Sync pki to chromium 8049b24a3fa617e66c5d3fc0e9322bb07c500f49
Change-Id: Ib65febca30ce312f2c8fd6d6dbc85f24987b50d8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62245
Auto-Submit: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/pki/cert_net_fetcher.h b/pki/cert_net_fetcher.h
deleted file mode 100644
index 27341ae..0000000
--- a/pki/cert_net_fetcher.h
+++ /dev/null
@@ -1,98 +0,0 @@
-// Copyright 2015 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BSSL_PKI_CERT_NET_FETCHER_H_
-#define BSSL_PKI_CERT_NET_FETCHER_H_
-
-#include "webutil/url/url.h"
-#include "fillins/openssl_util.h"
-#include <stdint.h>
-
-#include <memory>
-#include <vector>
-
-#include <memory>
-#include "fillins/log.h"
-#include "fillins/net_errors.h"
-
-
-
-class URL;
-
-namespace bssl {
-
-// CertNetFetcher is a synchronous interface for fetching AIA URLs and CRL
-// URLs. It is shared between a caller thread (which starts and waits for
-// fetches), and a network thread (which does the actual fetches). It can be
-// shutdown from the network thread to cancel outstanding requests.
-//
-// A Request object is returned when starting a fetch. The consumer can
-// use this as a handle for aborting the request (by freeing it), or reading
-// the result of the request (WaitForResult)
-class OPENSSL_EXPORT CertNetFetcher
- {
- public:
- class Request {
- public:
- virtual ~Request() = default;
-
- // WaitForResult() can be called at most once.
- //
- // It will block and wait for the (network) request to complete, and
- // then write the result into the provided out-parameters.
- virtual void WaitForResult(Error* error, std::vector<uint8_t>* bytes) = 0;
- };
-
- // This value can be used in place of timeout or max size limits.
- enum { DEFAULT = -1 };
-
- CertNetFetcher() = default;
-
- CertNetFetcher(const CertNetFetcher&) = delete;
- CertNetFetcher& operator=(const CertNetFetcher&) = delete;
-
- // Shuts down the CertNetFetcher and cancels outstanding network requests. It
- // is not guaranteed that any outstanding or subsequent
- // Request::WaitForResult() calls will be completed. Shutdown() must be called
- // from the network thread. It can be called more than once, but must be
- // called before the CertNetFetcher is destroyed.
- virtual void Shutdown() = 0;
-
- // The Fetch*() methods start a request which can be cancelled by
- // deleting the returned Request. Here is the meaning of the common
- // parameters:
- //
- // * url -- The http:// URL to fetch.
- // * timeout_seconds -- The maximum allowed duration for the fetch job. If
- // this delay is exceeded then the request will fail. To use a default
- // timeout pass DEFAULT.
- // * max_response_bytes -- The maximum size of the response body. If this
- // size is exceeded then the request will fail. To use a default timeout
- // pass DEFAULT.
-
- [[nodiscard]] virtual std::unique_ptr<Request> FetchCaIssuers(
- const URL& url,
- int timeout_milliseconds,
- int max_response_bytes) = 0;
-
- [[nodiscard]] virtual std::unique_ptr<Request> FetchCrl(
- const URL& url,
- int timeout_milliseconds,
- int max_response_bytes) = 0;
-
- [[nodiscard]] virtual std::unique_ptr<Request> FetchOcsp(
- const URL& url,
- int timeout_milliseconds,
- int max_response_bytes) = 0;
-
- protected:
- virtual ~CertNetFetcher() = default;
-
- private:
-
-};
-
-} // namespace net
-
-#endif // BSSL_PKI_CERT_NET_FETCHER_H_
diff --git a/pki/certificate_policies_unittest.cc b/pki/certificate_policies_unittest.cc
index af9332c..fcf10b8 100644
--- a/pki/certificate_policies_unittest.cc
+++ b/pki/certificate_policies_unittest.cc
@@ -44,7 +44,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@@ -54,7 +54,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@@ -64,7 +64,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]);
@@ -76,7 +76,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(kAnyPolicyOid), policies[0]);
@@ -90,7 +90,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@@ -100,7 +100,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@@ -112,7 +112,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(1U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@@ -125,7 +125,7 @@
std::vector<der::Input> policies;
CertErrors errors;
bool result = ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors);
if (fail_parsing_unknown_qualifier_oids()) {
@@ -144,7 +144,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@@ -156,7 +156,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@@ -168,7 +168,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@@ -180,7 +180,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_FALSE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
}
@@ -190,7 +190,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(2U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@@ -203,7 +203,7 @@
std::vector<der::Input> policies;
CertErrors errors;
EXPECT_TRUE(ParseCertificatePoliciesExtensionOids(
- der::Input(&der), fail_parsing_unknown_qualifier_oids(), &policies,
+ der::Input(der), fail_parsing_unknown_qualifier_oids(), &policies,
&errors));
ASSERT_EQ(2U, policies.size());
EXPECT_EQ(der::Input(policy_1_2_3_der), policies[0]);
@@ -216,7 +216,7 @@
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_FALSE(
- ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+ ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
}
TEST(ParseCertificatePoliciesExtensionTest,
@@ -226,7 +226,7 @@
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_FALSE(
- ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+ ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
}
TEST(ParseCertificatePoliciesExtensionTest, OnePolicyWithCustomQualifier) {
@@ -235,7 +235,7 @@
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_TRUE(
- ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+ ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(1U, policies.size());
PolicyInformation& policy = policies[0];
EXPECT_EQ(der::Input(policy_1_2_3_der), policy.policy_oid);
@@ -256,7 +256,7 @@
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_TRUE(
- ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+ ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(2U, policies.size());
{
PolicyInformation& policy = policies[0];
@@ -276,7 +276,7 @@
std::vector<PolicyInformation> policies;
CertErrors errors;
EXPECT_TRUE(
- ParseCertificatePoliciesExtension(der::Input(&der), &policies, &errors));
+ ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(2U, policies.size());
{
PolicyInformation& policy = policies[0];
diff --git a/pki/crl.cc b/pki/crl.cc
index ff3e704..99eb359 100644
--- a/pki/crl.cc
+++ b/pki/crl.cc
@@ -467,8 +467,9 @@
std::string normalized_crl_issuer;
if (!NormalizeNameTLV(tbs_cert_list.issuer_tlv, &normalized_crl_issuer))
return CRLRevocationStatus::UNKNOWN;
- if (der::Input(&normalized_crl_issuer) != target_cert->normalized_issuer())
+ if (der::Input(normalized_crl_issuer) != target_cert->normalized_issuer()) {
return CRLRevocationStatus::UNKNOWN;
+ }
if (tbs_cert_list.crl_extensions_tlv.has_value()) {
std::map<der::Input, ParsedExtension> extensions;
@@ -584,8 +585,10 @@
//
// As the |issuer_cert| is from the already validated chain, it is already
// known to chain to the same trust anchor as the target certificate.
- if (der::Input(&normalized_crl_issuer) != issuer_cert->normalized_subject())
+ if (der::Input(normalized_crl_issuer) !=
+ issuer_cert->normalized_subject()) {
continue;
+ }
// 6.3.3 (f) If a key usage extension is present in the CRL issuer's
// certificate, verify that the cRLSign bit is set.
diff --git a/pki/fillins/log.h b/pki/fillins/log.h
index 74007ec..f0bbe61 100644
--- a/pki/fillins/log.h
+++ b/pki/fillins/log.h
@@ -17,8 +17,10 @@
#if defined(_BORINGSSL_LIBPKI_VERBOSE_)
#define DVLOG(l) std::cerr
+#define LOG(l) std::cerr
#else
#define DVLOG(l) 0 && std::cerr
+#define LOG(l) 0 && std::cerr
#endif // _BORINGSSL_LIBPKI_VERBOSE_
#endif // BSSL_FILLINS_LOG_H_
diff --git a/pki/general_names_unittest.cc b/pki/general_names_unittest.cc
index 0f7754d..2c04e7b 100644
--- a/pki/general_names_unittest.cc
+++ b/pki/general_names_unittest.cc
@@ -44,7 +44,7 @@
ASSERT_TRUE(
LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der));
CertErrors errors;
- EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors));
+ EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors));
}
TEST(GeneralNames, OtherName) {
@@ -53,7 +53,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_OTHER_NAME, general_names->present_name_types);
const uint8_t expected_der[] = {0x06, 0x04, 0x2a, 0x03, 0x04, 0x05,
@@ -68,7 +68,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->rfc822_names.size());
@@ -80,7 +80,7 @@
ASSERT_TRUE(LoadTestSubjectAltNameData("san-rfc822name.pem", &san_der));
ReplaceFirstSubstring(&san_der, "foo@example.com", "f\xF6\xF6@example.com");
CertErrors errors;
- EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
+ EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
}
TEST(GeneralNames, DnsName) {
@@ -89,7 +89,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_DNS_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->dns_names.size());
@@ -101,7 +101,7 @@
ASSERT_TRUE(LoadTestSubjectAltNameData("san-dnsname.pem", &san_der));
ReplaceFirstSubstring(&san_der, "foo.example.com", "f\xF6\xF6.example.com");
CertErrors errors;
- EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
+ EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
}
TEST(GeneralNames, X400Address) {
@@ -110,7 +110,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->x400_addresses.size());
@@ -125,7 +125,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->directory_names.size());
@@ -140,7 +140,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, general_names->present_name_types);
ASSERT_EQ(1U, general_names->edi_party_names.size());
@@ -154,7 +154,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
general_names->present_name_types);
@@ -169,7 +169,7 @@
ReplaceFirstSubstring(&san_der, "http://example.com",
"http://ex\xE4mple.com");
CertErrors errors;
- EXPECT_FALSE(GeneralNames::Create(der::Input(&san_der), &errors));
+ EXPECT_FALSE(GeneralNames::Create(der::Input(san_der), &errors));
}
TEST(GeneralNames, IPAddress_v4) {
@@ -178,7 +178,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
@@ -192,7 +192,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
@@ -207,7 +207,7 @@
ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem",
&invalid_san_der));
CertErrors errors;
- EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der), &errors));
+ EXPECT_FALSE(GeneralNames::Create(der::Input(invalid_san_der), &errors));
}
TEST(GeneralNames, RegisteredIDs) {
@@ -216,7 +216,7 @@
CertErrors errors;
std::unique_ptr<GeneralNames> general_names =
- GeneralNames::Create(der::Input(&san_der), &errors);
+ GeneralNames::Create(der::Input(san_der), &errors);
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, general_names->present_name_types);
ASSERT_EQ(1U, general_names->registered_ids.size());
diff --git a/pki/import_spec.json b/pki/import_spec.json
index f81c87a..f6617cd 100644
--- a/pki/import_spec.json
+++ b/pki/import_spec.json
@@ -244,7 +244,6 @@
"files": [
"net/cert/asn1_util.h",
"net/cert/asn1_util.cc",
- "net/cert/cert_net_fetcher.h",
"net/cert/cert_status_flags.h",
"net/cert/cert_status_flags_list.h",
"net/cert/cert_verify_proc_blocklist.inc",
diff --git a/pki/input.cc b/pki/input.cc
index cf83201..d8e9391 100644
--- a/pki/input.cc
+++ b/pki/input.cc
@@ -10,21 +10,17 @@
namespace bssl::der {
-Input::Input(std::string_view in)
- : data_(reinterpret_cast<const uint8_t*>(in.data())), len_(in.length()) {}
-
-Input::Input(const std::string* s) : Input(std::string_view(*s)) {}
-
std::string Input::AsString() const {
- return std::string(reinterpret_cast<const char*>(data_), len_);
+ return std::string(reinterpret_cast<const char*>(data_.data()), data_.size());
}
std::string_view Input::AsStringView() const {
- return std::string_view(reinterpret_cast<const char*>(data_), len_);
+ return std::string_view(reinterpret_cast<const char*>(data_.data()),
+ data_.size());
}
bssl::Span<const uint8_t> Input::AsSpan() const {
- return bssl::MakeSpan(data_, len_);
+ return data_;
}
bool operator==(const Input& lhs, const Input& rhs) {
diff --git a/pki/input.h b/pki/input.h
index 14a1fef..e0dff1f 100644
--- a/pki/input.h
+++ b/pki/input.h
@@ -10,10 +10,11 @@
#include <stdint.h>
#include <string>
+#include <string_view>
+
#include <openssl/span.h>
-
namespace bssl::der {
// An opaque class that represents a fixed buffer of data of a fixed length,
@@ -31,30 +32,30 @@
// Creates an empty Input, one from which no data can be read.
constexpr Input() = default;
- // Creates an Input from a constant array |data|.
- template <size_t N>
- constexpr explicit Input(const uint8_t (&data)[N]) : data_(data), len_(N) {}
+ // Creates an Input from a span. The constructed Input is only valid as long
+ // as |data| points to live memory. If constructed from, say, a
+ // |std::vector<uint8_t>|, mutating the vector will invalidate the Input.
+ constexpr explicit Input(bssl::Span<const uint8_t> data) : data_(data) {}
// Creates an Input from the given |data| and |len|.
constexpr explicit Input(const uint8_t* data, size_t len)
- : data_(data), len_(len) {}
+ : data_(bssl::MakeConstSpan(data, len)) {}
- // Creates an Input from a std::string_view
- explicit Input(std::string_view sp);
-
- // Creates an Input from a std::string. The lifetimes are a bit subtle when
- // using this function: The constructed Input is only valid so long as |s| is
- // still alive and not mutated.
- explicit Input(const std::string* s);
+ // Creates an Input from a std::string_view. The constructed Input is only
+ // valid as long as |data| points to live memory. If constructed from, say, a
+ // |std::string|, mutating the vector will invalidate the Input.
+ explicit Input(std::string_view str)
+ : data_(bssl::MakeConstSpan(reinterpret_cast<const uint8_t*>(str.data()),
+ str.size())) {}
// Returns the length in bytes of an Input's data.
- constexpr size_t Length() const { return len_; }
+ constexpr size_t Length() const { return data_.size(); }
// Returns a pointer to the Input's data. This method is marked as "unsafe"
// because access to the Input's data should be done through ByteReader
// instead. This method should only be used where using a ByteReader truly
// is not an option.
- constexpr const uint8_t* UnsafeData() const { return data_; }
+ constexpr const uint8_t* UnsafeData() const { return data_.data(); }
// Returns a copy of the data represented by this object as a std::string.
std::string AsString() const;
@@ -64,21 +65,13 @@
// this Input.
std::string_view AsStringView() const;
- // Returns a bssl::Span pointing to the same data as the Input. The resulting
- // bssl::Span must not outlive the data that was used to construct this
- // Input.
+ // Returns a span pointing to the same data as the Input. The resulting span
+ // must not outlive the data that was used to construct this Input.
bssl::Span<const uint8_t> AsSpan() const;
private:
- // This constructor is deleted to prevent constructing an Input from a
- // std::string r-value. Since the Input points to memory owned by another
- // object, such an Input would point to invalid memory. Without this deleted
- // constructor, a std::string could be passed in to the std::string_view
- // constructor because of std::string_view's implicit constructor.
- Input(std::string) = delete;
-
- const uint8_t* data_ = nullptr;
- size_t len_ = 0;
+ // TODO(crbug.com/770501): Replace this type with span altogether.
+ bssl::Span<const uint8_t> data_;
};
// Return true if |lhs|'s data and |rhs|'s data are byte-wise equal.
diff --git a/pki/name_constraints.cc b/pki/name_constraints.cc
index 6dbe2fb..eba142d 100644
--- a/pki/name_constraints.cc
+++ b/pki/name_constraints.cc
@@ -653,19 +653,26 @@
}
bool NameConstraints::IsPermittedIP(const fillins::IPAddress& ip) const {
+ // fillins::IPAddressMatchesPrefix internally maps v4 addresses to/from v6 on type
+ // mismatch. We don't wish to do this, so check the sizes match first.
for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) {
- if (fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second))
+ if (ip.size() == excluded_ip.first.size() &&
+ fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) {
return false;
+ }
}
// If permitted subtrees are not constrained, any name that is not excluded is
// allowed.
- if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS))
+ if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_IP_ADDRESS)) {
return true;
+ }
for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) {
- if (fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second))
+ if (ip.size() == permitted_ip.first.size() &&
+ fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) {
return true;
+ }
}
return false;
diff --git a/pki/name_constraints_unittest.cc b/pki/name_constraints_unittest.cc
index 6d6a121..1fe58ed 100644
--- a/pki/name_constraints_unittest.cc
+++ b/pki/name_constraints_unittest.cc
@@ -10,7 +10,6 @@
#include "common_cert_errors.h"
#include "test_helpers.h"
#include <gtest/gtest.h>
-#include <gtest/gtest.h>
namespace bssl {
namespace {
@@ -49,12 +48,14 @@
std::string* result_der) {
::testing::AssertionResult load_result =
LoadTestSubjectAltNameData(basename, result_der);
- if (!load_result)
+ if (!load_result) {
return load_result;
+ }
CertErrors errors;
- *result = GeneralNames::Create(der::Input(result_der), &errors);
- if (!*result)
+ *result = GeneralNames::Create(der::Input(*result_der), &errors);
+ if (!*result) {
return ::testing::AssertionFailure() << "Create failed";
+ }
return ::testing::AssertionSuccess();
}
@@ -92,7 +93,7 @@
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
@@ -181,7 +182,7 @@
ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Matches permitted exactly.
@@ -212,7 +213,7 @@
LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// A permitted dNSName constraint of ".bar.com" should only match subdomains
@@ -230,7 +231,7 @@
LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// An excluded dNSName constraint of ".bar.com" should only match subdomains
@@ -247,7 +248,7 @@
ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// A dNSName constraint of ".." isn't meaningful. Shouldn't match anything.
@@ -263,7 +264,7 @@
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Only "excluded.permitted.example.com" is excluded, and since permitted is
@@ -283,7 +284,7 @@
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// "permitted.example.com" is in the permitted section, but since "" is
@@ -301,7 +302,7 @@
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// "." is excluded, which should match nothing.
@@ -320,7 +321,7 @@
a.replace(replace_location, 1, 1, -1);
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
}
TEST_P(ParseNameConstraints, DirectoryNames) {
@@ -347,49 +348,49 @@
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Not in any permitted subtree.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_ca)));
+ SequenceValueFromString(name_ca)));
// Within the permitted C=US subtree.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us)));
+ SequenceValueFromString(name_us)));
// Within the permitted C=US subtree.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us_az)));
+ SequenceValueFromString(name_us_az)));
// Within the permitted C=US subtree, however the excluded C=US,ST=California
// subtree takes priority.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us_ca)));
+ SequenceValueFromString(name_us_ca)));
// Within the permitted C=US subtree as well as the permitted
// C=US,ST=California,L=Mountain View subtree, however the excluded
// C=US,ST=California subtree still takes priority.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us_ca_mountain_view)));
+ SequenceValueFromString(name_us_ca_mountain_view)));
// Not in any permitted subtree, and also inside the extraneous excluded C=DE
// subtree.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_de)));
+ SequenceValueFromString(name_de)));
// Not in any permitted subtree.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_jp)));
+ SequenceValueFromString(name_jp)));
// Within the permitted C=JP,ST=Tokyo subtree.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_jp_tokyo)));
+ SequenceValueFromString(name_jp_tokyo)));
EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
name_constraints->constrained_name_types());
// Within the permitted C=US subtree.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us),
+ SequenceValueFromString(name_us),
nullptr /* subject_alt_names */));
// Within the permitted C=US subtree, however the excluded C=US,ST=California
// subtree takes priority.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_ca),
+ SequenceValueFromString(name_us_ca),
nullptr /* subject_alt_names */));
std::string san_der;
@@ -417,7 +418,7 @@
LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_empty;
@@ -433,13 +434,13 @@
// Only "C=US,ST=California" is excluded, and since permitted is empty,
// any directoryName outside that is allowed.
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_empty)));
+ SequenceValueFromString(name_empty)));
EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us)));
+ SequenceValueFromString(name_us)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us_ca)));
+ SequenceValueFromString(name_us_ca)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us_ca_mountain_view)));
+ SequenceValueFromString(name_us_ca_mountain_view)));
}
TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
@@ -448,7 +449,7 @@
LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_empty;
@@ -466,22 +467,22 @@
// "C=US" is in the permitted section, but since an empty
// directoryName is excluded, nothing is permitted.
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_empty)));
+ SequenceValueFromString(name_empty)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us)));
+ SequenceValueFromString(name_us)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_us_ca)));
+ SequenceValueFromString(name_us_ca)));
EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
- SequenceValueFromString(&name_jp)));
+ SequenceValueFromString(name_jp)));
}
-TEST_P(ParseNameConstraints, IPAdresses) {
+TEST_P(ParseNameConstraints, IPAddresses) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// IPv4 tests:
@@ -597,13 +598,13 @@
IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
}
-TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
+TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
@@ -614,13 +615,13 @@
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
}
-TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
+TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
// 192.168.0.0/255.255.0.0 and
@@ -634,13 +635,13 @@
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
}
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@@ -651,13 +652,13 @@
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
}
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@@ -669,13 +670,13 @@
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
}
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@@ -686,13 +687,13 @@
name_constraints->IsPermittedIP(fillins::IPAddress(0xFF, 0xFF, 0xFF, 0xFF)));
}
-TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
+TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(
- NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
@@ -700,32 +701,65 @@
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
}
-TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) {
+TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
}
-TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) {
+TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidMaskNotContiguous) {
std::string a;
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_1.pem", &a));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_2.pem", &a));
- EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_3.pem", &a));
- EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(LoadTestNameConstraint(
"ipaddress-invalid_mask_not_contiguous_4.pem", &a));
- EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
+ EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
+}
+
+// Test that v4/v6 mapping is not applied when evaluating name constraints.
+TEST_P(ParseNameConstraints, IPAddressesMapped) {
+ std::string a;
+ ASSERT_TRUE(LoadTestNameConstraint("ipaddress-mapped_addrs.pem", &a));
+
+ CertErrors errors;
+ std::unique_ptr<NameConstraints> name_constraints(
+ NameConstraints::Create(der::Input(a), is_critical(), &errors));
+ ASSERT_TRUE(name_constraints);
+
+ // 192.168.1.0/24 is a permitted subtree.
+ EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 0)));
+ // This does not cover ::ffff:192.168.1.0.
+ EXPECT_FALSE(name_constraints->IsPermittedIP(
+ fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0)));
+ // 192.168.1.1 is excluded.
+ EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
+ // ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
+ EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
+
+ // ::ffff:192.168.2.0/120 is a permitted subtree.
+ EXPECT_TRUE(name_constraints->IsPermittedIP(
+ fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0)));
+ // This does not cover 192.168.2.0.
+ EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 2, 0)));
+ // ::ffff:192.168.2.1 is excluded.
+ EXPECT_FALSE(name_constraints->IsPermittedIP(
+ fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1)));
+ // 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
+ EXPECT_TRUE(name_constraints->IsPermittedIP(
+ fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2)));
}
TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
@@ -734,7 +768,7 @@
LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -757,7 +791,7 @@
LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -780,7 +814,7 @@
LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -842,7 +876,7 @@
LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -892,7 +926,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -951,7 +985,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1000,7 +1034,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1050,7 +1084,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1100,7 +1134,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1138,7 +1172,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1177,7 +1211,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1202,7 +1236,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1227,7 +1261,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1257,7 +1291,7 @@
LoadTestNameConstraint("rfc822name-excluded-ipv4.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
@@ -1288,7 +1322,7 @@
LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string san_der;
@@ -1306,7 +1340,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string san_der;
@@ -1325,7 +1359,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string san_der;
@@ -1345,7 +1379,7 @@
LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1368,7 +1402,7 @@
LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1391,7 +1425,7 @@
LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1414,7 +1448,7 @@
LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1436,7 +1470,7 @@
ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1458,7 +1492,7 @@
ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1481,7 +1515,7 @@
LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1504,7 +1538,7 @@
LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
if (is_critical()) {
@@ -1530,7 +1564,7 @@
// could be changed to allowed if there are buggy encoders out there that
// include it anyway.
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1539,7 +1573,7 @@
ASSERT_TRUE(
LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1549,7 +1583,7 @@
ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
&constraints_der));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1558,7 +1592,7 @@
ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
&constraints_der));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1566,14 +1600,14 @@
std::string constraints_der;
ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
std::string constraints_der = "";
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1582,7 +1616,7 @@
ASSERT_TRUE(
LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1591,7 +1625,7 @@
ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
&constraints_der));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1600,7 +1634,7 @@
ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
&constraints_der));
CertErrors errors;
- EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
+ EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
is_critical(), &errors));
}
@@ -1610,7 +1644,7 @@
ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@@ -1618,14 +1652,14 @@
// Name constraints don't contain rfc822Name, so emailAddress in subject is
// allowed regardless.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
// Name constraints don't contain rfc822Name, so emailAddress in subject is
// allowed regardless.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@@ -1635,7 +1669,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@@ -1644,21 +1678,21 @@
// Name constraints contain rfc822Name, and the address matches the
// constraint (which is all addresses on the hostname.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
// The bytes of the name string match, but the string type is VISIBLESTRING
// which is not supported, so this should fail.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
// Subject contains multiple rfc822Names, and they all match the constraint
// (which is all addresses on the hostname.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@@ -1668,7 +1702,7 @@
LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@@ -1677,21 +1711,21 @@
// Name constraints contain rfc822Name, and the address does not match the
// constraint.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
// Address is a case-insensitive match, but name constraints (permitted) are
// case-sensitive, so this fails.
ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
// Subject contains multiple rfc822Names, and only the first one matches the
// constraint.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@@ -1701,7 +1735,7 @@
LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name;
@@ -1710,21 +1744,21 @@
// Name constraints contain excluded rfc822Name, and the address does not
// match the constraint.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
// Name constraints for excluded are done case-insensitive in the local part,
// so this is not allowed.
ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
// Subject contains multiple rfc822Names, and one of them is excluded by the
// constraint.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name),
+ SequenceValueFromString(name),
/*subject_alt_names=*/nullptr));
}
@@ -1737,7 +1771,7 @@
&constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_us_az_foocom;
@@ -1746,7 +1780,7 @@
// (The commonName hostname is not within permitted dNSName constraints, so
// this would not be permitted if hostnames in commonName were checked.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_az_foocom),
+ SequenceValueFromString(name_us_az_foocom),
nullptr /* subject_alt_names */));
std::string name_us_az_permitted;
@@ -1756,7 +1790,7 @@
// permitted dNSName constraints, so this should be permitted regardless if
// hostnames in commonName are checked or not.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_az_permitted),
+ SequenceValueFromString(name_us_az_permitted),
nullptr /* subject_alt_names */));
std::string name_us_ca_permitted;
@@ -1766,7 +1800,7 @@
// this should not be allowed, regardless of checking the
// permitted.example.com in commonName.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_ca_permitted),
+ SequenceValueFromString(name_us_ca_permitted),
nullptr /* subject_alt_names */));
}
@@ -1779,7 +1813,7 @@
"directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
CertErrors errors;
std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
- der::Input(&constraints_der), is_critical(), &errors));
+ der::Input(constraints_der), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
std::string name_us_az_1_1_1_1;
@@ -1788,7 +1822,7 @@
// (The commonName IP address is not within permitted iPAddresses constraints,
// so this would not be permitted if IP addresses in commonName were checked.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_az_1_1_1_1),
+ SequenceValueFromString(name_us_az_1_1_1_1),
nullptr /* subject_alt_names */));
std::string name_us_az_192_168_1_1;
@@ -1798,7 +1832,7 @@
// permitted iPAddress constraints, so this should be permitted regardless if
// IP addresses in commonName are checked or not.
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_az_192_168_1_1),
+ SequenceValueFromString(name_us_az_192_168_1_1),
nullptr /* subject_alt_names */));
std::string name_us_ca_192_168_1_1;
@@ -1808,7 +1842,7 @@
// this should not be allowed, regardless of checking the
// IP address in commonName.
EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_ca_192_168_1_1),
+ SequenceValueFromString(name_us_ca_192_168_1_1),
nullptr /* subject_alt_names */));
std::string name_us_az_ipv6;
@@ -1817,7 +1851,7 @@
// (The commonName is an ipv6 address which wasn't supported in the past, but
// since commonName checking is ignored entirely, this is permitted.)
EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
- SequenceValueFromString(&name_us_az_ipv6),
+ SequenceValueFromString(name_us_az_ipv6),
nullptr /* subject_alt_names */));
}
diff --git a/pki/ocsp.h b/pki/ocsp.h
index c5bbd89..496378b 100644
--- a/pki/ocsp.h
+++ b/pki/ocsp.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_OCSP_H_
#define BSSL_PKI_OCSP_H_
-#include "webutil/url/url.h"
#include "fillins/openssl_util.h"
+#include "webutil/url/url.h"
#include <memory>
#include <vector>
diff --git a/pki/ocsp_unittest.cc b/pki/ocsp_unittest.cc
index 80137ff..32fc1f3 100644
--- a/pki/ocsp_unittest.cc
+++ b/pki/ocsp_unittest.cc
@@ -175,8 +175,7 @@
std::vector<uint8_t> encoded_request;
ASSERT_TRUE(CreateOCSPRequest(cert.get(), issuer.get(), &encoded_request));
- EXPECT_EQ(der::Input(encoded_request.data(), encoded_request.size()),
- der::Input(&request_data));
+ EXPECT_EQ(der::Input(encoded_request), der::Input(request_data));
}
std::string_view kGetURLTestParams[] = {
diff --git a/pki/parse_certificate_unittest.cc b/pki/parse_certificate_unittest.cc
index 196d401..fc79ca3 100644
--- a/pki/parse_certificate_unittest.cc
+++ b/pki/parse_certificate_unittest.cc
@@ -63,7 +63,7 @@
der::BitString signature_value;
CertErrors errors;
bool actual_result =
- ParseCertificate(der::Input(&data), &tbs_certificate_tlv,
+ ParseCertificate(der::Input(data), &tbs_certificate_tlv,
&signature_algorithm_tlv, &signature_value, &errors);
EXPECT_EQ(expected_result, actual_result);
@@ -72,10 +72,10 @@
// Ensure that the parsed certificate matches expectations.
if (expected_result && actual_result) {
EXPECT_EQ(0, signature_value.unused_bits());
- EXPECT_EQ(der::Input(&expected_signature), signature_value.bytes());
- EXPECT_EQ(der::Input(&expected_signature_algorithm),
+ EXPECT_EQ(der::Input(expected_signature), signature_value.bytes());
+ EXPECT_EQ(der::Input(expected_signature_algorithm),
signature_algorithm_tlv);
- EXPECT_EQ(der::Input(&expected_tbs_certificate), tbs_certificate_tlv);
+ EXPECT_EQ(der::Input(expected_tbs_certificate), tbs_certificate_tlv);
}
}
@@ -167,7 +167,7 @@
ParsedTbsCertificate parsed;
CertErrors errors;
bool actual_result =
- ParseTbsCertificate(der::Input(&data), {}, &parsed, &errors);
+ ParseTbsCertificate(der::Input(data), {}, &parsed, &errors);
EXPECT_EQ(expected_result, actual_result);
VerifyCertErrors(expected_errors, errors, test_file_path);
@@ -178,36 +178,36 @@
// Ensure that the ParsedTbsCertificate matches expectations.
EXPECT_EQ(expected_version, parsed.version);
- EXPECT_EQ(der::Input(&expected_serial_number), parsed.serial_number);
- EXPECT_EQ(der::Input(&expected_signature_algorithm),
+ EXPECT_EQ(der::Input(expected_serial_number), parsed.serial_number);
+ EXPECT_EQ(der::Input(expected_signature_algorithm),
parsed.signature_algorithm_tlv);
- EXPECT_EQ(der::Input(&expected_issuer), parsed.issuer_tlv);
+ EXPECT_EQ(der::Input(expected_issuer), parsed.issuer_tlv);
// In the test expectations PEM file, validity is described as a
// textual string of the parsed value (rather than as DER).
EXPECT_EQ(expected_validity_not_before, ToString(parsed.validity_not_before));
EXPECT_EQ(expected_validity_not_after, ToString(parsed.validity_not_after));
- EXPECT_EQ(der::Input(&expected_subject), parsed.subject_tlv);
- EXPECT_EQ(der::Input(&expected_spki), parsed.spki_tlv);
+ EXPECT_EQ(der::Input(expected_subject), parsed.subject_tlv);
+ EXPECT_EQ(der::Input(expected_spki), parsed.spki_tlv);
EXPECT_EQ(!expected_issuer_unique_id.empty(),
parsed.issuer_unique_id.has_value());
if (parsed.issuer_unique_id.has_value()) {
- EXPECT_EQ(der::Input(&expected_issuer_unique_id),
+ EXPECT_EQ(der::Input(expected_issuer_unique_id),
parsed.issuer_unique_id->bytes());
}
EXPECT_EQ(!expected_subject_unique_id.empty(),
parsed.subject_unique_id.has_value());
if (parsed.subject_unique_id.has_value()) {
- EXPECT_EQ(der::Input(&expected_subject_unique_id),
+ EXPECT_EQ(der::Input(expected_subject_unique_id),
parsed.subject_unique_id->bytes());
}
EXPECT_EQ(!expected_extensions.empty(), parsed.extensions_tlv.has_value());
if (parsed.extensions_tlv) {
- EXPECT_EQ(der::Input(&expected_extensions), parsed.extensions_tlv.value());
+ EXPECT_EQ(der::Input(expected_extensions), parsed.extensions_tlv.value());
}
}
@@ -1008,7 +1008,7 @@
file_name;
EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
- return ParseAuthorityKeyIdentifier(der::Input(backing_bytes),
+ return ParseAuthorityKeyIdentifier(der::Input(*backing_bytes),
authority_key_identifier);
}
diff --git a/pki/parse_name_unittest.cc b/pki/parse_name_unittest.cc
index a3585bb..fec2e07 100644
--- a/pki/parse_name_unittest.cc
+++ b/pki/parse_name_unittest.cc
@@ -201,7 +201,7 @@
ASSERT_TRUE(
LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid));
RDNSequence atv;
- ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+ ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameEmpty) {
@@ -209,7 +209,7 @@
ASSERT_TRUE(
LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid));
RDNSequence atv;
- ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+ ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameBadType) {
@@ -217,7 +217,7 @@
ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue",
"badAttributeType", &invalid));
RDNSequence atv;
- ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+ ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameNotSequence) {
@@ -225,21 +225,21 @@
ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue", "setNotSequence",
&invalid));
RDNSequence atv;
- ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+ ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameNotSet) {
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid));
RDNSequence atv;
- ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+ ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, InvalidNameEmptyRdn) {
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
RDNSequence atv;
- ASSERT_FALSE(ParseName(SequenceValueFromString(&invalid), &atv));
+ ASSERT_FALSE(ParseName(SequenceValueFromString(invalid), &atv));
}
TEST(ParseNameTest, RFC2253FormatBasic) {
diff --git a/pki/parsed_certificate.h b/pki/parsed_certificate.h
index 20fd895..5fbef82 100644
--- a/pki/parsed_certificate.h
+++ b/pki/parsed_certificate.h
@@ -110,7 +110,7 @@
// Sequence tag). This is guaranteed to be valid DER, though the contents of
// unhandled string types are treated as raw bytes.
der::Input normalized_subject() const {
- return der::Input(&normalized_subject_);
+ return der::Input(normalized_subject_);
}
// Returns the DER-encoded raw issuer value (including the outer sequence
// tag). This is guaranteed to be valid DER, though the contents of unhandled
@@ -120,7 +120,7 @@
// Sequence tag). This is guaranteed to be valid DER, though the contents of
// unhandled string types are treated as raw bytes.
der::Input normalized_issuer() const {
- return der::Input(&normalized_issuer_);
+ return der::Input(normalized_issuer_);
}
// Returns true if the certificate has a BasicConstraints extension.
diff --git a/pki/path_builder_pkits_unittest.cc b/pki/path_builder_pkits_unittest.cc
index b49a34d..620205c 100644
--- a/pki/path_builder_pkits_unittest.cc
+++ b/pki/path_builder_pkits_unittest.cc
@@ -5,7 +5,6 @@
#include "path_builder.h"
#include <cstdint>
-#include <iostream>
#include "fillins/log.h"
#include "fillins/net_errors.h"
@@ -237,7 +236,7 @@
for (size_t i = 0; i < result.paths.size(); ++i) {
const CertPathBuilderResultPath* result_path =
result.paths[i].get();
- std::cerr << "path " << i << " errors:\n"
+ LOG(ERROR) << "path " << i << " errors:\n"
<< result_path->errors.ToDebugString(result_path->certs);
}
}
diff --git a/pki/signature_algorithm_unittest.cc b/pki/signature_algorithm_unittest.cc
index 1c420a3..9673ab2 100644
--- a/pki/signature_algorithm_unittest.cc
+++ b/pki/signature_algorithm_unittest.cc
@@ -1155,8 +1155,7 @@
0x04, 0x02, 0x03, 0xa2, 0x03, 0x02, 0x01, 0x40},
SignatureAlgorithm::kRsaPssSha512}};
for (const auto& t : kValidTests) {
- EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size())),
- t.expected);
+ EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data)), t.expected);
}
struct {
@@ -1346,8 +1345,7 @@
0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x41}},
};
for (const auto& t : kInvalidTests) {
- EXPECT_FALSE(
- ParseSignatureAlgorithm(der::Input(t.data.data(), t.data.size())));
+ EXPECT_FALSE(ParseSignatureAlgorithm(der::Input(t.data)));
}
}
diff --git a/pki/simple_path_builder_delegate_unittest.cc b/pki/simple_path_builder_delegate_unittest.cc
index 7d47406..7b6206c 100644
--- a/pki/simple_path_builder_delegate_unittest.cc
+++ b/pki/simple_path_builder_delegate_unittest.cc
@@ -38,11 +38,11 @@
ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings));
std::optional<SignatureAlgorithm> sigalg_opt =
- ParseSignatureAlgorithm(der::Input(&algorithm_str));
+ ParseSignatureAlgorithm(der::Input(algorithm_str));
ASSERT_TRUE(sigalg_opt);
*signature_algorithm = *sigalg_opt;
- ASSERT_TRUE(ParsePublicKey(der::Input(&public_key_str), public_key));
+ ASSERT_TRUE(ParsePublicKey(der::Input(public_key_str), public_key));
}
class SimplePathBuilderDelegate1024SuccessTest
diff --git a/pki/test_helpers.cc b/pki/test_helpers.cc
index 98487d7..36f0ffb 100644
--- a/pki/test_helpers.cc
+++ b/pki/test_helpers.cc
@@ -110,7 +110,7 @@
} // namespace der
-der::Input SequenceValueFromString(const std::string* s) {
+der::Input SequenceValueFromString(std::string_view s) {
der::Parser parser((der::Input(s)));
der::Input data;
if (!parser.ReadTag(der::kSequence, &data)) {
@@ -284,7 +284,7 @@
if (value == "DEFAULT") {
value = "211005120000Z";
}
- if (!der::ParseUTCTime(der::Input(&value), &test->time)) {
+ if (!der::ParseUTCTime(der::Input(value), &test->time)) {
ADD_FAILURE() << "Failed parsing UTC time";
return false;
}
diff --git a/pki/test_helpers.h b/pki/test_helpers.h
index 73e8afd..6857dd3 100644
--- a/pki/test_helpers.h
+++ b/pki/test_helpers.h
@@ -9,6 +9,7 @@
#include <ostream>
#include <string>
+#include <string_view>
#include <vector>
#include "parsed_certificate.h"
@@ -33,7 +34,7 @@
//
// The returned der::Input() is only valid so long as the input string is alive
// and is not mutated.
-der::Input SequenceValueFromString(const std::string* s);
+der::Input SequenceValueFromString(std::string_view s);
// Helper structure that maps a PEM block header (for instance "CERTIFICATE") to
// the destination where the value for that block should be written.
diff --git a/pki/testdata/name_constraints_unittest/generate_name_constraints.py b/pki/testdata/name_constraints_unittest/generate_name_constraints.py
index bf7e89b..0c474a7 100755
--- a/pki/testdata/name_constraints_unittest/generate_name_constraints.py
+++ b/pki/testdata/name_constraints_unittest/generate_name_constraints.py
@@ -317,6 +317,23 @@
enforce_length=False))
generate(c, "ipaddress-invalid_addr.pem")
+ v4_mapped_prefix = (0, ) * 10 + (255, ) * 2
+ v4_mapped_mask = (255, ) * 12
+ c = NameConstraintsGenerator()
+ c.add_permitted(ip_address_range((192, 168, 1, 0), (255, 255, 255, 0)))
+ c.add_excluded(ip_address_range((192, 168, 1, 1), (255, 255, 255, 255)))
+ c.add_excluded(
+ ip_address_range(v4_mapped_prefix + (192, 168, 1, 2),
+ v4_mapped_mask + (255, 255, 255, 255)))
+ c.add_permitted(
+ ip_address_range(v4_mapped_prefix + (192, 168, 2, 0),
+ v4_mapped_mask + (255, 255, 255, 0)))
+ c.add_excluded(
+ ip_address_range(v4_mapped_prefix + (192, 168, 2, 1),
+ v4_mapped_mask + (255, 255, 255, 255)))
+ c.add_excluded(ip_address_range((192, 168, 2, 2), (255, 255, 255, 255)))
+ generate(c, "ipaddress-mapped_addrs.pem")
+
n_us = generate_names.NameGenerator()
n_us.add_rdn().add_attr('countryName', 'PRINTABLESTRING', 'US')
generate(n_us, "name-us.pem")
diff --git a/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem b/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem
new file mode 100644
index 0000000..62dc085
--- /dev/null
+++ b/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem
@@ -0,0 +1,29 @@
+SEQUENCE {
+ [0] {
+ SEQUENCE {
+ [7 PRIMITIVE] { `c0a80100ffffff00` }
+ }
+ SEQUENCE {
+ [7 PRIMITIVE] { `00000000000000000000ffffc0a80200ffffffffffffffffffffffffffffff00` }
+ }
+ }
+ [1] {
+ SEQUENCE {
+ [7 PRIMITIVE] { `c0a80101ffffffff` }
+ }
+ SEQUENCE {
+ [7 PRIMITIVE] { `00000000000000000000ffffc0a80102ffffffffffffffffffffffffffffffff` }
+ }
+ SEQUENCE {
+ [7 PRIMITIVE] { `00000000000000000000ffffc0a80201ffffffffffffffffffffffffffffffff` }
+ }
+ SEQUENCE {
+ [7 PRIMITIVE] { `c0a80202ffffffff` }
+ }
+ }
+}
+-----BEGIN NAME CONSTRAINTS-----
+MIGUoDAwCocIwKgBAP///wAwIocgAAAAAAAAAAAAAP//wKgCAP///////////////////wChYDAK
+hwjAqAEB/////zAihyAAAAAAAAAAAAAA///AqAEC/////////////////////zAihyAAAAAAAAAA
+AAAA///AqAIB/////////////////////zAKhwjAqAIC/////w==
+-----END NAME CONSTRAINTS-----
diff --git a/pki/testdata/ssl/certificates/README b/pki/testdata/ssl/certificates/README
index c56b7e1..6e3db64 100644
--- a/pki/testdata/ssl/certificates/README
+++ b/pki/testdata/ssl/certificates/README
@@ -46,10 +46,6 @@
purposes is not recommended. This needs to be updated periodically so the
server name the cert is valid for may change.
-- treadclimber.pem: A chain where the leaf does not contain embedded SCTs,
- and which has a notBefore date after 2018/10/15. Expires 2020/02/07.
-- treadclimber.sctlist: The TLS encoded SignedCertificateTimestampList for the
- treadclimber.pem leaf certificate.
- lets-encrypt-dst-x3-root.pem: A chain that ends in the Lets encrypt DST X3
root (https://crt.sh/?id=8395). Has the same leaf as
lets-encrypt-isrg-x1-root.pem.
@@ -193,18 +189,15 @@
Certificates for testing EV display (including regression test for
https://crbug.com/1069113).
-===== From net/data/ssl/scripts/generate-weak-test-chains.sh
-- 2048-rsa-root.pem
-- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
-- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
- {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
- Test certificates used to ensure that weak keys are detected and rejected
-
-===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
-- cross-signed-leaf.pem
-- cross-signed-root-md5.pem
-- cross-signed-root-sha256.pem
- A certificate chain for regression testing http://crbug.com/108514
+===== From net/data/ssl/scripts/generate-test-keys.sh
+- rsa-{768,1024,2048}-{1..3}.key
+- ec-prime256v1-{1..3}.key
+ Pre-generated keys of various types/sizes.
+ Useful for tests that generate RSA certificates with CertBuilder without
+ having to pay the cost of generating RSA keys at runtime. Multiple keys
+ of each size are provided. (EC keys are cheap to generate at runtime, but
+ having some as files simplifies test logic in cases where the test is
+ reading both RSA and EC keys from files.)
===== From net/data/ssl/scripts/generate-redundant-test-chains.sh
- redundant-validated-chain.pem
diff --git a/pki/testdata/ssl/certificates/ec-prime256v1-1.key b/pki/testdata/ssl/certificates/ec-prime256v1-1.key
new file mode 100644
index 0000000..43ba034
--- /dev/null
+++ b/pki/testdata/ssl/certificates/ec-prime256v1-1.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8YeFfq6kLtUZziTV
+eBxKf4sdzWhBIrmoa7R6IQ/L0g2hRANCAATwrGqIPnPdqDreHFlZqECUQ0AjHbyi
+NWFYmGc3FkPsCS1MWu2WhMYdw7UuLDdMKge7Q6IWMsHum/4G04hRdTYL
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/ec-prime256v1-2.key b/pki/testdata/ssl/certificates/ec-prime256v1-2.key
new file mode 100644
index 0000000..bfdcc94
--- /dev/null
+++ b/pki/testdata/ssl/certificates/ec-prime256v1-2.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSCf4GodSLqPExkQ0
+Ik8+89ysmrauzOM+YOw7a6XXxpOhRANCAASTFjEdz9MMLzVvqiKJ6hiEmG7+tfn1
+6r5Odwu8dkIr69J5RljzPLAbHXN4kXF/ohZbBvKnX+1cEUDO+kBtAHMB
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/ec-prime256v1-3.key b/pki/testdata/ssl/certificates/ec-prime256v1-3.key
new file mode 100644
index 0000000..de0b671
--- /dev/null
+++ b/pki/testdata/ssl/certificates/ec-prime256v1-3.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSFwCrUE0q+J8WdaB
+wuQtvtQuvSVy4xrVUVKbg/b8qmShRANCAAQ0MQNe+C3m+ZxRjUC2VHut66EhAqDQ
+EXOCJ3se7ctMpdmVa2ml/4cjz3lnrfbSYe/mM5v3hDN8u8dYmk7zDoL3
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/leaf_from_known_root.pem b/pki/testdata/ssl/certificates/leaf_from_known_root.pem
index 0594ff8..a3d6120 100644
--- a/pki/testdata/ssl/certificates/leaf_from_known_root.pem
+++ b/pki/testdata/ssl/certificates/leaf_from_known_root.pem
@@ -1,274 +1,666 @@
===========================================
-Certificate0: c74f724a594ff8156228aa8d5b06c2335c45bcc0381cf16deb7ec0330cb454a0
+Certificate0: 43a7c7f7b28f92beac4b5e7e002c69801fd82c8656d9cb2993dba2bab0c4ec1e
===========================================
Certificate:
Data:
Version: 3 (0x2)
- Serial Number:
- 13:00:0f:ee:63:1b:df:c3:25:02:e3:e0:7e:a6:39:50
+ Serial Number: 5475531677529648189 (0x4bfcff0cd38dac3d)
Signature Algorithm: sha256WithRSAEncryption
- Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
+ Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Validity
- Not Before: Apr 10 00:00:00 2023 GMT
- Not After : May 10 23:59:59 2024 GMT
- Subject: CN = horseweather.com
+ Not Before: Jul 25 02:05:05 2023 GMT
+ Not After : Aug 24 00:14:22 2024 GMT
+ Subject: CN = tntpowerwashservices.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
- 00:b5:4f:7d:c0:1a:22:1c:a6:88:a0:85:01:3e:4a:
- 56:e3:3e:2a:f9:9c:f8:15:ce:6f:f7:44:74:00:41:
- 0f:d9:54:ce:7b:51:70:95:0c:9b:35:b1:68:b9:a6:
- 75:1a:28:93:4b:c9:64:9c:7e:ea:30:d4:4b:73:44:
- 62:fa:97:0d:5b:19:f6:6e:a3:44:b1:ea:67:7b:c6:
- 86:c6:1f:b8:1b:9b:ce:b1:9d:f7:f1:63:f4:63:03:
- 6b:07:72:f8:9c:f7:62:89:5d:15:2f:eb:ea:f8:18:
- 8f:55:1d:33:e7:2c:76:fd:3e:1a:16:fb:42:c1:02:
- 3a:03:82:f8:92:9a:a2:de:f1:8b:06:8e:cc:f9:ca:
- 1e:29:1c:48:7e:dc:0f:c1:5e:81:91:5c:36:eb:41:
- 1f:55:23:67:f2:b3:3b:10:73:fc:f0:48:2c:9e:8e:
- 1b:66:1e:52:38:09:0b:53:10:47:96:39:47:bb:81:
- 67:c4:4f:33:f2:74:19:c8:b5:16:0b:27:1e:d2:0e:
- 09:c7:4e:c5:e3:a8:8f:aa:00:1a:3c:9a:19:45:09:
- c8:aa:74:e0:7e:a0:7f:e2:46:8e:27:42:d4:ee:80:
- 60:5d:e1:b4:fc:23:9d:cb:70:be:d6:5b:88:ee:15:
- 61:1d:f5:4b:8d:02:ae:2f:19:5c:20:fc:17:9f:fc:
- 5d:b9
+ 00:af:a6:20:2e:e2:8f:f6:61:ba:78:bd:8c:c9:b4:
+ 84:6a:38:53:33:4a:28:e1:f6:9a:f8:be:45:14:18:
+ ef:0c:57:6c:ae:89:7b:8d:06:89:58:b4:76:21:2c:
+ 43:1f:b9:5d:e0:8d:4b:83:ad:3d:04:fb:e1:bf:76:
+ f2:e9:1a:80:42:f7:24:65:6d:c9:90:fc:fd:8e:82:
+ 0a:0e:5e:22:78:09:68:59:2a:4b:58:10:99:2d:f8:
+ 57:56:d9:92:a6:58:7e:89:c2:12:ea:c6:e2:43:86:
+ 07:6f:84:e2:c2:cd:1e:9d:4f:ee:62:58:35:a2:13:
+ d5:bc:20:cf:69:65:c4:74:2a:4d:b1:c2:7b:03:85:
+ b2:fc:dd:c7:36:30:c2:d6:59:02:e8:7c:41:26:ce:
+ 6b:f0:7a:55:1f:90:42:07:53:2e:a1:47:2e:53:42:
+ a6:48:1c:d0:d2:bb:9c:76:bf:89:4b:39:9d:69:f5:
+ 80:a4:38:b3:bd:e7:cd:41:0c:69:d7:3d:c1:78:27:
+ 88:05:ee:c7:f3:87:9d:01:e1:fd:70:e4:be:4d:97:
+ d3:2b:61:f3:0a:d3:2f:63:a9:ce:61:22:08:2e:a3:
+ d6:ba:de:fe:6b:df:69:ed:2f:50:dd:b8:72:c4:d6:
+ 6b:00:5e:a4:8b:9b:58:c0:43:32:ab:cc:44:55:d7:
+ 70:2f
Exponent: 65537 (0x10001)
X509v3 extensions:
- X509v3 Authority Key Identifier:
- 8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
- X509v3 Subject Key Identifier:
- DE:B8:1F:8D:E5:9F:B7:B7:F7:B6:96:56:D3:F4:2F:58:30:4C:36:0D
- X509v3 Key Usage: critical
- Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 CRL Distribution Points:
+ Full Name:
+ URI:http://crl.godaddy.com/gdig2s1-7257.crl
X509v3 Certificate Policies:
- Policy: 1.3.6.1.4.1.6449.1.2.2.7
- CPS: https://sectigo.com/CPS
+ Policy: 2.16.840.1.114413.1.7.23.1
+ CPS: http://certificates.godaddy.com/repository/
Policy: 2.23.140.1.2.1
Authority Information Access:
- CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
- OCSP - URI:http://ocsp.sectigo.com
+ OCSP - URI:http://ocsp.godaddy.com/
+ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
+ X509v3 Authority Key Identifier:
+ 40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
X509v3 Subject Alternative Name:
- DNS:horseweather.com, DNS:www.horseweather.com
+ DNS:tntpowerwashservices.com, DNS:www.tntpowerwashservices.com
+ X509v3 Subject Key Identifier:
+ 15:BE:40:63:3C:B1:6A:3C:27:52:B1:1E:43:06:A1:1C:0B:09:C7:C8
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
- Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
- B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
- Timestamp : Apr 10 14:57:58.554 2023 GMT
- Extensions: none
- Signature : ecdsa-with-SHA256
- 30:44:02:20:2C:72:0F:4C:A5:E0:DE:BA:0F:50:D6:79:
- 57:BB:1E:4C:57:63:08:41:3E:CE:92:04:AF:1D:8B:43:
- AC:D3:E0:A9:02:20:73:BD:5A:86:55:76:F4:84:E5:71:
- CE:D4:3B:D4:2F:7F:9F:7F:E9:DB:10:8B:97:0B:A5:EC:
- FB:B3:99:03:5A:DF
- Signed Certificate Timestamp:
- Version : v1 (0x0)
- Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
- 91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
- Timestamp : Apr 10 14:57:58.648 2023 GMT
- Extensions: none
- Signature : ecdsa-with-SHA256
- 30:45:02:20:6A:FD:3F:78:6C:23:EE:5E:6D:6F:4C:67:
- D5:22:B0:9A:CB:78:01:D2:24:79:DF:56:44:40:23:4E:
- 8B:CE:B9:10:02:21:00:E7:15:11:84:48:04:FC:2C:CD:
- F1:88:4E:79:31:19:4B:DC:E0:B3:74:12:49:3C:DD:4E:
- DB:E5:6D:D9:1B:B9:60
- Signed Certificate Timestamp:
- Version : v1 (0x0)
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
- Timestamp : Apr 10 14:57:58.679 2023 GMT
+ Timestamp : Jul 25 02:05:06.473 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
- 30:46:02:21:00:AF:8C:27:AC:66:5E:08:AC:BA:19:1D:
- 5A:CF:9A:F5:B8:28:A6:CC:9F:C4:99:45:59:10:2E:80:
- 17:BA:BA:B0:5E:02:21:00:CD:4E:51:2B:C6:12:73:4D:
- 7E:23:61:15:22:CB:08:CA:19:62:81:95:7E:31:08:B9:
- 64:F7:96:71:B0:1E:D2:A8
+ 30:45:02:21:00:B6:D5:26:94:10:7C:69:75:D5:83:A6:
+ 4A:7F:4D:87:A3:86:3D:C6:AD:47:17:B7:04:9F:83:0B:
+ 51:7E:41:C5:06:02:20:1E:2C:1C:2F:03:D1:1B:AB:E2:
+ F5:A0:65:BC:EC:BE:15:D2:05:ED:CC:AC:1A:44:70:DC:
+ 19:B6:87:58:4E:DF:EA
+ Signed Certificate Timestamp:
+ Version : v1 (0x0)
+ Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
+ 1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
+ Timestamp : Jul 25 02:05:06.771 2023 GMT
+ Extensions: none
+ Signature : ecdsa-with-SHA256
+ 30:45:02:20:6F:76:37:49:56:F0:9D:7F:F7:94:58:C9:
+ 9E:D3:D6:36:7D:BD:56:F4:92:41:0B:3E:97:0B:95:84:
+ 53:C6:68:24:02:21:00:87:45:7A:45:89:8E:C0:D9:44:
+ 82:56:24:C1:0D:A3:C4:FC:F8:C8:8E:1D:71:CC:0C:B5:
+ 6E:03:40:8D:3C:34:3A
+ Signed Certificate Timestamp:
+ Version : v1 (0x0)
+ Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
+ 91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
+ Timestamp : Jul 25 02:05:06.882 2023 GMT
+ Extensions: none
+ Signature : ecdsa-with-SHA256
+ 30:46:02:21:00:A1:1F:15:0A:5A:5A:E7:ED:6D:61:5F:
+ 9C:13:0B:66:70:62:95:31:C8:ED:D0:8A:B9:58:B1:90:
+ 97:63:21:C8:2B:02:21:00:F9:67:A5:79:88:32:96:48:
+ CB:6C:B9:27:76:0D:B6:7C:3A:AE:CB:65:40:87:E3:A5:
+ A9:FA:03:CA:61:F3:C7:9D
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
- 3b:67:4e:46:c0:7f:d6:2f:4e:64:63:80:21:e4:ea:af:46:06:
- e3:83:47:99:88:73:27:6c:96:ae:5e:eb:d3:36:60:4a:1d:b4:
- 28:57:7d:07:df:40:e2:87:54:d3:dd:bc:5a:e4:e7:9b:f7:72:
- 4b:c7:5f:5d:50:da:c6:c0:6a:0d:36:c3:f9:ff:db:b5:d2:71:
- 84:b6:66:0a:15:31:46:79:39:0f:b2:bc:c0:91:8f:d6:03:ab:
- 10:7d:ea:7e:59:16:13:6c:3a:47:55:12:8b:c5:4a:1f:21:bc:
- 00:f1:a1:0a:0e:e5:e8:b5:af:38:47:78:44:e9:ab:d9:0c:94:
- a1:af:a1:2c:18:5a:15:00:e1:4e:9f:c5:06:88:87:41:25:e7:
- 92:bf:9e:ee:66:93:88:4d:15:ae:c5:d8:1b:c4:58:e1:3c:fd:
- 12:bc:8e:44:fa:74:4b:a3:37:bd:7d:49:f9:3e:90:a7:bd:2e:
- dc:3d:24:5d:5b:9f:47:3e:6c:3a:7d:17:ab:dc:3b:3c:53:f1:
- ac:39:1b:74:51:a9:47:08:d2:af:c1:0c:5b:d3:4c:ed:85:97:
- 5a:d6:75:1e:d7:d5:69:50:e3:1e:bd:26:cf:b9:94:1a:fb:74:
- 0b:ac:18:48:6b:61:10:6a:4e:89:6e:b5:c6:eb:c3:90:64:ee:
- 38:5d:18:17
+ 26:c1:ee:ce:fb:7c:3d:bd:15:19:f7:6e:bc:f2:b0:d3:8b:a0:
+ d0:26:84:83:2c:06:65:50:68:0e:9a:1e:96:9e:2b:64:ae:7a:
+ 0a:05:e9:78:0a:cc:d5:0d:44:7a:d5:ae:4b:25:0c:a1:5d:a0:
+ b4:3a:1b:60:6c:6a:e2:30:7e:30:23:2e:eb:74:85:80:84:0f:
+ e6:cb:89:ee:b8:a9:9d:79:8a:da:dc:13:e1:6d:77:4f:81:7e:
+ 55:b4:0f:4f:41:6d:02:89:bf:73:95:7c:7f:b2:d8:9b:50:4a:
+ f8:60:36:11:e2:13:32:1f:e5:0f:3a:7d:0e:42:1e:b0:90:eb:
+ dd:41:57:0c:52:72:28:31:87:13:cb:39:9a:2f:23:66:9f:ca:
+ a9:4a:d3:26:30:71:ad:72:e2:83:b7:00:29:92:2c:b9:9f:c9:
+ a2:85:b2:90:29:c0:10:41:e4:6f:6e:d7:3c:ad:96:06:81:75:
+ 09:ff:7e:47:ff:3d:93:18:f5:e8:62:44:f9:8a:6c:37:db:5a:
+ a6:66:78:ae:3a:84:9b:7c:d0:f0:c9:9d:99:ce:8d:4a:9f:ab:
+ d6:e1:bd:7c:bc:9c:9d:f2:00:c9:17:aa:7d:97:9f:3f:27:9c:
+ 6c:91:16:a6:8e:39:c8:86:db:0c:14:ea:20:3d:f7:aa:7d:a3:
+ e2:67:9d:9a
+
+SEQUENCE {
+ SEQUENCE {
+ [0] {
+ INTEGER { 2 }
+ }
+ INTEGER { `4bfcff0cd38dac3d` }
+ SEQUENCE {
+ # sha256WithRSAEncryption
+ OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+ NULL {}
+ }
+ SEQUENCE {
+ SET {
+ SEQUENCE {
+ # countryName
+ OBJECT_IDENTIFIER { 2.5.4.6 }
+ PrintableString { "US" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # stateOrProvinceName
+ OBJECT_IDENTIFIER { 2.5.4.8 }
+ PrintableString { "Arizona" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # localityName
+ OBJECT_IDENTIFIER { 2.5.4.7 }
+ PrintableString { "Scottsdale" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # organizationName
+ OBJECT_IDENTIFIER { 2.5.4.10 }
+ PrintableString { "GoDaddy.com, Inc." }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # organizationUnitName
+ OBJECT_IDENTIFIER { 2.5.4.11 }
+ PrintableString { "http://certs.godaddy.com/repository/" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # commonName
+ OBJECT_IDENTIFIER { 2.5.4.3 }
+ PrintableString { "Go Daddy Secure Certificate Authority - G2" }
+ }
+ }
+ }
+ SEQUENCE {
+ UTCTime { "230725020505Z" }
+ UTCTime { "240824001422Z" }
+ }
+ SEQUENCE {
+ SET {
+ SEQUENCE {
+ # commonName
+ OBJECT_IDENTIFIER { 2.5.4.3 }
+ PrintableString { "tntpowerwashservices.com" }
+ }
+ }
+ }
+ SEQUENCE {
+ SEQUENCE {
+ # rsaEncryption
+ OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+ NULL {}
+ }
+ BIT_STRING {
+ `00`
+ SEQUENCE {
+ INTEGER { `00afa6202ee28ff661ba78bd8cc9b4846a3853334a28e1f69af8be451418ef0c576cae897b8d068958b476212c431fb95de08d4b83ad3d04fbe1bf76f2e91a8042f724656dc990fcfd8e820a0e5e22780968592a4b5810992df85756d992a6587e89c212eac6e24386076f84e2c2cd1e9d4fee625835a213d5bc20cf6965c4742a4db1c27b0385b2fcddc73630c2d65902e87c4126ce6bf07a551f904207532ea1472e5342a6481cd0d2bb9c76bf894b399d69f580a438b3bde7cd410c69d73dc178278805eec7f3879d01e1fd70e4be4d97d32b61f30ad32f63a9ce6122082ea3d6badefe6bdf69ed2f50ddb872c4d66b005ea48b9b58c04332abcc4455d7702f` }
+ INTEGER { 65537 }
+ }
+ }
+ }
+ [3] {
+ SEQUENCE {
+ SEQUENCE {
+ # basicConstraints
+ OBJECT_IDENTIFIER { 2.5.29.19 }
+ BOOLEAN { TRUE }
+ OCTET_STRING {
+ SEQUENCE {}
+ }
+ }
+ SEQUENCE {
+ # extKeyUsage
+ OBJECT_IDENTIFIER { 2.5.29.37 }
+ OCTET_STRING {
+ SEQUENCE {
+ # serverAuth
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.1 }
+ # clientAuth
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.3.2 }
+ }
+ }
+ }
+ SEQUENCE {
+ # keyUsage
+ OBJECT_IDENTIFIER { 2.5.29.15 }
+ BOOLEAN { TRUE }
+ OCTET_STRING {
+ BIT_STRING { b`101` }
+ }
+ }
+ SEQUENCE {
+ # cRLDistributionPoints
+ OBJECT_IDENTIFIER { 2.5.29.31 }
+ OCTET_STRING {
+ SEQUENCE {
+ SEQUENCE {
+ [0] {
+ [0] {
+ [6 PRIMITIVE] { "http://crl.godaddy.com/gdig2s1-7257.crl" }
+ }
+ }
+ }
+ }
+ }
+ }
+ SEQUENCE {
+ # certificatePolicies
+ OBJECT_IDENTIFIER { 2.5.29.32 }
+ OCTET_STRING {
+ SEQUENCE {
+ SEQUENCE {
+ OBJECT_IDENTIFIER { 2.16.840.1.114413.1.7.23.1 }
+ SEQUENCE {
+ SEQUENCE {
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 }
+ IA5String { "http://certificates.godaddy.com/repository/" }
+ }
+ }
+ }
+ SEQUENCE {
+ # domain-validated
+ OBJECT_IDENTIFIER { 2.23.140.1.2.1 }
+ }
+ }
+ }
+ }
+ SEQUENCE {
+ # authorityInfoAccess
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 }
+ OCTET_STRING {
+ SEQUENCE {
+ SEQUENCE {
+ # ocsp
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
+ [6 PRIMITIVE] { "http://ocsp.godaddy.com/" }
+ }
+ SEQUENCE {
+ # caIssuers
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
+ [6 PRIMITIVE] { "http://certificates.godaddy.com/repository/gdig2.crt" }
+ }
+ }
+ }
+ }
+ SEQUENCE {
+ # authorityKeyIdentifier
+ OBJECT_IDENTIFIER { 2.5.29.35 }
+ OCTET_STRING {
+ SEQUENCE {
+ [0 PRIMITIVE] { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` }
+ }
+ }
+ }
+ SEQUENCE {
+ # subjectAltName
+ OBJECT_IDENTIFIER { 2.5.29.17 }
+ OCTET_STRING {
+ SEQUENCE {
+ [2 PRIMITIVE] { "tntpowerwashservices.com" }
+ [2 PRIMITIVE] { "www.tntpowerwashservices.com" }
+ }
+ }
+ }
+ SEQUENCE {
+ # subjectKeyIdentifier
+ OBJECT_IDENTIFIER { 2.5.29.14 }
+ OCTET_STRING {
+ OCTET_STRING { `15be40633cb16a3c2752b11e4306a11c0b09c7c8` }
+ }
+ }
+ SEQUENCE {
+ # embeddedSCTList
+ OBJECT_IDENTIFIER { 1.3.6.1.4.1.11129.2.4.2 }
+ OCTET_STRING {
+ OCTET_STRING { `0169007600eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b000001898acafe290000040300473045022100b6d52694107c6975d583a64a7f4d87a3863dc6ad4717b7049f830b517e41c50602201e2c1c2f03d11babe2f5a065bcecbe15d205edccac1a4470dc19b687584edfea00760048b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d88473000001898acaff53000004030047304502206f76374956f09d7ff79458c99ed3d6367dbd56f492410b3e970b958453c6682402210087457a45898ec0d944825624c10da3c4fcf8c88e1d71cc0cb56e03408d3c343a007700dab6bf6b3fb5b6229f9bc2bb5c6be87091716cbb51848534bda43d3048d7fbab000001898acaffc20000040300483046022100a11f150a5a5ae7ed6d615f9c130b6670629531c8edd08ab958b190976321c82b022100f967a57988329648cb6cb927760db67c3aaecb654087e3a5a9fa03ca61f3c79d` }
+ }
+ }
+ }
+ }
+ }
+ SEQUENCE {
+ # sha256WithRSAEncryption
+ OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+ NULL {}
+ }
+ BIT_STRING { `00` `26c1eecefb7c3dbd1519f76ebcf2b0d38ba0d02684832c066550680e9a1e969e2b64ae7a0a05e9780accd50d447ad5ae4b250ca15da0b43a1b606c6ae2307e30232eeb748580840fe6cb89eeb8a99d798adadc13e16d774f817e55b40f4f416d0289bf73957c7fb2d89b504af8603611e213321fe50f3a7d0e421eb090ebdd41570c527228318713cb399a2f23669fcaa94ad3263071ad72e283b70029922cb99fc9a285b29029c01041e46f6ed73cad9606817509ff7e47ff3d9318f5e86244f98a6c37db5aa66678ae3a849b7cd0f0c99d99ce8d4a9fabd6e1bd7cbc9c9df200c917aa7d979f3f279c6c9116a68e39c886db0c14ea203df7aa7da3e2679d9a` }
+}
-----BEGIN CERTIFICATE-----
-MIIGPzCCBSegAwIBAgIQEwAP7mMb38MlAuPgfqY5UDANBgkqhkiG9w0BAQsFADCB
-jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
-Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
-MB4XDTIzMDQxMDAwMDAwMFoXDTI0MDUxMDIzNTk1OVowGzEZMBcGA1UEAxMQaG9y
-c2V3ZWF0aGVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVP
-fcAaIhymiKCFAT5KVuM+Kvmc+BXOb/dEdABBD9lUzntRcJUMmzWxaLmmdRook0vJ
-ZJx+6jDUS3NEYvqXDVsZ9m6jRLHqZ3vGhsYfuBubzrGd9/Fj9GMDawdy+Jz3Yold
-FS/r6vgYj1UdM+csdv0+Ghb7QsECOgOC+JKaot7xiwaOzPnKHikcSH7cD8FegZFc
-NutBH1UjZ/KzOxBz/PBILJ6OG2YeUjgJC1MQR5Y5R7uBZ8RPM/J0Gci1FgsnHtIO
-CcdOxeOoj6oAGjyaGUUJyKp04H6gf+JGjidC1O6AYF3htPwjnctwvtZbiO4VYR31
-S40Cri8ZXCD8F5/8XbkCAwEAAaOCAwgwggMEMB8GA1UdIwQYMBaAFI2MXsRUrYrh
-d+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBTeuB+N5Z+3t/e2llbT9C9YMEw2DTAOBgNV
-HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
-KwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIB
-FhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEB
-BHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdv
-UlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcw
-AYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wMQYDVR0RBCowKIIQaG9yc2V3ZWF0
-aGVyLmNvbYIUd3d3LmhvcnNld2VhdGhlci5jb20wggF+BgorBgEEAdZ5AgQCBIIB
-bgSCAWoBaAB1AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdMWjp0AAABh2us
-exoAAAQDAEYwRAIgLHIPTKXg3roPUNZ5V7seTFdjCEE+zpIErx2LQ6zT4KkCIHO9
-WoZVdvSE5XHO1DvUL3+ff+nbEIuXC6Xs+7OZA1rfAHYA2ra/az+1tiKfm8K7XGvo
-cJFxbLtRhIU0vaQ9MEjX+6sAAAGHa6x7eAAABAMARzBFAiBq/T94bCPuXm1vTGfV
-IrCay3gB0iR531ZEQCNOi865EAIhAOcVEYRIBPwszfGITnkxGUvc4LN0Ekk83U7b
-5W3ZG7lgAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGHa6x7
-lwAABAMASDBGAiEAr4wnrGZeCKy6GR1az5r1uCimzJ/EmUVZEC6AF7q6sF4CIQDN
-TlErxhJzTX4jYRUiywjKGWKBlX4xCLlk95ZxsB7SqDANBgkqhkiG9w0BAQsFAAOC
-AQEAO2dORsB/1i9OZGOAIeTqr0YG44NHmYhzJ2yWrl7r0zZgSh20KFd9B99A4odU
-0928WuTnm/dyS8dfXVDaxsBqDTbD+f/btdJxhLZmChUxRnk5D7K8wJGP1gOrEH3q
-flkWE2w6R1USi8VKHyG8APGhCg7l6LWvOEd4ROmr2QyUoa+hLBhaFQDhTp/FBoiH
-QSXnkr+e7maTiE0VrsXYG8RY4Tz9EryORPp0S6M3vX1J+T6Qp70u3D0kXVufRz5s
-On0Xq9w7PFPxrDkbdFGpRwjSr8EMW9NM7YWXWtZ1HtfVaVDjHr0mz7mUGvt0C6wY
-SGthEGpOiW61xuvDkGTuOF0YFw==
+MIIGtDCCBZygAwIBAgIIS/z/DNONrD0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjMwNzI1MDIwNTA1WhcN
+MjQwODI0MDAxNDIyWjAjMSEwHwYDVQQDExh0bnRwb3dlcndhc2hzZXJ2aWNlcy5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvpiAu4o/2Ybp4vYzJ
+tIRqOFMzSijh9pr4vkUUGO8MV2yuiXuNBolYtHYhLEMfuV3gjUuDrT0E++G/dvLp
+GoBC9yRlbcmQ/P2OggoOXiJ4CWhZKktYEJkt+FdW2ZKmWH6JwhLqxuJDhgdvhOLC
+zR6dT+5iWDWiE9W8IM9pZcR0Kk2xwnsDhbL83cc2MMLWWQLofEEmzmvwelUfkEIH
+Uy6hRy5TQqZIHNDSu5x2v4lLOZ1p9YCkOLO9581BDGnXPcF4J4gF7sfzh50B4f1w
+5L5Nl9MrYfMK0y9jqc5hIgguo9a63v5r32ntL1DduHLE1msAXqSLm1jAQzKrzERV
+13AvAgMBAAGjggNYMIIDVDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn
+aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTcyNTcuY3JsMF0GA1UdIARW
+MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj
+YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH
+AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI
+KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np
+dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w
+QQYDVR0RBDowOIIYdG50cG93ZXJ3YXNoc2VydmljZXMuY29tghx3d3cudG50cG93
+ZXJ3YXNoc2VydmljZXMuY29tMB0GA1UdDgQWBBQVvkBjPLFqPCdSsR5DBqEcCwnH
+yDCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYA7s3QZNXbGs7FXLedtM0TojKH
+Rny87N7DUUhZRnEftZsAAAGJisr+KQAABAMARzBFAiEAttUmlBB8aXXVg6ZKf02H
+o4Y9xq1HF7cEn4MLUX5BxQYCIB4sHC8D0Rur4vWgZbzsvhXSBe3MrBpEcNwZtodY
+Tt/qAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGJisr/UwAA
+BAMARzBFAiBvdjdJVvCdf/eUWMme09Y2fb1W9JJBCz6XC5WEU8ZoJAIhAIdFekWJ
+jsDZRIJWJMENo8T8+MiOHXHMDLVuA0CNPDQ6AHcA2ra/az+1tiKfm8K7XGvocJFx
+bLtRhIU0vaQ9MEjX+6sAAAGJisr/wgAABAMASDBGAiEAoR8VClpa5+1tYV+cEwtm
+cGKVMcjt0Iq5WLGQl2MhyCsCIQD5Z6V5iDKWSMtsuSd2DbZ8Oq7LZUCH46Wp+gPK
+YfPHnTANBgkqhkiG9w0BAQsFAAOCAQEAJsHuzvt8Pb0VGfduvPKw04ug0CaEgywG
+ZVBoDpoelp4rZK56CgXpeArM1Q1EetWuSyUMoV2gtDobYGxq4jB+MCMu63SFgIQP
+5suJ7ripnXmK2twT4W13T4F+VbQPT0FtAom/c5V8f7LYm1BK+GA2EeITMh/lDzp9
+DkIesJDr3UFXDFJyKDGHE8s5mi8jZp/KqUrTJjBxrXLig7cAKZIsuZ/JooWykCnA
+EEHkb27XPK2WBoF1Cf9+R/89kxj16GJE+YpsN9tapmZ4rjqEm3zQ8Mmdmc6NSp+r
+1uG9fLycnfIAyReqfZefPyecbJEWpo45yIbbDBTqID33qn2j4medmg==
-----END CERTIFICATE-----
===========================================
-Certificate1: 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
+Certificate1: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
===========================================
Certificate:
Data:
Version: 3 (0x2)
- Serial Number:
- 7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
- Signature Algorithm: sha384WithRSAEncryption
- Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Validity
- Not Before: Nov 2 00:00:00 2018 GMT
- Not After : Dec 31 23:59:59 2030 GMT
- Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
+ Not Before: May 3 07:00:00 2011 GMT
+ Not After : May 3 07:00:00 2031 GMT
+ Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
- 00:d6:73:33:d6:d7:3c:20:d0:00:d2:17:45:b8:d6:
- 3e:07:a2:3f:c7:41:ee:32:30:c9:b0:6c:fd:f4:9f:
- cb:12:98:0f:2d:3f:8d:4d:01:0c:82:0f:17:7f:62:
- 2e:e9:b8:48:79:fb:16:83:4e:ad:d7:32:25:93:b7:
- 07:bf:b9:50:3f:a9:4c:c3:40:2a:e9:39:ff:d9:81:
- ca:1f:16:32:41:da:80:26:b9:23:7a:87:20:1e:e3:
- ff:20:9a:3c:95:44:6f:87:75:06:90:40:b4:32:93:
- 16:09:10:08:23:3e:d2:dd:87:0f:6f:5d:51:14:6a:
- 0a:69:c5:4f:01:72:69:cf:d3:93:4c:6d:04:a0:a3:
- 1b:82:7e:b1:9a:b9:ed:c5:9e:c5:37:78:9f:9a:08:
- 34:fb:56:2e:58:c4:09:0e:06:64:5b:bc:37:dc:f1:
- 9f:28:68:a8:56:b0:92:a3:5c:9f:bb:88:98:08:1b:
- 24:1d:ab:30:85:ae:af:b0:2e:9e:7a:9d:c1:c0:42:
- 1c:e2:02:f0:ea:e0:4a:d2:ef:90:0e:b4:c1:40:16:
- f0:6f:85:42:4a:64:f7:a4:30:a0:fe:bf:2e:a3:27:
- 5a:8e:8b:58:b8:ad:c3:19:17:84:63:ed:6f:56:fd:
- 83:cb:60:34:c4:74:be:e6:9d:db:e1:e4:e5:ca:0c:
- 5f:15
+ 00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64:
+ b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf:
+ 8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b:
+ 63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc:
+ 45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57:
+ c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37:
+ 96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30:
+ 38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f:
+ 38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc:
+ 71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47:
+ f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4:
+ 33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0:
+ a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e:
+ f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a:
+ ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69:
+ 02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18:
+ 50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2:
+ 52:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
- X509v3 Authority Key Identifier:
- 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
- X509v3 Subject Key Identifier:
- 8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
- X509v3 Key Usage: critical
- Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
- CA:TRUE, pathlen:0
- X509v3 Extended Key Usage:
- TLS Web Server Authentication, TLS Web Client Authentication
- X509v3 Certificate Policies:
- Policy: X509v3 Any Policy
- Policy: 2.23.140.1.2.1
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ 40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
+ X509v3 Authority Key Identifier:
+ 3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
+ Authority Information Access:
+ OCSP - URI:http://ocsp.godaddy.com/
X509v3 CRL Distribution Points:
Full Name:
- URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
- Authority Information Access:
- CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
- OCSP - URI:http://ocsp.usertrust.com
- Signature Algorithm: sha384WithRSAEncryption
+ URI:http://crl.godaddy.com/gdroot-g2.crl
+ X509v3 Certificate Policies:
+ Policy: X509v3 Any Policy
+ CPS: https://certs.godaddy.com/repository/
+ Signature Algorithm: sha256WithRSAEncryption
Signature Value:
- 32:bf:61:bd:0e:48:c3:4f:c7:ba:47:4d:f8:9c:78:19:01:dc:
- 13:1d:80:6f:fc:c3:70:b4:52:9a:31:33:9a:57:52:fb:31:9e:
- 6b:a4:ef:54:aa:89:8d:40:17:68:f8:11:10:7c:d2:ca:b1:f1:
- 55:86:c7:ee:b3:36:91:86:f6:39:51:bf:46:bf:0f:a0:ba:b4:
- f7:7e:49:c4:2a:36:17:9e:e4:68:39:7a:af:94:4e:56:6f:b2:
- 7b:3b:bf:0a:86:bd:cd:c5:77:1c:03:b8:38:b1:a2:1f:5f:7e:
- db:8a:dc:46:48:b6:68:0a:cf:b2:b5:b4:e2:34:e4:67:a9:38:
- 66:09:5e:d2:b8:fc:9d:28:3a:17:40:27:c2:72:4e:29:fd:21:
- 3c:7c:cf:13:fb:96:2c:c5:31:44:fd:13:ed:d5:9b:a9:69:68:
- 77:7c:ee:e1:ff:a4:f9:36:38:08:53:39:a2:84:34:9c:19:f3:
- be:0e:ac:d5:24:37:eb:23:a8:78:d0:d3:e7:ef:92:47:64:62:
- 39:22:ef:c6:f7:11:be:22:85:c6:66:44:24:26:8e:10:32:8d:
- c8:93:ae:07:9e:83:3e:2f:d9:f9:f5:46:8e:63:be:c1:e6:b4:
- dc:a6:cd:21:a8:86:0a:95:d9:2e:85:26:1a:fd:fc:b1:b6:57:
- 42:6d:95:d1:33:f6:39:14:06:82:41:38:f5:8f:58:dc:80:5b:
- a4:d5:7d:95:78:fd:a7:9b:ff:fd:c5:a8:69:ab:26:e7:a7:a4:
- 05:87:5b:a9:b7:b8:a3:20:0b:97:a9:45:85:dd:b3:8b:e5:89:
- 37:8e:29:0d:fc:06:17:f6:38:40:0e:42:e4:12:06:fb:7b:f3:
- c6:11:68:62:df:e3:98:f4:13:d8:15:4f:8b:b1:69:d9:10:60:
- bc:64:2a:ea:31:b7:e4:b5:a3:3a:14:9b:26:e3:0b:7b:fd:02:
- 8e:b6:99:c1:38:97:59:36:f6:a8:74:a2:86:b6:5e:eb:c6:64:
- ea:cf:a0:a3:f9:6e:9e:ba:2d:11:b6:86:98:08:58:2d:c9:ac:
- 25:64:f2:5e:75:b4:38:c1:ae:7f:5a:46:83:ea:51:ca:b6:f1:
- 99:11:35:6b:a5:6a:7b:c6:00:b0:e7:f8:be:64:b2:ad:c8:c2:
- f1:ac:e3:51:ea:a4:93:e0:79:c8:e1:81:40:c9:0a:5b:e1:12:
- 3c:c1:60:2a:e3:97:c0:89:42:ca:94:cf:46:98:12:69:bb:98:
- d0:c2:d3:0d:72:4b:47:6e:e5:93:c4:32:28:63:87:43:e4:b0:
- 32:3e:0a:d3:4b:bf:23:9b:14:29:41:2b:9a:04:1f:93:2d:f1:
- c7:39:48:3c:ad:5a:12:7f
+ 08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef:
+ 6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f:
+ db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73:
+ 31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11:
+ 56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4:
+ 2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f:
+ f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca:
+ 17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51:
+ b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c:
+ ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d:
+ 5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce:
+ c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7:
+ 8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87:
+ 6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8:
+ bc:04:30:01
+
+SEQUENCE {
+ SEQUENCE {
+ [0] {
+ INTEGER { 2 }
+ }
+ INTEGER { 7 }
+ SEQUENCE {
+ # sha256WithRSAEncryption
+ OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+ NULL {}
+ }
+ SEQUENCE {
+ SET {
+ SEQUENCE {
+ # countryName
+ OBJECT_IDENTIFIER { 2.5.4.6 }
+ PrintableString { "US" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # stateOrProvinceName
+ OBJECT_IDENTIFIER { 2.5.4.8 }
+ PrintableString { "Arizona" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # localityName
+ OBJECT_IDENTIFIER { 2.5.4.7 }
+ PrintableString { "Scottsdale" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # organizationName
+ OBJECT_IDENTIFIER { 2.5.4.10 }
+ PrintableString { "GoDaddy.com, Inc." }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # commonName
+ OBJECT_IDENTIFIER { 2.5.4.3 }
+ PrintableString { "Go Daddy Root Certificate Authority - G2" }
+ }
+ }
+ }
+ SEQUENCE {
+ UTCTime { "110503070000Z" }
+ UTCTime { "310503070000Z" }
+ }
+ SEQUENCE {
+ SET {
+ SEQUENCE {
+ # countryName
+ OBJECT_IDENTIFIER { 2.5.4.6 }
+ PrintableString { "US" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # stateOrProvinceName
+ OBJECT_IDENTIFIER { 2.5.4.8 }
+ PrintableString { "Arizona" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # localityName
+ OBJECT_IDENTIFIER { 2.5.4.7 }
+ PrintableString { "Scottsdale" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # organizationName
+ OBJECT_IDENTIFIER { 2.5.4.10 }
+ PrintableString { "GoDaddy.com, Inc." }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # organizationUnitName
+ OBJECT_IDENTIFIER { 2.5.4.11 }
+ PrintableString { "http://certs.godaddy.com/repository/" }
+ }
+ }
+ SET {
+ SEQUENCE {
+ # commonName
+ OBJECT_IDENTIFIER { 2.5.4.3 }
+ PrintableString { "Go Daddy Secure Certificate Authority - G2" }
+ }
+ }
+ }
+ SEQUENCE {
+ SEQUENCE {
+ # rsaEncryption
+ OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+ NULL {}
+ }
+ BIT_STRING {
+ `00`
+ SEQUENCE {
+ INTEGER { `00b9e0cb10d4af76bdd49362eb3064b881086cc304d962178e2fff3e65cf8fce62e63c521cda16454b55ab786b63836290ce0f696c99c81a148b4ccc4533ea88dc9ea3af2bfe80619d7957c4cf2ef43f303c5d47fc9a16bcc3379641518e114b54f828bed08cbef030381ef3b026f86647636dde7126478f384753d1461db4e3dc00ea45acbdbc71d9aa6f00dbdbcd303a794f5f4c47f81def5bc2c49d603bb1b24391d8a4334eeab3d6274fad258aa5c6f4d5d0a6ae7405645788b54455d42d2a3a3ef8b8bde9320a029464c4163a50f14aaee77933af0c20077fe8df0439c269026c6352fa77c11bc87487c8b993185054354b694ebc3bd3492e1fdcc1d252fb` }
+ INTEGER { 65537 }
+ }
+ }
+ }
+ [3] {
+ SEQUENCE {
+ SEQUENCE {
+ # basicConstraints
+ OBJECT_IDENTIFIER { 2.5.29.19 }
+ BOOLEAN { TRUE }
+ OCTET_STRING {
+ SEQUENCE {
+ BOOLEAN { TRUE }
+ }
+ }
+ }
+ SEQUENCE {
+ # keyUsage
+ OBJECT_IDENTIFIER { 2.5.29.15 }
+ BOOLEAN { TRUE }
+ OCTET_STRING {
+ BIT_STRING { b`0000011` }
+ }
+ }
+ SEQUENCE {
+ # subjectKeyIdentifier
+ OBJECT_IDENTIFIER { 2.5.29.14 }
+ OCTET_STRING {
+ OCTET_STRING { `40c2bd278ecc348330a233d7fb6cb3f0b42c80ce` }
+ }
+ }
+ SEQUENCE {
+ # authorityKeyIdentifier
+ OBJECT_IDENTIFIER { 2.5.29.35 }
+ OCTET_STRING {
+ SEQUENCE {
+ [0 PRIMITIVE] { `3a9a8507106728b6eff6bd05416e20c194da0fde` }
+ }
+ }
+ }
+ SEQUENCE {
+ # authorityInfoAccess
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.1.1 }
+ OCTET_STRING {
+ SEQUENCE {
+ SEQUENCE {
+ # ocsp
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
+ [6 PRIMITIVE] { "http://ocsp.godaddy.com/" }
+ }
+ }
+ }
+ }
+ SEQUENCE {
+ # cRLDistributionPoints
+ OBJECT_IDENTIFIER { 2.5.29.31 }
+ OCTET_STRING {
+ SEQUENCE {
+ SEQUENCE {
+ [0] {
+ [0] {
+ [6 PRIMITIVE] { "http://crl.godaddy.com/gdroot-g2.crl" }
+ }
+ }
+ }
+ }
+ }
+ }
+ SEQUENCE {
+ # certificatePolicies
+ OBJECT_IDENTIFIER { 2.5.29.32 }
+ OCTET_STRING {
+ SEQUENCE {
+ SEQUENCE {
+ # anyPolicy
+ OBJECT_IDENTIFIER { 2.5.29.32.0 }
+ SEQUENCE {
+ SEQUENCE {
+ OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.2.1 }
+ IA5String { "https://certs.godaddy.com/repository/" }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ SEQUENCE {
+ # sha256WithRSAEncryption
+ OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+ NULL {}
+ }
+ BIT_STRING { `00` `087e6c9310c838b896a9904bffa15f4f04ef6c3e9c8806c9508fa673f757311bbebce42fdbf8bad35be0b4e7e679620e0ca2d76a637331b5f5a848a43b082da25d90d7b47c254f115630c4b6449d7b2c9de55ee6ef0c61aabfe42a1bee849eb8837dc143ce44a713700d911ff4c813ad8360d9d872a873241eb5ac220eca17896258441bab892501000fcdc41b62db51b4d30f512a9bf4bc73fc76ce36a4cdd9d82ceaae9bf52ab290d14d75188a3f8a4190237d5b4bfea403589b46b2c3606083f87d5041cec2a190c3bbef022fd21554ee4415d90aaea78a33edb12d763626dc04eb9ff7611f15dc876fee469628ada1267d0a09a72e04a38dbcf8bc043001` }
+}
-----BEGIN CERTIFICATE-----
-MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
-MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
-BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
-ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
-VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
-TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
-eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
-oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
-Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
-uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
-BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
-+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
-A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
-CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
-LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
-BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
-bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
-L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
-ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
-7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
-H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
-RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
-xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
-sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
-l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
-6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
-LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
-yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
-00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
diff --git a/pki/testdata/ssl/certificates/rsa-1024-1.key b/pki/testdata/ssl/certificates/rsa-1024-1.key
new file mode 100644
index 0000000..5355480
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-1024-1.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeQIBADANBgkqhkiG9w0BAQEFAASCAmMwggJfAgEAAoGBAL7mb78RnGZpGth3
+z5ilQTmz77Cc6YOqZPulE83+Vnjy39YzK0csTluvbWqVMUHtYGsRF8h+gYvywt8l
+zITocpE0UyeXlzsoOI8h7SgUCrYPAl9l6VydsUQ3F14uJ4LWaQcz/R601LhYrvQc
+XgpDr4U1rp108EAFG01BVFFiInCVAgMBAAECgYEAtGnxuCC7r+mrTmNE1d1wHEma
+wE47Po0d7NlhMzAopxvaQYSQZS5RS8MqZC1lpQnjMqyvznMImauvUddWR1GrWz6T
+jU7YJiq/NJZ26qzACKCJWj9UG37fzC3L7JDMz4Yz3K/iISH7iDLIrh4JWw8A6xQL
++cq8/u4ZhjtODbxYHu0CQQDuPMkrqPolGpy6mo18jP8QuNooZmpZ5z5C72GtqqRz
+AMcfIOtluBBcFef7iZoKa+YcEldjpdiCK0I3qy86G9JLAkEAzSIg3A8qta3o/U2d
+TwUq5BMGUotHmG/A1MwEK5GnRHj3L0nu/HpE3tjrKrkMC4i+zVTYBop90XFBPdy6
+d+v8nwJBAM6Qdf0dLoctY+eISlVMC3x8SuvsoRoCnsF6vb7OznfInN4otPIlfknZ
+1KMM1DtlAsgkPxFvoyJ6T5flHbXMmbECQQCaKR/QwYUzbDNAyeeCzztgk/uYZRu1
+L6cXRQuNQrUV/GKno0R7cdf4McTqIo8uy+G4ph6DK+lKUXbaatun7C25AkEAsr/A
+yOyChfU16iQMa45LhT9FoplbNbDvczJ3EUUsf8i1I/8FG/GM4AaUMUshdwCf7hdh
+ZBHFE6S2PIUV9iZVbA==
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-1024-2.key b/pki/testdata/ssl/certificates/rsa-1024-2.key
new file mode 100644
index 0000000..14feba2
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-1024-2.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM3oM+IGvDDamzE+
+5cZRkeoH8PBYH5HSChJOcRepGpPMxsOjR3aomPCi0eI3cR4IOqaakpxDJswp+ioA
+H4hEMDMoVZijvpXEto0QAy/2O7K7QzhQ1ylFNM8k6WD4xfM8W6PlrlxFHjH47QDq
+k/njjASgxTfj6zHCwauQG4FYTmZNAgMBAAECgYBuds82yDQ35V9yuPKeRW6JZj89
+QZmWKl+a2JhVgDQw7KAJntQc9XAvULpWqTW3TeThMnXK/T+YMkDyPWStPx+3q9PR
+AQS65Bz8BltepO5sdy2QWGnOss97fLG5DJgTHrAZYDKLxJah9hDOf5Tjq4d9GYka
+D6cOgWErS3wv+ERZhQJBAOuVmTnEywk0TIGjIOWud+Yv2TUIc3IqBZnyF1RN8y1y
+NFVGwpCb8aKLRawfDta/kNkQVOkYZCtZRdYb1NHqBJMCQQDfwDel33a3OnVdQNoB
+GbfEJYqmgY7JCzFfH9EVzqB45x6yYvwAHStp1r5dYmwMUSIVs5B8SFA4bUN6cAMr
+BJWfAkEA4xGOXuAP0w9Vrp5NVxSS/IuiEDvVCnT2cSum0NtRSLyLNKa/YiLtBH64
+6O4Gn3aFZrMXJJUd96pUZcrtlma5gQJAaUR0qdxNbPza1Km7JwNjequy5I1VkO5s
+JvXAF8Njqh4KSiDZsHAIyb2XSDYS4WSWZaFaW65l13ZIZeUnCGkavwJAMn0mC5e4
+idlSe3QqaOa3haxAXquQkImH6pSI4jRPzTJxPd8BlShlZeVC4IyCwfz/o6Azce+W
+w+5b/8VIMO2s9g==
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-1024-3.key b/pki/testdata/ssl/certificates/rsa-1024-3.key
new file mode 100644
index 0000000..4a8af8f
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-1024-3.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMqUxHtJfHQ6709j
+T1yMqY/JH/dg0Kl3DaddDScaVRiv2X+0mhxkFu4/rWEYslj1aSS8CgcdVxSdHsI0
+dXEsumoRFJl/EmfBAwQkukgpkjuE5uUORuxt2vzT1zGPutX0UlMiLINdZ1AB45D6
+c78SBTiIoXai7FZ+SayOf/3MQsYpAgMBAAECgYB7nbITpTD7X+cd43TO/cqOQeVu
+t7Y8YriDMyXOgaQBr3SiF9uejXjsoxCyWjaiUAZ78v6PftjfbE0Tpp0vlWKeNo0q
+iJ0rjbxf04bIpU7+Q+/I4hkXngu7WvmXS8ZjmamEvT1a9XN8bZ1QD+lglYAkZKj5
+iwlVpZfYokj+4sMIgQJBAOnkLBrmlaXhh3KbzLcKPMtmOlm8y2PuSziJN7JTdkb7
+gwaQAa1+5ToOEjAS64qP+BRp9uLTnPuVnbyd27nDElkCQQDduu9KbS2o9IazrVeR
+FMqAitIWb9v/k98IfOc7/LKeyA7oVCzqAsq0nlYM4unGYSiIdlJLLnQCtbVABB4D
+6rhRAkEApM49cbsWqWsQCObVSgixq9Tdusu4OTL4196AW2xKBFxHCAHC3OB0XwL5
+N9ytEda+RIwiBdR8Yh4bpoNJB0z4CQJBAI9yo+LztUmMQSU3LOK4n7X/maFYZuz3
+HqDgJb0iY/Djnvlhk9klSz0E/sjBeNqV+uImImFvQTCLnCI5R63jCbECQQDpeDiP
+DcKOL773vayJixOvvSqruHGvM87KMkpW2zsLbxrlN2gKyf3iMkQX1Kat945qPD98
+kpnDpyVRVRxIc6Sg
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-2048-1.key b/pki/testdata/ssl/certificates/rsa-2048-1.key
new file mode 100644
index 0000000..384bf68
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-2048-1.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvBAyWDWogcaoH
+kjhp9fmm7OognM/SNfIuEKMiqmFLz4GsiNa1I4By8kPqcI8u0KRBvX0F/DDfBvDy
+8nm7gbfMliILkPTKlDqAKY51kV1qBkSQhhiQ7Tl3KXjB4tbdjJemv9TrXfwfr+k4
+9dP8oYLmVmyYRWMGybW7tA6MJewLYeAIBZpbcz0okrKD7izMEi7eCWvQ9O6PdVMG
+atBfUbGrZ0oX0XzsJQgI6iJNq88WQCbfybQLDvXleneem8NHVYO8fCmgVzgsiVw5
+fgaeYWBfCVOGUHsoVwxTDThAfoIGHX1ldQ+3YP+pyph43h5e9jWHHwAjg45SFqkI
+XRTu4I/HAgMBAAECggEASmt63J10qLocdl63TVtSXqg0QEzd1AGrauoZLGbtu3pP
+pimDvv+LIZWhyoE1aU8/4VJtZMuhjlyZvXzcxZ45pS2b6XYomTGhlJjXImf/JFPo
++NmEfa/Z9TE1z6AhBJFBdR7yL2lGCcVX8ygZDb4x9rb+M1uh6aOA+wFsBC0l64pt
+YNGaOtgR1DCqn6mtxFcUOMt6gWEbgu2gwieo4qSGPmGOwNxhEbMWPL+0CPemW+li
+K+fB2RrYpGdSD8kyWHWqZTUT7SegcT2mO3F+eNwwy69srb/R/MAUfbYXbQhTrPuI
+vavor2vT7++Ha2Z7FV+715Jsn2f8OkW0UyFzb7PQsQKBgQDUG5H0XR34wqAfNgaZ
+lzJqDeh6Tg0v991t4imNd/yFBJEa4PyonM9m9ka9o13ySPyIuUyqvUDm0/geVH1g
+dn7o3rTVCKbfeCeDWaU00elMjtCezeDUlnsTgcHpLEpb/5uxJhAL2/KcMlOvHzGv
+ima5zj2tB0dvUfkCtzLthb/etwKBgQDTO4hNrTcNQBTg/XUG2TSERo6WslVOZjJ5
+70AlE9PYgqmoNUONg8XxGwj8n7lx+AY2BB0kfM9ANVc+BNjI2fqFLba2DYDGMpsq
+XrxR2SiRe8UCjftFgHSElIx/mGplgAbElGrSd+pkONwnxtE3E0JD/+y+/dKQeg9z
+iVraymnHcQKBgQC8/9gdU3/qcpo1VXGqGGTuxXfay4PKs2WWjUkTatATQw99UO8x
+25CfoWFFh7Wlt812kw6ysTKMvGJBvG1/r/bDz/Z4QV5Yj/s9enrQRx9IfZV9e9wT
+8ga3Sg8ck7+qnGgCAPWZa6KR9fJFgFlInt2MQS8J6AuKMRPejJmPtndSnwKBgFPP
+dCZ1yrkMKvyWNB+ygL7XC+5I9cX0kKSGxCmx80UdmtktwQ7eMOSYOHmbmkXZBgXa
+ngGDL+wm/eWSoL0Yl+jNmYgkVWrOW3h1PD0xb4JB3IpF8WPDMvgDxLc/rz90i7rl
+tHirsalwUhHKNeqnToySd8nUBf7jH0xVPGJBG7VRAoGBAIty6nRYERJkdWgzrrU+
+TmSxTAFi4hqc/RXMa7kda40SBp3339+/KxaNCQ5YUJjDI/cggEc/Tnm2MjkheH5W
+nBC1iP1A1g9wlk6Ak/RQIq8FRiQFdVwGU2Xa+dRQAyEj8Xq2KudmKkj1M630/kSg
+3qCwc3kKPf2N5fjAtHUwLLHP
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-2048-2.key b/pki/testdata/ssl/certificates/rsa-2048-2.key
new file mode 100644
index 0000000..3336ce7
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-2048-2.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCncOKXlHiC4cH7
+YiXsOMc3Vh3OBN26dK/c9tiVG7zQU9EbXbUWz9NNI8+wUDwyBtrR54zH+5R9+cj/
+9QOPd2Vsv3wfaSIaR3qfsag/TK2rooYAis11F17lUHx02KZlZodagEuLCMgdlyIL
+F0RTW4+Nt9ZklEFMXHYxZW2odDiimaUl0tJ3//jGNEBQwHSS7BbA88vKBknjRP4d
+0lFZGJPM7VyEkYElp4qcTBvn4VY89lbgUdVcZjaMOtoUnK6DUZN7GAsWr222y7kc
+BEH5fFOWB2PrgKY//tb41fujm16u2r4jjHngZ8FSs5md3A7z1CP4ChpNF33k9z6s
+AzWb+GNhAgMBAAECggEAFFJdDeyVG71un6Xv2FWjyBGJmIF6r7CNz5GeA6rUJaym
+il27JsOeb5RTFqEGTUQLtsIVkgf0o713KamA/x6MjsBGvkEyRGI8fblAJD6YLWaS
+QOqXuQhXGhnEoSHSQChLcS50/LDaKM048oOmZT+NkrOnL5nWuv/V0HTw9Cr23LT6
+wMuefBrN9cr8ZMmlOMNvJaoTKbCxr6bg4bKjfGr40QX05GnLXaOhg74wWPWMCFZQ
+CfyFhCJvBcXk9Xifb2pMTk9GezfSd28JKy3XKjd2bUTD8KGStgnKvIB7FXVqaQb/
+QOTE0USkYn3l6g53fXWdgk9i87ZRHmMarTv4K8wvaQKBgQDbe6v0CS6ui5A4bliC
+z8EoZVmxxT+vgOf56ZOE65lGcPHOtTMDDL2u8MxqyjnWc7dXrw8FvfpurIe/TEU9
+Y5kCj9NUA08940RKX/5u5RDaW9X2cGVlv7yJSDbA1JxpUjSzc98VFWQJrFkhHBfI
+3eLdVLp+dHBBpGCgZuVQD2ymGwKBgQDDTJwspscuh9q9SWWgcyJv5ke+4MwosgkP
+g8IC2dFFHr3j3GoFnVrrVP6w8zzezNb2ba+9xGaohNgHjmwC203ZcdDCUxem3t/L
+GUM4+dCUC87nB/bGd772pu1jbZZ9bRUBvgf4x1zhlShQNnD+UL2/p/stzWl6SE47
+Yva2416kMwKBgCBZ7lKeN99KewuWWD2P2ezWY44sgOKhoY/YugHRqFoVs87ALrC4
+ZA0xOTBUdooBrHikORajlhJSJAAygdI2qAsUoBW2FywMH7jGxX4bDYziFHuqvYdt
+56BkoI1zyUpM76+z2KIG8SPr34dd2LOm4RW2s3aIOzOxwvxhrlNKsr0ZAoGBALTH
+4LUweKYo2aFoJKueiB0fBAC75CAzlVGIPHoZGK8r4sjfCkFCRJwcpFo1/n2bDc01
+AX3fJMwPlE2CV5dZW7nRslV/RyCPpIdDTkeab6nrOE4BwDw9MkbthEcKdUiLRevD
+9WsjWGX0hUmi63tuUAbuPwNJ5r5r2gb897WZyMyjAoGAYcNgSL1udQE7pEqrAl0t
+ffTbbTJQ487sZm3qhFNXtuitC3h6eXpJecsWRoB/Jnhi4cpSjWgYJzjV4rkZSF79
+es031jtdnPf6G94ZzjTKnkr4z34reDQusukuuD1SSsbURBGVacgZxkq0UaRAROfT
+BTPraf9GfA9BnUEIFdjeKwI=
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-2048-3.key b/pki/testdata/ssl/certificates/rsa-2048-3.key
new file mode 100644
index 0000000..9a6f499
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-2048-3.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDW8jowfwvUgEye
+CyzXw4rrlw1+liz+s9nWucRN5t8dia9L9dQhT0aBg7mUKOQ7L1wcRwzPMVoyFF3G
+KsJw829iMm65P4fy+L9/C1XFfJ9x4rMeya9bHZuKxr29Ieia9KFAaWtASSngF6Uc
+zwvGJ4AZQzUIiE6Ku/ZpGBjki9k36LsufQIeOaEaoHlSPS1K6pMh9Br40xQ+FkB4
+OwFt7zNQygiSJt6NHvET4ib2i+0lZXRa32yl/dEJyf3aWT3iMxm4wLslLOI7Bud+
+y04bVYi6hw+JFUFmFCLkrMW/iZ69S3lUPoUO9xz8fuCR64KjwjSR4FFawZ7ZQUKf
+OUOu3dcXAgMBAAECggEAMss1AwbSxdm3wVVEuIwmBPxCHRrh8SKRJNPrVrlrGjDS
+MvIZufFg6PQ245MyM+ZCLxB/L2srNFBpxI2QO17bgGoIjlA8ESfFIQGNuEh16VS4
+HVtty+tYOVgzuEEOFagffvgqdxuTALi1tPQchSwKcm3WV3jWjqRSW41tPHzrzPEM
+gNw6mlLIUxgaxJ31SytDPfLcCxhjyY1cLOseAtD37x8HZVw52cojmjn0Uy2+TeLu
+6e34KqWzTcO8U7w4mBu6KyQYS5Q2GxR4eMfrja2nmQEJjjtL/MjPCr1RavzRmeO8
+j2w0GbTZaM2otzI21VbNpM+OmX3OkGmKiPNIm0HVKQKBgQDufzscdRfcJSng9Wb/
+kB1mr+AYZubzhHIVgN50UWnzqiLsVBWRGT6+y49z7dN3+4aGHXKjmV0Ceimi/6uC
+nNsZ1kfJrHWXmTbTslQlBxOwyMuBsolWBSZdaqoX3dhDNu7EbUPgWqWjrv412EhH
+UIH/mpmu8TgyA/SPT7BiHjuDcwKBgQDmuIkAYWseZ5iEWXPX2rH1XTtvKAHuzjf7
+yPk5QX+ZeTZiPZPzvn4I6x4kMjnpn5wrVkm5QMQVK2NKpaQwMtdkQcevVybXVJ/u
+0SMRHgXiesF6pG4YgREEJjbHdwmRgAaLffOPVSOvEGPc8ha1tEE7ZwgpKfjnCStC
+2VkmWpcczQKBgQDsn3MIUuxvULfyJ8ge+t8QyKIv07iEFv4Rc6BCC5xxUnX/v5T+
+NuvX5KLZRDaxLe5UFddtlXWARbAVtlB18CY5xi3HW8H3vN12v9FYQ2M33KB8d6Rm
+oglkWbWUpFgyp8fRPw8/AvCgK7ivt3xOtQOlk7+yoEU+6kmz/j5jutcVHQKBgQDP
++ocdPbP3C4GzxIMlkHGc8fcyo0jiwSg8IxVuJHnmmhqJAmNNdGlelrtr+46y53s6
+oaUBhr17K8psrtZL0HjTWmyrxY8wyosFF6dZtcuuNeQVLwZDtozlRaFZuxd3/oVn
+1xjoGuJ42/h5Yg1QrHWlG6KCoOBLO7uwnga8CStw/QKBgQDSzUAJaak3XFAfdou3
+GxWLQJcOXB/WxrZA7gq6K2aWvkY80AOPMGLhVFXA8k1fLI7jn2f9x7Ff6PNrzclf
+mvvN6g6YH0vH9k+W6aHBnen8oGjW3XU4MHn7dPxfxPJ/MDT3toVAvD+6QnKFdd7o
+xCDad5+lKr6f0yyPije/ZDkSSA==
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-768-1.key b/pki/testdata/ssl/certificates/rsa-768-1.key
new file mode 100644
index 0000000..2ccd987
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-768-1.key
@@ -0,0 +1,13 @@
+-----BEGIN PRIVATE KEY-----
+MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEAn8Be4Q88Bif6duPK
+vG+iyt96BFtCTUgjuNEwhcWoeSO6BeZPeu1VRqOHI7/GE4jHO6iVRCnhw9DJg5eb
++p6zX1IWytyhke/psWBl3RNGXOvLucVWUJctS5pgKN1FNsILAgMBAAECYQCDjRaU
+nsb/CszmOo8ovYWBKqaAD+Z5XX6NIzah8jLaDuGRGic5Q1eF5APVHIcwbuDU2Fyv
+NIJqf768Gx/lUzmAlcGjF9hIRh5vrE4zfeCa2wSUjWNZPmqdTzjkM3r0NYECMQDM
+1ORCXgP/DYHQbCTRFvNA/jYaIXRjUs+HXefXe27jJD32W3Mf+lyIcBV/mR7lRkUC
+MQDHqJMkx3TiRsP2cYmG8citPrEjEA0TwPg181Kvi3N6aE5QzNHHLvl2nVJi7VPl
+VA8CMQCayYKY2J0if52K2D5WN4appbFSu9dNO4YSYJdT0jYwtfGRGvh7wOFuRW0p
+mJetYRUCMQCN9fiZoBAli3duVRAaGPQ86mR8r778mqphgd763kZ/dIaqwNcvruDF
+S9r2aBTM7FUCMD46f/dAx2EfxsAfn3lYQWVpuxFQpK+tIqYzjeKsu/zRaqEkcog5
+BOq06OV3qPYsVA==
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-768-2.key b/pki/testdata/ssl/certificates/rsa-768-2.key
new file mode 100644
index 0000000..6c834c4
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-768-2.key
@@ -0,0 +1,13 @@
+-----BEGIN PRIVATE KEY-----
+MIIB5wIBADANBgkqhkiG9w0BAQEFAASCAdEwggHNAgEAAmEA4SDrD2C751/n+lHQ
+UBn5YynSU9hrO9ttTcnvMgqiL0gv2lAsx0N9QM0dg8rHsQodUYZotUQ0qbzCxzEw
+pRVTHcEYHSnjaO7OfsqpGke+66jK0VhsQBkGbU2RznY3at3fAgMBAAECYQCRzs4v
+QYmxy03ltENk/c2lyhptL4gUVoOulBEVqgls8iX8EV1PGYjwBWkOSLGZGmC3u4KI
+le1z9L9iZxO5GGO0SJ/bLW/pGofgHCikBjLmhhyLuV0oFsY6te/q21fWu2ECMQD0
+nbX+qhNgXYsZ96cb71ZfD80yGtu7dCVEYL/iC30P3BEztLabEIdVwmoUyBFfCDkC
+MQDrmwnyqGx431YH3uyBrlwbJhRvAFfwACMy+6sY54BZdaPni9hHcQoKrAiQOe92
+ptcCMQDcS5AUefybQ4M7bpIbkU7aq7NjVVbgGbhaPTtximElwE3pn+z390m6TS0V
+7Bvg1tkCMQCDkPdUJ1MziFvtV0IxBKHwkyoz9jglEJ6XWMxpwtT8n+HgakpjUq9t
+2DWL/J5JXs8CMQDsP+WjN9GzsQtuUMXEUxc1wgMVRFwvQ55hmXfeWaT2bgX+jpAn
++SreMT1bErrH2M8=
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-768-3.key b/pki/testdata/ssl/certificates/rsa-768-3.key
new file mode 100644
index 0000000..fcf0680
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-768-3.key
@@ -0,0 +1,13 @@
+-----BEGIN PRIVATE KEY-----
+MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEAtngFrnpogJ4DAPMt
+Jvxxl3vSNFdnNMlpRGlHpPqhtOHTzYzXvRvSmSGzpYhvzVCFujjTvtszd86yehxr
++081ZtQbhHGhPKnudoPfqfYGUB6djJX4+I1pm2cWTOIXiGL7AgMBAAECYE7lbId5
+tA/Qwrm5a8+Mnc0DI+uv0xc280Y6Q1kpaZwdfQhGms3Q5umBcfzkFntvEfgMJstC
+KDWgH5Vo6v7oR/Hk8D0NzOyFNfEU10g72EG47PF2qFMlCZ3dTV5U3lPtOQIxAOfC
+NB/LuHFiMA5LeFlfbV0Fyj4Kr+lqtGdwClmX3+KgfTUj9RcEMs+34z+UpYXt3wIx
+AMmN/LkrZpwktp/iZuaKDvkA5foN660LguOt87/NdIN4l2hn8auEhwmh0Vno5gu2
+ZQIwf6kWFT2eh7ZSSk2AKZrLHyaFVM+GPsksPp4U1W03QhqtXYxFATyq0Ii2gNtc
+of15AjEAvCh2HnM61lebuYTE5UFLGv/QsfBe7GvLpDsXSx5FQBrK1ef7f1A4NDDB
+XLsETzjVAjAegTa8Fk65Qc3YODZhIcDRbJ195DLUaw7ETgpT0utLPH7Kkn1GNyZf
+wzlUtrz3r58=
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/ssl/certificates/rsa-8200-1.key b/pki/testdata/ssl/certificates/rsa-8200-1.key
new file mode 100644
index 0000000..74cf0d9
--- /dev/null
+++ b/pki/testdata/ssl/certificates/rsa-8200-1.key
@@ -0,0 +1,100 @@
+-----BEGIN PRIVATE KEY-----
+MIISRQIBADANBgkqhkiG9w0BAQEFAASCEi8wghIrAgEAAoIEAgCryOGbBSSQ/E53
+duYJ8JpWms7zJk8+FpvZGW8CwGH2Qjs9UQmqMhGKTNySND6Gfk+tAGxd8zWGayyJ
+rVhi5Sigr3+lPieGLt3TLke8LKysm0sSJU+xUUdZUTRjE3eff9Qb2NmgJ0uQIYic
+jSUDznRiOpblzEhX4Rw1Kiw+fkqqsnXRg1+gonL9EmWl28zoeQFvcGRyknZCDpyR
+K4Z667TuPoLk6F8S1IxyIEQPZciFbUnUTABbZTHQWZ33y7HmB3vc/P98PFilXsXH
+41h4AdxzN/5pTI7flRP/bu+4NiVHE/rM1h+ag29R1McxzxoOi9ToYgVRenjSSkgs
+/kjOELvBtIyivHNCwJjRrSXZi9fpZjgGTCqOg2mebU3qWDe0zL97jt9wGG612oFu
+pqCBFnBSn6L/dc03K9Ckx9xuRYv3upc4xOMQnOXKLb9/k/TPpTmSQEk1qhEGOoKw
+NC769IiTo69IxhJbB67gBVQzgJ5CVHfEzFid2SM1g59N3gNezjPb3y44ESlPJSfm
+I/S9Yg/divrE7F4BvFGDP5TIaN3sYZf0IEN6140bz3gNhCP5vD64xFt+Mn3sUfWo
+pAmUpKWY7u7YCn2B3XWg65jHelgzC+itLKHRMt0nSlKCLmIKS/UC/PnmRdNIekBh
+46tS29d3vC9cbeTpeZwneOEP789KO0yqeckGmZyktw6VvF7bFKDyrFQONeYz85No
++dw3L54jnv4BV0bTwuv3CoU6MQI+DSfqaGxv5kmVxMDlLGpGJsezarUyrTseJBSE
+DxungNAGktEawqkyk7ZRWdAUSZlgX/qanVenJ3pwrWWagqkyW5BKmzh+EhnGXnoM
+t23+a2FjyoQRKYFhKL8pJ1QLBYJMNvqK+j2tUWHzgwwYV5YlOdDYz+U3+mQH7xOC
+d0Egg61ci0RmRBRTwLqHWvKhMpOD6JEFhuCEALSe6b73faNkaTvUFV6y7SDkkAea
+fLpBFosHCtGoC5ZwklD9rCKKxcdjJJESMi5RutOMYzA4Y9dayUBN7k1LVx0dw8ei
+ZbWBvETGT3qIbMI9hjvRnJ3x35KyoKbvFXDtbKCQ58HbfO5kk4BAEoFhete+UsFO
+KgMQoKue4Ps9sPNWVWwg7ZxrTKsHMje3dpklMNHdqtgHt69eio88z7zX4ZQPUEN6
+PVUPosX0qWtW/sHVet0iDt0BANKD9T8/iwrns9HbPd2d/LwAOyU0kywdNkplCFOP
+vNHaeSjbrIQq5/SEszLSmbh1kaNOimVBFwjie5Ju5q+4n2FahMtKkEqBajj1f4eT
+dR8hs4evuZaKkzs6jGvQyuI28lBfkz3M9cfumHAShfXoihZcwrb53CBmjN+UBe8l
+LaV0kGIknQIDAQABAoIEAR7kr337fMn+NfZSEaiz9m2gxZsAxrt5wWlXo5kxE+z/
+mDu8uSo8et8OV5SLhLsXOCj6rIJw3K1h1M6luAGBCL9tEF2dQeplv0rdRdVXi243
+N1b6Eszmuxga/Hrc42Rxzql7ZBfjOTmgbjsJPyDiHhgURVLqXBBB0ZrWDMLoX3E3
+Suz03Vu8G0Xb6x/a2YztRg7OfaIFKPNUQV/yHes5PH6kC1IzX/W499EGcHb8bQVh
+1Cczy9Sj7EN1+my32zRtIB9r+F5VU/PZiWQbRKvAWe72oPA67m7TFpeXUdElG6se
+srnnwCM/g+OJipEwl5UKHK32AtLWXagj57r/uAQnCj0ZxTj2/xuAG3uJ0ga/mYLF
++UlYpUaf53ywV5TPbKU9NSp5VUGJg099Dk3h9XeBm42gW+XpP5CudoVL1B6Yr0VL
+7yosblFshf7IH2pIJ3y4UBQ3L3NRNGKUXzBlEhXbqDw08a76wA5S4WY0TyI7/Toc
+irV/smggxq43D40nYh/IoZbnGh7HJ1Cuc/B1guwUGJpVBigoAff58AbUhmNMSKzc
+GEG1E62h2iSoOQTlQLsG2ZjM509YsUCwtKcxaO+sdIN+ZMHBkTSrqR3ZgM5O+FGl
+0KBkKG3A4fjQ6umygbssUdHJwP9ii067fZydHxB1rNhBpZrPwJ0kW6rVmFQPYo4M
++1ENsX0AIz8hLx+10G602hcWu8MVgqO+E1Yoo5n6eNxCbKootZwSRQSwcUXgE9m0
+Q1NHKHsK+pvjR/QyvoEr7SRmcox4PHcYID7EMfPMu2UtsIdRKi4NkIvmzE9a52s1
+MPoanT+t9a4Zte4nQ+htFFFQFt10ue8Vqm16wPJ97gnpEM8keQhVYrttIKDVr2vs
+QEcHJ/PgDeIihy44AbPTQKUYzZ4YEMAkDgoVsBq3Ktk8DTjxOZrZw7xq9xJPS9N3
+5oLaTcUX2670SZUpRAg4/wArQncuE2pfsYP+beaGnUATiYRd8GoDSYtPOSa7BcyN
+Eexo8tB5Kzmvgcypk5N5jefLaVdUdczroIlSDlUcdAQb35Yvnd7F3HLWXJtUIPbh
+LZTJwJWooQVJLDt2lzrg/HQnD+UaYNI1Z8/oMaZ+zUBvQ8gBzArO3SRGfRI7lzvk
+wcJM4LqBO0pIO67NzhVCyhJn7Ua3P++W9d7LULb5fqy/O64W2J2o2Xd9hZEdA47A
+6JidJ2yNsv0p3AUgtVebEhBRQs6bPX4/siYif3xgT1ZZb8fTtQBYWsW8LS4Itdf9
+WaJuUlfI7xdHpQnMVd5qiEjrDk02/x4JI4DmveO/pLyQAJ3qQpvGxXUZ70ecfSAk
+ASn2OADu76TclVlQ4hvZ5913jxx8PWHFykK3w7N82xGZAoICAQ4FzISY+EaKydn8
+jOfOirjfct+0x0PYeDZ3XFEq1CcW7nHARMxlGBe9IwEgoAn/RtLmHtSrscPLpN+8
+mXS8ucPZwxIrbg2tCTZ2FktxAHldz3Fr7aGGeT4F7jE3e0gwYgU1h+CIMyDZZY/H
+j/hANx1a+mAkDr7jafEuOe6nOfnWSuCaTPbyYcyGQ4pIe2Z5A0A6MFATT2Z2YOC6
+tW98BNtw9ucOFNo9ZNakB8ZZ4WOG4vpFSSoSO3xJ2STn5HwuO+j2UF0ptmt5H6Pc
+LzYnbbengq5H0dsnyw/sKbTO4jzXfORjxPhwpvrwNlNvs9hmLB6IKzfiN1PXKITS
+updr+Ts72zD1I95dF3F0TsefncBSY9qq8D0Nq08zF4yYanxPLOmqjc1iCoSWyx95
+RjNTiAoTWqmXvbtd4Z6OBU3M2m5QQYLu1mGcfKveRvW6KdueBhZwXEcY7Vb+pU3q
+1J+Omh4wCQiyuuwsGu6QXmfkcVBOhLDoKxzAQJlch1l3zJdAQoul3iCYnptz6weR
+47Ceg4cdP50KLvgboq4N1VJgI7ivMB9gfP+J/J7JogjUigoQNOLqb/X7Zwmv5ZIX
+ZaKIB39HtKFvo1b/zpZagnx4y1K39pUFY8Nm3v0xZNU+keT3FCjOk44L+sXhdu5F
+tbA81qb+7kBhZn9LMfz9sDTIUXq3OwKCAgEMQCGtq+7q0Scml0Ds5ORrymYX/zhh
+xrkc/jbEHefvq50cCE7Sxmvm+NdFDz3JEpenWR4zPR0+39j8lNCWUK6azUhvqSK/
+HYLLI2EDeUyeCQyULoNT4qva6wnJNuufjaNsOOmwwuBAIgurFKYaTEMD+m+1hYG9
+Pe4drKMm3e3Xdg9IlJdKmY7MY+chxeCuiPfGO/MAm0Rz8pcKo1/cd308HuDL+CnE
+LAFDYc7fa7oaj8i698m6QGeadltIPoggOTntoto659SK8ZLWOHsD3E2YC4Iq6dtQ
+U8p8qWqn2kdWbLPnRhy5BXFcxeVFAbJOvgFMlSw1cCpoOySczBDlSpRjZV3ZP0R3
+gCG6Hjh5N8S+N7aLtQQvurMa/9qz6e1p54LCkXqevDp52wwM2DnjC05J+FaevvWW
+FjIaE8SU+Que77xakQYu7Vk1T2MoTimDAjduqtSTIvDb4uX1WNjgkX66AWUCzbEt
+Gp67cMYh0DjwaLgos6t9XdRp5964m4YPewhAcpVppFV45MOKcBWD99d3nYgOGYs1
+D8+4wXHpEJoU7r0pdz0buljZ1+bPmOiViShWmQgxIrKOCpOMuLKQJl2zJyVam8MN
+dy8xYm3RZF3hCNyROeHp8lEt5dSOpw82LchW2f5ErVYatYzJu/opdu9ToczNuvdU
+/U0liMxSEBr3RgcCggIBBHQzEarEsSNEGcjtuHMR/MZ8ZjG1WQdYp3QiDmXcHM5b
+ziWTtJgnnuKkS6dhLcu3YyVUhZhDTj1QkQAGfd2z41E3dH325sEfO/0l97Bcxi/V
+w+DUCYn82IZpsZg9wCAeAimOjvKzyqtCZvir8d3zo49SF1dcl6UD8WcNX5AeCgzW
+m6Bm8cjq51t9+F4tU878CVpyHf0EKzdObhLfrhlmMY0f3yPJ28fET6iqD4Zc4I/n
+aDa5lnNUEZYjMmW1XPwSa1xRCkZFer1uH03AcSL05nB+QXzuWv24scYBOTy8/zYy
+pRhLZ93gK7RAjR/dr85EFS6LC6T+jdK5O/by7UWOVBIe/N3gFrDa0V5v51f7cyq4
+LKw+wiWlU/KWeEGxEOrVCSLzB1ksnhCHU+fhNExD2W9sTJG14d1f3EyfwqZeestj
+A4N49GgP8UcYotQOl4MJy/bEWJDCUe9v8d+0yTkyGoSHWgvq8zjPFRcl5TnaA/fs
+jYQwrWEjI5MQKoqyoRf4CwMUGqZfOmEHNdBQ0biHblML8YVahdPBSCd8qj1/GxoJ
+3u12xnO9mXHR1ZwsfCXJpolwJmFDyP/lmxFzZrxuJS9RYDVlXCzEIV1+NKrpacyk
+tZCQr2/tQ958eH73OBKChLOYinWjoVaLwALEQsYQJ9qxMiG9vJDVv9WUMi+uMZwh
+AoICAQeazA1OfPrBqWcYX9Ju6KlNNIFTCsIPpZws5vxpgDBUvSvIsH3BdPwlnySc
+qIMoioH1HX07Q+ti9AUfsDiPj0RDiOLgANTY0feeV7vbUceM4IUgNqAdRweX/jQt
+ZqleOIOW9OKopqLJP6sNH2uVycgvb6ckYHyEdEtxfrpC7EFjZWtt6lkB6BZTMgjS
+GH7gQceKMXg/6od7oW2WK4zllBV9KZkUzYCcvJACqHQjIJ0agsYlydFX57iIHnRD
+dSdjvuUYwhXtEhDKk5dt6ldkK7rl8gEHuQAtc7ZdSPs30i8BPdCkwnHMwimQI5np
+yrF827uZop7tqTWY+Upol1hvKpxlMZQJ5Uu1e7pYxj/hcb2PQj+JuDaU1Fg/WZlz
+7tBeSdrUimT9feNlKh7TH2QlAY2Dnuneqv9neeScPt0nmKIqOieSfV8mMcmZJXnA
+w54zAwws+db4ysIFITFj3QXS6/M1qGnMHF9edgjvod8drir3JtMFbcBePd0cdjLt
+QJRdkKrJNp0kyXZJtGU83O5WLShw3yO5kaP307/iPf8rMisqZLzX61RKIpvgncRj
+LIafZS4Uw3QVEPiB8kRZ52b6mhH7jAGqTbQPN3mVm4xvnKN0Z8+zOd2Lcf9m+8Mu
+S5AbbZEUs/YYECp2ZxZYHZwd28Vz3HodxSm6MGjLeeK7YrH7gwKCAgBm0zD2DvKK
+EfDQOk2DpnScdNkuYlRD7WADQfgKg6GheSWIvAi9Dh/Ks3ZIcVAcpQgWQoMlhTie
+ZudfSjWxfFwlTAYKfF1kUnlrOACz04ZqsFMzx7Ks1HkvG1KEBTenAetcDPcL1b79
+U01tql7T6NIkxwtOR/nr1CvxgJa2wuuLYiUIAyIQYY0c18FkyFii1nJuneGb/Zvf
+ctf+S5O+GuSOc+LjDSGIa8RZf5ScxRmKGj6OSrYRGrM7ZoS/psvGQSOJeITN5SNJ
+umAA89mfpz8V87HHn520Vo7G9vmm5pQr27Nu1RBQJBXgrhC5fWXBXk/zmnyqskDM
+Bcb1h3nppB6dr5263iy+HHMxS/L0m6kCUfxfj6A4d1/fTGbv1tRCtlR9Rq4EJxWr
+8n49pbluSvL5XZoJJH2PGjjxNurSpnXVRFFOjpvl73wE/X/bH/Gs8AMtIrpnBRmM
+viaX/AOym3DFU2RTgNIt8zmNtqq/NhAuQmYEhodODXtnzzquh4Z4EZmhfzq/do5e
+nGTfN4hN7a9ODtP9Gt+w2CBCnE+7OnWo6Asj+wK0H59c2wfSD68d5n+V7U+BHHkN
+E8uwIjFNZ+n3LRdH/iY7w4ujgIdZRcQuOMf00a3950mcJM0hz278FuDIipbMFCxG
+qrLjqBtCTH9vu/Df2F0JNICD6Ro21WM/YQ==
+-----END PRIVATE KEY-----
diff --git a/pki/verify_name_match_fuzzer.cc b/pki/verify_name_match_fuzzer.cc
index d76abc6..5b2b159 100644
--- a/pki/verify_name_match_fuzzer.cc
+++ b/pki/verify_name_match_fuzzer.cc
@@ -6,6 +6,7 @@
#include <stddef.h>
#include <stdint.h>
+#include <stdlib.h>
#include <fuzzer/FuzzedDataProvider.h>
@@ -24,11 +25,13 @@
std::vector<uint8_t> second_part =
fuzzed_data.ConsumeRemainingBytes<uint8_t>();
- bssl::der::Input in1(first_part.data(), first_part.size());
- bssl::der::Input in2(second_part.data(), second_part.size());
+ bssl::der::Input in1(first_part);
+ bssl::der::Input in2(second_part);
bool match = net::VerifyNameMatch(in1, in2);
bool reverse_order_match = net::VerifyNameMatch(in2, in1);
// Result should be the same regardless of argument order.
- CHECK_EQ(match, reverse_order_match);
+ if (match != reverse_order_match) {
+ abort();
+ }
return 0;
}
diff --git a/pki/verify_name_match_normalizename_fuzzer.cc b/pki/verify_name_match_normalizename_fuzzer.cc
index 96f4608..0bf31bb 100644
--- a/pki/verify_name_match_normalizename_fuzzer.cc
+++ b/pki/verify_name_match_normalizename_fuzzer.cc
@@ -18,9 +18,13 @@
// produce the same output again.
std::string renormalized_der;
bool renormalize_success = net::NormalizeName(
- bssl::der::Input(&normalized_der), &renormalized_der, &errors);
- CHECK(renormalize_success);
- CHECK_EQ(normalized_der, renormalized_der);
+ bssl::der::Input(normalized_der), &renormalized_der, &errors);
+ if (!renormalize_success) {
+ abort();
+ }
+ if (normalized_der != renormalized_der) {
+ abort();
+ }
}
return 0;
}
diff --git a/pki/verify_name_match_unittest.cc b/pki/verify_name_match_unittest.cc
index 7bdacb2..4e57250 100644
--- a/pki/verify_name_match_unittest.cc
+++ b/pki/verify_name_match_unittest.cc
@@ -71,20 +71,20 @@
TEST_P(VerifyNameMatchSimpleTest, ExactEquality) {
std::string der;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix(), &der));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der),
- SequenceValueFromString(&der)));
+ EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der),
+ SequenceValueFromString(der)));
std::string der_extra_attr;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
&der_extra_attr));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
- SequenceValueFromString(&der_extra_attr)));
+ EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
+ SequenceValueFromString(der_extra_attr)));
std::string der_extra_rdn;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn",
&der_extra_rdn));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn),
- SequenceValueFromString(&der_extra_rdn)));
+ EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn),
+ SequenceValueFromString(der_extra_rdn)));
}
// Ensure that a Name does not match another Name which is exactly the same but
@@ -95,10 +95,10 @@
std::string der_extra_attr;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
&der_extra_attr));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
- SequenceValueFromString(&der_extra_attr)));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
- SequenceValueFromString(&der)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
+ SequenceValueFromString(der_extra_attr)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
+ SequenceValueFromString(der)));
}
// Ensure that a Name does not match another Name which has the same number of
@@ -111,13 +111,13 @@
std::string der_extra_attr;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_attr",
&der_extra_attr));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr),
- SequenceValueFromString(&der_extra_attr)));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_attr),
- SequenceValueFromString(&der_dupe_attr)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr),
+ SequenceValueFromString(der_extra_attr)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_attr),
+ SequenceValueFromString(der_dupe_attr)));
// However, the name with a dupe attribute should match itself.
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_dupe_attr),
- SequenceValueFromString(&der_dupe_attr)));
+ EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_dupe_attr),
+ SequenceValueFromString(der_dupe_attr)));
}
// Ensure that a Name does not match another Name which is exactly the same but
@@ -128,10 +128,10 @@
std::string der_extra_rdn;
ASSERT_TRUE(LoadTestData("ascii", value_type(), suffix() + "-extra_rdn",
&der_extra_rdn));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
- SequenceValueFromString(&der_extra_rdn)));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_extra_rdn),
- SequenceValueFromString(&der)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
+ SequenceValueFromString(der_extra_rdn)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_extra_rdn),
+ SequenceValueFromString(der)));
}
// Runs VerifyNameMatchSimpleTest for all combinations of value_type and and
@@ -156,11 +156,11 @@
std::string case_swap;
ASSERT_TRUE(LoadTestData("ascii", value_type(), "case_swap", &case_swap));
EXPECT_EQ(expected_result(),
- VerifyNameMatch(SequenceValueFromString(&normal),
- SequenceValueFromString(&case_swap)));
+ VerifyNameMatch(SequenceValueFromString(normal),
+ SequenceValueFromString(case_swap)));
EXPECT_EQ(expected_result(),
- VerifyNameMatch(SequenceValueFromString(&case_swap),
- SequenceValueFromString(&normal)));
+ VerifyNameMatch(SequenceValueFromString(case_swap),
+ SequenceValueFromString(normal)));
}
// Verify matching folds whitespace (for the types which currently support
@@ -172,11 +172,11 @@
ASSERT_TRUE(
LoadTestData("ascii", value_type(), "extra_whitespace", &whitespace));
EXPECT_EQ(expected_result(),
- VerifyNameMatch(SequenceValueFromString(&normal),
- SequenceValueFromString(&whitespace)));
+ VerifyNameMatch(SequenceValueFromString(normal),
+ SequenceValueFromString(whitespace)));
EXPECT_EQ(expected_result(),
- VerifyNameMatch(SequenceValueFromString(&whitespace),
- SequenceValueFromString(&normal)));
+ VerifyNameMatch(SequenceValueFromString(whitespace),
+ SequenceValueFromString(normal)));
}
// Runs VerifyNameMatchNormalizationTest for each (expected_result, value_type)
@@ -207,11 +207,11 @@
std::string der_2;
ASSERT_TRUE(LoadTestData("ascii", value_type_2(), "unmangled", &der_2));
if (TypesAreComparable(value_type_1(), value_type_2())) {
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1),
- SequenceValueFromString(&der_2)));
+ EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1),
+ SequenceValueFromString(der_2)));
} else {
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der_1),
- SequenceValueFromString(&der_2)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der_1),
+ SequenceValueFromString(der_2)));
}
}
@@ -234,37 +234,37 @@
&der_2_extra_attr));
if (TypesAreComparable(value_type_1(), value_type_2())) {
- EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
- SequenceValueFromString(&der_2)));
- EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
- SequenceValueFromString(&der_1)));
- EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn),
- SequenceValueFromString(&der_2)));
- EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn),
- SequenceValueFromString(&der_1)));
+ EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1),
+ SequenceValueFromString(der_2)));
+ EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2),
+ SequenceValueFromString(der_1)));
+ EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn),
+ SequenceValueFromString(der_2)));
+ EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn),
+ SequenceValueFromString(der_1)));
} else {
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
- SequenceValueFromString(&der_2)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
- SequenceValueFromString(&der_1)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_rdn),
- SequenceValueFromString(&der_2)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_rdn),
- SequenceValueFromString(&der_1)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
+ SequenceValueFromString(der_2)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
+ SequenceValueFromString(der_1)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_rdn),
+ SequenceValueFromString(der_2)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_rdn),
+ SequenceValueFromString(der_1)));
}
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
- SequenceValueFromString(&der_2_extra_rdn)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
- SequenceValueFromString(&der_1_extra_rdn)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1_extra_attr),
- SequenceValueFromString(&der_2)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2_extra_attr),
- SequenceValueFromString(&der_1)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_1),
- SequenceValueFromString(&der_2_extra_attr)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&der_2),
- SequenceValueFromString(&der_1_extra_attr)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
+ SequenceValueFromString(der_2_extra_rdn)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
+ SequenceValueFromString(der_1_extra_rdn)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1_extra_attr),
+ SequenceValueFromString(der_2)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2_extra_attr),
+ SequenceValueFromString(der_1)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_1),
+ SequenceValueFromString(der_2_extra_attr)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(der_2),
+ SequenceValueFromString(der_1_extra_attr)));
}
// Runs VerifyNameMatchDifferingTypesTest for all combinations of value types in
@@ -293,8 +293,8 @@
ASSERT_TRUE(LoadTestData(prefix(), value_type_1(), "unmangled", &der_1));
std::string der_2;
ASSERT_TRUE(LoadTestData(prefix(), value_type_2(), "unmangled", &der_2));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&der_1),
- SequenceValueFromString(&der_2)));
+ EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(der_1),
+ SequenceValueFromString(der_2)));
}
// Runs VerifyNameMatchUnicodeConversionTest with prefix="unicode_bmp" for all
@@ -351,12 +351,12 @@
}
der.replace(replace_location, 1, 1, c);
// Verification should fail due to the invalid character.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&der),
- SequenceValueFromString(&der)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(der),
+ SequenceValueFromString(der)));
std::string normalized_der;
CertErrors errors;
EXPECT_FALSE(
- NormalizeName(SequenceValueFromString(&der), &normalized_der, &errors));
+ NormalizeName(SequenceValueFromString(der), &normalized_der, &errors));
}
}
@@ -371,11 +371,11 @@
SCOPED_TRACE(c);
der.replace(replace_location, 1, 1, c);
bool expected_result = (c <= 127);
- EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(&der),
- SequenceValueFromString(&der)));
+ EXPECT_EQ(expected_result, VerifyNameMatch(SequenceValueFromString(der),
+ SequenceValueFromString(der)));
std::string normalized_der;
CertErrors errors;
- EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(&der),
+ EXPECT_EQ(expected_result, NormalizeName(SequenceValueFromString(der),
&normalized_der, &errors));
}
}
@@ -386,11 +386,11 @@
LoadTestData("invalid", "AttributeTypeAndValue", "extradata", &invalid));
// Verification should fail due to extra element in AttributeTypeAndValue
// sequence.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -400,11 +400,11 @@
&invalid));
// Verification should fail due to AttributeTypeAndValue sequence having only
// one element.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -413,11 +413,11 @@
ASSERT_TRUE(
LoadTestData("invalid", "AttributeTypeAndValue", "empty", &invalid));
// Verification should fail due to empty AttributeTypeAndValue sequence.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -426,11 +426,11 @@
ASSERT_TRUE(LoadTestData("invalid", "AttributeTypeAndValue",
"badAttributeType", &invalid));
// Verification should fail due to Attribute Type not being an OID.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -440,11 +440,11 @@
&invalid));
// Verification should fail due to AttributeTypeAndValue being a Set instead
// of a Sequence.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -452,11 +452,11 @@
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "sequenceInsteadOfSet", &invalid));
// Verification should fail due to RDN being a Sequence instead of a Set.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -464,11 +464,11 @@
std::string invalid;
ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
// Verification should fail due to RDN having zero AttributeTypeAndValues.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -484,11 +484,11 @@
std::string invalid =
normal.replace(replace_location, 4, std::string("\xd8\x35\xdc\x00", 4));
// Verification should fail due to the invalid codepoints.
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
std::string normalized_der;
CertErrors errors;
- EXPECT_FALSE(NormalizeName(SequenceValueFromString(&invalid), &normalized_der,
+ EXPECT_FALSE(NormalizeName(SequenceValueFromString(invalid), &normalized_der,
&errors));
}
@@ -496,23 +496,23 @@
std::string empty;
ASSERT_TRUE(LoadTestData("valid", "Name", "empty", &empty));
// Empty names are equal.
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&empty),
- SequenceValueFromString(&empty)));
+ EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(empty),
+ SequenceValueFromString(empty)));
// An empty name normalized is unchanged.
std::string normalized_empty_der;
CertErrors errors;
- EXPECT_TRUE(NormalizeName(SequenceValueFromString(&empty),
+ EXPECT_TRUE(NormalizeName(SequenceValueFromString(empty),
&normalized_empty_der, &errors));
- EXPECT_EQ(SequenceValueFromString(&empty), der::Input(&normalized_empty_der));
+ EXPECT_EQ(SequenceValueFromString(empty), der::Input(normalized_empty_der));
// An empty name is not equal to non-empty name.
std::string non_empty;
ASSERT_TRUE(
LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&empty),
- SequenceValueFromString(&non_empty)));
- EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(&non_empty),
- SequenceValueFromString(&empty)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(empty),
+ SequenceValueFromString(non_empty)));
+ EXPECT_FALSE(VerifyNameMatch(SequenceValueFromString(non_empty),
+ SequenceValueFromString(empty)));
}
// Matching should succeed when the RDNs are sorted differently but are still
@@ -522,10 +522,10 @@
ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_1", &a));
std::string b;
ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "rdn_sorting_2", &b));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a),
- SequenceValueFromString(&b)));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b),
- SequenceValueFromString(&a)));
+ EXPECT_TRUE(
+ VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b)));
+ EXPECT_TRUE(
+ VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a)));
}
// Matching should succeed when the RDNs are sorted differently but are still
@@ -536,10 +536,10 @@
ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_1", &a));
std::string b;
ASSERT_TRUE(LoadTestData("ascii", "mixed", "rdn_dupetype_sorting_2", &b));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&a),
- SequenceValueFromString(&b)));
- EXPECT_TRUE(VerifyNameMatch(SequenceValueFromString(&b),
- SequenceValueFromString(&a)));
+ EXPECT_TRUE(
+ VerifyNameMatch(SequenceValueFromString(a), SequenceValueFromString(b)));
+ EXPECT_TRUE(
+ VerifyNameMatch(SequenceValueFromString(b), SequenceValueFromString(a)));
}
TEST(VerifyNameInSubtreeInvalidDataTest, FailOnEmptyRdn) {
@@ -549,12 +549,12 @@
ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid));
// For both |name| and |parent|, a RelativeDistinguishedName must have at
// least one AttributeTypeAndValue.
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&valid),
- SequenceValueFromString(&invalid)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid),
- SequenceValueFromString(&valid)));
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&invalid),
- SequenceValueFromString(&invalid)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(valid),
+ SequenceValueFromString(invalid)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid),
+ SequenceValueFromString(valid)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(invalid),
+ SequenceValueFromString(invalid)));
}
TEST(VerifyNameInSubtreeTest, EmptyNameMatching) {
@@ -564,14 +564,14 @@
ASSERT_TRUE(
LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &non_empty));
// Empty name is in the subtree defined by empty name.
- EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&empty),
- SequenceValueFromString(&empty)));
+ EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(empty),
+ SequenceValueFromString(empty)));
// Any non-empty name is in the subtree defined by empty name.
- EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(&non_empty),
- SequenceValueFromString(&empty)));
+ EXPECT_TRUE(VerifyNameInSubtree(SequenceValueFromString(non_empty),
+ SequenceValueFromString(empty)));
// Empty name is not in the subtree defined by non-empty name.
- EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(&empty),
- SequenceValueFromString(&non_empty)));
+ EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(empty),
+ SequenceValueFromString(non_empty)));
}
// Verify that the normalized output matches the pre-generated expected value
@@ -587,14 +587,14 @@
ASSERT_TRUE(LoadTestData("unicode", "mixed", "unnormalized", &raw_der));
std::string normalized_der;
CertErrors errors;
- ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der,
+ ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der,
&errors));
- EXPECT_EQ(SequenceValueFromString(&expected_normalized_der),
- der::Input(&normalized_der));
+ EXPECT_EQ(SequenceValueFromString(expected_normalized_der),
+ der::Input(normalized_der));
// Re-normalizing an already normalized Name should not change it.
std::string renormalized_der;
ASSERT_TRUE(
- NormalizeName(der::Input(&normalized_der), &renormalized_der, &errors));
+ NormalizeName(der::Input(normalized_der), &renormalized_der, &errors));
EXPECT_EQ(normalized_der, renormalized_der);
}
@@ -605,9 +605,9 @@
std::string normalized_der;
CertErrors errors;
- ASSERT_TRUE(NormalizeName(SequenceValueFromString(&raw_der), &normalized_der,
+ ASSERT_TRUE(NormalizeName(SequenceValueFromString(raw_der), &normalized_der,
&errors));
- EXPECT_EQ(SequenceValueFromString(&raw_der), der::Input(&normalized_der));
+ EXPECT_EQ(SequenceValueFromString(raw_der), der::Input(normalized_der));
}
} // namespace net
diff --git a/pki/verify_name_match_verifynameinsubtree_fuzzer.cc b/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
index 94cc3bf..bfc70d3 100644
--- a/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
+++ b/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
@@ -24,12 +24,15 @@
std::vector<uint8_t> second_part =
fuzzed_data.ConsumeRemainingBytes<uint8_t>();
- bssl::der::Input in1(first_part.data(), first_part.size());
- bssl::der::Input in2(second_part.data(), second_part.size());
+ bssl::der::Input in1(first_part);
+ bssl::der::Input in2(second_part);
bool match = net::VerifyNameInSubtree(in1, in2);
bool reverse_order_match = net::VerifyNameInSubtree(in2, in1);
// If both InSubtree matches are true, then in1 == in2 (modulo normalization).
- if (match && reverse_order_match)
- CHECK(net::VerifyNameMatch(in1, in2));
+ if (match && reverse_order_match) {
+ if (!net::VerifyNameMatch(in1, in2)) {
+ abort();
+ }
+ }
return 0;
}
diff --git a/pki/verify_signed_data_unittest.cc b/pki/verify_signed_data_unittest.cc
index 3dd5702..6ab0878 100644
--- a/pki/verify_signed_data_unittest.cc
+++ b/pki/verify_signed_data_unittest.cc
@@ -55,10 +55,10 @@
ASSERT_TRUE(ReadTestDataFromPemFile(path, mappings));
std::optional<SignatureAlgorithm> signature_algorithm =
- ParseSignatureAlgorithm(der::Input(&algorithm));
+ ParseSignatureAlgorithm(der::Input(algorithm));
ASSERT_TRUE(signature_algorithm);
- der::Parser signature_value_parser((der::Input(&signature_value)));
+ der::Parser signature_value_parser((der::Input(signature_value)));
std::optional<der::BitString> signature_value_bit_string =
signature_value_parser.ReadBitString();
ASSERT_TRUE(signature_value_bit_string.has_value())
@@ -66,9 +66,9 @@
bool expected_result_bool = expected_result == SUCCESS;
- bool result = VerifySignedData(*signature_algorithm, der::Input(&signed_data),
+ bool result = VerifySignedData(*signature_algorithm, der::Input(signed_data),
signature_value_bit_string.value(),
- der::Input(&public_key), cache);
+ der::Input(public_key), cache);
EXPECT_EQ(expected_result_bool, result);
}
