diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt index d2c029d..f525de2 100644 --- a/platform/CMakeLists.txt +++ b/platform/CMakeLists.txt @@ -1,6 +1,6 @@ add_executable(tfe src/key_keeper.cpp src/kni_acceptor.cpp src/ssl_stream.cpp - src/ssl_sess_cache.cpp src/ssl_trusted_cert_storage.cpp - src/ssl_utils.cpp src/tcp_stream.cpp src/main.cpp src/proxy.cpp) + src/ssl_sess_cache.cpp src/ssl_trusted_cert_storage.cpp src/ev_root_ca_metadata.cpp + src/ssl_utils.cpp src/tcp_stream.cpp src/main.cpp src/proxy.cpp) target_include_directories(tfe PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include/external) target_include_directories(tfe PRIVATE ${CMAKE_CURRENT_LIST_DIR}/include/internal) diff --git a/platform/include/internal/ssl_trusted_cert_storage.h b/platform/include/internal/ssl_trusted_cert_storage.h index 8ad4598..11daeee 100644 --- a/platform/include/internal/ssl_trusted_cert_storage.h +++ b/platform/include/internal/ssl_trusted_cert_storage.h @@ -20,7 +20,14 @@ struct cert_verify_param char no_verify_issuer; char no_verify_expiry_date; }; -int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason); +struct cert_verify_result +{ + char is_hostmatched; + char is_ev; + char is_ct; + int error_code; +}; +int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason, struct cert_verify_result* result); int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename); int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename); void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage); 
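Review bot: `struct cert_verify_result` documents none of its fields, and their meaning is narrower than the names suggest: in ssl_trusted_cert_storage.cpp `is_ct` is set merely because the leaf carries the embedded SCT extension (`NID_ct_precert_scts`), with no SCT validation, and `is_ev` comes from a policy-OID text match that is not tied to the chain's root. Comment them accordingly, e.g. `char is_hostmatched; /* 1 if hostname matched the leaf, or CN verification is disabled */`, `char is_ev; /* 1 if the leaf lists a known EV policy OID (root not checked) */`, `char is_ct; /* 1 if the leaf embeds an SCT list; SCTs are not verified */`, `int error_code; /* X509_STORE_CTX_get_error() of the chain build */`. The prototype should also state that `result` is an output the callee only partially fills on the negative paths, so callers must not read stale flags as fresh.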
diff --git a/platform/include/internal/ssl_utils.h b/platform/include/internal/ssl_utils.h index 3e7a7fc..cd6dcf7 100644 --- a/platform/include/internal/ssl_utils.h +++ b/platform/include/internal/ssl_utils.h @@ -164,6 +164,8 @@ int ssl_x509_is_valid(X509 *); char * ssl_x509_to_str(X509 *); char * ssl_x509_to_pem(X509 *); void ssl_x509_refcount_inc(X509 *); +char* ssl_x509_get_extension(X509 *cert, int ext_NID); +int ssl_x509_is_ev(const char* policy_oid); int ssl_x509chain_load(X509 **, STACK_OF(X509) **, const char *); void ssl_x509chain_use(SSL_CTX *, X509 *, STACK_OF(X509) *); diff --git a/platform/src/ev_root_ca_metadata.cpp b/platform/src/ev_root_ca_metadata.cpp new file mode 100644 index 0000000..59d2809 --- /dev/null +++ b/platform/src/ev_root_ca_metadata.cpp 
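Review bot: `ssl_x509_get_extension` returns a `char*` with no statement of ownership, yet its caller in ssl_trusted_cert_storage.cpp passes the result to `free()`, so the contract is heap ownership transfer and belongs on the prototype: `/* Text of extension ext_NID of cert as a malloc'd string; caller must free(). NULL if absent or on error. */`. `ssl_x509_is_ev` likewise deserves `/* 1 if policy_oid (certificatePolicies text) names a known EV policy OID, else 0. Does not check the chain's root. */`, since the name suggests it inspects an X509 but it takes text. The parameter name `ext_NID` mixes styles with the surrounding snake_case declarations; `ext_nid` would match.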
@@ -0,0 +1,749 @@ +#include +#include + +//Following code is from https://cs.chromium.org/chromium/src/net/cert/ev_root_ca_metadata.cc + + +// kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At +// least one CA has different EV policies for business vs government +// entities and, in the case of cross-signing, we might need to list another +// CA's policy OID under the cross-signing root. +static const size_t kMaxOIDsPerCA = 2; + +// Raw metadata. +struct EVMetadata { + // The SHA-256 fingerprint of the root CA certificate, used as a unique + // identifier for a root CA certificate. + unsigned char fingerprint[32]; + + // The EV policy OIDs of the root CA. + const char* policy_oids[kMaxOIDsPerCA]; +}; + +// These certificates may be found in net/data/ssl/ev_roots. +static const EVMetadata kEvRootCaMetadata[] = { + // AC Camerfirma S.A. Chambers of Commerce Root - 2008 + // https://www.camerfirma.com + { + {0x06, 0x3e, 0x4a, 0xfa, 0xc4, 0x91, 0xdf, 0xd3, 0x32, 0xf3, 0x08, + 0x9b, 0x85, 0x42, 0xe9, 0x46, 0x17, 0xd8, 0x93, 0xd7, 0xfe, 0x94, + 0x4e, 0x10, 0xa7, 0x93, 0x7e, 0xe2, 0x9d, 0x96, 0x93, 0xc0}, + { + // AC Camerfirma uses the last two arcs to track how the private key + // is managed - the effective verification policy is the same. + "1.3.6.1.4.1.17326.10.14.2.1.2", "1.3.6.1.4.1.17326.10.14.2.2.2", + }, + }, + // AC Camerfirma S.A. Global Chambersign Root - 2008 + // https://server2.camerfirma.com:8082 + { + {0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xa7, 0x69, 0x80, 0x16, 0xa0, + 0xd3, 0x24, 0xde, 0x72, 0x28, 0x4e, 0x07, 0x9d, 0x7b, 0x52, 0x20, + 0xbb, 0x8f, 0xbd, 0x74, 0x78, 0x16, 0xee, 0xbe, 0xba, 0xca}, + { + // AC Camerfirma uses the last two arcs to track how the private key + // is managed - the effective verification policy is the same. 
+ "1.3.6.1.4.1.17326.10.8.12.1.2", "1.3.6.1.4.1.17326.10.8.12.2.2", + }, + }, + // AddTrust External CA Root + // https://addtrustexternalcaroot-ev.comodoca.com + { + {0x68, 0x7f, 0xa4, 0x51, 0x38, 0x22, 0x78, 0xff, 0xf0, 0xc8, 0xb1, + 0x1f, 0x8d, 0x43, 0xd5, 0x76, 0x67, 0x1c, 0x6e, 0xb2, 0xbc, 0xea, + 0xb4, 0x13, 0xfb, 0x83, 0xd9, 0x65, 0xd0, 0x6d, 0x2f, 0xf2}, + { + "1.3.6.1.4.1.6449.1.2.1.5.1", + // This is the Network Solutions EV OID. However, this root + // cross-certifies NetSol and so we need it here too. + "1.3.6.1.4.1.782.1.2.1.8.1", + }, + }, + // Actalis Authentication Root CA + // https://ssltest-a.actalis.it:8443 + { + {0x55, 0x92, 0x60, 0x84, 0xec, 0x96, 0x3a, 0x64, 0xb9, 0x6e, 0x2a, + 0xbe, 0x01, 0xce, 0x0b, 0xa8, 0x6a, 0x64, 0xfb, 0xfe, 0xbc, 0xc7, + 0xaa, 0xb5, 0xaf, 0xc1, 0x55, 0xb3, 0x7f, 0xd7, 0x60, 0x66}, + {"1.3.159.1.17.1", ""}, + }, + // AffirmTrust Commercial + // https://commercial.affirmtrust.com/ + { + {0x03, 0x76, 0xab, 0x1d, 0x54, 0xc5, 0xf9, 0x80, 0x3c, 0xe4, 0xb2, + 0xe2, 0x01, 0xa0, 0xee, 0x7e, 0xef, 0x7b, 0x57, 0xb6, 0x36, 0xe8, + 0xa9, 0x3c, 0x9b, 0x8d, 0x48, 0x60, 0xc9, 0x6f, 0x5f, 0xa7}, + {"1.3.6.1.4.1.34697.2.1", ""}, + }, + // AffirmTrust Networking + // https://networking.affirmtrust.com:4431 + { + {0x0a, 0x81, 0xec, 0x5a, 0x92, 0x97, 0x77, 0xf1, 0x45, 0x90, 0x4a, + 0xf3, 0x8d, 0x5d, 0x50, 0x9f, 0x66, 0xb5, 0xe2, 0xc5, 0x8f, 0xcd, + 0xb5, 0x31, 0x05, 0x8b, 0x0e, 0x17, 0xf3, 0xf0, 0xb4, 0x1b}, + {"1.3.6.1.4.1.34697.2.2", ""}, + }, + // AffirmTrust Premium + // https://premium.affirmtrust.com:4432/ + { + {0x70, 0xa7, 0x3f, 0x7f, 0x37, 0x6b, 0x60, 0x07, 0x42, 0x48, 0x90, + 0x45, 0x34, 0xb1, 0x14, 0x82, 0xd5, 0xbf, 0x0e, 0x69, 0x8e, 0xcc, + 0x49, 0x8d, 0xf5, 0x25, 0x77, 0xeb, 0xf2, 0xe9, 0x3b, 0x9a}, + {"1.3.6.1.4.1.34697.2.3", ""}, + }, + // AffirmTrust Premium ECC + // https://premiumecc.affirmtrust.com:4433/ + { + {0xbd, 0x71, 0xfd, 0xf6, 0xda, 0x97, 0xe4, 0xcf, 0x62, 0xd1, 0x64, + 0x7a, 0xdd, 0x25, 0x81, 0xb0, 0x7d, 0x79, 
0xad, 0xf8, 0x39, 0x7e, + 0xb4, 0xec, 0xba, 0x9c, 0x5e, 0x84, 0x88, 0x82, 0x14, 0x23}, + {"1.3.6.1.4.1.34697.2.4", ""}, + }, + // Amazon Root CA 1 + // https://good.sca1a.amazontrust.com/ + { + {0x8e, 0xcd, 0xe6, 0x88, 0x4f, 0x3d, 0x87, 0xb1, 0x12, 0x5b, 0xa3, + 0x1a, 0xc3, 0xfc, 0xb1, 0x3d, 0x70, 0x16, 0xde, 0x7f, 0x57, 0xcc, + 0x90, 0x4f, 0xe1, 0xcb, 0x97, 0xc6, 0xae, 0x98, 0x19, 0x6e}, + {"2.23.140.1.1", ""}, + }, + // Amazon Root CA 2 + // https://good.sca2a.amazontrust.com/ + { + {0x1b, 0xa5, 0xb2, 0xaa, 0x8c, 0x65, 0x40, 0x1a, 0x82, 0x96, 0x01, + 0x18, 0xf8, 0x0b, 0xec, 0x4f, 0x62, 0x30, 0x4d, 0x83, 0xce, 0xc4, + 0x71, 0x3a, 0x19, 0xc3, 0x9c, 0x01, 0x1e, 0xa4, 0x6d, 0xb4}, + {"2.23.140.1.1", ""}, + }, + // Amazon Root CA 3 + // https://good.sca3a.amazontrust.com/ + { + {0x18, 0xce, 0x6c, 0xfe, 0x7b, 0xf1, 0x4e, 0x60, 0xb2, 0xe3, 0x47, + 0xb8, 0xdf, 0xe8, 0x68, 0xcb, 0x31, 0xd0, 0x2e, 0xbb, 0x3a, 0xda, + 0x27, 0x15, 0x69, 0xf5, 0x03, 0x43, 0xb4, 0x6d, 0xb3, 0xa4}, + {"2.23.140.1.1", ""}, + }, + // Amazon Root CA 4 + // https://good.sca4a.amazontrust.com/ + { + {0xe3, 0x5d, 0x28, 0x41, 0x9e, 0xd0, 0x20, 0x25, 0xcf, 0xa6, 0x90, + 0x38, 0xcd, 0x62, 0x39, 0x62, 0x45, 0x8d, 0xa5, 0xc6, 0x95, 0xfb, + 0xde, 0xa3, 0xc2, 0x2b, 0x0b, 0xfb, 0x25, 0x89, 0x70, 0x92}, + {"2.23.140.1.1", ""}, + }, + // Autoridad de Certificacion Firmaprofesional CIF A62634068 + // https://publifirma.firmaprofesional.com/ + { + {0x04, 0x04, 0x80, 0x28, 0xbf, 0x1f, 0x28, 0x64, 0xd4, 0x8f, 0x9a, + 0xd4, 0xd8, 0x32, 0x94, 0x36, 0x6a, 0x82, 0x88, 0x56, 0x55, 0x3f, + 0x3b, 0x14, 0x30, 0x3f, 0x90, 0x14, 0x7f, 0x5d, 0x40, 0xef}, + {"1.3.6.1.4.1.13177.10.1.3.10", ""}, + }, + // Baltimore CyberTrust Root + // https://secure.omniroot.com/repository/ + { + {0x16, 0xaf, 0x57, 0xa9, 0xf6, 0x76, 0xb0, 0xab, 0x12, 0x60, 0x95, + 0xaa, 0x5e, 0xba, 0xde, 0xf2, 0x2a, 0xb3, 0x11, 0x19, 0xd6, 0x44, + 0xac, 0x95, 0xcd, 0x4b, 0x93, 0xdb, 0xf3, 0xf2, 0x6a, 0xeb}, + {"1.3.6.1.4.1.6334.1.100.1", ""}, + }, + // Buypass 
Class 3 CA 1 + // https://valid.evident.ca13.ssl.buypass.no/ + { + {0xb7, 0xb1, 0x2b, 0x17, 0x1f, 0x82, 0x1d, 0xaa, 0x99, 0x0c, 0xd0, + 0xfe, 0x50, 0x87, 0xb1, 0x28, 0x44, 0x8b, 0xa8, 0xe5, 0x18, 0x4f, + 0x84, 0xc5, 0x1e, 0x02, 0xb5, 0xc8, 0xfb, 0x96, 0x2b, 0x24}, + {"2.16.578.1.26.1.3.3", ""}, + }, + // Buypass Class 3 Root CA + // https://valid.evident.ca23.ssl.buypass.no/ + { + {0xed, 0xf7, 0xeb, 0xbc, 0xa2, 0x7a, 0x2a, 0x38, 0x4d, 0x38, 0x7b, + 0x7d, 0x40, 0x10, 0xc6, 0x66, 0xe2, 0xed, 0xb4, 0x84, 0x3e, 0x4c, + 0x29, 0xb4, 0xae, 0x1d, 0x5b, 0x93, 0x32, 0xe6, 0xb2, 0x4d}, + {"2.16.578.1.26.1.3.3", ""}, + }, + // CertPlus Class 2 Primary CA (KEYNECTIS) + // https://www.keynectis.com/ + { + {0x0f, 0x99, 0x3c, 0x8a, 0xef, 0x97, 0xba, 0xaf, 0x56, 0x87, 0x14, + 0x0e, 0xd5, 0x9a, 0xd1, 0x82, 0x1b, 0xb4, 0xaf, 0xac, 0xf0, 0xaa, + 0x9a, 0x58, 0xb5, 0xd5, 0x7a, 0x33, 0x8a, 0x3a, 0xfb, 0xcb}, + {"1.3.6.1.4.1.22234.2.5.2.3.1", ""}, + }, + // Certum Trusted Network CA + // https://juice.certum.pl/ + { + {0x5c, 0x58, 0x46, 0x8d, 0x55, 0xf5, 0x8e, 0x49, 0x7e, 0x74, 0x39, + 0x82, 0xd2, 0xb5, 0x00, 0x10, 0xb6, 0xd1, 0x65, 0x37, 0x4a, 0xcf, + 0x83, 0xa7, 0xd4, 0xa3, 0x2d, 0xb7, 0x68, 0xc4, 0x40, 0x8e}, + {"1.2.616.1.113527.2.5.1.1", ""}, + }, + // CFCA EV ROOT + // https://www.erenepu.com/ + { + {0x5c, 0xc3, 0xd7, 0x8e, 0x4e, 0x1d, 0x5e, 0x45, 0x54, 0x7a, 0x04, + 0xe6, 0x87, 0x3e, 0x64, 0xf9, 0x0c, 0xf9, 0x53, 0x6d, 0x1c, 0xcc, + 0x2e, 0xf8, 0x00, 0xf3, 0x55, 0xc4, 0xc5, 0xfd, 0x70, 0xfd}, + {"2.16.156.112554.3", ""}, + }, + // China Internet Network Information Center EV Certificates Root + // https://evdemo.cnnic.cn/ + { + // Root + {0x1c, 0x01, 0xc6, 0xf4, 0xdb, 0xb2, 0xfe, 0xfc, 0x22, 0x55, 0x8b, + 0x2b, 0xca, 0x32, 0x56, 0x3f, 0x49, 0x84, 0x4a, 0xcf, 0xc3, 0x2b, + 0x7b, 0xe4, 0xb0, 0xff, 0x59, 0x9f, 0x9e, 0x8c, 0x7a, 0xf7}, + {"1.3.6.1.4.1.29836.1.10", ""}, + }, + // COMODO Certification Authority + // https://secure.comodo.com/ + { + {0x0c, 0x2c, 0xd6, 0x3d, 0xf7, 0x80, 
0x6f, 0xa3, 0x99, 0xed, 0xe8, + 0x09, 0x11, 0x6b, 0x57, 0x5b, 0xf8, 0x79, 0x89, 0xf0, 0x65, 0x18, + 0xf9, 0x80, 0x8c, 0x86, 0x05, 0x03, 0x17, 0x8b, 0xaf, 0x66}, + {"1.3.6.1.4.1.6449.1.2.1.5.1", ""}, + }, + // COMODO Certification Authority (reissued certificate with NotBefore of + // Jan 1 00:00:00 2011 GMT) + // https://secure.comodo.com/ + { + {0x1a, 0x0d, 0x20, 0x44, 0x5d, 0xe5, 0xba, 0x18, 0x62, 0xd1, 0x9e, + 0xf8, 0x80, 0x85, 0x8c, 0xbc, 0xe5, 0x01, 0x02, 0xb3, 0x6e, 0x8f, + 0x0a, 0x04, 0x0c, 0x3c, 0x69, 0xe7, 0x45, 0x22, 0xfe, 0x6e}, + {"1.3.6.1.4.1.6449.1.2.1.5.1", ""}, + }, + // COMODO ECC Certification Authority + // https://comodoecccertificationauthority-ev.comodoca.com/ + { + {0x17, 0x93, 0x92, 0x7a, 0x06, 0x14, 0x54, 0x97, 0x89, 0xad, 0xce, + 0x2f, 0x8f, 0x34, 0xf7, 0xf0, 0xb6, 0x6d, 0x0f, 0x3a, 0xe3, 0xa3, + 0xb8, 0x4d, 0x21, 0xec, 0x15, 0xdb, 0xba, 0x4f, 0xad, 0xc7}, + {"1.3.6.1.4.1.6449.1.2.1.5.1", ""}, + }, + // COMODO RSA Certification Authority + // https://comodorsacertificationauthority-ev.comodoca.com/ + { + {0x52, 0xf0, 0xe1, 0xc4, 0xe5, 0x8e, 0xc6, 0x29, 0x29, 0x1b, 0x60, + 0x31, 0x7f, 0x07, 0x46, 0x71, 0xb8, 0x5d, 0x7e, 0xa8, 0x0d, 0x5b, + 0x07, 0x27, 0x34, 0x63, 0x53, 0x4b, 0x32, 0xb4, 0x02, 0x34}, + {"1.3.6.1.4.1.6449.1.2.1.5.1", ""}, + }, + // Cybertrust Global Root + // https://evup.cybertrust.ne.jp/ctj-ev-upgrader/evseal.gif + { + {0x96, 0x0a, 0xdf, 0x00, 0x63, 0xe9, 0x63, 0x56, 0x75, 0x0c, 0x29, + 0x65, 0xdd, 0x0a, 0x08, 0x67, 0xda, 0x0b, 0x9c, 0xbd, 0x6e, 0x77, + 0x71, 0x4a, 0xea, 0xfb, 0x23, 0x49, 0xab, 0x39, 0x3d, 0xa3}, + {"1.3.6.1.4.1.6334.1.100.1", ""}, + }, + // DigiCert Assured ID Root CA + // https://assured-id-root-ca.chain-demos.digicert.com/ + { + {0x3e, 0x90, 0x99, 0xb5, 0x01, 0x5e, 0x8f, 0x48, 0x6c, 0x00, 0xbc, + 0xea, 0x9d, 0x11, 0x1e, 0xe7, 0x21, 0xfa, 0xba, 0x35, 0x5a, 0x89, + 0xbc, 0xf1, 0xdf, 0x69, 0x56, 0x1e, 0x3d, 0xc6, 0x32, 0x5c}, + {"2.16.840.1.114412.2.1", ""}, + }, + // DigiCert Global Root CA + // 
https://global-root-ca.chain-demos.digicert.com/ + { + {0x43, 0x48, 0xa0, 0xe9, 0x44, 0x4c, 0x78, 0xcb, 0x26, 0x5e, 0x05, + 0x8d, 0x5e, 0x89, 0x44, 0xb4, 0xd8, 0x4f, 0x96, 0x62, 0xbd, 0x26, + 0xdb, 0x25, 0x7f, 0x89, 0x34, 0xa4, 0x43, 0xc7, 0x01, 0x61}, + {"2.16.840.1.114412.2.1", ""}, + }, + // DigiCert Global Root G2 + // https://global-root-g2.chain-demos.digicert.com/ + { + {0xcb, 0x3c, 0xcb, 0xb7, 0x60, 0x31, 0xe5, 0xe0, 0x13, 0x8f, 0x8d, + 0xd3, 0x9a, 0x23, 0xf9, 0xde, 0x47, 0xff, 0xc3, 0x5e, 0x43, 0xc1, + 0x14, 0x4c, 0xea, 0x27, 0xd4, 0x6a, 0x5a, 0xb1, 0xcb, 0x5f}, + {"2.16.840.1.114412.2.1", ""}, + }, + // DigiCert Global Root G3 + // https://global-root-g3.chain-demos.digicert.com/ + { + {0x31, 0xad, 0x66, 0x48, 0xf8, 0x10, 0x41, 0x38, 0xc7, 0x38, 0xf3, + 0x9e, 0xa4, 0x32, 0x01, 0x33, 0x39, 0x3e, 0x3a, 0x18, 0xcc, 0x02, + 0x29, 0x6e, 0xf9, 0x7c, 0x2a, 0xc9, 0xef, 0x67, 0x31, 0xd0}, + {"2.16.840.1.114412.2.1", ""}, + }, + // DigiCert High Assurance EV Root CA + // https://www.digicert.com + { + {0x74, 0x31, 0xe5, 0xf4, 0xc3, 0xc1, 0xce, 0x46, 0x90, 0x77, 0x4f, + 0x0b, 0x61, 0xe0, 0x54, 0x40, 0x88, 0x3b, 0xa9, 0xa0, 0x1e, 0xd0, + 0x0b, 0xa6, 0xab, 0xd7, 0x80, 0x6e, 0xd3, 0xb1, 0x18, 0xcf}, + {"2.16.840.1.114412.2.1", ""}, + }, + // DigiCert Trusted Root G4 + // https://trusted-root-g4.chain-demos.digicert.com/ + { + {0x55, 0x2f, 0x7b, 0xdc, 0xf1, 0xa7, 0xaf, 0x9e, 0x6c, 0xe6, 0x72, + 0x01, 0x7f, 0x4f, 0x12, 0xab, 0xf7, 0x72, 0x40, 0xc7, 0x8e, 0x76, + 0x1a, 0xc2, 0x03, 0xd1, 0xd9, 0xd2, 0x0a, 0xc8, 0x99, 0x88}, + {"2.16.840.1.114412.2.1", ""}, + }, + // D-TRUST Root Class 3 CA 2 EV 2009 + // https://certdemo-ev-valid.ssl.d-trust.net/ + { + {0xee, 0xc5, 0x49, 0x6b, 0x98, 0x8c, 0xe9, 0x86, 0x25, 0xb9, 0x34, + 0x09, 0x2e, 0xec, 0x29, 0x08, 0xbe, 0xd0, 0xb0, 0xf3, 0x16, 0xc2, + 0xd4, 0x73, 0x0c, 0x84, 0xea, 0xf1, 0xf3, 0xd3, 0x48, 0x81}, + {"1.3.6.1.4.1.4788.2.202.1", ""}, + }, + // Entrust.net Secure Server Certification Authority + // https://www.entrust.net/ + 
{ + {0x62, 0xf2, 0x40, 0x27, 0x8c, 0x56, 0x4c, 0x4d, 0xd8, 0xbf, 0x7d, + 0x9d, 0x4f, 0x6f, 0x36, 0x6e, 0xa8, 0x94, 0xd2, 0x2f, 0x5f, 0x34, + 0xd9, 0x89, 0xa9, 0x83, 0xac, 0xec, 0x2f, 0xff, 0xed, 0x50}, + {"2.16.840.1.114028.10.1.2", ""}, + }, + // Entrust Root Certification Authority + // https://www.entrust.net/ + { + {0x73, 0xc1, 0x76, 0x43, 0x4f, 0x1b, 0xc6, 0xd5, 0xad, 0xf4, 0x5b, + 0x0e, 0x76, 0xe7, 0x27, 0x28, 0x7c, 0x8d, 0xe5, 0x76, 0x16, 0xc1, + 0xe6, 0xe6, 0x14, 0x1a, 0x2b, 0x2c, 0xbc, 0x7d, 0x8e, 0x4c}, + {"2.16.840.1.114028.10.1.2", ""}, + }, + // Entrust Root Certification Authority – G2 + // https://validg2.entrust.net + { + {0x43, 0xdf, 0x57, 0x74, 0xb0, 0x3e, 0x7f, 0xef, 0x5f, 0xe4, 0x0d, + 0x93, 0x1a, 0x7b, 0xed, 0xf1, 0xbb, 0x2e, 0x6b, 0x42, 0x73, 0x8c, + 0x4e, 0x6d, 0x38, 0x41, 0x10, 0x3d, 0x3a, 0xa7, 0xf3, 0x39}, + {"2.16.840.1.114028.10.1.2", ""}, + }, + // Entrust Root Certification Authority – EC1 + // https://validec.entrust.net + { + {0x02, 0xed, 0x0e, 0xb2, 0x8c, 0x14, 0xda, 0x45, 0x16, 0x5c, 0x56, + 0x67, 0x91, 0x70, 0x0d, 0x64, 0x51, 0xd7, 0xfb, 0x56, 0xf0, 0xb2, + 0xab, 0x1d, 0x3b, 0x8e, 0xb0, 0x70, 0xe5, 0x6e, 0xdf, 0xf5}, + {"2.16.840.1.114028.10.1.2", ""}, + }, + // Equifax Secure Certificate Authority (GeoTrust) + // https://www.geotrust.com/ + { + {0x08, 0x29, 0x7a, 0x40, 0x47, 0xdb, 0xa2, 0x36, 0x80, 0xc7, 0x31, + 0xdb, 0x6e, 0x31, 0x76, 0x53, 0xca, 0x78, 0x48, 0xe1, 0xbe, 0xbd, + 0x3a, 0x0b, 0x01, 0x79, 0xa7, 0x07, 0xf9, 0x2c, 0xf1, 0x78}, + {"1.3.6.1.4.1.14370.1.6", ""}, + }, + // E-Tugra Certification Authority + // https://sslev.e-tugra.com.tr + { + {0xb0, 0xbf, 0xd5, 0x2b, 0xb0, 0xd7, 0xd9, 0xbd, 0x92, 0xbf, 0x5d, + 0x4d, 0xc1, 0x3d, 0xa2, 0x55, 0xc0, 0x2c, 0x54, 0x2f, 0x37, 0x83, + 0x65, 0xea, 0x89, 0x39, 0x11, 0xf5, 0x5e, 0x55, 0xf2, 0x3c}, + {"2.16.792.3.0.4.1.1.4", ""}, + }, + // GeoTrust Primary Certification Authority + // https://www.geotrust.com/ + { + {0x37, 0xd5, 0x10, 0x06, 0xc5, 0x12, 0xea, 0xab, 0x62, 0x64, 0x21, 
+ 0xf1, 0xec, 0x8c, 0x92, 0x01, 0x3f, 0xc5, 0xf8, 0x2a, 0xe9, 0x8e, + 0xe5, 0x33, 0xeb, 0x46, 0x19, 0xb8, 0xde, 0xb4, 0xd0, 0x6c}, + {"1.3.6.1.4.1.14370.1.6", ""}, + }, + // GeoTrust Primary Certification Authority - G2 + { + {0x5e, 0xdb, 0x7a, 0xc4, 0x3b, 0x82, 0xa0, 0x6a, 0x87, 0x61, 0xe8, + 0xd7, 0xbe, 0x49, 0x79, 0xeb, 0xf2, 0x61, 0x1f, 0x7d, 0xd7, 0x9b, + 0xf9, 0x1c, 0x1c, 0x6b, 0x56, 0x6a, 0x21, 0x9e, 0xd7, 0x66}, + {"1.3.6.1.4.1.14370.1.6", ""}, + }, + // GeoTrust Primary Certification Authority - G3 + { + {0xb4, 0x78, 0xb8, 0x12, 0x25, 0x0d, 0xf8, 0x78, 0x63, 0x5c, 0x2a, + 0xa7, 0xec, 0x7d, 0x15, 0x5e, 0xaa, 0x62, 0x5e, 0xe8, 0x29, 0x16, + 0xe2, 0xcd, 0x29, 0x43, 0x61, 0x88, 0x6c, 0xd1, 0xfb, 0xd4}, + {"1.3.6.1.4.1.14370.1.6", ""}, + }, + // GlobalSign Root CA - R2 + // https://www.globalsign.com/ + { + {0xca, 0x42, 0xdd, 0x41, 0x74, 0x5f, 0xd0, 0xb8, 0x1e, 0xb9, 0x02, + 0x36, 0x2c, 0xf9, 0xd8, 0xbf, 0x71, 0x9d, 0xa1, 0xbd, 0x1b, 0x1e, + 0xfc, 0x94, 0x6f, 0x5b, 0x4c, 0x99, 0xf4, 0x2c, 0x1b, 0x9e}, + {"1.3.6.1.4.1.4146.1.1", ""}, + }, + // GlobalSign Root CA + { + {0xeb, 0xd4, 0x10, 0x40, 0xe4, 0xbb, 0x3e, 0xc7, 0x42, 0xc9, 0xe3, + 0x81, 0xd3, 0x1e, 0xf2, 0xa4, 0x1a, 0x48, 0xb6, 0x68, 0x5c, 0x96, + 0xe7, 0xce, 0xf3, 0xc1, 0xdf, 0x6c, 0xd4, 0x33, 0x1c, 0x99}, + {"1.3.6.1.4.1.4146.1.1", ""}, + }, + // GlobalSign Root CA - R3 + // https://2029.globalsign.com/ + { + {0xcb, 0xb5, 0x22, 0xd7, 0xb7, 0xf1, 0x27, 0xad, 0x6a, 0x01, 0x13, + 0x86, 0x5b, 0xdf, 0x1c, 0xd4, 0x10, 0x2e, 0x7d, 0x07, 0x59, 0xaf, + 0x63, 0x5a, 0x7c, 0xf4, 0x72, 0x0d, 0xc9, 0x63, 0xc5, 0x3b}, + {"1.3.6.1.4.1.4146.1.1", ""}, + }, + // GlobalSign ECC Root CA - R4 + // https://2038r4.globalsign.com + { + {0xbe, 0xc9, 0x49, 0x11, 0xc2, 0x95, 0x56, 0x76, 0xdb, 0x6c, 0x0a, + 0x55, 0x09, 0x86, 0xd7, 0x6e, 0x3b, 0xa0, 0x05, 0x66, 0x7c, 0x44, + 0x2c, 0x97, 0x62, 0xb4, 0xfb, 0xb7, 0x73, 0xde, 0x22, 0x8c}, + {"1.3.6.1.4.1.4146.1.1", ""}, + }, + // GlobalSign ECC Root CA - R5 + // 
https://2038r5.globalsign.com/ + { + {0x17, 0x9f, 0xbc, 0x14, 0x8a, 0x3d, 0xd0, 0x0f, 0xd2, 0x4e, 0xa1, + 0x34, 0x58, 0xcc, 0x43, 0xbf, 0xa7, 0xf5, 0x9c, 0x81, 0x82, 0xd7, + 0x83, 0xa5, 0x13, 0xf6, 0xeb, 0xec, 0x10, 0x0c, 0x89, 0x24}, + {"1.3.6.1.4.1.4146.1.1", ""}, + }, + // Go Daddy Class 2 Certification Authority + // https://www.godaddy.com/ + { + {0xc3, 0x84, 0x6b, 0xf2, 0x4b, 0x9e, 0x93, 0xca, 0x64, 0x27, 0x4c, + 0x0e, 0xc6, 0x7c, 0x1e, 0xcc, 0x5e, 0x02, 0x4f, 0xfc, 0xac, 0xd2, + 0xd7, 0x40, 0x19, 0x35, 0x0e, 0x81, 0xfe, 0x54, 0x6a, 0xe4}, + {"2.16.840.1.114413.1.7.23.3", ""}, + }, + // Go Daddy Root Certificate Authority - G2 + // https://valid.gdig2.catest.godaddy.com/ + { + {0x45, 0x14, 0x0b, 0x32, 0x47, 0xeb, 0x9c, 0xc8, 0xc5, 0xb4, 0xf0, + 0xd7, 0xb5, 0x30, 0x91, 0xf7, 0x32, 0x92, 0x08, 0x9e, 0x6e, 0x5a, + 0x63, 0xe2, 0x74, 0x9d, 0xd3, 0xac, 0xa9, 0x19, 0x8e, 0xda}, + {"2.16.840.1.114413.1.7.23.3", ""}, + }, + // GTE CyberTrust Global Root + // https://www.cybertrust.ne.jp/ + { + {0xa5, 0x31, 0x25, 0x18, 0x8d, 0x21, 0x10, 0xaa, 0x96, 0x4b, 0x02, + 0xc7, 0xb7, 0xc6, 0xda, 0x32, 0x03, 0x17, 0x08, 0x94, 0xe5, 0xfb, + 0x71, 0xff, 0xfb, 0x66, 0x67, 0xd5, 0xe6, 0x81, 0x0a, 0x36}, + {"1.3.6.1.4.1.6334.1.100.1", ""}, + }, + // Izenpe.com - SHA256 root + // The first OID is for businesses and the second for government entities. + // These are the test sites, respectively: + // https://servicios.izenpe.com + // https://servicios1.izenpe.com + { + {0x25, 0x30, 0xcc, 0x8e, 0x98, 0x32, 0x15, 0x02, 0xba, 0xd9, 0x6f, + 0x9b, 0x1f, 0xba, 0x1b, 0x09, 0x9e, 0x2d, 0x29, 0x9e, 0x0f, 0x45, + 0x48, 0xbb, 0x91, 0x4f, 0x36, 0x3b, 0xc0, 0xd4, 0x53, 0x1f}, + {"1.3.6.1.4.1.14777.6.1.1", "1.3.6.1.4.1.14777.6.1.2"}, + }, + // Izenpe.com - SHA1 root + // Windows XP finds this, SHA1, root instead. The policy OIDs are the same + // as for the SHA256 root, above. 
+ { + {0x23, 0x80, 0x42, 0x03, 0xca, 0x45, 0xd8, 0xcd, 0xe7, 0x16, 0xb8, + 0xc1, 0x3b, 0xf3, 0xb4, 0x48, 0x45, 0x7f, 0xa0, 0x6c, 0xc1, 0x02, + 0x50, 0x99, 0x7f, 0xa0, 0x14, 0x58, 0x31, 0x7c, 0x41, 0xe5}, + {"1.3.6.1.4.1.14777.6.1.1", "1.3.6.1.4.1.14777.6.1.2"}, + }, + // LuxTrust Global Root 2 + // https://ltsslca5.trustme.lu/ + { + {0x54, 0x45, 0x5f, 0x71, 0x29, 0xc2, 0x0b, 0x14, 0x47, 0xc4, 0x18, + 0xf9, 0x97, 0x16, 0x8f, 0x24, 0xc5, 0x8f, 0xc5, 0x02, 0x3b, 0xf5, + 0xda, 0x5b, 0xe2, 0xeb, 0x6e, 0x1d, 0xd8, 0x90, 0x2e, 0xd5}, + {"1.3.171.1.1.10.5.2", ""}, + }, + // Network Solutions Certificate Authority + // https://www.networksolutions.com/website-packages/index.jsp + { + {0x15, 0xf0, 0xba, 0x00, 0xa3, 0xac, 0x7a, 0xf3, 0xac, 0x88, 0x4c, + 0x07, 0x2b, 0x10, 0x11, 0xa0, 0x77, 0xbd, 0x77, 0xc0, 0x97, 0xf4, + 0x01, 0x64, 0xb2, 0xf8, 0x59, 0x8a, 0xbd, 0x83, 0x86, 0x0c}, + {"1.3.6.1.4.1.782.1.2.1.8.1", ""}, + }, + // Network Solutions Certificate Authority (reissued certificate with + // NotBefore of Jan 1 00:00:00 2011 GMT). 
+ // https://www.networksolutions.com/website-packages/index.jsp + { + {0x00, 0x16, 0x86, 0xcd, 0x18, 0x1f, 0x83, 0xa1, 0xb1, 0x21, 0x7d, + 0x30, 0x5b, 0x36, 0x5c, 0x41, 0xe3, 0x47, 0x0a, 0x78, 0xa1, 0xd3, + 0x7b, 0x13, 0x4a, 0x98, 0xcd, 0x54, 0x7b, 0x92, 0xda, 0xb3}, + {"1.3.6.1.4.1.782.1.2.1.8.1", ""}, + }, + // OISTE WISeKey Global Root GB CA + // https://goodevssl.wisekey.com + { + {0x6b, 0x9c, 0x08, 0xe8, 0x6e, 0xb0, 0xf7, 0x67, 0xcf, 0xad, 0x65, + 0xcd, 0x98, 0xb6, 0x21, 0x49, 0xe5, 0x49, 0x4a, 0x67, 0xf5, 0x84, + 0x5e, 0x7b, 0xd1, 0xed, 0x01, 0x9f, 0x27, 0xb8, 0x6b, 0xd6}, + {"2.16.756.5.14.7.4.8", ""}, + }, + // QuoVadis Root CA 2 + // https://www.quovadis.bm/ + { + {0x85, 0xa0, 0xdd, 0x7d, 0xd7, 0x20, 0xad, 0xb7, 0xff, 0x05, 0xf8, + 0x3d, 0x54, 0x2b, 0x20, 0x9d, 0xc7, 0xff, 0x45, 0x28, 0xf7, 0xd6, + 0x77, 0xb1, 0x83, 0x89, 0xfe, 0xa5, 0xe5, 0xc4, 0x9e, 0x86}, + {"1.3.6.1.4.1.8024.0.2.100.1.2", ""}, + }, + // QuoVadis Root CA 2 G3 + // https://evsslicag3-v.quovadisglobal.com/ + { + {0x8f, 0xe4, 0xfb, 0x0a, 0xf9, 0x3a, 0x4d, 0x0d, 0x67, 0xdb, 0x0b, + 0xeb, 0xb2, 0x3e, 0x37, 0xc7, 0x1b, 0xf3, 0x25, 0xdc, 0xbc, 0xdd, + 0x24, 0x0e, 0xa0, 0x4d, 0xaf, 0x58, 0xb4, 0x7e, 0x18, 0x40}, + {"1.3.6.1.4.1.8024.0.2.100.1.2", ""}, + }, + // SecureTrust CA, SecureTrust Corporation + // https://www.securetrust.com + // https://www.trustwave.com/ + { + {0xf1, 0xc1, 0xb5, 0x0a, 0xe5, 0xa2, 0x0d, 0xd8, 0x03, 0x0e, 0xc9, + 0xf6, 0xbc, 0x24, 0x82, 0x3d, 0xd3, 0x67, 0xb5, 0x25, 0x57, 0x59, + 0xb4, 0xe7, 0x1b, 0x61, 0xfc, 0xe9, 0xf7, 0x37, 0x5d, 0x73}, + {"2.16.840.1.114404.1.1.2.4.1", ""}, + }, + // Secure Global CA, SecureTrust Corporation + { + {0x42, 0x00, 0xf5, 0x04, 0x3a, 0xc8, 0x59, 0x0e, 0xbb, 0x52, 0x7d, + 0x20, 0x9e, 0xd1, 0x50, 0x30, 0x29, 0xfb, 0xcb, 0xd4, 0x1c, 0xa1, + 0xb5, 0x06, 0xec, 0x27, 0xf1, 0x5a, 0xde, 0x7d, 0xac, 0x69}, + {"2.16.840.1.114404.1.1.2.4.1", ""}, + }, + // Security Communication RootCA1 + // https://www.secomtrust.net/contact/form.html + { + {0xe7, 
0x5e, 0x72, 0xed, 0x9f, 0x56, 0x0e, 0xec, 0x6e, 0xb4, 0x80, + 0x00, 0x73, 0xa4, 0x3f, 0xc3, 0xad, 0x19, 0x19, 0x5a, 0x39, 0x22, + 0x82, 0x01, 0x78, 0x95, 0x97, 0x4a, 0x99, 0x02, 0x6b, 0x6c}, + {"1.2.392.200091.100.721.1", ""}, + }, + // Security Communication EV RootCA1 + // https://www.secomtrust.net/contact/form.html + { + {0xa2, 0x2d, 0xba, 0x68, 0x1e, 0x97, 0x37, 0x6e, 0x2d, 0x39, 0x7d, + 0x72, 0x8a, 0xae, 0x3a, 0x9b, 0x62, 0x96, 0xb9, 0xfd, 0xba, 0x60, + 0xbc, 0x2e, 0x11, 0xf6, 0x47, 0xf2, 0xc6, 0x75, 0xfb, 0x37}, + {"1.2.392.200091.100.721.1", ""}, + }, + // Security Communication EV RootCA2 + // https://www.secomtrust.net/contact/form.html + { + {0x51, 0x3b, 0x2c, 0xec, 0xb8, 0x10, 0xd4, 0xcd, 0xe5, 0xdd, 0x85, + 0x39, 0x1a, 0xdf, 0xc6, 0xc2, 0xdd, 0x60, 0xd8, 0x7b, 0xb7, 0x36, + 0xd2, 0xb5, 0x21, 0x48, 0x4a, 0xa4, 0x7a, 0x0e, 0xbe, 0xf6}, + {"1.2.392.200091.100.721.1", ""}, + }, + // Staat der Nederlanden EV Root CA + // https://pkioevssl-v.quovadisglobal.com/ + { + {0x4d, 0x24, 0x91, 0x41, 0x4c, 0xfe, 0x95, 0x67, 0x46, 0xec, 0x4c, + 0xef, 0xa6, 0xcf, 0x6f, 0x72, 0xe2, 0x8a, 0x13, 0x29, 0x43, 0x2f, + 0x9d, 0x8a, 0x90, 0x7a, 0xc4, 0xcb, 0x5d, 0xad, 0xc1, 0x5a}, + {"2.16.528.1.1003.1.2.7", ""}, + }, + // StartCom Certification Authority + // https://www.startssl.com/ + { + {0xc7, 0x66, 0xa9, 0xbe, 0xf2, 0xd4, 0x07, 0x1c, 0x86, 0x3a, 0x31, + 0xaa, 0x49, 0x20, 0xe8, 0x13, 0xb2, 0xd1, 0x98, 0x60, 0x8c, 0xb7, + 0xb7, 0xcf, 0xe2, 0x11, 0x43, 0xb8, 0x36, 0xdf, 0x09, 0xea}, + {"1.3.6.1.4.1.23223.1.1.1", ""}, + }, + // Starfield Class 2 Certification Authority + // https://www.starfieldtech.com/ + { + {0x14, 0x65, 0xfa, 0x20, 0x53, 0x97, 0xb8, 0x76, 0xfa, 0xa6, 0xf0, + 0xa9, 0x95, 0x8e, 0x55, 0x90, 0xe4, 0x0f, 0xcc, 0x7f, 0xaa, 0x4f, + 0xb7, 0xc2, 0xc8, 0x67, 0x75, 0x21, 0xfb, 0x5f, 0xb6, 0x58}, + {"2.16.840.1.114414.1.7.23.3", ""}, + }, + // Starfield Root Certificate Authority - G2 + // https://valid.sfig2.catest.starfieldtech.com/ + { + {0x2c, 0xe1, 0xcb, 0x0b, 
0xf9, 0xd2, 0xf9, 0xe1, 0x02, 0x99, 0x3f, + 0xbe, 0x21, 0x51, 0x52, 0xc3, 0xb2, 0xdd, 0x0c, 0xab, 0xde, 0x1c, + 0x68, 0xe5, 0x31, 0x9b, 0x83, 0x91, 0x54, 0xdb, 0xb7, 0xf5}, + {"2.16.840.1.114414.1.7.23.3", ""}, + }, + // Starfield Services Root Certificate Authority - G2 + // https://valid.sfsg2.catest.starfieldtech.com/ + { + {0x56, 0x8d, 0x69, 0x05, 0xa2, 0xc8, 0x87, 0x08, 0xa4, 0xb3, 0x02, + 0x51, 0x90, 0xed, 0xcf, 0xed, 0xb1, 0x97, 0x4a, 0x60, 0x6a, 0x13, + 0xc6, 0xe5, 0x29, 0x0f, 0xcb, 0x2a, 0xe6, 0x3e, 0xda, 0xb5}, + {"2.16.840.1.114414.1.7.24.3", "2.23.140.1.1"}, + }, + // SwissSign Gold CA - G2 + // https://testevg2.swisssign.net/ + { + {0x62, 0xdd, 0x0b, 0xe9, 0xb9, 0xf5, 0x0a, 0x16, 0x3e, 0xa0, 0xf8, + 0xe7, 0x5c, 0x05, 0x3b, 0x1e, 0xca, 0x57, 0xea, 0x55, 0xc8, 0x68, + 0x8f, 0x64, 0x7c, 0x68, 0x81, 0xf2, 0xc8, 0x35, 0x7b, 0x95}, + {"2.16.756.1.89.1.2.1.1", ""}, + }, + // Swisscom Root EV CA 2 + // https://test-quarz-ev-ca-2.pre.swissdigicert.ch + { + {0xd9, 0x5f, 0xea, 0x3c, 0xa4, 0xee, 0xdc, 0xe7, 0x4c, 0xd7, 0x6e, + 0x75, 0xfc, 0x6d, 0x1f, 0xf6, 0x2c, 0x44, 0x1f, 0x0f, 0xa8, 0xbc, + 0x77, 0xf0, 0x34, 0xb1, 0x9e, 0x5d, 0xb2, 0x58, 0x01, 0x5d}, + {"2.16.756.1.83.21.0", ""}, + }, + // Thawte Premium Server CA + // https://www.thawte.com/ + { + {0xab, 0x70, 0x36, 0x36, 0x5c, 0x71, 0x54, 0xaa, 0x29, 0xc2, 0xc2, + 0x9f, 0x5d, 0x41, 0x91, 0x16, 0x3b, 0x16, 0x2a, 0x22, 0x25, 0x01, + 0x13, 0x57, 0xd5, 0x6d, 0x07, 0xff, 0xa7, 0xbc, 0x1f, 0x72}, + {"2.16.840.1.113733.1.7.48.1", ""}, + }, + // thawte Primary Root CA + // https://www.thawte.com/ + { + {0x8d, 0x72, 0x2f, 0x81, 0xa9, 0xc1, 0x13, 0xc0, 0x79, 0x1d, 0xf1, + 0x36, 0xa2, 0x96, 0x6d, 0xb2, 0x6c, 0x95, 0x0a, 0x97, 0x1d, 0xb4, + 0x6b, 0x41, 0x99, 0xf4, 0xea, 0x54, 0xb7, 0x8b, 0xfb, 0x9f}, + {"2.16.840.1.113733.1.7.48.1", ""}, + }, + // thawte Primary Root CA - G2 + { + {0xa4, 0x31, 0x0d, 0x50, 0xaf, 0x18, 0xa6, 0x44, 0x71, 0x90, 0x37, + 0x2a, 0x86, 0xaf, 0xaf, 0x8b, 0x95, 0x1f, 0xfb, 0x43, 0x1d, 0x83, + 0x7f, 
0x1e, 0x56, 0x88, 0xb4, 0x59, 0x71, 0xed, 0x15, 0x57}, + {"2.16.840.1.113733.1.7.48.1", ""}, + }, + // thawte Primary Root CA - G3 + { + {0x4b, 0x03, 0xf4, 0x58, 0x07, 0xad, 0x70, 0xf2, 0x1b, 0xfc, 0x2c, + 0xae, 0x71, 0xc9, 0xfd, 0xe4, 0x60, 0x4c, 0x06, 0x4c, 0xf5, 0xff, + 0xb6, 0x86, 0xba, 0xe5, 0xdb, 0xaa, 0xd7, 0xfd, 0xd3, 0x4c}, + {"2.16.840.1.113733.1.7.48.1", ""}, + }, + // TWCA Global Root CA + // https://evssldemo3.twca.com.tw/index.html + { + {0x59, 0x76, 0x90, 0x07, 0xf7, 0x68, 0x5d, 0x0f, 0xcd, 0x50, 0x87, + 0x2f, 0x9f, 0x95, 0xd5, 0x75, 0x5a, 0x5b, 0x2b, 0x45, 0x7d, 0x81, + 0xf3, 0x69, 0x2b, 0x61, 0x0a, 0x98, 0x67, 0x2f, 0x0e, 0x1b}, + {"1.3.6.1.4.1.40869.1.1.22.3", ""}, + }, + // TWCA Root Certification Authority + // https://evssldemo.twca.com.tw/index.html + { + {0xbf, 0xd8, 0x8f, 0xe1, 0x10, 0x1c, 0x41, 0xae, 0x3e, 0x80, 0x1b, + 0xf8, 0xbe, 0x56, 0x35, 0x0e, 0xe9, 0xba, 0xd1, 0xa6, 0xb9, 0xbd, + 0x51, 0x5e, 0xdc, 0x5c, 0x6d, 0x5b, 0x87, 0x11, 0xac, 0x44}, + {"1.3.6.1.4.1.40869.1.1.22.3", ""}, + }, + // T-TeleSec GlobalRoot Class 3 + // http://www.telesec.de/ / https://root-class3.test.telesec.de/ + { + {0xfd, 0x73, 0xda, 0xd3, 0x1c, 0x64, 0x4f, 0xf1, 0xb4, 0x3b, 0xef, + 0x0c, 0xcd, 0xda, 0x96, 0x71, 0x0b, 0x9c, 0xd9, 0x87, 0x5e, 0xca, + 0x7e, 0x31, 0x70, 0x7a, 0xf3, 0xe9, 0x6d, 0x52, 0x2b, 0xbd}, + {"1.3.6.1.4.1.7879.13.24.1", ""}, + }, + // USERTrust ECC Certification Authority + // https://usertrustecccertificationauthority-ev.comodoca.com/ + { + {0x4f, 0xf4, 0x60, 0xd5, 0x4b, 0x9c, 0x86, 0xda, 0xbf, 0xbc, 0xfc, + 0x57, 0x12, 0xe0, 0x40, 0x0d, 0x2b, 0xed, 0x3f, 0xbc, 0x4d, 0x4f, + 0xbd, 0xaa, 0x86, 0xe0, 0x6a, 0xdc, 0xd2, 0xa9, 0xad, 0x7a}, + {"1.3.6.1.4.1.6449.1.2.1.5.1", ""}, + }, + // USERTrust RSA Certification Authority + // https://usertrustrsacertificationauthority-ev.comodoca.com/ + { + {0xe7, 0x93, 0xc9, 0xb0, 0x2f, 0xd8, 0xaa, 0x13, 0xe2, 0x1c, 0x31, + 0x22, 0x8a, 0xcc, 0xb0, 0x81, 0x19, 0x64, 0x3b, 0x74, 0x9c, 0x89, + 0x89, 0x64, 0xb1, 
0x74, 0x6d, 0x46, 0xc3, 0xd4, 0xcb, 0xd2}, + {"1.3.6.1.4.1.6449.1.2.1.5.1", ""}, + }, + // UTN-USERFirst-Hardware + { + {0x6e, 0xa5, 0x47, 0x41, 0xd0, 0x04, 0x66, 0x7e, 0xed, 0x1b, 0x48, + 0x16, 0x63, 0x4a, 0xa3, 0xa7, 0x9e, 0x6e, 0x4b, 0x96, 0x95, 0x0f, + 0x82, 0x79, 0xda, 0xfc, 0x8d, 0x9b, 0xd8, 0x81, 0x21, 0x37}, + { + "1.3.6.1.4.1.6449.1.2.1.5.1", + // This is the Network Solutions EV OID. However, this root + // cross-certifies NetSol and so we need it here too. + "1.3.6.1.4.1.782.1.2.1.8.1", + }, + }, + // ValiCert Class 2 Policy Validation Authority + { + {0x58, 0xd0, 0x17, 0x27, 0x9c, 0xd4, 0xdc, 0x63, 0xab, 0xdd, 0xb1, + 0x96, 0xa6, 0xc9, 0x90, 0x6c, 0x30, 0xc4, 0xe0, 0x87, 0x83, 0xea, + 0xe8, 0xc1, 0x60, 0x99, 0x54, 0xd6, 0x93, 0x55, 0x59, 0x6b}, + {"2.16.840.1.114413.1.7.23.3", "2.16.840.1.114414.1.7.23.3"}, + }, + // VeriSign Class 3 Public Primary Certification Authority + // https://www.verisign.com/ + { + {0xe7, 0x68, 0x56, 0x34, 0xef, 0xac, 0xf6, 0x9a, 0xce, 0x93, 0x9a, + 0x6b, 0x25, 0x5b, 0x7b, 0x4f, 0xab, 0xef, 0x42, 0x93, 0x5b, 0x50, + 0xa2, 0x65, 0xac, 0xb5, 0xcb, 0x60, 0x27, 0xe4, 0x4e, 0x70}, + {"2.16.840.1.113733.1.7.23.6", ""}, + }, + // VeriSign Class 3 Public Primary Certification Authority - G4 + { + {0x69, 0xdd, 0xd7, 0xea, 0x90, 0xbb, 0x57, 0xc9, 0x3e, 0x13, 0x5d, + 0xc8, 0x5e, 0xa6, 0xfc, 0xd5, 0x48, 0x0b, 0x60, 0x32, 0x39, 0xbd, + 0xc4, 0x54, 0xfc, 0x75, 0x8b, 0x2a, 0x26, 0xcf, 0x7f, 0x79}, + {"2.16.840.1.113733.1.7.23.6", ""}, + }, + // VeriSign Class 3 Public Primary Certification Authority - G5 + // https://www.verisign.com/ + { + {0x9a, 0xcf, 0xab, 0x7e, 0x43, 0xc8, 0xd8, 0x80, 0xd0, 0x6b, 0x26, + 0x2a, 0x94, 0xde, 0xee, 0xe4, 0xb4, 0x65, 0x99, 0x89, 0xc3, 0xd0, + 0xca, 0xf1, 0x9b, 0xaf, 0x64, 0x05, 0xe4, 0x1a, 0xb7, 0xdf}, + {"2.16.840.1.113733.1.7.23.6", ""}, + }, + // VeriSign Universal Root Certification Authority + { + {0x23, 0x99, 0x56, 0x11, 0x27, 0xa5, 0x71, 0x25, 0xde, 0x8c, 0xef, + 0xea, 0x61, 0x0d, 0xdf, 0x2f, 0xa0, 
0x78, 0xb5, 0xc8, 0x06, 0x7f, + 0x4e, 0x82, 0x82, 0x90, 0xbf, 0xb8, 0x60, 0xe8, 0x4b, 0x3c}, + {"2.16.840.1.113733.1.7.23.6", ""}, + }, + // Wells Fargo WellsSecure Public Root Certificate Authority + // https://nerys.wellsfargo.com/test.html + { + {0xa7, 0x12, 0x72, 0xae, 0xaa, 0xa3, 0xcf, 0xe8, 0x72, 0x7f, 0x7f, + 0xb3, 0x9f, 0x0f, 0xb3, 0xd1, 0xe5, 0x42, 0x6e, 0x90, 0x60, 0xb0, + 0x6e, 0xe6, 0xf1, 0x3e, 0x9a, 0x3c, 0x58, 0x33, 0xcd, 0x43}, + {"2.16.840.1.114171.500.9", ""}, + }, + // XRamp Global Certification Authority + { + {0xce, 0xcd, 0xdc, 0x90, 0x50, 0x99, 0xd8, 0xda, 0xdf, 0xc5, 0xb1, + 0xd2, 0x09, 0xb7, 0x37, 0xcb, 0xe2, 0xc1, 0x8c, 0xfb, 0x2c, 0x10, + 0xc0, 0xff, 0x0b, 0xcf, 0x0d, 0x32, 0x86, 0xfc, 0x1a, 0xa2}, + {"2.16.840.1.114404.1.1.2.4.1", ""}, + } +}; +int ssl_x509_is_ev(const char* policy_oid) +{ + size_t i=0, j=0; + if(!policy_oid||strlen(policy_oid)==0) + { + return 0; + } + for(i=0; i< sizeof(kEvRootCaMetadata)/sizeof(struct EVMetadata); i++) + { + for(j=0; j0 && + strstr(policy_oid, kEvRootCaMetadata[i].policy_oids[j])) + { + return 1; + } + } + } + return 0; +} + diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index 2c5ba3f..1e6b3e0 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -173,6 +173,7 @@ struct ssl_upstream_parts { struct cert_verify_param verify_param; + struct cert_verify_result verify_result; char verify_failed_action; struct ssl_bypass bypass_condition; 
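Review bot: `ssl_x509_is_ev` never uses the `fingerprint` half of `kEvRootCaMetadata`, so the table that pairs each EV policy OID with one specific root collapses into a flat list of OIDs, and a leaf certificate carrying any of these OIDs is reported as EV regardless of which root its chain ends in. Binding the check to the chain needs an interface change (pass the chain's root X509, compare `X509_digest(root, EVP_sha256(), ...)` with the entry's fingerprint, and accept only that entry's OIDs), so it is described rather than patched here. Independently, `strstr(policy_oid, ...)` is a substring test: a table OID such as `1.3.6.1.4.1.4146.1.1` also matches a longer policy OID that merely starts with it (`...4146.1.10`) or ends with it, which yields false EV results; compare whole dotted OIDs instead, as in the helper below. In this rendering the `#include` lines and the inner loop condition (`for(j=0; j0 &&`) have lost the text between `<` and `>`, presumably `j<kMaxOIDsPerCA` and `strlen(...)>0`; if that is the file's actual content rather than an extraction artifact, it will not compile.
```cpp
// Exact match of one dotted OID inside the extension text returned by
// ssl_x509_get_extension(): a strstr() hit that is only a prefix or suffix
// of a longer OID (e.g. "...4146.1.1" inside "...4146.1.10") is rejected.
static int oid_text_contains(const char* text, const char* oid)
{
    size_t len = strlen(oid);
    const char* p = text;
    while ((p = strstr(p, oid)) != NULL)
    {
        int starts_oid = (p == text) || !(p[-1] == '.' || (p[-1] >= '0' && p[-1] <= '9'));
        int ends_oid = !(p[len] == '.' || (p[len] >= '0' && p[len] <= '9'));
        if (starts_oid && ends_oid)
        {
            return 1;
        }
        p += len;
    }
    return 0;
}

int ssl_x509_is_ev(const char* policy_oid)
{
    // … unchanged: NULL / empty-string guard …
    for (size_t i = 0; i < sizeof(kEvRootCaMetadata) / sizeof(kEvRootCaMetadata[0]); i++)
    {
        for (size_t j = 0; j < kMaxOIDsPerCA; j++)
        {
            const char* ev_oid = kEvRootCaMetadata[i].policy_oids[j];
            if (ev_oid[0] != '\0' && oid_text_contains(policy_oid, ev_oid))
            {
                return 1;
            }
        }
    }
    return 0;
}
```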
@@ -1077,7 +1078,13 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events, else { s_stream->up_parts.is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store, - s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param), error_str, sizeof(error_str)); + s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param), + error_str, sizeof(error_str), &(s_stream->up_parts.verify_result)); + TFE_LOG_DEBUG(mgr->logger, "SNI: %s hostmatch:%d, ct:%d, ev:%d", + s_upstream->client_hello->sni, + s_stream->up_parts.verify_result.is_hostmatched, + s_stream->up_parts.verify_result.is_ct, + s_stream->up_parts.verify_result.is_ev); } if(s_stream->up_parts.is_server_cert_verify_passed) { diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp index 6b1384e..113ec16 100644 --- a/platform/src/ssl_trusted_cert_storage.cpp +++ b/platform/src/ssl_trusted_cert_storage.cpp @@ -321,9 +321,9 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) return ret; } -int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason) +int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason, struct cert_verify_result* result) { - int ret = 0, err_code=0, host_matched=1; + int ret = 0, err_code=0; char *subj=NULL, *issuer=NULL; STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl); if (cert_chain == NULL) 
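Review bot: The new TFE_LOG_DEBUG passes `s_upstream->client_hello->sni` to a `%s` conversion, yet the callee on the preceding line treats that same value as possibly NULL (`if(!param->no_verify_cn&&hostname)` in the storage hunk), and a NULL `%s` argument is undefined behaviour in printf-style loggers; guard it, `sni ? sni : "(none)"`. The log line also spells the objects as `mgr` and `s_upstream` where the call two lines above uses `s_stream->mgr` and `s_stream->up_parts.client_hello->sni`; if those are not locals of this callback the line will not compile, and if they are, the mixed spellings are worth unifying. Lastly, `is_hostmatched` is only logged here while `is_server_cert_verify_passed` is taken solely from the callee's return value, so whether a name mismatch blocks the connection now rests entirely on the callee; a one-line comment at the call site stating which side enforces hostname matching would make that contract explicit. ssl_server_connected_eventcb starts before and continues after the hunk.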
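Review bot: The new `result` out-parameter is neither NULL-checked nor initialised before the existing early `return 1` on a NULL peer chain, and the following hunk only writes `is_ev` and `is_ct` on their positive paths, so a caller that does not zero the struct can carry a previous connection's EV/CT flags into this one; add `memset(result, 0, sizeof(*result));` as the first statement after the declarations, or document in the header that callers must pass a zeroed struct. The function body continues past the hunk.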
@@ -332,47 +332,52 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag return 1; } X509 * cert = sk_X509_value(cert_chain, 0); + if(!param->no_verify_cn&&hostname) + { + result->is_hostmatched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL); + } + else + { + result->is_hostmatched=1; + } + char* oid=ssl_x509_get_extension(cert, NID_certificate_policies); + if(oid) + { + result->is_ev=ssl_x509_is_ev(oid); + } + free(oid); + oid=NULL; + + ASN1_OCTET_STRING *sct=NULL; + int crit = 0; + sct = (ASN1_OCTET_STRING*)X509_get_ext_d2i(cert, NID_ct_precert_scts, &crit, NULL); + if(sct) + { + result->is_ct=1; + } + ASN1_STRING_free(sct); X509_STORE_CTX * ctx = X509_STORE_CTX_new(); pthread_rwlock_rdlock(&(storage->rwlock)); ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain); assert(ret == 1); - - if(!param->no_verify_cn&&!hostname) - { - host_matched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL); - } - else - { - host_matched=1; - } - + X509_STORE_CTX_set_verify_cb(ctx, verify_callback); -// SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, &(s_stream->up_parts.verify_param)); X509_STORE_CTX_set_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM, param); //If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code. ret = X509_verify_cert(ctx); err_code=X509_STORE_CTX_get_error(ctx); - - if(ret!=1||host_matched!=1) + result->error_code=err_code; + if(ret!=1) { subj=ssl_x509_subject(cert); issuer=ssl_x509_issuer(cert); - if(host_matched!=1) - { - snprintf(reason, n_reason, "%s : subject - %s issuer - %s", - "hostname not matched", - subj, - issuer); - } - else - { - snprintf(reason, n_reason, "%s : subject - %s issuer - %s", + + snprintf(reason, n_reason, "%s : subject - %s issuer - %s", X509_verify_cert_error_string(err_code), subj, issuer); - } free(subj); free(issuer); ret=0; 
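Review bot: A hostname mismatch no longer fails verification: `result->is_hostmatched` is computed at the top of the hunk, but the failure condition has been reduced to `if(ret!=1)`, so a chain that validates to a trusted root for the wrong name now returns 1 and the old "hostname not matched" reason is never produced; since X509_check_host also returns -1/-2 on error, the restored test must be `!= 1` rather than a truthiness check. Separately, `X509_get_ext_d2i` for `NID_ct_precert_scts` yields a `STACK_OF(SCT)*` in OpenSSL 1.1.0+, so casting it to `ASN1_OCTET_STRING*` and releasing it with `ASN1_STRING_free` frees through the wrong type; use `SCT_LIST_free` (from `<openssl/ct.h>`). Note also that `is_ct` only records that embedded SCTs are present, nothing here validates them against a log key, and `is_ev` is derived from the leaf's policy text alone without tying it to the root fingerprints the metadata table carries, so as written any trusted CA can assert an EV OID; both deserve a comment so callers do not over-trust the flags. The rewritten tail below restores the hostname check and fixes the SCT release; `ssl_trusted_cert_storage_verify_conn` continues past the hunk.
```cpp
// … unchanged: hostname check and certificate-policy extraction …
STACK_OF(SCT) *scts = (STACK_OF(SCT)*)X509_get_ext_d2i(cert, NID_ct_precert_scts, &crit, NULL);
if(scts)
{
    result->is_ct=1;   /* embedded SCTs are present; they are NOT validated here */
}
SCT_LIST_free(scts);
// … unchanged: X509_STORE_CTX setup, X509_verify_cert, err_code …
result->error_code=err_code;
if(ret!=1||result->is_hostmatched!=1)
{
    subj=ssl_x509_subject(cert);
    issuer=ssl_x509_issuer(cert);
    snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
             result->is_hostmatched!=1 ? "hostname not matched" : X509_verify_cert_error_string(err_code),
             subj,
             issuer);
    free(subj);
    free(issuer);
    ret=0;
```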
diff --git a/platform/src/ssl_utils.cpp b/platform/src/ssl_utils.cpp index 469fa22..3c25292 100644 --- a/platform/src/ssl_utils.cpp +++ b/platform/src/ssl_utils.cpp @@ -1607,6 +1607,52 @@ char * ssl_x509_to_pem(X509 * crt) BIO_free(bio); return ret; } +char* ssl_x509_get_extension(X509 *cert, int ext_NID) +{ + int loc=0; + X509_EXTENSION *ex=NULL; + ASN1_OBJECT *obj=NULL; + BUF_MEM *bptr = NULL; + char *buf = NULL; + BIO *bio=NULL; + char buff[1024]; + int ret=0; + + loc=X509_get_ext_by_NID(cert, ext_NID, -1); + if(loc<0) + { + goto leave; + } + ex = X509_get_ext(cert, loc); + if(ex==NULL) + { + goto leave; + } + obj = X509_EXTENSION_get_object(ex); + OBJ_obj2txt(buff, 1024, obj, 0); + + bio = BIO_new(BIO_s_mem()); + if (!X509V3_EXT_print(bio, ex, 0, 0)) + { + fprintf(stderr, "Error in reading extensions"); + goto leave; + } + ret=BIO_flush(bio); + if(ret!=1) + { + goto leave; + } + BIO_get_mem_ptr(bio, &bptr); + + //bptr->data is not NULL terminated - add null character + buf = (char *) malloc((bptr->length + 1) * sizeof(char)); + memcpy(buf, bptr->data, bptr->length); + buf[bptr->length] = '\0'; +leave: + BIO_free_all(bio); + return buf; +} + /* * Print SSL_SESSION data to a newly allocated string.
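Review bot: `malloc` for the result buffer is unchecked before the `memcpy`, and `BIO_new(BIO_s_mem())` is unchecked before `X509V3_EXT_print`; `if(!buf) goto leave;` and `if(!bio) goto leave;` keep an allocation failure from turning into a NULL write. The `buff[1024]`/`OBJ_obj2txt` pair computes the extension's OID and then discards it, and `fprintf(stderr, ...)` bypasses whatever logger the rest of the file uses and lacks a trailing newline. More importantly for callers that search the returned text (the `ssl_x509_is_ev` path in this diff uses `strstr` on it), the string is `X509V3_EXT_print`'s human-readable rendering, which for certificatePolicies includes CPS URIs and user-notice text chosen by whoever issued the certificate, so an EV OID can appear as a substring of that free-form content or of a longer OID; a contract comment such as `/* Returns the pretty-printed extension text (caller frees), not a parsed value; do not match policy OIDs on it -- use X509_get_ext_d2i(NID_certificate_policies) and OBJ_cmp per POLICYINFO */` would steer future callers right.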