Commit 3b14423a authored by Oleksii Beketov's avatar Oleksii Beketov

[IOT-3276] Multiple CAs allowed

This patch unites reverted #22987 and CTT fix 23279.

PEM/DER casting removed,  allowing mbedtls to manage
certificate conversion by itself. Credresource loads
certificates that could be either PEM or DER encoded
to a linked list instead of pushing them to a buffer.

Change-Id: I6dd0d957721d59feaf70f3dd421bf65d7c02ef1d
Signed-off-by: default avatarOleksii Beketov <ol.beketov@samsung.com>
parent 5a93b8ee
......@@ -45,6 +45,13 @@ typedef struct ByteArray
size_t len; /**< Data size */
} ByteArray_t;
typedef struct ByteArrayLL ByteArrayLL_t;
struct ByteArrayLL
{
ByteArray_t *cert;
ByteArrayLL_t *next;
};
/**@def BYTE_ARRAY_INITIALIZER
*
......@@ -53,6 +60,13 @@ typedef struct ByteArray
#undef BYTE_ARRAY_INITIALIZER
#define BYTE_ARRAY_INITIALIZER {NULL, 0}
/**@def CERT_CHAIN_INITIALIZER
*
* Initializes of existing certificate chain pointer to \a NULL.
*/
#undef CERT_CHAIN_INITIALIZER
#define CERT_CHAIN_INITIALIZER {NULL, NULL}
/**@def INIT_BYTE_ARRAY(array)
*
* Initializes of existing byte array \a array.
......
......@@ -109,6 +109,7 @@ bool CAGetSecureEndpointAttributes(const CAEndpoint_t* peer, uint32_t* allAttrib
*
*/
typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId);
/**
* Binary structure containing PKIX related info
* own certificate chain, public key, CA's and CRL's
......@@ -119,9 +120,9 @@ typedef void (*CAgetCredentialTypesHandler)(bool * list, const char* deviceId);
*/
typedef struct
{
ByteArray_t crt; /**< own certificate chain as a null-terminated PEM string of certificates */
ByteArrayLL_t crt; /**< own certificate chain as a null-terminated PEM string of certificates */
ByteArray_t key; /**< own private key as binary-encoded DER */
ByteArray_t ca; /**< trusted CAs as a null-terminated PEM string of certificates */
ByteArrayLL_t ca; /**< trusted CAs as a null-terminated PEM string of certificates */
ByteArray_t crl; /**< trusted CRLs as binary-encoded DER */
} PkiInfo_t;
......@@ -333,4 +334,3 @@ void CAcloseSslConnectionAll(CATransportAdapter_t transportType);
#endif /* CA_SECURITY_INTERFACE_H_ */
......@@ -27,6 +27,9 @@ ca_common_src = [
os.path.join(ca_common_src_path, 'caremotehandler.c')
]
if connectivity_env.get('SECURED') == '1':
ca_common_src.append(os.path.join(ca_common_src_path, 'parsechain.c'))
if connectivity_env['POSIX_SUPPORTED'] or target_os in ['windows']:
ca_common_src.append(os.path.join(ca_common_src_path, 'cathreadpool_pthreads.c'))
......
/* ****************************************************************
*
* Copyright 2017 Samsung Electronics All Rights Reserved.
*
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************/
#ifndef U_PARSECHAIN_H_
#define U_PARSECHAIN_H_
#include <mbedtls/ssl.h>
#include "casecurityinterface.h"
#ifdef __cplusplus
extern "C"
{
#endif
/**
* Parse chain of X.509 certificates.
*
* @param[out] crt container for X.509 certificates
* @param[in] certs array of X.509 certificates
* @param[in] errNum number of certificates that failed to parse
*
* @return number of successfully parsed certificates or -1 on error
*/
int ParseChain(mbedtls_x509_crt *crt, const ByteArrayLL_t *certs, int *errNum);
/**
* Free chain of X.509 certificates.
*
* @param[in] certs array of X.509 certificates
*/
void FreeCertChain(ByteArrayLL_t *certs);
#ifdef __cplusplus
}
#endif
#endif /* U_ARRAYLIST_H_ */
/******************************************************************
*
* Copyright 2017 Samsung Electronics All Rights Reserved.
*
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
******************************************************************/
#include "parsechain.h"
#include "utlist.h"
#include "caadapterutils.h"
#include "oic_malloc.h"
#define PARSE_CHAIN_TAG "OIC_PARSE_CHAIN"
int ParseChain(mbedtls_x509_crt *crt, const ByteArrayLL_t *certs, int *errNum)
{
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "In %s", __func__);
VERIFY_NON_NULL_RET(crt, PARSE_CHAIN_TAG, "Param crt is NULL", -1);
VERIFY_NON_NULL_RET(certs, PARSE_CHAIN_TAG, "Param certs is NULL", -1);
VERIFY_NON_NULL_RET(errNum, PARSE_CHAIN_TAG, "Param errNum is NULL", -1);
VERIFY_NON_NULL_RET(certs->cert, PARSE_CHAIN_TAG, "certs->cert is NULL", -1);
int count = 0;
int ret = 0;
*errNum = 0;
const ByteArrayLL_t *temp = certs;
LL_FOREACH(certs, temp)
{
ret = mbedtls_x509_crt_parse(crt, temp->cert->data, temp->cert->len);
if (0 == ret)
{
count++;
}
else
{
(*errNum)++;
OIC_LOG_V(ERROR, PARSE_CHAIN_TAG, "mbedtls_x509_crt_parse returned -0x%04x\n", -(ret));
return -1;
}
}
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "%s successfully parsed %d certificates", __func__, count);
OIC_LOG_V(DEBUG, PARSE_CHAIN_TAG, "Out %s", __func__);
return count;
}
void FreeCertChain(ByteArrayLL_t *certs)
{
ByteArrayLL_t *tmp0 = certs, *tmp1 = NULL, *tmp2 = NULL;
LL_FOREACH_SAFE(tmp0, tmp1, tmp2)
{
LL_DELETE(tmp0, tmp1);
if (NULL != tmp1->cert) {
if (NULL != tmp1->cert->data)
{
OICFree(tmp1->cert->data);
}
OICFree(tmp1->cert);
}
tmp1 = NULL;
}
}
......@@ -38,6 +38,8 @@
#include "experimental/byte_array.h"
#include "octhread.h"
#include "octimer.h"
#include "utlist.h"
#include "parsechain.h"
// headers required for mbed TLS
#include "mbedtls/platform.h"
......@@ -647,57 +649,6 @@ static int RecvCallBack(void * tep, unsigned char * data, size_t dataLen)
return (int)retLen;
}
/**
* Parse chain of X.509 certificates.
*
* @param[out] crt container for X.509 certificates
* @param[in] buf buffer with X.509 certificates. Certificates must be in a single null-terminated
* string, with each certificate in PEM encoding with headers.
* @param[in] bufLen buffer length
* @param[in] errNum number certificates that failed to parse
*
* @return number of successfully parsed certificates or -1 on error
*/
static int ParseChain(mbedtls_x509_crt * crt, unsigned char * buf, size_t bufLen, int * errNum)
{
int ret;
OIC_LOG_V(DEBUG, NET_SSL_TAG, "In %s", __func__);
VERIFY_NON_NULL_RET(crt, NET_SSL_TAG, "Param crt is NULL", -1);
VERIFY_NON_NULL_RET(buf, NET_SSL_TAG, "Param buf is NULL", -1);
if (NULL != errNum)
{
*errNum = 0;
}
if ((bufLen >= 2) && (buf[0] == 0x30) && (buf[1] == 0x82))
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "DER-encoded certificate passed to ParseChain");
return -1;
}
ret = mbedtls_x509_crt_parse(crt, buf, bufLen);
if (0 > ret)
{
OIC_LOG_V(ERROR, NET_SSL_TAG, "mbedtls_x509_crt_parse failed: -0x%04x", -(ret));
return -1;
}
if (NULL != errNum)
{
*errNum = ret;
}
ret = 0;
for (const mbedtls_x509_crt *cur = crt; cur != NULL; cur = cur->next)
{
ret++;
}
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
return ret;
}
/**
* Deinit Pki Info
*
......@@ -714,9 +665,9 @@ static void DeInitPkixInfo(PkiInfo_t * inf)
return;
}
DEINIT_BYTE_ARRAY(inf->crt);
FreeCertChain(&(inf->crt));
DEINIT_BYTE_ARRAY(inf->key);
DEINIT_BYTE_ARRAY(inf->ca);
FreeCertChain(&(inf->ca));
DEINIT_BYTE_ARRAY(inf->crl);
OIC_LOG_V(DEBUG, NET_SSL_TAG, "Out %s", __func__);
......@@ -729,9 +680,9 @@ static int InitPKIX(CATransportAdapter_t adapter)
VERIFY_NON_NULL_RET(g_getPkixInfoCallback, NET_SSL_TAG, "PKIX info callback is NULL", -1);
// load pk key, cert, trust chain and crl
PkiInfo_t pkiInfo = {
CERT_CHAIN_INITIALIZER,
BYTE_ARRAY_INITIALIZER,
BYTE_ARRAY_INITIALIZER,
BYTE_ARRAY_INITIALIZER,
CERT_CHAIN_INITIALIZER,
BYTE_ARRAY_INITIALIZER
};
......@@ -739,7 +690,6 @@ static int InitPKIX(CATransportAdapter_t adapter)
{
g_getPkixInfoCallback(&pkiInfo);
}
VERIFY_NON_NULL_RET(g_caSslContext, NET_SSL_TAG, "SSL Context is NULL", -1);
mbedtls_x509_crt_free(&g_caSslContext->ca);
......@@ -751,7 +701,6 @@ static int InitPKIX(CATransportAdapter_t adapter)
mbedtls_x509_crt_init(&g_caSslContext->crt);
mbedtls_pk_init(&g_caSslContext->pkey);
mbedtls_x509_crl_init(&g_caSslContext->crl);
mbedtls_ssl_config * serverConf = (adapter == CA_ADAPTER_IP ||
adapter == CA_ADAPTER_GATT_BTLE ?
&g_caSslContext->serverDtlsConf : &g_caSslContext->serverTlsConf);
......@@ -761,7 +710,7 @@ static int InitPKIX(CATransportAdapter_t adapter)
// optional
int ret;
int errNum;
int count = ParseChain(&g_caSslContext->crt, pkiInfo.crt.data, pkiInfo.crt.len, &errNum);
int count = ParseChain(&g_caSslContext->crt, &(pkiInfo.crt), &errNum);
if (0 >= count)
{
OIC_LOG(WARNING, NET_SSL_TAG, "Own certificate chain parsing error");
......@@ -810,7 +759,7 @@ static int InitPKIX(CATransportAdapter_t adapter)
}
required:
count = ParseChain(&g_caSslContext->ca, pkiInfo.ca.data, pkiInfo.ca.len, &errNum);
count = ParseChain(&g_caSslContext->ca, &(pkiInfo.ca), &errNum);
if(0 >= count)
{
OIC_LOG(ERROR, NET_SSL_TAG, "CA chain parsing error");
......
......@@ -81,7 +81,7 @@ void adapter_handler(CATransportAdapter_t /*adapter*/,
{
}
void connection_handler(const CAEndpoint_t * /*endpoint*/,
void connection_handler(const CAEndpoint_t * /*endpoint*/,
bool /*connected*/)
{
}
......@@ -199,12 +199,14 @@ void provide_x509_cert_and_key(PkiInfo_t* inf)
{
/* PEM data must end in newline and be null terminated for IoTivity */
inf->crt.data = (uint8_t*) our_cert;
inf->crt.len = strlen(our_cert) + 1;
inf->crt.cert->data = (uint8_t*) our_cert;
inf->crt.cert->len = strlen(our_cert) + 1;
inf->crt.next = NULL;
inf->key.data = (uint8_t*) our_key;
inf->key.len = strlen(our_key) + 1;
inf->ca.data = (uint8_t*) our_ca;
inf->ca.len = strlen(our_ca) + 1;
inf->ca.cert->data = (uint8_t*) our_ca;
inf->ca.cert->len = strlen(our_ca) + 1;
inf->ca.next = NULL;
// CRL not provided
inf->crl.data = NULL;
......@@ -222,11 +224,11 @@ void provide_supported_credential_types(bool* list, const char* /*deviceId*/)
{
list[1] = true;
/*
* Note: there is a default implementation of this in credresource.c, exposed by
* pkix_interface.h, called InitManufacturerCipherSuiteList. If the cred resource
* has a credential of the required type, it updates list accordingly.
* Note: there is a default implementation of this in credresource.c, exposed by
* pkix_interface.h, called InitManufacturerCipherSuiteList. If the cred resource
* has a credential of the required type, it updates list accordingly.
*
* In a separate test, we could use the cred resource and APIs (credresource.h).
* In a separate test, we could use the cred resource and APIs (credresource.h).
*/
return;
}
......@@ -365,9 +367,9 @@ TEST_F(CATests, DISABLED_PkiTest)
{
// @todo: this test is disabled for now, it crashes with an invalid write. Cert data
// provided by the provide_x509_cert_and_key is stored as const char, but ParseChain()
// (in ca_adapter_net_ssl.c) writes to it while reading. We could change the test to
// (in ca_adapter_net_ssl.c) writes to it while reading. We could change the test to
// provide data on the heap, but the CA stack should not be changing data provided to it
// by callbacks.
// by callbacks.
const char* local_addr = "127.0.0.1";
uint16_t local_port = 5503;
......@@ -391,7 +393,7 @@ TEST_F(CATests, DISABLED_PkiTest)
// Register a working callback to provide the keys, expect success.
EXPECT_EQ(CA_STATUS_OK, CAregisterPkixInfoHandler(provide_x509_cert_and_key));
EXPECT_EQ(CA_STATUS_OK, CAInitiateHandshake(serverAddr));
EXPECT_EQ(CA_STATUS_OK, CAInitiateHandshake(serverAddr));
CADestroyEndpoint(serverAddr);
}
......
......@@ -106,9 +106,8 @@
*
* *************************/
// Data blob contains 7 certificates in PEM and DER encoding
unsigned char certChain[] = {
// PEM encoded certificate
// 10 certificates in PEM and DER encoding
unsigned char cert0[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x43,
0x6e, 0x44, 0x43, 0x43, 0x41, 0x6a, 0x2b, 0x67, 0x41, 0x77, 0x49, 0x42, 0x41, 0x67, 0x49, 0x55,
......@@ -169,8 +168,9 @@ unsigned char certChain[] = {
0x61, 0x6b, 0x76, 0x72, 0x4e, 0x4b, 0x66, 0x44, 0x79, 0x2b, 0x4f, 0x4e, 0x43, 0x6e, 0x4e, 0x6e,
0x43, 0x59, 0x57, 0x4a, 0x37, 0x39, 0x35, 0x4b, 0x49, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45,
0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d,
// PEM encoded certificate
0x2d, 0x2d, 0x2d, 0x00
};
unsigned char cert1[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x43,
0x6e, 0x44, 0x43, 0x43, 0x41, 0x6a, 0x2b, 0x67, 0x41, 0x77, 0x49, 0x42, 0x41, 0x67, 0x49, 0x55,
......@@ -231,8 +231,9 @@ unsigned char certChain[] = {
0x61, 0x6b, 0x76, 0x72, 0x4e, 0x4b, 0x66, 0x44, 0x79, 0x2b, 0x4f, 0x4e, 0x43, 0x6e, 0x4e, 0x6e,
0x43, 0x59, 0x57, 0x4a, 0x37, 0x39, 0x35, 0x4b, 0x49, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45,
0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d,
// PEM encoded certificate
0x2d, 0x2d, 0x2d, 0x00
};
unsigned char cert2[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0d, 0x0a, 0x4d, 0x49, 0x49,
0x45, 0x67, 0x44, 0x43, 0x43, 0x41, 0x32, 0x69, 0x67, 0x41, 0x77, 0x49, 0x42, 0x41, 0x67, 0x49,
......@@ -336,7 +337,9 @@ unsigned char certChain[] = {
0x56, 0x6e, 0x79, 0x63, 0x6e, 0x4a, 0x73, 0x43, 0x68, 0x65, 0x73, 0x0d, 0x0a, 0x46, 0x4c, 0x78,
0x6f, 0x6c, 0x77, 0x3d, 0x3d, 0x0d, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20,
0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
// PEM encoded certificate
0x00
};
unsigned char cert3[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x44,
0x38, 0x44, 0x43, 0x43, 0x41, 0x74, 0x69, 0x67, 0x41, 0x77, 0x49, 0x42, 0x41, 0x67, 0x49, 0x44,
......@@ -426,8 +429,9 @@ unsigned char certChain[] = {
0x6c, 0x6d, 0x77, 0x75, 0x39, 0x52, 0x59, 0x32, 0x33, 0x6e, 0x48, 0x4d, 0x41, 0x63, 0x49, 0x53,
0x0a, 0x77, 0x53, 0x48, 0x47, 0x46, 0x67, 0x3d, 0x3d, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45,
0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d,
// PEM encoded certificate
0x2d, 0x2d, 0x2d, 0x00
};
unsigned char cert4[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x43,
0x6e, 0x44, 0x43, 0x43, 0x41, 0x6a, 0x2b, 0x67, 0x41, 0x77, 0x49, 0x42, 0x41, 0x67, 0x49, 0x55,
......@@ -488,8 +492,9 @@ unsigned char certChain[] = {
0x61, 0x6b, 0x76, 0x72, 0x4e, 0x4b, 0x66, 0x44, 0x79, 0x2b, 0x4f, 0x4e, 0x43, 0x6e, 0x4e, 0x6e,
0x43, 0x59, 0x57, 0x4a, 0x37, 0x39, 0x35, 0x4b, 0x49, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45,
0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d,
// PEM encoded certificate
0x2d, 0x2d, 0x2d, 0x00
};
unsigned char cert5[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x44,
0x38, 0x44, 0x43, 0x43, 0x41, 0x74, 0x69, 0x67, 0x41, 0x77, 0x49, 0x42, 0x41, 0x67, 0x49, 0x44,
......@@ -579,8 +584,9 @@ unsigned char certChain[] = {
0x6c, 0x6d, 0x77, 0x75, 0x39, 0x52, 0x59, 0x32, 0x33, 0x6e, 0x48, 0x4d, 0x41, 0x63, 0x49, 0x53,
0x0a, 0x77, 0x53, 0x48, 0x47, 0x46, 0x67, 0x3d, 0x3d, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45,
0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d,
// PEM encoded certificate
0x2d, 0x2d, 0x2d, 0x00
};
unsigned char cert6[] = {
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49,
0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x49, 0x49, 0x43,
0x6e, 0x44, 0x43, 0x43, 0x41, 0x6a, 0x2b, 0x67, 0x41, 0x77, 0x49, 0x42, 0x41, 0x67, 0x49, 0x55,
......@@ -641,11 +647,122 @@ unsigned char certChain[] = {
0x61, 0x6b, 0x76, 0x72, 0x4e, 0x4b, 0x66, 0x44, 0x79, 0x2b, 0x4f, 0x4e, 0x43, 0x6e, 0x4e, 0x6e,
0x43, 0x59, 0x57, 0x4a, 0x37, 0x39, 0x35, 0x4b, 0x49, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45,
0x4e, 0x44, 0x20, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d,
// NULL terminator
0x00
0x2d, 0x2d, 0x2d, 0x00
};
unsigned char cert7[] = {
0x30, 0x82, 0x02, 0x39, 0x30, 0x82, 0x01, 0xdf, 0x02, 0x01, 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x7c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
0x09, 0x53, 0x6f, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x74, 0x65, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03,
0x55, 0x04, 0x07, 0x0c, 0x08, 0x53, 0x6f, 0x6d, 0x65, 0x63, 0x69, 0x74, 0x79, 0x31, 0x0b, 0x30,
0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x42, 0x42, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
0x55, 0x04, 0x0b, 0x0c, 0x0d, 0x53, 0x65, 0x71, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x50, 0x61,
0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x6f, 0x62, 0x31,
0x14, 0x30, 0x12, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x05,
0x6f, 0x62, 0x40, 0x62, 0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x38, 0x31, 0x35, 0x31,
0x33, 0x31, 0x31, 0x31, 0x37, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x35, 0x31, 0x32, 0x31, 0x33,
0x31, 0x31, 0x31, 0x37, 0x5a, 0x30, 0x81, 0xd4, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x41, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x03,
0x41, 0x73, 0x64, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x06, 0x47, 0x6f,
0x74, 0x68, 0x61, 0x6d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x5a,
0x5a, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x08, 0x42, 0x65, 0x61, 0x6d,
0x54, 0x65, 0x61, 0x6d, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x09, 0x01, 0x16, 0x0d, 0x72, 0x61, 0x69, 0x6c, 0x40, 0x6d, 0x61, 0x69, 0x6c, 0x2e, 0x63,
0x6f, 0x6d, 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x29, 0x75, 0x75, 0x69,
0x64, 0x3a, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x2d, 0x33, 0x32, 0x33, 0x32, 0x2d,
0x33, 0x32, 0x33, 0x32, 0x2d, 0x33, 0x32, 0x33, 0x32, 0x2d, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32,
0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x0c,
0x2b, 0x75, 0x73, 0x65, 0x72, 0x69, 0x64, 0x3a, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37,
0x2d, 0x36, 0x37, 0x36, 0x37, 0x2d, 0x36, 0x37, 0x36, 0x37, 0x2d, 0x36, 0x37, 0x36, 0x37, 0x2d,
0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x30, 0x59, 0x30, 0x13,
0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xf7, 0x13, 0x5c, 0x73, 0x72, 0xce, 0x10, 0xe5, 0x09,
0x97, 0x9a, 0xf8, 0xf2, 0x70, 0xa6, 0x3d, 0x89, 0xf5, 0xc5, 0xe4, 0x44, 0xe2, 0x4a, 0xb6, 0x61,
0xa8, 0x12, 0x8d, 0xb4, 0xdc, 0x2b, 0x47, 0x84, 0x60, 0x0c, 0x25, 0x66, 0xe9, 0xe0, 0xe5, 0xac,
0x22, 0xbf, 0x15, 0xdc, 0x71, 0xb1, 0x88, 0x4f, 0x16, 0xbf, 0xc2, 0x77, 0x37, 0x76, 0x3f, 0xe0,
0x67, 0xc6, 0x1d, 0x23, 0xfe, 0x7c, 0x8b, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x47, 0xcc, 0x41, 0x8a, 0x27, 0xc7,
0xd0, 0xaa, 0xb4, 0xab, 0x85, 0xbf, 0x09, 0x4d, 0x06, 0xd7, 0x7e, 0x0d, 0x39, 0xf9, 0x36, 0xa1,
0x3d, 0x96, 0x23, 0xe2, 0x24, 0x64, 0x98, 0x63, 0x21, 0xba, 0x02, 0x21, 0x00, 0xe5, 0x8f, 0x7f,
0xf1, 0xa6, 0x82, 0x03, 0x6a, 0x18, 0x7a, 0x54, 0xe7, 0x0e, 0x25, 0x77, 0xd8, 0x46, 0xfa, 0x96,
0x8a, 0x7e, 0x14, 0xc4, 0xcb, 0x21, 0x32, 0x3e, 0x89, 0xd9, 0xba, 0x8c, 0x3f
};
unsigned char cert8[] = {
0x30, 0x82, 0x02, 0x39, 0x30, 0x82, 0x01, 0xdf, 0x02, 0x01, 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x7c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
0x09, 0x53, 0x6f, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x74, 0x65, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03,
0x55, 0x04, 0x07, 0x0c, 0x08, 0x53, 0x6f, 0x6d, 0x65, 0x63, 0x69, 0x74, 0x79, 0x31, 0x0b, 0x30,
0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x42, 0x42, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
0x55, 0x04, 0x0b, 0x0c, 0x0d, 0x53, 0x65, 0x71, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x50, 0x61,
0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x6f, 0x62, 0x31,
0x14, 0x30, 0x12, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x05,
0x6f, 0x62, 0x40, 0x62, 0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x38, 0x31, 0x35, 0x31,
0x33, 0x31, 0x31, 0x31, 0x37, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x35, 0x31, 0x32, 0x31, 0x33,
0x31, 0x31, 0x31, 0x37, 0x5a, 0x30, 0x81, 0xd4, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x41, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x03,
0x41, 0x73, 0x64, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x06, 0x47, 0x6f,
0x74, 0x68, 0x61, 0x6d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x5a,
0x5a, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x08, 0x42, 0x65, 0x61, 0x6d,
0x54, 0x65, 0x61, 0x6d, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x09, 0x01, 0x16, 0x0d, 0x72, 0x61, 0x69, 0x6c, 0x40, 0x6d, 0x61, 0x69, 0x6c, 0x2e, 0x63,
0x6f, 0x6d, 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x29, 0x75, 0x75, 0x69,
0x64, 0x3a, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x2d, 0x33, 0x32, 0x33, 0x32, 0x2d,
0x33, 0x32, 0x33, 0x32, 0x2d, 0x33, 0x32, 0x33, 0x32, 0x2d, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32,
0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x0c,
0x2b, 0x75, 0x73, 0x65, 0x72, 0x69, 0x64, 0x3a, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37,
0x2d, 0x36, 0x37, 0x36, 0x37, 0x2d, 0x36, 0x37, 0x36, 0x37, 0x2d, 0x36, 0x37, 0x36, 0x37, 0x2d,
0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x36, 0x37, 0x30, 0x59, 0x30, 0x13,
0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xf7, 0x13, 0x5c, 0x73, 0x72, 0xce, 0x10, 0xe5, 0x09,
0x97, 0x9a, 0xf8, 0xf2, 0x70, 0xa6, 0x3d, 0x89, 0xf5, 0xc5, 0xe4, 0x44, 0xe2, 0x4a, 0xb6, 0x61,
0xa8, 0x12, 0x8d, 0xb4, 0xdc, 0x2b, 0x47, 0x84, 0x60, 0x0c, 0x25, 0x66, 0xe9, 0xe0, 0xe5, 0xac,
0x22, 0xbf, 0x15, 0xdc, 0x71, 0xb1, 0x88, 0x4f, 0x16, 0xbf, 0xc2, 0x77, 0x37, 0x76, 0x3f, 0xe0,
0x67, 0xc6, 0x1d, 0x23, 0xfe, 0x7c, 0x8b, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x47, 0xcc, 0x41, 0x8a, 0x27, 0xc7,
0xd0, 0xaa, 0xb4, 0xab, 0x85, 0xbf, 0x09, 0x4d, 0x06, 0xd7, 0x7e, 0x0d, 0x39, 0xf9, 0x36, 0xa1,
0x3d, 0x96, 0x23, 0xe2, 0x24, 0x64, 0x98, 0x63, 0x21, 0xba, 0x02, 0x21, 0x00, 0xe5, 0x8f, 0x7f,
0xf1, 0xa6, 0x82, 0x03, 0x6a, 0x18, 0x7a, 0x54, 0xe7, 0x0e, 0x25, 0x77, 0xd8, 0x46, 0xfa, 0x96,
0x8a, 0x7e, 0x14, 0xc4, 0xcb, 0x21, 0x32, 0x3e, 0x89, 0xd9, 0xba, 0x8c, 0x3f
};
unsigned char cert9[] = {
0x30, 0x82, 0x02, 0x39, 0x30, 0x82, 0x01, 0xdf, 0x02, 0x01, 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x7c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
0x09, 0x53, 0x6f, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x74, 0x65, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03,
0x55, 0x04, 0x07, 0x0c, 0x08, 0x53, 0x6f, 0x6d, 0x65, 0x63, 0x69, 0x74, 0x79, 0x31, 0x0b, 0x30,
0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x42, 0x42, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
0x55, 0x04, 0x0b, 0x0c, 0x0d, 0x53, 0x65, 0x71, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x50, 0x61,
0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x02, 0x6f, 0x62, 0x31,
0x14, 0x30, 0x12, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x05,
0x6f, 0x62, 0x40, 0x62, 0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x38, 0x31, 0x35, 0x31,
0x33, 0x31, 0x31, 0x31, 0x37, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x35, 0x31, 0x32, 0x31, 0x33,
0x31, 0x31, 0x31, 0x37, 0x5a, 0x30, 0x81, 0xd4, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x41, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x03,
0x41, 0x73, 0x64, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x06, 0x47, 0x6f,
0x74, 0x68, 0x61, 0x6d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x5a,
0x5a, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x08, 0x42, 0x65, 0x61, 0x6d,
0x54, 0x65, 0x61, 0x6d, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x09, 0x01, 0x16, 0x0d, 0x72, 0x61, 0x69, 0x6c, 0x40, 0x6d, 0x61, 0x69, 0x6c, 0x2e, 0x63,
0x6f, 0x6d, 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x29, 0x75, 0x75, 0x69,
0x64, 0x3a, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x33, 0x32, 0x2d, 0x33, 0x32, 0x33, 0x32, 0x2d,