From 8dec463a609706480a6ae9057702ec662843acc2 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 31 Jul 2023 11:06:42 -0700 Subject: [PATCH 01/19] Remove old asm source lists from Android sources.mk These should not be necessary as of aosp/2673984. Bug: 542 Change-Id: Ice0d8a6c535bb2bd4549cbf88197a36c8e859e74 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62085 Commit-Queue: Adam Langley Reviewed-by: Adam Langley Auto-Submit: David Benjamin --- util/generate_build_files.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/util/generate_build_files.py b/util/generate_build_files.py index 7ff0f124d..07bfc0f76 100644 --- a/util/generate_build_files.py +++ b/util/generate_build_files.py @@ -133,14 +133,6 @@ class Android(object): self.PrintVariableSection(makefile, 'crypto_sources_asm', files['crypto_asm']) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - if osname != 'linux': - continue - self.PrintVariableSection( - makefile, '%s_%s_sources' % (osname, arch), asm_files) - def PrintDefaults(self, blueprint, name, files, asm_files=[]): """Print a cc_defaults section from a list of C files and optionally assembly outputs""" if asm_files: From 6738d477b8763abf38f6d1b60b6d799167ce9c8c Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 31 Jul 2023 13:19:54 -0700 Subject: [PATCH 02/19] Restore OPENSSL_RAND_TRUSTY With b/291102972 resolved, we can try this again. Bug: 629, b:291102972 Change-Id: Ic04d1855f185ead6ae2e151dcc56493afce40b4f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62105 Auto-Submit: David Benjamin Reviewed-by: Bob Beck Commit-Queue: Bob Beck --- crypto/fipsmodule/rand/internal.h | 5 +---- include/openssl/base.h | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/crypto/fipsmodule/rand/internal.h b/crypto/fipsmodule/rand/internal.h index 029e0f7e6..91bbe5897 100644 --- a/crypto/fipsmodule/rand/internal.h +++ b/crypto/fipsmodule/rand/internal.h @@ -29,10 +29,7 @@ extern "C" { #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) #define OPENSSL_RAND_DETERMINISTIC #elif defined(OPENSSL_TRUSTY) -// TODO(b/291102972): This should define OPENSSL_RAND_TRUSTY to activate the -// Trusty RNG implementation. However, due to a different, non-Trusty target -// incorrectly defining __TRUSTY__, things will break if we follow our standard -// pattern here. +#define OPENSSL_RAND_TRUSTY #elif defined(OPENSSL_WINDOWS) #define OPENSSL_RAND_WINDOWS #elif defined(OPENSSL_LINUX) diff --git a/include/openssl/base.h b/include/openssl/base.h index 87ffe214b..97a17bb3a 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h @@ -108,7 +108,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define BORINGSSL_API_VERSION 25 +#define BORINGSSL_API_VERSION 26 #if defined(BORINGSSL_SHARED_LIBRARY) From 04487c4e98fd34f1bfcc7ae3757efbaff7b26e4e Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 31 Jul 2023 21:17:48 +0000 Subject: [PATCH 03/19] MD5 and SHA-1 are not actually approved in the TLS KDF. They are NIST hash functions, but this service indicator function is specific to their use in the TLS KDF. Change-Id: I5a1f9d2865813f436a8e2a7548dffefcb2813c5f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62086 Auto-Submit: Adam Langley Reviewed-by: David Benjamin Commit-Queue: Adam Langley --- .../service_indicator/service_indicator.c | 11 ++++------- .../service_indicator_test.cc | 18 ++---------------- 2 files changed, 6 insertions(+), 23 deletions(-) diff --git a/crypto/fipsmodule/service_indicator/service_indicator.c b/crypto/fipsmodule/service_indicator/service_indicator.c index b1ea28e80..64325bea1 100644 --- a/crypto/fipsmodule/service_indicator/service_indicator.c +++ b/crypto/fipsmodule/service_indicator/service_indicator.c @@ -303,14 +303,11 @@ void HMAC_verify_service_indicator(const EVP_MD *evp_md) { } void TLSKDF_verify_service_indicator(const EVP_MD *md) { - // HMAC-MD5, HMAC-SHA1, and HMAC-MD5/HMAC-SHA1 (both used concurrently) are - // approved for use in the KDF in TLS 1.0/1.1. - // HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2. - // These Key Derivation functions are to be used in the context of the TLS - // protocol. + // HMAC-MD5/HMAC-SHA1 (both used concurrently) is approved for use in the KDF + // in TLS 1.0/1.1. HMAC-SHA{256, 384, 512} are approved for use in the KDF in + // TLS 1.2. These Key Derivation functions are to be used in the context of + // the TLS protocol. switch (EVP_MD_type(md)) { - case NID_md5: - case NID_sha1: case NID_md5_sha1: case NID_sha256: case NID_sha384: diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc index 27042e04e..ee66fc3f7 100644 --- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc +++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc @@ -422,24 +422,12 @@ static const uint8_t kTLSSeed2[16] = { 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81, }; -static const uint8_t kTLSOutput_mdsha1[32] = { +static const uint8_t kTLSOutput_md5_sha1[32] = { 0x36, 0xa9, 0x31, 0xb0, 0x43, 0xe3, 0x64, 0x72, 0xb9, 0x47, 0x54, 0x0d, 0x8a, 0xfc, 0xe3, 0x5c, 0x1c, 0x15, 0x67, 0x7e, 0xa3, 0x5d, 0xf2, 0x3a, 0x57, 0xfd, 0x50, 0x16, 0xe1, 0xa4, 0xa6, 0x37, }; -static const uint8_t kTLSOutput_md[32] = { - 0x79, 0xef, 0x46, 0xc4, 0x35, 0xbc, 0xe5, 0xda, 0xd3, 0x66, 0x91, - 0xdc, 0x86, 0x09, 0x41, 0x66, 0xf2, 0x0c, 0xeb, 0xe6, 0xab, 0x5c, - 0x58, 0xf4, 0x65, 0xce, 0x2f, 0x5f, 0x4b, 0x34, 0x1e, 0xa1, -}; - -static const uint8_t kTLSOutput_sha1[32] = { - 0xbb, 0x0a, 0x73, 0x52, 0xf8, 0x85, 0xd7, 0xbd, 0x12, 0x34, 0x78, - 0x3b, 0x54, 0x4c, 0x75, 0xfe, 0xd7, 0x23, 0x6e, 0x22, 0x3f, 0x42, - 0x34, 0x99, 0x57, 0x6b, 0x14, 0xc4, 0xc8, 0xae, 0x9f, 0x4c, -}; - static const uint8_t kTLSOutput_sha224[32] = { 0xdd, 0xaf, 0x6f, 0xaa, 0xd9, 0x2b, 0x3d, 0xb9, 0x46, 0x4c, 0x55, 0x8a, 0xf7, 0xa6, 0x9b, 0x0b, 0x35, 0xcc, 0x07, 0xa7, 0x55, 0x5b, @@ -1783,9 +1771,7 @@ static const struct KDFTestVector { const uint8_t *expected_output; const FIPSStatus expect_approved; } kKDFTestVectors[] = { - {EVP_md5, kTLSOutput_md, FIPSStatus::APPROVED}, - {EVP_sha1, kTLSOutput_sha1, FIPSStatus::APPROVED}, - {EVP_md5_sha1, kTLSOutput_mdsha1, FIPSStatus::APPROVED}, + {EVP_md5_sha1, kTLSOutput_md5_sha1, FIPSStatus::APPROVED}, {EVP_sha224, kTLSOutput_sha224, FIPSStatus::NOT_APPROVED}, {EVP_sha256, kTLSOutput_sha256, FIPSStatus::APPROVED}, {EVP_sha384, kTLSOutput_sha384, FIPSStatus::APPROVED}, From 7ae2b910c13017b63f1a8bd6c8decfce692869b0 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 31 Jul 2023 21:55:28 +0000 Subject: [PATCH 04/19] Split TLS 1.0 and 1.2 self checks. While it's the same code path, NIST may consider these different functions and thus want separate checks for them. Change-Id: Ic391b5e656b22c5e11d94ec22398346669833bd9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62087 Commit-Queue: Adam Langley Reviewed-by: David Benjamin --- crypto/fipsmodule/self_check/self_check.c | 55 ++++++++++++++++------- util/fipstools/break-kat.go | 5 +-- util/fipstools/test_fips.c | 13 ++++++ 3 files changed, 54 insertions(+), 19 deletions(-) diff --git a/crypto/fipsmodule/self_check/self_check.c b/crypto/fipsmodule/self_check/self_check.c index db61485dc..1984630b6 100644 --- a/crypto/fipsmodule/self_check/self_check.c +++ b/crypto/fipsmodule/self_check/self_check.c @@ -913,11 +913,6 @@ static int boringssl_self_test_fast(void) { } // TLS KDF KAT - static const uint8_t kTLSSecret[32] = { - 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82, - 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e, - 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31, - }; static const char kTLSLabel[] = "FIPS self test"; static const uint8_t kTLSSeed1[16] = { 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2, @@ -927,17 +922,45 @@ static int boringssl_self_test_fast(void) { 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c, 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81, }; - static const uint8_t kTLSOutput[32] = { - 0xe2, 0x1d, 0xd6, 0xc2, 0x68, 0xc7, 0x57, 0x03, 0x2c, 0x2c, 0xeb, - 0xbb, 0xb8, 0xa9, 0x7d, 0xe9, 0xee, 0xe6, 0xc9, 0x47, 0x83, 0x0a, - 0xbd, 0x11, 0x60, 0x5d, 0xd5, 0x2c, 0x47, 0xb6, 0x05, 0x88, + + static const uint8_t kTLS10Secret[32] = { + 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82, + 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e, + 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31, }; - uint8_t tls_output[sizeof(kTLSOutput)]; - if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret, - sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel), - kTLSSeed1, sizeof(kTLSSeed1), kTLSSeed2, - sizeof(kTLSSeed2)) || - !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS-KDF KAT")) { + static const uint8_t kTLS10Output[32] = { + 0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90, + 0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f, + 0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8, + }; + uint8_t tls10_output[sizeof(kTLS10Output)]; + if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output), + kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel, + sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), + kTLSSeed2, sizeof(kTLSSeed2)) || + !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output), + "TLS10-KDF KAT")) { + fprintf(stderr, "TLS KDF failed.\n"); + goto err; + } + + static const uint8_t kTLS12Secret[32] = { + 0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9, + 0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc, + 0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81, + }; + static const uint8_t kTLS12Output[32] = { + 0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1, + 0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85, + 0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51, + }; + uint8_t tls12_output[sizeof(kTLS12Output)]; + if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output), + kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel, + sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), + kTLSSeed2, sizeof(kTLSSeed2)) || + !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output), + "TLS12-KDF KAT")) { fprintf(stderr, "TLS KDF failed.\n"); goto err; } @@ -978,7 +1001,7 @@ static int boringssl_self_test_fast(void) { !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output, sizeof(kTLS13ExpandLabelOutput), "CRYPTO_tls13_hkdf_expand_label")) { - fprintf(stderr, "TLSv1.3 KDF failed.\n"); + fprintf(stderr, "TLS13-KDF failed.\n"); goto err; } diff --git a/util/fipstools/break-kat.go b/util/fipstools/break-kat.go index e4d323abc..67c330027 100644 --- a/util/fipstools/break-kat.go +++ b/util/fipstools/break-kat.go @@ -1,5 +1,3 @@ -//go:build - // break-kat corrupts a known-answer-test input in a binary and writes the // corrupted binary to stdout. This is used to demonstrate that the KATs in the // binary notice the error. @@ -27,7 +25,8 @@ var ( "SHA-1": "132fd9bad5c1826263bafbb699f707a5", "SHA-256": "ff3b857da7236a2baa0f396b51522217", "SHA-512": "212512f8d2ad8322781c6c4d69a9daa1", - "TLS-KDF": "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731", + "TLS10-KDF": "abc3657b094c7628a0b282996fe75a75f4984fd94d4ecc2fcf53a2c469a3f731", + "TLS12-KDF": "c5438ee26fd4acbd259fc91855dc69bf884ee29322fcbfd2966a4623d42ec781", "TLS13-KDF": "024a0d80f357f2499a1244dac26dab66fc13ed85fca71dace146211119525874", "RSA-sign": "d2b56e53306f720d7929d8708bf46f1c22300305582b115bedcac722d8aa5ab2", "RSA-verify": "abe2cbc13d6bd39d48db5334ddbf8d070a93bdcb104e2cc5d0ee486ee295f6b31bda126c41890b98b73e70e6b65d82f95c663121755a90744c8d1c21148a1960be0eca446e9ff497f1345c537ef8119b9a4398e95c5c6de2b1c955905c5299d8ce7a3b6ab76380d9babdd15f610237e1f3f2aa1c1f1e770b62fbb596381b2ebdd77ecef9c90d4c92f7b6b05fed2936285fa94826e62055322a33b6f04c74ce69e5d8d737fb838b79d2d48e3daf71387531882531a95ac964d02ea413bf85952982bbc089527daff5b845c9a0f4d14ef1956d9c3acae882d12da66da0f35794f5ee32232333517db9315232a183b991654dbea41615345c885325926744a53915", diff --git a/util/fipstools/test_fips.c b/util/fipstools/test_fips.c index 3a1f7fceb..13b8d7d3d 100644 --- a/util/fipstools/test_fips.c +++ b/util/fipstools/test_fips.c @@ -291,6 +291,19 @@ int main(int argc, char **argv) { printf(" got "); hexdump(hkdf_output, sizeof(hkdf_output)); + /* TLS v1.0 KDF */ + printf("About to run TLS v1.0 KDF\n"); + uint8_t tls10_output[32]; + if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output), + kAESKey, sizeof(kAESKey), "foo", 3, kPlaintextSHA256, + sizeof(kPlaintextSHA256), kPlaintextSHA256, + sizeof(kPlaintextSHA256))) { + fprintf(stderr, "TLS v1.0 KDF failed.\n"); + goto err; + } + printf(" got "); + hexdump(tls10_output, sizeof(tls10_output)); + /* TLS v1.2 KDF */ printf("About to run TLS v1.2 KDF\n"); uint8_t tls12_output[32]; From e28988ecaa5e72523a982915084c9422e495116d Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Fri, 4 Aug 2023 14:21:43 -0700 Subject: [PATCH 05/19] Disable assembly for Android's darwin build e4acd6cb568214b1c7db4e59ce54ea2e1deae1f5 enabled assembly for more platforms on Android, but the way Android's FIPS build is set up, we currently require ld -r to work on any platform with assembly. See b/294399371. This should be fixable with more time spent on the Android build (and possibly missing features added to Soong, as Soong is quite limited), but as we've never had assembly working here, just restore the old state of things. Change-Id: I8f4e66979a003a5692389ef7e127c8d9f1630773 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62165 Reviewed-by: Adam Langley Commit-Queue: David Benjamin --- util/generate_build_files.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/util/generate_build_files.py b/util/generate_build_files.py index 07bfc0f76..d0c01d580 100644 --- a/util/generate_build_files.py +++ b/util/generate_build_files.py @@ -152,14 +152,14 @@ class Android(object): if asm_files: blueprint.write(' target: {\n') - # Only emit asm for non-Windows. On Windows, BoringSSL requires NASM, - # which is not available in AOSP. Note that, despite the name, - # "not_windows" covers only non-Windows host devices. - blueprint.write(' android: {\n') + # Only emit asm for Linux. On Windows, BoringSSL requires NASM, which is + # not available in AOSP. On Darwin, the assembly works fine, but it + # conflicts with Android's FIPS build. See b/294399371. + blueprint.write(' linux: {\n') blueprint.write(' srcs: %s_asm,\n' % name) blueprint.write(' },\n') - blueprint.write(' not_windows: {\n') - blueprint.write(' srcs: %s_asm,\n' % name) + blueprint.write(' darwin: {\n') + blueprint.write(' cflags: ["-DOPENSSL_NO_ASM"],\n') blueprint.write(' },\n') blueprint.write(' windows: {\n') blueprint.write(' cflags: ["-DOPENSSL_NO_ASM"],\n') From 822d63cb07c7d7f435bd6893193eb05153a58b3d Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Wed, 2 Aug 2023 17:24:30 -0400 Subject: [PATCH 06/19] Remove the old asm lists from JSON and android-cmake output The android-cmake one should no longer be needed as of aosp/2673299, and the JSON one as of https://github.com/grpc/grpc/pull/33700 Bug: 542 Change-Id: I3c7b752806d82a5a01b5ad9180771e88d2810b70 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62185 Reviewed-by: Adam Langley Commit-Queue: Adam Langley Auto-Submit: David Benjamin --- util/generate_build_files.py | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/util/generate_build_files.py b/util/generate_build_files.py index d0c01d580..b3ce2d37f 100644 --- a/util/generate_build_files.py +++ b/util/generate_build_files.py @@ -224,12 +224,6 @@ class AndroidCMake(object): files['crypto_test']) self.PrintVariableSection(out, 'ssl_test_sources', files['ssl_test']) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - self.PrintVariableSection( - out, 'crypto_sources_%s_%s' % (osname, arch), asm_files) - class Bazel(object): """Bazel outputs files suitable for including in Bazel files.""" @@ -565,13 +559,8 @@ endif() class JSON(object): def WriteFiles(self, files, asm_outputs): - sources = dict(files) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - sources['crypto_%s_%s' % (osname, arch)] = asm_files with open('sources.json', 'w+') as f: - json.dump(sources, f, sort_keys=True, indent=2) + json.dump(files, f, sort_keys=True, indent=2) def FindCMakeFiles(directory): """Returns list of all CMakeLists.txt files recursively in directory.""" From 5d9ffb810b2c5c7aaa6700161989d19547983b5f Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 7 Aug 2023 18:01:11 -0400 Subject: [PATCH 07/19] Remove the remaining old-style asm lists I think there are a couple projects remaining that still use the old lists here, but they're in repositories we don't spend as much time in, and it should be straightforward for them to update when they get here. Removing these should put us in a good place to check in pre-generated asm lists. While I'm here, fix a few typos in TODOs I previously added. Update-Note: If you're one of those projects and have trouble switching to the new lists, let us know. Bug: 542 Change-Id: I57559bafc85eceacc7a237e2f29db6eaf492a8cb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62186 Reviewed-by: Adam Langley Commit-Queue: David Benjamin --- util/generate_build_files.py | 48 ++++++++++++++---------------------- 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/util/generate_build_files.py b/util/generate_build_files.py index b3ce2d37f..d7ae8b1f4 100644 --- a/util/generate_build_files.py +++ b/util/generate_build_files.py @@ -26,7 +26,7 @@ import json # OS_ARCH_COMBOS maps from OS and platform to the OpenSSL assembly "style" for # that platform and the extension used by asm files. # -# TODO(https://crbug.com/boringssl/524): This probably should be a map, but some +# TODO(https://crbug.com/boringssl/542): This probably should be a map, but some # downstream scripts import this to find what folders to add/remove from git. OS_ARCH_COMBOS = [ ('apple', 'arm', 'ios32', [], 'S'), @@ -106,7 +106,7 @@ class Android(object): out.write(' %s\\\n' % f) out.write('\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): # New Android.bp format with open('sources.bp', 'w+') as blueprint: blueprint.write(self.header.replace('#', '//')) @@ -204,7 +204,7 @@ class AndroidCMake(object): out.write(' ${BORINGSSL_ROOT}%s\n' % f) out.write(')\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): # The Android emulator uses a custom CMake buildsystem. # # TODO(crbug.com/boringssl/542): Move our various source lists into @@ -245,7 +245,7 @@ class Bazel(object): out.write(' "%s",\n' % PathOf(f)) out.write(']\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('BUILD.generated.bzl', 'w+') as out: out.write(self.header) @@ -306,7 +306,7 @@ class Eureka(object): out.write(' %s\\\n' % f) out.write('\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): # Legacy Android.mk format with open('eureka.mk', 'w+') as makefile: makefile.write(self.header) @@ -319,14 +319,6 @@ class Eureka(object): self.PrintVariableSection(makefile, 'ssl_sources', files['ssl']) self.PrintVariableSection(makefile, 'tool_sources', files['tool']) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - if osname != 'linux': - continue - self.PrintVariableSection( - makefile, '%s_%s_sources' % (osname, arch), asm_files) - class GN(object): @@ -347,7 +339,7 @@ class GN(object): out.write(' "%s",\n' % f) out.write(']\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('BUILD.generated.gni', 'w+') as out: out.write(self.header) @@ -397,7 +389,7 @@ class GYP(object): out.write(' \'%s\',\n' % f) out.write(' ],\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('boringssl.gypi', 'w+') as gypi: gypi.write(self.header + '{\n \'variables\': {\n') @@ -412,12 +404,6 @@ class GYP(object): self.PrintVariableSection(gypi, 'boringssl_crypto_nasm_sources', files['crypto_nasm']) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - self.PrintVariableSection(gypi, 'boringssl_%s_%s_sources' % - (osname, arch), asm_files) - gypi.write(' }\n}\n') class CMake(object): @@ -522,7 +508,7 @@ endif() out.write(' %s\n' % PathOf(f)) out.write(')\n\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('CMakeLists.txt', 'w+') as cmake: cmake.write(self.header) @@ -558,7 +544,7 @@ endif() ''') class JSON(object): - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('sources.json', 'w+') as f: json.dump(files, f, sort_keys=True, indent=2) @@ -703,7 +689,7 @@ def WriteAsmFiles(perlasms): for (osname, arch, perlasm_style, extra_args, asm_ext) in OS_ARCH_COMBOS: if arch != perlasm['arch']: continue - # TODO(https://crbug.com/boringssl/524): Now that we incorporate osname in + # TODO(https://crbug.com/boringssl/542): Now that we incorporate osname in # the output filename, the asm files can just go in a single directory. # For now, we keep them in target-specific directories to avoid breaking # downstream scripts. @@ -816,11 +802,13 @@ def main(platforms): asm_outputs = sorted(WriteAsmFiles(ReadPerlAsmOperations()).items()) - # Generate combined source lists for gas and nasm. Build files have a choice - # of using the per-platform ones or the combined ones. In the combined mode, - # Windows x86 and Windows x86_64 must still be special-cased, but otherwise - # all assembly files can be linked together. Some files appear in multiple - # per-platform lists, so we duplicate. + # Generate combined source lists for gas and nasm. Some files appear in + # multiple per-platform lists, so we de-duplicate. + # + # TODO(https://crbug.com/boringssl/542): It would be simpler to build the + # combined source lists directly. This is a remnant of the previous assembly + # strategy. When we move to pre-generated assembly files, this will be + # removed. asm_sources = set() nasm_sources = set() for ((osname, arch), asm_files) in asm_outputs: @@ -856,7 +844,7 @@ def main(platforms): } for platform in platforms: - platform.WriteFiles(files, asm_outputs) + platform.WriteFiles(files) return 0 From 77d431746df1f86927cf8462533aa5b0f67323a1 Mon Sep 17 00:00:00 2001 From: Maurice Lam Date: Wed, 7 Jun 2023 01:39:51 +0000 Subject: [PATCH 08/19] Fix FFI slice usage Use CSlice instead of a regular Rust slice when passing pointers to C FFI. Change-Id: Iccd827f4c6f005d860993e97fef5e9caf514885b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60525 Reviewed-by: David Benjamin Commit-Queue: Bob Beck --- rust/bssl-crypto/src/digest.rs | 7 ++++--- rust/bssl-crypto/src/ed25519.rs | 5 +++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/rust/bssl-crypto/src/digest.rs b/rust/bssl-crypto/src/digest.rs index 35b653452..aa6355d5c 100644 --- a/rust/bssl-crypto/src/digest.rs +++ b/rust/bssl-crypto/src/digest.rs @@ -15,7 +15,7 @@ use core::marker::PhantomData; -use crate::ForeignTypeRef; +use crate::{ForeignTypeRef, CSlice}; /// The SHA-256 digest algorithm. #[derive(Clone)] @@ -110,10 +110,11 @@ impl Digest { /// Hashes the provided input into the current digest operation. pub fn update(&mut self, data: &[u8]) { + let data_ffi = CSlice(data); // Safety: - // - `data` is a slice from safe Rust. + // - `data` is a CSlice from safe Rust. let result = unsafe { - bssl_sys::EVP_DigestUpdate(&mut self.0, data.as_ptr() as *const _, data.len()) + bssl_sys::EVP_DigestUpdate(&mut self.0, data_ffi.as_ptr() as *const _, data_ffi.len()) }; assert_eq!(result, 1, "bssl_sys::EVP_DigestUpdate failed"); } diff --git a/rust/bssl-crypto/src/ed25519.rs b/rust/bssl-crypto/src/ed25519.rs index df3650797..f4ab5becb 100644 --- a/rust/bssl-crypto/src/ed25519.rs +++ b/rust/bssl-crypto/src/ed25519.rs @@ -89,14 +89,15 @@ impl PrivateKey { pub fn sign(&self, msg: &[u8]) -> Signature { let mut sig_bytes = [0u8; SIGNATURE_LENGTH]; + let msg_ffi = CSlice(msg); // Safety: // - On allocation failure we panic. // - Signature and private keys are always the correct length. let result = unsafe { bssl_sys::ED25519_sign( sig_bytes.as_mut_ptr(), - msg.as_ptr(), - msg.len(), + msg_ffi.as_ptr(), + msg_ffi.len(), self.0.as_ptr(), ) }; From 8d19c850d4dbde4bd7ece463c3b3f3685571a779 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Tue, 8 Aug 2023 14:29:58 -0600 Subject: [PATCH 09/19] Add rust API instability warning Change-Id: I203a19b59c23def9bca6f01c2b6e8c885b0c9c3f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62205 Reviewed-by: David Benjamin Commit-Queue: Bob Beck Auto-Submit: Bob Beck --- rust/bssl-crypto/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rust/bssl-crypto/README.md b/rust/bssl-crypto/README.md index bc7371a2f..95188626c 100644 --- a/rust/bssl-crypto/README.md +++ b/rust/bssl-crypto/README.md @@ -9,3 +9,6 @@ cd rust/bssl-crypto && cargo clippy && cargo deny check && cargo test ``` Unlike BoringSSL itself, this crate does not attempt to handle allocation failures. If an allocation fails, functions in this crate will panic. + +WARNING - This crate is experimental and does *NOT* have a stable API. We expect to iterate on the API as it develops. If you use this crate you must be prepared to adapt your code to future changes as they occur. + From 58adb8e1d62d6da9c1ab9f73e986273992a2b742 Mon Sep 17 00:00:00 2001 From: Yi Chou Date: Thu, 20 Jul 2023 21:46:32 +0800 Subject: [PATCH 10/19] Add ChromeOS EC related targets ChromeOS EC and ChromeOS Zephyr EC are the open source software for embedded controllers (EC) used in recent ARM and x86 based Chromebooks. https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/README.md https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/docs/zephyr/README.md Bug: 629 Change-Id: If07bd77135fc28f5321643c568784c05bbe390f4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/61865 Reviewed-by: Bob Beck Commit-Queue: Bob Beck --- include/openssl/target.h | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/include/openssl/target.h b/include/openssl/target.h index f830c14ce..53d7f15b6 100644 --- a/include/openssl/target.h +++ b/include/openssl/target.h @@ -117,6 +117,30 @@ #define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED #endif +// CROS_EC is an embedded target for ChromeOS Embedded Controller. Defining +// this on any other platform is not supported. Other embedded platforms must +// introduce their own defines. +// +// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/README.md +#if defined(CROS_EC) +#define OPENSSL_NO_FILESYSTEM +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED +#endif + +// CROS_ZEPHYR is an embedded target for ChromeOS Zephyr Embedded Controller. +// Defining this on any other platform is not supported. Other embedded +// platforms must introduce their own defines. +// +// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/docs/zephyr/README.md +#if defined(CROS_ZEPHYR) +#define OPENSSL_NO_FILESYSTEM +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED +#endif + #if defined(__ANDROID_API__) #define OPENSSL_ANDROID #endif From dbd143c24784e0eeb7082f840dba937f958e517f Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Mon, 31 Jul 2023 21:06:03 -0700 Subject: [PATCH 11/19] Add a basic sanity test for getentropy() if we are using it. Change-Id: I78df8697814361993adafc342387a7d1804be371 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62125 Reviewed-by: David Benjamin Commit-Queue: David Benjamin --- crypto/rand_extra/getentropy_test.cc | 65 ++++++++++++++++++++++++++++ sources.cmake | 1 + 2 files changed, 66 insertions(+) create mode 100644 crypto/rand_extra/getentropy_test.cc diff --git a/crypto/rand_extra/getentropy_test.cc b/crypto/rand_extra/getentropy_test.cc new file mode 100644 index 000000000..d6919139a --- /dev/null +++ b/crypto/rand_extra/getentropy_test.cc @@ -0,0 +1,65 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#if !defined(_DEFAULT_SOURCE) +#define _DEFAULT_SOURCE // Needed for getentropy on musl and glibc +#endif + +#include + +#include "../fipsmodule/rand/internal.h" + +#if defined(OPENSSL_RAND_GETENTROPY) + +#include + +#include + +#if defined(OPENSSL_MACOS) || defined(OPENSSL_FUCHSIA) +#include +#endif + +#include + +#include + +#include "../test/test_util.h" + +// This test is, strictly speaking, flaky, but we use large enough buffers +// that the probability of failing when we should pass is negligible. + +TEST(GetEntropyTest, NotObviouslyBroken) { + static const uint8_t kZeros[256] = {0}; + + uint8_t buf1[256], buf2[256]; + + EXPECT_EQ(getentropy(buf1, sizeof(buf1)), 0); + EXPECT_EQ(getentropy(buf2, sizeof(buf2)), 0); + EXPECT_NE(Bytes(buf1), Bytes(buf2)); + EXPECT_NE(Bytes(buf1), Bytes(kZeros)); + EXPECT_NE(Bytes(buf2), Bytes(kZeros)); + uint8_t buf3[256]; + // Ensure that the implementation is not simply returning the memory unchanged. + memcpy(buf3, buf1, sizeof(buf3)); + EXPECT_EQ(getentropy(buf1, sizeof(buf1)), 0); + EXPECT_NE(Bytes(buf1), Bytes(buf3)); + errno = 0; + uint8_t toobig[257]; + // getentropy should fail returning -1 and setting errno to EIO if you request + // more than 256 bytes of entropy. macOS's man page says EIO but it actually + // returns EINVAL, so we accept either. + EXPECT_EQ(getentropy(toobig, 257), -1); + EXPECT_TRUE(errno == EIO || errno == EINVAL); +} +#endif diff --git a/sources.cmake b/sources.cmake index 3153efc01..1ebc44ad3 100644 --- a/sources.cmake +++ b/sources.cmake @@ -60,6 +60,7 @@ set( crypto/poly1305/poly1305_test.cc crypto/pool/pool_test.cc crypto/rand_extra/rand_test.cc + crypto/rand_extra/getentropy_test.cc crypto/refcount_test.cc crypto/rsa_extra/rsa_test.cc crypto/self_test.cc From 2e1191725f4d291cbaf9d35bb5bcbad3852fc5d2 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Mon, 14 Aug 2023 11:06:38 -0600 Subject: [PATCH 12/19] Sync pki to chromium 8049b24a3fa617e66c5d3fc0e9322bb07c500f49 Change-Id: Ib65febca30ce312f2c8fd6d6dbc85f24987b50d8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62245 Auto-Submit: Bob Beck Reviewed-by: David Benjamin Commit-Queue: David Benjamin --- pki/cert_net_fetcher.h | 98 --- pki/certificate_policies_unittest.cc | 38 +- pki/crl.cc | 7 +- pki/fillins/log.h | 2 + pki/general_names_unittest.cc | 30 +- pki/import_spec.json | 1 - pki/input.cc | 12 +- pki/input.h | 45 +- pki/name_constraints.cc | 13 +- pki/name_constraints_unittest.cc | 260 +++--- pki/ocsp.h | 2 +- pki/ocsp_unittest.cc | 3 +- pki/parse_certificate_unittest.cc | 28 +- pki/parse_name_unittest.cc | 12 +- pki/parsed_certificate.h | 4 +- pki/path_builder_pkits_unittest.cc | 3 +- pki/signature_algorithm_unittest.cc | 6 +- pki/simple_path_builder_delegate_unittest.cc | 4 +- pki/test_helpers.cc | 4 +- pki/test_helpers.h | 3 +- .../generate_name_constraints.py | 17 + .../ipaddress-mapped_addrs.pem | 29 + pki/testdata/ssl/certificates/README | 25 +- .../ssl/certificates/ec-prime256v1-1.key | 5 + .../ssl/certificates/ec-prime256v1-2.key | 5 + .../ssl/certificates/ec-prime256v1-3.key | 5 + .../ssl/certificates/leaf_from_known_root.pem | 832 +++++++++++++----- pki/testdata/ssl/certificates/rsa-1024-1.key | 16 + pki/testdata/ssl/certificates/rsa-1024-2.key | 16 + pki/testdata/ssl/certificates/rsa-1024-3.key | 16 + pki/testdata/ssl/certificates/rsa-2048-1.key | 28 + pki/testdata/ssl/certificates/rsa-2048-2.key | 28 + pki/testdata/ssl/certificates/rsa-2048-3.key | 28 + pki/testdata/ssl/certificates/rsa-768-1.key | 13 + pki/testdata/ssl/certificates/rsa-768-2.key | 13 + pki/testdata/ssl/certificates/rsa-768-3.key | 13 + pki/testdata/ssl/certificates/rsa-8200-1.key | 100 +++ pki/verify_name_match_fuzzer.cc | 9 +- pki/verify_name_match_normalizename_fuzzer.cc | 10 +- pki/verify_name_match_unittest.cc | 252 +++--- ...y_name_match_verifynameinsubtree_fuzzer.cc | 11 +- pki/verify_signed_data_unittest.cc | 8 +- 42 files changed, 1357 insertions(+), 697 deletions(-) delete mode 100644 pki/cert_net_fetcher.h create mode 100644 pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem create mode 100644 pki/testdata/ssl/certificates/ec-prime256v1-1.key create mode 100644 pki/testdata/ssl/certificates/ec-prime256v1-2.key create mode 100644 pki/testdata/ssl/certificates/ec-prime256v1-3.key create mode 100644 pki/testdata/ssl/certificates/rsa-1024-1.key create mode 100644 pki/testdata/ssl/certificates/rsa-1024-2.key create mode 100644 pki/testdata/ssl/certificates/rsa-1024-3.key create mode 100644 pki/testdata/ssl/certificates/rsa-2048-1.key create mode 100644 pki/testdata/ssl/certificates/rsa-2048-2.key create mode 100644 pki/testdata/ssl/certificates/rsa-2048-3.key create mode 100644 pki/testdata/ssl/certificates/rsa-768-1.key create mode 100644 pki/testdata/ssl/certificates/rsa-768-2.key create mode 100644 pki/testdata/ssl/certificates/rsa-768-3.key create mode 100644 pki/testdata/ssl/certificates/rsa-8200-1.key diff --git a/pki/cert_net_fetcher.h b/pki/cert_net_fetcher.h deleted file mode 100644 index 27341aefa..000000000 --- a/pki/cert_net_fetcher.h +++ /dev/null @@ -1,98 +0,0 @@ -// Copyright 2015 The Chromium Authors -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef BSSL_PKI_CERT_NET_FETCHER_H_ -#define BSSL_PKI_CERT_NET_FETCHER_H_ - -#include "webutil/url/url.h" -#include "fillins/openssl_util.h" -#include - -#include -#include - -#include -#include "fillins/log.h" -#include "fillins/net_errors.h" - - - -class URL; - -namespace bssl { - -// CertNetFetcher is a synchronous interface for fetching AIA URLs and CRL -// URLs. It is shared between a caller thread (which starts and waits for -// fetches), and a network thread (which does the actual fetches). It can be -// shutdown from the network thread to cancel outstanding requests. -// -// A Request object is returned when starting a fetch. The consumer can -// use this as a handle for aborting the request (by freeing it), or reading -// the result of the request (WaitForResult) -class OPENSSL_EXPORT CertNetFetcher - { - public: - class Request { - public: - virtual ~Request() = default; - - // WaitForResult() can be called at most once. - // - // It will block and wait for the (network) request to complete, and - // then write the result into the provided out-parameters. - virtual void WaitForResult(Error* error, std::vector* bytes) = 0; - }; - - // This value can be used in place of timeout or max size limits. - enum { DEFAULT = -1 }; - - CertNetFetcher() = default; - - CertNetFetcher(const CertNetFetcher&) = delete; - CertNetFetcher& operator=(const CertNetFetcher&) = delete; - - // Shuts down the CertNetFetcher and cancels outstanding network requests. It - // is not guaranteed that any outstanding or subsequent - // Request::WaitForResult() calls will be completed. Shutdown() must be called - // from the network thread. It can be called more than once, but must be - // called before the CertNetFetcher is destroyed. - virtual void Shutdown() = 0; - - // The Fetch*() methods start a request which can be cancelled by - // deleting the returned Request. Here is the meaning of the common - // parameters: - // - // * url -- The http:// URL to fetch. - // * timeout_seconds -- The maximum allowed duration for the fetch job. If - // this delay is exceeded then the request will fail. To use a default - // timeout pass DEFAULT. - // * max_response_bytes -- The maximum size of the response body. If this - // size is exceeded then the request will fail. To use a default timeout - // pass DEFAULT. - - [[nodiscard]] virtual std::unique_ptr FetchCaIssuers( - const URL& url, - int timeout_milliseconds, - int max_response_bytes) = 0; - - [[nodiscard]] virtual std::unique_ptr FetchCrl( - const URL& url, - int timeout_milliseconds, - int max_response_bytes) = 0; - - [[nodiscard]] virtual std::unique_ptr FetchOcsp( - const URL& url, - int timeout_milliseconds, - int max_response_bytes) = 0; - - protected: - virtual ~CertNetFetcher() = default; - - private: - -}; - -} // namespace net - -#endif // BSSL_PKI_CERT_NET_FETCHER_H_ diff --git a/pki/certificate_policies_unittest.cc b/pki/certificate_policies_unittest.cc index af9332c69..fcf10b85a 100644 --- a/pki/certificate_policies_unittest.cc +++ b/pki/certificate_policies_unittest.cc @@ -44,7 +44,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, InvalidEmpty) { std::vector policies; CertErrors errors; EXPECT_FALSE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); } @@ -54,7 +54,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, InvalidIdentifierNotOid) { std::vector policies; CertErrors errors; EXPECT_FALSE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); } @@ -64,7 +64,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, AnyPolicy) { std::vector policies; CertErrors errors; EXPECT_TRUE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); ASSERT_EQ(1U, policies.size()); EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]); @@ -76,7 +76,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, AnyPolicyWithQualifier) { std::vector policies; CertErrors errors; EXPECT_TRUE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); ASSERT_EQ(1U, policies.size()); EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]); @@ -90,7 +90,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, std::vector policies; CertErrors errors; EXPECT_FALSE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); } @@ -100,7 +100,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, OnePolicy) { std::vector policies; CertErrors errors; EXPECT_TRUE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); ASSERT_EQ(1U, policies.size()); EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]); @@ -112,7 +112,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, OnePolicyWithQualifier) { std::vector policies; CertErrors errors; EXPECT_TRUE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); ASSERT_EQ(1U, policies.size()); EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]); @@ -125,7 +125,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, std::vector policies; CertErrors errors; bool result = ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors); if (fail_parsing_unknown_qualifier_oids()) { @@ -144,7 +144,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, std::vector policies; CertErrors errors; EXPECT_FALSE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); } @@ -156,7 +156,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, std::vector policies; CertErrors errors; EXPECT_FALSE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); } @@ -168,7 +168,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, std::vector policies; CertErrors errors; EXPECT_FALSE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); } @@ -180,7 +180,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, std::vector policies; CertErrors errors; EXPECT_FALSE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); } @@ -190,7 +190,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, TwoPolicies) { std::vector policies; CertErrors errors; EXPECT_TRUE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); ASSERT_EQ(2U, policies.size()); EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]); @@ -203,7 +203,7 @@ TEST_P(ParseCertificatePoliciesExtensionOidsTest, TwoPoliciesWithQualifiers) { std::vector policies; CertErrors errors; EXPECT_TRUE(ParseCertificatePoliciesExtensionOids( - der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies, + der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies, &errors)); ASSERT_EQ(2U, policies.size()); EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]); @@ -216,7 +216,7 @@ TEST(ParseCertificatePoliciesExtensionTest, InvalidEmpty) { std::vector policies; CertErrors errors; EXPECT_FALSE( - ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors)); + ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors)); } TEST(ParseCertificatePoliciesExtensionTest, @@ -226,7 +226,7 @@ TEST(ParseCertificatePoliciesExtensionTest, std::vector policies; CertErrors errors; EXPECT_FALSE( - ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors)); + ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors)); } TEST(ParseCertificatePoliciesExtensionTest, OnePolicyWithCustomQualifier) { @@ -235,7 +235,7 @@ TEST(ParseCertificatePoliciesExtensionTest, OnePolicyWithCustomQualifier) { std::vector policies; CertErrors errors; EXPECT_TRUE( - ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors)); + ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors)); ASSERT_EQ(1U, policies.size()); PolicyInformation& policy = policies[0]; EXPECT_EQ(der::Input(policy_1_2_3_der), policy.policy_oid); @@ -256,7 +256,7 @@ TEST(ParseCertificatePoliciesExtensionTest, TwoPolicies) { std::vector policies; CertErrors errors; EXPECT_TRUE( - ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors)); + ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors)); ASSERT_EQ(2U, policies.size()); { PolicyInformation& policy = policies[0]; @@ -276,7 +276,7 @@ TEST(ParseCertificatePoliciesExtensionTest, TwoPoliciesWithQualifiers) { std::vector policies; CertErrors errors; EXPECT_TRUE( - ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors)); + ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors)); ASSERT_EQ(2U, policies.size()); { PolicyInformation& policy = policies[0]; diff --git a/pki/crl.cc b/pki/crl.cc index ff3e7040b..99eb359ac 100644 --- a/pki/crl.cc +++ b/pki/crl.cc @@ -467,8 +467,9 @@ CRLRevocationStatus CheckCRL(std::string_view raw_crl, std::string normalized_crl_issuer; if (!NormalizeNameTLV(tbs_cert_list.issuer_tlv, &normalized_crl_issuer)) return CRLRevocationStatus::UNKNOWN; - if (der::Input(&normalized_crl_issuer) != target_cert->normalized_issuer()) + if (der::Input(normalized_crl_issuer) != target_cert->normalized_issuer()) { return CRLRevocationStatus::UNKNOWN; + } if (tbs_cert_list.crl_extensions_tlv.has_value()) { std::map extensions; @@ -584,8 +585,10 @@ CRLRevocationStatus CheckCRL(std::string_view raw_crl, // // As the |issuer_cert| is from the already validated chain, it is already // known to chain to the same trust anchor as the target certificate. - if (der::Input(&normalized_crl_issuer) != issuer_cert->normalized_subject()) + if (der::Input(normalized_crl_issuer) != + issuer_cert->normalized_subject()) { continue; + } // 6.3.3 (f) If a key usage extension is present in the CRL issuer's // certificate, verify that the cRLSign bit is set. diff --git a/pki/fillins/log.h b/pki/fillins/log.h index 74007ec2c..f0bbe61e0 100644 --- a/pki/fillins/log.h +++ b/pki/fillins/log.h @@ -17,8 +17,10 @@ #if defined(_BORINGSSL_LIBPKI_VERBOSE_) #define DVLOG(l) std::cerr +#define LOG(l) std::cerr #else #define DVLOG(l) 0 && std::cerr +#define LOG(l) 0 && std::cerr #endif // _BORINGSSL_LIBPKI_VERBOSE_ #endif // BSSL_FILLINS_LOG_H_ diff --git a/pki/general_names_unittest.cc b/pki/general_names_unittest.cc index 0f7754dc2..2c04e7b49 100644 --- a/pki/general_names_unittest.cc +++ b/pki/general_names_unittest.cc @@ -44,7 +44,7 @@ TEST(GeneralNames, CreateFailsOnEmptySubjectAltName) { ASSERT_TRUE( LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der)); CertErrors errors; - EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors)); + EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors)); } TEST(GeneralNames, OtherName) { @@ -53,7 +53,7 @@ TEST(GeneralNames, OtherName) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_OTHER_NAME, general_names->present_name_types); const uint8_t expected_der[] = {0x06, 0x04, 0x2a, 0x03, 0x04, 0x05, @@ -68,7 +68,7 @@ TEST(GeneralNames, RFC822Name) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, general_names->present_name_types); ASSERT_EQ(1U, general_names->rfc822_names.size()); @@ -80,7 +80,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiRFC822Name) { ASSERT_TRUE(LoadTestSubjectAltNameData("san-rfc822name.pem", &san_der)); ReplaceFirstSubstring(&san_der, "foo@example.com", "f\xF6\xF6@example.com"); CertErrors errors; - EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors)); + EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors)); } TEST(GeneralNames, DnsName) { @@ -89,7 +89,7 @@ TEST(GeneralNames, DnsName) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_DNS_NAME, general_names->present_name_types); ASSERT_EQ(1U, general_names->dns_names.size()); @@ -101,7 +101,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiDnsName) { ASSERT_TRUE(LoadTestSubjectAltNameData("san-dnsname.pem", &san_der)); ReplaceFirstSubstring(&san_der, "foo.example.com", "f\xF6\xF6.example.com"); CertErrors errors; - EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors)); + EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors)); } TEST(GeneralNames, X400Address) { @@ -110,7 +110,7 @@ TEST(GeneralNames, X400Address) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, general_names->present_name_types); ASSERT_EQ(1U, general_names->x400_addresses.size()); @@ -125,7 +125,7 @@ TEST(GeneralNames, DirectoryName) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, general_names->present_name_types); ASSERT_EQ(1U, general_names->directory_names.size()); @@ -140,7 +140,7 @@ TEST(GeneralNames, EDIPartyName) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, general_names->present_name_types); ASSERT_EQ(1U, general_names->edi_party_names.size()); @@ -154,7 +154,7 @@ TEST(GeneralNames, URI) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, general_names->present_name_types); @@ -169,7 +169,7 @@ TEST(GeneralNames, CreateFailsOnNonAsciiURI) { ReplaceFirstSubstring(&san_der, "http://example.com", "http://ex\xE4mple.com"); CertErrors errors; - EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors)); + EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors)); } TEST(GeneralNames, IPAddress_v4) { @@ -178,7 +178,7 @@ TEST(GeneralNames, IPAddress_v4) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types); ASSERT_EQ(1U, general_names->ip_addresses.size()); @@ -192,7 +192,7 @@ TEST(GeneralNames, IPAddress_v6) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types); ASSERT_EQ(1U, general_names->ip_addresses.size()); @@ -207,7 +207,7 @@ TEST(GeneralNames, CreateFailsOnInvalidLengthIpAddress) { ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem", &invalid_san_der)); CertErrors errors; - EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors)); + EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors)); } TEST(GeneralNames, RegisteredIDs) { @@ -216,7 +216,7 @@ TEST(GeneralNames, RegisteredIDs) { CertErrors errors; std::unique_ptr general_names = - GeneralNames::Create(der::Input(&san_der), &errors); + GeneralNames::Create(der::Input(san_der), &errors); ASSERT_TRUE(general_names); EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, general_names->present_name_types); ASSERT_EQ(1U, general_names->registered_ids.size()); diff --git a/pki/import_spec.json b/pki/import_spec.json index f81c87a58..f6617cd5a 100644 --- a/pki/import_spec.json +++ b/pki/import_spec.json @@ -244,7 +244,6 @@ "files": [ "net/cert/asn1_util.h", "net/cert/asn1_util.cc", - "net/cert/cert_net_fetcher.h", "net/cert/cert_status_flags.h", "net/cert/cert_status_flags_list.h", "net/cert/cert_verify_proc_blocklist.inc", diff --git a/pki/input.cc b/pki/input.cc index cf8320121..d8e9391fb 100644 --- a/pki/input.cc +++ b/pki/input.cc @@ -10,21 +10,17 @@ namespace bssl::der { -Input::Input(std::string_view in) - : data_(reinterpret_cast(in.data())), len_(in.length()) {} - -Input::Input(const std::string* s) : Input(std::string_view(*s)) {} - std::string Input::AsString() const { - return std::string(reinterpret_cast(data_), len_); + return std::string(reinterpret_cast(data_.data()), data_.size()); } std::string_view Input::AsStringView() const { - return std::string_view(reinterpret_cast(data_), len_); + return std::string_view(reinterpret_cast(data_.data()), + data_.size()); } bssl::Span Input::AsSpan() const { - return bssl::MakeSpan(data_, len_); + return data_; } bool operator==(const Input& lhs, const Input& rhs) { diff --git a/pki/input.h b/pki/input.h index 14a1feff2..e0dff1ffb 100644 --- a/pki/input.h +++ b/pki/input.h @@ -10,10 +10,11 @@ #include #include +#include + #include - namespace bssl::der { // An opaque class that represents a fixed buffer of data of a fixed length, @@ -31,30 +32,30 @@ class OPENSSL_EXPORT Input { // Creates an empty Input, one from which no data can be read. constexpr Input() = default; - // Creates an Input from a constant array |data|. - template - constexpr explicit Input(const uint8_t (&data)[N]) : data_(data), len_(N) {} + // Creates an Input from a span. The constructed Input is only valid as long + // as |data| points to live memory. If constructed from, say, a + // |std::vector|, mutating the vector will invalidate the Input. + constexpr explicit Input(bssl::Span data) : data_(data) {} // Creates an Input from the given |data| and |len|. constexpr explicit Input(const uint8_t* data, size_t len) - : data_(data), len_(len) {} + : data_(bssl::MakeConstSpan(data, len)) {} - // Creates an Input from a std::string_view - explicit Input(std::string_view sp); - - // Creates an Input from a std::string. The lifetimes are a bit subtle when - // using this function: The constructed Input is only valid so long as |s| is - // still alive and not mutated. - explicit Input(const std::string* s); + // Creates an Input from a std::string_view. The constructed Input is only + // valid as long as |data| points to live memory. If constructed from, say, a + // |std::string|, mutating the vector will invalidate the Input. + explicit Input(std::string_view str) + : data_(bssl::MakeConstSpan(reinterpret_cast(str.data()), + str.size())) {} // Returns the length in bytes of an Input's data. - constexpr size_t Length() const { return len_; } + constexpr size_t Length() const { return data_.size(); } // Returns a pointer to the Input's data. This method is marked as "unsafe" // because access to the Input's data should be done through ByteReader // instead. This method should only be used where using a ByteReader truly // is not an option. - constexpr const uint8_t* UnsafeData() const { return data_; } + constexpr const uint8_t* UnsafeData() const { return data_.data(); } // Returns a copy of the data represented by this object as a std::string. std::string AsString() const; @@ -64,21 +65,13 @@ class OPENSSL_EXPORT Input { // this Input. std::string_view AsStringView() const; - // Returns a bssl::Span pointing to the same data as the Input. The resulting - // bssl::Span must not outlive the data that was used to construct this - // Input. + // Returns a span pointing to the same data as the Input. The resulting span + // must not outlive the data that was used to construct this Input. bssl::Span AsSpan() const; private: - // This constructor is deleted to prevent constructing an Input from a - // std::string r-value. Since the Input points to memory owned by another - // object, such an Input would point to invalid memory. Without this deleted - // constructor, a std::string could be passed in to the std::string_view - // constructor because of std::string_view's implicit constructor. - Input(std::string) = delete; - - const uint8_t* data_ = nullptr; - size_t len_ = 0; + // TODO(crbug.com/770501): Replace this type with span altogether. + bssl::Span data_; }; // Return true if |lhs|'s data and |rhs|'s data are byte-wise equal. diff --git a/pki/name_constraints.cc b/pki/name_constraints.cc index 6dbe2fb07..eba142de9 100644 --- a/pki/name_constraints.cc +++ b/pki/name_constraints.cc @@ -653,19 +653,26 @@ bool NameConstraints::IsPermittedDirectoryName( } bool NameConstraints::IsPermittedIP(const fillins::IPAddress& ip) const { + // fillins::IPAddressMatchesPrefix internally maps v4 addresses to/from v6 on type + // mismatch. We don't wish to do this, so check the sizes match first. for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) { - if (fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) + if (ip.size() == excluded_ip.first.size() && + fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) { return false; + } } // If permitted subtrees are not constrained, any name that is not excluded is // allowed. - if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS)) + if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS)) { return true; + } for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) { - if (fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) + if (ip.size() == permitted_ip.first.size() && + fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) { return true; + } } return false; diff --git a/pki/name_constraints_unittest.cc b/pki/name_constraints_unittest.cc index 6d6a12121..1fe58ed7a 100644 --- a/pki/name_constraints_unittest.cc +++ b/pki/name_constraints_unittest.cc @@ -10,7 +10,6 @@ #include "common_cert_errors.h" #include "test_helpers.h" #include -#include namespace bssl { namespace { @@ -49,12 +48,14 @@ namespace { std::string* result_der) { ::testing::AssertionResult load_result = LoadTestSubjectAltNameData(basename, result_der); - if (!load_result) + if (!load_result) { return load_result; + } CertErrors errors; - *result = GeneralNames::Create(der::Input(result_der), &errors); - if (!*result) + *result = GeneralNames::Create(der::Input(*result_der), &errors); + if (!*result) { return ::testing::AssertionFailure() << "Create failed"; + } return ::testing::AssertionSuccess(); } @@ -92,7 +93,7 @@ TEST_P(ParseNameConstraints, DNSNames) { CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); @@ -181,7 +182,7 @@ TEST_P(ParseNameConstraints, ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // Matches permitted exactly. @@ -212,7 +213,7 @@ TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) { LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // A permitted dNSName constraint of ".bar.com" should only match subdomains @@ -230,7 +231,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) { LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // An excluded dNSName constraint of ".bar.com" should only match subdomains @@ -247,7 +248,7 @@ TEST_P(ParseNameConstraints, DNSNamesPermittedTwoDot) { ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // A dNSName constraint of ".." isn't meaningful. Shouldn't match anything. @@ -263,7 +264,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // Only "excluded.permitted.example.com" is excluded, and since permitted is @@ -283,7 +284,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // "permitted.example.com" is in the permitted section, but since "" is @@ -301,7 +302,7 @@ TEST_P(ParseNameConstraints, DNSNamesExcludeDot) { CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // "." is excluded, which should match nothing. @@ -320,7 +321,7 @@ TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) { a.replace(replace_location, 1, 1, -1); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors)); } TEST_P(ParseNameConstraints, DirectoryNames) { @@ -347,49 +348,49 @@ TEST_P(ParseNameConstraints, DirectoryNames) { CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // Not in any permitted subtree. EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_ca))); + SequenceValueFromString(name_ca))); // Within the permitted C=US subtree. EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us))); + SequenceValueFromString(name_us))); // Within the permitted C=US subtree. EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us_az))); + SequenceValueFromString(name_us_az))); // Within the permitted C=US subtree, however the excluded C=US,ST=California // subtree takes priority. EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us_ca))); + SequenceValueFromString(name_us_ca))); // Within the permitted C=US subtree as well as the permitted // C=US,ST=California,L=Mountain View subtree, however the excluded // C=US,ST=California subtree still takes priority. EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us_ca_mountain_view))); + SequenceValueFromString(name_us_ca_mountain_view))); // Not in any permitted subtree, and also inside the extraneous excluded C=DE // subtree. EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_de))); + SequenceValueFromString(name_de))); // Not in any permitted subtree. EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_jp))); + SequenceValueFromString(name_jp))); // Within the permitted C=JP,ST=Tokyo subtree. EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_jp_tokyo))); + SequenceValueFromString(name_jp_tokyo))); EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, name_constraints->constrained_name_types()); // Within the permitted C=US subtree. EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us), + SequenceValueFromString(name_us), nullptr /* subject_alt_names */)); // Within the permitted C=US subtree, however the excluded C=US,ST=California // subtree takes priority. EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_ca), + SequenceValueFromString(name_us_ca), nullptr /* subject_alt_names */)); std::string san_der; @@ -417,7 +418,7 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name_empty; @@ -433,13 +434,13 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { // Only "C=US,ST=California" is excluded, and since permitted is empty, // any directoryName outside that is allowed. EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_empty))); + SequenceValueFromString(name_empty))); EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us))); + SequenceValueFromString(name_us))); EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us_ca))); + SequenceValueFromString(name_us_ca))); EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us_ca_mountain_view))); + SequenceValueFromString(name_us_ca_mountain_view))); } TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { @@ -448,7 +449,7 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name_empty; @@ -466,22 +467,22 @@ TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { // "C=US" is in the permitted section, but since an empty // directoryName is excluded, nothing is permitted. EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_empty))); + SequenceValueFromString(name_empty))); EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us))); + SequenceValueFromString(name_us))); EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_us_ca))); + SequenceValueFromString(name_us_ca))); EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( - SequenceValueFromString(&name_jp))); + SequenceValueFromString(name_jp))); } -TEST_P(ParseNameConstraints, IPAdresses) { +TEST_P(ParseNameConstraints, IPAddresses) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // IPv4 tests: @@ -597,13 +598,13 @@ TEST_P(ParseNameConstraints, IPAdresses) { IsPermittedCert(name_constraints.get(), der::Input(), san.get())); } -TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { +TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty, @@ -614,13 +615,13 @@ TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); } -TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { +TEST_P(ParseNameConstraints, IPAddressesExcludeAll) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); // 192.168.0.0/255.255.0.0 and @@ -634,13 +635,13 @@ TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); } -TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) { +TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros())); @@ -651,13 +652,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) { EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255))); } -TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) { +TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros())); @@ -669,13 +670,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) { EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255))); } -TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) { +TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros())); @@ -686,13 +687,13 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) { name_constraints->IsPermittedIP(fillins::IPAddress(0xFF, 0xFF, 0xFF, 0xFF))); } -TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) { +TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a)); CertErrors errors; std::unique_ptr name_constraints( - NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros())); @@ -700,32 +701,65 @@ TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) { EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255))); } -TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) { +TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) { std::string a; ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors)); } -TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) { +TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidMaskNotContiguous) { std::string a; ASSERT_TRUE(LoadTestNameConstraint( "ipaddress-invalid_mask_not_contiguous_1.pem", &a)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(LoadTestNameConstraint( "ipaddress-invalid_mask_not_contiguous_2.pem", &a)); - EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(LoadTestNameConstraint( "ipaddress-invalid_mask_not_contiguous_3.pem", &a)); - EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors)); ASSERT_TRUE(LoadTestNameConstraint( "ipaddress-invalid_mask_not_contiguous_4.pem", &a)); - EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors)); + EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors)); +} + +// Test that v4/v6 mapping is not applied when evaluating name constraints. +TEST_P(ParseNameConstraints, IPAddressesMapped) { + std::string a; + ASSERT_TRUE(LoadTestNameConstraint("ipaddress-mapped_addrs.pem", &a)); + + CertErrors errors; + std::unique_ptr name_constraints( + NameConstraints::Create(der::Input(a), is_critical(), &errors)); + ASSERT_TRUE(name_constraints); + + // 192.168.1.0/24 is a permitted subtree. + EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 0))); + // This does not cover ::ffff:192.168.1.0. + EXPECT_FALSE(name_constraints->IsPermittedIP( + fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0))); + // 192.168.1.1 is excluded. + EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1))); + // ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2. + EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2))); + + // ::ffff:192.168.2.0/120 is a permitted subtree. + EXPECT_TRUE(name_constraints->IsPermittedIP( + fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0))); + // This does not cover 192.168.2.0. + EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 2, 0))); + // ::ffff:192.168.2.1 is excluded. + EXPECT_FALSE(name_constraints->IsPermittedIP( + fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1))); + // 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2. + EXPECT_TRUE(name_constraints->IsPermittedIP( + fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2))); } TEST_P(ParseNameConstraints, OtherNamesInPermitted) { @@ -734,7 +768,7 @@ TEST_P(ParseNameConstraints, OtherNamesInPermitted) { LoadTestNameConstraint("othername-permitted.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -757,7 +791,7 @@ TEST_P(ParseNameConstraints, OtherNamesInExcluded) { LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -780,7 +814,7 @@ TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -842,7 +876,7 @@ TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -892,7 +926,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameInPermitted) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -951,7 +985,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameInExcluded) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1000,7 +1034,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInPermitted) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1050,7 +1084,7 @@ TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInExcluded) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1100,7 +1134,7 @@ TEST_P(ParseNameConstraints, Rfc822NameSubdomainInPermitted) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1138,7 +1172,7 @@ TEST_P(ParseNameConstraints, Rfc822NameSubdomainInExcluded) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1177,7 +1211,7 @@ TEST_P(ParseNameConstraints, Rfc822NameEmptyPermitted) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1202,7 +1236,7 @@ TEST_P(ParseNameConstraints, Rfc822NameEmptyExcluded) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1227,7 +1261,7 @@ TEST_P(ParseNameConstraints, Rfc822NameIPv4Permitted) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1257,7 +1291,7 @@ TEST_P(ParseNameConstraints, Rfc822NameIPv4Excluded) { LoadTestNameConstraint("rfc822name-excluded-ipv4.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); EXPECT_EQ(GENERAL_NAME_RFC822_NAME, @@ -1288,7 +1322,7 @@ TEST_P(ParseNameConstraints, QuotedRfc822SanWithNoRfc822Constraints) { LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string san_der; @@ -1306,7 +1340,7 @@ TEST_P(ParseNameConstraints, QuotedRfc822SanMatchesQuotedPermitted) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string san_der; @@ -1325,7 +1359,7 @@ TEST_P(ParseNameConstraints, UnquotedRfc822SanNotMatchingQuotedExcluded) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string san_der; @@ -1345,7 +1379,7 @@ TEST_P(ParseNameConstraints, X400AddresssInPermitted) { LoadTestNameConstraint("x400address-permitted.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1368,7 +1402,7 @@ TEST_P(ParseNameConstraints, X400AddresssInExcluded) { LoadTestNameConstraint("x400address-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1391,7 +1425,7 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1414,7 +1448,7 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1436,7 +1470,7 @@ TEST_P(ParseNameConstraints, URIsInPermitted) { ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1458,7 +1492,7 @@ TEST_P(ParseNameConstraints, URIsInExcluded) { ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1481,7 +1515,7 @@ TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1504,7 +1538,7 @@ TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); if (is_critical()) { @@ -1530,7 +1564,7 @@ TEST_P(ParseNameConstraints, // could be changed to allowed if there are buggy encoders out there that // include it anyway. CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1539,7 +1573,7 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) { ASSERT_TRUE( LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1549,7 +1583,7 @@ TEST_P(ParseNameConstraints, ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem", &constraints_der)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1558,7 +1592,7 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) { ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem", &constraints_der)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1566,14 +1600,14 @@ TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) { std::string constraints_der; ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) { std::string constraints_der = ""; CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1582,7 +1616,7 @@ TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) { ASSERT_TRUE( LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1591,7 +1625,7 @@ TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) { ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem", &constraints_der)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1600,7 +1634,7 @@ TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) { ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem", &constraints_der)); CertErrors errors; - EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der), + EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der), is_critical(), &errors)); } @@ -1610,7 +1644,7 @@ TEST_P(ParseNameConstraints, ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name; @@ -1618,14 +1652,14 @@ TEST_P(ParseNameConstraints, // Name constraints don't contain rfc822Name, so emailAddress in subject is // allowed regardless. EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name)); // Name constraints don't contain rfc822Name, so emailAddress in subject is // allowed regardless. EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); } @@ -1635,7 +1669,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name; @@ -1644,21 +1678,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) { // Name constraints contain rfc822Name, and the address matches the // constraint (which is all addresses on the hostname.) EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name)); // The bytes of the name string match, but the string type is VISIBLESTRING // which is not supported, so this should fail. EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name)); // Subject contains multiple rfc822Names, and they all match the constraint // (which is all addresses on the hostname.) EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); } @@ -1668,7 +1702,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name; @@ -1677,21 +1711,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { // Name constraints contain rfc822Name, and the address does not match the // constraint. EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); // Address is a case-insensitive match, but name constraints (permitted) are // case-sensitive, so this fails. ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name)); EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name)); // Subject contains multiple rfc822Names, and only the first one matches the // constraint. EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); } @@ -1701,7 +1735,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) { LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name; @@ -1710,21 +1744,21 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) { // Name constraints contain excluded rfc822Name, and the address does not // match the constraint. EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); // Name constraints for excluded are done case-insensitive in the local part, // so this is not allowed. ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name)); EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name)); // Subject contains multiple rfc822Names, and one of them is excluded by the // constraint. EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name), + SequenceValueFromString(name), /*subject_alt_names=*/nullptr)); } @@ -1737,7 +1771,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name_us_az_foocom; @@ -1746,7 +1780,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { // (The commonName hostname is not within permitted dNSName constraints, so // this would not be permitted if hostnames in commonName were checked.) EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_az_foocom), + SequenceValueFromString(name_us_az_foocom), nullptr /* subject_alt_names */)); std::string name_us_az_permitted; @@ -1756,7 +1790,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { // permitted dNSName constraints, so this should be permitted regardless if // hostnames in commonName are checked or not. EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_az_permitted), + SequenceValueFromString(name_us_az_permitted), nullptr /* subject_alt_names */)); std::string name_us_ca_permitted; @@ -1766,7 +1800,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { // this should not be allowed, regardless of checking the // permitted.example.com in commonName. EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_ca_permitted), + SequenceValueFromString(name_us_ca_permitted), nullptr /* subject_alt_names */)); } @@ -1779,7 +1813,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der)); CertErrors errors; std::unique_ptr name_constraints(NameConstraints::Create( - der::Input(&constraints_der), is_critical(), &errors)); + der::Input(constraints_der), is_critical(), &errors)); ASSERT_TRUE(name_constraints); std::string name_us_az_1_1_1_1; @@ -1788,7 +1822,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // (The commonName IP address is not within permitted iPAddresses constraints, // so this would not be permitted if IP addresses in commonName were checked.) EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_az_1_1_1_1), + SequenceValueFromString(name_us_az_1_1_1_1), nullptr /* subject_alt_names */)); std::string name_us_az_192_168_1_1; @@ -1798,7 +1832,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // permitted iPAddress constraints, so this should be permitted regardless if // IP addresses in commonName are checked or not. EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_az_192_168_1_1), + SequenceValueFromString(name_us_az_192_168_1_1), nullptr /* subject_alt_names */)); std::string name_us_ca_192_168_1_1; @@ -1808,7 +1842,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // this should not be allowed, regardless of checking the // IP address in commonName. EXPECT_FALSE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_ca_192_168_1_1), + SequenceValueFromString(name_us_ca_192_168_1_1), nullptr /* subject_alt_names */)); std::string name_us_az_ipv6; @@ -1817,7 +1851,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // (The commonName is an ipv6 address which wasn't supported in the past, but // since commonName checking is ignored entirely, this is permitted.) EXPECT_TRUE(IsPermittedCert(name_constraints.get(), - SequenceValueFromString(&name_us_az_ipv6), + SequenceValueFromString(name_us_az_ipv6), nullptr /* subject_alt_names */)); } diff --git a/pki/ocsp.h b/pki/ocsp.h index c5bbd89b4..496378bfb 100644 --- a/pki/ocsp.h +++ b/pki/ocsp.h @@ -5,8 +5,8 @@ #ifndef BSSL_PKI_OCSP_H_ #define BSSL_PKI_OCSP_H_ -#include "webutil/url/url.h" #include "fillins/openssl_util.h" +#include "webutil/url/url.h" #include #include diff --git a/pki/ocsp_unittest.cc b/pki/ocsp_unittest.cc index 80137ffd6..32fc1f339 100644 --- a/pki/ocsp_unittest.cc +++ b/pki/ocsp_unittest.cc @@ -175,8 +175,7 @@ TEST_P(CheckOCSPTest, FromFile) { std::vector encoded_request; ASSERT_TRUE(CreateOCSPRequest(cert.get(), issuer.get(), &encoded_request)); - EXPECT_EQ(der::Input(encoded_request.data(), encoded_request.size()), - der::Input(&request_data)); + EXPECT_EQ(der::Input(encoded_request), der::Input(request_data)); } std::string_view kGetURLTestParams[] = { diff --git a/pki/parse_certificate_unittest.cc b/pki/parse_certificate_unittest.cc index 196d401da..fc79ca34d 100644 --- a/pki/parse_certificate_unittest.cc +++ b/pki/parse_certificate_unittest.cc @@ -63,7 +63,7 @@ void RunCertificateTest(const std::string& file_name) { der::BitString signature_value; CertErrors errors; bool actual_result = - ParseCertificate(der::Input(&data), &tbs_certificate_tlv, + ParseCertificate(der::Input(data), &tbs_certificate_tlv, &signature_algorithm_tlv, &signature_value, &errors); EXPECT_EQ(expected_result, actual_result); @@ -72,10 +72,10 @@ void RunCertificateTest(const std::string& file_name) { // Ensure that the parsed certificate matches expectations. if (expected_result && actual_result) { EXPECT_EQ(0, signature_value.unused_bits()); - EXPECT_EQ(der::Input(&expected_signature), signature_value.bytes()); - EXPECT_EQ(der::Input(&expected_signature_algorithm), + EXPECT_EQ(der::Input(expected_signature), signature_value.bytes()); + EXPECT_EQ(der::Input(expected_signature_algorithm), signature_algorithm_tlv); - EXPECT_EQ(der::Input(&expected_tbs_certificate), tbs_certificate_tlv); + EXPECT_EQ(der::Input(expected_tbs_certificate), tbs_certificate_tlv); } } @@ -167,7 +167,7 @@ void RunTbsCertificateTestGivenVersion(const std::string& file_name, ParsedTbsCertificate parsed; CertErrors errors; bool actual_result = - ParseTbsCertificate(der::Input(&data), {}, &parsed, &errors); + ParseTbsCertificate(der::Input(data), {}, &parsed, &errors); EXPECT_EQ(expected_result, actual_result); VerifyCertErrors(expected_errors, errors, test_file_path); @@ -178,36 +178,36 @@ void RunTbsCertificateTestGivenVersion(const std::string& file_name, // Ensure that the ParsedTbsCertificate matches expectations. EXPECT_EQ(expected_version, parsed.version); - EXPECT_EQ(der::Input(&expected_serial_number), parsed.serial_number); - EXPECT_EQ(der::Input(&expected_signature_algorithm), + EXPECT_EQ(der::Input(expected_serial_number), parsed.serial_number); + EXPECT_EQ(der::Input(expected_signature_algorithm), parsed.signature_algorithm_tlv); - EXPECT_EQ(der::Input(&expected_issuer), parsed.issuer_tlv); + EXPECT_EQ(der::Input(expected_issuer), parsed.issuer_tlv); // In the test expectations PEM file, validity is described as a // textual string of the parsed value (rather than as DER). EXPECT_EQ(expected_validity_not_before, ToString(parsed.validity_not_before)); EXPECT_EQ(expected_validity_not_after, ToString(parsed.validity_not_after)); - EXPECT_EQ(der::Input(&expected_subject), parsed.subject_tlv); - EXPECT_EQ(der::Input(&expected_spki), parsed.spki_tlv); + EXPECT_EQ(der::Input(expected_subject), parsed.subject_tlv); + EXPECT_EQ(der::Input(expected_spki), parsed.spki_tlv); EXPECT_EQ(!expected_issuer_unique_id.empty(), parsed.issuer_unique_id.has_value()); if (parsed.issuer_unique_id.has_value()) { - EXPECT_EQ(der::Input(&expected_issuer_unique_id), + EXPECT_EQ(der::Input(expected_issuer_unique_id), parsed.issuer_unique_id->bytes()); } EXPECT_EQ(!expected_subject_unique_id.empty(), parsed.subject_unique_id.has_value()); if (parsed.subject_unique_id.has_value()) { - EXPECT_EQ(der::Input(&expected_subject_unique_id), + EXPECT_EQ(der::Input(expected_subject_unique_id), parsed.subject_unique_id->bytes()); } EXPECT_EQ(!expected_extensions.empty(), parsed.extensions_tlv.has_value()); if (parsed.extensions_tlv) { - EXPECT_EQ(der::Input(&expected_extensions), parsed.extensions_tlv.value()); + EXPECT_EQ(der::Input(expected_extensions), parsed.extensions_tlv.value()); } } @@ -1008,7 +1008,7 @@ bool ParseAuthorityKeyIdentifierTestData( file_name; EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings)); - return ParseAuthorityKeyIdentifier(der::Input(backing_bytes), + return ParseAuthorityKeyIdentifier(der::Input(*backing_bytes), authority_key_identifier); } diff --git a/pki/parse_name_unittest.cc b/pki/parse_name_unittest.cc index a3585bbb5..fec2e0790 100644 --- a/pki/parse_name_unittest.cc +++ b/pki/parse_name_unittest.cc @@ -201,7 +201,7 @@ TEST(ParseNameTest, InvalidNameExtraData) { ASSERT_TRUE( LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid)); RDNSequence atv; - ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv)); + ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv)); } TEST(ParseNameTest, InvalidNameEmpty) { @@ -209,7 +209,7 @@ TEST(ParseNameTest, InvalidNameEmpty) { ASSERT_TRUE( LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid)); RDNSequence atv; - ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv)); + ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv)); } TEST(ParseNameTest, InvalidNameBadType) { @@ -217,7 +217,7 @@ TEST(ParseNameTest, InvalidNameBadType) { ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue", "badAttributeType", &invalid)); RDNSequence atv; - ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv)); + ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv)); } TEST(ParseNameTest, InvalidNameNotSequence) { @@ -225,21 +225,21 @@ TEST(ParseNameTest, InvalidNameNotSequence) { ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue", "setNotSequence", &invalid)); RDNSequence atv; - ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv)); + ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv)); } TEST(ParseNameTest, InvalidNameNotSet) { std::string invalid; ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid)); RDNSequence atv; - ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv)); + ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv)); } TEST(ParseNameTest, InvalidNameEmptyRdn) { std::string invalid; ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid)); RDNSequence atv; - ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv)); + ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv)); } TEST(ParseNameTest, RFC2253FormatBasic) { diff --git a/pki/parsed_certificate.h b/pki/parsed_certificate.h index 20fd89594..5fbef8291 100644 --- a/pki/parsed_certificate.h +++ b/pki/parsed_certificate.h @@ -110,7 +110,7 @@ class OPENSSL_EXPORT ParsedCertificate { // Sequence tag). This is guaranteed to be valid DER, though the contents of // unhandled string types are treated as raw bytes. der::Input normalized_subject() const { - return der::Input(&normalized_subject_); + return der::Input(normalized_subject_); } // Returns the DER-encoded raw issuer value (including the outer sequence // tag). This is guaranteed to be valid DER, though the contents of unhandled @@ -120,7 +120,7 @@ class OPENSSL_EXPORT ParsedCertificate { // Sequence tag). This is guaranteed to be valid DER, though the contents of // unhandled string types are treated as raw bytes. der::Input normalized_issuer() const { - return der::Input(&normalized_issuer_); + return der::Input(normalized_issuer_); } // Returns true if the certificate has a BasicConstraints extension. diff --git a/pki/path_builder_pkits_unittest.cc b/pki/path_builder_pkits_unittest.cc index b49a34da5..620205ce2 100644 --- a/pki/path_builder_pkits_unittest.cc +++ b/pki/path_builder_pkits_unittest.cc @@ -5,7 +5,6 @@ #include "path_builder.h" #include -#include #include "fillins/log.h" #include "fillins/net_errors.h" @@ -237,7 +236,7 @@ class PathBuilderPkitsTestDelegate { for (size_t i = 0; i < result.paths.size(); ++i) { const CertPathBuilderResultPath* result_path = result.paths[i].get(); - std::cerr << "path " << i << " errors:\n" + LOG(ERROR) << "path " << i << " errors:\n" << result_path->errors.ToDebugString(result_path->certs); } } diff --git a/pki/signature_algorithm_unittest.cc b/pki/signature_algorithm_unittest.cc index 1c420a361..9673ab212 100644 --- a/pki/signature_algorithm_unittest.cc +++ b/pki/signature_algorithm_unittest.cc @@ -1155,8 +1155,7 @@ TEST(SignatureAlgorithmTest, ParseRsaPss) { 0x04, 0x02, 0x03, 0xa2, 0x03, 0x02, 0x01, 0x40}, SignatureAlgorithm::kRsaPssSha512}}; for (const auto& t : kValidTests) { - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size())), - t.expected); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data)), t.expected); } struct { @@ -1346,8 +1345,7 @@ TEST(SignatureAlgorithmTest, ParseRsaPss) { 0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x41}}, }; for (const auto& t : kInvalidTests) { - EXPECT_FALSE( - ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size()))); + EXPECT_FALSE(ParseSignatureAlgorithm(der::Input(t.data))); } } diff --git a/pki/simple_path_builder_delegate_unittest.cc b/pki/simple_path_builder_delegate_unittest.cc index 7d47406d4..7b6206cb8 100644 --- a/pki/simple_path_builder_delegate_unittest.cc +++ b/pki/simple_path_builder_delegate_unittest.cc @@ -38,11 +38,11 @@ void ReadTestCase(const char* file_name, ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings)); std::optional sigalg_opt = - ParseSignatureAlgorithm(der::Input(&algorithm_str)); + ParseSignatureAlgorithm(der::Input(algorithm_str)); ASSERT_TRUE(sigalg_opt); *signature_algorithm = *sigalg_opt; - ASSERT_TRUE(ParsePublicKey(der::Input(&public_key_str), public_key)); + ASSERT_TRUE(ParsePublicKey(der::Input(public_key_str), public_key)); } class SimplePathBuilderDelegate1024SuccessTest diff --git a/pki/test_helpers.cc b/pki/test_helpers.cc index 98487d75b..36f0ffb96 100644 --- a/pki/test_helpers.cc +++ b/pki/test_helpers.cc @@ -110,7 +110,7 @@ void PrintTo(const Input& data, ::std::ostream* os) { } // namespace der -der::Input SequenceValueFromString(const std::string* s) { +der::Input SequenceValueFromString(std::string_view s) { der::Parser parser((der::Input(s))); der::Input data; if (!parser.ReadTag(der::kSequence, &data)) { @@ -284,7 +284,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, if (value == "DEFAULT") { value = "211005120000Z"; } - if (!der::ParseUTCTime(der::Input(&value), &test->time)) { + if (!der::ParseUTCTime(der::Input(value), &test->time)) { ADD_FAILURE() << "Failed parsing UTC time"; return false; } diff --git a/pki/test_helpers.h b/pki/test_helpers.h index 73e8afd2e..6857dd362 100644 --- a/pki/test_helpers.h +++ b/pki/test_helpers.h @@ -9,6 +9,7 @@ #include #include +#include #include #include "parsed_certificate.h" @@ -33,7 +34,7 @@ void PrintTo(const Input& data, ::std::ostream* os); // // The returned der::Input() is only valid so long as the input string is alive // and is not mutated. -der::Input SequenceValueFromString(const std::string* s); +der::Input SequenceValueFromString(std::string_view s); // Helper structure that maps a PEM block header (for instance "CERTIFICATE") to // the destination where the value for that block should be written. diff --git a/pki/testdata/name_constraints_unittest/generate_name_constraints.py b/pki/testdata/name_constraints_unittest/generate_name_constraints.py index bf7e89bac..0c474a796 100755 --- a/pki/testdata/name_constraints_unittest/generate_name_constraints.py +++ b/pki/testdata/name_constraints_unittest/generate_name_constraints.py @@ -317,6 +317,23 @@ def main(): enforce_length=False)) generate(c, "ipaddress-invalid_addr.pem") + v4_mapped_prefix = (0, ) * 10 + (255, ) * 2 + v4_mapped_mask = (255, ) * 12 + c = NameConstraintsGenerator() + c.add_permitted(ip_address_range((192, 168, 1, 0), (255, 255, 255, 0))) + c.add_excluded(ip_address_range((192, 168, 1, 1), (255, 255, 255, 255))) + c.add_excluded( + ip_address_range(v4_mapped_prefix + (192, 168, 1, 2), + v4_mapped_mask + (255, 255, 255, 255))) + c.add_permitted( + ip_address_range(v4_mapped_prefix + (192, 168, 2, 0), + v4_mapped_mask + (255, 255, 255, 0))) + c.add_excluded( + ip_address_range(v4_mapped_prefix + (192, 168, 2, 1), + v4_mapped_mask + (255, 255, 255, 255))) + c.add_excluded(ip_address_range((192, 168, 2, 2), (255, 255, 255, 255))) + generate(c, "ipaddress-mapped_addrs.pem") + n_us = generate_names.NameGenerator() n_us.add_rdn().add_attr('countryName', 'PRINTABLESTRING', 'US') generate(n_us, "name-us.pem") diff --git a/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem b/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem new file mode 100644 index 000000000..62dc085d5 --- /dev/null +++ b/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem @@ -0,0 +1,29 @@ +SEQUENCE { + [0] { + SEQUENCE { + [7 PRIMITIVE] { `c0a80100ffffff00` } + } + SEQUENCE { + [7 PRIMITIVE] { `00000000000000000000ffffc0a80200ffffffffffffffffffffffffffffff00` } + } + } + [1] { + SEQUENCE { + [7 PRIMITIVE] { `c0a80101ffffffff` } + } + SEQUENCE { + [7 PRIMITIVE] { `00000000000000000000ffffc0a80102ffffffffffffffffffffffffffffffff` } + } + SEQUENCE { + [7 PRIMITIVE] { `00000000000000000000ffffc0a80201ffffffffffffffffffffffffffffffff` } + } + SEQUENCE { + [7 PRIMITIVE] { `c0a80202ffffffff` } + } + } +} +-----BEGIN NAME CONSTRAINTS----- +MIGUoDAwCocIwKgBAP///wAwIocgAAAAAAAAAAAAAP//wKgCAP///////////////////wChYDAK +hwjAqAEB/////zAihyAAAAAAAAAAAAAA///AqAEC/////////////////////zAihyAAAAAAAAAA +AAAA///AqAIB/////////////////////zAKhwjAqAIC/////w== +-----END NAME CONSTRAINTS----- diff --git a/pki/testdata/ssl/certificates/README b/pki/testdata/ssl/certificates/README index c56b7e18f..6e3db6490 100644 --- a/pki/testdata/ssl/certificates/README +++ b/pki/testdata/ssl/certificates/README @@ -46,10 +46,6 @@ unit tests. purposes is not recommended. This needs to be updated periodically so the server name the cert is valid for may change. -- treadclimber.pem: A chain where the leaf does not contain embedded SCTs, - and which has a notBefore date after 2018/10/15. Expires 2020/02/07. -- treadclimber.sctlist: The TLS encoded SignedCertificateTimestampList for the - treadclimber.pem leaf certificate. - lets-encrypt-dst-x3-root.pem: A chain that ends in the Lets encrypt DST X3 root (https://crt.sh/?id=8395). Has the same leaf as lets-encrypt-isrg-x1-root.pem. @@ -193,18 +189,15 @@ unit tests. Certificates for testing EV display (including regression test for https://crbug.com/1069113). -===== From net/data/ssl/scripts/generate-weak-test-chains.sh -- 2048-rsa-root.pem -- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem -- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by- - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem - Test certificates used to ensure that weak keys are detected and rejected - -===== From net/data/ssl/scripts/generate-cross-signed-certs.sh -- cross-signed-leaf.pem -- cross-signed-root-md5.pem -- cross-signed-root-sha256.pem - A certificate chain for regression testing http://crbug.com/108514 +===== From net/data/ssl/scripts/generate-test-keys.sh +- rsa-{768,1024,2048}-{1..3}.key +- ec-prime256v1-{1..3}.key + Pre-generated keys of various types/sizes. + Useful for tests that generate RSA certificates with CertBuilder without + having to pay the cost of generating RSA keys at runtime. Multiple keys + of each size are provided. (EC keys are cheap to generate at runtime, but + having some as files simplifies test logic in cases where the test is + reading both RSA and EC keys from files.) ===== From net/data/ssl/scripts/generate-redundant-test-chains.sh - redundant-validated-chain.pem diff --git a/pki/testdata/ssl/certificates/ec-prime256v1-1.key b/pki/testdata/ssl/certificates/ec-prime256v1-1.key new file mode 100644 index 000000000..43ba03418 --- /dev/null +++ b/pki/testdata/ssl/certificates/ec-prime256v1-1.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8YeFfq6kLtUZziTV +eBxKf4sdzWhBIrmoa7R6IQ/L0g2hRANCAATwrGqIPnPdqDreHFlZqECUQ0AjHbyi +NWFYmGc3FkPsCS1MWu2WhMYdw7UuLDdMKge7Q6IWMsHum/4G04hRdTYL +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/ec-prime256v1-2.key b/pki/testdata/ssl/certificates/ec-prime256v1-2.key new file mode 100644 index 000000000..bfdcc94c5 --- /dev/null +++ b/pki/testdata/ssl/certificates/ec-prime256v1-2.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSCf4GodSLqPExkQ0 +Ik8+89ysmrauzOM+YOw7a6XXxpOhRANCAASTFjEdz9MMLzVvqiKJ6hiEmG7+tfn1 +6r5Odwu8dkIr69J5RljzPLAbHXN4kXF/ohZbBvKnX+1cEUDO+kBtAHMB +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/ec-prime256v1-3.key b/pki/testdata/ssl/certificates/ec-prime256v1-3.key new file mode 100644 index 000000000..de0b671e0 --- /dev/null +++ b/pki/testdata/ssl/certificates/ec-prime256v1-3.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSFwCrUE0q+J8WdaB +wuQtvtQuvSVy4xrVUVKbg/b8qmShRANCAAQ0MQNe+C3m+ZxRjUC2VHut66EhAqDQ +EXOCJ3se7ctMpdmVa2ml/4cjz3lnrfbSYe/mM5v3hDN8u8dYmk7zDoL3 +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/leaf_from_known_root.pem b/pki/testdata/ssl/certificates/leaf_from_known_root.pem index 0594ff8c0..a3d612038 100644 --- a/pki/testdata/ssl/certificates/leaf_from_known_root.pem +++ b/pki/testdata/ssl/certificates/leaf_from_known_root.pem @@ -1,274 +1,666 @@ =========================================== -Certificate0: c74f724a594ff8156228aa8d5b06c2335c45bcc0381cf16deb7ec0330cb454a0 +Certificate0: 43a7c7f7b28f92beac4b5e7e002c69801fd82c8656d9cb2993dba2bab0c4ec1e =========================================== Certificate: Data: Version: 3 (0x2) - Serial Number: - 13:00:0f:ee:63:1b:df:c3:25:02:e3:e0:7e:a6:39:50 + Serial Number: 5475531677529648189 (0x4bfcff0cd38dac3d) Signature Algorithm: sha256WithRSAEncryption - Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA + Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2 Validity - Not Before: Apr 10 00:00:00 2023 GMT - Not After : May 10 23:59:59 2024 GMT - Subject: CN = horseweather.com + Not Before: Jul 25 02:05:05 2023 GMT + Not After : Aug 24 00:14:22 2024 GMT + Subject: CN = tntpowerwashservices.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: - 00:b5:4f:7d:c0:1a:22:1c:a6:88:a0:85:01:3e:4a: - 56:e3:3e:2a:f9:9c:f8:15:ce:6f:f7:44:74:00:41: - 0f:d9:54:ce:7b:51:70:95:0c:9b:35:b1:68:b9:a6: - 75:1a:28:93:4b:c9:64:9c:7e:ea:30:d4:4b:73:44: - 62:fa:97:0d:5b:19:f6:6e:a3:44:b1:ea:67:7b:c6: - 86:c6:1f:b8:1b:9b:ce:b1:9d:f7:f1:63:f4:63:03: - 6b:07:72:f8:9c:f7:62:89:5d:15:2f:eb:ea:f8:18: - 8f:55:1d:33:e7:2c:76:fd:3e:1a:16:fb:42:c1:02: - 3a:03:82:f8:92:9a:a2:de:f1:8b:06:8e:cc:f9:ca: - 1e:29:1c:48:7e:dc:0f:c1:5e:81:91:5c:36:eb:41: - 1f:55:23:67:f2:b3:3b:10:73:fc:f0:48:2c:9e:8e: - 1b:66:1e:52:38:09:0b:53:10:47:96:39:47:bb:81: - 67:c4:4f:33:f2:74:19:c8:b5:16:0b:27:1e:d2:0e: - 09:c7:4e:c5:e3:a8:8f:aa:00:1a:3c:9a:19:45:09: - c8:aa:74:e0:7e:a0:7f:e2:46:8e:27:42:d4:ee:80: - 60:5d:e1:b4:fc:23:9d:cb:70:be:d6:5b:88:ee:15: - 61:1d:f5:4b:8d:02:ae:2f:19:5c:20:fc:17:9f:fc: - 5d:b9 + 00:af:a6:20:2e:e2:8f:f6:61:ba:78:bd:8c:c9:b4: + 84:6a:38:53:33:4a:28:e1:f6:9a:f8:be:45:14:18: + ef:0c:57:6c:ae:89:7b:8d:06:89:58:b4:76:21:2c: + 43:1f:b9:5d:e0:8d:4b:83:ad:3d:04:fb:e1:bf:76: + f2:e9:1a:80:42:f7:24:65:6d:c9:90:fc:fd:8e:82: + 0a:0e:5e:22:78:09:68:59:2a:4b:58:10:99:2d:f8: + 57:56:d9:92:a6:58:7e:89:c2:12:ea:c6:e2:43:86: + 07:6f:84:e2:c2:cd:1e:9d:4f:ee:62:58:35:a2:13: + d5:bc:20:cf:69:65:c4:74:2a:4d:b1:c2:7b:03:85: + b2:fc:dd:c7:36:30:c2:d6:59:02:e8:7c:41:26:ce: + 6b:f0:7a:55:1f:90:42:07:53:2e:a1:47:2e:53:42: + a6:48:1c:d0:d2:bb:9c:76:bf:89:4b:39:9d:69:f5: + 80:a4:38:b3:bd:e7:cd:41:0c:69:d7:3d:c1:78:27: + 88:05:ee:c7:f3:87:9d:01:e1:fd:70:e4:be:4d:97: + d3:2b:61:f3:0a:d3:2f:63:a9:ce:61:22:08:2e:a3: + d6:ba:de:fe:6b:df:69:ed:2f:50:dd:b8:72:c4:d6: + 6b:00:5e:a4:8b:9b:58:c0:43:32:ab:cc:44:55:d7: + 70:2f Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Authority Key Identifier: - 8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1 - X509v3 Subject Key Identifier: - DE:B8:1F:8D:E5:9F:B7:B7:F7:B6:96:56:D3:F4:2F:58:30:4C:36:0D - X509v3 Key Usage: critical - Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 CRL Distribution Points: + Full Name: + URI:http://crl.godaddy.com/gdig2s1-7257.crl X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.6449.1.2.2.7 - CPS: https://sectigo.com/CPS + Policy: 2.16.840.1.114413.1.7.23.1 + CPS: http://certificates.godaddy.com/repository/ Policy: 2.23.140.1.2.1 Authority Information Access: - CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt - OCSP - URI:http://ocsp.sectigo.com + OCSP - URI:http://ocsp.godaddy.com/ + CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt + X509v3 Authority Key Identifier: + 40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE X509v3 Subject Alternative Name: - DNS:horseweather.com, DNS:www.horseweather.com + DNS:tntpowerwashservices.com, DNS:www.tntpowerwashservices.com + X509v3 Subject Key Identifier: + 15:BE:40:63:3C:B1:6A:3C:27:52:B1:1E:43:06:A1:1C:0B:09:C7:C8 CT Precertificate SCTs: - Signed Certificate Timestamp: - Version : v1 (0x0) - Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34: - B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74 - Timestamp : Apr 10 14:57:58.554 2023 GMT - Extensions: none - Signature : ecdsa-with-SHA256 - 30:44:02:20:2C:72:0F:4C:A5:E0:DE:BA:0F:50:D6:79: - 57:BB:1E:4C:57:63:08:41:3E:CE:92:04:AF:1D:8B:43: - AC:D3:E0:A9:02:20:73:BD:5A:86:55:76:F4:84:E5:71: - CE:D4:3B:D4:2F:7F:9F:7F:E9:DB:10:8B:97:0B:A5:EC: - FB:B3:99:03:5A:DF - Signed Certificate Timestamp: - Version : v1 (0x0) - Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70: - 91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB - Timestamp : Apr 10 14:57:58.648 2023 GMT - Extensions: none - Signature : ecdsa-with-SHA256 - 30:45:02:20:6A:FD:3F:78:6C:23:EE:5E:6D:6F:4C:67: - D5:22:B0:9A:CB:78:01:D2:24:79:DF:56:44:40:23:4E: - 8B:CE:B9:10:02:21:00:E7:15:11:84:48:04:FC:2C:CD: - F1:88:4E:79:31:19:4B:DC:E0:B3:74:12:49:3C:DD:4E: - DB:E5:6D:D9:1B:B9:60 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2: 32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B - Timestamp : Apr 10 14:57:58.679 2023 GMT + Timestamp : Jul 25 02:05:06.473 2023 GMT Extensions: none Signature : ecdsa-with-SHA256 - 30:46:02:21:00:AF:8C:27:AC:66:5E:08:AC:BA:19:1D: - 5A:CF:9A:F5:B8:28:A6:CC:9F:C4:99:45:59:10:2E:80: - 17:BA:BA:B0:5E:02:21:00:CD:4E:51:2B:C6:12:73:4D: - 7E:23:61:15:22:CB:08:CA:19:62:81:95:7E:31:08:B9: - 64:F7:96:71:B0:1E:D2:A8 + 30:45:02:21:00:B6:D5:26:94:10:7C:69:75:D5:83:A6: + 4A:7F:4D:87:A3:86:3D:C6:AD:47:17:B7:04:9F:83:0B: + 51:7E:41:C5:06:02:20:1E:2C:1C:2F:03:D1:1B:AB:E2: + F5:A0:65:BC:EC:BE:15:D2:05:ED:CC:AC:1A:44:70:DC: + 19:B6:87:58:4E:DF:EA + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB: + 1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73 + Timestamp : Jul 25 02:05:06.771 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:20:6F:76:37:49:56:F0:9D:7F:F7:94:58:C9: + 9E:D3:D6:36:7D:BD:56:F4:92:41:0B:3E:97:0B:95:84: + 53:C6:68:24:02:21:00:87:45:7A:45:89:8E:C0:D9:44: + 82:56:24:C1:0D:A3:C4:FC:F8:C8:8E:1D:71:CC:0C:B5: + 6E:03:40:8D:3C:34:3A + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70: + 91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB + Timestamp : Jul 25 02:05:06.882 2023 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:46:02:21:00:A1:1F:15:0A:5A:5A:E7:ED:6D:61:5F: + 9C:13:0B:66:70:62:95:31:C8:ED:D0:8A:B9:58:B1:90: + 97:63:21:C8:2B:02:21:00:F9:67:A5:79:88:32:96:48: + CB:6C:B9:27:76:0D:B6:7C:3A:AE:CB:65:40:87:E3:A5: + A9:FA:03:CA:61:F3:C7:9D Signature Algorithm: sha256WithRSAEncryption Signature Value: - 3b:67:4e:46:c0:7f:d6:2f:4e:64:63:80:21:e4:ea:af:46:06: - e3:83:47:99:88:73:27:6c:96:ae:5e:eb:d3:36:60:4a:1d:b4: - 28:57:7d:07:df:40:e2:87:54:d3:dd:bc:5a:e4:e7:9b:f7:72: - 4b:c7:5f:5d:50:da:c6:c0:6a:0d:36:c3:f9:ff:db:b5:d2:71: - 84:b6:66:0a:15:31:46:79:39:0f:b2:bc:c0:91:8f:d6:03:ab: - 10:7d:ea:7e:59:16:13:6c:3a:47:55:12:8b:c5:4a:1f:21:bc: - 00:f1:a1:0a:0e:e5:e8:b5:af:38:47:78:44:e9:ab:d9:0c:94: - a1:af:a1:2c:18:5a:15:00:e1:4e:9f:c5:06:88:87:41:25:e7: - 92:bf:9e:ee:66:93:88:4d:15:ae:c5:d8:1b:c4:58:e1:3c:fd: - 12:bc:8e:44:fa:74:4b:a3:37:bd:7d:49:f9:3e:90:a7:bd:2e: - dc:3d:24:5d:5b:9f:47:3e:6c:3a:7d:17:ab:dc:3b:3c:53:f1: - ac:39:1b:74:51:a9:47:08:d2:af:c1:0c:5b:d3:4c:ed:85:97: - 5a:d6:75:1e:d7:d5:69:50:e3:1e:bd:26:cf:b9:94:1a:fb:74: - 0b:ac:18:48:6b:61:10:6a:4e:89:6e:b5:c6:eb:c3:90:64:ee: - 38:5d:18:17 + 26:c1:ee:ce:fb:7c:3d:bd:15:19:f7:6e:bc:f2:b0:d3:8b:a0: + d0:26:84:83:2c:06:65:50:68:0e:9a:1e:96:9e:2b:64:ae:7a: + 0a:05:e9:78:0a:cc:d5:0d:44:7a:d5:ae:4b:25:0c:a1:5d:a0: + b4:3a:1b:60:6c:6a:e2:30:7e:30:23:2e:eb:74:85:80:84:0f: + e6:cb:89:ee:b8:a9:9d:79:8a:da:dc:13:e1:6d:77:4f:81:7e: + 55:b4:0f:4f:41:6d:02:89:bf:73:95:7c:7f:b2:d8:9b:50:4a: + f8:60:36:11:e2:13:32:1f:e5:0f:3a:7d:0e:42:1e:b0:90:eb: + dd:41:57:0c:52:72:28:31:87:13:cb:39:9a:2f:23:66:9f:ca: + a9:4a:d3:26:30:71:ad:72:e2:83:b7:00:29:92:2c:b9:9f:c9: + a2:85:b2:90:29:c0:10:41:e4:6f:6e:d7:3c:ad:96:06:81:75: + 09:ff:7e:47:ff:3d:93:18:f5:e8:62:44:f9:8a:6c:37:db:5a: + a6:66:78:ae:3a:84:9b:7c:d0:f0:c9:9d:99:ce:8d:4a:9f:ab: + d6:e1:bd:7c:bc:9c:9d:f2:00:c9:17:aa:7d:97:9f:3f:27:9c: + 6c:91:16:a6:8e:39:c8:86:db:0c:14:ea:20:3d:f7:aa:7d:a3: + e2:67:9d:9a + +SEQUENCE { + SEQUENCE { + [0] { + INTEGER { 2 } + } + INTEGER { `4bfcff0cd38dac3d` } + SEQUENCE { + # sha256WithRSAEncryption + OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } + NULL {} + } + SEQUENCE { + SET { + SEQUENCE { + # countryName + OBJECT_IDENTIFIER { 2.5.4.6 } + PrintableString { "US" } + } + } + SET { + SEQUENCE { + # stateOrProvinceName + OBJECT_IDENTIFIER { 2.5.4.8 } + PrintableString { "Arizona" } + } + } + SET { + SEQUENCE { + # localityName + OBJECT_IDENTIFIER { 2.5.4.7 } + PrintableString { "Scottsdale" } + } + } + SET { + SEQUENCE { + # organizationName + OBJECT_IDENTIFIER { 2.5.4.10 } + PrintableString { "GoDaddy.com, Inc." } + } + } + SET { + SEQUENCE { + # organizationUnitName + OBJECT_IDENTIFIER { 2.5.4.11 } + PrintableString { "http://certs.godaddy.com/repository/" } + } + } + SET { + SEQUENCE { + # commonName + OBJECT_IDENTIFIER { 2.5.4.3 } + PrintableString { "Go Daddy Secure Certificate Authority - G2" } + } + } + } + SEQUENCE { + UTCTime { "230725020505Z" } + UTCTime { "240824001422Z" } + } + SEQUENCE { + SET { + SEQUENCE { + # commonName + OBJECT_IDENTIFIER { 2.5.4.3 } + PrintableString { "tntpowerwashservices.com" } + } + } + } + SEQUENCE { + SEQUENCE { + # rsaEncryption + OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 } + NULL {} + } + BIT_STRING { + `00` + SEQUENCE { + INTEGER { `00afa6202ee28ff661ba78bd8cc9b4846a3853334a28e1f69af8be451418ef0c576cae897b8d068958b476212c431fb95de08d4b83ad3d04fbe1bf76f2e91a8042f724656dc990fcfd8e820a0e5e22780968592a4b5810992df85756d992a6587e89c212eac6e24386076f84e2c2cd1e9d4fee625835a213d5bc20cf6965c4742a4db1c27b0385b2fcddc73630c2d65902e87c4126ce6bf07a551f904207532ea1472e5342a6481cd0d2bb9c76bf894b399d69f580a438b3bde7cd410c69d73dc178278805eec7f3879d01e1fd70e4be4d97d32b61f30ad32f63a9ce6122082ea3d6badefe6bdf69ed2f50ddb872c4d66b005ea48b9b58c04332abcc4455d7702f` } + INTEGER { 65537 } + } + } + } + [3] { + SEQUENCE { + SEQUENCE { + # basicConstraints + OBJECT_IDENTIFIER { 2.5.29.19 } + BOOLEAN { TRUE } + OCTET_STRING { + SEQUENCE {} + } + } + SEQUENCE { + # extKeyUsage + OBJECT_IDENTIFIER { 2.5.29.37 } + OCTET_STRING { + SEQUENCE { + # serverAuth + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.1 } + # clientAuth + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.2 } + } + } + } + SEQUENCE { + # keyUsage + OBJECT_IDENTIFIER { 2.5.29.15 } + BOOLEAN { TRUE } + OCTET_STRING { + BIT_STRING { b`101` } + } + } + SEQUENCE { + # cRLDistributionPoints + OBJECT_IDENTIFIER { 2.5.29.31 } + OCTET_STRING { + SEQUENCE { + SEQUENCE { + [0] { + [0] { + [6 PRIMITIVE] { "http://crl.godaddy.com/gdig2s1-7257.crl" } + } + } + } + } + } + } + SEQUENCE { + # certificatePolicies + OBJECT_IDENTIFIER { 2.5.29.32 } + OCTET_STRING { + SEQUENCE { + SEQUENCE { + OBJECT_IDENTIFIER { 2.16.840.1.114413.1.7.23.1 } + SEQUENCE { + SEQUENCE { + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 } + IA5String { "http://certificates.godaddy.com/repository/" } + } + } + } + SEQUENCE { + # domain-validated + OBJECT_IDENTIFIER { 2.23.140.1.2.1 } + } + } + } + } + SEQUENCE { + # authorityInfoAccess + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 } + OCTET_STRING { + SEQUENCE { + SEQUENCE { + # ocsp + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 } + [6 PRIMITIVE] { "http://ocsp.godaddy.com/" } + } + SEQUENCE { + # caIssuers + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 } + [6 PRIMITIVE] { "http://certificates.godaddy.com/repository/gdig2.crt" } + } + } + } + } + SEQUENCE { + # authorityKeyIdentifier + OBJECT_IDENTIFIER { 2.5.29.35 } + OCTET_STRING { + SEQUENCE { + [0 PRIMITIVE] { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` } + } + } + } + SEQUENCE { + # subjectAltName + OBJECT_IDENTIFIER { 2.5.29.17 } + OCTET_STRING { + SEQUENCE { + [2 PRIMITIVE] { "tntpowerwashservices.com" } + [2 PRIMITIVE] { "www.tntpowerwashservices.com" } + } + } + } + SEQUENCE { + # subjectKeyIdentifier + OBJECT_IDENTIFIER { 2.5.29.14 } + OCTET_STRING { + OCTET_STRING { `15be40633cb16a3c2752b11e4306a11c0b09c7c8` } + } + } + SEQUENCE { + # embeddedSCTList + OBJECT_IDENTIFIER { 1.3.6.1.4.1.11129.2.4.2 } + OCTET_STRING { + OCTET_STRING { `0169007600eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b000001898acafe290000040300473045022100b6d52694107c6975d583a64a7f4d87a3863dc6ad4717b7049f830b517e41c50602201e2c1c2f03d11babe2f5a065bcecbe15d205edccac1a4470dc19b687584edfea00760048b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d88473000001898acaff53000004030047304502206f76374956f09d7ff79458c99ed3d6367dbd56f492410b3e970b958453c6682402210087457a45898ec0d944825624c10da3c4fcf8c88e1d71cc0cb56e03408d3c343a007700dab6bf6b3fb5b6229f9bc2bb5c6be87091716cbb51848534bda43d3048d7fbab000001898acaffc20000040300483046022100a11f150a5a5ae7ed6d615f9c130b6670629531c8edd08ab958b190976321c82b022100f967a57988329648cb6cb927760db67c3aaecb654087e3a5a9fa03ca61f3c79d` } + } + } + } + } + } + SEQUENCE { + # sha256WithRSAEncryption + OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } + NULL {} + } + BIT_STRING { `00` `26c1eecefb7c3dbd1519f76ebcf2b0d38ba0d02684832c066550680e9a1e969e2b64ae7a0a05e9780accd50d447ad5ae4b250ca15da0b43a1b606c6ae2307e30232eeb748580840fe6cb89eeb8a99d798adadc13e16d774f817e55b40f4f416d0289bf73957c7fb2d89b504af8603611e213321fe50f3a7d0e421eb090ebdd41570c527228318713cb399a2f23669fcaa94ad3263071ad72e283b70029922cb99fc9a285b29029c01041e46f6ed73cad9606817509ff7e47ff3d9318f5e86244f98a6c37db5aa66678ae3a849b7cd0f0c99d99ce8d4a9fabd6e1bd7cbc9c9df200c917aa7d979f3f279c6c9116a68e39c886db0c14ea203df7aa7da3e2679d9a` } +} -----BEGIN CERTIFICATE----- -MIIGPzCCBSegAwIBAgIQEwAP7mMb38MlAuPgfqY5UDANBgkqhkiG9w0BAQsFADCB -jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G -A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD -Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB -MB4XDTIzMDQxMDAwMDAwMFoXDTI0MDUxMDIzNTk1OVowGzEZMBcGA1UEAxMQaG9y -c2V3ZWF0aGVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVP -fcAaIhymiKCFAT5KVuM+Kvmc+BXOb/dEdABBD9lUzntRcJUMmzWxaLmmdRook0vJ -ZJx+6jDUS3NEYvqXDVsZ9m6jRLHqZ3vGhsYfuBubzrGd9/Fj9GMDawdy+Jz3Yold -FS/r6vgYj1UdM+csdv0+Ghb7QsECOgOC+JKaot7xiwaOzPnKHikcSH7cD8FegZFc -NutBH1UjZ/KzOxBz/PBILJ6OG2YeUjgJC1MQR5Y5R7uBZ8RPM/J0Gci1FgsnHtIO -CcdOxeOoj6oAGjyaGUUJyKp04H6gf+JGjidC1O6AYF3htPwjnctwvtZbiO4VYR31 -S40Cri8ZXCD8F5/8XbkCAwEAAaOCAwgwggMEMB8GA1UdIwQYMBaAFI2MXsRUrYrh -d+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBTeuB+N5Z+3t/e2llbT9C9YMEw2DTAOBgNV -HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI -KwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIB -FhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEB -BHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdv -UlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcw -AYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wMQYDVR0RBCowKIIQaG9yc2V3ZWF0 -aGVyLmNvbYIUd3d3LmhvcnNld2VhdGhlci5jb20wggF+BgorBgEEAdZ5AgQCBIIB -bgSCAWoBaAB1AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdMWjp0AAABh2us -exoAAAQDAEYwRAIgLHIPTKXg3roPUNZ5V7seTFdjCEE+zpIErx2LQ6zT4KkCIHO9 -WoZVdvSE5XHO1DvUL3+ff+nbEIuXC6Xs+7OZA1rfAHYA2ra/az+1tiKfm8K7XGvo -cJFxbLtRhIU0vaQ9MEjX+6sAAAGHa6x7eAAABAMARzBFAiBq/T94bCPuXm1vTGfV -IrCay3gB0iR531ZEQCNOi865EAIhAOcVEYRIBPwszfGITnkxGUvc4LN0Ekk83U7b -5W3ZG7lgAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGHa6x7 -lwAABAMASDBGAiEAr4wnrGZeCKy6GR1az5r1uCimzJ/EmUVZEC6AF7q6sF4CIQDN -TlErxhJzTX4jYRUiywjKGWKBlX4xCLlk95ZxsB7SqDANBgkqhkiG9w0BAQsFAAOC -AQEAO2dORsB/1i9OZGOAIeTqr0YG44NHmYhzJ2yWrl7r0zZgSh20KFd9B99A4odU -0928WuTnm/dyS8dfXVDaxsBqDTbD+f/btdJxhLZmChUxRnk5D7K8wJGP1gOrEH3q -flkWE2w6R1USi8VKHyG8APGhCg7l6LWvOEd4ROmr2QyUoa+hLBhaFQDhTp/FBoiH -QSXnkr+e7maTiE0VrsXYG8RY4Tz9EryORPp0S6M3vX1J+T6Qp70u3D0kXVufRz5s -On0Xq9w7PFPxrDkbdFGpRwjSr8EMW9NM7YWXWtZ1HtfVaVDjHr0mz7mUGvt0C6wY -SGthEGpOiW61xuvDkGTuOF0YFw== +MIIGtDCCBZygAwIBAgIIS/z/DNONrD0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow +GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz +LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 +cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjMwNzI1MDIwNTA1WhcN +MjQwODI0MDAxNDIyWjAjMSEwHwYDVQQDExh0bnRwb3dlcndhc2hzZXJ2aWNlcy5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvpiAu4o/2Ybp4vYzJ +tIRqOFMzSijh9pr4vkUUGO8MV2yuiXuNBolYtHYhLEMfuV3gjUuDrT0E++G/dvLp +GoBC9yRlbcmQ/P2OggoOXiJ4CWhZKktYEJkt+FdW2ZKmWH6JwhLqxuJDhgdvhOLC +zR6dT+5iWDWiE9W8IM9pZcR0Kk2xwnsDhbL83cc2MMLWWQLofEEmzmvwelUfkEIH +Uy6hRy5TQqZIHNDSu5x2v4lLOZ1p9YCkOLO9581BDGnXPcF4J4gF7sfzh50B4f1w +5L5Nl9MrYfMK0y9jqc5hIgguo9a63v5r32ntL1DduHLE1msAXqSLm1jAQzKrzERV +13AvAgMBAAGjggNYMIIDVDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF +BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn +aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTcyNTcuY3JsMF0GA1UdIARW +MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj +YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH +AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI +KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np +dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w +QQYDVR0RBDowOIIYdG50cG93ZXJ3YXNoc2VydmljZXMuY29tghx3d3cudG50cG93 +ZXJ3YXNoc2VydmljZXMuY29tMB0GA1UdDgQWBBQVvkBjPLFqPCdSsR5DBqEcCwnH +yDCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYA7s3QZNXbGs7FXLedtM0TojKH +Rny87N7DUUhZRnEftZsAAAGJisr+KQAABAMARzBFAiEAttUmlBB8aXXVg6ZKf02H +o4Y9xq1HF7cEn4MLUX5BxQYCIB4sHC8D0Rur4vWgZbzsvhXSBe3MrBpEcNwZtodY +Tt/qAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGJisr/UwAA +BAMARzBFAiBvdjdJVvCdf/eUWMme09Y2fb1W9JJBCz6XC5WEU8ZoJAIhAIdFekWJ +jsDZRIJWJMENo8T8+MiOHXHMDLVuA0CNPDQ6AHcA2ra/az+1tiKfm8K7XGvocJFx +bLtRhIU0vaQ9MEjX+6sAAAGJisr/wgAABAMASDBGAiEAoR8VClpa5+1tYV+cEwtm +cGKVMcjt0Iq5WLGQl2MhyCsCIQD5Z6V5iDKWSMtsuSd2DbZ8Oq7LZUCH46Wp+gPK +YfPHnTANBgkqhkiG9w0BAQsFAAOCAQEAJsHuzvt8Pb0VGfduvPKw04ug0CaEgywG +ZVBoDpoelp4rZK56CgXpeArM1Q1EetWuSyUMoV2gtDobYGxq4jB+MCMu63SFgIQP +5suJ7ripnXmK2twT4W13T4F+VbQPT0FtAom/c5V8f7LYm1BK+GA2EeITMh/lDzp9 +DkIesJDr3UFXDFJyKDGHE8s5mi8jZp/KqUrTJjBxrXLig7cAKZIsuZ/JooWykCnA +EEHkb27XPK2WBoF1Cf9+R/89kxj16GJE+YpsN9tapmZ4rjqEm3zQ8Mmdmc6NSp+r +1uG9fLycnfIAyReqfZefPyecbJEWpo45yIbbDBTqID33qn2j4medmg== -----END CERTIFICATE----- =========================================== -Certificate1: 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676 +Certificate1: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6 =========================================== Certificate: Data: Version: 3 (0x2) - Serial Number: - 7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7 - Signature Algorithm: sha384WithRSAEncryption - Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority + Serial Number: 7 (0x7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2 Validity - Not Before: Nov 2 00:00:00 2018 GMT - Not After : Dec 31 23:59:59 2030 GMT - Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA + Not Before: May 3 07:00:00 2011 GMT + Not After : May 3 07:00:00 2031 GMT + Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: - 00:d6:73:33:d6:d7:3c:20:d0:00:d2:17:45:b8:d6: - 3e:07:a2:3f:c7:41:ee:32:30:c9:b0:6c:fd:f4:9f: - cb:12:98:0f:2d:3f:8d:4d:01:0c:82:0f:17:7f:62: - 2e:e9:b8:48:79:fb:16:83:4e:ad:d7:32:25:93:b7: - 07:bf:b9:50:3f:a9:4c:c3:40:2a:e9:39:ff:d9:81: - ca:1f:16:32:41:da:80:26:b9:23:7a:87:20:1e:e3: - ff:20:9a:3c:95:44:6f:87:75:06:90:40:b4:32:93: - 16:09:10:08:23:3e:d2:dd:87:0f:6f:5d:51:14:6a: - 0a:69:c5:4f:01:72:69:cf:d3:93:4c:6d:04:a0:a3: - 1b:82:7e:b1:9a:b9:ed:c5:9e:c5:37:78:9f:9a:08: - 34:fb:56:2e:58:c4:09:0e:06:64:5b:bc:37:dc:f1: - 9f:28:68:a8:56:b0:92:a3:5c:9f:bb:88:98:08:1b: - 24:1d:ab:30:85:ae:af:b0:2e:9e:7a:9d:c1:c0:42: - 1c:e2:02:f0:ea:e0:4a:d2:ef:90:0e:b4:c1:40:16: - f0:6f:85:42:4a:64:f7:a4:30:a0:fe:bf:2e:a3:27: - 5a:8e:8b:58:b8:ad:c3:19:17:84:63:ed:6f:56:fd: - 83:cb:60:34:c4:74:be:e6:9d:db:e1:e4:e5:ca:0c: - 5f:15 + 00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64: + b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf: + 8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b: + 63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc: + 45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57: + c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37: + 96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30: + 38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f: + 38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc: + 71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47: + f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4: + 33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0: + a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e: + f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a: + ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69: + 02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18: + 50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2: + 52:fb Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Authority Key Identifier: - 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB - X509v3 Subject Key Identifier: - 8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1 - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical - CA:TRUE, pathlen:0 - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Certificate Policies: - Policy: X509v3 Any Policy - Policy: 2.23.140.1.2.1 + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE + X509v3 Authority Key Identifier: + 3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE + Authority Information Access: + OCSP - URI:http://ocsp.godaddy.com/ X509v3 CRL Distribution Points: Full Name: - URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl - Authority Information Access: - CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt - OCSP - URI:http://ocsp.usertrust.com - Signature Algorithm: sha384WithRSAEncryption + URI:http://crl.godaddy.com/gdroot-g2.crl + X509v3 Certificate Policies: + Policy: X509v3 Any Policy + CPS: https://certs.godaddy.com/repository/ + Signature Algorithm: sha256WithRSAEncryption Signature Value: - 32:bf:61:bd:0e:48:c3:4f:c7:ba:47:4d:f8:9c:78:19:01:dc: - 13:1d:80:6f:fc:c3:70:b4:52:9a:31:33:9a:57:52:fb:31:9e: - 6b:a4:ef:54:aa:89:8d:40:17:68:f8:11:10:7c:d2:ca:b1:f1: - 55:86:c7:ee:b3:36:91:86:f6:39:51:bf:46:bf:0f:a0:ba:b4: - f7:7e:49:c4:2a:36:17:9e:e4:68:39:7a:af:94:4e:56:6f:b2: - 7b:3b:bf:0a:86:bd:cd:c5:77:1c:03:b8:38:b1:a2:1f:5f:7e: - db:8a:dc:46:48:b6:68:0a:cf:b2:b5:b4:e2:34:e4:67:a9:38: - 66:09:5e:d2:b8:fc:9d:28:3a:17:40:27:c2:72:4e:29:fd:21: - 3c:7c:cf:13:fb:96:2c:c5:31:44:fd:13:ed:d5:9b:a9:69:68: - 77:7c:ee:e1:ff:a4:f9:36:38:08:53:39:a2:84:34:9c:19:f3: - be:0e:ac:d5:24:37:eb:23:a8:78:d0:d3:e7:ef:92:47:64:62: - 39:22:ef:c6:f7:11:be:22:85:c6:66:44:24:26:8e:10:32:8d: - c8:93:ae:07:9e:83:3e:2f:d9:f9:f5:46:8e:63:be:c1:e6:b4: - dc:a6:cd:21:a8:86:0a:95:d9:2e:85:26:1a:fd:fc:b1:b6:57: - 42:6d:95:d1:33:f6:39:14:06:82:41:38:f5:8f:58:dc:80:5b: - a4:d5:7d:95:78:fd:a7:9b:ff:fd:c5:a8:69:ab:26:e7:a7:a4: - 05:87:5b:a9:b7:b8:a3:20:0b:97:a9:45:85:dd:b3:8b:e5:89: - 37:8e:29:0d:fc:06:17:f6:38:40:0e:42:e4:12:06:fb:7b:f3: - c6:11:68:62:df:e3:98:f4:13:d8:15:4f:8b:b1:69:d9:10:60: - bc:64:2a:ea:31:b7:e4:b5:a3:3a:14:9b:26:e3:0b:7b:fd:02: - 8e:b6:99:c1:38:97:59:36:f6:a8:74:a2:86:b6:5e:eb:c6:64: - ea:cf:a0:a3:f9:6e:9e:ba:2d:11:b6:86:98:08:58:2d:c9:ac: - 25:64:f2:5e:75:b4:38:c1:ae:7f:5a:46:83:ea:51:ca:b6:f1: - 99:11:35:6b:a5:6a:7b:c6:00:b0:e7:f8:be:64:b2:ad:c8:c2: - f1:ac:e3:51:ea:a4:93:e0:79:c8:e1:81:40:c9:0a:5b:e1:12: - 3c:c1:60:2a:e3:97:c0:89:42:ca:94:cf:46:98:12:69:bb:98: - d0:c2:d3:0d:72:4b:47:6e:e5:93:c4:32:28:63:87:43:e4:b0: - 32:3e:0a:d3:4b:bf:23:9b:14:29:41:2b:9a:04:1f:93:2d:f1: - c7:39:48:3c:ad:5a:12:7f + 08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef: + 6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f: + db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73: + 31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11: + 56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4: + 2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f: + f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca: + 17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51: + b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c: + ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d: + 5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce: + c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7: + 8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87: + 6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8: + bc:04:30:01 + +SEQUENCE { + SEQUENCE { + [0] { + INTEGER { 2 } + } + INTEGER { 7 } + SEQUENCE { + # sha256WithRSAEncryption + OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } + NULL {} + } + SEQUENCE { + SET { + SEQUENCE { + # countryName + OBJECT_IDENTIFIER { 2.5.4.6 } + PrintableString { "US" } + } + } + SET { + SEQUENCE { + # stateOrProvinceName + OBJECT_IDENTIFIER { 2.5.4.8 } + PrintableString { "Arizona" } + } + } + SET { + SEQUENCE { + # localityName + OBJECT_IDENTIFIER { 2.5.4.7 } + PrintableString { "Scottsdale" } + } + } + SET { + SEQUENCE { + # organizationName + OBJECT_IDENTIFIER { 2.5.4.10 } + PrintableString { "GoDaddy.com, Inc." } + } + } + SET { + SEQUENCE { + # commonName + OBJECT_IDENTIFIER { 2.5.4.3 } + PrintableString { "Go Daddy Root Certificate Authority - G2" } + } + } + } + SEQUENCE { + UTCTime { "110503070000Z" } + UTCTime { "310503070000Z" } + } + SEQUENCE { + SET { + SEQUENCE { + # countryName + OBJECT_IDENTIFIER { 2.5.4.6 } + PrintableString { "US" } + } + } + SET { + SEQUENCE { + # stateOrProvinceName + OBJECT_IDENTIFIER { 2.5.4.8 } + PrintableString { "Arizona" } + } + } + SET { + SEQUENCE { + # localityName + OBJECT_IDENTIFIER { 2.5.4.7 } + PrintableString { "Scottsdale" } + } + } + SET { + SEQUENCE { + # organizationName + OBJECT_IDENTIFIER { 2.5.4.10 } + PrintableString { "GoDaddy.com, Inc." } + } + } + SET { + SEQUENCE { + # organizationUnitName + OBJECT_IDENTIFIER { 2.5.4.11 } + PrintableString { "http://certs.godaddy.com/repository/" } + } + } + SET { + SEQUENCE { + # commonName + OBJECT_IDENTIFIER { 2.5.4.3 } + PrintableString { "Go Daddy Secure Certificate Authority - G2" } + } + } + } + SEQUENCE { + SEQUENCE { + # rsaEncryption + OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 } + NULL {} + } + BIT_STRING { + `00` + SEQUENCE { + INTEGER { `00b9e0cb10d4af76bdd49362eb3064b881086cc304d962178e2fff3e65cf8fce62e63c521cda16454b55ab786b63836290ce0f696c99c81a148b4ccc4533ea88dc9ea3af2bfe80619d7957c4cf2ef43f303c5d47fc9a16bcc3379641518e114b54f828bed08cbef030381ef3b026f86647636dde7126478f384753d1461db4e3dc00ea45acbdbc71d9aa6f00dbdbcd303a794f5f4c47f81def5bc2c49d603bb1b24391d8a4334eeab3d6274fad258aa5c6f4d5d0a6ae7405645788b54455d42d2a3a3ef8b8bde9320a029464c4163a50f14aaee77933af0c20077fe8df0439c269026c6352fa77c11bc87487c8b993185054354b694ebc3bd3492e1fdcc1d252fb` } + INTEGER { 65537 } + } + } + } + [3] { + SEQUENCE { + SEQUENCE { + # basicConstraints + OBJECT_IDENTIFIER { 2.5.29.19 } + BOOLEAN { TRUE } + OCTET_STRING { + SEQUENCE { + BOOLEAN { TRUE } + } + } + } + SEQUENCE { + # keyUsage + OBJECT_IDENTIFIER { 2.5.29.15 } + BOOLEAN { TRUE } + OCTET_STRING { + BIT_STRING { b`0000011` } + } + } + SEQUENCE { + # subjectKeyIdentifier + OBJECT_IDENTIFIER { 2.5.29.14 } + OCTET_STRING { + OCTET_STRING { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` } + } + } + SEQUENCE { + # authorityKeyIdentifier + OBJECT_IDENTIFIER { 2.5.29.35 } + OCTET_STRING { + SEQUENCE { + [0 PRIMITIVE] { `3a9a8507106728b6eff6bd05416e20c194da0fde` } + } + } + } + SEQUENCE { + # authorityInfoAccess + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 } + OCTET_STRING { + SEQUENCE { + SEQUENCE { + # ocsp + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 } + [6 PRIMITIVE] { "http://ocsp.godaddy.com/" } + } + } + } + } + SEQUENCE { + # cRLDistributionPoints + OBJECT_IDENTIFIER { 2.5.29.31 } + OCTET_STRING { + SEQUENCE { + SEQUENCE { + [0] { + [0] { + [6 PRIMITIVE] { "http://crl.godaddy.com/gdroot-g2.crl" } + } + } + } + } + } + } + SEQUENCE { + # certificatePolicies + OBJECT_IDENTIFIER { 2.5.29.32 } + OCTET_STRING { + SEQUENCE { + SEQUENCE { + # anyPolicy + OBJECT_IDENTIFIER { 2.5.29.32.0 } + SEQUENCE { + SEQUENCE { + OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 } + IA5String { "https://certs.godaddy.com/repository/" } + } + } + } + } + } + } + } + } + } + SEQUENCE { + # sha256WithRSAEncryption + OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 } + NULL {} + } + BIT_STRING { `00` `087e6c9310c838b896a9904bffa15f4f04ef6c3e9c8806c9508fa673f757311bbebce42fdbf8bad35be0b4e7e679620e0ca2d76a637331b5f5a848a43b082da25d90d7b47c254f115630c4b6449d7b2c9de55ee6ef0c61aabfe42a1bee849eb8837dc143ce44a713700d911ff4c813ad8360d9d872a873241eb5ac220eca17896258441bab892501000fcdc41b62db51b4d30f512a9bf4bc73fc76ce36a4cdd9d82ceaae9bf52ab290d14d75188a3f8a4190237d5b4bfea403589b46b2c3606083f87d5041cec2a190c3bbef022fd21554ee4415d90aaea78a33edb12d763626dc04eb9ff7611f15dc876fee469628ada1267d0a09a72e04a38dbcf8bc043001` } +} -----BEGIN CERTIFICATE----- -MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB -iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl -cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV -BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx -MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV -BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE -ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g -VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N -TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj -eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E -oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk -Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY -uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j -BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb -+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G -A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw -CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0 -LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr -BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv -bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov -L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H -ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH -7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi -H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx -RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv -xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38 -sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL -l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq -6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY -LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5 -yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K -00u/I5sUKUErmgQfky3xxzlIPK1aEn8= +MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx +EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT +EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3 +MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH +EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE +CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD +EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD +BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv +K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e +cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY +pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n +eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB +AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV +HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv +9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v +b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n +b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG +CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv +MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz +91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2 +RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi +DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11 +GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x +LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB -----END CERTIFICATE----- diff --git a/pki/testdata/ssl/certificates/rsa-1024-1.key b/pki/testdata/ssl/certificates/rsa-1024-1.key new file mode 100644 index 000000000..5355480d8 --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-1024-1.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICeQIBADANBgkqhkiG9w0BAQEFAASCAmMwggJfAgEAAoGBAL7mb78RnGZpGth3 +z5ilQTmz77Cc6YOqZPulE83+Vnjy39YzK0csTluvbWqVMUHtYGsRF8h+gYvywt8l +zITocpE0UyeXlzsoOI8h7SgUCrYPAl9l6VydsUQ3F14uJ4LWaQcz/R601LhYrvQc +XgpDr4U1rp108EAFG01BVFFiInCVAgMBAAECgYEAtGnxuCC7r+mrTmNE1d1wHEma +wE47Po0d7NlhMzAopxvaQYSQZS5RS8MqZC1lpQnjMqyvznMImauvUddWR1GrWz6T +jU7YJiq/NJZ26qzACKCJWj9UG37fzC3L7JDMz4Yz3K/iISH7iDLIrh4JWw8A6xQL ++cq8/u4ZhjtODbxYHu0CQQDuPMkrqPolGpy6mo18jP8QuNooZmpZ5z5C72GtqqRz +AMcfIOtluBBcFef7iZoKa+YcEldjpdiCK0I3qy86G9JLAkEAzSIg3A8qta3o/U2d +TwUq5BMGUotHmG/A1MwEK5GnRHj3L0nu/HpE3tjrKrkMC4i+zVTYBop90XFBPdy6 +d+v8nwJBAM6Qdf0dLoctY+eISlVMC3x8SuvsoRoCnsF6vb7OznfInN4otPIlfknZ +1KMM1DtlAsgkPxFvoyJ6T5flHbXMmbECQQCaKR/QwYUzbDNAyeeCzztgk/uYZRu1 +L6cXRQuNQrUV/GKno0R7cdf4McTqIo8uy+G4ph6DK+lKUXbaatun7C25AkEAsr/A +yOyChfU16iQMa45LhT9FoplbNbDvczJ3EUUsf8i1I/8FG/GM4AaUMUshdwCf7hdh +ZBHFE6S2PIUV9iZVbA== +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-1024-2.key b/pki/testdata/ssl/certificates/rsa-1024-2.key new file mode 100644 index 000000000..14feba295 --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-1024-2.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM3oM+IGvDDamzE+ +5cZRkeoH8PBYH5HSChJOcRepGpPMxsOjR3aomPCi0eI3cR4IOqaakpxDJswp+ioA +H4hEMDMoVZijvpXEto0QAy/2O7K7QzhQ1ylFNM8k6WD4xfM8W6PlrlxFHjH47QDq +k/njjASgxTfj6zHCwauQG4FYTmZNAgMBAAECgYBuds82yDQ35V9yuPKeRW6JZj89 +QZmWKl+a2JhVgDQw7KAJntQc9XAvULpWqTW3TeThMnXK/T+YMkDyPWStPx+3q9PR +AQS65Bz8BltepO5sdy2QWGnOss97fLG5DJgTHrAZYDKLxJah9hDOf5Tjq4d9GYka +D6cOgWErS3wv+ERZhQJBAOuVmTnEywk0TIGjIOWud+Yv2TUIc3IqBZnyF1RN8y1y +NFVGwpCb8aKLRawfDta/kNkQVOkYZCtZRdYb1NHqBJMCQQDfwDel33a3OnVdQNoB +GbfEJYqmgY7JCzFfH9EVzqB45x6yYvwAHStp1r5dYmwMUSIVs5B8SFA4bUN6cAMr +BJWfAkEA4xGOXuAP0w9Vrp5NVxSS/IuiEDvVCnT2cSum0NtRSLyLNKa/YiLtBH64 +6O4Gn3aFZrMXJJUd96pUZcrtlma5gQJAaUR0qdxNbPza1Km7JwNjequy5I1VkO5s +JvXAF8Njqh4KSiDZsHAIyb2XSDYS4WSWZaFaW65l13ZIZeUnCGkavwJAMn0mC5e4 +idlSe3QqaOa3haxAXquQkImH6pSI4jRPzTJxPd8BlShlZeVC4IyCwfz/o6Azce+W +w+5b/8VIMO2s9g== +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-1024-3.key b/pki/testdata/ssl/certificates/rsa-1024-3.key new file mode 100644 index 000000000..4a8af8f25 --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-1024-3.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMqUxHtJfHQ6709j +T1yMqY/JH/dg0Kl3DaddDScaVRiv2X+0mhxkFu4/rWEYslj1aSS8CgcdVxSdHsI0 +dXEsumoRFJl/EmfBAwQkukgpkjuE5uUORuxt2vzT1zGPutX0UlMiLINdZ1AB45D6 +c78SBTiIoXai7FZ+SayOf/3MQsYpAgMBAAECgYB7nbITpTD7X+cd43TO/cqOQeVu +t7Y8YriDMyXOgaQBr3SiF9uejXjsoxCyWjaiUAZ78v6PftjfbE0Tpp0vlWKeNo0q +iJ0rjbxf04bIpU7+Q+/I4hkXngu7WvmXS8ZjmamEvT1a9XN8bZ1QD+lglYAkZKj5 +iwlVpZfYokj+4sMIgQJBAOnkLBrmlaXhh3KbzLcKPMtmOlm8y2PuSziJN7JTdkb7 +gwaQAa1+5ToOEjAS64qP+BRp9uLTnPuVnbyd27nDElkCQQDduu9KbS2o9IazrVeR +FMqAitIWb9v/k98IfOc7/LKeyA7oVCzqAsq0nlYM4unGYSiIdlJLLnQCtbVABB4D +6rhRAkEApM49cbsWqWsQCObVSgixq9Tdusu4OTL4196AW2xKBFxHCAHC3OB0XwL5 +N9ytEda+RIwiBdR8Yh4bpoNJB0z4CQJBAI9yo+LztUmMQSU3LOK4n7X/maFYZuz3 +HqDgJb0iY/Djnvlhk9klSz0E/sjBeNqV+uImImFvQTCLnCI5R63jCbECQQDpeDiP +DcKOL773vayJixOvvSqruHGvM87KMkpW2zsLbxrlN2gKyf3iMkQX1Kat945qPD98 +kpnDpyVRVRxIc6Sg +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-2048-1.key b/pki/testdata/ssl/certificates/rsa-2048-1.key new file mode 100644 index 000000000..384bf6850 --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-2048-1.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvBAyWDWogcaoH +kjhp9fmm7OognM/SNfIuEKMiqmFLz4GsiNa1I4By8kPqcI8u0KRBvX0F/DDfBvDy +8nm7gbfMliILkPTKlDqAKY51kV1qBkSQhhiQ7Tl3KXjB4tbdjJemv9TrXfwfr+k4 +9dP8oYLmVmyYRWMGybW7tA6MJewLYeAIBZpbcz0okrKD7izMEi7eCWvQ9O6PdVMG +atBfUbGrZ0oX0XzsJQgI6iJNq88WQCbfybQLDvXleneem8NHVYO8fCmgVzgsiVw5 +fgaeYWBfCVOGUHsoVwxTDThAfoIGHX1ldQ+3YP+pyph43h5e9jWHHwAjg45SFqkI +XRTu4I/HAgMBAAECggEASmt63J10qLocdl63TVtSXqg0QEzd1AGrauoZLGbtu3pP +pimDvv+LIZWhyoE1aU8/4VJtZMuhjlyZvXzcxZ45pS2b6XYomTGhlJjXImf/JFPo ++NmEfa/Z9TE1z6AhBJFBdR7yL2lGCcVX8ygZDb4x9rb+M1uh6aOA+wFsBC0l64pt +YNGaOtgR1DCqn6mtxFcUOMt6gWEbgu2gwieo4qSGPmGOwNxhEbMWPL+0CPemW+li +K+fB2RrYpGdSD8kyWHWqZTUT7SegcT2mO3F+eNwwy69srb/R/MAUfbYXbQhTrPuI +vavor2vT7++Ha2Z7FV+715Jsn2f8OkW0UyFzb7PQsQKBgQDUG5H0XR34wqAfNgaZ +lzJqDeh6Tg0v991t4imNd/yFBJEa4PyonM9m9ka9o13ySPyIuUyqvUDm0/geVH1g +dn7o3rTVCKbfeCeDWaU00elMjtCezeDUlnsTgcHpLEpb/5uxJhAL2/KcMlOvHzGv +ima5zj2tB0dvUfkCtzLthb/etwKBgQDTO4hNrTcNQBTg/XUG2TSERo6WslVOZjJ5 +70AlE9PYgqmoNUONg8XxGwj8n7lx+AY2BB0kfM9ANVc+BNjI2fqFLba2DYDGMpsq +XrxR2SiRe8UCjftFgHSElIx/mGplgAbElGrSd+pkONwnxtE3E0JD/+y+/dKQeg9z +iVraymnHcQKBgQC8/9gdU3/qcpo1VXGqGGTuxXfay4PKs2WWjUkTatATQw99UO8x +25CfoWFFh7Wlt812kw6ysTKMvGJBvG1/r/bDz/Z4QV5Yj/s9enrQRx9IfZV9e9wT +8ga3Sg8ck7+qnGgCAPWZa6KR9fJFgFlInt2MQS8J6AuKMRPejJmPtndSnwKBgFPP +dCZ1yrkMKvyWNB+ygL7XC+5I9cX0kKSGxCmx80UdmtktwQ7eMOSYOHmbmkXZBgXa +ngGDL+wm/eWSoL0Yl+jNmYgkVWrOW3h1PD0xb4JB3IpF8WPDMvgDxLc/rz90i7rl +tHirsalwUhHKNeqnToySd8nUBf7jH0xVPGJBG7VRAoGBAIty6nRYERJkdWgzrrU+ +TmSxTAFi4hqc/RXMa7kda40SBp3339+/KxaNCQ5YUJjDI/cggEc/Tnm2MjkheH5W +nBC1iP1A1g9wlk6Ak/RQIq8FRiQFdVwGU2Xa+dRQAyEj8Xq2KudmKkj1M630/kSg +3qCwc3kKPf2N5fjAtHUwLLHP +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-2048-2.key b/pki/testdata/ssl/certificates/rsa-2048-2.key new file mode 100644 index 000000000..3336ce7d0 --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-2048-2.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCncOKXlHiC4cH7 +YiXsOMc3Vh3OBN26dK/c9tiVG7zQU9EbXbUWz9NNI8+wUDwyBtrR54zH+5R9+cj/ +9QOPd2Vsv3wfaSIaR3qfsag/TK2rooYAis11F17lUHx02KZlZodagEuLCMgdlyIL +F0RTW4+Nt9ZklEFMXHYxZW2odDiimaUl0tJ3//jGNEBQwHSS7BbA88vKBknjRP4d +0lFZGJPM7VyEkYElp4qcTBvn4VY89lbgUdVcZjaMOtoUnK6DUZN7GAsWr222y7kc +BEH5fFOWB2PrgKY//tb41fujm16u2r4jjHngZ8FSs5md3A7z1CP4ChpNF33k9z6s +AzWb+GNhAgMBAAECggEAFFJdDeyVG71un6Xv2FWjyBGJmIF6r7CNz5GeA6rUJaym +il27JsOeb5RTFqEGTUQLtsIVkgf0o713KamA/x6MjsBGvkEyRGI8fblAJD6YLWaS +QOqXuQhXGhnEoSHSQChLcS50/LDaKM048oOmZT+NkrOnL5nWuv/V0HTw9Cr23LT6 +wMuefBrN9cr8ZMmlOMNvJaoTKbCxr6bg4bKjfGr40QX05GnLXaOhg74wWPWMCFZQ +CfyFhCJvBcXk9Xifb2pMTk9GezfSd28JKy3XKjd2bUTD8KGStgnKvIB7FXVqaQb/ +QOTE0USkYn3l6g53fXWdgk9i87ZRHmMarTv4K8wvaQKBgQDbe6v0CS6ui5A4bliC +z8EoZVmxxT+vgOf56ZOE65lGcPHOtTMDDL2u8MxqyjnWc7dXrw8FvfpurIe/TEU9 +Y5kCj9NUA08940RKX/5u5RDaW9X2cGVlv7yJSDbA1JxpUjSzc98VFWQJrFkhHBfI +3eLdVLp+dHBBpGCgZuVQD2ymGwKBgQDDTJwspscuh9q9SWWgcyJv5ke+4MwosgkP +g8IC2dFFHr3j3GoFnVrrVP6w8zzezNb2ba+9xGaohNgHjmwC203ZcdDCUxem3t/L +GUM4+dCUC87nB/bGd772pu1jbZZ9bRUBvgf4x1zhlShQNnD+UL2/p/stzWl6SE47 +Yva2416kMwKBgCBZ7lKeN99KewuWWD2P2ezWY44sgOKhoY/YugHRqFoVs87ALrC4 +ZA0xOTBUdooBrHikORajlhJSJAAygdI2qAsUoBW2FywMH7jGxX4bDYziFHuqvYdt +56BkoI1zyUpM76+z2KIG8SPr34dd2LOm4RW2s3aIOzOxwvxhrlNKsr0ZAoGBALTH +4LUweKYo2aFoJKueiB0fBAC75CAzlVGIPHoZGK8r4sjfCkFCRJwcpFo1/n2bDc01 +AX3fJMwPlE2CV5dZW7nRslV/RyCPpIdDTkeab6nrOE4BwDw9MkbthEcKdUiLRevD +9WsjWGX0hUmi63tuUAbuPwNJ5r5r2gb897WZyMyjAoGAYcNgSL1udQE7pEqrAl0t +ffTbbTJQ487sZm3qhFNXtuitC3h6eXpJecsWRoB/Jnhi4cpSjWgYJzjV4rkZSF79 +es031jtdnPf6G94ZzjTKnkr4z34reDQusukuuD1SSsbURBGVacgZxkq0UaRAROfT +BTPraf9GfA9BnUEIFdjeKwI= +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-2048-3.key b/pki/testdata/ssl/certificates/rsa-2048-3.key new file mode 100644 index 000000000..9a6f4993c --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-2048-3.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDW8jowfwvUgEye +CyzXw4rrlw1+liz+s9nWucRN5t8dia9L9dQhT0aBg7mUKOQ7L1wcRwzPMVoyFF3G +KsJw829iMm65P4fy+L9/C1XFfJ9x4rMeya9bHZuKxr29Ieia9KFAaWtASSngF6Uc +zwvGJ4AZQzUIiE6Ku/ZpGBjki9k36LsufQIeOaEaoHlSPS1K6pMh9Br40xQ+FkB4 +OwFt7zNQygiSJt6NHvET4ib2i+0lZXRa32yl/dEJyf3aWT3iMxm4wLslLOI7Bud+ +y04bVYi6hw+JFUFmFCLkrMW/iZ69S3lUPoUO9xz8fuCR64KjwjSR4FFawZ7ZQUKf +OUOu3dcXAgMBAAECggEAMss1AwbSxdm3wVVEuIwmBPxCHRrh8SKRJNPrVrlrGjDS +MvIZufFg6PQ245MyM+ZCLxB/L2srNFBpxI2QO17bgGoIjlA8ESfFIQGNuEh16VS4 +HVtty+tYOVgzuEEOFagffvgqdxuTALi1tPQchSwKcm3WV3jWjqRSW41tPHzrzPEM +gNw6mlLIUxgaxJ31SytDPfLcCxhjyY1cLOseAtD37x8HZVw52cojmjn0Uy2+TeLu +6e34KqWzTcO8U7w4mBu6KyQYS5Q2GxR4eMfrja2nmQEJjjtL/MjPCr1RavzRmeO8 +j2w0GbTZaM2otzI21VbNpM+OmX3OkGmKiPNIm0HVKQKBgQDufzscdRfcJSng9Wb/ +kB1mr+AYZubzhHIVgN50UWnzqiLsVBWRGT6+y49z7dN3+4aGHXKjmV0Ceimi/6uC +nNsZ1kfJrHWXmTbTslQlBxOwyMuBsolWBSZdaqoX3dhDNu7EbUPgWqWjrv412EhH +UIH/mpmu8TgyA/SPT7BiHjuDcwKBgQDmuIkAYWseZ5iEWXPX2rH1XTtvKAHuzjf7 +yPk5QX+ZeTZiPZPzvn4I6x4kMjnpn5wrVkm5QMQVK2NKpaQwMtdkQcevVybXVJ/u +0SMRHgXiesF6pG4YgREEJjbHdwmRgAaLffOPVSOvEGPc8ha1tEE7ZwgpKfjnCStC +2VkmWpcczQKBgQDsn3MIUuxvULfyJ8ge+t8QyKIv07iEFv4Rc6BCC5xxUnX/v5T+ +NuvX5KLZRDaxLe5UFddtlXWARbAVtlB18CY5xi3HW8H3vN12v9FYQ2M33KB8d6Rm +oglkWbWUpFgyp8fRPw8/AvCgK7ivt3xOtQOlk7+yoEU+6kmz/j5jutcVHQKBgQDP ++ocdPbP3C4GzxIMlkHGc8fcyo0jiwSg8IxVuJHnmmhqJAmNNdGlelrtr+46y53s6 +oaUBhr17K8psrtZL0HjTWmyrxY8wyosFF6dZtcuuNeQVLwZDtozlRaFZuxd3/oVn +1xjoGuJ42/h5Yg1QrHWlG6KCoOBLO7uwnga8CStw/QKBgQDSzUAJaak3XFAfdou3 +GxWLQJcOXB/WxrZA7gq6K2aWvkY80AOPMGLhVFXA8k1fLI7jn2f9x7Ff6PNrzclf +mvvN6g6YH0vH9k+W6aHBnen8oGjW3XU4MHn7dPxfxPJ/MDT3toVAvD+6QnKFdd7o +xCDad5+lKr6f0yyPije/ZDkSSA== +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-768-1.key b/pki/testdata/ssl/certificates/rsa-768-1.key new file mode 100644 index 000000000..2ccd98723 --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-768-1.key @@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEAn8Be4Q88Bif6duPK +vG+iyt96BFtCTUgjuNEwhcWoeSO6BeZPeu1VRqOHI7/GE4jHO6iVRCnhw9DJg5eb ++p6zX1IWytyhke/psWBl3RNGXOvLucVWUJctS5pgKN1FNsILAgMBAAECYQCDjRaU +nsb/CszmOo8ovYWBKqaAD+Z5XX6NIzah8jLaDuGRGic5Q1eF5APVHIcwbuDU2Fyv +NIJqf768Gx/lUzmAlcGjF9hIRh5vrE4zfeCa2wSUjWNZPmqdTzjkM3r0NYECMQDM +1ORCXgP/DYHQbCTRFvNA/jYaIXRjUs+HXefXe27jJD32W3Mf+lyIcBV/mR7lRkUC +MQDHqJMkx3TiRsP2cYmG8citPrEjEA0TwPg181Kvi3N6aE5QzNHHLvl2nVJi7VPl +VA8CMQCayYKY2J0if52K2D5WN4appbFSu9dNO4YSYJdT0jYwtfGRGvh7wOFuRW0p +mJetYRUCMQCN9fiZoBAli3duVRAaGPQ86mR8r778mqphgd763kZ/dIaqwNcvruDF +S9r2aBTM7FUCMD46f/dAx2EfxsAfn3lYQWVpuxFQpK+tIqYzjeKsu/zRaqEkcog5 +BOq06OV3qPYsVA== +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-768-2.key b/pki/testdata/ssl/certificates/rsa-768-2.key new file mode 100644 index 000000000..6c834c4ee --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-768-2.key @@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5wIBADANBgkqhkiG9w0BAQEFAASCAdEwggHNAgEAAmEA4SDrD2C751/n+lHQ +UBn5YynSU9hrO9ttTcnvMgqiL0gv2lAsx0N9QM0dg8rHsQodUYZotUQ0qbzCxzEw +pRVTHcEYHSnjaO7OfsqpGke+66jK0VhsQBkGbU2RznY3at3fAgMBAAECYQCRzs4v +QYmxy03ltENk/c2lyhptL4gUVoOulBEVqgls8iX8EV1PGYjwBWkOSLGZGmC3u4KI +le1z9L9iZxO5GGO0SJ/bLW/pGofgHCikBjLmhhyLuV0oFsY6te/q21fWu2ECMQD0 +nbX+qhNgXYsZ96cb71ZfD80yGtu7dCVEYL/iC30P3BEztLabEIdVwmoUyBFfCDkC +MQDrmwnyqGx431YH3uyBrlwbJhRvAFfwACMy+6sY54BZdaPni9hHcQoKrAiQOe92 +ptcCMQDcS5AUefybQ4M7bpIbkU7aq7NjVVbgGbhaPTtximElwE3pn+z390m6TS0V +7Bvg1tkCMQCDkPdUJ1MziFvtV0IxBKHwkyoz9jglEJ6XWMxpwtT8n+HgakpjUq9t +2DWL/J5JXs8CMQDsP+WjN9GzsQtuUMXEUxc1wgMVRFwvQ55hmXfeWaT2bgX+jpAn ++SreMT1bErrH2M8= +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-768-3.key b/pki/testdata/ssl/certificates/rsa-768-3.key new file mode 100644 index 000000000..fcf0680cc --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-768-3.key @@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEAtngFrnpogJ4DAPMt +Jvxxl3vSNFdnNMlpRGlHpPqhtOHTzYzXvRvSmSGzpYhvzVCFujjTvtszd86yehxr ++081ZtQbhHGhPKnudoPfqfYGUB6djJX4+I1pm2cWTOIXiGL7AgMBAAECYE7lbId5 +tA/Qwrm5a8+Mnc0DI+uv0xc280Y6Q1kpaZwdfQhGms3Q5umBcfzkFntvEfgMJstC +KDWgH5Vo6v7oR/Hk8D0NzOyFNfEU10g72EG47PF2qFMlCZ3dTV5U3lPtOQIxAOfC +NB/LuHFiMA5LeFlfbV0Fyj4Kr+lqtGdwClmX3+KgfTUj9RcEMs+34z+UpYXt3wIx +AMmN/LkrZpwktp/iZuaKDvkA5foN660LguOt87/NdIN4l2hn8auEhwmh0Vno5gu2 +ZQIwf6kWFT2eh7ZSSk2AKZrLHyaFVM+GPsksPp4U1W03QhqtXYxFATyq0Ii2gNtc +of15AjEAvCh2HnM61lebuYTE5UFLGv/QsfBe7GvLpDsXSx5FQBrK1ef7f1A4NDDB +XLsETzjVAjAegTa8Fk65Qc3YODZhIcDRbJ195DLUaw7ETgpT0utLPH7Kkn1GNyZf +wzlUtrz3r58= +-----END PRIVATE KEY----- diff --git a/pki/testdata/ssl/certificates/rsa-8200-1.key b/pki/testdata/ssl/certificates/rsa-8200-1.key new file mode 100644 index 000000000..74cf0d9fa --- /dev/null +++ b/pki/testdata/ssl/certificates/rsa-8200-1.key @@ -0,0 +1,100 @@ +-----BEGIN PRIVATE KEY----- +MIISRQIBADANBgkqhkiG9w0BAQEFAASCEi8wghIrAgEAAoIEAgCryOGbBSSQ/E53 +duYJ8JpWms7zJk8+FpvZGW8CwGH2Qjs9UQmqMhGKTNySND6Gfk+tAGxd8zWGayyJ +rVhi5Sigr3+lPieGLt3TLke8LKysm0sSJU+xUUdZUTRjE3eff9Qb2NmgJ0uQIYic +jSUDznRiOpblzEhX4Rw1Kiw+fkqqsnXRg1+gonL9EmWl28zoeQFvcGRyknZCDpyR +K4Z667TuPoLk6F8S1IxyIEQPZciFbUnUTABbZTHQWZ33y7HmB3vc/P98PFilXsXH +41h4AdxzN/5pTI7flRP/bu+4NiVHE/rM1h+ag29R1McxzxoOi9ToYgVRenjSSkgs +/kjOELvBtIyivHNCwJjRrSXZi9fpZjgGTCqOg2mebU3qWDe0zL97jt9wGG612oFu +pqCBFnBSn6L/dc03K9Ckx9xuRYv3upc4xOMQnOXKLb9/k/TPpTmSQEk1qhEGOoKw +NC769IiTo69IxhJbB67gBVQzgJ5CVHfEzFid2SM1g59N3gNezjPb3y44ESlPJSfm +I/S9Yg/divrE7F4BvFGDP5TIaN3sYZf0IEN6140bz3gNhCP5vD64xFt+Mn3sUfWo +pAmUpKWY7u7YCn2B3XWg65jHelgzC+itLKHRMt0nSlKCLmIKS/UC/PnmRdNIekBh +46tS29d3vC9cbeTpeZwneOEP789KO0yqeckGmZyktw6VvF7bFKDyrFQONeYz85No ++dw3L54jnv4BV0bTwuv3CoU6MQI+DSfqaGxv5kmVxMDlLGpGJsezarUyrTseJBSE +DxungNAGktEawqkyk7ZRWdAUSZlgX/qanVenJ3pwrWWagqkyW5BKmzh+EhnGXnoM +t23+a2FjyoQRKYFhKL8pJ1QLBYJMNvqK+j2tUWHzgwwYV5YlOdDYz+U3+mQH7xOC +d0Egg61ci0RmRBRTwLqHWvKhMpOD6JEFhuCEALSe6b73faNkaTvUFV6y7SDkkAea +fLpBFosHCtGoC5ZwklD9rCKKxcdjJJESMi5RutOMYzA4Y9dayUBN7k1LVx0dw8ei +ZbWBvETGT3qIbMI9hjvRnJ3x35KyoKbvFXDtbKCQ58HbfO5kk4BAEoFhete+UsFO +KgMQoKue4Ps9sPNWVWwg7ZxrTKsHMje3dpklMNHdqtgHt69eio88z7zX4ZQPUEN6 +PVUPosX0qWtW/sHVet0iDt0BANKD9T8/iwrns9HbPd2d/LwAOyU0kywdNkplCFOP +vNHaeSjbrIQq5/SEszLSmbh1kaNOimVBFwjie5Ju5q+4n2FahMtKkEqBajj1f4eT +dR8hs4evuZaKkzs6jGvQyuI28lBfkz3M9cfumHAShfXoihZcwrb53CBmjN+UBe8l +LaV0kGIknQIDAQABAoIEAR7kr337fMn+NfZSEaiz9m2gxZsAxrt5wWlXo5kxE+z/ +mDu8uSo8et8OV5SLhLsXOCj6rIJw3K1h1M6luAGBCL9tEF2dQeplv0rdRdVXi243 +N1b6Eszmuxga/Hrc42Rxzql7ZBfjOTmgbjsJPyDiHhgURVLqXBBB0ZrWDMLoX3E3 +Suz03Vu8G0Xb6x/a2YztRg7OfaIFKPNUQV/yHes5PH6kC1IzX/W499EGcHb8bQVh +1Cczy9Sj7EN1+my32zRtIB9r+F5VU/PZiWQbRKvAWe72oPA67m7TFpeXUdElG6se +srnnwCM/g+OJipEwl5UKHK32AtLWXagj57r/uAQnCj0ZxTj2/xuAG3uJ0ga/mYLF ++UlYpUaf53ywV5TPbKU9NSp5VUGJg099Dk3h9XeBm42gW+XpP5CudoVL1B6Yr0VL +7yosblFshf7IH2pIJ3y4UBQ3L3NRNGKUXzBlEhXbqDw08a76wA5S4WY0TyI7/Toc +irV/smggxq43D40nYh/IoZbnGh7HJ1Cuc/B1guwUGJpVBigoAff58AbUhmNMSKzc +GEG1E62h2iSoOQTlQLsG2ZjM509YsUCwtKcxaO+sdIN+ZMHBkTSrqR3ZgM5O+FGl +0KBkKG3A4fjQ6umygbssUdHJwP9ii067fZydHxB1rNhBpZrPwJ0kW6rVmFQPYo4M ++1ENsX0AIz8hLx+10G602hcWu8MVgqO+E1Yoo5n6eNxCbKootZwSRQSwcUXgE9m0 +Q1NHKHsK+pvjR/QyvoEr7SRmcox4PHcYID7EMfPMu2UtsIdRKi4NkIvmzE9a52s1 +MPoanT+t9a4Zte4nQ+htFFFQFt10ue8Vqm16wPJ97gnpEM8keQhVYrttIKDVr2vs +QEcHJ/PgDeIihy44AbPTQKUYzZ4YEMAkDgoVsBq3Ktk8DTjxOZrZw7xq9xJPS9N3 +5oLaTcUX2670SZUpRAg4/wArQncuE2pfsYP+beaGnUATiYRd8GoDSYtPOSa7BcyN +Eexo8tB5Kzmvgcypk5N5jefLaVdUdczroIlSDlUcdAQb35Yvnd7F3HLWXJtUIPbh +LZTJwJWooQVJLDt2lzrg/HQnD+UaYNI1Z8/oMaZ+zUBvQ8gBzArO3SRGfRI7lzvk +wcJM4LqBO0pIO67NzhVCyhJn7Ua3P++W9d7LULb5fqy/O64W2J2o2Xd9hZEdA47A +6JidJ2yNsv0p3AUgtVebEhBRQs6bPX4/siYif3xgT1ZZb8fTtQBYWsW8LS4Itdf9 +WaJuUlfI7xdHpQnMVd5qiEjrDk02/x4JI4DmveO/pLyQAJ3qQpvGxXUZ70ecfSAk +ASn2OADu76TclVlQ4hvZ5913jxx8PWHFykK3w7N82xGZAoICAQ4FzISY+EaKydn8 +jOfOirjfct+0x0PYeDZ3XFEq1CcW7nHARMxlGBe9IwEgoAn/RtLmHtSrscPLpN+8 +mXS8ucPZwxIrbg2tCTZ2FktxAHldz3Fr7aGGeT4F7jE3e0gwYgU1h+CIMyDZZY/H +j/hANx1a+mAkDr7jafEuOe6nOfnWSuCaTPbyYcyGQ4pIe2Z5A0A6MFATT2Z2YOC6 +tW98BNtw9ucOFNo9ZNakB8ZZ4WOG4vpFSSoSO3xJ2STn5HwuO+j2UF0ptmt5H6Pc +LzYnbbengq5H0dsnyw/sKbTO4jzXfORjxPhwpvrwNlNvs9hmLB6IKzfiN1PXKITS +updr+Ts72zD1I95dF3F0TsefncBSY9qq8D0Nq08zF4yYanxPLOmqjc1iCoSWyx95 +RjNTiAoTWqmXvbtd4Z6OBU3M2m5QQYLu1mGcfKveRvW6KdueBhZwXEcY7Vb+pU3q +1J+Omh4wCQiyuuwsGu6QXmfkcVBOhLDoKxzAQJlch1l3zJdAQoul3iCYnptz6weR +47Ceg4cdP50KLvgboq4N1VJgI7ivMB9gfP+J/J7JogjUigoQNOLqb/X7Zwmv5ZIX +ZaKIB39HtKFvo1b/zpZagnx4y1K39pUFY8Nm3v0xZNU+keT3FCjOk44L+sXhdu5F +tbA81qb+7kBhZn9LMfz9sDTIUXq3OwKCAgEMQCGtq+7q0Scml0Ds5ORrymYX/zhh +xrkc/jbEHefvq50cCE7Sxmvm+NdFDz3JEpenWR4zPR0+39j8lNCWUK6azUhvqSK/ +HYLLI2EDeUyeCQyULoNT4qva6wnJNuufjaNsOOmwwuBAIgurFKYaTEMD+m+1hYG9 +Pe4drKMm3e3Xdg9IlJdKmY7MY+chxeCuiPfGO/MAm0Rz8pcKo1/cd308HuDL+CnE +LAFDYc7fa7oaj8i698m6QGeadltIPoggOTntoto659SK8ZLWOHsD3E2YC4Iq6dtQ +U8p8qWqn2kdWbLPnRhy5BXFcxeVFAbJOvgFMlSw1cCpoOySczBDlSpRjZV3ZP0R3 +gCG6Hjh5N8S+N7aLtQQvurMa/9qz6e1p54LCkXqevDp52wwM2DnjC05J+FaevvWW +FjIaE8SU+Que77xakQYu7Vk1T2MoTimDAjduqtSTIvDb4uX1WNjgkX66AWUCzbEt +Gp67cMYh0DjwaLgos6t9XdRp5964m4YPewhAcpVppFV45MOKcBWD99d3nYgOGYs1 +D8+4wXHpEJoU7r0pdz0buljZ1+bPmOiViShWmQgxIrKOCpOMuLKQJl2zJyVam8MN +dy8xYm3RZF3hCNyROeHp8lEt5dSOpw82LchW2f5ErVYatYzJu/opdu9ToczNuvdU +/U0liMxSEBr3RgcCggIBBHQzEarEsSNEGcjtuHMR/MZ8ZjG1WQdYp3QiDmXcHM5b +ziWTtJgnnuKkS6dhLcu3YyVUhZhDTj1QkQAGfd2z41E3dH325sEfO/0l97Bcxi/V +w+DUCYn82IZpsZg9wCAeAimOjvKzyqtCZvir8d3zo49SF1dcl6UD8WcNX5AeCgzW +m6Bm8cjq51t9+F4tU878CVpyHf0EKzdObhLfrhlmMY0f3yPJ28fET6iqD4Zc4I/n +aDa5lnNUEZYjMmW1XPwSa1xRCkZFer1uH03AcSL05nB+QXzuWv24scYBOTy8/zYy +pRhLZ93gK7RAjR/dr85EFS6LC6T+jdK5O/by7UWOVBIe/N3gFrDa0V5v51f7cyq4 +LKw+wiWlU/KWeEGxEOrVCSLzB1ksnhCHU+fhNExD2W9sTJG14d1f3EyfwqZeestj +A4N49GgP8UcYotQOl4MJy/bEWJDCUe9v8d+0yTkyGoSHWgvq8zjPFRcl5TnaA/fs +jYQwrWEjI5MQKoqyoRf4CwMUGqZfOmEHNdBQ0biHblML8YVahdPBSCd8qj1/GxoJ +3u12xnO9mXHR1ZwsfCXJpolwJmFDyP/lmxFzZrxuJS9RYDVlXCzEIV1+NKrpacyk +tZCQr2/tQ958eH73OBKChLOYinWjoVaLwALEQsYQJ9qxMiG9vJDVv9WUMi+uMZwh +AoICAQeazA1OfPrBqWcYX9Ju6KlNNIFTCsIPpZws5vxpgDBUvSvIsH3BdPwlnySc +qIMoioH1HX07Q+ti9AUfsDiPj0RDiOLgANTY0feeV7vbUceM4IUgNqAdRweX/jQt +ZqleOIOW9OKopqLJP6sNH2uVycgvb6ckYHyEdEtxfrpC7EFjZWtt6lkB6BZTMgjS +GH7gQceKMXg/6od7oW2WK4zllBV9KZkUzYCcvJACqHQjIJ0agsYlydFX57iIHnRD +dSdjvuUYwhXtEhDKk5dt6ldkK7rl8gEHuQAtc7ZdSPs30i8BPdCkwnHMwimQI5np +yrF827uZop7tqTWY+Upol1hvKpxlMZQJ5Uu1e7pYxj/hcb2PQj+JuDaU1Fg/WZlz +7tBeSdrUimT9feNlKh7TH2QlAY2Dnuneqv9neeScPt0nmKIqOieSfV8mMcmZJXnA +w54zAwws+db4ysIFITFj3QXS6/M1qGnMHF9edgjvod8drir3JtMFbcBePd0cdjLt +QJRdkKrJNp0kyXZJtGU83O5WLShw3yO5kaP307/iPf8rMisqZLzX61RKIpvgncRj +LIafZS4Uw3QVEPiB8kRZ52b6mhH7jAGqTbQPN3mVm4xvnKN0Z8+zOd2Lcf9m+8Mu +S5AbbZEUs/YYECp2ZxZYHZwd28Vz3HodxSm6MGjLeeK7YrH7gwKCAgBm0zD2DvKK +EfDQOk2DpnScdNkuYlRD7WADQfgKg6GheSWIvAi9Dh/Ks3ZIcVAcpQgWQoMlhTie +ZudfSjWxfFwlTAYKfF1kUnlrOACz04ZqsFMzx7Ks1HkvG1KEBTenAetcDPcL1b79 +U01tql7T6NIkxwtOR/nr1CvxgJa2wuuLYiUIAyIQYY0c18FkyFii1nJuneGb/Zvf +ctf+S5O+GuSOc+LjDSGIa8RZf5ScxRmKGj6OSrYRGrM7ZoS/psvGQSOJeITN5SNJ +umAA89mfpz8V87HHn520Vo7G9vmm5pQr27Nu1RBQJBXgrhC5fWXBXk/zmnyqskDM +Bcb1h3nppB6dr5263iy+HHMxS/L0m6kCUfxfj6A4d1/fTGbv1tRCtlR9Rq4EJxWr +8n49pbluSvL5XZoJJH2PGjjxNurSpnXVRFFOjpvl73wE/X/bH/Gs8AMtIrpnBRmM +viaX/AOym3DFU2RTgNIt8zmNtqq/NhAuQmYEhodODXtnzzquh4Z4EZmhfzq/do5e +nGTfN4hN7a9ODtP9Gt+w2CBCnE+7OnWo6Asj+wK0H59c2wfSD68d5n+V7U+BHHkN +E8uwIjFNZ+n3LRdH/iY7w4ujgIdZRcQuOMf00a3950mcJM0hz278FuDIipbMFCxG +qrLjqBtCTH9vu/Df2F0JNICD6Ro21WM/YQ== +-----END PRIVATE KEY----- diff --git a/pki/verify_name_match_fuzzer.cc b/pki/verify_name_match_fuzzer.cc index d76abc6a6..5b2b1599e 100644 --- a/pki/verify_name_match_fuzzer.cc +++ b/pki/verify_name_match_fuzzer.cc @@ -6,6 +6,7 @@ #include #include +#include #include @@ -24,11 +25,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { std::vector second_part = fuzzed_data.ConsumeRemainingBytes(); - bssl::der::Input in1(first_part.data(), first_part.size()); - bssl::der::Input in2(second_part.data(), second_part.size()); + bssl::der::Input in1(first_part); + bssl::der::Input in2(second_part); bool match = net::VerifyNameMatch(in1, in2); bool reverse_order_match = net::VerifyNameMatch(in2, in1); // Result should be the same regardless of argument order. - CHECK_EQ(match, reverse_order_match); + if (match != reverse_order_match) { + abort(); + } return 0; } diff --git a/pki/verify_name_match_normalizename_fuzzer.cc b/pki/verify_name_match_normalizename_fuzzer.cc index 96f4608fb..0bf31bb07 100644 --- a/pki/verify_name_match_normalizename_fuzzer.cc +++ b/pki/verify_name_match_normalizename_fuzzer.cc @@ -18,9 +18,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // produce the same output again. std::string renormalized_der; bool renormalize_success = net::NormalizeName( - bssl::der::Input(&normalized_der), &renormalized_der, &errors); - CHECK(renormalize_success); - CHECK_EQ(normalized_der, renormalized_der); + bssl::der::Input(normalized_der), &renormalized_der, &errors); + if (!renormalize_success) { + abort(); + } + if (normalized_der != renormalized_der) { + abort(); + } } return 0; } diff --git a/pki/verify_name_match_unittest.cc b/pki/verify_name_match_unittest.cc index 7bdacb2b2..4e5725065 100644 --- a/pki/verify_name_match_unittest.cc +++ b/pki/verify_name_match_unittest.cc @@ -71,20 +71,20 @@ class VerifyNameMatchSimpleTest TEST_P(VerifyNameMatchSimpleTest, ExactEquality) { std::string der; ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix(), &der)); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der), - SequenceValueFromString(&der))); + EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der), + SequenceValueFromString(der))); std::string der_extra_attr; ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr", &der_extra_attr)); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr), - SequenceValueFromString(&der_extra_attr))); + EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_attr), + SequenceValueFromString(der_extra_attr))); std::string der_extra_rdn; ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn", &der_extra_rdn)); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn), - SequenceValueFromString(&der_extra_rdn))); + EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn), + SequenceValueFromString(der_extra_rdn))); } // Ensure that a Name does not match another Name which is exactly the same but @@ -95,10 +95,10 @@ TEST_P(VerifyNameMatchSimpleTest, ExtraAttrDoesNotMatch) { std::string der_extra_attr; ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr", &der_extra_attr)); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der), - SequenceValueFromString(&der_extra_attr))); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr), - SequenceValueFromString(&der))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der), + SequenceValueFromString(der_extra_attr))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr), + SequenceValueFromString(der))); } // Ensure that a Name does not match another Name which has the same number of @@ -111,13 +111,13 @@ TEST_P(VerifyNameMatchSimpleTest, DupeAttrDoesNotMatch) { std::string der_extra_attr; ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr", &der_extra_attr)); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr), - SequenceValueFromString(&der_extra_attr))); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr), - SequenceValueFromString(&der_dupe_attr))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr), + SequenceValueFromString(der_extra_attr))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr), + SequenceValueFromString(der_dupe_attr))); // However, the name with a dupe attribute should match itself. - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr), - SequenceValueFromString(&der_dupe_attr))); + EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr), + SequenceValueFromString(der_dupe_attr))); } // Ensure that a Name does not match another Name which is exactly the same but @@ -128,10 +128,10 @@ TEST_P(VerifyNameMatchSimpleTest, ExtraRdnDoesNotMatch) { std::string der_extra_rdn; ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn", &der_extra_rdn)); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der), - SequenceValueFromString(&der_extra_rdn))); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn), - SequenceValueFromString(&der))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der), + SequenceValueFromString(der_extra_rdn))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn), + SequenceValueFromString(der))); } // Runs VerifyNameMatchSimpleTest for all combinations of value_type and and @@ -156,11 +156,11 @@ TEST_P(VerifyNameMatchNormalizationTest, CaseInsensitivity) { std::string case_swap; ASSERT_TRUE(LoadTestData("ascii", value_type(), "case_swap", &case_swap)); EXPECT_EQ(expected_result(), - VerifyNameMatch(SequenceValueFromString(&normal), - SequenceValueFromString(&case_swap))); + VerifyNameMatch(SequenceValueFromString(normal), + SequenceValueFromString(case_swap))); EXPECT_EQ(expected_result(), - VerifyNameMatch(SequenceValueFromString(&case_swap), - SequenceValueFromString(&normal))); + VerifyNameMatch(SequenceValueFromString(case_swap), + SequenceValueFromString(normal))); } // Verify matching folds whitespace (for the types which currently support @@ -172,11 +172,11 @@ TEST_P(VerifyNameMatchNormalizationTest, CollapseWhitespace) { ASSERT_TRUE( LoadTestData("ascii", value_type(), "extra_whitespace", &whitespace)); EXPECT_EQ(expected_result(), - VerifyNameMatch(SequenceValueFromString(&normal), - SequenceValueFromString(&whitespace))); + VerifyNameMatch(SequenceValueFromString(normal), + SequenceValueFromString(whitespace))); EXPECT_EQ(expected_result(), - VerifyNameMatch(SequenceValueFromString(&whitespace), - SequenceValueFromString(&normal))); + VerifyNameMatch(SequenceValueFromString(whitespace), + SequenceValueFromString(normal))); } // Runs VerifyNameMatchNormalizationTest for each (expected_result, value_type) @@ -207,11 +207,11 @@ TEST_P(VerifyNameMatchDifferingTypesTest, NormalizableTypesAreEqual) { std::string der_2; ASSERT_TRUE(LoadTestData("ascii", value_type_2(), "unmangled", &der_2)); if (TypesAreComparable(value_type_1(), value_type_2())) { - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1), - SequenceValueFromString(&der_2))); + EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1), + SequenceValueFromString(der_2))); } else { - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_1), - SequenceValueFromString(&der_2))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_1), + SequenceValueFromString(der_2))); } } @@ -234,37 +234,37 @@ TEST_P(VerifyNameMatchDifferingTypesTest, NormalizableTypesInSubtrees) { &der_2_extra_attr)); if (TypesAreComparable(value_type_1(), value_type_2())) { - EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1), - SequenceValueFromString(&der_2))); - EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2), - SequenceValueFromString(&der_1))); - EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn), - SequenceValueFromString(&der_2))); - EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn), - SequenceValueFromString(&der_1))); + EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1), + SequenceValueFromString(der_2))); + EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2), + SequenceValueFromString(der_1))); + EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn), + SequenceValueFromString(der_2))); + EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn), + SequenceValueFromString(der_1))); } else { - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1), - SequenceValueFromString(&der_2))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2), - SequenceValueFromString(&der_1))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn), - SequenceValueFromString(&der_2))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn), - SequenceValueFromString(&der_1))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1), + SequenceValueFromString(der_2))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2), + SequenceValueFromString(der_1))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn), + SequenceValueFromString(der_2))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn), + SequenceValueFromString(der_1))); } - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1), - SequenceValueFromString(&der_2_extra_rdn))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2), - SequenceValueFromString(&der_1_extra_rdn))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_attr), - SequenceValueFromString(&der_2))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_attr), - SequenceValueFromString(&der_1))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1), - SequenceValueFromString(&der_2_extra_attr))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2), - SequenceValueFromString(&der_1_extra_attr))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1), + SequenceValueFromString(der_2_extra_rdn))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2), + SequenceValueFromString(der_1_extra_rdn))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_attr), + SequenceValueFromString(der_2))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_attr), + SequenceValueFromString(der_1))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1), + SequenceValueFromString(der_2_extra_attr))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2), + SequenceValueFromString(der_1_extra_attr))); } // Runs VerifyNameMatchDifferingTypesTest for all combinations of value types in @@ -293,8 +293,8 @@ TEST_P(VerifyNameMatchUnicodeConversionTest, UnicodeConversionsAreEqual) { ASSERT_TRUE(LoadTestData(prefix(), value_type_1(), "unmangled", &der_1)); std::string der_2; ASSERT_TRUE(LoadTestData(prefix(), value_type_2(), "unmangled", &der_2)); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1), - SequenceValueFromString(&der_2))); + EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1), + SequenceValueFromString(der_2))); } // Runs VerifyNameMatchUnicodeConversionTest with prefix="unicode_bmp" for all @@ -351,12 +351,12 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidPrintableStringChars) { } der.replace(replace_location, 1, 1, c); // Verification should fail due to the invalid character. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der), - SequenceValueFromString(&der))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der), + SequenceValueFromString(der))); std::string normalized_der; CertErrors errors; EXPECT_FALSE( - NormalizeName(SequenceValueFromString(&der), &normalized_der, &errors)); + NormalizeName(SequenceValueFromString(der), &normalized_der, &errors)); } } @@ -371,11 +371,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidIA5StringChars) { SCOPED_TRACE(c); der.replace(replace_location, 1, 1, c); bool expected_result = (c <= 127); - EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(&der), - SequenceValueFromString(&der))); + EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(der), + SequenceValueFromString(der))); std::string normalized_der; CertErrors errors; - EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(&der), + EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(der), &normalized_der, &errors)); } } @@ -386,11 +386,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueExtraData) { LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid)); // Verification should fail due to extra element in AttributeTypeAndValue // sequence. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -400,11 +400,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueShort) { &invalid)); // Verification should fail due to AttributeTypeAndValue sequence having only // one element. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -413,11 +413,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueEmpty) { ASSERT_TRUE( LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid)); // Verification should fail due to empty AttributeTypeAndValue sequence. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -426,11 +426,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnBadAttributeType) { ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue", "badAttributeType", &invalid)); // Verification should fail due to Attribute Type not being an OID. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -440,11 +440,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnAttributeTypeAndValueNotSequence) { &invalid)); // Verification should fail due to AttributeTypeAndValue being a Set instead // of a Sequence. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -452,11 +452,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnRdnNotSet) { std::string invalid; ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid)); // Verification should fail due to RDN being a Sequence instead of a Set. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -464,11 +464,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnEmptyRdn) { std::string invalid; ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid)); // Verification should fail due to RDN having zero AttributeTypeAndValues. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -484,11 +484,11 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnBmpStringSurrogates) { std::string invalid = normal.replace(replace_location, 4, std::string("\xd8\x35\xdc\x00", 4)); // Verification should fail due to the invalid codepoints. - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); std::string normalized_der; CertErrors errors; - EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der, + EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der, &errors)); } @@ -496,23 +496,23 @@ TEST(VerifyNameMatchTest, EmptyNameMatching) { std::string empty; ASSERT_TRUE(LoadTestData("valid", "Name", "empty", &empty)); // Empty names are equal. - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&empty), - SequenceValueFromString(&empty))); + EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(empty), + SequenceValueFromString(empty))); // An empty name normalized is unchanged. std::string normalized_empty_der; CertErrors errors; - EXPECT_TRUE(NormalizeName(SequenceValueFromString(&empty), + EXPECT_TRUE(NormalizeName(SequenceValueFromString(empty), &normalized_empty_der, &errors)); - EXPECT_EQ(SequenceValueFromString(&empty), der::Input(&normalized_empty_der)); + EXPECT_EQ(SequenceValueFromString(empty), der::Input(normalized_empty_der)); // An empty name is not equal to non-empty name. std::string non_empty; ASSERT_TRUE( LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty)); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&empty), - SequenceValueFromString(&non_empty))); - EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&non_empty), - SequenceValueFromString(&empty))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(empty), + SequenceValueFromString(non_empty))); + EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(non_empty), + SequenceValueFromString(empty))); } // Matching should succeed when the RDNs are sorted differently but are still @@ -522,10 +522,10 @@ TEST(VerifyNameMatchRDNSorting, Simple) { ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_1", &a)); std::string b; ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_2", &b)); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a), - SequenceValueFromString(&b))); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b), - SequenceValueFromString(&a))); + EXPECT_TRUE( + VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b))); + EXPECT_TRUE( + VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a))); } // Matching should succeed when the RDNs are sorted differently but are still @@ -536,10 +536,10 @@ TEST(VerifyNameMatchRDNSorting, DuplicateTypes) { ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_1", &a)); std::string b; ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_2", &b)); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a), - SequenceValueFromString(&b))); - EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b), - SequenceValueFromString(&a))); + EXPECT_TRUE( + VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b))); + EXPECT_TRUE( + VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a))); } TEST(VerifyNameInSubtreeInvalidDataTest, FailOnEmptyRdn) { @@ -549,12 +549,12 @@ TEST(VerifyNameInSubtreeInvalidDataTest, FailOnEmptyRdn) { ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid)); // For both |name| and |parent|, a RelativeDistinguishedName must have at // least one AttributeTypeAndValue. - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&valid), - SequenceValueFromString(&invalid))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid), - SequenceValueFromString(&valid))); - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid), - SequenceValueFromString(&invalid))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(valid), + SequenceValueFromString(invalid))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid), + SequenceValueFromString(valid))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid), + SequenceValueFromString(invalid))); } TEST(VerifyNameInSubtreeTest, EmptyNameMatching) { @@ -564,14 +564,14 @@ TEST(VerifyNameInSubtreeTest, EmptyNameMatching) { ASSERT_TRUE( LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty)); // Empty name is in the subtree defined by empty name. - EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&empty), - SequenceValueFromString(&empty))); + EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(empty), + SequenceValueFromString(empty))); // Any non-empty name is in the subtree defined by empty name. - EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&non_empty), - SequenceValueFromString(&empty))); + EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(non_empty), + SequenceValueFromString(empty))); // Empty name is not in the subtree defined by non-empty name. - EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&empty), - SequenceValueFromString(&non_empty))); + EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(empty), + SequenceValueFromString(non_empty))); } // Verify that the normalized output matches the pre-generated expected value @@ -587,14 +587,14 @@ TEST(NameNormalizationTest, TestEverything) { ASSERT_TRUE(LoadTestData("unicode", "mixed", "unnormalized", &raw_der)); std::string normalized_der; CertErrors errors; - ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der, + ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der, &errors)); - EXPECT_EQ(SequenceValueFromString(&expected_normalized_der), - der::Input(&normalized_der)); + EXPECT_EQ(SequenceValueFromString(expected_normalized_der), + der::Input(normalized_der)); // Re-normalizing an already normalized Name should not change it. std::string renormalized_der; ASSERT_TRUE( - NormalizeName(der::Input(&normalized_der), &renormalized_der, &errors)); + NormalizeName(der::Input(normalized_der), &renormalized_der, &errors)); EXPECT_EQ(normalized_der, renormalized_der); } @@ -605,9 +605,9 @@ TEST(NameNormalizationTest, NormalizeCustom) { std::string normalized_der; CertErrors errors; - ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der, + ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der, &errors)); - EXPECT_EQ(SequenceValueFromString(&raw_der), der::Input(&normalized_der)); + EXPECT_EQ(SequenceValueFromString(raw_der), der::Input(normalized_der)); } } // namespace net diff --git a/pki/verify_name_match_verifynameinsubtree_fuzzer.cc b/pki/verify_name_match_verifynameinsubtree_fuzzer.cc index 94cc3bf8d..bfc70d331 100644 --- a/pki/verify_name_match_verifynameinsubtree_fuzzer.cc +++ b/pki/verify_name_match_verifynameinsubtree_fuzzer.cc @@ -24,12 +24,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { std::vector second_part = fuzzed_data.ConsumeRemainingBytes(); - bssl::der::Input in1(first_part.data(), first_part.size()); - bssl::der::Input in2(second_part.data(), second_part.size()); + bssl::der::Input in1(first_part); + bssl::der::Input in2(second_part); bool match = net::VerifyNameInSubtree(in1, in2); bool reverse_order_match = net::VerifyNameInSubtree(in2, in1); // If both InSubtree matches are true, then in1 == in2 (modulo normalization). - if (match && reverse_order_match) - CHECK(net::VerifyNameMatch(in1, in2)); + if (match && reverse_order_match) { + if (!net::VerifyNameMatch(in1, in2)) { + abort(); + } + } return 0; } diff --git a/pki/verify_signed_data_unittest.cc b/pki/verify_signed_data_unittest.cc index 3dd5702ac..6ab08789f 100644 --- a/pki/verify_signed_data_unittest.cc +++ b/pki/verify_signed_data_unittest.cc @@ -55,10 +55,10 @@ void RunTestCase(VerifyResult expected_result, ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings)); std::optional signature_algorithm = - ParseSignatureAlgorithm(der::Input(&algorithm)); + ParseSignatureAlgorithm(der::Input(algorithm)); ASSERT_TRUE(signature_algorithm); - der::Parser signature_value_parser((der::Input(&signature_value))); + der::Parser signature_value_parser((der::Input(signature_value))); std::optional signature_value_bit_string = signature_value_parser.ReadBitString(); ASSERT_TRUE(signature_value_bit_string.has_value()) @@ -66,9 +66,9 @@ void RunTestCase(VerifyResult expected_result, bool expected_result_bool = expected_result == SUCCESS; - bool result = VerifySignedData(*signature_algorithm, der::Input(&signed_data), + bool result = VerifySignedData(*signature_algorithm, der::Input(signed_data), signature_value_bit_string.value(), - der::Input(&public_key), cache); + der::Input(public_key), cache); EXPECT_EQ(expected_result_bool, result); } From 4b040e562e950b168d49c1a1dd453cf460ab81c9 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Fri, 11 Aug 2023 15:02:00 -0400 Subject: [PATCH 13/19] Document and test DH_generate_key's weird key reuse behavior If the DH object already has a private key, DH_generate_key is actually a function to compute the corresponding public key. This is very weird, but as we don't really care about DH, just document and test it. Change-Id: Idbddfd06839450a198fdf8a34bf2f53b0250c400 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62225 Reviewed-by: Adam Langley Auto-Submit: David Benjamin Commit-Queue: Adam Langley --- crypto/dh_extra/dh_test.cc | 29 +++++++++++++++++++++++++++++ include/openssl/dh.h | 4 +++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/crypto/dh_extra/dh_test.cc b/crypto/dh_extra/dh_test.cc index 8d2c5871e..f27c8f01f 100644 --- a/crypto/dh_extra/dh_test.cc +++ b/crypto/dh_extra/dh_test.cc @@ -427,3 +427,32 @@ TEST(DHTest, Overwrite) { ASSERT_GT(DH_compute_key_padded(buf2.data(), peer_key.get(), key2.get()), 0); EXPECT_EQ(Bytes(buf1), Bytes(buf2)); } + +TEST(DHTest, GenerateKeyTwice) { + bssl::UniquePtr p(BN_get_rfc3526_prime_2048(nullptr)); + ASSERT_TRUE(p); + bssl::UniquePtr g(BN_new()); + ASSERT_TRUE(g); + ASSERT_TRUE(BN_set_word(g.get(), 2)); + bssl::UniquePtr key1(DH_new()); + ASSERT_TRUE(key1); + ASSERT_TRUE(DH_set0_pqg(key1.get(), p.get(), /*q=*/nullptr, g.get())); + p.release(); + g.release(); + ASSERT_TRUE(DH_generate_key(key1.get())); + + // Copy the parameters and private key to a new DH object. + bssl::UniquePtr key2(DHparams_dup(key1.get())); + ASSERT_TRUE(key2); + bssl::UniquePtr priv_key(BN_dup(DH_get0_priv_key(key1.get()))); + ASSERT_TRUE(DH_set0_key(key2.get(), /*pub_key=*/NULL, priv_key.get())); + priv_key.release(); + + // This time, calling |DH_generate_key| preserves the old key and recomputes + // the public key. + ASSERT_TRUE(DH_generate_key(key2.get())); + EXPECT_EQ(BN_cmp(DH_get0_priv_key(key1.get()), DH_get0_priv_key(key2.get())), + 0); + EXPECT_EQ(BN_cmp(DH_get0_pub_key(key1.get()), DH_get0_pub_key(key2.get())), + 0); +} diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 660627db7..b83fb5ee1 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -193,7 +193,9 @@ OPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits, // Diffie-Hellman operations. // DH_generate_key generates a new, random, private key and stores it in -// |dh|. It returns one on success and zero on error. +// |dh|, if |dh| does not already have a private key. Otherwise, it updates +// |dh|'s public key to match the private key. It returns one on success and +// zero on error. OPENSSL_EXPORT int DH_generate_key(DH *dh); // DH_compute_key_padded calculates the shared key between |dh| and |peers_key| From 18b1b8b1c4567190fe4a37262fdfba57aa446dc7 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Mon, 14 Aug 2023 14:32:58 -0600 Subject: [PATCH 14/19] use instead of Change-Id: I05a3b0cb7ffaee90ed85d2cf795feded8fbad1df Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62305 Reviewed-by: David Benjamin Commit-Queue: David Benjamin Auto-Submit: Bob Beck --- crypto/rand_extra/getentropy_test.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/rand_extra/getentropy_test.cc b/crypto/rand_extra/getentropy_test.cc index d6919139a..7f0c43ac7 100644 --- a/crypto/rand_extra/getentropy_test.cc +++ b/crypto/rand_extra/getentropy_test.cc @@ -24,7 +24,7 @@ #include -#include +#include #if defined(OPENSSL_MACOS) || defined(OPENSSL_FUCHSIA) #include From d85444e741b73a77fe4359cd3db189482d4f4806 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 27 Jul 2023 13:54:29 -0700 Subject: [PATCH 15/19] Consistently reject large p and large q in DH When applications use Diffie-Hellman incorrectly, and use attacker-supplied domain parameters, rather than known-valid ones (as required by SP 800-56A, 5.5.2), algorithms that aren't designed with attacker-supplied parameters in mind become attack surfaces. CVE-2023-3446 and CVE-2023-3817 in OpenSSL cover problems with the DH_check function given large p and large q. This CL adds some fast validity checks to the DH parameters before running any operation. This differs from upstream in a few ways: - Upstream only addressed issues with DH_check. We also check in DH_generate_key and DH_check_pub_key. - For a more consistent invariant, reuse the existing DH modulus limit. Ideally we'd enforce these invariants on DH creation, but this is not possible due to OpenSSL's API. We additionally check some other cheap invariants. This does not impact TLS, or any applications that used Diffie-Hellman correctly, with trusted, well-known domain parameters. Ultimately, that this comes up at all is a flaw in how DH was specified. This is analogous to the issues with ECC with arbitrary groups and DSA, which led to https://github.com/openssl/openssl/issues/20268 CVE-2022-0778, CVE-2020-0601, and likely others. Cryptographic primitives should be limited to a small set of named, well-known domain parameters. Update-Note: Egregiously large or invalid DH p, q, or g values will be more consistently rejected in DH operations. This does not impact TLS. Applications should switch to modern primitives such as X25519 or ECDH with P-256. Change-Id: I666fe0b9f8b71632f6cf8064c8ea0251e5c286bb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62226 Reviewed-by: Adam Langley Commit-Queue: David Benjamin --- crypto/dh_extra/dh_asn1.c | 4 ++ crypto/dh_extra/dh_test.cc | 121 ++++++++++++++++++++++++-------- crypto/dh_extra/params.c | 5 ++ crypto/err/dh.errordata | 1 + crypto/fipsmodule/dh/check.c | 45 +++++++++--- crypto/fipsmodule/dh/dh.c | 14 ++-- crypto/fipsmodule/dh/internal.h | 7 ++ include/openssl/dh.h | 1 + 8 files changed, 153 insertions(+), 45 deletions(-) diff --git a/crypto/dh_extra/dh_asn1.c b/crypto/dh_extra/dh_asn1.c index de01077d7..4e2e2c44f 100644 --- a/crypto/dh_extra/dh_asn1.c +++ b/crypto/dh_extra/dh_asn1.c @@ -110,6 +110,10 @@ DH *DH_parse_parameters(CBS *cbs) { goto err; } + if (!dh_check_params_fast(ret)) { + goto err; + } + return ret; err: diff --git a/crypto/dh_extra/dh_test.cc b/crypto/dh_extra/dh_test.cc index f27c8f01f..881f72dde 100644 --- a/crypto/dh_extra/dh_test.cc +++ b/crypto/dh_extra/dh_test.cc @@ -71,7 +71,6 @@ #include #include "../fipsmodule/dh/internal.h" -#include "../internal.h" #include "../test/test_util.h" @@ -195,15 +194,35 @@ static const uint8_t kRFC5114_2048_224BadY[] = { 0x93, 0x74, 0x89, 0x59, }; -TEST(DHTest, BadY) { +static bssl::UniquePtr NewDHGroup(const BIGNUM *p, const BIGNUM *q, + const BIGNUM *g) { + bssl::UniquePtr p_copy(BN_dup(p)); + bssl::UniquePtr q_copy(q != nullptr ? BN_dup(q) : nullptr); + bssl::UniquePtr g_copy(BN_dup(g)); bssl::UniquePtr dh(DH_new()); + if (p_copy == nullptr || (q != nullptr && q_copy == nullptr) || + g_copy == nullptr || dh == nullptr || + !DH_set0_pqg(dh.get(), p_copy.get(), q_copy.get(), g_copy.get())) { + return nullptr; + } + p_copy.release(); + q_copy.release(); + g_copy.release(); + return dh; +} + +TEST(DHTest, BadY) { + bssl::UniquePtr p( + BN_bin2bn(kRFC5114_2048_224P, sizeof(kRFC5114_2048_224P), nullptr)); + bssl::UniquePtr q( + BN_bin2bn(kRFC5114_2048_224Q, sizeof(kRFC5114_2048_224Q), nullptr)); + bssl::UniquePtr g( + BN_bin2bn(kRFC5114_2048_224G, sizeof(kRFC5114_2048_224G), nullptr)); + ASSERT_TRUE(p); + ASSERT_TRUE(q); + ASSERT_TRUE(g); + bssl::UniquePtr dh = NewDHGroup(p.get(), q.get(), g.get()); ASSERT_TRUE(dh); - dh->p = BN_bin2bn(kRFC5114_2048_224P, sizeof(kRFC5114_2048_224P), nullptr); - dh->g = BN_bin2bn(kRFC5114_2048_224G, sizeof(kRFC5114_2048_224G), nullptr); - dh->q = BN_bin2bn(kRFC5114_2048_224Q, sizeof(kRFC5114_2048_224Q), nullptr); - ASSERT_TRUE(dh->p); - ASSERT_TRUE(dh->g); - ASSERT_TRUE(dh->q); bssl::UniquePtr pub_key( BN_bin2bn(kRFC5114_2048_224BadY, sizeof(kRFC5114_2048_224BadY), nullptr)); @@ -336,11 +355,8 @@ TEST(DHTest, LeadingZeros) { ASSERT_TRUE(g); ASSERT_TRUE(BN_set_word(g.get(), 2)); - bssl::UniquePtr dh(DH_new()); + bssl::UniquePtr dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); ASSERT_TRUE(dh); - ASSERT_TRUE(DH_set0_pqg(dh.get(), p.get(), /*q=*/nullptr, g.get())); - p.release(); - g.release(); // These values are far too small to be reasonable Diffie-Hellman keys, but // they are an easy way to get a shared secret with leading zeros. @@ -375,11 +391,8 @@ TEST(DHTest, Overwrite) { ASSERT_TRUE(g); ASSERT_TRUE(BN_set_word(g.get(), 2)); - bssl::UniquePtr key1(DH_new()); + bssl::UniquePtr key1 = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); ASSERT_TRUE(key1); - ASSERT_TRUE(DH_set0_pqg(key1.get(), p.get(), /*q=*/nullptr, g.get())); - p.release(); - g.release(); ASSERT_TRUE(DH_generate_key(key1.get())); bssl::UniquePtr peer_key(BN_new()); @@ -393,15 +406,8 @@ TEST(DHTest, Overwrite) { // Generate a different key with a different group. p.reset(BN_get_rfc3526_prime_2048(nullptr)); ASSERT_TRUE(p); - g.reset(BN_new()); - ASSERT_TRUE(g); - ASSERT_TRUE(BN_set_word(g.get(), 2)); - - bssl::UniquePtr key2(DH_new()); + bssl::UniquePtr key2 = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); ASSERT_TRUE(key2); - ASSERT_TRUE(DH_set0_pqg(key2.get(), p.get(), /*q=*/nullptr, g.get())); - p.release(); - g.release(); ASSERT_TRUE(DH_generate_key(key2.get())); // Overwrite |key1|'s contents with |key2|. @@ -434,11 +440,8 @@ TEST(DHTest, GenerateKeyTwice) { bssl::UniquePtr g(BN_new()); ASSERT_TRUE(g); ASSERT_TRUE(BN_set_word(g.get(), 2)); - bssl::UniquePtr key1(DH_new()); + bssl::UniquePtr key1 = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); ASSERT_TRUE(key1); - ASSERT_TRUE(DH_set0_pqg(key1.get(), p.get(), /*q=*/nullptr, g.get())); - p.release(); - g.release(); ASSERT_TRUE(DH_generate_key(key1.get())); // Copy the parameters and private key to a new DH object. @@ -456,3 +459,65 @@ TEST(DHTest, GenerateKeyTwice) { EXPECT_EQ(BN_cmp(DH_get0_pub_key(key1.get()), DH_get0_pub_key(key2.get())), 0); } + +// Bad parameters should be rejected, rather than cause a DoS risk in the +// event that an application uses Diffie-Hellman incorrectly, with untrusted +// domain parameters. +TEST(DHTest, InvalidParameters) { + auto check_invalid_group = [](DH *dh) { + // All operations on egregiously invalid groups should fail. + EXPECT_FALSE(DH_generate_key(dh)); + int check_result; + EXPECT_FALSE(DH_check(dh, &check_result)); + bssl::UniquePtr pub_key(BN_new()); + ASSERT_TRUE(pub_key); + ASSERT_TRUE(BN_set_u64(pub_key.get(), 42)); + EXPECT_FALSE(DH_check_pub_key(dh, pub_key.get(), &check_result)); + uint8_t buf[1024]; + EXPECT_EQ(DH_compute_key(buf, pub_key.get(), dh), -1); + EXPECT_EQ(DH_compute_key_padded(buf, pub_key.get(), dh), -1); + }; + + bssl::UniquePtr p(BN_get_rfc3526_prime_2048(nullptr)); + ASSERT_TRUE(p); + bssl::UniquePtr g(BN_new()); + ASSERT_TRUE(g); + ASSERT_TRUE(BN_set_word(g.get(), 2)); + + // p is negative. + BN_set_negative(p.get(), 1); + bssl::UniquePtr dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + BN_set_negative(p.get(), 0); + check_invalid_group(dh.get()); + + // g is negative. + BN_set_negative(g.get(), 1); + dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + BN_set_negative(g.get(), 0); + check_invalid_group(dh.get()); + + // g is not reduced mod p. + dh = NewDHGroup(p.get(), /*q=*/nullptr, p.get()); + ASSERT_TRUE(dh); + BN_set_negative(g.get(), 0); + check_invalid_group(dh.get()); + + // p is too large. + bssl::UniquePtr large(BN_new()); + ASSERT_TRUE(BN_set_bit(large.get(), 0)); + ASSERT_TRUE(BN_set_bit(large.get(), 10000000)); + dh = NewDHGroup(large.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + check_invalid_group(dh.get()); + + // q is too large. + dh = NewDHGroup(p.get(), large.get(), g.get()); + ASSERT_TRUE(dh); + check_invalid_group(dh.get()); + + // Attempting to generate too large of a Diffie-Hellman group should fail. + EXPECT_FALSE( + DH_generate_parameters_ex(dh.get(), 20000, DH_GENERATOR_5, nullptr)); +} diff --git a/crypto/dh_extra/params.c b/crypto/dh_extra/params.c index 0e76747e0..548c4c8f3 100644 --- a/crypto/dh_extra/params.c +++ b/crypto/dh_extra/params.c @@ -337,6 +337,11 @@ int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, // It's just as OK (and in some sense better) to use a generator of the // order-q subgroup. + if (prime_bits <= 0 || prime_bits > OPENSSL_DH_MAX_MODULUS_BITS) { + OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); + return 0; + } + BIGNUM *t1, *t2; int g, ok = 0; BN_CTX *ctx = NULL; diff --git a/crypto/err/dh.errordata b/crypto/err/dh.errordata index 9e1b87d85..09053aec6 100644 --- a/crypto/err/dh.errordata +++ b/crypto/err/dh.errordata @@ -1,6 +1,7 @@ DH,100,BAD_GENERATOR DH,104,DECODE_ERROR DH,105,ENCODE_ERROR +DH,106,INVALID_PARAMETERS DH,101,INVALID_PUBKEY DH,102,MODULUS_TOO_LARGE DH,103,NO_PRIVATE_VALUE diff --git a/crypto/fipsmodule/dh/check.c b/crypto/fipsmodule/dh/check.c index 0c82c17f0..b92b700d3 100644 --- a/crypto/fipsmodule/dh/check.c +++ b/crypto/fipsmodule/dh/check.c @@ -57,12 +57,40 @@ #include #include +#include #include "internal.h" +int dh_check_params_fast(const DH *dh) { + // Most operations scale with p and q. + if (BN_is_negative(dh->p) || !BN_is_odd(dh->p) || + BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + // q must be bounded by p. + if (dh->q != NULL && (BN_is_negative(dh->q) || BN_ucmp(dh->q, dh->p) > 0)) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + // g must be an element of p's multiplicative group. + if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || + BN_ucmp(dh->g, dh->p) >= 0) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + return 1; +} + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { *out_flags = 0; + if (!dh_check_params_fast(dh)) { + return 0; + } BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { @@ -73,17 +101,14 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { int ok = 0; // Check |pub_key| is greater than 1. - BIGNUM *tmp = BN_CTX_get(ctx); - if (tmp == NULL || - !BN_set_word(tmp, 1)) { - goto err; - } - if (BN_cmp(pub_key, tmp) <= 0) { + if (BN_cmp(pub_key, BN_value_one()) <= 0) { *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL; } // Check |pub_key| is less than |dh->p| - 1. - if (!BN_copy(tmp, dh->p) || + BIGNUM *tmp = BN_CTX_get(ctx); + if (tmp == NULL || + !BN_copy(tmp, dh->p) || !BN_sub_word(tmp, 1)) { goto err; } @@ -113,6 +138,11 @@ err: int DH_check(const DH *dh, int *out_flags) { + *out_flags = 0; + if (!dh_check_params_fast(dh)) { + return 0; + } + // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a // suitable generator where: // for 2, p mod 24 == 11 @@ -124,7 +154,6 @@ int DH_check(const DH *dh, int *out_flags) { BN_ULONG l; BIGNUM *t1 = NULL, *t2 = NULL; - *out_flags = 0; ctx = BN_CTX_new(); if (ctx == NULL) { goto err; diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c index 80940fdb1..1e8971a4a 100644 --- a/crypto/fipsmodule/dh/dh.c +++ b/crypto/fipsmodule/dh/dh.c @@ -70,8 +70,6 @@ #include "internal.h" -#define OPENSSL_DH_MAX_MODULUS_BITS 10000 - DH *DH_new(void) { DH *dh = OPENSSL_malloc(sizeof(DH)); if (dh == NULL) { @@ -191,16 +189,15 @@ int DH_set_length(DH *dh, unsigned priv_length) { int DH_generate_key(DH *dh) { boringssl_ensure_ffdh_self_test(); + if (!dh_check_params_fast(dh)) { + return 0; + } + int ok = 0; int generate_new_key = 0; BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); - goto err; - } - ctx = BN_CTX_new(); if (ctx == NULL) { goto err; @@ -279,8 +276,7 @@ err: static int dh_compute_key(DH *dh, BIGNUM *out_shared_key, const BIGNUM *peers_key, BN_CTX *ctx) { - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); + if (!dh_check_params_fast(dh)) { return 0; } diff --git a/crypto/fipsmodule/dh/internal.h b/crypto/fipsmodule/dh/internal.h index fe7fda4e9..d11e59b50 100644 --- a/crypto/fipsmodule/dh/internal.h +++ b/crypto/fipsmodule/dh/internal.h @@ -26,6 +26,8 @@ extern "C" { #endif +#define OPENSSL_DH_MAX_MODULUS_BITS 10000 + struct dh_st { BIGNUM *p; BIGNUM *g; @@ -44,6 +46,11 @@ struct dh_st { CRYPTO_refcount_t references; }; +// dh_check_params_fast checks basic invariants on |dh|'s domain parameters. It +// does not check that |dh| forms a valid group, only that the sizes are within +// DoS bounds. +int dh_check_params_fast(const DH *dh); + // dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|, // but doesn't try to run the self-test first. This is for use in the self tests // themselves, to prevent an infinite loop. diff --git a/include/openssl/dh.h b/include/openssl/dh.h index b83fb5ee1..a3094d8f6 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -353,5 +353,6 @@ BSSL_NAMESPACE_END #define DH_R_NO_PRIVATE_VALUE 103 #define DH_R_DECODE_ERROR 104 #define DH_R_ENCODE_ERROR 105 +#define DH_R_INVALID_PARAMETERS 106 #endif // OPENSSL_HEADER_DH_H From c3b236d325bbdcbb4621815704c7e7e927923042 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Mon, 14 Aug 2023 14:26:22 -0600 Subject: [PATCH 16/19] add missing test file to sources.cmake Change-Id: I3cbe4b7c580a0a5576554a9fe1da7a79518b0eb5 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62285 Auto-Submit: Bob Beck Reviewed-by: Adam Langley Commit-Queue: Adam Langley --- sources.cmake | 1 + 1 file changed, 1 insertion(+) diff --git a/sources.cmake b/sources.cmake index 1ebc44ad3..988088e8c 100644 --- a/sources.cmake +++ b/sources.cmake @@ -587,6 +587,7 @@ set( pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_2.pem pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_3.pem pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_4.pem + pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem pki/testdata/name_constraints_unittest/ipaddress-permit_all.pem pki/testdata/name_constraints_unittest/ipaddress-permit_prefix1.pem pki/testdata/name_constraints_unittest/ipaddress-permit_prefix31.pem From 87c00d522b6c7be2f11eb967705d73a7271a0a64 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Fri, 11 Aug 2023 18:56:16 -0400 Subject: [PATCH 17/19] Align DH keygen with NIST's formulation when q is available Section 5.6.1.1.4 of SP 800-56A Rev 3 and Appendix B.1.2 of FIPS 186-4 select the private key out of the range [1, q-1]. We used [2, q-1]. This distinction is unimportant. 0, 1, 2, 3, 4, etc. all make equally bad private keys. The defense against each of these is their negligible probability, not rejection sampling. Nonetheless, we may as well align with *some* specification, and NIST's formulation works fine. Change-Id: I33352061f3fbdbec5b14b576d15be98464a57536 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62227 Commit-Queue: David Benjamin Reviewed-by: Adam Langley --- crypto/fipsmodule/dh/dh.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c index 1e8971a4a..400a8ebcc 100644 --- a/crypto/fipsmodule/dh/dh.c +++ b/crypto/fipsmodule/dh/dh.c @@ -229,7 +229,13 @@ int DH_generate_key(DH *dh) { if (generate_new_key) { if (dh->q) { - if (!BN_rand_range_ex(priv_key, 2, dh->q)) { + // Section 5.6.1.1.4 of SP 800-56A Rev3 generates a private key uniformly + // from [1, min(2^N-1, q-1)]. + // + // Although SP 800-56A Rev3 now permits a private key length N, + // |dh->priv_length| historically was ignored when q is available. We + // continue to ignore it and interpret such a configuration as N = len(q). + if (!BN_rand_range_ex(priv_key, 1, dh->q)) { goto err; } } else { From 180066d66d469c26ca605f522bf5c1f08547be3e Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Mon, 14 Aug 2023 14:44:20 -0600 Subject: [PATCH 18/19] Add the rest of the new test data files to sources.cmake Change-Id: I235d81c6e6b013b25488355ccd5de254e7c172b8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62306 Commit-Queue: Bob Beck Auto-Submit: Bob Beck Reviewed-by: David Benjamin --- sources.cmake | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/sources.cmake b/sources.cmake index 988088e8c..1a6e8e418 100644 --- a/sources.cmake +++ b/sources.cmake @@ -1530,6 +1530,9 @@ set( pki/testdata/ssl/certificates/duplicate_cn_1.pem pki/testdata/ssl/certificates/duplicate_cn_2.p12 pki/testdata/ssl/certificates/duplicate_cn_2.pem + pki/testdata/ssl/certificates/ec-prime256v1-1.key + pki/testdata/ssl/certificates/ec-prime256v1-2.key + pki/testdata/ssl/certificates/ec-prime256v1-3.key pki/testdata/ssl/certificates/eku-test-root.pem pki/testdata/ssl/certificates/ev_test.pem pki/testdata/ssl/certificates/ev_test_state_only.pem @@ -1608,6 +1611,16 @@ set( pki/testdata/ssl/certificates/redundant-validated-chain-root.pem pki/testdata/ssl/certificates/redundant-validated-chain.pem pki/testdata/ssl/certificates/root_ca_cert.pem + pki/testdata/ssl/certificates/rsa-1024-1.key + pki/testdata/ssl/certificates/rsa-1024-2.key + pki/testdata/ssl/certificates/rsa-1024-3.key + pki/testdata/ssl/certificates/rsa-2048-1.key + pki/testdata/ssl/certificates/rsa-2048-2.key + pki/testdata/ssl/certificates/rsa-2048-3.key + pki/testdata/ssl/certificates/rsa-768-1.key + pki/testdata/ssl/certificates/rsa-768-2.key + pki/testdata/ssl/certificates/rsa-768-3.key + pki/testdata/ssl/certificates/rsa-8200-1.key pki/testdata/ssl/certificates/salesforce_com_test.pem pki/testdata/ssl/certificates/self-signed-invalid-name.pem pki/testdata/ssl/certificates/self-signed-invalid-sig.pem From 39a75071535f3389751ca22e73b5ccfef1b1bc59 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 14 Aug 2023 20:48:50 -0400 Subject: [PATCH 19/19] Hash-to-curve is now RFC 9380 There don't appear to be any changes since draft-16 beyond some copy-editing, so we can just update the comments. https://author-tools.ietf.org/iddiff?url1=draft-irtf-cfrg-hash-to-curve-16&url2=rfc9380&difftype=--html Change-Id: Ida48b647c146f1fb1eeb6033b8878cba880c4b9b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62326 Reviewed-by: Adam Langley Auto-Submit: David Benjamin Commit-Queue: Adam Langley --- crypto/ec_extra/hash_to_curve.c | 23 +++++++++-------------- crypto/ec_extra/internal.h | 10 ++++------ crypto/fipsmodule/ec/ec_test.cc | 2 +- include/openssl/ec.h | 16 +++++++--------- 4 files changed, 21 insertions(+), 30 deletions(-) diff --git a/crypto/ec_extra/hash_to_curve.c b/crypto/ec_extra/hash_to_curve.c index 2d11ef5d8..f29ef1306 100644 --- a/crypto/ec_extra/hash_to_curve.c +++ b/crypto/ec_extra/hash_to_curve.c @@ -26,8 +26,7 @@ #include "../internal.h" -// This file implements hash-to-curve, as described in -// draft-irtf-cfrg-hash-to-curve-16. +// This file implements hash-to-curve, as described in RFC 9380. // // This hash-to-curve implementation is written generically with the // expectation that we will eventually wish to support other curves. If it @@ -48,8 +47,7 @@ // templates to make specializing more convenient. // expand_message_xmd implements the operation described in section 5.3.1 of -// draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// RFC 9380. It returns one on success and zero on error. static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len, const uint8_t *msg, size_t msg_len, const uint8_t *dst, size_t dst_len) { @@ -138,7 +136,7 @@ err: // num_bytes_to_derive determines the number of bytes to derive when hashing to // a number modulo |modulus|. See the hash_to_field operation defined in -// section 5.2 of draft-irtf-cfrg-hash-to-curve-16. +// section 5.2 of RFC 9380. static int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) { size_t bits = BN_num_bits(modulus); size_t L = (bits + k + 7) / 8; @@ -171,8 +169,7 @@ static void big_endian_to_words(BN_ULONG *out, size_t num_words, } // hash_to_field implements the operation described in section 5.2 -// of draft-irtf-cfrg-hash-to-curve-16, with count = 2. |k| is the security -// factor. +// of RFC 9380, with count = 2. |k| is the security factor. static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, @@ -221,8 +218,7 @@ static inline void mul_A(const EC_GROUP *group, EC_FELEM *out, ec_felem_sub(group, out, in, &tmp); // out = -3*in } -// sgn0 implements the operation described in section 4.1.2 of -// draft-irtf-cfrg-hash-to-curve-16. +// sgn0 implements the operation described in section 4.1.2 of RFC 9380. static BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) { uint8_t buf[EC_MAX_BYTES]; size_t len; @@ -235,7 +231,7 @@ OPENSSL_UNUSED static int is_3mod4(const EC_GROUP *group) { } // sqrt_ratio_3mod4 implements the operation described in appendix F.2.1.2 -// of draft-irtf-cfrg-hash-to-curve-16. +// of RFC 9380. static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_FELEM *out_y, @@ -270,8 +266,7 @@ static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, } // map_to_curve_simple_swu implements the operation described in section 6.6.2 -// of draft-irtf-cfrg-hash-to-curve-16, using the straight-line implementation -// in appendix F.2. +// of RFC 9380, using the straight-line implementation in appendix F.2. static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_JACOBIAN *out, @@ -405,7 +400,7 @@ int ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_X9_62_prime256v1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0; @@ -438,7 +433,7 @@ int ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_secp384r1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0; diff --git a/crypto/ec_extra/internal.h b/crypto/ec_extra/internal.h index 8a9d99000..6b865a37a 100644 --- a/crypto/ec_extra/internal.h +++ b/crypto/ec_extra/internal.h @@ -30,24 +30,22 @@ extern "C" { // ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group| // and writes the result to |out|, using the hash_to_field operation from the -// P384_XMD:SHA-384_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-16, but -// generating a value modulo the group order rather than a field element. +// P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo +// the group order rather than a field element. OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384( const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); diff --git a/crypto/fipsmodule/ec/ec_test.cc b/crypto/fipsmodule/ec/ec_test.cc index 75e11f846..b9bc1a269 100644 --- a/crypto/fipsmodule/ec/ec_test.cc +++ b/crypto/fipsmodule/ec/ec_test.cc @@ -1223,7 +1223,7 @@ TEST(ECTest, HashToCurve) { const char *y_hex; }; const HashToCurveTest kTests[] = { - // See draft-irtf-cfrg-hash-to-curve-16, appendix J.1.1. + // See RFC 9380, appendix J.1.1. {&EC_hash_to_curve_p256_xmd_sha256_sswu, EC_group_p256(), "QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_", "", "2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91" diff --git a/include/openssl/ec.h b/include/openssl/ec.h index f1a77b229..2d005af6c 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -340,24 +340,22 @@ OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, // Hash-to-curve. // -// The following functions implement primitives from -// draft-irtf-cfrg-hash-to-curve-16. The |dst| parameter in each function is the -// domain separation tag and must be unique for each protocol and between the -// |hash_to_curve| and |hash_to_scalar| variants. See section 3.1 of the spec -// for additional guidance on this parameter. +// The following functions implement primitives from RFC 9380. The |dst| +// parameter in each function is the domain separation tag and must be unique +// for each protocol and between the |hash_to_curve| and |hash_to_scalar| +// variants. See section 3.1 of the spec for additional guidance on this +// parameter. // EC_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // EC_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);