SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync

Browse source
This commit is contained in:
purplerain 2023-05-13 14:25:18 +00:00
parent f609457dcf
commit 62073e0295
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
318 changed files with 8112 additions and 4346 deletions
Download patch file Download diff file Expand all files Collapse all files

5
lib/libcrypto/Makefile
View file

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.125 2023/04/28 16:30:14 tb Exp $
# $OpenBSD: Makefile,v 1.129 2023/05/07 14:39:55 tb Exp $
LIB= crypto
LIBREBUILD=y
@ -16,7 +16,7 @@ LCRYPTO_SRC= ${.CURDIR}
CFLAGS+= -Wall -Wundef
.if ${COMPILER_VERSION:L} == "clang"
CFLAGS+= -Werror
CFLAGS+= -Werror -Wshadow
.endif
CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL
.ifdef NAMESPACE
@ -606,6 +606,7 @@ SRCS+= rsa_prn.c
SRCS+= rsa_pss.c
SRCS+= rsa_saos.c
SRCS+= rsa_sign.c
SRCS+= rsa_x931.c
# sha/
SRCS+= sha1.c

178
lib/libcrypto/bn/bn_bpsw.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bn_bpsw.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */
/* $OpenBSD: bn_bpsw.c,v 1.10 2023/05/10 21:05:24 tb Exp $ */
/*
* Copyright (c) 2022 Martin Grenouilloux <martin.grenouilloux@lse.epita.fr>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@ -156,7 +156,7 @@ bn_lucas(BIGNUM *U, BIGNUM *V, const BIGNUM *k, const BIGNUM *D,
*/
static int
bn_strong_lucas_test(int *is_prime, const BIGNUM *n, const BIGNUM *D,
bn_strong_lucas_test(int *is_pseudoprime, const BIGNUM *n, const BIGNUM *D,
BN_CTX *ctx)
{
BIGNUM *k, *U, *V;
@ -194,7 +194,7 @@ bn_strong_lucas_test(int *is_prime, const BIGNUM *n, const BIGNUM *D,
goto err;
if (BN_is_zero(U) || BN_is_zero(V)) {
*is_prime = 1;
*is_pseudoprime = 1;
goto done;
}
@ -208,7 +208,7 @@ bn_strong_lucas_test(int *is_prime, const BIGNUM *n, const BIGNUM *D,
goto err;
if (BN_is_zero(V)) {
*is_prime = 1;
*is_pseudoprime = 1;
goto done;
}
}
@ -217,7 +217,7 @@ bn_strong_lucas_test(int *is_prime, const BIGNUM *n, const BIGNUM *D,
* If we got here, n is definitely composite.
*/
*is_prime = 0;
*is_pseudoprime = 0;
done:
ret = 1;
@ -235,7 +235,7 @@ bn_strong_lucas_test(int *is_prime, const BIGNUM *n, const BIGNUM *D,
*/
static int
bn_strong_lucas_selfridge(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
bn_strong_lucas_selfridge(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx)
{
BIGNUM *D, *two;
int is_perfect_square, jacobi_symbol, sign;
@ -247,7 +247,7 @@ bn_strong_lucas_selfridge(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
if (!bn_is_perfect_square(&is_perfect_square, n, ctx))
goto err;
if (is_perfect_square) {
*is_prime = 0;
*is_pseudoprime = 0;
goto done;
}
@ -278,7 +278,7 @@ bn_strong_lucas_selfridge(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
/* n and D have prime factors in common. */
if (jacobi_symbol == 0) {
*is_prime = 0;
*is_pseudoprime = 0;
goto done;
}
@ -288,7 +288,7 @@ bn_strong_lucas_selfridge(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
BN_set_negative(D, sign == -1);
}
if (!bn_strong_lucas_test(is_prime, n, D, ctx))
if (!bn_strong_lucas_test(is_pseudoprime, n, D, ctx))
goto err;
done:
@ -301,32 +301,113 @@ bn_strong_lucas_selfridge(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
}
/*
* Miller-Rabin primality test for base 2.
* Fermat criterion in Miller-Rabin test.
*
* Check whether 1 < base < n - 1 witnesses that n is composite. For prime n:
*
* * Fermat's little theorem: base^(n-1) = 1 (mod n).
* * The only square roots of 1 (mod n) are 1 and -1.
*
* Calculate base^((n-1)/2) by writing n - 1 = k * 2^s with odd k. Iteratively
* compute power = (base^k)^(2^(s-1)) by successive squaring of base^k.
*
* If power ever reaches -1, base^(n-1) is equal to 1 and n is a pseudoprime
* for base. If power reaches 1 before -1 during successive squaring, we have
* an unexpected square root of 1 and n is composite. Otherwise base^(n-1) != 1,
* and n is composite.
*/
static int
bn_miller_rabin_base_2(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
bn_fermat(int *is_pseudoprime, const BIGNUM *n, const BIGNUM *n_minus_one,
const BIGNUM *k, int s, const BIGNUM *base, BN_CTX *ctx, BN_MONT_CTX *mctx)
{
BIGNUM *n_minus_one, *k, *x;
int i, s;
BIGNUM *power;
int ret = 0;
int i;
BN_CTX_start(ctx);
if ((power = BN_CTX_get(ctx)) == NULL)
goto err;
/* Sanity check: ensure that 1 < base < n - 1. */
if (BN_cmp(base, BN_value_one()) <= 0 || BN_cmp(base, n_minus_one) >= 0)
goto err;
if (!BN_mod_exp_mont_ct(power, base, k, n, ctx, mctx))
goto err;
if (BN_is_one(power) || BN_cmp(power, n_minus_one) == 0) {
*is_pseudoprime = 1;
goto done;
}
/* Loop invariant: power is neither 1 nor -1 (mod n). */
for (i = 1; i < s; i++) {
if (!BN_mod_sqr(power, power, n, ctx))
goto err;
/* n is a pseudoprime for base. */
if (BN_cmp(power, n_minus_one) == 0) {
*is_pseudoprime = 1;
goto done;
}
/* n is composite: there's a square root of unity != 1 or -1. */
if (BN_is_one(power)) {
*is_pseudoprime = 0;
goto done;
}
}
/*
* If we get here, n is definitely composite: base^(n-1) != 1.
*/
*is_pseudoprime = 0;
done:
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
/*
* Miller-Rabin primality test for base 2 and for |rounds| of random bases.
* On success: is_pseudoprime == 0 implies that n is composite.
*/
static int
bn_miller_rabin(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx,
size_t rounds)
{
BN_MONT_CTX *mctx = NULL;
BIGNUM *base, *k, *n_minus_one, *three;
size_t i;
int s;
int ret = 0;
BN_CTX_start(ctx);
if ((n_minus_one = BN_CTX_get(ctx)) == NULL)
if ((base = BN_CTX_get(ctx)) == NULL)
goto err;
if ((k = BN_CTX_get(ctx)) == NULL)
goto err;
if ((x = BN_CTX_get(ctx)) == NULL)
if ((n_minus_one = BN_CTX_get(ctx)) == NULL)
goto err;
if ((three = BN_CTX_get(ctx)) == NULL)
goto err;
if (BN_is_word(n, 2) || BN_is_word(n, 3)) {
*is_prime = 1;
*is_pseudoprime = 1;
goto done;
}
if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) {
*is_prime = 0;
*is_pseudoprime = 0;
goto done;
}
@ -344,43 +425,57 @@ bn_miller_rabin_base_2(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
goto err;
/*
* If 2^k is 1 or -1 (mod n) then n is a 2-pseudoprime.
* Montgomery setup for n.
*/
if (!BN_set_word(x, 2))
goto err;
if (!BN_mod_exp_ct(x, x, k, n, ctx))
if ((mctx = BN_MONT_CTX_new()) == NULL)
goto err;
if (BN_is_one(x) || BN_cmp(x, n_minus_one) == 0) {
*is_prime = 1;
if (!BN_MONT_CTX_set(mctx, n, ctx))
goto err;
/*
* Perform a Miller-Rabin test for base 2 as required by BPSW.
*/
if (!BN_set_word(base, 2))
goto err;
if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx, mctx))
goto err;
if (!*is_pseudoprime)
goto done;
}
/*
* If 2^{2^i k} == -1 (mod n) for some 1 <= i < s, then n is a
* 2-pseudoprime.
* Perform Miller-Rabin tests with random 3 <= base < n - 1 to reduce
* risk of false positives in BPSW.
*/
for (i = 1; i < s; i++) {
if (!BN_mod_sqr(x, x, n, ctx))
if (!BN_set_word(three, 3))
goto err;
for (i = 0; i < rounds; i++) {
if (!bn_rand_interval(base, three, n_minus_one))
goto err;
if (BN_cmp(x, n_minus_one) == 0) {
*is_prime = 1;
if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx,
mctx))
goto err;
if (!*is_pseudoprime)
goto done;
}
}
/*
* If we got here, n is definitely composite.
* If we got here, we have a Miller-Rabin pseudoprime.
*/
*is_prime = 0;
*is_pseudoprime = 1;
done:
ret = 1;
err:
BN_MONT_CTX_free(mctx);
BN_CTX_end(ctx);
return ret;
@ -392,7 +487,8 @@ bn_miller_rabin_base_2(int *is_prime, const BIGNUM *n, BN_CTX *ctx)
*/
int
bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *in_ctx)
bn_is_prime_bpsw(int *is_pseudoprime, const BIGNUM *n, BN_CTX *in_ctx,
size_t rounds)
{
BN_CTX *ctx = NULL;
BN_ULONG mod;
@ -400,12 +496,12 @@ bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *in_ctx)
int ret = 0;
if (BN_is_word(n, 2)) {
*is_prime = 1;
*is_pseudoprime = 1;
goto done;
}
if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) {
*is_prime = 0;
*is_pseudoprime = 0;
goto done;
}
@ -414,7 +510,7 @@ bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *in_ctx)
if ((mod = BN_mod_word(n, primes[i])) == (BN_ULONG)-1)
goto err;
if (mod == 0) {
*is_prime = BN_is_word(n, primes[i]);
*is_pseudoprime = BN_is_word(n, primes[i]);
goto done;
}
}
@ -424,14 +520,12 @@ bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *in_ctx)
if (ctx == NULL)
goto err;
if (!bn_miller_rabin_base_2(is_prime, n, ctx))
if (!bn_miller_rabin(is_pseudoprime, n, ctx, rounds))
goto err;
if (!*is_prime)
if (!*is_pseudoprime)
goto done;
/* XXX - Miller-Rabin for random bases? See FIPS 186-4, Table C.1. */
if (!bn_strong_lucas_selfridge(is_prime, n, ctx))
if (!bn_strong_lucas_selfridge(is_pseudoprime, n, ctx))
goto err;
done:

190
lib/libcrypto/bn/bn_convert.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bn_convert.c,v 1.6 2023/04/19 11:14:04 jsing Exp $ */
/* $OpenBSD: bn_convert.c,v 1.8 2023/05/09 05:15:55 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -68,6 +68,7 @@
#include <openssl/err.h>
#include "bn_local.h"
#include "bytestring.h"
static const char hex_digits[] = "0123456789ABCDEF";
@ -270,85 +271,82 @@ BN_asc2bn(BIGNUM **bn, const char *a)
return 1;
}
/* Must 'free' the returned data */
char *
BN_bn2dec(const BIGNUM *a)
BN_bn2dec(const BIGNUM *bn)
{
int i = 0, num, bn_data_num, ok = 0;
char *buf = NULL;
char *p;
BIGNUM *t = NULL;
BN_ULONG *bn_data = NULL, *lp;
int started = 0;
BIGNUM *tmp = NULL;
uint8_t *data = NULL;
size_t data_len = 0;
uint8_t *s = NULL;
size_t s_len;
BN_ULONG v, w;
uint8_t c;
CBB cbb;
CBS cbs;
int i;
if (BN_is_zero(a)) {
buf = malloc(BN_is_negative(a) + 2);
if (buf == NULL) {
BNerror(ERR_R_MALLOC_FAILURE);
goto err;
}
p = buf;
if (BN_is_negative(a))
*p++ = '-';
*p++ = '0';
*p++ = '\0';
return (buf);
}
if (!CBB_init(&cbb, 0))
goto err;
/* get an upper bound for the length of the decimal integer
* num <= (BN_num_bits(a) + 1) * log(2)
* <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1 (rounding error)
* <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1
if ((tmp = BN_dup(bn)) == NULL)
goto err;
/*
* Divide the BIGNUM by a large multiple of 10, then break the remainder
* into decimal digits. This produces a reversed string of digits,
* potentially with leading zeroes.
*/
i = BN_num_bits(a) * 3;
num = (i / 10 + i / 1000 + 1) + 1;
bn_data_num = num / BN_DEC_NUM + 1;
bn_data = reallocarray(NULL, bn_data_num, sizeof(BN_ULONG));
buf = malloc(num + 3);
if ((buf == NULL) || (bn_data == NULL)) {
BNerror(ERR_R_MALLOC_FAILURE);
goto err;
while (!BN_is_zero(tmp)) {
if ((w = BN_div_word(tmp, BN_DEC_CONV)) == -1)
goto err;
for (i = 0; i < BN_DEC_NUM; i++) {
v = w % 10;
if (!CBB_add_u8(&cbb, '0' + v))
goto err;
w /= 10;
}
}
if ((t = BN_dup(a)) == NULL)
if (!CBB_finish(&cbb, &data, &data_len))
goto err;
#define BUF_REMAIN (num+3 - (size_t)(p - buf))
p = buf;
lp = bn_data;
if (BN_is_negative(t))
*p++ = '-';
if (data_len > SIZE_MAX - 3)
goto err;
if (!CBB_init(&cbb, data_len + 3))
goto err;
while (!BN_is_zero(t)) {
if (lp - bn_data >= bn_data_num)
if (BN_is_negative(bn)) {
if (!CBB_add_u8(&cbb, '-'))
goto err;
*lp = BN_div_word(t, BN_DEC_CONV);
if (*lp == (BN_ULONG)-1)
}
/* Reverse digits and trim leading zeroes. */
CBS_init(&cbs, data, data_len);
while (CBS_len(&cbs) > 0) {
if (!CBS_get_last_u8(&cbs, &c))
goto err;
lp++;
}
lp--;
/* We now have a series of blocks, BN_DEC_NUM chars
* in length, where the last one needs truncation.
* The blocks need to be reversed in order. */
snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
while (*p)
p++;
while (lp != bn_data) {
lp--;
snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
while (*p)
p++;
}
ok = 1;
err:
free(bn_data);
BN_free(t);
if (!ok && buf) {
free(buf);
buf = NULL;
if (!started && c == '0')
continue;
if (!CBB_add_u8(&cbb, c))
goto err;
started = 1;
}
return (buf);
if (!started) {
if (!CBB_add_u8(&cbb, '0'))
goto err;
}
if (!CBB_add_u8(&cbb, '\0'))
goto err;
if (!CBB_finish(&cbb, &s, &s_len))
goto err;
err:
BN_free(tmp);
CBB_cleanup(&cbb);
freezero(data, data_len);
return s;
}
int
@ -420,39 +418,49 @@ err:
return (0);
}
/* Must 'free' the returned data */
char *
BN_bn2hex(const BIGNUM *a)
BN_bn2hex(const BIGNUM *bn)
{
int i, j, v, z = 0;
char *buf;
char *p;
int started = 0;
uint8_t *s = NULL;
size_t s_len;
BN_ULONG v, w;
int i, j;
CBB cbb;
buf = malloc(BN_is_negative(a) + a->top * BN_BYTES * 2 + 2);
if (buf == NULL) {
BNerror(ERR_R_MALLOC_FAILURE);
if (!CBB_init(&cbb, 0))
goto err;
if (BN_is_negative(bn)) {
if (!CBB_add_u8(&cbb, '-'))
goto err;
}
p = buf;
if (BN_is_negative(a))
*p++ = '-';
if (BN_is_zero(a))
*p++ = '0';
for (i = a->top - 1; i >=0; i--) {
if (BN_is_zero(bn)) {
if (!CBB_add_u8(&cbb, '0'))
goto err;
}
for (i = bn->top - 1; i >= 0; i--) {
w = bn->d[i];
for (j = BN_BITS2 - 8; j >= 0; j -= 8) {
/* strip leading zeros */
v = ((int)(a->d[i] >> (long)j)) & 0xff;
if (z || (v != 0)) {
*p++ = hex_digits[v >> 4];
*p++ = hex_digits[v & 0x0f];
z = 1;
}
v = (w >> j) & 0xff;
if (!started && v == 0)
continue;
if (!CBB_add_u8(&cbb, hex_digits[v >> 4]))
goto err;
if (!CBB_add_u8(&cbb, hex_digits[v & 0xf]))
goto err;
started = 1;
}
}
*p = '\0';
if (!CBB_add_u8(&cbb, '\0'))
goto err;
if (!CBB_finish(&cbb, &s, &s_len))
goto err;
err:
return (buf);
err:
CBB_cleanup(&cbb);
return s;
}
int

12
lib/libcrypto/bn/bn_exp.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bn_exp.c,v 1.45 2023/03/30 14:21:10 tb Exp $ */
/* $OpenBSD: bn_exp.c,v 1.46 2023/05/09 05:38:11 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -194,7 +194,7 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(r);
} else
@ -402,7 +402,7 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(rr);
} else
@ -658,7 +658,7 @@ BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIG
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(rr);
} else
@ -843,7 +843,7 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m,
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(rr);
} else
@ -968,7 +968,7 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(r);
} else

4
lib/libcrypto/bn/bn_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bn_local.h,v 1.21 2023/04/25 17:59:41 tb Exp $ */
/* $OpenBSD: bn_local.h,v 1.22 2023/05/10 12:21:55 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -324,7 +324,7 @@ int bn_copy(BIGNUM *dst, const BIGNUM *src);
int bn_isqrt(BIGNUM *out_sqrt, int *out_perfect, const BIGNUM *n, BN_CTX *ctx);
int bn_is_perfect_square(int *out_perfect, const BIGNUM *n, BN_CTX *ctx);
int bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *in_ctx);
int bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *ctx, size_t rounds);
__END_HIDDEN_DECLS
#endif /* !HEADER_BN_LOCAL_H */

16
lib/libcrypto/bn/bn_prime.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bn_prime.c,v 1.31 2023/04/25 19:57:59 tb Exp $ */
/* $OpenBSD: bn_prime.c,v 1.32 2023/05/10 12:21:55 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -195,12 +195,12 @@ BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
goto err;
if (!safe) {
if (!bn_is_prime_bpsw(&is_prime, ret, ctx))
if (!bn_is_prime_bpsw(&is_prime, ret, ctx, 1))
goto err;
if (!is_prime)
goto loop;
} else {
if (!bn_is_prime_bpsw(&is_prime, ret, ctx))
if (!bn_is_prime_bpsw(&is_prime, ret, ctx, 1))
goto err;
if (!is_prime)
goto loop;
@ -213,7 +213,7 @@ BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
if (!BN_rshift1(p, ret))
goto err;
if (!bn_is_prime_bpsw(&is_prime, p, ctx))
if (!bn_is_prime_bpsw(&is_prime, p, ctx, 1))
goto err;
if (!is_prime)
goto loop;
@ -243,8 +243,14 @@ BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
{
int is_prime;
if (checks < 0)
return -1;
if (checks == BN_prime_checks)
checks = BN_prime_checks_for_size(BN_num_bits(a));
/* XXX - tickle BN_GENCB in bn_is_prime_bpsw(). */
if (!bn_is_prime_bpsw(&is_prime, a, ctx_passed))
if (!bn_is_prime_bpsw(&is_prime, a, ctx_passed, checks))
return -1;
return is_prime;

821
lib/libcrypto/cert.pem
View file

@ -1,4 +1,4 @@
# $OpenBSD: cert.pem,v 1.25 2022/07/11 09:05:16 sthen Exp $
# $OpenBSD: cert.pem,v 1.26 2023/05/06 17:55:38 tb Exp $
### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
=== /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
@ -932,6 +932,93 @@ u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
-----END CERTIFICATE-----
### Certainly
=== /C=US/O=Certainly/CN=Certainly Root E1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:25:33:b1:47:03:33:27:5c:f9:8d:9a:b9:bf:cc:f8
Signature Algorithm: ecdsa-with-SHA384
Validity
Not Before: Apr 1 00:00:00 2021 GMT
Not After : Apr 1 00:00:00 2046 GMT
Subject: C=US, O=Certainly, CN=Certainly Root E1
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
F3:28:18:CB:64:75:EE:29:2A:EB:ED:AE:23:58:38:85:EB:C8:22:07
SHA1 Fingerprint=F9:E1:6D:DC:01:89:CF:D5:82:45:63:3E:C5:37:7D:C2:EB:93:6F:2B
SHA256 Fingerprint=B4:58:5F:22:E4:AC:75:6A:4E:86:12:A1:36:1C:5D:9D:03:1A:93:FD:84:FE:BB:77:8F:A3:06:8B:0F:C4:2D:C2
-----BEGIN CERTIFICATE-----
MIIB9zCCAX2gAwIBAgIQBiUzsUcDMydc+Y2aub/M+DAKBggqhkjOPQQDAzA9MQsw
CQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MRowGAYDVQQDExFDZXJ0YWlu
bHkgUm9vdCBFMTAeFw0yMTA0MDEwMDAwMDBaFw00NjA0MDEwMDAwMDBaMD0xCzAJ
BgNVBAYTAlVTMRIwEAYDVQQKEwlDZXJ0YWlubHkxGjAYBgNVBAMTEUNlcnRhaW5s
eSBSb290IEUxMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3m/4fxzf7flHh4axpMCK
+IKXgOqPyEpeKn2IaKcBYhSRJHpcnqMXfYqGITQYUBsQ3tA3SybHGWCA6TS9YBk2
QNYphwk8kXr2vBMj3VlOBF7PyAIcGFPBMdjaIOlEjeR2o0IwQDAOBgNVHQ8BAf8E
BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ygYy2R17ikq6+2uI1g4
hevIIgcwCgYIKoZIzj0EAwMDaAAwZQIxALGOWiDDshliTd6wT99u0nCK8Z9+aozm
ut6Dacpps6kFtZaSF4fC0urQe87YQVt8rgIwRt7qy12a7DLCZRawTDBcMPPaTnOG
BtjOiQRINzf43TNRnXCve1XYAS59BWQOhriR
-----END CERTIFICATE-----
=== /C=US/O=Certainly/CN=Certainly Root R1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8e:0f:f9:4b:90:71:68:65:33:54:f4:d4:44:39:b7:e0
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Apr 1 00:00:00 2021 GMT
Not After : Apr 1 00:00:00 2046 GMT
Subject: C=US, O=Certainly, CN=Certainly Root R1
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
E0:AA:3F:25:8D:9F:44:5C:C1:3A:E8:2E:AE:77:4C:84:3E:67:0C:F4
SHA1 Fingerprint=A0:50:EE:0F:28:71:F4:27:B2:12:6D:6F:50:96:25:BA:CC:86:42:AF
SHA256 Fingerprint=77:B8:2C:D8:64:4C:43:05:F7:AC:C5:CB:15:6B:45:67:50:04:03:3D:51:C6:0C:62:02:A8:E0:C3:34:67:D3:A0
-----BEGIN CERTIFICATE-----
MIIFRzCCAy+gAwIBAgIRAI4P+UuQcWhlM1T01EQ5t+AwDQYJKoZIhvcNAQELBQAw
PTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUNlcnRhaW5seTEaMBgGA1UEAxMRQ2Vy
dGFpbmx5IFJvb3QgUjEwHhcNMjEwNDAxMDAwMDAwWhcNNDYwNDAxMDAwMDAwWjA9
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MRowGAYDVQQDExFDZXJ0
YWlubHkgUm9vdCBSMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANA2
1B/q3avk0bbm+yLA3RMNansiExyXPGhjZjKcA7WNpIGD2ngwEc/csiu+kr+O5MQT
vqRoTNoCaBZ0vrLdBORrKt03H2As2/X3oXyVtwxwhi7xOu9S98zTm/mLvg7fMbed
aFySpvXl8wo0tf97ouSHocavFwDvA5HtqRxOcT3Si2yJ9HiG5mpJoM610rCrm/b0
1C7jcvk2xusVtyWMOvwlDbMicyF0yEqWYZL1LwsYpfSt4u5BvQF5+paMjRcCMLT5
r3gajLQ2EBAHBXDQ9DGQilHFhiZ5shGIXsXwClTNSaa/ApzSRKft43jvRl5tcdF5
cBxGX1HpyTfcX35pe0HfNEXgO4T0oYoKNp43zGJS4YkNKPl6I7ENPT2a/Z2B7yyQ
wHtETrtJ4A5KVpK8y7XdeReJkd5hiXSSqOMyhb5OhaRLWcsrxXiOcVTQAjeZjOVJ
6uBUcqQRBi8LjMFbvrWhsFNunLhgkR9Za/kt9JQKl7XsxXYDVBtlUrpMklZRNaBA
2CnbrlJ2Oy0wQJuK0EJWtLeIAaSHO1OWzaMWj/Nmqhexx2DgwUMFDO6bW2BvBlyH
Wyf5QBGenDPBt+U1VwV/J84XIIwc/PH72jEpSe31C4SnT8H2TsIonPru4K8H+zMR
eiFPCyEQtkA6qyI6BJyLm4SGcprSp6XEtHWRqSsjAgMBAAGjQjBAMA4GA1UdDwEB
/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTgqj8ljZ9EXME66C6u
d0yEPmcM9DANBgkqhkiG9w0BAQsFAAOCAgEAuVevuBLaV4OPaAszHQNTVfSVcOQr
PbA56/qJYv331hgELyE03fFo8NWWWt7CgKPBjcZq91l3rhVkz1t5BXdm6ozTaw3d
8VkswTOlMIAVRQdFGjEitpIAq5lNOo93r6kiyi9jyhXWx8bwPWz8HA2YEGGeEaIi
1wrykXprOQ4vMMM2SZ/g6Q8CRFA3lFV96p/2O7qUpUzpvD5RtOjKkjZUbVwlKNrd
rRT90+7iIgXr0PK3aBLXWopBGsaSpVo7Y0VPv+E6dyIvXL9G+VoDhRNCX8reU9di
taY1BMJH/5n9hN9czulegChB8n3nHpDYT3Y+gjwN/KUD+nsa2UUeYNrEjvn8K8l7
lcUq/6qJ34IxD3L/DCfXCh5WAFAeDJDBlrXYFIW7pw0WwfgHJBu6haEaBQmAupVj
yTrsJZ9/nbqkRxWbRHDxakvWOF5D8xh+UG7pWijmZeZ3Gzr9Hb4DJqPb1OG7fpYn
Kx3upPvaJVQTA945xsMfTZDsjxtK0hzthZU4UHlG1sGQUDGpXJpuHfUzVounmdLy
yCwzk5Iwx06MZTMQZBf9JBeW0Y3COmor6xOLRPIh80oat3df1+2IpHLlOR+Vnb5n
wXARPbv0+Em34yaXOp/SX3z7wJl8OSngex2/DaeP0ik0biQVy96QXr8axGbqwua6
OV+KmalBWQewLK8=
-----END CERTIFICATE-----
### certSIGN
=== /C=RO/O=certSIGN/OU=certSIGN ROOT CA
@ -1193,6 +1280,61 @@ W9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmODBCEIZ43ygknQW/2xzQ+D
hNQ+IIX3Sj0rnP0qCglN6oH4EZw=
-----END CERTIFICATE-----
### Comodo CA Limited
=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Validity
Not Before: Jan 1 00:00:00 2004 GMT
Not After : Dec 31 23:59:59 2028 GMT
Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
X509v3 extensions:
X509v3 Subject Key Identifier:
A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/AAACertificateServices.crl
Full Name:
URI:http://crl.comodo.net/AAACertificateServices.crl
SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
SHA256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
### COMODO CA Limited
=== /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
@ -1336,61 +1478,6 @@ QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
NVOFBkpdn627G190
-----END CERTIFICATE-----
### Comodo CA Limited
=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Validity
Not Before: Jan 1 00:00:00 2004 GMT
Not After : Dec 31 23:59:59 2028 GMT
Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
X509v3 extensions:
X509v3 Subject Key Identifier:
A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/AAACertificateServices.crl
Full Name:
URI:http://crl.comodo.net/AAACertificateServices.crl
SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
SHA256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
### D-Trust GmbH
=== /C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020
@ -2058,6 +2145,94 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
-----END CERTIFICATE-----
### DigiCert, Inc.
=== /C=US/O=DigiCert, Inc./CN=DigiCert TLS ECC P384 Root G5
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:e0:93:65:ac:f7:d9:c8:b9:3e:1c:0b:04:2a:2e:f3
Signature Algorithm: ecdsa-with-SHA384
Validity
Not Before: Jan 15 00:00:00 2021 GMT
Not After : Jan 14 23:59:59 2046 GMT
Subject: C=US, O=DigiCert, Inc., CN=DigiCert TLS ECC P384 Root G5
X509v3 extensions:
X509v3 Subject Key Identifier:
C1:51:45:50:59:AB:3E:E7:2C:5A:FA:20:22:12:07:80:88:7C:11:6A
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
SHA1 Fingerprint=17:F3:DE:5E:9F:0F:19:E9:8E:F6:1F:32:26:6E:20:C4:07:AE:30:EE
SHA256 Fingerprint=01:8E:13:F0:77:25:32:CF:80:9B:D1:B1:72:81:86:72:83:FC:48:C6:E1:3B:E9:C6:98:12:85:4A:49:0C:1B:05
-----BEGIN CERTIFICATE-----
MIICGTCCAZ+gAwIBAgIQCeCTZaz32ci5PhwLBCou8zAKBggqhkjOPQQDAzBOMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJjAkBgNVBAMTHURp
Z2lDZXJ0IFRMUyBFQ0MgUDM4NCBSb290IEc1MB4XDTIxMDExNTAwMDAwMFoXDTQ2
MDExNDIzNTk1OVowTjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ
bmMuMSYwJAYDVQQDEx1EaWdpQ2VydCBUTFMgRUNDIFAzODQgUm9vdCBHNTB2MBAG
ByqGSM49AgEGBSuBBAAiA2IABMFEoc8Rl1Ca3iOCNQfN0MsYndLxf3c1TzvdlHJS
7cI7+Oz6e2tYIOyZrsn8aLN1udsJ7MgT9U7GCh1mMEy7H0cKPGEQQil8pQgO4CLp
0zVozptjn4S1mU1YoI71VOeVyaNCMEAwHQYDVR0OBBYEFMFRRVBZqz7nLFr6ICIS
B4CIfBFqMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
BAMDA2gAMGUCMQCJao1H5+z8blUD2WdsJk6Dxv3J+ysTvLd6jLRl0mlpYxNjOyZQ
LgGheQaRnUi/wr4CMEfDFXuxoJGZSZOoPHzoRgaLLPIxAJSdYsiJvRmEFOml+wG4
DXZDjC5Ty3zfDBeWUA==
-----END CERTIFICATE-----
=== /C=US/O=DigiCert, Inc./CN=DigiCert TLS RSA4096 Root G5
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:f9:b4:78:a8:fa:7e:da:6a:33:37:89:de:7c:cf:8a
Signature Algorithm: sha384WithRSAEncryption
Validity
Not Before: Jan 15 00:00:00 2021 GMT
Not After : Jan 14 23:59:59 2046 GMT
Subject: C=US, O=DigiCert, Inc., CN=DigiCert TLS RSA4096 Root G5
X509v3 extensions:
X509v3 Subject Key Identifier:
51:33:1C:ED:36:40:AF:17:D3:25:CD:69:68:F2:AF:4E:23:3E:B3:41
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
SHA1 Fingerprint=A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35
SHA256 Fingerprint=37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75
-----BEGIN CERTIFICATE-----
MIIFZjCCA06gAwIBAgIQCPm0eKj6ftpqMzeJ3nzPijANBgkqhkiG9w0BAQwFADBN
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJTAjBgNVBAMT
HERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwHhcNMjEwMTE1MDAwMDAwWhcN
NDYwMTE0MjM1OTU5WjBNMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQs
IEluYy4xJTAjBgNVBAMTHERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCz0PTJeRGd/fxmgefM1eS87IE+
ajWOLrfn3q/5B03PMJ3qCQuZvWxX2hhKuHisOjmopkisLnLlvevxGs3npAOpPxG0
2C+JFvuUAT27L/gTBaF4HI4o4EXgg/RZG5Wzrn4DReW+wkL+7vI8toUTmDKdFqgp
wgscONyfMXdcvyej/Cestyu9dJsXLfKB2l2w4SMXPohKEiPQ6s+d3gMXsUJKoBZM
pG2T6T867jp8nVid9E6P/DsjyG244gXazOvswzH016cpVIDPRFtMbzCe88zdH5RD
nU1/cHAN1DrRN/BsnZvAFJNY781BOHW8EwOVfH/jXOnVDdXifBBiqmvwPXbzP6Po
sMH976pXTayGpxi0KcEsDr9kvimM2AItzVwv8n/vFfQMFawKsPHTDU9qTXeXAaDx
Zre3zu/O7Oyldcqs4+Fj97ihBMi8ez9dLRYiVu1ISf6nL3kwJZu6ay0/nTvEF+cd
Lvvyz6b84xQslpghjLSR6Rlgg/IwKwZzUNWYOwbpx4oMYIwo+FKbbuH2TbsGJJvX
KyY//SovcfXWJL5/MZ4PbeiPT02jP/816t9JXkGPhvnxd3lLG7SjXi/7RgLQZhNe
XoVPzthwiHvOAbWWl9fNff2C+MIkwcoBOU+NosEUQB+cZtUMCUbW8tDRSHZWOkPL
tgoRObqME2wGtZ7P6wIDAQABo0IwQDAdBgNVHQ4EFgQUUTMc7TZArxfTJc1paPKv
TiM+s0EwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
AQEMBQADggIBAGCmr1tfV9qJ20tQqcQjNSH/0GEwhJG3PxDPJY7Jv0Y02cEhJhxw
GXIeo8mH/qlDZJY6yFMECrZBu8RHANmfGBg7sg7zNOok992vIGCukihfNudd5N7H
PNtQOa27PShNlnx2xlv0wdsUpasZYgcYQF+Xkdycx6u1UQ3maVNVzDl92sURVXLF
O4uJ+DQtpBflF+aZfTCIITfNMBc9uPK8qHWgQ9w+iUuQrm0D4ByjoJYJu32jtyoQ
REtGBzRj7TG5BO6jm5qu5jF49OokYTurWGT/u4cnYiWB39yhL/btp/96j1EuMPik
AdKFOV8BmZZvWltwGUb+hmA+rYAQCd05JS9Yf7vSdPD3Rh9GOUrYU9DzLjtxpdRv
/PNn5AeP3SYZ4Y1b+qOTEZvpyDrDVWiakuFSdjjo4bq9+0/V77PnSIMx8IIh47a+
p6tv75/fTM8BuGJqIz3nCU2AG3swpMPdB380vqQmsvZB6Akd4yCYqjdP//fx4ilw
MUc/dNAUFvohigLVigmUdy7yWSiLfFCSCmZ4OIN1xLVaqBHG5cGdZlXPU8Sv13WF
qUITVuwhd4GTWgzqltlJyqEI8pc7bZsEGCREjnwB8twl2F6GmrE52/WRMmrRpnCK
ovfepEWFJqgejF0pW8hL2JpqA15w8oVPbEtoL8pU9ozaMv7Da4M/OMZ+
-----END CERTIFICATE-----
### Disig a.s.
=== /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
@ -2170,65 +2345,104 @@ aFvowdlxfv1k7/9nR4hYJS8+hge9+6jlgqispdNpQ80xiEmEU5LAsTkbOYMBMMTy
qfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg==
-----END CERTIFICATE-----
### E-Tu\U011Fra EBG Bili\U015Fim Teknolojileri ve Hizmetleri A.\U015E.
### E-Tugra EBG A.S.
=== /C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority
=== /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7667447206703254355 (0x6a683e9c519bcb53)
Signature Algorithm: sha256WithRSAEncryption
Serial Number:
26:46:19:77:31:e1:4f:6f:28:36:de:39:51:86:e6:d4:97:88:22:c1
Signature Algorithm: ecdsa-with-SHA384
Validity
Not Before: Mar 5 12:09:48 2013 GMT
Not After : Mar 3 12:09:48 2023 GMT
Subject: C=TR, L=Ankara, O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
Not Before: Mar 18 09:46:58 2020 GMT
Not After : Mar 12 09:46:58 2045 GMT
Subject: C=TR, L=Ankara, O=E-Tugra EBG A.S., OU=E-Tugra Trust Center, CN=E-Tugra Global Root CA ECC v3
X509v3 extensions:
X509v3 Subject Key Identifier:
2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54
keyid:FF:82:31:72:3E:F9:C4:66:6C:AD:38:9E:D1:B0:51:88:A5:90:CC:F5
X509v3 Subject Key Identifier:
FF:82:31:72:3E:F9:C4:66:6C:AD:38:9E:D1:B0:51:88:A5:90:CC:F5
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
SHA1 Fingerprint=51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39
SHA256 Fingerprint=B0:BF:D5:2B:B0:D7:D9:BD:92:BF:5D:4D:C1:3D:A2:55:C0:2C:54:2F:37:83:65:EA:89:39:11:F5:5E:55:F2:3C
SHA1 Fingerprint=8A:2F:AF:57:53:B1:B0:E6:A1:04:EC:5B:6A:69:71:6D:F6:1C:E2:84
SHA256 Fingerprint=87:3F:46:85:FA:7F:56:36:25:25:2E:6D:36:BC:D7:F1:6F:C2:49:51:F2:64:E4:7E:1B:95:4F:49:08:CD:CA:13
-----BEGIN CERTIFICATE-----
MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV
BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC
aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV
BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1
Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz
MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+
BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp
em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN
ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY
B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH
D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF
Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo
q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D
k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH
fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut
dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM
ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8
zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn
rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX
U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6
Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5
XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF
Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR
HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY
GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c
77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3
+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK
vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6
FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl
yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P
AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD
y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d
NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA==
MIICpTCCAiqgAwIBAgIUJkYZdzHhT28oNt45UYbm1JeIIsEwCgYIKoZIzj0EAwMw
gYAxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUtVHVn
cmEgRUJHIEEuUy4xHTAbBgNVBAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYwJAYD
VQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290IENBIEVDQyB2MzAeFw0yMDAzMTgwOTQ2
NThaFw00NTAzMTIwOTQ2NThaMIGAMQswCQYDVQQGEwJUUjEPMA0GA1UEBxMGQW5r
YXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRFLVR1Z3Jh
IFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBDQSBF
Q0MgdjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASOmCm/xxAeJ9urA8woLNheSBkQ
KczLWYHMjLiSF4mDKpL2w6QdTGLVn9agRtwcvHbB40fQWxPa56WzZkjnIZpKT4YK
fWzqTTKACrJ6CZtpS5iB4i7sAnCWH/31Rs7K3IKjYzBhMA8GA1UdEwEB/wQFMAMB
Af8wHwYDVR0jBBgwFoAU/4Ixcj75xGZsrTie0bBRiKWQzPUwHQYDVR0OBBYEFP+C
MXI++cRmbK04ntGwUYilkMz1MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNp
ADBmAjEA5gVYaWHlLcoNy/EZCL3W/VGSGn5jVASQkZo1kTmZ+gepZpO6yGjUij/6
7W4WAie3AjEA3VoXK3YdZUKWpqxdinlW2Iob35reX8dQj7FbcQwm32pAAOwzkSFx
vmjkI6TZraE3
-----END CERTIFICATE-----
=== /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0d:4d:c5:cd:16:22:95:96:08:7e:b8:0b:7f:15:06:34:fb:79:10:34
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Mar 18 09:07:17 2020 GMT
Not After : Mar 12 09:07:17 2045 GMT
Subject: C=TR, L=Ankara, O=E-Tugra EBG A.S., OU=E-Tugra Trust Center, CN=E-Tugra Global Root CA RSA v3
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:B2:B4:AE:E6:2D:F7:26:D5:AA:75:2D:76:4B:C0:1B:53:21:D0:48:EF
X509v3 Subject Key Identifier:
B2:B4:AE:E6:2D:F7:26:D5:AA:75:2D:76:4B:C0:1B:53:21:D0:48:EF
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
SHA1 Fingerprint=E9:A8:5D:22:14:52:1C:5B:AA:0A:B4:BE:24:6A:23:8A:C9:BA:E2:A9
SHA256 Fingerprint=EF:66:B0:B1:0A:3C:DB:9F:2E:36:48:C7:6B:D2:AF:18:EA:D2:BF:E6:F1:17:65:5E:28:C4:06:0D:A1:A3:F4:C2
-----BEGIN CERTIFICATE-----
MIIF8zCCA9ugAwIBAgIUDU3FzRYilZYIfrgLfxUGNPt5EDQwDQYJKoZIhvcNAQEL
BQAwgYAxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUt
VHVncmEgRUJHIEEuUy4xHTAbBgNVBAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYw
JAYDVQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290IENBIFJTQSB2MzAeFw0yMDAzMTgw
OTA3MTdaFw00NTAzMTIwOTA3MTdaMIGAMQswCQYDVQQGEwJUUjEPMA0GA1UEBxMG
QW5rYXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRFLVR1
Z3JhIFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBD
QSBSU0EgdjMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiZvCJt3J7
7gnJY9LTQ91ew6aEOErxjYG7FL1H6EAX8z3DeEVypi6Q3po61CBxyryfHUuXCscx
uj7X/iWpKo429NEvx7epXTPcMHD4QGxLsqYxYdE0PD0xesevxKenhOGXpOhL9hd8
7jwH7eKKV9y2+/hDJVDqJ4GohryPUkqWOmAalrv9c/SF/YP9f4RtNGx/ardLAQO/
rWm31zLZ9Vdq6YaCPqVmMbMWPcLzJmAy01IesGykNz709a/r4d+ABs8qQedmCeFL
l+d3vSFtKbZnwy1+7dZ5ZdHPOrbRsV5WYVB6Ws5OUDGAA5hH5+QYfERaxqSzO8bG
wzrwbMOLyKSRBfP12baqBqG3q+Sx6iEUXIOk/P+2UNOMEiaZdnDpwA+mdPy70Bt4
znKS4iicvObpCdg604nmvi533wEKb5b25Y08TVJ2Glbhc34XrD2tbKNSEhhw5oBO
M/J+JjKsBY04pOZ2PJ8QaQ5tndLBeSBrW88zjdGUdjXnXVXHt6woq0bM5zshtQoK
5EpZ3IE1S0SVEgpnpaH/WwAH0sDM+T/8nzPyAPiMbIedBi3x7+PmBvrFZhNb/FAH
nnGGstpvdDDPk1Po3CLW3iAfYY2jLqN4MpBs3KwytQXk9TwzDdbgh3cXTJ2w2Amo
DVf3RIXwyAS+XF1a4xeOVGNpf0l0ZAWMowIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
AQH/MB8GA1UdIwQYMBaAFLK0ruYt9ybVqnUtdkvAG1Mh0EjvMB0GA1UdDgQWBBSy
tK7mLfcm1ap1LXZLwBtTIdBI7zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEL
BQADggIBAImocn+M684uGMQQgC0QDP/7FM0E4BQ8Tpr7nym/Ip5XuYJzEmMmtcyQ
6dIqKe6cLcwsmb5FJ+Sxce3kOJUxQfJ9emN438o2Fi+CiJ+8EUdPdk3ILY7r3y18
Tjvarvbj2l0Upq7ohUSdBm6O++96SmotKygY/r+QLHUWnw/qln0F7psTpURs+APQ
3SPh/QMSEgj0GDSz4DcLdxEBSL9htLX4GdnLTeqjjO/98Aa1bZL0SmFQhO3sSdPk
vmjmLuMxC1QLGpLWgti2omU8ZgT5Vdps+9u1FGZNlIM7zR6mK7L+d0CGq+ffCsn9
9t2HVhjYsCxVYJb6CH5SkPVLpi6HfMsg2wY+oF0Dd32iPBMbKaITVaA9FCKvb7jQ
mhty3QUBjYZgv6Rn7rWlDdF/5horYmbDB7rnoEgcOMPpRfunf/ztAmgayncSd6YA
VSgU7NbHEqIbZULpkejLPoeJVF3Zr52XnGnnCv8PWniLYypMfUeUP95L6VPQMPHF
9p5J3zugkaOj/s1YzOrfr28oO6Bpm4/srK4rVJ2bBLFHIK+WEj5jlB0E5y67hscM
moi/dkfv97ALl2bSRM9gUgfh1SxKOidhd8rXj+eHDjD/DLsE4mHDosiXYY60MGo8
bcIHX0pzLz/5FooBZu+6kcpSV3uu1OYP3Qt6f4ueJiDPO++BcYNZ
-----END CERTIFICATE-----
### eMudhra Inc
@ -3471,61 +3685,6 @@ pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHK
e7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0
vm9qp/UsQu0yrbYhnr68
-----END CERTIFICATE-----
=== /C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Validity
Not Before: Dec 6 13:49:52 2011 GMT
Not After : Dec 1 13:49:52 2031 GMT
Subject: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
A6:91:42:FD:13:61:4A:23:9E:08:A4:29:E5:D8:13:04:23:EE:41:25
X509v3 Name Constraints:
Permitted:
DNS:.gr
DNS:.eu
DNS:.edu
DNS:.org
email:.gr
email:.eu
email:.edu
email:.org
SHA1 Fingerprint=FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D
SHA256 Fingerprint=BC:10:4F:15:A4:8B:E7:09:DC:A5:42:A7:E1:D4:B9:DF:6F:05:45:27:E8:02:EA:A9:2D:59:54:44:25:8A:FE:71
-----BEGIN CERTIFICATE-----
MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1Ix
RDBCBgNVBAoTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1
dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1p
YyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIFJvb3RDQSAyMDExMB4XDTExMTIw
NjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJBgNVBAYTAkdSMUQwQgYDVQQK
EztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENl
cnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
c2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPz
dYmNUeTDN9KKiE15HrcS3UN4SoqS5tdI1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJ
fel3r+0ae50X+bOdOFAPplp5kYCvN66m0zH7tSYJnTxa71HFK9+WXesyHgLacEns
bgzImjeN9/E2YEsmLIKe0HjzDQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u8yBRQlqD
75O6aRXxYp2fmTmCobd0LovUxQt7L/DICto9eQqakxylKHJzkUOap9FNhYS5qXSP
FEDH3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyNh+UCAwEAAaOBiTCBhjAPBgNV
HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUppFC/RNhSiOeCKQp
5dgTBCPuQSUwRwYDVR0eBEAwPqA8MAWCAy5ncjAFggMuZXUwBoIELmVkdTAGggQu
b3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQub3JnMA0GCSqGSIb3DQEBBQUA
A4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVtXdMiKahsog2p
6z0GW5k6x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8
TqBTnbI6nOulnJEWtk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7
dIsXRSZMFpGD/md9zU1jZ/rzAxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8Acys
Nnq/onN694/BtZqhFLKPM58N7yLcZnuEvUUXBj08yrl3NI/K6s8/MT7jiOOASSXI
l7WdmplNsDz4SgCbZN2fOUvRJ9e4
-----END CERTIFICATE-----
### Hongkong Post
@ -4338,57 +4497,6 @@ uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2
XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
-----END CERTIFICATE-----
### Network Solutions L.L.C.
=== /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
Signature Algorithm: sha1WithRSAEncryption
Validity
Not Before: Dec 1 00:00:00 2006 GMT
Not After : Dec 31 23:59:59 2029 GMT
Subject: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
X509v3 extensions:
X509v3 Subject Key Identifier:
21:30:C9:FB:00:D7:4E:98:DA:87:AA:2A:D0:A7:2E:B1:40:31:A7:4C
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
SHA1 Fingerprint=74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE
SHA256 Fingerprint=15:F0:BA:00:A3:AC:7A:F3:AC:88:4C:07:2B:10:11:A0:77:BD:77:C0:97:F4:01:64:B2:F8:59:8A:BD:83:86:0C
-----BEGIN CERTIFICATE-----
MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi
MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu
MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV
UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO
ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz
c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP
OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl
mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF
BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4
qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw
gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB
BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu
bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp
dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8
6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/
h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH
/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv
wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN
pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey
-----END CERTIFICATE-----
### QuoVadis Limited
=== /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3
@ -4672,6 +4780,92 @@ ywaZWWDYWGWVjUTR939+J399roD1B0y2PpxxVJkES/1Y+Zj0
### SECOM Trust Systems CO.,LTD.
=== /C=JP/O=SECOM Trust Systems CO.,LTD./CN=Security Communication ECC RootCA1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d6:5d:9b:b3:78:81:2e:eb
Signature Algorithm: ecdsa-with-SHA384
Validity
Not Before: Jun 16 05:15:28 2016 GMT
Not After : Jan 18 05:15:28 2038 GMT
Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication ECC RootCA1
X509v3 extensions:
X509v3 Subject Key Identifier:
86:1C:E7:FE:2D:A5:4A:8B:08:FE:28:11:FA:BE:A3:66:F8:60:59:2F
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
SHA1 Fingerprint=B8:0E:26:A9:BF:D2:B2:3B:C0:EF:46:C9:BA:C7:BB:F6:1D:0D:41:41
SHA256 Fingerprint=E7:4F:BD:A5:5B:D5:64:C4:73:A3:6B:44:1A:A7:99:C8:A6:8E:07:74:40:E8:28:8B:9F:A1:E5:0E:4B:BA:CA:11
-----BEGIN CERTIFICATE-----
MIICODCCAb6gAwIBAgIJANZdm7N4gS7rMAoGCCqGSM49BAMDMGExCzAJBgNVBAYT
AkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMSswKQYD
VQQDEyJTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVDQyBSb290Q0ExMB4XDTE2MDYx
NjA1MTUyOFoXDTM4MDExODA1MTUyOFowYTELMAkGA1UEBhMCSlAxJTAjBgNVBAoT
HFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xKzApBgNVBAMTIlNlY3VyaXR5
IENvbW11bmljYXRpb24gRUNDIFJvb3RDQTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
AASkpW9gAwPDvTH00xecK4R1rOX9PVdu12O/5gSJko6BnOPpR27KkBLIE+Cnnfdl
dB9sELLo5OnvbYUymUSxXv3MdhDYW72ixvnWQuRXdtyQwjWpS4g8EkdtXP9JTxpK
ULGjQjBAMB0GA1UdDgQWBBSGHOf+LaVKiwj+KBH6vqNm+GBZLzAOBgNVHQ8BAf8E
BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjAVXUI9/Lbu
9zuxNuie9sRGKEkz0FhDKmMpzE2xtHqiuQ04pV1IKv3LsnNdo4gIxwwCMQDAqy0O
be0YottT6SXbVQjgUMzfRGEWgqtJsLKB7HOHeLRMsmIbEvoWTSVLY70eN9k=
-----END CERTIFICATE-----
=== /C=JP/O=SECOM Trust Systems CO.,LTD./CN=Security Communication RootCA3
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e1:7c:37:40:fd:1b:fe:67
Signature Algorithm: sha384WithRSAEncryption
Validity
Not Before: Jun 16 06:17:16 2016 GMT
Not After : Jan 18 06:17:16 2038 GMT
Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication RootCA3
X509v3 extensions:
X509v3 Subject Key Identifier:
64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A
SHA256 Fingerprint=24:A5:5C:2A:B0:51:44:2D:06:17:76:65:41:23:9A:4A:D0:32:D7:C5:51:75:AA:34:FF:DE:2F:BC:4F:5C:52:94
-----BEGIN CERTIFICATE-----
MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV
BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2
MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc
U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg
Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r
CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA
lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG
TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7
9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7
8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4
g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we
GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst
+3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M
0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ
T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw
HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP
BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS
YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA
FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd
9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI
UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+
OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke
gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf
iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV
nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD
2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI//
1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad
TdJ0MN1kURXbg4NR16/9M51NZg==
-----END CERTIFICATE-----
=== /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2
Certificate:
Data:
@ -5051,60 +5245,6 @@ oYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA8ShY
Ic2wBlX7Jz9TkHCpBB5XJ7k=
-----END CERTIFICATE-----
### Staat der Nederlanden
=== /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10000013 (0x98968d)
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Dec 8 11:19:29 2010 GMT
Not After : Dec 8 11:10:28 2022 GMT
Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B
SHA1 Fingerprint=76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
SHA256 Fingerprint=4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
-----BEGIN CERTIFICATE-----
MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO
TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh
dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y
MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg
TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS
b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS
M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC
UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d
Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p
rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l
pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb
j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC
KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS
/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X
cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH
1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP
px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB
/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7
MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI
eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u
2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS
v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC
wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy
CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e
vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6
Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa
Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL
eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8
FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc
7uzXLg==
-----END CERTIFICATE-----
### Starfield Technologies, Inc.
=== /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
@ -5792,163 +5932,6 @@ L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
### TrustCor Systems S. de R.L.
=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor ECA-1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
84:82:2c:5f:1c:62:d0:40
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Feb 4 12:32:33 2016 GMT
Not After : Dec 31 17:28:07 2029 GMT
Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1
X509v3 extensions:
X509v3 Subject Key Identifier:
44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86
X509v3 Authority Key Identifier:
keyid:44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
SHA1 Fingerprint=58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD
SHA256 Fingerprint=5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk
MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U
cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29y
IEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3MjgwN1owgZwxCzAJBgNV
BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw
IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy
dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3Ig
RUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb
3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOA
BoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A5
3ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4Ou
owReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/
wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZF
ZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAf
BgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/
MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVwm8nHc2Fv
civUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2
AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F
hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50
soIipX1TH0XsJ5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BI
WJZpTdwHjFGTot+fDz2LYLSCjaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1Wi
tJ/X5g==
-----END CERTIFICATE-----
=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
da:9b:ec:71:f3:03:b0:19
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Feb 4 12:32:16 2016 GMT
Not After : Dec 31 17:23:16 2029 GMT
Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1
X509v3 extensions:
X509v3 Subject Key Identifier:
EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7
X509v3 Authority Key Identifier:
keyid:EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
SHA1 Fingerprint=FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A
SHA256 Fingerprint=D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C
-----BEGIN CERTIFICATE-----
MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD
VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk
MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U
cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29y
IFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCB
pDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFuYW1h
IENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUG
A1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZU
cnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpid
RtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3V
seq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme
9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CV
EY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorW
hnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/
DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD
ggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I
/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf
ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZ
yonnMlo2HD6CqFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djts
L1Ac59v2Z3kf9YKVmgenFK+P3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdN
zl/HHk484IkzlQsPpTLWPFp5LBk=
-----END CERTIFICATE-----
=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-2
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2711694510199101698 (0x25a1dfca33cb5902)
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Feb 4 12:32:23 2016 GMT
Not After : Dec 31 17:26:39 2034 GMT
Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2
X509v3 extensions:
X509v3 Subject Key Identifier:
D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2
X509v3 Authority Key Identifier:
keyid:D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
SHA1 Fingerprint=B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0
SHA256 Fingerprint=07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65
-----BEGIN CERTIFICATE-----
MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV
BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw
IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy
dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3Ig
Um9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzExNzI2MzlaMIGk
MQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEg
Q2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYD
VQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRy
dXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+
QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq
1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp
2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nK
DOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hape
az6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF
3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88
oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNM
g9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3
mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh
8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAd
BgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6U
nrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw
DQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWyOrsGS2h60COX
dKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89NiqpX+
MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL
/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RX
CI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa
ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW
2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7
N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3
Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArB
As8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp
5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu
1uwJ
-----END CERTIFICATE-----
### Trustwave Holdings, Inc.
=== /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority

1
lib/libcrypto/crypto_init.c
View file

@ -1,3 +1,4 @@
/* $OpenBSD: crypto_init.c,v 1.8 2023/05/08 13:53:26 tb Exp $ */
/*
* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
*

20
lib/libcrypto/ec/ec_asn1.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ec_asn1.c,v 1.42 2023/04/25 19:53:30 tb Exp $ */
/* $OpenBSD: ec_asn1.c,v 1.45 2023/05/04 05:59:38 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@ -225,7 +225,6 @@ static const ASN1_ADB_TABLE X9_62_CHARACTERISTIC_TWO_adbtbl[] = {
.field_name = "p.onBasis",
.item = &ASN1_NULL_it,
},
},
{
.value = NID_X9_62_tpBasis,
@ -236,7 +235,6 @@ static const ASN1_ADB_TABLE X9_62_CHARACTERISTIC_TWO_adbtbl[] = {
.field_name = "p.tpBasis",
.item = &ASN1_INTEGER_it,
},
},
{
.value = NID_X9_62_ppBasis,
@ -327,7 +325,6 @@ static const ASN1_ADB_TABLE X9_62_FIELDID_adbtbl[] = {
.field_name = "p.prime",
.item = &ASN1_INTEGER_it,
},
},
{
.value = NID_X9_62_characteristic_two_field,
@ -338,7 +335,6 @@ static const ASN1_ADB_TABLE X9_62_FIELDID_adbtbl[] = {
.field_name = "p.char_two",
.item = &X9_62_CHARACTERISTIC_TWO_it,
},
},
};
@ -619,7 +615,7 @@ EC_PRIVATEKEY_free(EC_PRIVATEKEY *a)
/* some declarations of internal function */
/* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */
/* ec_asn1_group2fieldid() sets the values in a X9_62_FIELDID object */
static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *);
/* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */
static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *);
@ -912,8 +908,8 @@ ec_asn1_group2pkparameters(const EC_GROUP *group, ECPKPARAMETERS *params)
} else {
/* use the ECPARAMETERS structure */
ret->type = 1;
if ((ret->value.parameters = ec_asn1_group2parameters(
group, NULL)) == NULL)
if ((ret->value.parameters = ec_asn1_group2parameters(group,
NULL)) == NULL)
ok = 0;
}
@ -1098,7 +1094,7 @@ ec_asn1_pkparameters2group(const ECPKPARAMETERS *params)
/* EC_GROUP <-> DER encoding of ECPKPARAMETERS */
EC_GROUP *
d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len)
d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
{
EC_GROUP *group = NULL;
ECPKPARAMETERS *params;
@ -1143,7 +1139,7 @@ i2d_ECPKParameters(const EC_GROUP *a, unsigned char **out)
/* some EC_KEY functions */
EC_KEY *
d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
{
EC_KEY *ret = NULL;
EC_PRIVATEKEY *priv_key = NULL;
@ -1329,7 +1325,7 @@ i2d_ECParameters(EC_KEY *a, unsigned char **out)
}
EC_KEY *
d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len)
d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
{
EC_KEY *ret;
@ -1358,7 +1354,7 @@ d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len)
}
EC_KEY *
o2i_ECPublicKey(EC_KEY ** a, const unsigned char **in, long len)
o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len)
{
EC_KEY *ret = NULL;

19
lib/libcrypto/ec/ec_lib.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ec_lib.c,v 1.56 2023/04/25 19:53:30 tb Exp $ */
/* $OpenBSD: ec_lib.c,v 1.57 2023/05/04 13:51:59 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@ -1459,15 +1459,20 @@ ec_group_simple_order_bits(const EC_GROUP *group)
EC_KEY *
ECParameters_dup(EC_KEY *key)
{
unsigned char *p = NULL;
EC_KEY *k = NULL;
const unsigned char *p;
unsigned char *der = NULL;
EC_KEY *dup = NULL;
int len;
if (key == NULL)
return (NULL);
return NULL;
if ((len = i2d_ECParameters(key, &p)) > 0)
k = d2i_ECParameters(NULL, (const unsigned char **)&p, len);
if ((len = i2d_ECParameters(key, &der)) <= 0)
return NULL;
return (k);
p = der;
dup = d2i_ECParameters(NULL, &p, len);
freezero(der, len);
return dup;
}

4
lib/libcrypto/ec/ec_oct.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ec_oct.c,v 1.13 2023/05/01 21:15:26 tb Exp $ */
/* $OpenBSD: ec_oct.c,v 1.14 2023/05/04 06:45:51 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@ -113,7 +113,7 @@ EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
BN_CTX *ctx_in)
{
BN_CTX *ctx;
int ret = 0;
size_t ret = 0;
if ((ctx = ctx_in) == NULL)
ctx = BN_CTX_new();

31
lib/libcrypto/man/BN_generate_prime.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: BN_generate_prime.3,v 1.22 2023/04/30 20:17:59 tb Exp $
.\" $OpenBSD: BN_generate_prime.3,v 1.24 2023/05/12 08:18:13 jsg Exp $
.\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
.\"
.\" This file is a derived work.
@ -67,7 +67,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: April 30 2023 $
.Dd $Mdocdate: May 12 2023 $
.Dt BN_GENERATE_PRIME 3
.Os
.Sh NAME
@ -81,7 +81,7 @@
.Nm BN_GENCB_get_arg ,
.Nm BN_GENCB_set_old
.\" Nm BN_prime_checks_for_size is intentionally undocumented
.\" because it is no longer used by LibreSSL.
.\" because it should not be used outside of libcrypto.
.Nd generate primes and test for primality
.Sh SYNOPSIS
.In openssl/bn.h
@ -147,13 +147,14 @@ and
test whether the number
.Fa a
is prime.
In LibreSSL, both functions behave identically,
use the Baillie-Pomerance-Selfridge-Wagstaff algorithm,
and ignore the
In LibreSSL, both functions behave identically
and use the Baillie-Pomerance-Selfridge-Wagstaff algorithm
combined with
.Fa checks
and
Miller-Rabin rounds.
The
.Fa do_trial_division
arguments.
argument is ignored.
.Pp
It is unknown whether any composite number exists that the
Baillie-PSW algorithm misclassifies as a prime.
@ -161,6 +162,20 @@ Some suspect that there may be infinitely many such numbers,
but not a single one is currently known.
It is known that no such number exists below 2\(ha64.
.Pp
In order to reduce the likelihood of a composite number
passing the primality tests
.Fn BN_is_prime_fasttest_ex
and
.Fn BN_is_prime_ex ,
a number of rounds of the probabilistic Miller-Rabin test is performed.
If
.Fa checks
is positive, it is used as the number of rounds;
if it is zero or the special value
.Dv BN_prime_checks ,
a suitable number of rounds is calculated from the bit length of
.Fa a .
.Pp
If
.Dv NULL
is passed for the

13
lib/libcrypto/man/EVP_AEAD_CTX_init.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.10 2022/01/10 22:44:22 tb Exp $
.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.11 2023/05/09 07:19:24 tb Exp $
.\"
.\" Copyright (c) 2014, Google Inc.
.\" Parts of the text were written by Adam Langley and David Benjamin.
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 10 2022 $
.Dd $Mdocdate: May 9 2023 $
.Dt EVP_AEAD_CTX_INIT 3
.Os
.Sh NAME
@ -266,9 +266,14 @@ It is also safer to use as it prevents common mistakes with the native APIs.
.Fn EVP_AEAD_CTX_new
returns the new
.Vt EVP_AEAD_CTX
object or
object on success;
otherwise
.Dv NULL
on failure.
is returned and
.Va errno
is set to
.Er ENOMEM .
.Pp
.Fn EVP_AEAD_CTX_init ,
.Fn EVP_AEAD_CTX_open ,
and

13
lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.6 2023/04/16 23:19:28 tb Exp $
.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.7 2023/05/05 12:22:21 tb Exp $
.\" full merge up to:
.\" OpenSSL man3/EVP_PKEY_CTX_ctrl.pod 99d63d46 Oct 26 13:56:48 2016 -0400
.\" OpenSSL man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod
@ -55,7 +55,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: April 16 2023 $
.Dd $Mdocdate: May 5 2023 $
.Dt RSA_PKEY_CTX_CTRL 3
.Os
.Sh NAME
@ -189,15 +189,12 @@ for PKCS#1 padding,
for no padding,
.Dv RSA_PKCS1_OAEP_PADDING
for OAEP padding (encrypt and decrypt only),
and
.Dv RSA_X931_PADDING
for X9.31 padding (signature operations only) and
.Dv RSA_PKCS1_PSS_PADDING
(sign and verify only).
Only the last one can be used with keys of the type
.Dv EVP_PKEY_RSA_PSS .
X9.31 padding mode is unsupported.
.Dv RSA_X931_PADDING
is provided for backward compatibility with some existing
application software.
.Pp
Two RSA padding modes behave differently if
.Xr EVP_PKEY_CTX_set_signature_md 3
@ -209,6 +206,8 @@ structure according to PKCS#1 when signing and this structure is
expected (and stripped off) when verifying.
If this control is not used with RSA and PKCS#1 padding then the
supplied data is used directly and not encapsulated.
In the case of X9.31 padding for RSA the algorithm identifier byte is
added or checked and removed if this control is called.
If it is not called then the first byte of the plaintext buffer is
expected to be the algorithm identifier byte.
.Pp

30
lib/libcrypto/man/X509_NAME_get_index_by_NID.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.14 2023/05/02 14:13:05 beck Exp $
.\" $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.15 2023/05/03 08:10:23 beck Exp $
.\" OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
.\"
.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@ -49,7 +49,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: May 2 2023 $
.Dd $Mdocdate: May 3 2023 $
.Dt X509_NAME_GET_INDEX_BY_NID 3
.Os
.Sh NAME
@ -136,32 +136,22 @@ run from 0 to
.Fn X509_NAME_get_text_by_NID
and
.Fn X509_NAME_get_text_by_OBJ
retrieve the bytes encoded as UTF-8 from the first entry in
retrieve the "text" from the first entry in
.Fa name
which matches
.Fa nid
or
.Fa obj .
At most
.Fa len
bytes will be written and the text written to
.Fa buf
will be NUL terminated.
If
.Fa buf
is
.Dv NULL ,
nothing is written, but the return value is calculated as usual.
If
.Fa buf
is not
.Dv NULL ,
no more than
.Fa len
bytes will be written and the text written to
.Fa buf
will be NUL terminated.
.Pp
Nothing is written and it is a failure if
.Fa len
is not large enough to hold the NUL byte terminated UTF-8 encoding of
the text, or if the UTF-8 encoding ot the text would contins a NUL
byte.
.Pp
All relevant
.Dv NID_*
@ -199,8 +189,8 @@ if the index is invalid.
.Fn X509_NAME_get_text_by_NID
and
.Fn X509_NAME_get_text_by_OBJ
return the length of the output UTF-8 string written, not counting the
terminating NUL, or -1 in the case of an error or no match being found.
return the length of the output string written, not counting the
terminating NUL, or -1 if no match is found.
.Pp
In some cases of failure of
.Fn X509_NAME_get_index_by_NID

11
lib/libcrypto/man/s2i_ASN1_INTEGER.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: s2i_ASN1_INTEGER.3,v 1.4 2023/04/21 13:08:16 tb Exp $
.\" $OpenBSD: s2i_ASN1_INTEGER.3,v 1.5 2023/05/12 08:12:09 tb Exp $
.\"
.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: April 21 2023 $
.Dd $Mdocdate: May 12 2023 $
.Dt I2S_ASN1_INTEGER 3
.Os
.Sh NAME
@ -135,8 +135,9 @@ The
and
.Fa ctx
arguments are ignored.
Every pair of hexadecimal digits is converted into an octet, while
any number of colons separating two pairs are ignored.
Every pair of hexadecimal digits is converted into an octet.
Colons are ignored if they are at the start, the end or
if they separate two pairs of digits.
.Pp
.Fn i2s_ASN1_ENUMERATED_TABLE
uses strings provided in the usr_data field of the non-NULL
@ -187,7 +188,7 @@ or NULL on error.
Error conditions are memory allocation failure or if
.Fa value
contains an odd number of hexadecimal digits or anything except
colons between pairs of hexadecimal digits.
colons at the start, the end or between pairs of hexadecimal digits.
.Pp
Error codes can sometimes be obtained by
.Xr ERR_get_error 3 .

10
lib/libcrypto/modes/xts128.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: xts128.c,v 1.9 2022/11/26 16:08:53 tb Exp $ */
/* $OpenBSD: xts128.c,v 1.10 2023/05/07 14:38:04 tb Exp $ */
/* ====================================================================
* Copyright (c) 2011 The OpenSSL Project. All rights reserved.
*
@ -120,9 +120,9 @@ int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
}
if (enc) {
for (i=0;i<len;++i) {
u8 c = inp[i];
u8 ch = inp[i];
out[i] = scratch.c[i];
scratch.c[i] = c;
scratch.c[i] = ch;
}
scratch.u[0] ^= tweak.u[0];
scratch.u[1] ^= tweak.u[1];
@ -165,9 +165,9 @@ int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
scratch.u[1] ^= tweak1.u[1];
for (i=0;i<len;++i) {
u8 c = inp[16+i];
u8 ch = inp[16+i];
out[16+i] = scratch.c[i];
scratch.c[i] = c;
scratch.c[i] = ch;
}
scratch.u[0] ^= tweak.u[0];
scratch.u[1] ^= tweak.u[1];

4
lib/libcrypto/rsa/rsa.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa.h,v 1.63 2023/04/25 16:50:33 tb Exp $ */
/* $OpenBSD: rsa.h,v 1.64 2023/05/05 12:30:40 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -225,7 +225,7 @@ typedef struct rsa_oaep_params_st {
#define RSA_SSLV23_PADDING 2
#define RSA_NO_PADDING 3
#define RSA_PKCS1_OAEP_PADDING 4
/* Leave this for now as rust-openssl and erlang expose it. */
/* rust-openssl and erlang expose this and salt even uses it. */
#define RSA_X931_PADDING 5
/* EVP_PKEY_ only */
#define RSA_PKCS1_PSS_PADDING 6

30
lib/libcrypto/rsa/rsa_eay.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_eay.c,v 1.59 2023/04/15 18:48:52 tb Exp $ */
/* $OpenBSD: rsa_eay.c,v 1.60 2023/05/05 12:21:44 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -382,11 +382,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
case RSA_PKCS1_PADDING:
i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
break;
case RSA_X931_PADDING:
i = RSA_padding_add_X931(buf, num, from, flen);
break;
case RSA_NO_PADDING:
i = RSA_padding_add_none(buf, num, from, flen);
break;
default:
RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
RSAerror(RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
if (i <= 0)
@ -446,11 +449,14 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
goto err;
if (padding == RSA_X931_PADDING) {
RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
goto err;
}
res = ret;
if (!BN_sub(f, rsa->n, ret))
goto err;
if (BN_cmp(ret, f) > 0)
res = f;
else
res = ret;
} else
res = ret;
/* put in leading 0 bytes if the number is less than the
* length of the modulus */
@ -661,10 +667,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
rsa->_method_mod_n))
goto err;
if (padding == RSA_X931_PADDING) {
RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
goto err;
}
if (padding == RSA_X931_PADDING && (ret->d[0] & 0xf) != 12)
if (!BN_sub(ret, rsa->n, ret))
goto err;
p = buf;
i = BN_bn2bin(ret, p);
@ -673,6 +678,9 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
case RSA_PKCS1_PADDING:
r = RSA_padding_check_PKCS1_type_1(to, num, buf, i, num);
break;
case RSA_X931_PADDING:
r = RSA_padding_check_X931(to, num, buf, i, num);
break;
case RSA_NO_PADDING:
r = RSA_padding_check_none(to, num, buf, i, num);
break;

8
lib/libcrypto/rsa/rsa_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */
/* $OpenBSD: rsa_local.h,v 1.2 2023/05/05 12:21:44 tb Exp $ */
__BEGIN_HIDDEN_DECLS
@ -91,4 +91,10 @@ extern int int_rsa_verify(int dtype, const unsigned char *m,
unsigned int m_len, unsigned char *rm, size_t *prm_len,
const unsigned char *sigbuf, size_t siglen, RSA *rsa);
int RSA_padding_add_X931(unsigned char *to, int tlen,
const unsigned char *f, int fl);
int RSA_padding_check_X931(unsigned char *to, int tlen,
const unsigned char *f, int fl, int rsa_len);
int RSA_X931_hash_id(int nid);
__END_HIDDEN_DECLS

154
lib/libcrypto/rsa/rsa_pmeth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_pmeth.c,v 1.37 2023/04/25 15:48:48 tb Exp $ */
/* $OpenBSD: rsa_pmeth.c,v 1.38 2023/05/05 12:21:44 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -187,7 +187,7 @@ static int
pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
const unsigned char *tbs, size_t tbslen)
{
int ret = -1;
int ret;
RSA_PKEY_CTX *rctx = ctx->data;
RSA *rsa = ctx->pkey->pkey.rsa;
@ -197,11 +197,21 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
return -1;
}
if (rctx->pad_mode != RSA_PKCS1_PADDING &&
rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
return -1;
if (rctx->pad_mode == RSA_PKCS1_PADDING) {
if (rctx->pad_mode == RSA_X931_PADDING) {
if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
return -1;
}
if (!setup_tbuf(rctx, ctx)) {
RSAerror(ERR_R_MALLOC_FAILURE);
return -1;
}
memcpy(rctx->tbuf, tbs, tbslen);
rctx->tbuf[tbslen] =
RSA_X931_hash_id(EVP_MD_type(rctx->md));
ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, sig,
rsa, RSA_X931_PADDING);
} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
unsigned int sltmp;
ret = RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig,
@ -217,6 +227,8 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
return -1;
ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
sig, rsa, RSA_NO_PADDING);
} else {
return -1;
}
} else {
ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
@ -236,16 +248,36 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen,
RSA_PKEY_CTX *rctx = ctx->data;
if (rctx->md) {
size_t sltmp;
if (rctx->pad_mode == RSA_X931_PADDING) {
if (!setup_tbuf(rctx, ctx))
return -1;
ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
ctx->pkey->pkey.rsa, RSA_X931_PADDING);
if (ret < 1)
return 0;
ret--;
if (rctx->tbuf[ret] !=
RSA_X931_hash_id(EVP_MD_type(rctx->md))) {
RSAerror(RSA_R_ALGORITHM_MISMATCH);
return 0;
}
if (ret != EVP_MD_size(rctx->md)) {
RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
return 0;
}
if (rout)
memcpy(rout, rctx->tbuf, ret);
} else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
size_t sltmp;
if (rctx->pad_mode != RSA_PKCS1_PADDING)
ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
if (ret <= 0)
return 0;
ret = sltmp;
} else {
return -1;
ret = int_rsa_verify(EVP_MD_type(rctx->md), NULL, 0,
rout, &sltmp, sig, siglen, ctx->pkey->pkey.rsa);
if (ret <= 0)
return 0;
ret = sltmp;
}
} else {
ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa,
rctx->pad_mode);
@ -263,7 +295,6 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
RSA_PKEY_CTX *rctx = ctx->data;
RSA *rsa = ctx->pkey->pkey.rsa;
size_t rslen;
int ret;
if (rctx->md) {
if (rctx->pad_mode == RSA_PKCS1_PADDING)
@ -273,22 +304,30 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen,
RSAerror(RSA_R_INVALID_DIGEST_LENGTH);
return -1;
}
if (rctx->pad_mode == RSA_X931_PADDING) {
if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig,
siglen) <= 0)
return 0;
} else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
int ret;
if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
if (!setup_tbuf(rctx, ctx))
return -1;
ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
rsa, RSA_NO_PADDING);
if (ret <= 0)
return 0;
ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
rctx->mgf1md, rctx->tbuf, rctx->saltlen);
if (ret <= 0)
return 0;
return 1;
} else {
return -1;
if (!setup_tbuf(rctx, ctx))
return -1;
ret = RSA_public_decrypt(siglen, sig, rctx->tbuf,
rsa, RSA_NO_PADDING);
if (ret <= 0)
return 0;
ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md,
rctx->mgf1md, rctx->tbuf, rctx->saltlen);
if (ret <= 0)
return 0;
return 1;
}
} else {
int ret;
if (!setup_tbuf(rctx, ctx))
return -1;
@ -365,34 +404,41 @@ check_padding_md(const EVP_MD *md, int padding)
if (md == NULL)
return 1;
if (padding == RSA_NO_PADDING || padding == RSA_X931_PADDING) {
RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
if (padding == RSA_NO_PADDING) {
RSAerror(RSA_R_INVALID_PADDING_MODE);
return 0;
}
/* List of all supported RSA digests. */
/* RFC 8017 and NIST CSOR. */
switch(EVP_MD_type(md)) {
case NID_sha1:
case NID_sha224:
case NID_sha256:
case NID_sha384:
case NID_sha512:
case NID_sha512_224:
case NID_sha512_256:
case NID_sha3_224:
case NID_sha3_256:
case NID_sha3_384:
case NID_sha3_512:
case NID_md5:
case NID_md5_sha1:
case NID_md4:
case NID_ripemd160:
return 1;
if (padding == RSA_X931_PADDING) {
if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
RSAerror(RSA_R_INVALID_X931_DIGEST);
return 0;
}
} else {
/* List of all supported RSA digests. */
/* RFC 8017 and NIST CSOR. */
switch(EVP_MD_type(md)) {
case NID_sha1:
case NID_sha224:
case NID_sha256:
case NID_sha384:
case NID_sha512:
case NID_sha512_224:
case NID_sha512_256:
case NID_sha3_224:
case NID_sha3_256:
case NID_sha3_384:
case NID_sha3_512:
case NID_md5:
case NID_md5_sha1:
case NID_md4:
case NID_ripemd160:
return 1;
default:
RSAerror(RSA_R_INVALID_DIGEST);
return 0;
default:
RSAerror(RSA_R_INVALID_DIGEST);
return 0;
}
}
return 1;
@ -598,6 +644,8 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
pm = RSA_PKCS1_OAEP_PADDING;
else if (!strcmp(value, "oaep"))
pm = RSA_PKCS1_OAEP_PADDING;
else if (!strcmp(value, "x931"))
pm = RSA_X931_PADDING;
else if (!strcmp(value, "pss"))
pm = RSA_PKCS1_PSS_PADDING;
else {

164
lib/libcrypto/rsa/rsa_x931.c Normal file
View file

@ -0,0 +1,164 @@
/* $OpenBSD: rsa_x931.c,v 1.12 2023/05/05 12:19:37 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2005.
*/
/* ====================================================================
* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
int
RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
int flen)
{
int j;
unsigned char *p;
/*
* Absolute minimum amount of padding is 1 header nibble, 1 padding
* nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
*/
j = tlen - flen - 2;
if (j < 0) {
RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return -1;
}
p = (unsigned char *)to;
/* If no padding start and end nibbles are in one byte */
if (j == 0)
*p++ = 0x6A;
else {
*p++ = 0x6B;
if (j > 1) {
memset(p, 0xBB, j - 1);
p += j - 1;
}
*p++ = 0xBA;
}
memcpy(p, from, flen);
p += flen;
*p = 0xCC;
return 1;
}
int
RSA_padding_check_X931(unsigned char *to, int tlen, const unsigned char *from,
int flen, int num)
{
int i = 0, j;
const unsigned char *p = from;
if (num != flen || (*p != 0x6A && *p != 0x6B)) {
RSAerror(RSA_R_INVALID_HEADER);
return -1;
}
if (*p++ == 0x6B) {
j = flen - 3;
for (i = 0; i < j; i++) {
unsigned char c = *p++;
if (c == 0xBA)
break;
if (c != 0xBB) {
RSAerror(RSA_R_INVALID_PADDING);
return -1;
}
}
if (i == 0) {
RSAerror(RSA_R_INVALID_PADDING);
return -1;
}
j -= i;
} else
j = flen - 2;
if (j < 0 || p[j] != 0xCC) {
RSAerror(RSA_R_INVALID_TRAILER);
return -1;
}
memcpy(to, p, j);
return j;
}
/* Translate between X931 hash ids and NIDs */
int
RSA_X931_hash_id(int nid)
{
switch (nid) {
case NID_sha1:
return 0x33;
case NID_sha256:
return 0x34;
case NID_sha384:
return 0x36;
case NID_sha512:
return 0x35;
}
return -1;
}

135
lib/libcrypto/sha/sha512.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: sha512.c,v 1.34 2023/04/14 10:45:15 jsing Exp $ */
/* $OpenBSD: sha512.c,v 1.35 2023/05/12 10:10:55 jsing Exp $ */
/* ====================================================================
* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
*
@ -153,137 +153,6 @@ static const SHA_LONG64 K512[80] = {
#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#if defined(__i386) || defined(__i386__) || defined(_M_IX86)
/*
* This code should give better results on 32-bit CPU with less than
* ~24 registers, both size and performance wise...
*/
static void
sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num)
{
const SHA_LONG64 *W = in;
SHA_LONG64 A, E, T;
SHA_LONG64 X[9 + 80], *F;
int i;
while (num--) {
F = X + 80;
A = ctx->h[0];
F[1] = ctx->h[1];
F[2] = ctx->h[2];
F[3] = ctx->h[3];
E = ctx->h[4];
F[5] = ctx->h[5];
F[6] = ctx->h[6];
F[7] = ctx->h[7];
for (i = 0; i < 16; i++, F--) {
T = PULL64(W[i]);
F[0] = A;
F[4] = E;
F[8] = T;
T += F[7] + Sigma1(E) + Ch(E, F[5], F[6]) + K512[i];
E = F[3] + T;
A = T + Sigma0(A) + Maj(A, F[1], F[2]);
}
for (; i < 80; i++, F--) {
T = sigma0(F[8 + 16 - 1]);
T += sigma1(F[8 + 16 - 14]);
T += F[8 + 16] + F[8 + 16 - 9];
F[0] = A;
F[4] = E;
F[8] = T;
T += F[7] + Sigma1(E) + Ch(E, F[5], F[6]) + K512[i];
E = F[3] + T;
A = T + Sigma0(A) + Maj(A, F[1], F[2]);
}
ctx->h[0] += A;
ctx->h[1] += F[1];
ctx->h[2] += F[2];
ctx->h[3] += F[3];
ctx->h[4] += E;
ctx->h[5] += F[5];
ctx->h[6] += F[6];
ctx->h[7] += F[7];
W += SHA_LBLOCK;
}
}
#elif defined(OPENSSL_SMALL_FOOTPRINT)
static void
sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num)
{
const SHA_LONG64 *W = in;
SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1, T2;
SHA_LONG64 X[16];
int i;
while (num--) {
a = ctx->h[0];
b = ctx->h[1];
c = ctx->h[2];
d = ctx->h[3];
e = ctx->h[4];
f = ctx->h[5];
g = ctx->h[6];
h = ctx->h[7];
for (i = 0; i < 16; i++) {
T1 = X[i] = PULL64(W[i]);
T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i];
T2 = Sigma0(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
}
for (; i < 80; i++) {
s0 = X[(i + 1)&0x0f];
s0 = sigma0(s0);
s1 = X[(i + 14)&0x0f];
s1 = sigma1(s1);
T1 = X[i&0xf] += s0 + s1 + X[(i + 9)&0xf];
T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i];
T2 = Sigma0(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
}
ctx->h[0] += a;
ctx->h[1] += b;
ctx->h[2] += c;
ctx->h[3] += d;
ctx->h[4] += e;
ctx->h[5] += f;
ctx->h[6] += g;
ctx->h[7] += h;
W += SHA_LBLOCK;
}
}
#else
#define ROUND_00_15(i, a, b, c, d, e, f, g, h) do { \
T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i]; \
h = Sigma0(a) + Maj(a, b, c); \
@ -379,8 +248,6 @@ sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num)
}
}
#endif
#endif /* SHA512_ASM */
int

4
lib/libcrypto/x509/x509_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_local.h,v 1.7 2023/04/28 16:30:14 tb Exp $ */
/* $OpenBSD: x509_local.h,v 1.8 2023/05/08 14:51:00 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2013.
*/
@ -327,10 +327,10 @@ struct x509_store_ctx_st {
/* The following are set by the caller */
X509 *cert; /* The cert to check */
STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
STACK_OF(X509) *trusted; /* trusted stack for use with get_issuer() */
STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
X509_VERIFY_PARAM *param;
void *other_ctx; /* Other info for use with get_issuer() */
/* Callbacks for various operations */
int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */

4
lib/libcrypto/x509/x509_prn.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_prn.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */
/* $OpenBSD: x509_prn.c,v 1.6 2023/05/08 05:30:38 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -178,7 +178,7 @@ X509V3_extensions_print(BIO *bp, const char *title,
obj = X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp, obj);
j = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
if (BIO_printf(bp, ":%s\n", j ? " critical" : "") <= 0)
return 0;
if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
BIO_printf(bp, "%*s", indent + 4, "");

195
lib/libcrypto/x509/x509_utl.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_utl.c,v 1.14 2023/04/23 11:52:14 tb Exp $ */
/* $OpenBSD: x509_utl.c,v 1.17 2023/05/12 19:02:10 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
@ -55,9 +55,9 @@
* Hudson (tjh@cryptsoft.com).
*
*/
/* X509 v3 extension utilities */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
@ -67,6 +67,8 @@
#include <openssl/err.h>
#include <openssl/x509v3.h>
#include "bytestring.h"
static char *bn_to_string(const BIGNUM *bn);
static char *strip_spaces(char *name);
static int sk_strcmp(const char * const *a, const char * const *b);
@ -459,97 +461,148 @@ strip_spaces(char *name)
return p;
}
/* hex string utilities */
static const char hex_digits[] = "0123456789ABCDEF";
/* Given a buffer of length 'len' return a malloc'ed string with its
* hex representation
*/
char *
hex_to_string(const unsigned char *buffer, long len)
{
char *tmp, *q;
const unsigned char *p;
int i;
static const char hexdig[] = "0123456789ABCDEF";
CBB cbb;
CBS cbs;
uint8_t *out = NULL;
uint8_t c;
size_t out_len;
if (!CBB_init(&cbb, 0))
goto err;
if (len < 0)
return NULL;
if (len == 0)
return calloc(1, 1);
if ((tmp = calloc(len, 3)) == NULL) {
X509V3error(ERR_R_MALLOC_FAILURE);
return NULL;
goto err;
CBS_init(&cbs, buffer, len);
while (CBS_len(&cbs) > 0) {
if (!CBS_get_u8(&cbs, &c))
goto err;
if (!CBB_add_u8(&cbb, hex_digits[c >> 4]))
goto err;
if (!CBB_add_u8(&cbb, hex_digits[c & 0xf]))
goto err;
if (CBS_len(&cbs) > 0) {
if (!CBB_add_u8(&cbb, ':'))
goto err;
}
}
q = tmp;
for (i = 0, p = buffer; i < len; i++, p++) {
*q++ = hexdig[(*p >> 4) & 0xf];
*q++ = hexdig[*p & 0xf];
*q++ = ':';
}
q[-1] = 0;
return tmp;
if (!CBB_add_u8(&cbb, '\0'))
goto err;
if (!CBB_finish(&cbb, &out, &out_len))
goto err;
err:
CBB_cleanup(&cbb);
return out;
}
LCRYPTO_ALIAS(hex_to_string);
/* Give a string of hex digits convert to
* a buffer
*/
static int
x509_skip_colons_cbs(CBS *cbs)
{
uint8_t c;
while (CBS_len(cbs) > 0) {
if (!CBS_peek_u8(cbs, &c))
return 0;
if (c != ':')
return 1;
if (!CBS_get_u8(cbs, &c))
return 0;
}
return 1;
}
static int
x509_get_xdigit_nibble_cbs(CBS *cbs, uint8_t *out_nibble)
{
uint8_t c;
if (!CBS_get_u8(cbs, &c))
return 0;
if (c >= '0' && c <= '9') {
*out_nibble = c - '0';
return 1;
}
if (c >= 'a' && c <= 'f') {
*out_nibble = c - 'a' + 10;
return 1;
}
if (c >= 'A' && c <= 'F') {
*out_nibble = c - 'A' + 10;
return 1;
}
X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
return 0;
}
unsigned char *
string_to_hex(const char *str, long *len)
{
unsigned char *hexbuf, *q;
unsigned char ch, cl, *p;
if (!str) {
X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
return NULL;
}
if (!(hexbuf = malloc(strlen(str) >> 1)))
CBB cbb;
CBS cbs;
uint8_t *out = NULL;
size_t out_len;
uint8_t hi, lo;
*len = 0;
if (!CBB_init(&cbb, 0))
goto err;
for (p = (unsigned char *)str, q = hexbuf; *p; ) {
ch = *p++;
if (ch == ':')
continue;
cl = *p++;
if (!cl) {
X509V3error(X509V3_R_ODD_NUMBER_OF_DIGITS);
free(hexbuf);
return NULL;
}
ch = tolower(ch);
cl = tolower(cl);
if ((ch >= '0') && (ch <= '9'))
ch -= '0';
else if ((ch >= 'a') && (ch <= 'f'))
ch -= 'a' - 10;
else
goto badhex;
if ((cl >= '0') && (cl <= '9'))
cl -= '0';
else if ((cl >= 'a') && (cl <= 'f'))
cl -= 'a' - 10;
else
goto badhex;
*q++ = (ch << 4) | cl;
if (str == NULL) {
X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
goto err;
}
if (len)
*len = q - hexbuf;
CBS_init(&cbs, str, strlen(str));
while (CBS_len(&cbs) > 0) {
/*
* Skipping only a single colon between two pairs of digits
* would make more sense - history...
*/
if (!x509_skip_colons_cbs(&cbs))
goto err;
/* Another historic idiocy. */
if (CBS_len(&cbs) == 0)
break;
if (!x509_get_xdigit_nibble_cbs(&cbs, &hi))
goto err;
if (CBS_len(&cbs) == 0) {
X509V3error(X509V3_R_ODD_NUMBER_OF_DIGITS);
goto err;
}
if (!x509_get_xdigit_nibble_cbs(&cbs, &lo))
goto err;
if (!CBB_add_u8(&cbb, hi << 4 | lo))
goto err;
}
return hexbuf;
if (!CBB_finish(&cbb, &out, &out_len))
goto err;
if (out_len > LONG_MAX) {
freezero(out, out_len);
out = NULL;
goto err;
}
*len = out_len;
err:
free(hexbuf);
X509V3error(ERR_R_MALLOC_FAILURE);
return NULL;
CBB_cleanup(&cbb);
badhex:
free(hexbuf);
X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
return NULL;
return out;
}
LCRYPTO_ALIAS(string_to_hex);

3
lib/libcrypto/x509/x509_verify.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_verify.c,v 1.65 2023/04/28 16:50:16 beck Exp $ */
/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
@ -275,7 +275,6 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
cert)) != NULL) {
X509_free(match);
return x509_verify_check_chain_end(cert, full_chain);
}
} else {
/* Check the provided roots */

23
lib/libcrypto/x509/x509_vfy.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_vfy.c,v 1.120 2023/04/30 14:59:52 tb Exp $ */
/* $OpenBSD: x509_vfy.c,v 1.122 2023/05/08 14:51:00 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -144,7 +144,7 @@ static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time,
int clamp_notafter);
static int internal_verify(X509_STORE_CTX *ctx);
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err);
@ -592,7 +592,6 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
int
X509_verify_cert(X509_STORE_CTX *ctx)
{
STACK_OF(X509) *roots = NULL;
struct x509_verify_ctx *vctx = NULL;
int chain_count = 0;
@ -656,8 +655,6 @@ X509_verify_cert(X509_STORE_CTX *ctx)
}
x509_verify_ctx_free(vctx);
sk_X509_pop_free(roots, X509_free);
/* if we succeed we have a chain in ctx->chain */
return (chain_count > 0 && ctx->chain != NULL);
}
@ -697,12 +694,12 @@ check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer)
return X509_check_issued(issuer, subject) == X509_V_OK;
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
/* Alternative lookup method: look from a STACK stored in ctx->trusted */
static int
get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x, 1);
*issuer = find_issuer(ctx, ctx->trusted, x, 1);
if (*issuer) {
CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
return 1;
@ -2437,17 +2434,17 @@ LCRYPTO_ALIAS(X509_STORE_CTX_init);
*/
void
X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted)
{
ctx->other_ctx = sk;
ctx->get_issuer = get_issuer_sk;
X509_STORE_CTX_set0_trusted_stack(ctx, trusted);
}
LCRYPTO_ALIAS(X509_STORE_CTX_trusted_stack);
void
X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted)
{
X509_STORE_CTX_trusted_stack(ctx, sk);
ctx->trusted = trusted;
ctx->get_issuer = get_trusted_issuer;
}
LCRYPTO_ALIAS(X509_STORE_CTX_set0_trusted_stack);

37
lib/libcrypto/x509/x509name.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509name.c,v 1.32 2023/05/02 14:13:05 beck Exp $ */
/* $OpenBSD: x509name.c,v 1.34 2023/05/03 08:10:23 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -66,7 +66,6 @@
#include <openssl/stack.h>
#include <openssl/x509.h>
#include "bytestring.h"
#include "x509_local.h"
int
@ -85,37 +84,21 @@ int
X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf,
int len)
{
unsigned char *text = NULL;
int i;
ASN1_STRING *data;
int i, text_len;
int ret = -1;
CBS cbs;
i = X509_NAME_get_index_by_OBJ(name, obj, -1);
if (i < 0)
goto err;
return (-1);
data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
/*
* Fail if we cannot encode as UTF-8, or if the UTF-8 encoding of the
* string contains a 0 byte, because mortal callers seldom handle the
* length difference correctly
*/
if ((text_len = ASN1_STRING_to_UTF8(&text, data)) < 0)
goto err;
CBS_init(&cbs, text, text_len);
if (CBS_contains_zero_byte(&cbs))
goto err;
/* We still support the "pass NULL to find out how much" API */
if (buf != NULL) {
if (!CBS_write_bytes(&cbs, buf, len - 1, NULL))
goto err;
/* It must be a C string */
buf[text_len] = '\0';
i = (data->length > (len - 1)) ? (len - 1) : data->length;
if (buf == NULL)
return (data->length);
if (i >= 0) {
memcpy(buf, data->data, i);
buf[i] = '\0';
}
ret = text_len;
err:
free(text);
return (ret);
return (i);
}
LCRYPTO_ALIAS(X509_NAME_get_text_by_OBJ);