aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xconfigure22
-rw-r--r--crypto/tlscredsx509.c546
-rw-r--r--include/crypto/tlscredsx509.h1
-rw-r--r--tests/.gitignore3
-rw-r--r--tests/Makefile5
-rw-r--r--tests/crypto-tls-x509-helpers.c485
-rw-r--r--tests/crypto-tls-x509-helpers.h133
-rw-r--r--tests/pkix_asn1_tab.c1104
-rw-r--r--tests/test-crypto-tlscredsx509.c731
-rw-r--r--trace-events5
10 files changed, 3035 insertions, 0 deletions
diff --git a/configure b/configure
index d7c24cd..bdd302c 100755
--- a/configure
+++ b/configure
@@ -416,6 +416,9 @@ if test "$debug_info" = "yes"; then
LDFLAGS="-g $LDFLAGS"
fi
+test_cflags=""
+test_libs=""
+
# make source path absolute
source_path=`cd "$source_path"; pwd`
@@ -2249,6 +2252,19 @@ if test "$gnutls_nettle" != "no"; then
fi
fi
+##########################################
+# libtasn1 - only for the TLS creds/session test suite
+
+tasn1=yes
+if $pkg_config --exists "libtasn1"; then
+ tasn1_cflags=`$pkg_config --cflags libtasn1`
+ tasn1_libs=`$pkg_config --libs libtasn1`
+ test_cflags="$test_cflags $tasn1_cflags"
+ test_libs="$test_libs $tasn1_libs"
+else
+ tasn1=no
+fi
+
##########################################
# VTE probe
@@ -4574,6 +4590,7 @@ echo "GNUTLS support $gnutls"
echo "GNUTLS hash $gnutls_hash"
echo "GNUTLS gcrypt $gnutls_gcrypt"
echo "GNUTLS nettle $gnutls_nettle ${gnutls_nettle+($nettle_version)}"
+echo "libtasn1 $tasn1"
echo "VTE support $vte"
echo "curses support $curses"
echo "curl support $curl"
@@ -4945,6 +4962,9 @@ if test "$gnutls_nettle" = "yes" ; then
echo "CONFIG_GNUTLS_NETTLE=y" >> $config_host_mak
echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak
fi
+if test "$tasn1" = "yes" ; then
+ echo "CONFIG_TASN1=y" >> $config_host_mak
+fi
if test "$vte" = "yes" ; then
echo "CONFIG_VTE=y" >> $config_host_mak
echo "VTE_CFLAGS=$vte_cflags" >> $config_host_mak
@@ -5268,6 +5288,8 @@ echo "EXESUF=$EXESUF" >> $config_host_mak
echo "DSOSUF=$DSOSUF" >> $config_host_mak
echo "LDFLAGS_SHARED=$LDFLAGS_SHARED" >> $config_host_mak
echo "LIBS_QGA+=$libs_qga" >> $config_host_mak
+echo "TEST_LIBS=$test_libs" >> $config_host_mak
+echo "TEST_CFLAGS=$test_cflags" >> $config_host_mak
echo "POD2MAN=$POD2MAN" >> $config_host_mak
echo "TRANSLATE_OPT_CFLAGS=$TRANSLATE_OPT_CFLAGS" >> $config_host_mak
if test "$gcov" = "yes" ; then
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index 6cc7b53..dc46bc4 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -26,6 +26,516 @@
#ifdef CONFIG_GNUTLS
+#include <gnutls/x509.h>
+
+
+static int
+qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
+ const char *certFile,
+ bool isServer,
+ bool isCA,
+ Error **errp)
+{
+ time_t now = time(NULL);
+
+ if (now == ((time_t)-1)) {
+ error_setg_errno(errp, errno, "cannot get current time");
+ return -1;
+ }
+
+ if (gnutls_x509_crt_get_expiration_time(cert) < now) {
+ error_setg(errp,
+ (isCA ?
+ "The CA certificate %s has expired" :
+ (isServer ?
+ "The server certificate %s has expired" :
+ "The client certificate %s has expired")),
+ certFile);
+ return -1;
+ }
+
+ if (gnutls_x509_crt_get_activation_time(cert) > now) {
+ error_setg(errp,
+ (isCA ?
+ "The CA certificate %s is not yet active" :
+ (isServer ?
+ "The server certificate %s is not yet active" :
+ "The client certificate %s is not yet active")),
+ certFile);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+#if LIBGNUTLS_VERSION_NUMBER >= 2
+/*
+ * The gnutls_x509_crt_get_basic_constraints function isn't
+ * available in GNUTLS 1.0.x branches. This isn't critical
+ * though, since gnutls_certificate_verify_peers2 will do
+ * pretty much the same check at runtime, so we can just
+ * disable this code
+ */
+static int
+qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
+ gnutls_x509_crt_t cert,
+ const char *certFile,
+ bool isServer,
+ bool isCA,
+ Error **errp)
+{
+ int status;
+
+ status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
+ trace_qcrypto_tls_creds_x509_check_basic_constraints(
+ creds, certFile, status);
+
+ if (status > 0) { /* It is a CA cert */
+ if (!isCA) {
+ error_setg(errp, isServer ?
+ "The certificate %s basic constraints show a CA, "
+ "but we need one for a server" :
+ "The certificate %s basic constraints show a CA, "
+ "but we need one for a client",
+ certFile);
+ return -1;
+ }
+ } else if (status == 0) { /* It is not a CA cert */
+ if (isCA) {
+ error_setg(errp,
+ "The certificate %s basic constraints do not "
+ "show a CA",
+ certFile);
+ return -1;
+ }
+ } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ /* Missing basicConstraints */
+ if (isCA) {
+ error_setg(errp,
+ "The certificate %s is missing basic constraints "
+ "for a CA",
+ certFile);
+ return -1;
+ }
+ } else { /* General error */
+ error_setg(errp,
+ "Unable to query certificate %s basic constraints: %s",
+ certFile, gnutls_strerror(status));
+ return -1;
+ }
+
+ return 0;
+}
+#endif
+
+
+static int
+qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
+ gnutls_x509_crt_t cert,
+ const char *certFile,
+ bool isCA,
+ Error **errp)
+{
+ int status;
+ unsigned int usage = 0;
+ unsigned int critical = 0;
+
+ status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
+ trace_qcrypto_tls_creds_x509_check_key_usage(
+ creds, certFile, status, usage, critical);
+
+ if (status < 0) {
+ if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
+ GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
+ } else {
+ error_setg(errp,
+ "Unable to query certificate %s key usage: %s",
+ certFile, gnutls_strerror(status));
+ return -1;
+ }
+ }
+
+ if (isCA) {
+ if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
+ if (critical) {
+ error_setg(errp,
+ "Certificate %s usage does not permit "
+ "certificate signing", certFile);
+ return -1;
+ }
+ }
+ } else {
+ if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
+ if (critical) {
+ error_setg(errp,
+ "Certificate %s usage does not permit digital "
+ "signature", certFile);
+ return -1;
+ }
+ }
+ if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
+ if (critical) {
+ error_setg(errp,
+ "Certificate %s usage does not permit key "
+ "encipherment", certFile);
+ return -1;
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+static int
+qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds,
+ gnutls_x509_crt_t cert,
+ const char *certFile,
+ bool isServer,
+ Error **errp)
+{
+ int status;
+ size_t i;
+ unsigned int purposeCritical;
+ unsigned int critical;
+ char *buffer = NULL;
+ size_t size;
+ bool allowClient = false, allowServer = false;
+
+ critical = 0;
+ for (i = 0; ; i++) {
+ size = 0;
+ status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
+ &size, NULL);
+
+ if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+
+ /* If there is no data at all, then we must allow
+ client/server to pass */
+ if (i == 0) {
+ allowServer = allowClient = true;
+ }
+ break;
+ }
+ if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ error_setg(errp,
+ "Unable to query certificate %s key purpose: %s",
+ certFile, gnutls_strerror(status));
+ return -1;
+ }
+
+ buffer = g_new0(char, size);
+
+ status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
+ &size, &purposeCritical);
+
+ if (status < 0) {
+ trace_qcrypto_tls_creds_x509_check_key_purpose(
+ creds, certFile, status, "<none>", purposeCritical);
+ g_free(buffer);
+ error_setg(errp,
+ "Unable to query certificate %s key purpose: %s",
+ certFile, gnutls_strerror(status));
+ return -1;
+ }
+ trace_qcrypto_tls_creds_x509_check_key_purpose(
+ creds, certFile, status, buffer, purposeCritical);
+ if (purposeCritical) {
+ critical = true;
+ }
+
+ if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
+ allowServer = true;
+ } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
+ allowClient = true;
+ } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) {
+ allowServer = allowClient = true;
+ }
+
+ g_free(buffer);
+ }
+
+ if (isServer) {
+ if (!allowServer) {
+ if (critical) {
+ error_setg(errp,
+ "Certificate %s purpose does not allow "
+ "use with a TLS server", certFile);
+ return -1;
+ }
+ }
+ } else {
+ if (!allowClient) {
+ if (critical) {
+ error_setg(errp,
+ "Certificate %s purpose does not allow use "
+ "with a TLS client", certFile);
+ return -1;
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+static int
+qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
+ gnutls_x509_crt_t cert,
+ const char *certFile,
+ bool isServer,
+ bool isCA,
+ Error **errp)
+{
+ if (qcrypto_tls_creds_check_cert_times(cert, certFile,
+ isServer, isCA,
+ errp) < 0) {
+ return -1;
+ }
+
+#if LIBGNUTLS_VERSION_NUMBER >= 2
+ if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
+ cert, certFile,
+ isServer, isCA,
+ errp) < 0) {
+ return -1;
+ }
+#endif
+
+ if (qcrypto_tls_creds_check_cert_key_usage(creds,
+ cert, certFile,
+ isCA, errp) < 0) {
+ return -1;
+ }
+
+ if (!isCA &&
+ qcrypto_tls_creds_check_cert_key_purpose(creds,
+ cert, certFile,
+ isServer, errp) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert,
+ const char *certFile,
+ gnutls_x509_crt_t *cacerts,
+ size_t ncacerts,
+ const char *cacertFile,
+ bool isServer,
+ Error **errp)
+{
+ unsigned int status;
+
+ if (gnutls_x509_crt_list_verify(&cert, 1,
+ cacerts, ncacerts,
+ NULL, 0,
+ 0, &status) < 0) {
+ error_setg(errp, isServer ?
+ "Unable to verify server certificate %s against "
+ "CA certificate %s" :
+ "Unable to verify client certificate %s against "
+ "CA certificate %s",
+ certFile, cacertFile);
+ return -1;
+ }
+
+ if (status != 0) {
+ const char *reason = "Invalid certificate";
+
+ if (status & GNUTLS_CERT_INVALID) {
+ reason = "The certificate is not trusted";
+ }
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+ reason = "The certificate hasn't got a known issuer";
+ }
+
+ if (status & GNUTLS_CERT_REVOKED) {
+ reason = "The certificate has been revoked";
+ }
+
+#ifndef GNUTLS_1_0_COMPAT
+ if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+ reason = "The certificate uses an insecure algorithm";
+ }
+#endif
+
+ error_setg(errp,
+ "Our own certificate %s failed validation against %s: %s",
+ certFile, cacertFile, reason);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static gnutls_x509_crt_t
+qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds,
+ const char *certFile,
+ bool isServer,
+ Error **errp)
+{
+ gnutls_datum_t data;
+ gnutls_x509_crt_t cert = NULL;
+ char *buf = NULL;
+ gsize buflen;
+ GError *gerr;
+ int ret = -1;
+
+ trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile);
+
+ if (gnutls_x509_crt_init(&cert) < 0) {
+ error_setg(errp, "Unable to initialize certificate");
+ goto cleanup;
+ }
+
+ if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
+ error_setg(errp, "Cannot load CA cert list %s: %s",
+ certFile, gerr->message);
+ g_error_free(gerr);
+ goto cleanup;
+ }
+
+ data.data = (unsigned char *)buf;
+ data.size = strlen(buf);
+
+ if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
+ error_setg(errp, isServer ?
+ "Unable to import server certificate %s" :
+ "Unable to import client certificate %s",
+ certFile);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ if (ret != 0) {
+ gnutls_x509_crt_deinit(cert);
+ cert = NULL;
+ }
+ g_free(buf);
+ return cert;
+}
+
+
+static int
+qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
+ const char *certFile,
+ gnutls_x509_crt_t *certs,
+ unsigned int certMax,
+ size_t *ncerts,
+ Error **errp)
+{
+ gnutls_datum_t data;
+ char *buf = NULL;
+ gsize buflen;
+ int ret = -1;
+ GError *gerr = NULL;
+
+ *ncerts = 0;
+ trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile);
+
+ if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
+ error_setg(errp, "Cannot load CA cert list %s: %s",
+ certFile, gerr->message);
+ g_error_free(gerr);
+ goto cleanup;
+ }
+
+ data.data = (unsigned char *)buf;
+ data.size = strlen(buf);
+
+ if (gnutls_x509_crt_list_import(certs, &certMax, &data,
+ GNUTLS_X509_FMT_PEM, 0) < 0) {
+ error_setg(errp,
+ "Unable to import CA certificate list %s",
+ certFile);
+ goto cleanup;
+ }
+ *ncerts = certMax;
+
+ ret = 0;
+
+ cleanup:
+ g_free(buf);
+ return ret;
+}
+
+
+#define MAX_CERTS 16
+static int
+qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
+ bool isServer,
+ const char *cacertFile,
+ const char *certFile,
+ Error **errp)
+{
+ gnutls_x509_crt_t cert = NULL;
+ gnutls_x509_crt_t cacerts[MAX_CERTS];
+ size_t ncacerts = 0;
+ size_t i;
+ int ret = -1;
+
+ memset(cacerts, 0, sizeof(cacerts));
+ if (access(certFile, R_OK) == 0) {
+ cert = qcrypto_tls_creds_load_cert(creds,
+ certFile, isServer,
+ errp);
+ if (!cert) {
+ goto cleanup;
+ }
+ }
+ if (access(cacertFile, R_OK) == 0) {
+ if (qcrypto_tls_creds_load_ca_cert_list(creds,
+ cacertFile, cacerts,
+ MAX_CERTS, &ncacerts,
+ errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ if (cert &&
+ qcrypto_tls_creds_check_cert(creds,
+ cert, certFile, isServer,
+ false, errp) < 0) {
+ goto cleanup;
+ }
+
+ for (i = 0; i < ncacerts; i++) {
+ if (qcrypto_tls_creds_check_cert(creds,
+ cacerts[i], cacertFile,
+ isServer, true, errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ if (cert && ncacerts &&
+ qcrypto_tls_creds_check_cert_pair(cert, certFile, cacerts,
+ ncacerts, cacertFile,
+ isServer, errp) < 0) {
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ if (cert) {
+ gnutls_x509_crt_deinit(cert);
+ }
+ for (i = 0; i < ncacerts; i++) {
+ gnutls_x509_crt_deinit(cacerts[i]);
+ }
+ return ret;
+}
+
static int
qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
@@ -71,6 +581,13 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
}
}
+ if (creds->sanityCheck &&
+ qcrypto_tls_creds_x509_sanity_check(creds,
+ creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+ cacert, cert, errp) < 0) {
+ goto cleanup;
+ }
+
ret = gnutls_certificate_allocate_credentials(&creds->data);
if (ret < 0) {
error_setg(errp, "Cannot allocate credentials: '%s'",
@@ -204,6 +721,27 @@ qcrypto_tls_creds_x509_prop_get_loaded(Object *obj G_GNUC_UNUSED,
static void
+qcrypto_tls_creds_x509_prop_set_sanity(Object *obj,
+ bool value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ creds->sanityCheck = value;
+}
+
+
+static bool
+qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ return creds->sanityCheck;
+}
+
+
+static void
qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
{
object_property_set_bool(OBJECT(uc), true, "loaded", errp);
@@ -213,10 +751,18 @@ qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
static void
qcrypto_tls_creds_x509_init(Object *obj)
{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ creds->sanityCheck = true;
+
object_property_add_bool(obj, "loaded",
qcrypto_tls_creds_x509_prop_get_loaded,
qcrypto_tls_creds_x509_prop_set_loaded,
NULL);
+ object_property_add_bool(obj, "sanity-check",
+ qcrypto_tls_creds_x509_prop_get_sanity,
+ qcrypto_tls_creds_x509_prop_set_sanity,
+ NULL);
}
diff --git a/include/crypto/tlscredsx509.h b/include/crypto/tlscredsx509.h
index abdb128..b9785fd 100644
--- a/include/crypto/tlscredsx509.h
+++ b/include/crypto/tlscredsx509.h
@@ -100,6 +100,7 @@ struct QCryptoTLSCredsX509 {
#ifdef CONFIG_GNUTLS
gnutls_certificate_credentials_t data;
#endif
+ bool sanityCheck;
};
diff --git a/tests/.gitignore b/tests/.gitignore
index ccc92e4..7b4ee23 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -12,6 +12,9 @@ test-bitops
test-coroutine
test-crypto-cipher
test-crypto-hash
+test-crypto-tlscredsx509
+test-crypto-tlscredsx509-work/
+test-crypto-tlscredsx509-certs/
test-cutils
test-hbitmap
test-int128
diff --git a/tests/Makefile b/tests/Makefile
index 827e732..c4d803a 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -78,6 +78,7 @@ check-unit-y += tests/test-write-threshold$(EXESUF)
gcov-files-test-write-threshold-y = block/write-threshold.c
check-unit-$(CONFIG_GNUTLS_HASH) += tests/test-crypto-hash$(EXESUF)
check-unit-y += tests/test-crypto-cipher$(EXESUF)
+check-unit-$(CONFIG_GNUTLS) += tests/test-crypto-tlscredsx509$(EXESUF)
check-block-$(CONFIG_POSIX) += tests/qemu-iotests-quick.sh
@@ -358,6 +359,8 @@ tests/test-mul64$(EXESUF): tests/test-mul64.o $(test-util-obj-y)
tests/test-bitops$(EXESUF): tests/test-bitops.o $(test-util-obj-y)
tests/test-crypto-hash$(EXESUF): tests/test-crypto-hash.o $(test-crypto-obj-y)
tests/test-crypto-cipher$(EXESUF): tests/test-crypto-cipher.o $(test-crypto-obj-y)
+tests/test-crypto-tlscredsx509$(EXESUF): tests/test-crypto-tlscredsx509.o \
+ tests/crypto-tls-x509-helpers.o tests/pkix_asn1_tab.o $(test-crypto-obj-y)
libqos-obj-y = tests/libqos/pci.o tests/libqos/fw_cfg.o tests/libqos/malloc.o
libqos-obj-y += tests/libqos/i2c.o tests/libqos/libqos.o
@@ -426,6 +429,8 @@ tests/test-write-threshold$(EXESUF): tests/test-write-threshold.o $(test-block-o
ifeq ($(CONFIG_POSIX),y)
LIBS += -lutil
endif
+LIBS += $(TEST_LIBS)
+CFLAGS += $(TEST_CFLAGS)
# QTest rules
diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
new file mode 100644
index 0000000..c5de67b
--- /dev/null
+++ b/tests/crypto-tls-x509-helpers.c
@@ -0,0 +1,485 @@
+/*
+ * Copyright (C) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * Author: Daniel P. Berrange <berrange@redhat.com>
+ */
+
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "config-host.h"
+#include "crypto-tls-x509-helpers.h"
+#include "qemu/sockets.h"
+
+#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
+
+/*
+ * This stores some static data that is needed when
+ * encoding extensions in the x509 certs
+ */
+ASN1_TYPE pkix_asn1;
+
+/*
+ * To avoid consuming random entropy to generate keys,
+ * here's one we prepared earlier :-)
+ */
+gnutls_x509_privkey_t privkey;
+# define PRIVATE_KEY \
+ "-----BEGIN PRIVATE KEY-----\n" \
+ "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n" \
+ "BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE\n" \
+ "Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9\n" \
+ "rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc\n" \
+ "kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL\n" \
+ "IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H\n" \
+ "myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn\n" \
+ "2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO\n" \
+ "m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J\n" \
+ "bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK\n" \
+ "mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA\n" \
+ "Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa\n" \
+ "L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd\n" \
+ "a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W\n" \
+ "nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp\n" \
+ "dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n" \
+ "-----END PRIVATE KEY-----\n"
+
+/*
+ * This loads the private key we defined earlier
+ */
+static gnutls_x509_privkey_t test_tls_load_key(void)
+{
+ gnutls_x509_privkey_t key;
+ const gnutls_datum_t data = { (unsigned char *)PRIVATE_KEY,
+ strlen(PRIVATE_KEY) };
+ int err;
+
+ err = gnutls_x509_privkey_init(&key);
+ if (err < 0) {
+ g_critical("Failed to init key %s", gnutls_strerror(err));
+ abort();
+ }
+
+ err = gnutls_x509_privkey_import(key, &data,
+ GNUTLS_X509_FMT_PEM);
+ if (err < 0) {
+ if (err != GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR &&
+ err != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ g_critical("Failed to import key %s", gnutls_strerror(err));
+ abort();
+ }
+
+ err = gnutls_x509_privkey_import_pkcs8(
+ key, &data, GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (err < 0) {
+ g_critical("Failed to import PKCS8 key %s", gnutls_strerror(err));
+ abort();
+ }
+ }
+
+ return key;
+}
+
+
+void test_tls_init(const char *keyfile)
+{
+ gnutls_global_init();
+
+ if (asn1_array2tree(pkix_asn1_tab, &pkix_asn1, NULL) != ASN1_SUCCESS) {
+ abort();
+ }
+
+ privkey = test_tls_load_key();
+ if (!g_file_set_contents(keyfile, PRIVATE_KEY, -1, NULL)) {
+ abort();
+ }
+}
+
+
+void test_tls_cleanup(const char *keyfile)
+{
+ asn1_delete_structure(&pkix_asn1);
+ unlink(keyfile);
+}
+
+/*
+ * Turns an ASN1 object into a DER encoded byte array
+ */
+static void test_tls_der_encode(ASN1_TYPE src,
+ const char *src_name,
+ gnutls_datum_t *res)
+{
+ int size;
+ char *data = NULL;
+
+ size = 0;
+ asn1_der_coding(src, src_name, NULL, &size, NULL);
+
+ data = g_new0(char, size);
+
+ asn1_der_coding(src, src_name, data, &size, NULL);
+
+ res->data = (unsigned char *)data;
+ res->size = size;
+}
+
+
+static void
+test_tls_get_ipaddr(const char *addrstr,
+ char **data,
+ int *datalen)
+{
+ struct addrinfo *res;
+ struct addrinfo hints;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_flags = AI_NUMERICHOST;
+ g_assert(getaddrinfo(addrstr, NULL, &hints, &res) == 0);
+
+ *datalen = res->ai_addrlen;
+ *data = g_new(char, *datalen);
+ memcpy(*data, res->ai_addr, *datalen);
+}
+
+/*
+ * This is a fairly lame x509 certificate generator.
+ *
+ * Do not copy/use this code for generating real certificates
+ * since it leaves out many things that you would want in
+ * certificates for real world usage.
+ *
+ * This is good enough only for doing tests of the QEMU
+ * TLS certificate code
+ */
+void
+test_tls_generate_cert(QCryptoTLSTestCertReq *req,
+ gnutls_x509_crt_t ca)
+{
+ gnutls_x509_crt_t crt;
+ int err;
+ static char buffer[1024 * 1024];
+ size_t size = sizeof(buffer);
+ char serial[5] = { 1, 2, 3, 4, 0 };
+ gnutls_datum_t der;
+ time_t start = time(NULL) + (60 * 60 * req->start_offset);
+ time_t expire = time(NULL) + (60 * 60 * (req->expire_offset
+ ? req->expire_offset : 24));
+
+ /*
+ * Prepare our new certificate object
+ */
+ err = gnutls_x509_crt_init(&crt);
+ if (err < 0) {
+ g_critical("Failed to initialize certificate %s", gnutls_strerror(err));
+ abort();
+ }
+ err = gnutls_x509_crt_set_key(crt, privkey);
+ if (err < 0) {
+ g_critical("Failed to set certificate key %s", gnutls_strerror(err));
+ abort();
+ }
+
+ /*
+ * A v3 certificate is required in order to be able
+ * set any of the basic constraints, key purpose and
+ * key usage data
+ */
+ gnutls_x509_crt_set_version(crt, 3);
+
+ if (req->country) {
+ err = gnutls_x509_crt_set_dn_by_oid(
+ crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
+ req->country, strlen(req->country));
+ if (err < 0) {
+ g_critical("Failed to set certificate country name %s",
+ gnutls_strerror(err));
+ abort();
+ }
+ }
+ if (req->cn) {
+ err = gnutls_x509_crt_set_dn_by_oid(
+ crt, GNUTLS_OID_X520_COMMON_NAME, 0,
+ req->cn, strlen(req->cn));
+ if (err < 0) {
+ g_critical("Failed to set certificate common name %s",
+ gnutls_strerror(err));
+ abort();
+ }
+ }
+
+ /*
+ * Setup the subject altnames, which are used
+ * for hostname checks in live sessions
+ */
+ if (req->altname1) {
+ err = gnutls_x509_crt_set_subject_alt_name(
+ crt, GNUTLS_SAN_DNSNAME,
+ req->altname1,
+ strlen(req->altname1),
+ GNUTLS_FSAN_APPEND);
+ if (err < 0) {
+ g_critical("Failed to set certificate alt name %s",
+ gnutls_strerror(err));
+ abort();
+ }
+ }
+ if (req->altname2) {
+ err = gnutls_x509_crt_set_subject_alt_name(
+ crt, GNUTLS_SAN_DNSNAME,
+ req->altname2,
+ strlen(req->altname2),
+ GNUTLS_FSAN_APPEND);
+ if (err < 0) {
+ g_critical("Failed to set certificate %s alt name",
+ gnutls_strerror(err));
+ abort();
+ }
+ }
+
+ /*
+ * IP address need to be put into the cert in their
+ * raw byte form, not strings, hence this is a little
+ * more complicated
+ */
+ if (req->ipaddr1) {
+ char *data;
+ int len;
+
+ test_tls_get_ipaddr(req->ipaddr1, &data, &len);
+
+ err = gnutls_x509_crt_set_subject_alt_name(
+ crt, GNUTLS_SAN_IPADDRESS,
+ data, len, GNUTLS_FSAN_APPEND);
+ if (err < 0) {
+ g_critical("Failed to set certificate alt name %s",
+ gnutls_strerror(err));
+ abort();
+ }
+ g_free(data);
+ }
+ if (req->ipaddr2) {
+ char *data;
+ int len;
+
+ test_tls_get_ipaddr(req->ipaddr2, &data, &len);
+
+ err = gnutls_x509_crt_set_subject_alt_name(
+ crt, GNUTLS_SAN_IPADDRESS,
+ data, len, GNUTLS_FSAN_APPEND);
+ if (err < 0) {
+ g_critical("Failed to set certificate alt name %s",
+ gnutls_strerror(err));
+ abort();
+ }
+ g_free(data);
+ }
+
+
+ /*
+ * Basic constraints are used to decide if the cert
+ * is for a CA or not. We can't use the convenient
+ * gnutls API for setting this, since it hardcodes
+ * the 'critical' field which we want control over
+ */
+ if (req->basicConstraintsEnable) {
+ ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+
+ asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext);
+ asn1_write_value(ext, "cA",
+ req->basicConstraintsIsCA ? "TRUE" : "FALSE", 1);
+ asn1_write_value(ext, "pathLenConstraint", NULL, 0);
+ test_tls_der_encode(ext, "", &der);
+ err = gnutls_x509_crt_set_extension_by_oid(
+ crt, "2.5.29.19",
+ der.data, der.size,
+ req->basicConstraintsCritical);
+ if (err < 0) {
+ g_critical("Failed to set certificate basic constraints %s",
+ gnutls_strerror(err));
+ g_free(der.data);
+ abort();
+ }
+ asn1_delete_structure(&ext);
+ g_free(der.data);
+ }
+
+ /*
+ * Next up the key usage extension. Again we can't
+ * use the gnutls API since it hardcodes the extension
+ * to be 'critical'
+ */
+ if (req->keyUsageEnable) {
+ ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+ char str[2];
+
+ str[0] = req->keyUsageValue & 0xff;
+ str[1] = (req->keyUsageValue >> 8) & 0xff;
+
+ asn1_create_element(pkix_asn1, "PKIX1.KeyUsage", &ext);
+ asn1_write_value(ext, "", str, 9);
+ test_tls_der_encode(ext, "", &der);
+ err = gnutls_x509_crt_set_extension_by_oid(
+ crt, "2.5.29.15",
+ der.data, der.size,
+ req->keyUsageCritical);
+ if (err < 0) {
+ g_critical("Failed to set certificate key usage %s",
+ gnutls_strerror(err));
+ g_free(der.data);
+ abort();
+ }
+ asn1_delete_structure(&ext);
+ g_free(der.data);
+ }
+
+ /*
+ * Finally the key purpose extension. This time
+ * gnutls has the opposite problem, always hardcoding
+ * it to be non-critical. So once again we have to
+ * set this the hard way building up ASN1 data ourselves
+ */
+ if (req->keyPurposeEnable) {
+ ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+
+ asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext);
+ if (req->keyPurposeOID1) {
+ asn1_write_value(ext, "", "NEW", 1);
+ asn1_write_value(ext, "?LAST", req->keyPurposeOID1, 1);
+ }
+ if (req->keyPurposeOID2) {
+ asn1_write_value(ext, "", "NEW", 1);
+ asn1_write_value(ext, "?LAST", req->keyPurposeOID2, 1);
+ }
+ test_tls_der_encode(ext, "", &der);
+ err = gnutls_x509_crt_set_extension_by_oid(
+ crt, "2.5.29.37",
+ der.data, der.size,
+ req->keyPurposeCritical);
+ if (err < 0) {
+ g_critical("Failed to set certificate key purpose %s",
+ gnutls_strerror(err));
+ g_free(der.data);
+ abort();
+ }
+ asn1_delete_structure(&ext);
+ g_free(der.data);
+ }
+
+ /*
+ * Any old serial number will do, so lets pick 5
+ */
+ err = gnutls_x509_crt_set_serial(crt, serial, 5);
+ if (err < 0) {
+ g_critical("Failed to set certificate serial %s",
+ gnutls_strerror(err));
+ abort();
+ }
+
+ err = gnutls_x509_crt_set_activation_time(crt, start);
+ if (err < 0) {
+ g_critical("Failed to set certificate activation %s",
+ gnutls_strerror(err));
+ abort();
+ }
+ err = gnutls_x509_crt_set_expiration_time(crt, expire);
+ if (err < 0) {
+ g_critical("Failed to set certificate expiration %s",
+ gnutls_strerror(err));
+ abort();
+ }
+
+
+ /*
+ * If no 'ca' is set then we are self signing
+ * the cert. This is done for the root CA certs
+ */
+ err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);
+ if (err < 0) {
+ g_critical("Failed to sign certificate %s",
+ gnutls_strerror(err));
+ abort();
+ }
+
+ /*
+ * Finally write the new cert out to disk
+ */
+ err = gnutls_x509_crt_export(
+ crt, GNUTLS_X509_FMT_PEM, buffer, &size);
+ if (err < 0) {
+ g_critical("Failed to export certificate %s: %d",
+ gnutls_strerror(err), err);
+ abort();
+ }
+
+ if (!g_file_set_contents(req->filename, buffer, -1, NULL)) {
+ g_critical("Failed to write certificate %s",
+ req->filename);
+ abort();
+ }
+
+ req->crt = crt;
+}
+
+
+void test_tls_write_cert_chain(const char *filename,
+ gnutls_x509_crt_t *certs,
+ size_t ncerts)
+{
+ size_t i;
+ size_t capacity = 1024, offset = 0;
+ char *buffer = g_new0(char, capacity);
+ int err;
+
+ for (i = 0; i < ncerts; i++) {
+ size_t len = capacity - offset;
+ retry:
+ err = gnutls_x509_crt_export(certs[i], GNUTLS_X509_FMT_PEM,
+ buffer + offset, &len);
+ if (err < 0) {
+ if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ buffer = g_renew(char, buffer, offset + len);
+ capacity = offset + len;
+ goto retry;
+ }
+ g_critical("Failed to export certificate chain %s: %d",
+ gnutls_strerror(err), err);
+ abort();
+ }
+ offset += len;
+ }
+
+ if (!g_file_set_contents(filename, buffer, offset, NULL)) {
+ abort();
+ }
+}
+
+
+void test_tls_discard_cert(QCryptoTLSTestCertReq *req)
+{
+ if (!req->crt) {
+ return;
+ }
+
+ gnutls_x509_crt_deinit(req->crt);
+ req->crt = NULL;
+
+ if (getenv("QEMU_TEST_DEBUG_CERTS") == NULL) {
+ unlink(req->filename);
+ }
+}
+
+#endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */
diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h
new file mode 100644
index 0000000..356b49c
--- /dev/null
+++ b/tests/crypto-tls-x509-helpers.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * Author: Daniel P. Berrange <berrange@redhat.com>
+ */
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#if !(defined WIN32) && \
+ defined(CONFIG_TASN1) && \
+ defined(LIBGNUTLS_VERSION_NUMBER) && \
+ (LIBGNUTLS_VERSION_NUMBER >= 0x020600)
+# define QCRYPTO_HAVE_TLS_TEST_SUPPORT
+#endif
+
+#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
+# include <libtasn1.h>
+
+# include "qemu-common.h"
+
+/*
+ * This contains parameter about how to generate
+ * certificates.
+ */
+typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
+struct QCryptoTLSTestCertReq {
+ gnutls_x509_crt_t crt;
+
+ const char *filename;
+
+ /* Identifying information */
+ const char *country;
+ const char *cn;
+ const char *altname1;
+ const char *altname2;
+ const char *ipaddr1;
+ const char *ipaddr2;
+
+ /* Basic constraints */
+ bool basicConstraintsEnable;
+ bool basicConstraintsCritical;
+ bool basicConstraintsIsCA;
+
+ /* Key usage */
+ bool keyUsageEnable;
+ bool keyUsageCritical;
+ int keyUsageValue;
+
+ /* Key purpose (aka Extended key usage) */
+ bool keyPurposeEnable;
+ bool keyPurposeCritical;
+ const char *keyPurposeOID1;
+ const char *keyPurposeOID2;
+
+ /* zero for current time, or non-zero for hours from now */
+ int start_offset;
+ /* zero for 24 hours from now, or non-zero for hours from now */
+ int expire_offset;
+};
+
+void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
+ gnutls_x509_crt_t ca);
+void test_tls_write_cert_chain(const char *filename,
+ gnutls_x509_crt_t *certs,
+ size_t ncerts);
+void test_tls_discard_cert(QCryptoTLSTestCertReq *req);
+
+void test_tls_init(const char *keyfile);
+void test_tls_cleanup(const char *keyfile);
+
+# define TLS_CERT_REQ(varname, cavarname, \
+ country, commonname, \
+ altname1, altname2, \
+ ipaddr1, ipaddr2, \
+ basicconsenable, basicconscritical, basicconsca, \
+ keyusageenable, keyusagecritical, keyusagevalue, \
+ keypurposeenable, keypurposecritical, \
+ keypurposeoid1, keypurposeoid2, \
+ startoffset, endoffset) \
+ static QCryptoTLSTestCertReq varname = { \
+ NULL, WORKDIR #varname "-ctx.pem", \
+ country, commonname, altname1, altname2, \
+ ipaddr1, ipaddr2, \
+ basicconsenable, basicconscritical, basicconsca, \
+ keyusageenable, keyusagecritical, keyusagevalue, \
+ keypurposeenable, keypurposecritical, \
+ keypurposeoid1, keypurposeoid2, \
+ startoffset, endoffset \
+ }; \
+ test_tls_generate_cert(&varname, cavarname.crt)
+
+# define TLS_ROOT_REQ(varname, \
+ country, commonname, \
+ altname1, altname2, \
+ ipaddr1, ipaddr2, \
+ basicconsenable, basicconscritical, basicconsca, \
+ keyusageenable, keyusagecritical, keyusagevalue, \
+ keypurposeenable, keypurposecritical, \
+ keypurposeoid1, keypurposeoid2, \
+ startoffset, endoffset) \
+ static QCryptoTLSTestCertReq varname = { \
+ NULL, WORKDIR #varname "-ctx.pem", \
+ country, commonname, altname1, altname2, \
+ ipaddr1, ipaddr2, \
+ basicconsenable, basicconscritical, basicconsca, \
+ keyusageenable, keyusagecritical, keyusagevalue, \
+ keypurposeenable, keypurposecritical, \
+ keypurposeoid1, keypurposeoid2, \
+ startoffset, endoffset \
+ }; \
+ test_tls_generate_cert(&varname, NULL)
+
+extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
+
+#endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */
diff --git a/tests/pkix_asn1_tab.c b/tests/pkix_asn1_tab.c
new file mode 100644
index 0000000..5b4e6b9
--- /dev/null
+++ b/tests/pkix_asn1_tab.c
@@ -0,0 +1,1104 @@
+/*
+ * This file is taken from gnutls 1.6.3 under the GPLv2+
+ * and is under copyright of various GNUTLS contributors.
+ */
+
+#include <libtasn1.h>
+
+const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
+ {"PKIX1", 536875024, 0},
+ {0, 1073741836, 0},
+ {"id-ce", 1879048204, 0},
+ {"joint-iso-ccitt", 1073741825, "2"},
+ {"ds", 1073741825, "5"},
+ {0, 1, "29"},
+ {"id-ce-authorityKeyIdentifier", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "35"},
+ {"AuthorityKeyIdentifier", 1610612741, 0},
+ {"keyIdentifier", 1610637314, "KeyIdentifier"},
+ {0, 4104, "0"},
+ {"authorityCertIssuer", 1610637314, "GeneralNames"},
+ {0, 4104, "1"},
+ {"authorityCertSerialNumber", 536895490, "CertificateSerialNumber"},
+ {0, 4104, "2"},
+ {"KeyIdentifier", 1073741831, 0},
+ {"id-ce-subjectKeyIdentifier", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "14"},
+ {"SubjectKeyIdentifier", 1073741826, "KeyIdentifier"},
+ {"id-ce-keyUsage", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "15"},
+ {"KeyUsage", 1610874886, 0},
+ {"digitalSignature", 1073741825, "0"},
+ {"nonRepudiation", 1073741825, "1"},
+ {"keyEncipherment", 1073741825, "2"},
+ {"dataEncipherment", 1073741825, "3"},
+ {"keyAgreement", 1073741825, "4"},
+ {"keyCertSign", 1073741825, "5"},
+ {"cRLSign", 1073741825, "6"},
+ {"encipherOnly", 1073741825, "7"},
+ {"decipherOnly", 1, "8"},
+ {"id-ce-privateKeyUsagePeriod", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "16"},
+ {"PrivateKeyUsagePeriod", 1610612741, 0},
+ {"notBefore", 1619025937, 0},
+ {0, 4104, "0"},
+ {"notAfter", 545284113, 0},
+ {0, 4104, "1"},
+ {"id-ce-certificatePolicies", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "32"},
+ {"CertificatePolicies", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "PolicyInformation"},
+ {"PolicyInformation", 1610612741, 0},
+ {"policyIdentifier", 1073741826, "CertPolicyId"},
+ {"policyQualifiers", 538984459, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "PolicyQualifierInfo"},
+ {"CertPolicyId", 1073741836, 0},
+ {"PolicyQualifierInfo", 1610612741, 0},
+ {"policyQualifierId", 1073741826, "PolicyQualifierId"},
+ {"qualifier", 541065229, 0},
+ {"policyQualifierId", 1, 0},
+ {"PolicyQualifierId", 1073741836, 0},
+ {"CPSuri", 1073741826, "IA5String"},
+ {"UserNotice", 1610612741, 0},
+ {"noticeRef", 1073758210, "NoticeReference"},
+ {"explicitText", 16386, "DisplayText"},
+ {"NoticeReference", 1610612741, 0},
+ {"organization", 1073741826, "DisplayText"},
+ {"noticeNumbers", 536870923, 0},
+ {0, 3, 0},
+ {"DisplayText", 1610612754, 0},
+ {"visibleString", 1612709890, "VisibleString"},
+ {"200", 524298, "1"},
+ {"bmpString", 1612709890, "BMPString"},
+ {"200", 524298, "1"},
+ {"utf8String", 538968066, "UTF8String"},
+ {"200", 524298, "1"},
+ {"id-ce-policyMappings", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "33"},
+ {"PolicyMappings", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 536870917, 0},
+ {"issuerDomainPolicy", 1073741826, "CertPolicyId"},
+ {"subjectDomainPolicy", 2, "CertPolicyId"},
+ {"DirectoryString", 1610612754, 0},
+ {"teletexString", 1612709890, "TeletexString"},
+ {"MAX", 524298, "1"},
+ {"printableString", 1612709890, "PrintableString"},
+ {"MAX", 524298, "1"},
+ {"universalString", 1612709890, "UniversalString"},
+ {"MAX", 524298, "1"},
+ {"utf8String", 1612709890, "UTF8String"},
+ {"MAX", 524298, "1"},
+ {"bmpString", 1612709890, "BMPString"},
+ {"MAX", 524298, "1"},
+ {"ia5String", 538968066, "IA5String"},
+ {"MAX", 524298, "1"},
+ {"id-ce-subjectAltName", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "17"},
+ {"SubjectAltName", 1073741826, "GeneralNames"},
+ {"GeneralNames", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "GeneralName"},
+ {"GeneralName", 1610612754, 0},
+ {"otherName", 1610620930, "AnotherName"},
+ {0, 4104, "0"},
+ {"rfc822Name", 1610620930, "IA5String"},
+ {0, 4104, "1"},
+ {"dNSName", 1610620930, "IA5String"},
+ {0, 4104, "2"},
+ {"x400Address", 1610620930, "ORAddress"},
+ {0, 4104, "3"},
+ {"directoryName", 1610620930, "RDNSequence"},
+ {0, 2056, "4"},
+ {"ediPartyName", 1610620930, "EDIPartyName"},
+ {0, 4104, "5"},
+ {"uniformResourceIdentifier", 1610620930, "IA5String"},
+ {0, 4104, "6"},
+ {"iPAddress", 1610620935, 0},
+ {0, 4104, "7"},
+ {"registeredID", 536879116, 0},
+ {0, 4104, "8"},
+ {"AnotherName", 1610612741, 0},
+ {"type-id", 1073741836, 0},
+ {"value", 541073421, 0},
+ {0, 1073743880, "0"},
+ {"type-id", 1, 0},
+ {"EDIPartyName", 1610612741, 0},
+ {"nameAssigner", 1610637314, "DirectoryString"},
+ {0, 4104, "0"},
+ {"partyName", 536879106, "DirectoryString"},
+ {0, 4104, "1"},
+ {"id-ce-issuerAltName", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "18"},
+ {"IssuerAltName", 1073741826, "GeneralNames"},
+ {"id-ce-subjectDirectoryAttributes", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "9"},
+ {"SubjectDirectoryAttributes", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "Attribute"},
+ {"id-ce-basicConstraints", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "19"},
+ {"BasicConstraints", 1610612741, 0},
+ {"cA", 1610645508, 0},
+ {0, 131081, 0},
+ {"pathLenConstraint", 537411587, 0},
+ {"0", 10, "MAX"},
+ {"id-ce-nameConstraints", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "30"},
+ {"NameConstraints", 1610612741, 0},
+ {"permittedSubtrees", 1610637314, "GeneralSubtrees"},
+ {0, 4104, "0"},
+ {"excludedSubtrees", 536895490, "GeneralSubtrees"},
+ {0, 4104, "1"},
+ {"GeneralSubtrees", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "GeneralSubtree"},
+ {"GeneralSubtree", 1610612741, 0},
+ {"base", 1073741826, "GeneralName"},
+ {"minimum", 1610653698, "BaseDistance"},
+ {0, 1073741833, "0"},
+ {0, 4104, "0"},
+ {"maximum", 536895490, "BaseDistance"},
+ {0, 4104, "1"},
+ {"BaseDistance", 1611137027, 0},
+ {"0", 10, "MAX"},
+ {"id-ce-policyConstraints", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "36"},
+ {"PolicyConstraints", 1610612741, 0},
+ {"requireExplicitPolicy", 1610637314, "SkipCerts"},
+ {0, 4104, "0"},
+ {"inhibitPolicyMapping", 536895490, "SkipCerts"},
+ {0, 4104, "1"},
+ {"SkipCerts", 1611137027, 0},
+ {"0", 10, "MAX"},
+ {"id-ce-cRLDistributionPoints", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "31"},
+ {"CRLDistributionPoints", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "DistributionPoint"},
+ {"DistributionPoint", 1610612741, 0},
+ {"distributionPoint", 1610637314, "DistributionPointName"},
+ {0, 2056, "0"},
+ {"reasons", 1610637314, "ReasonFlags"},
+ {0, 4104, "1"},
+ {"cRLIssuer", 536895490, "GeneralNames"},
+ {0, 4104, "2"},
+ {"DistributionPointName", 1610612754, 0},
+ {"fullName", 1610620930, "GeneralNames"},
+ {0, 4104, "0"},
+ {"nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"},
+ {0, 4104, "1"},
+ {"ReasonFlags", 1610874886, 0},
+ {"unused", 1073741825, "0"},
+ {"keyCompromise", 1073741825, "1"},
+ {"cACompromise", 1073741825, "2"},
+ {"affiliationChanged", 1073741825, "3"},
+ {"superseded", 1073741825, "4"},
+ {"cessationOfOperation", 1073741825, "5"},
+ {"certificateHold", 1073741825, "6"},
+ {"privilegeWithdrawn", 1073741825, "7"},
+ {"aACompromise", 1, "8"},
+ {"id-ce-extKeyUsage", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "37"},
+ {"ExtKeyUsageSyntax", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "KeyPurposeId"},
+ {"KeyPurposeId", 1073741836, 0},
+ {"id-kp-serverAuth", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "1"},
+ {"id-kp-clientAuth", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "2"},
+ {"id-kp-codeSigning", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "3"},
+ {"id-kp-emailProtection", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "4"},
+ {"id-kp-ipsecEndSystem", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "5"},
+ {"id-kp-ipsecTunnel", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "6"},
+ {"id-kp-ipsecUser", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "7"},
+ {"id-kp-timeStamping", 1879048204, 0},
+ {0, 1073741825, "id-kp"},
+ {0, 1, "8"},
+ {"id-pe-authorityInfoAccess", 1879048204, 0},
+ {0, 1073741825, "id-pe"},
+ {0, 1, "1"},
+ {"AuthorityInfoAccessSyntax", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "AccessDescription"},
+ {"AccessDescription", 1610612741, 0},
+ {"accessMethod", 1073741836, 0},
+ {"accessLocation", 2, "GeneralName"},
+ {"id-ce-cRLNumber", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "20"},
+ {"CRLNumber", 1611137027, 0},
+ {"0", 10, "MAX"},
+ {"id-ce-issuingDistributionPoint", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "28"},
+ {"IssuingDistributionPoint", 1610612741, 0},
+ {"distributionPoint", 1610637314, "DistributionPointName"},
+ {0, 4104, "0"},
+ {"onlyContainsUserCerts", 1610653700, 0},
+ {0, 1073872905, 0},
+ {0, 4104, "1"},
+ {"onlyContainsCACerts", 1610653700, 0},
+ {0, 1073872905, 0},
+ {0, 4104, "2"},
+ {"onlySomeReasons", 1610637314, "ReasonFlags"},
+ {0, 4104, "3"},
+ {"indirectCRL", 536911876, 0},
+ {0, 1073872905, 0},
+ {0, 4104, "4"},
+ {"id-ce-deltaCRLIndicator", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "27"},
+ {"BaseCRLNumber", 1073741826, "CRLNumber"},
+ {"id-ce-cRLReasons", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "21"},
+ {"CRLReason", 1610874901, 0},
+ {"unspecified", 1073741825, "0"},
+ {"keyCompromise", 1073741825, "1"},
+ {"cACompromise", 1073741825, "2"},
+ {"affiliationChanged", 1073741825, "3"},
+ {"superseded", 1073741825, "4"},
+ {"cessationOfOperation", 1073741825, "5"},
+ {"certificateHold", 1073741825, "6"},
+ {"removeFromCRL", 1, "8"},
+ {"id-ce-certificateIssuer", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "29"},
+ {"CertificateIssuer", 1073741826, "GeneralNames"},
+ {"id-ce-holdInstructionCode", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "23"},
+ {"HoldInstructionCode", 1073741836, 0},
+ {"holdInstruction", 1879048204, 0},
+ {"joint-iso-itu-t", 1073741825, "2"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"x9cm", 1073741825, "10040"},
+ {0, 1, "2"},
+ {"id-holdinstruction-none", 1879048204, 0},
+ {0, 1073741825, "holdInstruction"},
+ {0, 1, "1"},
+ {"id-holdinstruction-callissuer", 1879048204, 0},
+ {0, 1073741825, "holdInstruction"},
+ {0, 1, "2"},
+ {"id-holdinstruction-reject", 1879048204, 0},
+ {0, 1073741825, "holdInstruction"},
+ {0, 1, "3"},
+ {"id-ce-invalidityDate", 1879048204, 0},
+ {0, 1073741825, "id-ce"},
+ {0, 1, "24"},
+ {"InvalidityDate", 1082130449, 0},
+ {"VisibleString", 1610620935, 0},
+ {0, 4360, "26"},
+ {"NumericString", 1610620935, 0},
+ {0, 4360, "18"},
+ {"IA5String", 1610620935, 0},
+ {0, 4360, "22"},
+ {"TeletexString", 1610620935, 0},
+ {0, 4360, "20"},
+ {"PrintableString", 1610620935, 0},
+ {0, 4360, "19"},
+ {"UniversalString", 1610620935, 0},
+ {0, 4360, "28"},
+ {"BMPString", 1610620935, 0},
+ {0, 4360, "30"},
+ {"UTF8String", 1610620935, 0},
+ {0, 4360, "12"},
+ {"id-pkix", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"identified-organization", 1073741825, "3"},
+ {"dod", 1073741825, "6"},
+ {"internet", 1073741825, "1"},
+ {"security", 1073741825, "5"},
+ {"mechanisms", 1073741825, "5"},
+ {"pkix", 1, "7"},
+ {"id-pe", 1879048204, 0},
+ {0, 1073741825, "id-pkix"},
+ {0, 1, "1"},
+ {"id-qt", 1879048204, 0},
+ {0, 1073741825, "id-pkix"},
+ {0, 1, "2"},
+ {"id-kp", 1879048204, 0},
+ {0, 1073741825, "id-pkix"},
+ {0, 1, "3"},
+ {"id-ad", 1879048204, 0},
+ {0, 1073741825, "id-pkix"},
+ {0, 1, "48"},
+ {"id-qt-cps", 1879048204, 0},
+ {0, 1073741825, "id-qt"},
+ {0, 1, "1"},
+ {"id-qt-unotice", 1879048204, 0},
+ {0, 1073741825, "id-qt"},
+ {0, 1, "2"},
+ {"id-ad-ocsp", 1879048204, 0},
+ {0, 1073741825, "id-ad"},
+ {0, 1, "1"},
+ {"id-ad-caIssuers", 1879048204, 0},
+ {0, 1073741825, "id-ad"},
+ {0, 1, "2"},
+ {"Attribute", 1610612741, 0},
+ {"type", 1073741826, "AttributeType"},
+ {"values", 536870927, 0},
+ {0, 2, "AttributeValue"},
+ {"AttributeType", 1073741836, 0},
+ {"AttributeValue", 1614807053, 0},
+ {"type", 1, 0},
+ {"AttributeTypeAndValue", 1610612741, 0},
+ {"type", 1073741826, "AttributeType"},
+ {"value", 2, "AttributeValue"},
+ {"id-at", 1879048204, 0},
+ {"joint-iso-ccitt", 1073741825, "2"},
+ {"ds", 1073741825, "5"},
+ {0, 1, "4"},
+ {"id-at-initials", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "43"},
+ {"X520initials", 1073741826, "DirectoryString"},
+ {"id-at-generationQualifier", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "44"},
+ {"X520generationQualifier", 1073741826, "DirectoryString"},
+ {"id-at-surname", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "4"},
+ {"X520surName", 1073741826, "DirectoryString"},
+ {"id-at-givenName", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "42"},
+ {"X520givenName", 1073741826, "DirectoryString"},
+ {"id-at-name", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "41"},
+ {"X520name", 1073741826, "DirectoryString"},
+ {"id-at-commonName", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "3"},
+ {"X520CommonName", 1073741826, "DirectoryString"},
+ {"id-at-localityName", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "7"},
+ {"X520LocalityName", 1073741826, "DirectoryString"},
+ {"id-at-stateOrProvinceName", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "8"},
+ {"X520StateOrProvinceName", 1073741826, "DirectoryString"},
+ {"id-at-organizationName", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "10"},
+ {"X520OrganizationName", 1073741826, "DirectoryString"},
+ {"id-at-organizationalUnitName", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "11"},
+ {"X520OrganizationalUnitName", 1073741826, "DirectoryString"},
+ {"id-at-title", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "12"},
+ {"X520Title", 1073741826, "DirectoryString"},
+ {"id-at-description", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "13"},
+ {"X520Description", 1073741826, "DirectoryString"},
+ {"id-at-dnQualifier", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "46"},
+ {"X520dnQualifier", 1073741826, "PrintableString"},
+ {"id-at-countryName", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "6"},
+ {"X520countryName", 1612709890, "PrintableString"},
+ {0, 1048586, "2"},
+ {"id-at-serialNumber", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "5"},
+ {"X520serialNumber", 1073741826, "PrintableString"},
+ {"id-at-telephoneNumber", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "20"},
+ {"X520telephoneNumber", 1073741826, "PrintableString"},
+ {"id-at-facsimileTelephoneNumber", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "23"},
+ {"X520facsimileTelephoneNumber", 1073741826, "PrintableString"},
+ {"id-at-pseudonym", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "65"},
+ {"X520pseudonym", 1073741826, "DirectoryString"},
+ {"id-at-name", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "41"},
+ {"X520name", 1073741826, "DirectoryString"},
+ {"id-at-streetAddress", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "9"},
+ {"X520streetAddress", 1073741826, "DirectoryString"},
+ {"id-at-postalAddress", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-at"},
+ {0, 1, "16"},
+ {"X520postalAddress", 1073741826, "PostalAddress"},
+ {"PostalAddress", 1610612747, 0},
+ {0, 2, "DirectoryString"},
+ {"pkcs", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"rsadsi", 1073741825, "113549"},
+ {"pkcs", 1, "1"},
+ {"pkcs-9", 1879048204, 0},
+ {0, 1073741825, "pkcs"},
+ {0, 1, "9"},
+ {"emailAddress", 1880096780, "AttributeType"},
+ {0, 1073741825, "pkcs-9"},
+ {0, 1, "1"},
+ {"Pkcs9email", 1612709890, "IA5String"},
+ {"ub-emailaddress-length", 524298, "1"},
+ {"Name", 1610612754, 0},
+ {"rdnSequence", 2, "RDNSequence"},
+ {"RDNSequence", 1610612747, 0},
+ {0, 2, "RelativeDistinguishedName"},
+ {"DistinguishedName", 1073741826, "RDNSequence"},
+ {"RelativeDistinguishedName", 1612709903, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "AttributeTypeAndValue"},
+ {"Certificate", 1610612741, 0},
+ {"tbsCertificate", 1073741826, "TBSCertificate"},
+ {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ {"signature", 6, 0},
+ {"TBSCertificate", 1610612741, 0},
+ {"version", 1610653698, "Version"},
+ {0, 1073741833, "v1"},
+ {0, 2056, "0"},
+ {"serialNumber", 1073741826, "CertificateSerialNumber"},
+ {"signature", 1073741826, "AlgorithmIdentifier"},
+ {"issuer", 1073741826, "Name"},
+ {"validity", 1073741826, "Validity"},
+ {"subject", 1073741826, "Name"},
+ {"subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"},
+ {"issuerUniqueID", 1610637314, "UniqueIdentifier"},
+ {0, 4104, "1"},
+ {"subjectUniqueID", 1610637314, "UniqueIdentifier"},
+ {0, 4104, "2"},
+ {"extensions", 536895490, "Extensions"},
+ {0, 2056, "3"},
+ {"Version", 1610874883, 0},
+ {"v1", 1073741825, "0"},
+ {"v2", 1073741825, "1"},
+ {"v3", 1, "2"},
+ {"CertificateSerialNumber", 1073741827, 0},
+ {"Validity", 1610612741, 0},
+ {"notBefore", 1073741826, "Time"},
+ {"notAfter", 2, "Time"},
+ {"Time", 1610612754, 0},
+ {"utcTime", 1090519057, 0},
+ {"generalTime", 8388625, 0},
+ {"UniqueIdentifier", 1073741830, 0},
+ {"SubjectPublicKeyInfo", 1610612741, 0},
+ {"algorithm", 1073741826, "AlgorithmIdentifier"},
+ {"subjectPublicKey", 6, 0},
+ {"Extensions", 1612709899, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "Extension"},
+ {"Extension", 1610612741, 0},
+ {"extnID", 1073741836, 0},
+ {"critical", 1610645508, 0},
+ {0, 131081, 0},
+ {"extnValue", 7, 0},
+ {"CertificateList", 1610612741, 0},
+ {"tbsCertList", 1073741826, "TBSCertList"},
+ {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ {"signature", 6, 0},
+ {"TBSCertList", 1610612741, 0},
+ {"version", 1073758210, "Version"},
+ {"signature", 1073741826, "AlgorithmIdentifier"},
+ {"issuer", 1073741826, "Name"},
+ {"thisUpdate", 1073741826, "Time"},
+ {"nextUpdate", 1073758210, "Time"},
+ {"revokedCertificates", 1610629131, 0},
+ {0, 536870917, 0},
+ {"userCertificate", 1073741826, "CertificateSerialNumber"},
+ {"revocationDate", 1073741826, "Time"},
+ {"crlEntryExtensions", 16386, "Extensions"},
+ {"crlExtensions", 536895490, "Extensions"},
+ {0, 2056, "0"},
+ {"AlgorithmIdentifier", 1610612741, 0},
+ {"algorithm", 1073741836, 0},
+ {"parameters", 541081613, 0},
+ {"algorithm", 1, 0},
+ {"pkcs-1", 1879048204, 0},
+ {0, 1073741825, "pkcs"},
+ {0, 1, "1"},
+ {"rsaEncryption", 1879048204, 0},
+ {0, 1073741825, "pkcs-1"},
+ {0, 1, "1"},
+ {"md2WithRSAEncryption", 1879048204, 0},
+ {0, 1073741825, "pkcs-1"},
+ {0, 1, "2"},
+ {"md5WithRSAEncryption", 1879048204, 0},
+ {0, 1073741825, "pkcs-1"},
+ {0, 1, "4"},
+ {"sha1WithRSAEncryption", 1879048204, 0},
+ {0, 1073741825, "pkcs-1"},
+ {0, 1, "5"},
+ {"id-dsa-with-sha1", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"x9-57", 1073741825, "10040"},
+ {"x9algorithm", 1073741825, "4"},
+ {0, 1, "3"},
+ {"Dss-Sig-Value", 1610612741, 0},
+ {"r", 1073741827, 0},
+ {"s", 3, 0},
+ {"dhpublicnumber", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"ansi-x942", 1073741825, "10046"},
+ {"number-type", 1073741825, "2"},
+ {0, 1, "1"},
+ {"DomainParameters", 1610612741, 0},
+ {"p", 1073741827, 0},
+ {"g", 1073741827, 0},
+ {"q", 1073741827, 0},
+ {"j", 1073758211, 0},
+ {"validationParms", 16386, "ValidationParms"},
+ {"ValidationParms", 1610612741, 0},
+ {"seed", 1073741830, 0},
+ {"pgenCounter", 3, 0},
+ {"id-dsa", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"x9-57", 1073741825, "10040"},
+ {"x9algorithm", 1073741825, "4"},
+ {0, 1, "1"},
+ {"Dss-Parms", 1610612741, 0},
+ {"p", 1073741827, 0},
+ {"q", 1073741827, 0},
+ {"g", 3, 0},
+ {"ORAddress", 1610612741, 0},
+ {"built-in-standard-attributes", 1073741826, "BuiltInStandardAttributes"},
+ {"built-in-domain-defined-attributes", 1073758210,
+ "BuiltInDomainDefinedAttributes"},
+ {"extension-attributes", 16386, "ExtensionAttributes"},
+ {"BuiltInStandardAttributes", 1610612741, 0},
+ {"country-name", 1073758210, "CountryName"},
+ {"administration-domain-name", 1073758210, "AdministrationDomainName"},
+ {"network-address", 1610637314, "NetworkAddress"},
+ {0, 2056, "0"},
+ {"terminal-identifier", 1610637314, "TerminalIdentifier"},
+ {0, 2056, "1"},
+ {"private-domain-name", 1610637314, "PrivateDomainName"},
+ {0, 2056, "2"},
+ {"organization-name", 1610637314, "OrganizationName"},
+ {0, 2056, "3"},
+ {"numeric-user-identifier", 1610637314, "NumericUserIdentifier"},
+ {0, 2056, "4"},
+ {"personal-name", 1610637314, "PersonalName"},
+ {0, 2056, "5"},
+ {"organizational-unit-names", 536895490, "OrganizationalUnitNames"},
+ {0, 2056, "6"},
+ {"CountryName", 1610620946, 0},
+ {0, 1073746952, "1"},
+ {"x121-dcc-code", 1612709890, "NumericString"},
+ {0, 1048586, "ub-country-name-numeric-length"},
+ {"iso-3166-alpha2-code", 538968066, "PrintableString"},
+ {0, 1048586, "ub-country-name-alpha-length"},
+ {"AdministrationDomainName", 1610620946, 0},
+ {0, 1073744904, "2"},
+ {"numeric", 1612709890, "NumericString"},
+ {"ub-domain-name-length", 524298, "0"},
+ {"printable", 538968066, "PrintableString"},
+ {"ub-domain-name-length", 524298, "0"},
+ {"NetworkAddress", 1073741826, "X121Address"},
+ {"X121Address", 1612709890, "NumericString"},
+ {"ub-x121-address-length", 524298, "1"},
+ {"TerminalIdentifier", 1612709890, "PrintableString"},
+ {"ub-terminal-id-length", 524298, "1"},
+ {"PrivateDomainName", 1610612754, 0},
+ {"numeric", 1612709890, "NumericString"},
+ {"ub-domain-name-length", 524298, "1"},
+ {"printable", 538968066, "PrintableString"},
+ {"ub-domain-name-length", 524298, "1"},
+ {"OrganizationName", 1612709890, "PrintableString"},
+ {"ub-organization-name-length", 524298, "1"},
+ {"NumericUserIdentifier", 1612709890, "NumericString"},
+ {"ub-numeric-user-id-length", 524298, "1"},
+ {"PersonalName", 1610612750, 0},
+ {"surname", 1814044674, "PrintableString"},
+ {0, 1073745928, "0"},
+ {"ub-surname-length", 524298, "1"},
+ {"given-name", 1814061058, "PrintableString"},
+ {0, 1073745928, "1"},
+ {"ub-given-name-length", 524298, "1"},
+ {"initials", 1814061058, "PrintableString"},
+ {0, 1073745928, "2"},
+ {"ub-initials-length", 524298, "1"},
+ {"generation-qualifier", 740319234, "PrintableString"},
+ {0, 1073745928, "3"},
+ {"ub-generation-qualifier-length", 524298, "1"},
+ {"OrganizationalUnitNames", 1612709899, 0},
+ {"ub-organizational-units", 1074266122, "1"},
+ {0, 2, "OrganizationalUnitName"},
+ {"OrganizationalUnitName", 1612709890, "PrintableString"},
+ {"ub-organizational-unit-name-length", 524298, "1"},
+ {"BuiltInDomainDefinedAttributes", 1612709899, 0},
+ {"ub-domain-defined-attributes", 1074266122, "1"},
+ {0, 2, "BuiltInDomainDefinedAttribute"},
+ {"BuiltInDomainDefinedAttribute", 1610612741, 0},
+ {"type", 1612709890, "PrintableString"},
+ {"ub-domain-defined-attribute-type-length", 524298, "1"},
+ {"value", 538968066, "PrintableString"},
+ {"ub-domain-defined-attribute-value-length", 524298, "1"},
+ {"ExtensionAttributes", 1612709903, 0},
+ {"ub-extension-attributes", 1074266122, "1"},
+ {0, 2, "ExtensionAttribute"},
+ {"ExtensionAttribute", 1610612741, 0},
+ {"extension-attribute-type", 1611145219, 0},
+ {0, 1073743880, "0"},
+ {"0", 10, "ub-extension-attributes"},
+ {"extension-attribute-value", 541073421, 0},
+ {0, 1073743880, "1"},
+ {"extension-attribute-type", 1, 0},
+ {"common-name", 1342177283, "1"},
+ {"CommonName", 1612709890, "PrintableString"},
+ {"ub-common-name-length", 524298, "1"},
+ {"teletex-common-name", 1342177283, "2"},
+ {"TeletexCommonName", 1612709890, "TeletexString"},
+ {"ub-common-name-length", 524298, "1"},
+ {"teletex-organization-name", 1342177283, "3"},
+ {"TeletexOrganizationName", 1612709890, "TeletexString"},
+ {"ub-organization-name-length", 524298, "1"},
+ {"teletex-personal-name", 1342177283, "4"},
+ {"TeletexPersonalName", 1610612750, 0},
+ {"surname", 1814044674, "TeletexString"},
+ {0, 1073743880, "0"},
+ {"ub-surname-length", 524298, "1"},
+ {"given-name", 1814061058, "TeletexString"},
+ {0, 1073743880, "1"},
+ {"ub-given-name-length", 524298, "1"},
+ {"initials", 1814061058, "TeletexString"},
+ {0, 1073743880, "2"},
+ {"ub-initials-length", 524298, "1"},
+ {"generation-qualifier", 740319234, "TeletexString"},
+ {0, 1073743880, "3"},
+ {"ub-generation-qualifier-length", 524298, "1"},
+ {"teletex-organizational-unit-names", 1342177283, "5"},
+ {"TeletexOrganizationalUnitNames", 1612709899, 0},
+ {"ub-organizational-units", 1074266122, "1"},
+ {0, 2, "TeletexOrganizationalUnitName"},
+ {"TeletexOrganizationalUnitName", 1612709890, "TeletexString"},
+ {"ub-organizational-unit-name-length", 524298, "1"},
+ {"pds-name", 1342177283, "7"},
+ {"PDSName", 1612709890, "PrintableString"},
+ {"ub-pds-name-length", 524298, "1"},
+ {"physical-delivery-country-name", 1342177283, "8"},
+ {"PhysicalDeliveryCountryName", 1610612754, 0},
+ {"x121-dcc-code", 1612709890, "NumericString"},
+ {0, 1048586, "ub-country-name-numeric-length"},
+ {"iso-3166-alpha2-code", 538968066, "PrintableString"},
+ {0, 1048586, "ub-country-name-alpha-length"},
+ {"postal-code", 1342177283, "9"},
+ {"PostalCode", 1610612754, 0},
+ {"numeric-code", 1612709890, "NumericString"},
+ {"ub-postal-code-length", 524298, "1"},
+ {"printable-code", 538968066, "PrintableString"},
+ {"ub-postal-code-length", 524298, "1"},
+ {"physical-delivery-office-name", 1342177283, "10"},
+ {"PhysicalDeliveryOfficeName", 1073741826, "PDSParameter"},
+ {"physical-delivery-office-number", 1342177283, "11"},
+ {"PhysicalDeliveryOfficeNumber", 1073741826, "PDSParameter"},
+ {"extension-OR-address-components", 1342177283, "12"},
+ {"ExtensionORAddressComponents", 1073741826, "PDSParameter"},
+ {"physical-delivery-personal-name", 1342177283, "13"},
+ {"PhysicalDeliveryPersonalName", 1073741826, "PDSParameter"},
+ {"physical-delivery-organization-name", 1342177283, "14"},
+ {"PhysicalDeliveryOrganizationName", 1073741826, "PDSParameter"},
+ {"extension-physical-delivery-address-components", 1342177283, "15"},
+ {"ExtensionPhysicalDeliveryAddressComponents", 1073741826, "PDSParameter"},
+ {"unformatted-postal-address", 1342177283, "16"},
+ {"UnformattedPostalAddress", 1610612750, 0},
+ {"printable-address", 1814052875, 0},
+ {"ub-pds-physical-address-lines", 1074266122, "1"},
+ {0, 538968066, "PrintableString"},
+ {"ub-pds-parameter-length", 524298, "1"},
+ {"teletex-string", 740311042, "TeletexString"},
+ {"ub-unformatted-address-length", 524298, "1"},
+ {"street-address", 1342177283, "17"},
+ {"StreetAddress", 1073741826, "PDSParameter"},
+ {"post-office-box-address", 1342177283, "18"},
+ {"PostOfficeBoxAddress", 1073741826, "PDSParameter"},
+ {"poste-restante-address", 1342177283, "19"},
+ {"PosteRestanteAddress", 1073741826, "PDSParameter"},
+ {"unique-postal-name", 1342177283, "20"},
+ {"UniquePostalName", 1073741826, "PDSParameter"},
+ {"local-postal-attributes", 1342177283, "21"},
+ {"LocalPostalAttributes", 1073741826, "PDSParameter"},
+ {"PDSParameter", 1610612750, 0},
+ {"printable-string", 1814052866, "PrintableString"},
+ {"ub-pds-parameter-length", 524298, "1"},
+ {"teletex-string", 740311042, "TeletexString"},
+ {"ub-pds-parameter-length", 524298, "1"},
+ {"extended-network-address", 1342177283, "22"},
+ {"ExtendedNetworkAddress", 1610612754, 0},
+ {"e163-4-address", 1610612741, 0},
+ {"number", 1612718082, "NumericString"},
+ {0, 1073743880, "0"},
+ {"ub-e163-4-number-length", 524298, "1"},
+ {"sub-address", 538992642, "NumericString"},
+ {0, 1073743880, "1"},
+ {"ub-e163-4-sub-address-length", 524298, "1"},
+ {"psap-address", 536879106, "PresentationAddress"},
+ {0, 2056, "0"},
+ {"PresentationAddress", 1610612741, 0},
+ {"pSelector", 1610637319, 0},
+ {0, 2056, "0"},
+ {"sSelector", 1610637319, 0},
+ {0, 2056, "1"},
+ {"tSelector", 1610637319, 0},
+ {0, 2056, "2"},
+ {"nAddresses", 538976271, 0},
+ {0, 1073743880, "3"},
+ {"MAX", 1074266122, "1"},
+ {0, 7, 0},
+ {"terminal-type", 1342177283, "23"},
+ {"TerminalType", 1610874883, 0},
+ {"telex", 1073741825, "3"},
+ {"teletex", 1073741825, "4"},
+ {"g3-facsimile", 1073741825, "5"},
+ {"g4-facsimile", 1073741825, "6"},
+ {"ia5-terminal", 1073741825, "7"},
+ {"videotex", 1, "8"},
+ {"teletex-domain-defined-attributes", 1342177283, "6"},
+ {"TeletexDomainDefinedAttributes", 1612709899, 0},
+ {"ub-domain-defined-attributes", 1074266122, "1"},
+ {0, 2, "TeletexDomainDefinedAttribute"},
+ {"TeletexDomainDefinedAttribute", 1610612741, 0},
+ {"type", 1612709890, "TeletexString"},
+ {"ub-domain-defined-attribute-type-length", 524298, "1"},
+ {"value", 538968066, "TeletexString"},
+ {"ub-domain-defined-attribute-value-length", 524298, "1"},
+ {"ub-name", 1342177283, "32768"},
+ {"ub-common-name", 1342177283, "64"},
+ {"ub-locality-name", 1342177283, "128"},
+ {"ub-state-name", 1342177283, "128"},
+ {"ub-organization-name", 1342177283, "64"},
+ {"ub-organizational-unit-name", 1342177283, "64"},
+ {"ub-title", 1342177283, "64"},
+ {"ub-match", 1342177283, "128"},
+ {"ub-emailaddress-length", 1342177283, "128"},
+ {"ub-common-name-length", 1342177283, "64"},
+ {"ub-country-name-alpha-length", 1342177283, "2"},
+ {"ub-country-name-numeric-length", 1342177283, "3"},
+ {"ub-domain-defined-attributes", 1342177283, "4"},
+ {"ub-domain-defined-attribute-type-length", 1342177283, "8"},
+ {"ub-domain-defined-attribute-value-length", 1342177283, "128"},
+ {"ub-domain-name-length", 1342177283, "16"},
+ {"ub-extension-attributes", 1342177283, "256"},
+ {"ub-e163-4-number-length", 1342177283, "15"},
+ {"ub-e163-4-sub-address-length", 1342177283, "40"},
+ {"ub-generation-qualifier-length", 1342177283, "3"},
+ {"ub-given-name-length", 1342177283, "16"},
+ {"ub-initials-length", 1342177283, "5"},
+ {"ub-integer-options", 1342177283, "256"},
+ {"ub-numeric-user-id-length", 1342177283, "32"},
+ {"ub-organization-name-length", 1342177283, "64"},
+ {"ub-organizational-unit-name-length", 1342177283, "32"},
+ {"ub-organizational-units", 1342177283, "4"},
+ {"ub-pds-name-length", 1342177283, "16"},
+ {"ub-pds-parameter-length", 1342177283, "30"},
+ {"ub-pds-physical-address-lines", 1342177283, "6"},
+ {"ub-postal-code-length", 1342177283, "16"},
+ {"ub-surname-length", 1342177283, "40"},
+ {"ub-terminal-id-length", 1342177283, "24"},
+ {"ub-unformatted-address-length", 1342177283, "180"},
+ {"ub-x121-address-length", 1342177283, "16"},
+ {"pkcs-7-ContentInfo", 1610612741, 0},
+ {"contentType", 1073741826, "pkcs-7-ContentType"},
+ {"content", 541073421, 0},
+ {0, 1073743880, "0"},
+ {"contentType", 1, 0},
+ {"pkcs-7-DigestInfo", 1610612741, 0},
+ {"digestAlgorithm", 1073741826, "pkcs-7-DigestAlgorithmIdentifier"},
+ {"digest", 2, "pkcs-7-Digest"},
+ {"pkcs-7-Digest", 1073741831, 0},
+ {"pkcs-7-ContentType", 1073741836, 0},
+ {"pkcs-7-SignedData", 1610612741, 0},
+ {"version", 1073741826, "pkcs-7-CMSVersion"},
+ {"digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"},
+ {"encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"},
+ {"certificates", 1610637314, "pkcs-7-CertificateSet"},
+ {0, 4104, "0"},
+ {"crls", 1610637314, "pkcs-7-CertificateRevocationLists"},
+ {0, 4104, "1"},
+ {"signerInfos", 2, "pkcs-7-SignerInfos"},
+ {"pkcs-7-CMSVersion", 1610874883, 0},
+ {"v0", 1073741825, "0"},
+ {"v1", 1073741825, "1"},
+ {"v2", 1073741825, "2"},
+ {"v3", 1073741825, "3"},
+ {"v4", 1, "4"},
+ {"pkcs-7-DigestAlgorithmIdentifiers", 1610612751, 0},
+ {0, 2, "pkcs-7-DigestAlgorithmIdentifier"},
+ {"pkcs-7-DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
+ {"pkcs-7-EncapsulatedContentInfo", 1610612741, 0},
+ {"eContentType", 1073741826, "pkcs-7-ContentType"},
+ {"eContent", 536895495, 0},
+ {0, 2056, "0"},
+ {"pkcs-7-CertificateRevocationLists", 1610612751, 0},
+ {0, 13, 0},
+ {"pkcs-7-CertificateChoices", 1610612754, 0},
+ {"certificate", 13, 0},
+ {"pkcs-7-CertificateSet", 1610612751, 0},
+ {0, 2, "pkcs-7-CertificateChoices"},
+ {"pkcs-7-SignerInfos", 1610612751, 0},
+ {0, 13, 0},
+ {"pkcs-10-CertificationRequestInfo", 1610612741, 0},
+ {"version", 1610874883, 0},
+ {"v1", 1, "0"},
+ {"subject", 1073741826, "Name"},
+ {"subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"},
+ {"attributes", 536879106, "Attributes"},
+ {0, 4104, "0"},
+ {"Attributes", 1610612751, 0},
+ {0, 2, "Attribute"},
+ {"pkcs-10-CertificationRequest", 1610612741, 0},
+ {"certificationRequestInfo", 1073741826, "pkcs-10-CertificationRequestInfo"},
+ {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ {"signature", 6, 0},
+ {"pkcs-9-ub-challengePassword", 1342177283, "255"},
+ {"pkcs-9-certTypes", 1879048204, 0},
+ {0, 1073741825, "pkcs-9"},
+ {0, 1, "22"},
+ {"pkcs-9-crlTypes", 1879048204, 0},
+ {0, 1073741825, "pkcs-9"},
+ {0, 1, "23"},
+ {"pkcs-9-at-challengePassword", 1879048204, 0},
+ {0, 1073741825, "pkcs-9"},
+ {0, 1, "7"},
+ {"pkcs-9-challengePassword", 1610612754, 0},
+ {"printableString", 1612709890, "PrintableString"},
+ {"pkcs-9-ub-challengePassword", 524298, "1"},
+ {"utf8String", 538968066, "UTF8String"},
+ {"pkcs-9-ub-challengePassword", 524298, "1"},
+ {"pkcs-9-at-localKeyId", 1879048204, 0},
+ {0, 1073741825, "pkcs-9"},
+ {0, 1, "21"},
+ {"pkcs-9-localKeyId", 1073741831, 0},
+ {"pkcs-9-at-friendlyName", 1879048204, 0},
+ {0, 1073741825, "pkcs-9"},
+ {0, 1, "20"},
+ {"pkcs-9-friendlyName", 1612709890, "BMPString"},
+ {"255", 524298, "1"},
+ {"pkcs-8-PrivateKeyInfo", 1610612741, 0},
+ {"version", 1073741826, "pkcs-8-Version"},
+ {"privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ {"privateKey", 1073741826, "pkcs-8-PrivateKey"},
+ {"attributes", 536895490, "Attributes"},
+ {0, 4104, "0"},
+ {"pkcs-8-Version", 1610874883, 0},
+ {"v1", 1, "0"},
+ {"pkcs-8-PrivateKey", 1073741831, 0},
+ {"pkcs-8-Attributes", 1610612751, 0},
+ {0, 2, "Attribute"},
+ {"pkcs-8-EncryptedPrivateKeyInfo", 1610612741, 0},
+ {"encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"},
+ {"encryptedData", 2, "pkcs-8-EncryptedData"},
+ {"pkcs-8-EncryptedData", 1073741831, 0},
+ {"pkcs-5", 1879048204, 0},
+ {0, 1073741825, "pkcs"},
+ {0, 1, "5"},
+ {"pkcs-5-encryptionAlgorithm", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"rsadsi", 1073741825, "113549"},
+ {0, 1, "3"},
+ {"pkcs-5-des-EDE3-CBC", 1879048204, 0},
+ {0, 1073741825, "pkcs-5-encryptionAlgorithm"},
+ {0, 1, "7"},
+ {"pkcs-5-des-EDE3-CBC-params", 1612709895, 0},
+ {0, 1048586, "8"},
+ {"pkcs-5-id-PBES2", 1879048204, 0},
+ {0, 1073741825, "pkcs-5"},
+ {0, 1, "13"},
+ {"pkcs-5-PBES2-params", 1610612741, 0},
+ {"keyDerivationFunc", 1073741826, "AlgorithmIdentifier"},
+ {"encryptionScheme", 2, "AlgorithmIdentifier"},
+ {"pkcs-5-id-PBKDF2", 1879048204, 0},
+ {0, 1073741825, "pkcs-5"},
+ {0, 1, "12"},
+ {"pkcs-5-PBKDF2-params", 1610612741, 0},
+ {"salt", 1610612754, 0},
+ {"specified", 1073741831, 0},
+ {"otherSource", 2, "AlgorithmIdentifier"},
+ {"iterationCount", 1611137027, 0},
+ {"1", 10, "MAX"},
+ {"keyLength", 1611153411, 0},
+ {"1", 10, "MAX"},
+ {"prf", 16386, "AlgorithmIdentifier"},
+ {"pkcs-12", 1879048204, 0},
+ {0, 1073741825, "pkcs"},
+ {0, 1, "12"},
+ {"pkcs-12-PFX", 1610612741, 0},
+ {"version", 1610874883, 0},
+ {"v3", 1, "3"},
+ {"authSafe", 1073741826, "pkcs-7-ContentInfo"},
+ {"macData", 16386, "pkcs-12-MacData"},
+ {"pkcs-12-PbeParams", 1610612741, 0},
+ {"salt", 1073741831, 0},
+ {"iterations", 3, 0},
+ {"pkcs-12-MacData", 1610612741, 0},
+ {"mac", 1073741826, "pkcs-7-DigestInfo"},
+ {"macSalt", 1073741831, 0},
+ {"iterations", 536903683, 0},
+ {0, 9, "1"},
+ {"pkcs-12-AuthenticatedSafe", 1610612747, 0},
+ {0, 2, "pkcs-7-ContentInfo"},
+ {"pkcs-12-SafeContents", 1610612747, 0},
+ {0, 2, "pkcs-12-SafeBag"},
+ {"pkcs-12-SafeBag", 1610612741, 0},
+ {"bagId", 1073741836, 0},
+ {"bagValue", 1614815245, 0},
+ {0, 1073743880, "0"},
+ {"badId", 1, 0},
+ {"bagAttributes", 536887311, 0},
+ {0, 2, "pkcs-12-PKCS12Attribute"},
+ {"pkcs-12-bagtypes", 1879048204, 0},
+ {0, 1073741825, "pkcs-12"},
+ {0, 1073741825, "10"},
+ {0, 1, "1"},
+ {"pkcs-12-keyBag", 1879048204, 0},
+ {0, 1073741825, "pkcs-12-bagtypes"},
+ {0, 1, "1"},
+ {"pkcs-12-pkcs8ShroudedKeyBag", 1879048204, 0},
+ {0, 1073741825, "pkcs-12-bagtypes"},
+ {0, 1, "2"},
+ {"pkcs-12-certBag", 1879048204, 0},
+ {0, 1073741825, "pkcs-12-bagtypes"},
+ {0, 1, "3"},
+ {"pkcs-12-crlBag", 1879048204, 0},
+ {0, 1073741825, "pkcs-12-bagtypes"},
+ {0, 1, "4"},
+ {"pkcs-12-KeyBag", 1073741826, "pkcs-8-PrivateKeyInfo"},
+ {"pkcs-12-PKCS8ShroudedKeyBag", 1073741826, "pkcs-8-EncryptedPrivateKeyInfo"},
+ {"pkcs-12-CertBag", 1610612741, 0},
+ {"certId", 1073741836, 0},
+ {"certValue", 541073421, 0},
+ {0, 1073743880, "0"},
+ {"certId", 1, 0},
+ {"pkcs-12-CRLBag", 1610612741, 0},
+ {"crlId", 1073741836, 0},
+ {"crlValue", 541073421, 0},
+ {0, 1073743880, "0"},
+ {"crlId", 1, 0},
+ {"pkcs-12-PKCS12Attribute", 1073741826, "Attribute"},
+ {"pkcs-7-data", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"rsadsi", 1073741825, "113549"},
+ {"pkcs", 1073741825, "1"},
+ {"pkcs7", 1073741825, "7"},
+ {0, 1, "1"},
+ {"pkcs-7-encryptedData", 1879048204, 0},
+ {"iso", 1073741825, "1"},
+ {"member-body", 1073741825, "2"},
+ {"us", 1073741825, "840"},
+ {"rsadsi", 1073741825, "113549"},
+ {"pkcs", 1073741825, "1"},
+ {"pkcs7", 1073741825, "7"},
+ {0, 1, "6"},
+ {"pkcs-7-Data", 1073741831, 0},
+ {"pkcs-7-EncryptedData", 1610612741, 0},
+ {"version", 1073741826, "pkcs-7-CMSVersion"},
+ {"encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"},
+ {"unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"},
+ {0, 4104, "1"},
+ {"pkcs-7-EncryptedContentInfo", 1610612741, 0},
+ {"contentType", 1073741826, "pkcs-7-ContentType"},
+ {"contentEncryptionAlgorithm", 1073741826,
+ "pkcs-7-ContentEncryptionAlgorithmIdentifier"},
+ {"encryptedContent", 536895490, "pkcs-7-EncryptedContent"},
+ {0, 4104, "0"},
+ {"pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826,
+ "AlgorithmIdentifier"},
+ {"pkcs-7-EncryptedContent", 1073741831, 0},
+ {"pkcs-7-UnprotectedAttributes", 1612709903, 0},
+ {"MAX", 1074266122, "1"},
+ {0, 2, "Attribute"},
+ {"id-at-ldap-DC", 1880096780, "AttributeType"},
+ {0, 1073741825, "0"},
+ {0, 1073741825, "9"},
+ {0, 1073741825, "2342"},
+ {0, 1073741825, "19200300"},
+ {0, 1073741825, "100"},
+ {0, 1073741825, "1"},
+ {0, 1, "25"},
+ {"ldap-DC", 1073741826, "IA5String"},
+ {"id-at-ldap-UID", 1880096780, "AttributeType"},
+ {0, 1073741825, "0"},
+ {0, 1073741825, "9"},
+ {0, 1073741825, "2342"},
+ {0, 1073741825, "19200300"},
+ {0, 1073741825, "100"},
+ {0, 1073741825, "1"},
+ {0, 1, "1"},
+ {"ldap-UID", 1073741826, "DirectoryString"},
+ {"id-pda", 1879048204, 0},
+ {0, 1073741825, "id-pkix"},
+ {0, 1, "9"},
+ {"id-pda-dateOfBirth", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-pda"},
+ {0, 1, "1"},
+ {"DateOfBirth", 1082130449, 0},
+ {"id-pda-placeOfBirth", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-pda"},
+ {0, 1, "2"},
+ {"PlaceOfBirth", 1073741826, "DirectoryString"},
+ {"id-pda-gender", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-pda"},
+ {0, 1, "3"},
+ {"Gender", 1612709890, "PrintableString"},
+ {0, 1048586, "1"},
+ {"id-pda-countryOfCitizenship", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-pda"},
+ {0, 1, "4"},
+ {"CountryOfCitizenship", 1612709890, "PrintableString"},
+ {0, 1048586, "2"},
+ {"id-pda-countryOfResidence", 1880096780, "AttributeType"},
+ {0, 1073741825, "id-pda"},
+ {0, 1, "5"},
+ {"CountryOfResidence", 538968066, "PrintableString"},
+ {0, 1048586, "2"},
+ {0, 0, 0}
+};
diff --git a/tests/test-crypto-tlscredsx509.c b/tests/test-crypto-tlscredsx509.c
new file mode 100644
index 0000000..c70aa55
--- /dev/null
+++ b/tests/test-crypto-tlscredsx509.c
@@ -0,0 +1,731 @@
+/*
+ * Copyright (C) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * Author: Daniel P. Berrange <berrange@redhat.com>
+ */
+
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "config-host.h"
+#include "crypto-tls-x509-helpers.h"
+#include "crypto/tlscredsx509.h"
+
+#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
+
+#define WORKDIR "tests/test-crypto-tlscredsx509-work/"
+#define KEYFILE WORKDIR "key-ctx.pem"
+
+struct QCryptoTLSCredsTestData {
+ bool isServer;
+ const char *cacrt;
+ const char *crt;
+ bool expectFail;
+};
+
+
+static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
+ const char *certdir,
+ Error **errp)
+{
+ Object *parent = object_get_objects_root();
+ Object *creds = object_new_with_props(
+ TYPE_QCRYPTO_TLS_CREDS_X509,
+ parent,
+ "testtlscreds",
+ errp,
+ "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
+ "server" : "client"),
+ "dir", certdir,
+ "verify-peer", "yes",
+ "sanity-check", "yes",
+ NULL);
+
+ if (*errp) {
+ return NULL;
+ }
+ return QCRYPTO_TLS_CREDS(creds);
+}
+
+/*
+ * This tests sanity checking of our own certificates
+ *
+ * The code being tested is used when TLS creds are created,
+ * and aim to ensure QMEU has been configured with sane
+ * certificates. This allows us to give much much much
+ * clearer error messages to the admin when they misconfigure
+ * things.
+ */
+static void test_tls_creds(const void *opaque)
+{
+ struct QCryptoTLSCredsTestData *data =
+ (struct QCryptoTLSCredsTestData *)opaque;
+ QCryptoTLSCreds *creds;
+ Error *err = NULL;
+
+#define CERT_DIR "tests/test-crypto-tlscredsx509-certs/"
+ mkdir(CERT_DIR, 0700);
+
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
+ if (data->isServer) {
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
+ } else {
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
+ }
+
+ if (access(data->cacrt, R_OK) == 0) {
+ g_assert(link(data->cacrt,
+ CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
+ }
+ if (data->isServer) {
+ if (access(data->crt, R_OK) == 0) {
+ g_assert(link(data->crt,
+ CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
+ }
+ g_assert(link(KEYFILE,
+ CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
+ } else {
+ if (access(data->crt, R_OK) == 0) {
+ g_assert(link(data->crt,
+ CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
+ }
+ g_assert(link(KEYFILE,
+ CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
+ }
+
+ creds = test_tls_creds_create(
+ (data->isServer ?
+ QCRYPTO_TLS_CREDS_ENDPOINT_SERVER :
+ QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT),
+ CERT_DIR,
+ &err);
+
+ if (data->expectFail) {
+ error_free(err);
+ g_assert(creds == NULL);
+ } else {
+ if (err) {
+ g_printerr("Failed to generate creds: %s\n",
+ error_get_pretty(err));
+ error_free(err);
+ }
+ g_assert(creds != NULL);
+ }
+
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
+ if (data->isServer) {
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
+ } else {
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
+ unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
+ }
+ rmdir(CERT_DIR);
+ if (creds) {
+ object_unparent(OBJECT(creds));
+ }
+}
+
+int main(int argc, char **argv)
+{
+ int ret;
+
+ module_call_init(MODULE_INIT_QOM);
+ g_test_init(&argc, &argv, NULL);
+ setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
+
+ mkdir(WORKDIR, 0700);
+
+ test_tls_init(KEYFILE);
+
+# define TLS_TEST_REG(name, isServer, caCrt, crt, expectFail) \
+ struct QCryptoTLSCredsTestData name = { \
+ isServer, caCrt, crt, expectFail \
+ }; \
+ g_test_add_data_func("/qcrypto/tlscredsx509/" # name, \
+ &name, test_tls_creds); \
+
+ /* A perfect CA, perfect client & perfect server */
+
+ /* Basic:CA:critical */
+ TLS_ROOT_REQ(cacertreq,
+ "UK", "qemu CA", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+
+ TLS_CERT_REQ(servercertreq, cacertreq,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ TLS_CERT_REQ(clientcertreq, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, 0);
+
+ TLS_TEST_REG(perfectserver, true,
+ cacertreq.filename, servercertreq.filename, false);
+ TLS_TEST_REG(perfectclient, false,
+ cacertreq.filename, clientcertreq.filename, false);
+
+
+ /* Some other CAs which are good */
+
+ /* Basic:CA:critical */
+ TLS_ROOT_REQ(cacert1req,
+ "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
+ true, true, true,
+ false, false, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercert1req, cacert1req,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+
+ /* Basic:CA:not-critical */
+ TLS_ROOT_REQ(cacert2req,
+ "UK", "qemu CA 2", NULL, NULL, NULL, NULL,
+ true, false, true,
+ false, false, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercert2req, cacert2req,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+
+ /* Key usage:cert-sign:critical */
+ TLS_ROOT_REQ(cacert3req,
+ "UK", "qemu CA 3", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercert3req, cacert3req,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+
+ TLS_TEST_REG(goodca1, true,
+ cacert1req.filename, servercert1req.filename, false);
+ TLS_TEST_REG(goodca2, true,
+ cacert2req.filename, servercert2req.filename, false);
+ TLS_TEST_REG(goodca3, true,
+ cacert3req.filename, servercert3req.filename, false);
+
+ /* Now some bad certs */
+
+ /* Key usage:dig-sig:not-critical */
+ TLS_ROOT_REQ(cacert4req,
+ "UK", "qemu CA 4", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercert4req, cacert4req,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ /* no-basic */
+ TLS_ROOT_REQ(cacert5req,
+ "UK", "qemu CA 5", NULL, NULL, NULL, NULL,
+ false, false, false,
+ false, false, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercert5req, cacert5req,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ /* Key usage:dig-sig:critical */
+ TLS_ROOT_REQ(cacert6req,
+ "UK", "qemu CA 6", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercert6req, cacert6req,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+
+ /* Technically a CA cert with basic constraints
+ * key purpose == key signing + non-critical should
+ * be rejected. GNUTLS < 3.1 does not reject it and
+ * we don't anticipate them changing this behaviour
+ */
+ TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,
+ (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
+ GNUTLS_VERSION_MAJOR > 3);
+ TLS_TEST_REG(badca2, true,
+ cacert5req.filename, servercert5req.filename, true);
+ TLS_TEST_REG(badca3, true,
+ cacert6req.filename, servercert6req.filename, true);
+
+
+ /* Various good servers */
+ /* no usage or purpose */
+ TLS_CERT_REQ(servercert7req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* usage:cert-sign+dig-sig+encipher:critical */
+ TLS_CERT_REQ(servercert8req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
+ GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* usage:cert-sign:not-critical */
+ TLS_CERT_REQ(servercert9req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, false, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* purpose:server:critical */
+ TLS_CERT_REQ(servercert10req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ /* purpose:server:not-critical */
+ TLS_CERT_REQ(servercert11req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ /* purpose:client+server:critical */
+ TLS_CERT_REQ(servercert12req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, true,
+ GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
+ 0, 0);
+ /* purpose:client+server:not-critical */
+ TLS_CERT_REQ(servercert13req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, false,
+ GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
+ 0, 0);
+
+ TLS_TEST_REG(goodserver1, true,
+ cacertreq.filename, servercert7req.filename, false);
+ TLS_TEST_REG(goodserver2, true,
+ cacertreq.filename, servercert8req.filename, false);
+ TLS_TEST_REG(goodserver3, true,
+ cacertreq.filename, servercert9req.filename, false);
+ TLS_TEST_REG(goodserver4, true,
+ cacertreq.filename, servercert10req.filename, false);
+ TLS_TEST_REG(goodserver5, true,
+ cacertreq.filename, servercert11req.filename, false);
+ TLS_TEST_REG(goodserver6, true,
+ cacertreq.filename, servercert12req.filename, false);
+ TLS_TEST_REG(goodserver7, true,
+ cacertreq.filename, servercert13req.filename, false);
+
+ /* Bad servers */
+
+ /* usage:cert-sign:critical */
+ TLS_CERT_REQ(servercert14req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* purpose:client:critical */
+ TLS_CERT_REQ(servercert15req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, 0);
+ /* usage: none:critical */
+ TLS_CERT_REQ(servercert16req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+
+ TLS_TEST_REG(badserver1, true,
+ cacertreq.filename, servercert14req.filename, true);
+ TLS_TEST_REG(badserver2, true,
+ cacertreq.filename, servercert15req.filename, true);
+ TLS_TEST_REG(badserver3, true,
+ cacertreq.filename, servercert16req.filename, true);
+
+
+
+ /* Various good clients */
+ /* no usage or purpose */
+ TLS_CERT_REQ(clientcert1req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* usage:cert-sign+dig-sig+encipher:critical */
+ TLS_CERT_REQ(clientcert2req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
+ GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* usage:cert-sign:not-critical */
+ TLS_CERT_REQ(clientcert3req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, false, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* purpose:client:critical */
+ TLS_CERT_REQ(clientcert4req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, 0);
+ /* purpose:client:not-critical */
+ TLS_CERT_REQ(clientcert5req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, 0);
+ /* purpose:client+client:critical */
+ TLS_CERT_REQ(clientcert6req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, true,
+ GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
+ 0, 0);
+ /* purpose:client+client:not-critical */
+ TLS_CERT_REQ(clientcert7req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, false,
+ GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
+ 0, 0);
+
+ TLS_TEST_REG(goodclient1, false,
+ cacertreq.filename, clientcert1req.filename, false);
+ TLS_TEST_REG(goodclient2, false,
+ cacertreq.filename, clientcert2req.filename, false);
+ TLS_TEST_REG(goodclient3, false,
+ cacertreq.filename, clientcert3req.filename, false);
+ TLS_TEST_REG(goodclient4, false,
+ cacertreq.filename, clientcert4req.filename, false);
+ TLS_TEST_REG(goodclient5, false,
+ cacertreq.filename, clientcert5req.filename, false);
+ TLS_TEST_REG(goodclient6, false,
+ cacertreq.filename, clientcert6req.filename, false);
+ TLS_TEST_REG(goodclient7, false,
+ cacertreq.filename, clientcert7req.filename, false);
+
+ /* Bad clients */
+
+ /* usage:cert-sign:critical */
+ TLS_CERT_REQ(clientcert8req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ /* purpose:client:critical */
+ TLS_CERT_REQ(clientcert9req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ false, false, 0,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ /* usage: none:critical */
+ TLS_CERT_REQ(clientcert10req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+
+ TLS_TEST_REG(badclient1, false,
+ cacertreq.filename, clientcert8req.filename, true);
+ TLS_TEST_REG(badclient2, false,
+ cacertreq.filename, clientcert9req.filename, true);
+ TLS_TEST_REG(badclient3, false,
+ cacertreq.filename, clientcert10req.filename, true);
+
+
+
+ /* Expired stuff */
+
+ TLS_ROOT_REQ(cacertexpreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, -1);
+ TLS_CERT_REQ(servercertexpreq, cacertexpreq,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercertexp1req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, -1);
+ TLS_CERT_REQ(clientcertexp1req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, -1);
+
+ TLS_TEST_REG(expired1, true,
+ cacertexpreq.filename, servercertexpreq.filename, true);
+ TLS_TEST_REG(expired2, true,
+ cacertreq.filename, servercertexp1req.filename, true);
+ TLS_TEST_REG(expired3, false,
+ cacertreq.filename, clientcertexp1req.filename, true);
+
+
+ /* Not activated stuff */
+
+ TLS_ROOT_REQ(cacertnewreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 1, 2);
+ TLS_CERT_REQ(servercertnewreq, cacertnewreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercertnew1req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 1, 2);
+ TLS_CERT_REQ(clientcertnew1req, cacertreq,
+ "UK", "qemu", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 1, 2);
+
+ TLS_TEST_REG(inactive1, true,
+ cacertnewreq.filename, servercertnewreq.filename, true);
+ TLS_TEST_REG(inactive2, true,
+ cacertreq.filename, servercertnew1req.filename, true);
+ TLS_TEST_REG(inactive3, false,
+ cacertreq.filename, clientcertnew1req.filename, true);
+
+ TLS_ROOT_REQ(cacertrootreq,
+ "UK", "qemu root", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
+ "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
+ "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
+ "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
+ "UK", "qemu.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
+ "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true,
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, 0);
+
+ gnutls_x509_crt_t certchain[] = {
+ cacertrootreq.crt,
+ cacertlevel1areq.crt,
+ cacertlevel1breq.crt,
+ cacertlevel2areq.crt,
+ };
+
+ test_tls_write_cert_chain(WORKDIR "cacertchain-ctx.pem",
+ certchain,
+ G_N_ELEMENTS(certchain));
+
+ TLS_TEST_REG(chain1, true,
+ WORKDIR "cacertchain-ctx.pem",
+ servercertlevel3areq.filename, false);
+ TLS_TEST_REG(chain2, false,
+ WORKDIR "cacertchain-ctx.pem",
+ clientcertlevel2breq.filename, false);
+
+ /* Some missing certs - first two are fatal, the last
+ * is ok
+ */
+ TLS_TEST_REG(missingca, true,
+ "cacertdoesnotexist.pem",
+ servercert1req.filename, true);
+ TLS_TEST_REG(missingserver, true,
+ cacert1req.filename,
+ "servercertdoesnotexist.pem", true);
+ TLS_TEST_REG(missingclient, false,
+ cacert1req.filename,
+ "clientcertdoesnotexist.pem", false);
+
+ ret = g_test_run();
+
+ test_tls_discard_cert(&cacertreq);
+ test_tls_discard_cert(&cacert1req);
+ test_tls_discard_cert(&cacert2req);
+ test_tls_discard_cert(&cacert3req);
+ test_tls_discard_cert(&cacert4req);
+ test_tls_discard_cert(&cacert5req);
+ test_tls_discard_cert(&cacert6req);
+
+ test_tls_discard_cert(&servercertreq);
+ test_tls_discard_cert(&servercert1req);
+ test_tls_discard_cert(&servercert2req);
+ test_tls_discard_cert(&servercert3req);
+ test_tls_discard_cert(&servercert4req);
+ test_tls_discard_cert(&servercert5req);
+ test_tls_discard_cert(&servercert6req);
+ test_tls_discard_cert(&servercert7req);
+ test_tls_discard_cert(&servercert8req);
+ test_tls_discard_cert(&servercert9req);
+ test_tls_discard_cert(&servercert10req);
+ test_tls_discard_cert(&servercert11req);
+ test_tls_discard_cert(&servercert12req);
+ test_tls_discard_cert(&servercert13req);
+ test_tls_discard_cert(&servercert14req);
+ test_tls_discard_cert(&servercert15req);
+ test_tls_discard_cert(&servercert16req);
+
+ test_tls_discard_cert(&clientcertreq);
+ test_tls_discard_cert(&clientcert1req);
+ test_tls_discard_cert(&clientcert2req);
+ test_tls_discard_cert(&clientcert3req);
+ test_tls_discard_cert(&clientcert4req);
+ test_tls_discard_cert(&clientcert5req);
+ test_tls_discard_cert(&clientcert6req);
+ test_tls_discard_cert(&clientcert7req);
+ test_tls_discard_cert(&clientcert8req);
+ test_tls_discard_cert(&clientcert9req);
+ test_tls_discard_cert(&clientcert10req);
+
+ test_tls_discard_cert(&cacertexpreq);
+ test_tls_discard_cert(&servercertexpreq);
+ test_tls_discard_cert(&servercertexp1req);
+ test_tls_discard_cert(&clientcertexp1req);
+
+ test_tls_discard_cert(&cacertnewreq);
+ test_tls_discard_cert(&servercertnewreq);
+ test_tls_discard_cert(&servercertnew1req);
+ test_tls_discard_cert(&clientcertnew1req);
+
+ test_tls_discard_cert(&cacertrootreq);
+ test_tls_discard_cert(&cacertlevel1areq);
+ test_tls_discard_cert(&cacertlevel1breq);
+ test_tls_discard_cert(&cacertlevel2areq);
+ test_tls_discard_cert(&servercertlevel3areq);
+ test_tls_discard_cert(&clientcertlevel2breq);
+ unlink(WORKDIR "cacertchain-ctx.pem");
+
+ test_tls_cleanup(KEYFILE);
+ rmdir(WORKDIR);
+
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
+
+int
+main(void)
+{
+ return EXIT_SUCCESS;
+}
+
+#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
diff --git a/trace-events b/trace-events
index b1de160..207821d 100644
--- a/trace-events
+++ b/trace-events
@@ -1676,3 +1676,8 @@ qcrypto_tls_creds_anon_load(void *creds, const char *dir) "TLS creds anon load c
# crypto/tlscredsx509.c
qcrypto_tls_creds_x509_load(void *creds, const char *dir) "TLS creds x509 load creds=%p dir=%s"
+qcrypto_tls_creds_x509_check_basic_constraints(void *creds, const char *file, int status) "TLS creds x509 check basic constraints creds=%p file=%s status=%d"
+qcrypto_tls_creds_x509_check_key_usage(void *creds, const char *file, int status, int usage, int critical) "TLS creds x509 check key usage creds=%p file=%s status=%d usage=%d critical=%d"
+qcrypto_tls_creds_x509_check_key_purpose(void *creds, const char *file, int status, const char *usage, int critical) "TLS creds x509 check key usage creds=%p file=%s status=%d usage=%s critical=%d"
+qcrypto_tls_creds_x509_load_cert(void *creds, int isServer, const char *file) "TLS creds x509 load cert creds=%p isServer=%d file=%s"
+qcrypto_tls_creds_x509_load_cert_list(void *creds, const char *file) "TLS creds x509 load cert list creds=%p file=%s"