commit c90eaeb7af65a9a015b60c211c30665a73197fad parent 00a4d600c1e60f64f7f3f54509314ea6b4454267 Author: Alexandru Marc <amarc@mozilla.com> Date: Tue, 28 Oct 2025 20:49:04 +0200 Revert "Bug 1996388 - extend 1-QWAC API to also verify 2-QWACs r=jschanck" for causing non-unified build bustages @ QWACs.cpp This reverts commit 65740bbfc05adb7e717cbf8561f2699588ecb7d4. Diffstat:
34 files changed, 158 insertions(+), 434 deletions(-)
diff --git a/security/manager/ssl/QWACs.cpp b/security/manager/ssl/QWACs.cpp @@ -20,31 +20,26 @@ using namespace mozilla::psm; using mozilla::dom::Promise; -class VerifyQWACTask : public mozilla::CryptoTask { +class Verify1QWACTask : public mozilla::CryptoTask { public: - VerifyQWACTask(nsIX509CertDB::QWACType aType, nsIX509Cert* aCert, - const nsACString& aHostname, - const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, - RefPtr<Promise>& aPromise) - : mType(aType), - mCert(aCert), - mHostname(aHostname), + Verify1QWACTask(nsIX509Cert* aCert, + const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, + RefPtr<Promise>& aPromise) + : mCert(aCert), mCollectedCerts(aCollectedCerts.Clone()), - mPromise(new nsMainThreadPtrHolder<Promise>("VerifyQWACTask::mPromise", + mPromise(new nsMainThreadPtrHolder<Promise>("Verify1QWACTask::mPromise", aPromise)), - mVerified(false) {} + mVerifiedAs1QWAC(false) {} private: virtual nsresult CalculateResult() override; virtual void CallCallback(nsresult rv) override; - nsIX509CertDB::QWACType mType; RefPtr<nsIX509Cert> mCert; - nsCString mHostname; nsTArray<RefPtr<nsIX509Cert>> mCollectedCerts; nsMainThreadPtrHandle<Promise> mPromise; - bool mVerified; + bool mVerifiedAs1QWAC; }; // Does this certificate have the correct qcStatements ("qualified certificate @@ -56,7 +51,7 @@ class VerifyQWACTask : public mozilla::CryptoTask { // 2) a QCStatement with statementId equal to id-etsi-qcs-QcType and a // statementInfo of length one that contains the id-etsi-qct-web // identifier. -bool CertHasQWACSQCStatements(Input cert) { +bool CertHasQWACSQCStatements(const nsTArray<uint8_t>& certDER) { using namespace mozilla::pkix::der; // python DottedOIDToCode.py id-etsi-qcs-QcCompliance 0.4.0.1862.1.1 
@@ -71,6 +66,10 @@ bool CertHasQWACSQCStatements(Input cert) { static const uint8_t id_etsi_qct_web[] = {0x04, 0x00, 0x8e, 0x46, 0x01, 0x06, 0x03}; + Input cert; + if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { + return false; + } BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); if (backCert.Init() != Success) { return false; @@ -128,17 +127,30 @@ bool CertHasQWACSQCStatements(Input cert) { if (rv != Success) { return false; } - if (!qcStatements.AtEnd()) { - return false; - } return foundQCComplianceStatement && foundQCTypeStatementWithWebType; } -// Helper function to determine if a certificate has a policy from the given -// list of acceptable policies. -bool CertHasPolicyFrom(Input cert, const nsTArray<Input>& policies) { +// For 1-QWACs, ETSI TS 119 411-5 V2.1.1 clause 6.1.2 ("Validation of QWACs") +// item 5 references clause 4.1.2, which references clause 4.1.1, which states +// that such certificates must have either the QEVCP-w or QNCP-w policy as +// specified in ETSI EN 319 411-2. +bool CertHas1QWACPolicy(const nsTArray<uint8_t>& certDER) { using namespace mozilla::pkix::der; + // QEVCP-w is itu-t(0) identified-organization(4) etsi(0) + // qualified-certificate-policies(194112) policy-identifiers(1) qcp-web (4) + // python DottedOIDToCode.py qevcp-w 0.4.0.194112.1.4 + static const uint8_t qevcp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x04}; + + // QNCP-w is itu-t(0) identified-organization(4) etsi(0) + // qualified-certificate-policies(194112) policy-identifiers(1) qncp-web (5) + // python DottedOIDToCode.py qncp-w 0.4.0.194112.1.5 + static const uint8_t qncp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x05}; + + Input cert; + if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { + return false; + } BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); if (backCert.Init() != Success) { return false; 
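Review bot: In CertHasQWACSQCStatements the `if (!qcStatements.AtEnd()) { return false; }` check after the NestedOf call is dropped, so extension content with bytes trailing the outer SEQUENCE is no longer rejected by this function. The same happens to the `certificatePolicies.AtEnd()` check in CertHas1QWACPolicy, in the `@@ -164,178 +176,57 @@` hunk. Neither check looks tied to the 2-QWAC API or to the non-unified build failure named in the commit message, so I would keep both, `if (!qcStatements.AtEnd()) { return false; }` and `if (!certificatePolicies.AtEnd()) { return false; }`, or re-land them as a separate patch. The readers are declared outside these hunks, so whether another layer already rejects trailing data cannot be confirmed from here.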
@@ -154,7 +166,7 @@ bool CertHasPolicyFrom(Input cert, const nsTArray<Input>& policies) { // ... // } // CertPolicyId ::= OBJECT IDENTIFIER - bool foundPolicy = false; + bool found1QWACPolicy = false; mozilla::pkix::Result rv = NestedOf(certificatePolicies, SEQUENCE, SEQUENCE, EmptyAllowed::No, [&](Reader& policyInformationContents) { 
@@ -164,178 +176,57 @@ bool CertHasPolicyFrom(Input cert, const nsTArray<Input>& policies) { if (rv != Success) { return rv; } - for (const auto& policy : policies) { - if (policyIdentifier.MatchRest(policy)) { - foundPolicy = true; - } + if (policyIdentifier.MatchRest(qevcp_w) || + policyIdentifier.MatchRest(qncp_w)) { + found1QWACPolicy = true; } return Success; }); if (rv != Success) { return false; } - if (!certificatePolicies.AtEnd()) { - return false; - } - return foundPolicy; -} - -// For 1-QWACs, ETSI TS 119 411-5 V2.1.1 clause 6.1.2 ("Validation of QWACs") -// item 5 references clause 4.1.2, which references clause 4.1.1, which states -// that such certificates must have either the QEVCP-w or QNCP-w policy as -// specified in ETSI EN 319 411-2. -bool CertHas1QWACPolicy(Input cert) { - // QEVCP-w is itu-t(0) identified-organization(4) etsi(0) - // qualified-certificate-policies(194112) policy-identifiers(1) qcp-web (4) - // python DottedOIDToCode.py qevcp-w 0.4.0.194112.1.4 - static const uint8_t qevcp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x04}; - - // QNCP-w is itu-t(0) identified-organization(4) etsi(0) - // qualified-certificate-policies(194112) policy-identifiers(1) qncp-web (5) - // python DottedOIDToCode.py qncp-w 0.4.0.194112.1.5 - static const uint8_t qncp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x05}; - - return CertHasPolicyFrom(cert, {Input(qevcp_w), Input(qncp_w)}); -} - -// For 2-QWACs, ETSI TS 119 411-5 V2.1.1 clause 6.1.2 ("Validation of QWACs") -// item 5 references clause 4.2.2, which references clause 4.2.1, which states -// that such certificates must have the QNCP-w-gen policy as specified in ETSI -// EN 319 411-2. 
-bool CertHas2QWACPolicy(Input cert) { - // QEVCP-w-gen is itu-t(0) identified-organization(4) etsi(0) - // qualified-certificate-policies(194112) policy-identifiers(1) - // qncp-web-gen (6) - // python DottedOIDToCode.py qevcp-w-gen 0.4.0.194112.1.6 - static const uint8_t qevcp_w_gen[] = {0x04, 0x00, 0x8b, 0xec, - 0x40, 0x01, 0x06}; - - return CertHasPolicyFrom(cert, {Input(qevcp_w_gen)}); -} - -// ETSI TS 119 411-5 V2.1.1 states that "The 2-QWAC certificate shall be issued -// in accordance with ETSI EN 319 412-4 [4] for the relevant certificate policy -// as identified in clause 4.2.1 of the present document, except as described -// below: -// * the extKeyUsage value shall only assert the extendedKeyUsage purpose of -// id-kp-tls-binding as specified in Annex A." -// This is interpreted to mean the 2-QWAC certificate must have an -// extendedKeyUsage extension and it must contain only id-kp-tls-binding, and -// that there are no particular restrictions or requirements of the other -// certificates in the chain with regard to EKU extensions. 
-bool CertOnlyHasTLSBindingEKU(Input cert) { - using namespace mozilla::pkix::der; - - // ETSI TS 119 411-5 V2.1.1 Annex A: - // id-tlsBinding OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) - // etsi(0) id-qwacImplementation(194115) tls-binding (1) } - // id-kp-tls-binding OBJECT IDENTIFIER ::= { id-tlsBinding - // id-kp-tls-binding(0) } - // python DottedOIDToCode.py id-kp-tls-binding 0.4.0.194115.1.0 - static const uint8_t id_kp_tls_binding[] = {0x04, 0x00, 0x8b, 0xec, - 0x43, 0x01, 0x00}; - - BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); - if (backCert.Init() != Success) { - return false; - } - const Input* ekuInput(backCert.GetExtKeyUsage()); - if (!ekuInput) { - return false; - } - Reader eku(*ekuInput); - // Normally, the extended key usage extension is defined like so: - // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId - // KeyPurposeId ::= OBJECT IDENTIFIER - // That is, it consists of a SEQUENCE of OBJECT IDENTIFIERs, where each OID - // identifies a key purpose. However, for 2-QWACs, the EKU must consist of - // exactly one key purpose ID of id-kp-tls-binding. 
- mozilla::pkix::Result rv = Nested(eku, SEQUENCE, OIDTag, [&](Reader& r) { - if (r.MatchRest(id_kp_tls_binding)) { - return Success; - } - return mozilla::pkix::Result::ERROR_INADEQUATE_CERT_TYPE; - }); - if (rv != Success) { - return false; - } - return eku.AtEnd(); + return found1QWACPolicy; } -nsresult VerifyQWACTask::CalculateResult() { +nsresult Verify1QWACTask::CalculateResult() { mozilla::psm::QWACTrustDomain trustDomain(mCollectedCerts); nsTArray<uint8_t> certDER; nsresult rv = mCert->GetRawDER(certDER); if (NS_FAILED(rv)) { return rv; } - Input cert; - if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { - return NS_ERROR_FAILURE; + if (!CertHasQWACSQCStatements(certDER)) { + return NS_OK; } - if (!CertHasQWACSQCStatements(cert)) { + if (!CertHas1QWACPolicy(certDER)) { return NS_OK; } - if (mType == nsIX509CertDB::QWACType::OneQWAC) { - if (!CertHas1QWACPolicy(cert)) { - return NS_OK; - } - } else if (mType == nsIX509CertDB::QWACType::TwoQWAC) { - if (!CertHas2QWACPolicy(cert)) { - return NS_OK; - } - if (!CertOnlyHasTLSBindingEKU(cert)) { - return NS_OK; - } - } else { - MOZ_ASSERT_UNREACHABLE("unhandled QWAC type"); + Input cert; + if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { return NS_ERROR_FAILURE; } - if (BuildCertChain(trustDomain, cert, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::anyExtendedKeyUsage, CertPolicyId::anyPolicy, nullptr) != Success) { return NS_OK; } - - // For 1-QWACs, the hostname should have already been validated in the TLS - // handshake. However, this operation is not expensive, and it ensures all - // required checks have been done, in case 1-QWACs are ever re-used in a - // different context. 
- Input hostname; - if (hostname.Init( - BitwiseCast<const uint8_t*, const char*>(mHostname.BeginReading()), - mHostname.Length()) != Success) { - return NS_OK; - } - // According to ETSI EN 319 412-4 V1.4.1 section 4, certificates following - // EVCP or QEVCP-w (which includes 1-QWACs) are subject to the CA/Browser - // Forum's EV Guidelines, which incorporates the Baseline Requirements. - // Certificates following QNCP-w-gen (which includes 2-QWACs) are subject to - // the Baseline Requirements with respect to the subject alternative name - // extension. - if (CheckCertHostname(cert, hostname) != Success) { - return NS_OK; - } - - mVerified = true; + mVerifiedAs1QWAC = true; return NS_OK; } -void VerifyQWACTask::CallCallback(nsresult rv) { +void Verify1QWACTask::CallCallback(nsresult rv) { if (NS_FAILED(rv)) { mPromise->MaybeReject(rv); } else { - mPromise->MaybeResolve(mVerified); + mPromise->MaybeResolve(mVerifiedAs1QWAC); } } NS_IMETHODIMP -nsNSSCertificateDB::AsyncVerifyQWAC( - QWACType aType, nsIX509Cert* aCert, const nsACString& aHostname, - const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, JSContext* aCx, - mozilla::dom::Promise** aPromise) { +nsNSSCertificateDB::AsyncVerify1QWAC( + nsIX509Cert* aCert, const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, + JSContext* aCx, mozilla::dom::Promise** aPromise) { NS_ENSURE_ARG_POINTER(aCx); nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); @@ -348,8 +239,8 @@ nsNSSCertificateDB::AsyncVerifyQWAC( return result.StealNSResult(); } - RefPtr<VerifyQWACTask> task( - new VerifyQWACTask(aType, aCert, aHostname, aCollectedCerts, promise)); + RefPtr<Verify1QWACTask> task( + new Verify1QWACTask(aCert, aCollectedCerts, promise)); nsresult rv = task->Dispatch(); if (NS_FAILED(rv)) { return rv; diff --git a/security/manager/ssl/nsIX509CertDB.idl b/security/manager/ssl/nsIX509CertDB.idl 
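Review bot: AsyncVerify1QWAC guards only `aCx` with NS_ENSURE_ARG_POINTER, yet `aCert` is stored in the task and later dereferenced in CalculateResult as `mCert->GetRawDER(certDER)`. A null certificate passed by a caller would therefore be dereferenced later rather than rejected at the call. Adding `NS_ENSURE_ARG_POINTER(aCert);` next to the existing check would fail the call up front. The body of AsyncVerify1QWAC continues past the end of this hunk, so confirm that the lines not shown do not already check it.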
@@ -386,23 +386,14 @@ interface nsIX509CertDB : nsISupports { [must_use] nsIX509Cert getAndroidCertificateFromAlias(in AString alias); - cenum QWACType : 8 { - OneQWAC, - TwoQWAC, - }; - /** - * For a QWAC type (1-QWAC or 2-QWAC), given a certificate, a hostname, and a - * list of other certificates that may be useful in path building, - * asynchronously determines whether or not the certificate in question is a - * QWAC ("qualified website authentication certificate") of that type as per - * ETSI TS 119 411-5 and related standards. + * Given a certificate and a list of other certificates that may be useful in + * path building, asynchronously determines whether or not the certificate in + * question is a 1-QWAC ("qualified website authentication certificate") as + * per ETSI TS 119 411-5 and related standards. */ [implicit_jscontext] - Promise asyncVerifyQWAC(in nsIX509CertDB_QWACType type, - in nsIX509Cert cert, - in ACString hostname, - in Array<nsIX509Cert> collectedCerts); + Promise asyncVerify1QWAC(in nsIX509Cert cert, in Array<nsIX509Cert> collectedCerts); /** * Verifies that the all the signatures in the PKCS7 CMS message are valid for the associated data. @@ -431,4 +422,5 @@ interface nsIX509CertDB : nsISupports { in Array<Array<uint8_t> > data, in nsIX509CertDB_PDFSignatureAlgorithm signatureType ); + }; diff --git a/security/manager/ssl/tests/unit/test_qwacs.js b/security/manager/ssl/tests/unit/test_qwacs.js @@ -12,10 +12,8 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( async function verify_1_qwacs(filename, expectSuccess, extraCertNames = []) { let cert = constructCertFromFile(filename); - let result = await certdb.asyncVerifyQWAC( - Ci.nsIX509CertDB.OneQWAC, + let result = await certdb.asyncVerify1QWAC( cert, - "example.com", extraCertNames.map(filename => constructCertFromFile(filename)) ); equal( 
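Review bot: The doc comment on asyncVerify1QWAC does not say that no hostname is checked. The method now takes only the certificate and the collected certificates, and the C++ side of this commit removes the CheckCertHostname call. A resolved `true` therefore means the certificate passed the qcStatements, policy and path-building checks, not that it is valid for a particular site. I would add a sentence such as `Does not check the certificate against a hostname; callers must pass the certificate that the TLS handshake already validated for the site.` so that a later caller does not reuse the result in another context.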
@@ -26,7 +24,6 @@ async function verify_1_qwacs(filename, expectSuccess, extraCertNames = []) { } add_task(async function test_verify_1_qwacs() { - Services.prefs.clearUserPref("security.qwacs.enable_test_trust_anchors"); // By default, the QWACs test trust anchors are not used. await verify_1_qwacs("test_qwacs/1-qwac.pem", false); await verify_1_qwacs("test_qwacs/1-qwac-qevcpw.pem", false); @@ -50,40 +47,4 @@ add_task(async function test_verify_1_qwacs() { await verify_1_qwacs("test_qwacs/wrong-qc-type.pem", false); await verify_1_qwacs("test_qwacs/no-1-qwac-policies.pem", false); await verify_1_qwacs("test_qwacs/no-policies.pem", false); - await verify_1_qwacs("test_qwacs/2-qwac.pem", false); -}); - -async function verify_2_qwacs( - filename, - expectSuccess, - hostname = "example.com" -) { - let cert = constructCertFromFile(filename); - let result = await certdb.asyncVerifyQWAC( - Ci.nsIX509CertDB.TwoQWAC, - cert, - hostname, - [] - ); - equal( - result, - expectSuccess, - `${filename} ${expectSuccess ? "should" : "should not"} verify as 2-QWAC` - ); -} - -add_task(async function test_verify_2_qwacs() { - Services.prefs.clearUserPref("security.qwacs.enable_test_trust_anchors"); - // By default, the QWACs test trust anchors are not used. - await verify_2_qwacs("test_qwacs/2-qwac.pem", false); - - Services.prefs.setBoolPref("security.qwacs.enable_test_trust_anchors", true); - - await verify_2_qwacs("test_qwacs/2-qwac.pem", true); - - await verify_2_qwacs("test_qwacs/1-qwac.pem", false); - await verify_2_qwacs("test_qwacs/2-qwac-no-eku.pem", false); - await verify_2_qwacs("test_qwacs/2-qwac-tls-server-eku.pem", false); - await verify_2_qwacs("test_qwacs/2-qwac-multiple-key-purpose-eku.pem", false); - await verify_2_qwacs("test_qwacs/2-qwac.pem", false, "example.org"); }); diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDYzCCAkugAwIBAgIUI/oo87khfS5TsbQOTVpkwwj3NqEwDQYJKoZIhvcNAQEL +MIIDSTCCAjGgAwIBAgIUaZ76rjPYP4T+dytmDJ7/oGjMu6wwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAyMTAwLgYDVQQDDCcxLVFXQUMgd2l0aCBvdGhlciBvcHRpb25h bCBxY1N0YXRlbWVudHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 @@ -8,14 +8,13 @@ iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr 8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ 77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J -I/pyUcQx1QOs2hgKNe2NAgMBAAGjgYwwgYkwWQYIKwYBBQUHAQMETTBLMCoGEisG -AQQB60mFGoUahRoBg3QJATAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCAYGBACORgEB -MBMGBgQAjkYBBjAJBgcEAI5GAQYDMBQGA1UdIAQNMAswCQYHBACL7EABBTAWBgNV -HREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAUs4m4+zFsQ/d -MYWojI8kGBSl7vxHVIzN5YI22MkddgIlLHUa6Cjg8LKmv8KMsHvLNEmWu8psJ/99 -oNbsu8qMKlZh4QiK7rnvLfDejAZgckRj3c9+jmpLwtZci2BI8nep8ea+BccV9K5Q -JVKLlrAIKuL/M93+K+LwyAcWxYnRz2L/7yU3By1dcl3lVKjE9gRGGJs0SKxRrLEF -wpHhc1Ox80lN6Rtc+wj0yjZFIGQ23UmDpI/GD4nxPWUgd7ACz1NQQHi8CHSNfth/ -bl9vfrj0ie/OzjrtgoZ0OF3zDsSGwcQzJo/keWacs9aeoMbNC9JP0bVFZtCEICJi -SO+0wqpLJg== +I/pyUcQx1QOs2hgKNe2NAgMBAAGjczBxMFkGCCsGAQUFBwEDBE0wSzAqBhIrBgEE +AetJhRqFGoUaAYN0CQEwFAYSKwYBBAHrSYUahRqFGgGDdAkBMAgGBgQAjkYBATAT +BgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQUwDQYJKoZI +hvcNAQELBQADggEBAIksotr4cBkTAcLiJZltl8K0DpQE2uCXJmSuoRbvM+7dzUjQ +yT5mnNpY86+itom5xi+kVgobctZNB7qKNCelNLnF5xcQdvnSYfJgvHQGRZBVvtJ+ +3HprWWMFl3h2oADnyGftOGNtwFOSBja68uVY5R/hHyI518lxNcp6ON3BBamJMrTt +FLmEqCE9ixFlUY12XIc0Vw828hvP3WDkzrNqRTuSZwnM9J0wUO6te8PRIlVodsJU +T7WfRa/7/MLed5SkHo7HfUOgg/LGFPKWRTZCbbmf0T0r1nE5T8NgauqLaJQKCAH3 +xsWkQK2Jo+1hVmW5QKqRt68Cv8YoN/lPzWkzY+k= -----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem.certspec @@ -2,4 +2,3 @@ issuer:Test CA subject:1-QWAC with other optional qcStatements extension:qcStatements:1.3.6.1.4.1.13769.666.666.666.1.500.9.1:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDHjCCAgagAwIBAgIUTUmIUofkufiQc+GWG42KrNYKGUkwDQYJKoZIhvcNAQEL +MIIDBjCCAe6gAwIBAgIUG1MjuksFls8P6XUPgmjbaz1pu8QwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAbMRkwFwYDVQQDDBAxLVFXQUMgKFFFVkNQLXcpMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK 
@@ -7,13 +7,13 @@ tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl -nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo18w -XTAtBggrBgEFBQcBAwQhMB8wCAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYD -MBQGA1UdIAQNMAswCQYHBACL7EABBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAN -BgkqhkiG9w0BAQsFAAOCAQEATzgg0JEIVsIDJCS4utDxFf4Go1G3VvadDHLsPNwa -mQsyzT/IXQj8WuUEoJFpKVjarQI2oQAJepE4h3LxIBYQVUSWejpp1LTbRuUtKcD9 -UAUvHEqzeReXH+Nlqx7hmPTG20woyX7uFxe8giobfNGImS5+r2b0mfMh1Q9o2+Hd -9nk1QnTdkTWQTZ0jp2P3bXstvo7KEyxmg+e9w74Re+3M9R828boHs/uDbfFh3If+ -ZvhUEEmwKKVFoP0hfr5p7KBIjToGkHr/Ciuj8p5voT6ZuQ/oEO6WhFDSGUONlATI -HcO2qhxC6W6hv48tpZKjUxl6cke8fWQ2JVCx8eEUcIGDjQ== +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0cw +RTAtBggrBgEFBQcBAwQhMB8wCAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYD +MBQGA1UdIAQNMAswCQYHBACL7EABBDANBgkqhkiG9w0BAQsFAAOCAQEACEmrysb7 +7MPsWOwPKr8rbQzmEo149mKXrSMi9tDJk+DlPrkcGo8jz2zLMXEADbFoCBBv1YGO +41ro2r4MVHyH2f/AGk18h5aYL2jQTufLTCcuoPo7B078jMmAdivOICdzarjuMZrR +9yU2+6JHTpEUtnquSw7td/+dJqaVtT8wRe9GdnqPWnVdkfWkoNdY72gZ+4dWihnn +SacQYj6gL/OW8EGYl8JSL+c+lD6FsPRW8UH4UkgXQPzFSMlbq7QyLOi0EU9zqIxE +2LMUl3WXBi2k4ecVHI0gJGiXg1m8MxhToRDftiq79Tw+elqJwj1ychUNMERNAy0X +t2rLLMYA5DIieA== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem.certspec @@ -2,4 +2,3 @@ issuer:Test CA subject:1-QWAC (QEVCP-w) extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.4 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIUH9ZcqeRHfVSU5dx2MuMnzwSfbfYwDQYJKoZIhvcNAQEL +MIIDHDCCAgSgAwIBAgIUN3k8AnTEt+DKd7zpHnxNCcNWrj4wDQYJKoZIhvcNAQEL BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMzExMjgwMDAw MDBaGA8yMDI2MDIwNTAwMDAwMFowJzElMCMGA1UEAwwcMS1RV0FDIHZpYSBUZXN0 IEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI @@ -8,13 +8,12 @@ r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD 7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj -+nJRxDHVA6zaGAo17Y0CAwEAAaNfMF0wLQYIKwYBBQUHAQMEITAfMAgGBgQAjkYB -ATATBgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQUwFgYD -VR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAI7fK3tABC4e -OlFOEa6QH+PsfCVsJGPAE7S7KeQsls9iDiXafA1RSgOflqEWLMN0aP4R6miSmEPq -rgVsG4iq+Ahz9IZoeUU21orO4Fd9Z8u4CPwrt7EaIECKgNBXeMNiix/Ey54hiYnq -KGFM+KcVB7gkTlNKZGtvgvaiRxCGJO//DwvBmf2fs51v++YRADvUaPSo9VR20v3e -13vLB3JmTls7pQZgOcGk30BsY2jcQE1ahmvb8zBFafxt2JJSEq29hke5R4NAQYOb -mH8fCIVyFjNtj5baE6pRRv2gFUY1iS2mqXLCbVS8y2umeaFaK4D7wRDg9iaOjoiW -op+vVR3UBBI= ++nJRxDHVA6zaGAo17Y0CAwEAAaNHMEUwLQYIKwYBBQUHAQMEITAfMAgGBgQAjkYB +ATATBgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQUwDQYJ +KoZIhvcNAQELBQADggEBADogfTffZJ+lbfrIb4XjWIgW9/N8wfTK0wAkiynauW+K +Kz/DCwZtxof9WDoQnYNM8w4aBMA3EdCoHqbU94HHtRqLSsysuqrM4/FiMhOrdJyB +I7JOMODuCPTC937ec9DoHO17YvgM+Lr9ou+tixPa9ADTye7FmTq/tvWa9+qJWB1L +GNoMaDsOBiZRKkanNdsrN0KdidcMCg/5PWGf/r93VZJBa+O3UrJjqn+QbBrZxMUa +2UhOOdUN1ERAj1CC/dKnswB4gqNaZvLSvN4WhoDxgfVSe9tq8pbYwLfb/RwNOheH +TMoBXC6RWm6gucuiLbsCknjDKfRIF7q+R9Ewun5mxLs= -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem.certspec 
@@ -2,4 +2,3 @@ issuer:Test Intermediate subject:1-QWAC via Test Intermediate extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDFDCCAfygAwIBAgIURTKOgtp24HFZdewuzQ73/SaHjF4wDQYJKoZIhvcNAQEL +MIIC/DCCAeSgAwIBAgIUG6a58w0ViFDNph9sc09nWvAw2s8wDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYxLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH 
@@ -7,13 +7,12 @@ Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE -LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjXzBdMC0GCCsGAQUF +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjRzBFMC0GCCsGAQUF BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFAYDVR0gBA0w -CzAJBgcEAIvsQAEFMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEB -CwUAA4IBAQAIcJh4+ZNn0boY1XZzhlmBUrvqjPWaraAe3b+TUWfSzI13yD+F6fIM -HyCRF3i+fLvhopx9UynOJj01yOIlmUzlpB4CSbq2f49h2Xy/fw44TpFtgzuOA5vG -7xHf+DwASs/BgfP7P+hxLcWMUy3R6dcRTHnfykwDaOZKBZVb4amF/JqjIrIwuwFq -miO2n6py008yu7ugNCn7Ozh1Wy5Tdlcg8HoQUE3sbuoJi8ivoQJTjpj10xWnvGwU -iq1mDf7W8O3U8YpU8C5l2HaWmpJU8uMG3NxNyeJZ6MThWzy2nJdps1JcqRqjPPcs -fEBfvQ/NAqSOhPdheR+aJ/uTjxhQCTH4 +CzAJBgcEAIvsQAEFMA0GCSqGSIb3DQEBCwUAA4IBAQBdFd+lIMnM3+kH30yHcfQE +446VQxv+ZpjAixYn/yGl2U5feVTpuDC2yYlV5ehbfvefpl/NqCEwQNU+3DOslp31 +aAJIE4RsHbS/aXXVVhvaJJFpP16nzCMTLmtamUESMRzOYYbWMCsCpvy49ygc+C2Q +qKAew6UFYaBwtlH01U5gkbF2SNiuTKcw8Eb32jLoILn6uypEd7QVSRBvnRRVM+ZW +qgAP3/WPuSBVuBnGgD7xOzPyjti/Gyvv7t6eO54mBhZ4076WTda5E78GwNgS+Vnz +NgCwmmGf+pZsuFfMjF+rvjftOUCQHJkl+bEF+20dZF+4WbrXYqFjFZc09j9cjMrm -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem.certspec @@ -2,4 +2,3 @@ issuer:Test CA subject:1-QWAC extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMjCCAhqgAwIBAgIUL+f4J/SXqWfIZicJ/0ILx7suxfQwDQYJKoZIhvcNAQEL -BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw -MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYyLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH -Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr -IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ -sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA -dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE -LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjfTB7MC0GCCsGAQUF -BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFAYDVR0gBA0w -CzAJBgcEAIvsQAEGMBwGA1UdJQQVMBMGBwQAi+xDAQAGCCsGAQUFBwMBMBYGA1Ud -EQQPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAEVrEtyXKzohAA -lax9ZbvvkD/ifDTa+LSiTU87aqC70ybUs5wLUwQrLkiHbsaj7vzCk/+VJcicctGg -M0UdXPUE1BumTnLXt1imeBF2Gl5MzDK1lNjF5wz5OHZEQRnCocYqqDademP9FJ7r -8x3e40tUU6Ej7aGQW/Ag7YPY84gspB6uFUzO5GZhQY04mKYfVxEJRYyM8qDScoJp -e6KzuDgJF9H0SYJmLo130EHG2VhvL9ns7ERKtTxcKxT1fW1LPs/H5PuPxexMS374 -fKigeHbOP2vvI/EmfAkh7ayZxNY+DM3SPtNnx7m7/gu7b40Ckql1Q0dzFuYXBYl6 -zkzxqkWy ------END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem.certspec @@ -1,6 +0,0 @@ -issuer:Test CA -subject:2-QWAC -extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 -extension:certificatePolicies:0.4.0.194112.1.6 -extension:extKeyUsage:tlsBinding,serverAuth -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDIDCCAgigAwIBAgIUFZ8CNnnECeipfbVs6O78+F9+mJEwDQYJKoZIhvcNAQEL -BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw -MjA1MDAwMDAwWjAdMRswGQYDVQQDDBIyLVFXQUMgd2l0aCBubyBFS1UwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk -NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC -fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m -CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM -HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m -1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj -XzBdMC0GCCsGAQUFBwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYB -BgMwFAYDVR0gBA0wCzAJBgcEAIvsQAEGMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t -MA0GCSqGSIb3DQEBCwUAA4IBAQBMUAUcfKL25pszcVGD5DPygl8g3JFD0lO/2T/r -P7uWddCTfVG16UGaCkUqANCnuRCMEDbcGMOhYCmCQwnBDkSEwFtfJhzgzIlwg0QS -1+K/+yGoMI2DcmRBq6IvSCnH80MHjLKQNHnDCEEC+DDgUfFcQmBP199E27nppZzc -FlHaLuFGni5hJQyXAEVzekhnqdzXaWykf04Q+Un4pc8sMaJB6PQGpLPw12usT2In -tTEEuPffb8V40ek3876cl/rcLXX1SX2y9ZBUf8wmriE71WI704x9itlmsV0/gITK -R326M7XiWoo1wnv+FmNBTM+/gwXl/jsoinNCH62f6Puh4PrO ------END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem.certspec @@ -1,5 +0,0 @@ -issuer:Test CA -subject:2-QWAC with no EKU -extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 -extension:certificatePolicies:0.4.0.194112.1.6 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDPTCCAiWgAwIBAgIUfVrYO0VOgzmQI8p+JT3JjVmSze4wDQYJKoZIhvcNAQEL -BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw -MjA1MDAwMDAwWjAlMSMwIQYDVQQDDBoyLVFXQUMgd2l0aCBUTFMgc2VydmVyIEVL -VTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG -NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn -RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu -p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ -Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p -47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 -7Y0CAwEAAaN0MHIwLQYIKwYBBQUHAQMEITAfMAgGBgQAjkYBATATBgYEAI5GAQYw -CQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQYwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEB -ADUZ0yreEq4UeltRlfAREQE+FLOedFu70QThSTKmYAnhUdIdWOSeb6JlOST0YaXx -LQvqKZlq8T+JwDHXT55Oatlkbnm7ajVm9BLi0nba51FRr6hK6R+QgdXCejXSF064 -8HfrPvwaWkT9Ky2RVOVarwwrL4lHWT/c/gBnpz5c5y9wmSYlUeo+k0Mnuoio/mnX -u6Uwrij01gdA8maHrqDdrMCKbTsLPJ2i7gLzAIJYfEmy2zS/EnEb7S6Kl99ca60r -piwefwOL+ITY272UfJdAbVZSYgcPoYZnp3NQh6dyi00XitKGzMOHuHXT0ZkQvphc -I2870v8D0vJCq+0eZIZv6AA= ------END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem.certspec @@ -1,6 +0,0 @@ -issuer:Test CA -subject:2-QWAC with TLS server EKU -extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 -extension:certificatePolicies:0.4.0.194112.1.6 -extension:extKeyUsage:serverAuth -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDKDCCAhCgAwIBAgIUaftyq0ZjetaVgwcpWRWdNagNGIEwDQYJKoZIhvcNAQEL -BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw -MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYyLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH -Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr -IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ -sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA -dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE -LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjczBxMC0GCCsGAQUF -BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFAYDVR0gBA0w -CzAJBgcEAIvsQAEGMBIGA1UdJQQLMAkGBwQAi+xDAQAwFgYDVR0RBA8wDYILZXhh -bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAJkT6YhaZ4W5A45bhPt8e3Jskqoa -g4DX/Gg68/5c/pUAG9W1MTKlGX7fQ3LZUgVdcfR1hXSCVbVgOXj5gueG5Xxx7qxB -4S41fRsH6EEHGfp8/Qw1QkrG0/bbG5cpFv6idM4M4YId8hRr2z5r1rqbIk3svdto -tLYzcOeorIU7XKWxe4u6BiQ4GzK9g50wu/tI22zCTFT5pMV5w5S39zkZoIrvUcOB -tUgwEeuHOWRlk/nrnCsA21lBrlYtoARPwKbFS/WbqgqDNQM2jehxYN13Q5gRDA6v -E/5B13uiGONDo7o4R3/b/KvKWzqLuU8/jjSD+Yf4K/LtS1/Us3j6hh/wWpw= ------END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem.certspec @@ -1,6 +0,0 @@ -issuer:Test CA -subject:2-QWAC -extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 -extension:certificatePolicies:0.4.0.194112.1.6 -extension:extKeyUsage:tlsBinding -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem b/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDGjCCAgKgAwIBAgIUFRtJMtvE63gcmwBNcK6iXk4uvPswDQYJKoZIhvcNAQEL +MIIDAjCCAeqgAwIBAgIUG/8itJaXGtCPAToj0JqD7QsK42wwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdFbXB0eSBRQyBUeXBlIFN0YXRlbWVudDCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 @@ -8,12 +8,12 @@ HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C -AwEAAaNUMFIwIgYIKwYBBQUHAQMEFjAUMAgGBgQAjkYBATAIBgYEAI5GAQYwFAYD -VR0gBA0wCzAJBgcEAIvsQAEFMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMA0GCSqG -SIb3DQEBCwUAA4IBAQCoHsafgLW4DfMH7IQNZ2eMSbqIFoVFufIRODgGjvfjOdNE -UbvWSzocEDdExHDI+I8dbfR8ZfuLWS0eA3KMmwW7NySaJSL/RD1Kv8YwIcDsG+tU -EVnj6sKXBskayKbA+m3HbtaXvXgQr1Bw4M/MOl9Kly9YyjiUOBhFk++q78//8kJY -lEltuF5nIB8ZCemnEteQ4AfecfomY+//pKDQS5TrYYc1VZdQlyLQm78gbgx3XAxB -32t6JsXquzQr9rGyICPfLzMEadY0WP3qAqVTsIkOUqqf3p4vvbjgEuwDb6yM72U8 -pGTTIVByFCSaKJaYaDzxJLtGQVcYH/dduj5qPi0p +AwEAAaM8MDowIgYIKwYBBQUHAQMEFjAUMAgGBgQAjkYBATAIBgYEAI5GAQYwFAYD +VR0gBA0wCzAJBgcEAIvsQAEFMA0GCSqGSIb3DQEBCwUAA4IBAQAo2MYcle2cwk6W +pTVzxh95bQ1yxBo6o6sDXekk+cuf8ym4vjBugJ2/WPC8kWrctlOqEVeuLJJ7Q2cS +6N4Sp+03jms5lJ98T6sl+OinunVXP+Uu1CTPxhxPWCvVZAdWh5HeNJ64XT0xcNEF +f+IMF13H74Od4rvKv0ukvJxI+Cgl72yg1eieSQ1NaJOuATUQMT/v+7MMdGTwxVMe +ZH2iXs4+3xulnBQmCGIJ6fVj3F3KLqkBU0/2pgYf4j/xT4FbvETVaE/VVqhM3tsR +Pue3QSeu9DvjbZCaMP1yWrEM/IOnDk6OpmMzgRLXAHIKe6yzB9EXEaal82tllc4G +UbFJrkB0 -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem.certspec 
@@ -2,4 +2,3 @@ issuer:Test CA subject:Empty QC Type Statement extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6 extension:certificatePolicies:0.4.0.194112.1.5 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem b/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDMzCCAhugAwIBAgIUI5KHHlTNgLJdd6iZP2driK6YhdQwDQYJKoZIhvcNAQEL +MIIDGzCCAgOgAwIBAgIUEzwCkT4XVYVO5bTzSiEpxRsgMMowDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAkMSIwIAYDVQQDDBlNaXNzaW5nIFFDIFR5cGUgU3RhdGVtZW50 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 
@@ -8,13 +8,12 @@ h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt -jQIDAQABo2swaTA5BggrBgEFBQcBAwQtMCswCAYGBACORgEBMB8GEisGAQQB60mF -GoUahRoBg3QJATAJBgcEAI5GAQYDMBQGA1UdIAQNMAswCQYHBACL7EABBTAWBgNV -HREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAEWXKYGSu+Cpl -bbqdmvzO5N8wAoSstfqjuEatD4JUJCfGr6coeHSmZA4qnB9nKHD9JcY+JE/LwWLe -XulfnVBm2j/uoZoUeN9zexOh0yIRVk2JNzy6MB4R1KmgqH7pezjmIVAff7CUhhb6 -0uEgM9PDBVOdB9py7U8KQ0xmBRENmSpqPOsVnuh7AxHF8Xqg0ZdyEWeRVE/i+FAi -IeWDZ/Vs3KENzXN/QOylSWHesQQxNiHymxZNWlUXJXQtNJVZ4BN+XZOA498JZ/NF -+lvZC+Wy7AKFANdEfCobeP7O/gv9bpa+Gwexb6JRmQ+1Zfe45n8Fc0KM0YnamhSL -vdiXGcOPWQ== +jQIDAQABo1MwUTA5BggrBgEFBQcBAwQtMCswCAYGBACORgEBMB8GEisGAQQB60mF +GoUahRoBg3QJATAJBgcEAI5GAQYDMBQGA1UdIAQNMAswCQYHBACL7EABBTANBgkq +hkiG9w0BAQsFAAOCAQEAXxAyC4SBAqDdOUTXpg4dA5CAzROKiraYZydzpj+j73OQ +SsNikXrW2BUVfYxzra240lwDq6eav5Vf/c8BrKo7IdxQMnce9/gqzIc8JI3GbVok +QObdWlqRYeb2KWmk9bwY5JnM9YLRKzhbM6alzg11auqAFGxeEaU7VPG/WhEzcqF3 +mQLIpP4hwUHkyEXd3JeauttqaEEj/WEngr4ao5vVbDkJR1hW8y/wNBseosGMU6ic +LEVt/0vYWqol6RLN2zXQmsRVA6Mc2FS+blmR/mPInXyS6cSxWPHzWrYqybvWmK8z +Cp975qaVck+1IYHRvyOfMNw3TWnZj5lP/eQgqOCRyw== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem.certspec @@ -2,4 +2,3 @@ issuer:Test CA subject:Missing QC Type Statement extension:qcStatements:0.4.0.1862.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem b/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDOjCCAiKgAwIBAgIUS0Vla/X5RnbXwp0w7AsDkJ1JT3wwDQYJKoZIhvcNAQEL +MIIDIjCCAgqgAwIBAgIUaZvo2Y3hVFCeBwu8hzBI0oJHtNswDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBNaXNzaW5nIFFDUyBDb21wbGlhbmNlIFN0 YXRlbWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW @@ -8,13 +8,12 @@ cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV -A6zaGAo17Y0CAwEAAaNrMGkwOQYIKwYBBQUHAQMELTArMBQGEisGAQQB60mFGoUa +A6zaGAo17Y0CAwEAAaNTMFEwOQYIKwYBBQUHAQMELTArMBQGEisGAQQB60mFGoUa hRoBg3QJATATBgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xA -AQUwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAC9z -8M15/6PyvXCqE7A02xSxFFPN//ZHESAGS35pUbtz2sXGX67nbVxV2SUjfg7ggj+k -sI5o8mtXa06DyNJ3PJMyXJRMXADyrmFy/d2GNGaBMpZx+d9CJ0W6Lkd1tpyrHVHa -XdIbrgVosz3LZvZ3aTzhs+nuP8To0LphYZBBuqTznBF6PeUAQJVCKBZee2E9FoGk -X7rd+ztLofgOZPBy6FApCoCCEBnF3wVT0ag/TR+XH+4+nPBNy17CEodpdqC7daMX -+4rC5800wIx76eZBpuR0VWSt8LpB51pAJazXTEFcrxlhDdVgc66rvbsYbQ+MgRzX -EqM30MHsUDPCzWkzU5k= +AQUwDQYJKoZIhvcNAQELBQADggEBADcufbfoLrTniJeqUAgaRUevqbbl4J+w9tq0 +xcwjN1+hIrfCORT0gvI88Vl01U7cqoAwne15coe0oPXdcoLqY4iEtYuqi7wpOiOo +mzK3pUdRaM5XXbver5tm7cpQ7PtaSozYqXYxahSqqdVbmhwjzXCqa8ZURIK2optB +xly1CnGsd+3oiHVz6LBJV2d+sk7OAucwhhcHgO7XjRYiCaOeOFtmA1ZQ+4hlSifU +/ITGU8QC+P0h3NvJmTjHlK8yGn0z4c9CbHvAP2FbqXAbP1OlD+IAyWF4GwGrBAEq +GIXL79Q11oVlBSB9QmB9njOUF3keLA7Hcs8gqqph0idaTe8Zp5w= -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem.certspec 
@@ -2,4 +2,3 @@ issuer:Test CA subject:Missing QCS Compliance Statement extension:qcStatements:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem b/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDHzCCAgegAwIBAgIUU+NV4cSEdzFj42+DvLyRa/NsIE4wDQYJKoZIhvcNAQEL +MIIDBzCCAe+gAwIBAgIUGzv6BXRxTNNy3E3lbxuIjV4kzsgwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYxLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH 
@@ -7,13 +7,13 @@ Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE -LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjajBoMC0GCCsGAQUF +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjUjBQMC0GCCsGAQUF BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwHwYDVR0gBBgw -FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w -DQYJKoZIhvcNAQELBQADggEBAFzDDaBscyusAEq2tGNu8+C0dfgGign4OiI1UBaH -WzNlw2OJQGXbUK06x/Kw2RcJ0ap+/ayyBFaU0ScKnJade48u8/e7wGlTiSjI3Y1y -oXrhx/i/wa9DAqHXEyvvHLMNuySYaTDRVuW/3AMtQArk6RlJ5vpIOEbX1Z6P7RKj -G94UkktzhCFI9O8yiYhbMkFx0LDXsSh5ABg8Ebzy4LP7OvQ8BNc7Mhd45ID3jzJk -pBZp+p8OcHdMzo0bkYZysNgMhr3sKzRUrtO8liPa/SrocTeDxEZHuSzdEZFSx3ki -PqkRAHuPnNgnL9upwA17hoR79TaIN7lzQXROL9iInG0bl6o= +FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEBAEQ1JL7Q +k6l9ZqMbskPdZBZVedIgRBcAC2wVlHkjdMSnmenD3GcXtAh2XVJRSoh2tl9IutEJ +lVJReisdoXFlmdY8QO4G9vuNvMIIpU/6CeKGaFNYIjquo1q+FQVsoWzFM3TZLA36 +xDWTokhf3EFYuFcvNpn5xFwtiKY9OT94wyREVOdSvPV+AyheGEOD3Bqym0Du8644 +ypJzKTqxVz2W5j/lhNLY2J7+YfjqgaTyq73zdFjl+4UEzLeXIJRc19HysBNFeDd+ +I1loTkXyTOGv/mpmqAY+yi69JIw6nss9jkckvuyg/XPQX0ilBVNUUD0zWVp/vLou +ZufjNWk/k0Kq6nk= -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem.certspec @@ -2,4 +2,3 @@ issuer:Test CA subject:1-QWAC extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem b/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDAzCCAeugAwIBAgIUeY1irrTutNVgoPfDQs6ruDuxTyowDQYJKoZIhvcNAQEL +MIIC6zCCAdOgAwIBAgIUQfGUxOhuv1LSHMj4LnmvsWzMUGYwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAWMRQwEgYDVQQDDAtObyBQb2xpY2llczCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX @@ -7,13 +7,12 @@ bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO -NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNJMEcwLQYI -KwYBBQUHAQMEITAfMAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzAWBgNV -HREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAAcM7nrHwKbtB -6Kp3S3bFKN2fW2e6bs3FPv6/46XK/n+yTYlMFWQTNI5bZfRdJxDtD2HQ9CxLYvKv -qpk6tWi9nmxt4aVCTKyJatAlZ9BlavzUjXg8fIZ8umIRG307a5aB3Zku2M9pQsBh -WVwiaHOxt0Zsx7wpYhJ49/8FD+tGVgZNf2skq9AbViEQfYEeZ83TV7TGULXIHmU1 -YEX3uq5YH4W2tKw7mGVDPWdnN84AUa+Ov6FMnOR5633WYozwWcToF0hTpMsSWN6U -t8g0zirfLz8+NYpOBdJWL1Q2d1ixRh3CGMyfOycI9UN3Zof8KcyziX5HiXvEEL6t -F/kY4RxSnA== +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMxMC8wLQYI +KwYBBQUHAQMEITAfMAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzANBgkq +hkiG9w0BAQsFAAOCAQEAdBHBIcFca3o2l8/guLJSx+m+8Vt5940Lt5oMxZM2P2SJ +nrBM+i6kGZ0vkXUICF9VoQQRpxCj3quYrt2c0KjjGjXRV6T5hFF7G3SSFzpTXX5V +jTIHrBEd09/g7juhY7KIxAbHYJecIC+PQNMJxCVzrYcao07w5QHOeSbWSjB+UDa7 +emVXrcs7UNk2wEYzGTnkdhTu40DbFRIou/wRBKOmiAYny4/lak/XnwLgX9UOV6Am +Boz3pOzY3w4iNHYLGqOldzhHwuCDHWDYYFPpNmA45yTpWaoGr6Gd4h7/bbwqOiXO +YotZEvSKufwkeBoKfdWRS38TVJnIyDs+2rgjmqGRWQ== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem.certspec 
@@ -1,4 +1,3 @@ issuer:Test CA subject:No Policies extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/test-int.pem b/security/manager/ssl/tests/unit/test_qwacs/test-int.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIC9TCCAd2gAwIBAgIUQRknqy2ezhJLsknv7BXCPTOnXT0wDQYJKoZIhvcNAQEL +MIIC3TCCAcWgAwIBAgIUAxPrsRjtbFinLUfRzhtR8EeYh4YwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 @@ -7,12 +7,12 @@ SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW -JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM1 -MDMwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwFgYDVR0RBA8wDYILZXhhbXBs -ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAE0PfNeUJk77Cm8hLnsNRS0HSqE5nlIh -6zooj6XywgJ/l0D3tN8AmBaKbdaPazsXPBWxorCYc752qKJ8CRrt2yT6PteSvRar -WrN6OfZGyyIrF3WN3pnUhsSytmfck/8wFGyLAXUVfK9iugfP/Z5lCERHIDEVX3to -+zbDwQK3FSrVnziyVYDdwhiI/YJ2WFyeyw6yGNoc1Lu3M7obc7WEtReVTXOJc8OL -HyUL9rlP7Y28QCTmqd4dZvzC67o9X+exGHEom/La1lWQcYYml8Z6zn82h2Sg12Es -gLIb+CzG76XnX2oDKPs0b+ghZCUhc1dsCdmBMYpMo1rYQXEfFybpFoA= +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd +MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB +AKMLQxpBsyCNjuzQZY6Y8dJVzmNwfa0mvzDCLI6ltjK3X4pzz7tCb+hXH+Z3lhf+ +t5N4eSMnXgobxb3tya8/2c+3kp6oxx+BwyvvA7zLPrTgHed8/G8z9tpZJrJxTcOB +83fDkvTE9/49KIffeSF7I/IedybWjqO93IZMqVVB5xfbD3WoYCe6SipiUqvVB3oy +4PBC5ONA1ZFGwqj7/6vgmgHukWIc6GogczKdLIR/Wu5laV8Wug+xP/GUUcuAOIuY +hk6WMVRikq8g+wf2FG0i0NcGDOAK0Z/1nFvKpIJomZ8Q9NYVs0tfhoSLPwtd7cDT +XYDC9Gn4ncbAQIRIAnNm2Ew= -----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_qwacs/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/test-int.pem.certspec @@ -2,4 +2,3 @@ issuer:Test CA subject:Test Intermediate extension:basicConstraints:cA, extension:keyUsage:cRLSign,keyCertSign -extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem b/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDGzCCAgOgAwIBAgIUWxLva6lTWIUyCH8F92hdVvaTE7gwDQYJKoZIhvcNAQEL +MIIDAzCCAeugAwIBAgIUYegOCXCmPzhM1hjEkCosdeKOs2UwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1Xcm9uZyBRQyBUeXBlMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 
@@ -7,13 +7,13 @@ aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR -CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo18wXTAt +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0cwRTAt BggrBgEFBQcBAwQhMB8wCAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYCMBQG -A1UdIAQNMAswCQYHBACL7EABBTAWBgNVHREEDzANggtleGFtcGxlLmNvbTANBgkq -hkiG9w0BAQsFAAOCAQEAV+xcKoEgaA9Kk+MDJir8JpXqbOQ5D1PLaRSFH8aGyMir -1sYBpidUIpQPjKLpiDSrok3E2gvyD0Xenv32RXoqHV9LvL9aqo5vSj4qL1bhTBac -dfVy/e+CRJlP8pkE/n1kSCOsMkl+CC2Itk+vfL0ZbRc7ITS7Oj8NiSxv/oiPLfHB -4b7qUM6B8gD87Jwz+01RkAzIV8IZZ1DGC5clJH7Mn2sUbIP4jNmlKjT8ujFWB7x+ -/ntJ3NF3+BzPLaWbe0Q8IPuTqg33aXf2jzcRrdOmq0PBUrQ2BPShzYLaBtsxtfsv -LZMdJVRgM06wrqEkSad4A/Pw6HNdyHdKJY+odl6xyg== +A1UdIAQNMAswCQYHBACL7EABBTANBgkqhkiG9w0BAQsFAAOCAQEAClyA/q0iAF1j +acwk1apKyp2b5O+fMJhPtx3ulZXkMXexJaF+f9uIgpYniHkRSYaTaYEPbCk8dWmq +NNSMbIhTJAwUloFzcxalzkSg3l9yDg/pEinmw0d+C4eUF/gKeiZ9nPY2hxOBDZHl +Lo0U7UOeqWlI92x+OpmbID+TR8ZAgl3tD8EPsl2Z32PzYpx/MPwHy1gAclgUnJz9 +4NTYqMra1KLYNzvPHB5kGXwewxIpWZF2Fj+6uP4aXeKyVsEYNUDAL60JyZA5UCQh +JDCPADRfuaSpLNWCPZJH5uSrovrUDTihT12SAdaIB/a0K4FeWL3IZJFb2OJHnr57 +oicH3X8XsA== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem.certspec @@ -2,4 +2,3 @@ issuer:Test CA subject:Wrong QC Type extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.2 extension:certificatePolicies:0.4.0.194112.1.5 -extension:subjectAlternativeName:example.com diff --git a/security/manager/tools/pycert.py b/security/manager/tools/pycert.py 
@@ -29,7 +29,7 @@ keyUsage:[digitalSignature,nonRepudiation,keyEncipherment, dataEncipherment,keyAgreement,keyCertSign,cRLSign] extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection nsSGC, # Netscape Server Gated Crypto - OCSPSigning,timeStamping,tlsBinding] + OCSPSigning,timeStamping] subjectAlternativeName:[<dNSName|directoryName|"ip4:"iPV4Address>,...] authorityInformationAccess:<OCSP URI> certificatePolicies:[<policy OID>,...] @@ -578,8 +578,6 @@ class Certificate: return univ.ObjectIdentifier("1.3.6.1.5.5.7.3.9") if keyPurpose == "timeStamping": return rfc2459.id_kp_timeStamping - if keyPurpose == "tlsBinding": - return univ.ObjectIdentifier("0.4.0.194115.1.0") raise UnknownKeyPurposeTypeError(keyPurpose) def addExtKeyUsage(self, extKeyUsage, critical):