From dedbb2526cffcce6940a515b62217843bf9d2bd3 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Sat, 1 Feb 2025 01:04:52 +0000 Subject: [PATCH 01/22] ocsp: fix memory leaks in OpenSSL compat layer --- src/ocsp.c | 11 ++++++++--- wolfcrypt/src/asn.c | 2 ++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index 69b9e0b53..0b9343dba 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -917,12 +917,17 @@ out: void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response) { + OcspEntry *s, *sNext; if (response == NULL) return; - if (response->single != NULL) { - FreeOcspEntry(response->single, NULL); - XFREE(response->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY); + + s = response->single; + while (s != NULL) { + sNext = s->next; + FreeOcspEntry(s, NULL); + XFREE(s, NULL, DYNAMIC_TYPE_OCSP_ENTRY); + s = sNext; } XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index daff303cc..08e11630e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -36967,6 +36967,7 @@ static int DecodeResponseData(byte* source, word32* ioIndex, XMEMSET(single->next->status, 0, sizeof(CertStatus)); single->next->isDynamic = 1; + single->next->ownStatus = 1; single = single->next; } @@ -37056,6 +37057,7 @@ static int DecodeResponseData(byte* source, word32* ioIndex, /* Entry to be freed. */ single->next->isDynamic = 1; + single->next->ownStatus = 1; /* used will be 0 (false) */ single = single->next; From d7711f04ab6b9236126fbbb00d585cc9dfd1c3ee Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Fri, 31 Jan 2025 17:53:25 +0000 Subject: [PATCH 02/22] openssl compat: skip OCSP response verification in statusCb This aligns with OpenSSL behavior --- configure.ac | 1 - src/internal.c | 75 ++++++++++++++++++++++++++++++++- src/ocsp.c | 25 ----------- src/ssl.c | 1 + src/tls.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 186 insertions(+), 28 deletions(-) 
diff --git a/configure.ac b/configure.ac index 57670efde..4f5ea6101 100644 --- a/configure.ac +++ b/configure.ac @@ -9163,7 +9163,6 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PRIORITIZE_PSK" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CHECK_ALERT_ON_ERR" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TICKET_HAVE_ID" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK" ENABLED_TRUSTED_PEER_CERT=yes else CFLAGS=$(printf "%s" "$CFLAGS" | sed 's/-DOPENSSL_COMPATIBLE_DEFAULTS//g') diff --git a/src/internal.c b/src/internal.c index 3082c757a..b95d97e04 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8689,6 +8689,13 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl) #endif #ifdef OPENSSL_EXTRA XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL); +#ifdef HAVE_OCSP + if (ssl->ocspResp) { + XFREE(ssl->ocspResp, NULL, 0); + ssl->ocspResp = NULL; + ssl->ocspRespSz = 0; + } +#endif #endif #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) while (ssl->certReqCtx != NULL) { @@ -9014,6 +9021,14 @@ void FreeHandshakeResources(WOLFSSL* ssl) * !WOLFSSL_POST_HANDSHAKE_AUTH */ #endif /* HAVE_TLS_EXTENSIONS && !NO_TLS */ +#if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA) + if (ssl->ocspResp != NULL) { + XFREE(ssl->ocspResp, NULL, 0); + ssl->ocspResp = NULL; + ssl->ocspRespSz = 0; + } +#endif /* HAVE_OCSP && OPENSSL_EXTRA */ + #ifdef WOLFSSL_STATIC_MEMORY /* when done with handshake decrement current handshake count */ if (ssl->heap != NULL) { @@ -24099,7 +24114,7 @@ int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request, ret = InitOcspRequest(request, cert, 0, ssl->heap); if (ret == 0) { /* make sure ctx OCSP request is updated */ - if (!ssl->buffers.weOwnCert) { + if (!ssl->buffers.weOwnCert && SSL_CM(ssl) != NULL) { wolfSSL_Mutex* ocspLock = &SSL_CM(ssl)->ocsp_stapling->ocspLock; if (wc_LockMutex(ocspLock) == 0) { if (ssl->ctx->certOcspRequest == NULL) { 
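Review bot: In the CreateOcspRequest hunk, `&SSL_CM(ssl)->ocsp_stapling->ocspLock` is still computed without testing `ocsp_stapling`; the added condition only rules out a NULL certificate manager. If stapling was never enabled on that manager (not visible from the hunk), wc_LockMutex is handed a near-NULL address. Extending the guard closes the gap: `if (!ssl->buffers.weOwnCert && SSL_CM(ssl) != NULL && SSL_CM(ssl)->ocsp_stapling != NULL) {`. The function body continues outside the hunk.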
@@ -24840,6 +24855,50 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, return ret; } #endif + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ + (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) +static int BuildCertificateStatusWithStatusCB(WOLFSSL* ssl) +{ + WOLFSSL_OCSP *ocsp; + void *ioCtx = NULL; + buffer response; + int ret; + + ocsp = SSL_CM(ssl)->ocsp_stapling; + if (ocsp == NULL || ocsp->statusCb == NULL) + return BAD_FUNC_ARG; + ioCtx = (ssl && ssl->ocspIOCtx != NULL) ? + ssl->ocspIOCtx : ocsp->cm->ocspIOCtx; + XMEMSET(&response, 0, sizeof(response)); + WOLFSSL_MSG("Calling ocsp->statusCb"); + ret = ocsp->statusCb(ssl, ioCtx); + switch (ret) { + case SSL_TLSEXT_ERR_OK: + if (ssl->ocspResp == NULL || ssl->ocspRespSz == 0) { + ret = 0; + break; + } + response.buffer = ssl->ocspResp; + response.length = ssl->ocspRespSz; + ret = BuildCertificateStatus(ssl, WOLFSSL_CSR_OCSP, &response, 1); + break; + case SSL_TLSEXT_ERR_NOACK: + /* No OCSP response to send */ + ret = 0; + break; + case SSL_TLSEXT_ERR_ALERT_FATAL: + /* fall through */ + default: + ret = WOLFSSL_FATAL_ERROR; + break; + } + return ret; +} +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST && (defined(OPENSSL_ALL) || +defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) +*/ #endif /* NO_WOLFSSL_SERVER */ /* handle generation of certificate_status (22) */ 
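Review bot: BuildCertificateStatusWithStatusCB reads `SSL_CM(ssl)->ocsp_stapling` in its first statement, so the `ssl &&` test inside the `ioCtx` expression two lines later cannot protect anything, and `SSL_CM(ssl)` itself is never tested in this function. Starting with the same guard that TLSX_CSR_SetResponseWithStatusCB uses, `if (ssl == NULL || SSL_CM(ssl) == NULL) return BAD_FUNC_ARG;`, keeps the helper safe independently of its caller. The `ssl->ocspRespSz == 0` test also lets a negative size reach `response.length`; `ssl->ocspRespSz <= 0` would treat it as "no response". A short header comment stating that the callback is expected to install the response in `ssl->ocspResp` and that it is sent unverified would help the next reader.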
@@ -24860,6 +24919,20 @@ int SendCertificateStatus(WOLFSSL* ssl) #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 status_type = status_type ? status_type : ssl->status_request_v2; #endif + if (ssl == NULL || SSL_CM(ssl) == NULL) { + WOLFSSL_MSG("SendCertificateStatus bad args"); + return BAD_FUNC_ARG; + } + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ +(defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) + if (SSL_CM(ssl)->ocsp_stapling != NULL && + SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { + if (ssl->status_request == WOLFSSL_CSR_OCSP) + return BuildCertificateStatusWithStatusCB(ssl); + } +#endif switch (status_type) { diff --git a/src/ocsp.c b/src/ocsp.c index 0b9343dba..1287a0048 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -480,31 +480,6 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, ioCtx = (ssl && ssl->ocspIOCtx != NULL) ? ssl->ocspIOCtx : ocsp->cm->ocspIOCtx; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - if (ocsp->statusCb != NULL && ssl != NULL) { - WOLFSSL_MSG("Calling ocsp->statusCb"); - ret = ocsp->statusCb(ssl, ioCtx); - switch (ret) { - case SSL_TLSEXT_ERR_OK: - ret = wolfSSL_get_ocsp_response(ssl, &response); - ret = CheckOcspResponse(ocsp, response, ret, responseBuffer, - status, entry, NULL, heap); - XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL); - break; - case SSL_TLSEXT_ERR_NOACK: - ret = OCSP_LOOKUP_FAIL; - break; - case SSL_TLSEXT_ERR_ALERT_FATAL: - default: - WOLFSSL_LEAVE("CheckOcspRequest", ocsp->error); - ret = WOLFSSL_FATAL_ERROR; - break; - } - WOLFSSL_LEAVE("CheckOcspRequest", ret); - return ret; - } -#endif - if (ocsp->cm->ocspUseOverrideURL) { url = ocsp->cm->ocspOverrideURL; if (url != NULL && url[0] != '\0') diff --git a/src/ssl.c b/src/ssl.c index 33ce34a06..503fb1aaa 100644 --- a/src/ssl.c +++ b/src/ssl.c 
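Review bot: The new `ssl == NULL || SSL_CM(ssl) == NULL` test in SendCertificateStatus comes after `ssl->status_request_v2` has already been read in the context line above it (at least under HAVE_CERTIFICATE_STATUS_REQUEST_V2), so a NULL `ssl` is dereferenced before the guard can fire. Moving the check ahead of the `status_type` computation makes it effective; the start of the function is outside the hunk, so the initialiser of `status_type` should be checked for the same pattern. The nested `if (ssl->status_request == WOLFSSL_CSR_OCSP)` could be folded into the outer condition to avoid the two-level test.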
@@ -17371,6 +17371,7 @@ long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, if (s == NULL) return WOLFSSL_FAILURE; + XFREE(s->ocspResp, NULL, 0); s->ocspResp = resp; s->ocspRespSz = len; diff --git a/src/tls.c b/src/tls.c index c035092d1..13147686f 100644 --- a/src/tls.c +++ b/src/tls.c @@ -3238,6 +3238,15 @@ word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest, #endif #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) { +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(OPENSSL_EXTRA) + if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL && + SSL_CM(csr->ssl)->ocsp_stapling != NULL && + SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL && + idx == 0) { + return OPAQUE8_LEN + OPAQUE24_LEN + csr->ssl->ocspRespSz; + } +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA */ return (word16)(OPAQUE8_LEN + OPAQUE24_LEN + csr->responses[idx].length); } 
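Review bot: `XFREE(s->ocspResp, NULL, 0);` runs before `s->ocspResp = resp;`, so a caller that passes the buffer that is already installed leaves the session pointing at freed memory, which is later sent and freed again in FreeHandshakeResources or wolfSSL_ResourceFree. Guarding the free avoids that: `if (s->ocspResp != resp) XFREE(s->ocspResp, NULL, 0);`. The length is stored unchecked as well; rejecting a negative `len` here would keep every later consumer of `ocspRespSz` simple. Since the library now frees this buffer with a NULL heap hint, a comment stating that ownership passes to the session and that the buffer must come from the matching allocator is worth adding. The function body extends beyond the hunk.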
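Review bot: The status-callback branch of TLSX_CSR_GetSize_ex returns `OPAQUE8_LEN + OPAQUE24_LEN + csr->ssl->ocspRespSz` from a function whose return type is word16, with no range check, while TLSX_CSR_WriteWithStatusCB in the following hunk copies the full `respSz` bytes. If the callback installs a response larger than 0xFFFF minus the four header bytes, the reported size wraps and no longer matches what is written; whether the output buffer is sized from this value is outside the hunk and should be confirmed. Bounding the size where the response is accepted, for example in TLSX_CSR_SetResponseWithStatusCB with `if (ssl->ocspRespSz < 0 || ssl->ocspRespSz > WOLFSSL_MAX_16BIT - OPAQUE8_LEN - OPAQUE24_LEN) return BUFFER_ERROR;`, keeps the two in step. The `csr->ssl != NULL` test is also dead, because `csr->ssl->version` is read on the enclosing `if`.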
@@ -3247,6 +3256,71 @@ word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest, return size; } +#if (defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)) && \ +(defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ +defined(OPENSSL_EXTRA)) +static int TLSX_CSR_SetResponseWithStatusCB(WOLFSSL *ssl) +{ + void *ioCtx = NULL; + WOLFSSL_OCSP *ocsp; + int ret; + + if (ssl == NULL || SSL_CM(ssl) == NULL) + return BAD_FUNC_ARG; + ocsp = SSL_CM(ssl)->ocsp_stapling; + if (ocsp == NULL || ocsp->statusCb == NULL) + return BAD_FUNC_ARG; + ioCtx = (ssl->ocspIOCtx != NULL) ? ssl->ocspIOCtx : ocsp->cm->ocspIOCtx; + ret = ocsp->statusCb(ssl, ioCtx); + switch (ret) { + case SSL_TLSEXT_ERR_OK: + if (ssl->ocspRespSz > 0) { + /* ack the extension, status cb provided the response in + * ssl->ocspResp */ + TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST); + ssl->status_request = WOLFSSL_CSR_OCSP; + } + ret = 0; + break; + case SSL_TLSEXT_ERR_NOACK: + /* suppressing as not critical */ + ret = 0; + break; + case SSL_TLSEXT_ERR_ALERT_FATAL: + default: + ret = WOLFSSL_FATAL_ERROR; + break; + } + return ret; +} + +static int TLSX_CSR_WriteWithStatusCB(CertificateStatusRequest* csr, + byte* output) +{ + WOLFSSL *ssl = csr->ssl; + WOLFSSL_OCSP *ocsp; + word16 offset = 0; + byte *response; + int respSz; + + if (ssl == NULL || SSL_CM(ssl) == NULL) + return BAD_FUNC_ARG; + ocsp = SSL_CM(ssl)->ocsp_stapling; + if (ocsp == NULL || ocsp->statusCb == NULL) + return BAD_FUNC_ARG; + response = ssl->ocspResp; + respSz = ssl->ocspRespSz; + if (response == NULL || respSz == 0) + return BAD_FUNC_ARG; + output[offset++] = WOLFSSL_CSR_OCSP; + c32to24(respSz, output + offset); + offset += OPAQUE24_LEN; + XMEMCPY(output + offset, response, respSz); + return offset + respSz; +} +#endif /* (TLS13 && !NO_WOLFSLL_SERVER) && (OPENSSL_ALL || WOLFSSL_NGINX || +WOLFSSL_HAPROXY || OPENSSL_EXTRA) */ + static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) { 
return TLSX_CSR_GetSize_ex(csr, isRequest, 0); @@ -3299,6 +3373,16 @@ int TLSX_CSR_Write_ex(CertificateStatusRequest* csr, byte* output, #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) { word16 offset = 0; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(OPENSSL_EXTRA) + if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL && + SSL_CM(csr->ssl)->ocsp_stapling != NULL && + SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL && + idx == 0) { + return TLSX_CSR_WriteWithStatusCB(csr, output); + } +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || +defined(OPENSSL_EXTRA) */ output[offset++] = csr->status_type; c32to24(csr->responses[idx].length, output + offset); offset += OPAQUE24_LEN; @@ -3574,7 +3658,24 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length, #if defined(WOLFSSL_TLS13) if (ssl->options.tls1_3) { - +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) + if (ssl != NULL && SSL_CM(ssl) != NULL && + SSL_CM(ssl)->ocsp_stapling != NULL && + SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { + return TLSX_CSR_SetResponseWithStatusCB(ssl); +} +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || \ + defined(OPENSSL_EXTRA) */ +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(OPENSSL_EXTRA) + if (ssl != NULL && SSL_CM(ssl) != NULL && + SSL_CM(ssl)->ocsp_stapling != NULL && + SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { + return TLSX_CSR_SetResponseWithStatusCB(ssl); + } +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || +defined(OPENSSL_EXTRA) */ if (ssl->buffers.certificate == NULL) { WOLFSSL_MSG("Certificate buffer not set!"); return BUFFER_ERROR; 
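Review bot: TLSX_CSR_SetResponseWithStatusCB acknowledges the extension when `ssl->ocspRespSz > 0` without looking at `ssl->ocspResp`, while TLSX_CSR_WriteWithStatusCB returns BAD_FUNC_ARG when that pointer is NULL, so an extension that was acked can fail later at write time. Testing both at the ack keeps the two helpers consistent: `if (ssl->ocspResp != NULL && ssl->ocspRespSz > 0) {`. In the writer, `respSz == 0` lets a negative size through to `c32to24` and `XMEMCPY`; `respSz <= 0` rejects it. The closing `#endif` comment spells the macro `NO_WOLFSLL_SERVER`.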
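Review bot: The TLSX_CSR_Parse hunk adds the same status-callback block twice under equivalent preprocessor conditions; the first copy has a mis-indented closing brace and the second can never be reached when the first is compiled in. Keeping only one copy (the second is the correctly formatted one) is enough. The `ssl != NULL` term in the condition comes after `ssl->options.tls1_3` has been read, so it can be dropped or the check moved earlier. The enclosing function starts and ends outside the hunk.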
@@ -4071,6 +4172,15 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, const byte* input, word16 length, continue; } +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(OPENSSL_EXTRA) + /* OpenSSL status CB supports only CERTIFICATE STATUS REQ V1 */ + if (ssl != NULL && SSL_CM(ssl) != NULL && + SSL_CM(ssl)->ocsp_stapling != NULL && + SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { + return 0; + } +#endif /* if using status_request and already sending it, remove it * and prefer to use the v2 version */ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST From f526679ad59389feded1c9071832629170013f08 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Fri, 31 Jan 2025 18:01:55 +0000 Subject: [PATCH 03/22] ocsp: refactor OCSP response decoding and wolfSSL_OCSP_basic_verify - Search certificate based on responderId - Verify response signer is authorized for all single responses - Align with OpenSSL behavior - Separate wolfSSL_OCSP_basic_verify from verification done during decoding --- src/internal.c | 4 +- src/ocsp.c | 191 ++++++++++++++++++-------- tests/api.c | 6 +- wolfcrypt/src/asn.c | 290 ++++++++++++++++++++++++++++------------ wolfssl/wolfcrypt/asn.h | 27 +++- 5 files changed, 369 insertions(+), 149 deletions(-) diff --git a/src/internal.c b/src/internal.c index b95d97e04..630c634ab 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13876,7 +13876,7 @@ static int ProcessCSR_ex(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* InitOcspResponse sets single and status to response struct. */ InitOcspResponse(response, single, status, input +*inOutIdx, status_length, ssl->heap); - if (OcspResponseDecode(response, SSL_CM(ssl), ssl->heap, 0) != 0) + if (OcspResponseDecode(response, SSL_CM(ssl), ssl->heap, 0, 0) != 0) ret = BAD_CERTIFICATE_STATUS_ERROR; else if (CompareOcspReqResp(request, response) != 0) ret = BAD_CERTIFICATE_STATUS_ERROR; 
@@ -16982,7 +16982,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, status_length, ssl->heap); response->pendingCAs = pendingCAs; if ((OcspResponseDecode(response, SSL_CM(ssl), ssl->heap, - 0) != 0) + 0, 0) != 0) || (response->responseStatus != OCSP_SUCCESSFUL) || (response->single->status->status != CERT_GOOD)) ret = BAD_CERTIFICATE_STATUS_ERROR; diff --git a/src/ocsp.c b/src/ocsp.c index 1287a0048..0b94de353 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -333,7 +333,7 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz, ocspResponse->pendingCAs = TLSX_CSR2_GetPendingSigners(((WOLFSSL*)ocspRequest->ssl)->extensions); } #endif - ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0); + ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0, 0); if (ret != 0) { ocsp->error = ret; WOLFSSL_LEAVE("OcspResponseDecode failed", ocsp->error); @@ -631,9 +631,6 @@ int CheckOcspResponder(OcspResponse *bs, DecodedCert *cert, void* vp) if (!passed) { WOLFSSL_MSG("\tOCSP Responder not authorized"); -#ifdef OPENSSL_EXTRA - bs->verifyError = OCSP_BAD_ISSUER; -#endif ret = BAD_OCSP_RESPONDER; break; } 
@@ -825,70 +822,156 @@ void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse) wolfSSL_OCSP_RESPONSE_free(basicResponse); } -/* Signature verified in DecodeBasicOcspResponse. - * But no store available to verify certificate. */ -int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, - WOLF_STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags) +static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash, + const byte* keyHash) { - int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); -#ifdef WOLFSSL_SMALL_STACK - DecodedCert *cert; -#else - DecodedCert cert[1]; -#endif - byte certInit = 0; - int idx; + if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) + return (XMEMCMP(NameHash, resp->responderId.nameHash, + SIGNER_DIGEST_SIZE) == 0); + else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) + return (XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0); - (void)certs; + return 0; +} - if (flags & WOLFSSL_OCSP_NOVERIFY) - return WOLFSSL_SUCCESS; +static int OcspFindSigner(WOLFSSL_OCSP_BASICRESP *resp, + WOLF_STACK_OF(WOLFSSL_X509) *certs, DecodedCert **signer, int *embedded, + unsigned long flags) +{ + WOLFSSL_X509 *signer_x509 = NULL; + DecodedCert *certDecoded; + int i; -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert *) - XMALLOC(sizeof(*cert), (st && st->cm) ? 
st->cm->heap : NULL, - DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return WOLFSSL_FAILURE; -#endif + certDecoded = (DecodedCert *)XMALLOC(sizeof(*certDecoded), NULL, + DYNAMIC_TYPE_DCERT); + if (certDecoded == NULL) + return MEMORY_E; - if (bs->verifyError != OCSP_VERIFY_ERROR_NONE) - goto out; + for (i = 0; i < wolfSSL_sk_X509_num(certs); i++) { + signer_x509 = wolfSSL_sk_X509_value(certs, i); - if (flags & WOLFSSL_OCSP_TRUSTOTHER) { - for (idx = 0; idx < wolfSSL_sk_X509_num(certs); idx++) { - WOLFSSL_X509* x = wolfSSL_sk_X509_value(certs, idx); - int derSz = 0; - const byte* der = wolfSSL_X509_get_der(x, &derSz); - if (der != NULL && derSz == (int)bs->certSz && - XMEMCMP(bs->cert, der, (size_t)derSz) == 0) { - ret = WOLFSSL_SUCCESS; - goto out; - } + InitDecodedCert(certDecoded, signer_x509->derCert->buffer, + signer_x509->derCert->length, NULL); + if (ParseCertRelative(certDecoded, CERT_TYPE, NO_VERIFY, + NULL, NULL) == 0) { + if (OcspRespIdMatches(resp, certDecoded->subjectHash, + certDecoded->subjectKeyHash)) { + *signer = certDecoded; + *embedded = 0; + return 0; + } + } + FreeDecodedCert(certDecoded); + } + + if (flags & WOLFSSL_OCSP_NOINTERN) { + XFREE(certDecoded, NULL, DYNAMIC_TYPE_DCERT); + return ASN_NO_SIGNER_E; + } + + /* not found in certs, search the cert embedded in the response */ + InitDecodedCert(certDecoded, resp->cert, resp->certSz, NULL); + if (ParseCertRelative(certDecoded, CERT_TYPE, NO_VERIFY, NULL, NULL) == 0) { + if (OcspRespIdMatches(resp, certDecoded->subjectHash, + certDecoded->subjectKeyHash)) { + *signer = certDecoded; + *embedded = 1; + return 0; } } + FreeDecodedCert(certDecoded); - InitDecodedCert(cert, bs->cert, bs->certSz, NULL); - certInit = 1; - if (ParseCertRelative(cert, CERT_TYPE, VERIFY, st->cm, NULL) < 0) - goto out; - - if (!(flags & WOLFSSL_OCSP_NOCHECKS)) { - if (CheckOcspResponder(bs, cert, st->cm) != 0) - goto out; - } - - ret = WOLFSSL_SUCCESS; -out: - if (certInit) - FreeDecodedCert(cert); + XFREE(certDecoded, 
NULL, DYNAMIC_TYPE_DCERT); + return ASN_NO_SIGNER_E; +} +static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert, + WOLFSSL_X509_STORE *st, unsigned long flags) +{ #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, (st && st->cm) ? st->cm->heap : NULL, DYNAMIC_TYPE_DCERT); + DecodedCert *c = NULL; +#else + DecodedCert c[1]; #endif + int ret = -1; + if (st == NULL) + return ASN_OCSP_CONFIRM_E; + +#ifdef WOLFSSL_SMALL_STACK + c = (DecodedCert *)XMALLOC(sizeof(*c), NULL, DYNAMIC_TYPE_DCERT); + if (c == NULL) + return MEMORY_E; +#endif + + InitDecodedCert(c, cert->source, cert->maxIdx, NULL); + if (ParseCertRelative(c, CERT_TYPE, VERIFY, st->cm, NULL) != 0) { + ret = ASN_OCSP_CONFIRM_E; + goto out; + } +#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK + if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) { + ret = CheckOcspResponder(resp, c, st->cm); + } + else { + ret = 0; + } +#else + (void)resp; + (void)flags; + ret = 0; +#endif + +out: + FreeDecodedCert(c); +#ifdef WOLFSSL_SMALL_STACK + XFREE(c, NULL, DYNAMIC_TYPE_DCERT); +#endif return ret; } +/* Signature verified in DecodeBasicOcspResponse. + * But no store available to verify certificate. 
*/ +int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP* bs, + WOLF_STACK_OF(WOLFSSL_X509) * certs, WOLFSSL_X509_STORE* st, + unsigned long flags) +{ + int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); + int embedded; + DecodedCert *cert = NULL; + + ret = OcspFindSigner(bs, certs, &cert, &embedded, flags); + if (ret != 0) { + WOLFSSL_MSG("OCSP no signer found"); + return WOLFSSL_FAILURE; + } + + /* skip certificate verification if cert in certs and TRUST_OTHER is true */ + if (!embedded && (flags & WOLFSSL_OCSP_TRUSTOTHER) != 0) + flags |= WOLFSSL_OCSP_NOVERIFY; + + /* verify response signature */ + ret = ConfirmSignature( + &cert->sigCtx, + bs->response, bs->responseSz, + cert->publicKey, cert->pubKeySize, cert->keyOID, + bs->sig, bs->sigSz, bs->sigOID, bs->sigParams, bs->sigParamsSz, + NULL); + + if (ret != 0) { + WOLFSSL_MSG("OCSP signature verification failed"); + ret = -1; + goto out; + } + + if ((flags & WOLFSSL_OCSP_NOVERIFY) == 0) { + ret = OcspVerifySigner(bs, cert, st, flags); + } + +out: + FreeDecodedCert(cert); + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; +} void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response) { @@ -1025,7 +1108,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, XMEMCPY(resp->source, *data, (size_t)len); resp->maxIdx = (word32)len; - ret = OcspResponseDecode(resp, NULL, NULL, 1); + ret = OcspResponseDecode(resp, NULL, NULL, 1, 1); if (ret != 0 && ret != WC_NO_ERR_TRACE(ASN_OCSP_CONFIRM_E)) { /* for just converting from a DER to an internal structure the CA may * not yet be known to this function for signature verification */ diff --git a/tests/api.c b/tests/api.c index 75c319664..4ffe633a8 100644 --- a/tests/api.c +++ b/tests/api.c 
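Review bot: OcspFindSigner passes `signer_x509->derCert->buffer` to InitDecodedCert without checking the pointer returned by `wolfSSL_sk_X509_value` or its `derCert`, so a stack entry without DER data is dereferenced while searching for the responder. A guard at the top of the loop body avoids that: `if (signer_x509 == NULL || signer_x509->derCert == NULL) continue;`. The fallback to the embedded certificate likewise runs with `resp->cert`/`resp->certSz` unchecked; skipping it when `resp->certSz == 0` would make the "no embedded cert" case explicit rather than relying on the parser to fail. The comment kept above wolfSSL_OCSP_basic_verify ("Signature verified in DecodeBasicOcspResponse. But no store available...") is now stale, since the function confirms the signature itself and verifies the signer against `st`; I would replace it with a description of the flags it honours (NOINTERN, TRUSTOTHER, NOVERIFY, NOCHECKS).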
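Review bot: With `OcspResponseDecode(resp, NULL, NULL, 1, 1)` the d2i path performs neither the certificate nor the signature check, so the returned structure is unauthenticated until wolfSSL_OCSP_basic_verify succeeds on it. That contract is not stated anywhere near the call; a comment such as `/* decode only: nothing is verified here, callers must use wolfSSL_OCSP_basic_verify() before trusting the response */` would make it hard to miss. The following tolerance for `ASN_OCSP_CONFIRM_E` and its comment about the CA not being known yet may no longer be reachable with both flags set and should be re-checked. The function body continues outside the hunk.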
@@ -4622,7 +4622,11 @@ static int test_wolfSSL_CheckOCSPResponse(void) wolfSSL_CertManagerFree(cm); } -#if defined(WC_RSA_PSS) +/* FIPS v2 and below don't support long salts. */ +#if defined(WC_RSA_PSS) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2))) && (!defined(HAVE_SELFTEST) || \ + (defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION > 2))) { const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 08e11630e..162979275 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -16822,7 +16822,7 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, #endif /* !NO_ASN_CRYPT && !NO_HASH_WRAPPER */ /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */ -static int ConfirmSignature(SignatureCtx* sigCtx, +int ConfirmSignature(SignatureCtx* sigCtx, const byte* buf, word32 bufSz, const byte* key, word32 keySz, word32 keyOID, const byte* sig, word32 sigSz, word32 sigOID, @@ -23634,6 +23634,19 @@ int wc_CertGetPubKey(const byte* cert, word32 certSz, return ret; } #endif +#ifdef HAVE_OCSP +Signer* findSignerByKeyHash(Signer *list, byte *hash) +{ + Signer *s; + for (s = list; s != NULL; s = s->next) { + if (XMEMCMP(s->subjectKeyHash, hash, KEYID_SIZE) == 0) { + return s; + } + } + return NULL; +} +#endif /* WOLFSSL_OCSP */ + Signer* findSignerByName(Signer *list, byte *hash) { Signer *s; @@ -36864,7 +36877,8 @@ static const ASNItem ocspRespDataASN[] = { /* byName */ /* BYNAME */ { 1, ASN_CONTEXT_SPECIFIC | 1, 1, 0, 2 }, /* byKey */ -/* BYKEY */ { 1, ASN_CONTEXT_SPECIFIC | 2, 1, 0, 2 }, +/* BYKEY */ { 1, ASN_CONTEXT_SPECIFIC | 2, 1, 1, 2 }, +/* BYKEY_OCT */ { 2, ASN_OCTET_STRING, 0, 0, 0 }, /* producedAt */ /* PA */ { 1, ASN_GENERALIZED_TIME, 0, 0, 0, }, /* responses */ 
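Review bot: findSignerByKeyHash is opened with `#ifdef HAVE_OCSP` but closed with `#endif /* WOLFSSL_OCSP */`, and its prototype in the asn.h hunk is declared without any guard, so the three places disagree on when the function exists. Using `#endif /* HAVE_OCSP */` and wrapping the prototype in the same condition keeps them aligned. Since the function only reads through both pointers, `const byte *hash` would document that, and a one-line comment stating that it returns the first signer whose `subjectKeyHash` matches, or NULL, would match what the code does.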
@@ -36878,6 +36892,7 @@ enum { OCSPRESPDATAASN_IDX_VER, OCSPRESPDATAASN_IDX_BYNAME, OCSPRESPDATAASN_IDX_BYKEY, + OCSPRESPDATAASN_IDX_BYKEY_OCT, OCSPRESPDATAASN_IDX_PA, OCSPRESPDATAASN_IDX_RESP, OCSPRESPDATAASN_IDX_RESPEXT, @@ -36988,6 +37003,7 @@ static int DecodeResponseData(byte* source, word32* ioIndex, int ret = 0; byte version; word32 dateSz = 0; + word32 responderByKeySz = KEYID_SIZE; word32 idx = *ioIndex; OcspEntry* single = NULL; @@ -37006,6 +37022,8 @@ static int DecodeResponseData(byte* source, word32* ioIndex, GetASN_Int8Bit(&dataASN[OCSPRESPDATAASN_IDX_VER], &version); GetASN_Buffer(&dataASN[OCSPRESPDATAASN_IDX_PA], resp->producedDate, &dateSz); + GetASN_Buffer(&dataASN[OCSPRESPDATAASN_IDX_BYKEY_OCT], + resp->responderId.keyHash, &responderByKeySz); /* Decode the ResponseData. */ ret = GetASN_Items(ocspRespDataASN, dataASN, ocspRespDataASN_Length, 1, source, ioIndex, size); @@ -37023,7 +37041,22 @@ static int DecodeResponseData(byte* source, word32* ioIndex, } } if (ret == 0) { - /* TODO: use byName/byKey fields. */ + if (dataASN[OCSPRESPDATAASN_IDX_BYNAME].tag != 0) { + resp->responderIdType = OCSP_RESPONDER_ID_NAME; + ret = CalcHashId_ex( + dataASN[OCSPRESPDATAASN_IDX_BYNAME].data.ref.data, + dataASN[OCSPRESPDATAASN_IDX_BYNAME].data.ref.length, + resp->responderId.nameHash, WC_SHA); + } else { + resp->responderIdType = OCSP_RESPONDER_ID_KEY; + if (dataASN[OCSPRESPDATAASN_IDX_BYKEY_OCT].length != KEYID_SIZE) { + ret = ASN_PARSE_E; + } else { + resp->responderIdType = OCSP_RESPONDER_ID_KEY; + } + } + } + if (ret == 0) { /* Store size of response. */ resp->responseSz = *ioIndex - idx; /* Store date format/tag. */ 
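Review bot: In the byKey branch of the last DecodeResponseData hunk, `resp->responderIdType = OCSP_RESPONDER_ID_KEY` is assigned before the length test and again in its `else`, so the type stays set to KEY even when the function is about to return ASN_PARSE_E. Assigning it only on success is shorter and leaves the type at its initial value on a malformed ID: `if (dataASN[OCSPRESPDATAASN_IDX_BYKEY_OCT].length != KEYID_SIZE) ret = ASN_PARSE_E; else resp->responderIdType = OCSP_RESPONDER_ID_KEY;`. The return value of CalcHashId_ex in the byName branch is correctly propagated through `ret`. The function continues outside the hunk.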
@@ -37166,8 +37199,133 @@ enum { #define ocspBasicRespASN_Length (sizeof(ocspBasicRespASN) / sizeof(ASNItem)) #endif /* WOLFSSL_ASN_TEMPLATE */ +static int OcspRespIdMatch(OcspResponse *resp, const byte *NameHash, + const byte *keyHash) +{ + if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) + return XMEMCMP(NameHash, resp->responderId.nameHash, + SIGNER_DIGEST_SIZE) == 0; + return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0; +} + +#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK +static int OcspRespCheck(OcspResponse *resp, Signer *responder) +{ + OcspEntry *s; + + s = resp->single; + if (s == NULL) + return -1; + + /* singles responses must have the same issuer */ + for (; s != NULL; s = s->next) { + if (XMEMCMP(s->issuerKeyHash, responder->subjectKeyHash, + KEYID_SIZE) != 0) + return -1; + } + + return 0; +} +#endif + +static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm) +{ + Signer *s; + + if (cm == NULL) + return NULL; + + if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) { +#ifndef NO_SKID + s = GetCAByName(cm, resp->responderId.nameHash); +#else + s = GetCA(cm, resp->responderId.nameHash); +#endif + if (s) + return s; + } + else { + s = GetCAByKeyHash(cm, resp->responderId.keyHash); + if (s) + return s; + } +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + if (resp->pendingCAs == NULL) + return NULL; + + if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) { + s = findSignerByName(resp->pendingCAs, resp->responderId.nameHash); + if (s) + return s; + } + else { + s = findSignerByKeyHash(resp->pendingCAs, resp->responderId.keyHash); + if (s) + return s; + } +#endif + return NULL; +} + +static int OcspCheckCert(OcspResponse *resp, int noVerify, + int noVerifySignature, WOLFSSL_CERT_MANAGER *cm, void *heap) +{ + int ret = 0; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return MEMORY_E; +#else + DecodedCert cert[1]; +#endif + + 
InitDecodedCert(cert, resp->cert, resp->certSz, heap); + ret = ParseCertRelative(cert, CERT_TYPE, + noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, + cm, resp->pendingCAs); + if (ret < 0) { + WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); + } + + if (ret == 0 && OcspRespIdMatch(resp, cert->subjectHash, cert->subjectKeyHash) == 0) { + WOLFSSL_MSG("\tInternal check doesn't match responder ID, ignoring\n"); + ret = BAD_OCSP_RESPONDER; + goto out; + } + +#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK + if (ret == 0 && !noVerify) { + ret = CheckOcspResponder(resp, cert, cm); + if (ret < 0) { + WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed"); + goto out; + } + } +#endif /* WOLFSSL_NO_OCSP_ISSUER_CHECK */ + if (ret == 0 && !noVerifySignature) { + ret = ConfirmSignature( + &cert->sigCtx, + resp->response, resp->responseSz, + cert->publicKey, cert->pubKeySize, cert->keyOID, + resp->sig, resp->sigSz, resp->sigOID, resp->sigParams, + resp->sigParamsSz, NULL); + } +out: + FreeDecodedCert(cert); + +#ifdef WOLFSSL_SMALL_STACK + if (cert != NULL) { + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } +#endif + + return ret; +} + static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, - OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify) + OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify, + int noVerifySignature) { #ifndef WOLFSSL_ASN_TEMPLATE int length; @@ -37267,12 +37425,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, } else { WOLFSSL_MSG("\tOCSP Responder key usage check failed"); - #ifdef OPENSSL_EXTRA - resp->verifyError = OCSP_BAD_ISSUER; - #else ret = BAD_OCSP_RESPONDER; break; - #endif } } #endif 
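Review bot: OcspRespIdMatch in asn.c compares the key hash for every `responderIdType` other than NAME, including `OCSP_RESPONDER_ID_INVALID`, whereas OcspRespIdMatches added to src/ocsp.c in the same commit returns 0 for anything that is not NAME or KEY. A response whose responder ID was never set would therefore be matched against whatever `responderId.keyHash` holds; making the KEY case explicit and returning 0 otherwise brings the two copies into agreement, and sharing one helper would avoid the drift. OcspCheckCert also allocates and frees its DecodedCert with a NULL heap hint although it receives `heap`, and the `if (cert != NULL)` before XFREE is redundant after the early return on allocation failure. Two unrelated static functions are now both named OcspFindSigner (here and in src/ocsp.c) with different signatures, which makes searching the tree harder.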
@@ -37341,8 +37495,6 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, DECL_ASNGETDATA(dataASN, ocspBasicRespASN_Length); int ret = 0; word32 idx = *ioIndex; - const byte* sigParams = NULL; - word32 sigParamsSz = 0; #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; @@ -37375,10 +37527,10 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, } #ifdef WC_RSA_PSS if (ret == 0 && (dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS].tag != 0)) { - sigParams = GetASNItem_Addr( + resp->sigParams = GetASNItem_Addr( dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], source); - sigParamsSz = + resp->sigParamsSz = GetASNItem_Length(dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], source); } @@ -37389,6 +37541,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, GetASN_GetRef(&dataASN[OCSPBASICRESPASN_IDX_SIGNATURE], &resp->sig, &resp->sigSz); } + resp->certSz = 0; #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS if ((ret == 0) && (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data != NULL)) { 
@@ -37396,90 +37549,49 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Store reference to certificate BER data. */ GetASN_GetRef(&dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ], &resp->cert, &resp->certSz); - - /* Allocate a certificate object to decode cert into. */ - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) { - ret = MEMORY_E; - } } - if ((ret == 0) && - (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data != NULL)) { - #endif - /* Initialize the certificate object. */ - InitDecodedCert(cert, resp->cert, resp->certSz, heap); - certInit = 1; - /* Parse the certificate and don't verify if we don't have access to - * Cert Manager. */ - ret = ParseCertRelative(cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY, - cm, resp->pendingCAs); - if (ret < 0) { - WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); + + if ((ret == 0) && resp->certSz > 0) { + ret = OcspCheckCert(resp, noVerify, noVerifySignature, + (WOLFSSL_CERT_MANAGER*)cm, heap); + if (ret == 0) { + goto out; } + ret = 0; /* try to verify the OCSP response with CA certs */ + } +#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ + /* try to verify using cm certs */ + if (ret == 0 && !noVerifySignature) + { + ca = OcspFindSigner(resp, (WOLFSSL_CERT_MANAGER*)cm); + if (ca == NULL) + ret = ASN_NO_SIGNER_E; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK - if ((ret == 0) && - (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data != NULL) && - !noVerify) { - ret = CheckOcspResponder(resp, cert, cm); - } -#endif /* WOLFSSL_NO_OCSP_ISSUER_CHECK */ - if ((ret == 0) && - (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data != NULL)) { - /* TODO: ConfirmSignature is blocking here */ - /* Check the signature of the response. 
*/ - ret = ConfirmSignature(&cert->sigCtx, resp->response, resp->responseSz, - cert->publicKey, cert->pubKeySize, cert->keyOID, resp->sig, - resp->sigSz, resp->sigOID, NULL, 0, NULL); - if (ret != 0) { - WOLFSSL_MSG("\tOCSP Confirm signature failed"); - ret = ASN_OCSP_CONFIRM_E; + if (ret == 0 && !noVerifySignature) { + if (OcspRespCheck(resp, ca) != 0) { + ret = BAD_OCSP_RESPONDER; } } - if ((ret == 0) && - (dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ].data.ref.data == NULL)) -#else - if (ret == 0) -#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ - { - Signer* ca; +#endif + if (ret == 0 && !noVerifySignature) { int sigValid = -1; + SignatureCtx sigCtx; + /* Initialize he signature context. */ + InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); - /* Response didn't have a certificate - lookup CA. */ - #ifndef NO_SKID - ca = GetCAByKeyHash(cm, resp->single->issuerKeyHash); - #else - ca = GetCA(cm, resp->single->issuerHash); - #endif - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - if (ca == NULL && resp->pendingCAs != NULL) { - ca = findSignerByName(resp->pendingCAs, resp->single->issuerHash); - } - #endif - - if (ca) { - SignatureCtx sigCtx; - - /* Initialize he signature context. */ - InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); - - /* TODO: ConfirmSignature is blocking here */ - /* Check the signature of the response CA public key. */ - sigValid = ConfirmSignature(&sigCtx, resp->response, - resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, - NULL); - } - if ((ca == NULL) || (sigValid != 0)) { - /* Didn't find certificate or signature verificate failed. */ + /* TODO: ConfirmSignature is blocking here */ + /* Check the signature of the response CA public key. 
*/ + sigValid = ConfirmSignature(&sigCtx, resp->response, + resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, + resp->sig, resp->sigSz, resp->sigOID, resp->sigParams, + resp->sigParamsSz, NULL); + if (sigValid != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); ret = ASN_OCSP_CONFIRM_E; } } - +out: if (ret == 0) { /* Update the position to after response data. */ *ioIndex = idx; @@ -37518,6 +37630,9 @@ void InitOcspResponse(OcspResponse* resp, OcspEntry* single, CertStatus* status, resp->maxIdx = inSz; resp->heap = heap; resp->pendingCAs = NULL; + resp->sigParams = NULL; + resp->sigParamsSz = 0; + resp->responderIdType = OCSP_RESPONDER_ID_INVALID; } void FreeOcspResponse(OcspResponse* resp) @@ -37571,7 +37686,8 @@ enum { #define ocspResponseASN_Length (sizeof(ocspResponseASN) / sizeof(ASNItem)) #endif /* WOLFSSL_ASN_TEMPLATE */ -int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify) +int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, + int noVerifyCert, int noVerifySignature) { #ifndef WOLFSSL_ASN_TEMPLATE int ret; @@ -37640,7 +37756,7 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify) return ret; } - ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify); + ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify, 0); if (ret < 0) { WOLFSSL_LEAVE("OcspResponseDecode", ret); return ret; @@ -37680,7 +37796,7 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify) idx = 0; /* Decode BasicOCSPResponse. */ ret = DecodeBasicOcspResponse(basic, &idx, resp, basicSz, cm, heap, - noVerify); + noVerifyCert, noVerifySignature); } /* Only support BasicOCSPResponse. */ else { diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 8d4e92092..3e9387e69 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
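Review bot: After OcspCheckCert fails, `ret = 0;` discards every error it can return, including MEMORY_E, and when `noVerifySignature` is non-zero nothing further runs, so DecodeBasicOcspResponse reports success for a response whose embedded responder certificate was rejected. For the decode-only caller that may be intended, but it should be stated in a comment, and resource errors should not be turned into a fallback: `if (ret == 0 || ret == MEMORY_E) goto out;`. When the fallback to the certificate manager also fails, the caller only sees ASN_NO_SIGNER_E and loses the original reason; logging the first error before resetting it would help diagnosis. The comment "Initialize he signature context" carries a typo forward, and the declaration of `ca` is not visible in the hunk now that the block-local `Signer* ca;` is removed, so that is worth confirming.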
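Review bot: The call changed in the @@ -37640 hunk still passes `noVerify`, but the @@ -37571 hunk renames that parameter of OcspResponseDecode to `noVerifyCert`; unless another declaration exists outside the hunk, this branch (apparently the non-template decoder) does not compile at this commit. It also hard-codes `0` for the new argument, so the caller's `noVerifySignature` is ignored on this path. Passing both parameters through keeps the two decoders equivalent: `ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerifyCert, noVerifySignature);`. A later patch in the series may adjust this code, but its hunks are not in view here.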
@@ -2352,7 +2352,12 @@ WOLFSSL_LOCAL int CheckCertSignaturePubKey(const byte* cert, word32 certSz, WOLFSSL_LOCAL int wc_CertGetPubKey(const byte* cert, word32 certSz, const unsigned char** pubKey, word32* pubKeySz); #endif - +WOLFSSL_LOCAL int ConfirmSignature(SignatureCtx* sigCtx, + const byte* buf, word32 bufSz, + const byte* key, word32 keySz, word32 keyOID, + const byte* sig, word32 sigSz, word32 sigOID, + const byte* sigParams, word32 sigParamsSz, + byte* rsaKeyIdx); #ifdef WOLFSSL_CERT_REQ WOLFSSL_LOCAL int CheckCSRSignaturePubKey(const byte* cert, word32 certSz, void* heap, const byte* pubKey, word32 pubKeySz, int pubKeyOID); @@ -2369,6 +2374,7 @@ WOLFSSL_LOCAL int TryDecodeRPKToKey(DecodedCert* cert); WOLFSSL_LOCAL int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate); WOLFSSL_LOCAL const byte* OidFromId(word32 id, word32 type, word32* oidSz); +WOLFSSL_LOCAL Signer* findSignerByKeyHash(Signer *list, byte *hash); WOLFSSL_LOCAL Signer* findSignerByName(Signer *list, byte *hash); WOLFSSL_LOCAL int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der); WOLFSSL_LOCAL Signer* MakeSigner(void* heap); @@ -2726,6 +2732,11 @@ struct OcspEntry WC_BITFIELD used:1; /* entry used */ }; +enum responderIdType { + OCSP_RESPONDER_ID_INVALID = 0, + OCSP_RESPONDER_ID_NAME = 1, + OCSP_RESPONDER_ID_KEY = 2, +}; /* TODO: Long-term, it would be helpful if we made this struct and other OCSP structs conform to the ASN spec as described in RFC 6960. It will help with readability and with implementing OpenSSL compatibility API @@ -2737,6 +2748,12 @@ struct OcspResponse { byte* response; /* Pointer to beginning of OCSP Response */ word32 responseSz; /* length of the OCSP Response */ + enum responderIdType responderIdType; + union { + byte keyHash[KEYID_SIZE]; + byte nameHash[KEYID_SIZE]; + } responderId ; + byte producedDate[MAX_DATE_SIZE]; /* Date at which this response was signed */ byte producedDateFormat; /* format of the producedDate */ 
@@ -2748,6 +2765,9 @@ struct OcspResponse { word32 sigSz; /* Length in octets for the sig */ word32 sigOID; /* OID for hash used for sig */ + byte* sigParams; + word32 sigParamsSz; + OcspEntry* single; /* chain of OCSP single responses */ byte* nonce; /* pointer to nonce inside ASN.1 response */ @@ -2756,9 +2776,6 @@ struct OcspResponse { byte* source; /* pointer to source buffer, not owned */ word32 maxIdx; /* max offset based on init size */ Signer* pendingCAs; -#ifdef OPENSSL_EXTRA - int verifyError; -#endif void* heap; }; @@ -2788,7 +2805,7 @@ WOLFSSL_LOCAL void InitOcspResponse(OcspResponse* resp, OcspEntry* single, CertStatus* status, byte* source, word32 inSz, void* heap); WOLFSSL_LOCAL void FreeOcspResponse(OcspResponse* resp); WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, - int noVerify); + int noVerifyCert, int noVerifySignature); WOLFSSL_LOCAL int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, void* heap); From b7f08b81a6b189f03416a2fae3ab3cd2207e64d0 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Fri, 31 Jan 2025 23:34:52 +0000 Subject: [PATCH 04/22] ocsp: adapt ASN original to new OCSP response refactor --- wolfcrypt/src/asn.c | 185 +++++++++++++++----------------------------- 1 file changed, 63 insertions(+), 122 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 162979275..e5887243a 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
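Review bot: The new `sigParams` and `sigParamsSz` members of `struct OcspResponse` carry no comment, unlike the neighbouring `sigSz` and `sigOID` fields. In the non-template decoder later in this series they are assigned from `source + idx`, so they appear to be a borrowed view into the response buffer rather than an allocation. I would say so at the declaration, e.g. `byte* sigParams; /* RSA-PSS params inside source, not owned */` and `word32 sigParamsSz; /* length of sigParams in octets */`, so that nobody frees them or keeps them past the buffer's lifetime. The struct begins and ends outside the hunk.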
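Review bot: The `OcspResponseDecode` prototype now takes two independent switches, `noVerifyCert` and `noVerifySignature`, and nothing at the declaration says what each one turns off. From the decoder hunks in this series, a non-zero `noVerifySignature` skips the `ConfirmSignature` call, so the decoded response is unauthenticated unless it is verified again later. A short comment above the declaration should state that, and that a caller passing `noVerifySignature != 0` must verify the response before trusting any certificate status taken from it.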
@@ -36937,16 +36937,40 @@ static int DecodeResponseData(byte* source, word32* ioIndex, version = 0; localIdx = idx; - if (GetASNTag(source, &localIdx, &tag, size) == 0 && - ( tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1) || - tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2) )) + if (GetASNTag(source, &localIdx, &tag, size) != 0) + return ASN_PARSE_E; + + resp->responderIdType = OCSP_RESPONDER_ID_INVALID; + /* parse byName */ + if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) { idx++; /* advance past ASN tag */ if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; + /* compute the hash of the name */ + resp->responderIdType = OCSP_RESPONDER_ID_NAME; + ret = CalcHashId_ex(source + idx, length, + resp->responderId.nameHash, WC_SHA); + if (ret != 0) + return ret; idx += length; } - else + else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)) + { + idx++; /* advance past ASN tag */ + if (GetLength(source, &idx, &length, size) < 0) + return ASN_PARSE_E; + + if (GetOctetString(source, &idx, &length, size) < 0) + return ASN_PARSE_E; + + if (length != KEYID_SIZE) + return ASN_PARSE_E; + resp->responderIdType = OCSP_RESPONDER_ID_KEY; + XMEMCPY(resp->responderId.keyHash, source + idx, length); + idx += length; + } + if (resp->responderIdType == OCSP_RESPONDER_ID_INVALID) return ASN_PARSE_E; /* save pointer to the producedAt time */ @@ -37335,8 +37359,6 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #endif int ret; int sigLength; - const byte* sigParams = NULL; - word32 sigParamsSz = 0; WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; 
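Review bot: In the byKey branch the length that `GetLength` returns for the `[2]` wrapper is overwritten by `GetOctetString`, so nothing checks that the OCTET STRING fills the wrapper exactly; any bytes left inside it are then read as the start of the next field. Consider recording the wrapper end right after `GetLength` (`word32 ridEnd = idx + (word32)length;`) and returning `ASN_PARSE_E` when `idx != ridEnd` after the copy. Separately, the byName hash is computed with `WC_SHA` into a `KEYID_SIZE` buffer; if any build defines `KEYID_SIZE` differently from the SHA-1 digest size, the later comparison should be confirmed to use the matching length. `DecodeResponseData` starts and ends outside the hunk.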
@@ -37360,16 +37382,16 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, else if (resp->sigOID == CTC_RSASSAPSS) { word32 sz; int len; - const byte* params; + byte* params; sz = idx; params = source + idx; if (GetSequence(source, &idx, &len, size) < 0) - ret = ASN_PARSE_E; + return ASN_PARSE_E; if (ret == 0) { idx += len; - sigParams = params; - sigParamsSz = idx - sz; + resp->sigParams = params; + resp->sigParamsSz = idx - sz; } } #endif 
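Review bot: With the `GetSequence` failure now returning directly, the `if (ret == 0)` guard that follows no longer tests anything set in this branch; it depends on whatever `ret` held before, which is assigned outside the hunk. Dropping the guard and running `idx += len; resp->sigParams = params; resp->sigParamsSz = idx - sz;` unconditionally would say what the code means. The switch from `const byte* params` to `byte* params` also gives up const on a view into the input buffer; declaring the struct member as `const byte* sigParams` would keep it, assuming nothing writes through that pointer.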
@@ -37389,103 +37411,40 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS if (idx < end_index) { - int cert_inited = 0; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert *cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; -#else - DecodedCert cert[1]; -#endif + if (DecodeCerts(source, &idx, resp, size) < 0) + return ASN_PARSE_E; - do { - if (DecodeCerts(source, &idx, resp, size) < 0) { - ret = ASN_PARSE_E; - break; - } - - InitDecodedCert(cert, resp->cert, resp->certSz, heap); - cert_inited = 1; - - /* Don't verify if we don't have access to Cert Manager. */ - ret = ParseCertRelative(cert, CERT_TYPE, - noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, - cm, resp->pendingCAs); - if (ret < 0) { - WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); - break; - } - -#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK - if ((cert->extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) { - if (XMEMCMP(cert->subjectHash, - resp->single->issuerHash, OCSP_DIGEST_SIZE) == 0) { - WOLFSSL_MSG("\tOCSP Response signed by issuer"); - } - else { - WOLFSSL_MSG("\tOCSP Responder key usage check failed"); - ret = BAD_OCSP_RESPONDER; - break; - } - } -#endif - - /* ConfirmSignature is blocking here */ - ret = ConfirmSignature( - &cert->sigCtx, - resp->response, resp->responseSz, - cert->publicKey, cert->pubKeySize, cert->keyOID, - resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, - NULL); - - if (ret != 0) { - WOLFSSL_MSG("\tOCSP Confirm signature failed"); - ret = ASN_OCSP_CONFIRM_E; - break; - } - } while(0); - - if (cert_inited) - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - if (ret != 0) - return ret; - } - else -#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ - { - Signer* ca; - int sigValid = -1; - - #ifndef NO_SKID - ca = GetCAByKeyHash(cm, resp->single->issuerKeyHash); - #else - ca = GetCA(cm, 
resp->single->issuerHash); - #endif -#if defined(HAVE_CERTIFICATE_STATUS_V2) - if (ca == NULL && resp->pendingCAs != NULL) { - ca = findSignerByName(resp->pendingCAs, resp->single->issuerHash); - } -#endif - if (ca) { - SignatureCtx sigCtx; - InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); - - /* ConfirmSignature is blocking here */ - sigValid = ConfirmSignature(&sigCtx, resp->response, - resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, - NULL); - } - if (ca == NULL || sigValid != 0) { + ret = OcspCheckCert(resp, noVerify, noVerifySignature, cm, heap); + if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); return ASN_OCSP_CONFIRM_E; } + } + else +#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ + if (!noVerifySignature) { + Signer* ca; + int sigValid = -1; + SignatureCtx sigCtx; + ca = OcspFindSigner(resp, cm); + if (ca == NULL) + return ASN_NO_SIGNER_E; +#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK + if (OcspRespCheck(resp, ca) != 0) + return BAD_OCSP_RESPONDER; +#endif + InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); + + /* ConfirmSignature is blocking here */ + sigValid = ConfirmSignature(&sigCtx, resp->response, + resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, + resp->sig, resp->sigSz, resp->sigOID, resp->sigParams, + resp->sigParamsSz, NULL); + if (sigValid != 0) { + WOLFSSL_MSG("\tOCSP Confirm signature failed"); + return ASN_OCSP_CONFIRM_E; + } (void)noVerify; } @@ -37495,14 +37454,6 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, DECL_ASNGETDATA(dataASN, ocspBasicRespASN_Length); int ret = 0; word32 idx = *ioIndex; -#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif - int certInit = 0; -#endif WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; 
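Review bot: Every non-zero result of `OcspCheckCert` is mapped to `ASN_OCSP_CONFIRM_E` and logged as "OCSP Confirm signature failed", whereas the removed loop returned the original `ret`. Judging by the code it replaces, the helper can presumably fail on allocation, on certificate parsing or on the responder authorization check, and all of those would now be reported as a signature failure, which makes a rejected responder hard to tell from a bad signature in logs and in callers that branch on the code. I would propagate the value with `if (ret != 0) return ret;` and leave the specific message to the helper. `OcspCheckCert` is defined outside this hunk, so its exact return codes are inferred.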
@@ -37597,17 +37548,6 @@ out: *ioIndex = idx; } -#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS - if (certInit) { - FreeDecodedCert(cert); - } - #ifdef WOLFSSL_SMALL_STACK - if (cert != NULL) { - /* Dispose of certificate object. */ - XFREE(cert, heap, DYNAMIC_TYPE_TMP_BUFFER); - } - #endif -#endif FREE_ASNGETDATA(dataASN, heap); return ret; #endif /* WOLFSSL_ASN_TEMPLATE */ @@ -37756,7 +37696,8 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, return ret; } - ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify, 0); + ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, + noVerifyCert, noVerifySignature); if (ret < 0) { WOLFSSL_LEAVE("OcspResponseDecode", ret); return ret; From 3a3238eb9fad3ac0fcd1272e6aa9a89897b560cd Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Sat, 1 Feb 2025 17:23:18 +0000 Subject: [PATCH 05/22] ocsp: refactor wolfSSL_OCSP_response_get1_basic The internal fields of OcspResponse refer to the resp->source buffer. Copying these fields is complex, so it's better to decode the response again. --- src/ocsp.c | 22 ++-------------------- wolfcrypt/src/asn.c | 1 + 2 files changed, 3 insertions(+), 20 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index 0b94de353..fd7dd5863 100644 --- a/src/ocsp.c +++ b/src/ocsp.c 
@@ -1163,27 +1163,9 @@ const char *wolfSSL_OCSP_response_status_str(long s) WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response) { WOLFSSL_OCSP_BASICRESP* bs; + const unsigned char *ptr = response->source; - bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL, - DYNAMIC_TYPE_OCSP_REQUEST); - if (bs == NULL) - return NULL; - - XMEMCPY(bs, response, sizeof(OcspResponse)); - bs->single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), NULL, - DYNAMIC_TYPE_OCSP_ENTRY); - bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (bs->single == NULL || bs->source == NULL) { - XFREE(bs->single, NULL, DYNAMIC_TYPE_OCSP_ENTRY); - bs->single = NULL; - wolfSSL_OCSP_RESPONSE_free(bs); - bs = NULL; - } - else { - XMEMCPY(bs->single, response->single, sizeof(OcspEntry)); - XMEMCPY(bs->source, response->source, response->maxIdx); - bs->single->ownStatus = 0; - } + bs = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, response->maxIdx); return bs; } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e5887243a..619888e52 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37454,6 +37454,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, DECL_ASNGETDATA(dataASN, ocspBasicRespASN_Length); int ret = 0; word32 idx = *ioIndex; + Signer* ca = NULL; WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; From 2fe413d80f1a17256d624ce74d5293ddbdf25f30 Mon Sep 17 00:00:00 2001 
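Review bot: `wolfSSL_OCSP_response_get1_basic` reads `response->source` in the initializer of `ptr` before any NULL check, so a NULL `response` faults inside this compat API. I would add `if (response == NULL || response->source == NULL) return NULL;` ahead of the decode and assign `ptr` after it. `response->maxIdx` is a `word32`; if the length parameter of `wolfSSL_d2i_OCSP_RESPONSE` is a signed `int`, as in the OpenSSL-style d2i signature, a range check before the call is worth adding as well.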
From: Marco Oliverio Date: Fri, 31 Jan 2025 18:33:34 +0000 Subject: [PATCH 06/22] ocsp: add tests --- CMakeLists.txt | 1 + certs/ocsp/include.am | 3 +- certs/ocsp/renewcerts.sh | 10 + certs/ocsp/test-leaf-response.der | Bin 0 -> 1860 bytes tests/api.c | 4 + tests/api/create_ocsp_test_blobs.py | 415 +++++++++++ tests/api/include.am | 4 + tests/api/test_ocsp.c | 568 +++++++++++++++ tests/api/test_ocsp.h | 29 + tests/api/test_ocsp_test_blobs.h | 1046 +++++++++++++++++++++++++++ 10 files changed, 2079 insertions(+), 1 deletion(-) create mode 100644 certs/ocsp/test-leaf-response.der create mode 100644 tests/api/create_ocsp_test_blobs.py create mode 100644 tests/api/test_ocsp.c create mode 100644 tests/api/test_ocsp.h create mode 100644 tests/api/test_ocsp_test_blobs.h diff --git a/CMakeLists.txt b/CMakeLists.txt index 773922243..68655a5a7 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2511,6 +2511,7 @@ if(WOLFSSL_EXAMPLES) tests/api/test_ripemd.c tests/api/test_hash.c tests/api/test_ascon.c + tests/api/test_ocsp.c tests/hash.c tests/srp.c tests/suites.c diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index 1b663075f..3f79753d2 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -36,4 +36,5 @@ EXTRA_DIST += \ certs/ocsp/test-response.der \ certs/ocsp/test-response-rsapss.der \ certs/ocsp/test-response-nointern.der \ - certs/ocsp/test-multi-response.der + certs/ocsp/test-multi-response.der \ + certs/ocsp/test-leaf-response.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index f377a1fdd..003aa1253 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh 
@@ -100,6 +100,16 @@ openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -cert kill $PID wait $PID +# Create a response DER buffer for testing leaf certificate +openssl ocsp -port 22221 -ndays 1000 -index \ +./index-intermediate1-ca-issued-certs.txt -rsigner ocsp-responder-cert.pem \ +-rkey ocsp-responder-key.pem -CA intermediate1-ca-cert.pem -partial_chain & +PID=$! +sleep 1 # Make sure server is ready + +openssl ocsp -issuer ./intermediate1-ca-cert.pem -cert ./server1-cert.pem -url http://localhost:22221/ -respout test-leaf-response.der -noverify +kill $PID +wait $PID # now start up a responder that signs using rsa-pss openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & 
diff --git a/certs/ocsp/test-leaf-response.der b/certs/ocsp/test-leaf-response.der new file mode 100644 index 0000000000000000000000000000000000000000..ec3443fa6a58fad3033646a80ea338fae71eb6fd GIT binary patch literal 1860 zcmXqLVt3$TWLVI|ZfVfOZpy}~&Bn;e%5K2O$kN2FX3)g0WYEOuu&{BVLE}6_ZUas> z=1>+kVW!YvLtz6!5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE< z4)!q=F%SZ&;pX9X%}dYBOHD1x%u6?vH;@I1GV_Q*)hYNp2L~twr4|?D=cS|;ffaCS zwRyCC=Vjz%6cfnIOUrivsVy$f(M!(HmEborFfuVTFfcSUGchqSk1|LxNHVZ8;ACUf z=3{1(Vr5_vDfDepc8EMMZK1jIFT>lrHabh(VqpFkl$DKoBfsZeV6)0kvhJvVo$3JR;nfScF&v+8Fj7O+NQLO{g>E{jW}$od&#Y zFsCzevobI@F)}jvMK5RlIa%#^@f7vNZUG6uGnN%SUwck+Wk~3n9XemnOkWf!*7eWM zwAp^n35oZ{@4xT4w{zKywLST-el8Q*uhFq$LG{u!?$((HAAPtRF6MJ$nvvnUnAsCM zL=N1Nh?LqYn?L=>O-9GdlP9;aJgX3x!LeZK(xwyMU)Rd^tn{D!K#>3SMG2ulA8x$R zEqtb{Jh}4ZM0rWx&iS5?*B#wc;P`EMTi&ZW_Of(YjS23jzQ><6vJvF6dDvri&qJ~7 zl*if+haR3u*jN13c4|+4pQg6U#A!CYD16O)UEinwXa@U}j=uVq#=L3oC=h z=`>Au5(Z+BbjJ@$OTocD3Pt((B?``t1QVQroH#F1f-{K{=QTp443nrqpJNP~7?qGi zn-QEc`56qF7`d20Np#09Mo*;a9ojovq3y0l7bF7Im?7UoDN%{hr)$ zk-h2_x2vi4Yx#{zTc$W#Jepf_t=m9JAn@qzQ}%A!|DHzKJC>xEPF*?W>fv`zKYCwJ zn)>i&>UQTN68FR!CY)0-RXh^9CMxiOp6+I@D1WbF!+>{QVtXyS*Rp!FZ=Cr^U^!b+ z`l*M!EW&l|E7PHdvQE=cDJCUkj?6*!ixXv z?2R^Y6mF94QC}mtC%u7dJ6-88k7nfy+KwVHPF>25?a&%f}+d zB4U*OaAW1A#y|6wc?ui?wz`GwFfcP{Ji^8tDyz)WxW}MzXM;%b2AL)LO{dShFSWS7 zfu+f+u1HjIVdLB-jk5-C;%;J0HV_8+LY0NbfQyX-QY|oZBBvKvNtR^uC3d=eqW=C_CP}Z}aaPxE1LX$be%j|B>3HCHR_wcA+oajD- z!=LAHPhEZ^(nzYZuebKhMAufyqT226HdWsKBqrs|#`0jsTd`?D7I6}ze^@lvw-W5N4cC7HAVyZ63w?m&}&K;by1A`mnh}kLC2gH5c@a{wr-2eX+|*J;r&%hu>GHZ0+aZ@V&h?^G)@uCzAk_ CS%i52 literal 0 HcmV?d00001 diff --git a/tests/api.c b/tests/api.c index 4ffe633a8..339e9a637 100644 --- a/tests/api.c +++ b/tests/api.c @@ -301,6 +301,7 @@ #include #include #include +#include #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ !defined(NO_RSA) && !defined(SINGLE_THREADED) && \ 
@@ -99372,6 +99373,9 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_SSLDisableRead), TEST_DECL(test_wolfSSL_inject), TEST_DECL(test_wolfSSL_dtls_cid_parse), + TEST_DECL(test_ocsp_status_callback), + TEST_DECL(test_ocsp_basic_verify), + TEST_DECL(test_ocsp_response_parsing), /* This test needs to stay at the end to clean up any caches allocated. */ TEST_DECL(test_wolfSSL_Cleanup) }; diff --git a/tests/api/create_ocsp_test_blobs.py b/tests/api/create_ocsp_test_blobs.py new file mode 100644 index 000000000..b77e9c582 --- /dev/null +++ b/tests/api/create_ocsp_test_blobs.py 
@@ -0,0 +1,415 @@ +#!/usr/bin/env python3 +""" + This is a simple generator of OCSP responses that will be used to test + wolfSSL OCSP implementation +""" +from pyasn1_modules import rfc6960 +from pyasn1.codec.der.encoder import encode +from pyasn1.codec.der.decoder import decode +from pyasn1.type import univ, tag, useful, namedtype +from base64 import b64decode +from hashlib import sha1, sha256 +from datetime import datetime +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.primitives.asymmetric import rsa, padding +from cryptography import x509 +from cryptography.hazmat.backends import default_backend + +WOLFSSL_OCSP_CERT_PATH = './certs/ocsp/' + +def response_status(value: int) -> rfc6960.OCSPResponseStatus: + return rfc6960.OCSPResponseStatus(value) + +def response_type() -> univ.ObjectIdentifier: + return rfc6960.id_pkix_ocsp_basic + +sha256WithRSAEncryption = (1, 2, 840, 113549, 1, 1, 11) +sha1_alg_id = (1, 3, 14, 3, 2, 26) +def cert_id_sha1_alg_id() -> rfc6960.AlgorithmIdentifier: + return algorithm(sha1_alg_id) + +def signature_algorithm() -> rfc6960.AlgorithmIdentifier: + return algorithm(sha256WithRSAEncryption) + +def algorithm(value) -> rfc6960.AlgorithmIdentifier: + ai = rfc6960.AlgorithmIdentifier() + ai['algorithm'] = univ.ObjectIdentifier(value=value) + return ai + +def cert_pem_to_der(cert_path: str) -> bytes: + beg_cert = '-----BEGIN CERTIFICATE-----' + end_cert = '-----END CERTIFICATE-----' + with open(cert_path, 'r') as f: + pem = f.read() + cert = pem.split(beg_cert)[1].split(end_cert)[0] + return b64decode(cert) + +def certs(cert_path: list[str]) -> univ.SequenceOf | None: + if len(cert_path) == 0: + return None + certs = rfc6960.BasicOCSPResponse()['certs'] + for cp in cert_path: + cert_der = cert_pem_to_der(cp) + cert, _ = decode(bytes(cert_der), asn1Spec=rfc6960.Certificate()) + certs.append(cert) + return certs + +def signature(bitstr: str) -> univ.BitString: + return 
univ.BitString(hexValue=bitstr) + +def resp_id_by_name(cert_path: str) -> rfc6960.ResponderID: + cert_der = cert_pem_to_der(cert_path) + cert, _ = decode(bytes(cert_der), asn1Spec=rfc6960.Certificate()) + subj = cert['tbsCertificate']['subject'] + rid = rfc6960.ResponderID() + rdi_name = rid['byName'] + rdi_name['rdnSequence'] = subj['rdnSequence'] + return rid + +def resp_id_by_key(cert_path: str) -> rfc6960.ResponderID: + cert_der = cert_pem_to_der(cert_path) + cert, _ = decode(bytes(cert_der), asn1Spec=rfc6960.Certificate()) + key = get_key(cert) + key_hash = sha1(key.asOctets()).digest() + rid = rfc6960.ResponderID() + rid['byKey'] = rfc6960.KeyHash(value=key_hash).subtype(explicitTag= + tag.Tag( + tag.tagClassContext, + tag.tagFormatSimple, + 2)) + return rid + +def get_key(cert: rfc6960.Certificate) -> univ.BitString: + return cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey'] + +def get_name(cert: rfc6960.Certificate) -> rfc6960.Name: + return cert['tbsCertificate']['subject'] + +def cert_id_from_hash(issuer_name_hash: bytes, issuer_key_hash: bytes, + serial: int) -> rfc6960.CertID: + cert_id = rfc6960.CertID() + cert_id['hashAlgorithm'] = cert_id_sha1_alg_id() + cert_id['issuerNameHash'] = univ.OctetString(value=issuer_name_hash) + cert_id['issuerKeyHash'] = univ.OctetString(value=issuer_key_hash) + cert_id['serialNumber'] = rfc6960.CertificateSerialNumber(serial) + return cert_id + +def cert_id(issuer_cert_path: str, serial: int) -> rfc6960.CertID: + issuer_cert = cert_pem_to_der(issuer_cert_path) + issuer, _ = decode(bytes(issuer_cert), asn1Spec=rfc6960.Certificate()) + issuer_name = get_name(issuer) + issuer_key = get_key(issuer) + issuer_name_hash = sha1(encode(issuer_name)).digest() + issuer_key_hash = sha1(issuer_key.asOctets()).digest() + cert_id = rfc6960.CertID() + cert_id['hashAlgorithm'] = cert_id_sha1_alg_id() + cert_id['issuerNameHash'] = univ.OctetString(value=issuer_name_hash) + cert_id['issuerKeyHash'] = 
univ.OctetString(value=issuer_key_hash) + cert_id['serialNumber'] = rfc6960.CertificateSerialNumber(serial) + + return cert_id + +CERT_GOOD = 0 +CERT_REVOKED = 1 +CERT_UNKNOWN = 2 +def cert_status(value: int) -> rfc6960.CertStatus: + cs = rfc6960.CertStatus() + + if value == CERT_GOOD: + good = univ.Null('').subtype(implicitTag=tag.Tag(tag.tagClassContext, + tag.tagFormatSimple, + 0)) + cs['good'] = good + elif value == CERT_REVOKED: + revoked = rfc6960.RevokedInfo().subtype(implicitTag=tag.Tag( + tag.tagClassContext, tag.tagFormatSimple, 1)) + revoked['revocationTime'] = useful.GeneralizedTime().fromDateTime( + datetime.now()) + cs['revoked'] = revoked + + return cs + +def single_response(issuer_cert_path: str, serial: int, + status: int) -> rfc6960.SingleResponse: + cid = cert_id(issuer_cert_path, serial) + cs = cert_status(status) + sr = rfc6960.SingleResponse().clone() + sr.setComponentByName('certID', cid) + sr['certStatus'] = cs + sr['thisUpdate'] = useful.GeneralizedTime().fromDateTime(datetime.now()) + return sr + +def response_data(rid: rfc6960.ResponderID | None, + responses: list[rfc6960.SingleResponse]) -> rfc6960.ResponseData: + rd = rfc6960.ResponseData() + rd['version'] = rfc6960.Version('v1').subtype(explicitTag=tag.Tag( + tag.tagClassContext, tag.tagFormatSimple, 0)) + if rid: + rd['responderID'] = rid + rd['producedAt'] = useful.GeneralizedTime().fromDateTime(datetime.now()) + rs = univ.SequenceOf(componentType=rfc6960.SingleResponse()) + rs.extend(responses) + rd['responses'] = rs + return rd + +def read_key_der_from_pem(key_path: str) -> bytes: + with open(key_path, 'r') as f: + pem = f.readlines() + pem_start = [i for i, line in enumerate(pem) if '-----BEGIN' in line][0] + pem_end = [i for i, line in enumerate(pem) if '-----END' in line][0] + key = ''.join(pem[pem_start+1:pem_end]) + return b64decode(key) + +def basic_ocsp_response(rd: rfc6960.ResponseData, sig_alg: + rfc6960.AlgorithmIdentifier, sig: univ.BitString, + certs: 
univ.SequenceOf|None = None) -> rfc6960.BasicOCSPResponse: + br = rfc6960.BasicOCSPResponse() + + br['tbsResponseData'] = rd + br['signatureAlgorithm'] = sig_alg + br['signature'] = sig + if certs is not None: + br['certs'] = certs + return br + +def response_bytes(br: rfc6960.BasicOCSPResponse) -> rfc6960.ResponseBytes: + rb = rfc6960.ResponseBytes().subtype(explicitTag=tag.Tag( + tag.tagClassContext, tag.tagFormatConstructed, 0)) + rb['responseType'] = response_type() + rb['response'] = encode(br) + return rb + +def ocsp_response(status: rfc6960.OCSPResponseStatus, + response_bytes: rfc6960.ResponseBytes) -> rfc6960.OCSPResponse: + orsp = rfc6960.OCSPResponse() + orsp['responseStatus'] = status + orsp['responseBytes'] = response_bytes + return orsp + +def get_priv_key(pem_path) -> rsa.RSAPrivateKey: + key_der = read_key_der_from_pem(pem_path) + private_key = serialization.load_der_private_key( + key_der, + password=None, + ) + return private_key + +def sign_repsonse_data(rd: rfc6960.ResponseData, + key: rsa.RSAPrivateKey) -> univ.BitString: + sig = key.sign(encode(rd), padding.PKCS1v15(), hashes.SHA256()) + return univ.BitString(hexValue=sig.hex()) + +def get_pub_key(cert_path: str) -> rsa.RSAPublicKey: + with open(cert_path, 'rb') as f: + cert = f.read() + cert = x509.load_pem_x509_certificate(cert, default_backend()) + return cert.public_key() + +def test_signature(ocsp_resp_path: str, key: rsa.RSAPublicKey): + with open(ocsp_resp_path, 'rb') as f: + ocsp_resp = f.read() + ocsp_resp, _ = decode(ocsp_resp, asn1Spec=rfc6960.OCSPResponse()) + response = ocsp_resp.getComponentByName( + 'responseBytes').getComponentByName('response') + br, _ = decode(response, asn1Spec=rfc6960.BasicOCSPResponse()) + rd = br.getComponentByName('tbsResponseData') + rd_hash = sha256(encode(rd)).digest() + di = rfc8017.DigestInfo() + di['digestAlgorithm'] = signature_algorithm() + di['digest'] = univ.OctetString(rd_hash) + sig = br.getComponentByName('signature') + 
key.verify(sig.asOctets(), encode(rd), padding.PKCS1v15(), hashes.SHA256()) + +def single_response_from_cert(cert_path: str, + status: int) -> rfc6960.SingleResponse: + cert_der = cert_pem_to_der(cert_path) + cert, _ = decode(bytes(cert_der), asn1Spec=rfc6960.Certificate()) + serial = cert['tbsCertificate']['serialNumber'] + issuer = cert['tbsCertificate']['issuer'] + serialHash = sha1(serial.asOctets()).digest() + issuerHash = sha1(encode(issuer)).digest() + cid = cert_id_from_hash(issuerHash, serialHash, serial) + cs = cert_status(status) + sr = rfc6960.SingleResponse().clone() + sr.setComponentByName('certID', cid) + sr['certStatus'] = cs + sr['thisUpdate'] = useful.GeneralizedTime().fromDateTime(datetime.now()) + return sr + +RESPONSE_STATUS_GOOD = 0 + +def write_buffer(name: str, data: bytes, f): + f.write(f"unsigned char {name}[] = {{\n") + for i in range(0, len(data), 12): + f.write(" " + ", ".join(f"0x{b:02x}" for b in data[i:i+12]) + ",\n") + f.write("};\n\n") + +def create_response(rd: dict) -> rfc6960.OCSPResponse: + """create a response using definition in rd""" + cs = response_status(rd.get('response_status', RESPONSE_STATUS_GOOD)) + sa = rd.get('signature_algorithm', signature_algorithm()) + c = certs(rd.get('certs_path', [])) + rid = None + if rd.get('responder_by_name') is not None: + rid = resp_id_by_name( + rd.get( + 'responder_cert', WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem')) + elif rd.get('responder_by_key', None) is not None: + rid = resp_id_by_key( + rd.get('responder_cert', WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem')) + # implement responder byhash + responses = [] + for entry in rd.get('responses', []): + if entry.get('certificate'): + sr = single_response_from_cert(entry['certificate'], entry['status']) + else: + sr = single_response(entry['issuer_cert'], entry['serial'], entry['status']) + responses.append(sr) + rd_data = response_data(rid, responses) + k = get_priv_key(rd.get('responder_key', WOLFSSL_OCSP_CERT_PATH + 
'ocsp-responder-key.pem')) + s = sign_repsonse_data(rd_data, k) + br = basic_ocsp_response(rd_data, sa, s, c) + rb = response_bytes(br) + ocspr = ocsp_response(cs, rb) + return ocspr + +def create_and_write_response(rd: dict, f): + ocspr = create_response(rd) + encoded_response = encode(ocspr) + write_buffer(rd['name'].replace('-', '_').replace('.', '_'), encoded_response, f) + +def add_certificate(cert_path: str, f): + cert_der = cert_pem_to_der(cert_path) + write_buffer(cert_path.split('/')[-1].replace('-', '_').replace('.', '_'), cert_der, f) + +class badOCSPResponse(univ.Sequence): + componentType = namedtype.NamedTypes( + namedtype.OptionalNamedType('responseBytes', rfc6960.ResponseBytes().subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) + ) + +def create_bad_response(rd: dict) -> bytes: + """Creates a malformed OCSP response by removing the response status field""" + r = create_response(rd) + br = badOCSPResponse() + br['responseBytes'] = r['responseBytes'] + return encode(br) + +if __name__ == '__main__': + useful.GeneralizedTime._hasSubsecond = False + response_definitions = [ + { + 'response_status': 0, + 'signature_algorithm': signature_algorithm(), + 'certs_path': [WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem'], + 'responder_by_name': True, + 'responses': [ + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + } + ], + 'responder_key': WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-key.pem', + 'name': 'resp' + }, + { + 'response_status': 0, + 'signature_algorithm': signature_algorithm(), + 'certs_path': [WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem'], + 'responder_by_key': True, + 'responses': [ + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + } + ], + 'responder_key': WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-key.pem', + 'name': 'resp_rid_bykey', + }, + { + 'response_status': 0, + 'signature_algorithm': 
signature_algorithm(), + 'responder_by_name': True, + 'responses': [ + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + } + ], + 'responder_key': WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-key.pem', + 'name': 'resp_nocert' + }, + { + 'response_status': 0, + 'signature_algorithm': signature_algorithm(), + 'responder_by_name': True, + 'responses': [ + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + }, + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x02, + 'status': CERT_GOOD + } + ], + 'responder_key': WOLFSSL_OCSP_CERT_PATH + 'root-ca-key.pem', + 'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'name': 'resp_multi' + }, + { + 'response_status': 0, + 'signature_algorithm': signature_algorithm(), + 'responder_by_name': True, + 'responses': [ + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + }, + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + } + ], + 'responder_key': WOLFSSL_OCSP_CERT_PATH + 'root-ca-key.pem', + 'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'name': 'resp_bad_noauth' + }, + ] + + with open('./tests/api/ocsp_test_blobs.h', 'w') as f: + f.write( +"""/* +* This file is generated automatically by running ./tests/api/create_ocsp_test_blobs.py. 
+*/ +""") + f.write("#ifndef OCSP_TEST_BLOBS_H\n") + f.write("#define OCSP_TEST_BLOBS_H\n\n") + for rd in response_definitions: + create_and_write_response(rd, f) + add_certificate(WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem', f) + add_certificate(WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', f) + add_certificate(WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem', f) + add_certificate(WOLFSSL_OCSP_CERT_PATH + '../server-cert.pem', f) + add_certificate(WOLFSSL_OCSP_CERT_PATH + 'intermediate1-ca-cert.pem', f) + br = create_bad_response({ + 'response_status': 0, + 'responder_by_key': True, + 'responses': [ + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + } + ], + 'name': 'resp_bad' + }) + write_buffer('resp_bad', br, f) + f.write("#endif // OCSP_TEST_BLOBS_H\n") diff --git a/tests/api/include.am b/tests/api/include.am index 445f1207c..51ba3ac0c 100644 --- a/tests/api/include.am +++ b/tests/api/include.am @@ -14,6 +14,7 @@ tests_unit_test_SOURCES += tests/api/test_ripemd.c tests_unit_test_SOURCES += tests/api/test_hash.c tests_unit_test_SOURCES += tests/api/test_ascon.c tests_unit_test_SOURCES += tests/api/test_dtls.c +tests_unit_test_SOURCES += tests/api/test_ocsp.c endif EXTRA_DIST += tests/api/api.h EXTRA_DIST += tests/api/test_md5.h @@ -29,4 +30,7 @@ EXTRA_DIST += tests/api/test_ascon.h EXTRA_DIST += tests/api/test_ascon.h EXTRA_DIST += tests/api/test_ascon_kats.h EXTRA_DIST += tests/api/test_dtls.h +EXTRA_DIST += tests/api/test_ocsp.h +EXTRA_DIST += tests/api/test_ocsp_test_blobs.h +EXTRA_DIST += tests/api/create_ocsp_test_blobs.py diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c new file mode 100644 index 000000000..8f58c40e2 --- /dev/null +++ b/tests/api/test_ocsp.c 
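Review bot: The generator writes its output to `./tests/api/ocsp_test_blobs.h`, but the header added to `EXTRA_DIST` and listed in the diffstat is `tests/api/test_ocsp_test_blobs.h`, so regenerating the blobs would appear to leave the checked-in header untouched. Pointing the `open(...)` call at `./tests/api/test_ocsp_test_blobs.h` keeps the script and the committed file in step. `test_signature` also builds `rfc8017.DigestInfo()` although only `rfc6960` is imported from `pyasn1_modules`, so calling it raises `NameError`. The `di` value is never used afterwards, so the three lines that build it can simply be removed.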
@@ -0,0 +1,568 @@ +/* ocsp.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifdef HAVE_CONFIG_H + #include +#endif +#if !defined(WOLFSSL_USER_SETTINGS) && !defined(WOLFSSL_NO_OPTIONS_H) + #include +#endif +#include + +#include +#include +#include +#include +#include +#include + +#if defined(HAVE_OCSP) +struct ocsp_cb_ctx { + byte* response; + int responseSz; +}; + +struct test_conf { + unsigned char* resp; + int respSz; + unsigned char* ca0; + int ca0Sz; + unsigned char* ca1; + int ca1Sz; + unsigned char* targetCert; + int targetCertSz; +}; + +static int ocsp_cb(void* ctx, const char* url, int urlSz, unsigned char* req, + int reqSz, unsigned char** respBuf) +{ + struct ocsp_cb_ctx* cb_ctx = (struct ocsp_cb_ctx*)ctx; + (void)url; + (void)urlSz; + (void)req; + (void)reqSz; + + *respBuf = cb_ctx->response; + return cb_ctx->responseSz; +} + +static int test_ocsp_response_with_cm(struct test_conf* c) +{ + EXPECT_DECLS; + WOLFSSL_CERT_MANAGER* cm = NULL; + struct ocsp_cb_ctx cb_ctx; + int ret; + + cm = wolfSSL_CertManagerNew(); + ExpectPtrNE(cm, NULL); + ret = wolfSSL_CertManagerEnableOCSP(cm, + WOLFSSL_OCSP_URL_OVERRIDE | WOLFSSL_OCSP_NO_NONCE); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ret = 
wolfSSL_CertManagerSetOCSPOverrideURL(cm, "http://foo.com"); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + cb_ctx.response = (byte*)c->resp; + cb_ctx.responseSz = c->respSz; + ret = wolfSSL_CertManagerSetOCSP_Cb(cm, ocsp_cb, NULL, (void*)&cb_ctx); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + /* add ca in cm */ + if (c->ca0 != NULL) { + ret = wolfSSL_CertManagerLoadCABuffer(cm, c->ca0, c->ca0Sz, + WOLFSSL_FILETYPE_ASN1); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + } + if (c->ca1 != NULL) { + ret = wolfSSL_CertManagerLoadCABuffer(cm, c->ca1, c->ca1Sz, + WOLFSSL_FILETYPE_ASN1); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + } + /* check cert */ + ret = wolfSSL_CertManagerCheckOCSP(cm, c->targetCert, c->targetCertSz); + wolfSSL_CertManagerFree(cm); + return ret; +} + +int test_ocsp_response_parsing(void) +{ + struct test_conf conf; + int ret; + EXPECT_DECLS; + conf.resp = (unsigned char*)resp; + conf.respSz = sizeof(resp); + conf.ca0 = root_ca_cert_pem; + conf.ca0Sz = sizeof(root_ca_cert_pem); + conf.ca1 = NULL; + conf.ca1Sz = 0; + conf.targetCert = intermediate1_ca_cert_pem; + conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); + ret = test_ocsp_response_with_cm(&conf); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + + conf.resp = (unsigned char*)resp_multi; + conf.respSz = sizeof(resp_multi); + conf.ca0 = root_ca_cert_pem; + conf.ca0Sz = sizeof(root_ca_cert_pem); + conf.ca1 = NULL; + conf.ca1Sz = 0; + conf.targetCert = intermediate1_ca_cert_pem; + conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); + ret = test_ocsp_response_with_cm(&conf); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + + conf.resp = (unsigned char*)resp_bad_noauth; + conf.respSz = sizeof(resp_bad_noauth); + conf.ca0 = root_ca_cert_pem; + conf.ca0Sz = sizeof(root_ca_cert_pem); + conf.ca1 = ca_cert_pem; + conf.ca1Sz = sizeof(ca_cert_pem); + conf.targetCert = server_cert_pem; + conf.targetCertSz = sizeof(server_cert_pem); + ret = test_ocsp_response_with_cm(&conf); +#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK + ExpectIntNE(ret, WOLFSSL_SUCCESS); 
+#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + return EXPECT_SUCCESS(); +} +#else /* HAVE_OCSP */ +int test_ocsp_response_parsing(void) { return TEST_SKIPPED; } +#endif /* HAVE_OCSP */ + +#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) +static int test_ocsp_create_x509store(WOLFSSL_X509_STORE** store, + unsigned char* ca, int caSz) +{ + EXPECT_DECLS; + WOLFSSL_X509* cert = NULL; + int ret; + + *store = wolfSSL_X509_STORE_new(); + ExpectPtrNE(*store, NULL); + cert = wolfSSL_X509_d2i(&cert, ca, caSz); + ExpectPtrNE(cert, NULL); + ret = wolfSSL_X509_STORE_add_cert(*store, cert); + wolfSSL_X509_free(cert); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + return EXPECT_RESULT(); +} + +static int test_create_stack_of_x509(WOLF_STACK_OF(WOLFSSL_X509) * *certs, + unsigned char* der, int derSz) +{ + EXPECT_DECLS; + WOLFSSL_X509* cert = NULL; + int ret; + + *certs = wolfSSL_sk_X509_new_null(); + ExpectPtrNE(*certs, NULL); + cert = wolfSSL_X509_d2i(&cert, der, derSz); + ExpectPtrNE(cert, NULL); + ret = wolfSSL_sk_X509_push(*certs, cert); + ExpectIntEQ(ret, 1); + return EXPECT_RESULT(); +} + +int test_ocsp_basic_verify(void) +{ + EXPECT_DECLS; + WOLF_STACK_OF(WOLFSSL_X509) * certs; + OcspResponse* response = NULL; + WOLFSSL_X509_STORE* store; + const unsigned char* ptr; + DecodedCert cert; + int ret; + + wc_InitDecodedCert(&cert, ocsp_responder_cert_pem, + sizeof(ocsp_responder_cert_pem), NULL); + ret = wc_ParseCert(&cert, CERT_TYPE, 0, NULL); + ExpectIntEQ(ret, 0); + + /* just decoding */ + ptr = (const unsigned char*)resp; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); + ExpectPtrNE(response, NULL); + ExpectIntEQ(response->responseStatus, 0); + ExpectIntEQ(response->responderIdType, OCSP_RESPONDER_ID_NAME); + ExpectBufEQ(response->responderId.nameHash, cert.subjectHash, + OCSP_DIGEST_SIZE); + wolfSSL_OCSP_RESPONSE_free(response); + + /* responder Id by key hash */ + ptr = (const unsigned char*)resp_rid_bykey; + response = 
wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_rid_bykey)); + ExpectPtrNE(response, NULL); + ExpectIntEQ(response->responseStatus, 0); + ExpectIntEQ(response->responderIdType, OCSP_RESPONDER_ID_KEY); + ExpectBufEQ(response->responderId.keyHash, cert.subjectKeyHash, + OCSP_DIGEST_SIZE); + wc_FreeDecodedCert(&cert); + wolfSSL_OCSP_RESPONSE_free(response); + + /* decoding with no embedded certificates */ + ptr = (const unsigned char*)resp_nocert; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); + ExpectPtrNE(response, NULL); + ExpectIntEQ(response->responseStatus, 0); + wolfSSL_OCSP_RESPONSE_free(response); + + /* decoding an invalid response */ + ptr = (const unsigned char*)resp_bad; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_bad)); + ExpectPtrEq(response, NULL); + + ptr = (const unsigned char*)resp; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); + ExpectPtrNE(response, NULL); + /* no verify signer certificate */ + ret = wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + /* verify that the signature is checked */ + response->sig[0] ^= 0xff; + ret = wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY); + ExpectIntEQ(ret, WOLFSSL_FAILURE); + wolfSSL_OCSP_RESPONSE_free(response); + + /* populate a store with root-ca-cert */ + ret = test_ocsp_create_x509store(&store, root_ca_cert_pem, + sizeof(root_ca_cert_pem)); + ExpectIntEQ(ret, TEST_SUCCESS); + + /* populate a WOLF_STACK_OF(WOLFSSL_X509) with responder certificate */ + ret = test_create_stack_of_x509(&certs, ocsp_responder_cert_pem, + sizeof(ocsp_responder_cert_pem)); + ExpectIntEQ(ret, TEST_SUCCESS); + + /* cert not embedded, cert in certs, validated using store */ + ptr = (const unsigned char*)resp_nocert; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); + ExpectPtrNE(response, NULL); + ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); + ExpectIntEQ(ret, 
WOLFSSL_SUCCESS); + wolfSSL_OCSP_RESPONSE_free(response); + + /* cert embedded, verified using store */ + ptr = (const unsigned char*)resp; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); + ExpectPtrNE(response, NULL); + ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + /* make invalid signature */ + response->sig[0] ^= 0xff; + ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); + ExpectIntEQ(ret, WOLFSSL_FAILURE); + response->sig[0] ^= 0xff; + + /* cert embedded and in certs, no store needed bc OCSP_TRUSTOTHER */ + ret = wolfSSL_OCSP_basic_verify(response, certs, NULL, OCSP_TRUSTOTHER); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + /* this should also pass */ + ret = wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOINTERN); + ; + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + /* this should not */ + ret = wolfSSL_OCSP_basic_verify(response, NULL, store, OCSP_NOINTERN); + ; + ExpectIntNE(ret, WOLFSSL_SUCCESS); + wolfSSL_OCSP_RESPONSE_free(response); + + /* cert not embedded, not certs */ + ptr = (const unsigned char*)resp_nocert; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); + ExpectPtrNE(response, NULL); + ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); + ExpectIntNE(ret, WOLFSSL_SUCCESS); + wolfSSL_OCSP_RESPONSE_free(response); + + wolfSSL_sk_X509_pop_free(certs, wolfSSL_X509_free); + wolfSSL_X509_STORE_free(store); + + ret = test_ocsp_create_x509store(&store, root_ca_cert_pem, + sizeof(root_ca_cert_pem)); + ExpectIntEQ(ret, TEST_SUCCESS); + ret = test_create_stack_of_x509(&certs, root_ca_cert_pem, + sizeof(root_ca_cert_pem)); + ExpectIntEQ(ret, TEST_SUCCESS); + + /* multiple responses in a ocsp response */ + ptr = (const unsigned char*)resp_multi; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_multi)); + ExpectPtrNE(response, NULL); + ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + 
wolfSSL_OCSP_RESPONSE_free(response); + + /* cert in certs, cert verified on store, not authorized to verify all + * responses */ + ptr = (const unsigned char*)resp_bad_noauth; + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_bad_noauth)); + ExpectPtrNE(response, NULL); + ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); +#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK + ExpectIntEQ(ret, WOLFSSL_FAILURE); +#else + ExpectIntEQ(ret, WOLFSSL_SUCCESS); +#endif + /* should pass with OCSP_NOCHECKS ...*/ + ret = wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOCHECKS); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + /* or with OSCP_TRUSTOTHER */ + ret = wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_TRUSTOTHER); + ExpectIntEQ(ret, WOLFSSL_SUCCESS); + wolfSSL_OCSP_RESPONSE_free(response); + + wolfSSL_sk_X509_pop_free(certs, wolfSSL_X509_free); + wolfSSL_X509_STORE_free(store); + + return EXPECT_RESULT(); +} +#else +int test_ocsp_basic_verify(void) { return TEST_SKIPPED; } +#endif /* HAVE_OCSP && (OPENSSL_ALL || OPENSSL_EXTRA) */ + +#if defined(HAVE_OCSP) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) && \ + (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) + +struct _test_ocsp_status_callback_ctx { + byte* ocsp_resp; + int ocsp_resp_sz; + int invoked; +}; + +static int test_ocsp_status_callback_cb(WOLFSSL* ssl, void* ctx) +{ + struct _test_ocsp_status_callback_ctx* _ctx = + (struct _test_ocsp_status_callback_ctx*)ctx; + byte* allocated; + + _ctx->invoked++; + allocated = (byte*)XMALLOC(_ctx->ocsp_resp_sz, NULL, 0); + if (allocated == NULL) + return SSL_TLSEXT_ERR_ALERT_FATAL; + XMEMCPY(allocated, _ctx->ocsp_resp, _ctx->ocsp_resp_sz); + SSL_set_tlsext_status_ocsp_resp(ssl, allocated, _ctx->ocsp_resp_sz); + return SSL_TLSEXT_ERR_OK; +} + +static int test_ocsp_status_callback_cb_noack(WOLFSSL* ssl, void* ctx) +{ + struct _test_ocsp_status_callback_ctx* _ctx = + (struct 
_test_ocsp_status_callback_ctx*)ctx; + (void)ssl; + + _ctx->invoked++; + return SSL_TLSEXT_ERR_NOACK; +} + +static int test_ocsp_status_callback_cb_err(WOLFSSL* ssl, void* ctx) +{ + struct _test_ocsp_status_callback_ctx* _ctx = + (struct _test_ocsp_status_callback_ctx*)ctx; + (void)ssl; + + _ctx->invoked++; + return SSL_TLSEXT_ERR_ALERT_FATAL; +} + +static int test_ocsp_status_callback_test_setup( + struct _test_ocsp_status_callback_ctx* cb_ctx, + struct test_ssl_memio_ctx* test_ctx, method_provider cm, method_provider sm) +{ + int ret; + + cb_ctx->invoked = 0; + XMEMSET(test_ctx, 0, sizeof(*test_ctx)); + test_ctx->c_cb.caPemFile = "./certs/ocsp/root-ca-cert.pem"; + test_ctx->s_cb.certPemFile = "./certs/ocsp/server1-cert.pem"; + test_ctx->s_cb.keyPemFile = "./certs/ocsp/server1-key.pem"; + test_ctx->c_cb.method = cm; + test_ctx->s_cb.method = sm; + ret = test_ssl_memio_setup(test_ctx); + wolfSSL_set_verify(test_ctx->c_ssl, WOLFSSL_VERIFY_DEFAULT, NULL); + return ret; +} + +static int test_ocsp_status_callback(void) +{ + struct test_params { + method_provider c_method; + method_provider s_method; + }; + + const char* responseFile = "./certs/ocsp/test-leaf-response.der"; + struct _test_ocsp_status_callback_ctx cb_ctx; + struct test_ssl_memio_ctx test_ctx; + int enable_client_ocsp; + int enable_must_staple; + XFILE f = XBADFILE; + byte data[4096]; + unsigned int i; + EXPECT_DECLS; + + struct test_params params[] = { + {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method}, +#if defined(WOLFSSL_TLS13) + {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method}, +#endif +#if defined(WOLFSSL_DTLS) + {wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method}, +#endif +#if defined(WOLFSSL_DTLS13) + {wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method}, +#endif + }; + + XMEMSET(&cb_ctx, 0, sizeof(cb_ctx)); + f = XFOPEN(responseFile, "rb"); + if (f == XBADFILE) + return -1; + cb_ctx.ocsp_resp_sz = (word32)XFREAD(data, 1, 4096, f); + if (f != XBADFILE) { + XFCLOSE(f); + f = 
XBADFILE; + } + cb_ctx.ocsp_resp = data; + + for (i = 0; i < sizeof(params) / sizeof(params[0]); i++) { + for (enable_client_ocsp = 0; enable_client_ocsp <= 1; + enable_client_ocsp++) { + ExpectIntEQ(test_ocsp_status_callback_test_setup(&cb_ctx, &test_ctx, + params[i].c_method, params[i].s_method), + TEST_SUCCESS); + ExpectIntEQ(SSL_CTX_set_tlsext_status_cb(test_ctx.s_ctx, + test_ocsp_status_callback_cb), + SSL_SUCCESS); + ExpectIntEQ( + SSL_CTX_set_tlsext_status_arg(test_ctx.s_ctx, (void*)&cb_ctx), + SSL_SUCCESS); + if (enable_client_ocsp) { + ExpectIntEQ(wolfSSL_UseOCSPStapling(test_ctx.c_ssl, + WOLFSSL_CSR_OCSP, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(test_ctx.c_ctx), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPMustStaple(test_ctx.c_ctx), + WOLFSSL_SUCCESS); + } + ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), + TEST_SUCCESS); + ExpectIntEQ(cb_ctx.invoked, enable_client_ocsp ? 1 : 0); + test_ssl_memio_cleanup(&test_ctx); + if (!EXPECT_SUCCESS()) + return EXPECT_RESULT(); + } + } +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + /* test client sending both OCSPv1 and OCSPv2/MultiOCSP */ + /* StatusCb only supports OCSPv1 */ + ExpectIntEQ(test_ocsp_status_callback_test_setup(&cb_ctx, &test_ctx, + wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), + TEST_SUCCESS); + ExpectIntEQ(SSL_CTX_set_tlsext_status_cb(test_ctx.s_ctx, + test_ocsp_status_callback_cb), + SSL_SUCCESS); + ExpectIntEQ(SSL_CTX_set_tlsext_status_arg(test_ctx.s_ctx, (void*)&cb_ctx), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(test_ctx.c_ctx), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPMustStaple(test_ctx.c_ctx), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_UseOCSPStapling(test_ctx.c_ssl, WOLFSSL_CSR_OCSP, 0), + WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_UseOCSPStaplingV2(test_ctx.c_ssl, WOLFSSL_CSR2_OCSP_MULTI, 0), + WOLFSSL_SUCCESS); + wolfSSL_set_verify(test_ctx.c_ssl, WOLFSSL_VERIFY_DEFAULT, NULL); + 
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS); + ExpectIntEQ(cb_ctx.invoked, 1); + test_ssl_memio_cleanup(&test_ctx); + + if (!EXPECT_SUCCESS()) + return EXPECT_RESULT(); +#endif /* defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) */ + /* test cb returning NO_ACK, not acking the OCSP */ + for (i = 0; i < sizeof(params) / sizeof(params[0]); i++) { + for (enable_must_staple = 0; enable_must_staple <= 1; + enable_must_staple++) { + ExpectIntEQ(test_ocsp_status_callback_test_setup(&cb_ctx, &test_ctx, + params[i].c_method, params[i].s_method), + TEST_SUCCESS); + ExpectIntEQ(SSL_CTX_set_tlsext_status_cb(test_ctx.s_ctx, + test_ocsp_status_callback_cb_noack), + SSL_SUCCESS); + ExpectIntEQ( + SSL_CTX_set_tlsext_status_arg(test_ctx.s_ctx, (void*)&cb_ctx), + SSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(test_ctx.c_ctx), + WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_UseOCSPStapling(test_ctx.c_ssl, WOLFSSL_CSR_OCSP, 0), + WOLFSSL_SUCCESS); + if (enable_must_staple) + ExpectIntEQ(wolfSSL_CTX_EnableOCSPMustStaple(test_ctx.c_ctx), + WOLFSSL_SUCCESS); + wolfSSL_set_verify(test_ctx.c_ssl, WOLFSSL_VERIFY_DEFAULT, NULL); + ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), + enable_must_staple ? 
TEST_FAIL : TEST_SUCCESS); + ExpectIntEQ(cb_ctx.invoked, 1); + test_ssl_memio_cleanup(&test_ctx); + if (!EXPECT_SUCCESS()) + return EXPECT_RESULT(); + } + } + + /* test cb returning err aborting handshake */ + for (i = 0; i < sizeof(params) / sizeof(params[0]); i++) { + for (enable_client_ocsp = 0; enable_client_ocsp <= 1; + enable_client_ocsp++) { + ExpectIntEQ(test_ocsp_status_callback_test_setup(&cb_ctx, &test_ctx, + params[i].c_method, params[i].s_method), + TEST_SUCCESS); + ExpectIntEQ(SSL_CTX_set_tlsext_status_cb(test_ctx.s_ctx, + test_ocsp_status_callback_cb_err), + SSL_SUCCESS); + ExpectIntEQ( + SSL_CTX_set_tlsext_status_arg(test_ctx.s_ctx, (void*)&cb_ctx), + SSL_SUCCESS); + if (enable_client_ocsp) + ExpectIntEQ(wolfSSL_CTX_EnableOCSPStapling(test_ctx.c_ctx), + WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_UseOCSPStapling(test_ctx.c_ssl, WOLFSSL_CSR_OCSP, 0), + WOLFSSL_SUCCESS); + wolfSSL_set_verify(test_ctx.c_ssl, WOLFSSL_VERIFY_DEFAULT, NULL); + ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), + enable_client_ocsp ? TEST_FAIL : TEST_SUCCESS); + ExpectIntEQ(cb_ctx.invoked, enable_client_ocsp ? 1 : 0); + test_ssl_memio_cleanup(&test_ctx); + if (!EXPECT_SUCCESS()) + return EXPECT_RESULT(); + } + } + + return EXPECT_RESULT(); +} + +#else +int test_ocsp_status_callback(void) { return TEST_SKIPPED; } +#endif /* defined(HAVE_OCSP) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) \ + && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) \ + && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) */ diff --git a/tests/api/test_ocsp.h b/tests/api/test_ocsp.h new file mode 100644 index 000000000..a09642a0d --- /dev/null +++ b/tests/api/test_ocsp.h 
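Review bot: The `resp_bad_noauth` case in `test_ocsp_response_parsing` asserts only `ExpectIntNE(ret, WOLFSSL_SUCCESS)`, and `test_ocsp_response_with_cm` returns the `wolfSSL_CertManagerCheckOCSP` result while its own Expect results appear to be dropped (it ends with `return ret;`, not `EXPECT_RESULT()`). A failed CA load or callback registration would therefore make the issuer-authorization rejection test pass for the wrong reason. I would have the helper return `EXPECT_RESULT()` and hand the check result back through an `int*` out-parameter, then compare it against the specific error the issuer check is expected to produce. Separately, `response->sig[0] ^= 0xff;` in `test_ocsp_basic_verify` runs even when the preceding `ExpectPtrNE(response, NULL)` has failed, since the Expect macros evidently do not return (the file tests `EXPECT_SUCCESS()` by hand elsewhere). Guarding it as `if (response != NULL) response->sig[0] ^= 0xff;` keeps a decode failure from turning into a crash that hides the real error.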
@@ -0,0 +1,29 @@
+/* ocsp.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFSSL_TEST_OCSP_H
+#define WOLFSSL_TEST_OCSP_H
+
+int test_ocsp_status_callback(void);
+int test_ocsp_basic_verify(void);
+int test_ocsp_response_parsing(void);
+#endif /* WOLFSSL_TEST_OCSP_H */
+
diff --git a/tests/api/test_ocsp_test_blobs.h b/tests/api/test_ocsp_test_blobs.h
new file mode 100644
index 000000000..1a4d96d34
--- /dev/null
+++ b/tests/api/test_ocsp_test_blobs.h
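Review bot: The prototype `int test_ocsp_status_callback(void);` has external linkage, but the enabled branch of tests/api/test_ocsp.c defines the function as `static int test_ocsp_status_callback(void)`, while its `#else` stub is non-static. If test_ocsp.c includes this header, that is a "static declaration follows non-static declaration" compile error; if it does not, the symbol is missing at link time for any caller outside that file. The include lines are stripped in this view, so which of the two happens is not visible. Dropping `static` from the definition resolves both cases. The banner comment `/* ocsp.h` should also read `/* test_ocsp.h`, and likewise `/* ocsp.c` in the source file.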
@@ -0,0 +1,1046 @@ +/* +* This file is generated automatically by running ./tests/api/create_ocsp_test_blobs.py. +*/ +#ifndef OCSP_TEST_BLOBS_H +#define OCSP_TEST_BLOBS_H + +unsigned char resp[] = { + 0x30, 0x82, 0x07, 0x04, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0xfd, 0x30, + 0x82, 0x06, 0xf9, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x06, 0xea, 0x30, 0x82, 0x06, 0xe6, 0x30, 0x82, + 0x01, 0x06, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, + 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, + 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, + 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, + 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, + 0x30, 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, + 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, + 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, + 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, + 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, + 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, + 0x35, 0x30, 0x32, 
0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, + 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x07, 0x9b, 0xec, 0x6e, 0xb0, 0x3d, + 0x93, 0xc2, 0xc5, 0x92, 0x69, 0xe1, 0x53, 0xd1, 0xbb, 0x0a, 0x5e, 0x29, + 0x59, 0x0f, 0x3b, 0xe5, 0x59, 0x94, 0xfe, 0x76, 0x06, 0x3b, 0x66, 0x3d, + 0xdc, 0x1e, 0x1b, 0xab, 0xee, 0x3c, 0x88, 0xc4, 0xaa, 0xe3, 0x7f, 0xa0, + 0x0f, 0x35, 0x22, 0x74, 0xb3, 0x8b, 0xe4, 0x0b, 0x1a, 0x45, 0x97, 0xba, + 0xd0, 0xea, 0xa4, 0x38, 0x21, 0x35, 0xcc, 0xb0, 0x20, 0x8c, 0xef, 0xa8, + 0xd1, 0x84, 0x90, 0x13, 0xf6, 0x0c, 0x11, 0x8c, 0x5f, 0xda, 0x24, 0x09, + 0x88, 0x47, 0x79, 0x08, 0x72, 0xd1, 0x37, 0xad, 0x2f, 0x05, 0x91, 0x7d, + 0xb2, 0xc3, 0xbb, 0xdc, 0x4f, 0x97, 0xaa, 0x49, 0xbe, 0x97, 0xa7, 0x3b, + 0xb2, 0x4f, 0x9f, 0x05, 0x2e, 0xc9, 0x56, 0x82, 0xd5, 0x5e, 0x35, 0xb9, + 0xd0, 0x95, 0x4e, 0xd1, 0x13, 0x8b, 0x2f, 0x30, 0xe6, 0xdf, 0x8f, 0x57, + 0xbe, 0x8d, 0x34, 0x8b, 0x28, 0x76, 0x14, 0x86, 0xcb, 0x2d, 0xef, 0xa2, + 0x12, 0xbe, 0x2b, 0x9d, 0x0f, 0x32, 0x4f, 0x33, 0x77, 0xcd, 0xf7, 0xb2, + 0xaa, 0xce, 0xea, 0xe7, 0xa3, 0x1b, 0x2e, 0x59, 0xf6, 0x1a, 0xd5, 0xaf, + 0xcd, 0x61, 0x95, 0xc4, 0x88, 0x47, 0x30, 0xd9, 0xef, 0xf2, 0x52, 0xfd, + 0x50, 0xed, 0xcd, 0x8b, 0x54, 0x13, 0x00, 0xad, 0xb0, 0x2e, 0x61, 0x02, + 0xba, 0xf3, 0x73, 0xfd, 0x05, 0xc6, 0xf1, 0xd0, 0x3a, 0x00, 0xfa, 0x88, + 0xbb, 0xbc, 0xc4, 0xd6, 0xe6, 0xce, 0xd2, 0xcd, 0xd3, 0x1d, 0xc1, 0xe6, + 0x67, 0x0e, 0x9f, 0x1b, 0x4d, 0x1b, 0x28, 0x76, 0x3c, 0xd2, 0x8c, 0x82, + 0x22, 0xc7, 0xb5, 0xc9, 0xbf, 0xfd, 0x8c, 0x86, 0x93, 0x6c, 0x5c, 0xd4, + 0x20, 0x4a, 0x6e, 0xb4, 0xe7, 0x05, 0x4e, 0x66, 0x78, 0xc5, 0xfa, 0x74, + 0x13, 0xae, 0x3c, 0x1d, 0x81, 0x28, 0x32, 0xf4, 0x3e, 0x10, 0xa0, 0x82, + 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, + 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x81, 
0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, + 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, + 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, + 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, 0x38, 0x32, 0x31, 0x32, + 0x35, 0x33, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, + 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, + 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, + 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, + 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 
0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, + 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb8, 0xba, 0x23, + 0xb4, 0xf6, 0xc3, 0x7b, 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5, + 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, 0xf8, 0x7c, 0xa2, 0x8a, + 0x04, 0x8b, 0xd5, 0x75, 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a, + 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, 0x22, 0xb4, 0x94, 0x41, + 0x38, 0xe2, 0x9d, 0x74, 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb, + 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, 0x41, 0x74, 0x67, 0x75, + 0x95, 0xa9, 0x94, 0xd5, 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95, + 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, 0x16, 0x80, 0x90, 0xce, + 0x24, 0x35, 0x21, 0xc4, 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3, + 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, 0x4a, 0x16, 0xbd, 0x39, + 0x8b, 0xad, 0x05, 0x48, 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72, + 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, 0x76, 0xf8, 0xe0, 0x4a, + 0xec, 0xbc, 0x93, 0xf4, 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03, + 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, 0xf5, 0x1e, 0xe8, 0xc7, + 0x5d, 0x9b, 0x8b, 0x11, 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff, + 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, 0x8c, 0x27, 0xac, 0x11, + 0xb8, 0xd8, 0x43, 0x49, 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda, + 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, 0x00, 0x76, 0x50, 0xef, + 0x15, 0x08, 0xd7, 0xb4, 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f, + 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, 0x0a, 0x8b, 0x98, 0xf3, + 0xe3, 0xff, 0x4e, 0x44, 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5, + 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x0a, 0x30, 0x82, + 0x01, 0x06, 0x30, 
0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, + 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, + 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, + 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, 0x30, 0x81, 0xc4, 0x06, + 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, + 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, + 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, + 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, + 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, + 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, + 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, + 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, + 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x82, 0x01, 0x63, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, + 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4d, 0xa2, 0xd8, 0x55, + 0xe0, 0x2b, 0xf4, 0xad, 0x65, 0xe2, 0x92, 0x35, 0xcb, 0x60, 0xa0, 0xa2, + 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, 0x57, 0x37, 0xbd, 0x2e, 0x28, 0x6e, + 0x1c, 0x56, 0x2a, 0x35, 0xde, 0xff, 0x3e, 0x8e, 0x3d, 0x47, 0x21, 0x1a, + 0xe9, 0xd3, 0xc6, 
0xb4, 0xe2, 0xcb, 0x3e, 0xc6, 0xaf, 0x9b, 0xef, 0x23, + 0x88, 0x56, 0x95, 0x73, 0x2e, 0xb3, 0xed, 0xc5, 0x11, 0x4b, 0x69, 0xf7, + 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, 0xc9, 0x59, 0xfd, 0xe2, 0xa0, 0x81, + 0xa0, 0x4c, 0x0c, 0x2c, 0xcb, 0x57, 0xad, 0x96, 0x3a, 0x8c, 0x32, 0xa6, + 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, 0x26, 0x69, 0xd6, 0x6a, 0x4c, 0x4c, + 0x78, 0x18, 0x3c, 0xca, 0x19, 0xf1, 0xb5, 0x8e, 0x23, 0x81, 0x5b, 0x27, + 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, 0x78, 0x99, 0x6b, 0x25, 0xbd, 0x2f, + 0xae, 0x1b, 0xaa, 0xce, 0x84, 0xb9, 0x44, 0x21, 0x46, 0xc0, 0x34, 0x6b, + 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, 0xf1, 0xef, 0xe6, 0x66, 0xbc, 0x84, + 0x63, 0x56, 0x50, 0x7d, 0xbb, 0x2c, 0x2f, 0x7b, 0x47, 0xb4, 0xfd, 0x58, + 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, 0x72, 0x8e, 0x4c, 0x7e, 0x4f, 0x93, + 0xeb, 0x5f, 0x8f, 0x9c, 0x1e, 0x59, 0x7a, 0x96, 0xaa, 0x53, 0x77, 0x22, + 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, 0xe8, 0x9d, 0x65, 0xbd, 0x0c, 0x71, + 0x3c, 0xbb, 0xa3, 0x07, 0xbf, 0xfb, 0xa8, 0xd1, 0x18, 0x0a, 0xb4, 0xc4, + 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, 0x5b, 0x05, 0x28, 0xc1, 0x01, 0x31, + 0x73, 0x5c, 0x2b, 0xbd, 0x60, 0x97, 0xa3, 0x36, 0x82, 0x96, 0xd7, 0x83, + 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, 0x86, 0x41, 0x55, 0xb9, 0x70, 0x87, + 0xd5, 0x02, 0x85, 0x13, 0x41, 0xf8, 0x25, 0x05, 0xab, 0x6a, 0xaa, 0x57, +}; + +unsigned char resp_rid_bykey[] = { + 0x30, 0x82, 0x06, 0x76, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0x6f, 0x30, + 0x82, 0x06, 0x6b, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x06, 0x5c, 0x30, 0x82, 0x06, 0x58, 0x30, 0x7a, + 0xa2, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, + 0x9f, 0x23, 0x0c, 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, + 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, + 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, + 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, + 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 
0x31, 0x9a, 0x4c, 0xb8, + 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, + 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, + 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, + 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, + 0x38, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x0b, 0x3d, 0x00, 0x91, + 0x35, 0xdb, 0x77, 0xa9, 0x98, 0x8f, 0x08, 0x08, 0x6e, 0x16, 0x32, 0x2b, + 0x87, 0xfd, 0x88, 0xa7, 0x99, 0x9a, 0xa6, 0xb4, 0x8f, 0xfb, 0xfc, 0x48, + 0x18, 0x86, 0x97, 0x78, 0x08, 0x9d, 0x7a, 0x8f, 0xf5, 0x0f, 0x78, 0xd7, + 0xf1, 0xdf, 0xe9, 0x1b, 0x06, 0x07, 0xc1, 0x89, 0x9e, 0xc4, 0xe3, 0xef, + 0xe0, 0xe3, 0x33, 0xb4, 0xd3, 0x95, 0x4d, 0xce, 0x19, 0xe8, 0xa8, 0x6b, + 0x12, 0x4b, 0xb9, 0x3a, 0x96, 0x6e, 0x1b, 0x5e, 0xd1, 0x23, 0x82, 0x0b, + 0x83, 0x70, 0x3d, 0x91, 0x54, 0x44, 0x28, 0x40, 0x21, 0x50, 0xdf, 0x4c, + 0xa9, 0x91, 0x3c, 0xdb, 0xc5, 0xa6, 0x2f, 0xa1, 0x2f, 0xe0, 0x60, 0x41, + 0x14, 0x1c, 0xd4, 0x5c, 0xcd, 0x79, 0xf1, 0x5f, 0xd5, 0x6a, 0x9e, 0x7f, + 0x96, 0xa9, 0xeb, 0x95, 0x08, 0x3e, 0xaf, 0x71, 0x40, 0x0a, 0xef, 0x5d, + 0x74, 0xb9, 0x2d, 0x66, 0xc5, 0x54, 0x3e, 0xf9, 0x6d, 0x4a, 0xb8, 0xad, + 0xc5, 0xd9, 0x85, 0xb8, 0x68, 0xe5, 0x2b, 0x96, 0xdc, 0xf8, 0xae, 0xf2, + 0xc1, 0x32, 0xf5, 0x18, 0x17, 0x58, 0x33, 0xa5, 0x6a, 0xe7, 0x23, 0x5b, + 0x40, 0x67, 0xdb, 0x5b, 0xf5, 0x69, 0x4a, 0x1f, 0x23, 0xd6, 0x41, 0x36, + 0x77, 0x3a, 0x61, 0xec, 0xa3, 0xf0, 0xed, 0xc1, 0xea, 0x9a, 0x72, 0x56, + 0xa8, 0x14, 0x96, 0x92, 0x60, 0x74, 0x41, 0x3d, 0x48, 0x9a, 0x57, 0x12, + 0xf6, 0xc8, 0x43, 0x1c, 0xd5, 0x98, 0x4e, 0xbe, 0x67, 0xe4, 0x3b, 0x07, + 0x4e, 0xcf, 0xa9, 0x69, 0x94, 0xd8, 0xeb, 0x10, 0x6e, 0xc5, 0x89, 0xbd, + 0xb3, 0x84, 0xff, 0xbc, 0xcd, 0x92, 0x26, 0x92, 0xbd, 0x10, 0x37, 0xc6, + 0xec, 0x2c, 0x31, 0xc9, 0x93, 0x81, 0x77, 0x4c, 0xaf, 0xc6, 0x8d, 0xf5, + 0x9d, 0x01, 0x24, 0xb2, 0x97, 0x51, 0x81, 0x2a, 
0xa4, 0xb1, 0x04, 0x32, + 0xa0, 0x82, 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, + 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, + 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, + 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, + 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, + 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, 0x38, 0x32, + 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, + 0x31, 0x34, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, 0x81, 0x9e, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, + 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, + 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, + 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 
0x31, 0x1f, 0x30, 0x1d, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, + 0x53, 0x4c, 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb8, + 0xba, 0x23, 0xb4, 0xf6, 0xc3, 0x7b, 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, + 0xa1, 0xf5, 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, 0xf8, 0x7c, + 0xa2, 0x8a, 0x04, 0x8b, 0xd5, 0x75, 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, + 0x07, 0x7a, 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, 0x22, 0xb4, + 0x94, 0x41, 0x38, 0xe2, 0x9d, 0x74, 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, + 0xc5, 0xdb, 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, 0x41, 0x74, + 0x67, 0x75, 0x95, 0xa9, 0x94, 0xd5, 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, + 0x92, 0x95, 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, 0x16, 0x80, + 0x90, 0xce, 0x24, 0x35, 0x21, 0xc4, 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, + 0x2d, 0xb3, 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, 0x4a, 0x16, + 0xbd, 0x39, 0x8b, 0xad, 0x05, 0x48, 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, + 0x06, 0x72, 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, 0x76, 0xf8, + 0xe0, 0x4a, 0xec, 0xbc, 0x93, 0xf4, 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, + 0x66, 0x03, 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, 0xf5, 0x1e, + 0xe8, 0xc7, 0x5d, 0x9b, 0x8b, 0x11, 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, + 0x78, 0xff, 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, 0x8c, 0x27, + 0xac, 0x11, 0xb8, 0xd8, 0x43, 0x49, 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, + 0xae, 0xda, 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, 0x00, 0x76, + 0x50, 0xef, 0x15, 0x08, 0xd7, 0xb4, 0x73, 0x68, 
0x26, 0x14, 0x87, 0x95, + 0xc3, 0x5f, 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, 0x0a, 0x8b, + 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, + 0x65, 0xe5, 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x0a, + 0x30, 0x82, 0x01, 0x06, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, + 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, + 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, + 0x0c, 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, 0x30, 0x81, + 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, + 0x80, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, + 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, + 0x9d, 0xa4, 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, + 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, + 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, + 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, + 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, + 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, + 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, + 0x03, 0x09, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 
0x01, 0x00, 0x4d, 0xa2, + 0xd8, 0x55, 0xe0, 0x2b, 0xf4, 0xad, 0x65, 0xe2, 0x92, 0x35, 0xcb, 0x60, + 0xa0, 0xa2, 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, 0x57, 0x37, 0xbd, 0x2e, + 0x28, 0x6e, 0x1c, 0x56, 0x2a, 0x35, 0xde, 0xff, 0x3e, 0x8e, 0x3d, 0x47, + 0x21, 0x1a, 0xe9, 0xd3, 0xc6, 0xb4, 0xe2, 0xcb, 0x3e, 0xc6, 0xaf, 0x9b, + 0xef, 0x23, 0x88, 0x56, 0x95, 0x73, 0x2e, 0xb3, 0xed, 0xc5, 0x11, 0x4b, + 0x69, 0xf7, 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, 0xc9, 0x59, 0xfd, 0xe2, + 0xa0, 0x81, 0xa0, 0x4c, 0x0c, 0x2c, 0xcb, 0x57, 0xad, 0x96, 0x3a, 0x8c, + 0x32, 0xa6, 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, 0x26, 0x69, 0xd6, 0x6a, + 0x4c, 0x4c, 0x78, 0x18, 0x3c, 0xca, 0x19, 0xf1, 0xb5, 0x8e, 0x23, 0x81, + 0x5b, 0x27, 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, 0x78, 0x99, 0x6b, 0x25, + 0xbd, 0x2f, 0xae, 0x1b, 0xaa, 0xce, 0x84, 0xb9, 0x44, 0x21, 0x46, 0xc0, + 0x34, 0x6b, 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, 0xf1, 0xef, 0xe6, 0x66, + 0xbc, 0x84, 0x63, 0x56, 0x50, 0x7d, 0xbb, 0x2c, 0x2f, 0x7b, 0x47, 0xb4, + 0xfd, 0x58, 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, 0x72, 0x8e, 0x4c, 0x7e, + 0x4f, 0x93, 0xeb, 0x5f, 0x8f, 0x9c, 0x1e, 0x59, 0x7a, 0x96, 0xaa, 0x53, + 0x77, 0x22, 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, 0xe8, 0x9d, 0x65, 0xbd, + 0x0c, 0x71, 0x3c, 0xbb, 0xa3, 0x07, 0xbf, 0xfb, 0xa8, 0xd1, 0x18, 0x0a, + 0xb4, 0xc4, 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, 0x5b, 0x05, 0x28, 0xc1, + 0x01, 0x31, 0x73, 0x5c, 0x2b, 0xbd, 0x60, 0x97, 0xa3, 0x36, 0x82, 0x96, + 0xd7, 0x83, 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, 0x86, 0x41, 0x55, 0xb9, + 0x70, 0x87, 0xd5, 0x02, 0x85, 0x13, 0x41, 0xf8, 0x25, 0x05, 0xab, 0x6a, + 0xaa, 0x57, +}; + +unsigned char resp_nocert[] = { + 0x30, 0x82, 0x02, 0x3a, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x02, 0x33, 0x30, + 0x82, 0x02, 0x2f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x02, 0x20, 0x30, 0x82, 0x02, 0x1c, 0x30, 0x82, + 0x01, 0x06, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 
0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, + 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, + 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, + 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, + 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, + 0x30, 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, + 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, + 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, + 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, + 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, + 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, + 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, + 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x07, 0x9b, 0xec, 0x6e, 0xb0, 0x3d, + 0x93, 0xc2, 0xc5, 0x92, 0x69, 0xe1, 0x53, 0xd1, 0xbb, 0x0a, 0x5e, 0x29, + 0x59, 0x0f, 0x3b, 0xe5, 0x59, 0x94, 0xfe, 0x76, 0x06, 0x3b, 0x66, 0x3d, + 0xdc, 0x1e, 0x1b, 0xab, 0xee, 0x3c, 0x88, 0xc4, 0xaa, 0xe3, 0x7f, 0xa0, + 0x0f, 0x35, 0x22, 0x74, 0xb3, 0x8b, 0xe4, 0x0b, 0x1a, 0x45, 0x97, 0xba, + 0xd0, 0xea, 0xa4, 0x38, 0x21, 0x35, 0xcc, 0xb0, 0x20, 0x8c, 0xef, 
0xa8, + 0xd1, 0x84, 0x90, 0x13, 0xf6, 0x0c, 0x11, 0x8c, 0x5f, 0xda, 0x24, 0x09, + 0x88, 0x47, 0x79, 0x08, 0x72, 0xd1, 0x37, 0xad, 0x2f, 0x05, 0x91, 0x7d, + 0xb2, 0xc3, 0xbb, 0xdc, 0x4f, 0x97, 0xaa, 0x49, 0xbe, 0x97, 0xa7, 0x3b, + 0xb2, 0x4f, 0x9f, 0x05, 0x2e, 0xc9, 0x56, 0x82, 0xd5, 0x5e, 0x35, 0xb9, + 0xd0, 0x95, 0x4e, 0xd1, 0x13, 0x8b, 0x2f, 0x30, 0xe6, 0xdf, 0x8f, 0x57, + 0xbe, 0x8d, 0x34, 0x8b, 0x28, 0x76, 0x14, 0x86, 0xcb, 0x2d, 0xef, 0xa2, + 0x12, 0xbe, 0x2b, 0x9d, 0x0f, 0x32, 0x4f, 0x33, 0x77, 0xcd, 0xf7, 0xb2, + 0xaa, 0xce, 0xea, 0xe7, 0xa3, 0x1b, 0x2e, 0x59, 0xf6, 0x1a, 0xd5, 0xaf, + 0xcd, 0x61, 0x95, 0xc4, 0x88, 0x47, 0x30, 0xd9, 0xef, 0xf2, 0x52, 0xfd, + 0x50, 0xed, 0xcd, 0x8b, 0x54, 0x13, 0x00, 0xad, 0xb0, 0x2e, 0x61, 0x02, + 0xba, 0xf3, 0x73, 0xfd, 0x05, 0xc6, 0xf1, 0xd0, 0x3a, 0x00, 0xfa, 0x88, + 0xbb, 0xbc, 0xc4, 0xd6, 0xe6, 0xce, 0xd2, 0xcd, 0xd3, 0x1d, 0xc1, 0xe6, + 0x67, 0x0e, 0x9f, 0x1b, 0x4d, 0x1b, 0x28, 0x76, 0x3c, 0xd2, 0x8c, 0x82, + 0x22, 0xc7, 0xb5, 0xc9, 0xbf, 0xfd, 0x8c, 0x86, 0x93, 0x6c, 0x5c, 0xd4, + 0x20, 0x4a, 0x6e, 0xb4, 0xe7, 0x05, 0x4e, 0x66, 0x78, 0xc5, 0xfa, 0x74, + 0x13, 0xae, 0x3c, 0x1d, 0x81, 0x28, 0x32, 0xf4, 0x3e, 0x10, +}; + +unsigned char resp_multi[] = { + 0x30, 0x82, 0x02, 0x83, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x02, 0x7c, 0x30, + 0x82, 0x02, 0x78, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x02, 0x69, 0x30, 0x82, 0x02, 0x65, 0x30, 0x82, + 0x01, 0x4f, 0xa1, 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, + 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 
0x67, 0x69, 0x6e, 0x65, 0x65, + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, + 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, + 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x81, 0x9e, 0x30, + 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, + 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, + 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, + 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, + 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, + 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, + 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, + 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, + 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, + 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, + 0x72, 0x15, 0x21, 0x02, 0x01, 0x02, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, + 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, + 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0xa1, 0x28, 0xcf, 0xae, 0x4a, + 0x25, 0xc2, 0x0d, 0xca, 0x13, 0x61, 0xd1, 0x8c, 0x96, 0x9d, 0xf3, 0x19, + 0xc5, 0x24, 0x78, 0xc0, 0x93, 0x34, 0x44, 0x1b, 0x91, 0xe5, 0xd1, 0x67, + 0xd2, 0x22, 0xf0, 0x07, 0x08, 0x76, 0x96, 0x8c, 0x82, 0x31, 0xb2, 0x5d, + 0x2d, 0x39, 0x01, 0xf1, 0x03, 0x84, 0xaa, 0xfa, 0x80, 0x61, 0x37, 0xf7, + 0x55, 0xfb, 0x47, 0x2f, 0xce, 0x58, 0x38, 
0xc5, 0x43, 0xf4, 0xb9, 0x15, + 0x1a, 0x0c, 0xa2, 0xe6, 0xe4, 0xc8, 0xa4, 0x8b, 0x21, 0x43, 0x32, 0xf8, + 0x4f, 0xa8, 0xce, 0xc0, 0x4c, 0x27, 0x4a, 0x54, 0x29, 0x31, 0x23, 0xd7, + 0xfd, 0xa4, 0x32, 0xfb, 0xe1, 0x09, 0x06, 0xee, 0x50, 0xe0, 0xcb, 0x80, + 0x1e, 0x41, 0xc4, 0x52, 0xe2, 0x71, 0xed, 0x4f, 0x49, 0xde, 0xad, 0xfb, + 0xc2, 0xde, 0xed, 0xbe, 0x03, 0xc6, 0xa3, 0x23, 0x57, 0x56, 0x71, 0x47, + 0x3a, 0xb6, 0x5a, 0xb9, 0x73, 0xa3, 0x8a, 0x1d, 0xa8, 0x7c, 0x78, 0x49, + 0x63, 0x31, 0xe5, 0xba, 0x1b, 0x93, 0x0a, 0x60, 0xa6, 0x11, 0x8d, 0x25, + 0x1c, 0x0f, 0x12, 0xc6, 0xc0, 0x85, 0x30, 0xc7, 0x45, 0xca, 0xf0, 0x21, + 0xb1, 0xf7, 0x9b, 0x6c, 0xfd, 0x6c, 0x0d, 0x71, 0xb3, 0x5b, 0x9b, 0x8c, + 0x45, 0xf5, 0x64, 0x4e, 0xc5, 0x61, 0x3d, 0xf1, 0x7e, 0xc3, 0x40, 0xdb, + 0x9b, 0x4e, 0x61, 0x3e, 0xb5, 0x82, 0xaa, 0xb0, 0xd7, 0x45, 0x20, 0x66, + 0x7f, 0xa7, 0x01, 0x6e, 0x0c, 0x88, 0xef, 0xf3, 0x6d, 0x32, 0x96, 0xd0, + 0x66, 0x11, 0x73, 0x4c, 0x28, 0x06, 0xb3, 0x3a, 0x47, 0x22, 0xa4, 0x1b, + 0x3c, 0x0c, 0x81, 0xaa, 0x54, 0x69, 0x81, 0x6c, 0x96, 0xc2, 0x5a, 0x9c, + 0xc2, 0x33, 0x86, 0x8f, 0x9c, 0x55, 0xb2, 0xcc, 0x13, 0x09, 0xb3, 0x2a, + 0x31, 0x07, 0x94, 0xfe, 0x73, 0x84, 0x18, 0xd1, 0x61, 0xcb, 0x12, +}; + +unsigned char resp_bad_noauth[] = { + 0x30, 0x82, 0x02, 0x83, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x02, 0x7c, 0x30, + 0x82, 0x02, 0x78, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x02, 0x69, 0x30, 0x82, 0x02, 0x65, 0x30, 0x82, + 0x01, 0x4f, 0xa1, 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, + 0x55, 
0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, + 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, + 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x81, 0x9e, 0x30, + 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, + 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, + 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, + 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, + 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, + 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, + 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0xff, 0x66, 0x21, + 0x8a, 0x6e, 0xc5, 0x86, 0x61, 0x84, 0x25, 0x9a, 0xba, 0xd6, 0x55, 0x39, + 0xfb, 0x25, 0x51, 0x2c, 0xdd, 0x04, 0x14, 0x27, 0x8e, 0x67, 0x11, 0x74, + 0xc3, 0x26, 0x1d, 0x3f, 0xed, 0x33, 0x63, 0xb3, 0xa4, 0xd8, 0x1d, 0x30, + 0xe5, 0xe8, 0xd5, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, + 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, + 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x24, 0x33, 0xd4, 0xe9, 0x7a, + 0xae, 0x7d, 0x32, 0x0e, 0xf9, 0x04, 0x6a, 0x99, 0xd9, 0x18, 0xc6, 0x50, + 0x3d, 0x16, 0x14, 0x56, 0xeb, 0x59, 0x86, 0xf5, 0x4c, 0x38, 0x82, 0x90, + 0x06, 0xa6, 0xd5, 0xb8, 0x2d, 0x0e, 0x62, 0x2b, 0xbe, 0x64, 0x75, 0xbb, + 0xc6, 0x9c, 0x0f, 0x9e, 0xc8, 0x14, 0xbf, 0xc6, 0x3c, 0xea, 0xb0, 0x0a, + 0x19, 
0xb5, 0xbc, 0x91, 0x23, 0x2c, 0xfe, 0xe5, 0x3f, 0x7f, 0x2b, 0xdd, + 0xa9, 0xb6, 0x06, 0xae, 0x5d, 0x08, 0x5c, 0xa0, 0x77, 0x6a, 0x28, 0x4e, + 0x77, 0xb7, 0x85, 0xdd, 0xde, 0xcb, 0x16, 0x71, 0xee, 0x16, 0x81, 0x99, + 0x5c, 0x14, 0x52, 0x11, 0x39, 0x22, 0xc0, 0x24, 0x5e, 0x28, 0xcc, 0xf8, + 0x75, 0x32, 0x51, 0xe4, 0xc0, 0x4c, 0xc0, 0x63, 0xf7, 0x91, 0x47, 0x10, + 0x48, 0x52, 0xac, 0x51, 0xe4, 0xf2, 0x86, 0x06, 0x04, 0xb0, 0x04, 0x80, + 0xd9, 0x56, 0xda, 0xb0, 0x0f, 0xe7, 0x75, 0xc4, 0x38, 0xb5, 0x50, 0xe7, + 0x7f, 0xfa, 0x50, 0xe4, 0xee, 0x02, 0xe2, 0xd2, 0x13, 0xcd, 0xc0, 0xc9, + 0xc1, 0x57, 0xe2, 0xec, 0x18, 0x5c, 0xf2, 0x80, 0xc3, 0xf1, 0x94, 0x71, + 0x55, 0x75, 0x2a, 0xcf, 0x46, 0xef, 0xb5, 0xcf, 0x23, 0x4b, 0x7a, 0x25, + 0x37, 0xc3, 0x9e, 0xea, 0x76, 0xaa, 0x29, 0x74, 0xd5, 0xeb, 0x20, 0xcb, + 0x0b, 0x09, 0x11, 0x9f, 0xa9, 0x5f, 0x4e, 0x4b, 0xdc, 0x57, 0x92, 0xf8, + 0xa6, 0x32, 0x5d, 0xf7, 0x09, 0xa4, 0x32, 0x21, 0x23, 0xb8, 0xbf, 0x2c, + 0x3f, 0xed, 0x58, 0x46, 0x9b, 0x56, 0x62, 0xc9, 0xa2, 0xaf, 0x1e, 0x69, + 0xda, 0x7d, 0x54, 0xd7, 0x29, 0x05, 0x7c, 0xd7, 0x21, 0x3e, 0x55, 0x9e, + 0x4a, 0xa1, 0x12, 0xf2, 0x3a, 0xd4, 0x06, 0xc1, 0xca, 0x7c, 0x8e, 0x69, + 0xdb, 0x52, 0x0b, 0xdb, 0x7a, 0xad, 0x17, 0xe0, 0x09, 0x04, 0x27, +}; + +unsigned char ocsp_responder_cert_pem[] = { + 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, + 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, + 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 
0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, + 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, + 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, + 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, + 0x32, 0x31, 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x17, 0x0d, + 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, + 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, + 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, + 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, + 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, + 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, + 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xb8, 0xba, 0x23, 0xb4, 0xf6, 0xc3, 0x7b, 0x14, 0xc3, + 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5, 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, + 0x50, 0x6d, 0xf8, 0x7c, 0xa2, 0x8a, 
0x04, 0x8b, 0xd5, 0x75, 0x5c, 0x2d, + 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a, 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, + 0x1f, 0xb1, 0x22, 0xb4, 0x94, 0x41, 0x38, 0xe2, 0x9d, 0x74, 0xd6, 0x8b, + 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb, 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, + 0x5a, 0x3f, 0x41, 0x74, 0x67, 0x75, 0x95, 0xa9, 0x94, 0xd5, 0xc3, 0xee, + 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95, 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, + 0x18, 0xde, 0x16, 0x80, 0x90, 0xce, 0x24, 0x35, 0x21, 0xc4, 0x55, 0xac, + 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3, 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, + 0x50, 0xee, 0x4a, 0x16, 0xbd, 0x39, 0x8b, 0xad, 0x05, 0x48, 0x87, 0xb1, + 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72, 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, + 0xc8, 0xf1, 0x76, 0xf8, 0xe0, 0x4a, 0xec, 0xbc, 0x93, 0xf4, 0x66, 0x4c, + 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03, 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, + 0xfe, 0x97, 0xf5, 0x1e, 0xe8, 0xc7, 0x5d, 0x9b, 0x8b, 0x11, 0x19, 0x12, + 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff, 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, + 0xb2, 0x1b, 0x8c, 0x27, 0xac, 0x11, 0xb8, 0xd8, 0x43, 0x49, 0xcf, 0xb0, + 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda, 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, + 0x65, 0x6c, 0x00, 0x76, 0x50, 0xef, 0x15, 0x08, 0xd7, 0xb4, 0x73, 0x68, + 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f, 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, + 0x80, 0x1a, 0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, 0x1c, 0x65, + 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5, 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x82, 0x01, 0x0a, 0x30, 0x82, 0x01, 0x06, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, + 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, + 0x30, 0x36, 0x30, 0x81, 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, + 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, + 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, + 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, 
0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, + 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, + 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, + 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, + 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, + 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, + 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, + 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, 0x13, 0x06, + 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x09, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x4d, 0xa2, 0xd8, 0x55, 0xe0, 0x2b, 0xf4, 0xad, 0x65, 0xe2, + 0x92, 0x35, 0xcb, 0x60, 0xa0, 0xa2, 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, + 0x57, 0x37, 0xbd, 0x2e, 0x28, 0x6e, 0x1c, 0x56, 0x2a, 0x35, 0xde, 0xff, + 0x3e, 0x8e, 0x3d, 0x47, 0x21, 0x1a, 0xe9, 0xd3, 0xc6, 0xb4, 0xe2, 0xcb, + 0x3e, 0xc6, 0xaf, 0x9b, 0xef, 0x23, 0x88, 0x56, 0x95, 0x73, 0x2e, 0xb3, + 0xed, 0xc5, 0x11, 0x4b, 0x69, 0xf7, 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, + 0xc9, 0x59, 0xfd, 0xe2, 0xa0, 0x81, 0xa0, 0x4c, 0x0c, 0x2c, 0xcb, 0x57, + 0xad, 0x96, 0x3a, 0x8c, 0x32, 0xa6, 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, + 0x26, 0x69, 0xd6, 0x6a, 0x4c, 0x4c, 0x78, 0x18, 0x3c, 0xca, 0x19, 0xf1, + 0xb5, 0x8e, 0x23, 0x81, 0x5b, 0x27, 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, + 0x78, 0x99, 0x6b, 0x25, 0xbd, 0x2f, 
0xae, 0x1b, 0xaa, 0xce, 0x84, 0xb9, + 0x44, 0x21, 0x46, 0xc0, 0x34, 0x6b, 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, + 0xf1, 0xef, 0xe6, 0x66, 0xbc, 0x84, 0x63, 0x56, 0x50, 0x7d, 0xbb, 0x2c, + 0x2f, 0x7b, 0x47, 0xb4, 0xfd, 0x58, 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, + 0x72, 0x8e, 0x4c, 0x7e, 0x4f, 0x93, 0xeb, 0x5f, 0x8f, 0x9c, 0x1e, 0x59, + 0x7a, 0x96, 0xaa, 0x53, 0x77, 0x22, 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, + 0xe8, 0x9d, 0x65, 0xbd, 0x0c, 0x71, 0x3c, 0xbb, 0xa3, 0x07, 0xbf, 0xfb, + 0xa8, 0xd1, 0x18, 0x0a, 0xb4, 0xc4, 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, + 0x5b, 0x05, 0x28, 0xc1, 0x01, 0x31, 0x73, 0x5c, 0x2b, 0xbd, 0x60, 0x97, + 0xa3, 0x36, 0x82, 0x96, 0xd7, 0x83, 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, + 0x86, 0x41, 0x55, 0xb9, 0x70, 0x87, 0xd5, 0x02, 0x85, 0x13, 0x41, 0xf8, + 0x25, 0x05, 0xab, 0x6a, 0xaa, 0x57, +}; + +unsigned char root_ca_cert_pem[] = { + 0x30, 0x82, 0x04, 0xe6, 0x30, 0x82, 0x03, 0xce, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x01, 0x63, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, + 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, + 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, + 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, + 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, + 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 
0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, + 0x32, 0x31, 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x17, 0x0d, + 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, + 0x5a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, + 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, + 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, + 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, + 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xab, 0x2c, 0xb4, 0x2f, + 0x1d, 0x06, 0x09, 0xef, 0x4e, 0x29, 0x86, 0x84, 0x7e, 0xcc, 0xbf, 0xa6, + 0x79, 0x7c, 0xf0, 0xc0, 0xc1, 0x64, 0x25, 0x8c, 0x75, 0xb7, 0x10, 0x05, + 0xca, 0x48, 0x27, 0x0c, 0x0e, 0x32, 0x1c, 0xb0, 0xfe, 0x99, 0x85, 0x39, + 0xb6, 0xb9, 0xa2, 0xf7, 0x27, 0xff, 0x6d, 0x3c, 0x8c, 0x16, 0x73, 0x29, + 0x21, 0x7f, 0x8b, 0xa6, 0x54, 0x71, 0x90, 0xad, 0xcc, 0x05, 0xb9, 0x9f, + 0x15, 0xc7, 0x0a, 0x3f, 0x5f, 0x69, 0xf4, 0x0a, 0x5f, 0x8c, 0x71, 0xb5, + 0x2c, 0xbf, 0x66, 0xe2, 0x03, 0x9a, 0x32, 0xf4, 0xd2, 0xec, 0x2a, 0x89, + 0x4b, 0xf9, 0x35, 0x88, 0x14, 0x33, 0x47, 0x4e, 0x2e, 0x05, 0x79, 0x01, + 0xed, 0x64, 0x36, 0x76, 0xb9, 
0xf8, 0x85, 0xcd, 0x01, 0x88, 0xac, 0xc5, + 0xb2, 0xb1, 0x59, 0xb8, 0xcd, 0x5a, 0xf4, 0x09, 0x09, 0x38, 0x9b, 0xda, + 0x5a, 0xcf, 0xce, 0x78, 0x99, 0x1f, 0x49, 0x3d, 0x41, 0xd6, 0x06, 0x7c, + 0x52, 0x99, 0xc8, 0x97, 0xd1, 0xb3, 0x80, 0x3a, 0xa2, 0x4f, 0x36, 0xc4, + 0xc5, 0x96, 0x30, 0x77, 0x31, 0x38, 0xc8, 0x70, 0xcc, 0xe1, 0x67, 0x06, + 0xb3, 0x2b, 0x2f, 0x93, 0xb5, 0x69, 0xcf, 0x83, 0x7e, 0x88, 0x53, 0x9b, + 0x0f, 0x46, 0x21, 0x4c, 0xd6, 0x05, 0x36, 0x44, 0x99, 0x60, 0x68, 0x47, + 0xe5, 0x32, 0x01, 0x12, 0xd4, 0x10, 0x73, 0xae, 0x9a, 0x34, 0x94, 0xfa, + 0x6e, 0xb8, 0x58, 0x4f, 0x7b, 0x5b, 0x8a, 0x92, 0x97, 0xad, 0xfd, 0x97, + 0xb9, 0x75, 0xca, 0xc2, 0xd4, 0x45, 0x7d, 0x17, 0x6b, 0xcd, 0x2f, 0xf3, + 0x63, 0x7a, 0x0e, 0x30, 0xb5, 0x0b, 0xa9, 0xd9, 0xa6, 0x7c, 0x74, 0x60, + 0x9d, 0xcc, 0x09, 0x03, 0x43, 0xf1, 0x0f, 0x90, 0xd3, 0xb7, 0xfe, 0x6c, + 0x9f, 0xd9, 0xcd, 0x78, 0x4b, 0x15, 0xae, 0x8c, 0x5b, 0xf9, 0x99, 0x81, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x39, 0x30, 0x82, 0x01, + 0x35, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, + 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, + 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, + 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x30, 0x81, + 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, + 0x80, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, + 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, + 0x9d, 0xa4, 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, + 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, + 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, + 0x6c, 0x66, 0x53, 0x53, 0x4c, 
0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, + 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, + 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, + 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x32, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, 0x30, 0x22, + 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x16, + 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x31, 0x32, 0x37, 0x2e, 0x30, + 0x2e, 0x30, 0x2e, 0x31, 0x3a, 0x32, 0x32, 0x32, 0x32, 0x30, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x76, 0xe8, 0xfa, 0xf6, 0x1e, 0x5b, + 0x0e, 0xff, 0x24, 0x43, 0xe0, 0xcb, 0x19, 0x26, 0x38, 0xd9, 0xdf, 0x18, + 0x5d, 0x66, 0xe1, 0x4b, 0xac, 0xe4, 0x8e, 0xb0, 0x49, 0x2c, 0xd6, 0x04, + 0x20, 0xeb, 0x4a, 0xa8, 0x06, 0xd7, 0x55, 0xec, 0x6b, 0x38, 0xf8, 0x0f, + 0x8c, 0xe6, 0xc9, 0xec, 0x42, 0xf0, 0xca, 0x07, 0x9f, 0x88, 0x7a, 0xee, + 0xbf, 0xaf, 0x3f, 0x7d, 0xd3, 0x45, 0x67, 0x20, 0x84, 0xbb, 0xc7, 0xc5, + 0x32, 0x69, 0xab, 0x59, 0xe1, 0xe3, 0x38, 0x4b, 0xed, 0x18, 0x2e, 0xde, + 0xda, 0x88, 0xec, 0xa0, 0xb7, 0xff, 0xc1, 0x50, 0x96, 0x73, 0xe3, 0x03, + 0xdf, 0xa1, 0xe7, 0x47, 0x93, 0x13, 0x1d, 0xfb, 0xe6, 0x6b, 0x37, 0x3e, + 0x50, 0xa3, 0xeb, 0x5b, 0x24, 0x26, 0xd2, 0x43, 0x2e, 0x6e, 0x9c, 0x83, + 0x9c, 0xfb, 0x79, 0xba, 0xcd, 0xfd, 0x3b, 0xe5, 0x87, 0x87, 0xa7, 0x0f, + 0x5f, 0xf9, 0x64, 0x34, 0x56, 0x5e, 0x8b, 0x13, 0xe2, 0xc4, 0x41, 0xe3, + 0x9d, 0x3e, 0x36, 0x2d, 0xcb, 0xd3, 0x5f, 0xd3, 0x12, 0x90, 0xbf, 0x78, + 0xc1, 0x4c, 0xdf, 0xeb, 0x7b, 
0x99, 0xe6, 0x1e, 0xee, 0x52, 0x78, 0x6f, + 0x0c, 0x82, 0xe1, 0x59, 0xd4, 0x25, 0x40, 0xe5, 0x24, 0x95, 0x3e, 0x0f, + 0xcc, 0x08, 0x60, 0xfe, 0xb4, 0x8c, 0x48, 0x42, 0xbf, 0x29, 0x74, 0x92, + 0x71, 0x1a, 0x85, 0x00, 0xa7, 0x4c, 0xf0, 0xc0, 0x32, 0x47, 0xf3, 0xbe, + 0xf4, 0x08, 0x5c, 0xf2, 0x43, 0xe0, 0xb9, 0x76, 0x86, 0x60, 0x9a, 0x3b, + 0xaf, 0xd6, 0x32, 0x41, 0x5f, 0xb0, 0x04, 0x12, 0x44, 0x2a, 0x44, 0x19, + 0xd4, 0x27, 0xd3, 0xce, 0x71, 0x7e, 0x5b, 0x16, 0x1a, 0xf5, 0x0c, 0xdb, + 0x43, 0xb0, 0xa6, 0xbb, 0x76, 0x02, 0xf6, 0xe0, 0x30, 0x4e, 0x04, 0xf4, + 0xf3, 0x9b, 0xcd, 0xd4, 0xae, 0x45, 0x94, 0xc5, 0x8c, 0xbb, +}; + +unsigned char ca_cert_pem[] = { + 0x30, 0x82, 0x04, 0xff, 0x30, 0x82, 0x03, 0xe7, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x6b, 0x9b, 0x70, 0xc6, 0xf1, 0xa3, 0x94, 0x65, 0x19, + 0xa1, 0x08, 0x58, 0xef, 0xa7, 0x8d, 0x2b, 0x7a, 0x83, 0xc1, 0xda, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, + 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, + 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, 0x74, + 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0a, + 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, 0x77, + 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, + 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, + 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, 0x38, 0x32, 0x31, 0x32, 0x35, 0x32, + 
0x39, 0x5a, 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, 0x32, 0x31, + 0x32, 0x35, 0x32, 0x39, 0x5a, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, + 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, + 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, + 0x6f, 0x6f, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x0c, 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, + 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0x0c, 0xca, + 0x2d, 0x14, 0xb2, 0x1e, 0x84, 0x42, 0x5b, 0xcd, 0x38, 0x1f, 0x4a, 0xf2, + 0x4d, 0x75, 0x10, 0xf1, 0xb6, 0x35, 0x9f, 0xdf, 0xca, 0x7d, 0x03, 0x98, + 0xd3, 0xac, 0xde, 0x03, 0x66, 0xee, 0x2a, 0xf1, 0xd8, 0xb0, 0x7d, 0x6e, + 0x07, 0x54, 0x0b, 0x10, 0x98, 0x21, 0x4d, 0x80, 0xcb, 0x12, 0x20, 0xe7, + 0xcc, 0x4f, 0xde, 0x45, 0x7d, 0xc9, 0x72, 0x77, 0x32, 0xea, 0xca, 0x90, + 0xbb, 0x69, 0x52, 0x10, 0x03, 0x2f, 0xa8, 0xf3, 0x95, 0xc5, 0xf1, 0x8b, + 0x62, 0x56, 0x1b, 0xef, 0x67, 0x6f, 0xa4, 0x10, 0x41, 0x95, 0xad, 0x0a, + 0x9b, 0xe3, 0xa5, 0xc0, 0xb0, 0xd2, 0x70, 0x76, 0x50, 0x30, 0x5b, 0xa8, + 0xe8, 0x08, 0x2c, 0x7c, 0xed, 0xa7, 0xa2, 0x7a, 0x8d, 0x38, 0x29, 0x1c, + 0xac, 0xc7, 0xed, 0xf2, 0x7c, 0x95, 0xb0, 0x95, 0x82, 0x7d, 0x49, 0x5c, + 
0x38, 0xcd, 0x77, 0x25, 0xef, 0xbd, 0x80, 0x75, 0x53, 0x94, 0x3c, 0x3d, + 0xca, 0x63, 0x5b, 0x9f, 0x15, 0xb5, 0xd3, 0x1d, 0x13, 0x2f, 0x19, 0xd1, + 0x3c, 0xdb, 0x76, 0x3a, 0xcc, 0xb8, 0x7d, 0xc9, 0xe5, 0xc2, 0xd7, 0xda, + 0x40, 0x6f, 0xd8, 0x21, 0xdc, 0x73, 0x1b, 0x42, 0x2d, 0x53, 0x9c, 0xfe, + 0x1a, 0xfc, 0x7d, 0xab, 0x7a, 0x36, 0x3f, 0x98, 0xde, 0x84, 0x7c, 0x05, + 0x67, 0xce, 0x6a, 0x14, 0x38, 0x87, 0xa9, 0xf1, 0x8c, 0xb5, 0x68, 0xcb, + 0x68, 0x7f, 0x71, 0x20, 0x2b, 0xf5, 0xa0, 0x63, 0xf5, 0x56, 0x2f, 0xa3, + 0x26, 0xd2, 0xb7, 0x6f, 0xb1, 0x5a, 0x17, 0xd7, 0x38, 0x99, 0x08, 0xfe, + 0x93, 0x58, 0x6f, 0xfe, 0xc3, 0x13, 0x49, 0x08, 0x16, 0x0b, 0xa7, 0x4d, + 0x67, 0x00, 0x52, 0x31, 0x67, 0x23, 0x4e, 0x98, 0xed, 0x51, 0x45, 0x1d, + 0xb9, 0x04, 0xd9, 0x0b, 0xec, 0xd8, 0x28, 0xb3, 0x4b, 0xbd, 0xed, 0x36, + 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x45, 0x30, 0x82, + 0x01, 0x41, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, + 0x14, 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, 0x3f, 0xed, 0x33, + 0x63, 0xb3, 0xa4, 0xd8, 0x1d, 0x30, 0xe5, 0xe8, 0xd5, 0x30, 0x81, 0xd4, + 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xcc, 0x30, 0x81, 0xc9, 0x80, + 0x14, 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, 0x3f, 0xed, 0x33, + 0x63, 0xb3, 0xa4, 0xd8, 0x1d, 0x30, 0xe5, 0xe8, 0xd5, 0xa1, 0x81, 0x9a, + 0xa4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, + 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, + 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x77, + 
0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x14, + 0x6b, 0x9b, 0x70, 0xc6, 0xf1, 0xa3, 0x94, 0x65, 0x19, 0xa1, 0x08, 0x58, + 0xef, 0xa7, 0x8d, 0x2b, 0x7a, 0x83, 0xc1, 0xda, 0x30, 0x0c, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1c, + 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0b, 0x65, + 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x87, 0x04, + 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, + 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, + 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x77, 0x3b, 0x3d, 0x66, 0x74, + 0xbc, 0x97, 0xfe, 0x40, 0x16, 0xe6, 0xba, 0xa5, 0xd5, 0xd1, 0x84, 0x08, + 0x89, 0x69, 0x4f, 0x88, 0x0d, 0x57, 0xa9, 0xef, 0x8c, 0xc3, 0x97, 0x52, + 0xc8, 0xbd, 0x8b, 0xa2, 0x49, 0x3b, 0xb7, 0xf7, 0x5d, 0x1e, 0xd6, 0x14, + 0x7f, 0xb2, 0x80, 0x33, 0xda, 0xa0, 0x8a, 0xd3, 0xe1, 0x2f, 0xd5, 0xbc, + 0x33, 0x9f, 0xea, 0x5a, 0x72, 0x24, 0xe5, 0xf8, 0xb8, 0x4b, 0xb3, 0xdf, + 0x62, 0x90, 0x3b, 0xa8, 0x21, 0xef, 0x27, 0x42, 0x75, 0xbc, 0x60, 0x02, + 0x8e, 0x37, 0x35, 0x99, 0xeb, 0xa3, 0x28, 0xf2, 0x65, 0x4c, 0xff, 0x7a, + 0xf8, 0x8e, 0xcc, 0x23, 0x6d, 0xe5, 0x6a, 0xfe, 0x22, 0x5a, 0xd9, 0xb2, + 0x4f, 0x47, 0xc7, 0xe0, 0xae, 0x98, 0xef, 0x94, 0xac, 0xb6, 0x4f, 0x61, + 0x81, 0x29, 0x8e, 0xe1, 0x79, 0x2c, 0x46, 0xfc, 0xe9, 0x1a, 0xc3, 0x96, + 0x1f, 0x19, 0x93, 0x64, 0x2e, 0x9f, 0x37, 0x72, 0xc5, 0xe4, 0x93, 0x4e, + 0x61, 0x5f, 0x38, 0x8e, 0xae, 0xe8, 0x39, 0x19, 0xe6, 0x97, 0xa8, 0x91, + 0xd4, 0x23, 0x7e, 0x1e, 0xd2, 0xd0, 0x53, 0xec, 0xcc, 0xac, 0xa0, 0x1d, + 
0xd0, 0xb7, 0xdd, 0xb1, 0xb7, 0x01, 0x2e, 0x96, 0xcd, 0x85, 0x27, 0xe0, + 0xe7, 0x47, 0xe2, 0xc1, 0xc1, 0x00, 0xf6, 0x94, 0xdf, 0x77, 0xe7, 0xfa, + 0xc6, 0xef, 0x8a, 0xc0, 0x7c, 0x67, 0xbc, 0xff, 0xa0, 0x7c, 0x94, 0x3b, + 0x7d, 0x86, 0x42, 0xaf, 0x3d, 0x83, 0x31, 0xee, 0x2a, 0x3b, 0x7b, 0xf0, + 0x2c, 0x9e, 0x6f, 0xe9, 0xc4, 0x07, 0x81, 0x24, 0xda, 0x05, 0x70, 0x4d, + 0xdd, 0x09, 0xae, 0x9e, 0x72, 0xb8, 0x21, 0x0e, 0x8c, 0xb2, 0xab, 0xaa, + 0x4c, 0x49, 0x10, 0xf7, 0x76, 0xf9, 0xb5, 0x0d, 0x6c, 0x20, 0xd3, 0xdf, + 0x7a, 0x06, 0x32, 0x8d, 0x29, 0x1f, 0x28, 0x1d, 0x8d, 0x26, 0x33, +}; + +unsigned char server_cert_pem[] = { + 0x30, 0x82, 0x04, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, + 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, + 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, + 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, + 0x77, 0x74, 0x6f, 0x6f, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x0b, 0x0c, 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, + 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, + 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, 0x38, + 0x32, 0x31, 0x32, 0x35, 0x33, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x37, 0x30, + 0x39, 0x31, 0x34, 0x32, 0x31, 0x32, 0x35, 0x33, 0x30, 0x5a, 0x30, 0x81, + 0x90, 0x31, 0x0b, 0x30, 0x09, 0x06, 
0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, + 0x61, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x53, 0x75, 0x70, 0x70, 0x6f, + 0x72, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, + 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, + 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, + 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc0, 0x95, + 0x08, 0xe1, 0x57, 0x41, 0xf2, 0x71, 0x6d, 0xb7, 0xd2, 0x45, 0x41, 0x27, + 0x01, 0x65, 0xc6, 0x45, 0xae, 0xf2, 0xbc, 0x24, 0x30, 0xb8, 0x95, 0xce, + 0x2f, 0x4e, 0xd6, 0xf6, 0x1c, 0x88, 0xbc, 0x7c, 0x9f, 0xfb, 0xa8, 0x67, + 0x7f, 0xfe, 0x5c, 0x9c, 0x51, 0x75, 0xf7, 0x8a, 0xca, 0x07, 0xe7, 0x35, + 0x2f, 0x8f, 0xe1, 0xbd, 0x7b, 0xc0, 0x2f, 0x7c, 0xab, 0x64, 0xa8, 0x17, + 0xfc, 0xca, 0x5d, 0x7b, 0xba, 0xe0, 0x21, 0xe5, 0x72, 0x2e, 0x6f, 0x2e, + 0x86, 0xd8, 0x95, 0x73, 0xda, 0xac, 0x1b, 0x53, 0xb9, 0x5f, 0x3f, 0xd7, + 0x19, 0x0d, 0x25, 0x4f, 0xe1, 0x63, 0x63, 0x51, 0x8b, 0x0b, 0x64, 0x3f, + 0xad, 0x43, 0xb8, 0xa5, 0x1c, 0x5c, 0x34, 0xb3, 0xae, 0x00, 0xa0, 0x63, + 0xc5, 0xf6, 0x7f, 0x0b, 0x59, 0x68, 0x78, 0x73, 0xa6, 0x8c, 0x18, 0xa9, + 0x02, 0x6d, 0xaf, 0xc3, 0x19, 0x01, 0x2e, 0xb8, 0x10, 0xe3, 0xc6, 0xcc, + 0x40, 0xb4, 0x69, 0xa3, 0x46, 0x33, 0x69, 0x87, 0x6e, 0xc4, 0xbb, 0x17, + 0xa6, 0xf3, 0xe8, 0xdd, 0xad, 0x73, 
0xbc, 0x7b, 0x2f, 0x21, 0xb5, 0xfd, + 0x66, 0x51, 0x0c, 0xbd, 0x54, 0xb3, 0xe1, 0x6d, 0x5f, 0x1c, 0xbc, 0x23, + 0x73, 0xd1, 0x09, 0x03, 0x89, 0x14, 0xd2, 0x10, 0xb9, 0x64, 0xc3, 0x2a, + 0xd0, 0xa1, 0x96, 0x4a, 0xbc, 0xe1, 0xd4, 0x1a, 0x5b, 0xc7, 0xa0, 0xc0, + 0xc1, 0x63, 0x78, 0x0f, 0x44, 0x37, 0x30, 0x32, 0x96, 0x80, 0x32, 0x23, + 0x95, 0xa1, 0x77, 0xba, 0x13, 0xd2, 0x97, 0x73, 0xe2, 0x5d, 0x25, 0xc9, + 0x6a, 0x0d, 0xc3, 0x39, 0x60, 0xa4, 0xb4, 0xb0, 0x69, 0x42, 0x42, 0x09, + 0xe9, 0xd8, 0x08, 0xbc, 0x33, 0x20, 0xb3, 0x58, 0x22, 0xa7, 0xaa, 0xeb, + 0xc4, 0xe1, 0xe6, 0x61, 0x83, 0xc5, 0xd2, 0x96, 0xdf, 0xd9, 0xd0, 0x4f, + 0xad, 0xd7, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x45, 0x30, + 0x82, 0x01, 0x41, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, + 0x04, 0x14, 0xb3, 0x11, 0x32, 0xc9, 0x92, 0x98, 0x84, 0xe2, 0xc9, 0xf8, + 0xd0, 0x3b, 0x6e, 0x03, 0x42, 0xca, 0x1f, 0x0e, 0x8e, 0x3c, 0x30, 0x81, + 0xd4, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xcc, 0x30, 0x81, 0xc9, + 0x80, 0x14, 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, 0x3f, 0xed, + 0x33, 0x63, 0xb3, 0xa4, 0xd8, 0x1d, 0x30, 0xe5, 0xe8, 0xd5, 0xa1, 0x81, + 0x9a, 0xa4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, 0x74, 0x61, + 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, + 0x07, 0x42, 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, 0x30, 0x0f, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, + 0x6f, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x0c, 0x0a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, + 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 
0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, + 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, + 0x14, 0x6b, 0x9b, 0x70, 0xc6, 0xf1, 0xa3, 0x94, 0x65, 0x19, 0xa1, 0x08, + 0x58, 0xef, 0xa7, 0x8d, 0x2b, 0x7a, 0x83, 0xc1, 0xda, 0x30, 0x0c, 0x06, + 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, + 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x15, 0x30, 0x13, 0x82, 0x0b, + 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x87, + 0x04, 0x7f, 0x00, 0x00, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, + 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, + 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8a, 0xf1, 0x4e, 0xe8, + 0x9f, 0x59, 0xb2, 0xd9, 0x13, 0xac, 0xfc, 0x42, 0xc4, 0x81, 0x34, 0x9f, + 0x6b, 0x39, 0x57, 0x9c, 0xe9, 0x92, 0x5d, 0x41, 0xac, 0x05, 0x35, 0xb1, + 0x26, 0x93, 0x4d, 0x4a, 0xda, 0xf8, 0x51, 0x82, 0xd2, 0x8d, 0x7f, 0xd3, + 0x5c, 0x6e, 0x29, 0x80, 0x8d, 0x9b, 0x02, 0x10, 0x2b, 0x64, 0xf5, 0xd1, + 0x31, 0x06, 0xfa, 0x85, 0x2b, 0x8f, 0x63, 0x32, 0x14, 0x76, 0x7a, 0x39, + 0x15, 0xf3, 0x4e, 0xdd, 0xfd, 0xe2, 0x2c, 0x90, 0x15, 0xd1, 0x6f, 0x73, + 0x87, 0xee, 0xe6, 0xc8, 0xeb, 0xad, 0x40, 0xd5, 0xe8, 0x94, 0x1f, 0xa6, + 0x7e, 0x26, 0x5b, 0x87, 0xba, 0x0f, 0x06, 0x5a, 0x4d, 0x55, 0x7a, 0xaa, + 0xc4, 0x09, 0x34, 0x8b, 0xf7, 0xe5, 0xcc, 0xd6, 0xb7, 0x6c, 0x46, 0x6d, + 0xa1, 0xe6, 0x66, 0x66, 0x4c, 0x4b, 0xe5, 0x12, 0x31, 0x37, 0x54, 0x49, + 0x64, 0xa5, 0x66, 0xeb, 0xe0, 0xc6, 0xa1, 0x49, 0xf8, 0x4d, 0xc3, 0xd3, + 0x55, 0xa4, 0x05, 0xd2, 0xac, 0xfb, 0xe1, 0xc8, 0x69, 0x30, 0x4b, 0x98, + 0xfd, 0x72, 0x1a, 0xab, 0x9f, 0x86, 0xeb, 0x0d, 0xbd, 0x7c, 0xa6, 0x3d, + 0x81, 0xd9, 0x01, 0xa7, 0x8a, 0x79, 0xab, 0x3c, 0xce, 0xe5, 0xb6, 0xc3, + 0x1b, 0xef, 0x7d, 0x5e, 0x37, 0x7b, 0x37, 0x7c, 0x91, 0x89, 0x59, 0x11, + 0x21, 0x11, 0x7c, 0x05, 0x80, 0xe1, 
0xa8, 0xd6, 0xf9, 0x35, 0xda, 0x1b, + 0x86, 0x06, 0x5a, 0x32, 0x67, 0x6c, 0xa9, 0x2b, 0xe0, 0x31, 0x7b, 0x89, + 0x53, 0x37, 0x42, 0xaf, 0x34, 0xa4, 0x53, 0xd2, 0x7c, 0x91, 0x50, 0x63, + 0x3a, 0x8e, 0x4a, 0x1f, 0xa3, 0x90, 0x4e, 0x7c, 0x41, 0x59, 0x1d, 0xeb, + 0x7b, 0xa2, 0x14, 0x87, 0xba, 0x76, 0x36, 0xa4, 0x77, 0x46, 0x34, 0xf2, + 0x55, 0x50, 0xf0, 0x24, 0x9f, 0x83, 0x83, 0xda, 0xa6, 0xaa, 0x3c, 0xc8, +}; + +unsigned char intermediate1_ca_cert_pem[] = { + 0x30, 0x82, 0x04, 0xf0, 0x30, 0x82, 0x03, 0xd8, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, + 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, + 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, + 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, + 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, + 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, + 0x32, 0x31, 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x17, 0x0d, + 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, + 0x5a, 0x30, 0x81, 0xa1, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 
0x6e, 0x67, 0x74, + 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, + 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, + 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x72, + 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x20, 0x43, 0x41, 0x20, 0x31, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, + 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xde, 0xb4, 0xc8, 0x5c, 0x77, 0xe0, + 0x2d, 0xb1, 0xf5, 0xb9, 0xad, 0x16, 0x47, 0x35, 0xa0, 0x35, 0x65, 0x65, + 0xc6, 0xe1, 0x40, 0xab, 0x1e, 0xb4, 0xb9, 0x13, 0xb7, 0xcb, 0x8c, 0xbb, + 0x77, 0xa5, 0x76, 0xda, 0x6d, 0x87, 0x87, 0xf6, 0x4a, 0x4d, 0x13, 0xe4, + 0x26, 0x3e, 0x27, 0x87, 0xee, 0x5b, 0xc7, 0x6a, 0x3f, 0x45, 0x30, 0x61, + 0x55, 0x5c, 0xf6, 0x35, 0xd1, 0x65, 0xfa, 0x98, 0x11, 0xa3, 0xa7, 0x55, + 0xd5, 0xbe, 0x91, 0x82, 0x4b, 0xfc, 0xbe, 0x90, 0xd6, 0x50, 0x53, 0x63, + 0x9a, 0x2c, 0x22, 0xe1, 0x35, 0x11, 0xdc, 0x78, 0x02, 0x97, 0x8a, 0xe4, + 0x46, 0x92, 0x9c, 0x53, 0x08, 0x76, 0xde, 0x1f, 0x53, 0xb6, 0xb8, 0xca, + 0x77, 0x3e, 0x79, 0x6e, 0xbc, 0xd0, 0xe3, 0x0d, 0x30, 0x5b, 0x4c, 0xf6, + 0x94, 0x0d, 0x30, 0x29, 0x64, 0x9f, 0x04, 0xe5, 0xdb, 0xfb, 0x89, 0x60, + 0x67, 0xbb, 0xaf, 0x26, 0x83, 0x51, 0x77, 0x24, 0x2f, 0x2b, 0x0b, 0xa1, + 0x94, 0x81, 0x10, 0x98, 0xe8, 0xeb, 0x26, 0xa8, 0x1e, 0x7c, 0xe4, 0xc4, + 0x6c, 0x67, 0x06, 0x95, 0x55, 0x4a, 0xdd, 0x52, 0xf4, 
0xf2, 0x60, 0x6d, + 0x01, 0x2b, 0x19, 0x91, 0x35, 0x6d, 0xa4, 0x08, 0x47, 0x06, 0x71, 0x24, + 0x00, 0xd9, 0xde, 0xc6, 0x56, 0xf3, 0x8b, 0x53, 0x2c, 0xe2, 0x9a, 0x96, + 0xa5, 0xf3, 0x62, 0xe5, 0xc4, 0xe3, 0x23, 0xf2, 0xd2, 0xfc, 0x21, 0xea, + 0x0f, 0x62, 0x76, 0x8d, 0xd5, 0x99, 0x48, 0xce, 0xdc, 0x58, 0xc4, 0xbb, + 0x7f, 0xda, 0x94, 0x2c, 0x80, 0x74, 0x83, 0xc5, 0xe0, 0xb0, 0x15, 0x7e, + 0x41, 0xfd, 0x0e, 0xf2, 0xf4, 0xf0, 0x78, 0x76, 0x7b, 0xad, 0x26, 0x0d, + 0xaa, 0x48, 0x96, 0x17, 0x2f, 0x21, 0xe3, 0x95, 0x2b, 0x26, 0x37, 0xf9, + 0xaa, 0x80, 0x2f, 0xfe, 0xde, 0xf6, 0x5e, 0xbc, 0x97, 0x7f, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x39, 0x30, 0x82, 0x01, 0x35, 0x30, + 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, + 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, + 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, 0xd7, 0x9d, 0x4c, 0xe2, + 0x2a, 0xc0, 0x71, 0x82, 0x64, 0x44, 0xda, 0x0e, 0x30, 0x81, 0xc4, 0x06, + 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, + 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, + 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, + 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, + 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, + 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, + 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, + 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, + 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, + 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 
0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, + 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x82, 0x01, 0x63, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, + 0x03, 0x02, 0x01, 0x06, 0x30, 0x32, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, + 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, 0x30, 0x22, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, + 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, + 0x2e, 0x31, 0x3a, 0x32, 0x32, 0x32, 0x32, 0x30, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0x75, 0x57, 0xf1, 0x0c, 0x87, 0x8f, 0xa2, 0x70, + 0x3c, 0xce, 0xe4, 0x70, 0x0e, 0x99, 0x6a, 0xda, 0xc4, 0x80, 0x94, 0x2c, + 0x25, 0x0c, 0xde, 0x0d, 0x7b, 0xf3, 0x94, 0xf1, 0xe8, 0xad, 0x6f, 0xd0, + 0xde, 0x9a, 0x9d, 0xf5, 0x64, 0x31, 0x65, 0x3f, 0x18, 0xe6, 0xc3, 0xf5, + 0xb5, 0x1d, 0xa2, 0xbe, 0x5b, 0x97, 0x79, 0x41, 0x78, 0x15, 0x1c, 0xb3, + 0x83, 0xde, 0xd0, 0x00, 0xea, 0xd2, 0x70, 0x43, 0xc5, 0x60, 0x60, 0x07, + 0x72, 0xe5, 0x76, 0x59, 0xb8, 0x0e, 0x2f, 0x47, 0xc9, 0x8d, 0xa4, 0x4c, + 0xf1, 0x20, 0xb0, 0x40, 0x3b, 0xed, 0xe9, 0xde, 0xb2, 0x46, 0x10, 0x90, + 0x1b, 0x0f, 0x96, 0x16, 0xe6, 0x97, 0xbc, 0xd5, 0x9a, 0x93, 0xaa, 0x3c, + 0xe3, 0xb3, 0x6b, 0x5f, 0xdb, 0x2c, 0xaf, 0x2b, 0xda, 0x7c, 0x36, 0x36, + 0xaa, 0x86, 0xa1, 0x65, 0x70, 0xc8, 0xf1, 0x34, 0xd1, 0x1f, 0x10, 0x96, + 0x71, 0xe6, 0xcf, 0x69, 0x5c, 0xbf, 0x0e, 0x15, 0x33, 0x97, 0xfe, 0x40, + 0x42, 0xbe, 0x30, 0x48, 0xad, 0xfb, 0xd7, 0x0e, 0x7b, 0x73, 0xdd, 0x64, + 0x30, 0x7e, 0x10, 0x81, 0xac, 0x3b, 0x0b, 0x3c, 0xe4, 0x12, 0x9f, 0x31, + 0x8b, 0x3d, 0xf0, 0x9b, 0x84, 0xdc, 0x5b, 0x32, 0x33, 0x39, 0xde, 0xeb, + 0x1a, 0x17, 0x89, 0xd8, 0x1b, 0x00, 0x33, 0x2d, 0x50, 0xa4, 0x1a, 0x2c, + 0x11, 0xa2, 0x60, 0xac, 0xc1, 0x9a, 0x0f, 0x44, 0x90, 0x00, 0xcf, 0x8d, + 0x6c, 0xaf, 0x5b, 0x71, 0x23, 0x7a, 0xa7, 0x4f, 0xdf, 
0xf5, 0x3f, 0x5c, + 0xae, 0x93, 0xca, 0x4e, 0xec, 0xf0, 0x1b, 0xf4, 0xfa, 0x53, 0x7d, 0xd9, + 0x36, 0xaf, 0x5e, 0x4c, 0x54, 0xc7, 0x3a, 0xd5, 0xe3, 0x68, 0xca, 0x78, + 0xe5, 0x1f, 0x55, 0x44, 0x65, 0xeb, 0x00, 0x2d, 0xc3, 0xc8, 0xba, 0x0e, + 0x1f, 0x47, 0x1c, 0x67, 0x2e, 0xa9, 0xc1, 0x6e, +}; + +unsigned char resp_bad[] = { + 0x30, 0x82, 0x01, 0xa9, 0xa0, 0x82, 0x01, 0xa5, 0x30, 0x82, 0x01, 0xa1, + 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, + 0x82, 0x01, 0x92, 0x30, 0x82, 0x01, 0x8e, 0x30, 0x7a, 0xa2, 0x16, 0x04, + 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, + 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, 0x18, 0x0f, 0x32, + 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, + 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, + 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, + 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, + 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, + 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, + 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, + 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x0b, 0x3d, 0x00, 0x91, 0x35, 0xdb, 0x77, + 0xa9, 0x98, 0x8f, 0x08, 0x08, 0x6e, 0x16, 0x32, 0x2b, 0x87, 0xfd, 0x88, + 0xa7, 0x99, 0x9a, 0xa6, 0xb4, 0x8f, 0xfb, 0xfc, 0x48, 0x18, 0x86, 0x97, + 0x78, 0x08, 0x9d, 0x7a, 0x8f, 0xf5, 0x0f, 0x78, 0xd7, 0xf1, 0xdf, 0xe9, + 0x1b, 0x06, 0x07, 0xc1, 0x89, 0x9e, 0xc4, 0xe3, 0xef, 0xe0, 0xe3, 0x33, + 0xb4, 0xd3, 0x95, 0x4d, 0xce, 0x19, 0xe8, 0xa8, 0x6b, 0x12, 0x4b, 0xb9, + 0x3a, 0x96, 0x6e, 0x1b, 0x5e, 0xd1, 0x23, 0x82, 0x0b, 0x83, 0x70, 0x3d, + 0x91, 0x54, 0x44, 0x28, 0x40, 0x21, 0x50, 0xdf, 0x4c, 0xa9, 0x91, 0x3c, + 0xdb, 0xc5, 0xa6, 0x2f, 0xa1, 0x2f, 0xe0, 
0x60, 0x41, 0x14, 0x1c, 0xd4, + 0x5c, 0xcd, 0x79, 0xf1, 0x5f, 0xd5, 0x6a, 0x9e, 0x7f, 0x96, 0xa9, 0xeb, + 0x95, 0x08, 0x3e, 0xaf, 0x71, 0x40, 0x0a, 0xef, 0x5d, 0x74, 0xb9, 0x2d, + 0x66, 0xc5, 0x54, 0x3e, 0xf9, 0x6d, 0x4a, 0xb8, 0xad, 0xc5, 0xd9, 0x85, + 0xb8, 0x68, 0xe5, 0x2b, 0x96, 0xdc, 0xf8, 0xae, 0xf2, 0xc1, 0x32, 0xf5, + 0x18, 0x17, 0x58, 0x33, 0xa5, 0x6a, 0xe7, 0x23, 0x5b, 0x40, 0x67, 0xdb, + 0x5b, 0xf5, 0x69, 0x4a, 0x1f, 0x23, 0xd6, 0x41, 0x36, 0x77, 0x3a, 0x61, + 0xec, 0xa3, 0xf0, 0xed, 0xc1, 0xea, 0x9a, 0x72, 0x56, 0xa8, 0x14, 0x96, + 0x92, 0x60, 0x74, 0x41, 0x3d, 0x48, 0x9a, 0x57, 0x12, 0xf6, 0xc8, 0x43, + 0x1c, 0xd5, 0x98, 0x4e, 0xbe, 0x67, 0xe4, 0x3b, 0x07, 0x4e, 0xcf, 0xa9, + 0x69, 0x94, 0xd8, 0xeb, 0x10, 0x6e, 0xc5, 0x89, 0xbd, 0xb3, 0x84, 0xff, + 0xbc, 0xcd, 0x92, 0x26, 0x92, 0xbd, 0x10, 0x37, 0xc6, 0xec, 0x2c, 0x31, + 0xc9, 0x93, 0x81, 0x77, 0x4c, 0xaf, 0xc6, 0x8d, 0xf5, 0x9d, 0x01, 0x24, + 0xb2, 0x97, 0x51, 0x81, 0x2a, 0xa4, 0xb1, 0x04, 0x32, +}; + +#endif // OCSP_TEST_BLOBS_H From f782614e1e28e5286d1ce628d596079371825ddb Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 4 Feb 2025 16:21:53 +0000 Subject: [PATCH 07/22] clang tidy fixes --- tests/api/create_ocsp_test_blobs.py | 2 +- tests/api/test_ocsp_test_blobs.h | 304 ++++++++++++++-------------- wolfcrypt/src/asn.c | 4 +- 3 files changed, 156 insertions(+), 154 deletions(-) diff --git a/tests/api/create_ocsp_test_blobs.py b/tests/api/create_ocsp_test_blobs.py index b77e9c582..82c2cfde9 100644 --- a/tests/api/create_ocsp_test_blobs.py +++ b/tests/api/create_ocsp_test_blobs.py @@ -412,4 +412,4 @@ if __name__ == '__main__': 'name': 'resp_bad' }) write_buffer('resp_bad', br, f) - f.write("#endif // OCSP_TEST_BLOBS_H\n") + f.write("#endif /* OCSP_TEST_BLOBS_H */\n") diff --git a/tests/api/test_ocsp_test_blobs.h b/tests/api/test_ocsp_test_blobs.h index 1a4d96d34..9386837ea 100644 --- a/tests/api/test_ocsp_test_blobs.h +++ b/tests/api/test_ocsp_test_blobs.h 
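Review bot: Regenerating the blob header for this comment-only fix to the final `f.write(...)` rewrote 304 lines of `tests/api/test_ocsp_test_blobs.h`, apparently because each run of the script stamps the responses with the current time and re-signs them. In the `resp` hunk the time bytes change from ASCII `20250204153908Z` to `20250204162234Z` and the signature block is replaced. Churn of that size in opaque signed fixtures cannot be checked by reading the diff, so an unintended change to a test response would pass review unnoticed. I would either edit only the `#endif` line of the header by hand for this commit, or document the behaviour next to the write, e.g. `# rerunning this script re-signs every response with the current time; the whole header will change`. The enclosing `if __name__ == '__main__':` block starts outside the hunk, so whether the script can already take a fixed time is not visible here.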
@@ -22,37 +22,37 @@ unsigned char resp[] = { 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, - 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, - 0x30, 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, + 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, + 0x33, 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, - 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, + 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x07, 0x9b, 0xec, 0x6e, 0xb0, 0x3d, - 0x93, 0xc2, 0xc5, 0x92, 0x69, 0xe1, 0x53, 0xd1, 0xbb, 0x0a, 0x5e, 0x29, - 0x59, 0x0f, 0x3b, 0xe5, 0x59, 0x94, 0xfe, 0x76, 0x06, 0x3b, 0x66, 0x3d, - 0xdc, 0x1e, 0x1b, 0xab, 0xee, 0x3c, 0x88, 0xc4, 0xaa, 0xe3, 0x7f, 0xa0, - 0x0f, 0x35, 0x22, 0x74, 0xb3, 0x8b, 0xe4, 0x0b, 0x1a, 0x45, 0x97, 0xba, - 0xd0, 0xea, 0xa4, 0x38, 0x21, 0x35, 0xcc, 0xb0, 0x20, 0x8c, 0xef, 0xa8, - 0xd1, 0x84, 0x90, 0x13, 0xf6, 0x0c, 0x11, 0x8c, 0x5f, 0xda, 0x24, 0x09, - 0x88, 0x47, 0x79, 0x08, 0x72, 0xd1, 0x37, 0xad, 0x2f, 0x05, 0x91, 0x7d, - 0xb2, 0xc3, 0xbb, 0xdc, 0x4f, 0x97, 0xaa, 0x49, 0xbe, 0x97, 0xa7, 0x3b, - 0xb2, 0x4f, 0x9f, 0x05, 0x2e, 0xc9, 0x56, 0x82, 0xd5, 0x5e, 0x35, 0xb9, - 0xd0, 0x95, 0x4e, 0xd1, 0x13, 0x8b, 0x2f, 0x30, 0xe6, 0xdf, 0x8f, 0x57, - 0xbe, 0x8d, 0x34, 0x8b, 0x28, 0x76, 0x14, 
0x86, 0xcb, 0x2d, 0xef, 0xa2, - 0x12, 0xbe, 0x2b, 0x9d, 0x0f, 0x32, 0x4f, 0x33, 0x77, 0xcd, 0xf7, 0xb2, - 0xaa, 0xce, 0xea, 0xe7, 0xa3, 0x1b, 0x2e, 0x59, 0xf6, 0x1a, 0xd5, 0xaf, - 0xcd, 0x61, 0x95, 0xc4, 0x88, 0x47, 0x30, 0xd9, 0xef, 0xf2, 0x52, 0xfd, - 0x50, 0xed, 0xcd, 0x8b, 0x54, 0x13, 0x00, 0xad, 0xb0, 0x2e, 0x61, 0x02, - 0xba, 0xf3, 0x73, 0xfd, 0x05, 0xc6, 0xf1, 0xd0, 0x3a, 0x00, 0xfa, 0x88, - 0xbb, 0xbc, 0xc4, 0xd6, 0xe6, 0xce, 0xd2, 0xcd, 0xd3, 0x1d, 0xc1, 0xe6, - 0x67, 0x0e, 0x9f, 0x1b, 0x4d, 0x1b, 0x28, 0x76, 0x3c, 0xd2, 0x8c, 0x82, - 0x22, 0xc7, 0xb5, 0xc9, 0xbf, 0xfd, 0x8c, 0x86, 0x93, 0x6c, 0x5c, 0xd4, - 0x20, 0x4a, 0x6e, 0xb4, 0xe7, 0x05, 0x4e, 0x66, 0x78, 0xc5, 0xfa, 0x74, - 0x13, 0xae, 0x3c, 0x1d, 0x81, 0x28, 0x32, 0xf4, 0x3e, 0x10, 0xa0, 0x82, + 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6d, 0x4a, 0x57, 0xc9, 0xef, 0xa5, + 0x17, 0x87, 0xa9, 0xc3, 0x39, 0x44, 0x19, 0x70, 0x93, 0x16, 0x47, 0x0f, + 0x0a, 0x9d, 0xfb, 0x7e, 0x35, 0xda, 0x96, 0x84, 0x2d, 0x67, 0x20, 0x2c, + 0x41, 0xa6, 0xbf, 0xa3, 0x73, 0x8e, 0x4d, 0x02, 0xf9, 0x07, 0x5e, 0x06, + 0xd5, 0x8c, 0x70, 0x90, 0x71, 0x55, 0xaf, 0x8b, 0xad, 0xfd, 0xa9, 0xeb, + 0x83, 0xae, 0x4e, 0x6b, 0x69, 0x76, 0x01, 0xe1, 0x5a, 0xd5, 0x60, 0xa9, + 0x03, 0x09, 0xa6, 0x53, 0x6f, 0x30, 0x66, 0x9e, 0x99, 0x09, 0xe0, 0x3f, + 0xfa, 0x80, 0xc0, 0x54, 0x70, 0x59, 0xdc, 0xcd, 0xf8, 0xcf, 0x77, 0x25, + 0xcf, 0xf7, 0xb6, 0xfe, 0xe1, 0x17, 0xcf, 0x08, 0xb1, 0xb3, 0x24, 0x4a, + 0x5b, 0xdb, 0x3a, 0xbd, 0xae, 0xa8, 0xc3, 0x51, 0x5b, 0xfa, 0xf7, 0xbb, + 0xf5, 0x1e, 0xc3, 0x81, 0xa9, 0x94, 0xeb, 0x62, 0x97, 0xd6, 0xff, 0x91, + 0xcc, 0xc1, 0xd3, 0xea, 0x01, 0xa4, 0xe1, 0xa4, 0xf6, 0x4a, 0xa5, 0xbf, + 0x11, 0xd6, 0xbb, 0x3d, 0xde, 0x8c, 0xaa, 0x46, 0xa4, 0xe3, 0xc2, 0x47, + 0xb8, 0x13, 0x07, 0x2e, 0xbd, 0x6b, 0x81, 0xd6, 0x31, 0x73, 0xaa, 0x0c, + 0x7f, 0xf4, 0x8c, 0x4c, 0x70, 0x83, 0x12, 0xc8, 0xac, 0x37, 0xef, 0x79, + 0xae, 0xb3, 0xdf, 0xf0, 0x33, 0x53, 0x9a, 0x63, 0x3e, 0x19, 0x63, 0x62, + 0xea, 0x0d, 0x34, 0x4e, 0x09, 0x23, 0xeb, 
0xd4, 0x89, 0x5e, 0x01, 0x91, + 0xe3, 0xbb, 0x04, 0x3a, 0x8e, 0xb5, 0x49, 0x17, 0x66, 0x77, 0xf7, 0x9e, + 0xf2, 0xc2, 0x50, 0x83, 0xc2, 0x8d, 0x27, 0xee, 0xa8, 0x1b, 0xc4, 0xad, + 0xb6, 0xc8, 0xfe, 0x47, 0x36, 0x2a, 0x49, 0xc9, 0x86, 0xef, 0x09, 0xb0, + 0x4d, 0x5f, 0xa2, 0x9c, 0x51, 0xcb, 0xe9, 0x18, 0x1c, 0xce, 0x46, 0x0c, + 0x55, 0xa4, 0xfd, 0x11, 0xcf, 0xaa, 0x6f, 0xae, 0x56, 0xc6, 0xa0, 0x82, 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 
@@ -163,37 +163,37 @@ unsigned char resp_rid_bykey[] = { 0x01, 0x01, 0x04, 0x82, 0x06, 0x5c, 0x30, 0x82, 0x06, 0x58, 0x30, 0x7a, 0xa2, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, - 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, - 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, + 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, + 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, - 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, - 0x38, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x0b, 0x3d, 0x00, 0x91, - 0x35, 0xdb, 0x77, 0xa9, 0x98, 0x8f, 0x08, 0x08, 0x6e, 0x16, 0x32, 0x2b, - 0x87, 0xfd, 0x88, 0xa7, 0x99, 0x9a, 0xa6, 0xb4, 0x8f, 0xfb, 0xfc, 0x48, - 0x18, 0x86, 0x97, 0x78, 0x08, 0x9d, 0x7a, 0x8f, 0xf5, 0x0f, 0x78, 0xd7, - 0xf1, 0xdf, 0xe9, 0x1b, 0x06, 0x07, 0xc1, 0x89, 0x9e, 0xc4, 0xe3, 0xef, - 0xe0, 0xe3, 0x33, 0xb4, 0xd3, 0x95, 0x4d, 0xce, 0x19, 0xe8, 0xa8, 0x6b, - 0x12, 0x4b, 0xb9, 0x3a, 0x96, 0x6e, 0x1b, 0x5e, 0xd1, 0x23, 0x82, 0x0b, - 0x83, 0x70, 0x3d, 0x91, 0x54, 0x44, 0x28, 0x40, 0x21, 0x50, 0xdf, 0x4c, - 0xa9, 0x91, 0x3c, 0xdb, 0xc5, 0xa6, 0x2f, 0xa1, 0x2f, 0xe0, 0x60, 0x41, - 0x14, 0x1c, 0xd4, 0x5c, 0xcd, 0x79, 0xf1, 0x5f, 0xd5, 0x6a, 0x9e, 0x7f, - 0x96, 0xa9, 0xeb, 0x95, 0x08, 0x3e, 0xaf, 0x71, 0x40, 0x0a, 0xef, 0x5d, - 0x74, 0xb9, 0x2d, 0x66, 0xc5, 0x54, 0x3e, 0xf9, 0x6d, 0x4a, 0xb8, 0xad, - 0xc5, 0xd9, 0x85, 0xb8, 0x68, 
0xe5, 0x2b, 0x96, 0xdc, 0xf8, 0xae, 0xf2, - 0xc1, 0x32, 0xf5, 0x18, 0x17, 0x58, 0x33, 0xa5, 0x6a, 0xe7, 0x23, 0x5b, - 0x40, 0x67, 0xdb, 0x5b, 0xf5, 0x69, 0x4a, 0x1f, 0x23, 0xd6, 0x41, 0x36, - 0x77, 0x3a, 0x61, 0xec, 0xa3, 0xf0, 0xed, 0xc1, 0xea, 0x9a, 0x72, 0x56, - 0xa8, 0x14, 0x96, 0x92, 0x60, 0x74, 0x41, 0x3d, 0x48, 0x9a, 0x57, 0x12, - 0xf6, 0xc8, 0x43, 0x1c, 0xd5, 0x98, 0x4e, 0xbe, 0x67, 0xe4, 0x3b, 0x07, - 0x4e, 0xcf, 0xa9, 0x69, 0x94, 0xd8, 0xeb, 0x10, 0x6e, 0xc5, 0x89, 0xbd, - 0xb3, 0x84, 0xff, 0xbc, 0xcd, 0x92, 0x26, 0x92, 0xbd, 0x10, 0x37, 0xc6, - 0xec, 0x2c, 0x31, 0xc9, 0x93, 0x81, 0x77, 0x4c, 0xaf, 0xc6, 0x8d, 0xf5, - 0x9d, 0x01, 0x24, 0xb2, 0x97, 0x51, 0x81, 0x2a, 0xa4, 0xb1, 0x04, 0x32, + 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, + 0x34, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x13, 0x5a, 0x5e, 0x74, + 0x4f, 0x2e, 0x7c, 0xa1, 0x7d, 0x89, 0x2a, 0x0c, 0x14, 0x1f, 0x13, 0xaf, + 0x17, 0x61, 0x87, 0xf8, 0xcc, 0x70, 0x82, 0x3e, 0x0e, 0x4f, 0xbe, 0x4f, + 0xc4, 0x95, 0xcc, 0x79, 0x2c, 0xe4, 0x87, 0x2c, 0x81, 0xc0, 0x5a, 0xfa, + 0x9f, 0xb4, 0xec, 0xdc, 0xae, 0x64, 0xca, 0xee, 0x35, 0xc3, 0x67, 0xd9, + 0xf5, 0x32, 0x6e, 0x2e, 0x2b, 0x71, 0x85, 0x24, 0xff, 0xfd, 0xe2, 0x6b, + 0x8f, 0xf6, 0xaa, 0xa5, 0x0a, 0xb3, 0x56, 0xb4, 0xa5, 0xb8, 0xf9, 0x7a, + 0x35, 0x6a, 0x8c, 0xe4, 0x58, 0x64, 0x04, 0xfe, 0x6f, 0x64, 0xf7, 0x26, + 0x07, 0xc0, 0xf5, 0x41, 0xf2, 0xba, 0x8b, 0x16, 0x51, 0x1f, 0xdd, 0xcc, + 0xf0, 0xc5, 0x5b, 0x38, 0xa6, 0xb8, 0xa7, 0xf4, 0x18, 0x92, 0xec, 0xab, + 0x71, 0xa2, 0x15, 0xed, 0x69, 0x6c, 0x9f, 0x8f, 0x2b, 0x88, 0x2f, 0x94, + 0x5b, 0x5d, 0x93, 0xb6, 0xa1, 0x4a, 0x04, 0x36, 0xd1, 0xb1, 0x41, 0x23, + 0x34, 0x21, 0x76, 0xa1, 0x22, 0x98, 0x88, 0xff, 0xbc, 0x07, 0xa6, 0x1e, + 0x6c, 0x63, 0x2f, 0x72, 0x9b, 0x9c, 0xa4, 0x70, 0x53, 0x9f, 0x6c, 0xbc, + 0xac, 0x8f, 0x6d, 0xfb, 0xfe, 0xaf, 0x72, 0x7c, 0x00, 0xe7, 0x66, 0xed, + 0x0f, 0xf5, 0x87, 0xac, 0xa4, 
0x1f, 0x9b, 0x5a, 0x70, 0xb7, 0xda, 0x04, + 0xf1, 0xa6, 0x88, 0x36, 0xa1, 0xbb, 0xb8, 0xf4, 0xd5, 0x50, 0x56, 0x45, + 0xa8, 0xe1, 0xe5, 0x51, 0x0e, 0xbe, 0x86, 0x5b, 0xfb, 0x87, 0x46, 0x95, + 0xf4, 0x1c, 0x4b, 0x14, 0x17, 0xec, 0x14, 0xa6, 0xd5, 0xdc, 0xd5, 0x06, + 0xb8, 0xc8, 0x1b, 0x5c, 0xb8, 0xe8, 0x10, 0x13, 0x40, 0x1f, 0xc4, 0xd9, + 0x6b, 0xdd, 0xe1, 0x06, 0xa9, 0xcd, 0x0e, 0x97, 0x6e, 0x92, 0x2a, 0x87, + 0x00, 0xc4, 0x9b, 0xd2, 0x94, 0xfa, 0x4e, 0x7d, 0x34, 0x74, 0xfe, 0xf5, 0xa0, 0x82, 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 
@@ -317,37 +317,37 @@ unsigned char resp_nocert[] = { 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, - 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, - 0x30, 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, + 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, + 0x33, 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, - 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, + 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x07, 0x9b, 0xec, 0x6e, 0xb0, 0x3d, - 0x93, 0xc2, 0xc5, 0x92, 0x69, 0xe1, 0x53, 0xd1, 0xbb, 0x0a, 0x5e, 0x29, - 0x59, 0x0f, 0x3b, 0xe5, 0x59, 0x94, 0xfe, 0x76, 0x06, 0x3b, 0x66, 0x3d, - 0xdc, 0x1e, 0x1b, 0xab, 0xee, 0x3c, 0x88, 0xc4, 0xaa, 0xe3, 0x7f, 0xa0, - 0x0f, 0x35, 0x22, 0x74, 0xb3, 0x8b, 0xe4, 0x0b, 0x1a, 0x45, 0x97, 0xba, - 0xd0, 0xea, 0xa4, 0x38, 0x21, 0x35, 0xcc, 0xb0, 0x20, 0x8c, 0xef, 0xa8, - 0xd1, 0x84, 0x90, 0x13, 0xf6, 0x0c, 0x11, 0x8c, 0x5f, 0xda, 0x24, 0x09, - 0x88, 0x47, 0x79, 0x08, 0x72, 0xd1, 0x37, 0xad, 0x2f, 0x05, 0x91, 0x7d, - 0xb2, 0xc3, 0xbb, 0xdc, 0x4f, 0x97, 0xaa, 0x49, 0xbe, 0x97, 0xa7, 0x3b, - 0xb2, 0x4f, 0x9f, 0x05, 0x2e, 0xc9, 0x56, 0x82, 0xd5, 0x5e, 0x35, 0xb9, - 0xd0, 0x95, 0x4e, 0xd1, 0x13, 0x8b, 0x2f, 0x30, 0xe6, 0xdf, 0x8f, 0x57, - 0xbe, 0x8d, 0x34, 0x8b, 0x28, 0x76, 
0x14, 0x86, 0xcb, 0x2d, 0xef, 0xa2, - 0x12, 0xbe, 0x2b, 0x9d, 0x0f, 0x32, 0x4f, 0x33, 0x77, 0xcd, 0xf7, 0xb2, - 0xaa, 0xce, 0xea, 0xe7, 0xa3, 0x1b, 0x2e, 0x59, 0xf6, 0x1a, 0xd5, 0xaf, - 0xcd, 0x61, 0x95, 0xc4, 0x88, 0x47, 0x30, 0xd9, 0xef, 0xf2, 0x52, 0xfd, - 0x50, 0xed, 0xcd, 0x8b, 0x54, 0x13, 0x00, 0xad, 0xb0, 0x2e, 0x61, 0x02, - 0xba, 0xf3, 0x73, 0xfd, 0x05, 0xc6, 0xf1, 0xd0, 0x3a, 0x00, 0xfa, 0x88, - 0xbb, 0xbc, 0xc4, 0xd6, 0xe6, 0xce, 0xd2, 0xcd, 0xd3, 0x1d, 0xc1, 0xe6, - 0x67, 0x0e, 0x9f, 0x1b, 0x4d, 0x1b, 0x28, 0x76, 0x3c, 0xd2, 0x8c, 0x82, - 0x22, 0xc7, 0xb5, 0xc9, 0xbf, 0xfd, 0x8c, 0x86, 0x93, 0x6c, 0x5c, 0xd4, - 0x20, 0x4a, 0x6e, 0xb4, 0xe7, 0x05, 0x4e, 0x66, 0x78, 0xc5, 0xfa, 0x74, - 0x13, 0xae, 0x3c, 0x1d, 0x81, 0x28, 0x32, 0xf4, 0x3e, 0x10, + 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6d, 0x4a, 0x57, 0xc9, 0xef, 0xa5, + 0x17, 0x87, 0xa9, 0xc3, 0x39, 0x44, 0x19, 0x70, 0x93, 0x16, 0x47, 0x0f, + 0x0a, 0x9d, 0xfb, 0x7e, 0x35, 0xda, 0x96, 0x84, 0x2d, 0x67, 0x20, 0x2c, + 0x41, 0xa6, 0xbf, 0xa3, 0x73, 0x8e, 0x4d, 0x02, 0xf9, 0x07, 0x5e, 0x06, + 0xd5, 0x8c, 0x70, 0x90, 0x71, 0x55, 0xaf, 0x8b, 0xad, 0xfd, 0xa9, 0xeb, + 0x83, 0xae, 0x4e, 0x6b, 0x69, 0x76, 0x01, 0xe1, 0x5a, 0xd5, 0x60, 0xa9, + 0x03, 0x09, 0xa6, 0x53, 0x6f, 0x30, 0x66, 0x9e, 0x99, 0x09, 0xe0, 0x3f, + 0xfa, 0x80, 0xc0, 0x54, 0x70, 0x59, 0xdc, 0xcd, 0xf8, 0xcf, 0x77, 0x25, + 0xcf, 0xf7, 0xb6, 0xfe, 0xe1, 0x17, 0xcf, 0x08, 0xb1, 0xb3, 0x24, 0x4a, + 0x5b, 0xdb, 0x3a, 0xbd, 0xae, 0xa8, 0xc3, 0x51, 0x5b, 0xfa, 0xf7, 0xbb, + 0xf5, 0x1e, 0xc3, 0x81, 0xa9, 0x94, 0xeb, 0x62, 0x97, 0xd6, 0xff, 0x91, + 0xcc, 0xc1, 0xd3, 0xea, 0x01, 0xa4, 0xe1, 0xa4, 0xf6, 0x4a, 0xa5, 0xbf, + 0x11, 0xd6, 0xbb, 0x3d, 0xde, 0x8c, 0xaa, 0x46, 0xa4, 0xe3, 0xc2, 0x47, + 0xb8, 0x13, 0x07, 0x2e, 0xbd, 0x6b, 0x81, 0xd6, 0x31, 0x73, 0xaa, 0x0c, + 0x7f, 0xf4, 0x8c, 0x4c, 0x70, 0x83, 0x12, 0xc8, 0xac, 0x37, 0xef, 0x79, + 0xae, 0xb3, 0xdf, 0xf0, 0x33, 0x53, 0x9a, 0x63, 0x3e, 0x19, 0x63, 0x62, + 0xea, 0x0d, 0x34, 0x4e, 0x09, 0x23, 0xeb, 0xd4, 
0x89, 0x5e, 0x01, 0x91, + 0xe3, 0xbb, 0x04, 0x3a, 0x8e, 0xb5, 0x49, 0x17, 0x66, 0x77, 0xf7, 0x9e, + 0xf2, 0xc2, 0x50, 0x83, 0xc2, 0x8d, 0x27, 0xee, 0xa8, 0x1b, 0xc4, 0xad, + 0xb6, 0xc8, 0xfe, 0x47, 0x36, 0x2a, 0x49, 0xc9, 0x86, 0xef, 0x09, 0xb0, + 0x4d, 0x5f, 0xa2, 0x9c, 0x51, 0xcb, 0xe9, 0x18, 0x1c, 0xce, 0x46, 0x0c, + 0x55, 0xa4, 0xfd, 0x11, 0xcf, 0xaa, 0x6f, 0xae, 0x56, 0xc6, }; unsigned char resp_multi[] = { 
@@ -368,43 +368,43 @@ unsigned char resp_multi[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, - 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x81, 0x9e, 0x30, + 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x81, 0x9e, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, - 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, + 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x02, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, - 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, + 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0xa1, 0x28, 0xcf, 0xae, 0x4a, - 0x25, 0xc2, 0x0d, 0xca, 0x13, 0x61, 0xd1, 0x8c, 0x96, 0x9d, 0xf3, 0x19, - 0xc5, 0x24, 0x78, 0xc0, 0x93, 0x34, 0x44, 0x1b, 0x91, 0xe5, 0xd1, 0x67, - 0xd2, 0x22, 0xf0, 0x07, 0x08, 0x76, 0x96, 0x8c, 0x82, 0x31, 0xb2, 0x5d, - 0x2d, 0x39, 0x01, 0xf1, 0x03, 0x84, 0xaa, 0xfa, 0x80, 0x61, 0x37, 0xf7, - 0x55, 0xfb, 0x47, 0x2f, 0xce, 0x58, 0x38, 0xc5, 
0x43, 0xf4, 0xb9, 0x15, - 0x1a, 0x0c, 0xa2, 0xe6, 0xe4, 0xc8, 0xa4, 0x8b, 0x21, 0x43, 0x32, 0xf8, - 0x4f, 0xa8, 0xce, 0xc0, 0x4c, 0x27, 0x4a, 0x54, 0x29, 0x31, 0x23, 0xd7, - 0xfd, 0xa4, 0x32, 0xfb, 0xe1, 0x09, 0x06, 0xee, 0x50, 0xe0, 0xcb, 0x80, - 0x1e, 0x41, 0xc4, 0x52, 0xe2, 0x71, 0xed, 0x4f, 0x49, 0xde, 0xad, 0xfb, - 0xc2, 0xde, 0xed, 0xbe, 0x03, 0xc6, 0xa3, 0x23, 0x57, 0x56, 0x71, 0x47, - 0x3a, 0xb6, 0x5a, 0xb9, 0x73, 0xa3, 0x8a, 0x1d, 0xa8, 0x7c, 0x78, 0x49, - 0x63, 0x31, 0xe5, 0xba, 0x1b, 0x93, 0x0a, 0x60, 0xa6, 0x11, 0x8d, 0x25, - 0x1c, 0x0f, 0x12, 0xc6, 0xc0, 0x85, 0x30, 0xc7, 0x45, 0xca, 0xf0, 0x21, - 0xb1, 0xf7, 0x9b, 0x6c, 0xfd, 0x6c, 0x0d, 0x71, 0xb3, 0x5b, 0x9b, 0x8c, - 0x45, 0xf5, 0x64, 0x4e, 0xc5, 0x61, 0x3d, 0xf1, 0x7e, 0xc3, 0x40, 0xdb, - 0x9b, 0x4e, 0x61, 0x3e, 0xb5, 0x82, 0xaa, 0xb0, 0xd7, 0x45, 0x20, 0x66, - 0x7f, 0xa7, 0x01, 0x6e, 0x0c, 0x88, 0xef, 0xf3, 0x6d, 0x32, 0x96, 0xd0, - 0x66, 0x11, 0x73, 0x4c, 0x28, 0x06, 0xb3, 0x3a, 0x47, 0x22, 0xa4, 0x1b, - 0x3c, 0x0c, 0x81, 0xaa, 0x54, 0x69, 0x81, 0x6c, 0x96, 0xc2, 0x5a, 0x9c, - 0xc2, 0x33, 0x86, 0x8f, 0x9c, 0x55, 0xb2, 0xcc, 0x13, 0x09, 0xb3, 0x2a, - 0x31, 0x07, 0x94, 0xfe, 0x73, 0x84, 0x18, 0xd1, 0x61, 0xcb, 0x12, + 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6f, 0x6e, 0x22, 0x3a, 0x1d, + 0xa0, 0x71, 0xf0, 0x52, 0x0d, 0x6b, 0x4f, 0xc8, 0x3d, 0x7c, 0x14, 0x69, + 0x04, 0xe2, 0xcb, 0x42, 0x1d, 0xe0, 0xe2, 0x77, 0x9d, 0xb1, 0xa2, 0x61, + 0x41, 0x78, 0x21, 0x23, 0x98, 0x0c, 0xec, 0x2b, 0x59, 0x97, 0x42, 0x91, + 0x5e, 0x0f, 0x3a, 0x31, 0x0e, 0xe5, 0x66, 0xda, 0x2b, 0x24, 0xaf, 0x26, + 0x29, 0x75, 0x06, 0xba, 0x9f, 0x04, 0x29, 0x7c, 0x0b, 0x36, 0x38, 0x49, + 0xa9, 0x82, 0x17, 0x08, 0xfc, 0x08, 0x9f, 0x9a, 0xdb, 0x63, 0x69, 0x0d, + 0x7e, 0xe8, 0xd9, 0x04, 0x41, 0xee, 0x52, 0x34, 0x24, 0x86, 0xd7, 0xb3, + 0x45, 0x57, 0x05, 0xda, 0x39, 0x07, 0x7e, 0xb4, 0x73, 0x6b, 0x53, 0x1c, + 0xe5, 0x30, 0x0f, 0x07, 0xb6, 0xf6, 0xb1, 0xe1, 0x26, 0xd5, 0x64, 0xd8, + 0xa3, 0xaa, 0xb8, 0x91, 0x6a, 0x90, 0xa1, 0x8a, 0x2b, 
0x4f, 0x98, 0x57, + 0xc6, 0x94, 0x5b, 0xab, 0x09, 0xb6, 0x31, 0x79, 0xfb, 0xf2, 0x23, 0x27, + 0x8d, 0x88, 0x59, 0xc3, 0x35, 0xd5, 0x46, 0x4a, 0xf6, 0x72, 0x76, 0x51, + 0x0d, 0x26, 0xf0, 0x19, 0x55, 0x5e, 0xa9, 0xe8, 0xad, 0xa0, 0x0f, 0xc8, + 0xc1, 0x35, 0x66, 0xab, 0x65, 0xdf, 0xe4, 0xb4, 0x03, 0xf4, 0xf3, 0xb8, + 0xde, 0x1c, 0x3c, 0xc5, 0xde, 0x6a, 0x28, 0x69, 0x21, 0x51, 0x5c, 0x09, + 0xfb, 0xc5, 0x6c, 0x4e, 0x74, 0x28, 0x96, 0xe2, 0xb9, 0xdd, 0xdc, 0xf9, + 0x36, 0xe3, 0xd6, 0xe5, 0x31, 0x6a, 0xff, 0xa5, 0x6d, 0xaa, 0x8b, 0xb4, + 0x62, 0xcd, 0xcd, 0x39, 0xd5, 0x0c, 0xfb, 0x4f, 0x84, 0x25, 0x5d, 0x5b, + 0x61, 0xa9, 0xce, 0x73, 0xe4, 0xc9, 0x97, 0x2a, 0x99, 0x59, 0xbb, 0xa6, + 0x21, 0x5f, 0x31, 0x59, 0x99, 0x5d, 0xae, 0x9a, 0xa9, 0x14, 0x19, 0x55, + 0x7b, 0x8f, 0xde, 0x69, 0xaa, 0x09, 0x8b, 0x12, 0x9a, 0xff, 0x1a, }; unsigned char resp_bad_noauth[] = { 
@@ -425,43 +425,43 @@ unsigned char resp_bad_noauth[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, - 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x81, 0x9e, 0x30, + 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x81, 0x9e, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, - 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, + 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0xff, 0x66, 0x21, 0x8a, 0x6e, 0xc5, 0x86, 0x61, 0x84, 0x25, 0x9a, 0xba, 0xd6, 0x55, 0x39, 0xfb, 0x25, 0x51, 0x2c, 0xdd, 0x04, 0x14, 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, 0x3f, 0xed, 0x33, 0x63, 0xb3, 0xa4, 0xd8, 0x1d, 0x30, 0xe5, 0xe8, 0xd5, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, - 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, + 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x24, 0x33, 0xd4, 0xe9, 0x7a, - 0xae, 0x7d, 0x32, 0x0e, 0xf9, 0x04, 0x6a, 0x99, 0xd9, 0x18, 0xc6, 0x50, - 0x3d, 0x16, 0x14, 0x56, 0xeb, 0x59, 0x86, 0xf5, 0x4c, 0x38, 0x82, 0x90, - 0x06, 0xa6, 0xd5, 0xb8, 0x2d, 0x0e, 0x62, 0x2b, 0xbe, 0x64, 0x75, 0xbb, - 0xc6, 0x9c, 0x0f, 0x9e, 0xc8, 0x14, 0xbf, 0xc6, 0x3c, 0xea, 0xb0, 0x0a, - 0x19, 0xb5, 0xbc, 0x91, 0x23, 0x2c, 0xfe, 
0xe5, 0x3f, 0x7f, 0x2b, 0xdd, - 0xa9, 0xb6, 0x06, 0xae, 0x5d, 0x08, 0x5c, 0xa0, 0x77, 0x6a, 0x28, 0x4e, - 0x77, 0xb7, 0x85, 0xdd, 0xde, 0xcb, 0x16, 0x71, 0xee, 0x16, 0x81, 0x99, - 0x5c, 0x14, 0x52, 0x11, 0x39, 0x22, 0xc0, 0x24, 0x5e, 0x28, 0xcc, 0xf8, - 0x75, 0x32, 0x51, 0xe4, 0xc0, 0x4c, 0xc0, 0x63, 0xf7, 0x91, 0x47, 0x10, - 0x48, 0x52, 0xac, 0x51, 0xe4, 0xf2, 0x86, 0x06, 0x04, 0xb0, 0x04, 0x80, - 0xd9, 0x56, 0xda, 0xb0, 0x0f, 0xe7, 0x75, 0xc4, 0x38, 0xb5, 0x50, 0xe7, - 0x7f, 0xfa, 0x50, 0xe4, 0xee, 0x02, 0xe2, 0xd2, 0x13, 0xcd, 0xc0, 0xc9, - 0xc1, 0x57, 0xe2, 0xec, 0x18, 0x5c, 0xf2, 0x80, 0xc3, 0xf1, 0x94, 0x71, - 0x55, 0x75, 0x2a, 0xcf, 0x46, 0xef, 0xb5, 0xcf, 0x23, 0x4b, 0x7a, 0x25, - 0x37, 0xc3, 0x9e, 0xea, 0x76, 0xaa, 0x29, 0x74, 0xd5, 0xeb, 0x20, 0xcb, - 0x0b, 0x09, 0x11, 0x9f, 0xa9, 0x5f, 0x4e, 0x4b, 0xdc, 0x57, 0x92, 0xf8, - 0xa6, 0x32, 0x5d, 0xf7, 0x09, 0xa4, 0x32, 0x21, 0x23, 0xb8, 0xbf, 0x2c, - 0x3f, 0xed, 0x58, 0x46, 0x9b, 0x56, 0x62, 0xc9, 0xa2, 0xaf, 0x1e, 0x69, - 0xda, 0x7d, 0x54, 0xd7, 0x29, 0x05, 0x7c, 0xd7, 0x21, 0x3e, 0x55, 0x9e, - 0x4a, 0xa1, 0x12, 0xf2, 0x3a, 0xd4, 0x06, 0xc1, 0xca, 0x7c, 0x8e, 0x69, - 0xdb, 0x52, 0x0b, 0xdb, 0x7a, 0xad, 0x17, 0xe0, 0x09, 0x04, 0x27, + 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x34, 0x4e, 0xce, 0xab, 0xf6, + 0xbc, 0xfc, 0xbe, 0x44, 0x18, 0x70, 0x8a, 0x2f, 0xf4, 0x1a, 0x6f, 0xa0, + 0x7c, 0x9f, 0xf7, 0x88, 0x9a, 0x52, 0xce, 0xd9, 0xea, 0x89, 0x43, 0xf3, + 0xff, 0x51, 0x45, 0x24, 0x64, 0xbd, 0xd6, 0x60, 0x46, 0x85, 0x57, 0x08, + 0xea, 0xb0, 0x3c, 0x1d, 0x7a, 0xf0, 0x53, 0xb3, 0x51, 0xdb, 0x9d, 0x12, + 0x77, 0x02, 0xa5, 0x82, 0x22, 0xa7, 0x0d, 0x33, 0xe0, 0x4f, 0x32, 0xf7, + 0xdf, 0x91, 0xd7, 0x9d, 0x5a, 0x9e, 0x00, 0x64, 0xab, 0xcc, 0x33, 0x9b, + 0x29, 0xff, 0xb4, 0xf4, 0x6b, 0x2d, 0xdb, 0xda, 0x1e, 0x4e, 0x04, 0xf8, + 0xde, 0x98, 0x1f, 0xee, 0xd5, 0xdd, 0x06, 0x68, 0xa9, 0xd8, 0x2e, 0x51, + 0xab, 0x23, 0xaa, 0x5c, 0xfd, 0x1f, 0x8d, 0x72, 0xb6, 0x06, 0x3b, 0xb5, + 0x5e, 0x4b, 0x10, 0x92, 0xd2, 0x18, 0x30, 0x75, 
0xcf, 0xda, 0x37, 0x12, + 0x1b, 0x3f, 0xf4, 0xdc, 0x9e, 0xa0, 0xb5, 0xe7, 0x08, 0xfe, 0x35, 0x06, + 0x43, 0x73, 0xae, 0x0f, 0x63, 0xdd, 0xf3, 0xa0, 0xb1, 0x7b, 0xd0, 0xef, + 0xe3, 0xdb, 0x67, 0x7b, 0xcf, 0x04, 0x12, 0x0c, 0x14, 0xe0, 0x79, 0x2d, + 0xcc, 0xe4, 0x3b, 0x3a, 0x73, 0x0a, 0x4c, 0x67, 0xd2, 0x70, 0x3b, 0x76, + 0xcf, 0xd1, 0xca, 0x9b, 0x9f, 0x36, 0x04, 0x39, 0x4e, 0x6f, 0xe7, 0x57, + 0x13, 0xfc, 0xea, 0x97, 0x4f, 0xa4, 0x58, 0x27, 0x86, 0xad, 0xf1, 0x69, + 0x35, 0xf0, 0x36, 0xf7, 0xc7, 0x54, 0xe6, 0x9c, 0xec, 0x99, 0x33, 0x71, + 0xbf, 0xdf, 0x66, 0x20, 0xa7, 0x93, 0x7d, 0x57, 0xf6, 0xf4, 0x7e, 0xd1, + 0x6d, 0x8e, 0x25, 0x1b, 0xc4, 0xa3, 0x36, 0x45, 0xeb, 0xdc, 0x0a, 0xde, + 0xb4, 0x6e, 0xa7, 0x36, 0x5e, 0xba, 0x9a, 0x5f, 0xd2, 0x79, 0x08, 0x8b, + 0x8d, 0xdc, 0x82, 0x2c, 0x27, 0x90, 0xc7, 0xeb, 0xb7, 0xa1, 0x58, }; unsigned char ocsp_responder_cert_pem[] = { 
@@ -1010,37 +1010,37 @@ unsigned char resp_bad[] = { 0x82, 0x01, 0x92, 0x30, 0x82, 0x01, 0x8e, 0x30, 0x7a, 0xa2, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, 0x18, 0x0f, 0x32, - 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, - 0x38, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, + 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, + 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, - 0x30, 0x32, 0x30, 0x34, 0x31, 0x35, 0x33, 0x39, 0x30, 0x38, 0x5a, 0x30, + 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x03, 0x82, 0x01, 0x01, 0x00, 0x0b, 0x3d, 0x00, 0x91, 0x35, 0xdb, 0x77, - 0xa9, 0x98, 0x8f, 0x08, 0x08, 0x6e, 0x16, 0x32, 0x2b, 0x87, 0xfd, 0x88, - 0xa7, 0x99, 0x9a, 0xa6, 0xb4, 0x8f, 0xfb, 0xfc, 0x48, 0x18, 0x86, 0x97, - 0x78, 0x08, 0x9d, 0x7a, 0x8f, 0xf5, 0x0f, 0x78, 0xd7, 0xf1, 0xdf, 0xe9, - 0x1b, 0x06, 0x07, 0xc1, 0x89, 0x9e, 0xc4, 0xe3, 0xef, 0xe0, 0xe3, 0x33, - 0xb4, 0xd3, 0x95, 0x4d, 0xce, 0x19, 0xe8, 0xa8, 0x6b, 0x12, 0x4b, 0xb9, - 0x3a, 0x96, 0x6e, 0x1b, 0x5e, 0xd1, 0x23, 0x82, 0x0b, 0x83, 0x70, 0x3d, - 0x91, 0x54, 0x44, 0x28, 0x40, 0x21, 0x50, 0xdf, 0x4c, 0xa9, 0x91, 0x3c, - 0xdb, 0xc5, 0xa6, 0x2f, 0xa1, 0x2f, 0xe0, 0x60, 0x41, 0x14, 0x1c, 0xd4, - 0x5c, 0xcd, 0x79, 0xf1, 0x5f, 0xd5, 0x6a, 0x9e, 0x7f, 0x96, 0xa9, 0xeb, - 0x95, 0x08, 0x3e, 0xaf, 0x71, 0x40, 0x0a, 0xef, 0x5d, 0x74, 0xb9, 0x2d, - 0x66, 0xc5, 0x54, 0x3e, 0xf9, 0x6d, 
0x4a, 0xb8, 0xad, 0xc5, 0xd9, 0x85, - 0xb8, 0x68, 0xe5, 0x2b, 0x96, 0xdc, 0xf8, 0xae, 0xf2, 0xc1, 0x32, 0xf5, - 0x18, 0x17, 0x58, 0x33, 0xa5, 0x6a, 0xe7, 0x23, 0x5b, 0x40, 0x67, 0xdb, - 0x5b, 0xf5, 0x69, 0x4a, 0x1f, 0x23, 0xd6, 0x41, 0x36, 0x77, 0x3a, 0x61, - 0xec, 0xa3, 0xf0, 0xed, 0xc1, 0xea, 0x9a, 0x72, 0x56, 0xa8, 0x14, 0x96, - 0x92, 0x60, 0x74, 0x41, 0x3d, 0x48, 0x9a, 0x57, 0x12, 0xf6, 0xc8, 0x43, - 0x1c, 0xd5, 0x98, 0x4e, 0xbe, 0x67, 0xe4, 0x3b, 0x07, 0x4e, 0xcf, 0xa9, - 0x69, 0x94, 0xd8, 0xeb, 0x10, 0x6e, 0xc5, 0x89, 0xbd, 0xb3, 0x84, 0xff, - 0xbc, 0xcd, 0x92, 0x26, 0x92, 0xbd, 0x10, 0x37, 0xc6, 0xec, 0x2c, 0x31, - 0xc9, 0x93, 0x81, 0x77, 0x4c, 0xaf, 0xc6, 0x8d, 0xf5, 0x9d, 0x01, 0x24, - 0xb2, 0x97, 0x51, 0x81, 0x2a, 0xa4, 0xb1, 0x04, 0x32, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x13, 0x5a, 0x5e, 0x74, 0x4f, 0x2e, 0x7c, + 0xa1, 0x7d, 0x89, 0x2a, 0x0c, 0x14, 0x1f, 0x13, 0xaf, 0x17, 0x61, 0x87, + 0xf8, 0xcc, 0x70, 0x82, 0x3e, 0x0e, 0x4f, 0xbe, 0x4f, 0xc4, 0x95, 0xcc, + 0x79, 0x2c, 0xe4, 0x87, 0x2c, 0x81, 0xc0, 0x5a, 0xfa, 0x9f, 0xb4, 0xec, + 0xdc, 0xae, 0x64, 0xca, 0xee, 0x35, 0xc3, 0x67, 0xd9, 0xf5, 0x32, 0x6e, + 0x2e, 0x2b, 0x71, 0x85, 0x24, 0xff, 0xfd, 0xe2, 0x6b, 0x8f, 0xf6, 0xaa, + 0xa5, 0x0a, 0xb3, 0x56, 0xb4, 0xa5, 0xb8, 0xf9, 0x7a, 0x35, 0x6a, 0x8c, + 0xe4, 0x58, 0x64, 0x04, 0xfe, 0x6f, 0x64, 0xf7, 0x26, 0x07, 0xc0, 0xf5, + 0x41, 0xf2, 0xba, 0x8b, 0x16, 0x51, 0x1f, 0xdd, 0xcc, 0xf0, 0xc5, 0x5b, + 0x38, 0xa6, 0xb8, 0xa7, 0xf4, 0x18, 0x92, 0xec, 0xab, 0x71, 0xa2, 0x15, + 0xed, 0x69, 0x6c, 0x9f, 0x8f, 0x2b, 0x88, 0x2f, 0x94, 0x5b, 0x5d, 0x93, + 0xb6, 0xa1, 0x4a, 0x04, 0x36, 0xd1, 0xb1, 0x41, 0x23, 0x34, 0x21, 0x76, + 0xa1, 0x22, 0x98, 0x88, 0xff, 0xbc, 0x07, 0xa6, 0x1e, 0x6c, 0x63, 0x2f, + 0x72, 0x9b, 0x9c, 0xa4, 0x70, 0x53, 0x9f, 0x6c, 0xbc, 0xac, 0x8f, 0x6d, + 0xfb, 0xfe, 0xaf, 0x72, 0x7c, 0x00, 0xe7, 0x66, 0xed, 0x0f, 0xf5, 0x87, + 0xac, 0xa4, 0x1f, 0x9b, 0x5a, 0x70, 0xb7, 0xda, 0x04, 0xf1, 0xa6, 0x88, + 0x36, 0xa1, 0xbb, 0xb8, 0xf4, 0xd5, 0x50, 0x56, 0x45, 
0xa8, 0xe1, 0xe5, + 0x51, 0x0e, 0xbe, 0x86, 0x5b, 0xfb, 0x87, 0x46, 0x95, 0xf4, 0x1c, 0x4b, + 0x14, 0x17, 0xec, 0x14, 0xa6, 0xd5, 0xdc, 0xd5, 0x06, 0xb8, 0xc8, 0x1b, + 0x5c, 0xb8, 0xe8, 0x10, 0x13, 0x40, 0x1f, 0xc4, 0xd9, 0x6b, 0xdd, 0xe1, + 0x06, 0xa9, 0xcd, 0x0e, 0x97, 0x6e, 0x92, 0x2a, 0x87, 0x00, 0xc4, 0x9b, + 0xd2, 0x94, 0xfa, 0x4e, 0x7d, 0x34, 0x74, 0xfe, 0xf5, }; -#endif // OCSP_TEST_BLOBS_H +#endif /* OCSP_TEST_BLOBS_H */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 619888e52..5703874fe 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37312,7 +37312,9 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); } - if (ret == 0 && OcspRespIdMatch(resp, cert->subjectHash, cert->subjectKeyHash) == 0) { + if (ret == 0 && + OcspRespIdMatch(resp, + cert->subjectHash, cert->subjectKeyHash) == 0) { WOLFSSL_MSG("\tInternal check doesn't match responder ID, ignoring\n"); ret = BAD_OCSP_RESPONDER; goto out; From eb7904b5e5f6354df7d30756a6f04a9f6bcf43ed Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 4 Feb 2025 22:44:26 +0000 Subject: [PATCH 08/22] tests/api: expose test_ssl_memio functions --- tests/api.c | 62 +++------------------------------------------- tests/unit.h | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+), 59 deletions(-) diff --git a/tests/api.c b/tests/api.c index 339e9a637..3f284885b 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -460,62 +460,6 @@ #endif #endif /* HAVE_PKCS7 */ -typedef int (*ctx_cb)(WOLFSSL_CTX* ctx); -typedef int (*ssl_cb)(WOLFSSL* ssl); -typedef int (*test_cbType)(WOLFSSL_CTX *ctx, WOLFSSL *ssl); -typedef int (*hs_cb)(WOLFSSL_CTX **ctx, WOLFSSL **ssl); - -typedef struct test_ssl_cbf { - method_provider method; - ctx_cb ctx_ready; - ssl_cb ssl_ready; - ssl_cb on_result; - ctx_cb on_ctx_cleanup; - ssl_cb on_cleanup; - hs_cb on_handshake; - WOLFSSL_CTX* ctx; - const char* caPemFile; - const char* certPemFile; - const char* keyPemFile; - const char* crlPemFile; -#ifdef WOLFSSL_STATIC_MEMORY - byte* mem; - word32 memSz; - wolfSSL_method_func method_ex; -#endif - int devId; - int return_code; - int last_err; - unsigned char isSharedCtx:1; - unsigned char loadToSSL:1; - unsigned char ticNoInit:1; - unsigned char doUdp:1; -} test_ssl_cbf; - -#define TEST_SSL_MEMIO_BUF_SZ (64 * 1024) -typedef struct test_ssl_memio_ctx { - WOLFSSL_CTX* s_ctx; - WOLFSSL_CTX* c_ctx; - WOLFSSL* s_ssl; - WOLFSSL* c_ssl; - - const char* c_ciphers; - const char* s_ciphers; - - char* c_msg; - int c_msglen; - char* s_msg; - int s_msglen; - - test_ssl_cbf s_cb; - test_ssl_cbf c_cb; - - byte c_buff[TEST_SSL_MEMIO_BUF_SZ]; - int c_len; - byte s_buff[TEST_SSL_MEMIO_BUF_SZ]; - int s_len; -} test_ssl_memio_ctx; - int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb, test_ssl_cbf* server_cb, test_cbType client_on_handshake); @@ -7266,7 +7210,7 @@ static WC_INLINE int test_ssl_memio_read_cb(WOLFSSL *ssl, char *data, int sz, return read_sz; } -static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) +int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) { EXPECT_DECLS_NO_MSGS(-2000); #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) 
@@ -7466,7 +7410,7 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) return EXPECT_RESULT(); } -static int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds, +int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds, int* rounds) { int handshake_complete = 0; @@ -7586,7 +7530,7 @@ static int test_ssl_memio_read_write(test_ssl_memio_ctx* ctx) return EXPECT_RESULT(); } -static void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx) +void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx) { ctx->c_cb.last_err = wolfSSL_get_error(ctx->c_ssl, 0); ctx->s_cb.last_err = wolfSSL_get_error(ctx->s_ssl, 0); diff --git a/tests/unit.h b/tests/unit.h index fcbb343f9..20664afd7 100644 --- a/tests/unit.h +++ b/tests/unit.h 
@@ -340,6 +340,76 @@ #define DoExpectBufEQ(x, y, z) DoExpectBuf(x, y, z, ==, !=) #define DoExpectBufNE(x, y, z) DoExpectBuf(x, y, z, !=, ==) +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \ + !defined(NO_RSA) && \ + !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ + !defined(WOLFSSL_TIRTOS) + #define HAVE_SSL_MEMIO_TESTS_DEPENDENCIES +#endif +#ifdef HAVE_SSL_MEMIO_TESTS_DEPENDENCIES + +typedef int (*ctx_cb)(WOLFSSL_CTX* ctx); +typedef int (*ssl_cb)(WOLFSSL* ssl); +typedef int (*test_cbType)(WOLFSSL_CTX *ctx, WOLFSSL *ssl); +typedef int (*hs_cb)(WOLFSSL_CTX **ctx, WOLFSSL **ssl); + +typedef struct test_ssl_cbf { + method_provider method; + ctx_cb ctx_ready; + ssl_cb ssl_ready; + ssl_cb on_result; + ctx_cb on_ctx_cleanup; + ssl_cb on_cleanup; + hs_cb on_handshake; + WOLFSSL_CTX* ctx; + const char* caPemFile; + const char* certPemFile; + const char* keyPemFile; + const char* crlPemFile; +#ifdef WOLFSSL_STATIC_MEMORY + byte* mem; + word32 memSz; + wolfSSL_method_func method_ex; +#endif + int devId; + int return_code; + int last_err; + unsigned char isSharedCtx:1; + unsigned char loadToSSL:1; + unsigned char ticNoInit:1; + unsigned char doUdp:1; +} test_ssl_cbf; + +#define TEST_SSL_MEMIO_BUF_SZ (64 * 1024) +typedef struct test_ssl_memio_ctx { + WOLFSSL_CTX* s_ctx; + WOLFSSL_CTX* c_ctx; + WOLFSSL* s_ssl; + WOLFSSL* c_ssl; + + const char* c_ciphers; + const char* s_ciphers; + + char* c_msg; + int c_msglen; + char* s_msg; + int s_msglen; + + test_ssl_cbf s_cb; + test_ssl_cbf c_cb; + + byte c_buff[TEST_SSL_MEMIO_BUF_SZ]; + int c_len; + byte s_buff[TEST_SSL_MEMIO_BUF_SZ]; + int s_len; +} test_ssl_memio_ctx; + +int test_ssl_memio_setup(test_ssl_memio_ctx *ctx); +int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds, + int* rounds); +void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx); +#endif + void ApiTest_PrintTestCases(void); int ApiTest_RunIdx(int idx); int ApiTest_RunName(char* name); 
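Review bot: The typedefs and structs moved into tests/unit.h are now declared only under `HAVE_SSL_MEMIO_TESTS_DEPENDENCIES`, while the prototype `test_wolfSSL_client_server_nofail_memio(test_ssl_cbf*, test_ssl_cbf*, test_cbType)` stays in tests/api.c as a context line right after the removed block, where no guard is visible. If that prototype is not inside the same guard (not visible here), builds with for example `NO_RSA` or `NO_FILESYSTEM` would fail on an unknown type. Either move the prototype into this guarded block too, or keep the type declarations outside the `#ifdef` and guard only the three function prototypes. A short comment above the block, such as `/* shared in-memory TLS handshake helpers, implemented in tests/api.c */`, would also tell readers of unit.h where the definitions live.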
From 851d74fd6913b5d412ac521b7e72f6898360e0fb Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 4 Feb 2025 22:52:41 +0000 Subject: [PATCH 09/22] ocsp-resp-refactor: address reviewer's comments --- src/ocsp.c | 20 +++++++++++--------- wolfcrypt/src/asn.c | 9 ++++----- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index fd7dd5863..9d1569fd9 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -825,11 +825,13 @@ void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse) static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash, const byte* keyHash) { - if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) - return (XMEMCMP(NameHash, resp->responderId.nameHash, - SIGNER_DIGEST_SIZE) == 0); - else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) - return (XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0); + if (resp->responderIdType == OCSP_RESPONDER_ID_NAME) { + return XMEMCMP(NameHash, resp->responderId.nameHash, + SIGNER_DIGEST_SIZE) == 0; + } + else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) { + return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0; + } return 0; } @@ -907,7 +909,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert, InitDecodedCert(c, cert->source, cert->maxIdx, NULL); if (ParseCertRelative(c, CERT_TYPE, VERIFY, st->cm, NULL) != 0) { ret = ASN_OCSP_CONFIRM_E; - goto out; + goto err; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) { @@ -922,7 +924,7 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert, ret = 0; #endif -out: +err: FreeDecodedCert(c); #ifdef WOLFSSL_SMALL_STACK XFREE(c, NULL, DYNAMIC_TYPE_DCERT); 
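Review bot: In the `OcspVerifySigner` hunk the renamed label `err:` is also reached on the success path, because the code falls through from `ret = 0;` into `FreeDecodedCert(c)`. The name now suggests an error-only exit for what is the common cleanup. The same holds for `err:` in `wolfSSL_OCSP_basic_verify` and in `OcspCheckCert` (wolfcrypt/src/asn.c) later in this patch. A one-line comment at the label, e.g. `err: /* common exit: also reached on success, frees the decoded cert */`, would keep a later edit from adding failure-only handling below it. The function bodies start and end outside the hunks.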
@@ -960,14 +962,14 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP* bs, if (ret != 0) { WOLFSSL_MSG("OCSP signature verification failed"); ret = -1; - goto out; + goto err; } if ((flags & WOLFSSL_OCSP_NOVERIFY) == 0) { ret = OcspVerifySigner(bs, cert, st, flags); } -out: +err: FreeDecodedCert(cert); XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5703874fe..3b7c623da 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37317,7 +37317,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, cert->subjectHash, cert->subjectKeyHash) == 0) { WOLFSSL_MSG("\tInternal check doesn't match responder ID, ignoring\n"); ret = BAD_OCSP_RESPONDER; - goto out; + goto err; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK @@ -37325,7 +37325,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, ret = CheckOcspResponder(resp, cert, cm); if (ret < 0) { WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed"); - goto out; + goto err; } } #endif /* WOLFSSL_NO_OCSP_ISSUER_CHECK */ @@ -37337,7 +37337,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, resp->sig, resp->sigSz, resp->sigOID, resp->sigParams, resp->sigParamsSz, NULL); } -out: +err: FreeDecodedCert(cert); #ifdef WOLFSSL_SMALL_STACK @@ -37509,7 +37509,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = OcspCheckCert(resp, noVerify, noVerifySignature, (WOLFSSL_CERT_MANAGER*)cm, heap); if (ret == 0) { - goto out; + noVerifySignature = 1; } ret = 0; /* try to verify the OCSP response with CA certs */ } @@ -37545,7 +37545,6 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = ASN_OCSP_CONFIRM_E; } } -out: if (ret == 0) { /* Update the position to after response data. */ *ioIndex = idx; From ae3177c439c037b3be41af5475ff01d8f848a921 Mon Sep 17 00:00:00 2001 
From: Marco Oliverio Date: Tue, 4 Feb 2025 22:53:19 +0000 Subject: [PATCH 10/22] ocsp-resp-refactor: fix tests --- tests/api/test_ocsp.c | 79 +++++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 37 deletions(-) diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index 8f58c40e2..299b45265 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c @@ -64,7 +64,7 @@ static int ocsp_cb(void* ctx, const char* url, int urlSz, unsigned char* req, return cb_ctx->responseSz; } -static int test_ocsp_response_with_cm(struct test_conf* c) +static int test_ocsp_response_with_cm(struct test_conf* c, int expectedRet) { EXPECT_DECLS; WOLFSSL_CERT_MANAGER* cm = NULL; @@ -72,7 +72,7 @@ static int test_ocsp_response_with_cm(struct test_conf* c) int ret; cm = wolfSSL_CertManagerNew(); - ExpectPtrNE(cm, NULL); + ExpectNotNull(cm); ret = wolfSSL_CertManagerEnableOCSP(cm, WOLFSSL_OCSP_URL_OVERRIDE | WOLFSSL_OCSP_NO_NONCE); ExpectIntEQ(ret, WOLFSSL_SUCCESS); @@ -95,14 +95,15 @@ static int test_ocsp_response_with_cm(struct test_conf* c) } /* check cert */ ret = wolfSSL_CertManagerCheckOCSP(cm, c->targetCert, c->targetCertSz); + ExpectIntEQ(ret, expectedRet); wolfSSL_CertManagerFree(cm); - return ret; + return EXPECT_RESULT(); } int test_ocsp_response_parsing(void) { struct test_conf conf; - int ret; + int ret, expectedRet; EXPECT_DECLS; conf.resp = (unsigned char*)resp; conf.respSz = sizeof(resp); @@ -112,8 +113,8 @@ int test_ocsp_response_parsing(void) conf.ca1Sz = 0; conf.targetCert = intermediate1_ca_cert_pem; conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); - ret = test_ocsp_response_with_cm(&conf); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ret = test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS); + ExpectIntEQ(ret, TEST_SUCCESS); conf.resp = (unsigned char*)resp_multi; conf.respSz = sizeof(resp_multi); 
@@ -123,8 +124,8 @@ int test_ocsp_response_parsing(void) conf.ca1Sz = 0; conf.targetCert = intermediate1_ca_cert_pem; conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); - ret = test_ocsp_response_with_cm(&conf); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ret = test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS); + ExpectIntEQ(ret, TEST_SUCCESS); conf.resp = (unsigned char*)resp_bad_noauth; conf.respSz = sizeof(resp_bad_noauth); @@ -134,16 +135,18 @@ int test_ocsp_response_parsing(void) conf.ca1Sz = sizeof(ca_cert_pem); conf.targetCert = server_cert_pem; conf.targetCertSz = sizeof(server_cert_pem); - ret = test_ocsp_response_with_cm(&conf); -#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK - ExpectIntNE(ret, WOLFSSL_SUCCESS); -#else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + expectedRet = OCSP_LOOKUP_FAIL; +#ifdef WOLFSSL_NO_OCSP_ISSUER_CHECK + expectedRet = WOLFSSL_SUCCESS; #endif + ret = test_ocsp_response_with_cm(&conf, expectedRet); + ExpectIntEQ(ret, TEST_SUCCESS); return EXPECT_SUCCESS(); } #else /* HAVE_OCSP */ -int test_ocsp_response_parsing(void) { return TEST_SKIPPED; } +int test_ocsp_response_parsing(void) { + return TEST_SKIPPED; +} #endif /* HAVE_OCSP */ #if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) @@ -155,9 +158,9 @@ static int test_ocsp_create_x509store(WOLFSSL_X509_STORE** store, int ret; *store = wolfSSL_X509_STORE_new(); - ExpectPtrNE(*store, NULL); + ExpectNotNull(*store); cert = wolfSSL_X509_d2i(&cert, ca, caSz); - ExpectPtrNE(cert, NULL); + ExpectNotNull(cert); ret = wolfSSL_X509_STORE_add_cert(*store, cert); wolfSSL_X509_free(cert); ExpectIntEQ(ret, WOLFSSL_SUCCESS); 
@@ -172,9 +175,9 @@ static int test_create_stack_of_x509(WOLF_STACK_OF(WOLFSSL_X509) * *certs, int ret; *certs = wolfSSL_sk_X509_new_null(); - ExpectPtrNE(*certs, NULL); + ExpectNotNull(*certs); cert = wolfSSL_X509_d2i(&cert, der, derSz); - ExpectPtrNE(cert, NULL); + ExpectNotNull(cert); ret = wolfSSL_sk_X509_push(*certs, cert); ExpectIntEQ(ret, 1); return EXPECT_RESULT(); @@ -184,9 +187,9 @@ int test_ocsp_basic_verify(void) { EXPECT_DECLS; WOLF_STACK_OF(WOLFSSL_X509) * certs; + WOLFSSL_X509_STORE* store = NULL; + const unsigned char* ptr = NULL; OcspResponse* response = NULL; - WOLFSSL_X509_STORE* store; - const unsigned char* ptr; DecodedCert cert; int ret; @@ -198,7 +201,7 @@ int test_ocsp_basic_verify(void) /* just decoding */ ptr = (const unsigned char*)resp; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ExpectIntEQ(response->responseStatus, 0); ExpectIntEQ(response->responderIdType, OCSP_RESPONDER_ID_NAME); ExpectBufEQ(response->responderId.nameHash, cert.subjectHash, 
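Review bot: In test_ocsp_basic_verify (hunk `@@ -184,9 +187,9 @@`), `store` and `ptr` are now initialised to NULL, but `certs` on the line above is still declared without a value, although it is passed to `wolfSSL_sk_X509_pop_free` in the cleanup at the end of the function. If the helper that fills it can be skipped after an earlier failed expectation (not visible in this hunk), the cleanup would read an indeterminate pointer. Declaring it as `WOLF_STACK_OF(WOLFSSL_X509) * certs = NULL;` makes the declarations consistent. The function body continues outside the hunk.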
@@ -208,29 +211,28 @@ int test_ocsp_basic_verify(void) /* responder Id by key hash */ ptr = (const unsigned char*)resp_rid_bykey; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_rid_bykey)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ExpectIntEQ(response->responseStatus, 0); ExpectIntEQ(response->responderIdType, OCSP_RESPONDER_ID_KEY); ExpectBufEQ(response->responderId.keyHash, cert.subjectKeyHash, OCSP_DIGEST_SIZE); - wc_FreeDecodedCert(&cert); wolfSSL_OCSP_RESPONSE_free(response); /* decoding with no embedded certificates */ ptr = (const unsigned char*)resp_nocert; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ExpectIntEQ(response->responseStatus, 0); wolfSSL_OCSP_RESPONSE_free(response); /* decoding an invalid response */ ptr = (const unsigned char*)resp_bad; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_bad)); - ExpectPtrEq(response, NULL); + ExpectNull(response); ptr = (const unsigned char*)resp; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); /* no verify signer certificate */ ret = wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY); ExpectIntEQ(ret, WOLFSSL_SUCCESS); @@ -253,7 +255,7 @@ int test_ocsp_basic_verify(void) /* cert not embedded, cert in certs, validated using store */ ptr = (const unsigned char*)resp_nocert; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); ExpectIntEQ(ret, WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); 
@@ -261,7 +263,7 @@ int test_ocsp_basic_verify(void) /* cert embedded, verified using store */ ptr = (const unsigned char*)resp; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); ExpectIntEQ(ret, WOLFSSL_SUCCESS); /* make invalid signature */ @@ -275,18 +277,16 @@ int test_ocsp_basic_verify(void) ExpectIntEQ(ret, WOLFSSL_SUCCESS); /* this should also pass */ ret = wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOINTERN); - ; ExpectIntEQ(ret, WOLFSSL_SUCCESS); /* this should not */ ret = wolfSSL_OCSP_basic_verify(response, NULL, store, OCSP_NOINTERN); - ; ExpectIntNE(ret, WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); /* cert not embedded, not certs */ ptr = (const unsigned char*)resp_nocert; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); ExpectIntNE(ret, WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); @@ -304,7 +304,7 @@ int test_ocsp_basic_verify(void) /* multiple responses in a ocsp response */ ptr = (const unsigned char*)resp_multi; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_multi)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); ExpectIntEQ(ret, WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); @@ -313,7 +313,7 @@ int test_ocsp_basic_verify(void) * responses */ ptr = (const unsigned char*)resp_bad_noauth; response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_bad_noauth)); - ExpectPtrNE(response, NULL); + ExpectNotNull(response); ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK ExpectIntEQ(ret, WOLFSSL_FAILURE); 
@@ -328,16 +328,19 @@ int test_ocsp_basic_verify(void) ExpectIntEQ(ret, WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); + wc_FreeDecodedCert(&cert); wolfSSL_sk_X509_pop_free(certs, wolfSSL_X509_free); wolfSSL_X509_STORE_free(store); return EXPECT_RESULT(); } #else -int test_ocsp_basic_verify(void) { return TEST_SKIPPED; } +int test_ocsp_basic_verify(void) { + return TEST_SKIPPED; +} #endif /* HAVE_OCSP && (OPENSSL_ALL || OPENSSL_EXTRA) */ -#if defined(HAVE_OCSP) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \ +#if defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) && \ (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) @@ -400,7 +403,7 @@ static int test_ocsp_status_callback_test_setup( return ret; } -static int test_ocsp_status_callback(void) +int test_ocsp_status_callback(void) { struct test_params { method_provider c_method; @@ -562,7 +565,9 @@ static int test_ocsp_status_callback(void) } #else -int test_ocsp_status_callback(void) { return TEST_SKIPPED; } +int test_ocsp_status_callback(void) { + return TEST_SKIPPED; +} #endif /* defined(HAVE_OCSP) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) \ && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) \ && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) */ From 3e50c79c3b2811a4af169dd817306cc648a36a10 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 4 Feb 2025 23:34:53 +0000 Subject: [PATCH 11/22] tests: bind test_wolfSSL_client_server_nofail_memio HAVE_SSL_MEMIO_TESTS_DEP --- tests/api.c | 3 --- tests/unit.h | 4 +++- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/api.c b/tests/api.c index 3f284885b..0b2c7fca3 100644 --- a/tests/api.c +++ b/tests/api.c 
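Review bot: The `#if` guard changed in this file now tests `HAVE_SSL_MEMIO_TESTS_DEPENDENCIES`, but the closing comment in the last hunk (`@@ -562,7 +565,9 @@`) still reads `defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)`. Updating it to `#endif /* defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) \` keeps the guard and its comment in step. This matters here because the macro decides whether the status-callback test actually runs or returns TEST_SKIPPED.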
@@ -460,9 +460,6 @@ #endif #endif /* HAVE_PKCS7 */ -int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb, - test_ssl_cbf* server_cb, test_cbType client_on_handshake); - #ifdef WOLFSSL_DUMP_MEMIO_STREAM const char* currentTestName; char tmpDirName[16]; diff --git a/tests/unit.h b/tests/unit.h index 20664afd7..3c0ec63fd 100644 --- a/tests/unit.h +++ b/tests/unit.h @@ -408,7 +408,9 @@ int test_ssl_memio_setup(test_ssl_memio_ctx *ctx); int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds, int* rounds); void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx); -#endif +int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb, + test_ssl_cbf* server_cb, test_cbType client_on_handshake); +#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ void ApiTest_PrintTestCases(void); int ApiTest_RunIdx(int idx); From 2c2eb2a2854daadcc76d0ed7ba261fe1ac2f040c Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 5 Feb 2025 16:35:20 +0000 Subject: [PATCH 12/22] ocsp: improve OCSP response signature validation - search for the signer in the CertificateManager if the embedded cert verification fails in original asn template. --- wolfcrypt/src/asn.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 3b7c623da..e67685167 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37361,6 +37361,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #endif int ret; int sigLength; + int sigValid = 0; WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; 
@@ -37417,16 +37418,19 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ASN_PARSE_E; ret = OcspCheckCert(resp, noVerify, noVerifySignature, cm, heap); - if (ret != 0) { - WOLFSSL_MSG("\tOCSP Confirm signature failed"); - return ASN_OCSP_CONFIRM_E; + if (ret == 0) { + sigValid = 1; + } + else { + WOLFSSL_MSG("OCSP Internal certificate can't verify the response\n"); + /* try to verify the OCSP response with CA certs */ + ret = 0; } } else #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ - if (!noVerifySignature) { + if (!noVerifySignature && !sigValid) { Signer* ca; - int sigValid = -1; SignatureCtx sigCtx; ca = OcspFindSigner(resp, cm); if (ca == NULL) @@ -37457,6 +37461,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, int ret = 0; word32 idx = *ioIndex; Signer* ca = NULL; + int sigValid = 0; WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; @@ -37509,29 +37514,28 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = OcspCheckCert(resp, noVerify, noVerifySignature, (WOLFSSL_CERT_MANAGER*)cm, heap); if (ret == 0) { - noVerifySignature = 1; + sigValid = 1; } ret = 0; /* try to verify the OCSP response with CA certs */ } #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ /* try to verify using cm certs */ - if (ret == 0 && !noVerifySignature) + if (ret == 0 && !noVerifySignature && !sigValid) { ca = OcspFindSigner(resp, (WOLFSSL_CERT_MANAGER*)cm); if (ca == NULL) ret = ASN_NO_SIGNER_E; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK - if (ret == 0 && !noVerifySignature) { + if (ret == 0 && !noVerifySignature && !sigValid) { if (OcspRespCheck(resp, ca) != 0) { ret = BAD_OCSP_RESPONDER; } } #endif - if (ret == 0 && !noVerifySignature) { - int sigValid = -1; + if (ret == 0 && !noVerifySignature && !sigValid) { SignatureCtx sigCtx; - /* Initialize he signature context. */ + /* Initialize the signature context. */ InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); /* TODO: ConfirmSignature is blocking here */ 
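Review bot: In the non-template DecodeBasicOcspResponse hunk (`@@ -37417,16 +37418,19 @@`), the `else` kept before `#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */` still ties the CertManager block to the embedded-certificate branch, so the fallback this change announces is not reached when an embedded certificate is present. On that path a failed OcspCheckCert now leaves `ret = 0` and `sigValid = 0` instead of returning ASN_OCSP_CONFIRM_E, and from the visible lines nothing else checks the signature before the function continues. Dropping the `else` line, so that `if (!noVerifySignature && !sigValid) {` runs after the embedded-certificate branch as it does in the template variant further down, would close the gap. The rest of the function is outside the hunk, so confirm that no later check rejects `sigValid == 0`.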
From 3724094ce287f0986a5ee5ab224202486920a910 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 5 Feb 2025 16:36:52 +0000 Subject: [PATCH 13/22] ocsp: add test for response with unusable internal cert - Added a new test case `resp_bad_embedded_cert` in `create_ocsp_test_blobs.py` to test OCSP response with an unusable internal cert that can be verified in Cert Manager. - Updated `test_ocsp_response_parsing` in `ocsp.c` to include the new test case. - Ensured the new test case checks for proper handling of OCSP responses with incorrect internal certificates. --- tests/api/create_ocsp_test_blobs.py | 17 +++++++++++++++++ tests/api/test_ocsp.c | 12 ++++++++++++ 2 files changed, 29 insertions(+) diff --git a/tests/api/create_ocsp_test_blobs.py b/tests/api/create_ocsp_test_blobs.py index 82c2cfde9..f86547081 100644 --- a/tests/api/create_ocsp_test_blobs.py +++ b/tests/api/create_ocsp_test_blobs.py @@ -382,6 +382,23 @@ if __name__ == '__main__': 'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', 'name': 'resp_bad_noauth' }, + { + 'response_status': 0, + 'signature_algorithm': signature_algorithm(), + 'responder_by_name': True, + 'responses': [ + { + 'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'serial': 0x01, + 'status': CERT_GOOD + }, + ], + # unrelated cert + 'certs_path' : [WOLFSSL_OCSP_CERT_PATH + 'intermediate2-ca-cert.pem'], + 'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem', + 'responder_key': WOLFSSL_OCSP_CERT_PATH + 'root-ca-key.pem', + 'name': 'resp_bad_embedded_cert' + }, ] with open('./tests/api/ocsp_test_blobs.h', 'w') as f: diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index 299b45265..d17711a0c 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c 
@@ -141,6 +141,18 @@ int test_ocsp_response_parsing(void) #endif ret = test_ocsp_response_with_cm(&conf, expectedRet); ExpectIntEQ(ret, TEST_SUCCESS); + + /* Test response with unusable internal cert but that can be verified in CM */ + conf.resp = (unsigned char*)resp_bad_embedded_cert; // Response with wrong internal cert + conf.respSz = sizeof(resp_bad_embedded_cert); + conf.ca0 = root_ca_cert_pem; // Root CA cert + conf.ca0Sz = sizeof(root_ca_cert_pem); + conf.ca1 = NULL; + conf.ca1Sz = 0; + conf.targetCert = intermediate1_ca_cert_pem; + conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); + ExpectIntEQ(test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS), TEST_SUCCESS); + return EXPECT_SUCCESS(); } #else /* HAVE_OCSP */ From c1c9af5cb6cfda5da8bbb35fee8374cfe4523016 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 5 Feb 2025 16:40:40 +0000 Subject: [PATCH 14/22] minor: improve indentation of guards --- src/internal.c | 10 +++++----- wolfcrypt/src/asn.c | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/internal.c b/src/internal.c index 630c634ab..02b3785b5 100644 --- a/src/internal.c +++ b/src/internal.c @@ -24896,9 +24896,9 @@ static int BuildCertificateStatusWithStatusCB(WOLFSSL* ssl) } return ret; } -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST && (defined(OPENSSL_ALL) || -defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) -*/ +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST && \ + (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) */ #endif /* NO_WOLFSSL_SERVER */ /* handle generation of certificate_status (22) */ 
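Review bot: The case added to test_ocsp_response_parsing pins only the accepting side of the fallback (unusable embedded certificate, signer present in the CertManager), so a regression that accepts such a response without any valid signer would still pass. A companion case that feeds `resp_bad_embedded_cert` to a CertManager that does not hold the signer, and expects a non-success result, would cover the rejecting side. Separately, the two `//` comments and the lines over 80 columns differ from the `/* */` style used in the rest of the hunk, e.g. `conf.ca0 = root_ca_cert_pem; /* Root CA cert */`. The function starts outside the hunk.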
@@ -24925,8 +24925,8 @@ int SendCertificateStatus(WOLFSSL* ssl) } #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ -(defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) + (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) if (SSL_CM(ssl)->ocsp_stapling != NULL && SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { if (ssl->status_request == WOLFSSL_CSR_OCSP) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e67685167..ecb284562 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37323,7 +37323,7 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify, #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK if (ret == 0 && !noVerify) { ret = CheckOcspResponder(resp, cert, cm); - if (ret < 0) { + if (ret != 0) { WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed"); goto err; } From 69116eb05d7961d76568abad5ddee40c04edc049 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 5 Feb 2025 16:45:20 +0000 Subject: [PATCH 15/22] ocsp/tests: update blobs and add license header --- tests/api/create_ocsp_test_blobs.py | 21 ++ tests/api/test_ocsp_test_blobs.h | 484 +++++++++++++++++++--------- 2 files changed, 352 insertions(+), 153 deletions(-) diff --git a/tests/api/create_ocsp_test_blobs.py b/tests/api/create_ocsp_test_blobs.py index f86547081..435d625cb 100644 --- a/tests/api/create_ocsp_test_blobs.py +++ b/tests/api/create_ocsp_test_blobs.py 
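Review bot: The asn.c hunk (`@@ -37323,7 +37323,7 @@`) changes behaviour in a commit described as indentation only: `if (ret < 0)` becomes `if (ret != 0)` after CheckOcspResponder, so a positive return value now also takes the failure path. That looks like the stricter and safer reading, but it deserves its own line in the commit message and a comment at the check, for example `/* any non-zero result means the responder is not authorized */`. Which values CheckOcspResponder can return is not visible here, so confirm that no caller relied on positive codes being ignored. OcspCheckCert's body starts and ends outside the hunk.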
@@ -405,6 +405,27 @@ if __name__ == '__main__': f.write( """/* * This file is generated automatically by running ./tests/api/create_ocsp_test_blobs.py. +* +* ocsp_test_blobs.h +* +* Copyright (C) 2006-2025 wolfSSL Inc. +* +* This file is part of wolfSSL. +* +* wolfSSL is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* wolfSSL is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA +* */ """) f.write("#ifndef OCSP_TEST_BLOBS_H\n") diff --git a/tests/api/test_ocsp_test_blobs.h b/tests/api/test_ocsp_test_blobs.h index 9386837ea..04a667ec1 100644 --- a/tests/api/test_ocsp_test_blobs.h +++ b/tests/api/test_ocsp_test_blobs.h 
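Review bot: The header text added to the generator names the output `ocsp_test_blobs.h`, while the blob header regenerated in this same commit is `tests/api/test_ocsp_test_blobs.h`. The `open()` call visible as context in the previous patch also writes `./tests/api/ocsp_test_blobs.h`, so running the script as committed would presumably not refresh the file the tests use. Using one name in the `open()` path and in the header line (`* test_ocsp_test_blobs.h`) keeps the OCSP test fixtures reproducible from the script. If a rename step exists elsewhere, a comment in the script should say so.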
@@ -1,5 +1,26 @@ /* * This file is generated automatically by running ./tests/api/create_ocsp_test_blobs.py. +* +* ocsp_test_blobs.h +* +* Copyright (C) 2006-2025 wolfSSL Inc. +* +* This file is part of wolfSSL. +* +* wolfSSL is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* wolfSSL is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA +* */ #ifndef OCSP_TEST_BLOBS_H #define OCSP_TEST_BLOBS_H 
@@ -22,37 +43,37 @@ unsigned char resp[] = { 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, - 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, - 0x33, 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, + 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, + 0x30, 0x39, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, - 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, + 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6d, 0x4a, 0x57, 0xc9, 0xef, 0xa5, - 0x17, 0x87, 0xa9, 0xc3, 0x39, 0x44, 0x19, 0x70, 0x93, 0x16, 0x47, 0x0f, - 0x0a, 0x9d, 0xfb, 0x7e, 0x35, 0xda, 0x96, 0x84, 0x2d, 0x67, 0x20, 0x2c, - 0x41, 0xa6, 0xbf, 0xa3, 0x73, 0x8e, 0x4d, 0x02, 0xf9, 0x07, 0x5e, 0x06, - 0xd5, 0x8c, 0x70, 0x90, 0x71, 0x55, 0xaf, 0x8b, 0xad, 0xfd, 0xa9, 0xeb, - 0x83, 0xae, 0x4e, 0x6b, 0x69, 0x76, 0x01, 0xe1, 0x5a, 0xd5, 0x60, 0xa9, - 0x03, 0x09, 0xa6, 0x53, 0x6f, 0x30, 0x66, 0x9e, 0x99, 0x09, 0xe0, 0x3f, - 0xfa, 0x80, 0xc0, 0x54, 0x70, 0x59, 0xdc, 0xcd, 0xf8, 0xcf, 0x77, 0x25, - 0xcf, 0xf7, 0xb6, 0xfe, 0xe1, 0x17, 0xcf, 0x08, 0xb1, 0xb3, 0x24, 0x4a, - 0x5b, 0xdb, 0x3a, 0xbd, 0xae, 0xa8, 0xc3, 0x51, 0x5b, 0xfa, 0xf7, 0xbb, - 0xf5, 0x1e, 0xc3, 0x81, 0xa9, 0x94, 0xeb, 0x62, 0x97, 0xd6, 0xff, 0x91, - 0xcc, 0xc1, 0xd3, 0xea, 0x01, 0xa4, 0xe1, 
0xa4, 0xf6, 0x4a, 0xa5, 0xbf, - 0x11, 0xd6, 0xbb, 0x3d, 0xde, 0x8c, 0xaa, 0x46, 0xa4, 0xe3, 0xc2, 0x47, - 0xb8, 0x13, 0x07, 0x2e, 0xbd, 0x6b, 0x81, 0xd6, 0x31, 0x73, 0xaa, 0x0c, - 0x7f, 0xf4, 0x8c, 0x4c, 0x70, 0x83, 0x12, 0xc8, 0xac, 0x37, 0xef, 0x79, - 0xae, 0xb3, 0xdf, 0xf0, 0x33, 0x53, 0x9a, 0x63, 0x3e, 0x19, 0x63, 0x62, - 0xea, 0x0d, 0x34, 0x4e, 0x09, 0x23, 0xeb, 0xd4, 0x89, 0x5e, 0x01, 0x91, - 0xe3, 0xbb, 0x04, 0x3a, 0x8e, 0xb5, 0x49, 0x17, 0x66, 0x77, 0xf7, 0x9e, - 0xf2, 0xc2, 0x50, 0x83, 0xc2, 0x8d, 0x27, 0xee, 0xa8, 0x1b, 0xc4, 0xad, - 0xb6, 0xc8, 0xfe, 0x47, 0x36, 0x2a, 0x49, 0xc9, 0x86, 0xef, 0x09, 0xb0, - 0x4d, 0x5f, 0xa2, 0x9c, 0x51, 0xcb, 0xe9, 0x18, 0x1c, 0xce, 0x46, 0x0c, - 0x55, 0xa4, 0xfd, 0x11, 0xcf, 0xaa, 0x6f, 0xae, 0x56, 0xc6, 0xa0, 0x82, + 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x31, 0xb2, 0x07, 0x71, 0xa6, 0x8e, + 0xd7, 0x32, 0xf5, 0x8d, 0x38, 0xd5, 0xbd, 0xe8, 0x6a, 0xba, 0x50, 0x79, + 0x0d, 0x60, 0x14, 0xc4, 0xdc, 0x3a, 0xb2, 0xd3, 0x47, 0x21, 0x83, 0x2f, + 0xb8, 0xa8, 0x91, 0x12, 0x58, 0x43, 0xd4, 0x27, 0x03, 0x10, 0x7c, 0x67, + 0x65, 0xfc, 0x7c, 0xb9, 0xe9, 0x07, 0x76, 0xa3, 0x68, 0x1a, 0x2b, 0x56, + 0xe0, 0x72, 0x5f, 0xb6, 0x6a, 0x2d, 0x52, 0x52, 0xf4, 0xf3, 0x4b, 0x91, + 0x6b, 0x65, 0xe2, 0xd3, 0x03, 0x9b, 0xaf, 0x11, 0x43, 0x97, 0x94, 0x63, + 0xff, 0x0d, 0x71, 0xf5, 0x4f, 0xef, 0x61, 0x4f, 0x55, 0xd3, 0x5b, 0x5f, + 0x61, 0x1f, 0x2c, 0x03, 0xbd, 0x3f, 0xde, 0x62, 0xb5, 0x36, 0xb0, 0x3a, + 0x52, 0xf3, 0x35, 0x26, 0x41, 0x2d, 0xa3, 0x1b, 0x1b, 0x07, 0x2c, 0x0a, + 0x6b, 0x2b, 0x36, 0x87, 0x0c, 0xec, 0x5a, 0x9b, 0x72, 0xc2, 0x04, 0x79, + 0x4a, 0x68, 0xba, 0xde, 0x6d, 0x65, 0x37, 0x37, 0x4f, 0x0a, 0xa8, 0x5b, + 0x06, 0x45, 0xc0, 0x59, 0x39, 0x11, 0xd4, 0xcc, 0x28, 0x0c, 0x5d, 0x76, + 0x11, 0xeb, 0x71, 0x0a, 0xf7, 0x72, 0x06, 0x2f, 0x50, 0x98, 0xe1, 0xfc, + 0x86, 0x00, 0xaa, 0x9f, 0x45, 0xc5, 0x81, 0x8b, 0x73, 0xe9, 0x8c, 0xef, + 0x31, 0xd9, 0x9b, 0xde, 0xe7, 0x57, 0xd0, 0x14, 0x8f, 0xfe, 0xec, 0xed, + 0xc2, 0xfc, 0x18, 0x35, 0x4e, 0x24, 0xd0, 
0x46, 0x36, 0x86, 0xdb, 0x6f, + 0xa7, 0x06, 0x85, 0xef, 0x70, 0x2c, 0xce, 0xbb, 0xcc, 0x44, 0x3e, 0x82, + 0x2f, 0xfa, 0xc2, 0x12, 0x6d, 0x40, 0x71, 0xc4, 0xac, 0xd9, 0x48, 0x72, + 0xff, 0xec, 0x65, 0x89, 0x29, 0x81, 0x5f, 0x92, 0x98, 0x9f, 0xfb, 0xd0, + 0x73, 0xcf, 0xb1, 0x80, 0x37, 0x33, 0x37, 0xb1, 0x95, 0x7e, 0xba, 0xb2, + 0x6f, 0xee, 0x7b, 0x16, 0x09, 0x04, 0x9b, 0x01, 0x4b, 0x1e, 0xa0, 0x82, 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 
@@ -163,37 +184,37 @@ unsigned char resp_rid_bykey[] = { 0x01, 0x01, 0x04, 0x82, 0x06, 0x5c, 0x30, 0x82, 0x06, 0x58, 0x30, 0x7a, 0xa2, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, - 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, - 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, + 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, + 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, - 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, - 0x34, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x13, 0x5a, 0x5e, 0x74, - 0x4f, 0x2e, 0x7c, 0xa1, 0x7d, 0x89, 0x2a, 0x0c, 0x14, 0x1f, 0x13, 0xaf, - 0x17, 0x61, 0x87, 0xf8, 0xcc, 0x70, 0x82, 0x3e, 0x0e, 0x4f, 0xbe, 0x4f, - 0xc4, 0x95, 0xcc, 0x79, 0x2c, 0xe4, 0x87, 0x2c, 0x81, 0xc0, 0x5a, 0xfa, - 0x9f, 0xb4, 0xec, 0xdc, 0xae, 0x64, 0xca, 0xee, 0x35, 0xc3, 0x67, 0xd9, - 0xf5, 0x32, 0x6e, 0x2e, 0x2b, 0x71, 0x85, 0x24, 0xff, 0xfd, 0xe2, 0x6b, - 0x8f, 0xf6, 0xaa, 0xa5, 0x0a, 0xb3, 0x56, 0xb4, 0xa5, 0xb8, 0xf9, 0x7a, - 0x35, 0x6a, 0x8c, 0xe4, 0x58, 0x64, 0x04, 0xfe, 0x6f, 0x64, 0xf7, 0x26, - 0x07, 0xc0, 0xf5, 0x41, 0xf2, 0xba, 0x8b, 0x16, 0x51, 0x1f, 0xdd, 0xcc, - 0xf0, 0xc5, 0x5b, 0x38, 0xa6, 0xb8, 0xa7, 0xf4, 0x18, 0x92, 0xec, 0xab, - 0x71, 0xa2, 0x15, 0xed, 0x69, 0x6c, 0x9f, 0x8f, 0x2b, 0x88, 0x2f, 0x94, - 0x5b, 0x5d, 0x93, 0xb6, 0xa1, 0x4a, 0x04, 0x36, 0xd1, 0xb1, 0x41, 0x23, - 0x34, 0x21, 0x76, 0xa1, 0x22, 
0x98, 0x88, 0xff, 0xbc, 0x07, 0xa6, 0x1e, - 0x6c, 0x63, 0x2f, 0x72, 0x9b, 0x9c, 0xa4, 0x70, 0x53, 0x9f, 0x6c, 0xbc, - 0xac, 0x8f, 0x6d, 0xfb, 0xfe, 0xaf, 0x72, 0x7c, 0x00, 0xe7, 0x66, 0xed, - 0x0f, 0xf5, 0x87, 0xac, 0xa4, 0x1f, 0x9b, 0x5a, 0x70, 0xb7, 0xda, 0x04, - 0xf1, 0xa6, 0x88, 0x36, 0xa1, 0xbb, 0xb8, 0xf4, 0xd5, 0x50, 0x56, 0x45, - 0xa8, 0xe1, 0xe5, 0x51, 0x0e, 0xbe, 0x86, 0x5b, 0xfb, 0x87, 0x46, 0x95, - 0xf4, 0x1c, 0x4b, 0x14, 0x17, 0xec, 0x14, 0xa6, 0xd5, 0xdc, 0xd5, 0x06, - 0xb8, 0xc8, 0x1b, 0x5c, 0xb8, 0xe8, 0x10, 0x13, 0x40, 0x1f, 0xc4, 0xd9, - 0x6b, 0xdd, 0xe1, 0x06, 0xa9, 0xcd, 0x0e, 0x97, 0x6e, 0x92, 0x2a, 0x87, - 0x00, 0xc4, 0x9b, 0xd2, 0x94, 0xfa, 0x4e, 0x7d, 0x34, 0x74, 0xfe, 0xf5, + 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, + 0x39, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x18, 0x8b, 0xc4, 0x9c, + 0x4e, 0x93, 0x4c, 0x91, 0x99, 0x32, 0x43, 0x3d, 0x03, 0xa0, 0x18, 0x7c, + 0x20, 0x03, 0x2d, 0x29, 0x4a, 0xf8, 0x48, 0x43, 0xe5, 0x86, 0x27, 0x3f, + 0x35, 0x99, 0x0e, 0x7f, 0xed, 0x7c, 0x1a, 0xd6, 0xfe, 0x2d, 0xed, 0xf8, + 0x42, 0xda, 0xf3, 0xc0, 0x28, 0x8c, 0x7a, 0xf7, 0x4a, 0xbc, 0x9d, 0x54, + 0xf0, 0x27, 0x89, 0xf3, 0xb9, 0x08, 0x9a, 0x8c, 0xf9, 0x4b, 0x75, 0x47, + 0x39, 0x68, 0x64, 0xea, 0x2b, 0x16, 0x8d, 0xe6, 0x30, 0x4e, 0xb8, 0x97, + 0xcd, 0x2d, 0x87, 0xc2, 0x5a, 0xb7, 0x10, 0xfa, 0xb9, 0x94, 0xad, 0xfe, + 0xe4, 0x4e, 0xeb, 0x40, 0xe6, 0x56, 0xa0, 0x79, 0x88, 0x84, 0x51, 0x38, + 0x79, 0xc6, 0x00, 0xc8, 0x94, 0xc8, 0x06, 0x45, 0x0d, 0x16, 0x51, 0xa1, + 0xa0, 0xb5, 0xee, 0xa0, 0x91, 0xee, 0x35, 0x4a, 0xec, 0x60, 0xfb, 0x5a, + 0x38, 0x40, 0x72, 0xf9, 0xc8, 0x54, 0x26, 0x58, 0xed, 0x6a, 0x7e, 0x4e, + 0xca, 0xd8, 0xae, 0xb5, 0xf0, 0xe8, 0xed, 0x3a, 0xff, 0x51, 0xf9, 0x6e, + 0x3d, 0x09, 0x4a, 0xb2, 0x68, 0x48, 0x33, 0xc0, 0xe8, 0x48, 0x77, 0xc9, + 0xe3, 0x06, 0x0c, 0xc8, 0x92, 0x70, 0x54, 0x70, 0x33, 0x1b, 0x7c, 0xb8, + 0x50, 0x67, 0xa7, 0xb4, 0x2d, 
0x98, 0x77, 0x0e, 0x90, 0x0a, 0x55, 0xb7, + 0xde, 0x06, 0x2a, 0x14, 0x51, 0x9d, 0xb1, 0x79, 0x2e, 0x8e, 0x3d, 0xef, + 0x4c, 0x9b, 0x86, 0x22, 0x95, 0x2b, 0x1e, 0xa4, 0xf4, 0x09, 0x4c, 0xca, + 0xe9, 0x5e, 0x0c, 0x87, 0x2c, 0x74, 0x1d, 0x78, 0x50, 0xa6, 0x9e, 0x36, + 0x3b, 0xeb, 0x4e, 0x24, 0x00, 0xa2, 0x25, 0x2a, 0x63, 0xd8, 0x2e, 0xfe, + 0xd2, 0xf1, 0x3b, 0x9d, 0x36, 0x80, 0x00, 0x67, 0xe4, 0x1d, 0xf9, 0x83, + 0xd1, 0x65, 0x73, 0x3e, 0xe1, 0xbc, 0x16, 0x54, 0xa8, 0x0d, 0x21, 0xc0, 0xa0, 0x82, 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 
@@ -317,37 +338,37 @@ unsigned char resp_nocert[] = { 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, - 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, - 0x33, 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, + 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, + 0x30, 0x39, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, - 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, + 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6d, 0x4a, 0x57, 0xc9, 0xef, 0xa5, - 0x17, 0x87, 0xa9, 0xc3, 0x39, 0x44, 0x19, 0x70, 0x93, 0x16, 0x47, 0x0f, - 0x0a, 0x9d, 0xfb, 0x7e, 0x35, 0xda, 0x96, 0x84, 0x2d, 0x67, 0x20, 0x2c, - 0x41, 0xa6, 0xbf, 0xa3, 0x73, 0x8e, 0x4d, 0x02, 0xf9, 0x07, 0x5e, 0x06, - 0xd5, 0x8c, 0x70, 0x90, 0x71, 0x55, 0xaf, 0x8b, 0xad, 0xfd, 0xa9, 0xeb, - 0x83, 0xae, 0x4e, 0x6b, 0x69, 0x76, 0x01, 0xe1, 0x5a, 0xd5, 0x60, 0xa9, - 0x03, 0x09, 0xa6, 0x53, 0x6f, 0x30, 0x66, 0x9e, 0x99, 0x09, 0xe0, 0x3f, - 0xfa, 0x80, 0xc0, 0x54, 0x70, 0x59, 0xdc, 0xcd, 0xf8, 0xcf, 0x77, 0x25, - 0xcf, 0xf7, 0xb6, 0xfe, 0xe1, 0x17, 0xcf, 0x08, 0xb1, 0xb3, 0x24, 0x4a, - 0x5b, 0xdb, 0x3a, 0xbd, 0xae, 0xa8, 0xc3, 0x51, 0x5b, 0xfa, 0xf7, 0xbb, - 0xf5, 0x1e, 0xc3, 0x81, 0xa9, 0x94, 0xeb, 0x62, 0x97, 0xd6, 0xff, 0x91, - 0xcc, 0xc1, 0xd3, 0xea, 0x01, 0xa4, 
0xe1, 0xa4, 0xf6, 0x4a, 0xa5, 0xbf, - 0x11, 0xd6, 0xbb, 0x3d, 0xde, 0x8c, 0xaa, 0x46, 0xa4, 0xe3, 0xc2, 0x47, - 0xb8, 0x13, 0x07, 0x2e, 0xbd, 0x6b, 0x81, 0xd6, 0x31, 0x73, 0xaa, 0x0c, - 0x7f, 0xf4, 0x8c, 0x4c, 0x70, 0x83, 0x12, 0xc8, 0xac, 0x37, 0xef, 0x79, - 0xae, 0xb3, 0xdf, 0xf0, 0x33, 0x53, 0x9a, 0x63, 0x3e, 0x19, 0x63, 0x62, - 0xea, 0x0d, 0x34, 0x4e, 0x09, 0x23, 0xeb, 0xd4, 0x89, 0x5e, 0x01, 0x91, - 0xe3, 0xbb, 0x04, 0x3a, 0x8e, 0xb5, 0x49, 0x17, 0x66, 0x77, 0xf7, 0x9e, - 0xf2, 0xc2, 0x50, 0x83, 0xc2, 0x8d, 0x27, 0xee, 0xa8, 0x1b, 0xc4, 0xad, - 0xb6, 0xc8, 0xfe, 0x47, 0x36, 0x2a, 0x49, 0xc9, 0x86, 0xef, 0x09, 0xb0, - 0x4d, 0x5f, 0xa2, 0x9c, 0x51, 0xcb, 0xe9, 0x18, 0x1c, 0xce, 0x46, 0x0c, - 0x55, 0xa4, 0xfd, 0x11, 0xcf, 0xaa, 0x6f, 0xae, 0x56, 0xc6, + 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x31, 0xb2, 0x07, 0x71, 0xa6, 0x8e, + 0xd7, 0x32, 0xf5, 0x8d, 0x38, 0xd5, 0xbd, 0xe8, 0x6a, 0xba, 0x50, 0x79, + 0x0d, 0x60, 0x14, 0xc4, 0xdc, 0x3a, 0xb2, 0xd3, 0x47, 0x21, 0x83, 0x2f, + 0xb8, 0xa8, 0x91, 0x12, 0x58, 0x43, 0xd4, 0x27, 0x03, 0x10, 0x7c, 0x67, + 0x65, 0xfc, 0x7c, 0xb9, 0xe9, 0x07, 0x76, 0xa3, 0x68, 0x1a, 0x2b, 0x56, + 0xe0, 0x72, 0x5f, 0xb6, 0x6a, 0x2d, 0x52, 0x52, 0xf4, 0xf3, 0x4b, 0x91, + 0x6b, 0x65, 0xe2, 0xd3, 0x03, 0x9b, 0xaf, 0x11, 0x43, 0x97, 0x94, 0x63, + 0xff, 0x0d, 0x71, 0xf5, 0x4f, 0xef, 0x61, 0x4f, 0x55, 0xd3, 0x5b, 0x5f, + 0x61, 0x1f, 0x2c, 0x03, 0xbd, 0x3f, 0xde, 0x62, 0xb5, 0x36, 0xb0, 0x3a, + 0x52, 0xf3, 0x35, 0x26, 0x41, 0x2d, 0xa3, 0x1b, 0x1b, 0x07, 0x2c, 0x0a, + 0x6b, 0x2b, 0x36, 0x87, 0x0c, 0xec, 0x5a, 0x9b, 0x72, 0xc2, 0x04, 0x79, + 0x4a, 0x68, 0xba, 0xde, 0x6d, 0x65, 0x37, 0x37, 0x4f, 0x0a, 0xa8, 0x5b, + 0x06, 0x45, 0xc0, 0x59, 0x39, 0x11, 0xd4, 0xcc, 0x28, 0x0c, 0x5d, 0x76, + 0x11, 0xeb, 0x71, 0x0a, 0xf7, 0x72, 0x06, 0x2f, 0x50, 0x98, 0xe1, 0xfc, + 0x86, 0x00, 0xaa, 0x9f, 0x45, 0xc5, 0x81, 0x8b, 0x73, 0xe9, 0x8c, 0xef, + 0x31, 0xd9, 0x9b, 0xde, 0xe7, 0x57, 0xd0, 0x14, 0x8f, 0xfe, 0xec, 0xed, + 0xc2, 0xfc, 0x18, 0x35, 0x4e, 0x24, 0xd0, 0x46, 
0x36, 0x86, 0xdb, 0x6f, + 0xa7, 0x06, 0x85, 0xef, 0x70, 0x2c, 0xce, 0xbb, 0xcc, 0x44, 0x3e, 0x82, + 0x2f, 0xfa, 0xc2, 0x12, 0x6d, 0x40, 0x71, 0xc4, 0xac, 0xd9, 0x48, 0x72, + 0xff, 0xec, 0x65, 0x89, 0x29, 0x81, 0x5f, 0x92, 0x98, 0x9f, 0xfb, 0xd0, + 0x73, 0xcf, 0xb1, 0x80, 0x37, 0x33, 0x37, 0xb1, 0x95, 0x7e, 0xba, 0xb2, + 0x6f, 0xee, 0x7b, 0x16, 0x09, 0x04, 0x9b, 0x01, 0x4b, 0x1e, }; unsigned char resp_multi[] = { 
@@ -368,43 +389,43 @@ unsigned char resp_multi[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, - 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x81, 0x9e, 0x30, + 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x81, 0x9e, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, - 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, - 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, + 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, + 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x02, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, - 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, + 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6f, 0x6e, 0x22, 0x3a, 0x1d, - 0xa0, 0x71, 0xf0, 0x52, 0x0d, 0x6b, 0x4f, 0xc8, 0x3d, 0x7c, 0x14, 0x69, - 0x04, 0xe2, 0xcb, 0x42, 0x1d, 0xe0, 0xe2, 0x77, 0x9d, 0xb1, 0xa2, 0x61, - 0x41, 0x78, 0x21, 0x23, 0x98, 0x0c, 0xec, 0x2b, 0x59, 0x97, 0x42, 0x91, - 0x5e, 0x0f, 0x3a, 0x31, 0x0e, 0xe5, 0x66, 0xda, 
0x2b, 0x24, 0xaf, 0x26, - 0x29, 0x75, 0x06, 0xba, 0x9f, 0x04, 0x29, 0x7c, 0x0b, 0x36, 0x38, 0x49, - 0xa9, 0x82, 0x17, 0x08, 0xfc, 0x08, 0x9f, 0x9a, 0xdb, 0x63, 0x69, 0x0d, - 0x7e, 0xe8, 0xd9, 0x04, 0x41, 0xee, 0x52, 0x34, 0x24, 0x86, 0xd7, 0xb3, - 0x45, 0x57, 0x05, 0xda, 0x39, 0x07, 0x7e, 0xb4, 0x73, 0x6b, 0x53, 0x1c, - 0xe5, 0x30, 0x0f, 0x07, 0xb6, 0xf6, 0xb1, 0xe1, 0x26, 0xd5, 0x64, 0xd8, - 0xa3, 0xaa, 0xb8, 0x91, 0x6a, 0x90, 0xa1, 0x8a, 0x2b, 0x4f, 0x98, 0x57, - 0xc6, 0x94, 0x5b, 0xab, 0x09, 0xb6, 0x31, 0x79, 0xfb, 0xf2, 0x23, 0x27, - 0x8d, 0x88, 0x59, 0xc3, 0x35, 0xd5, 0x46, 0x4a, 0xf6, 0x72, 0x76, 0x51, - 0x0d, 0x26, 0xf0, 0x19, 0x55, 0x5e, 0xa9, 0xe8, 0xad, 0xa0, 0x0f, 0xc8, - 0xc1, 0x35, 0x66, 0xab, 0x65, 0xdf, 0xe4, 0xb4, 0x03, 0xf4, 0xf3, 0xb8, - 0xde, 0x1c, 0x3c, 0xc5, 0xde, 0x6a, 0x28, 0x69, 0x21, 0x51, 0x5c, 0x09, - 0xfb, 0xc5, 0x6c, 0x4e, 0x74, 0x28, 0x96, 0xe2, 0xb9, 0xdd, 0xdc, 0xf9, - 0x36, 0xe3, 0xd6, 0xe5, 0x31, 0x6a, 0xff, 0xa5, 0x6d, 0xaa, 0x8b, 0xb4, - 0x62, 0xcd, 0xcd, 0x39, 0xd5, 0x0c, 0xfb, 0x4f, 0x84, 0x25, 0x5d, 0x5b, - 0x61, 0xa9, 0xce, 0x73, 0xe4, 0xc9, 0x97, 0x2a, 0x99, 0x59, 0xbb, 0xa6, - 0x21, 0x5f, 0x31, 0x59, 0x99, 0x5d, 0xae, 0x9a, 0xa9, 0x14, 0x19, 0x55, - 0x7b, 0x8f, 0xde, 0x69, 0xaa, 0x09, 0x8b, 0x12, 0x9a, 0xff, 0x1a, + 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x0a, 0xc7, 0xfd, 0xa9, 0x1f, + 0x76, 0x19, 0xc8, 0xbd, 0xa2, 0x67, 0x24, 0xd1, 0x68, 0xe3, 0x8b, 0x27, + 0xf2, 0x67, 0x24, 0x87, 0xe3, 0x10, 0xba, 0x8d, 0x8d, 0x6f, 0xe2, 0xfa, + 0xc1, 0xa6, 0x5a, 0x4c, 0xb1, 0x79, 0x56, 0x50, 0x2b, 0xb7, 0xdf, 0x20, + 0x89, 0xda, 0x02, 0x3d, 0xef, 0xd3, 0xf9, 0x86, 0x6b, 0x0d, 0xd4, 0x92, + 0x7e, 0x90, 0x04, 0x6c, 0xfd, 0x7b, 0x6d, 0xde, 0x02, 0x37, 0xec, 0x09, + 0x2f, 0x6e, 0xf2, 0x69, 0xf8, 0x44, 0x82, 0xa9, 0x98, 0xca, 0xf4, 0x69, + 0xa1, 0xe5, 0x68, 0xa3, 0xa9, 0x5c, 0xea, 0x07, 0xdd, 0x62, 0x2f, 0xb1, + 0xd1, 0x55, 0x44, 0x82, 0x1a, 0xc3, 0x9f, 0x39, 0xec, 0xb9, 0x24, 0xfe, + 0xea, 0x50, 0x28, 0x6c, 0x79, 0x3a, 0x6b, 0xfd, 0xbc, 
0x3f, 0x81, 0xd3, + 0x7c, 0xab, 0x13, 0x54, 0x1b, 0x0d, 0xd7, 0xa9, 0x31, 0x97, 0x0f, 0x53, + 0x7a, 0xca, 0x49, 0x51, 0x03, 0xa9, 0xdc, 0x89, 0x00, 0x80, 0x69, 0xb6, + 0x52, 0x0a, 0x10, 0xfe, 0xe1, 0x7e, 0x5f, 0x73, 0x8a, 0xd9, 0xbf, 0x3f, + 0x02, 0x00, 0xf0, 0xb3, 0xb5, 0x04, 0xb8, 0x59, 0x07, 0xc9, 0x9b, 0x41, + 0x12, 0x8d, 0x12, 0xed, 0x58, 0x3d, 0xcf, 0xa0, 0x1c, 0x7d, 0x45, 0x5d, + 0x7c, 0x06, 0x0d, 0x8c, 0x98, 0xc9, 0x4e, 0xe9, 0x26, 0xa3, 0xc8, 0x70, + 0x18, 0xe8, 0xff, 0x9b, 0x88, 0x0d, 0x3f, 0x47, 0xb3, 0x24, 0x43, 0x8c, + 0x23, 0xa1, 0x3b, 0x64, 0x3d, 0x85, 0x34, 0x87, 0xae, 0x24, 0x76, 0x0f, + 0x1e, 0x20, 0x6b, 0xf8, 0x5e, 0x4b, 0xea, 0x8c, 0x2a, 0xb1, 0xfb, 0xf2, + 0xbc, 0xf7, 0x1d, 0x8f, 0x77, 0x69, 0x46, 0x4c, 0xff, 0x49, 0xd7, 0x47, + 0x07, 0xa2, 0x04, 0x18, 0x14, 0xa9, 0x59, 0x53, 0x18, 0x5c, 0x0d, 0xbf, + 0x04, 0xd9, 0xc8, 0xeb, 0xd2, 0xe7, 0x7b, 0xf1, 0x51, 0x8f, 0xca, }; unsigned char resp_bad_noauth[] = { 
@@ -425,43 +446,200 @@ unsigned char resp_bad_noauth[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, - 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x81, 0x9e, 0x30, + 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x81, 0x9e, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, - 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, - 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, + 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, + 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0xff, 0x66, 0x21, 0x8a, 0x6e, 0xc5, 0x86, 0x61, 0x84, 0x25, 0x9a, 0xba, 0xd6, 0x55, 0x39, 0xfb, 0x25, 0x51, 0x2c, 0xdd, 0x04, 0x14, 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, 0x3f, 0xed, 0x33, 0x63, 0xb3, 0xa4, 0xd8, 0x1d, 0x30, 0xe5, 0xe8, 0xd5, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, - 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, + 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x34, 0x4e, 0xce, 0xab, 0xf6, - 0xbc, 0xfc, 0xbe, 0x44, 0x18, 0x70, 0x8a, 0x2f, 0xf4, 0x1a, 0x6f, 0xa0, - 0x7c, 0x9f, 0xf7, 0x88, 0x9a, 0x52, 0xce, 0xd9, 0xea, 0x89, 0x43, 0xf3, - 0xff, 0x51, 0x45, 0x24, 0x64, 0xbd, 0xd6, 0x60, 0x46, 0x85, 0x57, 0x08, - 0xea, 0xb0, 0x3c, 0x1d, 0x7a, 0xf0, 0x53, 
0xb3, 0x51, 0xdb, 0x9d, 0x12, - 0x77, 0x02, 0xa5, 0x82, 0x22, 0xa7, 0x0d, 0x33, 0xe0, 0x4f, 0x32, 0xf7, - 0xdf, 0x91, 0xd7, 0x9d, 0x5a, 0x9e, 0x00, 0x64, 0xab, 0xcc, 0x33, 0x9b, - 0x29, 0xff, 0xb4, 0xf4, 0x6b, 0x2d, 0xdb, 0xda, 0x1e, 0x4e, 0x04, 0xf8, - 0xde, 0x98, 0x1f, 0xee, 0xd5, 0xdd, 0x06, 0x68, 0xa9, 0xd8, 0x2e, 0x51, - 0xab, 0x23, 0xaa, 0x5c, 0xfd, 0x1f, 0x8d, 0x72, 0xb6, 0x06, 0x3b, 0xb5, - 0x5e, 0x4b, 0x10, 0x92, 0xd2, 0x18, 0x30, 0x75, 0xcf, 0xda, 0x37, 0x12, - 0x1b, 0x3f, 0xf4, 0xdc, 0x9e, 0xa0, 0xb5, 0xe7, 0x08, 0xfe, 0x35, 0x06, - 0x43, 0x73, 0xae, 0x0f, 0x63, 0xdd, 0xf3, 0xa0, 0xb1, 0x7b, 0xd0, 0xef, - 0xe3, 0xdb, 0x67, 0x7b, 0xcf, 0x04, 0x12, 0x0c, 0x14, 0xe0, 0x79, 0x2d, - 0xcc, 0xe4, 0x3b, 0x3a, 0x73, 0x0a, 0x4c, 0x67, 0xd2, 0x70, 0x3b, 0x76, - 0xcf, 0xd1, 0xca, 0x9b, 0x9f, 0x36, 0x04, 0x39, 0x4e, 0x6f, 0xe7, 0x57, - 0x13, 0xfc, 0xea, 0x97, 0x4f, 0xa4, 0x58, 0x27, 0x86, 0xad, 0xf1, 0x69, - 0x35, 0xf0, 0x36, 0xf7, 0xc7, 0x54, 0xe6, 0x9c, 0xec, 0x99, 0x33, 0x71, - 0xbf, 0xdf, 0x66, 0x20, 0xa7, 0x93, 0x7d, 0x57, 0xf6, 0xf4, 0x7e, 0xd1, - 0x6d, 0x8e, 0x25, 0x1b, 0xc4, 0xa3, 0x36, 0x45, 0xeb, 0xdc, 0x0a, 0xde, - 0xb4, 0x6e, 0xa7, 0x36, 0x5e, 0xba, 0x9a, 0x5f, 0xd2, 0x79, 0x08, 0x8b, - 0x8d, 0xdc, 0x82, 0x2c, 0x27, 0x90, 0xc7, 0xeb, 0xb7, 0xa1, 0x58, + 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x16, 0xe7, 0xf6, 0x64, 0x59, + 0x3a, 0x69, 0x64, 0x73, 0x5f, 0x9d, 0xdf, 0x91, 0xd8, 0xca, 0xc4, 0x99, + 0xa5, 0x21, 0xdf, 0x49, 0x49, 0x84, 0xb9, 0xbe, 0x34, 0xaf, 0xf1, 0xf8, + 0x6f, 0x8d, 0xea, 0x0d, 0x43, 0x1f, 0xcf, 0xe1, 0xd0, 0xda, 0x3e, 0x41, + 0x3d, 0xab, 0x27, 0x19, 0x62, 0x03, 0x95, 0x1d, 0xc4, 0x09, 0xa2, 0xfb, + 0x86, 0xfb, 0x19, 0x58, 0x32, 0x23, 0xc7, 0xb8, 0x96, 0xc1, 0xa4, 0x13, + 0xc5, 0xe5, 0x61, 0x33, 0xb6, 0xbf, 0x34, 0x6f, 0x06, 0xaf, 0xcf, 0x9f, + 0xaf, 0x84, 0x82, 0xa0, 0x9d, 0x00, 0x2a, 0x40, 0x9a, 0x77, 0x7f, 0xdd, + 0x20, 0xc0, 0x3f, 0xa4, 0x84, 0x16, 0xef, 0x42, 0x32, 0x56, 0x66, 0xba, + 0x9a, 0xb4, 0xf3, 0x79, 0x33, 0x3c, 0x5b, 0xa2, 
0x40, 0xe9, 0x8b, 0xdc, + 0x0d, 0x1d, 0x7a, 0x26, 0x25, 0x9f, 0xe8, 0x09, 0x74, 0x8a, 0x77, 0x6a, + 0x82, 0x9b, 0xa1, 0x57, 0xd2, 0xa3, 0xb7, 0x40, 0x06, 0x62, 0x35, 0x15, + 0x31, 0x54, 0xd4, 0x68, 0x75, 0x76, 0x56, 0xe3, 0xd6, 0x0b, 0x38, 0x99, + 0x06, 0xf9, 0x75, 0xb0, 0x81, 0x3f, 0xa4, 0x97, 0xec, 0xee, 0x28, 0x0b, + 0xcd, 0xe8, 0x23, 0xb1, 0x21, 0xe3, 0xd0, 0x88, 0xe0, 0x57, 0x97, 0x40, + 0x54, 0x62, 0x7c, 0x9a, 0xbd, 0x07, 0xe1, 0x5c, 0x71, 0xe0, 0xfb, 0xcd, + 0xc5, 0x03, 0xf5, 0x90, 0xc1, 0x2b, 0xc4, 0x5a, 0x09, 0x55, 0x17, 0x80, + 0x41, 0xa6, 0xdc, 0xaf, 0x42, 0x41, 0x3c, 0xbf, 0xe8, 0xef, 0xa7, 0xf4, + 0x7b, 0x9d, 0xa1, 0xfe, 0x80, 0xa1, 0xab, 0x0f, 0x8b, 0x4e, 0x4f, 0x0a, + 0x10, 0x8b, 0xf2, 0x10, 0xeb, 0xf7, 0x73, 0xe3, 0xa7, 0x03, 0x9f, 0x0e, + 0x33, 0x03, 0x42, 0x4e, 0xbe, 0xdd, 0x11, 0x2f, 0x9a, 0x06, 0xf7, 0x22, + 0x7d, 0xfd, 0xb5, 0xa4, 0x89, 0xf8, 0x06, 0x2c, 0x41, 0xcf, 0x8a, +}; + +unsigned char resp_bad_embedded_cert[] = { + 0x30, 0x82, 0x07, 0x2e, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x07, 0x27, 0x30, + 0x82, 0x07, 0x23, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, + 0x01, 0x01, 0x04, 0x82, 0x07, 0x14, 0x30, 0x82, 0x07, 0x10, 0x30, 0x81, + 0xff, 0xa1, 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, + 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, + 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, + 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, + 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, + 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, + 0x86, 
0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, + 0x6f, 0x6d, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, + 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, + 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, + 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, + 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, + 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, + 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, + 0x0f, 0x32, 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, + 0x34, 0x30, 0x39, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x3f, 0x34, + 0x62, 0xfc, 0xd3, 0xf8, 0x95, 0x00, 0xc1, 0x3e, 0x4a, 0x18, 0x68, 0xf2, + 0x6a, 0x71, 0xe8, 0xdf, 0x99, 0x42, 0xef, 0x2a, 0x2a, 0xcf, 0xa7, 0x43, + 0xca, 0xd0, 0x93, 0x6b, 0x51, 0x05, 0xbf, 0xf9, 0xbb, 0xdb, 0x10, 0xc0, + 0xb4, 0x02, 0xc7, 0x78, 0x07, 0x96, 0xf7, 0x02, 0x12, 0xa0, 0x9f, 0x68, + 0x6f, 0xfc, 0x35, 0x6d, 0x9f, 0x90, 0x84, 0x1c, 0x6e, 0x57, 0x7b, 0x45, + 0x37, 0xb8, 0xe3, 0x9d, 0x65, 0x22, 0x56, 0x24, 0xf6, 0xce, 0xb0, 0x79, + 0xd6, 0xfa, 0xec, 0xc1, 0xe6, 0xbe, 0x97, 0xf7, 0xd5, 0x6e, 0xcd, 0xbb, + 0xf9, 0x0c, 0xf8, 0x26, 0x0b, 0xf1, 0x20, 0x93, 0x11, 0x40, 0x61, 0x18, + 0x5b, 0x24, 0xdf, 0x62, 0x39, 0xe1, 0x3d, 0xf2, 0x35, 0x3f, 0xbe, 0xa8, + 0xc5, 0x99, 0xe7, 0x67, 0xbe, 0xaa, 0xc0, 0x0b, 0x53, 0xe9, 0xb6, 0x16, + 0x55, 0x7f, 0xc6, 0x0d, 0xe4, 0x43, 0x96, 0xa6, 0xf7, 0x48, 0x21, 0xab, + 0xf3, 0x0a, 0x17, 0x77, 0x87, 0x54, 0x7a, 0x35, 0x87, 0xfb, 0x7b, 0x7a, + 0xcb, 0x87, 0x9f, 0x80, 0x8c, 0xe9, 0xcf, 0x04, 0x8d, 0xc0, 0xa5, 0x8c, + 0xd7, 0xc6, 0x37, 0xcd, 0x28, 0x83, 0x6c, 0x68, 0x32, 0x97, 0xa7, 0x2e, + 0x9d, 0x1c, 0x5b, 0x20, 0x77, 0x63, 0x55, 0x1b, 0x8b, 0x0b, 0xed, 0x1d, + 0x25, 
0x65, 0xaf, 0xf8, 0x3e, 0xcf, 0x5f, 0x43, 0x7f, 0xf8, 0xe3, 0x03, + 0x13, 0x4f, 0x7a, 0x8a, 0x0d, 0x6b, 0xdd, 0xd6, 0xee, 0xd9, 0x97, 0xfe, + 0xc1, 0x6a, 0x5b, 0x20, 0x39, 0x4f, 0x8f, 0x0c, 0x8c, 0x62, 0x33, 0x17, + 0x9a, 0xa8, 0x25, 0x20, 0xa4, 0x7b, 0x20, 0x98, 0x7d, 0x64, 0xc8, 0x7d, + 0xf4, 0xae, 0x77, 0xcb, 0x4a, 0xb7, 0xa0, 0xdf, 0x5e, 0x08, 0x83, 0xc5, + 0x85, 0xdf, 0x71, 0xb1, 0x4f, 0x68, 0x1a, 0x34, 0x6f, 0xf5, 0xc1, 0xd0, + 0x0d, 0x97, 0xa0, 0x82, 0x04, 0xf8, 0x30, 0x82, 0x04, 0xf4, 0x30, 0x82, + 0x04, 0xf0, 0x30, 0x82, 0x03, 0xd8, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, + 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, + 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, + 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, + 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, + 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, + 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, + 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x37, + 0x30, 0x39, 0x31, 0x34, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, + 0x81, 0xa1, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 
0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, + 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x22, + 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, 0x77, 0x6f, 0x6c, + 0x66, 0x53, 0x53, 0x4c, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6d, 0x65, + 0x64, 0x69, 0x61, 0x74, 0x65, 0x20, 0x43, 0x41, 0x20, 0x32, 0x31, 0x1f, + 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, + 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, + 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, + 0x82, 0x01, 0x01, 0x00, 0xd0, 0x20, 0x3c, 0x35, 0x19, 0x6f, 0x2c, 0x44, + 0xb4, 0x7e, 0x42, 0xc7, 0x75, 0xb4, 0x6a, 0x2b, 0xa9, 0x23, 0x85, 0xbf, + 0x87, 0xb4, 0xee, 0xca, 0xd7, 0x4b, 0x1f, 0x31, 0xd7, 0x11, 0x02, 0xa1, + 0xab, 0x58, 0x3d, 0xfb, 0xdc, 0x51, 0xca, 0x3a, 0x1d, 0x1f, 0x95, 0xa6, + 0x56, 0x82, 0xf7, 0x8f, 0xff, 0x6b, 0x50, 0xbb, 0xea, 0x10, 0xe1, 0x47, + 0x1d, 0x35, 0x77, 0x2e, 0x4b, 0x28, 0xc5, 0x53, 0x46, 0x23, 0x2b, 0x82, + 0xfd, 0x5a, 0xd3, 0xf4, 0x21, 0xdb, 0x0e, 0xe0, 0xf2, 0x76, 0x33, 0x47, + 0xb3, 0x00, 0xbe, 0x3a, 0xb1, 0x23, 0x98, 0x53, 0xeb, 0xea, 0xa0, 0xde, + 0x1b, 0xcc, 0x05, 0x4e, 0xee, 0x63, 0xa8, 0x2c, 0x93, 0x24, 0xd6, 0x98, + 0x78, 0x74, 0x03, 0xe4, 0xc8, 0x89, 0x43, 0x61, 0xf1, 0x25, 0xb8, 0xcd, + 0x3b, 0x87, 0xc1, 0x31, 0x25, 0xfd, 0xba, 0x4c, 0xfc, 0x29, 0x94, 0x45, + 0x9e, 0x69, 0xd7, 0x67, 0x0a, 0x8a, 0x8e, 0xd5, 0x52, 0x93, 0x30, 0xa2, + 0x0e, 0xdd, 0x6a, 0x1c, 0xb0, 0x94, 0x77, 0xdb, 0x52, 0x52, 0xb7, 0x89, + 0x21, 
0xbe, 0x96, 0x75, 0x24, 0xcb, 0xe9, 0x49, 0xdf, 0x81, 0x9d, 0x9d, + 0xf8, 0x55, 0x7d, 0x01, 0x2a, 0xeb, 0x78, 0x03, 0x12, 0xe2, 0x20, 0x6e, + 0xdb, 0x63, 0x35, 0xcd, 0xa1, 0x96, 0xf0, 0xf8, 0x8c, 0x20, 0x35, 0x69, + 0x87, 0x01, 0xca, 0xb4, 0x54, 0x36, 0xa0, 0x15, 0xe0, 0x23, 0x7d, 0xb9, + 0xfb, 0xbe, 0x99, 0x05, 0x50, 0xf0, 0xbf, 0xec, 0x7f, 0x12, 0xe1, 0x3d, + 0x75, 0x15, 0x4e, 0xc8, 0xc2, 0x30, 0xe6, 0x8b, 0xfe, 0xe5, 0x8b, 0x55, + 0xf8, 0x44, 0x5e, 0xe5, 0xe3, 0x56, 0xe0, 0x66, 0x2d, 0x6f, 0x42, 0x5a, + 0x45, 0x6b, 0x96, 0xaa, 0xc7, 0x5d, 0x41, 0x08, 0x5f, 0xce, 0xd7, 0xdc, + 0x9f, 0x20, 0xe4, 0x46, 0x78, 0xff, 0xd9, 0x99, 0x02, 0x03, 0x01, 0x00, + 0x01, 0xa3, 0x82, 0x01, 0x39, 0x30, 0x82, 0x01, 0x35, 0x30, 0x0c, 0x06, + 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x05, 0xd1, + 0xba, 0x86, 0x00, 0xa2, 0xee, 0x2a, 0x05, 0x24, 0xb7, 0x11, 0xad, 0x2d, + 0x60, 0xf1, 0x90, 0x14, 0x8f, 0x17, 0x30, 0x81, 0xc4, 0x06, 0x03, 0x55, + 0x1d, 0x23, 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, 0x73, 0xb0, + 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, + 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, 0x81, 0x9a, + 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, + 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, + 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, + 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, + 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, + 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x43, + 0x41, 
0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, + 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, + 0x63, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, + 0x01, 0x06, 0x30, 0x32, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, + 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, 0x30, 0x22, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, + 0x3a, 0x2f, 0x2f, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, + 0x3a, 0x32, 0x32, 0x32, 0x32, 0x30, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x1f, 0x0a, 0xd4, 0x04, 0xb7, 0x38, 0x42, 0xe7, 0xfa, 0x85, + 0xee, 0x3a, 0xf7, 0x11, 0x98, 0x5a, 0x79, 0xd2, 0x43, 0x8b, 0xf0, 0x2b, + 0xd2, 0xfc, 0xad, 0x7b, 0x33, 0xa0, 0x25, 0xa5, 0xb5, 0x3f, 0x29, 0x13, + 0x94, 0x9c, 0xda, 0xb6, 0xe6, 0x41, 0x8c, 0x9a, 0x92, 0x3b, 0xcc, 0x44, + 0x6e, 0x0e, 0x8e, 0x8b, 0x79, 0x09, 0x96, 0xed, 0x39, 0x57, 0xc4, 0xd6, + 0xb1, 0x7f, 0xdd, 0xbf, 0xf1, 0x26, 0x75, 0x89, 0x7d, 0x28, 0x54, 0xc5, + 0xe8, 0xda, 0x12, 0x28, 0x02, 0x5d, 0xbe, 0x91, 0x98, 0x95, 0xbf, 0xca, + 0xe8, 0x20, 0xd6, 0xc6, 0x6c, 0xb2, 0xaf, 0x09, 0xab, 0x3a, 0xc2, 0xc2, + 0xe5, 0xb1, 0xcf, 0xab, 0x79, 0x54, 0xf1, 0x44, 0xde, 0x77, 0xe4, 0xcb, + 0x18, 0xf5, 0x7a, 0xd9, 0x5f, 0xe9, 0x88, 0xcd, 0x50, 0x54, 0x59, 0x01, + 0xa0, 0x83, 0x1c, 0xb2, 0xad, 0x92, 0xea, 0xdf, 0xb1, 0x24, 0x84, 0xc7, + 0xb5, 0x17, 0xe5, 0xc3, 0xb4, 0x26, 0x5f, 0x24, 0x90, 0xda, 0xe1, 0xd4, + 0xac, 0xb8, 0xc7, 0xe0, 0x89, 0x1c, 0x56, 0x20, 0xaa, 0x53, 0x2d, 0x51, + 0x55, 0x0a, 0x01, 0xe2, 0x4c, 0xbc, 0x8c, 0x74, 0x59, 0x9d, 0xf5, 0xf1, + 0x74, 0xe7, 0x8b, 0xd8, 0x71, 0x12, 0x01, 0x2e, 0x6e, 0x4a, 0x01, 0xd7, + 0xfb, 0x8d, 0xa8, 0x2e, 0x42, 0x63, 0xab, 0x11, 0x57, 0x1f, 0x4a, 0x1e, + 0xc0, 0x43, 0x3b, 0x77, 0x32, 0x0d, 0xfe, 0x1f, 0xec, 0x62, 0x47, 0x27, + 0xa7, 
0x74, 0x84, 0x0a, 0x82, 0x3c, 0x0f, 0x5f, 0x83, 0x91, 0xe1, 0x78, + 0x35, 0x88, 0x9d, 0xe1, 0xda, 0xb1, 0x00, 0xcb, 0x77, 0xc7, 0xfc, 0xf2, + 0xa1, 0x3d, 0xc3, 0x7a, 0xde, 0xab, 0x81, 0xe4, 0x1b, 0xee, 0x75, 0xc9, + 0xb9, 0xea, 0xf8, 0xc1, 0x5f, 0xe6, 0x15, 0x6a, 0x1f, 0x96, 0xba, 0x30, + 0x05, 0x0f, 0x43, 0x7c, 0x21, 0xb6, }; unsigned char ocsp_responder_cert_pem[] = { 
@@ -1010,37 +1188,37 @@ unsigned char resp_bad[] = { 0x82, 0x01, 0x92, 0x30, 0x82, 0x01, 0x8e, 0x30, 0x7a, 0xa2, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, 0x18, 0x0f, 0x32, - 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, - 0x34, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, + 0x30, 0x32, 0x35, 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, + 0x39, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1, 0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52, 0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x35, - 0x30, 0x32, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x33, 0x34, 0x5a, 0x30, + 0x30, 0x32, 0x30, 0x35, 0x31, 0x36, 0x34, 0x34, 0x30, 0x39, 0x5a, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x03, 0x82, 0x01, 0x01, 0x00, 0x13, 0x5a, 0x5e, 0x74, 0x4f, 0x2e, 0x7c, - 0xa1, 0x7d, 0x89, 0x2a, 0x0c, 0x14, 0x1f, 0x13, 0xaf, 0x17, 0x61, 0x87, - 0xf8, 0xcc, 0x70, 0x82, 0x3e, 0x0e, 0x4f, 0xbe, 0x4f, 0xc4, 0x95, 0xcc, - 0x79, 0x2c, 0xe4, 0x87, 0x2c, 0x81, 0xc0, 0x5a, 0xfa, 0x9f, 0xb4, 0xec, - 0xdc, 0xae, 0x64, 0xca, 0xee, 0x35, 0xc3, 0x67, 0xd9, 0xf5, 0x32, 0x6e, - 0x2e, 0x2b, 0x71, 0x85, 0x24, 0xff, 0xfd, 0xe2, 0x6b, 0x8f, 0xf6, 0xaa, - 0xa5, 0x0a, 0xb3, 0x56, 0xb4, 0xa5, 0xb8, 0xf9, 0x7a, 0x35, 0x6a, 0x8c, - 0xe4, 0x58, 0x64, 0x04, 0xfe, 0x6f, 0x64, 0xf7, 0x26, 0x07, 0xc0, 0xf5, - 0x41, 0xf2, 0xba, 0x8b, 0x16, 0x51, 0x1f, 0xdd, 0xcc, 0xf0, 0xc5, 0x5b, - 0x38, 0xa6, 0xb8, 0xa7, 0xf4, 0x18, 0x92, 0xec, 0xab, 0x71, 0xa2, 0x15, - 0xed, 0x69, 0x6c, 0x9f, 0x8f, 0x2b, 0x88, 0x2f, 0x94, 0x5b, 0x5d, 0x93, - 0xb6, 0xa1, 0x4a, 0x04, 0x36, 0xd1, 
0xb1, 0x41, 0x23, 0x34, 0x21, 0x76, - 0xa1, 0x22, 0x98, 0x88, 0xff, 0xbc, 0x07, 0xa6, 0x1e, 0x6c, 0x63, 0x2f, - 0x72, 0x9b, 0x9c, 0xa4, 0x70, 0x53, 0x9f, 0x6c, 0xbc, 0xac, 0x8f, 0x6d, - 0xfb, 0xfe, 0xaf, 0x72, 0x7c, 0x00, 0xe7, 0x66, 0xed, 0x0f, 0xf5, 0x87, - 0xac, 0xa4, 0x1f, 0x9b, 0x5a, 0x70, 0xb7, 0xda, 0x04, 0xf1, 0xa6, 0x88, - 0x36, 0xa1, 0xbb, 0xb8, 0xf4, 0xd5, 0x50, 0x56, 0x45, 0xa8, 0xe1, 0xe5, - 0x51, 0x0e, 0xbe, 0x86, 0x5b, 0xfb, 0x87, 0x46, 0x95, 0xf4, 0x1c, 0x4b, - 0x14, 0x17, 0xec, 0x14, 0xa6, 0xd5, 0xdc, 0xd5, 0x06, 0xb8, 0xc8, 0x1b, - 0x5c, 0xb8, 0xe8, 0x10, 0x13, 0x40, 0x1f, 0xc4, 0xd9, 0x6b, 0xdd, 0xe1, - 0x06, 0xa9, 0xcd, 0x0e, 0x97, 0x6e, 0x92, 0x2a, 0x87, 0x00, 0xc4, 0x9b, - 0xd2, 0x94, 0xfa, 0x4e, 0x7d, 0x34, 0x74, 0xfe, 0xf5, + 0x03, 0x82, 0x01, 0x01, 0x00, 0x18, 0x8b, 0xc4, 0x9c, 0x4e, 0x93, 0x4c, + 0x91, 0x99, 0x32, 0x43, 0x3d, 0x03, 0xa0, 0x18, 0x7c, 0x20, 0x03, 0x2d, + 0x29, 0x4a, 0xf8, 0x48, 0x43, 0xe5, 0x86, 0x27, 0x3f, 0x35, 0x99, 0x0e, + 0x7f, 0xed, 0x7c, 0x1a, 0xd6, 0xfe, 0x2d, 0xed, 0xf8, 0x42, 0xda, 0xf3, + 0xc0, 0x28, 0x8c, 0x7a, 0xf7, 0x4a, 0xbc, 0x9d, 0x54, 0xf0, 0x27, 0x89, + 0xf3, 0xb9, 0x08, 0x9a, 0x8c, 0xf9, 0x4b, 0x75, 0x47, 0x39, 0x68, 0x64, + 0xea, 0x2b, 0x16, 0x8d, 0xe6, 0x30, 0x4e, 0xb8, 0x97, 0xcd, 0x2d, 0x87, + 0xc2, 0x5a, 0xb7, 0x10, 0xfa, 0xb9, 0x94, 0xad, 0xfe, 0xe4, 0x4e, 0xeb, + 0x40, 0xe6, 0x56, 0xa0, 0x79, 0x88, 0x84, 0x51, 0x38, 0x79, 0xc6, 0x00, + 0xc8, 0x94, 0xc8, 0x06, 0x45, 0x0d, 0x16, 0x51, 0xa1, 0xa0, 0xb5, 0xee, + 0xa0, 0x91, 0xee, 0x35, 0x4a, 0xec, 0x60, 0xfb, 0x5a, 0x38, 0x40, 0x72, + 0xf9, 0xc8, 0x54, 0x26, 0x58, 0xed, 0x6a, 0x7e, 0x4e, 0xca, 0xd8, 0xae, + 0xb5, 0xf0, 0xe8, 0xed, 0x3a, 0xff, 0x51, 0xf9, 0x6e, 0x3d, 0x09, 0x4a, + 0xb2, 0x68, 0x48, 0x33, 0xc0, 0xe8, 0x48, 0x77, 0xc9, 0xe3, 0x06, 0x0c, + 0xc8, 0x92, 0x70, 0x54, 0x70, 0x33, 0x1b, 0x7c, 0xb8, 0x50, 0x67, 0xa7, + 0xb4, 0x2d, 0x98, 0x77, 0x0e, 0x90, 0x0a, 0x55, 0xb7, 0xde, 0x06, 0x2a, + 0x14, 0x51, 0x9d, 0xb1, 0x79, 0x2e, 0x8e, 0x3d, 0xef, 
0x4c, 0x9b, 0x86, + 0x22, 0x95, 0x2b, 0x1e, 0xa4, 0xf4, 0x09, 0x4c, 0xca, 0xe9, 0x5e, 0x0c, + 0x87, 0x2c, 0x74, 0x1d, 0x78, 0x50, 0xa6, 0x9e, 0x36, 0x3b, 0xeb, 0x4e, + 0x24, 0x00, 0xa2, 0x25, 0x2a, 0x63, 0xd8, 0x2e, 0xfe, 0xd2, 0xf1, 0x3b, + 0x9d, 0x36, 0x80, 0x00, 0x67, 0xe4, 0x1d, 0xf9, 0x83, 0xd1, 0x65, 0x73, + 0x3e, 0xe1, 0xbc, 0x16, 0x54, 0xa8, 0x0d, 0x21, 0xc0, }; #endif /* OCSP_TEST_BLOBS_H */ From 4351a5dd702e7b5cb3829ae7014923017c2e4192 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 5 Feb 2025 17:14:06 +0000 Subject: [PATCH 16/22] ocsp/test: better test assertions --- tests/api/test_ocsp.c | 234 ++++++++++++++++++++++-------------------- 1 file changed, 120 insertions(+), 114 deletions(-) diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index d17711a0c..328a1551d 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c 
@@ -69,42 +69,44 @@ static int test_ocsp_response_with_cm(struct test_conf* c, int expectedRet) EXPECT_DECLS; WOLFSSL_CERT_MANAGER* cm = NULL; struct ocsp_cb_ctx cb_ctx; - int ret; - cm = wolfSSL_CertManagerNew(); - ExpectNotNull(cm); - ret = wolfSSL_CertManagerEnableOCSP(cm, - WOLFSSL_OCSP_URL_OVERRIDE | WOLFSSL_OCSP_NO_NONCE); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - ret = wolfSSL_CertManagerSetOCSPOverrideURL(cm, "http://foo.com"); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, + WOLFSSL_OCSP_URL_OVERRIDE | WOLFSSL_OCSP_NO_NONCE), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, "http://foo.com"), + WOLFSSL_SUCCESS); cb_ctx.response = (byte*)c->resp; cb_ctx.responseSz = c->respSz; - ret = wolfSSL_CertManagerSetOCSP_Cb(cm, ocsp_cb, NULL, (void*)&cb_ctx); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_CertManagerSetOCSP_Cb(cm, ocsp_cb, NULL, (void*)&cb_ctx), + WOLFSSL_SUCCESS); /* add ca in cm */ if (c->ca0 != NULL) { - ret = wolfSSL_CertManagerLoadCABuffer(cm, c->ca0, c->ca0Sz, - WOLFSSL_FILETYPE_ASN1); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, c->ca0, c->ca0Sz, + WOLFSSL_FILETYPE_ASN1), + WOLFSSL_SUCCESS); } if (c->ca1 != NULL) { - ret = wolfSSL_CertManagerLoadCABuffer(cm, c->ca1, c->ca1Sz, - WOLFSSL_FILETYPE_ASN1); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, c->ca1, c->ca1Sz, + WOLFSSL_FILETYPE_ASN1), + WOLFSSL_SUCCESS); } /* check cert */ - ret = wolfSSL_CertManagerCheckOCSP(cm, c->targetCert, c->targetCertSz); - ExpectIntEQ(ret, expectedRet); - wolfSSL_CertManagerFree(cm); + ExpectIntEQ( + wolfSSL_CertManagerCheckOCSP(cm, c->targetCert, c->targetCertSz), + expectedRet); + if (cm != NULL) + wolfSSL_CertManagerFree(cm); return EXPECT_RESULT(); } int test_ocsp_response_parsing(void) { - struct test_conf conf; - int ret, expectedRet; EXPECT_DECLS; + 
struct test_conf conf; + int expectedRet; + conf.resp = (unsigned char*)resp; conf.respSz = sizeof(resp); conf.ca0 = root_ca_cert_pem; @@ -113,8 +115,8 @@ int test_ocsp_response_parsing(void) conf.ca1Sz = 0; conf.targetCert = intermediate1_ca_cert_pem; conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); - ret = test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS); - ExpectIntEQ(ret, TEST_SUCCESS); + ExpectIntEQ(test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS), + TEST_SUCCESS); conf.resp = (unsigned char*)resp_multi; conf.respSz = sizeof(resp_multi); @@ -124,8 +126,8 @@ int test_ocsp_response_parsing(void) conf.ca1Sz = 0; conf.targetCert = intermediate1_ca_cert_pem; conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); - ret = test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS); - ExpectIntEQ(ret, TEST_SUCCESS); + ExpectIntEQ(test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS), + TEST_SUCCESS); conf.resp = (unsigned char*)resp_bad_noauth; conf.respSz = sizeof(resp_bad_noauth); 
@@ -139,24 +141,27 @@ int test_ocsp_response_parsing(void) #ifdef WOLFSSL_NO_OCSP_ISSUER_CHECK expectedRet = WOLFSSL_SUCCESS; #endif - ret = test_ocsp_response_with_cm(&conf, expectedRet); - ExpectIntEQ(ret, TEST_SUCCESS); + ExpectIntEQ(test_ocsp_response_with_cm(&conf, expectedRet), TEST_SUCCESS); - /* Test response with unusable internal cert but that can be verified in CM */ - conf.resp = (unsigned char*)resp_bad_embedded_cert; // Response with wrong internal cert + /* Test response with unusable internal cert but that can be verified in CM + */ + conf.resp = (unsigned char*) + resp_bad_embedded_cert; // Response with wrong internal cert conf.respSz = sizeof(resp_bad_embedded_cert); - conf.ca0 = root_ca_cert_pem; // Root CA cert + conf.ca0 = root_ca_cert_pem; // Root CA cert conf.ca0Sz = sizeof(root_ca_cert_pem); conf.ca1 = NULL; conf.ca1Sz = 0; conf.targetCert = intermediate1_ca_cert_pem; conf.targetCertSz = sizeof(intermediate1_ca_cert_pem); - ExpectIntEQ(test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS), TEST_SUCCESS); + ExpectIntEQ(test_ocsp_response_with_cm(&conf, WOLFSSL_SUCCESS), + TEST_SUCCESS); return EXPECT_SUCCESS(); } #else /* HAVE_OCSP */ -int test_ocsp_response_parsing(void) { +int test_ocsp_response_parsing(void) +{ return TEST_SKIPPED; } #endif /* HAVE_OCSP */ @@ -167,15 +172,11 @@ static int test_ocsp_create_x509store(WOLFSSL_X509_STORE** store, { EXPECT_DECLS; WOLFSSL_X509* cert = NULL; - int ret; - *store = wolfSSL_X509_STORE_new(); - ExpectNotNull(*store); - cert = wolfSSL_X509_d2i(&cert, ca, caSz); - ExpectNotNull(cert); - ret = wolfSSL_X509_STORE_add_cert(*store, cert); + ExpectNotNull(*store = wolfSSL_X509_STORE_new()); + ExpectNotNull(cert = wolfSSL_X509_d2i(&cert, ca, caSz)); + ExpectIntEQ(wolfSSL_X509_STORE_add_cert(*store, cert), WOLFSSL_SUCCESS); wolfSSL_X509_free(cert); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); return EXPECT_RESULT(); } 
@@ -184,36 +185,30 @@ static int test_create_stack_of_x509(WOLF_STACK_OF(WOLFSSL_X509) * *certs, { EXPECT_DECLS; WOLFSSL_X509* cert = NULL; - int ret; - *certs = wolfSSL_sk_X509_new_null(); - ExpectNotNull(*certs); - cert = wolfSSL_X509_d2i(&cert, der, derSz); - ExpectNotNull(cert); - ret = wolfSSL_sk_X509_push(*certs, cert); - ExpectIntEQ(ret, 1); + ExpectNotNull(*certs = wolfSSL_sk_X509_new_null()); + ExpectNotNull(cert = wolfSSL_X509_d2i(&cert, der, derSz)); + ExpectIntEQ(wolfSSL_sk_X509_push(*certs, cert), 1); return EXPECT_RESULT(); } int test_ocsp_basic_verify(void) { EXPECT_DECLS; - WOLF_STACK_OF(WOLFSSL_X509) * certs; + WOLF_STACK_OF(WOLFSSL_X509)* certs = NULL; WOLFSSL_X509_STORE* store = NULL; const unsigned char* ptr = NULL; OcspResponse* response = NULL; DecodedCert cert; - int ret; wc_InitDecodedCert(&cert, ocsp_responder_cert_pem, sizeof(ocsp_responder_cert_pem), NULL); - ret = wc_ParseCert(&cert, CERT_TYPE, 0, NULL); - ExpectIntEQ(ret, 0); + ExpectIntEQ(wc_ParseCert(&cert, CERT_TYPE, 0, NULL), 0); /* just decoding */ ptr = (const unsigned char*)resp; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); - ExpectNotNull(response); + ExpectNotNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp))); ExpectIntEQ(response->responseStatus, 0); ExpectIntEQ(response->responderIdType, OCSP_RESPONDER_ID_NAME); ExpectBufEQ(response->responderId.nameHash, cert.subjectHash, @@ -222,8 +217,8 @@ int test_ocsp_basic_verify(void) /* responder Id by key hash */ ptr = (const unsigned char*)resp_rid_bykey; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_rid_bykey)); - ExpectNotNull(response); + ExpectNotNull(response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, + sizeof(resp_rid_bykey))); ExpectIntEQ(response->responseStatus, 0); ExpectIntEQ(response->responderIdType, OCSP_RESPONDER_ID_KEY); ExpectBufEQ(response->responderId.keyHash, cert.subjectKeyHash, 
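Review bot: In `test_create_stack_of_x509`, `cert` is never released when `wolfSSL_sk_X509_push(*certs, cert)` fails, so a failing run leaks the decoded certificate and adds leak-checker noise on top of the real failure. The sibling helper `test_ocsp_create_x509store` frees its `cert` unconditionally, but here ownership only moves to the stack on a successful push. Adding `if (!EXPECT_SUCCESS() && cert != NULL) wolfSSL_X509_free(cert);` just before `return EXPECT_RESULT();` keeps the failure path clean.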
@@ -232,112 +227,122 @@ int test_ocsp_basic_verify(void) /* decoding with no embedded certificates */ ptr = (const unsigned char*)resp_nocert; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); - ExpectNotNull(response); + ExpectNotNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert))); ExpectIntEQ(response->responseStatus, 0); wolfSSL_OCSP_RESPONSE_free(response); /* decoding an invalid response */ ptr = (const unsigned char*)resp_bad; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_bad)); - ExpectNull(response); + ExpectNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_bad))); ptr = (const unsigned char*)resp; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); - ExpectNotNull(response); + ExpectNotNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp))); /* no verify signer certificate */ - ret = wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY), + WOLFSSL_SUCCESS); /* verify that the signature is checked */ - response->sig[0] ^= 0xff; - ret = wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY); - ExpectIntEQ(ret, WOLFSSL_FAILURE); + if (EXPECT_SUCCESS()) { + response->sig[0] ^= 0xff; + } + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY), + WOLFSSL_FAILURE); wolfSSL_OCSP_RESPONSE_free(response); /* populate a store with root-ca-cert */ - ret = test_ocsp_create_x509store(&store, root_ca_cert_pem, - sizeof(root_ca_cert_pem)); - ExpectIntEQ(ret, TEST_SUCCESS); + ExpectIntEQ(test_ocsp_create_x509store(&store, root_ca_cert_pem, + sizeof(root_ca_cert_pem)), + TEST_SUCCESS); /* populate a WOLF_STACK_OF(WOLFSSL_X509) with responder certificate */ - ret = test_create_stack_of_x509(&certs, ocsp_responder_cert_pem, - sizeof(ocsp_responder_cert_pem)); - ExpectIntEQ(ret, TEST_SUCCESS); + 
ExpectIntEQ(test_create_stack_of_x509(&certs, ocsp_responder_cert_pem, + sizeof(ocsp_responder_cert_pem)), + TEST_SUCCESS); /* cert not embedded, cert in certs, validated using store */ ptr = (const unsigned char*)resp_nocert; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); - ExpectNotNull(response); - ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectNotNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert))); + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, certs, store, 0), + WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); /* cert embedded, verified using store */ ptr = (const unsigned char*)resp; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp)); - ExpectNotNull(response); - ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectNotNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp))); + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, NULL, store, 0), + WOLFSSL_SUCCESS); /* make invalid signature */ - response->sig[0] ^= 0xff; - ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); - ExpectIntEQ(ret, WOLFSSL_FAILURE); - response->sig[0] ^= 0xff; + if (EXPECT_SUCCESS()) { + response->sig[0] ^= 0xff; + } + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, NULL, store, 0), + WOLFSSL_FAILURE); + if (EXPECT_SUCCESS()) { + response->sig[0] ^= 0xff; + } /* cert embedded and in certs, no store needed bc OCSP_TRUSTOTHER */ - ret = wolfSSL_OCSP_basic_verify(response, certs, NULL, OCSP_TRUSTOTHER); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_OCSP_basic_verify(response, certs, NULL, OCSP_TRUSTOTHER), + WOLFSSL_SUCCESS); /* this should also pass */ - ret = wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOINTERN); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOINTERN), + WOLFSSL_SUCCESS); /* 
this should not */ - ret = wolfSSL_OCSP_basic_verify(response, NULL, store, OCSP_NOINTERN); - ExpectIntNE(ret, WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_OCSP_basic_verify(response, NULL, store, OCSP_NOINTERN), + WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); /* cert not embedded, not certs */ ptr = (const unsigned char*)resp_nocert; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert)); - ExpectNotNull(response); - ret = wolfSSL_OCSP_basic_verify(response, NULL, store, 0); - ExpectIntNE(ret, WOLFSSL_SUCCESS); + ExpectNotNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_nocert))); + ExpectIntNE(wolfSSL_OCSP_basic_verify(response, NULL, store, 0), + WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); wolfSSL_sk_X509_pop_free(certs, wolfSSL_X509_free); wolfSSL_X509_STORE_free(store); - ret = test_ocsp_create_x509store(&store, root_ca_cert_pem, - sizeof(root_ca_cert_pem)); - ExpectIntEQ(ret, TEST_SUCCESS); - ret = test_create_stack_of_x509(&certs, root_ca_cert_pem, - sizeof(root_ca_cert_pem)); - ExpectIntEQ(ret, TEST_SUCCESS); + ExpectIntEQ(test_ocsp_create_x509store(&store, root_ca_cert_pem, + sizeof(root_ca_cert_pem)), + TEST_SUCCESS); + ExpectIntEQ(test_create_stack_of_x509(&certs, root_ca_cert_pem, + sizeof(root_ca_cert_pem)), + TEST_SUCCESS); /* multiple responses in a ocsp response */ ptr = (const unsigned char*)resp_multi; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_multi)); - ExpectNotNull(response); - ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectNotNull( + response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_multi))); + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, certs, store, 0), + WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); /* cert in certs, cert verified on store, not authorized to verify all * responses */ ptr = (const unsigned char*)resp_bad_noauth; - response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, 
sizeof(resp_bad_noauth)); - ExpectNotNull(response); - ret = wolfSSL_OCSP_basic_verify(response, certs, store, 0); + ExpectNotNull(response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, + sizeof(resp_bad_noauth))); + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, certs, store, 0), #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK - ExpectIntEQ(ret, WOLFSSL_FAILURE); + WOLFSSL_FAILURE); #else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + WOLFSSL_SUCCESS); #endif /* should pass with OCSP_NOCHECKS ...*/ - ret = wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOCHECKS); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOCHECKS), + WOLFSSL_SUCCESS); /* or with OSCP_TRUSTOTHER */ - ret = wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_TRUSTOTHER); - ExpectIntEQ(ret, WOLFSSL_SUCCESS); + ExpectIntEQ( + wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_TRUSTOTHER), + WOLFSSL_SUCCESS); wolfSSL_OCSP_RESPONSE_free(response); wc_FreeDecodedCert(&cert); @@ -347,7 +352,8 @@ int test_ocsp_basic_verify(void) return EXPECT_RESULT(); } #else -int test_ocsp_basic_verify(void) { +int test_ocsp_basic_verify(void) +{ return TEST_SKIPPED; } #endif /* HAVE_OCSP && (OPENSSL_ALL || OPENSSL_EXTRA) */ @@ -581,5 +587,5 @@ int test_ocsp_status_callback(void) { return TEST_SKIPPED; } #endif /* defined(HAVE_OCSP) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) \ - && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) \ + && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) \ && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) */ From a06a8b589c057cf565056c2d3c42bdb03c5d4322 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 5 Feb 2025 18:56:36 +0000 Subject: [PATCH 17/22] ocsp: minors --- tests/api/test_ocsp.c | 17 +++++++++-------- wolfcrypt/src/asn.c | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) 
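Review bot: In `test_ocsp_basic_verify`, `response` keeps pointing at freed memory after each `wolfSSL_OCSP_RESPONSE_free(response);`, and the next assignment now happens inside `ExpectNotNull(response = wolfSSL_d2i_OCSP_RESPONSE(...))`. If the Expect* macros stop evaluating their argument once a check has failed (which the `if (EXPECT_SUCCESS())` guards added around `response->sig[0] ^= 0xff;` suggest), an early failure skips the reassignment and the following free releases the same pointer a second time. Before this change the assignment ran unconditionally, so the stale pointer was always overwritten. Setting `response = NULL;` after every `wolfSSL_OCSP_RESPONSE_free(response);`, and `certs = NULL; store = NULL;` after the mid-test `wolfSSL_sk_X509_pop_free`/`wolfSSL_X509_STORE_free` pair, keeps a failing run from ending in a double free. The function starts before this hunk and its final cleanup lies after it.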
diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index 328a1551d..edff37ae9 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c @@ -145,10 +145,9 @@ int test_ocsp_response_parsing(void) /* Test response with unusable internal cert but that can be verified in CM */ - conf.resp = (unsigned char*) - resp_bad_embedded_cert; // Response with wrong internal cert + conf.resp = (unsigned char*)resp_bad_embedded_cert; conf.respSz = sizeof(resp_bad_embedded_cert); - conf.ca0 = root_ca_cert_pem; // Root CA cert + conf.ca0 = root_ca_cert_pem; conf.ca0Sz = sizeof(root_ca_cert_pem); conf.ca1 = NULL; conf.ca1Sz = 0; @@ -200,6 +199,7 @@ int test_ocsp_basic_verify(void) const unsigned char* ptr = NULL; OcspResponse* response = NULL; DecodedCert cert; + int expectedRet; wc_InitDecodedCert(&cert, ocsp_responder_cert_pem, sizeof(ocsp_responder_cert_pem), NULL); @@ -329,12 +329,13 @@ int test_ocsp_basic_verify(void) ptr = (const unsigned char*)resp_bad_noauth; ExpectNotNull(response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr, sizeof(resp_bad_noauth))); - ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, certs, store, 0), -#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK - WOLFSSL_FAILURE); -#else - WOLFSSL_SUCCESS); + + expectedRet = WOLFSSL_FAILURE; +#ifdef WOLFSSL_NO_OCSP_ISSUER_CHECK + expectedRet = WOLFSSL_SUCCESS; #endif + ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, certs, store, 0), + expectedRet); /* should pass with OCSP_NOCHECKS ...*/ ExpectIntEQ( wolfSSL_OCSP_basic_verify(response, certs, store, OCSP_NOCHECKS), diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index ecb284562..3bfaeded2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37422,7 +37422,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, sigValid = 1; } else { - WOLFSSL_MSG("OCSP Internal certificate can't verify the response\n"); + WOLFSSL_MSG("OCSP Internal cert can't verify the response\n"); /* try to verify the OCSP response with CA certs */ ret = 0; } 
From 0af092ec7937524995649f11c87ed015abf7eab8 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Thu, 6 Feb 2025 11:51:15 +0000 Subject: [PATCH 18/22] ocsp: minors --- tests/api/test_ocsp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index edff37ae9..51addd66c 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c @@ -584,9 +584,10 @@ int test_ocsp_status_callback(void) } #else -int test_ocsp_status_callback(void) { +int test_ocsp_status_callback(void) +{ return TEST_SKIPPED; } -#endif /* defined(HAVE_OCSP) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) \ - && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) \ - && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) */ +#endif /* defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) && \ + (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) */ From 1eecf326fdd0dd277746b6c4df79e453ff8f1f5b Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Mon, 17 Feb 2025 08:39:06 +0000 Subject: [PATCH 19/22] ocsp: use ocspReponse->heap in OcspFindSigner + minors --- src/ocsp.c | 12 +++++++----- tests/api/test_ocsp.c | 2 +- tests/api/test_ocsp.h | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index 9d1569fd9..45780ecbd 100644 --- a/src/ocsp.c +++ b/src/ocsp.c 
@@ -844,16 +844,18 @@ static int OcspFindSigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *certDecoded; int i; - certDecoded = (DecodedCert *)XMALLOC(sizeof(*certDecoded), NULL, + certDecoded = (DecodedCert *)XMALLOC(sizeof(*certDecoded), resp->heap, DYNAMIC_TYPE_DCERT); if (certDecoded == NULL) return MEMORY_E; for (i = 0; i < wolfSSL_sk_X509_num(certs); i++) { signer_x509 = wolfSSL_sk_X509_value(certs, i); + if (signer_x509 == NULL) + continue; InitDecodedCert(certDecoded, signer_x509->derCert->buffer, - signer_x509->derCert->length, NULL); + signer_x509->derCert->length, resp->heap); if (ParseCertRelative(certDecoded, CERT_TYPE, NO_VERIFY, NULL, NULL) == 0) { if (OcspRespIdMatches(resp, certDecoded->subjectHash, @@ -867,12 +869,12 @@ static int OcspFindSigner(WOLFSSL_OCSP_BASICRESP *resp, } if (flags & WOLFSSL_OCSP_NOINTERN) { - XFREE(certDecoded, NULL, DYNAMIC_TYPE_DCERT); + XFREE(certDecoded, resp->heap, DYNAMIC_TYPE_DCERT); return ASN_NO_SIGNER_E; } /* not found in certs, search the cert embedded in the response */ - InitDecodedCert(certDecoded, resp->cert, resp->certSz, NULL); + InitDecodedCert(certDecoded, resp->cert, resp->certSz, resp->heap); if (ParseCertRelative(certDecoded, CERT_TYPE, NO_VERIFY, NULL, NULL) == 0) { if (OcspRespIdMatches(resp, certDecoded->subjectHash, certDecoded->subjectKeyHash)) { @@ -883,7 +885,7 @@ static int OcspFindSigner(WOLFSSL_OCSP_BASICRESP *resp, } FreeDecodedCert(certDecoded); - XFREE(certDecoded, NULL, DYNAMIC_TYPE_DCERT); + XFREE(certDecoded, resp->heap, DYNAMIC_TYPE_DCERT); return ASN_NO_SIGNER_E; } diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index 51addd66c..192271284 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c @@ -1,4 +1,4 @@ -/* ocsp.c +/* test_ocsp.c * * Copyright (C) 2006-2025 wolfSSL Inc. * diff --git a/tests/api/test_ocsp.h b/tests/api/test_ocsp.h index a09642a0d..8ba5a634c 100644 --- a/tests/api/test_ocsp.h +++ b/tests/api/test_ocsp.h 
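Review bot: The new `if (signer_x509 == NULL) continue;` guard in the `certs` loop of `OcspFindSigner` still lets the next line read `signer_x509->derCert->buffer` through a NULL `derCert`. The stack comes from the caller of the verify API, so an X509 object with no DER encoding attached could reach this point; whether such objects can be constructed is not shown in the hunk. Extending the guard to `if (signer_x509 == NULL || signer_x509->derCert == NULL) continue;` covers both cases. The loop body continues outside the hunk, so the per-iteration `FreeDecodedCert` handling could not be checked here.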
@@ -1,4 +1,4 @@ -/* ocsp.h +/* test_ocsp.h * * Copyright (C) 2006-2025 wolfSSL Inc. * From 09451019484c6b634214e8849dc80a2eb22f7886 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Mon, 17 Feb 2025 11:25:24 +0000 Subject: [PATCH 20/22] ocsp: fix: remove duplicated code --- src/tls.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/tls.c b/src/tls.c index 13147686f..af48764b0 100644 --- a/src/tls.c +++ b/src/tls.c @@ -3667,15 +3667,6 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length, } #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || \ defined(OPENSSL_EXTRA) */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) - if (ssl != NULL && SSL_CM(ssl) != NULL && - SSL_CM(ssl)->ocsp_stapling != NULL && - SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { - return TLSX_CSR_SetResponseWithStatusCB(ssl); - } -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || -defined(OPENSSL_EXTRA) */ if (ssl->buffers.certificate == NULL) { WOLFSSL_MSG("Certificate buffer not set!"); return BUFFER_ERROR; From a1d1f0ddf13d69cc941f7b8891212b645a965e5c Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Mon, 17 Feb 2025 11:29:09 +0000 Subject: [PATCH 21/22] ocsp: enable SSL_CTX_set_tlsext_status_cb only in OPENSSL_ALL --- src/internal.c | 19 +++++++++---------- src/tls.c | 25 +++++++++---------------- tests/api/test_ocsp.c | 9 +++++---- 3 files changed, 23 insertions(+), 30 deletions(-) diff --git a/src/internal.c b/src/internal.c index 02b3785b5..f7c73bcbe 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -8689,14 +8689,14 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl) #endif #ifdef OPENSSL_EXTRA XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL); -#ifdef HAVE_OCSP +#endif +#if defined(HAVE_OCSP) && defined(OPENSSL_ALL) if (ssl->ocspResp) { XFREE(ssl->ocspResp, NULL, 0); ssl->ocspResp = NULL; ssl->ocspRespSz = 0; } -#endif -#endif +#endif /* defined(HAVE_OCSP) && defined(OPENSSL_ALL) */ #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) while (ssl->certReqCtx != NULL) { CertReqCtx* curr = ssl->certReqCtx; @@ -9021,13 +9021,13 @@ void FreeHandshakeResources(WOLFSSL* ssl) * !WOLFSSL_POST_HANDSHAKE_AUTH */ #endif /* HAVE_TLS_EXTENSIONS && !NO_TLS */ -#if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA) +#if defined(HAVE_OCSP) && defined(OPENSSL_ALL) if (ssl->ocspResp != NULL) { XFREE(ssl->ocspResp, NULL, 0); ssl->ocspResp = NULL; ssl->ocspRespSz = 0; } -#endif /* HAVE_OCSP && OPENSSL_EXTRA */ +#endif /* HAVE_OCSP && OPENSSL_ALL */ #ifdef WOLFSSL_STATIC_MEMORY /* when done with handshake decrement current handshake count */ @@ -24858,7 +24858,7 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) + defined(WOLFSSL_HAPROXY)) static int BuildCertificateStatusWithStatusCB(WOLFSSL* ssl) { WOLFSSL_OCSP *ocsp; @@ -24896,9 +24896,8 @@ static int BuildCertificateStatusWithStatusCB(WOLFSSL* ssl) } return ret; } -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) */ +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST && (defined(OPENSSL_ALL) || + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) */ #endif /* NO_WOLFSSL_SERVER */ /* handle generation of certificate_status (22) */ 
@@ -24926,7 +24925,7 @@ int SendCertificateStatus(WOLFSSL* ssl) #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)) + defined(WOLFSSL_HAPROXY)) if (SSL_CM(ssl)->ocsp_stapling != NULL && SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { if (ssl->status_request == WOLFSSL_CSR_OCSP) diff --git a/src/tls.c b/src/tls.c index af48764b0..ba5cbe258 100644 --- a/src/tls.c +++ b/src/tls.c @@ -3238,15 +3238,14 @@ word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest, #endif #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) { -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL && SSL_CM(csr->ssl)->ocsp_stapling != NULL && SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL && idx == 0) { return OPAQUE8_LEN + OPAQUE24_LEN + csr->ssl->ocspRespSz; } -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA */ +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ return (word16)(OPAQUE8_LEN + OPAQUE24_LEN + csr->responses[idx].length); } @@ -3257,8 +3256,7 @@ word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest, } #if (defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)) && \ -(defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ -defined(OPENSSL_EXTRA)) +(defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) static int TLSX_CSR_SetResponseWithStatusCB(WOLFSSL *ssl) { void *ioCtx = NULL; 
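Review bot: In `TLSX_CSR_GetSize_ex` the status-callback branch returns `OPAQUE8_LEN + OPAQUE24_LEN + csr->ssl->ocspRespSz` from a function typed `word16`, with no range check and without the `(word16)` cast the neighbouring return uses. `ocspRespSz` is declared `int` in `struct WOLFSSL` and holds the length of the application-supplied OCSP response. A negative or larger-than-64K value would therefore make the reported extension size disagree with the `offset + respSz` that `TLSX_CSR_WriteWithStatusCB` returns. No bound on the stored length is visible in these hunks; if none exists elsewhere, it should be rejected where the response is accepted, e.g. `if (ssl->ocspRespSz < 0 || ssl->ocspRespSz > 0xFFFF - OPAQUE8_LEN - OPAQUE24_LEN) return BUFFER_ERROR;`. The same branch also tests `csr->ssl != NULL` only after the enclosing `if` has already read `csr->ssl->version`.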
@@ -3319,7 +3317,7 @@ static int TLSX_CSR_WriteWithStatusCB(CertificateStatusRequest* csr, return offset + respSz; } #endif /* (TLS13 && !NO_WOLFSLL_SERVER) && (OPENSSL_ALL || WOLFSSL_NGINX || -WOLFSSL_HAPROXY || OPENSSL_EXTRA) */ +WOLFSSL_HAPROXY) */ static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) { @@ -3373,16 +3371,14 @@ int TLSX_CSR_Write_ex(CertificateStatusRequest* csr, byte* output, #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) { word16 offset = 0; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL && SSL_CM(csr->ssl)->ocsp_stapling != NULL && SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL && idx == 0) { return TLSX_CSR_WriteWithStatusCB(csr, output); } -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || -defined(OPENSSL_EXTRA) */ +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ output[offset++] = csr->status_type; c32to24(csr->responses[idx].length, output + offset); offset += OPAQUE24_LEN; @@ -3658,15 +3654,13 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length, #if defined(WOLFSSL_TLS13) if (ssl->options.tls1_3) { -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) if (ssl != NULL && SSL_CM(ssl) != NULL && SSL_CM(ssl)->ocsp_stapling != NULL && SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { return TLSX_CSR_SetResponseWithStatusCB(ssl); } -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || \ - defined(OPENSSL_EXTRA) */ +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ if (ssl->buffers.certificate == NULL) { WOLFSSL_MSG("Certificate buffer not set!"); return BUFFER_ERROR; 
@@ -4163,8 +4157,7 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, const byte* input, word16 length, continue; } -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) /* OpenSSL status CB supports only CERTIFICATE STATUS REQ V1 */ if (ssl != NULL && SSL_CM(ssl) != NULL && SSL_CM(ssl)->ocsp_stapling != NULL && diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index 192271284..a32e604de 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c @@ -361,7 +361,7 @@ int test_ocsp_basic_verify(void) #if defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) && \ - (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) + defined(OPENSSL_ALL) struct _test_ocsp_status_callback_ctx { byte* ocsp_resp; @@ -588,6 +588,7 @@ int test_ocsp_status_callback(void) { return TEST_SKIPPED; } -#endif /* defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ - defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) && \ - (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) */ +#endif /* defined(HAVE_OCSP) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) \ + && defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ + !defined(WOLFSSL_NO_TLS12) \ + && defined(OPENSSL_ALL) */ From 7db3c34e2b50674a6233a00267d27759b4c2f672 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Mon, 17 Feb 2025 14:53:49 +0000 Subject: [PATCH 22/22] ocsp: enable OPENSSL tlsext status cb for NGINX and HAPROXY --- src/internal.c | 8 ++++---- src/ssl.c | 4 ++-- wolfssl/internal.h | 6 ++---- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/src/internal.c b/src/internal.c index f7c73bcbe..99da9a3c9 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -8690,13 +8690,13 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL); #endif -#if defined(HAVE_OCSP) && defined(OPENSSL_ALL) +#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) if (ssl->ocspResp) { XFREE(ssl->ocspResp, NULL, 0); ssl->ocspResp = NULL; ssl->ocspRespSz = 0; } -#endif /* defined(HAVE_OCSP) && defined(OPENSSL_ALL) */ +#endif /* defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) */ #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) while (ssl->certReqCtx != NULL) { CertReqCtx* curr = ssl->certReqCtx; @@ -9021,13 +9021,13 @@ void FreeHandshakeResources(WOLFSSL* ssl) * !WOLFSSL_POST_HANDSHAKE_AUTH */ #endif /* HAVE_TLS_EXTENSIONS && !NO_TLS */ -#if defined(HAVE_OCSP) && defined(OPENSSL_ALL) +#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) if (ssl->ocspResp != NULL) { XFREE(ssl->ocspResp, NULL, 0); ssl->ocspResp = NULL; ssl->ocspRespSz = 0; } -#endif /* HAVE_OCSP && OPENSSL_ALL */ +#endif /* defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) */ #ifdef WOLFSSL_STATIC_MEMORY /* when done with handshake decrement current handshake count */ diff --git a/src/ssl.c b/src/ssl.c index 503fb1aaa..fca23c9b8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17355,7 +17355,7 @@ void wolfSSL_ERR_load_SSL_strings(void) } #endif -#ifdef HAVE_OCSP +#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp) { if (s == NULL || resp == NULL) 
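Review bot: The guard `defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY))` is now written out by hand around both `ssl->ocspResp` frees in src/internal.c and around the `tlsext_status_ocsp_resp` accessors in src/ssl.c. It also appears, without the `HAVE_OCSP` term, around the `ocspResp`/`ocspRespSz`/`url` fields in wolfssl/internal.h. The preceding commit in this series narrowed these same sites to `OPENSSL_ALL`, which shows how easily they drift apart. A free site compiled under a narrower condition than the field leaks the stapled response, and a wider one fails to build. A single feature macro defined once next to the struct fields (name to be chosen by the project) and tested at every site would remove that risk and bring the new `#if`/`#endif` lines back under 80 columns.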
@@ -17377,7 +17377,7 @@ long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, return WOLFSSL_SUCCESS; } -#endif /* HAVE_OCSP */ +#endif /* defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) */ #ifdef HAVE_MAX_FRAGMENT #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_TLS) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 5ce7890c2..8ce9aac4e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -6133,12 +6133,10 @@ struct WOLFSSL { void* ocspIOCtx; byte ocspProducedDate[MAX_DATE_SZ]; int ocspProducedDateFormat; - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) byte* ocspResp; int ocspRespSz; - #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - char* url; - #endif + char* url; #endif #if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) word32 response_idx;