commit e3d6fb9d8b9e8132b3dba6747008f67e76c9e9b5 parent dcdc6b0900b0f6865eec98ac966d77faa783ee8e Author: Dana Keeler <dkeeler@mozilla.com> Date: Tue, 28 Oct 2025 21:14:16 +0000 Bug 1996388 - extend 1-QWAC API to also verify 2-QWACs r=jschanck Differential Revision: https://phabricator.services.mozilla.com/D270220 Diffstat:
34 files changed, 434 insertions(+), 158 deletions(-)
diff --git a/security/manager/ssl/QWACs.cpp b/security/manager/ssl/QWACs.cpp @@ -20,26 +20,31 @@ using namespace mozilla::psm; using mozilla::dom::Promise; -class Verify1QWACTask : public mozilla::CryptoTask { +class VerifyQWACTask : public mozilla::CryptoTask { public: - Verify1QWACTask(nsIX509Cert* aCert, - const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, - RefPtr<Promise>& aPromise) - : mCert(aCert), + VerifyQWACTask(nsIX509CertDB::QWACType aType, nsIX509Cert* aCert, + const nsACString& aHostname, + const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, + RefPtr<Promise>& aPromise) + : mType(aType), + mCert(aCert), + mHostname(aHostname), mCollectedCerts(aCollectedCerts.Clone()), - mPromise(new nsMainThreadPtrHolder<Promise>("Verify1QWACTask::mPromise", + mPromise(new nsMainThreadPtrHolder<Promise>("VerifyQWACTask::mPromise", aPromise)), - mVerifiedAs1QWAC(false) {} + mVerified(false) {} private: virtual nsresult CalculateResult() override; virtual void CallCallback(nsresult rv) override; + nsIX509CertDB::QWACType mType; RefPtr<nsIX509Cert> mCert; + nsCString mHostname; nsTArray<RefPtr<nsIX509Cert>> mCollectedCerts; nsMainThreadPtrHandle<Promise> mPromise; - bool mVerifiedAs1QWAC; + bool mVerified; }; // Does this certificate have the correct qcStatements ("qualified certificate @@ -51,7 +56,7 @@ class Verify1QWACTask : public mozilla::CryptoTask { // 2) a QCStatement with statementId equal to id-etsi-qcs-QcType and a // statementInfo of length one that contains the id-etsi-qct-web // identifier. -bool CertHasQWACSQCStatements(const nsTArray<uint8_t>& certDER) { +bool CertHasQWACSQCStatements(Input cert) { using namespace mozilla::pkix::der; // python DottedOIDToCode.py id-etsi-qcs-QcCompliance 0.4.0.1862.1.1 
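Review bot: VerifyQWACTask has no comment stating what it computes, and now that a type and a hostname are folded into the constructor a reader has to follow CalculateResult to learn that mVerified is the boolean the promise is resolved with. Suggest a header comment above the class: `// CryptoTask that decides whether mCert is a QWAC of type mType for mHostname, using mCollectedCerts for path building; mPromise is resolved with the boolean result, or rejected if the check itself fails.` Copying aHostname into an owned nsCString is the right choice, since the nsACString passed in is only borrowed for the duration of the call and CalculateResult presumably runs on another thread. Keeping the initializer list in declaration order (mType, mCert, mHostname, mCollectedCerts, mPromise, mVerified), as this hunk does, is worth preserving when more fields are added.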
@@ -66,10 +71,6 @@ bool CertHasQWACSQCStatements(const nsTArray<uint8_t>& certDER) { static const uint8_t id_etsi_qct_web[] = {0x04, 0x00, 0x8e, 0x46, 0x01, 0x06, 0x03}; - Input cert; - if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { - return false; - } BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); if (backCert.Init() != Success) { return false; @@ -127,30 +128,17 @@ bool CertHasQWACSQCStatements(const nsTArray<uint8_t>& certDER) { if (rv != Success) { return false; } + if (!qcStatements.AtEnd()) { + return false; + } return foundQCComplianceStatement && foundQCTypeStatementWithWebType; } -// For 1-QWACs, ETSI TS 119 411-5 V2.1.1 clause 6.1.2 ("Validation of QWACs") -// item 5 references clause 4.1.2, which references clause 4.1.1, which states -// that such certificates must have either the QEVCP-w or QNCP-w policy as -// specified in ETSI EN 319 411-2. -bool CertHas1QWACPolicy(const nsTArray<uint8_t>& certDER) { +// Helper function to determine if a certificate has a policy from the given +// list of acceptable policies. +bool CertHasPolicyFrom(Input cert, const nsTArray<Input>& policies) { using namespace mozilla::pkix::der; - // QEVCP-w is itu-t(0) identified-organization(4) etsi(0) - // qualified-certificate-policies(194112) policy-identifiers(1) qcp-web (4) - // python DottedOIDToCode.py qevcp-w 0.4.0.194112.1.4 - static const uint8_t qevcp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x04}; - - // QNCP-w is itu-t(0) identified-organization(4) etsi(0) - // qualified-certificate-policies(194112) policy-identifiers(1) qncp-web (5) - // python DottedOIDToCode.py qncp-w 0.4.0.194112.1.5 - static const uint8_t qncp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x05}; - - Input cert; - if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { - return false; - } BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); if (backCert.Init() != Success) { return false; 
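Review bot: The comment on CertHasPolicyFrom does not say what shape the entries of `policies` must have; the tables it is fed (`qevcp_w`, `qncp_w`) are the contents octets of the OID with no tag or length, and the match is done with MatchRest against the parsed policy identifier, so a caller passing a full OID TLV would silently never match and the function would just report "no policy". Suggest extending the comment: `// Each entry of `policies` is the DER contents of an OBJECT IDENTIFIER (no tag/length), as produced by DottedOIDToCode.py; any parse error or trailing data in the extension yields false.` The `!qcStatements.AtEnd()` rejection of trailing data is a good tightening and needs no change. CertHasPolicyFrom continues past the end of this hunk.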
@@ -166,7 +154,7 @@ bool CertHas1QWACPolicy(const nsTArray<uint8_t>& certDER) { // ... // } // CertPolicyId ::= OBJECT IDENTIFIER - bool found1QWACPolicy = false; + bool foundPolicy = false; mozilla::pkix::Result rv = NestedOf(certificatePolicies, SEQUENCE, SEQUENCE, EmptyAllowed::No, [&](Reader& policyInformationContents) { 
@@ -176,57 +164,178 @@ bool CertHas1QWACPolicy(const nsTArray<uint8_t>& certDER) { if (rv != Success) { return rv; } - if (policyIdentifier.MatchRest(qevcp_w) || - policyIdentifier.MatchRest(qncp_w)) { - found1QWACPolicy = true; + for (const auto& policy : policies) { + if (policyIdentifier.MatchRest(policy)) { + foundPolicy = true; + } } return Success; }); if (rv != Success) { return false; } - return found1QWACPolicy; + if (!certificatePolicies.AtEnd()) { + return false; + } + return foundPolicy; +} + +// For 1-QWACs, ETSI TS 119 411-5 V2.1.1 clause 6.1.2 ("Validation of QWACs") +// item 5 references clause 4.1.2, which references clause 4.1.1, which states +// that such certificates must have either the QEVCP-w or QNCP-w policy as +// specified in ETSI EN 319 411-2. +bool CertHas1QWACPolicy(Input cert) { + // QEVCP-w is itu-t(0) identified-organization(4) etsi(0) + // qualified-certificate-policies(194112) policy-identifiers(1) qcp-web (4) + // python DottedOIDToCode.py qevcp-w 0.4.0.194112.1.4 + static const uint8_t qevcp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x04}; + + // QNCP-w is itu-t(0) identified-organization(4) etsi(0) + // qualified-certificate-policies(194112) policy-identifiers(1) qncp-web (5) + // python DottedOIDToCode.py qncp-w 0.4.0.194112.1.5 + static const uint8_t qncp_w[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x05}; + + return CertHasPolicyFrom(cert, {Input(qevcp_w), Input(qncp_w)}); +} + +// For 2-QWACs, ETSI TS 119 411-5 V2.1.1 clause 6.1.2 ("Validation of QWACs") +// item 5 references clause 4.2.2, which references clause 4.2.1, which states +// that such certificates must have the QNCP-w-gen policy as specified in ETSI +// EN 319 411-2. 
+bool CertHas2QWACPolicy(Input cert) { + // QEVCP-w-gen is itu-t(0) identified-organization(4) etsi(0) + // qualified-certificate-policies(194112) policy-identifiers(1) + // qncp-web-gen (6) + // python DottedOIDToCode.py qevcp-w-gen 0.4.0.194112.1.6 + static const uint8_t qevcp_w_gen[] = {0x04, 0x00, 0x8b, 0xec, + 0x40, 0x01, 0x06}; + + return CertHasPolicyFrom(cert, {Input(qevcp_w_gen)}); +} + +// ETSI TS 119 411-5 V2.1.1 states that "The 2-QWAC certificate shall be issued +// in accordance with ETSI EN 319 412-4 [4] for the relevant certificate policy +// as identified in clause 4.2.1 of the present document, except as described +// below: +// * the extKeyUsage value shall only assert the extendedKeyUsage purpose of +// id-kp-tls-binding as specified in Annex A." +// This is interpreted to mean the 2-QWAC certificate must have an +// extendedKeyUsage extension and it must contain only id-kp-tls-binding, and +// that there are no particular restrictions or requirements of the other +// certificates in the chain with regard to EKU extensions. 
+bool CertOnlyHasTLSBindingEKU(Input cert) { + using namespace mozilla::pkix::der; + + // ETSI TS 119 411-5 V2.1.1 Annex A: + // id-tlsBinding OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) + // etsi(0) id-qwacImplementation(194115) tls-binding (1) } + // id-kp-tls-binding OBJECT IDENTIFIER ::= { id-tlsBinding + // id-kp-tls-binding(0) } + // python DottedOIDToCode.py id-kp-tls-binding 0.4.0.194115.1.0 + static const uint8_t id_kp_tls_binding[] = {0x04, 0x00, 0x8b, 0xec, + 0x43, 0x01, 0x00}; + + BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr); + if (backCert.Init() != Success) { + return false; + } + const Input* ekuInput(backCert.GetExtKeyUsage()); + if (!ekuInput) { + return false; + } + Reader eku(*ekuInput); + // Normally, the extended key usage extension is defined like so: + // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId + // KeyPurposeId ::= OBJECT IDENTIFIER + // That is, it consists of a SEQUENCE of OBJECT IDENTIFIERs, where each OID + // identifies a key purpose. However, for 2-QWACs, the EKU must consist of + // exactly one key purpose ID of id-kp-tls-binding. 
+ mozilla::pkix::Result rv = Nested(eku, SEQUENCE, OIDTag, [&](Reader& r) { + if (r.MatchRest(id_kp_tls_binding)) { + return Success; + } + return mozilla::pkix::Result::ERROR_INADEQUATE_CERT_TYPE; + }); + if (rv != Success) { + return false; + } + return eku.AtEnd(); } -nsresult Verify1QWACTask::CalculateResult() { +nsresult VerifyQWACTask::CalculateResult() { mozilla::psm::QWACTrustDomain trustDomain(mCollectedCerts); nsTArray<uint8_t> certDER; nsresult rv = mCert->GetRawDER(certDER); if (NS_FAILED(rv)) { return rv; } - if (!CertHasQWACSQCStatements(certDER)) { - return NS_OK; + Input cert; + if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { + return NS_ERROR_FAILURE; } - if (!CertHas1QWACPolicy(certDER)) { + if (!CertHasQWACSQCStatements(cert)) { return NS_OK; } - Input cert; - if (cert.Init(certDER.Elements(), certDER.Length()) != Success) { + if (mType == nsIX509CertDB::QWACType::OneQWAC) { + if (!CertHas1QWACPolicy(cert)) { + return NS_OK; + } + } else if (mType == nsIX509CertDB::QWACType::TwoQWAC) { + if (!CertHas2QWACPolicy(cert)) { + return NS_OK; + } + if (!CertOnlyHasTLSBindingEKU(cert)) { + return NS_OK; + } + } else { + MOZ_ASSERT_UNREACHABLE("unhandled QWAC type"); return NS_ERROR_FAILURE; } + if (BuildCertChain(trustDomain, cert, Now(), EndEntityOrCA::MustBeEndEntity, KeyUsage::noParticularKeyUsageRequired, KeyPurposeId::anyExtendedKeyUsage, CertPolicyId::anyPolicy, nullptr) != Success) { return NS_OK; } - mVerifiedAs1QWAC = true; + + // For 1-QWACs, the hostname should have already been validated in the TLS + // handshake. However, this operation is not expensive, and it ensures all + // required checks have been done, in case 1-QWACs are ever re-used in a + // different context. 
+ Input hostname; + if (hostname.Init(mozilla::BitwiseCast<const uint8_t*, const char*>( + mHostname.BeginReading()), + mHostname.Length()) != Success) { + return NS_OK; + } + // According to ETSI EN 319 412-4 V1.4.1 section 4, certificates following + // EVCP or QEVCP-w (which includes 1-QWACs) are subject to the CA/Browser + // Forum's EV Guidelines, which incorporates the Baseline Requirements. + // Certificates following QNCP-w-gen (which includes 2-QWACs) are subject to + // the Baseline Requirements with respect to the subject alternative name + // extension. + if (CheckCertHostname(cert, hostname) != Success) { + return NS_OK; + } + + mVerified = true; return NS_OK; } -void Verify1QWACTask::CallCallback(nsresult rv) { +void VerifyQWACTask::CallCallback(nsresult rv) { if (NS_FAILED(rv)) { mPromise->MaybeReject(rv); } else { - mPromise->MaybeResolve(mVerifiedAs1QWAC); + mPromise->MaybeResolve(mVerified); } } NS_IMETHODIMP -nsNSSCertificateDB::AsyncVerify1QWAC( - nsIX509Cert* aCert, const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, - JSContext* aCx, mozilla::dom::Promise** aPromise) { +nsNSSCertificateDB::AsyncVerifyQWAC( + QWACType aType, nsIX509Cert* aCert, const nsACString& aHostname, + const nsTArray<RefPtr<nsIX509Cert>>& aCollectedCerts, JSContext* aCx, + mozilla::dom::Promise** aPromise) { NS_ENSURE_ARG_POINTER(aCx); nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx); @@ -239,8 +348,8 @@ nsNSSCertificateDB::AsyncVerify1QWAC( return result.StealNSResult(); } - RefPtr<Verify1QWACTask> task( - new Verify1QWACTask(aCert, aCollectedCerts, promise)); + RefPtr<VerifyQWACTask> task( + new VerifyQWACTask(aType, aCert, aHostname, aCollectedCerts, promise)); nsresult rv = task->Dispatch(); if (NS_FAILED(rv)) { return rv; diff --git a/security/manager/ssl/nsIX509CertDB.idl b/security/manager/ssl/nsIX509CertDB.idl 
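Review bot: CertHas2QWACPolicy names its OID `qevcp_w_gen` and its comments say "QEVCP-w-gen" and `DottedOIDToCode.py qevcp-w-gen`, while the doc comment immediately above says the required policy is QNCP-w-gen and the arc comment itself reads `qncp-web-gen (6)`; the bytes (0.4.0.194112.1.6) agree with QNCP-w-gen, so the check is right but the name will mislead anyone cross-referencing EN 319 411-2. Suggest `// QNCP-w-gen is itu-t(0) identified-organization(4) etsi(0)`, `// python DottedOIDToCode.py qncp-w-gen 0.4.0.194112.1.6` and `static const uint8_t qncp_w_gen[] = {0x04, 0x00, 0x8b, 0xec, 0x40, 0x01, 0x06};`, with the matching `Input(qncp_w_gen)` in the return. Separately, in CalculateResult a hostname that fails `hostname.Init` (one an Input cannot hold) resolves the promise with false rather than rejecting, which is consistent with how a non-matching name is treated; a one-line comment there, `// An unusable hostname is reported as "not a QWAC", not as an error.`, would make that deliberate. CertHasPolicyFrom begins before this hunk.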
@@ -386,14 +386,23 @@ interface nsIX509CertDB : nsISupports { [must_use] nsIX509Cert getAndroidCertificateFromAlias(in AString alias); + cenum QWACType : 8 { + OneQWAC, + TwoQWAC, + }; + /** - * Given a certificate and a list of other certificates that may be useful in - * path building, asynchronously determines whether or not the certificate in - * question is a 1-QWAC ("qualified website authentication certificate") as - * per ETSI TS 119 411-5 and related standards. + * For a QWAC type (1-QWAC or 2-QWAC), given a certificate, a hostname, and a + * list of other certificates that may be useful in path building, + * asynchronously determines whether or not the certificate in question is a + * QWAC ("qualified website authentication certificate") of that type as per + * ETSI TS 119 411-5 and related standards. */ [implicit_jscontext] - Promise asyncVerify1QWAC(in nsIX509Cert cert, in Array<nsIX509Cert> collectedCerts); + Promise asyncVerifyQWAC(in nsIX509CertDB_QWACType type, + in nsIX509Cert cert, + in ACString hostname, + in Array<nsIX509Cert> collectedCerts); /** * Verifies that the all the signatures in the PKCS7 CMS message are valid for the associated data. @@ -422,5 +431,4 @@ interface nsIX509CertDB : nsISupports { in Array<Array<uint8_t> > data, in nsIX509CertDB_PDFSignatureAlgorithm signatureType ); - }; diff --git a/security/manager/ssl/tests/unit/test_qwacs.js b/security/manager/ssl/tests/unit/test_qwacs.js @@ -12,8 +12,10 @@ const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( async function verify_1_qwacs(filename, expectSuccess, extraCertNames = []) { let cert = constructCertFromFile(filename); - let result = await certdb.asyncVerify1QWAC( + let result = await certdb.asyncVerifyQWAC( + Ci.nsIX509CertDB.OneQWAC, cert, + "example.com", extraCertNames.map(filename => constructCertFromFile(filename)) ); equal( 
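Review bot: The new `hostname` argument of asyncVerifyQWAC is not described in the interface comment, which only says a hostname is "given", so callers cannot tell from the IDL what the name is checked against or what a mismatch does. Suggest appending to the comment: ` * The certificate must also be valid for `hostname`; its subject alternative name is checked and a mismatch makes the promise resolve with false rather than reject.` That is what QWACs.cpp does when CheckCertHostname fails, and the example.org case in test_qwacs.js pins it.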
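Review bot: verify_1_qwacs now hardcodes "example.com" for every 1-QWAC case, so the hostname check that CalculateResult now also runs for 1-QWACs is never exercised with a mismatching name on that path; only the 2-QWAC helper has an example.org case. Suggest giving this helper the same optional parameter as verify_2_qwacs, `async function verify_1_qwacs(filename, expectSuccess, extraCertNames = [], hostname = "example.com")`, passing `hostname` through to asyncVerifyQWAC, and adding `await verify_1_qwacs("test_qwacs/1-qwac.pem", false, [], "example.org");` to test_verify_1_qwacs. The body of verify_1_qwacs continues past the end of this hunk.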
@@ -24,6 +26,7 @@ async function verify_1_qwacs(filename, expectSuccess, extraCertNames = []) { } add_task(async function test_verify_1_qwacs() { + Services.prefs.clearUserPref("security.qwacs.enable_test_trust_anchors"); // By default, the QWACs test trust anchors are not used. await verify_1_qwacs("test_qwacs/1-qwac.pem", false); await verify_1_qwacs("test_qwacs/1-qwac-qevcpw.pem", false); @@ -47,4 +50,40 @@ add_task(async function test_verify_1_qwacs() { await verify_1_qwacs("test_qwacs/wrong-qc-type.pem", false); await verify_1_qwacs("test_qwacs/no-1-qwac-policies.pem", false); await verify_1_qwacs("test_qwacs/no-policies.pem", false); + await verify_1_qwacs("test_qwacs/2-qwac.pem", false); +}); + +async function verify_2_qwacs( + filename, + expectSuccess, + hostname = "example.com" +) { + let cert = constructCertFromFile(filename); + let result = await certdb.asyncVerifyQWAC( + Ci.nsIX509CertDB.TwoQWAC, + cert, + hostname, + [] + ); + equal( + result, + expectSuccess, + `$(unknown) ${expectSuccess ? "should" : "should not"} verify as 2-QWAC` + ); +} + +add_task(async function test_verify_2_qwacs() { + Services.prefs.clearUserPref("security.qwacs.enable_test_trust_anchors"); + // By default, the QWACs test trust anchors are not used. + await verify_2_qwacs("test_qwacs/2-qwac.pem", false); + + Services.prefs.setBoolPref("security.qwacs.enable_test_trust_anchors", true); + + await verify_2_qwacs("test_qwacs/2-qwac.pem", true); + + await verify_2_qwacs("test_qwacs/1-qwac.pem", false); + await verify_2_qwacs("test_qwacs/2-qwac-no-eku.pem", false); + await verify_2_qwacs("test_qwacs/2-qwac-tls-server-eku.pem", false); + await verify_2_qwacs("test_qwacs/2-qwac-multiple-key-purpose-eku.pem", false); + await verify_2_qwacs("test_qwacs/2-qwac.pem", false, "example.org"); }); diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem 
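Review bot: Every verify_2_qwacs call passes `[]` as collectedCerts, so the 2-QWAC tests only cover a leaf issued directly by the test root; the interpretation recorded in CertOnlyHasTLSBindingEKU that intermediates carry no EKU requirement (BuildCertChain is called with anyExtendedKeyUsage) is therefore untested, whereas the 1-QWAC suite appears to have such a case given that 1-qwac-via-intermediate.pem is among the fixtures touched here. Suggest adding an `extraCertNames = []` parameter to verify_2_qwacs, mapping it through constructCertFromFile the way verify_1_qwacs does, and a `2-qwac-via-intermediate.pem` fixture issued by "Test Intermediate" with the tlsBinding EKU and the QNCP-w-gen policy. The existing negative cases (no EKU, serverAuth EKU, two key purposes, wrong host) are the right set for the new checks.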
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDSTCCAjGgAwIBAgIUaZ76rjPYP4T+dytmDJ7/oGjMu6wwDQYJKoZIhvcNAQEL +MIIDYzCCAkugAwIBAgIUI/oo87khfS5TsbQOTVpkwwj3NqEwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAyMTAwLgYDVQQDDCcxLVFXQUMgd2l0aCBvdGhlciBvcHRpb25h bCBxY1N0YXRlbWVudHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 @@ -8,13 +8,14 @@ iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr 8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ 77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J -I/pyUcQx1QOs2hgKNe2NAgMBAAGjczBxMFkGCCsGAQUFBwEDBE0wSzAqBhIrBgEE -AetJhRqFGoUaAYN0CQEwFAYSKwYBBAHrSYUahRqFGgGDdAkBMAgGBgQAjkYBATAT -BgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQUwDQYJKoZI -hvcNAQELBQADggEBAIksotr4cBkTAcLiJZltl8K0DpQE2uCXJmSuoRbvM+7dzUjQ -yT5mnNpY86+itom5xi+kVgobctZNB7qKNCelNLnF5xcQdvnSYfJgvHQGRZBVvtJ+ -3HprWWMFl3h2oADnyGftOGNtwFOSBja68uVY5R/hHyI518lxNcp6ON3BBamJMrTt -FLmEqCE9ixFlUY12XIc0Vw828hvP3WDkzrNqRTuSZwnM9J0wUO6te8PRIlVodsJU -T7WfRa/7/MLed5SkHo7HfUOgg/LGFPKWRTZCbbmf0T0r1nE5T8NgauqLaJQKCAH3 -xsWkQK2Jo+1hVmW5QKqRt68Cv8YoN/lPzWkzY+k= +I/pyUcQx1QOs2hgKNe2NAgMBAAGjgYwwgYkwWQYIKwYBBQUHAQMETTBLMCoGEisG +AQQB60mFGoUahRoBg3QJATAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCAYGBACORgEB +MBMGBgQAjkYBBjAJBgcEAI5GAQYDMBQGA1UdIAQNMAswCQYHBACL7EABBTAWBgNV +HREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAUs4m4+zFsQ/d +MYWojI8kGBSl7vxHVIzN5YI22MkddgIlLHUa6Cjg8LKmv8KMsHvLNEmWu8psJ/99 +oNbsu8qMKlZh4QiK7rnvLfDejAZgckRj3c9+jmpLwtZci2BI8nep8ea+BccV9K5Q +JVKLlrAIKuL/M93+K+LwyAcWxYnRz2L/7yU3By1dcl3lVKjE9gRGGJs0SKxRrLEF +wpHhc1Ox80lN6Rtc+wj0yjZFIGQ23UmDpI/GD4nxPWUgd7ACz1NQQHi8CHSNfth/ +bl9vfrj0ie/OzjrtgoZ0OF3zDsSGwcQzJo/keWacs9aeoMbNC9JP0bVFZtCEICJi +SO+0wqpLJg== -----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-other-optional-qcs.pem.certspec @@ -2,3 +2,4 @@ issuer:Test CA subject:1-QWAC with other optional qcStatements extension:qcStatements:1.3.6.1.4.1.13769.666.666.666.1.500.9.1:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDBjCCAe6gAwIBAgIUG1MjuksFls8P6XUPgmjbaz1pu8QwDQYJKoZIhvcNAQEL +MIIDHjCCAgagAwIBAgIUTUmIUofkufiQc+GWG42KrNYKGUkwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAbMRkwFwYDVQQDDBAxLVFXQUMgKFFFVkNQLXcpMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK 
@@ -7,13 +7,13 @@ tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl -nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0cw -RTAtBggrBgEFBQcBAwQhMB8wCAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYD -MBQGA1UdIAQNMAswCQYHBACL7EABBDANBgkqhkiG9w0BAQsFAAOCAQEACEmrysb7 -7MPsWOwPKr8rbQzmEo149mKXrSMi9tDJk+DlPrkcGo8jz2zLMXEADbFoCBBv1YGO -41ro2r4MVHyH2f/AGk18h5aYL2jQTufLTCcuoPo7B078jMmAdivOICdzarjuMZrR -9yU2+6JHTpEUtnquSw7td/+dJqaVtT8wRe9GdnqPWnVdkfWkoNdY72gZ+4dWihnn -SacQYj6gL/OW8EGYl8JSL+c+lD6FsPRW8UH4UkgXQPzFSMlbq7QyLOi0EU9zqIxE -2LMUl3WXBi2k4ecVHI0gJGiXg1m8MxhToRDftiq79Tw+elqJwj1ychUNMERNAy0X -t2rLLMYA5DIieA== +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo18w +XTAtBggrBgEFBQcBAwQhMB8wCAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYD +MBQGA1UdIAQNMAswCQYHBACL7EABBDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAN +BgkqhkiG9w0BAQsFAAOCAQEATzgg0JEIVsIDJCS4utDxFf4Go1G3VvadDHLsPNwa +mQsyzT/IXQj8WuUEoJFpKVjarQI2oQAJepE4h3LxIBYQVUSWejpp1LTbRuUtKcD9 +UAUvHEqzeReXH+Nlqx7hmPTG20woyX7uFxe8giobfNGImS5+r2b0mfMh1Q9o2+Hd +9nk1QnTdkTWQTZ0jp2P3bXstvo7KEyxmg+e9w74Re+3M9R828boHs/uDbfFh3If+ +ZvhUEEmwKKVFoP0hfr5p7KBIjToGkHr/Ciuj8p5voT6ZuQ/oEO6WhFDSGUONlATI +HcO2qhxC6W6hv48tpZKjUxl6cke8fWQ2JVCx8eEUcIGDjQ== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-qevcpw.pem.certspec @@ -2,3 +2,4 @@ issuer:Test CA subject:1-QWAC (QEVCP-w) extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.4 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDHDCCAgSgAwIBAgIUN3k8AnTEt+DKd7zpHnxNCcNWrj4wDQYJKoZIhvcNAQEL +MIIDNDCCAhygAwIBAgIUH9ZcqeRHfVSU5dx2MuMnzwSfbfYwDQYJKoZIhvcNAQEL BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMzExMjgwMDAw MDBaGA8yMDI2MDIwNTAwMDAwMFowJzElMCMGA1UEAwwcMS1RV0FDIHZpYSBUZXN0 IEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI @@ -8,12 +8,13 @@ r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD 7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj -+nJRxDHVA6zaGAo17Y0CAwEAAaNHMEUwLQYIKwYBBQUHAQMEITAfMAgGBgQAjkYB -ATATBgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQUwDQYJ -KoZIhvcNAQELBQADggEBADogfTffZJ+lbfrIb4XjWIgW9/N8wfTK0wAkiynauW+K -Kz/DCwZtxof9WDoQnYNM8w4aBMA3EdCoHqbU94HHtRqLSsysuqrM4/FiMhOrdJyB -I7JOMODuCPTC937ec9DoHO17YvgM+Lr9ou+tixPa9ADTye7FmTq/tvWa9+qJWB1L -GNoMaDsOBiZRKkanNdsrN0KdidcMCg/5PWGf/r93VZJBa+O3UrJjqn+QbBrZxMUa -2UhOOdUN1ERAj1CC/dKnswB4gqNaZvLSvN4WhoDxgfVSe9tq8pbYwLfb/RwNOheH -TMoBXC6RWm6gucuiLbsCknjDKfRIF7q+R9Ewun5mxLs= ++nJRxDHVA6zaGAo17Y0CAwEAAaNfMF0wLQYIKwYBBQUHAQMEITAfMAgGBgQAjkYB +ATATBgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQUwFgYD +VR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAI7fK3tABC4e +OlFOEa6QH+PsfCVsJGPAE7S7KeQsls9iDiXafA1RSgOflqEWLMN0aP4R6miSmEPq +rgVsG4iq+Ahz9IZoeUU21orO4Fd9Z8u4CPwrt7EaIECKgNBXeMNiix/Ey54hiYnq +KGFM+KcVB7gkTlNKZGtvgvaiRxCGJO//DwvBmf2fs51v++YRADvUaPSo9VR20v3e +13vLB3JmTls7pQZgOcGk30BsY2jcQE1ahmvb8zBFafxt2JJSEq29hke5R4NAQYOb +mH8fCIVyFjNtj5baE6pRRv2gFUY1iS2mqXLCbVS8y2umeaFaK4D7wRDg9iaOjoiW +op+vVR3UBBI= -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac-via-intermediate.pem.certspec 
@@ -2,3 +2,4 @@ issuer:Test Intermediate subject:1-QWAC via Test Intermediate extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem b/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIC/DCCAeSgAwIBAgIUG6a58w0ViFDNph9sc09nWvAw2s8wDQYJKoZIhvcNAQEL +MIIDFDCCAfygAwIBAgIURTKOgtp24HFZdewuzQ73/SaHjF4wDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYxLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH 
@@ -7,12 +7,13 @@ Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE -LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjRzBFMC0GCCsGAQUF +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjXzBdMC0GCCsGAQUF BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFAYDVR0gBA0w -CzAJBgcEAIvsQAEFMA0GCSqGSIb3DQEBCwUAA4IBAQBdFd+lIMnM3+kH30yHcfQE -446VQxv+ZpjAixYn/yGl2U5feVTpuDC2yYlV5ehbfvefpl/NqCEwQNU+3DOslp31 -aAJIE4RsHbS/aXXVVhvaJJFpP16nzCMTLmtamUESMRzOYYbWMCsCpvy49ygc+C2Q -qKAew6UFYaBwtlH01U5gkbF2SNiuTKcw8Eb32jLoILn6uypEd7QVSRBvnRRVM+ZW -qgAP3/WPuSBVuBnGgD7xOzPyjti/Gyvv7t6eO54mBhZ4076WTda5E78GwNgS+Vnz -NgCwmmGf+pZsuFfMjF+rvjftOUCQHJkl+bEF+20dZF+4WbrXYqFjFZc09j9cjMrm +CzAJBgcEAIvsQAEFMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEB +CwUAA4IBAQAIcJh4+ZNn0boY1XZzhlmBUrvqjPWaraAe3b+TUWfSzI13yD+F6fIM +HyCRF3i+fLvhopx9UynOJj01yOIlmUzlpB4CSbq2f49h2Xy/fw44TpFtgzuOA5vG +7xHf+DwASs/BgfP7P+hxLcWMUy3R6dcRTHnfykwDaOZKBZVb4amF/JqjIrIwuwFq +miO2n6py008yu7ugNCn7Ozh1Wy5Tdlcg8HoQUE3sbuoJi8ivoQJTjpj10xWnvGwU +iq1mDf7W8O3U8YpU8C5l2HaWmpJU8uMG3NxNyeJZ6MThWzy2nJdps1JcqRqjPPcs +fEBfvQ/NAqSOhPdheR+aJ/uTjxhQCTH4 -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/1-qwac.pem.certspec @@ -2,3 +2,4 @@ issuer:Test CA subject:1-QWAC extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMjCCAhqgAwIBAgIUL+f4J/SXqWfIZicJ/0ILx7suxfQwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw +MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYyLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjfTB7MC0GCCsGAQUF +BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFAYDVR0gBA0w +CzAJBgcEAIvsQAEGMBwGA1UdJQQVMBMGBwQAi+xDAQAGCCsGAQUFBwMBMBYGA1Ud +EQQPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAEVrEtyXKzohAA +lax9ZbvvkD/ifDTa+LSiTU87aqC70ybUs5wLUwQrLkiHbsaj7vzCk/+VJcicctGg +M0UdXPUE1BumTnLXt1imeBF2Gl5MzDK1lNjF5wz5OHZEQRnCocYqqDademP9FJ7r +8x3e40tUU6Ej7aGQW/Ag7YPY84gspB6uFUzO5GZhQY04mKYfVxEJRYyM8qDScoJp +e6KzuDgJF9H0SYJmLo130EHG2VhvL9ns7ERKtTxcKxT1fW1LPs/H5PuPxexMS374 +fKigeHbOP2vvI/EmfAkh7ayZxNY+DM3SPtNnx7m7/gu7b40Ckql1Q0dzFuYXBYl6 +zkzxqkWy +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-multiple-key-purpose-eku.pem.certspec @@ -0,0 +1,6 @@ +issuer:Test CA +subject:2-QWAC +extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 +extension:certificatePolicies:0.4.0.194112.1.6 +extension:extKeyUsage:tlsBinding,serverAuth +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIDCCAgigAwIBAgIUFZ8CNnnECeipfbVs6O78+F9+mJEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw +MjA1MDAwMDAwWjAdMRswGQYDVQQDDBIyLVFXQUMgd2l0aCBubyBFS1UwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +XzBdMC0GCCsGAQUFBwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYB +BgMwFAYDVR0gBA0wCzAJBgcEAIvsQAEGMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29t +MA0GCSqGSIb3DQEBCwUAA4IBAQBMUAUcfKL25pszcVGD5DPygl8g3JFD0lO/2T/r +P7uWddCTfVG16UGaCkUqANCnuRCMEDbcGMOhYCmCQwnBDkSEwFtfJhzgzIlwg0QS +1+K/+yGoMI2DcmRBq6IvSCnH80MHjLKQNHnDCEEC+DDgUfFcQmBP199E27nppZzc +FlHaLuFGni5hJQyXAEVzekhnqdzXaWykf04Q+Un4pc8sMaJB6PQGpLPw12usT2In +tTEEuPffb8V40ek3876cl/rcLXX1SX2y9ZBUf8wmriE71WI704x9itlmsV0/gITK +R326M7XiWoo1wnv+FmNBTM+/gwXl/jsoinNCH62f6Puh4PrO +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-no-eku.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:2-QWAC with no EKU +extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 +extension:certificatePolicies:0.4.0.194112.1.6 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPTCCAiWgAwIBAgIUfVrYO0VOgzmQI8p+JT3JjVmSze4wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw +MjA1MDAwMDAwWjAlMSMwIQYDVQQDDBoyLVFXQUMgd2l0aCBUTFMgc2VydmVyIEVL +VTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAAaN0MHIwLQYIKwYBBQUHAQMEITAfMAgGBgQAjkYBATATBgYEAI5GAQYw +CQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xAAQYwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEB +ADUZ0yreEq4UeltRlfAREQE+FLOedFu70QThSTKmYAnhUdIdWOSeb6JlOST0YaXx +LQvqKZlq8T+JwDHXT55Oatlkbnm7ajVm9BLi0nba51FRr6hK6R+QgdXCejXSF064 +8HfrPvwaWkT9Ky2RVOVarwwrL4lHWT/c/gBnpz5c5y9wmSYlUeo+k0Mnuoio/mnX +u6Uwrij01gdA8maHrqDdrMCKbTsLPJ2i7gLzAIJYfEmy2zS/EnEb7S6Kl99ca60r +piwefwOL+ITY272UfJdAbVZSYgcPoYZnp3NQh6dyi00XitKGzMOHuHXT0ZkQvphc +I2870v8D0vJCq+0eZIZv6AA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac-tls-server-eku.pem.certspec @@ -0,0 +1,6 @@ +issuer:Test CA +subject:2-QWAC with TLS server EKU +extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 +extension:certificatePolicies:0.4.0.194112.1.6 +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem b/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKDCCAhCgAwIBAgIUaftyq0ZjetaVgwcpWRWdNagNGIEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw +MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYyLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjczBxMC0GCCsGAQUF +BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwFAYDVR0gBA0w +CzAJBgcEAIvsQAEGMBIGA1UdJQQLMAkGBwQAi+xDAQAwFgYDVR0RBA8wDYILZXhh +bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAJkT6YhaZ4W5A45bhPt8e3Jskqoa +g4DX/Gg68/5c/pUAG9W1MTKlGX7fQ3LZUgVdcfR1hXSCVbVgOXj5gueG5Xxx7qxB +4S41fRsH6EEHGfp8/Qw1QkrG0/bbG5cpFv6idM4M4YId8hRr2z5r1rqbIk3svdto +tLYzcOeorIU7XKWxe4u6BiQ4GzK9g50wu/tI22zCTFT5pMV5w5S39zkZoIrvUcOB +tUgwEeuHOWRlk/nrnCsA21lBrlYtoARPwKbFS/WbqgqDNQM2jehxYN13Q5gRDA6v +E/5B13uiGONDo7o4R3/b/KvKWzqLuU8/jjSD+Yf4K/LtS1/Us3j6hh/wWpw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/2-qwac.pem.certspec @@ -0,0 +1,6 @@ +issuer:Test CA +subject:2-QWAC +extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 +extension:certificatePolicies:0.4.0.194112.1.6 +extension:extKeyUsage:tlsBinding +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem b/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDAjCCAeqgAwIBAgIUG/8itJaXGtCPAToj0JqD7QsK42wwDQYJKoZIhvcNAQEL +MIIDGjCCAgKgAwIBAgIUFRtJMtvE63gcmwBNcK6iXk4uvPswDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdFbXB0eSBRQyBUeXBlIFN0YXRlbWVudDCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 @@ -8,12 +8,12 @@ HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C -AwEAAaM8MDowIgYIKwYBBQUHAQMEFjAUMAgGBgQAjkYBATAIBgYEAI5GAQYwFAYD -VR0gBA0wCzAJBgcEAIvsQAEFMA0GCSqGSIb3DQEBCwUAA4IBAQAo2MYcle2cwk6W -pTVzxh95bQ1yxBo6o6sDXekk+cuf8ym4vjBugJ2/WPC8kWrctlOqEVeuLJJ7Q2cS -6N4Sp+03jms5lJ98T6sl+OinunVXP+Uu1CTPxhxPWCvVZAdWh5HeNJ64XT0xcNEF -f+IMF13H74Od4rvKv0ukvJxI+Cgl72yg1eieSQ1NaJOuATUQMT/v+7MMdGTwxVMe -ZH2iXs4+3xulnBQmCGIJ6fVj3F3KLqkBU0/2pgYf4j/xT4FbvETVaE/VVqhM3tsR -Pue3QSeu9DvjbZCaMP1yWrEM/IOnDk6OpmMzgRLXAHIKe6yzB9EXEaal82tllc4G -UbFJrkB0 +AwEAAaNUMFIwIgYIKwYBBQUHAQMEFjAUMAgGBgQAjkYBATAIBgYEAI5GAQYwFAYD +VR0gBA0wCzAJBgcEAIvsQAEFMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMA0GCSqG +SIb3DQEBCwUAA4IBAQCoHsafgLW4DfMH7IQNZ2eMSbqIFoVFufIRODgGjvfjOdNE +UbvWSzocEDdExHDI+I8dbfR8ZfuLWS0eA3KMmwW7NySaJSL/RD1Kv8YwIcDsG+tU +EVnj6sKXBskayKbA+m3HbtaXvXgQr1Bw4M/MOl9Kly9YyjiUOBhFk++q78//8kJY +lEltuF5nIB8ZCemnEteQ4AfecfomY+//pKDQS5TrYYc1VZdQlyLQm78gbgx3XAxB +32t6JsXquzQr9rGyICPfLzMEadY0WP3qAqVTsIkOUqqf3p4vvbjgEuwDb6yM72U8 +pGTTIVByFCSaKJaYaDzxJLtGQVcYH/dduj5qPi0p -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/empty-qc-type-statement.pem.certspec 
@@ -2,3 +2,4 @@ issuer:Test CA subject:Empty QC Type Statement extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6 extension:certificatePolicies:0.4.0.194112.1.5 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem b/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDGzCCAgOgAwIBAgIUEzwCkT4XVYVO5bTzSiEpxRsgMMowDQYJKoZIhvcNAQEL +MIIDMzCCAhugAwIBAgIUI5KHHlTNgLJdd6iZP2driK6YhdQwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAkMSIwIAYDVQQDDBlNaXNzaW5nIFFDIFR5cGUgU3RhdGVtZW50 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 
@@ -8,12 +8,13 @@ h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt -jQIDAQABo1MwUTA5BggrBgEFBQcBAwQtMCswCAYGBACORgEBMB8GEisGAQQB60mF -GoUahRoBg3QJATAJBgcEAI5GAQYDMBQGA1UdIAQNMAswCQYHBACL7EABBTANBgkq -hkiG9w0BAQsFAAOCAQEAXxAyC4SBAqDdOUTXpg4dA5CAzROKiraYZydzpj+j73OQ -SsNikXrW2BUVfYxzra240lwDq6eav5Vf/c8BrKo7IdxQMnce9/gqzIc8JI3GbVok -QObdWlqRYeb2KWmk9bwY5JnM9YLRKzhbM6alzg11auqAFGxeEaU7VPG/WhEzcqF3 -mQLIpP4hwUHkyEXd3JeauttqaEEj/WEngr4ao5vVbDkJR1hW8y/wNBseosGMU6ic -LEVt/0vYWqol6RLN2zXQmsRVA6Mc2FS+blmR/mPInXyS6cSxWPHzWrYqybvWmK8z -Cp975qaVck+1IYHRvyOfMNw3TWnZj5lP/eQgqOCRyw== +jQIDAQABo2swaTA5BggrBgEFBQcBAwQtMCswCAYGBACORgEBMB8GEisGAQQB60mF +GoUahRoBg3QJATAJBgcEAI5GAQYDMBQGA1UdIAQNMAswCQYHBACL7EABBTAWBgNV +HREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAEWXKYGSu+Cpl +bbqdmvzO5N8wAoSstfqjuEatD4JUJCfGr6coeHSmZA4qnB9nKHD9JcY+JE/LwWLe +XulfnVBm2j/uoZoUeN9zexOh0yIRVk2JNzy6MB4R1KmgqH7pezjmIVAff7CUhhb6 +0uEgM9PDBVOdB9py7U8KQ0xmBRENmSpqPOsVnuh7AxHF8Xqg0ZdyEWeRVE/i+FAi +IeWDZ/Vs3KENzXN/QOylSWHesQQxNiHymxZNWlUXJXQtNJVZ4BN+XZOA498JZ/NF ++lvZC+Wy7AKFANdEfCobeP7O/gv9bpa+Gwexb6JRmQ+1Zfe45n8Fc0KM0YnamhSL +vdiXGcOPWQ== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/missing-qc-type-statement.pem.certspec @@ -2,3 +2,4 @@ issuer:Test CA subject:Missing QC Type Statement extension:qcStatements:0.4.0.1862.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem b/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDIjCCAgqgAwIBAgIUaZvo2Y3hVFCeBwu8hzBI0oJHtNswDQYJKoZIhvcNAQEL +MIIDOjCCAiKgAwIBAgIUS0Vla/X5RnbXwp0w7AsDkJ1JT3wwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBNaXNzaW5nIFFDUyBDb21wbGlhbmNlIFN0 YXRlbWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW @@ -8,12 +8,13 @@ cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV -A6zaGAo17Y0CAwEAAaNTMFEwOQYIKwYBBQUHAQMELTArMBQGEisGAQQB60mFGoUa +A6zaGAo17Y0CAwEAAaNrMGkwOQYIKwYBBQUHAQMELTArMBQGEisGAQQB60mFGoUa hRoBg3QJATATBgYEAI5GAQYwCQYHBACORgEGAzAUBgNVHSAEDTALMAkGBwQAi+xA -AQUwDQYJKoZIhvcNAQELBQADggEBADcufbfoLrTniJeqUAgaRUevqbbl4J+w9tq0 -xcwjN1+hIrfCORT0gvI88Vl01U7cqoAwne15coe0oPXdcoLqY4iEtYuqi7wpOiOo -mzK3pUdRaM5XXbver5tm7cpQ7PtaSozYqXYxahSqqdVbmhwjzXCqa8ZURIK2optB -xly1CnGsd+3oiHVz6LBJV2d+sk7OAucwhhcHgO7XjRYiCaOeOFtmA1ZQ+4hlSifU -/ITGU8QC+P0h3NvJmTjHlK8yGn0z4c9CbHvAP2FbqXAbP1OlD+IAyWF4GwGrBAEq -GIXL79Q11oVlBSB9QmB9njOUF3keLA7Hcs8gqqph0idaTe8Zp5w= +AQUwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAC9z +8M15/6PyvXCqE7A02xSxFFPN//ZHESAGS35pUbtz2sXGX67nbVxV2SUjfg7ggj+k +sI5o8mtXa06DyNJ3PJMyXJRMXADyrmFy/d2GNGaBMpZx+d9CJ0W6Lkd1tpyrHVHa +XdIbrgVosz3LZvZ3aTzhs+nuP8To0LphYZBBuqTznBF6PeUAQJVCKBZee2E9FoGk +X7rd+ztLofgOZPBy6FApCoCCEBnF3wVT0ag/TR+XH+4+nPBNy17CEodpdqC7daMX ++4rC5800wIx76eZBpuR0VWSt8LpB51pAJazXTEFcrxlhDdVgc66rvbsYbQ+MgRzX +EqM30MHsUDPCzWkzU5k= -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/missing-qcs-compliance.pem.certspec 
@@ -2,3 +2,4 @@ issuer:Test CA subject:Missing QCS Compliance Statement extension:qcStatements:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:0.4.0.194112.1.5 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem b/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDBzCCAe+gAwIBAgIUGzv6BXRxTNNy3E3lbxuIjV4kzsgwDQYJKoZIhvcNAQEL +MIIDHzCCAgegAwIBAgIUU+NV4cSEdzFj42+DvLyRa/NsIE4wDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAYxLVFXQUMwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH 
@@ -7,13 +7,13 @@ Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE -LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjUjBQMC0GCCsGAQUF +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjajBoMC0GCCsGAQUF BwEDBCEwHzAIBgYEAI5GAQEwEwYGBACORgEGMAkGBwQAjkYBBgMwHwYDVR0gBBgw -FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEBAEQ1JL7Q -k6l9ZqMbskPdZBZVedIgRBcAC2wVlHkjdMSnmenD3GcXtAh2XVJRSoh2tl9IutEJ -lVJReisdoXFlmdY8QO4G9vuNvMIIpU/6CeKGaFNYIjquo1q+FQVsoWzFM3TZLA36 -xDWTokhf3EFYuFcvNpn5xFwtiKY9OT94wyREVOdSvPV+AyheGEOD3Bqym0Du8644 -ypJzKTqxVz2W5j/lhNLY2J7+YfjqgaTyq73zdFjl+4UEzLeXIJRc19HysBNFeDd+ -I1loTkXyTOGv/mpmqAY+yi69JIw6nss9jkckvuyg/XPQX0ilBVNUUD0zWVp/vLou -ZufjNWk/k0Kq6nk= +FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20w +DQYJKoZIhvcNAQELBQADggEBAFzDDaBscyusAEq2tGNu8+C0dfgGign4OiI1UBaH +WzNlw2OJQGXbUK06x/Kw2RcJ0ap+/ayyBFaU0ScKnJade48u8/e7wGlTiSjI3Y1y +oXrhx/i/wa9DAqHXEyvvHLMNuySYaTDRVuW/3AMtQArk6RlJ5vpIOEbX1Z6P7RKj +G94UkktzhCFI9O8yiYhbMkFx0LDXsSh5ABg8Ebzy4LP7OvQ8BNc7Mhd45ID3jzJk +pBZp+p8OcHdMzo0bkYZysNgMhr3sKzRUrtO8liPa/SrocTeDxEZHuSzdEZFSx3ki +PqkRAHuPnNgnL9upwA17hoR79TaIN7lzQXROL9iInG0bl6o= -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/no-1-qwac-policies.pem.certspec @@ -2,3 +2,4 @@ issuer:Test CA subject:1-QWAC extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem b/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem 
@@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIC6zCCAdOgAwIBAgIUQfGUxOhuv1LSHMj4LnmvsWzMUGYwDQYJKoZIhvcNAQEL +MIIDAzCCAeugAwIBAgIUeY1irrTutNVgoPfDQs6ruDuxTyowDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAWMRQwEgYDVQQDDAtObyBQb2xpY2llczCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX @@ -7,12 +7,13 @@ bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO -NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMxMC8wLQYI -KwYBBQUHAQMEITAfMAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzANBgkq -hkiG9w0BAQsFAAOCAQEAdBHBIcFca3o2l8/guLJSx+m+8Vt5940Lt5oMxZM2P2SJ -nrBM+i6kGZ0vkXUICF9VoQQRpxCj3quYrt2c0KjjGjXRV6T5hFF7G3SSFzpTXX5V -jTIHrBEd09/g7juhY7KIxAbHYJecIC+PQNMJxCVzrYcao07w5QHOeSbWSjB+UDa7 -emVXrcs7UNk2wEYzGTnkdhTu40DbFRIou/wRBKOmiAYny4/lak/XnwLgX9UOV6Am -Boz3pOzY3w4iNHYLGqOldzhHwuCDHWDYYFPpNmA45yTpWaoGr6Gd4h7/bbwqOiXO -YotZEvSKufwkeBoKfdWRS38TVJnIyDs+2rgjmqGRWQ== +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNJMEcwLQYI +KwYBBQUHAQMEITAfMAgGBgQAjkYBATATBgYEAI5GAQYwCQYHBACORgEGAzAWBgNV +HREEDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAAcM7nrHwKbtB +6Kp3S3bFKN2fW2e6bs3FPv6/46XK/n+yTYlMFWQTNI5bZfRdJxDtD2HQ9CxLYvKv +qpk6tWi9nmxt4aVCTKyJatAlZ9BlavzUjXg8fIZ8umIRG307a5aB3Zku2M9pQsBh +WVwiaHOxt0Zsx7wpYhJ49/8FD+tGVgZNf2skq9AbViEQfYEeZ83TV7TGULXIHmU1 +YEX3uq5YH4W2tKw7mGVDPWdnN84AUa+Ov6FMnOR5633WYozwWcToF0hTpMsSWN6U +t8g0zirfLz8+NYpOBdJWL1Q2d1ixRh3CGMyfOycI9UN3Zof8KcyziX5HiXvEEL6t +F/kY4RxSnA== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/no-policies.pem.certspec 
@@ -1,3 +1,4 @@ issuer:Test CA subject:No Policies extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.3 +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/test-int.pem b/security/manager/ssl/tests/unit/test_qwacs/test-int.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIC3TCCAcWgAwIBAgIUAxPrsRjtbFinLUfRzhtR8EeYh4YwDQYJKoZIhvcNAQEL +MIIC9TCCAd2gAwIBAgIUQRknqy2ezhJLsknv7BXCPTOnXT0wDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 @@ -7,12 +7,12 @@ SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW -JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd -MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB -AKMLQxpBsyCNjuzQZY6Y8dJVzmNwfa0mvzDCLI6ltjK3X4pzz7tCb+hXH+Z3lhf+ -t5N4eSMnXgobxb3tya8/2c+3kp6oxx+BwyvvA7zLPrTgHed8/G8z9tpZJrJxTcOB -83fDkvTE9/49KIffeSF7I/IedybWjqO93IZMqVVB5xfbD3WoYCe6SipiUqvVB3oy -4PBC5ONA1ZFGwqj7/6vgmgHukWIc6GogczKdLIR/Wu5laV8Wug+xP/GUUcuAOIuY -hk6WMVRikq8g+wf2FG0i0NcGDOAK0Z/1nFvKpIJomZ8Q9NYVs0tfhoSLPwtd7cDT -XYDC9Gn4ncbAQIRIAnNm2Ew= +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM1 +MDMwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwFgYDVR0RBA8wDYILZXhhbXBs +ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAE0PfNeUJk77Cm8hLnsNRS0HSqE5nlIh +6zooj6XywgJ/l0D3tN8AmBaKbdaPazsXPBWxorCYc752qKJ8CRrt2yT6PteSvRar +WrN6OfZGyyIrF3WN3pnUhsSytmfck/8wFGyLAXUVfK9iugfP/Z5lCERHIDEVX3to ++zbDwQK3FSrVnziyVYDdwhiI/YJ2WFyeyw6yGNoc1Lu3M7obc7WEtReVTXOJc8OL +HyUL9rlP7Y28QCTmqd4dZvzC67o9X+exGHEom/La1lWQcYYml8Z6zn82h2Sg12Es +gLIb+CzG76XnX2oDKPs0b+ghZCUhc1dsCdmBMYpMo1rYQXEfFybpFoA= -----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_qwacs/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/test-int.pem.certspec @@ -2,3 +2,4 @@ issuer:Test CA subject:Test Intermediate extension:basicConstraints:cA, extension:keyUsage:cRLSign,keyCertSign +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem b/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem @@ -1,5 +1,5 @@ -----BEGIN CERTIFICATE----- -MIIDAzCCAeugAwIBAgIUYegOCXCmPzhM1hjEkCosdeKOs2UwDQYJKoZIhvcNAQEL +MIIDGzCCAgOgAwIBAgIUWxLva6lTWIUyCH8F92hdVvaTE7gwDQYJKoZIhvcNAQEL BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIzMTEyODAwMDAwMFoYDzIwMjYw MjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1Xcm9uZyBRQyBUeXBlMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 
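Review bot: The intermediate fixture `test-int.pem.certspec` (it carries `basicConstraints:cA,`) now also gets `extension:subjectAlternativeName:example.com`, which a CA certificate has no use for. The SAN is presumably added to the end-entity fixtures because the verifier now matches a hostname; if that match is only meant for the end-entity, the line on the intermediate is unnecessary and could hide a regression in which the hostname check is applied to every certificate in the chain. If the regenerated fixture genuinely needs it, the reason should be recorded alongside the fixture, since nothing in the certspec explains it. The test-int.pem hunk itself is generated from this certspec and needs no separate review.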
@@ -7,13 +7,13 @@ aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR -CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0cwRTAt +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo18wXTAt BggrBgEFBQcBAwQhMB8wCAYGBACORgEBMBMGBgQAjkYBBjAJBgcEAI5GAQYCMBQG -A1UdIAQNMAswCQYHBACL7EABBTANBgkqhkiG9w0BAQsFAAOCAQEAClyA/q0iAF1j -acwk1apKyp2b5O+fMJhPtx3ulZXkMXexJaF+f9uIgpYniHkRSYaTaYEPbCk8dWmq -NNSMbIhTJAwUloFzcxalzkSg3l9yDg/pEinmw0d+C4eUF/gKeiZ9nPY2hxOBDZHl -Lo0U7UOeqWlI92x+OpmbID+TR8ZAgl3tD8EPsl2Z32PzYpx/MPwHy1gAclgUnJz9 -4NTYqMra1KLYNzvPHB5kGXwewxIpWZF2Fj+6uP4aXeKyVsEYNUDAL60JyZA5UCQh -JDCPADRfuaSpLNWCPZJH5uSrovrUDTihT12SAdaIB/a0K4FeWL3IZJFb2OJHnr57 -oicH3X8XsA== +A1UdIAQNMAswCQYHBACL7EABBTAWBgNVHREEDzANggtleGFtcGxlLmNvbTANBgkq +hkiG9w0BAQsFAAOCAQEAV+xcKoEgaA9Kk+MDJir8JpXqbOQ5D1PLaRSFH8aGyMir +1sYBpidUIpQPjKLpiDSrok3E2gvyD0Xenv32RXoqHV9LvL9aqo5vSj4qL1bhTBac +dfVy/e+CRJlP8pkE/n1kSCOsMkl+CC2Itk+vfL0ZbRc7ITS7Oj8NiSxv/oiPLfHB +4b7qUM6B8gD87Jwz+01RkAzIV8IZZ1DGC5clJH7Mn2sUbIP4jNmlKjT8ujFWB7x+ +/ntJ3NF3+BzPLaWbe0Q8IPuTqg33aXf2jzcRrdOmq0PBUrQ2BPShzYLaBtsxtfsv +LZMdJVRgM06wrqEkSad4A/Pw6HNdyHdKJY+odl6xyg== -----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem.certspec b/security/manager/ssl/tests/unit/test_qwacs/wrong-qc-type.pem.certspec @@ -2,3 +2,4 @@ issuer:Test CA subject:Wrong QC Type extension:qcStatements:0.4.0.1862.1.1,0.4.0.1862.1.6:0.4.0.1862.1.6.2 extension:certificatePolicies:0.4.0.194112.1.5 +extension:subjectAlternativeName:example.com diff --git a/security/manager/tools/pycert.py b/security/manager/tools/pycert.py 
@@ -29,7 +29,7 @@
 keyUsage:[digitalSignature,nonRepudiation,keyEncipherment,
 dataEncipherment,keyAgreement,keyCertSign,cRLSign]
 extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
 nsSGC, # Netscape Server Gated Crypto
- OCSPSigning,timeStamping]
+ OCSPSigning,timeStamping,tlsBinding]
 subjectAlternativeName:[<dNSName|directoryName|"ip4:"iPV4Address>,...]
 authorityInformationAccess:<OCSP URI>
 certificatePolicies:[<policy OID>,...]
@@ -578,6 +578,8 @@ class Certificate:
 return univ.ObjectIdentifier("1.3.6.1.5.5.7.3.9")
 if keyPurpose == "timeStamping":
 return rfc2459.id_kp_timeStamping
+ if keyPurpose == "tlsBinding":
+ return univ.ObjectIdentifier("0.4.0.194115.1.0")
 raise UnknownKeyPurposeTypeError(keyPurpose)

 def addExtKeyUsage(self, extKeyUsage, critical):
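Review bot: The new `tlsBinding` branch returns the bare literal `0.4.0.194115.1.0` with nothing saying where the value comes from, whereas the docstring entry next to it annotates `nsSGC` with `# Netscape Server Gated Crypto`. A one-line comment on the new branch, e.g. `# tls-binding EKU used by 2-QWACs (0.4.0.194115 arc; confirm against the ETSI 2-QWAC profile)`, would let a reader check the value against the spec rather than trust it, since the arc number is only inferred here from the 0.4.0.194112 policy OIDs used in the fixtures. The enclosing method starts before this hunk. While the docstring list is being touched, `emailProtection nsSGC,` still lacks a comma between the two entries, which is misleading for a list users copy from.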