x98,0xB3,0x07,0x49,0x15,0xF5,0x04,0xC4, + 0x6C,0xCA,0xCA,0xF5,0x68,0xA0,0x08,0xFE,0x12,0x6D,0x9C,0x04,0x06,0xC9,0xAD,0x9A, + 0x91,0x52,0x3E,0x78,0xC4,0x5C,0xEE,0x9F,0x54,0x1D,0xEE,0xE3,0xF1,0x5E,0x30,0xC9, + 0x49,0xE1,0x39,0xE0,0xA6,0x9D,0x36,0x6C,0x57,0xFA,0xE6,0x34,0x4F,0x55,0xE8,0x87, + 0xA8,0x2C,0xDD,0x05,0xF1,0x58,0x12,0x91,0xE8,0xCA,0xCE,0x28,0x78,0x8F,0xDF,0x07, + 0x85,0x01,0xA5,0xDC,0x45,0x96,0x05,0xD4,0x80,0xB2,0x2B,0x05,0x9A,0xCB,0x9A,0xA5, + 0x8B,0xE0,0x3A,0x67,0xE6,0x73,0x47,0xBE,0x4A,0xFD,0x27,0xB1,0x88,0xEF,0xE6,0xCA, + 
0xCF,0x8D,0x0E,0x26,0x9F,0xFA,0x5F,0x57,0x78,0xAD,0x6D,0xFE,0xAE,0x9B,0x35,0x08, + 0xB1,0xC3,0xBA,0xC1,0x00,0x4A,0x4B,0x7D,0x14,0xBD,0xF7,0xF1,0xD3,0x55,0x18,0xAC, + 0xD0,0x33,0x70,0x88,0x6D,0xC4,0x09,0x71,0x14,0xA6,0x2B,0x4F,0x88,0x81,0xE7,0x0B, + 0x00,0x37,0xA9,0x15,0x7D,0x7E,0xD7,0x01,0x96,0x3F,0x2F,0xAF,0x7B,0x62,0xAE,0x0A, + 0x4A,0xBF,0x4B,0x39,0x2E,0x35,0x10,0x8B,0xFE,0x04,0x39,0xE4,0x3C,0x3A,0x0C,0x09, + 0x56,0x40,0x3A,0xB5,0xF4,0xC2,0x68,0x0C,0xB5,0xF9,0x52,0xCD,0xEE,0x9D,0xF8,0x98, + 0xFC,0x78,0xE7,0x58,0x47,0x8F,0x1C,0x73,0x58,0x69,0x33,0xAB,0xFF,0xDD,0xDF,0x8E, + 0x24,0x01,0x77,0x98,0x19,0x3A,0xB0,0x66,0x79,0xBC,0xE1,0x08,0xA3,0x0E,0x4F,0xC1, + 0x04,0xB3,0xF3,0x01,0xC8,0xEB,0xD3,0x59,0x1C,0x35,0xD2,0x93,0x1E,0x70,0x65,0x82, + 0x7F,0xDB,0xCF,0xFB,0xC8,0x99,0x12,0x60,0xC3,0x44,0x6F,0x3A,0x80,0x4B,0xD7,0xBE, + 0x21,0xAA,0x14,0x7A,0x64,0xCB,0xDD,0x37,0x43,0x45,0x5B,0x32,0x2E,0x45,0xF0,0xD9, + 0x59,0x1F,0x6B,0x18,0xF0,0x7C,0xE9,0x55,0x36,0x19,0x61,0x5F,0xB5,0x7D,0xF1,0x8D, + 0xBD,0x88,0xE4,0x75,0x4B,0x98,0xDD,0x27,0xB0,0xE4,0x84,0x44,0x2A,0x61,0x84,0x57, + 0x05,0x82,0x11,0x1F,0xAA,0x35,0x58,0xF3,0x20,0x0E,0xAF,0x59,0xEF,0xFA,0x55,0x72, + 0x72,0x0D,0x26,0xD0,0x9B,0x53,0x49,0xAC,0xCE,0x37,0x2E,0x65,0x61,0xFF,0xF6,0xEC, + 0x1B,0xEA,0xF6,0xF1,0xA6,0xD3,0xD1,0xB5,0x7B,0xBE,0x35,0xF4,0x22,0xC1,0xBC,0x8D, + 0x01,0xBD,0x68,0x5E,0x83,0x0D,0x2F,0xEC,0xD6,0xDA,0x63,0x0C,0x27,0xD1,0x54,0x3E, + 0xE4,0xA8,0xD3,0xCE,0x4B,0x32,0xB8,0x91,0x94,0xFF,0xFB,0x5B,0x49,0x2D,0x75,0x18, + 0xA8,0xBA,0x71,0x9A,0x3B,0xAE,0xD9,0xC0,0xA9,0x4F,0x87,0x91,0xED,0x8B,0x7B,0x6B, + 0x20,0x98,0x89,0x39,0x83,0x4F,0x80,0xC4,0x69,0xCC,0x17,0xC9,0xC8,0x4E,0xBE,0xE4, + 0xA9,0xA5,0x81,0x76,0x70,0x06,0x04,0x32,0xCD,0x83,0x65,0xF4,0xBC,0x7D,0x3E,0x13, + 0xBC,0xD2,0xE8,0x6F,0x63,0xAA,0xB5,0x3B,0xDA,0x8D,0x86,0x32,0x82,0x78,0x9D,0xD9, + 0xCC,0xFF,0xBF,0x57,0x64,0x74,0xED,0x28,0x3D,0x44,0x62,0x15,0x61,0x4B,0xF7,0x94, + 0xB0,0x0D,0x2A,0x67,0x1C,0xF0,0xCB,0x9B,0xA5,0x92,0xBF,0xF8,0x41,0x5A,0xC1,0x3D, + 
0x60,0xED,0x9F,0xBB,0xB8,0x6D,0x9B,0xCE,0xA9,0x6A,0x16,0x3F,0x7E,0xEA,0x06,0xF1, +}; + +/* subject:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ +/* issuer :/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority */ +/* Not After : Sep 17 19:46:36 2036 GMT */ + +unsigned char root_Cert[1997]={ + 0x30,0x82,0x07,0xC9,0x30,0x82,0x05,0xB1,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, + 0x7D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16, + 0x30,0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F, + 0x6D,0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13, + 0x22,0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20, + 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E, + 0x69,0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74, + 0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, + 0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E, + 0x17,0x0D,0x30,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x17, + 0x0D,0x33,0x36,0x30,0x39,0x31,0x37,0x31,0x39,0x34,0x36,0x33,0x36,0x5A,0x30,0x7D, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x4C,0x31,0x16,0x30, + 0x14,0x06,0x03,0x55,0x04,0x0A,0x13,0x0D,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D, + 0x20,0x4C,0x74,0x64,0x2E,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x0B,0x13,0x22, + 0x53,0x65,0x63,0x75,0x72,0x65,0x20,0x44,0x69,0x67,0x69,0x74,0x61,0x6C,0x20,0x43, + 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x53,0x69,0x67,0x6E,0x69, + 0x6E,0x67,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x13,0x20,0x53,0x74,0x61, + 0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 
0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x02, + 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, + 0x03,0x82,0x02,0x0F,0x00,0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xC1,0x88, + 0xDB,0x09,0xBC,0x6C,0x46,0x7C,0x78,0x9F,0x95,0x7B,0xB5,0x33,0x90,0xF2,0x72,0x62, + 0xD6,0xC1,0x36,0x20,0x22,0x24,0x5E,0xCE,0xE9,0x77,0xF2,0x43,0x0A,0xA2,0x06,0x64, + 0xA4,0xCC,0x8E,0x36,0xF8,0x38,0xE6,0x23,0xF0,0x6E,0x6D,0xB1,0x3C,0xDD,0x72,0xA3, + 0x85,0x1C,0xA1,0xD3,0x3D,0xB4,0x33,0x2B,0xD3,0x2F,0xAF,0xFE,0xEA,0xB0,0x41,0x59, + 0x67,0xB6,0xC4,0x06,0x7D,0x0A,0x9E,0x74,0x85,0xD6,0x79,0x4C,0x80,0x37,0x7A,0xDF, + 0x39,0x05,0x52,0x59,0xF7,0xF4,0x1B,0x46,0x43,0xA4,0xD2,0x85,0x85,0xD2,0xC3,0x71, + 0xF3,0x75,0x62,0x34,0xBA,0x2C,0x8A,0x7F,0x1E,0x8F,0xEE,0xED,0x34,0xD0,0x11,0xC7, + 0x96,0xCD,0x52,0x3D,0xBA,0x33,0xD6,0xDD,0x4D,0xDE,0x0B,0x3B,0x4A,0x4B,0x9F,0xC2, + 0x26,0x2F,0xFA,0xB5,0x16,0x1C,0x72,0x35,0x77,0xCA,0x3C,0x5D,0xE6,0xCA,0xE1,0x26, + 0x8B,0x1A,0x36,0x76,0x5C,0x01,0xDB,0x74,0x14,0x25,0xFE,0xED,0xB5,0xA0,0x88,0x0F, + 0xDD,0x78,0xCA,0x2D,0x1F,0x07,0x97,0x30,0x01,0x2D,0x72,0x79,0xFA,0x46,0xD6,0x13, + 0x2A,0xA8,0xB9,0xA6,0xAB,0x83,0x49,0x1D,0xE5,0xF2,0xEF,0xDD,0xE4,0x01,0x8E,0x18, + 0x0A,0x8F,0x63,0x53,0x16,0x85,0x62,0xA9,0x0E,0x19,0x3A,0xCC,0xB5,0x66,0xA6,0xC2, + 0x6B,0x74,0x07,0xE4,0x2B,0xE1,0x76,0x3E,0xB4,0x6D,0xD8,0xF6,0x44,0xE1,0x73,0x62, + 0x1F,0x3B,0xC4,0xBE,0xA0,0x53,0x56,0x25,0x6C,0x51,0x09,0xF7,0xAA,0xAB,0xCA,0xBF, + 0x76,0xFD,0x6D,0x9B,0xF3,0x9D,0xDB,0xBF,0x3D,0x66,0xBC,0x0C,0x56,0xAA,0xAF,0x98, + 0x48,0x95,0x3A,0x4B,0xDF,0xA7,0x58,0x50,0xD9,0x38,0x75,0xA9,0x5B,0xEA,0x43,0x0C, + 0x02,0xFF,0x99,0xEB,0xE8,0x6C,0x4D,0x70,0x5B,0x29,0x65,0x9C,0xDD,0xAA,0x5D,0xCC, + 0xAF,0x01,0x31,0xEC,0x0C,0xEB,0xD2,0x8D,0xE8,0xEA,0x9C,0x7B,0xE6,0x6E,0xF7,0x27, + 0x66,0x0C,0x1A,0x48,0xD7,0x6E,0x42,0xE3,0x3F,0xDE,0x21,0x3E,0x7B,0xE1,0x0D,0x70, + 0xFB,0x63,0xAA,0xA8,0x6C,0x1A,0x54,0xB4,0x5C,0x25,0x7A,0xC9,0xA2,0xC9,0x8B,0x16, + 
0xA6,0xBB,0x2C,0x7E,0x17,0x5E,0x05,0x4D,0x58,0x6E,0x12,0x1D,0x01,0xEE,0x12,0x10, + 0x0D,0xC6,0x32,0x7F,0x18,0xFF,0xFC,0xF4,0xFA,0xCD,0x6E,0x91,0xE8,0x36,0x49,0xBE, + 0x1A,0x48,0x69,0x8B,0xC2,0x96,0x4D,0x1A,0x12,0xB2,0x69,0x17,0xC1,0x0A,0x90,0xD6, + 0xFA,0x79,0x22,0x48,0xBF,0xBA,0x7B,0x69,0xF8,0x70,0xC7,0xFA,0x7A,0x37,0xD8,0xD8, + 0x0D,0xD2,0x76,0x4F,0x57,0xFF,0x90,0xB7,0xE3,0x91,0xD2,0xDD,0xEF,0xC2,0x60,0xB7, + 0x67,0x3A,0xDD,0xFE,0xAA,0x9C,0xF0,0xD4,0x8B,0x7F,0x72,0x22,0xCE,0xC6,0x9F,0x97, + 0xB6,0xF8,0xAF,0x8A,0xA0,0x10,0xA8,0xD9,0xFB,0x18,0xC6,0xB6,0xB5,0x5C,0x52,0x3C, + 0x89,0xB6,0x19,0x2A,0x73,0x01,0x0A,0x0F,0x03,0xB3,0x12,0x60,0xF2,0x7A,0x2F,0x81, + 0xDB,0xA3,0x6E,0xFF,0x26,0x30,0x97,0xF5,0x8B,0xDD,0x89,0x57,0xB6,0xAD,0x3D,0xB3, + 0xAF,0x2B,0xC5,0xB7,0x76,0x02,0xF0,0xA5,0xD6,0x2B,0x9A,0x86,0x14,0x2A,0x72,0xF6, + 0xE3,0x33,0x8C,0x5D,0x09,0x4B,0x13,0xDF,0xBB,0x8C,0x74,0x13,0x52,0x4B,0x02,0x03, + 0x01,0x00,0x01,0xA3,0x82,0x02,0x52,0x30,0x82,0x02,0x4E,0x30,0x0C,0x06,0x03,0x55, + 0x1D,0x13,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F, + 0x04,0x04,0x03,0x02,0x01,0xAE,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0x4E,0x0B,0xEF,0x1A,0xA4,0x40,0x5B,0xA5,0x17,0x69,0x87,0x30,0xCA,0x34,0x68, + 0x43,0xD0,0x41,0xAE,0xF2,0x30,0x64,0x06,0x03,0x55,0x1D,0x1F,0x04,0x5D,0x30,0x5B, + 0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63, + 0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67, + 0x2F,0x73,0x66,0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x2B, + 0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C, + 0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x73,0x66, + 0x73,0x63,0x61,0x2D,0x63,0x72,0x6C,0x2E,0x63,0x72,0x6C,0x30,0x82,0x01,0x5D,0x06, + 0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x54,0x30,0x82,0x01,0x50,0x30,0x82,0x01,0x4C, + 0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x81,0xB5,0x37,0x01,0x01,0x01,0x30,0x82,0x01, + 
0x3B,0x30,0x2F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x23,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74, + 0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70, + 0x64,0x66,0x30,0x35,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x29, + 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72, + 0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72,0x67,0x2F,0x69,0x6E,0x74,0x65,0x72,0x6D,0x65, + 0x64,0x69,0x61,0x74,0x65,0x2E,0x70,0x64,0x66,0x30,0x81,0xD0,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xC3,0x30,0x27,0x16,0x20,0x53,0x74,0x61, + 0x72,0x74,0x20,0x43,0x6F,0x6D,0x6D,0x65,0x72,0x63,0x69,0x61,0x6C,0x20,0x28,0x53, + 0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x29,0x20,0x4C,0x74,0x64,0x2E,0x30,0x03,0x02, + 0x01,0x01,0x1A,0x81,0x97,0x4C,0x69,0x6D,0x69,0x74,0x65,0x64,0x20,0x4C,0x69,0x61, + 0x62,0x69,0x6C,0x69,0x74,0x79,0x2C,0x20,0x72,0x65,0x61,0x64,0x20,0x74,0x68,0x65, + 0x20,0x73,0x65,0x63,0x74,0x69,0x6F,0x6E,0x20,0x2A,0x4C,0x65,0x67,0x61,0x6C,0x20, + 0x4C,0x69,0x6D,0x69,0x74,0x61,0x74,0x69,0x6F,0x6E,0x73,0x2A,0x20,0x6F,0x66,0x20, + 0x74,0x68,0x65,0x20,0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x43,0x65,0x72, + 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, + 0x72,0x69,0x74,0x79,0x20,0x50,0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x76,0x61,0x69, + 0x6C,0x61,0x62,0x6C,0x65,0x20,0x61,0x74,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, + 0x63,0x65,0x72,0x74,0x2E,0x73,0x74,0x61,0x72,0x74,0x63,0x6F,0x6D,0x2E,0x6F,0x72, + 0x67,0x2F,0x70,0x6F,0x6C,0x69,0x63,0x79,0x2E,0x70,0x64,0x66,0x30,0x11,0x06,0x09, + 0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,0x04,0x04,0x03,0x02,0x00,0x07,0x30, + 0x38,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,0x04,0x2B,0x16,0x29, + 0x53,0x74,0x61,0x72,0x74,0x43,0x6F,0x6D,0x20,0x46,0x72,0x65,0x65,0x20,0x53,0x53, + 0x4C,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, + 
0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x02,0x01,0x00,0x16,0x6C,0x99, + 0xF4,0x66,0x0C,0x34,0xF5,0xD0,0x85,0x5E,0x7D,0x0A,0xEC,0xDA,0x10,0x4E,0x38,0x1C, + 0x5E,0xDF,0xA6,0x25,0x05,0x4B,0x91,0x32,0xC1,0xE8,0x3B,0xF1,0x3D,0xDD,0x44,0x09, + 0x5B,0x07,0x49,0x8A,0x29,0xCB,0x66,0x02,0xB7,0xB1,0x9A,0xF7,0x25,0x98,0x09,0x3C, + 0x8E,0x1B,0xE1,0xDD,0x36,0x87,0x2B,0x4B,0xBB,0x68,0xD3,0x39,0x66,0x3D,0xA0,0x26, + 0xC7,0xF2,0x39,0x91,0x1D,0x51,0xAB,0x82,0x7B,0x7E,0xD5,0xCE,0x5A,0xE4,0xE2,0x03, + 0x57,0x70,0x69,0x97,0x08,0xF9,0x5E,0x58,0xA6,0x0A,0xDF,0x8C,0x06,0x9A,0x45,0x16, + 0x16,0x38,0x0A,0x5E,0x57,0xF6,0x62,0xC7,0x7A,0x02,0x05,0xE6,0xBC,0x1E,0xB5,0xF2, + 0x9E,0xF4,0xA9,0x29,0x83,0xF8,0xB2,0x14,0xE3,0x6E,0x28,0x87,0x44,0xC3,0x90,0x1A, + 0xDE,0x38,0xA9,0x3C,0xAC,0x43,0x4D,0x64,0x45,0xCE,0xDD,0x28,0xA9,0x5C,0xF2,0x73, + 0x7B,0x04,0xF8,0x17,0xE8,0xAB,0xB1,0xF3,0x2E,0x5C,0x64,0x6E,0x73,0x31,0x3A,0x12, + 0xB8,0xBC,0xB3,0x11,0xE4,0x7D,0x8F,0x81,0x51,0x9A,0x3B,0x8D,0x89,0xF4,0x4D,0x93, + 0x66,0x7B,0x3C,0x03,0xED,0xD3,0x9A,0x1D,0x9A,0xF3,0x65,0x50,0xF5,0xA0,0xD0,0x75, + 0x9F,0x2F,0xAF,0xF0,0xEA,0x82,0x43,0x98,0xF8,0x69,0x9C,0x89,0x79,0xC4,0x43,0x8E, + 0x46,0x72,0xE3,0x64,0x36,0x12,0xAF,0xF7,0x25,0x1E,0x38,0x89,0x90,0x77,0x7E,0xC3, + 0x6B,0x6A,0xB9,0xC3,0xCB,0x44,0x4B,0xAC,0x78,0x90,0x8B,0xE7,0xC7,0x2C,0x1E,0x4B, + 0x11,0x44,0xC8,0x34,0x52,0x27,0xCD,0x0A,0x5D,0x9F,0x85,0xC1,0x89,0xD5,0x1A,0x78, + 0xF2,0x95,0x10,0x53,0x32,0xDD,0x80,0x84,0x66,0x75,0xD9,0xB5,0x68,0x28,0xFB,0x61, + 0x2E,0xBE,0x84,0xA8,0x38,0xC0,0x99,0x12,0x86,0xA5,0x1E,0x67,0x64,0xAD,0x06,0x2E, + 0x2F,0xA9,0x70,0x85,0xC7,0x96,0x0F,0x7C,0x89,0x65,0xF5,0x8E,0x43,0x54,0x0E,0xAB, + 0xDD,0xA5,0x80,0x39,0x94,0x60,0xC0,0x34,0xC9,0x96,0x70,0x2C,0xA3,0x12,0xF5,0x1F, + 0x48,0x7B,0xBD,0x1C,0x7E,0x6B,0xB7,0x9D,0x90,0xF4,0x22,0x3B,0xAE,0xF8,0xFC,0x2A, + 0xCA,0xFA,0x82,0x52,0xA0,0xEF,0xAF,0x4B,0x55,0x93,0xEB,0xC1,0xB5,0xF0,0x22,0x8B, + 
0xAC,0x34,0x4E,0x26,0x22,0x04,0xA1,0x87,0x2C,0x75,0x4A,0xB7,0xE5,0x7D,0x13,0xD7,
+ 0xB8,0x0C,0x64,0xC0,0x36,0xD2,0xC9,0x2F,0x86,0x12,0x8C,0x23,0x09,0xC1,0x1B,0x82,
+ 0x3B,0x73,0x49,0xA3,0x6A,0x57,0x87,0x94,0xE5,0xD6,0x78,0xC5,0x99,0x43,0x63,0xE3,
+ 0x4D,0xE0,0x77,0x2D,0xE1,0x65,0x99,0x72,0x69,0x04,0x1A,0x47,0x09,0xE6,0x0F,0x01,
+ 0x56,0x24,0xFB,0x1F,0xBF,0x0E,0x79,0xA9,0x58,0x2E,0xB9,0xC4,0x09,0x01,0x7E,0x95,
+ 0xBA,0x6D,0x00,0x06,0x3E,0xB2,0xEA,0x4A,0x10,0x39,0xD8,0xD0,0x2B,0xF5,0xBF,0xEC,
+ 0x75,0xBF,0x97,0x02,0xC5,0x09,0x1B,0x08,0xDC,0x55,0x37,0xE2,0x81,0xFB,0x37,0x84,
+ 0x43,0x62,0x20,0xCA,0xE7,0x56,0x4B,0x65,0xEA,0xFE,0x6C,0xC1,0x24,0x93,0x24,0xA1,
+ 0x34,0xEB,0x05,0xFF,0x9A,0x22,0xAE,0x9B,0x7D,0x3F,0xF1,0x65,0x51,0x0A,0xA6,0x30,
+ 0x6A,0xB3,0xF4,0x88,0x1C,0x80,0x0D,0xFC,0x72,0x8A,0xE8,0x83,0x5E,
+};
+
+
+static SecCertificateRef createCertFromStaticData(const UInt8 *certData, CFIndex certLength)
+{
+ SecCertificateRef cert = NULL;
+ CFDataRef data = CFDataCreateWithBytesNoCopy(NULL, certData, certLength, kCFAllocatorNull);
+ if (data) {
+ cert = SecCertificateCreateWithData(NULL, data);
+ CFRelease(data);
+ }
+ return cert;
+}
+
+static void TestLeafOnAllowList()
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ CFArrayRef certArray = NULL;
+ CFArrayRef anchorsArray = NULL;
+
+ isnt(certs[0] = createCertFromStaticData(leafOnAllowList_Cert, sizeof(leafOnAllowList_Cert)),
+ NULL, "allowlist: create leaf cert");
+ isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+ NULL, "allowlist: create intermediate ca 1");
+ isnt(certs[2] = createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+ NULL, "allowlist: create intermediate ca 2");
+ isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+ NULL, "allowlist: create root");
+
+ isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create cert
array");
+
+ /* create a trust reference with basic policy */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "allowlist: create policy");
+ ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "allowlist: create trust");
+
+ /* set evaluate date: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "allowlist: create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "allowlist: set verify date");
+
+ /* use a known root CA at this point in time to anchor the chain */
+ isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create anchors array");
+ ok_status((anchorsArray) ? SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "allowlist: set anchors");
+
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ ok_status(SecTrustEvaluate(trust, &trustResult), "allowlist: evaluate");
+
+ /* expected result is kSecTrustResultUnspecified since cert is on allow list and its issuer chains to a trusted root */
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+
+ /* clean up */
+ for(CFIndex idx=0; idx < 4; idx++) {
+ if (certs[idx]) { CFRelease(certs[idx]); }
+ }
+ if (policy) { CFRelease(policy); }
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+ if (certArray) { CFRelease(certArray); }
+ if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestLeafNotOnAllowList()
+{
+ SecCertificateRef certs[4];
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ CFArrayRef certArray = NULL;
+ CFArrayRef anchorsArray = NULL;
+
+ isnt(certs[0] = createCertFromStaticData(leafNotOnAllowList_Cert, sizeof(leafNotOnAllowList_Cert)),
+ NULL, "!allowlist: create leaf cert");
+ isnt(certs[1] = createCertFromStaticData(ca1_Cert, sizeof(ca1_Cert)),
+ NULL, "!allowlist: create intermediate ca 1");
+ isnt(certs[2] =
createCertFromStaticData(ca2_Cert, sizeof(ca2_Cert)),
+ NULL, "!allowlist: create intermediate ca 2");
+ isnt(certs[3] = createCertFromStaticData(root_Cert, sizeof(root_Cert)),
+ NULL, "!allowlist: create root");
+
+ isnt(certArray = CFArrayCreate(kCFAllocatorDefault, (const void **)&certs[0], 4, &kCFTypeArrayCallBacks),
+ NULL, "!allowlist: create cert array");
+
+ /* create a trust reference with basic policy */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "!allowlist: create policy");
+ ok_status(SecTrustCreateWithCertificates(certArray, policy, &trust), "!allowlist: create trust");
+
+ /* set evaluate date: September 7, 2016 at 9:00:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495000000.0), NULL, "!allowlist: create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "!allowlist: set verify date");
+
+ /* use a known root CA at this point in time to anchor the chain */
+ isnt(anchorsArray = CFArrayCreate(NULL, (const void **)&certs[3], 1, &kCFTypeArrayCallBacks),
+ NULL, "allowlist: create anchors array");
+ ok_status((anchorsArray) ?
SecTrustSetAnchorCertificates(trust, anchorsArray) : errSecParam, "!allowlist: set anchors");
+
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ ok_status(SecTrustEvaluate(trust, &trustResult), "!allowlist: evaluate");
+
+ /* expected result is kSecTrustResultRecoverableTrustFailure (if issuer is distrusted)
+ or kSecTrustResultFatalTrustFailure (if issuer is revoked), since cert is not on allow list */
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure ||
+ trustResult == kSecTrustResultFatalTrustFailure,
+ "trustResult 5 or 6 expected (got %d)", (int)trustResult);
+
+ /* clean up */
+ for(CFIndex idx=0; idx < 4; idx++) {
+ if (certs[idx]) { CFRelease(certs[idx]); }
+ }
+ if (policy) { CFRelease(policy); }
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+ if (certArray) { CFRelease(certArray); }
+ if (anchorsArray) { CFRelease(anchorsArray); }
+}
+
+static void TestAllowListForRootCA(void)
+{
+ SecCertificateRef test0[2] = {NULL,NULL};
+ SecCertificateRef test1[2] = {NULL,NULL};
+ SecCertificateRef test1e[2] = {NULL,NULL};
+ SecCertificateRef test2[2] = {NULL,NULL};
+ SecPolicyRef policy = NULL;
+ SecTrustRef trust = NULL;
+ CFDateRef date = NULL;
+ SecTrustResultType trustResult;
+
+ isnt(test0[0] = createCertFromStaticData(cert0, sizeof(cert0)),
+ NULL, "create first leaf");
+ isnt(test1[0] = createCertFromStaticData(cert1, sizeof(cert1)),
+ NULL, "create second leaf");
+ isnt(test1e[0] = createCertFromStaticData(cert1_expired, sizeof(cert1_expired)),
+ NULL, "create second leaf (expired)");
+ isnt(test2[0] = createCertFromStaticData(cert2, sizeof(cert2)),
+ NULL, "create third leaf");
+
+ isnt(test0[1] = createCertFromStaticData(intermediate0, sizeof(intermediate0)),
+ NULL, "create intermediate");
+ isnt(test1[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+ NULL, "create intermediate");
+ isnt(test1e[1] = createCertFromStaticData(intermediate1, sizeof(intermediate1)),
+ NULL, "create
intermediate");
+ isnt(test2[1] = createCertFromStaticData(intermediate2, sizeof(intermediate2)),
+ NULL, "create intermediate");
+
+ CFArrayRef certs0 = CFArrayCreate(kCFAllocatorDefault, (const void **)test0, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs1 = CFArrayCreate(kCFAllocatorDefault, (const void **)test1, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs1e = CFArrayCreate(kCFAllocatorDefault, (const void **)test1e, 2, &kCFTypeArrayCallBacks);
+ CFArrayRef certs2 = CFArrayCreate(kCFAllocatorDefault, (const void **)test2, 2, &kCFTypeArrayCallBacks);
+
+ /*
+ * Whitelisted certificates issued by untrusted root CA.
+ */
+ isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy");
+ ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ?
SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ ok_status(SecTrustCreateWithCertificates(certs2, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+ /*
+ * Same certificate, on allow list but past expiration. Expect to fail.
+ */
+ if (date) { CFRelease(date); }
+ isnt(date = CFDateCreate(NULL, 667680000.0), NULL, "create date");
+ ok_status((date) ? SecTrustSetVerifyDate(trust, date) : errSecParam, "set date to far future so certs are expired");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+ /*
+ * Expired certificate not on allow list. Expect to fail.
+ */
+ ok_status(SecTrustCreateWithCertificates(certs1e, policy, &trust), "create trust");
+ /* set evaluate date within validity range: September 12, 2016 at 1:30:00 PM PDT */
+ isnt(date = CFDateCreate(NULL, 495405000.0), NULL, "create date");
+ ok_status((date) ?
SecTrustSetVerifyDate(trust, date) : errSecParam, "set verify date");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
+ (int)trustResult);
+ if (trust) { CFRelease(trust); }
+ if (date) { CFRelease(date); }
+
+
+ /* Clean up. */
+ if (policy) { CFRelease(policy); }
+ if (certs0) { CFRelease(certs0); }
+ if (certs1) { CFRelease(certs1); }
+ if (certs1e) { CFRelease(certs1e); }
+ if (certs2) { CFRelease(certs2); }
+
+ if (test0[0]) { CFRelease(test0[0]); }
+ if (test0[1]) { CFRelease(test0[1]); }
+ if (test1[0]) { CFRelease(test1[0]); }
+ if (test1[1]) { CFRelease(test1[1]); }
+ if (test1e[0]) { CFRelease(test1e[0]); }
+ if (test1e[1]) { CFRelease(test1e[1]); }
+ if (test2[0]) { CFRelease(test2[0]); }
+ if (test2[1]) { CFRelease(test2[1]); }
+}
+
+static void tests(void)
+{
+ TestAllowListForRootCA();
+ TestLeafOnAllowList();
+ TestLeafNotOnAllowList();
+}
+
+int si_84_sectrust_allowlist(int argc, char *const *argv)
+{
+ plan_tests(59);
+ tests();
+
+ return 0;
+}
diff --git a/OSX/sec/Security/SecAccessControl.c b/OSX/sec/Security/SecAccessControl.c
index 752cf3e3..d7c506d4 100644
--- a/OSX/sec/Security/SecAccessControl.c
+++ b/OSX/sec/Security/SecAccessControl.c
@@ -175,6 +175,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF
 require_quiet(constraint = SecAccessConstraintCreateValueOfKofN(allocator, or?1:constraints_count, constraints, error), errOut);
 if (flags & kSecAccessControlPrivateKeyUsage) {
 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, constraint, error), errOut);
+ require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, constraint, error), errOut);
 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut);
 } else {
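Review bot: kAKSKeyOpComputeKey is only accepted by CheckItemInArray inside the `#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80)` block of hunk @@ -340, but the constraint added for it in this hunk has no conditional visible in its context, unlike hunks @@ -189 and @@ -203 where the `#if` guard is shown. If this branch is not under the same conditional — SecAccessControlCreateWithFlags starts outside the hunk, so I cannot tell — the new call fails the operation check on builds where the guard is false and creation jumps to errOut; the existing kAKSKeyOpSign call on the same lines suggests it is guarded, but that is worth confirming or making explicit with the same `#if`. The same Sign/ComputeKey/Attest wiring is now repeated in three branches, which invites the next operation to be added in only two of them. A one-line comment at the first added line would help the reader, e.g. `/* ComputeKey uses the private key like Sign, so it is bound to the same constraint. */`.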
@@ -189,6 +190,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF #if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (flags & kSecAccessControlPrivateKeyUsage) { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, CFArrayGetValueAtIndex(constraints, 0), error), errOut); + require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, CFArrayGetValueAtIndex(constraints, 0), error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut); } else { @@ -203,6 +205,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF #if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (flags & kSecAccessControlPrivateKeyUsage) { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, kCFBooleanTrue, error), errOut); + require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, kCFBooleanTrue, error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut); } @@ -340,7 +343,7 @@ errOut: bool SecAccessControlAddConstraintForOperation(SecAccessControlRef access_control, CFTypeRef operation, CFTypeRef constraint, CFErrorRef *error) { CheckItemInArray(operation, ItemArray(kAKSKeyOpEncrypt, kAKSKeyOpDecrypt, #if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) - kAKSKeyOpSign, kAKSKeyOpAttest, + kAKSKeyOpSign, kAKSKeyOpAttest, kAKSKeyOpComputeKey, #endif kAKSKeyOpSync, kAKSKeyOpDefaultAcl, kAKSKeyOpDelete), "SecAccessControl: invalid operation %@"); diff --git a/OSX/sec/Security/SecCTKKey.c b/OSX/sec/Security/SecCTKKey.c index 93181ca1..bbc468d8 100644 --- a/OSX/sec/Security/SecCTKKey.c 
+++ b/OSX/sec/Security/SecCTKKey.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -227,6 +228,8 @@ out: return attrs; }
+static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key);
+
 static SecKeyDescriptor kSecCTKKeyDescriptor = { .version = kSecKeyDescriptorVersion, .name = "CTKKey",
@@ -239,8 +242,26 @@ static SecKeyDescriptor kSecCTKKeyDescriptor = { .getAlgorithmID = SecCTKGetAlgorithmID, .copyPublic = SecCTKKeyCopyPublicOctets, .copyOperationResult = SecCTKKeyCopyOperationResult,
+ .createDuplicate = SecCTKKeyCreateDuplicate,
 };
+static SecKeyRef SecCTKKeyCreateDuplicate(SecKeyRef key) {
+ SecKeyRef result = SecKeyCreate(CFGetAllocator(key), &kSecCTKKeyDescriptor, 0, 0, 0);
+ SecCTKKeyData *kd = key->key, *rd = result->key;
+ rd->token = CFRetainSafe(kd->token);
+ rd->objectID = CFRetainSafe(kd->objectID);
+ rd->token_id = CFRetainSafe(kd->token_id);
+ if (kd->attributes.dictionary != NULL) {
+ rd->attributes.dictionary = kd->attributes.dictionary;
+ SecCFDictionaryCOWGetMutable(&rd->attributes);
+ }
+ if (kd->auth_params.dictionary != NULL) {
+ rd->auth_params.dictionary = kd->auth_params.dictionary;
+ SecCFDictionaryCOWGetMutable(&rd->auth_params);
+ }
+ return result;
+}
+
 SecKeyRef SecKeyCreateCTKKey(CFAllocatorRef allocator, CFDictionaryRef refAttributes, CFErrorRef *error) { SecKeyRef key = SecKeyCreate(allocator, &kSecCTKKeyDescriptor, 0, 0, 0); SecCTKKeyData *kd = key->key;
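Review bot: In SecCTKKeyCreateDuplicate the source dictionaries are copied into the duplicate's COW structs as bare pointers (`rd->attributes.dictionary = kd->attributes.dictionary;` and the same for auth_params) before SecCFDictionaryCOWGetMutable is called, with no retain and no comment on who owns what. If the helper makes its mutable copy and then releases the old `dictionary`, the source key's dictionary is over-released; if it only copies, the duplicate keeps an unretained pointer that is released when it is destroyed; either way a `CFRetainSafe()` on the assignment, or a comment stating the helper's ownership contract, is needed here. The `result->key` dereference also assumes SecKeyCreate never returns NULL, which matches the existing SecKeyCreateCTKKey below but is worth a one-line note. The function is complete within the hunk.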
@@ -425,18 +446,57 @@ out: } Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) {
+ CFTypeRef acm_reference = NULL;
 require_action_quiet(key->key_class == &kSecCTKKeyDescriptor, out, SecError(errSecUnimplemented, error, CFSTR("SecKeySetParameter() not supported for key %@"), key)); SecCTKKeyData *kd = key->key;
- if (kd->params == NULL) {
- kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+
+ static const CFStringRef *const knownUseFlags[] = {
+ &kSecUseOperationPrompt,
+ &kSecUseAuthenticationContext,
+ &kSecUseAuthenticationUI,
+ &kSecUseCallerName,
+ &kSecUseCredentialReference,
+ };
+
+ // Check, whether name is part of known use flags.
+ bool isUseFlag = false;
+ for (size_t i = 0; i < array_size(knownUseFlags); i++) {
+ if (CFEqual(*knownUseFlags[i], name)) {
+ isUseFlag = true;
+ break;
+ }
 }
- if (value != NULL) {
- CFDictionarySetValue(kd->params, name, value);
+
+ if (CFEqual(name, kSecUseAuthenticationContext)) {
+ // Preprocess LAContext to ACMRef value.
+ if (value != NULL) {
+ require_quiet(acm_reference = SecItemAttributesCopyPreparedAuthContext(value, error), out);
+ value = acm_reference;
+ }
+ name = kSecUseCredentialReference;
+ }
+
+ if (isUseFlag) {
+ // Release existing token connection to enforce creation of new connection with new auth params.
+ CFReleaseNull(kd->token);
+ if (value != NULL) {
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name, value);
+ } else {
+ CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->auth_params), name);
+ }
 } else {
- CFDictionaryRemoveValue(kd->params, name);
+ if (kd->params == NULL) {
+ kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ }
+ if (value != NULL) {
+ CFDictionarySetValue(kd->params, name, value);
+ } else {
+ CFDictionaryRemoveValue(kd->params, name);
+ }
 }
 out:
+ CFReleaseSafe(acm_reference);
 return TRUE; }
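Review bot: SecKeySetParameter still returns TRUE on the new failure path: when SecItemAttributesCopyPreparedAuthContext fails, `require_quiet(..., out)` jumps to `out:`, which releases acm_reference and returns TRUE with *error set, so a caller testing the Boolean proceeds as though the credential reference had been installed. Track the outcome in a local — `Boolean ok = FALSE;` at the top, `ok = TRUE;` just before `out:`, `return ok;` at the end — or document that callers must consult *error rather than the return value. `isUseFlag` is computed before `name` is rewritten to kSecUseCredentialReference, which is correct because both names are in knownUseFlags, but a one-line comment saying so would spare the next reader the check. The function is complete within the hunk.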
diff --git a/OSX/sec/Security/SecCertificate.c b/OSX/sec/Security/SecCertificate.c index 674e1607..3d437f1f 100644 --- a/OSX/sec/Security/SecCertificate.c +++ b/OSX/sec/Security/SecCertificate.c @@ -5045,7 +5045,7 @@ SecKeyRef SecCertificateCopyPublicKey(SecCertificateRef certificate) return CFRetainSafe(certificate->_pubKey); } -bool SecCertificateIsWeak(SecCertificateRef certificate) { +bool SecCertificateIsWeakKey(SecCertificateRef certificate) { bool weak = true; SecKeyRef pubKey = NULL; #if SECTRUST_OSX @@ -5070,6 +5070,19 @@ out: return weak; } +bool SecCertificateIsWeakHash(SecCertificateRef certificate) { + SecSignatureHashAlgorithm certAlg = 0; + certAlg = SecCertificateGetSignatureHashAlgorithm(certificate); + if (certAlg == kSecSignatureHashAlgorithmUnknown || + certAlg == kSecSignatureHashAlgorithmMD2 || + certAlg == kSecSignatureHashAlgorithmMD4 || + certAlg == kSecSignatureHashAlgorithmMD5 || + certAlg == kSecSignatureHashAlgorithmSHA1) { + return true; + } + return false; +} + bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate, CFDictionaryRef keySizes) { bool goodSize = false; diff --git a/OSX/sec/Security/SecCertificateInternal.h b/OSX/sec/Security/SecCertificateInternal.h index 262c0377..da7de66f 100644 --- a/OSX/sec/Security/SecCertificateInternal.h +++ b/OSX/sec/Security/SecCertificateInternal.h @@ -329,7 +329,7 @@ OSStatus SecCertificateParseGeneralNameContentProperty(DERTag tag, OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *context, parseGeneralNameCallback callback); -bool SecCertificateIsWeak(SecCertificateRef certificate); +bool SecCertificateIsWeakKey(SecCertificateRef certificate); bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate, CFDictionaryRef keySizes); 
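Review bot: SecCertificateIsWeakHash returns true for kSecSignatureHashAlgorithmUnknown, which is the right fail-closed choice but is indistinguishable in the code from an oversight; a comment on the condition, `/* Unknown algorithms are deliberately treated as weak: an unrecognised signature must never pass as strong. */`, protects it from a later "fix". The SecCertificateInternal.h hunk that declares it would also benefit from a one-line description of what counts as weak (MD2, MD4, MD5, SHA-1 or unknown). The function is complete within the hunk.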
@@ -343,6 +343,8 @@ extern const CFStringRef kSecSignatureDigestAlgorithmSHA256; extern const CFStringRef kSecSignatureDigestAlgorithmSHA384; extern const CFStringRef kSecSignatureDigestAlgorithmSHA512; +bool SecCertificateIsWeakHash(SecCertificateRef certificate); + CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string); bool SecCertificateIsOidString(CFStringRef oid); diff --git a/OSX/sec/Security/SecCertificatePath.c b/OSX/sec/Security/SecCertificatePath.c index 9b47506b..1e05a332 100644 --- a/OSX/sec/Security/SecCertificatePath.c +++ b/OSX/sec/Security/SecCertificatePath.c @@ -600,7 +600,7 @@ SecPathVerifyStatus SecCertificatePathVerify( return kSecPathVerifySuccess; } -static bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime) { +bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime) { CFIndex ix; for (ix = 0; ix < certificatePath->count; ++ix) { if (!SecCertificateIsValid(certificatePath->certificates[ix], @@ -619,13 +619,7 @@ bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath) { count--; } for (ix = 0; ix < count; ++ix) { - SecSignatureHashAlgorithm certAlg = 0; - certAlg = SecCertificateGetSignatureHashAlgorithm(certificatePath->certificates[ix]); - if (certAlg == kSecSignatureHashAlgorithmUnknown || - certAlg == kSecSignatureHashAlgorithmMD2 || - certAlg == kSecSignatureHashAlgorithmMD4 || - certAlg == kSecSignatureHashAlgorithmMD5 || - certAlg == kSecSignatureHashAlgorithmSHA1) { + if (SecCertificateIsWeakHash(certificatePath->certificates[ix])) { return true; } } diff --git a/OSX/sec/Security/SecCertificatePath.h b/OSX/sec/Security/SecCertificatePath.h index b87932b5..a1e5e966 100644 --- a/OSX/sec/Security/SecCertificatePath.h +++ b/OSX/sec/Security/SecCertificatePath.h 
@@ -123,6 +123,8 @@ enum { SecPathVerifyStatus SecCertificatePathVerify( SecCertificatePathRef certificatePath); +bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime); + bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath); CFIndex SecCertificatePathScore(SecCertificatePathRef certificatePath, diff --git a/OSX/sec/Security/SecExports.exp-in b/OSX/sec/Security/SecExports.exp-in index f2356874..4399d1e5 100644 --- a/OSX/sec/Security/SecExports.exp-in +++ b/OSX/sec/Security/SecExports.exp-in @@ -96,6 +96,7 @@ _kSecPolicyAppleProfileSigner _kSecPolicyApplePushService _kSecPolicyAppleQAProfileSigner _kSecPolicyAppleRevocation +_kSecPolicyAppleSecureIOStaticAsset _kSecPolicyAppleServerAuthentication _kSecPolicyAppleSMIME _kSecPolicyAppleSMPEncryption @@ -110,6 +111,7 @@ _kSecPolicyAppleTimeStamping _kSecPolicyAppleTVOSApplicationSigning _kSecPolicyAppleUniqueDeviceIdentifierCertificate _kSecPolicyAppleURLBag +_kSecPolicyAppleWarsaw _kSecPolicyAppleX509Basic _kSecPolicyMacAppStoreReceipt @@ -226,12 +228,14 @@ _SecPolicyCreateApplePPQService _SecPolicyCreateApplePPQSigning _SecPolicyCreateApplePushService _SecPolicyCreateApplePushServiceLegacy +_SecPolicyCreateAppleSecureIOStaticAsset _SecPolicyCreateAppleSMPEncryption _SecPolicyCreateAppleSoftwareSigning _SecPolicyCreateAppleSSLPinned _SecPolicyCreateAppleSSLService _SecPolicyCreateAppleTimeStamping _SecPolicyCreateAppleTVOSApplicationSigning +_SecPolicyCreateAppleWarsaw _SecPolicyCreateBasicX509 _SecPolicyCreateCodeSigning _SecPolicyCreateConfigurationProfileSigner @@ -484,7 +488,8 @@ _SecCertificateIsSelfSigned _SecCertificateIsSelfSignedCA _SecCertificateIsSignedBy _SecCertificateIsValid -_SecCertificateIsWeak +_SecCertificateIsWeakHash +_SecCertificateIsWeakKey _SecCertificateNotValidAfter _SecCertificateNotValidBefore _SecCertificateParseGeneralNameContentProperty 
@@ -503,6 +508,7 @@ _SecCertificatePathGetRoot _SecCertificatePathGetUsageConstraintsAtIndex _SecCertificatePathHasWeakHash _SecCertificatePathIsAnchored +_SecCertificatePathIsValid _SecCertificatePathScore _SecCertificatePathSelfSignedIndex _SecCertificatePathSetIsAnchored @@ -779,6 +785,7 @@ _SecKeyCreate _SecKeyCreateAttestation _SecKeyCreateEncryptedData _SecKeyCreateDecryptedData +_SecKeyCreateDuplicate _SecKeyCreatePublicFromPrivate _SecKeyCreateSignature _SecKeyCreateFromAttributeDictionary diff --git a/OSX/sec/Security/SecItem.c b/OSX/sec/Security/SecItem.c index 161f56ce..18c36670 100644 --- a/OSX/sec/Security/SecItem.c +++ b/OSX/sec/Security/SecItem.c @@ -231,6 +231,8 @@ static OSStatus osstatus_for_ctk_error(CFIndex ctkError) { return errSecUnimplemented; case kTKErrorCodeCanceledByUser: return errSecUserCanceled; + case kTKErrorCodeCorruptedData: + return errSecDecode; default: return errSecInternal; } 
@@ -1028,6 +1030,23 @@ out: return ok; }
+CFDataRef SecItemAttributesCopyPreparedAuthContext(CFTypeRef la_context, CFErrorRef *error) {
+ void *la_lib = NULL;
+ CFDataRef acm_context = NULL;
+ require_action_quiet(la_lib = dlopen("/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication", RTLD_LAZY), out,
+ SecError(errSecInternal, error, CFSTR("failed to open LocalAuthentication.framework")));
+ LAFunctionCopyExternalizedContext fnCopyExternalizedContext = NULL;
+ require_action_quiet(fnCopyExternalizedContext = dlsym(la_lib, "LACopyExternalizedContext"), out,
+ SecError(errSecInternal, error, CFSTR("failed to obtain LACopyExternalizedContext")));
+ require_action_quiet(acm_context = fnCopyExternalizedContext(la_context), out,
+ SecError(errSecInternal, error, CFSTR("failed to get ACM handle from LAContext")));
+out:
+ if (la_lib != NULL) {
+ dlclose(la_lib);
+ }
+ return acm_context;
+}
+
 static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, bool forQuery, CFErrorRef *error) { bool ok = false; CFDataRef ac_data = NULL, acm_context = NULL;
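Review bot: SecItemAttributesCopyPreparedAuthContext dlopen()s and dlclose()s the LocalAuthentication framework on every call, and the SecCTKKey.c hunk in this diff now calls it from SecKeySetParameter as well as from SecItemAttributesPrepare, so the loader round-trip happens on every auth-parameter update. A once-initialised static handle would remove that cost; the absolute framework path and RTLD_LAZY are fine as they are. The matching declaration added to SecItemInternal.h (next file) carries no comment; `/* Externalizes an LAContext into ACM context data. Returns a retained CFDataRef the caller releases, or NULL with *error set. */` states the ownership both callers depend on. The function is complete within the hunk.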
@@ -1043,13 +1062,7 @@ static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, bool forQuery, C if (la_context) { require_action_quiet(!CFDictionaryContainsKey(attrs->dictionary, kSecUseCredentialReference), out, SecError(errSecParam, error, CFSTR("kSecUseAuthenticationContext cannot be used together with kSecUseCredentialReference"))); - require_action_quiet(la_lib = dlopen("/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication", RTLD_LAZY), out, - SecError(errSecInternal, error, CFSTR("failed to open LocalAuthentication.framework"))); - LAFunctionCopyExternalizedContext fnCopyExternalizedContext = NULL; - require_action_quiet(fnCopyExternalizedContext = dlsym(la_lib, "LACopyExternalizedContext"), out, - SecError(errSecInternal, error, CFSTR("failed to obtain LACopyExternalizedContext"))); - require_action_quiet(acm_context = fnCopyExternalizedContext(la_context), out, - SecError(errSecInternal, error, CFSTR("failed to get ACM handle from LAContext"))); + require_quiet(acm_context = SecItemAttributesCopyPreparedAuthContext(la_context, error), out); CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(attrs), kSecUseAuthenticationContext); CFDictionarySetValue(SecCFDictionaryCOWGetMutable(attrs), kSecUseCredentialReference, acm_context); } diff --git a/OSX/sec/Security/SecItemInternal.h b/OSX/sec/Security/SecItemInternal.h index 6312eb69..fb1fda87 100644 --- a/OSX/sec/Security/SecItemInternal.h +++ b/OSX/sec/Security/SecItemInternal.h @@ -88,6 +88,8 @@ TKTokenRef SecTokenCreate(CFStringRef token_id, CFDictionaryRef auth_params, CFE CFDataRef _SecTokenItemCopyValueData(CFDataRef db_value, CFErrorRef *error); +CFDataRef SecItemAttributesCopyPreparedAuthContext(CFTypeRef la_context, CFErrorRef *error); + __END_DECLS #endif /* !_SECURITY_SECITEMINTERNAL_H_ */ diff --git a/OSX/sec/Security/SecKey.c b/OSX/sec/Security/SecKey.c index 7b4bc43b..90cef042 100644 --- a/OSX/sec/Security/SecKey.c +++ b/OSX/sec/Security/SecKey.c 
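Review bot: With the dlopen/dlsym/LACopyExternalizedContext sequence moved out of SecItemAttributesPrepare, the local `la_lib` is no longer assigned in this function; if its declaration and the `dlclose(la_lib)` at `out:` remain (both outside the hunk), they are dead code and should be removed in the same change rather than left as a stale cleanup path. The function starts and ends outside the hunk.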
@@ -579,7 +579,7 @@ out: CFReleaseSafe(in2); CFReleaseSafe(output); if (error != NULL) { - status = (OSStatus)CFErrorGetCode(error); + status = SecErrorGetOSStatus(error); if (status == errSecVerifyFailed) { // Legacy functions used errSSLCrypto, while new implementation uses errSecVerifyFailed. status = errSSLCrypto; @@ -1172,6 +1172,14 @@ SecKeyRef SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error) { return privKey; } +SecKeyRef SecKeyCreateDuplicate(SecKeyRef key) { + if (key->key_class->version >= 4 && key->key_class->createDuplicate) { + return key->key_class->createDuplicate(key); + } else { + return (SecKeyRef)CFRetain(key); + } +} + #pragma mark Generic algorithm adaptor lookup and invocation static CFTypeRef SecKeyCopyBackendOperationResult(SecKeyOperationContext *context, SecKeyAlgorithm algorithm, diff --git a/OSX/sec/Security/SecKeyPriv.h b/OSX/sec/Security/SecKeyPriv.h index b2d7bfcd..51704ea9 100644 --- a/OSX/sec/Security/SecKeyPriv.h +++ b/OSX/sec/Security/SecKeyPriv.h @@ -132,6 +132,7 @@ typedef CFStringRef (*SecKeyDescribeMethod)(SecKeyRef key); typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErrorRef *error); typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key); typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2); +typedef SecKeyRef (*SecKeyCreateDuplicateMethod)(SecKeyRef key); /*! @abstract Performs cryptographic operation with the key. @@ -198,6 +199,7 @@ typedef struct __SecKeyDescriptor { SecKeyCopyPublicKeyMethod copyPublicKey; SecKeyCopyOperationResultMethod copyOperationResult; SecKeyIsEqualMethod isEqual; + SecKeyCreateDuplicateMethod createDuplicate; #endif } SecKeyDescriptor; 
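Review bot: SecKeyCreateDuplicate gates on the literal `key->key_class->version >= 4` with no comment tying that number to the descriptor layout; since createDuplicate is appended to SecKeyDescriptor in the SecKeyPriv.h hunk that follows, a comment such as `/* createDuplicate exists only in descriptors of version 4 or later. */` (or a named constant next to kSecKeyDescriptorVersion) keeps the check and the struct in step. The same hunk dereferences `key` without a NULL check, which matches the surrounding SecKey.c style as far as it is visible here. SecKeyCreateRandomKey above it starts outside the hunk.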
@@ -462,6 +464,19 @@ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AV Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +/*! + @function SecKeyCreateDuplicate + @abstract Creates duplicate fo the key. + + @param key Source key to be duplicated + + @discussion Only memory representation of the key is duplicated, so if the key is backed by keychain, only one instance + stays in the keychain. Duplicating key is useful for setting 'temporary' key parameters using SecKeySetParameter. + If the key is immutable (i.e. does not support SecKeySetParameter), calling this method is identical to calling CFRetain(). + */ +SecKeyRef SecKeyCreateDuplicate(SecKeyRef key) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + /*! Algorithms for converting between bigendian and core-crypto ccunit data representation. */ diff --git a/OSX/sec/Security/SecPolicy.c b/OSX/sec/Security/SecPolicy.c index 339c029d..3b0ed374 100644 --- a/OSX/sec/Security/SecPolicy.c +++ b/OSX/sec/Security/SecPolicy.c @@ -44,11 +44,6 @@ #include #include #include -#if TARGET_OS_EMBEDDED -#include -#else -#include -#endif #include @@ -265,6 +260,8 @@ SEC_CONST_DECL (kSecPolicyAppleTVOSApplicationSigning, "1.2.840.113635.100.1.71" SEC_CONST_DECL (kSecPolicyAppleUniqueDeviceIdentifierCertificate, "1.2.840.113635.100.1.72"); SEC_CONST_DECL (kSecPolicyAppleEscrowProxyCompatibilityServerAuth, "1.2.840.113635.100.1.73"); SEC_CONST_DECL (kSecPolicyAppleMMCSCompatibilityServerAuth, "1.2.840.113635.100.1.74"); +SEC_CONST_DECL (kSecPolicyAppleSecureIOStaticAsset, "1.2.840.113635.100.1.75"); +SEC_CONST_DECL (kSecPolicyAppleWarsaw, "1.2.840.113635.100.1.76"); SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid"); SEC_CONST_DECL (kSecPolicyName, "SecPolicyName"); 
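Review bot: The new SecKeyCreateDuplicate header comment reads `@abstract Creates duplicate fo the key.`; it should be `@abstract Creates a duplicate of the key.`, and it has no @result line stating the ownership the implementation relies on. Judging from the SecKey.c hunk in this diff the function returns a retained reference (its fallback is `CFRetain(key)`), so the caller must CFRelease the result and must not assume it is a distinct object; spelling that out in @result avoids both leaks and mistaken pointer comparisons. The declaration is complete within the hunk.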
@@ -354,6 +351,8 @@ static CFStringRef kSecPolicyNameAppleGSService = CFSTR("GS"); static CFStringRef kSecPolicyNameAppleMMCSService = CFSTR("MMCS"); static CFStringRef kSecPolicyNameApplePPQService = CFSTR("PPQ"); static CFStringRef kSecPolicyNameAppleUniqueDeviceCertificate = CFSTR("UCRT"); +static CFStringRef kSecPolicyNameAppleSecureIOStaticAsset = CFSTR("SecureIOStaticAsset"); +static CFStringRef kSecPolicyNameAppleWarsaw = CFSTR("Warsaw"); /* Policies will now change to multiple categories of checks. @@ -651,6 +650,7 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, } /* These are in the same order as the constant declarations. */ + /* @@@ This should be turned into a table. */ if (CFEqual(policyIdentifier, kSecPolicyAppleX509Basic)) { policy = SecPolicyCreateBasicX509(); } @@ -890,6 +890,9 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } + } + else if (CFEqual(policyIdentifier, kSecPolicyAppleSecureIOStaticAsset)) { + policy = SecPolicyCreateAppleSecureIOStaticAsset(); } else { secerror("ERROR: policy \"%@\" is unsupported", policyIdentifier); @@ -1630,6 +1633,8 @@ static bool allowTestHierarchyForPolicy(CFStringRef policyName) { require(setting, fail); if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL)) { allow = true; + } else { + secnotice("pinningQA", "could not enable test hierarchy: %@ not true", setting); } CFRelease(setting); fail: @@ -1638,7 +1643,7 @@ fail: static bool SecPolicyAddAppleAnchorOptions(CFMutableDictionaryRef options, CFStringRef policyName) { - CFMutableDictionaryRef appleAnchorOptions; + CFMutableDictionaryRef appleAnchorOptions = NULL; appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL); if (!appleAnchorOptions) { return false; 
@@ -1766,9 +1771,14 @@ requireUATPinning(CFStringRef service) if (SecIsInternalRelease()) { CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationNoPinning%@"), service); require(setting, fail); - if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) + if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) { pinningRequired = false; + } else { + secnotice("pinningQA", "could not disable pinning: %@ not true", setting); + } CFRelease(setting); + } else { + secnotice("pinningQA", "could not disable pinning: not an internal release"); } fail: return pinningRequired; @@ -3065,7 +3075,13 @@ allowUATRoot(bool allowNonProd, CFStringRef service, CFDictionaryRef context) if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) { UATAllowed = true; } + + if (!UATAllowed) { + secnotice("pinningQA", "could not enable test cert: %@ not true", setting); + } CFRelease(setting); + } else { + secnotice("pinningQA", "could not enable test cert: not an internal release"); } fail: return UATAllowed; 
@@ -3840,3 +3856,121 @@ errOut: CFReleaseSafe(ecSize); return result; }
+
+SecPolicyRef SecPolicyCreateAppleWarsaw(void) {
+ CFMutableDictionaryRef options = NULL;
+ CFDictionaryRef keySizes = NULL;
+ CFNumberRef rsaSize = NULL, ecSize = NULL;
+ SecPolicyRef result = NULL;
+#if TARGET_OS_BRIDGE
+ CFMutableDictionaryRef appleAnchorOptions = NULL;
+#endif
+
+ require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks), errOut);
+
+ SecPolicyAddBasicX509Options(options);
+
+ /* Anchored to the Apple Roots. */
+#if TARGET_OS_BRIDGE
+ /* On the bridge, test roots are gated in the trust and policy servers. */
+ require_quiet(appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL), errOut);
+ CFDictionarySetValue(appleAnchorOptions,
+ kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+ add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+ CFReleaseSafe(appleAnchorOptions);
+#else
+ require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleWarsaw),
+ errOut);
+#endif
+
+ /* Exactly 3 certs in the chain */
+ require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
+ /* Intermediate marker OID matches input OID */
+ add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.14"));
+
+ /* Leaf marker OID matches input OID */
+ add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.29"));
+
+ /* Check revocation using any available method */
+ add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
+
+ /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
*/
+ require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
+ require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
+ const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
+ const void *values[] = { rsaSize, ecSize };
+ require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
+ add_element(options, kSecPolicyCheckKeySize, keySizes);
+
+ require(result = SecPolicyCreate(kSecPolicyAppleWarsaw,
+ kSecPolicyNameAppleWarsaw, options), errOut);
+
+errOut:
+ CFReleaseSafe(options);
+ CFReleaseSafe(keySizes);
+ CFReleaseSafe(rsaSize);
+ CFReleaseSafe(ecSize);
+ return result;
+}
+
+SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) {
+ CFMutableDictionaryRef options = NULL;
+ CFDictionaryRef keySizes = NULL;
+ CFNumberRef rsaSize = NULL, ecSize = NULL;
+ SecPolicyRef result = NULL;
+#if TARGET_OS_BRIDGE
+ CFMutableDictionaryRef appleAnchorOptions = NULL;
+#endif
+
+ require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks), errOut);
+
+ /* This certificate cannot expire so that assets always load */
+ SecPolicyAddBasicCertOptions(options);
+
+ /* Anchored to the Apple Roots. */
+#if TARGET_OS_BRIDGE
+ /* On the bridge, test roots are gated in the trust and policy servers.
*/
+ require_quiet(appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL), errOut);
+ CFDictionarySetValue(appleAnchorOptions,
+ kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+ add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+ CFReleaseSafe(appleAnchorOptions);
+#else
+ require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSecureIOStaticAsset),
+ errOut);
+#endif
+
+ /* Exactly 3 certs in the chain */
+ require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
+ /* Intermediate marker OID matches input OID */
+ add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.10"));
+
+ /* Leaf marker OID matches input OID */
+ add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.50"));
+
+ /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. */
+ require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut);
+ require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut);
+ const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC };
+ const void *values[] = { rsaSize, ecSize };
+ require(keySizes = CFDictionaryCreate(NULL, keys, values, 2,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
+ add_element(options, kSecPolicyCheckKeySize, keySizes);
+
+ require(result = SecPolicyCreate(kSecPolicyAppleSecureIOStaticAsset,
+ kSecPolicyNameAppleSecureIOStaticAsset, options), errOut);
+
+errOut:
+ CFReleaseSafe(options);
+ CFReleaseSafe(keySizes);
+ CFReleaseSafe(rsaSize);
+ CFReleaseSafe(ecSize);
+ return result;
+}
diff --git a/OSX/sec/Security/SecPolicyLeafCallbacks.c b/OSX/sec/Security/SecPolicyLeafCallbacks.c
index c3cb359b..081b1ece 100644
--- a/OSX/sec/Security/SecPolicyLeafCallbacks.c
+++ b/OSX/sec/Security/SecPolicyLeafCallbacks.c
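Review bot: SecPolicyCreateAppleSecureIOStaticAsset adds no kSecPolicyCheckRevocation option while its sibling SecPolicyCreateAppleWarsaw in the same hunk does, and the only comment explains the missing expiry check, not the missing revocation check; if a static-asset leaf must stay usable without a revocation lookup, say so next to SecPolicyAddBasicCertOptions, e.g. `/* Revocation is not checked either, for the same reason: assets must always load. */` — and if the omission is unintentional, add the check. The two functions are otherwise identical except for the policy constant, the policy name, the two marker OIDs and the basic-options call, so a shared static helper taking those as parameters (sketched below) would keep them from drifting apart as further pinned policies are added. Both functions start and end inside the hunk.

```c
/* Common shape of the Warsaw and SecureIOStaticAsset policies: 3-cert chain anchored to
 * the Apple roots, one intermediate and one leaf marker OID, RSA >= 2048 / EC >= P-256.
 * Whether validity and revocation are checked is the caller's choice. */
static SecPolicyRef SecPolicyCreateAppleMarkerPolicy(CFStringRef policyOid, CFStringRef policyName,
                                                     CFStringRef intermediateMarkerOid, CFStringRef leafMarkerOid,
                                                     bool checkValidity, bool checkRevocation) {
    CFMutableDictionaryRef options = NULL;
    CFDictionaryRef keySizes = NULL;
    CFNumberRef rsaSize = NULL, ecSize = NULL;
    SecPolicyRef result = NULL;

    require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
                                                &kCFTypeDictionaryKeyCallBacks,
                                                &kCFTypeDictionaryValueCallBacks), errOut);
    if (checkValidity) {
        SecPolicyAddBasicX509Options(options);
    } else {
        SecPolicyAddBasicCertOptions(options);
    }
    /* … unchanged: Apple anchor options (TARGET_OS_BRIDGE branch / SecPolicyAddAppleAnchorOptions with policyName) … */
    require(SecPolicyAddChainLengthOptions(options, 3), errOut);
    add_element(options, kSecPolicyCheckIntermediateMarkerOid, intermediateMarkerOid);
    add_leaf_marker_string(options, leafMarkerOid);
    if (checkRevocation) {
        add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);
    }
    /* … unchanged: key-size dictionary … */
    require(result = SecPolicyCreate(policyOid, policyName, options), errOut);
errOut:
    /* … unchanged: releases … */
    return result;
}

SecPolicyRef SecPolicyCreateAppleWarsaw(void) {
    return SecPolicyCreateAppleMarkerPolicy(kSecPolicyAppleWarsaw, kSecPolicyNameAppleWarsaw,
                                            CFSTR("1.2.840.113635.100.6.2.14"), CFSTR("1.2.840.113635.100.6.29"),
                                            true, true);
}

SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) {
    /* No validity check so that assets always load; revocation is skipped too — confirm intent. */
    return SecPolicyCreateAppleMarkerPolicy(kSecPolicyAppleSecureIOStaticAsset, kSecPolicyNameAppleSecureIOStaticAsset,
                                            CFSTR("1.2.840.113635.100.6.2.10"), CFSTR("1.2.840.113635.100.6.50"),
                                            false, false);
}
```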
@@ -592,7 +592,7 @@ static bool SecPolicyCheckCertCertificatePolicyOid(SecCertificateRef cert, CFTyp } static bool SecPolicyCheckCertWeak(SecCertificateRef cert, CFTypeRef __unused pvcValue) { - if (cert && SecCertificateIsWeak(cert)) { + if (cert && SecCertificateIsWeakKey(cert)) { /* Leaf certificate has a weak key. */ return false; } diff --git a/OSX/sec/Security/SecPolicyPriv.h b/OSX/sec/Security/SecPolicyPriv.h index 049b9498..ee635e69 100644 --- a/OSX/sec/Security/SecPolicyPriv.h +++ b/OSX/sec/Security/SecPolicyPriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2016 Apple Inc. All Rights Reserved. + * Copyright (c) 2003-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -22,9 +22,9 @@ */ /*! - @header SecPolicyPriv - The functions provided in SecPolicyPriv provide an interface to various - X.509 certificate trust policies. + @header SecPolicyPriv + The functions provided in SecPolicyPriv provide an interface to various + X.509 certificate trust policies. */ #ifndef _SECURITY_SECPOLICYPRIV_H_ @@ -95,6 +95,8 @@ CF_IMPLICIT_BRIDGING_ENABLED @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth @constant kSecPolicyAppleMMCSCompatibilityServerAuth + @constant kSecPolicyAppleSecureIOStaticAsset + @constant kSecPolicyAppleWarsaw */ extern const CFStringRef kSecPolicyAppleMobileStore __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); 
@@ -200,6 +202,11 @@ extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleSecureIOStaticAsset + __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); +extern const CFStringRef kSecPolicyAppleWarsaw + __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); + /*! @enum Policy Value Constants @@ -265,7 +272,7 @@ extern const CFStringRef kSecPolicyRootDigest * The intermediate has a marker extension with OID matching the intermediateMarkerOID parameter. * The leaf has a marker extension with OID matching the leafMarkerOID parameter. - * Revocation is checked via OCSP or CRL. + * Revocation is checked via any available method. * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. 
@@ -298,236 +305,240 @@ SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName,
 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName extension or Common Name.
 * The leaf has ExtendedKeyUsage with the ServerAuth OID.
- * Revocation is checked via OCSP or CRL.
+ * Revocation is checked via any available method.
 * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
- For developers who need to disable pinning this function is equivalent to SecPolicyCreateSSL
- on internal releases if the value true is set for the key "AppleServerAuthenticationNoPinning%@"
- (where %@ is the policyName parameter) in the com.apple.Security preferences for the user
- of the calling application.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname,
- CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID)
+ CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID)
 __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 /*!
- @function SecPolicyCreateiPhoneActivation
- @abstract Returns a policy object for verifying iPhone Activation
- certificate chains.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
- * There are exactly 3 certs in chain.
- * The intermediate has Common Name "Apple iPhone Certification Authority".
- * The leaf has Common Name "iPhone Activation".
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneActivation
+ @abstract Returns a policy object for verifying iPhone Activation
+ certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
+ * The leaf has Common Name "iPhone Activation".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneActivation(void);
 /*!
- @function SecPolicyCreateiPhoneDeviceCertificate
- @abstract Returns a policy object for verifying iPhone Device certificate
- chains.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * There are exactly 4 certs in chain.
- * The chain is anchored to "Apple Root CA" certificate.
- * The first intermediate has Common Name "Apple iPhone Device CA".
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneDeviceCertificate
+ @abstract Returns a policy object for verifying iPhone Device certificate
+ chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 4 certs in chain.
+ * The first intermediate has Common Name "Apple iPhone Device CA".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
 /*!
- @function SecPolicyCreateFactoryDeviceCertificate
- @abstract Returns a policy object for verifying Factory Device certificate
- chains.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to the Factory Device CA.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateFactoryDeviceCertificate
+ @abstract Returns a policy object for verifying Factory Device certificate
+ chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to the Factory Device CA.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
 /*!
- @function SecPolicyCreateiAP
- @abstract Returns a policy object for verifying iAP certificate chains.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The leaf has notBefore date after 5/31/2006 midnight GMT.
- * The leaf has Common Name beginning with "IPA_".
- The intended use of this policy is that the caller pass in the
- intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateiAP
+ @abstract Returns a policy object for verifying iAP certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The leaf has notBefore date after 5/31/2006 midnight GMT.
+ * The leaf has Common Name beginning with "IPA_".
+ The intended use of this policy is that the caller pass in the
+ intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiAP(void);
 /*!
- @function SecPolicyCreateiTunesStoreURLBag
- @abstract Returns a policy object for verifying iTunes Store URL bag
- certificates.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to the iTMS CA.
- * There are exactly 2 certs in the chain.
- * The leaf has Organization "Apple Inc.".
- * The leaf has Common Name "iTunes Store URL Bag".
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateiTunesStoreURLBag
+ @abstract Returns a policy object for verifying iTunes Store URL bag
+ certificates.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to the iTMS CA.
+ * There are exactly 2 certs in the chain.
+ * The leaf has Organization "Apple Inc.".
+ * The leaf has Common Name "iTunes Store URL Bag".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
 /*!
- @function SecPolicyCreateEAP
- @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
- @param server Passing true for this parameter create a policy for EAP
- server certificates.
- @param trustedServerNames Optional; if present, the hostname in the leaf
- certificate must be in the trustedServerNames list. Note that contrary
- to all other policies the trustedServerNames list entries can have wildcards
- whilst the certificate cannot. This matches the existing deployments.
- @discussion This policy uses the Basic X.509 policy with validity check but
- disallowing network fetching. If trustedServerNames param is non-null, the
- ExtendedKeyUsage extension, if present, of the leaf certificate is verified
- to contain either the ServerAuth OID, if the server param is true or
- ClientAuth OID, otherwise.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateEAP
+ @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
+ @param server Passing true for this parameter create a policy for EAP
+ server certificates.
+ @param trustedServerNames Optional; if present, the hostname in the leaf
+ certificate must be in the trustedServerNames list. Note that contrary
+ to all other policies the trustedServerNames list entries can have wildcards
+ whilst the certificate cannot. This matches the existing deployments.
+ @discussion This policy uses the Basic X.509 policy with validity check but
+ disallowing network fetching. If trustedServerNames param is non-null, the
+ ExtendedKeyUsage extension, if present, of the leaf certificate is verified
+ to contain either the ServerAuth OID, if the server param is true or
+ ClientAuth OID, otherwise.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames);
 /*!
- @function SecPolicyCreateIPSec
- @abstract Returns a policy object for evaluating IPSec certificate chains.
- @param server Passing true for this parameter create a policy for IPSec
- server certificates.
- @param hostname Optional; if present, the policy will require the specified
- hostname or ip address to match the hostname in the leaf certificate.
- @discussion This policy uses the Basic X.509 policy with validity check.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateIPSec
+ @abstract Returns a policy object for evaluating IPSec certificate chains.
+ @param server Passing true for this parameter create a policy for IPSec
+ server certificates.
+ @param hostname Optional; if present, the policy will require the specified
+ hostname or ip address to match the hostname in the leaf certificate.
+ @discussion This policy uses the Basic X.509 policy with validity check.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostname);
 /*!
- @function SecPolicyCreateAppleSWUpdateSigning
- @abstract Returns a policy object for evaluating SW update signing certs.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
- * There are exactly 3 certs in the chain.
- * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateAppleSWUpdateSigning
+ @abstract Returns a policy object for evaluating SW update signing certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1.
+ * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
 /*!
- @function SecPolicyCreateApplePackageSigning
- @abstract Returns a policy object for evaluating installer package signing certs.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
- * There are exactly 3 certs in the chain.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateApplePackageSigning
+ @abstract Returns a policy object for evaluating installer package signing certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The leaf KeyUsage extension has the digital signature bit set.
+ * The leaf ExtendedKeyUsage extension has the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateApplePackageSigning(void);
 /*!
- @function SecPolicyCreateiPhoneApplicationSigning
- @abstract Returns a policy object for evaluating signed application
- signatures. This is for apps signed directly by the app store.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
- * There are exactly 3 certs in the chain.
- * The intermediate has Common Name "Apple iPhone Certification Authority".
- * The leaf has Common Name "Apple iPhone OS Application Signing".
- * If the device is not a production device and is running an internal
- release, the leaf may have the Common Name "TEST Apple iPhone OS
- Application Signing TEST".
- * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
- or the CodeSigning OID.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures. This is for apps signed directly by the app store.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
+ * The leaf has Common Name "Apple iPhone OS Application Signing".
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.3 or OID
+ 1.2.840.113635.100.6.1.6.
+ * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
+ or the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
 /*!
- @function SecPolicyCreateiPhoneProfileApplicationSigning
- @abstract Returns a policy object for evaluating signed application
- signatures. This policy is for certificates inside a UPP or regular
- profile.
- @discussion This policy only verifies that the leaf is temporally valid
- and not revoked.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneProfileApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures. This policy is for certificates inside a UPP or regular
+ profile.
+ @discussion This policy only verifies that the leaf is temporally valid
+ and not revoked via any available method.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
 /*!
- @function SecPolicyCreateiPhoneProvisioningProfileSigning
- @abstract Returns a policy object for evaluating provisioning profile signatures.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
- * There are exactly 3 certs in the chain.
- * The intermediate has Common Name "Apple iPhone Certification Authority".
- * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
- * If the device is not a production device and is running an internal
- release, the leaf may have the Common Name "TEST Apple iPhone OS
- Provisioning Profile Signing TEST".
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateiPhoneProvisioningProfileSigning
+ @abstract Returns a policy object for evaluating provisioning profile signatures.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
+ * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
+ * If the device is not a production device and is running an internal
+ release, the leaf may have the Common Name "TEST Apple iPhone OS
+ Provisioning Profile Signing TEST".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
 /*!
- @function SecPolicyCreateAppleTVOSApplicationSigning
- @abstract Returns a policy object for evaluating signed application
- signatures. This is for apps signed directly by the Apple TV app store,
- and allows for both the prod and the dev/test certs.
- @discussion This policy uses the Basic X.509 policy with no validity check
- and pinning options:
- * The chain is anchored to any of the production Apple Root CAs.
- Test roots are never permitted.
- * There are exactly 3 certs in the chain.
- * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
- * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
- the CodeSigning OID.
- * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
- 1.2.840.113635.100.6.1.24.1.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateAppleTVOSApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures. This is for apps signed directly by the Apple TV app store,
+ and allows for both the prod and the dev/test certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs.
+ Test roots are never permitted.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+ * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
+ the CodeSigning OID.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
+ 1.2.840.113635.100.6.1.24.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
 /*!
- @function SecPolicyCreateOCSPSigner
- @abstract Returns a policy object for evaluating ocsp response signers.
- @discussion This policy uses the Basic X.509 policy with validity check and
- requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateOCSPSigner
+ @abstract Returns a policy object for evaluating ocsp response signers.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateOCSPSigner(void);
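Review bot: The rewritten SecPolicyCreateiPhoneApplicationSigning discussion drops the sentence that allowed the leaf Common Name "TEST Apple iPhone OS Application Signing TEST" on internal builds, while the SecPolicyCreateiPhoneProvisioningProfileSigning block a few lines further down keeps its parallel "TEST Apple iPhone OS Provisioning Profile Signing TEST" allowance; the two policies are documented with the same anchor, chain length and intermediate, so one of the two descriptions is now likely stale. If the test name is no longer accepted for app signing, say so in one sentence so readers do not assume the omission is accidental; if it still is, restore the sentence, and either way the provisioning-profile text should be re-checked against the implementation. A smaller wording point in the same hunk: the new SecPolicyCreateAppleSWUpdateSigning line says `* The intermediate ExtendedKeyUsage Extension contains 1.2.840.113635.100.4.1.` while the leaf line right below says "extension"; use the lowercase form in both.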
@@ -545,46 +556,46 @@ enum {
 };
 /*!
- @function SecPolicyCreateSMIME
- @abstract Returns a policy object for evaluating S/MIME certificate chains.
- @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
- flags, to indicate the intended usage of this certificate.
- @param email Optional; if present, the policy will require the specified
- email to match the email in the leaf certificate.
- @discussion This policy uses the Basic X.509 policy with validity check and
- requires the leaf to have
- * a KeyUsage matching the smimeUsage,
- * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
- EmailProtection OID, and
- * if the email param is specified, the email address in the RFC822Name in the
- SubjectAlternativeName extension or in the Email Address field of the
- Subject Name.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateSMIME
+ @abstract Returns a policy object for evaluating S/MIME certificate chains.
+ @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
+ flags, to indicate the intended usage of this certificate.
+ @param email Optional; if present, the policy will require the specified
+ email to match the email in the leaf certificate.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have
+ * a KeyUsage matching the smimeUsage,
+ * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
+ EmailProtection OID, and
+ * if the email param is specified, the email address in the RFC822Name in the
+ SubjectAlternativeName extension or in the Email Address field of the
+ Subject Name.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email);
 /*!
- @function SecPolicyCreateCodeSigning
- @abstract Returns a policy object for evaluating code signing certificate chains.
- @discussion This policy uses the Basic X.509 policy with validity check and
- requires the leaf to have
- * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
- * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateCodeSigning
+ @abstract Returns a policy object for evaluating code signing certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have
+ * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
+ * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateCodeSigning(void);
 /*!
- @function SecPolicyCreateLockdownPairing
- @abstract basic x509 policy for checking lockdown pairing certificate chains.
- @disucssion This policy checks some of the Basic X.509 policy options with no
- validity check. It explicitly allows for empty subjects.
- @result A policy object. The caller is responsible for calling CFRelease
- on this when it is no longer needed.
+ @function SecPolicyCreateLockdownPairing
+ @abstract basic x509 policy for checking lockdown pairing certificate chains.
+ @disucssion This policy checks some of the Basic X.509 policy options with no
+ validity check. It explicitly allows for empty subjects.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
 */
 __nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateLockdownPairing(void);
@@ -592,7 +603,7 @@ SecPolicyRef SecPolicyCreateLockdownPairing(void);
 /*!
 @function SecPolicyCreateURLBag
 @abstract Returns a policy object for evaluating certificate chains for signing URL bags.
- @discussion This policy uses the Basic X.509 policy with no validity check and requires
+ @discussion This policy uses the Basic X.509 policy with no validity check and requires
 that the leaf has ExtendedKeyUsage extension with the CodeSigning OID.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
@@ -603,10 +614,12 @@ SecPolicyRef SecPolicyCreateURLBag(void);
 /*!
 @function SecPolicyCreateOTATasking
 @abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking.
- @discussion This policy uses the Basic X.509 policy with validity check and
+ @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
 * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
 * The leaf has Common Name "OTA Task Signing".
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
@@ -617,10 +630,12 @@ SecPolicyRef SecPolicyCreateOTATasking(void);
 /*!
 @function SecPolicyCreateMobileAsset
 @abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets.
- @discussion This policy uses the Basic X.509 policy with no validity check
+ @discussion This policy uses the Basic X.509 policy with no validity check
 and pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
 * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
 * The leaf has Common Name "Asset Manifest Signing".
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
@@ -633,8 +648,9 @@ SecPolicyRef SecPolicyCreateMobileAsset(void);
 @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
- * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
 or OID 1.2.840.113635.100.6.2.7.
 * The leaf has a marker extension with OID 1.2.840.113635.100.4.7.
 @result A policy object. The caller is responsible for calling CFRelease
@@ -649,7 +665,13 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
 Mac App Store Receipts.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+ * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.6.1.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.11.1.
+ * Revocation is checked via any available method.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
 */
@@ -664,7 +686,8 @@ SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
 team ID to match the organizationalUnit field in the leaf certificate's subject.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the cardIssuer.
 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14.
@@ -681,7 +704,8 @@ SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
 @abstract Returns a policy object for evaluating Mobile Store certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
 * The leaf has KeyUsage with the DigitalSignature bit set.
@@ -697,7 +721,8 @@ SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
 @abstract Returns a policy object for evaluating Test Mobile Store certificate chains.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
 * There are exactly 3 certs in the chain.
 * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
 * The leaf has KeyUsage with the DigitalSignature bit set.
@@ -742,7 +767,8 @@ SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
 Provisioning Profiles.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
 * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
 * The leaf has KeyUsage with the DigitalSignature bit set.
 * The leaf has a marker extension with OID 1.2.840.113635.100.4.11.
@@ -759,7 +785,10 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
 Configuration Profiles.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
@@ -770,10 +799,13 @@ SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
 /*!
 @function SecPolicyCreateQAConfigurationProfileSigner
 @abstract Returns a policy object for evaluating certificate chains for signing
- QA Configuration Profiles.
+ QA Configuration Profiles. On customer builds, this function returns the same
+ policy as SecPolicyCreateConfigurationProfileSigner.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.3.
 * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17.
 @result A policy object. The caller is responsible for calling CFRelease
 on this when it is no longer needed.
@@ -813,8 +845,9 @@ SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
 Apple ID Validation Records.
 @discussion This policy uses the Basic X.509 policy with validity check and
 pinning options:
- * The chain is anchored to "Apple Root CA" certificate.
- * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
 or OID 1.2.840.113635.100.6.2.10.
 * The leaf has a marker extension with OID 1.2.840.113635.100.6.25.
 * Revocation is checked via OCSP.
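Review bot: The new @abstract for SecPolicyCreateQAConfigurationProfileSigner says that on customer builds it returns the same policy as SecPolicyCreateConfigurationProfileSigner, but the discussion directly below still lists a leaf ExtendedKeyUsage of 1.2.840.113635.100.4.17 as a requirement, whereas the ConfigurationProfileSigner block in the previous hunk requires 1.2.840.113635.100.4.16; both cannot hold on a customer build. The pinning list should say which build it describes, e.g. `pinning options (internal builds; customer builds apply the SecPolicyCreateConfigurationProfileSigner requirements):`. The SecPolicyCreateTestApplePPQSigning hunk that follows adds the same "On customer builds" sentence and should get the same qualifier.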
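Review bot: The SecPolicyCreateAppleIDValidationRecordSigningPolicy block updates the anchor text but leaves `* Revocation is checked via OCSP.` as context, while every other policy this commit touches now says "any available method" (SecPolicyCreateApplePinned, SecPolicyCreateAppleSSLPinned, SecPolicyCreateMacAppStoreReceipt, both SecPolicyCreateAppleIDSService variants). If this policy intentionally stays OCSP-only, a short reason in the comment would stop the next editor from "fixing" it; if the omission is accidental, the line should change with the rest so the header does not document two different revocation contracts for policies that otherwise share the same anchor and marker-OID structure.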
@@ -829,7 +862,8 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void); @abstract Returns a policy object for evaluating SMP certificate chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA - ECC" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13. * The leaf has KeyUsage with the KeyEncipherment bit set. @@ -862,7 +896,8 @@ SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void); @abstract Returns a policy object for verifying production PPQ Signing certificates. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple System Integration 2 Certification Authority". 
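Review bot: The -829 hunk widens the SMP encryption anchor from the single named "Apple Root CA - ECC" to every production Apple root, and the -862 hunk does the same for PPQ signing; read on its own that is a loosening of the pin, and the comment should say what now scopes the policy. Since both policies keep "exactly 3 certs in the chain" plus an intermediate marker OID or Common Name, add after the anchor bullet `(the chain-length and intermediate constraints below are what pin this policy to the intended sub-CA)` so the reason the broader anchor set is acceptable is recorded. The same wording change appears for the Apple Pay Issuer Encryption policy later in this header and would benefit from the same note.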
@@ -877,10 +912,12 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void); /*! @function SecPolicyCreateTestApplePPQSigning - @abstract Returns a policy object for verifying test PPQ Signing certificates. + @abstract Returns a policy object for verifying test PPQ Signing certificates. On + customer builds, this function returns the same policy as SecPolicyCreateApplePPQSigning. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple System Integration 2 Certification Authority". @@ -921,7 +958,7 @@ SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname); extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -946,7 +983,7 @@ SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDicti extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
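Review bot: In the -921 and -946 hunks "Revocation is checked via OCSP" becomes "Revocation is checked via any available method", which drops the one detail a caller of these server-auth policies needs: whether a chain is rejected when no method produces a response. Spell out both the methods and the failure semantics, e.g. `* Revocation is checked via any available method (OCSP or CRL); see SecPVCCheckRevocation for how an unavailable response is treated.` — or, if the behaviour is known, state directly whether a missing response is fatal. The same replacement is made in several later hunks of this header and should carry the same wording.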
@@ -964,7 +1001,7 @@ SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryR extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1033,7 +1070,7 @@ SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname) extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1059,7 +1096,7 @@ SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1084,7 +1121,7 @@ SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRe extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -1110,7 +1147,7 @@ and pinning options: extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via CRL. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1160,7 +1197,7 @@ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via CRL. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1174,14 +1211,15 @@ SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryR @param hostname Optional; hostname to verify the certificate name against. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to "Apple Root CA" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1 * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. + extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID. - * Revocation is checked via OCSP. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ 
@@ -1204,7 +1242,8 @@ SecPolicyRef SecPolicyCreateAppleTimeStamping(void); @abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains. @discussion This policy uses the Basic X.509 policy with no validity check and pinning options: - * The chain is anchored to "Apple Root CA - ECC" certificate. + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. * There are exactly 3 certs in the chain. * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2". * The leaf has KeyUsage with the KeyEncipherment bit set. @@ -1248,7 +1287,7 @@ SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void) extension or Common Name. * The leaf is checked against the Black and Gray lists. * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via CRL. + * Revocation is checked via any available method. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ @@ -1281,7 +1320,7 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) * 1.2.840.113635.100.4.8 ("Safari Developer" EKU) * 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU) * 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU) - * Revocation is checked via OCSP or CRL. + * Revocation is checked via any available method. * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. 
@@ -1301,7 +1340,7 @@ SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void) * The intermediate has the Common Name "Apple Code Signing Certification Authority". * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22. * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing). - * Revocation is checked via OCSP or CRL. + * Revocation is checked via any available method. * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. 
@@ -1342,13 +1381,50 @@ CFStringRef SecPolicyGetOidString(SecPolicyRef policy) * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value of "ucrt". * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1. - * RSA key sizes are are disallowed. EC key sizes are P-256 or larger. + * RSA key sizes are disallowed. EC key sizes are P-256 or larger. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash) -__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecPolicyCreateAppleWarsaw + @abstract Returns a policy object for verifying signed Warsaw assets. + @discussion The resulting policy uses the Basic X.509 policy with validity check and + pinning options: + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.14. + * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.29. + * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. + @result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleWarsaw(void) + __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); + +/*! + @function SecPolicyCreateAppleSecureIOStaticAsset + @abstract Returns a policy object for verifying signed static assets for Secure IO. 
+ @discussion The resulting policy uses the Basic X.509 policy with no validity check and + pinning options: + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has an extension with OID matching 1.2.840.113635.100.6.2.10. + * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.50. + * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. + @result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) + __OSX_AVAILABLE(10.12.1) __IOS_AVAILABLE(10.1) __TVOS_AVAILABLE(10.0.1) __WATCHOS_AVAILABLE(3.1); + CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END diff --git a/OSX/sec/sec.xcodeproj/project.pbxproj b/OSX/sec/sec.xcodeproj/project.pbxproj index 98166cd8..3fa4b64b 100644 --- a/OSX/sec/sec.xcodeproj/project.pbxproj +++ b/OSX/sec/sec.xcodeproj/project.pbxproj 
@@ -283,6 +283,7 @@ BE53FA301B0AC5C300719A63 /* SecKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563C14CB6EB9008233F2 /* SecKey.c */; }; BE53FA311B0AC65500719A63 /* SecECKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562C14CB6EB9008233F2 /* SecECKey.c */; }; BE53FA321B0AC65B00719A63 /* SecRSAKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564714CB6EB9008233F2 /* SecRSAKey.c */; }; + BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */ = {isa = PBXBuildFile; fileRef = BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */; }; BE5EC1F018C80108005E7682 /* swcagent_client.c in Sources */ = {isa = PBXBuildFile; fileRef = BEF9640A18B418A400813FA3 /* swcagent_client.c */; }; BE62D7601747FF3E001EAA9D /* si-72-syncableitems.c in Sources */ = {isa = PBXBuildFile; fileRef = BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */; }; BE642BB2188F32C200C899A2 /* SecSharedCredential.c in Sources */ = {isa = PBXBuildFile; fileRef = BE642BB1188F32C200C899A2 /* SecSharedCredential.c */; }; 
@@ -373,6 +374,8 @@ D40771BE1C9B50590016AA66 /* si-82-seccertificate-ct.c in Sources */ = {isa = PBXBuildFile; fileRef = D40771AB1C9B4C530016AA66 /* si-82-seccertificate-ct.c */; }; D40771BF1C9B50590016AA66 /* si-82-sectrust-ct.m in Sources */ = {isa = PBXBuildFile; fileRef = D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */; }; D4273AA61B5D54E70007D67B /* nameconstraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4273AA21B5D54CA0007D67B /* nameconstraints.c */; }; + D43091551D84D7FE004097DA /* si-25-cms-skid.m in Sources */ = {isa = PBXBuildFile; fileRef = D43091511D84D482004097DA /* si-25-cms-skid.m */; }; + D43091561D84D80B004097DA /* si-25-cms-skid.h in Headers */ = {isa = PBXBuildFile; fileRef = D43091531D84D494004097DA /* si-25-cms-skid.h */; }; D43CDF731C9C77540020217E /* si-28-sectrustsettings.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.m */; }; D442160A1CCAD9C200D2D455 /* si-22-sectrust-iap.h in Headers */ = {isa = PBXBuildFile; fileRef = D44216091CCAD9C200D2D455 /* si-22-sectrust-iap.h */; }; D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */ = {isa = PBXBuildFile; fileRef = D44C81E71CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m */; }; 
@@ -918,6 +921,7 @@ BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecSignatureVerificationSupport.c; sourceTree = ""; }; BE4AC7DD1C938698002A28FE /* SecSignatureVerificationSupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSignatureVerificationSupport.h; sourceTree = ""; }; BE556A5D19550E1600E6EE8C /* SecPolicyCerts.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecPolicyCerts.h; sourceTree = ""; }; + BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "si-84-sectrust-whitelist.c"; sourceTree = ""; }; BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-72-syncableitems.c"; sourceTree = ""; }; BE62D7611747FF51001EAA9D /* si-70-sectrust-unified.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-70-sectrust-unified.c"; sourceTree = ""; }; BE642BAF188F32AD00C899A2 /* SecSharedCredential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSharedCredential.h; sourceTree = ""; }; 
@@ -999,6 +1003,8 @@ D40771B81C9B4D200016AA66 /* libSharedRegressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSharedRegressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; D4273AA21B5D54CA0007D67B /* nameconstraints.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = nameconstraints.c; sourceTree = ""; }; D4273AA31B5D54CA0007D67B /* nameconstraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = nameconstraints.h; sourceTree = ""; }; + D43091511D84D482004097DA /* si-25-cms-skid.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-25-cms-skid.m"; sourceTree = ""; }; + D43091531D84D494004097DA /* si-25-cms-skid.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-25-cms-skid.h"; sourceTree = ""; }; D44216091CCAD9C200D2D455 /* si-22-sectrust-iap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-22-sectrust-iap.h"; sourceTree = ""; }; D44C81E71CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-97-sectrust-path-scoring.m"; sourceTree = ""; }; D44C81E91CD1947200BE9A0D /* si-97-sectrust-path-scoring.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-97-sectrust-path-scoring.h"; sourceTree = ""; }; @@ -1574,6 +1580,8 @@ 4CC92A2615A3ABD400C6D578 /* si-24-sectrust-itms.c */, 4CC92A2815A3ABD400C6D578 /* si-24-sectrust-nist.c */, 4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-passbook.c */, + D43091511D84D482004097DA /* si-25-cms-skid.m */, + D43091531D84D494004097DA /* si-25-cms-skid.h */, 4CC92A2C15A3ABD400C6D578 /* si-26-sectrust-copyproperties.c */, 4CC92A2D15A3ABD400C6D578 /* si-27-sectrust-exceptions.c */, 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.m */, 
@@ -1620,6 +1628,7 @@ D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */, 440BF8F41A7A7EC9001760A7 /* si-82-token-ag.c */, BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */, + BE5C5BD01D8C90C200A97339 /* si-84-sectrust-whitelist.c */, D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */, D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */, D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */, @@ -2223,6 +2232,7 @@ files = ( 0C0C887A1CCED00E00617D1B /* shared_regressions.h in Headers */, D44C81EA1CD1947200BE9A0D /* si-97-sectrust-path-scoring.h in Headers */, + D43091561D84D80B004097DA /* si-25-cms-skid.h in Headers */, D4653DEB1C9E2299002ED6D5 /* si-28-sectrustsettings.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; @@ -2965,11 +2975,13 @@ 09AE116F1CEDA1E4004C617D /* si-44-seckey-ies.m in Sources */, 09EC947F1CEDEA70003E5101 /* si-44-seckey-rsa.m in Sources */, D4D887531CED0A9100DC7583 /* si-24-sectrust-digicert-malaysia.c in Sources */, + D43091551D84D7FE004097DA /* si-25-cms-skid.m in Sources */, D4D886C21CEB9FC600DC7583 /* si-85-sectrust-ssl-policy.c in Sources */, D4D887541CED0A9700DC7583 /* si-24-sectrust-diginotar.c in Sources */, D4D887571CED0B9400DC7583 /* si-27-sectrust-exceptions.c in Sources */, 0982E02C1D19695B0060002E /* si-44-seckey-ec.m in Sources */, D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */, + BE5C5BD11D8C90F500A97339 /* si-84-sectrust-whitelist.c in Sources */, D4D886F01CEC008600DC7583 /* si-23-sectrust-ocsp.c in Sources */, D4D8875E1CED490700DC7583 /* si-74-OTAPKISigner.c in Sources */, D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */, diff --git a/OSX/sec/securityd/OTATrustUtilities.c b/OSX/sec/securityd/OTATrustUtilities.c index dbe5ba77..cd8fc600 100644 --- a/OSX/sec/securityd/OTATrustUtilities.c +++ b/OSX/sec/securityd/OTATrustUtilities.c 
@@ -125,18 +125,19 @@ typedef struct index_record index_record; struct _OpaqueSecOTAPKI { - CFRuntimeBase _base; - CFSetRef _blackListSet; - CFSetRef _grayListSet; - CFDictionaryRef _allowList; - CFArrayRef _trustedCTLogs; - CFDataRef _CTWhiteListData; - CFArrayRef _escrowCertificates; - CFArrayRef _escrowPCSCertificates; - CFDictionaryRef _evPolicyToAnchorMapping; - CFDictionaryRef _anchorLookupTable; - const char* _anchorTable; - int _assetVersion; + CFRuntimeBase _base; + CFSetRef _blackListSet; + CFSetRef _grayListSet; + CFDictionaryRef _allowList; + CFArrayRef _trustedCTLogs; + CFDataRef _CTWhiteListData; + CFArrayRef _escrowCertificates; + CFArrayRef _escrowPCSCertificates; + CFDictionaryRef _evPolicyToAnchorMapping; + CFDictionaryRef _anchorLookupTable; + const char* _anchorTable; + const char* _assetPath; + int _assetVersion; }; CFGiblisFor(SecOTAPKI) @@ -159,10 +160,17 @@ static void SecOTAPKIDestroy(CFTypeRef cf) CFReleaseNull(otapkiref->_evPolicyToAnchorMapping); CFReleaseNull(otapkiref->_anchorLookupTable); - free((void *)otapkiref->_anchorTable); - CFReleaseNull(otapkiref->_trustedCTLogs); CFReleaseNull(otapkiref->_CTWhiteListData); + + if (otapkiref->_anchorTable) { + free((void *)otapkiref->_anchorTable); + otapkiref->_anchorTable = NULL; + } + if (otapkiref->_assetPath) { + free((void *)otapkiref->_assetPath); + otapkiref->_assetPath = NULL; + } } static CFDataRef SecOTACopyFileContents(const char *path) @@ -965,7 +973,7 @@ static SecOTAPKIRef SecOTACreate() SecOTAPKIRef otapkiref = NULL; - otapkiref = CFTypeAllocate(SecOTAPKI, struct _OpaqueSecOTAPKI , kCFAllocatorDefault); + otapkiref = CFTypeAllocate(SecOTAPKI, struct _OpaqueSecOTAPKI , kCFAllocatorDefault); if (NULL == otapkiref) { 
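Review bot: The two new blocks in SecOTAPKIDestroy wrap free() in `if (otapkiref->_anchorTable)` / `if (otapkiref->_assetPath)` guards, but free(NULL) is a no-op, so the guards only add nesting and differ in style from the bare `free((void *)otapkiref->_anchorTable);` the hunk removes. `free((void *)otapkiref->_anchorTable); otapkiref->_anchorTable = NULL;` and the same pair for `_assetPath` is enough; the NULL assignment is still worth keeping so a stale pointer cannot be freed twice if the destroy path is ever re-entered. The -125 hunk transfers ownership of the InitOTADirectory string to the struct; a one-line comment on `_assetPath` saying it is malloc'd and freed here would make that ownership explicit. SecOTAPKIDestroy begins outside the hunk.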
@@ -976,19 +984,21 @@ static SecOTAPKIRef SecOTACreate() // will do the right thing otapkiref->_blackListSet = NULL; otapkiref->_grayListSet = NULL; - otapkiref->_allowList = NULL; - otapkiref->_trustedCTLogs = NULL; - otapkiref->_CTWhiteListData = NULL; + otapkiref->_allowList = NULL; + otapkiref->_trustedCTLogs = NULL; + otapkiref->_CTWhiteListData = NULL; otapkiref->_escrowCertificates = NULL; otapkiref->_escrowPCSCertificates = NULL; otapkiref->_evPolicyToAnchorMapping = NULL; otapkiref->_anchorLookupTable = NULL; otapkiref->_anchorTable = NULL; + otapkiref->_assetPath = NULL; otapkiref->_assetVersion = 0; // Start off by getting the correct asset directory info int asset_version = 0; const char* path_ptr = InitOTADirectory(&asset_version); + otapkiref->_assetPath = path_ptr; otapkiref->_assetVersion = asset_version; TestOTALog("SecOTACreate: asset_path = %s\n", path_ptr); @@ -998,9 +1008,6 @@ static SecOTAPKIRef SecOTACreate() CFSetRef blackKeysSet = InitializeBlackList(path_ptr); if (NULL == blackKeysSet) { - if (path_ptr) { - free((void *)path_ptr); - } CFReleaseNull(otapkiref); return otapkiref; } 
@@ -1010,31 +1017,25 @@ static SecOTAPKIRef SecOTACreate() CFSetRef grayKeysSet = InitializeGrayList(path_ptr); if (NULL == grayKeysSet) { - if (path_ptr) { - free((void *)path_ptr); - } CFReleaseNull(otapkiref); return otapkiref; } otapkiref->_grayListSet = grayKeysSet; - // Get the allow list dictionary - otapkiref->_allowList = InitializeAllowList(path_ptr); + // Get the allow list dictionary + // (now loaded lazily in SecOTAPKICopyAllowList) - // Get the trusted Certificate Transparency Logs - otapkiref->_trustedCTLogs = InitializeTrustedCTLogs(path_ptr); + // Get the trusted Certificate Transparency Logs + otapkiref->_trustedCTLogs = InitializeTrustedCTLogs(path_ptr); - // Get the EV whitelist - otapkiref->_CTWhiteListData = InitializeCTWhiteListData(path_ptr); + // Get the EV whitelist + otapkiref->_CTWhiteListData = InitializeCTWhiteListData(path_ptr); CFArrayRef escrowCerts = NULL; CFArrayRef escrowPCSCerts = NULL; InitializeEscrowCertificates(path_ptr, &escrowCerts, &escrowPCSCerts); if (NULL == escrowCerts || NULL == escrowPCSCerts) { - if (path_ptr) { - free((void *)path_ptr); - } CFReleaseNull(escrowCerts); CFReleaseNull(escrowPCSCerts); CFReleaseNull(otapkiref); @@ -1047,9 +1048,6 @@ static SecOTAPKIRef SecOTACreate() CFDictionaryRef evOidToAnchorDigestMap = InitializeEVPolicyToAnchorDigestsTable(path_ptr); if (NULL == evOidToAnchorDigestMap) { - if (path_ptr) { - free((void *)path_ptr); - } CFReleaseNull(otapkiref); return otapkiref; } @@ -1064,9 +1062,6 @@ static SecOTAPKIRef SecOTACreate() if (anchorTablePtr) { free((void *)anchorTablePtr); } - if (path_ptr) { - free((void *)path_ptr); - } CFReleaseNull(otapkiref); return otapkiref; } 
@@ -1127,15 +1122,54 @@ CFSetRef SecOTAPKICopyGrayList(SecOTAPKIRef otapkiRef) CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef) { - CFDictionaryRef result = NULL; - if (NULL == otapkiRef) - { - return result; - } + CFDictionaryRef result = NULL; + if (NULL == otapkiRef) + { + return result; + } - result = otapkiRef->_allowList; - CFRetainSafe(result); - return result; + result = otapkiRef->_allowList; + if (!result) { + result = InitializeAllowList(otapkiRef->_assetPath); + otapkiRef->_allowList = result; + } + + CFRetainSafe(result); + return result; +} + +CFArrayRef SecOTAPKICopyAllowListForAuthKeyID(SecOTAPKIRef otapkiRef, CFStringRef authKeyID) +{ + // %%% temporary performance optimization: + // only load dictionary if we know an allow list exists for this key + const CFStringRef keyIDs[3] = { + CFSTR("7C724B39C7C0DB62A54F9BAA183492A2CA838259"), + CFSTR("65F231AD2AF7F7DD52960AC702C10EEFA6D53B11"), + CFSTR("D2A716207CAFD9959EEB430A19F2E0B9740EA8C7") + }; + CFArrayRef result = NULL; + bool hasAllowList = false; + CFIndex count = (sizeof(keyIDs) / sizeof(keyIDs[0])); + for (CFIndex ix=0; ixfilter == kSecBackupableItemFilter; + /* Skip akpu items when backing up, those are intentionally lost across restores. The same applies to SEP-based keys */ + bool skip_akpu_or_token = c->filter == kSecBackupableItemFilter; sqlite_int64 rowid = sqlite3_column_int64(stmt, 0); - CFMutableDictionaryRef item; + CFMutableDictionaryRef item = NULL; bool ok = s3dl_item_from_col(stmt, q, 1, c->qc.accessGroups, &item, &access_control, &localError); bool is_akpu = access_control ? CFEqualSafe(SecAccessControlGetProtection(access_control), kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly) : false; + bool is_token = (ok && item != NULL) ? 
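Review bot: The lazy load added to SecOTAPKICopyAllowList writes `otapkiRef->_allowList` on an object that, judging by the SecOTAPKICopyCurrentOTAPKIRef calls in SecPolicyServer.c, is shared between concurrent trust evaluations, and nothing in the hunk serialises it: two threads that both observe NULL each call InitializeAllowList, one dictionary is overwritten without release and leaks, and the unsynchronised read/write of the field is a data race. Take a lock or a once-style guard around `result = InitializeAllowList(otapkiRef->_assetPath); otapkiRef->_allowList = result;`, or keep the eager load in SecOTACreate and skip it only where the cost has been measured. Separately, SecOTAPKICopyAllowListForAuthKeyID hard-codes three authority key IDs as the only keys for which an allow list can exist, so an allow list delivered for any other key in a future OTA asset is silently ignored until the binary changes; the `%%% temporary performance optimization` comment should carry a tracking reference and the asset version it was validated against. The rest of SecOTAPKICopyAllowListForAuthKeyID is not legible in this hunk, so the loop body could not be reviewed.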
CFDictionaryContainsKey(item, kSecAttrTokenID) : false; - if (ok && item && !(skip_akpu && is_akpu)) { + if (ok && item && !(skip_akpu_or_token && (is_akpu || is_token))) { /* Only export sysbound items if do_sys_bound is true, only export non sysbound items otherwise. */ bool do_sys_bound = c->filter == kSecSysBoundItemFilter; if (c->filter == kSecNoItemFilter || @@ -1286,7 +1287,7 @@ static void s3dl_export_row(sqlite3_stmt *stmt, void *context) { } else { OSStatus status = SecErrorGetOSStatus(localError); - if (status == errSecInteractionNotAllowed && is_akpu && skip_akpu) { + if (status == errSecInteractionNotAllowed && is_akpu && skip_akpu_or_token) { // We expect akpu items to be inaccessible when the device is locked. CFReleaseNull(localError); } else { @@ -1481,6 +1482,14 @@ SecServerImportItem(const void *value, void *context) return; } } + + /* Avoid importing token-based items. Although newer backups should not have them, + * older (iOS9, iOS10.0) produced backups with token-based items. + */ + if (CFDictionaryContainsKey(dict, kSecAttrTokenID)) { + secdebug("item", "Skipping token-based item : %@", dict); + return; + } } SecDbItemRef item; diff --git a/OSX/sec/securityd/SecKeybagSupport.c b/OSX/sec/securityd/SecKeybagSupport.c index e22897b7..88aeeb00 100644 --- a/OSX/sec/securityd/SecKeybagSupport.c +++ b/OSX/sec/securityd/SecKeybagSupport.c 
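Review bot: The new skip in SecServerImportItem logs the whole imported item with `secdebug("item", "Skipping token-based item : %@", dict);`; if `dict` at this point still carries the decoded attributes and kSecValueData of the backup item, that secret material lands in debug logs whenever the skip fires. Log only what identifies the item, e.g. `secdebug("item", "Skipping token-based item (tokenID %@)", CFDictionaryGetValue(dict, kSecAttrTokenID));`. The enclosing function begins outside the hunk, so whether the value has already been stripped from `dict` here is not visible.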
@@ -132,9 +132,12 @@ bool ks_crypt(CFTypeRef operation, keybag_handle_t keybag, if (kernResult != KERN_SUCCESS) { if ((kernResult == kIOReturnNotPermitted) || (kernResult == kIOReturnNotPrivileged)) { + const char *substatus = ""; + if (keyclass == key_class_ck || keyclass == key_class_cku) + substatus = " (hiberation ?)"; /* Access to item attempted while keychain is locked. */ - return SecError(errSecInteractionNotAllowed, error, CFSTR("ks_crypt: %x failed to '%@' item (class %"PRId32", bag: %"PRId32") Access to item attempted while keychain is locked."), - kernResult, operation, keyclass, keybag); + return SecError(errSecInteractionNotAllowed, error, CFSTR("ks_crypt: %x failed to '%@' item (class %"PRId32", bag: %"PRId32") Access to item attempted while keychain is locked%s."), + kernResult, operation, keyclass, keybag, substatus); } else if (kernResult == kIOReturnError) { /* Item can't be decrypted on this device, ever, so drop the item. */ return SecError(errSecDecode, error, CFSTR("ks_crypt: %x failed to '%@' item (class %"PRId32", bag: %"PRId32") Item can't be decrypted on this device, ever, so drop the item."), diff --git a/OSX/sec/securityd/SecKeybagSupport.h b/OSX/sec/securityd/SecKeybagSupport.h index ee240cf2..565952c0 100644 --- a/OSX/sec/securityd/SecKeybagSupport.h +++ b/OSX/sec/securityd/SecKeybagSupport.h @@ -43,11 +43,7 @@ __BEGIN_DECLS -// TODO: Get this out of this file -#if USE_KEYSTORE -typedef int32_t keyclass_t; -#else - +#if !USE_KEYSTORE /* TODO: this needs to be available in the sim! */ typedef int32_t keyclass_t; typedef int32_t key_handle_t; diff --git a/OSX/sec/securityd/SecPolicyServer.c b/OSX/sec/securityd/SecPolicyServer.c index 2835e685..2730c316 100644 --- a/OSX/sec/securityd/SecPolicyServer.c +++ b/OSX/sec/securityd/SecPolicyServer.c 
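Review bot: The new substatus in ks_crypt is the runtime string `" (hiberation ?)"`, misspelled and with a stray space before the question mark, and it is appended to the error message callers and logs see; use `substatus = " (hibernation?)";`. The two-line `if (keyclass == key_class_ck || keyclass == key_class_cku)` has no braces, unlike the surrounding code, and the hunk does not say why those two classes in particular point at hibernation, so a one-line comment stating the link would help the next reader. The surrounding `if`/`else if` chain and ks_crypt itself continue outside the hunk.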
@@ -1186,21 +1186,24 @@ static void SecPolicyCheckIntermediateEKU(SecPVCRef pvc, CFStringRef key) } } -/* Returns true if path is on the allow list, false otherwise */ -static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc) +/* Returns true if path is on the allow list for the authority key of the + certificate at certix, false otherwise. + */ +static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc, CFIndex certix) { bool result = false; CFIndex ix = 0, count = SecPVCGetCertificateCount(pvc); CFStringRef authKey = NULL; + CFArrayRef allowedCerts = NULL; SecOTAPKIRef otapkiRef = NULL; - CFDictionaryRef allowList = NULL; - //get authKeyID from the last chain in the cert - if (count < 1) { + if (certix < 0 || certix >= count) { return result; } - SecCertificateRef lastCert = SecPVCGetCertificateAtIndex(pvc, count - 1); - CFDataRef authKeyID = SecCertificateGetAuthorityKeyID(lastCert); + + //get authKeyID from the specified cert in the chain + SecCertificateRef issuedCert = SecPVCGetCertificateAtIndex(pvc, certix); + CFDataRef authKeyID = SecCertificateGetAuthorityKeyID(issuedCert); if (NULL == authKeyID) { return result; } 
@@ -1209,24 +1212,19 @@ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc) goto errout; } - //if allowList && key is in allowList, this would have chained up to a now-removed anchor otapkiRef = SecOTAPKICopyCurrentOTAPKIRef(); if (NULL == otapkiRef) { goto errout; } - allowList = SecOTAPKICopyAllowList(otapkiRef); - if (NULL == allowList) { - goto errout; - } - CFArrayRef allowedCerts = CFDictionaryGetValue(allowList, authKey); - if (!allowedCerts || !CFArrayGetCount(allowedCerts)) { + allowedCerts = SecOTAPKICopyAllowListForAuthKeyID(otapkiRef, authKey); + if (NULL == allowedCerts || !CFArrayGetCount(allowedCerts)) { goto errout; } //search sorted array for the SHA256 hash of a cert in the chain CFRange range = CFRangeMake(0, CFArrayGetCount(allowedCerts)); - for (ix = 0; ix < count; ix++) { + for (ix = 0; ix <= certix; ix++) { SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); if (!cert) { goto errout; @@ -1253,7 +1251,7 @@ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc) errout: CFReleaseNull(authKey); CFReleaseNull(otapkiRef); - CFReleaseNull(allowList); + CFReleaseNull(allowedCerts); return result; } @@ -1460,7 +1458,8 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, n--; } else { /* trust may be restored for a path with an untrusted root that matches the allow list */ - if (!SecPVCCheckCertificateAllowList(pvc)) { + pvc->is_allowlisted = SecPVCCheckCertificateAllowList(pvc, n - 1); + if (!pvc->is_allowlisted) { /* Add a detail for the root not being trusted. */ if (SecPVCSetResultForced(pvc, kSecPolicyCheckAnchorTrusted, n - 1, kCFBooleanFalse, true)) @@ -1516,7 +1515,7 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, goto errOut; } } - if (SecCertificateIsWeak(cert)) { + if (SecCertificateIsWeakKey(cert)) { CFStringRef fail_key = i == n ? kSecPolicyCheckWeakLeaf : kSecPolicyCheckWeakIntermediates; if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) { goto errOut; 
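Review bot: In the -1460 hunk, `SecPVCCheckCertificateAllowList(pvc, n - 1)` keys the allow-list lookup on the AuthorityKeyID of the root certificate itself, and the earlier -1186 hunk returns false when that extension is absent, so a removed root that carries no AKID can never have any of its issued certificates allow-listed, and a true result silently waives the kSecPolicyCheckAnchorTrusted failure. Either document that limitation at the call site, e.g. `/* allow list is keyed on the root's AKID; roots without one cannot be allow-listed */`, or fall back to the root's SubjectKeyID when the AKID is missing. It would also help to note next to `pvc->is_allowlisted = ...` which later checks are expected to consult the flag, since the hunk shows it being set but not read. SecPolicyCheckBasicCertificateProcessing continues outside the hunk.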
@@ -2467,7 +2466,7 @@ static void SecPolicyCheckWeakIntermediates(SecPVCRef pvc,
 CFIndex ix, count = SecPVCGetCertificateCount(pvc);
 for (ix = 1; ix < count - 1; ++ix) {
 SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
- if (cert && SecCertificateIsWeak(cert)) {
+ if (cert && SecCertificateIsWeakKey(cert)) {
 /* Intermediate certificate has a weak key. */
 if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse))
 return;
@@ -2478,7 +2477,7 @@ static void SecPolicyCheckWeakIntermediates(SecPVCRef pvc,
 static void SecPolicyCheckWeakLeaf(SecPVCRef pvc, CFStringRef key) {
 SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, 0);
- if (cert && SecCertificateIsWeak(cert)) {
+ if (cert && SecCertificateIsWeakKey(cert)) {
 /* Leaf certificate has a weak key. */
 if (!SecPVCSetResult(pvc, key, 0, kCFBooleanFalse))
 return;
@@ -2490,7 +2489,7 @@ static void SecPolicyCheckWeakRoot(SecPVCRef pvc,
 CFIndex ix, count = SecPVCGetCertificateCount(pvc);
 ix = count - 1;
 SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
- if (cert && SecCertificateIsWeak(cert)) {
+ if (cert && SecCertificateIsWeakKey(cert)) {
 /* Root certificate has a weak key. */
 if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse))
 return;
@@ -3333,6 +3332,13 @@ static bool SecPVCCheckRevocation(SecPVCRef pvc) {
 SecORVCProcessStapledResponses(rvc->orvc);
 }
+#if TARGET_OS_BRIDGE
+ /* The bridge has no writeable storage and no network. Nothing else we can
+ * do here. */
+ rvc->done = true;
+ return completed;
+#endif
+
 /* Then check the caches for revocation results. */
 SecRVCCheckRevocationCaches(rvc);
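Review bot: The `#if TARGET_OS_BRIDGE` block returns from the middle of SecPVCCheckRevocation, so on that target the cache check visible below it and whatever follows outside the hunk become unreachable code that still has to compile, and the `completed` value returned there is computed above the hunk where I cannot see it. Wrapping the remainder of the body in `#else … #endif` keeps a single exit path and makes the bridge behaviour visible at a glance; at minimum the comment should say what the early return reports, e.g. `/* only the stapled responses processed above contribute to the result on the bridge */`.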
@@ -3537,23 +3543,14 @@ void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies,
 secdebug("alloc", "%p", pvc);
 // Weird logging policies crashes.
 //secdebug("policy", "%@", policies);
+
+ // Zero the pvc struct so only non-zero fields need to be explicitly set
+ memset(pvc, 0, sizeof(struct OpaqueSecPVC));
 pvc->builder = builder;
 pvc->policies = policies;
 if (policies) CFRetain(policies);
 pvc->verifyTime = verifyTime;
- pvc->path = NULL;
- pvc->details = NULL;
- pvc->info = NULL;
- pvc->valid_policy_tree = NULL;
- pvc->callbacks = NULL;
- pvc->policyIX = 0;
- pvc->rvcs = NULL;
- pvc->asyncJobCount = 0;
- pvc->check_revocation = NULL;
- pvc->response_required = false;
- pvc->optionally_ev = false;
- pvc->is_ev = false;
 pvc->result = true;
 }
@@ -3810,7 +3807,7 @@ bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix) {
 goto errOut;
 }
- if (SecCertificateIsWeak(cert)) {
+ if (SecCertificateIsWeakKey(cert)) {
 /* Certificate uses weak key. */
 if (!SecPVCSetResult(pvc, is_anchor ? kSecPolicyCheckWeakRoot : kSecPolicyCheckWeakIntermediates, ix, kCFBooleanFalse))
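Review bot: `memset(pvc, 0, sizeof(struct OpaqueSecPVC))` ties the cleared size to the type name rather than to the object; `memset(pvc, 0, sizeof(*pvc));` is the form the matching change in SecPathBuilderCreate uses elsewhere in this patch and cannot drift if the pointer's type ever changes. The clear also discards, without releasing, any references a previously initialised pvc still holds (the old per-field NULL stores did the same, so this is not new),  which the new comment could state so callers know the precondition: `// Zero the pvc struct so only non-zero fields need to be explicitly set; assumes pvc holds no live references, nothing is released here`.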
@@ -3860,22 +3857,33 @@ bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix) {
 if (NULL != blackListedKeys) {
 SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
- bool is_anchor = (ix == SecPVCGetCertificateCount(pvc) - 1
- && SecPVCIsAnchored(pvc));
- if (!is_anchor) {
- /* Check for blacklisted intermediates keys. */
- CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
- if (dgst) {
- /* Check dgst against blacklist. */
- if (CFSetContainsValue(blackListedKeys, dgst)) {
- SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey,
- ix, kCFBooleanFalse, true);
- }
- CFRelease(dgst);
- }
- }
+ CFIndex count = SecPVCGetCertificateCount(pvc);
+ bool is_last = (ix == count - 1);
+ bool is_anchor = (is_last && SecPVCIsAnchored(pvc));
+ if (!is_anchor) {
+ /* Check for blacklisted intermediate issuer keys. */
+ CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
+ if (dgst) {
+ /* Check dgst against blacklist. */
+ if (CFSetContainsValue(blackListedKeys, dgst)) {
+ /* Check allow list for this blacklisted issuer key,
+ which is the authority key of the issued cert at ix-1.
+ If ix is the last cert, the root is missing, so we
+ also check our own authority key in that case.
+ */
+ bool allowed = ((ix && SecPVCCheckCertificateAllowList(pvc, ix - 1)) ||
+ (is_last && SecPVCCheckCertificateAllowList(pvc, ix)));
+ if (!allowed) {
+ SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey,
+ ix, kCFBooleanFalse, true);
+ }
+ pvc->is_allowlisted = allowed;
+ }
+ CFRelease(dgst);
+ }
+ }
 CFRelease(blackListedKeys);
- return pvc->result;
+ return pvc->result;
 }
 }
 // Assume OK
@@ -3884,7 +3892,7 @@ bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix) {
 bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix) {
- /* Check stuff common to intermediate and anchors. */
+ /* Check stuff common to intermediate and anchors. */
 SecOTAPKIRef otapkiRef = SecOTAPKICopyCurrentOTAPKIRef();
 if (NULL != otapkiRef) {
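Review bot: The new body of SecPVCBlackListedKeyChecks and the one in SecPVCGrayListedKeyChecks (the -3893 hunk) are identical except for the set consulted and the result key passed to SecPVCSetResultForced, so any future fix to the allow-list logic has to be made twice. A file-local helper taking the set and the key removes the duplication; the set's declared type is above the hunk, but `CFSetContainsValue(blackListedKeys, dgst)` suggests a CFSetRef. Each call site then reduces to `SecPVCCheckListedKey(pvc, ix, blackListedKeys, kSecPolicyCheckBlackListedKey);` ahead of the existing `CFRelease(blackListedKeys);`, and the anchor/NULL-digest early exits become plain returns inside the helper.
```c
/* Shared body of the black- and gray-list checks: fails checkKey for the
 * certificate at ix unless the cert it issued (ix-1), or the cert itself
 * when the chain has no root, is on the allow list for that issuer key.
 * Anchors are not subject to these checks. */
static void SecPVCCheckListedKey(SecPVCRef pvc, CFIndex ix,
                                 CFSetRef listedKeys, CFStringRef checkKey) {
    SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
    CFIndex count = SecPVCGetCertificateCount(pvc);
    bool is_last = (ix == count - 1);
    if (is_last && SecPVCIsAnchored(pvc)) {
        return;
    }
    CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
    if (!dgst) {
        return;
    }
    if (CFSetContainsValue(listedKeys, dgst)) {
        bool allowed = ((ix && SecPVCCheckCertificateAllowList(pvc, ix - 1)) ||
                        (is_last && SecPVCCheckCertificateAllowList(pvc, ix)));
        if (!allowed) {
            SecPVCSetResultForced(pvc, checkKey, ix, kCFBooleanFalse, true);
        }
        pvc->is_allowlisted = allowed;
    }
    CFRelease(dgst);
}

/* … unchanged: SecPVCBlackListedKeyChecks up to the NULL check on blackListedKeys … */
        SecPVCCheckListedKey(pvc, ix, blackListedKeys, kSecPolicyCheckBlackListedKey);
        CFRelease(blackListedKeys);
        return pvc->result;
```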
@@ -3893,22 +3901,33 @@ bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix)
 if (NULL != grayListKeys) {
 SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix);
- bool is_anchor = (ix == SecPVCGetCertificateCount(pvc) - 1
- && SecPVCIsAnchored(pvc));
- if (!is_anchor) {
- /* Check for gray listed intermediates keys. */
- CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
- if (dgst) {
- /* Check dgst against gray list. */
- if (CFSetContainsValue(grayListKeys, dgst)) {
- SecPVCSetResultForced(pvc, kSecPolicyCheckGrayListedKey,
- ix, kCFBooleanFalse, true);
- }
- CFRelease(dgst);
- }
- }
+ CFIndex count = SecPVCGetCertificateCount(pvc);
+ bool is_last = (ix == count - 1);
+ bool is_anchor = (is_last && SecPVCIsAnchored(pvc));
+ if (!is_anchor) {
+ /* Check for gray listed intermediate issuer keys. */
+ CFDataRef dgst = SecCertificateCopyPublicKeySHA1Digest(cert);
+ if (dgst) {
+ /* Check dgst against gray list. */
+ if (CFSetContainsValue(grayListKeys, dgst)) {
+ /* Check allow list for this graylisted issuer key,
+ which is the authority key of the issued cert at ix-1.
+ If ix is the last cert, the root is missing, so we
+ also check our own authority key in that case.
+ */
+ bool allowed = ((ix && SecPVCCheckCertificateAllowList(pvc, ix - 1)) ||
+ (is_last && SecPVCCheckCertificateAllowList(pvc, ix)));
+ if (!allowed) {
+ SecPVCSetResultForced(pvc, kSecPolicyCheckGrayListedKey,
+ ix, kCFBooleanFalse, true);
+ }
+ pvc->is_allowlisted = allowed;
+ }
+ CFRelease(dgst);
+ }
+ }
 CFRelease(grayListKeys);
- return pvc->result;
+ return pvc->result;
 }
 }
 // Assume ok
diff --git a/OSX/sec/securityd/SecPolicyServer.h b/OSX/sec/securityd/SecPolicyServer.h
index f1393c03..ecae581d 100644
--- a/OSX/sec/securityd/SecPolicyServer.h
+++ b/OSX/sec/securityd/SecPolicyServer.h
@@ -63,6 +63,7 @@ struct OpaqueSecPVC {
 bool is_ev;
 bool is_ct;
 bool is_ct_whitelisted;
+ bool is_allowlisted;
 bool result;
 };
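Review bot: `is_allowlisted` joins struct OpaqueSecPVC with no comment, although it is written by three different checks in SecPolicyServer.c and read when scoring in SecTrustServer.c, so its meaning cannot be recovered from this declaration alone. Suggest `bool is_allowlisted; /* a cert in the path matched the OTA allow list for its issuer key; written by the untrusted-root and listed-key checks, last writer wins */`, with the ordering claim confirmed against the check sequence before it is relied upon.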
diff --git a/OSX/sec/securityd/SecTrustServer.c b/OSX/sec/securityd/SecTrustServer.c
index 2d6edacb..1b36ba36 100644
--- a/OSX/sec/securityd/SecTrustServer.c
+++ b/OSX/sec/securityd/SecTrustServer.c
@@ -33,6 +33,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -61,6 +62,8 @@
 #include
 #include
 #include "OTATrustUtilities.h"
+#include "personalization.h"
+#include
 /********************************************************
@@ -770,6 +773,7 @@ struct SecPathBuilder {
 SecCertificateSourceRef certificateSource;
 SecCertificateSourceRef itemCertificateSource;
 SecCertificateSourceRef anchorSource;
+ SecCertificateSourceRef appleAnchorSource;
 CFMutableArrayRef anchorSources;
 CFIndex nextParentSource;
 CFMutableArrayRef parentSources;
@@ -861,11 +865,8 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
 builder->queue = dispatch_queue_create("builder", DISPATCH_QUEUE_SERIAL);
 builder->nextParentSource = 1;
- builder->considerPartials = false;
 #if !TARGET_OS_WATCH
 builder->canAccessNetwork = true;
-#else
- builder->canAccessNetwork = false;
 #endif
 builder->anchorSources = CFArrayCreateMutable(allocator, 0, NULL);
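Review bot: Dropping `builder->considerPartials = false;` and the `#else` store to `canAccessNetwork` makes SecPathBuilderInit depend on the caller having zero-filled the struct (the `memset` added to SecPathBuilderCreate further down this patch), and the same applies to the fields removed in the -876 hunk (`partialIX`, `bestPath`, `bestPathIsEV`, `bestPathIsSHA2`, `denyBestPath`, `bestPathScore`) and to `activations` in the -975 hunk. Any other caller of this static initializer, or a future stack-allocated builder, would read indeterminate values, which is undefined behaviour in C. Moving the clear into SecPathBuilderInit itself, as this patch does for SecPVCInit, removes the hidden precondition; failing that, document it above the function: `/* Requires *builder to be zero-filled by the caller (see SecPathBuilderCreate); only non-zero fields are set here. */`.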
@@ -876,70 +877,90 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
 builder->partialPaths = CFArrayCreateMutable(allocator, 0, NULL);
 builder->rejectedPaths = CFArrayCreateMutable(allocator, 0, NULL);
 builder->candidatePaths = CFArrayCreateMutable(allocator, 0, NULL);
- builder->partialIX = 0;
 /* Init the policy verification context. */
 SecPVCInit(&builder->path, builder, policies, verifyTime);
- builder->bestPath = NULL;
- builder->bestPathIsEV = false;
- builder->bestPathIsSHA2 = false;
- builder->denyBestPath = false;
- builder->bestPathScore = 0;
 /* Let's create all the certificate sources we might want to use. */
 builder->certificateSource = SecMemoryCertificateSourceCreate(certificates);
- if (anchors)
+ if (anchors) {
 builder->anchorSource = SecMemoryCertificateSourceCreate(anchors);
- else
- builder->anchorSource = NULL;
+ }
+
+ bool allowNonProduction = false;
+ builder->appleAnchorSource = SecMemoryCertificateSourceCreate(SecGetAppleTrustAnchors(allowNonProduction));
+
 /** Parent Sources
 ** The order here avoids the most expensive methods if the cheaper methods
 ** produce an acceptable chain: client-provided, keychains, network-fetched.
 **/
+#if !TARGET_OS_BRIDGE
 CFArrayAppendValue(builder->parentSources, builder->certificateSource);
 builder->itemCertificateSource = SecItemCertificateSourceCreate(accessGroups);
 if (keychainsAllowed) {
 CFArrayAppendValue(builder->parentSources, builder->itemCertificateSource);
-#if !TARGET_OS_IPHONE
+ #if TARGET_OS_OSX
 /* On OS X, need additional parent source to search legacy keychain files. */
 if (kSecLegacyCertificateSource.contains && kSecLegacyCertificateSource.copyParents) {
 CFArrayAppendValue(builder->parentSources, &kSecLegacyCertificateSource);
 }
-#endif
+ #endif
 }
 if (anchorsOnly) {
- /* Add the system and user anchor certificate db to the search list
+ /* Add the Apple, system, and user anchor certificate db to the search list
 if we don't explicitly trust them. */
+ CFArrayAppendValue(builder->parentSources, builder->appleAnchorSource);
 CFArrayAppendValue(builder->parentSources, &kSecSystemAnchorSource);
-#if TARGET_OS_IPHONE
+ #if TARGET_OS_IPHONE
 CFArrayAppendValue(builder->parentSources, &kSecUserAnchorSource);
-#endif
+ #endif
 }
 if (keychainsAllowed && builder->canAccessNetwork) {
 CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource);
 }
+#else /* TARGET_OS_BRIDGE */
+ /* Bridge can only access memory sources. */
+ CFArrayAppendValue(builder->parentSources, builder->certificateSource);
+ if (anchorsOnly) {
+ /* Add the Apple, system, and user anchor certificate db to the search list
+ if we don't explicitly trust them. */
+ CFArrayAppendValue(builder->parentSources, builder->appleAnchorSource);
+ }
+#endif /* !TARGET_OS_BRIDGE */
 /** Anchor Sources
 ** The order here allows a client-provided anchor to overrule
 ** a user or admin trust setting which can overrule the system anchors.
+ ** Apple's anchors cannot be overriden by a trust setting.
 **/
+#if !TARGET_OS_BRIDGE
 if (builder->anchorSource) {
 CFArrayAppendValue(builder->anchorSources, builder->anchorSource);
 }
 if (!anchorsOnly) {
 /* Only add the system and user anchor certificate db to the anchorSources
 if we are supposed to trust them. */
-#if TARGET_OS_IPHONE
+ CFArrayAppendValue(builder->anchorSources, builder->appleAnchorSource);
+ #if TARGET_OS_IPHONE
 CFArrayAppendValue(builder->anchorSources, &kSecUserAnchorSource);
-#else
+ #else /* TARGET_OS_OSX */
 if (keychainsAllowed && kSecLegacyAnchorSource.contains && kSecLegacyAnchorSource.copyParents) {
 CFArrayAppendValue(builder->anchorSources, &kSecLegacyAnchorSource);
 }
-#endif
+ #endif
 CFArrayAppendValue(builder->anchorSources, &kSecSystemAnchorSource);
 }
+#else /* TARGET_OS_BRIDGE */
+ /* Bridge can only access memory sources. */
+ if (builder->anchorSource) {
+ CFArrayAppendValue(builder->anchorSources, builder->anchorSource);
+ }
+ if (!anchorsOnly) {
+ CFArrayAppendValue(builder->anchorSources, builder->appleAnchorSource);
+ }
+#endif /* !TARGET_OS_BRIDGE */
 /* Now let's get the leaf cert and turn it into a path. */
 SecCertificateRef leaf =
@@ -975,7 +996,6 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
 CFReleaseSafe(otapkiref);
 }
- builder->activations = 0;
 builder->state = SecPathBuilderGetNext;
 builder->completed = completed;
 builder->context = context;
@@ -988,6 +1008,7 @@ SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
 CFAbsoluteTime verifyTime, CFArrayRef accessGroups, SecPathBuilderCompleted completed, const void *context) {
 SecPathBuilderRef builder = malloc(sizeof(*builder));
+ memset(builder, 0, sizeof(*builder));
 SecPathBuilderInit(builder, clientAuditToken, certificates, anchors, anchorsOnly, keychainsAllowed, policies, ocspResponses, signedCertificateTimestamps, trustedLogs, verifyTime,
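Review bot: In the `#else /* TARGET_OS_BRIDGE */` parent-sources branch the comment still reads `Add the Apple, system, and user anchor certificate db to the search list`, but only `builder->appleAnchorSource` is appended there; suggest `/* Bridge has no system or user anchor store; the built-in Apple anchors are the only anchors searched. */`. `bool allowNonProduction = false;` is a local that is never anything but false, so its intent reads better as a comment on the call, `/* production Apple roots only; test roots are never trusted here */` with `SecGetAppleTrustAnchors(false)`. A fresh memory source for the Apple anchors is built for every builder and, like the existing sources, appended without a NULL check; whether SecGetAppleTrustAnchors caches its result is not visible here and is worth confirming given how often builders are created.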
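Review bot: `memset(builder, 0, sizeof(*builder))` dereferences the result of the preceding unchecked `malloc`, so an allocation failure now faults here instead of on the first store inside SecPathBuilderInit. `SecPathBuilderRef builder = calloc(1, sizeof(*builder));` zero-fills in one step, and an explicit `if (!builder) return NULL;` (or the project's abort-on-OOM convention, if it has one) before SecPathBuilderInit makes the failure mode deliberate rather than incidental. The rest of SecPathBuilderCreate is outside the hunk.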
@@ -998,12 +1019,14 @@ SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken,
 static void SecPathBuilderDestroy(SecPathBuilderRef builder) {
 secdebug("alloc", "%p", builder);
 dispatch_release_null(builder->queue);
- if (builder->anchorSource)
- SecMemoryCertificateSourceDestroy(builder->anchorSource);
- if (builder->certificateSource)
- SecMemoryCertificateSourceDestroy(builder->certificateSource);
- if (builder->itemCertificateSource)
- SecItemCertificateSourceDestroy(builder->itemCertificateSource);
+ if (builder->anchorSource) {
+ SecMemoryCertificateSourceDestroy(builder->anchorSource); }
+ if (builder->certificateSource) {
+ SecMemoryCertificateSourceDestroy(builder->certificateSource); }
+ if (builder->itemCertificateSource) {
+ SecItemCertificateSourceDestroy(builder->itemCertificateSource); }
+ if (builder->appleAnchorSource) {
+ SecMemoryCertificateSourceDestroy(builder->appleAnchorSource); }
 CFReleaseSafe(builder->clientAuditToken);
 CFReleaseSafe(builder->anchorSources);
 CFReleaseSafe(builder->parentSources);
@@ -1419,6 +1442,7 @@ static void SecPathBuilderAccept(SecPathBuilderRef builder) {
 check(builder);
 SecPVCRef pvc = &builder->path;
 bool isSHA2 = !SecCertificatePathHasWeakHash(pvc->path);
+ bool isOptionallySHA2 = !SecCertificateIsWeakHash(SecPVCGetCertificateAtIndex(pvc, 0));
 CFIndex bestScore = builder->bestPathScore;
 /* Score this path. Note that all points awarded or deducted in
 * SecCertificatePathScore are < 100,000 */
@@ -1442,7 +1466,7 @@ static void SecPathBuilderAccept(SecPathBuilderRef builder) {
 /* If we found the best accept we can, we want to switch directly to the SecPathBuilderComputeDetails state here, since we're done. */
- if ((pvc->is_ev || !pvc->optionally_ev) && isSHA2)
+ if ((pvc->is_ev || !pvc->optionally_ev) && (isSHA2 || !isOptionallySHA2))
 builder->state = SecPathBuilderComputeDetails;
 else
 builder->state = SecPathBuilderGetNext;
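Review bot: The rewritten cleanup in SecPathBuilderDestroy puts each closing brace on the same line as the call, `SecMemoryCertificateSourceDestroy(builder->anchorSource); }`, which no other braced block in this file does; conventional layout with `}` on its own line is what a reader expects and what clang-format would produce. While these lines are being touched it is also cheap to NULL each pointer after destroying it, e.g. `builder->anchorSource = NULL;`, so a stale builder cannot be destroyed twice.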
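Review bot: `isOptionallySHA2` is set to `!SecCertificateIsWeakHash(leaf)` and then used negated in the -1442 hunk, so `(isSHA2 || !isOptionallySHA2)` reads as a double negative; naming the fact directly, `bool leafHasWeakHash = SecCertificateIsWeakHash(SecPVCGetCertificateAtIndex(pvc, 0));` and `(isSHA2 || leafHasWeakHash)`, states the rule as written: stop looking for a better path when this one is all SHA-2 or when the leaf alone already rules out any SHA-2 path. Elsewhere in this patch the result of `SecPVCGetCertificateAtIndex(pvc, 0)` is NULL-checked before use (`if (cert && SecCertificateIsWeakKey(cert))`), so either SecCertificateIsWeakHash must tolerate NULL or the same guard belongs here.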
@@ -1511,6 +1535,14 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) {
 builder->bestPathScore = 0;
 }
+ /* Accept a partial path if certificate is on the allow list
+ and is temporally valid. */
+ if (completed && pvc->is_allowlisted &&
+ builder->bestPathScore < ACCEPT_PATH_SCORE &&
+ SecCertificatePathIsValid(pvc->path, pvc->verifyTime)) {
+ builder->bestPathScore += ACCEPT_PATH_SCORE;
+ }
+
 CFReleaseSafe(details);
 return completed;
diff --git a/OSX/shared_regressions/shared_regressions.h b/OSX/shared_regressions/shared_regressions.h
index 64686bad..24acf828 100644
--- a/OSX/shared_regressions/shared_regressions.h
+++ b/OSX/shared_regressions/shared_regressions.h
@@ -24,6 +24,7 @@ ONE_TEST(si_24_sectrust_nist)
 ONE_TEST(si_24_sectrust_diginotar)
 ONE_TEST(si_24_sectrust_digicert_malaysia)
 ONE_TEST(si_24_sectrust_passbook)
+ONE_TEST(si_25_cms_skid)
 ONE_TEST(si_26_sectrust_copyproperties)
 ONE_TEST(si_27_sectrust_exceptions)
 ONE_TEST(si_28_sectrustsettings)
@@ -33,8 +34,10 @@ ONE_TEST(si_44_seckey_ec)
 ONE_TEST(si_44_seckey_ies)
 #if !TARGET_OS_WATCH
 ONE_TEST(si_67_sectrust_blacklist)
+ONE_TEST(si_84_sectrust_allowlist)
 #else
 DISABLED_ONE_TEST(si_67_sectrust_blacklist)
+DISABLED_ONE_TEST(si_84_sectrust_allowlist)
 #endif
 ONE_TEST(si_70_sectrust_unified)
 ONE_TEST(si_71_mobile_store_policy)
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/.gitignore b/OSX/shared_regressions/si-20-sectrust-policies-data/.gitignore
new file mode 100644
index 00000000..82b43177
--- /dev/null
+++ b/OSX/shared_regressions/si-20-sectrust-policies-data/.gitignore
@@ -0,0 +1,2 @@
+.DS_Store
+debugging.plist
diff --git a/OSX/utilities/.gitignore b/OSX/utilities/.gitignore
new file mode 100644
index 00000000..e43b0f98
--- /dev/null
+++ b/OSX/utilities/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/OSX/utilities/src/SecAppleAnchor.c b/OSX/utilities/src/SecAppleAnchor.c
index b453b927..4fcc5481 100644
--- a/OSX/utilities/src/SecAppleAnchor.c
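Review bot: The new acceptance bump consults only `pvc->is_allowlisted` and temporal validity; `pvc->result` is not consulted, so whether other failed checks on this path are already reflected in `bestPathScore` or in `completed` is not visible here and should be confirmed, because the flag can be set by the listed-key checks as well as by the untrusted-root branch. The comment `Accept a partial path if certificate is on the allow list` should also say which certificate: `/* Accept a partial (unanchored) path when SecPVCCheckCertificateAllowList matched a certificate in it against the allow list for its issuer key, provided the path is valid at verifyTime. */`. The function continues outside the hunk.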
+++ b/OSX/utilities/src/SecAppleAnchor.c
@@ -30,18 +30,6 @@ static CFDictionaryRef getAnchors(void);
-static bool testAppleAnchorsAllowed(SecAppleTrustAnchorFlags flags) {
- if (!(flags & kSecAppleTrustAnchorFlagsIncludeTestAnchors)) {
- /* user does not want test anchors */
- return false;
- }
- if (SecIsInternalRelease() ||
- flags & kSecAppleTrustAnchorFlagsAllowNonProduction) {
- /* device allows test anchors */
- return true;
- }
- return false;
-}
 bool
 SecIsAppleTrustAnchorData(CFDataRef cert,
@@ -59,11 +47,8 @@ SecIsAppleTrustAnchorData(CFDataRef cert,
 require(isBoolean(value), fail);
- if (testAppleAnchorsAllowed(flags)) {
- res = true;
- } else {
- res = CFBooleanGetValue(value);
- }
+ res = CFBooleanGetValue(value);
+
 fail:
 return res;
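Review bot: With the `testAppleAnchorsAllowed(flags)` branch gone, `flags` (presumably a parameter of SecIsAppleTrustAnchorData; its declaration is above the hunk) no longer influences the visible body, and if the rest of the function does not use it either the parameter is dead and should be marked `(void)flags; /* test anchors are no longer honoured */` or the public signature revisited. Dropping the test-anchor override tightens what this function will call an Apple anchor, which deserves a one-line comment at the new `res = CFBooleanGetValue(value);`, e.g. `/* only production Apple roots are recognised; test roots are never trusted */`. The start of the function is outside the hunk.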
@@ -114,32 +99,6 @@ static const unsigned char AppleRootG3Hash[32] = {
 0x7c, 0x4f, 0x5c, 0x75, 0x6f, 0x30, 0x17, 0xb3, 0xa8, 0xc4, 0x88, 0xc3, 0x65, 0x3e, 0x91, 0x79
 };
-/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */
-/* SKID: 59:B8:2B:94:3A:1B:BA:F1:00:AE:EE:50:52:23:33:C9:59:C3:54:98 */
-/* Not Before: Apr 22 02:15:48 2015 GMT, Not After : Feb 9 21:40:36 2035 GMT */
-/* Signature Algorithm: sha1WithRSAEncryption */
-static const unsigned char TestAppleRootCAHash[32] = {
- 0x08, 0x47, 0x99, 0xfb, 0xa9, 0x9c, 0x06, 0x46, 0xe5, 0xcf, 0x0b, 0xf2, 0x73, 0x7f, 0x23, 0xa4,
- 0x77, 0xe4, 0x98, 0x05, 0x5b, 0x9e, 0xf9, 0x0c, 0xdf, 0x40, 0xc2, 0x92, 0xfd, 0x46, 0x6c, 0xd7
-};
-/* subject:/CN=Test Apple Global Root CA/OU=Apple Certification Authority/O=Apple Inc./C=US */
-/* SKID: 96:D3:56:5F:F8:49:C1:40:DF:3B:82:36:5F:09:75:EE:95:58:32:43 */
-/* Not Before: Apr 22 02:43:57 2015 GMT, Not After : Dec 26 03:13:37 2040 GMT */
-/* Signature Algorithm: ecdsa-with-SHA384 */
-static const unsigned char TestAppleRootG2Hash[32] = {
- 0x0c, 0x14, 0x3e, 0xab, 0x0e, 0xb9, 0x23, 0xbe, 0xa5, 0xc5, 0x3e, 0xe4, 0x24, 0xcf, 0xdb, 0x63,
- 0xc6, 0xa9, 0xc2, 0x38, 0x0f, 0x6b, 0xf6, 0xbf, 0xb2, 0x62, 0xdd, 0x36, 0x92, 0x25, 0xfb, 0xea
-};
-/* subject:/CN=Test Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
-/* SKID: FC:46:D8:83:6C:1F:E6:F2:DC:DF:A7:99:17:AE:0B:44:67:17:1B:46 */
-/* Not Before: Apr 22 03:17:44 2015 GMT, Not After : Dec 26 03:13:37 2040 GMT */
-/* Signature Algorithm: ecdsa-with-SHA384 */
-static const unsigned char TestAppleRootG3Hash[32] = {
- 0xbe, 0x9f, 0x7d, 0x2b, 0x62, 0x81, 0x8b, 0xb0, 0xce, 0x6d, 0x7d, 0x73, 0x65, 0xcc, 0x9f, 0xbc,
- 0xbe, 0xa4, 0x1b, 0x5a, 0xe1, 0xd4, 0xe9, 0xdd, 0xd5, 0x4c, 0x1b, 0x34, 0x9e, 0x7a, 0x2d, 0xa6
-};
 static void addAnchor(CFMutableDictionaryRef anchors,
@@ -166,11 +125,261 @@ getAnchors(void) addAnchor(temp, AppleRootCAHash, sizeof(AppleRootCAHash), true); addAnchor(temp, AppleRootG2Hash, sizeof(AppleRootG2Hash), true); addAnchor(temp, AppleRootG3Hash, sizeof(AppleRootG3Hash), true); - addAnchor(temp, TestAppleRootCAHash, sizeof(TestAppleRootCAHash), false); - addAnchor(temp, TestAppleRootG2Hash, sizeof(TestAppleRootG2Hash), false); - addAnchor(temp, TestAppleRootG3Hash, sizeof(TestAppleRootG3Hash), false); + anchors = temp; + }); + return anchors; +} + +/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ +/* SKID: 2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E */ +/* Not Before: Apr 25 21:40:36 2006 GMT, Not After : Feb 9 21:40:36 2035 GMT */ +/* Signature Algorithm: sha1WithRSAEncryption */ +static const unsigned char AppleRootCA[1215]={ + 0x30,0x82,0x04,0xBB,0x30,0x82,0x03,0xA3,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x02, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, + 0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, + 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, + 0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, + 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, + 0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, + 0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x36,0x30,0x34,0x32,0x35,0x32,0x31,0x34, + 0x30,0x33,0x36,0x5A,0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30, + 0x33,0x36,0x5A,0x30,0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B, + 
0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, + 0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31, + 0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20, + 0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30, + 0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE4,0x91,0xA9,0x09,0x1F,0x91,0xDB,0x1E, + 0x47,0x50,0xEB,0x05,0xED,0x5E,0x79,0x84,0x2D,0xEB,0x36,0xA2,0x57,0x4C,0x55,0xEC, + 0x8B,0x19,0x89,0xDE,0xF9,0x4B,0x6C,0xF5,0x07,0xAB,0x22,0x30,0x02,0xE8,0x18,0x3E, + 0xF8,0x50,0x09,0xD3,0x7F,0x41,0xA8,0x98,0xF9,0xD1,0xCA,0x66,0x9C,0x24,0x6B,0x11, + 0xD0,0xA3,0xBB,0xE4,0x1B,0x2A,0xC3,0x1F,0x95,0x9E,0x7A,0x0C,0xA4,0x47,0x8B,0x5B, + 0xD4,0x16,0x37,0x33,0xCB,0xC4,0x0F,0x4D,0xCE,0x14,0x69,0xD1,0xC9,0x19,0x72,0xF5, + 0x5D,0x0E,0xD5,0x7F,0x5F,0x9B,0xF2,0x25,0x03,0xBA,0x55,0x8F,0x4D,0x5D,0x0D,0xF1, + 0x64,0x35,0x23,0x15,0x4B,0x15,0x59,0x1D,0xB3,0x94,0xF7,0xF6,0x9C,0x9E,0xCF,0x50, + 0xBA,0xC1,0x58,0x50,0x67,0x8F,0x08,0xB4,0x20,0xF7,0xCB,0xAC,0x2C,0x20,0x6F,0x70, + 0xB6,0x3F,0x01,0x30,0x8C,0xB7,0x43,0xCF,0x0F,0x9D,0x3D,0xF3,0x2B,0x49,0x28,0x1A, + 0xC8,0xFE,0xCE,0xB5,0xB9,0x0E,0xD9,0x5E,0x1C,0xD6,0xCB,0x3D,0xB5,0x3A,0xAD,0xF4, + 0x0F,0x0E,0x00,0x92,0x0B,0xB1,0x21,0x16,0x2E,0x74,0xD5,0x3C,0x0D,0xDB,0x62,0x16, + 0xAB,0xA3,0x71,0x92,0x47,0x53,0x55,0xC1,0xAF,0x2F,0x41,0xB3,0xF8,0xFB,0xE3,0x70, + 0xCD,0xE6,0xA3,0x4C,0x45,0x7E,0x1F,0x4C,0x6B,0x50,0x96,0x41,0x89,0xC4,0x74,0x62, + 0x0B,0x10,0x83,0x41,0x87,0x33,0x8A,0x81,0xB1,0x30,0x58,0xEC,0x5A,0x04,0x32,0x8C, + 0x68,0xB3,0x8F,0x1D,0xDE,0x65,0x73,0xFF,0x67,0x5E,0x65,0xBC,0x49,0xD8,0x76,0x9F, + 0x33,0x14,0x65,0xA1,0x77,0x94,0xC9,0x2D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01, + 0x7A,0x30,0x82,0x01,0x76,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04, + 0x04,0x03,0x02,0x01,0x06,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, + 
0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6,0xF7, + 0x47,0x4D,0x7F,0x08,0x5E,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6, + 0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20,0x04, + 0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06,0x01, + 0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x77, + 0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70, + 0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, + 0x02,0x02,0x30,0x81,0xB6,0x1A,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65, + 0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69, + 0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74, + 0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74, + 0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E, + 0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E, + 0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63, + 0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65, + 0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F, + 0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69, + 0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20, + 0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x5C, + 0x36,0x99,0x4C,0x2D,0x78,0xB7,0xED,0x8C,0x9B,0xDC,0xF3,0x77,0x9B,0xF2,0x76,0xD2, + 
0x77,0x30,0x4F,0xC1,0x1F,0x85,0x83,0x85,0x1B,0x99,0x3D,0x47,0x37,0xF2,0xA9,0x9B, + 0x40,0x8E,0x2C,0xD4,0xB1,0x90,0x12,0xD8,0xBE,0xF4,0x73,0x9B,0xEE,0xD2,0x64,0x0F, + 0xCB,0x79,0x4F,0x34,0xD8,0xA2,0x3E,0xF9,0x78,0xFF,0x6B,0xC8,0x07,0xEC,0x7D,0x39, + 0x83,0x8B,0x53,0x20,0xD3,0x38,0xC4,0xB1,0xBF,0x9A,0x4F,0x0A,0x6B,0xFF,0x2B,0xFC, + 0x59,0xA7,0x05,0x09,0x7C,0x17,0x40,0x56,0x11,0x1E,0x74,0xD3,0xB7,0x8B,0x23,0x3B, + 0x47,0xA3,0xD5,0x6F,0x24,0xE2,0xEB,0xD1,0xB7,0x70,0xDF,0x0F,0x45,0xE1,0x27,0xCA, + 0xF1,0x6D,0x78,0xED,0xE7,0xB5,0x17,0x17,0xA8,0xDC,0x7E,0x22,0x35,0xCA,0x25,0xD5, + 0xD9,0x0F,0xD6,0x6B,0xD4,0xA2,0x24,0x23,0x11,0xF7,0xA1,0xAC,0x8F,0x73,0x81,0x60, + 0xC6,0x1B,0x5B,0x09,0x2F,0x92,0xB2,0xF8,0x44,0x48,0xF0,0x60,0x38,0x9E,0x15,0xF5, + 0x3D,0x26,0x67,0x20,0x8A,0x33,0x6A,0xF7,0x0D,0x82,0xCF,0xDE,0xEB,0xA3,0x2F,0xF9, + 0x53,0x6A,0x5B,0x64,0xC0,0x63,0x33,0x77,0xF7,0x3A,0x07,0x2C,0x56,0xEB,0xDA,0x0F, + 0x21,0x0E,0xDA,0xBA,0x73,0x19,0x4F,0xB5,0xD9,0x36,0x7F,0xC1,0x87,0x55,0xD9,0xA7, + 0x99,0xB9,0x32,0x42,0xFB,0xD8,0xD5,0x71,0x9E,0x7E,0xA1,0x52,0xB7,0x1B,0xBD,0x93, + 0x42,0x24,0x12,0x2A,0xC7,0x0F,0x1D,0xB6,0x4D,0x9C,0x5E,0x63,0xC8,0x4B,0x80,0x17, + 0x50,0xAA,0x8A,0xD5,0xDA,0xE4,0xFC,0xD0,0x09,0x07,0x37,0xB0,0x75,0x75,0x21, +}; + +/* subject:/CN=Apple Root CA - G2/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* SKID: C4:99:13:6C:18:03:C2:7B:C0:A3:A0:0D:7F:72:80:7A:1C:77:26:8D */ +/* Not Before: Apr 30 18:10:09 2014 GMT, Not After : Apr 30 18:10:09 2039 GMT */ +/* Signature Algorithm: sha384WithRSAEncryption */ +static const unsigned char AppleRootG2[1430]={ + 0x30,0x82,0x05,0x92,0x30,0x82,0x03,0x7A,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x01, + 0xE0,0xE5,0xB5,0x83,0x67,0xA3,0xE0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0C,0x05,0x00,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04, + 0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41, + 
0x20,0x2D,0x20,0x47,0x32,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30, + 0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E, + 0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30, + 0x1E,0x17,0x0D,0x31,0x34,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x30,0x30,0x39,0x5A, + 0x17,0x0D,0x33,0x39,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x30,0x30,0x39,0x5A,0x30, + 0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x41,0x70,0x70,0x6C, + 0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x32,0x31,0x26, + 0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43, + 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74, + 0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x02,0x22,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x02,0x0F,0x00, + 0x30,0x82,0x02,0x0A,0x02,0x82,0x02,0x01,0x00,0xD8,0x11,0x12,0x48,0x48,0xDA,0x29, + 0x8A,0x49,0xC5,0x1C,0xC7,0xEC,0x6E,0x33,0x6D,0xFE,0x4D,0xFB,0xE0,0x1C,0xDE,0xAC, + 0x5E,0xE2,0x36,0xA7,0x24,0xF9,0x7F,0x50,0x6B,0x4C,0xCE,0xB9,0x30,0x54,0x27,0xE5, + 0xB3,0xD6,0xED,0x25,0xE6,0x30,0xB6,0x05,0x37,0x5E,0x14,0x22,0x11,0xC5,0xE8,0xAA, + 0x1B,0xD2,0xFB,0xB2,0xD2,0x09,0x95,0x38,0xA4,0xEF,0x2A,0x49,0x8C,0x5D,0x3E,0x71, + 0x66,0x03,0x38,0xFB,0x16,0xF5,0x85,0x88,0xE4,0x5A,0x92,0x0C,0x04,0x32,0xF2,0xC8, + 0x40,0xFB,0x52,0x5F,0x9F,0xF6,0xC0,0xF1,0xE3,0xBA,0x45,0xA0,0x50,0xD5,0x12,0x8B, + 0xF2,0xDD,0xDE,0x91,0x86,0x23,0xF0,0xF5,0xB6,0x72,0x2E,0x01,0xDA,0x0B,0xF6,0x2E, + 0x39,0x08,0x5F,0x19,0xA1,0x63,0x41,0x0B,0x1C,0xA7,0x94,0xC1,0x86,0xC4,0x53,0x2F, + 
0x76,0xF6,0x0A,0xD7,0x0C,0xD1,0x83,0x3F,0x1A,0x53,0x19,0xF3,0x57,0xD5,0x27,0x7F, + 0xFC,0x13,0xB8,0xF8,0x92,0x8D,0xFC,0xD3,0x28,0x43,0x3C,0xB5,0x68,0x00,0x25,0x5D, + 0x27,0x62,0xD3,0xDD,0x55,0xDD,0x44,0x20,0x90,0x83,0x35,0x93,0xC5,0xBF,0xB8,0x19, + 0xFB,0x6B,0xE3,0xDC,0x08,0x42,0xE6,0xAF,0x6D,0xFA,0x9E,0x40,0xCA,0x4E,0x85,0x85, + 0x78,0x49,0xB1,0xD7,0xC3,0xC1,0x30,0x39,0x32,0xAB,0x7E,0x5F,0xAA,0xD3,0x8B,0x6F, + 0x9F,0x2D,0x1A,0x21,0x68,0x70,0x67,0xB3,0xA3,0xF1,0x98,0x41,0x6D,0x91,0x7C,0xF8, + 0xD7,0xDB,0xA8,0xE7,0x5F,0x21,0x1A,0x8C,0x33,0xBF,0x31,0x74,0xB7,0xB8,0xD1,0xF4, + 0xE0,0x22,0xF4,0xBF,0x72,0x34,0xDF,0xF7,0x81,0x4D,0x71,0x7D,0x51,0xA1,0xE2,0xB3, + 0xF0,0xD3,0x28,0x16,0x73,0x6F,0xCD,0xCC,0xAD,0x37,0x7D,0x4E,0xEB,0xAD,0x40,0xE1, + 0x3F,0x81,0xFD,0xF7,0x3D,0x0A,0x3E,0xA2,0xF1,0xBD,0x31,0x96,0x29,0x59,0xDC,0xC2, + 0x19,0x80,0x8C,0x5B,0x74,0xC6,0x2C,0xD3,0x10,0x53,0x26,0x1D,0x14,0x4F,0xC4,0xD4, + 0x81,0x66,0x3C,0x87,0x67,0x33,0x27,0x14,0x08,0xE9,0xB4,0x77,0x84,0x34,0x52,0x8F, + 0x89,0xF8,0x68,0x98,0x17,0xBF,0xC3,0xBB,0xAA,0x13,0x93,0x1F,0x5D,0x54,0x2F,0xA8, + 0xC7,0x7C,0xFB,0x0D,0x14,0xBE,0x15,0x3D,0x24,0x34,0xF2,0x9A,0xDC,0x75,0x41,0x66, + 0x22,0xB4,0x01,0xD6,0x0B,0xAF,0x90,0x9E,0x0C,0xEA,0x62,0xF8,0x9B,0x59,0x3C,0x08, + 0xE2,0x96,0x34,0xE4,0x63,0xDE,0xBC,0x37,0xD4,0xEB,0x0C,0x88,0x03,0x43,0x0B,0x50, + 0xAF,0xA0,0x34,0xDD,0x50,0x4D,0x15,0xFB,0x5A,0x24,0xD8,0x0C,0xFA,0x0C,0x63,0x9E, + 0x1F,0x03,0xB1,0xE1,0xEE,0xE1,0xAA,0x43,0xF4,0x66,0x65,0x28,0x37,0x02,0x31,0xEF, + 0x01,0xC7,0x1E,0xD1,0xCC,0x9F,0x6D,0xCA,0x54,0x3A,0x40,0xDB,0xCE,0xCF,0x4F,0x46, + 0x8B,0x4A,0x65,0x9A,0x6A,0xC6,0x68,0x6C,0xD7,0xCC,0x99,0x1B,0x47,0xB0,0x72,0xC3, + 0x77,0x8F,0xC4,0xF7,0x61,0x9C,0x74,0x1F,0xCE,0xFD,0x6B,0xA1,0xC2,0x9C,0x94,0x82, + 0xAB,0x94,0xA2,0xE7,0xBD,0x1B,0xBA,0xB9,0x70,0x39,0x95,0x17,0xC5,0x29,0xF3,0x39, + 0x58,0x34,0xF5,0xC4,0xA4,0xC6,0x7B,0x60,0xB9,0x66,0x43,0x50,0x3F,0x6E,0x61,0xFC, + 0x0E,0xF9,0x86,0xAA,0x60,0x0C,0x43,0x4B,0x95,0x02,0x03,0x01,0x00,0x01,0xA3,0x42, + 
0x30,0x40,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xC4,0x99,0x13, + 0x6C,0x18,0x03,0xC2,0x7B,0xC0,0xA3,0xA0,0x0D,0x7F,0x72,0x80,0x7A,0x1C,0x77,0x26, + 0x8D,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01, + 0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02, + 0x01,0x06,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,0x05, + 0x00,0x03,0x82,0x02,0x01,0x00,0x51,0xA6,0xF3,0xE2,0xF4,0xB8,0x3D,0x93,0xBF,0x2D, + 0xCE,0x0F,0xBB,0x5B,0xE1,0x55,0x14,0x4E,0x4E,0xD1,0xE5,0xCE,0x79,0x5D,0x81,0x7F, + 0xFE,0xB6,0xF0,0x87,0x33,0xF8,0xEF,0x94,0xE5,0x7E,0xDC,0x6A,0x79,0xA7,0x1C,0xBE, + 0xF0,0x94,0xB7,0xA6,0xD1,0x30,0x9C,0xC8,0x0D,0x0A,0x75,0x9E,0x7D,0x92,0x95,0x7E, + 0x18,0x9D,0x7E,0xC2,0x71,0x69,0x7C,0x14,0xEA,0xCF,0x83,0x0E,0xE4,0x14,0x42,0x9E, + 0x74,0x0E,0x10,0xCD,0xAB,0x1A,0xBA,0x11,0x61,0x81,0x78,0xD8,0xF1,0xB5,0x45,0x40, + 0x78,0xAB,0xA8,0xC0,0xCE,0xFB,0x7D,0x63,0x37,0x68,0xF6,0xE7,0xFB,0xAF,0xC6,0xC3, + 0x4B,0xEC,0x1F,0x36,0x26,0x13,0x54,0x86,0x94,0x72,0xB2,0xEA,0x02,0xED,0x8B,0x6D, + 0xE4,0x0C,0xA6,0x90,0xC0,0x57,0x75,0xCF,0x8C,0x42,0x7D,0x5C,0xE6,0x31,0x7D,0xF3, + 0xC9,0xB2,0x92,0x69,0x46,0x0E,0x88,0xF8,0xE3,0x2D,0x42,0xB2,0x38,0xA8,0xA6,0x19, + 0x8D,0xF1,0x9F,0xCD,0xEE,0x6A,0x65,0xBC,0x1A,0xB0,0x25,0xBD,0xA7,0x29,0xFD,0xF4, + 0x3E,0xA2,0x75,0x49,0xBF,0x9E,0xDB,0xC9,0xF7,0xA7,0x1E,0x63,0x99,0xE1,0x5C,0x46, + 0xFF,0x92,0x05,0x8C,0xFA,0x1E,0x20,0xF9,0x86,0x94,0x56,0x25,0xE5,0xB4,0x57,0x38, + 0x9D,0xEB,0x88,0x64,0x14,0x21,0x49,0x21,0x39,0xBF,0x62,0x66,0xA9,0xB1,0xA2,0xCA, + 0x6F,0x3F,0x21,0x60,0xC5,0x89,0xD4,0x45,0x36,0xC8,0x98,0x7C,0xBD,0xF6,0xFE,0x99, + 0x49,0x80,0x3B,0x2C,0xD2,0xA6,0xA7,0x88,0x03,0x04,0x31,0x19,0xB7,0xB6,0x3A,0x61, + 0x45,0xFA,0xC9,0xF2,0x23,0xC8,0x63,0x73,0xBF,0x56,0x89,0x31,0xB0,0xD9,0x7C,0x62, + 0xA7,0x7B,0x15,0xA8,0x88,0x8A,0xAB,0x38,0x40,0xC2,0xCC,0x12,0xFF,0x15,0xE3,0xF0, + 0x37,0xDF,0x37,0x72,0xCB,0xCC,0x98,0xE6,0xBF,0xA2,0xBC,0xFA,0x26,0x8A,0x71,0x56, + 
0xD7,0xE7,0x24,0x1B,0x48,0x44,0x3E,0x9E,0xFC,0x9F,0xC9,0xCC,0x1A,0xEC,0x43,0x3C, + 0x01,0xBC,0x34,0x78,0xC8,0x69,0xF5,0xC6,0xE6,0x56,0xEC,0x06,0x09,0x36,0x90,0xEB, + 0x14,0x4A,0x1B,0x5E,0xC9,0x88,0x23,0xDA,0x03,0x30,0x91,0x0B,0xB8,0x36,0x3E,0xF9, + 0xE7,0xB5,0x28,0x6F,0xBE,0x3F,0xEC,0x3C,0x8F,0x65,0x1D,0xE5,0xC0,0x1E,0x87,0xA4, + 0xAA,0xBA,0x98,0xFD,0x92,0xE3,0x6C,0x26,0x77,0xDD,0x06,0xB4,0x64,0x06,0x87,0xF4, + 0x4E,0xD6,0xBA,0x4A,0xAA,0x16,0xA8,0xF4,0x05,0x67,0x66,0x96,0xBA,0xE2,0x55,0x79, + 0xC3,0x2C,0x5D,0x49,0x8F,0x80,0x49,0x2B,0x8A,0x12,0xC7,0x76,0x80,0x51,0xDF,0xBA, + 0xBD,0x65,0x5D,0x3E,0x37,0x47,0x63,0x31,0xE9,0xE5,0xF4,0xC5,0x3F,0x4B,0xAD,0x04, + 0x8A,0x7A,0x71,0x2C,0xAF,0x09,0x43,0x37,0x0F,0xA8,0xE3,0x32,0x4F,0xF4,0x45,0xB6, + 0x6D,0x97,0x36,0xEC,0x84,0xF5,0x0A,0x01,0xEA,0x17,0xBB,0x85,0x8D,0x42,0x93,0x70, + 0xC3,0x50,0xE5,0x14,0x8B,0xBF,0x3F,0xC3,0x41,0x0F,0xDD,0x22,0x04,0x23,0x08,0x8A, + 0xBA,0x6D,0x71,0x44,0xAB,0x73,0x09,0x3A,0xC9,0xF9,0x52,0x80,0x09,0xDF,0xBA,0xE9, + 0xE6,0x16,0xCA,0x2E,0x2E,0x4C,0xB2,0xD3,0xDC,0xE5,0x04,0x54,0xB2,0xD4,0x34,0x80, + 0x32,0xB5,0xBC,0x0F,0x17,0xE1, +}; + +/* subject:/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* SKID: BB:B0:DE:A1:58:33:88:9A:A4:8A:99:DE:BE:BD:EB:AF:DA:CB:24:AB */ +/* Not Before: Apr 30 18:19:06 2014 GMT, Not After : Apr 30 18:19:06 2039 GMT */ +/* Signature Algorithm: ecdsa-with-SHA38 */ +static const unsigned char AppleRootG3[583]={ + 0x30,0x82,0x02,0x43,0x30,0x82,0x01,0xC9,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x2D, + 0xC5,0xFC,0x88,0xD2,0xC5,0x4B,0x95,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, + 0x04,0x03,0x03,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20, + 0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, + 
0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, + 0x31,0x34,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x17,0x0D,0x33, + 0x39,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x30,0x67,0x31,0x1B, + 0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,0x65,0x20,0x52, + 0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x31,0x26,0x30,0x24,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74, + 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72, + 0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, + 0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x30,0x76,0x30,0x10,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D, + 0x02,0x01,0x06,0x05,0x2B,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0x98,0xE9,0x2F, + 0x3D,0x40,0x72,0xA4,0xED,0x93,0x22,0x72,0x81,0x13,0x1C,0xDD,0x10,0x95,0xF1,0xC5, + 0xA3,0x4E,0x71,0xDC,0x14,0x16,0xD9,0x0E,0xE5,0xA6,0x05,0x2A,0x77,0x64,0x7B,0x5F, + 0x4E,0x38,0xD3,0xBB,0x1C,0x44,0xB5,0x7F,0xF5,0x1F,0xB6,0x32,0x62,0x5D,0xC9,0xE9, + 0x84,0x5B,0x4F,0x30,0x4F,0x11,0x5A,0x00,0xFD,0x58,0x58,0x0C,0xA5,0xF5,0x0F,0x2C, + 0x4D,0x07,0x47,0x13,0x75,0xDA,0x97,0x97,0x97,0x6F,0x31,0x5C,0xED,0x2B,0x9D,0x7B, + 0x20,0x3B,0xD8,0xB9,0x54,0xD9,0x5E,0x99,0xA4,0x3A,0x51,0x0A,0x31,0xA3,0x42,0x30, + 0x40,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xBB,0xB0,0xDE,0xA1, + 0x58,0x33,0x88,0x9A,0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB, + 0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01, + 0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01, + 0x06,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,0x03,0x68,0x00, + 
0x30,0x65,0x02,0x31,0x00,0x83,0xE9,0xC1,0xC4,0x16,0x5E,0x1A,0x5D,0x34,0x18,0xD9, + 0xED,0xEF,0xF4,0x6C,0x0E,0x00,0x46,0x4B,0xB8,0xDF,0xB2,0x46,0x11,0xC5,0x0F,0xFD, + 0xE6,0x7A,0x8C,0xA1,0xA6,0x6B,0xCE,0xC2,0x03,0xD4,0x9C,0xF5,0x93,0xC6,0x74,0xB8, + 0x6A,0xDF,0xAA,0x23,0x15,0x02,0x30,0x6D,0x66,0x8A,0x10,0xCA,0xD4,0x0D,0xD4,0x4F, + 0xCD,0x8D,0x43,0x3E,0xB4,0x8A,0x63,0xA5,0x33,0x6E,0xE3,0x6D,0xDA,0x17,0xB7,0x64, + 0x1F,0xC8,0x53,0x26,0xF9,0x88,0x62,0x74,0x39,0x0B,0x17,0x5B,0xCB,0x51,0xA8,0x0C, + 0xE8,0x18,0x03,0xE7,0xA2,0xB2,0x28, +}; + + +static void +addCertificate(CFMutableArrayRef anchors, + const unsigned char *anchor, size_t size) { + SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, anchor, size); + if (CFArrayContainsValue(anchors, CFRangeMake(0, CFArrayGetCount(anchors)), cert)) { + abort(); + } + CFArrayAppendValue(anchors, cert); + CFReleaseNull(cert); +} + +CFArrayRef SecGetAppleTrustAnchors(bool allowNonProduction) +{ + static CFArrayRef anchors = NULL; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + CFMutableArrayRef temp = NULL; + temp = CFArrayCreateMutableForCFTypesWithCapacity(NULL, 3); + + addCertificate(temp, AppleRootCA, sizeof(AppleRootCA)); + addCertificate(temp, AppleRootG2, sizeof(AppleRootG2)); + addCertificate(temp, AppleRootG3, sizeof(AppleRootG3)); + anchors = temp; }); return anchors; diff --git a/OSX/utilities/src/SecAppleAnchorPriv.h b/OSX/utilities/src/SecAppleAnchorPriv.h index c24e3a0f..2918c5cd 100644 --- a/OSX/utilities/src/SecAppleAnchorPriv.h +++ b/OSX/utilities/src/SecAppleAnchorPriv.h @@ -47,6 +47,8 @@ bool SecIsAppleTrustAnchorData(CFDataRef cert, SecAppleTrustAnchorFlags flags); +CFArrayRef SecGetAppleTrustAnchors(bool allowNonProduction); + __END_DECLS diff --git a/OSX/utilities/src/SecInternalRelease.c b/OSX/utilities/src/SecInternalRelease.c index 6acb8b17..5317d596 100644 --- a/OSX/utilities/src/SecInternalRelease.c +++ b/OSX/utilities/src/SecInternalRelease.c 
@@ -31,7 +31,7 @@ #if TARGET_OS_EMBEDDED #include #else -#include +#include #endif diff --git a/OSX/utilities/utilities.xcodeproj/.gitignore b/OSX/utilities/utilities.xcodeproj/.gitignore new file mode 100644 index 00000000..7f42cdde --- /dev/null +++ b/OSX/utilities/utilities.xcodeproj/.gitignore @@ -0,0 +1,2 @@ +project.xcworkspace +xcuserdata diff --git a/Security.xcodeproj/.gitignore b/Security.xcodeproj/.gitignore new file mode 100644 index 00000000..7f42cdde --- /dev/null +++ b/Security.xcodeproj/.gitignore @@ -0,0 +1,2 @@ +project.xcworkspace +xcuserdata diff --git a/Security.xcodeproj/project.pbxproj b/Security.xcodeproj/project.pbxproj index 926bc1da..228278c6 100644 --- a/Security.xcodeproj/project.pbxproj +++ b/Security.xcodeproj/project.pbxproj @@ -8791,7 +8791,6 @@ MobileKeyBag, "-laks", "-lACM", - "-lmis", "-lImg4Decode", ); PRODUCT_NAME = securityd; @@ -8817,7 +8816,6 @@ MobileKeyBag, "-laks", "-lACM", - "-lmis", "-lImg4Decode", ); PRODUCT_NAME = securityd; diff --git a/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme index 26df7a71..9d93c518 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme +++ b/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme @@ -256,6 +256,10 @@ argument = "si_24_sectrust_passbook" isEnabled = "NO"> + + @@ -412,6 +416,10 @@ argument = "si_83_seccertificate_sighashalg" isEnabled = "NO"> + + diff --git a/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme index 1aaca97b..d1ca217f 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme +++ b/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme @@ -386,6 +386,10 @@ argument = "si_83_seccertificate_sighashalg" isEnabled = "NO"> + + diff --git a/SecurityTests/.gitignore b/SecurityTests/.gitignore new file mode 100644 index 00000000..d56a7f18 --- /dev/null 
+++ b/SecurityTests/.gitignore @@ -0,0 +1,6 @@ +*.o +clxutils/certChain/certChain +clxutils/dotMacArchive/dotMacArchive +clxutils/findCert/findCert +cspxutils/hashTimeSA/hashTimeSA +cspxutils/sha2Vectors/sha2Vectors diff --git a/libsecurity_smime/libsecurity_smime.xcodeproj/.gitignore b/libsecurity_smime/libsecurity_smime.xcodeproj/.gitignore new file mode 100644 index 00000000..7f42cdde --- /dev/null +++ b/libsecurity_smime/libsecurity_smime.xcodeproj/.gitignore @@ -0,0 +1,2 @@ +project.xcworkspace +xcuserdata diff --git a/securityd/securityd_service/securityd_service/main.c b/securityd/securityd_service/securityd_service/main.c index df04c16b..46a444fb 100644 --- a/securityd/securityd_service/securityd_service/main.c +++ b/securityd/securityd_service/securityd_service/main.c @@ -75,21 +75,21 @@ openiodev(void) io_registry_entry_t service; io_connect_t conn; kern_return_t kr; - + service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(kAppleFDEKeyStoreServiceName)); if (service == IO_OBJECT_NULL) return IO_OBJECT_NULL; - + kr = IOServiceOpen(service, mach_task_self(), 0, &conn); if (kr != KERN_SUCCESS) return IO_OBJECT_NULL; - + kr = IOConnectCallMethod(conn, kAppleFDEKeyStoreUserClientOpen, NULL, 0, NULL, 0, NULL, NULL, NULL, NULL); if (kr != KERN_SUCCESS) { IOServiceClose(conn); return IO_OBJECT_NULL; } - + return conn; } @@ -108,11 +108,11 @@ _kb_service_get_dispatch_queue() { static dispatch_once_t onceToken = 0; static dispatch_queue_t connection_queue = NULL; - + dispatch_once(&onceToken, ^{ connection_queue = dispatch_queue_create("kb-service-queue", DISPATCH_QUEUE_SERIAL); }); - + return connection_queue; } @@ -190,9 +190,9 @@ _kb_copy_bag_filename(service_user_record_t * ur, kb_bag_type_t type) bag_file = calloc(1u, PATH_MAX); require(bag_file, done); - + snprintf(bag_file, PATH_MAX, "%s/%s/%s/%s", ur->home, kb_home_path, get_host_uuid(), name); - + done: return bag_file; } 
@@ -279,16 +279,16 @@ _kb_save_bag_to_disk(service_user_record_t * ur, const char * bag_file, void * d int fd = -1; require(bag_file, done); - + _set_thread_credentials(ur); require(_kb_verify_create_path(ur), done); fd = open(bag_file, O_CREAT | O_TRUNC | O_WRONLY | O_NOFOLLOW, 0600); require_action(fd != -1, done, syslog(LOG_ERR, "could not create file: %s (%s)", bag_file, strerror(errno))); require_action(write(fd, data, length) != -1, done, syslog(LOG_ERR, "failed to write keybag to disk %s", strerror(errno))); - + result = true; - + done: if (fd != -1) { close(fd); } _clear_thread_credentials(); @@ -303,7 +303,7 @@ _kb_load_bag_from_disk(service_user_record_t * ur, const char * bag_file, uint8_ uint8_t * buf = NULL; size_t buf_size = 0; struct stat st_info = {}; - + require(bag_file, done); _set_thread_credentials(ur); @@ -311,19 +311,19 @@ _kb_load_bag_from_disk(service_user_record_t * ur, const char * bag_file, uint8_ require_quiet(lstat(bag_file, &st_info) == 0, done); require_action(S_ISREG(st_info.st_mode), done, syslog(LOG_ERR, "failed to load, not a file: %s", bag_file)); buf_size = (size_t)st_info.st_size; - + fd = open(bag_file, O_RDONLY | O_NOFOLLOW); require_action(fd != -1, done, syslog(LOG_ERR, "could not open file: %s (%s)", bag_file, strerror(errno))); - + buf = (uint8_t *)calloc(1u, buf_size); require(buf != NULL, done); require(read(fd, buf, buf_size) == buf_size, done); - + *data = buf; *length = buf_size; buf = NULL; result = true; - + done: if (fd != -1) { close(fd); } if (buf) { free(buf); } 
@@ -354,17 +354,25 @@ _kb_delete_bag_on_disk(service_user_record_t * ur, const char * bag_file) } } +static int service_kb_load(service_context_t *context); +static int service_kb_load_uid(uid_t s_uid); + static int _kb_get_session_handle(service_context_t * context, keybag_handle_t * handle_out) { int rc = KB_BagNotLoaded; - keybag_handle_t session_handle = bad_keybag_handle; - require_noerr_quiet(aks_get_system(context->s_uid, &session_handle), done); - - *handle_out = session_handle; + require_noerr_quiet(aks_get_system(context->s_uid, handle_out), done); + rc = KB_Success; - + done: + if (rc == KB_BagNotLoaded) { + if (service_kb_load(context) == KB_Success) { + if (aks_get_system(context->s_uid, handle_out) == kIOReturnSuccess) { + rc = KB_Success; + } + } + } return rc; } 
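Review bot: The new fallback in `_kb_get_session_handle` calls `service_kb_load`, which in the next hunk does `dispatch_sync` on `_kb_service_get_dispatch_queue()`, yet `service_kb_create` (also in the next hunk) invokes `_kb_get_session_handle` from inside a block already running on that same serial queue; if the first `aks_get_system` fails there, the re-entrant `dispatch_sync` hangs the service instead of returning an error. The fallback also turns every `aks_get_system` failure into `KB_BagNotLoaded`, so errors other than "not loaded" now trigger the disk-load (and possible bag-rename) path. I would keep the lazy load out of the on-queue caller — in `service_kb_create` use `rc = aks_get_system(context->s_uid, &session_handle);` directly, or give `_kb_get_session_handle` a no-load variant — and only retry when the first call returned `kIOReturnNotFound`, mirroring the check `_service_kb_load_uid` already makes. `_kb_get_session_handle` is complete within this hunk; `service_kb_create` lies in the following one.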
@@ -395,77 +403,90 @@ static int service_kb_create(service_context_t * context, const void * secret, int secret_len) { __block int rc = KB_GeneralError; - + dispatch_sync(_kb_service_get_dispatch_queue(), ^{ uint8_t * buf = NULL; size_t buf_size = 0; keybag_handle_t session_handle = bad_keybag_handle; service_user_record_t * ur = get_user_record(context->s_uid); char * bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user); - + require(bag_file, done); // check for the existance of the bagfile require_action(!_kb_bag_exists(ur, bag_file), done, rc = KB_BagExists); - + require_noerr(rc = aks_create_bag(secret, secret_len, kAppleKeyStoreDeviceBag, &session_handle), done); require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done); require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError); require_noerr(rc = aks_set_system(session_handle, context->s_uid), done); aks_unload_bag(session_handle); require_noerr(rc = _kb_get_session_handle(context, &session_handle), done); - + if (secret && rc == KB_Success) { aks_unlock_bag(session_handle, secret, secret_len); } - + done: if (buf) free(buf); if (bag_file) { free(bag_file); } if (ur) free_user_record(ur); }); - + return rc; } +/* Load s_uid's keybag, unless already loaded */ static int -service_kb_load(service_context_t * context) +_service_kb_load_uid(uid_t s_uid) { __block int rc = KB_GeneralError; - + dispatch_sync(_kb_service_get_dispatch_queue(), ^{ uint8_t * buf = NULL; size_t buf_size = 0; keybag_handle_t session_handle = bad_keybag_handle; service_user_record_t * ur = NULL; char * bag_file = NULL; - - rc = aks_get_system(context->s_uid, &session_handle); + + rc = aks_get_system(s_uid, &session_handle); if (rc == kIOReturnNotFound) { - require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError); + require_action(ur = get_user_record(s_uid), done, rc = KB_GeneralError); require_action(bag_file = _kb_copy_bag_filename(ur, 
kb_bag_type_user), done, rc = KB_GeneralError); require_action_quiet(_kb_load_bag_from_disk(ur, bag_file, &buf, &buf_size), done, rc = KB_BagNotFound); rc = aks_load_bag(buf, (int)buf_size, &session_handle); if (rc == kIOReturnNotPermitted) { - syslog(LOG_ERR, "error loading keybag for uid (%i) in session (%i)", context->s_uid, context->s_id); + syslog(LOG_ERR, "error loading keybag for uid (%i)", s_uid); _kb_rename_bag_on_disk(ur, bag_file); rc = KB_BagNotFound; } require_noerr(rc, done); - require_noerr(rc = aks_set_system(session_handle, context->s_uid), done); + require_noerr(rc = aks_set_system(session_handle, s_uid), done); aks_unload_bag(session_handle); } require(rc == KB_Success, done); - + done: if (buf) free(buf); if (ur) free_user_record(ur); if (bag_file) free(bag_file); }); - + return rc; } +static int +service_kb_load_uid(uid_t s_uid) +{ + return _service_kb_load_uid(s_uid); +} + +static int +service_kb_load(service_context_t * context) +{ + return _service_kb_load_uid(context->s_uid); +} + static int service_kb_unload(service_context_t *context) { @@ -534,9 +555,9 @@ service_kb_unlock(service_context_t * context, const void * secret, int secret_l int rc = KB_GeneralError; keybag_handle_t session_handle; require_noerr(rc = _kb_get_session_handle(context, &session_handle), done); - + rc = aks_unlock_bag(session_handle, secret, secret_len); - + done: return rc; } 
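Review bot: The comment `/* Load s_uid's keybag, unless already loaded */` on `_service_kb_load_uid` understates two things its callers now need to know, since it is reachable both from the lazy path in `_kb_get_session_handle` (via `service_kb_load`) and from the new `service_kb_load_uid` XPC request: it takes the service's serial queue with `dispatch_sync`, so it must not be entered from a block already executing on that queue, and when `aks_load_bag` returns `kIOReturnNotPermitted` it renames the user's bag file on disk before reporting `KB_BagNotFound`. I would extend the comment to: `/* Load s_uid's keybag from disk unless already loaded. Runs on the kb-service serial queue (never call from that queue). A bag rejected with kIOReturnNotPermitted is renamed on disk and KB_BagNotFound is returned. */`. The two one-line wrappers below could each carry a comment saying they differ only in where the uid comes from.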
@@ -554,19 +575,19 @@ service_kb_change_secret(service_context_t * context, const void * secret, int s __block int rc = KB_GeneralError; keybag_handle_t session_handle; require_noerr(rc = _kb_get_session_handle(context, &session_handle), done); - + dispatch_sync(_kb_service_get_dispatch_queue(), ^{ uint8_t * buf = NULL; size_t buf_size = 0; service_user_record_t * ur = NULL; char * bag_file = NULL; - + require_noerr(rc = aks_change_secret(session_handle, secret, secret_len, new_secret, new_secret_len, NULL, NULL), done); require_noerr(rc = aks_save_bag(session_handle, (void**)&buf, (int*)&buf_size), done); require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError); require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_user), done, rc = KB_GeneralError); require_action(_kb_save_bag_to_disk(ur, bag_file, buf, buf_size), done, rc = KB_BagError); - + rc = KB_Success; done: @@ -575,7 +596,7 @@ service_kb_change_secret(service_context_t * context, const void * secret, int s if (bag_file) free(bag_file); return; }); - + done: return rc; } @@ -627,12 +648,12 @@ service_kb_is_locked(service_context_t * context, xpc_object_t reply) keybag_state_t state; keybag_handle_t session_handle; require_noerr(rc = _kb_get_session_handle(context, &session_handle), done); - + require_noerr(rc = aks_get_lock_state(session_handle, &state), done); - + xpc_dictionary_set_bool(reply, SERVICE_XPC_LOCKED, state & keybag_state_locked); xpc_dictionary_set_bool(reply, SERVICE_XPC_NO_PIN, state & keybag_state_no_pin); - + done: return rc; } 
@@ -677,12 +698,12 @@ service_kb_stash_load(service_context_t * context, const void * key, unsigned ke service_user_record_t * ur = NULL; __block uint8_t * stashbag = NULL; __block size_t stashbag_size = 0; - + require(key, done); require_noerr(rc = _kb_get_session_handle(context, &session_handle), done); require_action(ur = get_user_record(context->s_uid), done, rc = KB_GeneralError); require_action(bag_file = _kb_copy_bag_filename(ur, kb_bag_type_stash), done, rc = KB_GeneralError); - + // sync loading the bag from disk dispatch_sync(_kb_service_get_dispatch_queue(), ^{ if (!_kb_load_bag_from_disk(ur, bag_file, &stashbag, &stashbag_size)) { @@ -693,7 +714,7 @@ service_kb_stash_load(service_context_t * context, const void * key, unsigned ke require_noerr(rc = aks_stash_escrow(session_handle, false, key, key_size, stashbag, (int)stashbag_size, NULL, NULL), done); rc = KB_Success; - + done: if (stashbag) { free(stashbag); } if ((bag_file) && (!nondestructive)) { @@ -716,17 +737,17 @@ OSStatus service_stash_get_key(service_context_t * context, xpc_object_t event, getStashKey_OutStruct_t outStruct; size_t outSize = sizeof(outStruct); kern_return_t kr = KERN_INVALID_ARGUMENT; - + io_connect_t conn = openiodev(); require(conn, done); inStruct.type = kAppleFDEKeyStoreStash_master; - + kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_getStashKey, NULL, 0, &inStruct, sizeof(inStruct), NULL, NULL, &outStruct, &outSize); - + if (kr == KERN_SUCCESS) { xpc_dictionary_set_data(reply, SERVICE_XPC_KEY, outStruct.outBuf.key.key, outStruct.outBuf.key.keysize); service_kb_stash_load(context, outStruct.outBuf.key.key, outStruct.outBuf.key.keysize, false); @@ -735,7 +756,7 @@ OSStatus service_stash_get_key(service_context_t * context, xpc_object_t event, done: if (conn) closeiodev(conn); - + return kr; } 
@@ -759,14 +780,14 @@ OSStatus service_stash_set_key(service_context_t * context, xpc_object_t event, require_noerr(_kb_get_session_handle(context, &session_handle), done); require_noerr(aks_get_lock_state(session_handle, &state), done); require_action(!(state & keybag_lock_locked), done, kr = CSSMERR_CSP_OS_ACCESS_DENIED; LOG("stash failed keybag locked")); - + conn = openiodev(); require(conn, done); // Store the key in the keystore and get its uuid setKeyGetUUID_InStruct_t inStruct1; uuid_OutStruct_t outStruct1; - + const uint8_t *keydata = xpc_dictionary_get_data(event, SERVICE_XPC_KEY, &keydata_len); require(keydata, done); @@ -780,12 +801,12 @@ OSStatus service_stash_set_key(service_context_t * context, xpc_object_t event, NULL, NULL, &outStruct1, &len); require(kr == KERN_SUCCESS, done); - + // Now using the uuid stash it as the master key setStashKey_InStruct_t inStruct2; memcpy(&inStruct2.uuid, &outStruct1.uuid, sizeof(outStruct1.uuid)); inStruct2.type = kAppleFDEKeyStoreStash_master; - + kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_setStashKey, NULL, 0, &inStruct2, sizeof(inStruct2), @@ -809,13 +830,13 @@ OSStatus service_stash_load_key(service_context_t * context, xpc_object_t event, { kern_return_t kr = KERN_SUCCESS; size_t keydata_len = 0; - + const uint8_t *keydata = xpc_dictionary_get_data(event, SERVICE_XPC_KEY, &keydata_len); require(keydata, done); - + kr = service_kb_stash_load(context, keydata, (cryptosize_t) keydata_len, true); done: - + return kr; } @@ -829,19 +850,19 @@ done: OSStatus service_stash_blob(xpc_object_t event, xpc_object_t reply) { kern_return_t kr = KERN_INVALID_ARGUMENT; - + io_connect_t conn = openiodev(); require(conn, done); - + kr = IOConnectCallMethod(conn, kAppleFDEKeyStore_commitStash, NULL, 0, NULL, 0, NULL, NULL, - NULL, NULL); + NULL, NULL); done: if (conn) closeiodev(conn); - + return kr; } #endif 
@@ -849,12 +870,12 @@ done: bool peer_has_entitlement(xpc_connection_t peer, const char * entitlement) { bool entitled = false; - + xpc_object_t value = xpc_connection_copy_entitlement_value(peer, entitlement); if (value && (xpc_get_type(value) == XPC_TYPE_BOOL)) { entitled = xpc_bool_get_value(value); } - + if (value) xpc_release(value); return entitled; } @@ -886,6 +907,8 @@ static char * sel_to_char(uint64_t sel) return "kb_reset"; case SERVICE_KB_UNLOAD: return "kb_unload"; + case SERVICE_KB_LOAD_UID: + return "kb_load_uid"; default: return "unknown"; } @@ -916,13 +939,14 @@ static char * err_to_char(int err) void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event) { xpc_type_t type = xpc_get_type(event); - + uid_t uid; + if (type == XPC_TYPE_ERROR) { if (event == XPC_ERROR_CONNECTION_INVALID) { } } else { assert(type == XPC_TYPE_DICTIONARY); - + int rc = KB_GeneralError; uint64_t request = 0; const uint8_t * secret = NULL, * new_secret = NULL; 
@@ -930,15 +954,25 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event) service_context_t * context = NULL; bool free_context = false; const void * data; - + const char *entitlement; + xpc_object_t reply = xpc_dictionary_create_reply(event); request = xpc_dictionary_get_uint64(event, SERVICE_XPC_REQUEST); - // For SERVICE_KB_UNLOAD only, allow non-securityd, non-root but + + // For SERVICE_KB_{UNLOAD,LOAD} only, allow non-securityd, non-root but // entitled callers. - if (request == SERVICE_KB_UNLOAD) { - if (!peer_has_entitlement(connection, "com.apple.private.securityd.keybag-unload")) { + if (request == SERVICE_KB_UNLOAD || request == SERVICE_KB_LOAD_UID) { + switch (request) { + case SERVICE_KB_UNLOAD: + entitlement = "com.apple.private.securityd.keybag-unload"; + break; + case SERVICE_KB_LOAD_UID: + entitlement = "com.apple.private.securityd.keybag-load"; + break; + } + if (!peer_has_entitlement(connection, entitlement) && !peer_has_entitlement(connection, "com.apple.keystore.device")) { xpc_connection_cancel(connection); return; } @@ -954,7 +988,7 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event) } data = xpc_dictionary_get_data(event, SERVICE_XPC_CONTEXT, &data_len); - require_action(data || request == SERVICE_KB_UNLOAD, done, rc = KB_GeneralError); + require_action(data || request == SERVICE_KB_UNLOAD || request == SERVICE_KB_LOAD_UID, done, rc = KB_GeneralError); if (data) { require(data_len == sizeof(service_context_t), done); context = (service_context_t*)data; @@ -1015,6 +1049,10 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event) case SERVICE_STASH_LOAD_KEY: rc = service_stash_load_key(context, event, reply); break; + case SERVICE_KB_LOAD_UID: + uid = (uid_t)xpc_dictionary_get_uint64(event, SERVICE_XPC_UID); + rc = service_kb_load_uid(uid); + break; #if DEBUG case SERVICE_STASH_BLOB: rc = service_stash_blob(event, reply); 
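Review bot: `const char *entitlement;` is declared without an initializer and the `switch (request)` that assigns it has no `default`, so although both values are excluded by the enclosing `if`, the compiler cannot prove `entitlement` is set before `peer_has_entitlement(connection, entitlement)` and `-Wmaybe-uninitialized` or static analysis will flag it; a later edit adding a third request to the `if` would silently pass an indeterminate pointer. I would write `const char *entitlement = NULL;` and add `default: xpc_connection_cancel(connection); return;` to the switch. Note also that the alternative `com.apple.keystore.device` entitlement now authorizes both unload and load-by-uid for any uid; if that is intended, a one-line comment beside the check would help the next reader. `service_peer_event_handler` begins in the previous hunk and continues past this one.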
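Review bot: In the `SERVICE_KB_LOAD_UID` case the uid is taken straight from the client message with `xpc_dictionary_get_uint64(event, SERVICE_XPC_UID)`, which returns 0 when the key is absent or not a uint64, so a malformed request from an entitled caller loads uid 0's keybag; the cast to `uid_t` also silently truncates values above `UINT32_MAX`. I would reject the request unless the key is present and in range: `uint64_t u = xpc_dictionary_get_uint64(event, SERVICE_XPC_UID);` / `require_action(xpc_dictionary_get_value(event, SERVICE_XPC_UID) != NULL && u <= UINT32_MAX, done, rc = KB_GeneralError);` / `rc = service_kb_load_uid((uid_t)u);`. Whether the entitlement alone should permit loading another user's bag is a policy decision worth a comment at this case. The `switch` and `service_peer_event_handler` extend beyond the hunk.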
@@ -1024,7 +1062,7 @@ void service_peer_event_handler(xpc_connection_t connection, xpc_object_t event) LOG("unknown service type"); break; } - + done: #if DEBUG LOG("selector: %s (%llu), error: %s (%x), sid: %d, suid: %d, pid: %d", sel_to_char(request), request, err_to_char(rc), rc, context ? context->s_id : 0, context ? context->s_uid : 0, context ? get_caller_pid(&context->procToken) : 0); @@ -1146,7 +1184,7 @@ int main(int argc, const char * argv[]) xpc_connection_resume(peer); }); xpc_connection_resume(listener); - + dispatch_main(); exit(EXIT_FAILURE); } diff --git a/securityd/securityd_service/securityd_service/securityd_service.h b/securityd/securityd_service/securityd_service/securityd_service.h index b2eac5c7..ee9178f4 100644 --- a/securityd/securityd_service/securityd_service/securityd_service.h +++ b/securityd/securityd_service/securityd_service/securityd_service.h @@ -13,6 +13,8 @@ #define SERVICE_XPC_CONTEXT "_context" #define SERVICE_XPC_LOCKED "_locked" #define SERVICE_XPC_NO_PIN "_no_pin" +#define SERVICE_XPC_UID "_uid" + enum { SERVICE_STASH_SET_KEY = 1, @@ -28,6 +30,7 @@ enum { SERVICE_KB_RESET, SERVICE_STASH_LOAD_KEY, SERVICE_KB_UNLOAD, + SERVICE_KB_LOAD_UID, }; #endif diff --git a/securityd/securityd_service/securityd_service/securityd_service_client.c b/securityd/securityd_service/securityd_service/securityd_service_client.c index 851586db..047498be 100644 --- a/securityd/securityd_service/securityd_service/securityd_service_client.c +++ b/securityd/securityd_service/securityd_service/securityd_service_client.c 
@@ -12,11 +12,11 @@ _service_get_connection() { static dispatch_once_t onceToken; static xpc_connection_t connection = NULL; - + dispatch_once(&onceToken, ^{ connection = xpc_connection_create_mach_service(SECURITYD_SERVICE_NAME, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); require(connection, done); - + xpc_connection_set_event_handler(connection, ^(xpc_object_t event) { if (xpc_get_type(event) == XPC_TYPE_ERROR) { if (event == XPC_ERROR_CONNECTION_INVALID) { @@ -30,7 +30,7 @@ _service_get_connection() free(desc); } }); - + xpc_connection_resume(connection); done: return; 
@@ -56,39 +56,59 @@ _service_send_msg(service_context_t *context, xpc_object_t message, xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, message); require(reply, done); require(xpc_get_type(reply) != XPC_TYPE_ERROR, done); - + rc = (int)xpc_dictionary_get_int64(reply, SERVICE_XPC_RC); - + if (reply_out) { *reply_out = reply; reply = NULL; } - + done: if (reply) xpc_release(reply); return rc; } +int +_service_client_send_uid(service_context_t *context, uint64_t request, uid_t uid) +{ + int rc = KB_GeneralError; + xpc_object_t message = NULL; + + message = xpc_dictionary_create(NULL, NULL, 0); + require_quiet(message, done); + + xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, request); + xpc_dictionary_set_uint64(message, SERVICE_XPC_UID, uid); + + rc = _service_send_msg(context, message, NULL); + +done: + if (message) xpc_release(message); + return rc; +} + + int _service_client_send_secret(service_context_t *context, uint64_t request, const void * secret, int secret_len, const void * new_secret, int new_secret_len) { int rc = KB_GeneralError; xpc_object_t message = NULL; - + message = xpc_dictionary_create(NULL, NULL, 0); require_quiet(message, done); - + xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, request); if (secret) { xpc_dictionary_set_data(message, SERVICE_XPC_SECRET, secret, secret_len); } - + if (new_secret) { xpc_dictionary_set_data(message, SERVICE_XPC_SECRET_NEW, new_secret, new_secret_len); } rc = _service_send_msg(context, message, NULL); - + done: if (message) xpc_release(message); return rc; @@ -106,6 +126,12 @@ service_client_kb_load(service_context_t *context) return _service_client_send_secret(context, SERVICE_KB_LOAD, NULL, 0, NULL, 0); } +int +service_client_kb_load_uid(uid_t uid) +{ + return _service_client_send_uid(NULL, SERVICE_KB_LOAD_UID, uid); +} + int service_client_kb_unload(service_context_t *context) { 
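Review bot: `service_client_kb_load_uid` and `_service_client_send_uid` are added without any comment, and nothing in the client tells a caller that the request carries no `service_context_t` (`context` is passed as `NULL`) and that the server only accepts it from a peer holding `com.apple.private.securityd.keybag-load` or `com.apple.keystore.device`. I would add above `service_client_kb_load_uid`: `/* Ask securityd_service to load uid's keybag from disk. Sends no session context; the caller needs the com.apple.private.securityd.keybag-load entitlement. */`. `_service_client_send_uid` is also external linkage with a leading-underscore name while, as far as the header hunk below shows, not declared in securityd_service_client.h; matching `_service_client_send_secret` is understandable, but `static` would be the safer default for a file-local helper.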
@@ -117,7 +143,7 @@ service_client_kb_save(service_context_t *context) { return _service_client_send_secret(context, SERVICE_KB_SAVE, NULL, 0, NULL, 0); } - + int service_client_kb_unlock(service_context_t *context, const void * secret, int secret_len) { @@ -178,17 +204,17 @@ service_client_stash_set_key(service_context_t *context, const void * key, int k { int rc = KB_GeneralError; xpc_object_t message = NULL; - + message = xpc_dictionary_create(NULL, NULL, 0); require_quiet(message, done); - + xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, SERVICE_STASH_SET_KEY); - + if (key) xpc_dictionary_set_data(message, SERVICE_XPC_KEY, key, key_len); - + rc = _service_send_msg(context, message, NULL); - + done: if (message) xpc_release(message); return rc; @@ -199,17 +225,17 @@ service_client_stash_load_key(service_context_t *context, const void * key, int { int rc = KB_GeneralError; xpc_object_t message = NULL; - + message = xpc_dictionary_create(NULL, NULL, 0); require_quiet(message, done); - + xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, SERVICE_STASH_LOAD_KEY); - + if (key) xpc_dictionary_set_data(message, SERVICE_XPC_KEY, key, key_len); - + rc = _service_send_msg(context, message, NULL); - + done: if (message) xpc_release(message); return rc; @@ -221,17 +247,17 @@ service_client_stash_get_key(service_context_t *context, void ** key, int * key_ int rc = KB_GeneralError; xpc_object_t message = NULL; xpc_object_t reply = NULL; - + require(key, done); require(key_len, done); - + message = xpc_dictionary_create(NULL, NULL, 0); require_quiet(message, done); - + xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, SERVICE_STASH_GET_KEY); - + rc = _service_send_msg(context, message, &reply); - + if (rc == KB_Success) { size_t data_len = 0; const void * data = xpc_dictionary_get_data(reply, SERVICE_XPC_KEY, &data_len); 
@@ -241,7 +267,7 @@ service_client_stash_get_key(service_context_t *context, void ** key, int * key_ *key_len = (int)data_len; } } - + done: if (message) xpc_release(message); if (reply) xpc_release(reply); diff --git a/securityd/securityd_service/securityd_service/securityd_service_client.h b/securityd/securityd_service/securityd_service/securityd_service_client.h index 393f6a4d..123f10ef 100644 --- a/securityd/securityd_service/securityd_service/securityd_service_client.h +++ b/securityd/securityd_service/securityd_service/securityd_service_client.h @@ -10,7 +10,7 @@ extern "C" { #include #include #include - + enum { KB_Success = 0, KB_GeneralError, @@ -26,9 +26,10 @@ typedef struct { uid_t s_uid; audit_token_t procToken; } service_context_t; - + int service_client_kb_create(service_context_t *context, const void * secret, int secret_len); int service_client_kb_load(service_context_t *context); +int service_client_kb_load_uid(uid_t uid); int service_client_kb_unload(service_context_t *context); int service_client_kb_save(service_context_t *context); int service_client_kb_unlock(service_context_t *context, const void * secret, int secret_len); diff --git a/securityd/securityd_service/securitydservicectrl/main.c b/securityd/securityd_service/securitydservicectrl/main.c index f31d2cff..bd61c2b8 100644 --- a/securityd/securityd_service/securitydservicectrl/main.c +++ b/securityd/securityd_service/securitydservicectrl/main.c 
@@ -36,37 +36,38 @@ int main(int argc, const char * argv[]) OSStatus status = noErr; uint8_t testkey[128] = "\xde\xad\xbe\xef\xde\xad\xbe\xef\xde\xad\xbe\xef\xde\xad\xbe\xef"; xpc_connection_t connection = xpc_connection_create_mach_service(SECURITYD_SERVICE_NAME, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); - + xpc_object_t message = NULL, reply = NULL; + xpc_connection_set_event_handler(connection, ^(xpc_object_t event) { if (xpc_get_type(event) == XPC_TYPE_ERROR) { printf("XPC error\n"); } }); xpc_connection_resume(connection); - - if (argc != 2) { - printf("Usage: securityservicectrl < get | set | stash | login | loginstash | unload >\n"); + + if (argc < 2) { + printf("Usage: securityservicectrl < get | set | stash | login | loginstash | unload | load >\n"); return 1; } - + if (strcmp(argv[1], "get") == 0) { action = SERVICE_STASH_GET_KEY; printf("Get key\n"); - + } else if (strcmp(argv[1], "set") == 0) { action = SERVICE_STASH_SET_KEY; printf("Set key\n"); - + } else if (strcmp(argv[1], "stash") == 0) { action = SERVICE_STASH_BLOB; printf("Stash\n"); - + } else if (strcmp(argv[1], "login") == 0) { printf("SecKeychainLogin() null passwd\n"); status = SecKeychainLogin((uint32) strlen("test"), "test", 0, NULL); printf("Returned: %i\n", status); return status ? 1 : 0; - + } else if (strcmp(argv[1], "loginstash") == 0) { printf("SecKeychainStash()\n"); status = SecKeychainStash(); 
@@ -75,23 +76,26 @@ int main(int argc, const char * argv[]) } else if (strcmp(argv[1], "unload") == 0) { return service_client_kb_unload(NULL); - + } else if (strcmp(argv[1], "load") == 0) { + require_action(argc == 3, done, printf("missing \n")); + uid_t uid = atoi(argv[2]); + return service_client_kb_load_uid(uid); } else { printf("%s not known\n", argv[1]); return 1; } // Send - xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0); + message = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_uint64(message, SERVICE_XPC_REQUEST, action); - + if (action == SERVICE_STASH_SET_KEY) xpc_dictionary_set_data(message, SERVICE_XPC_KEY, testkey, 16); - - xpc_object_t reply = xpc_connection_send_message_with_reply_sync(connection, message); + + reply = xpc_connection_send_message_with_reply_sync(connection, message); require_action(reply != NULL, done, status = -1); require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = -1); - + if (action == SERVICE_STASH_GET_KEY) { size_t len = 0; const uint8_t *keydata = xpc_dictionary_get_data(reply, SERVICE_XPC_KEY, &len); @@ -100,7 +104,7 @@ int main(int argc, const char * argv[]) printf("\tkey = %s\n", hextostr(keydata, len > sizeof(testkey) ? sizeof(testkey) : len, buf)); } } - + status = (OSStatus)xpc_dictionary_get_int64(reply, SERVICE_XPC_RC); done: @@ -112,7 +116,7 @@ done: xpc_release(connection); printf("Returned: %i\n", status); - + return status ? 1 : 0; } diff --git a/securityd/securityd_service/securitydservicectrl/securitydservicectrl.entitlements b/securityd/securityd_service/securitydservicectrl/securitydservicectrl.entitlements index d3d534f2..92c73b1f 100644 --- a/securityd/securityd_service/securitydservicectrl/securitydservicectrl.entitlements +++ b/securityd/securityd_service/securitydservicectrl/securitydservicectrl.entitlements @@ -2,7 +2,9 @@ - com.apple.security.keybag-unload + com.apple.private.securityd.keybag-load + + com.apple.private.securityd.keybag-unload -- 2.47.2
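Review bot: In the new `load` branch, `require_action(argc == 3, done, printf(...))` jumps to `done` without changing `status`, which is still `noErr`, so a missing uid argument prints `Returned: 0` and exits 0; and `uid_t uid = atoi(argv[2]);` accepts any non-numeric text as uid 0 (root) without error. I would set the status in the failure action, `require_action(argc == 3, done, status = -1; printf("missing uid\n"));`, and parse with `strtoul` checking `endptr` and `errno == ERANGE` before the cast, returning 1 on bad input instead of forwarding uid 0. `main` begins in the previous hunk and its `done:` cleanup is in the hunks that follow.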