ExtendedValidation.cpp (64900B)
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "ExtendedValidation.h"

#include "cert.h"
#include "hasht.h"
#include "mozilla/ArrayUtils.h"
#include "mozilla/Assertions.h"
#include "mozilla/Base64.h"
#include "mozilla/Casting.h"
#include "mozilla/PodOperations.h"
#include "mozpkix/pkixder.h"
#include "mozpkix/pkixtypes.h"
#include "mozpkix/pkixutil.h"

#include "nsDependentString.h"
#include "nsString.h"
#include "pk11pub.h"

namespace mozilla {

namespace psm {

// One row of the kEVInfos table: a single combination of root certificate
// and EV policy OID. The root is identified by its issuer name and serial
// number, both stored base64-encoded in their original encoding rather than
// as plain text (see the HOWTO below), plus a SHA-256 fingerprint.
//
// Every row states which root may carry which EV policy OID, so the values
// should be copied from the tool output described in the HOWTO rather than
// retyped by hand.
struct EVInfo {
  // See bug 1338873 about making these fields const.

  // The EV policy OID as dotted-decimal text, e.g. "2.23.140.1.1".
  const char* dottedOid;

  // Text description of the policy OID. Entries that share a dottedOid are
  // expected to share the same oidName (see the IMPORTANT note at the top of
  // kEVInfos).
  // NOTE(review): the two entries for 1.3.6.1.4.1.8024.0.2.100.1.2 in this
  // listing use "Quo Vadis EV OID" and "QuoVadis EV OID" respectively. The
  // code that consumes oidName is not visible here; confirm whether the
  // mismatch matters.
  const char*
      oidName;  // Set this to null to signal an invalid structure,
                // (We can't have an empty list, so we'll use a dummy entry)

  // SHA-256 fingerprint of the root certificate, SHA256_LENGTH bytes
  // ("Fingerprint (SHA-256)" in the pp output).
  unsigned char sha256Fingerprint[SHA256_LENGTH];

  // Base64 of the root's issuer name ("Issuer DER Base64" in the pp output).
  const char* issuerBase64;

  // Base64 of the root's serial number ("Serial DER Base64" in the pp
  // output).
  const char* serialBase64;
};

// HOWTO enable additional CA root certificates for EV:
//
// For each combination of "root certificate" and "policy OID",
// one entry must be added to the array named kEVInfos.
//
// We use the combination of "issuer name" and "serial number" to
// uniquely identify the certificate. In order to avoid problems
// because of encodings when comparing certificates, we don't
// use plain text representation, we rather use the original encoding
// as it can be found in the root certificate (in base64 format).
//
// We can use the NSS utility named "pp" to extract the encoding.
//
// Build standalone NSS including the NSS tools, then run
//   pp -t certificate-identity -i the-cert-filename
//
// You will need the output from sections "Issuer", "Fingerprint (SHA-256)",
// "Issuer DER Base64" and "Serial DER Base64".
//
// The new section consists of the following components:
//
// - a comment that should contain the human readable issuer name
//   of the certificate, as printed by the pp tool
// - the EV policy OID that is associated with the EV grant
// - a text description of the EV policy OID. The array can contain
//   multiple entries with the same OID.
//   Please make sure to use the identical OID text description for
//   all entries with the same policy OID (use the text search
//   feature of your text editor to find duplicates).
//   When adding a new policy OID that is not yet contained in the array,
//   please make sure that your new description is different from
//   all the other descriptions (again use the text search feature
//   to be sure).
// - the SHA-256 fingerprint, taken from the same pp output as the
//   issuer and serial so that all three describe one certificate
// - the "Issuer DER Base64" as printed by the pp tool.
//   Remove all whitespace. If you use multiple lines, make sure that
//   only the final line will be followed by a comma.
// - the "Serial DER Base64" (as printed by pp)
//
// After adding an entry, test it locally against the test site that
// has been provided by the CA. Note that you must use a version of NSS
// where the root certificate has already been added and marked as trusted
// for issuing SSL server certificates (at least).
//
// If you are able to connect to the site without certificate errors,
// but you don't see the EV status indicator, then most likely the CA
// has a problem in their infrastructure.
The most common problems are 86 // related to the CA's OCSP infrastructure, either they use an incorrect 87 // OCSP signing certificate, or OCSP for the intermediate certificates 88 // isn't working, or OCSP isn't working at all. 89 90 #ifdef DEBUG 91 static const size_t NUM_TEST_EV_ROOTS = 2; 92 #endif 93 94 static const struct EVInfo kEVInfos[] = { 95 // clang-format off 96 // IMPORTANT! When extending this list, if you add another entry that uses 97 // the same dottedOid as an existing entry, use the same oidName. 98 #ifdef DEBUG 99 // Debug EV certificates should all use the following OID: 100 // 1.3.6.1.4.1.13769.666.666.666.1.500.9.1. 101 // (multiple entries with the same OID is ok) 102 // If you add or remove debug EV certs you must also modify NUM_TEST_EV_ROOTS 103 // so that the correct number of certs are skipped as these debug EV certs 104 // are NOT part of the default trust store. 105 { 106 // This is the PSM xpcshell testing EV certificate. It can be generated 107 // using pycert.py and the following specification: 108 // 109 // issuer:evroot 110 // subject:evroot 111 // subjectKey:ev 112 // issuerKey:ev 113 // validity:20150101-20350101 114 // extension:basicConstraints:cA, 115 // extension:keyUsage:keyCertSign,cRLSign 116 // 117 // If this ever needs to change, re-generate the certificate and update the 118 // following entry with the new fingerprint, issuer, and serial number. 119 "1.3.6.1.4.1.13769.666.666.666.1.500.9.1", 120 "DEBUGtesting EV OID", 121 { 0x70, 0xED, 0xCB, 0x5A, 0xCE, 0x02, 0xC7, 0xC5, 0x0B, 0xA3, 0xD2, 0xD7, 122 0xC6, 0xF5, 0x0E, 0x18, 0x02, 0x19, 0x17, 0xF5, 0x48, 0x08, 0x9C, 0xB3, 123 0x8E, 0xEF, 0x9A, 0x1A, 0x4D, 0x7F, 0x82, 0x94 }, 124 "MBExDzANBgNVBAMMBmV2cm9vdA==", 125 "IZSHsVgzcvhPgdfrgdMGlpSfMeg=", 126 }, 127 { 128 // This is an RSA root with an inadequate key size. It is used to test that 129 // minimum key sizes are enforced when verifying for EV. 
It can be 130 // generated using pycert.py and the following specification: 131 // 132 // issuer:ev_root_rsa_2040 133 // subject:ev_root_rsa_2040 134 // issuerKey:evRSA2040 135 // subjectKey:evRSA2040 136 // validity:20150101-20350101 137 // extension:basicConstraints:cA, 138 // extension:keyUsage:cRLSign,keyCertSign 139 // 140 // If this ever needs to change, re-generate the certificate and update the 141 // following entry with the new fingerprint, issuer, and serial number. 142 "1.3.6.1.4.1.13769.666.666.666.1.500.9.1", 143 "DEBUGtesting EV OID", 144 { 0x40, 0xAB, 0x5D, 0xA5, 0x89, 0x15, 0xA9, 0x4B, 0x82, 0x87, 0xB8, 0xA6, 145 0x9A, 0x84, 0xB1, 0xDB, 0x7A, 0x9D, 0xDB, 0xB8, 0x4E, 0xE1, 0x23, 0xE3, 146 0xC6, 0x64, 0xE7, 0x50, 0xDC, 0x35, 0x8C, 0x68 }, 147 "MBsxGTAXBgNVBAMMEGV2X3Jvb3RfcnNhXzIwNDA=", 148 "J7nCMgtzNcSPG7jAh3CWzlTGHQg=", 149 }, 150 #endif 151 { 152 // CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH 153 "2.16.756.1.89.1.2.1.1", 154 "SwissSign EV OID", 155 { 0x62, 0xDD, 0x0B, 0xE9, 0xB9, 0xF5, 0x0A, 0x16, 0x3E, 0xA0, 0xF8, 156 0xE7, 0x5C, 0x05, 0x3B, 0x1E, 0xCA, 0x57, 0xEA, 0x55, 0xC8, 0x68, 157 0x8F, 0x64, 0x7C, 0x68, 0x81, 0xF2, 0xC8, 0x35, 0x7B, 0x95 }, 158 "MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT" 159 "FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=", 160 "ALtAHEP1Xk+w", 161 }, 162 { 163 // CN=SecureTrust CA,O=SecureTrust Corporation,C=US 164 "2.16.840.1.114404.1.1.2.4.1", 165 "Trustwave EV OID", 166 { 0xF1, 0xC1, 0xB5, 0x0A, 0xE5, 0xA2, 0x0D, 0xD8, 0x03, 0x0E, 0xC9, 167 0xF6, 0xBC, 0x24, 0x82, 0x3D, 0xD3, 0x67, 0xB5, 0x25, 0x57, 0x59, 168 0xB4, 0xE7, 0x1B, 0x61, 0xFC, 0xE9, 0xF7, 0x37, 0x5D, 0x73 }, 169 "MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv" 170 "bjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E=", 171 "DPCOXAgWpa1Cf/DrJxhZ0A==", 172 }, 173 { 174 // CN=Secure Global CA,O=SecureTrust Corporation,C=US 175 "2.16.840.1.114404.1.1.2.4.1", 176 "Trustwave EV OID", 177 { 0x42, 0x00, 0xF5, 0x04, 0x3A, 0xC8, 0x59, 0x0E, 0xBB, 0x52, 
0x7D, 178 0x20, 0x9E, 0xD1, 0x50, 0x30, 0x29, 0xFB, 0xCB, 0xD4, 0x1C, 0xA1, 179 0xB5, 0x06, 0xEC, 0x27, 0xF1, 0x5A, 0xDE, 0x7D, 0xAC, 0x69 }, 180 "MEoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv" 181 "bjEZMBcGA1UEAxMQU2VjdXJlIEdsb2JhbCBDQQ==", 182 "B1YipOjUiolN9BPI8PjqpQ==", 183 }, 184 { 185 // CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 186 "1.3.6.1.4.1.6449.1.2.1.5.1", 187 "Comodo EV OID", 188 { 0x17, 0x93, 0x92, 0x7A, 0x06, 0x14, 0x54, 0x97, 0x89, 0xAD, 0xCE, 189 0x2F, 0x8F, 0x34, 0xF7, 0xF0, 0xB6, 0x6D, 0x0F, 0x3A, 0xE3, 0xA3, 190 0xB8, 0x4D, 0x21, 0xEC, 0x15, 0xDB, 0xBA, 0x4F, 0xAD, 0xC7 }, 191 "MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" 192 "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG" 193 "A1UEAxMiQ09NT0RPIEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 194 "H0evqmIAcFBUTAGem2OZKg==", 195 }, 196 { 197 // CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 198 "1.3.6.1.4.1.6449.1.2.1.5.1", 199 "Comodo EV OID", 200 { 0x0C, 0x2C, 0xD6, 0x3D, 0xF7, 0x80, 0x6F, 0xA3, 0x99, 0xED, 0xE8, 201 0x09, 0x11, 0x6B, 0x57, 0x5B, 0xF8, 0x79, 0x89, 0xF0, 0x65, 0x18, 202 0xF9, 0x80, 0x8C, 0x86, 0x05, 0x03, 0x17, 0x8B, 0xAF, 0x66 }, 203 "MIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" 204 "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEnMCUG" 205 "A1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5", 206 "ToEtioJl4AsC7j41AkblPQ==", 207 }, 208 { 209 // CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US 210 "2.16.840.1.114413.1.7.23.3", 211 "Go Daddy EV OID a", 212 { 0x45, 0x14, 0x0B, 0x32, 0x47, 0xEB, 0x9C, 0xC8, 0xC5, 0xB4, 0xF0, 213 0xD7, 0xB5, 0x30, 0x91, 0xF7, 0x32, 0x92, 0x08, 0x9E, 0x6E, 0x5A, 214 0x63, 0xE2, 0x74, 0x9D, 0xD3, 0xAC, 0xA9, 0x19, 0x8E, 0xDA }, 215 "MIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" 216 
"dHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAvBgNVBAMTKEdv" 217 "IERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzI=", 218 "AA==", 219 }, 220 { 221 // CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US 222 "2.16.840.1.114414.1.7.23.3", 223 "Go Daddy EV OID b", 224 { 0x2C, 0xE1, 0xCB, 0x0B, 0xF9, 0xD2, 0xF9, 0xE1, 0x02, 0x99, 0x3F, 225 0xBE, 0x21, 0x51, 0x52, 0xC3, 0xB2, 0xDD, 0x0C, 0xAB, 0xDE, 0x1C, 226 0x68, 0xE5, 0x31, 0x9B, 0x83, 0x91, 0x54, 0xDB, 0xB7, 0xF5 }, 227 "MIGPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" 228 "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEy" 229 "MDAGA1UEAxMpU3RhcmZpZWxkIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g" 230 "RzI=", 231 "AA==", 232 }, 233 { 234 // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US 235 "2.16.840.1.114412.2.1", 236 "DigiCert EV OID", 237 { 0x74, 0x31, 0xE5, 0xF4, 0xC3, 0xC1, 0xCE, 0x46, 0x90, 0x77, 0x4F, 238 0x0B, 0x61, 0xE0, 0x54, 0x40, 0x88, 0x3B, 0xA9, 0xA0, 0x1E, 0xD0, 239 0x0B, 0xA6, 0xAB, 0xD7, 0x80, 0x6E, 0xD3, 0xB1, 0x18, 0xCF }, 240 "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" 241 "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh" 242 "bmNlIEVWIFJvb3QgQ0E=", 243 "AqxcJmoLQJuPC3nyrkYldw==", 244 }, 245 { 246 // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM 247 "1.3.6.1.4.1.8024.0.2.100.1.2", 248 "Quo Vadis EV OID", 249 { 0x85, 0xA0, 0xDD, 0x7D, 0xD7, 0x20, 0xAD, 0xB7, 0xFF, 0x05, 0xF8, 250 0x3D, 0x54, 0x2B, 0x20, 0x9D, 0xC7, 0xFF, 0x45, 0x28, 0xF7, 0xD6, 251 0x77, 0xB1, 0x83, 0x89, 0xFE, 0xA5, 0xE5, 0xC4, 0x9E, 0x86 }, 252 "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD" 253 "VQQDExJRdW9WYWRpcyBSb290IENBIDI=", 254 "BQk=", 255 }, 256 { 257 // CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US 258 "2.16.840.1.114028.10.1.2", 259 "Entrust EV 
OID", 260 { 0x73, 0xC1, 0x76, 0x43, 0x4F, 0x1B, 0xC6, 0xD5, 0xAD, 0xF4, 0x5B, 261 0x0E, 0x76, 0xE7, 0x27, 0x28, 0x7C, 0x8D, 0xE5, 0x76, 0x16, 0xC1, 262 0xE6, 0xE6, 0x14, 0x1A, 0x2B, 0x2C, 0xBC, 0x7D, 0x8E, 0x4C }, 263 "MIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcGA1UE" 264 "CxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJl" 265 "bmNlMR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRF" 266 "bnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=", 267 "RWtQVA==", 268 }, 269 { 270 // CN=Entrust Root Certification Authority - G4,OU="(c) 2015 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US 271 "2.16.840.1.114028.10.1.2", 272 "Entrust EV OID", 273 { 0xDB, 0x35, 0x17, 0xD1, 0xF6, 0x73, 0x2A, 0x2D, 0x5A, 0xB9, 0x7C, 274 0x53, 0x3E, 0xC7, 0x07, 0x79, 0xEE, 0x32, 0x70, 0xA6, 0x2F, 0xB4, 275 0xAC, 0x42, 0x38, 0x37, 0x24, 0x60, 0xE6, 0xF0, 0x1E, 0x88 }, 276 "MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE" 277 "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp" 278 "IDIwMTUgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw" 279 "MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH" 280 "NA==", 281 "ANm1Q3+vqTkPAAAAAFVlrVg=", 282 }, 283 { 284 // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 285 "2.23.140.1.1", 286 "CA/Browser Forum EV OID", 287 { 0xCB, 0xB5, 0x22, 0xD7, 0xB7, 0xF1, 0x27, 0xAD, 0x6A, 0x01, 0x13, 288 0x86, 0x5B, 0xDF, 0x1C, 0xD4, 0x10, 0x2E, 0x7D, 0x07, 0x59, 0xAF, 289 0x63, 0x5A, 0x7C, 0xF4, 0x72, 0x0D, 0xC9, 0x63, 0xC5, 0x3B }, 290 "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpH" 291 "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu", 292 "BAAAAAABIVhTCKI=", 293 }, 294 { 295 // CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO 296 "2.16.578.1.26.1.3.3", 297 "Buypass EV OID", 298 { 0xED, 0xF7, 0xEB, 0xBC, 0xA2, 0x7A, 0x2A, 0x38, 0x4D, 0x38, 0x7B, 299 0x7D, 0x40, 0x10, 0xC6, 0x66, 0xE2, 0xED, 0xB4, 0x84, 
0x3E, 0x4C, 300 0x29, 0xB4, 0xAE, 0x1D, 0x5B, 0x93, 0x32, 0xE6, 0xB2, 0x4D }, 301 "ME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEg" 302 "MB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0E=", 303 "Ag==", 304 }, 305 { 306 // CN=AffirmTrust Commercial,O=AffirmTrust,C=US 307 "1.3.6.1.4.1.34697.2.1", 308 "AffirmTrust EV OID a", 309 { 0x03, 0x76, 0xAB, 0x1D, 0x54, 0xC5, 0xF9, 0x80, 0x3C, 0xE4, 0xB2, 310 0xE2, 0x01, 0xA0, 0xEE, 0x7E, 0xEF, 0x7B, 0x57, 0xB6, 0x36, 0xE8, 311 0xA9, 0x3C, 0x9B, 0x8D, 0x48, 0x60, 0xC9, 0x6F, 0x5F, 0xA7 }, 312 "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW" 313 "QWZmaXJtVHJ1c3QgQ29tbWVyY2lhbA==", 314 "d3cGJyapsXw=", 315 }, 316 { 317 // CN=AffirmTrust Networking,O=AffirmTrust,C=US 318 "1.3.6.1.4.1.34697.2.2", 319 "AffirmTrust EV OID b", 320 { 0x0A, 0x81, 0xEC, 0x5A, 0x92, 0x97, 0x77, 0xF1, 0x45, 0x90, 0x4A, 321 0xF3, 0x8D, 0x5D, 0x50, 0x9F, 0x66, 0xB5, 0xE2, 0xC5, 0x8F, 0xCD, 322 0xB5, 0x31, 0x05, 0x8B, 0x0E, 0x17, 0xF3, 0xF0, 0xB4, 0x1B }, 323 "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW" 324 "QWZmaXJtVHJ1c3QgTmV0d29ya2luZw==", 325 "fE8EORzUmS0=", 326 }, 327 { 328 // CN=AffirmTrust Premium,O=AffirmTrust,C=US 329 "1.3.6.1.4.1.34697.2.3", 330 "AffirmTrust EV OID c", 331 { 0x70, 0xA7, 0x3F, 0x7F, 0x37, 0x6B, 0x60, 0x07, 0x42, 0x48, 0x90, 332 0x45, 0x34, 0xB1, 0x14, 0x82, 0xD5, 0xBF, 0x0E, 0x69, 0x8E, 0xCC, 333 0x49, 0x8D, 0xF5, 0x25, 0x77, 0xEB, 0xF2, 0xE9, 0x3B, 0x9A }, 334 "MEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEcMBoGA1UEAwwT" 335 "QWZmaXJtVHJ1c3QgUHJlbWl1bQ==", 336 "bYwURrGmCu4=", 337 }, 338 { 339 // CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US 340 "1.3.6.1.4.1.34697.2.4", 341 "AffirmTrust EV OID d", 342 { 0xBD, 0x71, 0xFD, 0xF6, 0xDA, 0x97, 0xE4, 0xCF, 0x62, 0xD1, 0x64, 343 0x7A, 0xDD, 0x25, 0x81, 0xB0, 0x7D, 0x79, 0xAD, 0xF8, 0x39, 0x7E, 344 0xB4, 0xEC, 0xBA, 0x9C, 0x5E, 0x84, 0x88, 0x82, 0x14, 0x23 }, 345 "MEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwX" 346 
"QWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0M=", 347 "dJclisc/elQ=", 348 }, 349 { 350 // CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL 351 "1.2.616.1.113527.2.5.1.1", 352 "Certum EV OID", 353 { 0x5C, 0x58, 0x46, 0x8D, 0x55, 0xF5, 0x8E, 0x49, 0x7E, 0x74, 0x39, 354 0x82, 0xD2, 0xB5, 0x00, 0x10, 0xB6, 0xD1, 0x65, 0x37, 0x4A, 0xCF, 355 0x83, 0xA7, 0xD4, 0xA3, 0x2D, 0xB7, 0x68, 0xC4, 0x40, 0x8E }, 356 "MH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT" 357 "LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAg" 358 "BgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0E=", 359 "BETA", 360 }, 361 { 362 // CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL 363 "1.2.616.1.113527.2.5.1.1", 364 "Certum EV OID", 365 { 0xB6, 0x76, 0xF2, 0xED, 0xDA, 0xE8, 0x77, 0x5C, 0xD3, 0x6C, 0xB0, 366 0xF6, 0x3C, 0xD1, 0xD4, 0x60, 0x39, 0x61, 0xF4, 0x9E, 0x62, 0x65, 367 0xBA, 0x01, 0x3A, 0x2F, 0x03, 0x07, 0xB6, 0xD0, 0xB8, 0x04 }, 368 "MIGAMQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg" 369 "Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSQw" 370 "IgYDVQQDExtDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBIDI=", 371 "IdbQSk8lD8kyN/yqXhKN6Q==", 372 }, 373 { 374 // CN=Izenpe.com,O=IZENPE S.A.,C=ES 375 "1.3.6.1.4.1.14777.6.1.1", 376 "Izenpe EV OID 1", 377 { 0x25, 0x30, 0xCC, 0x8E, 0x98, 0x32, 0x15, 0x02, 0xBA, 0xD9, 0x6F, 378 0x9B, 0x1F, 0xBA, 0x1B, 0x09, 0x9E, 0x2D, 0x29, 0x9E, 0x0F, 0x45, 379 0x48, 0xBB, 0x91, 0x4F, 0x36, 0x3B, 0xC0, 0xD4, 0x53, 0x1F }, 380 "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK" 381 "SXplbnBlLmNvbQ==", 382 "ALC3WhZIX7/hy/WL1xnmfQ==", 383 }, 384 { 385 // CN=Izenpe.com,O=IZENPE S.A.,C=ES 386 "1.3.6.1.4.1.14777.6.1.2", 387 "Izenpe EV OID 2", 388 { 0x25, 0x30, 0xCC, 0x8E, 0x98, 0x32, 0x15, 0x02, 0xBA, 0xD9, 0x6F, 389 0x9B, 0x1F, 0xBA, 0x1B, 0x09, 0x9E, 0x2D, 0x29, 0x9E, 0x0F, 0x45, 390 0x48, 0xBB, 0x91, 0x4F, 0x36, 0x3B, 0xC0, 0xD4, 0x53, 
0x1F }, 391 "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK" 392 "SXplbnBlLmNvbQ==", 393 "ALC3WhZIX7/hy/WL1xnmfQ==", 394 }, 395 { 396 // CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE 397 "1.3.6.1.4.1.7879.13.24.1", 398 "T-Systems EV OID", 399 { 0xFD, 0x73, 0xDA, 0xD3, 0x1C, 0x64, 0x4F, 0xF1, 0xB4, 0x3B, 0xEF, 400 0x0C, 0xCD, 0xDA, 0x96, 0x71, 0x0B, 0x9C, 0xD9, 0x87, 0x5E, 0xCA, 401 0x7E, 0x31, 0x70, 0x7A, 0xF3, 0xE9, 0x6D, 0x52, 0x2B, 0xBD }, 402 "MIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2Ug" 403 "U2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjEl" 404 "MCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMw==", 405 "AQ==", 406 }, 407 { 408 // CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW 409 "1.3.6.1.4.1.40869.1.1.22.3", 410 "TWCA EV OID", 411 { 0xBF, 0xD8, 0x8F, 0xE1, 0x10, 0x1C, 0x41, 0xAE, 0x3E, 0x80, 0x1B, 412 0xF8, 0xBE, 0x56, 0x35, 0x0E, 0xE9, 0xBA, 0xD1, 0xA6, 0xB9, 0xBD, 413 0x51, 0x5E, 0xDC, 0x5C, 0x6D, 0x5B, 0x87, 0x11, 0xAC, 0x44 }, 414 "MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jv" 415 "b3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0" 416 "eQ==", 417 "AQ==", 418 }, 419 { 420 // CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE 421 "1.3.6.1.4.1.4788.2.202.1", 422 "D-TRUST EV OID", 423 { 0xEE, 0xC5, 0x49, 0x6B, 0x98, 0x8C, 0xE9, 0x86, 0x25, 0xB9, 0x34, 424 0x09, 0x2E, 0xEC, 0x29, 0x08, 0xBE, 0xD0, 0xB0, 0xF3, 0x16, 0xC2, 425 0xD4, 0x73, 0x0C, 0x84, 0xEA, 0xF1, 0xF3, 0xD3, 0x48, 0x81 }, 426 "MFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMM" 427 "IUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOQ==", 428 "CYP0", 429 }, 430 { 431 // CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW 432 "1.3.6.1.4.1.40869.1.1.22.3", 433 "TWCA EV OID", 434 { 0x59, 0x76, 0x90, 0x07, 0xF7, 0x68, 0x5D, 0x0F, 0xCD, 0x50, 0x87, 435 0x2F, 0x9F, 0x95, 0xD5, 0x75, 0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, 
436 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B }, 437 "MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv" 438 "b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=", 439 "DL4=", 440 }, 441 { 442 // CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT 443 "1.3.159.1.17.1", 444 "Actalis EV OID", 445 { 0x55, 0x92, 0x60, 0x84, 0xEC, 0x96, 0x3A, 0x64, 0xB9, 0x6E, 0x2A, 446 0xBE, 0x01, 0xCE, 0x0B, 0xA8, 0x6A, 0x64, 0xFB, 0xFE, 0xBC, 0xC7, 447 0xAA, 0xB5, 0xAF, 0xC1, 0x55, 0xB3, 0x7F, 0xD7, 0x60, 0x66 }, 448 "MGsxCzAJBgNVBAYTAklUMQ4wDAYDVQQHDAVNaWxhbjEjMCEGA1UECgwaQWN0YWxp" 449 "cyBTLnAuQS4vMDMzNTg1MjA5NjcxJzAlBgNVBAMMHkFjdGFsaXMgQXV0aGVudGlj" 450 "YXRpb24gUm9vdCBDQQ==", 451 "VwoRl0LE48w=", 452 }, 453 { 454 // CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US 455 "2.16.840.1.114412.2.1", 456 "DigiCert EV OID", 457 { 0x7D, 0x05, 0xEB, 0xB6, 0x82, 0x33, 0x9F, 0x8C, 0x94, 0x51, 0xEE, 458 0x09, 0x4E, 0xEB, 0xFE, 0xFA, 0x79, 0x53, 0xA1, 0x14, 0xED, 0xB2, 459 0xF4, 0x49, 0x49, 0x45, 0x2F, 0xAB, 0x7D, 0x2F, 0xC1, 0x85 }, 460 "MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" 461 "EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg" 462 "Um9vdCBHMg==", 463 "C5McOtY5Z+pnI7/Dr5r0Sw==", 464 }, 465 { 466 // CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US 467 "2.16.840.1.114412.2.1", 468 "DigiCert EV OID", 469 { 0x7E, 0x37, 0xCB, 0x8B, 0x4C, 0x47, 0x09, 0x0C, 0xAB, 0x36, 0x55, 470 0x1B, 0xA6, 0xF4, 0x5D, 0xB8, 0x40, 0x68, 0x0F, 0xBA, 0x16, 0x6A, 471 0x95, 0x2D, 0xB1, 0x00, 0x71, 0x7F, 0x43, 0x05, 0x3F, 0xC2 }, 472 "MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" 473 "EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg" 474 "Um9vdCBHMw==", 475 "C6Fa+h3foLVJRK/NJKBs7A==", 476 }, 477 { 478 // CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US 479 "2.16.840.1.114412.2.1", 480 "DigiCert EV OID", 481 { 0xCB, 0x3C, 0xCB, 
0xB7, 0x60, 0x31, 0xE5, 0xE0, 0x13, 0x8F, 0x8D, 482 0xD3, 0x9A, 0x23, 0xF9, 0xDE, 0x47, 0xFF, 0xC3, 0x5E, 0x43, 0xC1, 483 0x14, 0x4C, 0xEA, 0x27, 0xD4, 0x6A, 0x5A, 0xB1, 0xCB, 0x5F }, 484 "MGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" 485 "EHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290" 486 "IEcy", 487 "Azrx5qcRqaC7KGSxHQn65Q==", 488 }, 489 { 490 // CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US 491 "2.16.840.1.114412.2.1", 492 "DigiCert EV OID", 493 { 0x31, 0xAD, 0x66, 0x48, 0xF8, 0x10, 0x41, 0x38, 0xC7, 0x38, 0xF3, 494 0x9E, 0xA4, 0x32, 0x01, 0x33, 0x39, 0x3E, 0x3A, 0x18, 0xCC, 0x02, 495 0x29, 0x6E, 0xF9, 0x7C, 0x2A, 0xC9, 0xEF, 0x67, 0x31, 0xD0 }, 496 "MGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" 497 "EHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290" 498 "IEcz", 499 "BVVWvPJepDU1w6QP1atFcg==", 500 }, 501 { 502 // CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US 503 "2.16.840.1.114412.2.1", 504 "DigiCert EV OID", 505 { 0x55, 0x2F, 0x7B, 0xDC, 0xF1, 0xA7, 0xAF, 0x9E, 0x6C, 0xE6, 0x72, 506 0x01, 0x7F, 0x4F, 0x12, 0xAB, 0xF7, 0x72, 0x40, 0xC7, 0x8E, 0x76, 507 0x1A, 0xC2, 0x03, 0xD1, 0xD9, 0xD2, 0x0A, 0xC8, 0x99, 0x88 }, 508 "MGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" 509 "EHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9v" 510 "dCBHNA==", 511 "BZsbV56OITLiOQe9p3d1XA==", 512 }, 513 { 514 // CN=DigiCert TLS RSA4096 Root G5,O="DigiCert, Inc.",C=US 515 "2.23.140.1.1", 516 "CA/Browser Forum EV OID", 517 { 0x37, 0x1A, 0x00, 0xDC, 0x05, 0x33, 0xB3, 0x72, 0x1A, 0x7E, 0xEB, 518 0x40, 0xE8, 0x41, 0x9E, 0x70, 0x79, 0x9D, 0x2B, 0x0A, 0x0F, 0x2C, 519 0x1D, 0x80, 0x69, 0x31, 0x65, 0xF7, 0xCE, 0xC4, 0xAD, 0x75 }, 520 "ME0xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjElMCMGA1UE" 521 "AxMcRGlnaUNlcnQgVExTIFJTQTQwOTYgUm9vdCBHNQ==", 522 "CPm0eKj6ftpqMzeJ3nzPig==", 523 }, 524 { 525 // CN=DigiCert TLS ECC P384 Root G5,O="DigiCert, 
Inc.",C=US 526 "2.23.140.1.1", 527 "CA/Browser Forum EV OID", 528 { 0x01, 0x8E, 0x13, 0xF0, 0x77, 0x25, 0x32, 0xCF, 0x80, 0x9B, 0xD1, 529 0xB1, 0x72, 0x81, 0x86, 0x72, 0x83, 0xFC, 0x48, 0xC6, 0xE1, 0x3B, 530 0xE9, 0xC6, 0x98, 0x12, 0x85, 0x4A, 0x49, 0x0C, 0x1B, 0x05 }, 531 "ME4xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjEmMCQGA1UE" 532 "AxMdRGlnaUNlcnQgVExTIEVDQyBQMzg0IFJvb3QgRzU=", 533 "CeCTZaz32ci5PhwLBCou8w==", 534 }, 535 { 536 // CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM 537 "1.3.6.1.4.1.8024.0.2.100.1.2", 538 "QuoVadis EV OID", 539 { 0x8F, 0xE4, 0xFB, 0x0A, 0xF9, 0x3A, 0x4D, 0x0D, 0x67, 0xDB, 0x0B, 540 0xEB, 0xB2, 0x3E, 0x37, 0xC7, 0x1B, 0xF3, 0x25, 0xDC, 0xBC, 0xDD, 541 0x24, 0x0E, 0xA0, 0x4D, 0xAF, 0x58, 0xB4, 0x7E, 0x18, 0x40 }, 542 "MEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYD" 543 "VQQDExVRdW9WYWRpcyBSb290IENBIDIgRzM=", 544 "RFc0JFuBiZs18s64KztbpybwdSg=", 545 }, 546 { 547 // CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 548 "1.3.6.1.4.1.6449.1.2.1.5.1", 549 "Comodo EV OID", 550 { 0x52, 0xF0, 0xE1, 0xC4, 0xE5, 0x8E, 0xC6, 0x29, 0x29, 0x1B, 0x60, 551 0x31, 0x7F, 0x07, 0x46, 0x71, 0xB8, 0x5D, 0x7E, 0xA8, 0x0D, 0x5B, 552 0x07, 0x27, 0x34, 0x63, 0x53, 0x4B, 0x32, 0xB4, 0x02, 0x34 }, 553 "MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" 554 "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG" 555 "A1UEAxMiQ09NT0RPIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 556 "TKr5yttjb+Af907YWwOGnQ==", 557 }, 558 { 559 // CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US 560 "1.3.6.1.4.1.6449.1.2.1.5.1", 561 "Comodo EV OID", 562 { 0xE7, 0x93, 0xC9, 0xB0, 0x2F, 0xD8, 0xAA, 0x13, 0xE2, 0x1C, 0x31, 563 0x22, 0x8A, 0xCC, 0xB0, 0x81, 0x19, 0x64, 0x3B, 0x74, 0x9C, 0x89, 564 0x89, 0x64, 0xB1, 0x74, 0x6D, 0x46, 0xC3, 0xD4, 0xCB, 0xD2 }, 565 "MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxML" 566 
"SmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwG" 567 "A1UEAxMlVVNFUlRydXN0IFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 568 "Af1tMPyjylGoG7xkDjUDLQ==", 569 }, 570 { 571 // CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US 572 "1.3.6.1.4.1.6449.1.2.1.5.1", 573 "Comodo EV OID", 574 { 0x4F, 0xF4, 0x60, 0xD5, 0x4B, 0x9C, 0x86, 0xDA, 0xBF, 0xBC, 0xFC, 575 0x57, 0x12, 0xE0, 0x40, 0x0D, 0x2B, 0xED, 0x3F, 0xBC, 0x4D, 0x4F, 576 0xBD, 0xAA, 0x86, 0xE0, 0x6A, 0xDC, 0xD2, 0xA9, 0xAD, 0x7A }, 577 "MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxML" 578 "SmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwG" 579 "A1UEAxMlVVNFUlRydXN0IEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 580 "XIuZxVqUxdJxVt7NiYDMJg==", 581 }, 582 { 583 // CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 584 "2.23.140.1.1", 585 "CA/Browser Forum EV OID", 586 { 0x17, 0x9F, 0xBC, 0x14, 0x8A, 0x3D, 0xD0, 0x0F, 0xD2, 0x4E, 0xA1, 587 0x34, 0x58, 0xCC, 0x43, 0xBF, 0xA7, 0xF5, 0x9C, 0x81, 0x82, 0xD7, 588 0x83, 0xA5, 0x13, 0xF6, 0xEB, 0xEC, 0x10, 0x0C, 0x89, 0x24 }, 589 "MFAxJDAiBgNVBAsTG0dsb2JhbFNpZ24gRUNDIFJvb3QgQ0EgLSBSNTETMBEGA1UE" 590 "ChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbg==", 591 "YFlJ4CYuu1X5CneKcflK2Gw=", 592 }, 593 { 594 // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 595 "2.23.140.1.1", 596 "CA/Browser Forum EV OID", 597 { 0x2C, 0xAB, 0xEA, 0xFE, 0x37, 0xD0, 0x6C, 0xA2, 0x2A, 0xBA, 0x73, 598 0x91, 0xC0, 0x03, 0x3D, 0x25, 0x98, 0x29, 0x52, 0xC4, 0x53, 0x64, 599 0x73, 0x49, 0x76, 0x3A, 0x3A, 0xB5, 0xAD, 0x6C, 0xCF, 0x69 }, 600 "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFI2MRMwEQYDVQQKEwpH" 601 "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu", 602 "Rea7A4Mzw4VlSOb/RVE=", 603 }, 604 { 605 // CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. 
- for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US 606 "2.16.840.1.114028.10.1.2", 607 "Entrust EV OID", 608 { 0x43, 0xDF, 0x57, 0x74, 0xB0, 0x3E, 0x7F, 0xEF, 0x5F, 0xE4, 0x0D, 609 0x93, 0x1A, 0x7B, 0xED, 0xF1, 0xBB, 0x2E, 0x6B, 0x42, 0x73, 0x8C, 610 0x4E, 0x6D, 0x38, 0x41, 0x10, 0x3D, 0x3A, 0xA7, 0xF3, 0x39 }, 611 "MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE" 612 "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp" 613 "IDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw" 614 "MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH" 615 "Mg==", 616 "SlOMKA==", 617 }, 618 { 619 // CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US 620 "2.16.840.1.114028.10.1.2", 621 "Entrust EV OID", 622 { 0x02, 0xED, 0x0E, 0xB2, 0x8C, 0x14, 0xDA, 0x45, 0x16, 0x5C, 0x56, 623 0x67, 0x91, 0x70, 0x0D, 0x64, 0x51, 0xD7, 0xFB, 0x56, 0xF0, 0xB2, 624 0xAB, 0x1D, 0x3B, 0x8E, 0xB0, 0x70, 0xE5, 0x6E, 0xDF, 0xF5 }, 625 "MIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE" 626 "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp" 627 "IDIwMTIgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMw" 628 "MQYDVQQDEypFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBF" 629 "QzE=", 630 "AKaLeSkAAAAAUNCR+Q==", 631 }, 632 { 633 // CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN 634 "2.16.156.112554.3", 635 "CFCA EV OID", 636 { 0x5C, 0xC3, 0xD7, 0x8E, 0x4E, 0x1D, 0x5E, 0x45, 0x54, 0x7A, 0x04, 637 0xE6, 0x87, 0x3E, 0x64, 0xF9, 0x0C, 0xF9, 0x53, 0x6D, 0x1C, 0xCC, 638 0x2E, 0xF8, 0x00, 0xF3, 0x55, 0xC4, 0xC5, 0xFD, 0x70, 0xFD }, 639 "MFYxCzAJBgNVBAYTAkNOMTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlm" 640 "aWNhdGlvbiBBdXRob3JpdHkxFTATBgNVBAMMDENGQ0EgRVYgUk9PVA==", 641 "GErM1g==", 642 }, 643 { 644 // OU=Security Communication RootCA2,O="SECOM Trust Systems 
CO.,LTD.",C=JP 645 "1.2.392.200091.100.721.1", 646 "SECOM EV OID", 647 { 0x51, 0x3B, 0x2C, 0xEC, 0xB8, 0x10, 0xD4, 0xCD, 0xE5, 0xDD, 0x85, 648 0x39, 0x1A, 0xDF, 0xC6, 0xC2, 0xDD, 0x60, 0xD8, 0x7B, 0xB7, 0x36, 649 0xD2, 0xB5, 0x21, 0x48, 0x4A, 0xA4, 0x7A, 0x0E, 0xBE, 0xF6 }, 650 "MF0xCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP" 651 "LixMVEQuMScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTI=", 652 "AA==", 653 }, 654 { 655 // CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH 656 "2.16.756.5.14.7.4.8", 657 "WISeKey EV OID", 658 { 0x6B, 0x9C, 0x08, 0xE8, 0x6E, 0xB0, 0xF7, 0x67, 0xCF, 0xAD, 0x65, 659 0xCD, 0x98, 0xB6, 0x21, 0x49, 0xE5, 0x49, 0x4A, 0x67, 0xF5, 0x84, 660 0x5E, 0x7B, 0xD1, 0xED, 0x01, 0x9F, 0x27, 0xB8, 0x6B, 0xD6 }, 661 "MG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNU" 662 "RSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEds" 663 "b2JhbCBSb290IEdCIENB", 664 "drEgUnTwhYdGs/gjGvbCwA==", 665 }, 666 { 667 // CN=Amazon Root CA 1,O=Amazon,C=US 668 "2.23.140.1.1", 669 "CA/Browser Forum EV OID", 670 { 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3, 671 0x1A, 0xC3, 0xFC, 0xB1, 0x3D, 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC, 672 0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E }, 673 "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" 674 "biBSb290IENBIDE=", 675 "Bmyfz5m/jAo54vB4ikPmljZbyg==", 676 }, 677 { 678 // CN=Amazon Root CA 2,O=Amazon,C=US 679 "2.23.140.1.1", 680 "CA/Browser Forum EV OID", 681 { 0x1B, 0xA5, 0xB2, 0xAA, 0x8C, 0x65, 0x40, 0x1A, 0x82, 0x96, 0x01, 682 0x18, 0xF8, 0x0B, 0xEC, 0x4F, 0x62, 0x30, 0x4D, 0x83, 0xCE, 0xC4, 683 0x71, 0x3A, 0x19, 0xC3, 0x9C, 0x01, 0x1E, 0xA4, 0x6D, 0xB4 }, 684 "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" 685 "biBSb290IENBIDI=", 686 "Bmyf0pY1hp8KD+WGePhbJruKNw==", 687 }, 688 { 689 // CN=Amazon Root CA 3,O=Amazon,C=US 690 "2.23.140.1.1", 691 "CA/Browser Forum EV OID", 692 { 0x18, 0xCE, 
0x6C, 0xFE, 0x7B, 0xF1, 0x4E, 0x60, 0xB2, 0xE3, 0x47, 693 0xB8, 0xDF, 0xE8, 0x68, 0xCB, 0x31, 0xD0, 0x2E, 0xBB, 0x3A, 0xDA, 694 0x27, 0x15, 0x69, 0xF5, 0x03, 0x43, 0xB4, 0x6D, 0xB3, 0xA4 }, 695 "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" 696 "biBSb290IENBIDM=", 697 "Bmyf1XSXNmY/Owua2eiedgPySg==", 698 }, 699 { 700 // CN=Amazon Root CA 4,O=Amazon,C=US 701 "2.23.140.1.1", 702 "CA/Browser Forum EV OID", 703 { 0xE3, 0x5D, 0x28, 0x41, 0x9E, 0xD0, 0x20, 0x25, 0xCF, 0xA6, 0x90, 704 0x38, 0xCD, 0x62, 0x39, 0x62, 0x45, 0x8D, 0xA5, 0xC6, 0x95, 0xFB, 705 0xDE, 0xA3, 0xC2, 0x2B, 0x0B, 0xFB, 0x25, 0x89, 0x70, 0x92 }, 706 "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv" 707 "biBSb290IENBIDQ=", 708 "Bmyf18G7EEwpQ+Vxe3ssyBrBDg==", 709 }, 710 { 711 // CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US 712 "2.23.140.1.1", 713 "CA/Browser Forum EV OID", 714 { 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02, 715 0x51, 0x90, 0xED, 0xCF, 0xED, 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13, 716 0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 }, 717 "MIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" 718 "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7" 719 "MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0" 720 "aG9yaXR5IC0gRzI=", 721 "AA==", 722 }, 723 { 724 // CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN 725 "1.2.156.112559.1.1.6.1", 726 "GDCA EV OID", 727 { 0xBF, 0xFF, 0x8F, 0xD0, 0x44, 0x33, 0x48, 0x7D, 0x6A, 0x8A, 0xA6, 728 0x0C, 0x1A, 0x29, 0x76, 0x7A, 0x9F, 0xC2, 0xBB, 0xB0, 0x5E, 0x42, 729 0x0F, 0x71, 0x3A, 0x13, 0xB9, 0x92, 0x89, 0x1D, 0x38, 0x93 }, 730 "MGIxCzAJBgNVBAYTAkNOMTIwMAYDVQQKDClHVUFORyBET05HIENFUlRJRklDQVRF" 731 "IEFVVEhPUklUWSBDTy4sTFRELjEfMB0GA1UEAwwWR0RDQSBUcnVzdEFVVEggUjUg" 732 "Uk9PVA==", 733 "fQmX/vBH6no=", 734 }, 735 { 736 // CN=SSL.com EV Root Certification 
Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US 737 "2.23.140.1.1", 738 "CA/Browser Forum EV OID", 739 { 0x22, 0xA2, 0xC1, 0xF7, 0xBD, 0xED, 0x70, 0x4C, 0xC1, 0xE7, 0x01, 740 0xB5, 0xF4, 0x08, 0xC3, 0x10, 0x88, 0x0F, 0xE9, 0x56, 0xB5, 0xDE, 741 0x2A, 0x4A, 0x44, 0xF9, 0x9C, 0x87, 0x3A, 0x25, 0xA7, 0xC8 }, 742 "MH8xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3Rv" 743 "bjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTQwMgYDVQQDDCtTU0wuY29tIEVW" 744 "IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgRUND", 745 "LCmcWxbtBZU=", 746 }, 747 { 748 // CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US 749 "2.23.140.1.1", 750 "CA/Browser Forum EV OID", 751 { 0x2E, 0x7B, 0xF1, 0x6C, 0xC2, 0x24, 0x85, 0xA7, 0xBB, 0xE2, 0xAA, 752 0x86, 0x96, 0x75, 0x07, 0x61, 0xB0, 0xAE, 0x39, 0xBE, 0x3B, 0x2F, 753 0xE9, 0xD0, 0xCC, 0x6D, 0x4E, 0xF7, 0x34, 0x91, 0x42, 0x5C }, 754 "MIGCMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0" 755 "b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE3MDUGA1UEAwwuU1NMLmNvbSBF" 756 "ViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQSBSMg==", 757 "VrYpzTS8ePY=", 758 }, 759 { 760 // CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US 761 "2.23.140.1.1", 762 "CA/Browser Forum EV OID", 763 { 0xC3, 0x2F, 0xFD, 0x9F, 0x46, 0xF9, 0x36, 0xD1, 0x6C, 0x36, 0x73, 764 0x99, 0x09, 0x59, 0x43, 0x4B, 0x9A, 0xD6, 0x0A, 0xAF, 0xBB, 0x9E, 765 0x7C, 0xF3, 0x36, 0x54, 0xF1, 0x44, 0xCC, 0x1B, 0xA1, 0x43 }, 766 "ME4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xJTAjBgNV" 767 "BAMMHFNTTC5jb20gVExTIEVDQyBSb290IENBIDIwMjI=", 768 "FAP1q/s3ixdAW+JDsqXRxA==", 769 }, 770 { 771 // CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US 772 "2.23.140.1.1", 773 "CA/Browser Forum EV OID", 774 { 0x8F, 0xAF, 0x7D, 0x2E, 0x2C, 0xB4, 0x70, 0x9B, 0xB8, 0xE0, 0xB3, 775 0x36, 0x66, 0xBF, 0x75, 0xA5, 0xDD, 0x45, 0xB5, 0xDE, 0x48, 0x0F, 776 0x8E, 0xA8, 0xD4, 0xBF, 0xE6, 0xBE, 0xBC, 0x17, 0xF2, 0xED }, 777 
"ME4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xJTAjBgNV" 778 "BAMMHFNTTC5jb20gVExTIFJTQSBSb290IENBIDIwMjI=", 779 "b77arXO9CEDii02+1PdbkQ==", 780 }, 781 { 782 // CN=UCA Extended Validation Root,O=UniTrust,C=CN 783 "2.23.140.1.1", 784 "CA/Browser Forum EV OID", 785 { 0xD4, 0x3A, 0xF9, 0xB3, 0x54, 0x73, 0x75, 0x5C, 0x96, 0x84, 0xFC, 786 0x06, 0xD7, 0xD8, 0xCB, 0x70, 0xEE, 0x5C, 0x28, 0xE7, 0x73, 0xFB, 787 0x29, 0x4E, 0xB4, 0x1E, 0xE7, 0x17, 0x22, 0x92, 0x4D, 0x24 }, 788 "MEcxCzAJBgNVBAYTAkNOMREwDwYDVQQKDAhVbmlUcnVzdDElMCMGA1UEAwwcVUNB" 789 "IEV4dGVuZGVkIFZhbGlkYXRpb24gUm9vdA==", 790 "T9Irj/VkyDOeTzRYZiNwYA==", 791 }, 792 { 793 // CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK 794 "2.23.140.1.1", 795 "CA/Browser Forum EV OID", 796 { 0x5A, 0x2F, 0xC0, 0x3F, 0x0C, 0x83, 0xB0, 0x90, 0xBB, 0xFA, 0x40, 797 0x60, 0x4B, 0x09, 0x88, 0x44, 0x6C, 0x76, 0x36, 0x18, 0x3D, 0xF9, 798 0x84, 0x6E, 0x17, 0x10, 0x1A, 0x44, 0x7F, 0xB8, 0xEF, 0xD6 }, 799 "MG8xCzAJBgNVBAYTAkhLMRIwEAYDVQQIEwlIb25nIEtvbmcxEjAQBgNVBAcTCUhv" 800 "bmcgS29uZzEWMBQGA1UEChMNSG9uZ2tvbmcgUG9zdDEgMB4GA1UEAxMXSG9uZ2tv" 801 "bmcgUG9zdCBSb290IENBIDM=", 802 "CBZfikyl7ADJk0DfxMauI7gcWqQ=", 803 }, 804 { 805 // CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN 806 "2.23.140.1.1", 807 "CA/Browser Forum EV OID", 808 { 0x40, 0xF6, 0xAF, 0x03, 0x46, 0xA9, 0x9A, 0xA1, 0xCD, 0x1D, 0x55, 809 0x5A, 0x4E, 0x9C, 0xCE, 0x62, 0xC7, 0xF9, 0x63, 0x46, 0x03, 0xEE, 810 0x40, 0x66, 0x15, 0x83, 0x3D, 0xC8, 0xC8, 0xD0, 0x03, 0x67 }, 811 "MGcxCzAJBgNVBAYTAklOMRMwEQYDVQQLEwplbVNpZ24gUEtJMSUwIwYDVQQKExxl" 812 "TXVkaHJhIFRlY2hub2xvZ2llcyBMaW1pdGVkMRwwGgYDVQQDExNlbVNpZ24gUm9v" 813 "dCBDQSAtIEcx", 814 "MfXkYgxsWO3W2A==", 815 }, 816 { 817 // CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN 818 "2.23.140.1.1", 819 "CA/Browser Forum EV OID", 820 { 0x86, 0xA1, 0xEC, 0xBA, 0x08, 0x9C, 0x4A, 0x8D, 0x3B, 0xBE, 0x27, 821 0x34, 0xC6, 0x12, 0xBA, 0x34, 0x1D, 0x81, 0x3E, 
0x04, 0x3C, 0xF9, 822 0xE8, 0xA8, 0x62, 0xCD, 0x5C, 0x57, 0xA3, 0x6B, 0xBE, 0x6B }, 823 "MGsxCzAJBgNVBAYTAklOMRMwEQYDVQQLEwplbVNpZ24gUEtJMSUwIwYDVQQKExxl" 824 "TXVkaHJhIFRlY2hub2xvZ2llcyBMaW1pdGVkMSAwHgYDVQQDExdlbVNpZ24gRUND" 825 "IFJvb3QgQ0EgLSBHMw==", 826 "PPYHqWhwDtqLhA==", 827 }, 828 { 829 // CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US 830 "2.23.140.1.1", 831 "CA/Browser Forum EV OID", 832 { 0x12, 0x56, 0x09, 0xAA, 0x30, 0x1D, 0xA0, 0xA2, 0x49, 0xB9, 0x7A, 833 0x82, 0x39, 0xCB, 0x6A, 0x34, 0x21, 0x6F, 0x44, 0xDC, 0xAC, 0x9F, 834 0x39, 0x54, 0xB1, 0x42, 0x92, 0xF2, 0xE8, 0xC8, 0x60, 0x8F }, 835 "MFYxCzAJBgNVBAYTAlVTMRMwEQYDVQQLEwplbVNpZ24gUEtJMRQwEgYDVQQKEwtl" 836 "TXVkaHJhIEluYzEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBDMQ==", 837 "AK7PALrEzzL4Q7I=", 838 }, 839 { 840 // CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US 841 "2.23.140.1.1", 842 "CA/Browser Forum EV OID", 843 { 0xBC, 0x4D, 0x80, 0x9B, 0x15, 0x18, 0x9D, 0x78, 0xDB, 0x3E, 0x1D, 844 0x8C, 0xF4, 0xF9, 0x72, 0x6A, 0x79, 0x5D, 0xA1, 0x64, 0x3C, 0xA5, 845 0xF1, 0x35, 0x8E, 0x1D, 0xDB, 0x0E, 0xDC, 0x0D, 0x7E, 0xB3 }, 846 "MFoxCzAJBgNVBAYTAlVTMRMwEQYDVQQLEwplbVNpZ24gUEtJMRQwEgYDVQQKEwtl" 847 "TXVkaHJhIEluYzEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gQzM=", 848 "e3G2gla4EnycqA==", 849 }, 850 { 851 // OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO 852 "2.23.140.1.1", 853 "CA/Browser Forum EV OID", 854 { 0x65, 0x7C, 0xFE, 0x2F, 0xA7, 0x3F, 0xAA, 0x38, 0x46, 0x25, 0x71, 855 0xF3, 0x32, 0xA2, 0x36, 0x3A, 0x46, 0xFC, 0xE7, 0x02, 0x09, 0x51, 856 0x71, 0x07, 0x02, 0xCD, 0xFB, 0xB6, 0xEE, 0xDA, 0x33, 0x05 }, 857 "MEExCzAJBgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMT" 858 "Y2VydFNJR04gUk9PVCBDQSBHMg==", 859 "EQA0tk7GNi02", 860 }, 861 { 862 // CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US 863 "2.23.140.1.1", 864 "CA/Browser Forum EV OID", 865 { 0x5D, 0x56, 0x49, 0x9B, 0xE4, 0xD2, 0xE0, 0x8B, 0xCF, 0xCA, 0xD0, 866 0x8A, 0x3E, 0x38, 0x72, 0x3D, 0x50, 0x50, 0x3B, 0xDE, 0x70, 0x69, 867 0x48, 
0xE4, 0x2F, 0x55, 0x60, 0x30, 0x19, 0xE5, 0x28, 0xAE }, 868 "MEoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxJzAlBgNVBAMTHklk" 869 "ZW5UcnVzdCBDb21tZXJjaWFsIFJvb3QgQ0EgMQ==", 870 "CgFCgAAAAUUjyES1AAAAAg==", 871 }, 872 { 873 // CN=Trustwave Global Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US 874 "2.23.140.1.1", 875 "CA/Browser Forum EV OID", 876 { 0x97, 0x55, 0x20, 0x15, 0xF5, 0xDD, 0xFC, 0x3C, 0x87, 0x88, 0xC0, 0x06, 0x94, 0x45, 0x55, 0x40, 0x88, 0x94, 0x45, 0x00, 0x84, 0xF1, 0x00, 0x86, 0x70, 0x86, 0xBC, 0x1A, 0x2B, 0xB5, 0x8D, 0xC8 }, 877 "MIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0No" 878 "aWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UE" 879 "AwwoVHJ1c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 880 "BfcOhtpJ80Y1Lrqy", 881 }, 882 { 883 // CN=Trustwave Global ECC P256 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US 884 "2.23.140.1.1", 885 "CA/Browser Forum EV OID", 886 { 0x94, 0x5B, 0xBC, 0x82, 0x5E, 0xA5, 0x54, 0xF4, 0x89, 0xD1, 0xFD, 0x51, 0xA7, 0x3D, 0xDF, 0x2E, 0xA6, 0x24, 0xAC, 0x70, 0x19, 0xA0, 0x52, 0x05, 0x22, 0x5C, 0x22, 0xA7, 0x8C, 0xCF, 0xA8, 0xB4 }, 887 "MIGRMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0No" 888 "aWNhZ28xITAfBgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UE" 889 "AxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhv" 890 "cml0eQ==", 891 "DWpfCD8oXD5Rld9d", 892 }, 893 { 894 // CN=Trustwave Global ECC P384 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US 895 "2.23.140.1.1", 896 "CA/Browser Forum EV OID", 897 { 0x55, 0x90, 0x38, 0x59, 0xC8, 0xC0, 0xC3, 0xEB, 0xB8, 0x75, 0x9E, 0xCE, 0x4E, 0x25, 0x57, 0x22, 0x5F, 0xF5, 0x75, 0x8B, 0xBD, 0x38, 0xEB, 0xD4, 0x82, 0x76, 0x60, 0x1E, 0x1B, 0xD5, 0x80, 0x97 }, 898 "MIGRMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0No" 899 "aWNhZ28xITAfBgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UE" 900 
"AxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhv" 901 "cml0eQ==", 902 "CL2Fl2yZJ6SAaEc7", 903 }, 904 { 905 // CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE 906 "2.23.140.1.1", 907 "CA/Browser Forum EV OID", 908 { 0x4F, 0xA3, 0x12, 0x6D, 0x8D, 0x3A, 0x11, 0xD1, 0xC4, 0x85, 0x5A, 0x4F, 0x80, 0x7C, 0xBA, 0xD6, 0xCF, 0x91, 0x9D, 0x3A, 0x5A, 0x88, 0xB0, 0x3B, 0xEA, 0x2C, 0x63, 0x72, 0xD9, 0x3C, 0x40, 0xC9 }, 909 "MEYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYD" 910 "VQQDExNHbG9iYWxTaWduIFJvb3QgUjQ2", 911 "EdK7udcjGJ5AXwqdLdDfJWfR", 912 }, 913 { 914 // CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE 915 "2.23.140.1.1", 916 "CA/Browser Forum EV OID", 917 { 0xCB, 0xB9, 0xC4, 0x4D, 0x84, 0xB8, 0x04, 0x3E, 0x10, 0x50, 0xEA, 0x31, 0xA6, 0x9F, 0x51, 0x49, 0x55, 0xD7, 0xBF, 0xD2, 0xE2, 0xC6, 0xB4, 0x93, 0x01, 0x01, 0x9A, 0xD6, 0x1D, 0x9F, 0x50, 0x58 }, 918 "MEYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYD" 919 "VQQDExNHbG9iYWxTaWduIFJvb3QgRTQ2", 920 "EdK7ujNu1LzmJGjFDYQdmOhD", 921 }, 922 { 923 // "CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OID.2.5.4.97=VATES-Q2826004J,OU=Ceres,O=FNMT-RCM,C=E 924 "2.23.140.1.1", 925 "CA/Browser Forum EV OID", 926 { 0x55, 0x41, 0x53, 0xB1, 0x3D, 0x2C, 0xF9, 0xDD, 0xB7, 0x53, 0xBF, 0xBE, 0x1A, 0x4E, 0x0A, 0xE0, 0x8D, 0x0A, 0xA4, 0x18, 0x70, 0x58, 0xFE, 0x60, 0xA2, 0xB8, 0x62, 0xB2, 0xE4, 0xB8, 0x7B, 0xCB }, 927 "MHgxCzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEOMAwGA1UECwwFQ2Vy" 928 "ZXMxGDAWBgNVBGEMD1ZBVEVTLVEyODI2MDA0SjEsMCoGA1UEAwwjQUMgUkFJWiBG" 929 "Tk1ULVJDTSBTRVJWSURPUkVTIFNFR1VST1M=", 930 "YvYybOXE42hcG2LdnC6dlQ==", 931 }, 932 { 933 // CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT 934 "2.23.140.1.1", 935 "CA/Browser Forum EV OID", 936 { 0x9A, 0x29, 0x6A, 0x51, 0x82, 0xD1, 0xD4, 0x51, 0xA2, 0xE3, 0x7F, 0x43, 0x9B, 0x74, 0xDA, 0xAF, 0xA2, 0x67, 0x52, 0x33, 0x29, 0xF9, 0x0F, 0x9A, 0x0D, 0x20, 0x07, 0xC3, 0x34, 0xE2, 0x3C, 0x9A }, 937 
"ME0xCzAJBgNVBAYTAkFUMSMwIQYDVQQKExplLWNvbW1lcmNlIG1vbml0b3Jpbmcg" 938 "R21iSDEZMBcGA1UEAxMQR0xPQkFMVFJVU1QgMjAyMA==", 939 "Wku9WvtPilv6ZeU=", 940 }, 941 { 942 // CN=Certum Extended Validation ECC CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL 943 "2.23.140.1.1", 944 "CA/Browser Forum EV OID", 945 { 0x6B, 0x32, 0x80, 0x85, 0x62, 0x53, 0x18, 0xAA, 0x50, 0xD1, 0x73, 0xC9, 0x8D, 0x8B, 0xDA, 0x09, 0xD5, 0x7E, 0x27, 0x41, 0x3D, 0x11, 0x4C, 0xF7, 0x87, 0xA0, 0xF5, 0xD0, 0x6C, 0x03, 0x0C, 0xF6 }, 946 "MHQxCzAJBgNVBAYTAlBMMSEwHwYDVQQKExhBc3NlY28gRGF0YSBTeXN0ZW1zIFMu" 947 "QS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEZMBcG" 948 "A1UEAxMQQ2VydHVtIEVDLTM4NCBDQQ==", 949 "eI8nXIESUiClBNAt3bpz9A==", 950 }, 951 { 952 // CN=Certum Extended Validation RSA CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL 953 "2.23.140.1.1", 954 "CA/Browser Forum EV OID", 955 { 0xFE, 0x76, 0x96, 0x57, 0x38, 0x55, 0x77, 0x3E, 0x37, 0xA9, 0x5E, 0x7A, 0xD4, 0xD9, 0xCC, 0x96, 0xC3, 0x01, 0x57, 0xC1, 0x5D, 0x31, 0x76, 0x5B, 0xA9, 0xB1, 0x57, 0x04, 0xE1, 0xAE, 0x78, 0xFD }, 956 "MHoxCzAJBgNVBAYTAlBMMSEwHwYDVQQKExhBc3NlY28gRGF0YSBTeXN0ZW1zIFMu" 957 "QS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEfMB0G" 958 "A1UEAxMWQ2VydHVtIFRydXN0ZWQgUm9vdCBDQQ==", 959 "Hr9ZULjJgDdMBvfrVU+17Q==", 960 }, 961 { 962 // CN=ANF Secure Server Root CA,OU=ANF CA Raiz,O=ANF Autoridad de Certificacion,C=ES,serialNumber=G63287510 963 "2.23.140.1.1", 964 "CA/Browser Forum EV OID", 965 { 0xFB, 0x8F, 0xEC, 0x75, 0x91, 0x69, 0xB9, 0x10, 0x6B, 0x1E, 0x51, 0x16, 0x44, 0xC6, 0x18, 0xC5, 0x13, 0x04, 0x37, 0x3F, 0x6C, 0x06, 0x43, 0x08, 0x8D, 0x8B, 0xEF, 0xFD, 0x1B, 0x99, 0x75, 0x99 }, 966 "MIGEMRIwEAYDVQQFEwlHNjMyODc1MTAxCzAJBgNVBAYTAkVTMScwJQYDVQQKEx5B" 967 "TkYgQXV0b3JpZGFkIGRlIENlcnRpZmljYWNpb24xFDASBgNVBAsTC0FORiBDQSBS" 968 "YWl6MSIwIAYDVQQDExlBTkYgU2VjdXJlIFNlcnZlciBSb290IENB", 969 "DdPjvGz5a7E=", 970 }, 971 { 972 // CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and 
Research Institutions CA,C=GR 973 "2.23.140.1.1", 974 "CA/Browser Forum EV OID", 975 { 0xD9, 0x5D, 0x0E, 0x8E, 0xDA, 0x79, 0x52, 0x5B, 0xF9, 0xBE, 0xB1, 976 0x1B, 0x14, 0xD2, 0x10, 0x0D, 0x32, 0x94, 0x98, 0x5F, 0x0C, 0x62, 977 0xD9, 0xFA, 0xBD, 0x9C, 0xD9, 0x99, 0xEC, 0xCB, 0x7B, 0x1D }, 978 "MGwxCzAJBgNVBAYTAkdSMTcwNQYDVQQKDC5IZWxsZW5pYyBBY2FkZW1pYyBhbmQg" 979 "UmVzZWFyY2ggSW5zdGl0dXRpb25zIENBMSQwIgYDVQQDDBtIQVJJQ0EgVExTIFJT" 980 "QSBSb290IENBIDIwMjE=", 981 "OcqTHO9D88aOk8f0ZIk4fg==", 982 }, 983 { 984 // CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR 985 "2.23.140.1.1", 986 "CA/Browser Forum EV OID", 987 { 0x3F, 0x99, 0xCC, 0x47, 0x4A, 0xCF, 0xCE, 0x4D, 0xFE, 0xD5, 0x87, 988 0x94, 0x66, 0x5E, 0x47, 0x8D, 0x15, 0x47, 0x73, 0x9F, 0x2E, 0x78, 989 0x0F, 0x1B, 0xB4, 0xCA, 0x9B, 0x13, 0x30, 0x97, 0xD4, 0x01 }, 990 "MGwxCzAJBgNVBAYTAkdSMTcwNQYDVQQKDC5IZWxsZW5pYyBBY2FkZW1pYyBhbmQg" 991 "UmVzZWFyY2ggSW5zdGl0dXRpb25zIENBMSQwIgYDVQQDDBtIQVJJQ0EgVExTIEVD" 992 "QyBSb290IENBIDIwMjE=", 993 "Z3SdjXfYO2rbIvT/WeK/zg==", 994 }, 995 { 996 // CN=vTrus Root CA,O="iTrusChina Co.,Ltd.",C=CN 997 "2.23.140.1.1", 998 "CA/Browser Forum EV OID", 999 { 0x8A, 0x71, 0xDE, 0x65, 0x59, 0x33, 0x6F, 0x42, 0x6C, 0x26, 0xE5, 1000 0x38, 0x80, 0xD0, 0x0D, 0x88, 0xA1, 0x8D, 0xA4, 0xC6, 0xA9, 0x1F, 1001 0x0D, 0xCB, 0x61, 0x94, 0xE2, 0x06, 0xC5, 0xC9, 0x63, 0x87 }, 1002 "MEMxCzAJBgNVBAYTAkNOMRwwGgYDVQQKExNpVHJ1c0NoaW5hIENvLixMdGQuMRYw" 1003 "FAYDVQQDEw12VHJ1cyBSb290IENB", 1004 "Q+NxE9izWRRdt86M/TX9b7wFjUU=", 1005 }, 1006 { 1007 // CN=vTrus ECC Root CA,O="iTrusChina Co.,Ltd.",C=CN 1008 "2.23.140.1.1", 1009 "CA/Browser Forum EV OID", 1010 { 0x30, 0xFB, 0xBA, 0x2C, 0x32, 0x23, 0x8E, 0x2A, 0x98, 0x54, 0x7A, 1011 0xF9, 0x79, 0x31, 0xE5, 0x50, 0x42, 0x8B, 0x9B, 0x3F, 0x1C, 0x8E, 1012 0xEB, 0x66, 0x33, 0xDC, 0xFA, 0x86, 0xC5, 0xB2, 0x7D, 0xD3 }, 1013 "MEcxCzAJBgNVBAYTAkNOMRwwGgYDVQQKExNpVHJ1c0NoaW5hIENvLixMdGQuMRow" 1014 "GAYDVQQDExF2VHJ1cyBFQ0MgUm9vdCBDQQ==", 1015 
"bmq8WapTvpg5Z6LSa6Q75m0c1to=", 1016 }, 1017 { 1018 // CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES 1019 "2.23.140.1.1", 1020 "CA/Browser Forum EV OID", 1021 { 0x57, 0xDE, 0x05, 0x83, 0xEF, 0xD2, 0xB2, 0x6E, 0x03, 0x61, 0xDA, 1022 0x99, 0xDA, 0x9D, 0xF4, 0x64, 0x8D, 0xEF, 0x7E, 0xE8, 0x44, 0x1C, 1023 0x3B, 0x72, 0x8A, 0xFA, 0x9B, 0xCD, 0xE0, 0xF9, 0xB2, 0x6A }, 1024 "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh" 1025 "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=", 1026 "G3Dp0v+ubHE=", 1027 }, 1028 { 1029 // CN=NetLock Arany (Class Gold) FÅ‘tanúsÃtvány,OU=TanúsÃtványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU 1030 "2.23.140.1.1", 1031 "CA/Browser Forum EV OID", 1032 { 0x6C, 0x61, 0xDA, 0xC3, 0xA2, 0xDE, 0xF0, 0x31, 0x50, 0x6B, 0xE0, 1033 0x36, 0xD2, 0xA6, 0xFE, 0x40, 0x19, 0x94, 0xFB, 0xD1, 0x3D, 0xF9, 1034 0xC8, 0xD4, 0x66, 0x59, 0x92, 0x74, 0xC4, 0x46, 0xEC, 0x98 }, 1035 "MIGnMQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5l" 1036 "dExvY2sgS2Z0LjE3MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0" 1037 "aWZpY2F0aW9uIFNlcnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xh" 1038 "c3MgR29sZCkgRsWRdGFuw7pzw610dsOhbnk=", 1039 "SUEs5AAQ", 1040 }, 1041 { 1042 // CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE 1043 "2.23.140.1.1", 1044 "CA/Browser Forum EV OID", 1045 { 0x08, 0x17, 0x0D, 0x1A, 0xA3, 0x64, 0x53, 0x90, 0x1A, 0x2F, 0x95, 1046 0x92, 0x45, 0xE3, 0x47, 0xDB, 0x0C, 0x8D, 0x37, 0xAB, 0xAA, 0xBC, 1047 0x56, 0xB8, 0x1A, 0xA1, 0x00, 0xDC, 0x95, 0x89, 0x70, 0xDB }, 1048 "MEgxCzAJBgNVBAYTAkRFMRUwEwYDVQQKEwxELVRydXN0IEdtYkgxIjAgBgNVBAMT" 1049 "GUQtVFJVU1QgRVYgUm9vdCBDQSAxIDIwMjA=", 1050 "XwJB13qHfEwDo6yWjfv/0A==", 1051 }, 1052 { 1053 // CN=BJCA Global Root CA1,O=BEIJING CERTIFICATE AUTHORITY,C=CN 1054 "2.23.140.1.1", 1055 "CA/Browser Forum EV OID", 1056 { 0xF3, 0x89, 0x6F, 0x88, 0xFE, 0x7C, 0x0A, 0x88, 0x27, 0x66, 0xA7, 1057 0xFA, 0x6A, 0xD2, 0x74, 0x9F, 0xB5, 0x7A, 0x7F, 0x3E, 0x98, 0xFB, 1058 0x76, 
0x9C, 0x1F, 0xA7, 0xB0, 0x9C, 0x2C, 0x44, 0xD5, 0xAE }, 1059 "MFQxCzAJBgNVBAYTAkNOMSYwJAYDVQQKDB1CRUlKSU5HIENFUlRJRklDQVRFIEFV" 1060 "VEhPUklUWTEdMBsGA1UEAwwUQkpDQSBHbG9iYWwgUm9vdCBDQTE=", 1061 "VW9l47TZkGobCdFsPsBsIA==", 1062 }, 1063 { 1064 // CN=BJCA Global Root CA2,O=BEIJING CERTIFICATE AUTHORITY,C=CN 1065 "2.23.140.1.1", 1066 "CA/Browser Forum EV OID", 1067 { 0x57, 0x4D, 0xF6, 0x93, 0x1E, 0x27, 0x80, 0x39, 0x66, 0x7B, 0x72, 1068 0x0A, 0xFD, 0xC1, 0x60, 0x0F, 0xC2, 0x7E, 0xB6, 0x6D, 0xD3, 0x09, 1069 0x29, 0x79, 0xFB, 0x73, 0x85, 0x64, 0x87, 0x21, 0x28, 0x82 }, 1070 "MFQxCzAJBgNVBAYTAkNOMSYwJAYDVQQKDB1CRUlKSU5HIENFUlRJRklDQVRFIEFV" 1071 "VEhPUklUWTEdMBsGA1UEAwwUQkpDQSBHbG9iYWwgUm9vdCBDQTI=", 1072 "LBcIfWQqwP6FGFkGz7RK6w==", 1073 }, 1074 { 1075 // CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB 1076 "2.23.140.1.1", 1077 "CA/Browser Forum EV OID", 1078 { 0xC9, 0x0F, 0x26, 0xF0, 0xFB, 0x1B, 0x40, 0x18, 0xB2, 0x22, 0x27, 1079 0x51, 0x9B, 0x5C, 0xA2, 0xB5, 0x3E, 0x2C, 0xA5, 0xB3, 0xBE, 0x5C, 1080 0xF1, 0x8E, 0xFE, 0x1B, 0xEF, 0x47, 0x38, 0x0C, 0x53, 0x83 }, 1081 "MF8xCzAJBgNVBAYTAkdCMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxNjA0BgNV" 1082 "BAMTLVNlY3RpZ28gUHVibGljIFNlcnZlciBBdXRoZW50aWNhdGlvbiBSb290IEU0" 1083 "Ng==", 1084 "QvLM2htpN0RfFf51KBC49A==", 1085 }, 1086 { 1087 // CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GB 1088 "2.23.140.1.1", 1089 "CA/Browser Forum EV OID", 1090 { 0x7B, 0xB6, 0x47, 0xA6, 0x2A, 0xEE, 0xAC, 0x88, 0xBF, 0x25, 0x7A, 1091 0xA5, 0x22, 0xD0, 0x1F, 0xFE, 0xA3, 0x95, 0xE0, 0xAB, 0x45, 0xC7, 1092 0x3F, 0x93, 0xF6, 0x56, 0x54, 0xEC, 0x38, 0xF2, 0x5A, 0x06 }, 1093 "MF8xCzAJBgNVBAYTAkdCMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxNjA0BgNV" 1094 "BAMTLVNlY3RpZ28gUHVibGljIFNlcnZlciBBdXRoZW50aWNhdGlvbiBSb290IFI0" 1095 "Ng==", 1096 "dY39i658BwD6qSWn4cetFA==", 1097 }, 1098 { 1099 // CN=TrustAsia Global Root CA G3,O="TrustAsia Technologies, Inc.",C=CN 1100 "2.23.140.1.1", 1101 "CA/Browser Forum EV OID", 1102 { 0xE0, 0xD3, 
0x22, 0x6A, 0xEB, 0x11, 0x63, 0xC2, 0xE4, 0x8F, 0xF9, 1103 0xBE, 0x3B, 0x50, 0xB4, 0xC6, 0x43, 0x1B, 0xE7, 0xBB, 0x1E, 0xAC, 1104 0xC5, 0xC3, 0x6B, 0x5D, 0x5E, 0xC5, 0x09, 0x03, 0x9A, 0x08 }, 1105 "MFoxCzAJBgNVBAYTAkNOMSUwIwYDVQQKDBxUcnVzdEFzaWEgVGVjaG5vbG9naWVz" 1106 "LCBJbmMuMSQwIgYDVQQDDBtUcnVzdEFzaWEgR2xvYmFsIFJvb3QgQ0EgRzM=", 1107 "ZPYOZXdhaqs7tOqFhLuxibhxkw8=", 1108 }, 1109 { 1110 // CN=TrustAsia Global Root CA G4,O="TrustAsia Technologies, Inc.",C=CN 1111 "2.23.140.1.1", 1112 "CA/Browser Forum EV OID", 1113 { 0xBE, 0x4B, 0x56, 0xCB, 0x50, 0x56, 0xC0, 0x13, 0x6A, 0x52, 0x6D, 1114 0xF4, 0x44, 0x50, 0x8D, 0xAA, 0x36, 0xA0, 0xB5, 0x4F, 0x42, 0xE4, 1115 0xAC, 0x38, 0xF7, 0x2A, 0xF4, 0x70, 0xE4, 0x79, 0x65, 0x4C }, 1116 "MFoxCzAJBgNVBAYTAkNOMSUwIwYDVQQKDBxUcnVzdEFzaWEgVGVjaG5vbG9naWVz" 1117 "LCBJbmMuMSQwIgYDVQQDDBtUcnVzdEFzaWEgR2xvYmFsIFJvb3QgQ0EgRzQ=", 1118 "TyNkuI6XY57GU4HBdk7LKnQV1tc=", 1119 }, 1120 { 1121 // CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE 1122 "2.23.140.1.1", 1123 "CA/Browser Forum EV OID", 1124 { 0x57, 0x8A, 0xF4, 0xDE, 0xD0, 0x85, 0x3F, 0x4E, 0x59, 0x98, 0xDB, 1125 0x4A, 0xEA, 0xF9, 0xCB, 0xEA, 0x8D, 0x94, 0x5F, 0x60, 0xB6, 0x20, 1126 0xA3, 0x8D, 0x1A, 0x3C, 0x13, 0xB2, 0xBC, 0x7B, 0xA8, 0xE1 }, 1127 "MGMxCzAJBgNVBAYTAkRFMScwJQYDVQQKDB5EZXV0c2NoZSBUZWxla29tIFNlY3Vy" 1128 "aXR5IEdtYkgxKzApBgNVBAMMIlRlbGVrb20gU2VjdXJpdHkgVExTIEVDQyBSb290" 1129 "IDIwMjA=", 1130 "NjqWjMlcsljN0AFdxeVXAA==", 1131 }, 1132 { 1133 // CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE 1134 "2.23.140.1.1", 1135 "CA/Browser Forum EV OID", 1136 { 0xEF, 0xC6, 0x5C, 0xAD, 0xBB, 0x59, 0xAD, 0xB6, 0xEF, 0xE8, 0x4D, 1137 0xA2, 0x23, 0x11, 0xB3, 0x56, 0x24, 0xB7, 0x1B, 0x3B, 0x1E, 0xA0, 1138 0xDA, 0x8B, 0x66, 0x55, 0x17, 0x4E, 0xC8, 0x97, 0x86, 0x46 }, 1139 "MGMxCzAJBgNVBAYTAkRFMScwJQYDVQQKDB5EZXV0c2NoZSBUZWxla29tIFNlY3Vy" 1140 "aXR5IEdtYkgxKzApBgNVBAMMIlRlbGVrb20gU2VjdXJpdHkgVExTIFJTQSBSb290" 1141 "IDIwMjM=", 1142 
"IZxULej27HF3+k7ow3BXlw==", 1143 }, 1144 { 1145 // CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES 1146 "2.23.140.1.1", 1147 "CA/Browser Forum EV OID", 1148 { 0xBE, 0xF2, 0x56, 0xDA, 0xF2, 0x6E, 0x9C, 0x69, 0xBD, 0xEC, 0x16, 1149 0x02, 0x35, 0x97, 0x98, 0xF3, 0xCA, 0xF7, 0x18, 0x21, 0xA0, 0x3E, 1150 0x01, 0x82, 0x57, 0xC5, 0x3C, 0x65, 0x61, 0x7F, 0x3D, 0x4A }, 1151 "MG4xCzAJBgNVBAYTAkVTMRwwGgYDVQQKDBNGaXJtYXByb2Zlc2lvbmFsIFNBMRgw" 1152 "FgYDVQRhDA9WQVRFUy1BNjI2MzQwNjgxJzAlBgNVBAMMHkZJUk1BUFJPRkVTSU9O" 1153 "QUwgQ0EgUk9PVC1BIFdFQg==", 1154 "MZch7a+JQn81QYehZ1ZMbQ==", 1155 }, 1156 { 1157 // CN=SecureSign Root CA12,O="Cybertrust Japan Co., Ltd.",C=JP 1158 "2.23.140.1.1", 1159 "CA/Browser Forum EV OID", 1160 { 0x3F, 0x03, 0x4B, 0xB5, 0x70, 0x4D, 0x44, 0xB2, 0xD0, 0x85, 0x45, 1161 0xA0, 0x20, 0x57, 0xDE, 0x93, 0xEB, 0xF3, 0x90, 0x5F, 0xCE, 0x72, 1162 0x1A, 0xCB, 0xC7, 0x30, 0xC0, 0x6D, 0xDA, 0xEE, 0x90, 0x4E }, 1163 "MFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpDeWJlcnRydXN0IEphcGFuIENvLiwg" 1164 "THRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBSb290IENBMTI=", 1165 "ZvnHwa/swlG07VOX5uaCwysckBY=", 1166 }, 1167 { 1168 // CN=SecureSign Root CA14,O="Cybertrust Japan Co., Ltd.",C=JP 1169 "2.23.140.1.1", 1170 "CA/Browser Forum EV OID", 1171 { 0x4B, 0x00, 0x9C, 0x10, 0x34, 0x49, 0x4F, 0x9A, 0xB5, 0x6B, 0xBA, 1172 0x3B, 0xA1, 0xD6, 0x27, 0x31, 0xFC, 0x4D, 0x20, 0xD8, 0x95, 0x5A, 1173 0xDC, 0xEC, 0x10, 0xA9, 0x25, 0x60, 0x72, 0x61, 0xE3, 0x38 }, 1174 "MFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpDeWJlcnRydXN0IEphcGFuIENvLiwg" 1175 "THRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBSb290IENBMTQ=", 1176 "ZNtaDCBO6Ncpd8hQJ6JaJ90t8ss=", 1177 }, 1178 { 1179 // CN=SecureSign Root CA15,O="Cybertrust Japan Co., Ltd.",C=JP 1180 "2.23.140.1.1", 1181 "CA/Browser Forum EV OID", 1182 { 0xE7, 0x78, 0xF0, 0xF0, 0x95, 0xFE, 0x84, 0x37, 0x29, 0xCD, 0x1A, 1183 0x00, 0x82, 0x17, 0x9E, 0x53, 0x14, 0xA9, 0xC2, 0x91, 0x44, 0x28, 1184 0x05, 0xE1, 0xFB, 0x1D, 0x8F, 0xB6, 0xB8, 0x88, 0x6C, 0x3A }, 1185 
"MFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpDeWJlcnRydXN0IEphcGFuIENvLiwg" 1186 "THRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBSb290IENBMTU=", 1187 "FhXHw9hJp75pDIqI7fBw+d23Poc=", 1188 }, 1189 { 1190 // CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW 1191 "2.23.140.1.1", 1192 "CA/Browser Forum EV OID", 1193 { 0x3F, 0x63, 0xBB, 0x28, 0x14, 0xBE, 0x17, 0x4E, 0xC8, 0xB6, 0x43, 1194 0x9C, 0xF0, 0x8D, 0x6D, 0x56, 0xF0, 0xB7, 0xC4, 0x05, 0x88, 0x3A, 1195 0x56, 0x48, 0xA3, 0x34, 0x42, 0x4D, 0x6B, 0x3E, 0xC5, 0x58 }, 1196 "MFAxCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv" 1197 "b3QgQ0ExGzAZBgNVBAMTElRXQ0EgQ1lCRVIgUm9vdCBDQQ==", 1198 "QAE0jMIAAAAAAAAAATzyxg==", 1199 }, 1200 { 1201 // "CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE" 1202 "2.23.140.1.1", 1203 "CA/Browser Forum EV OID", 1204 { 0x8E, 0x82, 0x21, 0xB2, 0xE7, 0xD4, 0x00, 0x78, 0x36, 0xA1, 0x67, 1205 0x2F, 0x0D, 0xCC, 0x29, 0x9C, 0x33, 0xBC, 0x07, 0xD3, 0x16, 0xF1, 1206 0x32, 0xFA, 0x1A, 0x20, 0x6D, 0x58, 0x71, 0x50, 0xF1, 0xCE }, 1207 "MEgxCzAJBgNVBAYTAkRFMRUwEwYDVQQKEwxELVRydXN0IEdtYkgxIjAgBgNVBAMT" 1208 "GUQtVFJVU1QgRVYgUm9vdCBDQSAyIDIwMjM=", 1209 "aSYJfoBLTKCnjHhiU19abw==", 1210 }, 1211 { 1212 // CN=TrustAsia TLS ECC Root CA,O="TrustAsia Technologies, Inc.",C=CN 1213 "2.23.140.1.1", 1214 "CA/Browser Forum EV OID", 1215 { 0xC0, 0x07, 0x6B, 0x9E, 0xF0, 0x53, 0x1F, 0xB1, 0xA6, 0x56, 0xD6, 1216 0x7C, 0x4E, 0xBE, 0x97, 0xCD, 0x5D, 0xBA, 0xA4, 0x1E, 0xF4, 0x45, 1217 0x98, 0xAC, 0xC2, 0x48, 0x98, 0x78, 0xC9, 0x2D, 0x87, 0x11 }, 1218 "MFgxCzAJBgNVBAYTAkNOMSUwIwYDVQQKExxUcnVzdEFzaWEgVGVjaG5vbG9naWVz" 1219 "LCBJbmMuMSIwIAYDVQQDExlUcnVzdEFzaWEgVExTIEVDQyBSb290IENB", 1220 "NnThTXxlE8msg1UloD5Sfi9QaMc=", 1221 }, 1222 { 1223 // CN=TrustAsia TLS RSA Root CA,O="TrustAsia Technologies, Inc.",C=CN 1224 "2.23.140.1.1", 1225 "CA/Browser Forum EV OID", 1226 { 0x06, 0xC0, 0x8D, 0x7D, 0xAF, 0xD8, 0x76, 0x97, 0x1E, 0xB1, 0x12, 1227 0x4F, 0xE6, 0x7F, 0x84, 0x7E, 0xC0, 0xC7, 0xA1, 0x58, 0xD3, 0xEA, 1228 0x53, 0xCB, 0xE9, 0x40, 0xE2, 
0xEA, 0x97, 0x91, 0xF4, 0xC3 },
    "MFgxCzAJBgNVBAYTAkNOMSUwIwYDVQQKExxUcnVzdEFzaWEgVGVjaG5vbG9naWVz"
    "LCBJbmMuMSIwIAYDVQQDExlUcnVzdEFzaWEgVExTIFJTQSBSb290IENB",
    "HBjYz+VTPyI1RlNUJDxsR9FcSpw=",
  },
  {
    // "CN=OISTE Server Root ECC G1,O=OISTE Foundation,C=CH"
    "2.23.140.1.1",
    "CA/Browser Forum EV OID",
    { 0xee,0xc9,0x97,0xc0,0xc3,0x0f,0x21,0x6f,0x7e,0x3b,0x8b,0x30,0x7d,
      0x2b,0xae,0x42,0x41,0x2d,0x75,0x3f,0xc8,0x21,0x9d,0xaf,0xd1,0x52,
      0x0b,0x25,0x72,0x85,0x0f,0x49 },
    "MEsxCzAJBgNVBAYTAkNIMRkwFwYDVQQKDBBPSVNURSBGb3VuZGF0aW9uMSEwHwYD"
    "VQQDDBhPSVNURSBTZXJ2ZXIgUm9vdCBFQ0MgRzE=",
    "I/nD1jWvjyhLH/BU6n6XnQ==",
  },
  {
    // "CN=OISTE Server Root RSA G1,O=OISTE Foundation,C=CH"
    "2.23.140.1.1",
    "CA/Browser Forum EV OID",
    { 0x9a,0xe3,0x62,0x32,0xa5,0x18,0x9f,0xfd,0xdb,0x35,0x3d,0xfd,0x26,
      0x52,0x0c,0x01,0x53,0x95,0xd2,0x27,0x77,0xda,0xc5,0x9d,0xb5,0x7b,
      0x98,0xc0,0x89,0xa6,0x51,0xe6 },
    "MEsxCzAJBgNVBAYTAkNIMRkwFwYDVQQKDBBPSVNURSBGb3VuZGF0aW9uMSEwHwYD"
    "VQQDDBhPSVNURSBTZXJ2ZXIgUm9vdCBSU0EgRzE=",
    "VaXZZ5Qoxu0M+ifdWwFNGA==",
  }
    // clang-format on
};

// Binary form of each kEVInfos[i].dottedOid, filled in by
// LoadExtendedValidationInfo(). Slot i here belongs to kEVInfos[i].
static pkix::CertPolicyId sEVInfoIds[std::size(kEVInfos)];
static_assert(
    std::size(sEVInfoIds) == std::size(kEVInfos),
    "These arrays are used in parallel and must have the same length.");
// Binary form of the CA/Browser Forum EV policy OID. It is value-initialized
// here and only receives its real contents in LoadExtendedValidationInfo().
static pkix::CertPolicyId sCABForumEVId = {};

// Decides whether the certificate in certBytes is one of the roots listed in
// kEVInfos AND is allowed to assert the given policy.
//
// Both conditions are required: the SHA-256 of certBytes has to equal an
// entry's pinned fingerprint, and the policy has to be either the CA/Browser
// Forum EV OID or the OID recorded for that same entry. Returns false when
// hashing fails, when the digest has an unexpected length, or when no entry
// satisfies both conditions.
//
// NOTE(review): the policy comparison reads sCABForumEVId and sEVInfoIds, so
// this presumably must only be called after LoadExtendedValidationInfo() has
// succeeded - confirm against the callers.
bool CertIsAuthoritativeForEVPolicy(const nsTArray<uint8_t>& certBytes,
                                    const pkix::CertPolicyId& policy) {
  nsTArray<uint8_t> certDigest;
  const nsresult hashResult = Digest::DigestBuf(
      SEC_OID_SHA256, certBytes.Elements(), certBytes.Length(), certDigest);
  if (NS_FAILED(hashResult) || certDigest.Length() != SHA256_LENGTH) {
    return false;
  }

  for (size_t i = 0; i < std::size(kEVInfos); ++i) {
    const EVInfo& candidate = kEVInfos[i];

    // Pinning on the fingerprint is what restricts EV status to the specific
    // roots in the table. A certificate (root or otherwise) that merely
    // carries an OID already approved for EV does not qualify.
    const bool isListedRoot = ArrayEqual(
        &certDigest[0], &candidate.sha256Fingerprint[0], SHA256_LENGTH);

    // No early exit on a fingerprint hit with a different policy: the scan
    // continues, so a later entry with the same fingerprint can still match.
    if (isListedRoot &&
        (policy == sCABForumEVId || policy == sEVInfoIds[i])) {
      return true;
    }
  }

  return false;
}

// Converts the dotted-decimal policy OIDs (the CA/Browser Forum EV OID and
// every kEVInfos[i].dottedOid) into pkix::CertPolicyId values stored in
// sCABForumEVId and sEVInfoIds.
//
// Returns NS_OK on success, NS_ERROR_FAILURE when an OID string cannot be
// converted, and NS_ERROR_UNEXPECTED when an encoded OID is longer than
// pkix::CertPolicyId::MAX_BYTES. DEBUG builds additionally cross-check every
// table entry against the loaded root certificates and can return the
// base64-decoding error or NS_ERROR_FAILURE from that check.
//
// On a failure part-way through the table, the ids written by earlier
// iterations are left in place; nothing is rolled back.
nsresult LoadExtendedValidationInfo() {
  static const char* sCABForumOIDString = "2.23.140.1.1";

  ScopedAutoSECItem cabforumOIDItem;
  const SECStatus cabforumStatus =
      SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0);
  if (cabforumStatus != SECSuccess) {
    return NS_ERROR_FAILURE;
  }
  // Length is checked before the copy below so the encoded OID can never be
  // larger than the limit CertPolicyId declares for itself.
  if (cabforumOIDItem.len > pkix::CertPolicyId::MAX_BYTES) {
    return NS_ERROR_UNEXPECTED;
  }

  sCABForumEVId.numBytes = cabforumOIDItem.len;
  PodCopy(sCABForumEVId.bytes, cabforumOIDItem.data, sCABForumEVId.numBytes);

  for (size_t i = 0; i < std::size(kEVInfos); ++i) {
    const EVInfo& evInfo = kEVInfos[i];

    SECStatus srv;
#ifdef DEBUG
    // Debug-only consistency check: look the root up by issuer and serial
    // number and confirm that its SHA-256 equals the fingerprint in the
    // table. Release builds skip this; a wrong table entry there simply never
    // matches in CertIsAuthoritativeForEVPolicy(), so the result is DV rather
    // than EV.
    nsAutoCString issuerDER;
    nsresult rv =
        Base64Decode(nsDependentCString(evInfo.issuerBase64), issuerDER);
    MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV issuer");
    if (NS_FAILED(rv)) {
      return rv;
    }

    nsAutoCString serialDER;
    rv = Base64Decode(nsDependentCString(evInfo.serialBase64), serialDER);
    MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV serial");
    if (NS_FAILED(rv)) {
      return rv;
    }

    // The lookup key points into the decoded strings above, which stay alive
    // for the rest of this iteration.
    CERTIssuerAndSN issuerAndSerial;
    issuerAndSerial.derIssuer.len = issuerDER.Length();
    issuerAndSerial.derIssuer.data =
        BitwiseCast<unsigned char*, const char*>(issuerDER.get());
    issuerAndSerial.serialNumber.type = siUnsignedInteger;
    issuerAndSerial.serialNumber.len = serialDER.Length();
    issuerAndSerial.serialNumber.data =
        BitwiseCast<unsigned char*, const char*>(serialDER.get());

    UniqueCERTCertificate builtInRoot(
        CERT_FindCertByIssuerAndSN(nullptr, &issuerAndSerial));

    if (builtInRoot) {
      unsigned char rootDigest[SHA256_LENGTH];
      srv = PK11_HashBuf(SEC_OID_SHA256, rootDigest,
                         builtInRoot->derCert.data,
                         AssertedCast<int32_t>(builtInRoot->derCert.len));
      MOZ_ASSERT(srv == SECSuccess, "Could not hash EV root");
      if (srv != SECSuccess) {
        return NS_ERROR_FAILURE;
      }
      bool same = ArrayEqual(rootDigest, evInfo.sha256Fingerprint);
      MOZ_ASSERT(same, "EV root fingerprint mismatch");
      if (!same) {
        return NS_ERROR_FAILURE;
      }
    } else {
      // A missing entry can mean the NSS root database is out of sync with
      // this table (e.g. a different version of system NSS is installed).
      // The debug EV roots occupy indices 0 through NUM_TEST_EV_ROOTS - 1;
      // they are not built-in, so they probably have not been loaded yet and
      // are the only entries allowed to be absent.
      MOZ_ASSERT(i < NUM_TEST_EV_ROOTS, "Could not find built-in EV root");
    }
#endif
    // From here on is the part that actually enables the root for EV: parse
    // the entry's policy OID into its slot of sEVInfoIds.
    ScopedAutoSECItem policyOIDItem;
    srv = SEC_StringToOID(nullptr, &policyOIDItem, evInfo.dottedOid, 0);
    MOZ_ASSERT(srv == SECSuccess, "SEC_StringToOID failed");
    if (srv != SECSuccess) {
      return NS_ERROR_FAILURE;
    }
    // Same length guard as for the CA/Browser Forum OID above.
    if (policyOIDItem.len > pkix::CertPolicyId::MAX_BYTES) {
      return NS_ERROR_UNEXPECTED;
    }
    sEVInfoIds[i].numBytes = policyOIDItem.len;
    PodCopy(sEVInfoIds[i].bytes, policyOIDItem.data, sEVInfoIds[i].numBytes);
  }

  return NS_OK;
}

// Helper for GetKnownEVPolicies(). Compares what is left in idReader with the
// known EV policy OIDs and appends the first one that matches to policies.
// The CA/Browser Forum EV OID is tried first, then the per-root OIDs in table
// order. At most one element is appended; nothing is appended when no known
// OID matches.
void FindMatchingEVPolicy(pkix::Reader& idReader,
                          nsTArray<pkix::CertPolicyId>& policies) {
  // True when candidate's bytes can be wrapped in an Input and equal the
  // remainder of idReader.
  const auto restMatches = [&idReader](const pkix::CertPolicyId& candidate) {
    pkix::Input candidateBytes;
    const pkix::Result initResult =
        candidateBytes.Init(candidate.bytes, candidate.numBytes);
    return initResult == pkix::Success && idReader.MatchRest(candidateBytes);
  };

  if (restMatches(sCABForumEVId)) {
    policies.AppendElement(sCABForumEVId);
    return;
  }

  for (const pkix::CertPolicyId& id : sEVInfoIds) {
    if (restMatches(id)) {
      policies.AppendElement(id);
      return;
    }
  }
}

// Collects the known EV policy OIDs asserted in the certificatePolicies
// extension of the certificate in certBytes and appends them to policies.
//
// The function reports no errors. If the certificate cannot be parsed, has no
// certificatePolicies extension, or the extension is malformed, it returns
// early; policies is never cleared, so entries appended before a parse error
// stay in the list.
//
// NOTE(review): this only lists the policies a certificate claims. Whether a
// root may actually vouch for one of them is a separate question, answered in
// this file by CertIsAuthoritativeForEVPolicy().
void GetKnownEVPolicies(const nsTArray<uint8_t>& certBytes,
                        /*out*/ nsTArray<pkix::CertPolicyId>& policies) {
  pkix::Input certDER;
  pkix::Result rv = certDER.Init(certBytes.Elements(), certBytes.Length());
  if (rv != pkix::Success) {
    return;
  }

  // The certificate is not used for path building here, so the
  // end-entity/CA argument does not matter.
  pkix::BackCert parsedCert(certDER, pkix::EndEntityOrCA::MustBeEndEntity,
                            nullptr);
  rv = parsedCert.Init();
  if (rv != pkix::Success) {
    return;
  }

  const pkix::Input* policiesExtension = parsedCert.GetCertificatePolicies();
  if (!policiesExtension) {
    return;
  }

  pkix::Reader extensionReader(*policiesExtension);
  pkix::Reader policyList;
  // certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
  // PolicyInformation ::= SEQUENCE {
  //   policyIdentifier   CertPolicyId,
  //   ...
  // }
  // CertPolicyId ::= OBJECT IDENTIFIER
  rv = pkix::der::ExpectTagAndGetValue(extensionReader, pkix::der::SEQUENCE,
                                       policyList);
  // Anything after the outer SEQUENCE makes the extension malformed.
  if (rv != pkix::Success || !extensionReader.AtEnd()) {
    return;
  }

  // The sequence must hold at least one PolicyInformation, so the first
  // element is read before the end-of-input test.
  for (;;) {
    pkix::Reader policyInfo;
    rv = pkix::der::ExpectTagAndGetValue(policyList, pkix::der::SEQUENCE,
                                         policyInfo);
    if (rv != pkix::Success) {
      return;
    }

    pkix::Reader policyIdentifier;
    rv = pkix::der::ExpectTagAndGetValue(policyInfo, pkix::der::OIDTag,
                                         policyIdentifier);
    if (rv != pkix::Success) {
      return;
    }

    // Policy qualifiers (the rest of policyInfo) are not validated here.
    FindMatchingEVPolicy(policyIdentifier, policies);

    if (policyList.AtEnd()) {
      break;
    }
  }
}

}  // namespace psm
}  // namespace mozilla