gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1. 可以获取x509证书的ct和ev状态。2. hostname不匹配,不认为是非法证书。

Browse Source
This commit is contained in:
zhengchao
2019-05-15 20:09:12 +08:00
parent ae678d5128
commit ea0292f1b4
7 changed files with 846 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
platform/CMakeLists.txt
View File

@@ -1,6 +1,6 @@
add_executable(tfe src/key_keeper.cpp src/kni_acceptor.cpp src/ssl_stream.cpp
src/ssl_sess_cache.cpp src/ssl_trusted_cert_storage.cpp
src/ssl_utils.cpp src/tcp_stream.cpp src/main.cpp src/proxy.cpp)
src/ssl_sess_cache.cpp src/ssl_trusted_cert_storage.cpp src/ev_root_ca_metadata.cpp
src/ssl_utils.cpp src/tcp_stream.cpp src/main.cpp src/proxy.cpp)
target_include_directories(tfe PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include/external)
target_include_directories(tfe PRIVATE ${CMAKE_CURRENT_LIST_DIR}/include/internal)

9
platform/include/internal/ssl_trusted_cert_storage.h
View File

@@ -20,7 +20,14 @@ struct cert_verify_param
char no_verify_issuer;
char no_verify_expiry_date;
};
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason);
struct cert_verify_result
{
char is_hostmatched;
char is_ev;
char is_ct;
int error_code;
};
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason, struct cert_verify_result* result);
int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage);

2
platform/include/internal/ssl_utils.h
View File

@@ -164,6 +164,8 @@ int ssl_x509_is_valid(X509 *);
char * ssl_x509_to_str(X509 *);
char * ssl_x509_to_pem(X509 *);
void ssl_x509_refcount_inc(X509 *);
char* ssl_x509_get_extension(X509 *cert, int ext_NID);
int ssl_x509_is_ev(const char* policy_oid);
int ssl_x509chain_load(X509 **, STACK_OF(X509) **, const char *);
void ssl_x509chain_use(SSL_CTX *, X509 *, STACK_OF(X509) *);

749
platform/src/ev_root_ca_metadata.cpp Normal file
View File

@@ -0,0 +1,749 @@
#include <stdlib.h>
#include <string.h>
//Following code is from https://cs.chromium.org/chromium/src/net/cert/ev_root_ca_metadata.cc
// kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At
// least one CA has different EV policies for business vs government
// entities and, in the case of cross-signing, we might need to list another
// CA's policy OID under the cross-signing root.
static const size_t kMaxOIDsPerCA = 2;
// Raw metadata.
struct EVMetadata {
// The SHA-256 fingerprint of the root CA certificate, used as a unique
// identifier for a root CA certificate.
unsigned char fingerprint[32];
// The EV policy OIDs of the root CA.
const char* policy_oids[kMaxOIDsPerCA];
};
// These certificates may be found in net/data/ssl/ev_roots.
static const EVMetadata kEvRootCaMetadata[] = {
// AC Camerfirma S.A. Chambers of Commerce Root - 2008
// https://www.camerfirma.com
{
{0x06, 0x3e, 0x4a, 0xfa, 0xc4, 0x91, 0xdf, 0xd3, 0x32, 0xf3, 0x08,
0x9b, 0x85, 0x42, 0xe9, 0x46, 0x17, 0xd8, 0x93, 0xd7, 0xfe, 0x94,
0x4e, 0x10, 0xa7, 0x93, 0x7e, 0xe2, 0x9d, 0x96, 0x93, 0xc0},
{
// AC Camerfirma uses the last two arcs to track how the private key
// is managed - the effective verification policy is the same.
"1.3.6.1.4.1.17326.10.14.2.1.2", "1.3.6.1.4.1.17326.10.14.2.2.2",
},
},
// AC Camerfirma S.A. Global Chambersign Root - 2008
// https://server2.camerfirma.com:8082
{
{0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xa7, 0x69, 0x80, 0x16, 0xa0,
0xd3, 0x24, 0xde, 0x72, 0x28, 0x4e, 0x07, 0x9d, 0x7b, 0x52, 0x20,
0xbb, 0x8f, 0xbd, 0x74, 0x78, 0x16, 0xee, 0xbe, 0xba, 0xca},
{
// AC Camerfirma uses the last two arcs to track how the private key
// is managed - the effective verification policy is the same.
"1.3.6.1.4.1.17326.10.8.12.1.2", "1.3.6.1.4.1.17326.10.8.12.2.2",
},
},
// AddTrust External CA Root
// https://addtrustexternalcaroot-ev.comodoca.com
{
{0x68, 0x7f, 0xa4, 0x51, 0x38, 0x22, 0x78, 0xff, 0xf0, 0xc8, 0xb1,
0x1f, 0x8d, 0x43, 0xd5, 0x76, 0x67, 0x1c, 0x6e, 0xb2, 0xbc, 0xea,
0xb4, 0x13, 0xfb, 0x83, 0xd9, 0x65, 0xd0, 0x6d, 0x2f, 0xf2},
{
"1.3.6.1.4.1.6449.1.2.1.5.1",
// This is the Network Solutions EV OID. However, this root
// cross-certifies NetSol and so we need it here too.
"1.3.6.1.4.1.782.1.2.1.8.1",
},
},
// Actalis Authentication Root CA
// https://ssltest-a.actalis.it:8443
{
{0x55, 0x92, 0x60, 0x84, 0xec, 0x96, 0x3a, 0x64, 0xb9, 0x6e, 0x2a,
0xbe, 0x01, 0xce, 0x0b, 0xa8, 0x6a, 0x64, 0xfb, 0xfe, 0xbc, 0xc7,
0xaa, 0xb5, 0xaf, 0xc1, 0x55, 0xb3, 0x7f, 0xd7, 0x60, 0x66},
{"1.3.159.1.17.1", ""},
},
// AffirmTrust Commercial
// https://commercial.affirmtrust.com/
{
{0x03, 0x76, 0xab, 0x1d, 0x54, 0xc5, 0xf9, 0x80, 0x3c, 0xe4, 0xb2,
0xe2, 0x01, 0xa0, 0xee, 0x7e, 0xef, 0x7b, 0x57, 0xb6, 0x36, 0xe8,
0xa9, 0x3c, 0x9b, 0x8d, 0x48, 0x60, 0xc9, 0x6f, 0x5f, 0xa7},
{"1.3.6.1.4.1.34697.2.1", ""},
},
// AffirmTrust Networking
// https://networking.affirmtrust.com:4431
{
{0x0a, 0x81, 0xec, 0x5a, 0x92, 0x97, 0x77, 0xf1, 0x45, 0x90, 0x4a,
0xf3, 0x8d, 0x5d, 0x50, 0x9f, 0x66, 0xb5, 0xe2, 0xc5, 0x8f, 0xcd,
0xb5, 0x31, 0x05, 0x8b, 0x0e, 0x17, 0xf3, 0xf0, 0xb4, 0x1b},
{"1.3.6.1.4.1.34697.2.2", ""},
},
// AffirmTrust Premium
// https://premium.affirmtrust.com:4432/
{
{0x70, 0xa7, 0x3f, 0x7f, 0x37, 0x6b, 0x60, 0x07, 0x42, 0x48, 0x90,
0x45, 0x34, 0xb1, 0x14, 0x82, 0xd5, 0xbf, 0x0e, 0x69, 0x8e, 0xcc,
0x49, 0x8d, 0xf5, 0x25, 0x77, 0xeb, 0xf2, 0xe9, 0x3b, 0x9a},
{"1.3.6.1.4.1.34697.2.3", ""},
},
// AffirmTrust Premium ECC
// https://premiumecc.affirmtrust.com:4433/
{
{0xbd, 0x71, 0xfd, 0xf6, 0xda, 0x97, 0xe4, 0xcf, 0x62, 0xd1, 0x64,
0x7a, 0xdd, 0x25, 0x81, 0xb0, 0x7d, 0x79, 0xad, 0xf8, 0x39, 0x7e,
0xb4, 0xec, 0xba, 0x9c, 0x5e, 0x84, 0x88, 0x82, 0x14, 0x23},
{"1.3.6.1.4.1.34697.2.4", ""},
},
// Amazon Root CA 1
// https://good.sca1a.amazontrust.com/
{
{0x8e, 0xcd, 0xe6, 0x88, 0x4f, 0x3d, 0x87, 0xb1, 0x12, 0x5b, 0xa3,
0x1a, 0xc3, 0xfc, 0xb1, 0x3d, 0x70, 0x16, 0xde, 0x7f, 0x57, 0xcc,
0x90, 0x4f, 0xe1, 0xcb, 0x97, 0xc6, 0xae, 0x98, 0x19, 0x6e},
{"2.23.140.1.1", ""},
},
// Amazon Root CA 2
// https://good.sca2a.amazontrust.com/
{
{0x1b, 0xa5, 0xb2, 0xaa, 0x8c, 0x65, 0x40, 0x1a, 0x82, 0x96, 0x01,
0x18, 0xf8, 0x0b, 0xec, 0x4f, 0x62, 0x30, 0x4d, 0x83, 0xce, 0xc4,
0x71, 0x3a, 0x19, 0xc3, 0x9c, 0x01, 0x1e, 0xa4, 0x6d, 0xb4},
{"2.23.140.1.1", ""},
},
// Amazon Root CA 3
// https://good.sca3a.amazontrust.com/
{
{0x18, 0xce, 0x6c, 0xfe, 0x7b, 0xf1, 0x4e, 0x60, 0xb2, 0xe3, 0x47,
0xb8, 0xdf, 0xe8, 0x68, 0xcb, 0x31, 0xd0, 0x2e, 0xbb, 0x3a, 0xda,
0x27, 0x15, 0x69, 0xf5, 0x03, 0x43, 0xb4, 0x6d, 0xb3, 0xa4},
{"2.23.140.1.1", ""},
},
// Amazon Root CA 4
// https://good.sca4a.amazontrust.com/
{
{0xe3, 0x5d, 0x28, 0x41, 0x9e, 0xd0, 0x20, 0x25, 0xcf, 0xa6, 0x90,
0x38, 0xcd, 0x62, 0x39, 0x62, 0x45, 0x8d, 0xa5, 0xc6, 0x95, 0xfb,
0xde, 0xa3, 0xc2, 0x2b, 0x0b, 0xfb, 0x25, 0x89, 0x70, 0x92},
{"2.23.140.1.1", ""},
},
// Autoridad de Certificacion Firmaprofesional CIF A62634068
// https://publifirma.firmaprofesional.com/
{
{0x04, 0x04, 0x80, 0x28, 0xbf, 0x1f, 0x28, 0x64, 0xd4, 0x8f, 0x9a,
0xd4, 0xd8, 0x32, 0x94, 0x36, 0x6a, 0x82, 0x88, 0x56, 0x55, 0x3f,
0x3b, 0x14, 0x30, 0x3f, 0x90, 0x14, 0x7f, 0x5d, 0x40, 0xef},
{"1.3.6.1.4.1.13177.10.1.3.10", ""},
},
// Baltimore CyberTrust Root
// https://secure.omniroot.com/repository/
{
{0x16, 0xaf, 0x57, 0xa9, 0xf6, 0x76, 0xb0, 0xab, 0x12, 0x60, 0x95,
0xaa, 0x5e, 0xba, 0xde, 0xf2, 0x2a, 0xb3, 0x11, 0x19, 0xd6, 0x44,
0xac, 0x95, 0xcd, 0x4b, 0x93, 0xdb, 0xf3, 0xf2, 0x6a, 0xeb},
{"1.3.6.1.4.1.6334.1.100.1", ""},
},
// Buypass Class 3 CA 1
// https://valid.evident.ca13.ssl.buypass.no/
{
{0xb7, 0xb1, 0x2b, 0x17, 0x1f, 0x82, 0x1d, 0xaa, 0x99, 0x0c, 0xd0,
0xfe, 0x50, 0x87, 0xb1, 0x28, 0x44, 0x8b, 0xa8, 0xe5, 0x18, 0x4f,
0x84, 0xc5, 0x1e, 0x02, 0xb5, 0xc8, 0xfb, 0x96, 0x2b, 0x24},
{"2.16.578.1.26.1.3.3", ""},
},
// Buypass Class 3 Root CA
// https://valid.evident.ca23.ssl.buypass.no/
{
{0xed, 0xf7, 0xeb, 0xbc, 0xa2, 0x7a, 0x2a, 0x38, 0x4d, 0x38, 0x7b,
0x7d, 0x40, 0x10, 0xc6, 0x66, 0xe2, 0xed, 0xb4, 0x84, 0x3e, 0x4c,
0x29, 0xb4, 0xae, 0x1d, 0x5b, 0x93, 0x32, 0xe6, 0xb2, 0x4d},
{"2.16.578.1.26.1.3.3", ""},
},
// CertPlus Class 2 Primary CA (KEYNECTIS)
// https://www.keynectis.com/
{
{0x0f, 0x99, 0x3c, 0x8a, 0xef, 0x97, 0xba, 0xaf, 0x56, 0x87, 0x14,
0x0e, 0xd5, 0x9a, 0xd1, 0x82, 0x1b, 0xb4, 0xaf, 0xac, 0xf0, 0xaa,
0x9a, 0x58, 0xb5, 0xd5, 0x7a, 0x33, 0x8a, 0x3a, 0xfb, 0xcb},
{"1.3.6.1.4.1.22234.2.5.2.3.1", ""},
},
// Certum Trusted Network CA
// https://juice.certum.pl/
{
{0x5c, 0x58, 0x46, 0x8d, 0x55, 0xf5, 0x8e, 0x49, 0x7e, 0x74, 0x39,
0x82, 0xd2, 0xb5, 0x00, 0x10, 0xb6, 0xd1, 0x65, 0x37, 0x4a, 0xcf,
0x83, 0xa7, 0xd4, 0xa3, 0x2d, 0xb7, 0x68, 0xc4, 0x40, 0x8e},
{"1.2.616.1.113527.2.5.1.1", ""},
},
// CFCA EV ROOT
// https://www.erenepu.com/
{
{0x5c, 0xc3, 0xd7, 0x8e, 0x4e, 0x1d, 0x5e, 0x45, 0x54, 0x7a, 0x04,
0xe6, 0x87, 0x3e, 0x64, 0xf9, 0x0c, 0xf9, 0x53, 0x6d, 0x1c, 0xcc,
0x2e, 0xf8, 0x00, 0xf3, 0x55, 0xc4, 0xc5, 0xfd, 0x70, 0xfd},
{"2.16.156.112554.3", ""},
},
// China Internet Network Information Center EV Certificates Root
// https://evdemo.cnnic.cn/
{
// Root
{0x1c, 0x01, 0xc6, 0xf4, 0xdb, 0xb2, 0xfe, 0xfc, 0x22, 0x55, 0x8b,
0x2b, 0xca, 0x32, 0x56, 0x3f, 0x49, 0x84, 0x4a, 0xcf, 0xc3, 0x2b,
0x7b, 0xe4, 0xb0, 0xff, 0x59, 0x9f, 0x9e, 0x8c, 0x7a, 0xf7},
{"1.3.6.1.4.1.29836.1.10", ""},
},
// COMODO Certification Authority
// https://secure.comodo.com/
{
{0x0c, 0x2c, 0xd6, 0x3d, 0xf7, 0x80, 0x6f, 0xa3, 0x99, 0xed, 0xe8,
0x09, 0x11, 0x6b, 0x57, 0x5b, 0xf8, 0x79, 0x89, 0xf0, 0x65, 0x18,
0xf9, 0x80, 0x8c, 0x86, 0x05, 0x03, 0x17, 0x8b, 0xaf, 0x66},
{"1.3.6.1.4.1.6449.1.2.1.5.1", ""},
},
// COMODO Certification Authority (reissued certificate with NotBefore of
// Jan 1 00:00:00 2011 GMT)
// https://secure.comodo.com/
{
{0x1a, 0x0d, 0x20, 0x44, 0x5d, 0xe5, 0xba, 0x18, 0x62, 0xd1, 0x9e,
0xf8, 0x80, 0x85, 0x8c, 0xbc, 0xe5, 0x01, 0x02, 0xb3, 0x6e, 0x8f,
0x0a, 0x04, 0x0c, 0x3c, 0x69, 0xe7, 0x45, 0x22, 0xfe, 0x6e},
{"1.3.6.1.4.1.6449.1.2.1.5.1", ""},
},
// COMODO ECC Certification Authority
// https://comodoecccertificationauthority-ev.comodoca.com/
{
{0x17, 0x93, 0x92, 0x7a, 0x06, 0x14, 0x54, 0x97, 0x89, 0xad, 0xce,
0x2f, 0x8f, 0x34, 0xf7, 0xf0, 0xb6, 0x6d, 0x0f, 0x3a, 0xe3, 0xa3,
0xb8, 0x4d, 0x21, 0xec, 0x15, 0xdb, 0xba, 0x4f, 0xad, 0xc7},
{"1.3.6.1.4.1.6449.1.2.1.5.1", ""},
},
// COMODO RSA Certification Authority
// https://comodorsacertificationauthority-ev.comodoca.com/
{
{0x52, 0xf0, 0xe1, 0xc4, 0xe5, 0x8e, 0xc6, 0x29, 0x29, 0x1b, 0x60,
0x31, 0x7f, 0x07, 0x46, 0x71, 0xb8, 0x5d, 0x7e, 0xa8, 0x0d, 0x5b,
0x07, 0x27, 0x34, 0x63, 0x53, 0x4b, 0x32, 0xb4, 0x02, 0x34},
{"1.3.6.1.4.1.6449.1.2.1.5.1", ""},
},
// Cybertrust Global Root
// https://evup.cybertrust.ne.jp/ctj-ev-upgrader/evseal.gif
{
{0x96, 0x0a, 0xdf, 0x00, 0x63, 0xe9, 0x63, 0x56, 0x75, 0x0c, 0x29,
0x65, 0xdd, 0x0a, 0x08, 0x67, 0xda, 0x0b, 0x9c, 0xbd, 0x6e, 0x77,
0x71, 0x4a, 0xea, 0xfb, 0x23, 0x49, 0xab, 0x39, 0x3d, 0xa3},
{"1.3.6.1.4.1.6334.1.100.1", ""},
},
// DigiCert Assured ID Root CA
// https://assured-id-root-ca.chain-demos.digicert.com/
{
{0x3e, 0x90, 0x99, 0xb5, 0x01, 0x5e, 0x8f, 0x48, 0x6c, 0x00, 0xbc,
0xea, 0x9d, 0x11, 0x1e, 0xe7, 0x21, 0xfa, 0xba, 0x35, 0x5a, 0x89,
0xbc, 0xf1, 0xdf, 0x69, 0x56, 0x1e, 0x3d, 0xc6, 0x32, 0x5c},
{"2.16.840.1.114412.2.1", ""},
},
// DigiCert Global Root CA
// https://global-root-ca.chain-demos.digicert.com/
{
{0x43, 0x48, 0xa0, 0xe9, 0x44, 0x4c, 0x78, 0xcb, 0x26, 0x5e, 0x05,
0x8d, 0x5e, 0x89, 0x44, 0xb4, 0xd8, 0x4f, 0x96, 0x62, 0xbd, 0x26,
0xdb, 0x25, 0x7f, 0x89, 0x34, 0xa4, 0x43, 0xc7, 0x01, 0x61},
{"2.16.840.1.114412.2.1", ""},
},
// DigiCert Global Root G2
// https://global-root-g2.chain-demos.digicert.com/
{
{0xcb, 0x3c, 0xcb, 0xb7, 0x60, 0x31, 0xe5, 0xe0, 0x13, 0x8f, 0x8d,
0xd3, 0x9a, 0x23, 0xf9, 0xde, 0x47, 0xff, 0xc3, 0x5e, 0x43, 0xc1,
0x14, 0x4c, 0xea, 0x27, 0xd4, 0x6a, 0x5a, 0xb1, 0xcb, 0x5f},
{"2.16.840.1.114412.2.1", ""},
},
// DigiCert Global Root G3
// https://global-root-g3.chain-demos.digicert.com/
{
{0x31, 0xad, 0x66, 0x48, 0xf8, 0x10, 0x41, 0x38, 0xc7, 0x38, 0xf3,
0x9e, 0xa4, 0x32, 0x01, 0x33, 0x39, 0x3e, 0x3a, 0x18, 0xcc, 0x02,
0x29, 0x6e, 0xf9, 0x7c, 0x2a, 0xc9, 0xef, 0x67, 0x31, 0xd0},
{"2.16.840.1.114412.2.1", ""},
},
// DigiCert High Assurance EV Root CA
// https://www.digicert.com
{
{0x74, 0x31, 0xe5, 0xf4, 0xc3, 0xc1, 0xce, 0x46, 0x90, 0x77, 0x4f,
0x0b, 0x61, 0xe0, 0x54, 0x40, 0x88, 0x3b, 0xa9, 0xa0, 0x1e, 0xd0,
0x0b, 0xa6, 0xab, 0xd7, 0x80, 0x6e, 0xd3, 0xb1, 0x18, 0xcf},
{"2.16.840.1.114412.2.1", ""},
},
// DigiCert Trusted Root G4
// https://trusted-root-g4.chain-demos.digicert.com/
{
{0x55, 0x2f, 0x7b, 0xdc, 0xf1, 0xa7, 0xaf, 0x9e, 0x6c, 0xe6, 0x72,
0x01, 0x7f, 0x4f, 0x12, 0xab, 0xf7, 0x72, 0x40, 0xc7, 0x8e, 0x76,
0x1a, 0xc2, 0x03, 0xd1, 0xd9, 0xd2, 0x0a, 0xc8, 0x99, 0x88},
{"2.16.840.1.114412.2.1", ""},
},
// D-TRUST Root Class 3 CA 2 EV 2009
// https://certdemo-ev-valid.ssl.d-trust.net/
{
{0xee, 0xc5, 0x49, 0x6b, 0x98, 0x8c, 0xe9, 0x86, 0x25, 0xb9, 0x34,
0x09, 0x2e, 0xec, 0x29, 0x08, 0xbe, 0xd0, 0xb0, 0xf3, 0x16, 0xc2,
0xd4, 0x73, 0x0c, 0x84, 0xea, 0xf1, 0xf3, 0xd3, 0x48, 0x81},
{"1.3.6.1.4.1.4788.2.202.1", ""},
},
// Entrust.net Secure Server Certification Authority
// https://www.entrust.net/
{
{0x62, 0xf2, 0x40, 0x27, 0x8c, 0x56, 0x4c, 0x4d, 0xd8, 0xbf, 0x7d,
0x9d, 0x4f, 0x6f, 0x36, 0x6e, 0xa8, 0x94, 0xd2, 0x2f, 0x5f, 0x34,
0xd9, 0x89, 0xa9, 0x83, 0xac, 0xec, 0x2f, 0xff, 0xed, 0x50},
{"2.16.840.1.114028.10.1.2", ""},
},
// Entrust Root Certification Authority
// https://www.entrust.net/
{
{0x73, 0xc1, 0x76, 0x43, 0x4f, 0x1b, 0xc6, 0xd5, 0xad, 0xf4, 0x5b,
0x0e, 0x76, 0xe7, 0x27, 0x28, 0x7c, 0x8d, 0xe5, 0x76, 0x16, 0xc1,
0xe6, 0xe6, 0x14, 0x1a, 0x2b, 0x2c, 0xbc, 0x7d, 0x8e, 0x4c},
{"2.16.840.1.114028.10.1.2", ""},
},
// Entrust Root Certification Authority G2
// https://validg2.entrust.net
{
{0x43, 0xdf, 0x57, 0x74, 0xb0, 0x3e, 0x7f, 0xef, 0x5f, 0xe4, 0x0d,
0x93, 0x1a, 0x7b, 0xed, 0xf1, 0xbb, 0x2e, 0x6b, 0x42, 0x73, 0x8c,
0x4e, 0x6d, 0x38, 0x41, 0x10, 0x3d, 0x3a, 0xa7, 0xf3, 0x39},
{"2.16.840.1.114028.10.1.2", ""},
},
// Entrust Root Certification Authority EC1
// https://validec.entrust.net
{
{0x02, 0xed, 0x0e, 0xb2, 0x8c, 0x14, 0xda, 0x45, 0x16, 0x5c, 0x56,
0x67, 0x91, 0x70, 0x0d, 0x64, 0x51, 0xd7, 0xfb, 0x56, 0xf0, 0xb2,
0xab, 0x1d, 0x3b, 0x8e, 0xb0, 0x70, 0xe5, 0x6e, 0xdf, 0xf5},
{"2.16.840.1.114028.10.1.2", ""},
},
// Equifax Secure Certificate Authority (GeoTrust)
// https://www.geotrust.com/
{
{0x08, 0x29, 0x7a, 0x40, 0x47, 0xdb, 0xa2, 0x36, 0x80, 0xc7, 0x31,
0xdb, 0x6e, 0x31, 0x76, 0x53, 0xca, 0x78, 0x48, 0xe1, 0xbe, 0xbd,
0x3a, 0x0b, 0x01, 0x79, 0xa7, 0x07, 0xf9, 0x2c, 0xf1, 0x78},
{"1.3.6.1.4.1.14370.1.6", ""},
},
// E-Tugra Certification Authority
// https://sslev.e-tugra.com.tr
{
{0xb0, 0xbf, 0xd5, 0x2b, 0xb0, 0xd7, 0xd9, 0xbd, 0x92, 0xbf, 0x5d,
0x4d, 0xc1, 0x3d, 0xa2, 0x55, 0xc0, 0x2c, 0x54, 0x2f, 0x37, 0x83,
0x65, 0xea, 0x89, 0x39, 0x11, 0xf5, 0x5e, 0x55, 0xf2, 0x3c},
{"2.16.792.3.0.4.1.1.4", ""},
},
// GeoTrust Primary Certification Authority
// https://www.geotrust.com/
{
{0x37, 0xd5, 0x10, 0x06, 0xc5, 0x12, 0xea, 0xab, 0x62, 0x64, 0x21,
0xf1, 0xec, 0x8c, 0x92, 0x01, 0x3f, 0xc5, 0xf8, 0x2a, 0xe9, 0x8e,
0xe5, 0x33, 0xeb, 0x46, 0x19, 0xb8, 0xde, 0xb4, 0xd0, 0x6c},
{"1.3.6.1.4.1.14370.1.6", ""},
},
// GeoTrust Primary Certification Authority - G2
{
{0x5e, 0xdb, 0x7a, 0xc4, 0x3b, 0x82, 0xa0, 0x6a, 0x87, 0x61, 0xe8,
0xd7, 0xbe, 0x49, 0x79, 0xeb, 0xf2, 0x61, 0x1f, 0x7d, 0xd7, 0x9b,
0xf9, 0x1c, 0x1c, 0x6b, 0x56, 0x6a, 0x21, 0x9e, 0xd7, 0x66},
{"1.3.6.1.4.1.14370.1.6", ""},
},
// GeoTrust Primary Certification Authority - G3
{
{0xb4, 0x78, 0xb8, 0x12, 0x25, 0x0d, 0xf8, 0x78, 0x63, 0x5c, 0x2a,
0xa7, 0xec, 0x7d, 0x15, 0x5e, 0xaa, 0x62, 0x5e, 0xe8, 0x29, 0x16,
0xe2, 0xcd, 0x29, 0x43, 0x61, 0x88, 0x6c, 0xd1, 0xfb, 0xd4},
{"1.3.6.1.4.1.14370.1.6", ""},
},
// GlobalSign Root CA - R2
// https://www.globalsign.com/
{
{0xca, 0x42, 0xdd, 0x41, 0x74, 0x5f, 0xd0, 0xb8, 0x1e, 0xb9, 0x02,
0x36, 0x2c, 0xf9, 0xd8, 0xbf, 0x71, 0x9d, 0xa1, 0xbd, 0x1b, 0x1e,
0xfc, 0x94, 0x6f, 0x5b, 0x4c, 0x99, 0xf4, 0x2c, 0x1b, 0x9e},
{"1.3.6.1.4.1.4146.1.1", ""},
},
// GlobalSign Root CA
{
{0xeb, 0xd4, 0x10, 0x40, 0xe4, 0xbb, 0x3e, 0xc7, 0x42, 0xc9, 0xe3,
0x81, 0xd3, 0x1e, 0xf2, 0xa4, 0x1a, 0x48, 0xb6, 0x68, 0x5c, 0x96,
0xe7, 0xce, 0xf3, 0xc1, 0xdf, 0x6c, 0xd4, 0x33, 0x1c, 0x99},
{"1.3.6.1.4.1.4146.1.1", ""},
},
// GlobalSign Root CA - R3
// https://2029.globalsign.com/
{
{0xcb, 0xb5, 0x22, 0xd7, 0xb7, 0xf1, 0x27, 0xad, 0x6a, 0x01, 0x13,
0x86, 0x5b, 0xdf, 0x1c, 0xd4, 0x10, 0x2e, 0x7d, 0x07, 0x59, 0xaf,
0x63, 0x5a, 0x7c, 0xf4, 0x72, 0x0d, 0xc9, 0x63, 0xc5, 0x3b},
{"1.3.6.1.4.1.4146.1.1", ""},
},
// GlobalSign ECC Root CA - R4
// https://2038r4.globalsign.com
{
{0xbe, 0xc9, 0x49, 0x11, 0xc2, 0x95, 0x56, 0x76, 0xdb, 0x6c, 0x0a,
0x55, 0x09, 0x86, 0xd7, 0x6e, 0x3b, 0xa0, 0x05, 0x66, 0x7c, 0x44,
0x2c, 0x97, 0x62, 0xb4, 0xfb, 0xb7, 0x73, 0xde, 0x22, 0x8c},
{"1.3.6.1.4.1.4146.1.1", ""},
},
// GlobalSign ECC Root CA - R5
// https://2038r5.globalsign.com/
{
{0x17, 0x9f, 0xbc, 0x14, 0x8a, 0x3d, 0xd0, 0x0f, 0xd2, 0x4e, 0xa1,
0x34, 0x58, 0xcc, 0x43, 0xbf, 0xa7, 0xf5, 0x9c, 0x81, 0x82, 0xd7,
0x83, 0xa5, 0x13, 0xf6, 0xeb, 0xec, 0x10, 0x0c, 0x89, 0x24},
{"1.3.6.1.4.1.4146.1.1", ""},
},
// Go Daddy Class 2 Certification Authority
// https://www.godaddy.com/
{
{0xc3, 0x84, 0x6b, 0xf2, 0x4b, 0x9e, 0x93, 0xca, 0x64, 0x27, 0x4c,
0x0e, 0xc6, 0x7c, 0x1e, 0xcc, 0x5e, 0x02, 0x4f, 0xfc, 0xac, 0xd2,
0xd7, 0x40, 0x19, 0x35, 0x0e, 0x81, 0xfe, 0x54, 0x6a, 0xe4},
{"2.16.840.1.114413.1.7.23.3", ""},
},
// Go Daddy Root Certificate Authority - G2
// https://valid.gdig2.catest.godaddy.com/
{
{0x45, 0x14, 0x0b, 0x32, 0x47, 0xeb, 0x9c, 0xc8, 0xc5, 0xb4, 0xf0,
0xd7, 0xb5, 0x30, 0x91, 0xf7, 0x32, 0x92, 0x08, 0x9e, 0x6e, 0x5a,
0x63, 0xe2, 0x74, 0x9d, 0xd3, 0xac, 0xa9, 0x19, 0x8e, 0xda},
{"2.16.840.1.114413.1.7.23.3", ""},
},
// GTE CyberTrust Global Root
// https://www.cybertrust.ne.jp/
{
{0xa5, 0x31, 0x25, 0x18, 0x8d, 0x21, 0x10, 0xaa, 0x96, 0x4b, 0x02,
0xc7, 0xb7, 0xc6, 0xda, 0x32, 0x03, 0x17, 0x08, 0x94, 0xe5, 0xfb,
0x71, 0xff, 0xfb, 0x66, 0x67, 0xd5, 0xe6, 0x81, 0x0a, 0x36},
{"1.3.6.1.4.1.6334.1.100.1", ""},
},
// Izenpe.com - SHA256 root
// The first OID is for businesses and the second for government entities.
// These are the test sites, respectively:
// https://servicios.izenpe.com
// https://servicios1.izenpe.com
{
{0x25, 0x30, 0xcc, 0x8e, 0x98, 0x32, 0x15, 0x02, 0xba, 0xd9, 0x6f,
0x9b, 0x1f, 0xba, 0x1b, 0x09, 0x9e, 0x2d, 0x29, 0x9e, 0x0f, 0x45,
0x48, 0xbb, 0x91, 0x4f, 0x36, 0x3b, 0xc0, 0xd4, 0x53, 0x1f},
{"1.3.6.1.4.1.14777.6.1.1", "1.3.6.1.4.1.14777.6.1.2"},
},
// Izenpe.com - SHA1 root
// Windows XP finds this, SHA1, root instead. The policy OIDs are the same
// as for the SHA256 root, above.
{
{0x23, 0x80, 0x42, 0x03, 0xca, 0x45, 0xd8, 0xcd, 0xe7, 0x16, 0xb8,
0xc1, 0x3b, 0xf3, 0xb4, 0x48, 0x45, 0x7f, 0xa0, 0x6c, 0xc1, 0x02,
0x50, 0x99, 0x7f, 0xa0, 0x14, 0x58, 0x31, 0x7c, 0x41, 0xe5},
{"1.3.6.1.4.1.14777.6.1.1", "1.3.6.1.4.1.14777.6.1.2"},
},
// LuxTrust Global Root 2
// https://ltsslca5.trustme.lu/
{
{0x54, 0x45, 0x5f, 0x71, 0x29, 0xc2, 0x0b, 0x14, 0x47, 0xc4, 0x18,
0xf9, 0x97, 0x16, 0x8f, 0x24, 0xc5, 0x8f, 0xc5, 0x02, 0x3b, 0xf5,
0xda, 0x5b, 0xe2, 0xeb, 0x6e, 0x1d, 0xd8, 0x90, 0x2e, 0xd5},
{"1.3.171.1.1.10.5.2", ""},
},
// Network Solutions Certificate Authority
// https://www.networksolutions.com/website-packages/index.jsp
{
{0x15, 0xf0, 0xba, 0x00, 0xa3, 0xac, 0x7a, 0xf3, 0xac, 0x88, 0x4c,
0x07, 0x2b, 0x10, 0x11, 0xa0, 0x77, 0xbd, 0x77, 0xc0, 0x97, 0xf4,
0x01, 0x64, 0xb2, 0xf8, 0x59, 0x8a, 0xbd, 0x83, 0x86, 0x0c},
{"1.3.6.1.4.1.782.1.2.1.8.1", ""},
},
// Network Solutions Certificate Authority (reissued certificate with
// NotBefore of Jan 1 00:00:00 2011 GMT).
// https://www.networksolutions.com/website-packages/index.jsp
{
{0x00, 0x16, 0x86, 0xcd, 0x18, 0x1f, 0x83, 0xa1, 0xb1, 0x21, 0x7d,
0x30, 0x5b, 0x36, 0x5c, 0x41, 0xe3, 0x47, 0x0a, 0x78, 0xa1, 0xd3,
0x7b, 0x13, 0x4a, 0x98, 0xcd, 0x54, 0x7b, 0x92, 0xda, 0xb3},
{"1.3.6.1.4.1.782.1.2.1.8.1", ""},
},
// OISTE WISeKey Global Root GB CA
// https://goodevssl.wisekey.com
{
{0x6b, 0x9c, 0x08, 0xe8, 0x6e, 0xb0, 0xf7, 0x67, 0xcf, 0xad, 0x65,
0xcd, 0x98, 0xb6, 0x21, 0x49, 0xe5, 0x49, 0x4a, 0x67, 0xf5, 0x84,
0x5e, 0x7b, 0xd1, 0xed, 0x01, 0x9f, 0x27, 0xb8, 0x6b, 0xd6},
{"2.16.756.5.14.7.4.8", ""},
},
// QuoVadis Root CA 2
// https://www.quovadis.bm/
{
{0x85, 0xa0, 0xdd, 0x7d, 0xd7, 0x20, 0xad, 0xb7, 0xff, 0x05, 0xf8,
0x3d, 0x54, 0x2b, 0x20, 0x9d, 0xc7, 0xff, 0x45, 0x28, 0xf7, 0xd6,
0x77, 0xb1, 0x83, 0x89, 0xfe, 0xa5, 0xe5, 0xc4, 0x9e, 0x86},
{"1.3.6.1.4.1.8024.0.2.100.1.2", ""},
},
// QuoVadis Root CA 2 G3
// https://evsslicag3-v.quovadisglobal.com/
{
{0x8f, 0xe4, 0xfb, 0x0a, 0xf9, 0x3a, 0x4d, 0x0d, 0x67, 0xdb, 0x0b,
0xeb, 0xb2, 0x3e, 0x37, 0xc7, 0x1b, 0xf3, 0x25, 0xdc, 0xbc, 0xdd,
0x24, 0x0e, 0xa0, 0x4d, 0xaf, 0x58, 0xb4, 0x7e, 0x18, 0x40},
{"1.3.6.1.4.1.8024.0.2.100.1.2", ""},
},
// SecureTrust CA, SecureTrust Corporation
// https://www.securetrust.com
// https://www.trustwave.com/
{
{0xf1, 0xc1, 0xb5, 0x0a, 0xe5, 0xa2, 0x0d, 0xd8, 0x03, 0x0e, 0xc9,
0xf6, 0xbc, 0x24, 0x82, 0x3d, 0xd3, 0x67, 0xb5, 0x25, 0x57, 0x59,
0xb4, 0xe7, 0x1b, 0x61, 0xfc, 0xe9, 0xf7, 0x37, 0x5d, 0x73},
{"2.16.840.1.114404.1.1.2.4.1", ""},
},
// Secure Global CA, SecureTrust Corporation
{
{0x42, 0x00, 0xf5, 0x04, 0x3a, 0xc8, 0x59, 0x0e, 0xbb, 0x52, 0x7d,
0x20, 0x9e, 0xd1, 0x50, 0x30, 0x29, 0xfb, 0xcb, 0xd4, 0x1c, 0xa1,
0xb5, 0x06, 0xec, 0x27, 0xf1, 0x5a, 0xde, 0x7d, 0xac, 0x69},
{"2.16.840.1.114404.1.1.2.4.1", ""},
},
// Security Communication RootCA1
// https://www.secomtrust.net/contact/form.html
{
{0xe7, 0x5e, 0x72, 0xed, 0x9f, 0x56, 0x0e, 0xec, 0x6e, 0xb4, 0x80,
0x00, 0x73, 0xa4, 0x3f, 0xc3, 0xad, 0x19, 0x19, 0x5a, 0x39, 0x22,
0x82, 0x01, 0x78, 0x95, 0x97, 0x4a, 0x99, 0x02, 0x6b, 0x6c},
{"1.2.392.200091.100.721.1", ""},
},
// Security Communication EV RootCA1
// https://www.secomtrust.net/contact/form.html
{
{0xa2, 0x2d, 0xba, 0x68, 0x1e, 0x97, 0x37, 0x6e, 0x2d, 0x39, 0x7d,
0x72, 0x8a, 0xae, 0x3a, 0x9b, 0x62, 0x96, 0xb9, 0xfd, 0xba, 0x60,
0xbc, 0x2e, 0x11, 0xf6, 0x47, 0xf2, 0xc6, 0x75, 0xfb, 0x37},
{"1.2.392.200091.100.721.1", ""},
},
// Security Communication EV RootCA2
// https://www.secomtrust.net/contact/form.html
{
{0x51, 0x3b, 0x2c, 0xec, 0xb8, 0x10, 0xd4, 0xcd, 0xe5, 0xdd, 0x85,
0x39, 0x1a, 0xdf, 0xc6, 0xc2, 0xdd, 0x60, 0xd8, 0x7b, 0xb7, 0x36,
0xd2, 0xb5, 0x21, 0x48, 0x4a, 0xa4, 0x7a, 0x0e, 0xbe, 0xf6},
{"1.2.392.200091.100.721.1", ""},
},
// Staat der Nederlanden EV Root CA
// https://pkioevssl-v.quovadisglobal.com/
{
{0x4d, 0x24, 0x91, 0x41, 0x4c, 0xfe, 0x95, 0x67, 0x46, 0xec, 0x4c,
0xef, 0xa6, 0xcf, 0x6f, 0x72, 0xe2, 0x8a, 0x13, 0x29, 0x43, 0x2f,
0x9d, 0x8a, 0x90, 0x7a, 0xc4, 0xcb, 0x5d, 0xad, 0xc1, 0x5a},
{"2.16.528.1.1003.1.2.7", ""},
},
// StartCom Certification Authority
// https://www.startssl.com/
{
{0xc7, 0x66, 0xa9, 0xbe, 0xf2, 0xd4, 0x07, 0x1c, 0x86, 0x3a, 0x31,
0xaa, 0x49, 0x20, 0xe8, 0x13, 0xb2, 0xd1, 0x98, 0x60, 0x8c, 0xb7,
0xb7, 0xcf, 0xe2, 0x11, 0x43, 0xb8, 0x36, 0xdf, 0x09, 0xea},
{"1.3.6.1.4.1.23223.1.1.1", ""},
},
// Starfield Class 2 Certification Authority
// https://www.starfieldtech.com/
{
{0x14, 0x65, 0xfa, 0x20, 0x53, 0x97, 0xb8, 0x76, 0xfa, 0xa6, 0xf0,
0xa9, 0x95, 0x8e, 0x55, 0x90, 0xe4, 0x0f, 0xcc, 0x7f, 0xaa, 0x4f,
0xb7, 0xc2, 0xc8, 0x67, 0x75, 0x21, 0xfb, 0x5f, 0xb6, 0x58},
{"2.16.840.1.114414.1.7.23.3", ""},
},
// Starfield Root Certificate Authority - G2
// https://valid.sfig2.catest.starfieldtech.com/
{
{0x2c, 0xe1, 0xcb, 0x0b, 0xf9, 0xd2, 0xf9, 0xe1, 0x02, 0x99, 0x3f,
0xbe, 0x21, 0x51, 0x52, 0xc3, 0xb2, 0xdd, 0x0c, 0xab, 0xde, 0x1c,
0x68, 0xe5, 0x31, 0x9b, 0x83, 0x91, 0x54, 0xdb, 0xb7, 0xf5},
{"2.16.840.1.114414.1.7.23.3", ""},
},
// Starfield Services Root Certificate Authority - G2
// https://valid.sfsg2.catest.starfieldtech.com/
{
{0x56, 0x8d, 0x69, 0x05, 0xa2, 0xc8, 0x87, 0x08, 0xa4, 0xb3, 0x02,
0x51, 0x90, 0xed, 0xcf, 0xed, 0xb1, 0x97, 0x4a, 0x60, 0x6a, 0x13,
0xc6, 0xe5, 0x29, 0x0f, 0xcb, 0x2a, 0xe6, 0x3e, 0xda, 0xb5},
{"2.16.840.1.114414.1.7.24.3", "2.23.140.1.1"},
},
// SwissSign Gold CA - G2
// https://testevg2.swisssign.net/
{
{0x62, 0xdd, 0x0b, 0xe9, 0xb9, 0xf5, 0x0a, 0x16, 0x3e, 0xa0, 0xf8,
0xe7, 0x5c, 0x05, 0x3b, 0x1e, 0xca, 0x57, 0xea, 0x55, 0xc8, 0x68,
0x8f, 0x64, 0x7c, 0x68, 0x81, 0xf2, 0xc8, 0x35, 0x7b, 0x95},
{"2.16.756.1.89.1.2.1.1", ""},
},
// Swisscom Root EV CA 2
// https://test-quarz-ev-ca-2.pre.swissdigicert.ch
{
{0xd9, 0x5f, 0xea, 0x3c, 0xa4, 0xee, 0xdc, 0xe7, 0x4c, 0xd7, 0x6e,
0x75, 0xfc, 0x6d, 0x1f, 0xf6, 0x2c, 0x44, 0x1f, 0x0f, 0xa8, 0xbc,
0x77, 0xf0, 0x34, 0xb1, 0x9e, 0x5d, 0xb2, 0x58, 0x01, 0x5d},
{"2.16.756.1.83.21.0", ""},
},
// Thawte Premium Server CA
// https://www.thawte.com/
{
{0xab, 0x70, 0x36, 0x36, 0x5c, 0x71, 0x54, 0xaa, 0x29, 0xc2, 0xc2,
0x9f, 0x5d, 0x41, 0x91, 0x16, 0x3b, 0x16, 0x2a, 0x22, 0x25, 0x01,
0x13, 0x57, 0xd5, 0x6d, 0x07, 0xff, 0xa7, 0xbc, 0x1f, 0x72},
{"2.16.840.1.113733.1.7.48.1", ""},
},
// thawte Primary Root CA
// https://www.thawte.com/
{
{0x8d, 0x72, 0x2f, 0x81, 0xa9, 0xc1, 0x13, 0xc0, 0x79, 0x1d, 0xf1,
0x36, 0xa2, 0x96, 0x6d, 0xb2, 0x6c, 0x95, 0x0a, 0x97, 0x1d, 0xb4,
0x6b, 0x41, 0x99, 0xf4, 0xea, 0x54, 0xb7, 0x8b, 0xfb, 0x9f},
{"2.16.840.1.113733.1.7.48.1", ""},
},
// thawte Primary Root CA - G2
{
{0xa4, 0x31, 0x0d, 0x50, 0xaf, 0x18, 0xa6, 0x44, 0x71, 0x90, 0x37,
0x2a, 0x86, 0xaf, 0xaf, 0x8b, 0x95, 0x1f, 0xfb, 0x43, 0x1d, 0x83,
0x7f, 0x1e, 0x56, 0x88, 0xb4, 0x59, 0x71, 0xed, 0x15, 0x57},
{"2.16.840.1.113733.1.7.48.1", ""},
},
// thawte Primary Root CA - G3
{
{0x4b, 0x03, 0xf4, 0x58, 0x07, 0xad, 0x70, 0xf2, 0x1b, 0xfc, 0x2c,
0xae, 0x71, 0xc9, 0xfd, 0xe4, 0x60, 0x4c, 0x06, 0x4c, 0xf5, 0xff,
0xb6, 0x86, 0xba, 0xe5, 0xdb, 0xaa, 0xd7, 0xfd, 0xd3, 0x4c},
{"2.16.840.1.113733.1.7.48.1", ""},
},
// TWCA Global Root CA
// https://evssldemo3.twca.com.tw/index.html
{
{0x59, 0x76, 0x90, 0x07, 0xf7, 0x68, 0x5d, 0x0f, 0xcd, 0x50, 0x87,
0x2f, 0x9f, 0x95, 0xd5, 0x75, 0x5a, 0x5b, 0x2b, 0x45, 0x7d, 0x81,
0xf3, 0x69, 0x2b, 0x61, 0x0a, 0x98, 0x67, 0x2f, 0x0e, 0x1b},
{"1.3.6.1.4.1.40869.1.1.22.3", ""},
},
// TWCA Root Certification Authority
// https://evssldemo.twca.com.tw/index.html
{
{0xbf, 0xd8, 0x8f, 0xe1, 0x10, 0x1c, 0x41, 0xae, 0x3e, 0x80, 0x1b,
0xf8, 0xbe, 0x56, 0x35, 0x0e, 0xe9, 0xba, 0xd1, 0xa6, 0xb9, 0xbd,
0x51, 0x5e, 0xdc, 0x5c, 0x6d, 0x5b, 0x87, 0x11, 0xac, 0x44},
{"1.3.6.1.4.1.40869.1.1.22.3", ""},
},
// T-TeleSec GlobalRoot Class 3
// http://www.telesec.de/ / https://root-class3.test.telesec.de/
{
{0xfd, 0x73, 0xda, 0xd3, 0x1c, 0x64, 0x4f, 0xf1, 0xb4, 0x3b, 0xef,
0x0c, 0xcd, 0xda, 0x96, 0x71, 0x0b, 0x9c, 0xd9, 0x87, 0x5e, 0xca,
0x7e, 0x31, 0x70, 0x7a, 0xf3, 0xe9, 0x6d, 0x52, 0x2b, 0xbd},
{"1.3.6.1.4.1.7879.13.24.1", ""},
},
// USERTrust ECC Certification Authority
// https://usertrustecccertificationauthority-ev.comodoca.com/
{
{0x4f, 0xf4, 0x60, 0xd5, 0x4b, 0x9c, 0x86, 0xda, 0xbf, 0xbc, 0xfc,
0x57, 0x12, 0xe0, 0x40, 0x0d, 0x2b, 0xed, 0x3f, 0xbc, 0x4d, 0x4f,
0xbd, 0xaa, 0x86, 0xe0, 0x6a, 0xdc, 0xd2, 0xa9, 0xad, 0x7a},
{"1.3.6.1.4.1.6449.1.2.1.5.1", ""},
},
// USERTrust RSA Certification Authority
// https://usertrustrsacertificationauthority-ev.comodoca.com/
{
{0xe7, 0x93, 0xc9, 0xb0, 0x2f, 0xd8, 0xaa, 0x13, 0xe2, 0x1c, 0x31,
0x22, 0x8a, 0xcc, 0xb0, 0x81, 0x19, 0x64, 0x3b, 0x74, 0x9c, 0x89,
0x89, 0x64, 0xb1, 0x74, 0x6d, 0x46, 0xc3, 0xd4, 0xcb, 0xd2},
{"1.3.6.1.4.1.6449.1.2.1.5.1", ""},
},
// UTN-USERFirst-Hardware
{
{0x6e, 0xa5, 0x47, 0x41, 0xd0, 0x04, 0x66, 0x7e, 0xed, 0x1b, 0x48,
0x16, 0x63, 0x4a, 0xa3, 0xa7, 0x9e, 0x6e, 0x4b, 0x96, 0x95, 0x0f,
0x82, 0x79, 0xda, 0xfc, 0x8d, 0x9b, 0xd8, 0x81, 0x21, 0x37},
{
"1.3.6.1.4.1.6449.1.2.1.5.1",
// This is the Network Solutions EV OID. However, this root
// cross-certifies NetSol and so we need it here too.
"1.3.6.1.4.1.782.1.2.1.8.1",
},
},
// ValiCert Class 2 Policy Validation Authority
{
{0x58, 0xd0, 0x17, 0x27, 0x9c, 0xd4, 0xdc, 0x63, 0xab, 0xdd, 0xb1,
0x96, 0xa6, 0xc9, 0x90, 0x6c, 0x30, 0xc4, 0xe0, 0x87, 0x83, 0xea,
0xe8, 0xc1, 0x60, 0x99, 0x54, 0xd6, 0x93, 0x55, 0x59, 0x6b},
{"2.16.840.1.114413.1.7.23.3", "2.16.840.1.114414.1.7.23.3"},
},
// VeriSign Class 3 Public Primary Certification Authority
// https://www.verisign.com/
{
{0xe7, 0x68, 0x56, 0x34, 0xef, 0xac, 0xf6, 0x9a, 0xce, 0x93, 0x9a,
0x6b, 0x25, 0x5b, 0x7b, 0x4f, 0xab, 0xef, 0x42, 0x93, 0x5b, 0x50,
0xa2, 0x65, 0xac, 0xb5, 0xcb, 0x60, 0x27, 0xe4, 0x4e, 0x70},
{"2.16.840.1.113733.1.7.23.6", ""},
},
// VeriSign Class 3 Public Primary Certification Authority - G4
{
{0x69, 0xdd, 0xd7, 0xea, 0x90, 0xbb, 0x57, 0xc9, 0x3e, 0x13, 0x5d,
0xc8, 0x5e, 0xa6, 0xfc, 0xd5, 0x48, 0x0b, 0x60, 0x32, 0x39, 0xbd,
0xc4, 0x54, 0xfc, 0x75, 0x8b, 0x2a, 0x26, 0xcf, 0x7f, 0x79},
{"2.16.840.1.113733.1.7.23.6", ""},
},
// VeriSign Class 3 Public Primary Certification Authority - G5
// https://www.verisign.com/
{
{0x9a, 0xcf, 0xab, 0x7e, 0x43, 0xc8, 0xd8, 0x80, 0xd0, 0x6b, 0x26,
0x2a, 0x94, 0xde, 0xee, 0xe4, 0xb4, 0x65, 0x99, 0x89, 0xc3, 0xd0,
0xca, 0xf1, 0x9b, 0xaf, 0x64, 0x05, 0xe4, 0x1a, 0xb7, 0xdf},
{"2.16.840.1.113733.1.7.23.6", ""},
},
// VeriSign Universal Root Certification Authority
{
{0x23, 0x99, 0x56, 0x11, 0x27, 0xa5, 0x71, 0x25, 0xde, 0x8c, 0xef,
0xea, 0x61, 0x0d, 0xdf, 0x2f, 0xa0, 0x78, 0xb5, 0xc8, 0x06, 0x7f,
0x4e, 0x82, 0x82, 0x90, 0xbf, 0xb8, 0x60, 0xe8, 0x4b, 0x3c},
{"2.16.840.1.113733.1.7.23.6", ""},
},
// Wells Fargo WellsSecure Public Root Certificate Authority
// https://nerys.wellsfargo.com/test.html
{
{0xa7, 0x12, 0x72, 0xae, 0xaa, 0xa3, 0xcf, 0xe8, 0x72, 0x7f, 0x7f,
0xb3, 0x9f, 0x0f, 0xb3, 0xd1, 0xe5, 0x42, 0x6e, 0x90, 0x60, 0xb0,
0x6e, 0xe6, 0xf1, 0x3e, 0x9a, 0x3c, 0x58, 0x33, 0xcd, 0x43},
{"2.16.840.1.114171.500.9", ""},
},
// XRamp Global Certification Authority
{
{0xce, 0xcd, 0xdc, 0x90, 0x50, 0x99, 0xd8, 0xda, 0xdf, 0xc5, 0xb1,
0xd2, 0x09, 0xb7, 0x37, 0xcb, 0xe2, 0xc1, 0x8c, 0xfb, 0x2c, 0x10,
0xc0, 0xff, 0x0b, 0xcf, 0x0d, 0x32, 0x86, 0xfc, 0x1a, 0xa2},
{"2.16.840.1.114404.1.1.2.4.1", ""},
}
};
int ssl_x509_is_ev(const char* policy_oid)
{
size_t i=0, j=0;
if(!policy_oid||strlen(policy_oid)==0)
{
return 0;
}
for(i=0; i< sizeof(kEvRootCaMetadata)/sizeof(struct EVMetadata); i++)
{
for(j=0; j<kMaxOIDsPerCA; j++)
{
if(strlen(kEvRootCaMetadata[i].policy_oids[j])>0 &&
strstr(policy_oid, kEvRootCaMetadata[i].policy_oids[j]))
{
return 1;
}
}
}
return 0;
}

9
platform/src/ssl_stream.cpp
View File

@@ -173,6 +173,7 @@ struct ssl_upstream_parts
{
struct cert_verify_param verify_param;
struct cert_verify_result verify_result;
char verify_failed_action;
struct ssl_bypass bypass_condition;
@@ -1077,7 +1078,13 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
else
{
s_stream->up_parts.is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param), error_str, sizeof(error_str));
s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param),
error_str, sizeof(error_str), &(s_stream->up_parts.verify_result));
TFE_LOG_DEBUG(mgr->logger, "SNI: %s hostmatch:%d, ct:%d, ev:%d",
s_upstream->client_hello->sni,
s_stream->up_parts.verify_result.is_hostmatched,
s_stream->up_parts.verify_result.is_ct,
s_stream->up_parts.verify_result.is_ev);
}
if(s_stream->up_parts.is_server_cert_verify_passed)
{

55
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -321,9 +321,9 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
return ret;
}
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason)
int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, SSL * ssl, const char* hostname, struct cert_verify_param* param, char* reason, size_t n_reason, struct cert_verify_result* result)
{
int ret = 0, err_code=0, host_matched=1;
int ret = 0, err_code=0;
char *subj=NULL, *issuer=NULL;
STACK_OF(X509) * cert_chain = SSL_get_peer_cert_chain(ssl);
if (cert_chain == NULL)
@@ -332,47 +332,52 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
return 1;
}
X509 * cert = sk_X509_value(cert_chain, 0);
if(!param->no_verify_cn&&hostname)
{
result->is_hostmatched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
}
else
{
result->is_hostmatched=1;
}
char* oid=ssl_x509_get_extension(cert, NID_certificate_policies);
if(oid)
{
result->is_ev=ssl_x509_is_ev(oid);
}
free(oid);
oid=NULL;
ASN1_OCTET_STRING *sct=NULL;
int crit = 0;
sct = (ASN1_OCTET_STRING*)X509_get_ext_d2i(cert, NID_ct_precert_scts, &crit, NULL);
if(sct)
{
result->is_ct=1;
}
ASN1_STRING_free(sct);
X509_STORE_CTX * ctx = X509_STORE_CTX_new();
pthread_rwlock_rdlock(&(storage->rwlock));
ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain);
assert(ret == 1);
if(!param->no_verify_cn&&!hostname)
{
host_matched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
}
else
{
host_matched=1;
}
X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
// SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_VERIFY_PARAM, &(s_stream->up_parts.verify_param));
X509_STORE_CTX_set_ex_data(ctx, SSL_EX_DATA_IDX_VERIFY_PARAM, param);
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
ret = X509_verify_cert(ctx);
err_code=X509_STORE_CTX_get_error(ctx);
if(ret!=1||host_matched!=1)
result->error_code=err_code;
if(ret!=1)
{
subj=ssl_x509_subject(cert);
issuer=ssl_x509_issuer(cert);
if(host_matched!=1)
{
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
"hostname not matched",
subj,
issuer);
}
else
{
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
snprintf(reason, n_reason, "%s : subject - %s issuer - %s",
X509_verify_cert_error_string(err_code),
subj,
issuer);
}
free(subj);
free(issuer);
ret=0;

46
platform/src/ssl_utils.cpp
View File

@@ -1607,6 +1607,52 @@ char * ssl_x509_to_pem(X509 * crt)
BIO_free(bio);
return ret;
}
char* ssl_x509_get_extension(X509 *cert, int ext_NID)
{
int loc=0;
X509_EXTENSION *ex=NULL;
ASN1_OBJECT *obj=NULL;
BUF_MEM *bptr = NULL;
char *buf = NULL;
BIO *bio=NULL;
char buff[1024];
int ret=0;
loc=X509_get_ext_by_NID(cert, ext_NID, -1);
if(loc<0)
{
goto leave;
}
ex = X509_get_ext(cert, loc);
if(ex==NULL)
{
goto leave;
}
obj = X509_EXTENSION_get_object(ex);
OBJ_obj2txt(buff, 1024, obj, 0);
bio = BIO_new(BIO_s_mem());
if (!X509V3_EXT_print(bio, ex, 0, 0))
{
fprintf(stderr, "Error in reading extensions");
goto leave;
}
ret=BIO_flush(bio);
if(ret!=1)
{
goto leave;
}
BIO_get_mem_ptr(bio, &bptr);
//bptr->data is not NULL terminated - add null character
buf = (char *) malloc((bptr->length + 1) * sizeof(char));
memcpy(buf, bptr->data, bptr->length);
buf[bptr->length] = '\0';
leave:
BIO_free_all(bio);
return buf;
}
/*
* Print SSL_SESSION data to a newly allocated string.