Diffstat (limited to 'lib/hx509')
-rw-r--r--lib/hx509/Makefile.am100
-rw-r--r--lib/hx509/Makefile.in2337
-rw-r--r--lib/hx509/NTMakefile51
-rw-r--r--lib/hx509/ca.c1889
-rw-r--r--lib/hx509/cert.c621
-rw-r--r--lib/hx509/cms.c109
-rw-r--r--lib/hx509/collector.c27
-rw-r--r--lib/hx509/crmf.asn1113
-rw-r--r--lib/hx509/crypto-ec.c513
-rw-r--r--lib/hx509/crypto.c156
-rw-r--r--lib/hx509/data/PKITS.pdfbin0 -> 754584 bytes
-rw-r--r--lib/hx509/data/ca.crt60
-rw-r--r--lib/hx509/data/ca.key100
-rw-r--r--lib/hx509/data/crl1.crl26
-rw-r--r--lib/hx509/data/crl1.derbin649 -> 649 bytes
-rw-r--r--lib/hx509/data/https.crt188
-rw-r--r--lib/hx509/data/https.key100
-rw-r--r--lib/hx509/data/kdc.crt192
-rw-r--r--lib/hx509/data/kdc.key100
-rw-r--r--lib/hx509/data/no-proxy-test.crt56
-rw-r--r--lib/hx509/data/no-proxy-test.key100
-rw-r--r--lib/hx509/data/ocsp-req1.derbin105 -> 105 bytes
-rw-r--r--lib/hx509/data/ocsp-req2.derbin105 -> 105 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-ca.derbin2157 -> 2159 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-keyhash.derbin2058 -> 2060 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-ocsp-no-cert.derbin748 -> 748 bytes
-rw-r--r--lib/hx509/data/ocsp-resp1-ocsp.derbin2076 -> 2078 bytes
-rw-r--r--lib/hx509/data/ocsp-resp2.derbin2093 -> 2095 bytes
-rw-r--r--lib/hx509/data/ocsp-responder.crt190
-rw-r--r--lib/hx509/data/ocsp-responder.key100
-rw-r--r--lib/hx509/data/pkinit-ec.crt112
-rw-r--r--lib/hx509/data/pkinit-ec.key6
-rw-r--r--lib/hx509/data/pkinit-proxy-chain.crt246
-rw-r--r--lib/hx509/data/pkinit-proxy.crt56
-rw-r--r--lib/hx509/data/pkinit-proxy.key100
-rw-r--r--lib/hx509/data/pkinit-pw.key100
-rw-r--r--lib/hx509/data/pkinit.crt190
-rw-r--r--lib/hx509/data/pkinit.key100
-rw-r--r--lib/hx509/data/proxy-level-test.crt58
-rw-r--r--lib/hx509/data/proxy-level-test.key100
-rw-r--r--lib/hx509/data/proxy-test.crt56
-rw-r--r--lib/hx509/data/proxy-test.key100
-rw-r--r--lib/hx509/data/proxy10-child-child-test.crt58
-rw-r--r--lib/hx509/data/proxy10-child-child-test.key100
-rw-r--r--lib/hx509/data/proxy10-child-test.crt58
-rw-r--r--lib/hx509/data/proxy10-child-test.key100
-rw-r--r--lib/hx509/data/proxy10-test.crt56
-rw-r--r--lib/hx509/data/proxy10-test.key100
-rw-r--r--lib/hx509/data/revoke.crt188
-rw-r--r--lib/hx509/data/revoke.key100
-rw-r--r--lib/hx509/data/sub-ca.crt196
-rw-r--r--lib/hx509/data/sub-ca.key100
-rw-r--r--lib/hx509/data/sub-cert.crt188
-rw-r--r--lib/hx509/data/sub-cert.key100
-rw-r--r--lib/hx509/data/sub-cert.p12bin7064 -> 7072 bytes
-rw-r--r--lib/hx509/data/tcg-devid.pem24
-rw-r--r--lib/hx509/data/tcg-ek-cp.pem24
-rw-r--r--lib/hx509/data/test-ds-only.crt190
-rw-r--r--lib/hx509/data/test-ds-only.key100
-rw-r--r--lib/hx509/data/test-enveloped-aes-128bin3547 -> 3547 bytes
-rw-r--r--lib/hx509/data/test-enveloped-aes-256bin3547 -> 3547 bytes
-rw-r--r--lib/hx509/data/test-enveloped-desbin3527 -> 3527 bytes
-rw-r--r--lib/hx509/data/test-enveloped-des-ede3bin3530 -> 3530 bytes
-rw-r--r--lib/hx509/data/test-enveloped-rc2-128bin3535 -> 3535 bytes
-rw-r--r--lib/hx509/data/test-enveloped-rc2-40bin3536 -> 3536 bytes
-rw-r--r--lib/hx509/data/test-enveloped-rc2-64bin3535 -> 3535 bytes
-rw-r--r--lib/hx509/data/test-ke-only.crt190
-rw-r--r--lib/hx509/data/test-ke-only.key100
-rw-r--r--lib/hx509/data/test-nopw.p12bin5508 -> 5510 bytes
-rw-r--r--lib/hx509/data/test-pw.key100
-rw-r--r--lib/hx509/data/test-signed-databin5055 -> 5057 bytes
-rw-r--r--lib/hx509/data/test-signed-data-noattrbin4824 -> 4826 bytes
-rw-r--r--lib/hx509/data/test-signed-data-noattr-nocertsbin3537 -> 3537 bytes
-rw-r--r--lib/hx509/data/test-signed-sha-1bin5035 -> 5037 bytes
-rw-r--r--lib/hx509/data/test-signed-sha-256bin5055 -> 5057 bytes
-rw-r--r--lib/hx509/data/test-signed-sha-512bin5088 -> 5090 bytes
-rw-r--r--lib/hx509/data/test.combined.crt288
-rw-r--r--lib/hx509/data/test.crt188
-rw-r--r--lib/hx509/data/test.key100
-rw-r--r--lib/hx509/data/test.p12bin5600 -> 5608 bytes
-rw-r--r--lib/hx509/env.c10
-rw-r--r--lib/hx509/error.c75
-rw-r--r--lib/hx509/file.c105
-rw-r--r--lib/hx509/hx509-private.h493
-rw-r--r--lib/hx509/hx509-protos.h3154
-rw-r--r--lib/hx509/hx509.h37
-rw-r--r--lib/hx509/hx509_err.et1
-rw-r--r--lib/hx509/hx_locl.h11
-rw-r--r--lib/hx509/hxtool-commands.in290
-rw-r--r--lib/hx509/hxtool.1380
-rw-r--r--lib/hx509/hxtool.c1255
-rw-r--r--lib/hx509/keyset.c121
-rw-r--r--lib/hx509/ks_dir.c9
-rw-r--r--lib/hx509/ks_file.c219
-rw-r--r--lib/hx509/ks_keychain.c10
-rw-r--r--lib/hx509/ks_mem.c5
-rw-r--r--lib/hx509/ks_null.c3
-rw-r--r--lib/hx509/ks_p11.c22
-rw-r--r--lib/hx509/ks_p12.c106
-rw-r--r--lib/hx509/libhx509-exports.def76
-rw-r--r--lib/hx509/lock.c30
-rw-r--r--lib/hx509/name.c696
-rw-r--r--lib/hx509/ocsp.asn1113
-rw-r--r--lib/hx509/ocsp.opt2
-rw-r--r--lib/hx509/peer.c18
-rw-r--r--lib/hx509/pkcs10.asn125
-rw-r--r--lib/hx509/pkcs10.opt1
-rw-r--r--lib/hx509/print.c415
-rw-r--r--lib/hx509/req.c1440
-rw-r--r--lib/hx509/revoke.c58
-rw-r--r--lib/hx509/sel-gram.c1546
-rw-r--r--lib/hx509/sel-gram.h108
-rw-r--r--lib/hx509/sel-gram.y4
-rw-r--r--lib/hx509/sel-lex.c1941
-rw-r--r--lib/hx509/sel.c15
-rw-r--r--lib/hx509/sel.h14
-rw-r--r--lib/hx509/softp11.c48
-rw-r--r--lib/hx509/test_ca.in28
-rw-r--r--lib/hx509/test_name.c88
-rw-r--r--lib/hx509/test_nist.in15
-rw-r--r--lib/hx509/test_req.in110
-rw-r--r--lib/hx509/version-script.map67
122 files changed, 10308 insertions, 13856 deletions
diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am
index b21d85202c1f..fe13451d1f24 100644
--- a/lib/hx509/Makefile.am
+++ b/lib/hx509/Makefile.am
@@ -2,56 +2,16 @@ include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_openssl_crypto)
-lib_LTLIBRARIES = libhx509.la
+lib_LTLIBRARIES = libhx509.la libhx509template.la
libhx509_la_LDFLAGS = -version-info 5:0:0
+libhx509template_la_LDFLAGS = -version-info 5:0:0
BUILT_SOURCES = \
sel-gram.h \
- $(gen_files_ocsp:.x=.c) \
- $(gen_files_pkcs10:.x=.c) \
hx509_err.c \
hx509_err.h
-gen_files_ocsp = \
- asn1_OCSPBasicOCSPResponse.x \
- asn1_OCSPCertID.x \
- asn1_OCSPCertStatus.x \
- asn1_OCSPInnerRequest.x \
- asn1_OCSPKeyHash.x \
- asn1_OCSPRequest.x \
- asn1_OCSPResponderID.x \
- asn1_OCSPResponse.x \
- asn1_OCSPResponseBytes.x \
- asn1_OCSPResponseData.x \
- asn1_OCSPResponseStatus.x \
- asn1_OCSPSignature.x \
- asn1_OCSPSingleResponse.x \
- asn1_OCSPTBSRequest.x \
- asn1_OCSPVersion.x \
- asn1_id_pkix_ocsp.x \
- asn1_id_pkix_ocsp_basic.x \
- asn1_id_pkix_ocsp_nonce.x
-
-gen_files_pkcs10 = \
- asn1_CertificationRequestInfo.x \
- asn1_CertificationRequest.x
-
-gen_files_crmf = \
- asn1_CRMFRDNSequence.x \
- asn1_CertReqMessages.x \
- asn1_CertReqMsg.x \
- asn1_CertRequest.x \
- asn1_CertTemplate.x \
- asn1_Controls.x \
- asn1_PBMParameter.x \
- asn1_PKMACValue.x \
- asn1_POPOPrivKey.x \
- asn1_POPOSigningKey.x \
- asn1_POPOSigningKeyInput.x \
- asn1_ProofOfPossession.x \
- asn1_SubsequentMessage.x
-
-AM_YFLAGS = -d
+AM_YFLAGS = -d -o sel-gram.c
dist_libhx509_la_SOURCES = \
ca.c \
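Review bot: The new `AM_YFLAGS = -d -o sel-gram.c` hands bison an explicit output name even though automake's ylwrap wrapper is what normally renames `y.tab.c`/`y.tab.h` to `sel-gram.c`/`sel-gram.h`; if ylwrap is still in the loop, the two mechanisms can disagree on the header's name (bison derives it from `-o`), which is presumably why an explicit `sel-gram.h: sel-gram.c` rule had to be added further down in this file. A short comment stating which tool is expected to emit the header would make that dependency legible, e.g. `# bison -o names the generated header sel-gram.h; see the sel-gram.h: sel-gram.c rule below`. The second library `libhx509template.la` is introduced with the same `-version-info 5:0:0` and no explanation of how it differs from `libhx509.la`; from the LIBADD later in the file it appears to be the same sources linked against `libasn1template.la` instead of `libasn1.la`, and a one-line comment at `lib_LTLIBRARIES` saying so would spare the next reader that search. The `dist_libhx509_la_SOURCES` assignment continues past the end of the hunk.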
@@ -88,9 +48,13 @@ dist_libhx509_la_SOURCES = \
req.c \
revoke.c
+dist_libhx509template_la_SOURCES = $(dist_libhx509_la_SOURCES)
+
+sel-gram.h: sel-gram.c
sel-lex.c: sel-gram.h
libhx509_la_DEPENDENCIES = version-script.map
+libhx509template_la_DEPENDENCIES = version-script.map
libhx509_la_LIBADD = \
$(LIB_com_err) \
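Review bot: The added `sel-gram.h: sel-gram.c` rule has no recipe, so it only records that the header is a by-product of building `sel-gram.c`; if `sel-gram.h` is missing while `sel-gram.c` is present and up to date (a partial clean, or a checkout that ships only the .c), make will consider the header "built" and the later compile of `sel-lex.c` fails with a missing include rather than a regeneration. That is acceptable if the intent is documented; a comment such as `# bison -d writes sel-gram.h alongside sel-gram.c; record that without a second bison run` would make the recipe-less rule deliberate rather than suspicious. The `libhx509_la_LIBADD` assignment continues past the end of the hunk.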
@@ -102,43 +66,36 @@ libhx509_la_LIBADD = \
$(LIBADD_roken) \
$(LIB_dlopen)
+libhx509template_la_LIBADD = \
+ $(LIB_com_err) \
+ $(LIB_hcrypto) \
+ $(LIB_openssl_crypto) \
+ $(top_builddir)/lib/asn1/libasn1template.la \
+ $(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/lib/base/libheimbase.la \
+ $(LIBADD_roken) \
+ $(LIB_dlopen)
+
if FRAMEWORK_SECURITY
libhx509_la_LDFLAGS += -framework Security -framework CoreFoundation
+libhx509template_la_LDFLAGS += -framework Security -framework CoreFoundation
endif
if versionscript
libhx509_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
+libhx509template_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
endif
$(libhx509_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
+$(libhx509template_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
-
-$(gen_files_ocsp) ocsp_asn1.hx ocsp_asn1-priv.hx: ocsp_asn1_files
-$(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
-$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
+nodist_libhx509template_la_SOURCES = $(BUILT_SOURCES)
dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
noinst_HEADERS = $(srcdir)/hx509-private.h
nodist_include_HEADERS = hx509_err.h
-nodist_include_HEADERS += ocsp_asn1.h
-nodist_include_HEADERS += pkcs10_asn1.h
-nodist_include_HEADERS += crmf_asn1.h
-
-priv_headers = ocsp_asn1-priv.h
-priv_headers += pkcs10_asn1-priv.h
-priv_headers += crmf_asn1-priv.h
-
-
-ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
-
-pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
-
-crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
ALL_OBJECTS = $(libhx509_la_OBJECTS)
ALL_OBJECTS += $(hxtool_OBJECTS)
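Review bot: `$(priv_headers)` is still a prerequisite on both the existing `$(libhx509_la_OBJECTS):` line and the new `$(libhx509template_la_OBJECTS):` line, yet the only assignments to it (`priv_headers = ocsp_asn1-priv.h` and the two `+=` lines) are deleted in this same hunk, so it now expands to nothing and would trip `--warn-undefined-variables`. Drop it from both lines: `$(libhx509_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS)` and likewise for the template objects. Since `dist_libhx509template_la_SOURCES = $(dist_libhx509_la_SOURCES)` and both `nodist_*_SOURCES` are `$(BUILT_SOURCES)`, the two object lists are presumably identical after expansion and one of the duplicated prerequisite lines could go, but that is a style nit. Note also that `ALL_OBJECTS` is not extended with the template objects; harmless if the object names really coincide, worth a comment if that is the assumption.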
@@ -148,7 +105,7 @@ HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
$(ALL_OBJECTS): $(HX509_PROTOS)
$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
-$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
+$(libhx509template_la_OBJECTS): $(srcdir)/hx_locl.h
$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
$(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
@@ -167,19 +124,13 @@ nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS)
hxtool_LDADD = \
- libhx509.la \
+ libhx509template.la \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_hcrypto) \
$(LIB_roken) \
$(top_builddir)/lib/sl/libsl.la
CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
- $(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[chx]* \
- $(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[chx]* \
- $(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[chx]* \
$(TESTS) \
hxtool-commands.c hxtool-commands.h *.tmp \
request.out \
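Review bot: `hxtool_LDADD` now links `libhx509template.la`, which per its LIBADD earlier in this file is built against `libasn1template.la`, yet the very next line still adds `$(top_builddir)/lib/asn1/libasn1.la`. If both ASN.1 libraries export the same encoder/decoder symbols (I cannot see lib/asn1 here, so this is inferred from the names), the program ends up resolving some of them from one library and some from the other depending on link order, which at best drags in a second copy and at worst mixes two codecs for the same types in a PKI tool. Either change the line to `$(top_builddir)/lib/asn1/libasn1template.la` or add a comment stating why hxtool needs both. The `CLEANFILES` assignment continues past the end of the hunk.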
@@ -314,14 +265,9 @@ EXTRA_DIST = \
hxtool-version.rc \
libhx509-exports.def \
version-script.map \
- crmf.asn1 \
hx509_err.et \
hxtool-commands.in \
quote.py \
- ocsp.asn1 \
- ocsp.opt \
- pkcs10.asn1 \
- pkcs10.opt \
test_ca.in \
test_chain.in \
test_cert.in \
diff --git a/lib/hx509/Makefile.in b/lib/hx509/Makefile.in
deleted file mode 100644
index 19eabe4bc552..000000000000
--- a/lib/hx509/Makefile.in
+++ /dev/null
@@ -1,2337 +0,0 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-# $Id$
-
-# $Id$
-
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
- if test -z '$(MAKELEVEL)'; then \
- false; \
- elif test -n '$(MAKE_HOST)'; then \
- true; \
- elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
- true; \
- else \
- false; \
- fi; \
-}
-am__make_running_with_option = \
- case $${target_option-} in \
- ?) ;; \
- *) echo "am__make_running_with_option: internal error: invalid" \
- "target option '$${target_option-}' specified" >&2; \
- exit 1;; \
- esac; \
- has_opt=no; \
- sane_makeflags=$$MAKEFLAGS; \
- if $(am__is_gnu_make); then \
- sane_makeflags=$$MFLAGS; \
- else \
- case $$MAKEFLAGS in \
- *\\[\ \ ]*) \
- bs=\\; \
- sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
- | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
- esac; \
- fi; \
- skip_next=no; \
- strip_trailopt () \
- { \
- flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
- }; \
- for flg in $$sane_makeflags; do \
- test $$skip_next = yes && { skip_next=no; continue; }; \
- case $$flg in \
- *=*|--*) continue;; \
- -*I) strip_trailopt 'I'; skip_next=yes;; \
- -*I?*) strip_trailopt 'I';; \
- -*O) strip_trailopt 'O'; skip_next=yes;; \
- -*O?*) strip_trailopt 'O';; \
- -*l) strip_trailopt 'l'; skip_next=yes;; \
- -*l?*) strip_trailopt 'l';; \
- -[dEDm]) skip_next=yes;; \
- -[JT]) skip_next=yes;; \
- esac; \
- case $$flg in \
- *$$target_option*) has_opt=yes; break;; \
- esac; \
- done; \
- test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-@FRAMEWORK_SECURITY_TRUE@am__append_1 = -framework Security -framework CoreFoundation
-@versionscript_TRUE@am__append_2 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
-bin_PROGRAMS = hxtool$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1) test_soft_pkcs11$(EXEEXT)
-TESTS = $(SCRIPT_TESTS) $(am__EXEEXT_1)
-subdir = lib/hx509
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
- $(top_srcdir)/cf/auth-modules.m4 \
- $(top_srcdir)/cf/broken-glob.m4 \
- $(top_srcdir)/cf/broken-realloc.m4 \
- $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
- $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
- $(top_srcdir)/cf/capabilities.m4 \
- $(top_srcdir)/cf/check-compile-et.m4 \
- $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
- $(top_srcdir)/cf/check-man.m4 \
- $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
- $(top_srcdir)/cf/check-type-extra.m4 \
- $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/crypto.m4 \
- $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
- $(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
- $(top_srcdir)/cf/find-func-no-libs.m4 \
- $(top_srcdir)/cf/find-func-no-libs2.m4 \
- $(top_srcdir)/cf/find-func.m4 \
- $(top_srcdir)/cf/find-if-not-broken.m4 \
- $(top_srcdir)/cf/framework-security.m4 \
- $(top_srcdir)/cf/have-struct-field.m4 \
- $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
- $(top_srcdir)/cf/krb-bigendian.m4 \
- $(top_srcdir)/cf/krb-func-getlogin.m4 \
- $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
- $(top_srcdir)/cf/krb-prog-perl.m4 \
- $(top_srcdir)/cf/krb-readline.m4 \
- $(top_srcdir)/cf/krb-struct-spwd.m4 \
- $(top_srcdir)/cf/krb-struct-winsize.m4 \
- $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/libtool.m4 \
- $(top_srcdir)/cf/ltoptions.m4 $(top_srcdir)/cf/ltsugar.m4 \
- $(top_srcdir)/cf/ltversion.m4 $(top_srcdir)/cf/lt~obsolete.m4 \
- $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
- $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
- $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/pkg.m4 \
- $(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
- $(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
- $(top_srcdir)/cf/roken-frag.m4 \
- $(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
- $(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
- $(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
- $(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
- $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
- $(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_include_HEADERS) \
- $(noinst_HEADERS) $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/include/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" \
- "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"
-am__EXEEXT_1 = test_name$(EXEEXT) test_expr$(EXEEXT)
-PROGRAMS = $(bin_PROGRAMS)
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
- srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
- for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
- for p in $$list; do echo "$$p $$p"; done | \
- sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
- $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
- if (++n[$$2] == $(am__install_max)) \
- { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
- END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
- sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
- sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
- test -z "$$files" \
- || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
- || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
- $(am__cd) "$$dir" && rm -f $$files; }; \
- }
-LTLIBRARIES = $(lib_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-dist_libhx509_la_OBJECTS = ca.lo cert.lo cms.lo collector.lo crypto.lo \
- crypto-ec.lo doxygen.lo error.lo env.lo file.lo sel.lo \
- sel-gram.lo sel-lex.lo keyset.lo ks_dir.lo ks_file.lo \
- ks_mem.lo ks_null.lo ks_p11.lo ks_p12.lo ks_keychain.lo \
- lock.lo name.lo peer.lo print.lo softp11.lo req.lo revoke.lo
-am__objects_1 = asn1_OCSPBasicOCSPResponse.lo asn1_OCSPCertID.lo \
- asn1_OCSPCertStatus.lo asn1_OCSPInnerRequest.lo \
- asn1_OCSPKeyHash.lo asn1_OCSPRequest.lo \
- asn1_OCSPResponderID.lo asn1_OCSPResponse.lo \
- asn1_OCSPResponseBytes.lo asn1_OCSPResponseData.lo \
- asn1_OCSPResponseStatus.lo asn1_OCSPSignature.lo \
- asn1_OCSPSingleResponse.lo asn1_OCSPTBSRequest.lo \
- asn1_OCSPVersion.lo asn1_id_pkix_ocsp.lo \
- asn1_id_pkix_ocsp_basic.lo asn1_id_pkix_ocsp_nonce.lo
-am__objects_2 = asn1_CertificationRequestInfo.lo \
- asn1_CertificationRequest.lo
-am__objects_3 = $(am__objects_1) $(am__objects_2) hx509_err.lo
-nodist_libhx509_la_OBJECTS = $(am__objects_3)
-libhx509_la_OBJECTS = $(dist_libhx509_la_OBJECTS) \
- $(nodist_libhx509_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 =
-libhx509_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(libhx509_la_LDFLAGS) $(LDFLAGS) -o $@
-dist_hxtool_OBJECTS = hxtool.$(OBJEXT)
-nodist_hxtool_OBJECTS = hxtool-commands.$(OBJEXT)
-hxtool_OBJECTS = $(dist_hxtool_OBJECTS) $(nodist_hxtool_OBJECTS)
-hxtool_DEPENDENCIES = libhx509.la $(top_builddir)/lib/asn1/libasn1.la \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/sl/libsl.la
-test_expr_SOURCES = test_expr.c
-test_expr_OBJECTS = test_expr.$(OBJEXT)
-test_expr_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la
-test_name_SOURCES = test_name.c
-test_name_OBJECTS = test_name.$(OBJEXT)
-test_name_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la
-test_soft_pkcs11_SOURCES = test_soft_pkcs11.c
-test_soft_pkcs11_OBJECTS = test_soft_pkcs11.$(OBJEXT)
-test_soft_pkcs11_DEPENDENCIES = libhx509.la \
- $(top_builddir)/lib/asn1/libasn1.la
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
-am__v_GEN_1 =
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 =
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/asn1_CertificationRequest.Plo \
- ./$(DEPDIR)/asn1_CertificationRequestInfo.Plo \
- ./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo \
- ./$(DEPDIR)/asn1_OCSPCertID.Plo \
- ./$(DEPDIR)/asn1_OCSPCertStatus.Plo \
- ./$(DEPDIR)/asn1_OCSPInnerRequest.Plo \
- ./$(DEPDIR)/asn1_OCSPKeyHash.Plo \
- ./$(DEPDIR)/asn1_OCSPRequest.Plo \
- ./$(DEPDIR)/asn1_OCSPResponderID.Plo \
- ./$(DEPDIR)/asn1_OCSPResponse.Plo \
- ./$(DEPDIR)/asn1_OCSPResponseBytes.Plo \
- ./$(DEPDIR)/asn1_OCSPResponseData.Plo \
- ./$(DEPDIR)/asn1_OCSPResponseStatus.Plo \
- ./$(DEPDIR)/asn1_OCSPSignature.Plo \
- ./$(DEPDIR)/asn1_OCSPSingleResponse.Plo \
- ./$(DEPDIR)/asn1_OCSPTBSRequest.Plo \
- ./$(DEPDIR)/asn1_OCSPVersion.Plo \
- ./$(DEPDIR)/asn1_id_pkix_ocsp.Plo \
- ./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo \
- ./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo ./$(DEPDIR)/ca.Plo \
- ./$(DEPDIR)/cert.Plo ./$(DEPDIR)/cms.Plo \
- ./$(DEPDIR)/collector.Plo ./$(DEPDIR)/crypto-ec.Plo \
- ./$(DEPDIR)/crypto.Plo ./$(DEPDIR)/doxygen.Plo \
- ./$(DEPDIR)/env.Plo ./$(DEPDIR)/error.Plo ./$(DEPDIR)/file.Plo \
- ./$(DEPDIR)/hx509_err.Plo ./$(DEPDIR)/hxtool-commands.Po \
- ./$(DEPDIR)/hxtool.Po ./$(DEPDIR)/keyset.Plo \
- ./$(DEPDIR)/ks_dir.Plo ./$(DEPDIR)/ks_file.Plo \
- ./$(DEPDIR)/ks_keychain.Plo ./$(DEPDIR)/ks_mem.Plo \
- ./$(DEPDIR)/ks_null.Plo ./$(DEPDIR)/ks_p11.Plo \
- ./$(DEPDIR)/ks_p12.Plo ./$(DEPDIR)/lock.Plo \
- ./$(DEPDIR)/name.Plo ./$(DEPDIR)/peer.Plo \
- ./$(DEPDIR)/print.Plo ./$(DEPDIR)/req.Plo \
- ./$(DEPDIR)/revoke.Plo ./$(DEPDIR)/sel-gram.Plo \
- ./$(DEPDIR)/sel-lex.Plo ./$(DEPDIR)/sel.Plo \
- ./$(DEPDIR)/softp11.Plo ./$(DEPDIR)/test_expr.Po \
- ./$(DEPDIR)/test_name.Po ./$(DEPDIR)/test_soft_pkcs11.Po
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
- $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
- $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo " CC " $@;
-am__v_CC_1 =
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo " CCLD " $@;
-am__v_CCLD_1 =
-@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
-LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
-AM_V_LEX = $(am__v_LEX_@AM_V@)
-am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
-am__v_LEX_0 = @echo " LEX " $@;
-am__v_LEX_1 =
-YLWRAP = $(top_srcdir)/ylwrap
-@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
-am__yacc_c2h = sed -e s/cc$$/hh/ -e s/cpp$$/hpp/ -e s/cxx$$/hxx/ \
- -e s/c++$$/h++/ -e s/c$$/h/
-YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
-AM_V_YACC = $(am__v_YACC_@AM_V@)
-am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
-am__v_YACC_0 = @echo " YACC " $@;
-am__v_YACC_1 =
-SOURCES = $(dist_libhx509_la_SOURCES) $(nodist_libhx509_la_SOURCES) \
- $(dist_hxtool_SOURCES) $(nodist_hxtool_SOURCES) test_expr.c \
- test_name.c test_soft_pkcs11.c
-DIST_SOURCES = $(dist_libhx509_la_SOURCES) $(dist_hxtool_SOURCES) \
- test_expr.c test_name.c test_soft_pkcs11.c
-am__can_run_installinfo = \
- case $$AM_UPDATE_INFO_DIR in \
- n|no|NO) false;; \
- *) (install-info --version) >/dev/null 2>&1;; \
- esac
-HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS) \
- $(noinst_HEADERS)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates. Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
- BEGIN { nonempty = 0; } \
- { items[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique. This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
- list='$(am__tagged_files)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | $(am__uniquify_input)`
-am__tty_colors_dummy = \
- mgn= red= grn= lgn= blu= brg= std=; \
- am__color_tests=no
-am__tty_colors = { \
- $(am__tty_colors_dummy); \
- if test "X$(AM_COLOR_TESTS)" = Xno; then \
- am__color_tests=no; \
- elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
- am__color_tests=yes; \
- elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
- am__color_tests=yes; \
- fi; \
- if test $$am__color_tests = yes; then \
- red=''; \
- grn=''; \
- lgn=''; \
- blu=''; \
- mgn=''; \
- brg=''; \
- std=''; \
- fi; \
-}
-am__recheck_rx = ^[ ]*:recheck:[ ]*
-am__global_test_result_rx = ^[ ]*:global-test-result:[ ]*
-am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]*
-# A command that, given a newline-separated list of test names on the
-# standard input, print the name of the tests that are to be re-run
-# upon "make recheck".
-am__list_recheck_tests = $(AWK) '{ \
- recheck = 1; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- { \
- if ((getline line2 < ($$0 ".log")) < 0) \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
- { \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
- { \
- break; \
- } \
- }; \
- if (recheck) \
- print $$0; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# A command that, given a newline-separated list of test names on the
-# standard input, create the global log from their .trs and .log files.
-am__create_global_log = $(AWK) ' \
-function fatal(msg) \
-{ \
- print "fatal: making $@: " msg | "cat >&2"; \
- exit 1; \
-} \
-function rst_section(header) \
-{ \
- print header; \
- len = length(header); \
- for (i = 1; i <= len; i = i + 1) \
- printf "="; \
- printf "\n\n"; \
-} \
-{ \
- copy_in_global_log = 1; \
- global_test_result = "RUN"; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".trs"); \
- if (line ~ /$(am__global_test_result_rx)/) \
- { \
- sub("$(am__global_test_result_rx)", "", line); \
- sub("[ ]*$$", "", line); \
- global_test_result = line; \
- } \
- else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
- copy_in_global_log = 0; \
- }; \
- if (copy_in_global_log) \
- { \
- rst_section(global_test_result ": " $$0); \
- while ((rc = (getline line < ($$0 ".log"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".log"); \
- print line; \
- }; \
- printf "\n"; \
- }; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# Restructured Text title.
-am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
-# Solaris 10 'make', and several other traditional 'make' implementations,
-# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it
-# by disabling -e (using the XSI extension "set +e") if it's set.
-am__sh_e_setup = case $$- in *e*) set +e;; esac
-# Default flags passed to test drivers.
-am__common_driver_flags = \
- --color-tests "$$am__color_tests" \
- --enable-hard-errors "$$am__enable_hard_errors" \
- --expect-failure "$$am__expect_failure"
-# To be inserted before the command running the test. Creates the
-# directory for the log if needed. Stores in $dir the directory
-# containing $f, in $tst the test, in $log the log. Executes the
-# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
-# passes TESTS_ENVIRONMENT. Set up options for the wrapper that
-# will run the test scripts (or their associated LOG_COMPILER, if
-# thy have one).
-am__check_pre = \
-$(am__sh_e_setup); \
-$(am__vpath_adj_setup) $(am__vpath_adj) \
-$(am__tty_colors); \
-srcdir=$(srcdir); export srcdir; \
-case "$@" in \
- */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \
- *) am__odir=.;; \
-esac; \
-test "x$$am__odir" = x"." || test -d "$$am__odir" \
- || $(MKDIR_P) "$$am__odir" || exit $$?; \
-if test -f "./$$f"; then dir=./; \
-elif test -f "$$f"; then dir=; \
-else dir="$(srcdir)/"; fi; \
-tst=$$dir$$f; log='$@'; \
-if test -n '$(DISABLE_HARD_ERRORS)'; then \
- am__enable_hard_errors=no; \
-else \
- am__enable_hard_errors=yes; \
-fi; \
-case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \
- am__expect_failure=yes;; \
- *) \
- am__expect_failure=no;; \
-esac; \
-$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
-# A shell command to get the names of the tests scripts with any registered
-# extension removed (i.e., equivalently, the names of the test logs, with
-# the '.log' extension removed). The result is saved in the shell variable
-# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly,
-# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
-# since that might cause problem with VPATH rewrites for suffix-less tests.
-# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
-am__set_TESTS_bases = \
- bases='$(TEST_LOGS)'; \
- bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
- bases=`echo $$bases`
-AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
-RECHECK_LOGS = $(TEST_LOGS)
-AM_RECURSIVE_TARGETS = check recheck
-TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
-am__set_b = \
- case '$@' in \
- */*) \
- case '$*' in \
- */*) b='$*';; \
- *) b=`echo '$@' | sed 's/\.log$$//'`; \
- esac;; \
- *) \
- b='$*';; \
- esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
- $(TEST_LOG_FLAGS)
-am__DIST_COMMON = $(srcdir)/Makefile.in \
- $(top_srcdir)/Makefile.am.common \
- $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/depcomp \
- $(top_srcdir)/test-driver $(top_srcdir)/ylwrap ChangeLog TODO \
- sel-gram.c sel-gram.h sel-lex.c
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AS = @AS@
-ASN1_COMPILE = @ASN1_COMPILE@
-ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CANONICAL_HOST = @CANONICAL_HOST@
-CAPNG_CFLAGS = @CAPNG_CFLAGS@
-CAPNG_LIBS = @CAPNG_LIBS@
-CATMAN = @CATMAN@
-CATMANEXT = @CATMANEXT@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLANG_FORMAT = @CLANG_FORMAT@
-COMPILE_ET = @COMPILE_ET@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CSCOPE = @CSCOPE@
-CTAGS = @CTAGS@
-CYGPATH_W = @CYGPATH_W@
-DB1LIB = @DB1LIB@
-DB3LIB = @DB3LIB@
-DBHEADER = @DBHEADER@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DIR_com_err = @DIR_com_err@
-DIR_hdbdir = @DIR_hdbdir@
-DIR_roken = @DIR_roken@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
-ETAGS = @ETAGS@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-FILECMD = @FILECMD@
-GCD_MIG = @GCD_MIG@
-GREP = @GREP@
-GROFF = @GROFF@
-INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_libedit = @INCLUDE_libedit@
-INCLUDE_libintl = @INCLUDE_libintl@
-INCLUDE_openldap = @INCLUDE_openldap@
-INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@
-INCLUDE_readline = @INCLUDE_readline@
-INCLUDE_sqlite3 = @INCLUDE_sqlite3@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBADD_roken = @LIBADD_roken@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_bswap16 = @LIB_bswap16@
-LIB_bswap32 = @LIB_bswap32@
-LIB_bswap64 = @LIB_bswap64@
-LIB_com_err = @LIB_com_err@
-LIB_com_err_a = @LIB_com_err_a@
-LIB_com_err_so = @LIB_com_err_so@
-LIB_crypt = @LIB_crypt@
-LIB_db_create = @LIB_db_create@
-LIB_dbm_firstkey = @LIB_dbm_firstkey@
-LIB_dbopen = @LIB_dbopen@
-LIB_dispatch_async_f = @LIB_dispatch_async_f@
-LIB_dladdr = @LIB_dladdr@
-LIB_dlopen = @LIB_dlopen@
-LIB_dn_expand = @LIB_dn_expand@
-LIB_dns_search = @LIB_dns_search@
-LIB_door_create = @LIB_door_create@
-LIB_freeaddrinfo = @LIB_freeaddrinfo@
-LIB_gai_strerror = @LIB_gai_strerror@
-LIB_getaddrinfo = @LIB_getaddrinfo@
-LIB_gethostbyname = @LIB_gethostbyname@
-LIB_gethostbyname2 = @LIB_gethostbyname2@
-LIB_getnameinfo = @LIB_getnameinfo@
-LIB_getpwnam_r = @LIB_getpwnam_r@
-LIB_getsockopt = @LIB_getsockopt@
-LIB_hcrypto = @LIB_hcrypto@
-LIB_hcrypto_a = @LIB_hcrypto_a@
-LIB_hcrypto_appl = @LIB_hcrypto_appl@
-LIB_hcrypto_so = @LIB_hcrypto_so@
-LIB_hstrerror = @LIB_hstrerror@
-LIB_kdb = @LIB_kdb@
-LIB_libedit = @LIB_libedit@
-LIB_libintl = @LIB_libintl@
-LIB_loadquery = @LIB_loadquery@
-LIB_logout = @LIB_logout@
-LIB_logwtmp = @LIB_logwtmp@
-LIB_openldap = @LIB_openldap@
-LIB_openpty = @LIB_openpty@
-LIB_openssl_crypto = @LIB_openssl_crypto@
-LIB_otp = @LIB_otp@
-LIB_pidfile = @LIB_pidfile@
-LIB_readline = @LIB_readline@
-LIB_res_ndestroy = @LIB_res_ndestroy@
-LIB_res_nsearch = @LIB_res_nsearch@
-LIB_res_search = @LIB_res_search@
-LIB_roken = @LIB_roken@
-LIB_security = @LIB_security@
-LIB_setsockopt = @LIB_setsockopt@
-LIB_socket = @LIB_socket@
-LIB_sqlite3 = @LIB_sqlite3@
-LIB_syslog = @LIB_syslog@
-LIB_tgetent = @LIB_tgetent@
-LIPO = @LIPO@
-LMDBLIB = @LMDBLIB@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-MAINT = @MAINT@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-NDBMLIB = @NDBMLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-NO_AFS = @NO_AFS@
-NROFF = @NROFF@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
-PTHREAD_LDADD = @PTHREAD_LDADD@
-PTHREAD_LIBADD = @PTHREAD_LIBADD@
-PYTHON = @PYTHON@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SLC = @SLC@
-SLC_DEP = @SLC_DEP@
-STRIP = @STRIP@
-VERSION = @VERSION@
-VERSIONING = @VERSIONING@
-WFLAGS = @WFLAGS@
-WFLAGS_LITE = @WFLAGS_LITE@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-db_type = @db_type@
-db_type_preference = @db_type_preference@
-docdir = @docdir@
-dpagaix_cflags = @dpagaix_cflags@
-dpagaix_ldadd = @dpagaix_ldadd@
-dpagaix_ldflags = @dpagaix_ldflags@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-runstatedir = @runstatedir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-subdirs = @subdirs@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 \
- .cat5 .cat7 .cat8
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken) $(INCLUDE_openssl_crypto)
-@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
-AM_CFLAGS = $(WFLAGS)
-CP = cp
-buildinclude = $(top_builddir)/include
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_el_init = @LIB_el_init@
-LIB_getattr = @LIB_getattr@
-LIB_getpwent_r = @LIB_getpwent_r@
-LIB_odm_initialize = @LIB_odm_initialize@
-LIB_setpcred = @LIB_setpcred@
-INCLUDE_krb4 = @INCLUDE_krb4@
-LIB_krb4 = @LIB_krb4@
-libexec_heimdaldir = $(libexecdir)/heimdal
-NROFF_MAN = groff -mandoc -Tascii
-@NO_AFS_FALSE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
-@NO_AFS_TRUE@LIB_kafs =
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la
-@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-
-#silent-rules
-heim_verbose = $(heim_verbose_$(V))
-heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY))
-heim_verbose_0 = @echo " GEN "$@;
-lib_LTLIBRARIES = libhx509.la
-libhx509_la_LDFLAGS = -version-info 5:0:0 $(am__append_1) \
- $(am__append_2)
-BUILT_SOURCES = \
- sel-gram.h \
- $(gen_files_ocsp:.x=.c) \
- $(gen_files_pkcs10:.x=.c) \
- hx509_err.c \
- hx509_err.h
-
-gen_files_ocsp = \
- asn1_OCSPBasicOCSPResponse.x \
- asn1_OCSPCertID.x \
- asn1_OCSPCertStatus.x \
- asn1_OCSPInnerRequest.x \
- asn1_OCSPKeyHash.x \
- asn1_OCSPRequest.x \
- asn1_OCSPResponderID.x \
- asn1_OCSPResponse.x \
- asn1_OCSPResponseBytes.x \
- asn1_OCSPResponseData.x \
- asn1_OCSPResponseStatus.x \
- asn1_OCSPSignature.x \
- asn1_OCSPSingleResponse.x \
- asn1_OCSPTBSRequest.x \
- asn1_OCSPVersion.x \
- asn1_id_pkix_ocsp.x \
- asn1_id_pkix_ocsp_basic.x \
- asn1_id_pkix_ocsp_nonce.x
-
-gen_files_pkcs10 = \
- asn1_CertificationRequestInfo.x \
- asn1_CertificationRequest.x
-
-gen_files_crmf = \
- asn1_CRMFRDNSequence.x \
- asn1_CertReqMessages.x \
- asn1_CertReqMsg.x \
- asn1_CertRequest.x \
- asn1_CertTemplate.x \
- asn1_Controls.x \
- asn1_PBMParameter.x \
- asn1_PKMACValue.x \
- asn1_POPOPrivKey.x \
- asn1_POPOSigningKey.x \
- asn1_POPOSigningKeyInput.x \
- asn1_ProofOfPossession.x \
- asn1_SubsequentMessage.x
-
-AM_YFLAGS = -d
-dist_libhx509_la_SOURCES = \
- ca.c \
- cert.c \
- char_map.h \
- cms.c \
- collector.c \
- crypto.c \
- crypto-ec.c \
- doxygen.c \
- error.c \
- env.c \
- file.c \
- hx509.h \
- hx_locl.h \
- sel.c \
- sel.h \
- sel-gram.y \
- sel-lex.l \
- keyset.c \
- ks_dir.c \
- ks_file.c \
- ks_mem.c \
- ks_null.c \
- ks_p11.c \
- ks_p12.c \
- ks_keychain.c \
- lock.c \
- name.c \
- peer.c \
- print.c \
- softp11.c \
- ref/pkcs11.h \
- req.c \
- revoke.c
-
-libhx509_la_DEPENDENCIES = version-script.map
-libhx509_la_LIBADD = \
- $(LIB_com_err) \
- $(LIB_hcrypto) \
- $(LIB_openssl_crypto) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(top_builddir)/lib/base/libheimbase.la \
- $(LIBADD_roken) \
- $(LIB_dlopen)
-
-nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
-dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
-noinst_HEADERS = $(srcdir)/hx509-private.h
-nodist_include_HEADERS = hx509_err.h ocsp_asn1.h pkcs10_asn1.h \
- crmf_asn1.h
-priv_headers = ocsp_asn1-priv.h pkcs10_asn1-priv.h crmf_asn1-priv.h
-ALL_OBJECTS = $(libhx509_la_OBJECTS) $(hxtool_OBJECTS)
-HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
-dist_hxtool_SOURCES = hxtool.c
-nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
-hxtool_LDADD = \
- libhx509.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(LIB_hcrypto) \
- $(LIB_roken) \
- $(top_builddir)/lib/sl/libsl.la
-
-CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
- $(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[chx]* \
- $(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[chx]* \
- $(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[chx]* \
- $(TESTS) \
- hxtool-commands.c hxtool-commands.h *.tmp \
- request.out \
- out.pem out2.pem \
- sd sd.pem \
- sd.data sd.data.out \
- ev.data ev.data.out \
- cert-null.pem cert-sub-ca2.pem \
- cert-ee.pem cert-ca.pem \
- cert-sub-ee.pem cert-sub-ca.pem \
- cert-proxy.der cert-ca.der cert-ee.der pkcs10-request.der \
- wca.pem wuser.pem wdc.pem wcrl.crl \
- random-data statfile crl.crl \
- test p11dbg.log pkcs11.cfg \
- test-rc-file.rc
-
-
-#
-# regression tests
-#
-check_SCRIPTS = $(SCRIPT_TESTS)
-LDADD = libhx509.la
-test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la
-test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
-test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
-PROGRAM_TESTS = \
- test_name \
- test_expr
-
-SCRIPT_TESTS = \
- test_ca \
- test_cert \
- test_chain \
- test_cms \
- test_crypto \
- test_nist \
- test_nist2 \
- test_pkcs11 \
- test_java_pkcs11 \
- test_nist_cert \
- test_nist_pkcs12 \
- test_req \
- test_windows \
- test_query
-
-do_subst = $(heim_verbose)sed -e 's,[@]srcdir[@],$(srcdir),g' \
- -e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g' \
- -e 's,[@]egrep[@],$(EGREP),g'
-
-EXTRA_DIST = \
- NTMakefile \
- hxtool-version.rc \
- libhx509-exports.def \
- version-script.map \
- crmf.asn1 \
- hx509_err.et \
- hxtool-commands.in \
- quote.py \
- ocsp.asn1 \
- ocsp.opt \
- pkcs10.asn1 \
- pkcs10.opt \
- test_ca.in \
- test_chain.in \
- test_cert.in \
- test_cms.in \
- test_crypto.in \
- test_nist.in \
- test_nist2.in \
- test_nist_cert.in \
- test_nist_pkcs12.in \
- test_pkcs11.in \
- test_java_pkcs11.in \
- test_query.in \
- test_req.in \
- test_windows.in \
- tst-crypto-available1 \
- tst-crypto-available2 \
- tst-crypto-available3 \
- tst-crypto-select \
- tst-crypto-select1 \
- tst-crypto-select2 \
- tst-crypto-select3 \
- tst-crypto-select4 \
- tst-crypto-select5 \
- tst-crypto-select6 \
- tst-crypto-select7 \
- data/PKITS_data.zip \
- data/eccurve.pem \
- data/https.crt \
- data/https.key \
- data/mkcert.sh \
- data/nist-result2 \
- data/n0ll.pem \
- data/secp256r1TestCA.cert.pem \
- data/secp256r1TestCA.key.pem \
- data/secp256r1TestCA.pem \
- data/secp256r2TestClient.cert.pem \
- data/secp256r2TestClient.key.pem \
- data/secp256r2TestClient.pem \
- data/secp256r2TestServer.cert.pem \
- data/secp256r2TestServer.key.pem \
- data/secp256r2TestServer.pem \
- data/bleichenbacher-bad.pem \
- data/bleichenbacher-good.pem \
- data/bleichenbacher-sf-pad-correct.pem \
- data/ca.crt \
- data/ca.key \
- data/crl1.crl \
- data/crl1.der \
- data/gen-req.sh \
- data/j.pem \
- data/kdc.crt \
- data/kdc.key \
- data/key.der \
- data/key2.der \
- data/nist-data \
- data/nist-data2 \
- data/no-proxy-test.crt \
- data/no-proxy-test.key \
- data/ocsp-req1.der \
- data/ocsp-req2.der \
- data/ocsp-resp1-2.der \
- data/ocsp-resp1-3.der \
- data/ocsp-resp1-ca.der \
- data/ocsp-resp1-keyhash.der \
- data/ocsp-resp1-ocsp-no-cert.der \
- data/ocsp-resp1-ocsp.der \
- data/ocsp-resp1.der \
- data/ocsp-resp2.der \
- data/ocsp-responder.crt \
- data/ocsp-responder.key \
- data/openssl.1.0.cnf \
- data/openssl.1.1.cnf \
- data/pkinit-proxy-chain.crt \
- data/pkinit-proxy.crt \
- data/pkinit-proxy.key \
- data/pkinit-pw.key \
- data/pkinit.crt \
- data/pkinit.key \
- data/pkinit-ec.crt \
- data/pkinit-ec.key \
- data/proxy-level-test.crt \
- data/proxy-level-test.key \
- data/proxy-test.crt \
- data/proxy-test.key \
- data/proxy10-child-test.crt \
- data/proxy10-child-test.key \
- data/proxy10-child-child-test.crt \
- data/proxy10-child-child-test.key \
- data/proxy10-test.crt \
- data/proxy10-test.key \
- data/revoke.crt \
- data/revoke.key \
- data/sf-class2-root.pem \
- data/static-file \
- data/sub-ca.crt \
- data/sub-ca.key \
- data/sub-cert.crt \
- data/sub-cert.key \
- data/sub-cert.p12 \
- data/test-ds-only.crt \
- data/test-ds-only.key \
- data/test-enveloped-aes-128 \
- data/test-enveloped-aes-256 \
- data/test-enveloped-des \
- data/test-enveloped-des-ede3 \
- data/test-enveloped-rc2-128 \
- data/test-enveloped-rc2-40 \
- data/test-enveloped-rc2-64 \
- data/test-ke-only.crt \
- data/test-ke-only.key \
- data/test-nopw.p12 \
- data/test-pw.key \
- data/test-signed-data \
- data/test-signed-data-noattr \
- data/test-signed-data-noattr-nocerts \
- data/test-signed-sha-1 \
- data/test-signed-sha-256 \
- data/test-signed-sha-512 \
- data/test.combined.crt \
- data/test.crt \
- data/test.key \
- data/test.p12 \
- data/win-u16-in-printablestring.der \
- data/yutaka-pad-broken-ca.pem \
- data/yutaka-pad-broken-cert.pem \
- data/yutaka-pad-ok-ca.pem \
- data/yutaka-pad-ok-cert.pem \
- data/yutaka-pad.key
-
-all: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) all-am
-
-.SUFFIXES:
-.SUFFIXES: .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 .c .l .lo .log .o .obj .test .test$(EXEEXT) .trs .y
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
- @for dep in $?; do \
- case '$(am__configure_deps)' in \
- *$$dep*) \
- ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
- && { if test -f $@; then exit 0; else break; fi; }; \
- exit 1;; \
- esac; \
- done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/hx509/Makefile'; \
- $(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --foreign lib/hx509/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- @case '$?' in \
- *config.status*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
- *) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
- esac;
-$(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-binPROGRAMS: $(bin_PROGRAMS)
- @$(NORMAL_INSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
- fi; \
- for p in $$list; do echo "$$p $$p"; done | \
- sed 's/$(EXEEXT)$$//' | \
- while read p p1; do if test -f $$p \
- || test -f $$p1 \
- ; then echo "$$p"; echo "$$p"; else :; fi; \
- done | \
- sed -e 'p;s,.*/,,;n;h' \
- -e 's|.*|.|' \
- -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
- sed 'N;N;N;s,\n, ,g' | \
- $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
- { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
- if ($$2 == $$4) files[d] = files[d] " " $$1; \
- else { print "f", $$3 "/" $$4, $$1; } } \
- END { for (d in files) print "f", d, files[d] }' | \
- while read type dir files; do \
- if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
- test -z "$$files" || { \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
- } \
- ; done
-
-uninstall-binPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- files=`for p in $$list; do echo "$$p"; done | \
- sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
- -e 's/$$/$(EXEEXT)/' \
- `; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(bindir)" && rm -f $$files
-
-clean-binPROGRAMS:
- @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-clean-checkPROGRAMS:
- @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-install-libLTLIBRARIES: $(lib_LTLIBRARIES)
- @$(NORMAL_INSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- list2=; for p in $$list; do \
- if test -f $$p; then \
- list2="$$list2 $$p"; \
- else :; fi; \
- done; \
- test -z "$$list2" || { \
- echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
- }
-
-uninstall-libLTLIBRARIES:
- @$(NORMAL_UNINSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- for p in $$list; do \
- $(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
- done
-
-clean-libLTLIBRARIES:
- -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
- @list='$(lib_LTLIBRARIES)'; \
- locs=`for p in $$list; do echo $$p; done | \
- sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
- sort -u`; \
- test -z "$$locs" || { \
- echo rm -f $${locs}; \
- rm -f $${locs}; \
- }
-sel-gram.h: sel-gram.c
- @if test ! -f $@; then rm -f sel-gram.c; else :; fi
- @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) sel-gram.c; else :; fi
-
-libhx509.la: $(libhx509_la_OBJECTS) $(libhx509_la_DEPENDENCIES) $(EXTRA_libhx509_la_DEPENDENCIES)
- $(AM_V_CCLD)$(libhx509_la_LINK) -rpath $(libdir) $(libhx509_la_OBJECTS) $(libhx509_la_LIBADD) $(LIBS)
-
-hxtool$(EXEEXT): $(hxtool_OBJECTS) $(hxtool_DEPENDENCIES) $(EXTRA_hxtool_DEPENDENCIES)
- @rm -f hxtool$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(hxtool_OBJECTS) $(hxtool_LDADD) $(LIBS)
-
-test_expr$(EXEEXT): $(test_expr_OBJECTS) $(test_expr_DEPENDENCIES) $(EXTRA_test_expr_DEPENDENCIES)
- @rm -f test_expr$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_expr_OBJECTS) $(test_expr_LDADD) $(LIBS)
-
-test_name$(EXEEXT): $(test_name_OBJECTS) $(test_name_DEPENDENCIES) $(EXTRA_test_name_DEPENDENCIES)
- @rm -f test_name$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_name_OBJECTS) $(test_name_LDADD) $(LIBS)
-
-test_soft_pkcs11$(EXEEXT): $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_DEPENDENCIES) $(EXTRA_test_soft_pkcs11_DEPENDENCIES)
- @rm -f test_soft_pkcs11$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT)
-
-distclean-compile:
- -rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequestInfo.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertID.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertStatus.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPInnerRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPKeyHash.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponderID.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponse.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseBytes.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseData.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseStatus.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSignature.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSingleResponse.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPTBSRequest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPVersion.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cms.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/collector.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto-ec.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/doxygen.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hx509_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-commands.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyset.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_dir.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_keychain.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_mem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_null.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p11.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p12.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/name.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revoke.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-gram.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-lex.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/softp11.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expr.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_name.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_soft_pkcs11.Po@am__quote@ # am--include-marker
-
-$(am__depfiles_remade):
- @$(MKDIR_P) $(@D)
- @echo '# dummy' >$@-t && $(am__mv) $@-t $@
-
-am--depfiles: $(am__depfiles_remade)
-
-.c.o:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-.l.c:
- $(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
-
-.y.c:
- $(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h `echo $@ | $(am__yacc_c2h)` y.output $*.output -- $(YACCCOMPILE)
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-install-dist_includeHEADERS: $(dist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-dist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-install-nodist_includeHEADERS: $(nodist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-nodist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-
-ID: $(am__tagged_files)
- $(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- set x; \
- here=`pwd`; \
- $(am__define_uniq_tagged_files); \
- shift; \
- if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
- test -n "$$unique" || unique=$$empty_fix; \
- if test $$# -gt 0; then \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- "$$@" $$unique; \
- else \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$unique; \
- fi; \
- fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- $(am__define_uniq_tagged_files); \
- test -z "$(CTAGS_ARGS)$$unique" \
- || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && $(am__cd) $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
- list='$(am__tagged_files)'; \
- case "$(srcdir)" in \
- [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
- *) sdir=$(subdir)/$(srcdir) ;; \
- esac; \
- for i in $$list; do \
- if test -f "$$i"; then \
- echo "$(subdir)/$$i"; \
- else \
- echo "$$sdir/$$i"; \
- fi; \
- done >> $(top_builddir)/cscope.files
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-# Recover from deleted '.trs' file; this should ensure that
-# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
-# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells
-# to avoid problems with "make -n".
-.log.trs:
- rm -f $< $@
- $(MAKE) $(AM_MAKEFLAGS) $<
-
-# Leading 'am--fnord' is there to ensure the list of targets does not
-# expand to empty, as could happen e.g. with make check TESTS=''.
-am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
-am--force-recheck:
- @:
-
-$(TEST_SUITE_LOG): $(TEST_LOGS)
- @$(am__set_TESTS_bases); \
- am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
- redo_bases=`for i in $$bases; do \
- am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
- done`; \
- if test -n "$$redo_bases"; then \
- redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
- redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
- if $(am__make_dryrun); then :; else \
- rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
- fi; \
- fi; \
- if test -n "$$am__remaking_logs"; then \
- echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
- "recursion detected" >&2; \
- elif test -n "$$redo_logs"; then \
- am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
- fi; \
- if $(am__make_dryrun); then :; else \
- st=0; \
- errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
- for i in $$redo_bases; do \
- test -f $$i.trs && test -r $$i.trs \
- || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
- test -f $$i.log && test -r $$i.log \
- || { echo "$$errmsg $$i.log" >&2; st=1; }; \
- done; \
- test $$st -eq 0 || exit 1; \
- fi
- @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
- ws='[ ]'; \
- results=`for b in $$bases; do echo $$b.trs; done`; \
- test -n "$$results" || results=/dev/null; \
- all=` grep "^$$ws*:test-result:" $$results | wc -l`; \
- pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \
- fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \
- skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \
- xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
- xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
- error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
- if test `expr $$fail + $$xpass + $$error` -eq 0; then \
- success=true; \
- else \
- success=false; \
- fi; \
- br='==================='; br=$$br$$br$$br$$br; \
- result_count () \
- { \
- if test x"$$1" = x"--maybe-color"; then \
- maybe_colorize=yes; \
- elif test x"$$1" = x"--no-color"; then \
- maybe_colorize=no; \
- else \
- echo "$@: invalid 'result_count' usage" >&2; exit 4; \
- fi; \
- shift; \
- desc=$$1 count=$$2; \
- if test $$maybe_colorize = yes && test $$count -gt 0; then \
- color_start=$$3 color_end=$$std; \
- else \
- color_start= color_end=; \
- fi; \
- echo "$${color_start}# $$desc $$count$${color_end}"; \
- }; \
- create_testsuite_report () \
- { \
- result_count $$1 "TOTAL:" $$all "$$brg"; \
- result_count $$1 "PASS: " $$pass "$$grn"; \
- result_count $$1 "SKIP: " $$skip "$$blu"; \
- result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
- result_count $$1 "FAIL: " $$fail "$$red"; \
- result_count $$1 "XPASS:" $$xpass "$$red"; \
- result_count $$1 "ERROR:" $$error "$$mgn"; \
- }; \
- { \
- echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \
- $(am__rst_title); \
- create_testsuite_report --no-color; \
- echo; \
- echo ".. contents:: :depth: 2"; \
- echo; \
- for b in $$bases; do echo $$b; done \
- | $(am__create_global_log); \
- } >$(TEST_SUITE_LOG).tmp || exit 1; \
- mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \
- if $$success; then \
- col="$$grn"; \
- else \
- col="$$red"; \
- test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
- fi; \
- echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \
- echo "$${col}$$br$${std}"; \
- create_testsuite_report --maybe-color; \
- echo "$$col$$br$$std"; \
- if $$success; then :; else \
- echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \
- if test -n "$(PACKAGE_BUGREPORT)"; then \
- echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \
- fi; \
- echo "$$col$$br$$std"; \
- fi; \
- $$success || exit 1
-
-check-TESTS: $(check_PROGRAMS) $(check_SCRIPTS)
- @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
- @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- trs_list=`for i in $$bases; do echo $$i.trs; done`; \
- log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
- exit $$?;
-recheck: all $(check_PROGRAMS) $(check_SCRIPTS)
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- bases=`for i in $$bases; do echo $$i; done \
- | $(am__list_recheck_tests)` || exit 1; \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- log_list=`echo $$log_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
- am__force_recheck=am--force-recheck \
- TEST_LOGS="$$log_list"; \
- exit $$?
-test_ca.log: test_ca
- @p='test_ca'; \
- b='test_ca'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_cert.log: test_cert
- @p='test_cert'; \
- b='test_cert'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_chain.log: test_chain
- @p='test_chain'; \
- b='test_chain'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_cms.log: test_cms
- @p='test_cms'; \
- b='test_cms'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_crypto.log: test_crypto
- @p='test_crypto'; \
- b='test_crypto'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist.log: test_nist
- @p='test_nist'; \
- b='test_nist'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist2.log: test_nist2
- @p='test_nist2'; \
- b='test_nist2'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pkcs11.log: test_pkcs11
- @p='test_pkcs11'; \
- b='test_pkcs11'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_java_pkcs11.log: test_java_pkcs11
- @p='test_java_pkcs11'; \
- b='test_java_pkcs11'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist_cert.log: test_nist_cert
- @p='test_nist_cert'; \
- b='test_nist_cert'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_nist_pkcs12.log: test_nist_pkcs12
- @p='test_nist_pkcs12'; \
- b='test_nist_pkcs12'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_req.log: test_req
- @p='test_req'; \
- b='test_req'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_windows.log: test_windows
- @p='test_windows'; \
- b='test_windows'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_query.log: test_query
- @p='test_query'; \
- b='test_query'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_name.log: test_name$(EXEEXT)
- @p='test_name$(EXEEXT)'; \
- b='test_name'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_expr.log: test_expr$(EXEEXT)
- @p='test_expr$(EXEEXT)'; \
- b='test_expr'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
- @p='$<'; \
- $(am__set_b); \
- $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
-@am__EXEEXT_TRUE@ @p='$<'; \
-@am__EXEEXT_TRUE@ $(am__set_b); \
-@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-distdir: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) distdir-am
-
-distdir-am: $(DISTFILES)
- @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- list='$(DISTFILES)'; \
- dist_files=`for file in $$list; do echo $$file; done | \
- sed -e "s|^$$srcdirstrip/||;t" \
- -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
- case $$dist_files in \
- */*) $(MKDIR_P) `echo "$$dist_files" | \
- sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
- sort -u` ;; \
- esac; \
- for file in $$dist_files; do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- if test -d $$d/$$file; then \
- dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test -d "$(distdir)/$$file"; then \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
- else \
- test -f "$(distdir)/$$file" \
- || cp -p $$d/$$file "$(distdir)/$$file" \
- || exit 1; \
- fi; \
- done
- $(MAKE) $(AM_MAKEFLAGS) \
- top_distdir="$(top_distdir)" distdir="$(distdir)" \
- dist-hook
-check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_SCRIPTS)
- $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
-check: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) check-am
-all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(HEADERS) all-local
-install-binPROGRAMS: install-libLTLIBRARIES
-
-install-checkPROGRAMS: install-libLTLIBRARIES
-
-installdirs:
- for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \
- test -z "$$dir" || $(MKDIR_P) "$$dir"; \
- done
-install: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) install-am
-install-exec: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- if test -z '$(STRIP)'; then \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- install; \
- else \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
- fi
-mostlyclean-generic:
- -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
- -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
- -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-
-clean-generic:
- -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
- -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
- -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
- -rm -f sel-gram.c
- -rm -f sel-gram.h
- -rm -f sel-lex.c
- -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-clean: clean-am
-
-clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
- clean-libLTLIBRARIES clean-libtool clean-local mostlyclean-am
-
-distclean: distclean-am
- -rm -f ./$(DEPDIR)/asn1_CertificationRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_CertificationRequestInfo.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPInnerRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPKeyHash.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponderID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseBytes.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseData.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSignature.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSingleResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPTBSRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPVersion.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo
- -rm -f ./$(DEPDIR)/ca.Plo
- -rm -f ./$(DEPDIR)/cert.Plo
- -rm -f ./$(DEPDIR)/cms.Plo
- -rm -f ./$(DEPDIR)/collector.Plo
- -rm -f ./$(DEPDIR)/crypto-ec.Plo
- -rm -f ./$(DEPDIR)/crypto.Plo
- -rm -f ./$(DEPDIR)/doxygen.Plo
- -rm -f ./$(DEPDIR)/env.Plo
- -rm -f ./$(DEPDIR)/error.Plo
- -rm -f ./$(DEPDIR)/file.Plo
- -rm -f ./$(DEPDIR)/hx509_err.Plo
- -rm -f ./$(DEPDIR)/hxtool-commands.Po
- -rm -f ./$(DEPDIR)/hxtool.Po
- -rm -f ./$(DEPDIR)/keyset.Plo
- -rm -f ./$(DEPDIR)/ks_dir.Plo
- -rm -f ./$(DEPDIR)/ks_file.Plo
- -rm -f ./$(DEPDIR)/ks_keychain.Plo
- -rm -f ./$(DEPDIR)/ks_mem.Plo
- -rm -f ./$(DEPDIR)/ks_null.Plo
- -rm -f ./$(DEPDIR)/ks_p11.Plo
- -rm -f ./$(DEPDIR)/ks_p12.Plo
- -rm -f ./$(DEPDIR)/lock.Plo
- -rm -f ./$(DEPDIR)/name.Plo
- -rm -f ./$(DEPDIR)/peer.Plo
- -rm -f ./$(DEPDIR)/print.Plo
- -rm -f ./$(DEPDIR)/req.Plo
- -rm -f ./$(DEPDIR)/revoke.Plo
- -rm -f ./$(DEPDIR)/sel-gram.Plo
- -rm -f ./$(DEPDIR)/sel-lex.Plo
- -rm -f ./$(DEPDIR)/sel.Plo
- -rm -f ./$(DEPDIR)/softp11.Plo
- -rm -f ./$(DEPDIR)/test_expr.Po
- -rm -f ./$(DEPDIR)/test_name.Po
- -rm -f ./$(DEPDIR)/test_soft_pkcs11.Po
- -rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-dist_includeHEADERS \
- install-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-data-hook
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-binPROGRAMS install-exec-local \
- install-libLTLIBRARIES
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
- -rm -f ./$(DEPDIR)/asn1_CertificationRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_CertificationRequestInfo.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPCertStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPInnerRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPKeyHash.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponderID.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseBytes.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseData.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPResponseStatus.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSignature.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPSingleResponse.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPTBSRequest.Plo
- -rm -f ./$(DEPDIR)/asn1_OCSPVersion.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo
- -rm -f ./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo
- -rm -f ./$(DEPDIR)/ca.Plo
- -rm -f ./$(DEPDIR)/cert.Plo
- -rm -f ./$(DEPDIR)/cms.Plo
- -rm -f ./$(DEPDIR)/collector.Plo
- -rm -f ./$(DEPDIR)/crypto-ec.Plo
- -rm -f ./$(DEPDIR)/crypto.Plo
- -rm -f ./$(DEPDIR)/doxygen.Plo
- -rm -f ./$(DEPDIR)/env.Plo
- -rm -f ./$(DEPDIR)/error.Plo
- -rm -f ./$(DEPDIR)/file.Plo
- -rm -f ./$(DEPDIR)/hx509_err.Plo
- -rm -f ./$(DEPDIR)/hxtool-commands.Po
- -rm -f ./$(DEPDIR)/hxtool.Po
- -rm -f ./$(DEPDIR)/keyset.Plo
- -rm -f ./$(DEPDIR)/ks_dir.Plo
- -rm -f ./$(DEPDIR)/ks_file.Plo
- -rm -f ./$(DEPDIR)/ks_keychain.Plo
- -rm -f ./$(DEPDIR)/ks_mem.Plo
- -rm -f ./$(DEPDIR)/ks_null.Plo
- -rm -f ./$(DEPDIR)/ks_p11.Plo
- -rm -f ./$(DEPDIR)/ks_p12.Plo
- -rm -f ./$(DEPDIR)/lock.Plo
- -rm -f ./$(DEPDIR)/name.Plo
- -rm -f ./$(DEPDIR)/peer.Plo
- -rm -f ./$(DEPDIR)/print.Plo
- -rm -f ./$(DEPDIR)/req.Plo
- -rm -f ./$(DEPDIR)/revoke.Plo
- -rm -f ./$(DEPDIR)/sel-gram.Plo
- -rm -f ./$(DEPDIR)/sel-lex.Plo
- -rm -f ./$(DEPDIR)/sel.Plo
- -rm -f ./$(DEPDIR)/softp11.Plo
- -rm -f ./$(DEPDIR)/test_expr.Po
- -rm -f ./$(DEPDIR)/test_name.Po
- -rm -f ./$(DEPDIR)/test_soft_pkcs11.Po
- -rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-libLTLIBRARIES uninstall-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) uninstall-hook
-.MAKE: all check check-am install install-am install-data-am \
- install-exec install-strip uninstall-am
-
-.PHONY: CTAGS GTAGS TAGS all all-am all-local am--depfiles check \
- check-TESTS check-am check-local clean clean-binPROGRAMS \
- clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
- clean-libtool clean-local cscopelist-am ctags ctags-am \
- dist-hook distclean distclean-compile distclean-generic \
- distclean-libtool distclean-tags distdir dvi dvi-am html \
- html-am info info-am install install-am install-binPROGRAMS \
- install-data install-data-am install-data-hook \
- install-dist_includeHEADERS install-dvi install-dvi-am \
- install-exec install-exec-am install-exec-local install-html \
- install-html-am install-info install-info-am \
- install-libLTLIBRARIES install-man \
- install-nodist_includeHEADERS install-pdf install-pdf-am \
- install-ps install-ps-am install-strip installcheck \
- installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- recheck tags tags-am uninstall uninstall-am \
- uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-hook uninstall-libLTLIBRARIES \
- uninstall-nodist_includeHEADERS
-
-.PRECIOUS: Makefile
-
-
-install-suid-programs:
- @foo='$(bin_SUIDS)'; \
- for file in $$foo; do \
- x=$(DESTDIR)$(bindir)/$$file; \
- if chown 0:0 $$x && chmod u+s $$x; then :; else \
- echo "*"; \
- echo "* Failed to install $$x setuid root"; \
- echo "*"; \
- fi; \
- done
-
-install-exec-local: install-suid-programs
-
-codesign-all:
- @if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \
- foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \
- for file in $$foo ; do \
- echo "CODESIGN $$file" ; \
- codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \
- done ; \
- fi
-
-all-local: codesign-all
-
-install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS)
- @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \
- for f in $$foo; do \
- f=`basename $$f`; \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f || true; \
- fi ; \
- done ; \
- foo='$(nobase_include_HEADERS)'; \
- for f in $$foo; do \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- $(mkdir_p) $(buildinclude)/`dirname $$f` ; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f; \
- fi ; \
- done
-
-all-local: install-build-headers
-
-check-local::
- @if test '$(CHECK_LOCAL)' = "no-check-local"; then \
- foo=''; elif test '$(CHECK_LOCAL)'; then \
- foo='$(CHECK_LOCAL)'; else \
- foo='$(PROGRAMS)'; fi; \
- if test "$$foo"; then \
- failed=0; all=0; \
- for i in $$foo; do \
- all=`expr $$all + 1`; \
- if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
- echo "PASS: $$i"; \
- else \
- echo "FAIL: $$i"; \
- failed=`expr $$failed + 1`; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="$$failed of $$all tests failed"; \
- fi; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0 || exit 1; \
- fi
-
-# It's useful for debugging to format generated sources. The default for all
-# clang-format styles is to sort includes, but in many cases in-tree we really
-# don't want to do that.
-.x.c:
- @if [ -z "$(CLANG_FORMAT)" ]; then \
- cmp -s $< $@ 2> /dev/null || cp $< $@; \
- else \
- cp $< $@.tmp.c; \
- $(CLANG_FORMAT) -style='{BasedOnStyle: Chromium, SortIncludes: false}' -i $@.tmp.c; \
- cmp -s $@.tmp.c $@ 2> /dev/null || mv $@.tmp.c $@; \
- fi
-
-.hx.h:
- @cmp -s $< $@ 2> /dev/null || cp $< $@;
-#NROFF_MAN = nroff -man
-.1.cat1:
- $(NROFF_MAN) $< > $@
-.3.cat3:
- $(NROFF_MAN) $< > $@
-.5.cat5:
- $(NROFF_MAN) $< > $@
-.7.cat7:
- $(NROFF_MAN) $< > $@
-.8.cat8:
- $(NROFF_MAN) $< > $@
-
-dist-cat1-mans:
- @foo='$(man1_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.1) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat3-mans:
- @foo='$(man3_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.3) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat5-mans:
- @foo='$(man5_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.5) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat7-mans:
- @foo='$(man7_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.7) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat8-mans:
- @foo='$(man8_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.8) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans
-
-install-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-uninstall-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-install-data-hook: install-cat-mans
-uninstall-hook: uninstall-cat-mans
-
-.et.h:
- $(COMPILE_ET) $<
-.et.c:
- $(COMPILE_ET) $<
-
-#
-# Useful target for debugging
-#
-
-check-valgrind:
- tobjdir=`cd $(top_builddir) && pwd` ; \
- tsrcdir=`cd $(top_srcdir) && pwd` ; \
- env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
-
-#
-# Target to please samba build farm, builds distfiles in-tree.
-# Will break when automake changes...
-#
-
-distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
- list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
- if test "$$subdir" != .; then \
- (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
- fi ; \
- done
-
-sel-lex.c: sel-gram.h
-$(libhx509_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
-
-$(gen_files_ocsp) ocsp_asn1.hx ocsp_asn1-priv.hx: ocsp_asn1_files
-$(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
-$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
-
-ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
-
-pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
-
-crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
-
-$(ALL_OBJECTS): $(HX509_PROTOS)
-
-$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
-$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
-
-$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
- $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
-
-$(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
- $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
-
-hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
- $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
-
-$(hxtool_OBJECTS): hxtool-commands.h $(nodist_include_HEADERS)
-
-clean-local:
- @echo "cleaning PKITS" ; rm -rf PKITS_data
-
-test_ca: test_ca.in Makefile
- $(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
- $(heim_verbose)chmod +x test_ca.tmp
- mv test_ca.tmp test_ca
-
-test_cert: test_cert.in Makefile
- $(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
- $(heim_verbose)chmod +x test_cert.tmp
- mv test_cert.tmp test_cert
-
-test_chain: test_chain.in Makefile
- $(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
- $(heim_verbose)chmod +x test_chain.tmp
- mv test_chain.tmp test_chain
-
-test_cms: test_cms.in Makefile
- $(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
- $(heim_verbose)chmod +x test_cms.tmp
- mv test_cms.tmp test_cms
-
-test_crypto: test_crypto.in Makefile
- $(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
- $(heim_verbose)chmod +x test_crypto.tmp
- mv test_crypto.tmp test_crypto
-
-test_nist: test_nist.in Makefile
- $(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
- $(heim_verbose)chmod +x test_nist.tmp
- mv test_nist.tmp test_nist
-
-test_nist2: test_nist2.in Makefile
- $(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
- $(heim_verbose)chmod +x test_nist2.tmp
- mv test_nist2.tmp test_nist2
-
-test_pkcs11: test_pkcs11.in Makefile
- $(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
- $(heim_verbose)chmod +x test_pkcs11.tmp
- mv test_pkcs11.tmp test_pkcs11
-
-test_java_pkcs11: test_java_pkcs11.in Makefile
- $(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
- $(heim_verbose)chmod +x test_java_pkcs11.tmp
- mv test_java_pkcs11.tmp test_java_pkcs11
-
-test_nist_cert: test_nist_cert.in Makefile
- $(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
- $(heim_verbose)chmod +x test_nist_cert.tmp
- mv test_nist_cert.tmp test_nist_cert
-
-test_nist_pkcs12: test_nist_pkcs12.in Makefile
- $(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
- $(heim_verbose)chmod +x test_nist_pkcs12.tmp
- mv test_nist_pkcs12.tmp test_nist_pkcs12
-
-test_req: test_req.in Makefile
- $(do_subst) < $(srcdir)/test_req.in > test_req.tmp
- $(heim_verbose)chmod +x test_req.tmp
- mv test_req.tmp test_req
-
-test_windows: test_windows.in Makefile
- $(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
- $(heim_verbose)chmod +x test_windows.tmp
- mv test_windows.tmp test_windows
-
-test_query: test_query.in Makefile
- $(do_subst) < $(srcdir)/test_query.in > test_query.tmp
- $(heim_verbose)chmod +x test_query.tmp
- mv test_query.tmp test_query
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/lib/hx509/NTMakefile b/lib/hx509/NTMakefile
index ee1bb69d09d6..4d5ff09e734d 100644
--- a/lib/hx509/NTMakefile
+++ b/lib/hx509/NTMakefile
@@ -35,12 +35,6 @@ localcflags=-DASN1_LIB
!include ../../windows/NTMakefile.w32
-gen_files_ocsp = $(OBJ)\asn1_ocsp_asn1.x
-
-gen_files_pkcs10 = $(OBJ)\asn1_pkcs10_asn1.x
-
-gen_files_crmf = $(OBJ)\asn1_crmf_asn1.x
-
libhx509_la_OBJS = \
$(OBJ)\ca.obj \
$(OBJ)\cert.obj \
@@ -69,9 +63,7 @@ libhx509_la_OBJS = \
$(OBJ)\print.obj \
$(OBJ)\softp11.obj \
$(OBJ)\req.obj \
- $(OBJ)\revoke.obj \
- $(gen_files_ocsp:.x=.obj) \
- $(gen_files_pkcs10:.x=.obj)
+ $(OBJ)\revoke.obj
$(LIBHX509): $(libhx509_la_OBJS)
$(LIBCON)
@@ -110,48 +102,19 @@ dist_libhx509_la_SOURCES = \
$(SRCDIR)\req.c \
$(SRCDIR)\revoke.c
-asn1_compile=$(BINDIR)\asn1_compile.exe
-
-$(gen_files_ocsp:.x=.c): $$(@R).x
-
-$(gen_files_pkcs10:.x=.c): $$(@R).x
+{}.c{$(OBJ)}.obj::
+ $(C2OBJ_P) -DBUILD_HX509_LIB -DASN1_LIB
-$(gen_files_crmf:.x=.c): $$(@R).x
+{$(OBJ)}.c{$(OBJ)}.obj::
+ $(C2OBJ_P) -DBUILD_HX509_LIB -DASN1_LIB
-$(gen_files_ocsp) $(OBJ)\ocsp_asn1.hx: $(asn1_compile) ocsp.asn1
- cd $(OBJ)
- $(asn1_compile) --one-code-file \
- --preserve-binary=OCSPTBSRequest \
- --preserve-binary=OCSPResponseData \
- $(SRCDIR)\ocsp.asn1 ocsp_asn1 \
- || ( $(RM) -f $(gen_files_ocsp) $(OBJ)\ocsp_asn1.h ; exit /b 1 )
- cd $(SRCDIR)
-
-$(gen_files_pkcs10) $(OBJ)\pkcs10_asn1.hx: $(asn1_compile) pkcs10.asn1
- cd $(OBJ)
- $(asn1_compile) --one-code-file \
- --preserve-binary=CertificationRequestInfo \
- $(SRCDIR)\pkcs10.asn1 pkcs10_asn1 \
- || ( $(RM) -f $(gen_files_pkcs10) $(OBJ)\pkcs10_asn1.h ; exit /b 1 )
- cd $(SRCDIR)
-
-$(gen_files_crmf) $(OBJ)\crmf_asn1.hx: $(asn1_compile) crmf.asn1
- cd $(OBJ)
- $(asn1_compile) --one-code-file $(SRCDIR)\crmf.asn1 crmf_asn1 \
- || ( $(RM) -f $(gen_files_crmf) $(OBJ)\crmf_asn1.h ; exit /b 1 )
- cd $(SRCDIR)
+asn1_compile=$(BINDIR)\asn1_compile.exe
INCFILES= \
$(INCDIR)\hx509.h \
$(INCDIR)\hx509-protos.h \
$(INCDIR)\hx509-private.h \
- $(INCDIR)\hx509_err.h \
- $(INCDIR)\ocsp_asn1.h \
- $(INCDIR)\pkcs10_asn1.h \
- $(INCDIR)\crmf_asn1.h \
- $(OBJ)\ocsp_asn1-priv.h \
- $(OBJ)\pkcs10_asn1-priv.h \
- $(OBJ)\crmf_asn1-priv.h
+ $(INCDIR)\hx509_err.h
hxtool.c: $(OBJ)\hxtool-commands.h
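Review bot: The two new inference rules `{}.c{$(OBJ)}.obj::` and `{$(OBJ)}.c{$(OBJ)}.obj::` spell out `-DBUILD_HX509_LIB -DASN1_LIB` literally, although the first hunk's header shows the file already defines `localcflags=-DASN1_LIB`; unless `$(C2OBJ_P)` already folds `localcflags` in (in which case ASN1_LIB is now passed twice), `$(C2OBJ_P) -DBUILD_HX509_LIB $(localcflags)` keeps a single source of truth. With the `$(gen_files_*)` rules deleted, `asn1_compile=$(BINDIR)\asn1_compile.exe` at the end of the hunk has no remaining reference in the visible hunks; if nothing else in the file uses it, drop it rather than move it. It is also worth confirming that `-DASN1_LIB` is still the intended setting for the hx509 objects now that they no longer contain the generated ASN.1 code and consume those symbols from the separately built library instead.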
diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index 418a404b4aa9..1ca8d51da39e 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -32,7 +32,6 @@
*/
#include "hx_locl.h"
-#include <pkinit_asn1.h>
/**
* @page page_ca Hx509 CA functions
@@ -43,9 +42,11 @@
struct hx509_ca_tbs {
hx509_name subject;
SubjectPublicKeyInfo spki;
+ KeyUsage ku;
ExtKeyUsage eku;
GeneralNames san;
- unsigned key_usage;
+ CertificatePolicies cps;
+ PolicyMappings pms;
heim_integer serial;
struct {
unsigned int proxy:1;
@@ -57,6 +58,7 @@ struct hx509_ca_tbs {
} flags;
time_t notBefore;
time_t notAfter;
+ HeimPkinitPrincMaxLifeSecs pkinitTicketMaxLife;
int pathLenConstraint; /* both for CA and Proxy */
CRLDistributionPoints crldp;
heim_bit_string subjectUniqueID;
@@ -77,7 +79,7 @@ struct hx509_ca_tbs {
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
{
*tbs = calloc(1, sizeof(**tbs));
@@ -95,20 +97,23 @@ hx509_ca_tbs_init(hx509_context context, hx509_ca_tbs *tbs)
* @ingroup hx509_ca
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_ca_tbs_free(hx509_ca_tbs *tbs)
{
if (tbs == NULL || *tbs == NULL)
return;
free_SubjectPublicKeyInfo(&(*tbs)->spki);
+ free_CertificatePolicies(&(*tbs)->cps);
+ free_PolicyMappings(&(*tbs)->pms);
free_GeneralNames(&(*tbs)->san);
free_ExtKeyUsage(&(*tbs)->eku);
der_free_heim_integer(&(*tbs)->serial);
free_CRLDistributionPoints(&(*tbs)->crldp);
der_free_bit_string(&(*tbs)->subjectUniqueID);
der_free_bit_string(&(*tbs)->issuerUniqueID);
- hx509_name_free(&(*tbs)->subject);
+ if ((*tbs)->subject)
+ hx509_name_free(&(*tbs)->subject);
if ((*tbs)->sigalg) {
free_AlgorithmIdentifier((*tbs)->sigalg);
free((*tbs)->sigalg);
@@ -132,7 +137,7 @@ hx509_ca_tbs_free(hx509_ca_tbs *tbs)
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_notBefore(hx509_context context,
hx509_ca_tbs tbs,
time_t t)
@@ -153,7 +158,7 @@ hx509_ca_tbs_set_notBefore(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_notAfter(hx509_context context,
hx509_ca_tbs tbs,
time_t t)
@@ -174,7 +179,7 @@ hx509_ca_tbs_set_notAfter(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
hx509_ca_tbs tbs,
time_t delta)
@@ -182,6 +187,15 @@ hx509_ca_tbs_set_notAfter_lifetime(hx509_context context,
return hx509_ca_tbs_set_notAfter(context, tbs, time(NULL) + delta);
}
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_set_pkinit_max_life(hx509_context context,
+ hx509_ca_tbs tbs,
+ time_t max_life)
+{
+ tbs->pkinitTicketMaxLife = max_life;
+ return 0;
+}
+
static const struct units templatebits[] = {
{ "ExtendedKeyUsage", HX509_CA_TEMPLATE_EKU },
{ "KeyUsage", HX509_CA_TEMPLATE_KU },
@@ -190,6 +204,7 @@ static const struct units templatebits[] = {
{ "notBefore", HX509_CA_TEMPLATE_NOTBEFORE },
{ "serial", HX509_CA_TEMPLATE_SERIAL },
{ "subject", HX509_CA_TEMPLATE_SUBJECT },
+ { "pkinitMaxLife", HX509_CA_TEMPLATE_PKINIT_MAX_LIFE },
{ NULL, 0 }
};
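Review bot: hx509_ca_tbs_set_pkinit_max_life is the only exported setter in this hunk without the doxygen block its neighbours carry; add one stating its purpose (store the PKINIT principal maximum lifetime in the tbs), the `@param context`, `@param tbs` and `@param max_life` lines, `@return` 0, and `@ingroup hx509_ca`. The assignment `tbs->pkinitTicketMaxLife = max_life;` converts a time_t into HeimPkinitPrincMaxLifeSecs; if that type is narrower than time_t (its definition is not visible here), large values truncate silently, and either a range check or a note in the doc would be warranted.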
@@ -202,19 +217,19 @@ static const struct units templatebits[] = {
* @ingroup hx509_ca
*/
-const struct units *
+HX509_LIB_FUNCTION const struct units * HX509_LIB_CALL
hx509_ca_tbs_template_units(void)
{
return templatebits;
}
/**
- * Initialize the to-be-signed certificate object from a template certifiate.
+ * Initialize the to-be-signed certificate object from a template certificate.
*
* @param context A hx509 context.
* @param tbs object to be signed.
* @param flags bit field selecting what to copy from the template
- * certifiate.
+ * certificate.
* @param cert template certificate.
*
* @return An hx509 error code, see hx509_get_error_string().
@@ -222,7 +237,7 @@ hx509_ca_tbs_template_units(void)
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_template(hx509_context context,
hx509_ca_tbs tbs,
int flags,
@@ -262,11 +277,9 @@ hx509_ca_tbs_set_template(hx509_context context,
return ret;
}
if (flags & HX509_CA_TEMPLATE_KU) {
- KeyUsage ku;
- ret = _hx509_cert_get_keyusage(context, cert, &ku);
+ ret = _hx509_cert_get_keyusage(context, cert, &tbs->ku);
if (ret)
return ret;
- tbs->key_usage = KeyUsage2int(ku);
}
if (flags & HX509_CA_TEMPLATE_EKU) {
ExtKeyUsage eku;
@@ -283,6 +296,12 @@ hx509_ca_tbs_set_template(hx509_context context,
}
free_ExtKeyUsage(&eku);
}
+ if (flags & HX509_CA_TEMPLATE_PKINIT_MAX_LIFE) {
+ time_t max_life;
+
+ if ((max_life = hx509_cert_get_pkinit_max_life(context, cert, 0)) > 0)
+ hx509_ca_tbs_set_pkinit_max_life(context, tbs, max_life);
+ }
return 0;
}
@@ -300,7 +319,7 @@ hx509_ca_tbs_set_template(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_ca(hx509_context context,
hx509_ca_tbs tbs,
int pathLenConstraint)
@@ -324,7 +343,7 @@ hx509_ca_tbs_set_ca(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_proxy(hx509_context context,
hx509_ca_tbs tbs,
int pathLenConstraint)
@@ -346,7 +365,7 @@ hx509_ca_tbs_set_proxy(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_domaincontroller(hx509_context context,
hx509_ca_tbs tbs)
{
@@ -368,7 +387,7 @@ hx509_ca_tbs_set_domaincontroller(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_spki(hx509_context context,
hx509_ca_tbs tbs,
const SubjectPublicKeyInfo *spki)
@@ -393,7 +412,7 @@ hx509_ca_tbs_set_spki(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_serialnumber(hx509_context context,
hx509_ca_tbs tbs,
const heim_integer *serialNumber)
@@ -406,6 +425,65 @@ hx509_ca_tbs_set_serialnumber(hx509_context context,
}
/**
+ * Copy elements of a CSR into a TBS, but only if all of them are authorized.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param req CSR
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_set_from_csr(hx509_context context,
+ hx509_ca_tbs tbs,
+ hx509_request req)
+{
+ hx509_san_type san_type;
+ heim_oid oid = { 0, 0 };
+ KeyUsage ku;
+ size_t i;
+ char *s = NULL;
+ int ret;
+
+ if (hx509_request_count_unauthorized(req)) {
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return EACCES;
+ }
+
+ ret = hx509_request_get_ku(context, req, &ku);
+ if (ret == 0 && KeyUsage2int(ku))
+ ret = hx509_ca_tbs_add_ku(context, tbs, ku);
+
+ for (i = 0; ret == 0; i++) {
+ free(s); s = NULL;
+ der_free_oid(&oid);
+ ret = hx509_request_get_eku(req, i, &s);
+ if (ret == 0)
+ ret = der_parse_heim_oid(s, ".", &oid);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
+ }
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+
+ for (i = 0; ret == 0; i++) {
+ free(s); s = NULL;
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_san(context, tbs, san_type, s);
+ }
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+
+ der_free_oid(&oid);
+ free(s);
+ return ret;
+}
+
+/**
* An an extended key usage to the to-be-signed certificate object.
* Duplicates will detected and not added.
*
@@ -418,7 +496,29 @@ hx509_ca_tbs_set_serialnumber(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_ku(hx509_context context,
+ hx509_ca_tbs tbs,
+ KeyUsage ku)
+{
+ tbs->ku = ku;
+ return 0;
+}
+
+/**
+ * An an extended key usage to the to-be-signed certificate object.
+ * Duplicates will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid extended key usage to add.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_eku(hx509_context context,
hx509_ca_tbs tbs,
const heim_oid *oid)
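Review bot: The unauthorized-CSR check at the top of hx509_ca_tbs_set_from_csr records ENOMEM with "out of memory" but returns EACCES, so hx509_get_error_string() reports an out-of-memory condition for what is a policy rejection; use `hx509_set_error_string(context, 0, EACCES, "CSR contains unauthorized requests");` so the recorded code matches the return value. Also, hx509_ca_tbs_add_ku sits under the doc block that still describes an extended key usage with duplicate detection, while its body is `tbs->ku = ku;`, which replaces any KeyUsage bits set earlier rather than adding to them; either OR the bits in or give it its own doc block saying it sets the whole KeyUsage.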
@@ -449,6 +549,127 @@ hx509_ca_tbs_add_eku(hx509_context context,
}
/**
+ * Add a certificate policy to the to-be-signed certificate object. Duplicates
+ * will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid policy OID.
+ * @param cps_uri CPS URI to qualify policy with.
+ * @param user_notice user notice display text to qualify policy with.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_pol(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *oid,
+ const char *cps_uri,
+ const char *user_notice)
+{
+ PolicyQualifierInfos pqis;
+ PolicyQualifierInfo pqi;
+ PolicyInformation pi;
+ size_t i, size;
+ int ret = 0;
+
+ /* search for duplicates */
+ for (i = 0; i < tbs->cps.len; i++) {
+ if (der_heim_oid_cmp(oid, &tbs->cps.val[i].policyIdentifier) == 0)
+ return 0;
+ }
+
+ memset(&pi, 0, sizeof(pi));
+ memset(&pqi, 0, sizeof(pqi));
+ memset(&pqis, 0, sizeof(pqis));
+
+ pi.policyIdentifier = *oid;
+ if (cps_uri) {
+ CPSuri uri;
+
+ uri.length = strlen(cps_uri);
+ uri.data = (void *)(uintptr_t)cps_uri;
+ pqi.policyQualifierId = asn1_oid_id_pkix_qt_cps;
+
+ ASN1_MALLOC_ENCODE(CPSuri,
+ pqi.qualifier.data,
+ pqi.qualifier.length,
+ &uri, &size, ret);
+ if (ret == 0) {
+ ret = add_PolicyQualifierInfos(&pqis, &pqi);
+ free_heim_any(&pqi.qualifier);
+ }
+ }
+ if (ret == 0 && user_notice) {
+ DisplayText dt;
+ UserNotice un;
+
+ dt.element = choice_DisplayText_utf8String;
+ dt.u.utf8String = (void *)(uintptr_t)user_notice;
+ un.explicitText = &dt;
+ un.noticeRef = 0;
+
+ pqi.policyQualifierId = asn1_oid_id_pkix_qt_unotice;
+ ASN1_MALLOC_ENCODE(UserNotice,
+ pqi.qualifier.data,
+ pqi.qualifier.length,
+ &un, &size, ret);
+ if (ret == 0) {
+ ret = add_PolicyQualifierInfos(&pqis, &pqi);
+ free_heim_any(&pqi.qualifier);
+ }
+ }
+
+ pi.policyQualifiers = pqis.len ? &pqis : 0;
+
+ if (ret == 0)
+ ret = add_CertificatePolicies(&tbs->cps, &pi);
+
+ free_PolicyQualifierInfos(&pqis);
+ return ret;
+}
+
+/**
+ * Add a certificate policy mapping to the to-be-signed certificate object.
+ * Duplicates will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param issuer issuerDomainPolicy policy OID.
+ * @param subject subjectDomainPolicy policy OID.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_pol_mapping(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *issuer,
+ const heim_oid *subject)
+{
+ PolicyMapping pm;
+ size_t i;
+
+ /* search for duplicates */
+ for (i = 0; i < tbs->pms.len; i++) {
+ PolicyMapping *pmp = &tbs->pms.val[i];
+ if (der_heim_oid_cmp(issuer, &pmp->issuerDomainPolicy) == 0 &&
+ der_heim_oid_cmp(subject, &pmp->subjectDomainPolicy) == 0)
+ return 0;
+ }
+
+ memset(&pm, 0, sizeof(pm));
+ pm.issuerDomainPolicy = *issuer;
+ pm.subjectDomainPolicy = *subject;
+ return add_PolicyMappings(&tbs->pms, &pm);
+}
+
+/**
* Add CRL distribution point URI to the to-be-signed certificate
* object.
*
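Review bot: hx509_ca_tbs_add_pol returns failures from ASN1_MALLOC_ENCODE, add_PolicyQualifierInfos and add_CertificatePolicies without calling hx509_set_error_string, unlike the sibling hx509_ca_tbs_add_* functions in this file, so hx509_get_error_string() carries a stale message after a failure here; adding `if (ret) hx509_set_error_string(context, 0, ret, "Out of memory");` before the final return keeps the convention. The `size` that ASN1_MALLOC_ENCODE fills in is never compared with `pqi.qualifier.length`, whereas every other encoder in this file aborts on a mismatch. The same missing error string applies to the add_PolicyMappings return in hx509_ca_tbs_add_pol_mapping.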
@@ -462,94 +683,49 @@ hx509_ca_tbs_add_eku(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
hx509_ca_tbs tbs,
const char *uri,
hx509_name issuername)
{
+ DistributionPointName dpn;
DistributionPoint dp;
+ GeneralNames crlissuer;
+ GeneralName gn, ign;
+ Name in;
int ret;
memset(&dp, 0, sizeof(dp));
-
- dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));
-
- {
- DistributionPointName name;
- GeneralName gn;
- size_t size;
-
- name.element = choice_DistributionPointName_fullName;
- name.u.fullName.len = 1;
- name.u.fullName.val = &gn;
-
- gn.element = choice_GeneralName_uniformResourceIdentifier;
- gn.u.uniformResourceIdentifier.data = rk_UNCONST(uri);
- gn.u.uniformResourceIdentifier.length = strlen(uri);
-
- ASN1_MALLOC_ENCODE(DistributionPointName,
- dp.distributionPoint->data,
- dp.distributionPoint->length,
- &name, &size, ret);
- if (ret) {
- hx509_set_error_string(context, 0, ret,
- "Failed to encoded DistributionPointName");
- goto out;
- }
- if (dp.distributionPoint->length != size)
- _hx509_abort("internal ASN.1 encoder error");
- }
+ memset(&gn, 0, sizeof(gn));
+ memset(&ign, 0, sizeof(ign));
+ memset(&in, 0, sizeof(in));
+ gn.element = choice_GeneralName_uniformResourceIdentifier;
+ gn.u.uniformResourceIdentifier.data = rk_UNCONST(uri);
+ gn.u.uniformResourceIdentifier.length = strlen(uri);
+ dpn.element = choice_DistributionPointName_fullName;
+ dpn.u.fullName.len = 1;
+ dpn.u.fullName.val = &gn;
+ dp.distributionPoint = &dpn;
if (issuername) {
-#if 1
- /**
- * issuername not supported
- */
- hx509_set_error_string(context, 0, EINVAL,
- "CRLDistributionPoints.name.issuername not yet supported");
- return EINVAL;
-#else
- GeneralNames *crlissuer;
- GeneralName gn;
- Name n;
-
- crlissuer = calloc(1, sizeof(*crlissuer));
- if (crlissuer == NULL) {
- return ENOMEM;
- }
- memset(&gn, 0, sizeof(gn));
-
- gn.element = choice_GeneralName_directoryName;
- ret = hx509_name_to_Name(issuername, &n);
- if (ret) {
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto out;
- }
-
- gn.u.directoryName.element = n.element;
- gn.u.directoryName.u.rdnSequence = n.u.rdnSequence;
-
- ret = add_GeneralNames(&crlissuer, &gn);
- free_Name(&n);
+ ign.element = choice_GeneralName_directoryName;
+ ret = hx509_name_to_Name(issuername, &ign.u.directoryName);
if (ret) {
hx509_set_error_string(context, 0, ret, "out of memory");
- goto out;
+ return ret;
}
-
+ crlissuer.len = 1;
+ crlissuer.val = &ign;
dp.cRLIssuer = &crlissuer;
-#endif
}
ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
- if (ret) {
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto out;
- }
-
-out:
- free_DistributionPoint(&dp);
+ if (issuername)
+ free_Name(&ign.u.directoryName);
+ if (ret)
+ hx509_set_error_string(context, 0, ret, "out of memory");
return ret;
}
@@ -567,7 +743,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_otherName(hx509_context context,
hx509_ca_tbs tbs,
const heim_oid *oid,
@@ -583,52 +759,100 @@ hx509_ca_tbs_add_san_otherName(hx509_context context,
return add_GeneralNames(&tbs->san, &gn);
}
-/**
- * Add Kerberos Subject Alternative Name to the to-be-signed
- * certificate object. The principal string is a UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param principal Kerberos principal to add to the certificate.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
+static
+int
+dequote_strndup(hx509_context context, const char *in, size_t len, char **out)
+{
+ size_t i, k;
+ char *s;
+
+ *out = NULL;
+ if ((s = malloc(len + 1)) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+
+ for (k = i = 0; i < len; i++) {
+ if (in[i] == '\\') {
+ switch (in[++i]) {
+ case 't': s[k++] = '\t'; break;
+ case 'b': s[k++] = '\b'; break;
+ case 'n': s[k++] = '\n'; break;
+ case '0':
+ for (i++; i < len; i++) {
+ if (in[i] == '\0')
+ break;
+ if (in[i++] == '\\' && in[i] == '0')
+ continue;
+ hx509_set_error_string(context, 0,
+ HX509_PARSING_NAME_FAILED,
+ "embedded NULs not supported in "
+ "PKINIT SANs");
+ free(s);
+ return HX509_PARSING_NAME_FAILED;
+ }
+ break;
+ case '\0':
+ hx509_set_error_string(context, 0,
+ HX509_PARSING_NAME_FAILED,
+ "trailing unquoted backslashes not "
+ "allowed in PKINIT SANs");
+ free(s);
+ return HX509_PARSING_NAME_FAILED;
+ default: s[k++] = in[i]; break;
+ }
+ } else {
+ s[k++] = in[i];
+ }
+ }
+ s[k] = '\0';
+
+ *out = s;
+ return 0;
+}
int
-hx509_ca_tbs_add_san_pkinit(hx509_context context,
- hx509_ca_tbs tbs,
- const char *principal)
+_hx509_make_pkinit_san(hx509_context context,
+ const char *principal,
+ heim_octet_string *os)
{
- heim_octet_string os;
KRB5PrincipalName p;
size_t size;
int ret;
- char *s = NULL;
+ os->data = NULL;
+ os->length = 0;
memset(&p, 0, sizeof(p));
- /* parse principal */
+ /* Parse principal */
{
- const char *str;
- char *q;
- int n;
+ const char *str, *str_start;
+ size_t n, i;
- /* count number of component */
+ /* Count number of components */
n = 1;
- for(str = principal; *str != '\0' && *str != '@'; str++){
- if(*str=='\\'){
- if(str[1] == '\0' || str[1] == '@') {
+ for (str = principal; *str != '\0' && *str != '@'; str++) {
+ if (*str == '\\') {
+ if (str[1] == '\0') {
ret = HX509_PARSING_NAME_FAILED;
hx509_set_error_string(context, 0, ret,
"trailing \\ in principal name");
goto out;
}
str++;
- } else if(*str == '/')
+ } else if(*str == '/') {
n++;
+ } else if(*str == '@') {
+ break;
+ }
}
+ if (*str != '@') {
+ /* Note that we allow the realm to be empty */
+ ret = HX509_PARSING_NAME_FAILED;
+ hx509_set_error_string(context, 0, ret, "Missing @ in principal");
+ goto out;
+ };
+
p.principalName.name_string.val =
calloc(n, sizeof(*p.principalName.name_string.val));
if (p.principalName.name_string.val == NULL) {
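Review bot: In dequote_strndup, `switch (in[++i])` and the `in[i++] == '\\' && in[i] == '0'` test inside `case '0':` index `in[len]` when a backslash is the last byte of the `len`-byte span, so the `case '\0':` error path only fires when the span happens to be NUL-terminated at `len`; for a component sliced out of the middle of a principal it reads the separator instead. The callers in the following hunk appear to reject an unpaired trailing backslash before calling, but the helper should not depend on that: `i++; switch (i < len ? in[i] : '\0') {` makes the existing error path cover it. The stray `};` closing the missing-'@' block is a style nit. _hx509_make_pkinit_san continues past the end of this hunk.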
@@ -637,49 +861,136 @@ hx509_ca_tbs_add_san_pkinit(hx509_context context,
goto out;
}
p.principalName.name_string.len = n;
-
p.principalName.name_type = KRB5_NT_PRINCIPAL;
- q = s = strdup(principal);
- if (q == NULL) {
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "malloc: out of memory");
- goto out;
- }
- p.realm = strrchr(q, '@');
- if (p.realm == NULL) {
- ret = HX509_PARSING_NAME_FAILED;
- hx509_set_error_string(context, 0, ret, "Missing @ in principal");
- goto out;
- };
- *p.realm++ = '\0';
-
- n = 0;
- while (q) {
- p.principalName.name_string.val[n++] = q;
- q = strchr(q, '/');
- if (q)
- *q++ = '\0';
+
+ for (i = 0, str_start = str = principal; *str != '\0'; str++) {
+ if (*str=='\\') {
+ str++;
+ } else if(*str == '/') {
+ /* Note that we allow components to be empty */
+ ret = dequote_strndup(context, str_start, str - str_start,
+ &p.principalName.name_string.val[i++]);
+ if (ret)
+ goto out;
+ str_start = str + 1;
+ } else if(*str == '@') {
+ ret = dequote_strndup(context, str_start, str - str_start,
+ &p.principalName.name_string.val[i++]);
+ if (ret == 0)
+ ret = dequote_strndup(context, str + 1, strlen(str + 1), &p.realm);
+ if (ret)
+ goto out;
+ break;
+ }
}
}
- ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
+ ASN1_MALLOC_ENCODE(KRB5PrincipalName, os->data, os->length, &p, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
+ if (size != os->length)
+ _hx509_abort("internal ASN.1 encoder error");
+
+out:
+ free_KRB5PrincipalName(&p);
+ return ret;
+}
+
+static int
+add_ia5string_san(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *oid,
+ const char *string)
+{
+ SRVName ustring;
+ heim_octet_string os;
+ size_t size;
+ int ret;
+
+ ustring.data = (void *)(uintptr_t)string;
+ ustring.length = strlen(string);
+
+ os.length = 0;
+ os.data = NULL;
+
+ ASN1_MALLOC_ENCODE(SRVName, os.data, os.length, &ustring, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+ }
if (size != os.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = hx509_ca_tbs_add_san_otherName(context,
- tbs,
- &asn1_oid_id_pkinit_san,
- &os);
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs, oid, &os);
+ free(os.data);
+ return ret;
+}
+
+/**
+ * Add DNSSRV Subject Alternative Name to the to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param dnssrv An ASCII string of the for _Service.Name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_dnssrv(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *dnssrv)
+{
+ size_t i, len;
+
+ /* Minimal DNSSRV input validation */
+ if (dnssrv == 0 || dnssrv[0] != '_') {
+ hx509_set_error_string(context, 0, EINVAL, "Invalid DNSSRV name");
+ return EINVAL;
+ }
+ for (i = 1, len = strlen(dnssrv); i < len; i++) {
+ if (dnssrv[i] == '.' && dnssrv[i + 1] != '\0')
+ break;
+ }
+ if (i == len) {
+ hx509_set_error_string(context, 0, EINVAL, "Invalid DNSSRV name");
+ return EINVAL;
+ }
+
+ return add_ia5string_san(context, tbs,
+ &asn1_oid_id_pkix_on_dnsSRV, dnssrv);
+}
+
+/**
+ * Add Kerberos Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Kerberos principal to add to the certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_pkinit(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *principal)
+{
+ heim_octet_string os;
+ int ret;
+
+ ret = _hx509_make_pkinit_san(context, principal, &os);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs,
+ &asn1_oid_id_pkinit_san, &os);
free(os.data);
-out:
- if (p.principalName.name_string.val)
- free (p.principalName.name_string.val);
- if (s)
- free(s);
return ret;
}
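Review bot: The escape handling in the second pass of _hx509_make_pkinit_san, `if (*str=='\\') { str++; }`, steps over the byte after a backslash without checking for the terminator, and the loop's own `str++` would then run past the end of `principal`; this is only safe because the first pass (in the preceding hunk) requires an unescaped '@' and rejects a trailing backslash before it, so the second pass always breaks at '@' first. That invariant deserves a comment at the `str++`, e.g. `/* safe: pass one guaranteed an unescaped '@' still follows */`. In the hx509_ca_tbs_add_san_dnssrv doc block, "An ASCII string of the for _Service.Name" should read "of the form". The enclosing _hx509_make_pkinit_san begins in the previous hunk.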
@@ -693,7 +1004,7 @@ add_utf8_san(hx509_context context,
const heim_oid *oid,
const char *string)
{
- const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string;
+ const PKIXXmppAddr ustring = (const PKIXXmppAddr)(uintptr_t)string;
heim_octet_string os;
size_t size;
int ret;
@@ -704,17 +1015,13 @@ add_utf8_san(hx509_context context,
ASN1_MALLOC_ENCODE(PKIXXmppAddr, os.data, os.length, &ustring, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
- goto out;
+ return ret;
}
if (size != os.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = hx509_ca_tbs_add_san_otherName(context,
- tbs,
- oid,
- &os);
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs, oid, &os);
free(os.data);
-out:
return ret;
}
@@ -731,7 +1038,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_ms_upn(hx509_context context,
hx509_ca_tbs tbs,
const char *principal)
@@ -752,7 +1059,7 @@ hx509_ca_tbs_add_san_ms_upn(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_jid(hx509_context context,
hx509_ca_tbs tbs,
const char *jid)
@@ -777,7 +1084,7 @@ hx509_ca_tbs_add_san_jid(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_hostname(hx509_context context,
hx509_ca_tbs tbs,
const char *dnsname)
@@ -805,7 +1112,7 @@ hx509_ca_tbs_add_san_hostname(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_add_san_rfc822name(hx509_context context,
hx509_ca_tbs tbs,
const char *rfc822Name)
@@ -820,6 +1127,295 @@ hx509_ca_tbs_add_san_rfc822name(hx509_context context,
return add_GeneralNames(&tbs->san, &gn);
}
+/*
+ * PermanentIdentifier is one SAN for naming devices with TPMs after their
+ * endorsement keys or EK certificates. See TPM 2.0 Keys for Device Identity
+ * and Attestation, Version 1.00, Revision 2, 9/17/2020 (DRAFT).
+ *
+ * The text on the form of permanent identifiers for TPM endorsement keys sans
+ * certificates is clearly problematic, saying: "When the TPM does not have an
+ * EK certificate, the identifierValue is a digest of a concatenation of the
+ * UTF8 string “EkPubkey” (terminating NULL not included) with the binary EK
+ * public key", but since arbitrary binary is not necessarily valid UTF-8...
+ * and since NULs embedded in UTF-8 might be OK in some contexts but really
+ * isn't in C (and Heimdal's ASN.1 compiler does not allow NULs in the
+ * middle of strings)... That just cannot be correct. Since elsewhere the TCG
+ * specs use the hex encoding of the SHA-256 digest of the DER encoding of
+ * public keys, that's what we should support in Heimdal, and maybe send in a
+ * comment.
+ *
+ * Also, even where one should use hex encoding of the SHA-256 digest of the
+ * DER encoding of public keys, how should the public keys be represented?
+ * Presumably as SPKIs, with all the required parameters and no more.
+ */
+
+/**
+ * Add a Subject Alternative Name of PermanentIdentifier type to a to-be-signed
+ * certificate object. The permanent identifier form for TPM endorsement key
+ * certificates is the hex encoding of the SHA-256 digest of the DER encoding
+ * of the certificate. The permanent identifier form for TPM endorsement keys
+ * are of the form "EkPubkey<public-key>", where the form of <public-key> is
+ * not well specified at this point. It is the caller's responsibility to
+ * format the identifierValue.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param str permanent identifier name in the form "[<assigner-oid>]:[<id>]".
+ * @param assigner The OID of an assigner.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_permanentIdentifier_string(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *str)
+{
+ const heim_oid *found = NULL;
+ heim_oid oid;
+ const char *oidstr, *id;
+ char *freeme, *p;
+ int ret;
+
+ memset(&oid, 0, sizeof(oid));
+ if ((freeme = strdup(str)) == NULL)
+ return hx509_enomem(context);
+
+ oidstr = freeme;
+ p = strchr(freeme, ':');
+ if (!p) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "Invalid PermanentIdentifier string (should be \"[<oid>]:[<id>]\")",
+ oidstr);
+ free(freeme);
+ return EINVAL;
+ }
+ if (p) {
+ *(p++) = '\0';
+ id = p;
+ }
+ if (oidstr[0] != '\0') {
+ ret = der_find_heim_oid_by_name(oidstr, &found);
+ if (ret) {
+ ret = der_parse_heim_oid(oidstr, " .", &oid);
+ if (ret == 0)
+ found = &oid;
+ }
+ }
+ ret = hx509_ca_tbs_add_san_permanentIdentifier(context, tbs, id, found);
+ if (found == &oid)
+ der_free_oid(&oid);
+ free(freeme);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of PermanentIdentifier type to a to-be-signed
+ * certificate object. The permanent identifier form for TPM endorsement key
+ * certificates is the hex encoding of the SHA-256 digest of the DER encoding
+ * of the certificate. The permanent identifier form for TPM endorsement keys
+ * are of the form "EkPubkey<public-key>", where the form of <public-key> is
+ * not well specified at this point. It is the caller's responsibility to
+ * format the identifierValue.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param identifierValue The permanent identifier name.
+ * @param assigner The OID of an assigner.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_permanentIdentifier(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *identifierValue,
+ const heim_oid *assigner)
+{
+ PermanentIdentifier pi;
+ heim_utf8_string s = (void *)(uintptr_t)identifierValue;
+ heim_octet_string os;
+ size_t size;
+ int ret;
+
+ pi.identifierValue = &s;
+ pi.assigner = (heim_oid*)(uintptr_t)assigner;
+ os.length = 0;
+ os.data = NULL;
+
+ ASN1_MALLOC_ENCODE(PermanentIdentifier, os.data, os.length, &pi, &size,
+ ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+ }
+ if (size != os.length)
+ _hx509_abort("internal ASN.1 encoder error");
+
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs,
+ &asn1_oid_id_pkix_on_permanentIdentifier,
+ &os);
+ free(os.data);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of HardwareModuleName type to a to-be-signed
+ * certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param str a string of the form "<oid>:<serial>".
+ * @param hwserial The serial number.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_hardwareModuleName_string(hx509_context context,
+ hx509_ca_tbs tbs,
+ const char *str)
+{
+ const heim_oid *found = NULL;
+ heim_oid oid;
+ const char *oidstr, *sno;
+ char *freeme, *p;
+ int ret;
+
+ memset(&oid, 0, sizeof(oid));
+ if ((freeme = strdup(str)) == NULL)
+ return hx509_enomem(context);
+
+ oidstr = freeme;
+ p = strchr(freeme, ':');
+ if (!p) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "Invalid HardwareModuleName string (should be "
+ "\"<oid>:<serial>\")",
+ oidstr);
+ free(freeme);
+ return EINVAL;
+ }
+ if (p) {
+ *(p++) = '\0';
+ sno = p;
+ }
+ if (oidstr[0] == '\0') {
+ found = &asn1_oid_tcg_tpm20;
+ } else {
+ ret = der_find_heim_oid_by_name(oidstr, &found);
+ if (ret) {
+ ret = der_parse_heim_oid(oidstr, " .", &oid);
+ if (ret == 0)
+ found = &oid;
+ }
+ }
+ if (!found) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "Could not resolve or parse OID \"%s\"",
+ oidstr);
+ free(freeme);
+ return EINVAL;
+ }
+ ret = hx509_ca_tbs_add_san_hardwareModuleName(context, tbs, found, sno);
+ if (found == &oid)
+ der_free_oid(&oid);
+ free(freeme);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of HardwareModuleName type to a to-be-signed
+ * certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param hwtype The hardwar module type (e.g., `&asn1_oid_tcg_tpm20').
+ * @param hwserial The serial number.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san_hardwareModuleName(hx509_context context,
+ hx509_ca_tbs tbs,
+ const heim_oid *hwtype,
+ const char *hwserial)
+{
+ HardwareModuleName hm;
+ heim_octet_string os;
+ size_t size;
+ int ret;
+
+ hm.hwType = *hwtype;
+ hm.hwSerialNum.data = (void *)(uintptr_t)hwserial;
+ hm.hwSerialNum.length = strlen(hwserial);
+ os.length = 0;
+ os.data = NULL;
+
+ ASN1_MALLOC_ENCODE(HardwareModuleName, os.data, os.length, &hm, &size,
+ ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+ }
+ if (size != os.length)
+ _hx509_abort("internal ASN.1 encoder error");
+
+ ret = hx509_ca_tbs_add_san_otherName(context, tbs,
+ &asn1_oid_id_on_hardwareModuleName,
+ &os);
+ free(os.data);
+ return ret;
+}
+
+/**
+ * Add a Subject Alternative Name of the given type to the
+ * to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param rfc822Name a string to a email address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_ca_tbs_add_san(hx509_context context,
+ hx509_ca_tbs tbs,
+ hx509_san_type type,
+ const char *s)
+{
+ switch (type) {
+ case HX509_SAN_TYPE_EMAIL:
+ return hx509_ca_tbs_add_san_rfc822name(context, tbs, s);
+ case HX509_SAN_TYPE_DNSNAME:
+ return hx509_ca_tbs_add_san_hostname(context, tbs, s);
+ case HX509_SAN_TYPE_DN:
+ return ENOTSUP;
+ case HX509_SAN_TYPE_REGISTERED_ID:
+ return ENOTSUP;
+ case HX509_SAN_TYPE_XMPP:
+ return hx509_ca_tbs_add_san_jid(context, tbs, s);
+ case HX509_SAN_TYPE_PKINIT:
+ return hx509_ca_tbs_add_san_pkinit(context, tbs, s);
+ case HX509_SAN_TYPE_MS_UPN:
+ return hx509_ca_tbs_add_san_ms_upn(context, tbs, s);
+ default:
+ return ENOTSUP;
+ }
+}
+
/**
* Set the subject name of a to-be-signed certificate object.
*
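Review bot: In hx509_ca_tbs_add_san_permanentIdentifier_string, when `oidstr` is non-empty but both der_find_heim_oid_by_name and der_parse_heim_oid fail, `found` stays NULL and the nonzero `ret` is overwritten by the next call, so a malformed assigner OID is silently dropped and the SAN is added without an assigner; hx509_ca_tbs_add_san_hardwareModuleName_string in the same hunk handles this case with an explicit `if (!found)` error, and the permanentIdentifier variant should do the same, guarded by the non-empty check. Both `_string` functions also pass `oidstr` to hx509_set_error_string with a format that contains no `%s`; either drop the argument or append `: \"%s\"` to the format. The `@param assigner` line in the `_string` doc block and the `@param rfc822Name` line in the hx509_ca_tbs_add_san doc block do not match those functions' parameters (`str`, and `type`/`s`).
```c
    if (oidstr[0] != '\0') {
        ret = der_find_heim_oid_by_name(oidstr, &found);
        if (ret) {
            ret = der_parse_heim_oid(oidstr, " .", &oid);
            if (ret == 0)
                found = &oid;
        }
        if (!found) {
            hx509_set_error_string(context, 0, EINVAL,
                                   "Could not resolve or parse OID \"%s\"",
                                   oidstr);
            free(freeme);
            return EINVAL;
        }
    }
    /* … unchanged: hx509_ca_tbs_add_san_permanentIdentifier call and cleanup … */
```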
@@ -832,7 +1428,7 @@ hx509_ca_tbs_add_san_rfc822name(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_subject(hx509_context context,
hx509_ca_tbs tbs,
hx509_name subject)
@@ -860,7 +1456,7 @@ hx509_ca_tbs_set_subject(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_unique(hx509_context context,
hx509_ca_tbs tbs,
const heim_bit_string *subjectUniqueID,
@@ -900,7 +1496,7 @@ hx509_ca_tbs_set_unique(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_subject_expand(hx509_context context,
hx509_ca_tbs tbs,
hx509_env env)
@@ -909,6 +1505,23 @@ hx509_ca_tbs_subject_expand(hx509_context context,
}
/**
+ * Get the name of a to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ *
+ * @return An hx509 name.
+ *
+ * @ingroup hx509_ca
+ */
+
+HX509_LIB_FUNCTION hx509_name HX509_LIB_CALL
+hx509_ca_tbs_get_name(hx509_ca_tbs tbs)
+{
+ return tbs->subject;
+}
+
+/**
* Set signature algorithm on the to be signed certificate
*
* @param context A hx509 context.
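Review bot: The doxygen block for `hx509_ca_tbs_get_name` lists `@param context A hx509 context.`, but the new function (L3934-3938) takes only `tbs`; the stray parameter line should go and the return should say what the caller gets: `@return The subject name held by the tbs object (may be NULL until one is set; presumably owned by tbs, so do not free it).` The function also dereferences `tbs` with no NULL guard, and it hands out the internal pointer that `ca_sign` later defaults to an empty name (L4003-4005), so a caller invoking it before signing can receive NULL — the one visible caller at L4908 passes the result straight into `hx509_name_is_null_p()` without checking, and whether that helper tolerates NULL is not visible here.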
@@ -920,7 +1533,7 @@ hx509_ca_tbs_subject_expand(hx509_context context,
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_tbs_set_signature_algorithm(hx509_context context,
hx509_ca_tbs tbs,
const AlgorithmIdentifier *sigalg)
@@ -957,16 +1570,7 @@ add_extension(hx509_context context,
memset(&ext, 0, sizeof(ext));
- if (critical_flag) {
- ext.critical = malloc(sizeof(*ext.critical));
- if (ext.critical == NULL) {
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "Out of memory");
- goto out;
- }
- *ext.critical = TRUE;
- }
-
+ ext.critical = critical_flag;
ret = der_copy_oid(oid, &ext.extnID);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
@@ -1033,7 +1637,6 @@ ca_sign(hx509_context context,
const AlgorithmIdentifier *sigalg;
time_t notBefore;
time_t notAfter;
- unsigned key_usage;
sigalg = tbs->sigalg;
if (sigalg == NULL)
@@ -1053,21 +1656,12 @@ ca_sign(hx509_context context,
if (notAfter == 0)
notAfter = time(NULL) + 3600 * 24 * 365;
- key_usage = tbs->key_usage;
- if (key_usage == 0) {
- KeyUsage ku;
- memset(&ku, 0, sizeof(ku));
- ku.digitalSignature = 1;
- ku.keyEncipherment = 1;
- key_usage = KeyUsage2int(ku);
- }
-
if (tbs->flags.ca) {
- KeyUsage ku;
- memset(&ku, 0, sizeof(ku));
- ku.keyCertSign = 1;
- ku.cRLSign = 1;
- key_usage |= KeyUsage2int(ku);
+ tbs->ku.keyCertSign = 1;
+ tbs->ku.cRLSign = 1;
+ } else if (KeyUsage2int(tbs->ku) == 0) {
+ tbs->ku.digitalSignature = 1;
+ tbs->ku.keyEncipherment = 1;
}
/*
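Review bot: The default key usage is now written into the caller-owned `tbs->ku` in place (L3993-3997) instead of a local as before, so signing mutates the TBS object: a `hx509_ca_tbs` reused for a second `hx509_ca_sign` call after clearing `flags.ca` would still carry `keyCertSign`/`cRLSign`. It is also a behaviour change that CA certificates no longer get `digitalSignature|keyEncipherment` added when no KU was set — a tighter, least-privilege default, but one worth stating so nobody "fixes" it back. Suggest a comment at the top of the block: `/* NB: fills in defaults in the caller's tbs->ku; a CA tbs gets only keyCertSign|cRLSign unless more was set explicitly */`. `ca_sign` starts and ends outside this hunk.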
@@ -1076,6 +1670,12 @@ ca_sign(hx509_context context,
tbsc = &c.tbsCertificate;
+ /* Default subject Name to empty */
+ if (tbs->subject == NULL &&
+ (ret = hx509_empty_name(context, &tbs->subject)))
+ return ret;
+
+ /* Sanity checks */
if (tbs->flags.key == 0) {
ret = EINVAL;
hx509_set_error_string(context, 0, ret, "No public key set");
@@ -1086,13 +1686,9 @@ ca_sign(hx509_context context,
* will be generated below.
*/
if (!tbs->flags.proxy) {
- if (tbs->subject == NULL) {
- hx509_set_error_string(context, 0, EINVAL, "No subject name set");
- return EINVAL;
- }
if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
hx509_set_error_string(context, 0, EINVAL,
- "NULL subject and no SubjectAltNames");
+ "Empty subject and no SubjectAltNames");
return EINVAL;
}
}
@@ -1146,7 +1742,7 @@ ca_sign(hx509_context context,
/* signature AlgorithmIdentifier, */
ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to copy sigature alg");
+ hx509_set_error_string(context, 0, ret, "Failed to copy signature alg");
goto out;
}
/* issuer Name, */
@@ -1159,10 +1755,32 @@ ca_sign(hx509_context context,
goto out;
}
/* validity Validity, */
- tbsc->validity.notBefore.element = choice_Time_generalTime;
- tbsc->validity.notBefore.u.generalTime = notBefore;
- tbsc->validity.notAfter.element = choice_Time_generalTime;
- tbsc->validity.notAfter.u.generalTime = notAfter;
+ {
+ /*
+ * From RFC 5280, section 4.1.2.5:
+ *
+ * CAs conforming to this profile MUST always encode certificate
+ * validity dates through the year 2049 as UTCTime; certificate validity
+ * dates in 2050 or later MUST be encoded as GeneralizedTime.
+ * Conforming applications MUST be able to process validity dates that
+ * are encoded in either UTCTime or GeneralizedTime.
+ *
+ * 2524608000 is seconds since the epoch for 2050-01-01T00:00:00Z.
+ *
+ * Both, ...u.generalTime and ...u..utcTime are time_t.
+ */
+ if (notBefore < 1 || (int64_t)notBefore < 2524608000)
+ tbsc->validity.notBefore.element = choice_Time_utcTime;
+ else
+ tbsc->validity.notBefore.element = choice_Time_generalTime;
+ tbsc->validity.notBefore.u.generalTime = notBefore;
+
+ if (notAfter < 1 || (int64_t)notAfter < 2524608000)
+ tbsc->validity.notAfter.element = choice_Time_utcTime;
+ else
+ tbsc->validity.notAfter.element = choice_Time_generalTime;
+ tbsc->validity.notAfter.u.generalTime = notAfter;
+ }
/* subject Name, */
if (tbs->flags.proxy) {
ret = build_proxy_prefix(context, &tbsc->issuer, &tbsc->subject);
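Review bot: The `notBefore < 1 ||` and `notAfter < 1 ||` disjuncts at L4057 and L4063 are redundant (any value below 1 is also below 2524608000), and the code then stores into `u.generalTime` even when `element` was set to `choice_Time_utcTime`, which only works because the two union members alias — the comment at L4055 admits as much. Writing the member that matches the chosen element removes the reliance on that layout, and a sibling note is worth adding: UTCTime only spans 1950-2049, so a negative `time_t` earlier than 1950 cannot be represented correctly in the utcTime branch and, unless the encoder rejects it (not visible here), would be silently mis-encoded. `ca_sign` starts and ends outside this hunk.
```c
/* … unchanged: RFC 5280 §4.1.2.5 comment … */
if ((int64_t)notBefore < 2524608000) {
    tbsc->validity.notBefore.element = choice_Time_utcTime;
    tbsc->validity.notBefore.u.utcTime = notBefore;
} else {
    tbsc->validity.notBefore.element = choice_Time_generalTime;
    tbsc->validity.notBefore.u.generalTime = notBefore;
}
/* … same shape for notAfter … */
```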
@@ -1236,12 +1854,10 @@ ca_sign(hx509_context context,
goto out;
}
- /* add KeyUsage */
- {
- KeyUsage ku;
-
- ku = int2KeyUsage(key_usage);
- ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret);
+ /* Add KeyUsage */
+ if (KeyUsage2int(tbs->ku) > 0) {
+ ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length,
+ &tbs->ku, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
@@ -1255,7 +1871,7 @@ ca_sign(hx509_context context,
goto out;
}
- /* add ExtendedKeyUsage */
+ /* Add ExtendedKeyUsage */
if (tbs->eku.len > 0) {
ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
&tbs->eku, &size, ret);
@@ -1265,14 +1881,14 @@ ca_sign(hx509_context context,
}
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = add_extension(context, tbsc, 0,
+ ret = add_extension(context, tbsc, 1,
&asn1_oid_id_x509_ce_extKeyUsage, &data);
free(data.data);
if (ret)
goto out;
}
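Review bot: Flipping the ExtendedKeyUsage extension to critical (L4101) is a policy decision with interoperability consequences — RFC 5280 §4.2.1.12 leaves criticality to the issuer, and a relying party that does not process EKU must now reject the certificate rather than ignore the extension — yet the hunk leaves no trace of why. A one-line why-comment at the call would stop a future reader from reverting it as a typo: `/* Critical: relying parties must honour the listed purposes (RFC 5280 §4.2.1.12) */`. `ca_sign` starts and ends outside this hunk.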
- /* add Subject Alternative Name */
+ /* Add Subject Alternative Name */
if (tbs->san.len > 0) {
ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
&tbs->san, &size, ret);
@@ -1282,9 +1898,10 @@ ca_sign(hx509_context context,
}
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
- ret = add_extension(context, tbsc, 0,
- &asn1_oid_id_x509_ce_subjectAltName,
- &data);
+
+ /* The SAN extension is critical if the subject Name is empty */
+ ret = add_extension(context, tbsc, hx509_name_is_null_p(tbs->subject),
+ &asn1_oid_id_x509_ce_subjectAltName, &data);
free(data.data);
if (ret)
goto out;
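Review bot: The criticality flag at L4121 is derived from `tbs->subject`, but for proxy certificates the certificate's actual subject is built from the issuer by `build_proxy_prefix()` (L4070-4071, outside this hunk), so `tbs->subject` can be the empty default while `tbsc->subject` is non-empty and the SAN ends up critical anyway. RFC 5280 §4.2.1.6 asks CAs to mark subjectAltName non-critical when the subject DN is non-empty, so if the proxy path can carry SANs the condition should be `hx509_name_is_null_p(tbs->subject) && !tbs->flags.proxy`. Harmless for non-proxy certificates, where the new behaviour is exactly what §4.2.1.6 requires.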
@@ -1346,13 +1963,12 @@ ca_sign(hx509_context context,
/* Add BasicConstraints */
{
BasicConstraints bc;
- int aCA = 1;
unsigned int path;
memset(&bc, 0, sizeof(bc));
if (tbs->flags.ca) {
- bc.cA = &aCA;
+ bc.cA = 1;
if (tbs->pathLenConstraint >= 0) {
path = tbs->pathLenConstraint;
bc.pathLenConstraint = &path;
@@ -1376,7 +1992,7 @@ ca_sign(hx509_context context,
goto out;
}
- /* add Proxy */
+ /* Add Proxy */
if (tbs->flags.proxy) {
ProxyCertInfo info;
@@ -1418,8 +2034,8 @@ ca_sign(hx509_context context,
goto out;
}
+ /* Add CRL distribution point */
if (tbs->crldp.len) {
-
ASN1_MALLOC_ENCODE(CRLDistributionPoints, data.data, data.length,
&tbs->crldp, &size, ret);
if (ret) {
@@ -1436,6 +2052,57 @@ ca_sign(hx509_context context,
goto out;
}
+ /* Add CertificatePolicies */
+ if (tbs->cps.len) {
+ ASN1_MALLOC_ENCODE(CertificatePolicies, data.data, data.length,
+ &tbs->cps, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ goto out;
+ }
+ if (size != data.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ ret = add_extension(context, tbsc, FALSE,
+ &asn1_oid_id_x509_ce_certificatePolicies, &data);
+ free(data.data);
+ if (ret)
+ goto out;
+ }
+
+ /* Add PolicyMappings */
+ if (tbs->cps.len) {
+ ASN1_MALLOC_ENCODE(PolicyMappings, data.data, data.length,
+ &tbs->pms, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ goto out;
+ }
+ if (size != data.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ ret = add_extension(context, tbsc, FALSE,
+ &asn1_oid_id_x509_ce_policyMappings, &data);
+ free(data.data);
+ if (ret)
+ goto out;
+ }
+
+ /* Add Heimdal PKINIT ticket max life extension */
+ if (tbs->pkinitTicketMaxLife > 0) {
+ ASN1_MALLOC_ENCODE(HeimPkinitPrincMaxLifeSecs, data.data, data.length,
+ &tbs->pkinitTicketMaxLife, &size, ret);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ goto out;
+ }
+ if (size != data.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ ret = add_extension(context, tbsc, FALSE,
+ &asn1_oid_id_heim_ce_pkinit_princ_max_life, &data);
+ free(data.data);
+ if (ret)
+ goto out;
+ }
+
ASN1_MALLOC_ENCODE(TBSCertificate, data.data, data.length,tbsc, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "malloc out of memory");
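Review bot: The PolicyMappings block is gated on the wrong field: L4176 tests `tbs->cps.len` but encodes `&tbs->pms` (L4178), a copy-paste of the CertificatePolicies condition at L4159. As written, a TBS with policies but no mappings emits an empty PolicyMappings extension (RFC 5280 defines it as `SEQUENCE SIZE (1..MAX)`), and mappings set without any policy are silently dropped; the fix is `if (tbs->pms.len) {`. Separately, RFC 5280 §4.2.1.5 says conforming CAs SHOULD mark policyMappings critical, so the `FALSE` at L4185 deserves either `TRUE` or a comment explaining the choice. `ca_sign` starts and ends outside this hunk.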
@@ -1531,8 +2198,7 @@ get_AuthorityKeyIdentifier(hx509_context context,
memset(&gn, 0, sizeof(gn));
gn.element = choice_GeneralName_directoryName;
- gn.u.directoryName.element =
- choice_GeneralName_directoryName_rdnSequence;
+ gn.u.directoryName.element = choice_Name_rdnSequence;
gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
ret = add_GeneralNames(&gns, &gn);
@@ -1583,7 +2249,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_sign(hx509_context context,
hx509_ca_tbs tbs,
hx509_cert signer,
@@ -1627,7 +2293,7 @@ out:
* @ingroup hx509_ca
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ca_sign_self(hx509_context context,
hx509_ca_tbs tbs,
hx509_private_key signer,
@@ -1640,3 +2306,790 @@ hx509_ca_sign_self(hx509_context context,
NULL,
certificate);
}
+
+/*
+ * The following used to be `kdc_issue_certificate()', which was added for
+ * kx509 support in the kdc, then adapted for bx509d. It now has no
+ * kdc-specific code and very little krb5-specific code, and is named
+ * `hx509_ca_issue_certificate()'.
+ */
+
+/* From lib/krb5/principal.c */
+#define princ_num_comp(P) ((P)->principalName.name_string.len)
+#define princ_type(P) ((P)->principalName.name_type)
+#define princ_comp(P) ((P)->principalName.name_string.val)
+#define princ_ncomp(P, N) ((P)->principalName.name_string.val[(N)])
+#define princ_realm(P) ((P)->realm)
+
+static const char *
+princ_get_comp_string(KRB5PrincipalName *principal, unsigned int component)
+{
+ if (component >= princ_num_comp(principal))
+ return NULL;
+ return princ_ncomp(principal, component);
+}
+/* XXX Add unparse_name() */
+
+typedef enum {
+ CERT_NOTSUP = 0,
+ CERT_CLIENT = 1,
+ CERT_SERVER = 2,
+ CERT_MIXED = 3
+} cert_type;
+
+static void
+frees(char **s)
+{
+ free(*s);
+ *s = NULL;
+}
+
+static heim_error_code
+count_sans(hx509_request req, size_t *n)
+{
+ size_t i;
+ char *s = NULL;
+ int ret = 0;
+
+ *n = 0;
+ for (i = 0; ret == 0; i++) {
+ hx509_san_type san_type;
+
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret)
+ break;
+ switch (san_type) {
+ case HX509_SAN_TYPE_DNSNAME:
+ case HX509_SAN_TYPE_EMAIL:
+ case HX509_SAN_TYPE_XMPP:
+ case HX509_SAN_TYPE_PKINIT:
+ case HX509_SAN_TYPE_MS_UPN:
+ (*n)++;
+ break;
+ default:
+ ret = ENOTSUP;
+ }
+ frees(&s);
+ }
+ free(s);
+ return ret == HX509_NO_ITEM ? 0 : ret;
+}
+
+static int
+has_sans(hx509_request req)
+{
+ hx509_san_type san_type;
+ char *s = NULL;
+ int ret = hx509_request_get_san(req, 0, &san_type, &s);
+
+ frees(&s);
+ return ret == HX509_NO_ITEM ? 0 : 1;
+}
+
+static cert_type
+characterize_cprinc(hx509_context context,
+ KRB5PrincipalName *cprinc)
+{
+ unsigned int ncomp = princ_num_comp(cprinc);
+ const char *comp1 = princ_get_comp_string(cprinc, 1);
+
+ switch (ncomp) {
+ case 1:
+ return CERT_CLIENT;
+ case 2:
+ if (strchr(comp1, '.') == NULL)
+ return CERT_CLIENT;
+ return CERT_SERVER;
+ case 3:
+ if (strchr(comp1, '.'))
+ return CERT_SERVER;
+ return CERT_NOTSUP;
+ default:
+ return CERT_NOTSUP;
+ }
+}
+
+/* Characterize request as client or server cert req */
+static cert_type
+characterize(hx509_context context,
+ KRB5PrincipalName *cprinc,
+ hx509_request req)
+{
+ heim_error_code ret = 0;
+ cert_type res = CERT_NOTSUP;
+ size_t i;
+ char *s = NULL;
+ int want_ekus = 0;
+
+ if (!has_sans(req))
+ return characterize_cprinc(context, cprinc);
+
+ for (i = 0; ret == 0; i++) {
+ heim_oid oid;
+
+ frees(&s);
+ ret = hx509_request_get_eku(req, i, &s);
+ if (ret)
+ break;
+
+ want_ekus = 1;
+ ret = der_parse_heim_oid(s, ".", &oid);
+ if (ret)
+ break;
+ /*
+ * If the client wants only a server certificate, then we'll be
+ * willing to issue one that may be longer-lived than the client's
+ * ticket/token.
+ *
+ * There may be other server EKUs, but these are the ones we know
+ * of.
+ */
+ if (der_heim_oid_cmp(&asn1_oid_id_pkix_kp_serverAuth, &oid) &&
+ der_heim_oid_cmp(&asn1_oid_id_pkix_kp_OCSPSigning, &oid) &&
+ der_heim_oid_cmp(&asn1_oid_id_pkix_kp_secureShellServer, &oid))
+ res |= CERT_CLIENT;
+ else
+ res |= CERT_SERVER;
+ der_free_oid(&oid);
+ }
+ frees(&s);
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+
+ for (i = 0; ret == 0; i++) {
+ hx509_san_type san_type;
+
+ frees(&s);
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret)
+ break;
+ switch (san_type) {
+ case HX509_SAN_TYPE_DNSNAME:
+ if (!want_ekus)
+ res |= CERT_SERVER;
+ break;
+ case HX509_SAN_TYPE_EMAIL:
+ case HX509_SAN_TYPE_XMPP:
+ case HX509_SAN_TYPE_PKINIT:
+ case HX509_SAN_TYPE_MS_UPN:
+ if (!want_ekus)
+ res |= CERT_CLIENT;
+ break;
+ default:
+ ret = ENOTSUP;
+ }
+ if (ret)
+ break;
+ }
+ frees(&s);
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ return ret ? CERT_NOTSUP : res;
+}
+
+/*
+ * Get a configuration sub-tree for kx509 based on what's being requested and
+ * by whom.
+ *
+ * We have a number of cases:
+ *
+ * - default certificate (no CSR used, or no certificate extensions requested)
+ * - for client principals
+ * - for service principals
+ * - client certificate requested (CSR used and client-y SANs/EKUs requested)
+ * - server certificate requested (CSR used and server-y SANs/EKUs requested)
+ * - mixed client/server certificate requested (...)
+ */
+static heim_error_code
+get_cf(hx509_context context,
+ const heim_config_binding *cf,
+ heim_log_facility *logf,
+ hx509_request req,
+ KRB5PrincipalName *cprinc,
+ const heim_config_binding **out)
+{
+ heim_error_code ret;
+ unsigned int ncomp = princ_num_comp(cprinc);
+ const char *realm = princ_realm(cprinc);
+ const char *comp0 = princ_get_comp_string(cprinc, 0);
+ const char *comp1 = princ_get_comp_string(cprinc, 1);
+ const char *label = NULL;
+ const char *svc = NULL;
+ const char *def = NULL;
+ cert_type certtype = CERT_NOTSUP;
+ size_t nsans = 0;
+
+ *out = NULL;
+ if (ncomp == 0) {
+ heim_log_msg(context->hcontext, logf, 5, NULL,
+ "Client principal has no components!");
+ hx509_set_error_string(context, 0, ret = ENOTSUP,
+ "Client principal has no components!");
+ return ret;
+ }
+
+ if ((ret = count_sans(req, &nsans)) ||
+ (certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
+ heim_log_msg(context->hcontext, logf, 5, NULL,
+ "Could not characterize CSR");
+ hx509_set_error_string(context, 0, ret, "Could not characterize CSR");
+ return ret;
+ }
+
+ if (nsans) {
+ def = "custom";
+ /* Client requested some certificate extension, a SAN or EKU */
+ switch (certtype) {
+ case CERT_MIXED: label = "mixed"; break;
+ case CERT_CLIENT: label = "client"; break;
+ case CERT_SERVER: label = "server"; break;
+ default:
+ hx509_set_error_string(context, 0, ret = ENOTSUP,
+ "Requested SAN/EKU combination not "
+ "supported");
+ return ret;
+ }
+ } else {
+ def = "default";
+ /* Default certificate desired */
+ if (ncomp == 1) {
+ label = "user";
+ } else if (ncomp == 2 && strcmp(comp1, "root") == 0) {
+ label = "root_user";
+ } else if (ncomp == 2 && strcmp(comp1, "admin") == 0) {
+ label = "admin_user";
+ } else if (strchr(comp1, '.')) {
+ label = "hostbased_service";
+ svc = comp0;
+ } else {
+ label = "other";
+ }
+ }
+
+ *out = heim_config_get_list(context->hcontext, cf, label, svc, NULL);
+ if (*out) {
+ ret = 0;
+ } else {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "No configuration for %s %s certificate's realm "
+ "-> %s -> kx509 -> %s%s%s", def, label, realm, label,
+ svc ? " -> " : "", svc ? svc : "");
+ hx509_set_error_string(context, 0, EACCES,
+ "No configuration for %s %s certificate's realm "
+ "-> %s -> kx509 -> %s%s%s", def, label, realm, label,
+ svc ? " -> " : "", svc ? svc : "");
+ }
+ return ret;
+}
+
+
+/*
+ * Find and set a certificate template using a configuration sub-tree
+ * appropriate to the requesting principal.
+ *
+ * This allows for the specification of the following in configuration:
+ *
+ * - certificates as templates, with ${var} tokens in subjectName attribute
+ * values that will be expanded later
+ * - a plain string with ${var} tokens to use as the subjectName
+ * - EKUs
+ * - whether to include a PKINIT SAN
+ */
+static heim_error_code
+set_template(hx509_context context,
+ heim_log_facility *logf,
+ const heim_config_binding *cf,
+ hx509_ca_tbs tbs)
+{
+ heim_error_code ret = 0;
+ const char *cert_template = NULL;
+ const char *subj_name = NULL;
+ char **ekus = NULL;
+
+ if (cf == NULL)
+ return EACCES; /* Can't happen */
+
+ cert_template = heim_config_get_string(context->hcontext, cf,
+ "template_cert", NULL);
+ subj_name = heim_config_get_string(context->hcontext, cf, "subject_name",
+ NULL);
+
+ if (cert_template) {
+ hx509_certs certs;
+ hx509_cert template;
+
+ ret = hx509_certs_init(context, cert_template, 0, NULL, &certs);
+ if (ret == 0)
+ ret = hx509_get_one_cert(context, certs, &template);
+ hx509_certs_free(&certs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 1, NULL,
+ "Failed to load certificate template from %s",
+ cert_template);
+ hx509_set_error_string(context, 0, EACCES,
+ "Failed to load certificate template from "
+ "%s", cert_template);
+ return ret;
+ }
+
+ /*
+ * Only take the subjectName, the keyUsage, and EKUs from the template
+ * certificate.
+ */
+ ret = hx509_ca_tbs_set_template(context, tbs,
+ HX509_CA_TEMPLATE_SUBJECT |
+ HX509_CA_TEMPLATE_KU |
+ HX509_CA_TEMPLATE_EKU,
+ template);
+ hx509_cert_free(template);
+ if (ret)
+ return ret;
+ }
+
+ if (subj_name) {
+ hx509_name dn = NULL;
+
+ ret = hx509_parse_name(context, subj_name, &dn);
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_subject(context, tbs, dn);
+ hx509_name_free(&dn);
+ if (ret)
+ return ret;
+ }
+
+ if (cert_template == NULL && subj_name == NULL) {
+ hx509_name dn = NULL;
+
+ ret = hx509_empty_name(context, &dn);
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_subject(context, tbs, dn);
+ hx509_name_free(&dn);
+ if (ret)
+ return ret;
+ }
+
+ ekus = heim_config_get_strings(context->hcontext, cf, "ekus", NULL);
+ if (ekus) {
+ size_t i;
+
+ for (i = 0; ret == 0 && ekus[i]; i++) {
+ heim_oid oid = { 0, 0 };
+
+ if ((ret = der_find_or_parse_heim_oid(ekus[i], ".", &oid)) == 0)
+ ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
+ der_free_oid(&oid);
+ }
+ heim_config_free_strings(ekus);
+ }
+
+ /*
+ * XXX A KeyUsage template would be nice, but it needs some smarts to
+ * remove, e.g., encipherOnly, decipherOnly, keyEncipherment, if the SPKI
+ * algorithm does not support encryption. The same logic should be added
+ * to hx509_ca_tbs_set_template()'s HX509_CA_TEMPLATE_KU functionality.
+ */
+ return ret;
+}
+
+/*
+ * Find and set a certificate template, set "variables" in `env', and add add
+ * default SANs/EKUs as appropriate.
+ *
+ * TODO:
+ * - lookup a template for the client principal in its HDB entry
+ * - lookup subjectName, SANs for a principal in its HDB entry
+ * - lookup a host-based client principal's HDB entry and add its canonical
+ * name / aliases as dNSName SANs
+ * (this would have to be if requested by the client, perhaps)
+ */
+static heim_error_code
+set_tbs(hx509_context context,
+ heim_log_facility *logf,
+ const heim_config_binding *cf,
+ hx509_request req,
+ KRB5PrincipalName *cprinc,
+ hx509_env *env,
+ hx509_ca_tbs tbs)
+{
+ KRB5PrincipalName cprinc_no_realm = *cprinc;
+ heim_error_code ret;
+ unsigned int ncomp = princ_num_comp(cprinc);
+ const char *realm = princ_realm(cprinc);
+ const char *comp0 = princ_get_comp_string(cprinc, 0);
+ const char *comp1 = princ_get_comp_string(cprinc, 1);
+ const char *comp2 = princ_get_comp_string(cprinc, 2);
+ struct rk_strpool *strpool;
+ char *princ_no_realm = NULL;
+ char *princ = NULL;
+
+ strpool = _hx509_unparse_kerberos_name(NULL, cprinc);
+ if (strpool)
+ princ = rk_strpoolcollect(strpool);
+ cprinc_no_realm.realm = NULL;
+ strpool = _hx509_unparse_kerberos_name(NULL, &cprinc_no_realm);
+ if (strpool)
+ princ_no_realm = rk_strpoolcollect(strpool);
+ if (princ == NULL || princ_no_realm == NULL) {
+ free(princ);
+ return hx509_enomem(context);
+ }
+ strpool = NULL;
+ ret = hx509_env_add(context, env, "principal-name-without-realm",
+ princ_no_realm);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-name", princ);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-name-realm",
+ realm);
+
+ /* Populate requested certificate extensions from CSR/CSRPlus if allowed */
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_from_csr(context, tbs, req);
+ if (ret == 0)
+ ret = set_template(context, logf, cf, tbs);
+
+ /*
+ * Optionally add PKINIT SAN.
+ *
+ * Adding an id-pkinit-san means the client can use the certificate to
+ * initiate PKINIT. That might seem odd, but it enables a sort of PKIX
+ * credential delegation by allowing forwarded Kerberos tickets to be
+ * used to acquire PKIX credentials. Thus this can work:
+ *
+ * PKIX (w/ HW token) -> Kerberos ->
+ * PKIX (w/ softtoken) -> Kerberos ->
+ * PKIX (w/ softtoken) -> Kerberos ->
+ * ...
+ *
+ * Note that we may not have added the PKINIT EKU -- that depends on the
+ * template, and host-based service templates might well not include it.
+ */
+ if (ret == 0 && !has_sans(req) &&
+ heim_config_get_bool_default(context->hcontext, cf, FALSE,
+ "include_pkinit_san", NULL)) {
+ ret = hx509_ca_tbs_add_san_pkinit(context, tbs, princ);
+ }
+
+ if (ret)
+ goto out;
+
+ if (ncomp == 1) {
+ const char *email_domain;
+
+ ret = hx509_env_add(context, env, "principal-component0",
+ princ_no_realm);
+
+ /*
+ * If configured, include an rfc822Name that's just the client's
+ * principal name sans realm @ configured email domain.
+ */
+ if (ret == 0 && !has_sans(req) &&
+ (email_domain = heim_config_get_string(context->hcontext, cf,
+ "email_domain", NULL))) {
+ char *email;
+
+ if (asprintf(&email, "%s@%s", princ_no_realm, email_domain) == -1 ||
+ email == NULL)
+ goto enomem;
+ ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email);
+ free(email);
+ }
+ } else if (ncomp == 2 || ncomp == 3) {
+ /*
+ * 2- and 3-component principal name.
+ *
+ * We do not have a reliable name-type indicator. If the second
+ * component has a '.' in it then we'll assume that the name is a
+ * host-based (2-component) or domain-based (3-component) service
+ * principal name. Else we'll assume it's a two-component admin-style
+ * username.
+ */
+
+ ret = hx509_env_add(context, env, "principal-component0", comp0);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-component1", comp1);
+ if (ret == 0 && ncomp == 3)
+ ret = hx509_env_add(context, env, "principal-component2", comp2);
+ if (ret == 0 && strchr(comp1, '.')) {
+ /* Looks like host-based or domain-based service */
+ ret = hx509_env_add(context, env, "principal-service-name", comp0);
+ if (ret == 0)
+ ret = hx509_env_add(context, env, "principal-host-name",
+ comp1);
+ if (ret == 0 && ncomp == 3)
+ ret = hx509_env_add(context, env, "principal-domain-name",
+ comp2);
+ if (ret == 0 && !has_sans(req) &&
+ heim_config_get_bool_default(context->hcontext, cf, FALSE,
+ "include_dnsname_san", NULL)) {
+ ret = hx509_ca_tbs_add_san_hostname(context, tbs, comp1);
+ }
+ }
+ } else {
+ heim_log_msg(context->hcontext, logf, 5, NULL,
+ "kx509/bx509 client %s has too many components!", princ);
+ hx509_set_error_string(context, 0, ret = EACCES,
+ "kx509/bx509 client %s has too many "
+ "components!", princ);
+ }
+
+out:
+ if (ret == ENOMEM)
+ goto enomem;
+ free(princ_no_realm);
+ free(princ);
+ return ret;
+
+enomem:
+ heim_log_msg(context->hcontext, logf, 0, NULL,
+ "Could not set up TBSCertificate: Out of memory");
+ ret = hx509_enomem(context);
+ goto out;
+}
+
+/*
+ * Set the notBefore/notAfter for the certificate to be issued.
+ *
+ * Here `starttime' is the supplicant's credentials' notBefore equivalent,
+ * while `endtime' is the supplicant's credentials' notAfter equivalent.
+ *
+ * `req_life' is the lifetime requested by the supplicant.
+ *
+ * `endtime' must be larger than the current time.
+ *
+ * `starttime' can be zero or negative, in which case the notBefore will be the
+ * current time minus five minutes.
+ *
+ * `endtime', `req_life' and configuration parameters will be used to compute
+ * the actual notAfter.
+ */
+static heim_error_code
+tbs_set_times(hx509_context context,
+ const heim_config_binding *cf,
+ heim_log_facility *logf,
+ time_t starttime,
+ time_t endtime,
+ time_t req_life,
+ hx509_ca_tbs tbs)
+{
+ time_t now = time(NULL);
+ time_t force = heim_config_get_time_default(context->hcontext,
+ cf, 5 * 24 * 3600,
+ "force_cert_lifetime", NULL);
+ time_t clamp = heim_config_get_time_default(context->hcontext, cf, 0,
+ "max_cert_lifetime", NULL);
+ int allow_more = heim_config_get_bool_default(context->hcontext, cf, FALSE,
+ "allow_extra_lifetime",
+ NULL);
+ starttime = starttime > 0 ? starttime : now - 5 * 60;
+
+ if (endtime < now) {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "Endtime is in the past");
+ hx509_set_error_string(context, 0, ERANGE, "Endtime is in the past");
+ return ERANGE;
+ }
+
+ /* Apply requested lifetime if shorter or if allowed more */
+ if (req_life > 0 && req_life <= endtime - now)
+ endtime = now + req_life;
+ else if (req_life > 0 && allow_more)
+ endtime = now + req_life;
+
+ /* Apply floor */
+ if (force > 0 && force > endtime - now)
+ endtime = now + force;
+
+ /* Apply ceiling */
+ if (clamp > 0 && clamp < endtime - now)
+ endtime = now + clamp;
+
+ hx509_ca_tbs_set_notAfter(context, tbs, endtime);
+ hx509_ca_tbs_set_notBefore(context, tbs, starttime);
+ return 0;
+}
+
+/*
+ * Build a certifate for `principal' and its CSR.
+ *
+ * XXX Make `cprinc' a GeneralName! That's why this is private for now.
+ */
+heim_error_code
+_hx509_ca_issue_certificate(hx509_context context,
+ const heim_config_binding *cf,
+ heim_log_facility *logf,
+ hx509_request req,
+ KRB5PrincipalName *cprinc,
+ time_t starttime,
+ time_t endtime,
+ time_t req_life,
+ int send_chain,
+ hx509_certs *out)
+{
+ heim_error_code ret;
+ const char *ca;
+ hx509_ca_tbs tbs = NULL;
+ hx509_certs chain = NULL;
+ hx509_cert signer = NULL;
+ hx509_cert cert = NULL;
+ hx509_env env = NULL;
+ KeyUsage ku;
+
+ *out = NULL;
+ /* Force KU */
+ ku = int2KeyUsage(0);
+ ku.digitalSignature = 1;
+ hx509_request_authorize_ku(req, ku);
+
+ ret = get_cf(context, cf, logf, req, cprinc, &cf);
+ if (ret)
+ return ret;
+
+ if ((ca = heim_config_get_string(context->hcontext, cf,
+ "ca", NULL)) == NULL) {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "No kx509 CA issuer credential specified");
+ hx509_set_error_string(context, 0, ret = EACCES,
+ "No kx509 CA issuer credential specified");
+ return ret;
+ }
+
+ ret = hx509_ca_tbs_init(context, &tbs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 0, NULL,
+ "Failed to create certificate: Out of memory");
+ return ret;
+ }
+
+ /* Lookup a template and set things in `env' and `tbs' as appropriate */
+ if (ret == 0)
+ ret = set_tbs(context, logf, cf, req, cprinc, &env, tbs);
+
+ /* Populate generic template "env" variables */
+
+ /*
+ * The `tbs' and `env' are now complete as to naming and EKUs.
+ *
+ * We check that the `tbs' is not name-less, after which all remaining
+ * failures here will not be policy failures. So we also log the intent to
+ * issue a certificate now.
+ */
+ if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
+ !has_sans(req)) {
+ heim_log_msg(context->hcontext, logf, 3, NULL,
+ "Not issuing certificate because it would have no names");
+ hx509_set_error_string(context, 0, ret = EACCES,
+ "Not issuing certificate because it "
+ "would have no names");
+ }
+ if (ret)
+ goto out;
+
+ /*
+ * Still to be done below:
+ *
+ * - set certificate spki
+ * - set certificate validity
+ * - expand variables in certificate subject name template
+ * - sign certificate
+ * - encode certificate and chain
+ */
+
+ /* Load the issuer certificate and private key */
+ {
+ hx509_certs certs;
+ hx509_query *q;
+
+ ret = hx509_certs_init(context, ca, 0, NULL, &certs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 1, NULL,
+ "Failed to load CA certificate and private key %s",
+ ca);
+ hx509_set_error_string(context, 0, ret, "Failed to load "
+ "CA certificate and private key %s", ca);
+ goto out;
+ }
+ ret = hx509_query_alloc(context, &q);
+ if (ret) {
+ hx509_certs_free(&certs);
+ goto out;
+ }
+
+ hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+ hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
+
+ ret = hx509_certs_find(context, certs, q, &signer);
+ hx509_query_free(context, q);
+ hx509_certs_free(&certs);
+ if (ret) {
+ heim_log_msg(context->hcontext, logf, 1, NULL,
+ "Failed to find a CA certificate in %s", ca);
+ hx509_set_error_string(context, 0, ret,
+ "Failed to find a CA certificate in %s",
+ ca);
+ goto out;
+ }
+ }
+
+ /* Populate the subject public key in the TBS context */
+ {
+ SubjectPublicKeyInfo spki;
+
+ ret = hx509_request_get_SubjectPublicKeyInfo(context,
+ req, &spki);
+ if (ret == 0)
+ ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
+ free_SubjectPublicKeyInfo(&spki);
+ if (ret)
+ goto out;
+ }
+
+ /* Work out cert expiration */
+ if (ret == 0)
+ ret = tbs_set_times(context, cf, logf, starttime, endtime, req_life,
+ tbs);
+
+ /* Expand the subjectName template in the TBS using the env */
+ if (ret == 0)
+ ret = hx509_ca_tbs_subject_expand(context, tbs, env);
+ hx509_env_free(&env);
+
+ /* All done with the TBS, sign/issue the certificate */
+ if (ret == 0)
+ ret = hx509_ca_sign(context, tbs, signer, &cert);
+
+ /*
+ * Gather the certificate and chain into a MEMORY store, being careful not
+ * to include private keys in the chain.
+ *
+ * We could have specified a separate configuration parameter for an hx509
+ * store meant to have only the chain and no private keys, but expecting
+ * the full chain in the issuer credential store and copying only the certs
+ * (but not the private keys) is safer and easier to configure.
+ */
+ if (ret == 0)
+ ret = hx509_certs_init(context, "MEMORY:certs",
+ HX509_CERTS_NO_PRIVATE_KEYS, NULL, out);
+ if (ret == 0)
+ ret = hx509_certs_add(context, *out, cert);
+ if (ret == 0 && send_chain) {
+ ret = hx509_certs_init(context, ca,
+ HX509_CERTS_NO_PRIVATE_KEYS, NULL, &chain);
+ if (ret == 0)
+ ret = hx509_certs_merge(context, *out, chain);
+ }
+
+out:
+ hx509_certs_free(&chain);
+ if (env)
+ hx509_env_free(&env);
+ if (tbs)
+ hx509_ca_tbs_free(&tbs);
+ if (cert)
+ hx509_cert_free(cert);
+ if (signer)
+ hx509_cert_free(signer);
+ if (ret)
+ hx509_certs_free(out);
+ return ret;
+}
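Review bot: `get_cf()` returns success for an unsupported request: in the condition at L4462-4463, when `count_sans()` succeeds and `characterize()` yields `CERT_NOTSUP`, `ret` is still 0, so the error string at L4466 is set with code 0 and `return ret` hands back 0 with `*out == NULL`. The caller at L4875-4880 then looks up `"ca"` in a NULL binding, so whether this fails closed depends entirely on `heim_config_get_string()` tolerating NULL (not visible here) rather than on the policy check itself; a policy-decision function should fail explicitly. Separately, in `set_tbs()` at L4663-4666 the early return frees `princ` but not `princ_no_realm`, leaking it when only `princ` was NULL — `free(princ_no_realm);` belongs there too.
```c
if ((ret = count_sans(req, &nsans)) == 0 &&
    (certtype = characterize(context, cprinc, req)) == CERT_NOTSUP)
    ret = ENOTSUP;
if (ret) {
    heim_log_msg(context->hcontext, logf, 5, NULL,
                 "Could not characterize CSR");
    hx509_set_error_string(context, 0, ret, "Could not characterize CSR");
    return ret;
}
/* … unchanged: label selection and heim_config_get_list() lookup … */
```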
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index dcd467c56f9a..e7e2423c54dc 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -102,6 +102,44 @@ init_context_once(void *ignored)
}
/**
+ * Return a cookie identifying this instance of a library.
+ *
+ * Inputs:
+ *
+ * @context A krb5_context
+ * @module Our library name or a library we depend on
+ *
+ * Outputs: The instance cookie
+ *
+ * @ingroup krb5_support
+ */
+
+HX509_LIB_FUNCTION uintptr_t HX509_LIB_CALL
+hx509_get_instance(const char *libname)
+{
+ static const char *instance = "libhx509";
+
+ if (strcmp(libname, "hx509") == 0)
+ return (uintptr_t)instance;
+
+ return 0;
+}
+
+#ifndef PATH_SEP
+# define PATH_SEP ":"
+#endif
+static const char *hx509_config_file =
+"~/.hx509/config" PATH_SEP
+SYSCONFDIR "/hx509.conf" PATH_SEP
+#ifdef _WIN32
+"%{COMMON_APPDATA}/Heimdal/hx509.conf" PATH_SEP
+"%{WINDOWS}/hx509.ini"
+#else /* _WIN32 */
+"/etc/hx509.conf"
+#endif /* _WIN32 */
+;
+
+/**
* Creates a hx509 context that most functions in the library
* uses. The context is only allowed to be used by one thread at each
* moment. Free the context with hx509_context_free().
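Review bot: The doxygen for `hx509_get_instance` (L5034-5044) does not describe the function it sits on: it lists `@context A krb5_context` and `@module`, and files under `@ingroup krb5_support`, while the signature at L5047 is `hx509_get_instance(const char *libname)` with no context at all — evidently copied from libkrb5. Suggest `@param libname Library name; only "hx509" is recognised`, `@return A cookie identifying this instance of libhx509, or 0 for an unknown name`, and `@ingroup hx509`. One caveat to confirm rather than a defect: the default search path at L5060-5069 starts with `~/.hx509/config` and is overridable via `HX509_CONFIG` (L5110), and that configuration now feeds `ocsp_time_diff` and trust-anchor selection (L5131-5141); whether `heim_get_default_config_files()` skips the home-directory file and the environment variable for set-uid processes is not visible here and is worth checking, since libhx509 can be loaded into privileged programs.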
@@ -113,38 +151,90 @@ init_context_once(void *ignored)
* @ingroup hx509
*/
-int
-hx509_context_init(hx509_context *context)
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_context_init(hx509_context *contextp)
{
static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
-
- *context = calloc(1, sizeof(**context));
- if (*context == NULL)
+ heim_error_code ret;
+ hx509_context context;
+ const char *anchors;
+ char **files = NULL;
+
+ *contextp = NULL;
+ context = calloc(1, sizeof(*context));
+ if (context == NULL)
return ENOMEM;
heim_base_once_f(&init_context, NULL, init_context_once);
- _hx509_ks_null_register(*context);
- _hx509_ks_mem_register(*context);
- _hx509_ks_file_register(*context);
- _hx509_ks_pkcs12_register(*context);
- _hx509_ks_pkcs11_register(*context);
- _hx509_ks_dir_register(*context);
- _hx509_ks_keychain_register(*context);
+ if ((context->hcontext = heim_context_init()) == NULL) {
+ free(context);
+ return ENOMEM;
+ }
- (*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF;
+ if ((ret = heim_get_default_config_files(hx509_config_file,
+ "HX509_CONFIG",
+ &files))) {
+ heim_context_free(&context->hcontext);
+ free(context);
+ return ret;
+ }
+
+ /* If there's no hx509 config, we continue, as we never needed it before */
+ if (files)
+ (void) heim_set_config_files(context->hcontext, files, &context->cf);
+ heim_free_config_files(files);
+
+ _hx509_ks_null_register(context);
+ _hx509_ks_mem_register(context);
+ _hx509_ks_file_register(context);
+ _hx509_ks_pkcs12_register(context);
+ _hx509_ks_pkcs11_register(context);
+ _hx509_ks_dir_register(context);
+ _hx509_ks_keychain_register(context);
- initialize_hx_error_table_r(&(*context)->et_list);
- initialize_asn1_error_table_r(&(*context)->et_list);
+ context->ocsp_time_diff =
+ heim_config_get_time_default(context->hcontext, context->cf,
+ HX509_DEFAULT_OCSP_TIME_DIFF,
+ "libdefaults", "ocsp_time_dif", NULL);
+
+ initialize_hx_error_table_r(&context->et_list);
+ initialize_asn1_error_table_r(&context->et_list);
#ifdef HX509_DEFAULT_ANCHORS
- (void)hx509_certs_init(*context, HX509_DEFAULT_ANCHORS, 0,
- NULL, &(*context)->default_trust_anchors);
+ anchors = heim_config_get_string_default(context->hcontext, context->cf,
+ HX509_DEFAULT_ANCHORS,
+ "libdefaults", "anchors", NULL);
+#else
+ anchors = heim_config_get_string(context->hcontext, context->cf,
+ "libdefaults", "anchors", NULL);
#endif
+ if (anchors)
+ (void)hx509_certs_init(context, anchors, 0, NULL,
+ &context->default_trust_anchors);
+ *contextp = context;
return 0;
}
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_set_log_dest(hx509_context context, heim_log_facility *fac)
+{
+ return heim_set_log_dest(context->hcontext, fac);
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_set_debug_dest(hx509_context context, heim_log_facility *fac)
+{
+ return heim_set_debug_dest(context->hcontext, fac);
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_set_warn_dest(hx509_context context, heim_log_facility *fac)
+{
+ return heim_set_warn_dest(context->hcontext, fac);
+}
+
/**
* Selects if the hx509_revoke_verify() function is going to require
* the existans of a revokation method (OCSP, CRL) or not. Note that
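Review bot: The configuration key looked up for the OCSP clock-skew tolerance is spelled `"ocsp_time_dif"` while the struct member, the default macro and the natural name are all `ocsp_time_diff`; unless that short spelling is the documented key, an administrator's `ocsp_time_diff = ...` in hx509.conf is silently ignored and the compiled-in default is used. Change the lookup to `"libdefaults", "ocsp_time_diff", NULL` (or accept both spellings if the short one has already shipped). Also, the `(void)hx509_certs_init(context, anchors, ...)` now loads an anchor store named in the config file and fails silently, so a typo in that path leaves `default_trust_anchors` NULL with no diagnostic; at minimum a warning through the context's log facility would be appropriate since the effect is that verification with default anchors quietly fails.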
@@ -158,7 +248,7 @@ hx509_context_init(hx509_context *context)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_context_set_missing_revoke(hx509_context context, int flag)
{
if (flag)
@@ -175,9 +265,12 @@ hx509_context_set_missing_revoke(hx509_context context, int flag)
* @ingroup hx509
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_context_free(hx509_context *context)
{
+ if (!*context)
+ return;
+
hx509_clear_error_string(*context);
if ((*context)->ks_ops) {
free((*context)->ks_ops);
@@ -187,6 +280,9 @@ hx509_context_free(hx509_context *context)
free_error_table ((*context)->et_list);
if ((*context)->querystat)
free((*context)->querystat);
+ hx509_certs_free(&(*context)->default_trust_anchors);
+ heim_config_file_free((*context)->hcontext, (*context)->cf);
+ heim_context_free(&(*context)->hcontext);
memset(*context, 0, sizeof(**context));
free(*context);
*context = NULL;
@@ -196,7 +292,7 @@ hx509_context_free(hx509_context *context)
*
*/
-Certificate *
+HX509_LIB_FUNCTION Certificate * HX509_LIB_CALL
_hx509_get_cert(hx509_cert cert)
{
return cert->data;
@@ -206,12 +302,35 @@ _hx509_get_cert(hx509_cert cert)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_get_version(const Certificate *t)
{
return t->tbsCertificate.version ? *t->tbsCertificate.version + 1 : 1;
}
+static hx509_cert
+cert_init(hx509_context context, heim_error_t *error)
+{
+ hx509_cert cert;
+
+ cert = malloc(sizeof(*cert));
+ if (cert == NULL) {
+ if (error)
+ *error = heim_error_create_enomem();
+ return NULL;
+ }
+ cert->ref = 1;
+ cert->friendlyname = NULL;
+ cert->attrs.len = 0;
+ cert->attrs.val = NULL;
+ cert->private_key = NULL;
+ cert->basename = NULL;
+ cert->release = NULL;
+ cert->ctx = NULL;
+ cert->data= NULL;
+ return cert;
+}
+
/**
* Allocate and init an hx509 certificate object from the decoded
* certificate `c´.
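Review bot: `cert_init` allocates with `malloc` and then zeroes eight members by hand, so any member later added to `struct hx509_cert_data` starts out uninitialized; `cert = calloc(1, sizeof(*cert));` followed by `cert->ref = 1;` produces the same object and stays correct as the struct grows. The `context` parameter is unused in the visible body; if it is kept for symmetry with `hx509_cert_init`, a one-line comment saying so would save the next reader from hunting for a use.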
@@ -225,26 +344,14 @@ _hx509_cert_get_version(const Certificate *t)
* @ingroup hx509_cert
*/
-hx509_cert
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error)
{
hx509_cert cert;
int ret;
- cert = malloc(sizeof(*cert));
- if (cert == NULL) {
- if (error)
- *error = heim_error_create_enomem();
- return NULL;
- }
- cert->ref = 1;
- cert->friendlyname = NULL;
- cert->attrs.len = 0;
- cert->attrs.val = NULL;
- cert->private_key = NULL;
- cert->basename = NULL;
- cert->release = NULL;
- cert->ctx = NULL;
+ if ((cert = cert_init(context, error)) == NULL)
+ return NULL;
cert->data = calloc(1, sizeof(*(cert->data)));
if (cert->data == NULL) {
@@ -263,6 +370,51 @@ hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error
}
/**
+ * Copy a certificate object, but drop any private key assignment.
+ *
+ * @param context A hx509 context.
+ * @param src Certificate object
+ * @param error
+ *
+ * @return Returns an hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
+
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
+hx509_cert_copy_no_private_key(hx509_context context,
+ hx509_cert src,
+ heim_error_t *error)
+{
+ return hx509_cert_init(context, src->data, error);
+}
+
+/**
+ * Allocate and init an hx509 certificate object containing only a private key
+ * (but no Certificate).
+ *
+ * @param context A hx509 context.
+ * @param key
+ * @param error
+ *
+ * @return Returns an hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
+
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
+hx509_cert_init_private_key(hx509_context context,
+ hx509_private_key key,
+ heim_error_t *error)
+{
+ hx509_cert cert;
+
+ if ((cert = cert_init(context, error)))
+ (void) _hx509_cert_assign_key(cert, key);
+ return cert;
+}
+
+/**
* Just like hx509_cert_init(), but instead of a decode certificate
* takes an pointer and length to a memory region that contains a
* DER/BER encoded certificate.
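Review bot: `hx509_cert_copy_no_private_key` passes `src->data` straight into `hx509_cert_init`, but this same change introduces private-key-only objects (`hx509_cert_init_private_key` leaves `data == NULL`), and `hx509_cert_init` presumably copies the Certificate it is given, so copying such an object dereferences NULL. Guard it with `if (src->data == NULL) { if (error) *error = heim_error_create(EINVAL, "no certificate to copy"); return NULL; }` or document that callers must check `hx509_cert_have_private_key_only()` first. The doc comment should also say that the copy drops the friendly name and attributes, not only the private key, since a fresh object is built from the Certificate alone. In `hx509_cert_init_private_key` the return value of `_hx509_cert_assign_key` is discarded; if that call can fail, the caller receives an object with no key and no error.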
@@ -281,7 +433,7 @@ hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error
* @ingroup hx509_cert
*/
-hx509_cert
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
hx509_cert_init_data(hx509_context context,
const void *ptr,
size_t len,
@@ -296,6 +448,7 @@ hx509_cert_init_data(hx509_context context,
if (ret) {
if (error)
*error = heim_error_create(ret, "Failed to decode certificate");
+ errno = ret;
return NULL;
}
if (size != len) {
@@ -303,6 +456,7 @@ hx509_cert_init_data(hx509_context context,
if (error)
*error = heim_error_create(HX509_EXTRA_DATA_AFTER_STRUCTURE,
"Extra data after certificate");
+ errno = HX509_EXTRA_DATA_AFTER_STRUCTURE;
return NULL;
}
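Review bot: `errno` is being set to com_err codes here (`HX509_EXTRA_DATA_AFTER_STRUCTURE`, and the ASN.1 decoder's `ret` in the hunk above), which are not errno values; a caller that falls back to `strerror(errno)` or compares against E* constants after a NULL return will be misled, and any libc call made before the caller reads it can overwrite it anyway. If the intent is to give callers that pass `error == NULL` some way to learn why decoding failed, document that `errno` carries an hx509/asn1 error code to be decoded via the com_err tables rather than `strerror()`, or set it only when `error == NULL` so the two channels do not disagree.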
@@ -311,7 +465,7 @@ hx509_cert_init_data(hx509_context context,
return cert;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_cert_set_release(hx509_cert cert,
_hx509_cert_release_func release,
void *ctx)
@@ -323,7 +477,7 @@ _hx509_cert_set_release(hx509_cert cert,
/* Doesn't make a copy of `private_key'. */
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
{
if (cert->private_key)
@@ -341,7 +495,7 @@ _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_cert_free(hx509_cert cert)
{
size_t i;
@@ -360,7 +514,8 @@ hx509_cert_free(hx509_cert cert)
if (cert->private_key)
hx509_private_key_free(&cert->private_key);
- free_Certificate(cert->data);
+ if (cert->data)
+ free_Certificate(cert->data);
free(cert->data);
for (i = 0; i < cert->attrs.len; i++) {
@@ -386,7 +541,7 @@ hx509_cert_free(hx509_cert cert)
* @ingroup hx509_cert
*/
-hx509_cert
+HX509_LIB_FUNCTION hx509_cert HX509_LIB_CALL
hx509_cert_ref(hx509_cert cert)
{
if (cert == NULL)
@@ -411,7 +566,7 @@ hx509_cert_ref(hx509_cert cert)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_init_ctx(hx509_context context, hx509_verify_ctx *ctx)
{
hx509_verify_ctx c;
@@ -435,7 +590,7 @@ hx509_verify_init_ctx(hx509_context context, hx509_verify_ctx *ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_destroy_ctx(hx509_verify_ctx ctx)
{
if (ctx) {
@@ -458,7 +613,7 @@ hx509_verify_destroy_ctx(hx509_verify_ctx ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_attach_anchors(hx509_verify_ctx ctx, hx509_certs set)
{
if (ctx->trust_anchors)
@@ -479,7 +634,7 @@ hx509_verify_attach_anchors(hx509_verify_ctx ctx, hx509_certs set)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_attach_revoke(hx509_verify_ctx ctx, hx509_revoke_ctx revoke_ctx)
{
if (ctx->revoke_ctx)
@@ -499,14 +654,14 @@ hx509_verify_attach_revoke(hx509_verify_ctx ctx, hx509_revoke_ctx revoke_ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_time(hx509_verify_ctx ctx, time_t t)
{
ctx->flags |= HX509_VERIFY_CTX_F_TIME_SET;
ctx->time_now = t;
}
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
_hx509_verify_get_time(hx509_verify_ctx ctx)
{
return ctx->time_now;
@@ -523,7 +678,7 @@ _hx509_verify_get_time(hx509_verify_ctx ctx)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_max_depth(hx509_verify_ctx ctx, unsigned int max_depth)
{
ctx->max_depth = max_depth;
@@ -538,7 +693,7 @@ hx509_verify_set_max_depth(hx509_verify_ctx ctx, unsigned int max_depth)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
@@ -558,7 +713,7 @@ hx509_verify_set_proxy_certificate(hx509_verify_ctx ctx, int boolean)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
@@ -581,7 +736,7 @@ hx509_verify_set_strict_rfc3280_verification(hx509_verify_ctx ctx, int boolean)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
{
if (boolean)
@@ -590,7 +745,7 @@ hx509_verify_ctx_f_allow_default_trustanchors(hx509_verify_ctx ctx, int boolean)
ctx->flags |= HX509_VERIFY_CTX_F_NO_DEFAULT_ANCHORS;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx,
int boolean)
{
@@ -634,7 +789,7 @@ find_extension_auth_key_id(const Certificate *subject,
ai, &size);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_find_extension_subject_key_id(const Certificate *issuer,
SubjectKeyIdentifier *si)
{
@@ -734,13 +889,16 @@ add_to_list(hx509_octet_string_list *list, const heim_octet_string *entry)
* @ingroup hx509_misc
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_free_octet_string_list(hx509_octet_string_list *list)
{
size_t i;
- for (i = 0; i < list->len; i++)
- der_free_octet_string(&list->val[i]);
- free(list->val);
+
+ if (list->val) {
+ for (i = 0; i < list->len; i++)
+ der_free_octet_string(&list->val[i]);
+ free(list->val);
+ }
list->val = NULL;
list->len = 0;
}
@@ -762,7 +920,7 @@ hx509_free_octet_string_list(hx509_octet_string_list *list)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_find_subjectAltName_otherName(hx509_context context,
hx509_cert cert,
const heim_oid *oid,
@@ -816,7 +974,7 @@ check_key_usage(hx509_context context, const Certificate *cert,
size_t size;
int ret;
size_t i = 0;
- unsigned ku_flags;
+ uint64_t ku_flags;
if (_hx509_cert_get_version(cert) < 3)
return 0;
@@ -826,7 +984,7 @@ check_key_usage(hx509_context context, const Certificate *cert,
if (req_present) {
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Required extension key "
- "usage missing from certifiate");
+ "usage missing from certificate");
return HX509_KU_CERT_MISSING;
}
return 0;
@@ -837,14 +995,16 @@ check_key_usage(hx509_context context, const Certificate *cert,
return ret;
ku_flags = KeyUsage2int(ku);
if ((ku_flags & flags) != flags) {
- unsigned missing = (~ku_flags) & flags;
+ uint64_t missing = (~ku_flags) & flags;
char buf[256], *name;
- unparse_flags(missing, asn1_KeyUsage_units(), buf, sizeof(buf));
+ int result = unparse_flags(missing, asn1_KeyUsage_units(),
+ buf, sizeof(buf));
_hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Key usage %s required but missing "
- "from certifiate %s", buf,
+ "from certificate %s",
+ (result > 0) ? buf : "<unknown>",
name ? name : "<unknown>");
free(name);
return HX509_KU_CERT_MISSING;
@@ -854,11 +1014,11 @@ check_key_usage(hx509_context context, const Certificate *cert,
/*
* Return 0 on matching key usage 'flags' for 'cert', otherwise return
- * an error code. If 'req_present' the existance is required of the
+ * an error code. If 'req_present' the existence is required of the
* KeyUsage extension.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_check_key_usage(hx509_context context, hx509_cert cert,
unsigned flags, int req_present)
{
@@ -906,14 +1066,14 @@ check_basic_constraints(hx509_context context, const Certificate *cert,
return ret;
switch(type) {
case PROXY_CERT:
- if (bc.cA != NULL && *bc.cA)
+ if (bc.cA)
ret = HX509_PARENT_IS_CA;
break;
case EE_CERT:
ret = 0;
break;
case CA_CERT:
- if (bc.cA == NULL || !*bc.cA)
+ if (!bc.cA)
ret = HX509_PARENT_NOT_CA;
else if (bc.pathLenConstraint)
if (depth - 1 > *bc.pathLenConstraint)
@@ -924,7 +1084,7 @@ check_basic_constraints(hx509_context context, const Certificate *cert,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_is_parent_cmp(const Certificate *subject,
const Certificate *issuer,
int allow_self_signed)
@@ -1047,12 +1207,71 @@ certificate_is_self_signed(hx509_context context,
if (ret) {
hx509_set_error_string(context, 0, ret,
"Failed to check if self signed");
- } else
+ } else if (diff == 0)
ret = _hx509_self_signed_valid(context, &cert->signatureAlgorithm);
return ret;
}
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_self_signed(hx509_context context,
+ hx509_cert c,
+ int *self_signed)
+{
+ return certificate_is_self_signed(context, c->data, self_signed);
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_ca(hx509_context context,
+ hx509_cert c,
+ int *is_ca)
+{
+ BasicConstraints bc;
+ const Extension *e;
+ size_t size;
+ size_t i = 0;
+ int ret = 0;
+
+ *is_ca = 0;
+ if (_hx509_cert_get_version(c->data) < 3)
+ return certificate_is_self_signed(context, c->data, is_ca);
+
+ e = find_extension(c->data, &asn1_oid_id_x509_ce_basicConstraints, &i);
+ if (e == NULL) {
+ *is_ca = 0;
+ return 0;
+ }
+
+ ret = decode_BasicConstraints(e->extnValue.data,
+ e->extnValue.length, &bc,
+ &size);
+ if (ret)
+ return ret;
+
+ *is_ca = bc.cA;
+ free_BasicConstraints(&bc);
+ return 0;
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_root(hx509_context context,
+ hx509_cert c,
+ int *is_root)
+{
+ int ret;
+
+ *is_root = 0;
+ ret = hx509_cert_is_ca(context, c, is_root);
+ if (ret)
+ return ret;
+ if (*is_root == 0)
+ /* Not a CA certificate -> not a root certificate */
+ return 0;
+
+ /* A CA certificate. If it's self-signed, it's a root certificate. */
+ return hx509_cert_is_self_signed(context, c, is_root);
+}
+
/*
* The subjectName is "null" when it's empty set of relative DBs.
*/
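Review bot: `hx509_cert_is_ca` reports a version 1 or 2 certificate as a CA whenever it is self-signed, which is a heuristic rather than anything the certificate asserts (RFC 5280 §6.1.4 leaves v1/v2 CA status to out-of-band verification), and for v3 it consults only `basicConstraints.cA`, ignoring keyCertSign and the extension's criticality; none of the three new exported functions carries a doc comment saying any of this. Add doxygen blocks making clear these are structural classifications, not trust decisions, e.g. `/* True if the cert claims CA status (basicConstraints.cA, or self-signed for v1/v2); does not imply the cert is trusted, valid or a permitted issuer. */`. `hx509_cert_is_root` likewise should state that "root" here means a self-signed CA certificate and not a configured trust anchor, so callers do not use it in place of `hx509_verify_path`.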
@@ -1203,7 +1422,7 @@ is_proxy_cert(hx509_context context,
* internal so we can do easy searches.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_path_append(hx509_context context, hx509_path *path, hx509_cert cert)
{
hx509_cert *val;
@@ -1220,7 +1439,7 @@ _hx509_path_append(hx509_context context, hx509_path *path, hx509_cert cert)
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_path_free(hx509_path *path)
{
unsigned i;
@@ -1249,7 +1468,7 @@ _hx509_path_free(hx509_path *path)
* failure.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_calculate_path(hx509_context context,
int flags,
time_t time_now,
@@ -1305,7 +1524,7 @@ _hx509_calculate_path(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_AlgorithmIdentifier_cmp(const AlgorithmIdentifier *p,
const AlgorithmIdentifier *q)
{
@@ -1327,7 +1546,7 @@ _hx509_AlgorithmIdentifier_cmp(const AlgorithmIdentifier *p,
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_Certificate_cmp(const Certificate *p, const Certificate *q)
{
int diff;
@@ -1355,7 +1574,7 @@ _hx509_Certificate_cmp(const Certificate *p, const Certificate *q)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_cmp(hx509_cert p, hx509_cert q)
{
return _hx509_Certificate_cmp(p->data, q->data);
@@ -1373,7 +1592,7 @@ hx509_cert_cmp(hx509_cert p, hx509_cert q)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_issuer(hx509_cert p, hx509_name *name)
{
return _hx509_name_from_Name(&p->data->tbsCertificate.issuer, name);
@@ -1391,7 +1610,7 @@ hx509_cert_get_issuer(hx509_cert p, hx509_name *name)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_subject(hx509_cert p, hx509_name *name)
{
return _hx509_name_from_Name(&p->data->tbsCertificate.subject, name);
@@ -1414,7 +1633,7 @@ hx509_cert_get_subject(hx509_cert p, hx509_name *name)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_base_subject(hx509_context context, hx509_cert c,
hx509_name *name)
{
@@ -1423,8 +1642,8 @@ hx509_cert_get_base_subject(hx509_context context, hx509_cert c,
if (is_proxy_cert(context, c->data, NULL) == 0) {
int ret = HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED;
hx509_set_error_string(context, 0, ret,
- "Proxy certificate have not been "
- "canonicalize yet, no base name");
+ "Proxy certificate has not been "
+ "canonicalized yet: no base name");
return ret;
}
return _hx509_name_from_Name(&c->data->tbsCertificate.subject, name);
@@ -1441,7 +1660,7 @@ hx509_cert_get_base_subject(hx509_context context, hx509_cert c,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_serialnumber(hx509_cert p, heim_integer *i)
{
return der_copy_heim_integer(&p->data->tbsCertificate.serialNumber, i);
@@ -1457,7 +1676,7 @@ hx509_cert_get_serialnumber(hx509_cert p, heim_integer *i)
* @ingroup hx509_cert
*/
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
hx509_cert_get_notBefore(hx509_cert p)
{
return _hx509_Time2time_t(&p->data->tbsCertificate.validity.notBefore);
@@ -1473,13 +1692,70 @@ hx509_cert_get_notBefore(hx509_cert p)
* @ingroup hx509_cert
*/
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
hx509_cert_get_notAfter(hx509_cert p)
{
return _hx509_Time2time_t(&p->data->tbsCertificate.validity.notAfter);
}
/**
+ * Get a maximum Kerberos credential lifetime from a Heimdal certificate
+ * extension.
+ *
+ * @param context hx509 context.
+ * @param cert Certificate.
+ * @param bound If larger than zero, return no more than this.
+ *
+ * @return maximum ticket lifetime.
+ */
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
+hx509_cert_get_pkinit_max_life(hx509_context context,
+ hx509_cert cert,
+ time_t bound)
+{
+ HeimPkinitPrincMaxLifeSecs r = 0;
+ size_t sz, i;
+ time_t b, e;
+ int ret;
+
+ for (i = 0; i < cert->data->tbsCertificate.extensions->len; i++) {
+ Extension *ext = &cert->data->tbsCertificate.extensions->val[i];
+
+ if (ext->_ioschoice_extnValue.element !=
+ choice_Extension_iosnumunknown &&
+ ext->_ioschoice_extnValue.element !=
+ choice_Extension_iosnum_id_heim_ce_pkinit_princ_max_life)
+ continue;
+ if (ext->_ioschoice_extnValue.element == choice_Extension_iosnumunknown &&
+ der_heim_oid_cmp(&asn1_oid_id_heim_ce_pkinit_princ_max_life, &ext->extnID))
+ continue;
+ if (ext->_ioschoice_extnValue.u.ext_HeimPkinitPrincMaxLife) {
+ r = *ext->_ioschoice_extnValue.u.ext_HeimPkinitPrincMaxLife;
+ } else {
+ ret = decode_HeimPkinitPrincMaxLifeSecs(ext->extnValue.data,
+ ext->extnValue.length,
+ &r, &sz);
+ /* No need to free_HeimPkinitPrincMaxLifeSecs(); it's an int */
+ if (ret || r < 1)
+ return 0;
+ }
+ if (bound > 0 && r > bound)
+ return bound;
+ return r;
+ }
+ if (hx509_cert_check_eku(context, cert,
+ &asn1_oid_id_heim_eku_pkinit_certlife_is_max_life, 0))
+ return 0;
+ b = hx509_cert_get_notBefore(cert);
+ e = hx509_cert_get_notAfter(cert);
+ if (e > b)
+ r = e - b;
+ if (bound > 0 && r > bound)
+ return bound;
+ return r;
+}
+
+/**
* Get the SubjectPublicKeyInfo structure from the hx509 certificate.
*
* @param context a hx509 context.
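Review bot: `hx509_cert_get_pkinit_max_life` dereferences `cert->data->tbsCertificate.extensions->len` without a NULL check, but `extensions` is OPTIONAL in TBSCertificate and the generated field is a NULL pointer when absent (every v1 certificate, for instance), so the loop header crashes on such input. Guard it: `const Extensions *exts = cert->data->tbsCertificate.extensions;` then `for (i = 0; exts && i < exts->len; i++)` indexing `exts->val[i]`; the fallback below the loop then derives the lifetime from notBefore/notAfter as intended. The function is also missing from the doc comment the fact that a decode failure or a non-positive encoded value returns 0 rather than falling through to the validity-period fallback, which callers need to know if 0 means "no PKINIT lifetime".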
@@ -1492,7 +1768,7 @@ hx509_cert_get_notAfter(hx509_cert p)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_SPKI(hx509_context context, hx509_cert p, SubjectPublicKeyInfo *spki)
{
int ret;
@@ -1518,7 +1794,7 @@ hx509_cert_get_SPKI(hx509_context context, hx509_cert p, SubjectPublicKeyInfo *s
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_SPKI_AlgorithmIdentifier(hx509_context context,
hx509_cert p,
AlgorithmIdentifier *alg)
@@ -1540,7 +1816,7 @@ get_x_unique_id(hx509_context context, const char *name,
if (cert == NULL) {
ret = HX509_EXTENSION_NOT_FOUND;
- hx509_set_error_string(context, 0, ret, "%s unique id doesn't exists", name);
+ hx509_set_error_string(context, 0, ret, "%s unique id doesn't exist", name);
return ret;
}
ret = der_copy_bit_string(cert, subject);
@@ -1565,7 +1841,7 @@ get_x_unique_id(hx509_context context, const char *name,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_issuer_unique_id(hx509_context context, hx509_cert p, heim_bit_string *issuer)
{
return get_x_unique_id(context, "issuer", p->data->tbsCertificate.issuerUniqueID, issuer);
@@ -1585,27 +1861,51 @@ hx509_cert_get_issuer_unique_id(hx509_context context, hx509_cert p, heim_bit_st
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_get_subject_unique_id(hx509_context context, hx509_cert p, heim_bit_string *subject)
{
return get_x_unique_id(context, "subject", p->data->tbsCertificate.subjectUniqueID, subject);
}
-hx509_private_key
+HX509_LIB_FUNCTION hx509_private_key HX509_LIB_CALL
_hx509_cert_private_key(hx509_cert p)
{
return p->private_key;
}
-int
+/**
+ * Indicate whether a hx509_cert has a private key.
+ *
+ * @param p a hx509 certificate
+ *
+ * @return 1 if p has a private key, 0 otherwise.
+ *
+ * @ingroup hx509_cert
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_have_private_key(hx509_cert p)
{
return p->private_key ? 1 : 0;
}
+/**
+ * Indicate whether a hx509_cert has a private key only (no certificate).
+ *
+ * @param p a hx509 certificate
+ *
+ * @return 1 if p has a private key only (no certificate), 0 otherwise.
+ *
+ * @ingroup hx509_cert
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_have_private_key_only(hx509_cert p)
+{
+ return p->private_key && !p->data ? 1 : 0;
+}
+
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_private_key_exportable(hx509_cert p)
{
if (p->private_key == NULL)
@@ -1613,7 +1913,7 @@ _hx509_cert_private_key_exportable(hx509_cert p)
return _hx509_private_key_exportable(p->private_key);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_private_decrypt(hx509_context context,
const heim_octet_string *ciphertext,
const heim_oid *encryption_oid,
@@ -1636,7 +1936,7 @@ _hx509_cert_private_decrypt(hx509_context context,
cleartext);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_public_encrypt(hx509_context context,
const heim_octet_string *cleartext,
const hx509_cert p,
@@ -1652,7 +1952,7 @@ hx509_cert_public_encrypt(hx509_context context,
*
*/
-time_t
+HX509_LIB_FUNCTION time_t HX509_LIB_CALL
_hx509_Time2time_t(const Time *t)
{
switch(t->element) {
@@ -1896,7 +2196,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
memset(&certname, 0, sizeof(certname));
certname.element = choice_GeneralName_directoryName;
- certname.u.directoryName.element = (enum GeneralName_directoryName_enum)
+ certname.u.directoryName.element = (enum Name_enum)
c->tbsCertificate.subject.element;
certname.u.directoryName.u.rdnSequence =
c->tbsCertificate.subject.u.rdnSequence;
@@ -1937,7 +2237,7 @@ check_name_constraints(hx509_context context,
/* allow null subjectNames, they wont matches anything */
if (match == 0 && !subject_null_p(c)) {
hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
- "Error verify constraints, "
+ "Error verifying constraints: "
"certificate didn't match any "
"permitted subtree");
return HX509_VERIFY_CONSTRAINTS;
@@ -1952,7 +2252,7 @@ check_name_constraints(hx509_context context,
}
if (match) {
hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
- "Error verify constraints, "
+ "Error verifying constraints: "
"certificate included in excluded "
"subtree");
return HX509_VERIFY_CONSTRAINTS;
@@ -1987,7 +2287,7 @@ free_name_constraints(hx509_name_constraints *nc)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_path(hx509_context context,
hx509_verify_ctx ctx,
hx509_cert cert,
@@ -2009,7 +2309,7 @@ hx509_verify_path(hx509_context context,
ret = HX509_PROXY_CERT_INVALID;
hx509_set_error_string(context, 0, ret,
"Proxy certificate is not allowed as an EE "
- "certificae if proxy certificate is disabled");
+ "certificate if proxy certificate is disabled");
return ret;
}
@@ -2110,7 +2410,7 @@ hx509_verify_path(hx509_context context,
ret = HX509_PATH_TOO_LONG;
hx509_set_error_string(context, 0, ret,
"Proxy certificate chain "
- "longer then allowed");
+ "longer than allowed");
goto out;
}
/* XXX MUST check info.proxyPolicy */
@@ -2120,7 +2420,7 @@ hx509_verify_path(hx509_context context,
if (find_extension(c, &asn1_oid_id_x509_ce_subjectAltName, &j)) {
ret = HX509_PROXY_CERT_INVALID;
hx509_set_error_string(context, 0, ret,
- "Proxy certificate have explicity "
+ "Proxy certificate has explicitly "
"forbidden subjectAltName");
goto out;
}
@@ -2129,7 +2429,7 @@ hx509_verify_path(hx509_context context,
if (find_extension(c, &asn1_oid_id_x509_ce_issuerAltName, &j)) {
ret = HX509_PROXY_CERT_INVALID;
hx509_set_error_string(context, 0, ret,
- "Proxy certificate have explicity "
+ "Proxy certificate has explicitly "
"forbidden issuerAltName");
goto out;
}
@@ -2202,7 +2502,7 @@ hx509_verify_path(hx509_context context,
type = EE_CERT;
}
}
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case EE_CERT:
/*
* If there where any proxy certificates in the chain
@@ -2415,7 +2715,7 @@ out:
* @ingroup hx509_crypto
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_signature(hx509_context context,
const hx509_cert signer,
const AlgorithmIdentifier *alg,
@@ -2425,7 +2725,7 @@ hx509_verify_signature(hx509_context context,
return _hx509_verify_signature(context, signer, alg, data, sig);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_verify_signature_bitstring(hx509_context context,
const hx509_cert signer,
const AlgorithmIdentifier *alg,
@@ -2468,7 +2768,7 @@ _hx509_verify_signature_bitstring(hx509_context context,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_verify_hostname(hx509_context context,
const hx509_cert cert,
int flags,
@@ -2561,7 +2861,7 @@ hx509_verify_hostname(hx509_context context,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_set_cert_attribute(hx509_context context,
hx509_cert cert,
const heim_oid *oid,
@@ -2569,6 +2869,12 @@ _hx509_set_cert_attribute(hx509_context context,
{
hx509_cert_attribute a;
void *d;
+ int ret;
+
+ /*
+ * TODO: Rewrite this (and hx509_cert_attribute, and _hx509_cert_attrs) to
+ * use the add_AttributeValues() util generated by asn1_compile.
+ */
if (hx509_cert_get_attribute(cert, oid) != NULL)
return 0;
@@ -2585,13 +2891,18 @@ _hx509_set_cert_attribute(hx509_context context,
if (a == NULL)
return ENOMEM;
- der_copy_octet_string(attr, &a->data);
- der_copy_oid(oid, &a->oid);
-
- cert->attrs.val[cert->attrs.len] = a;
- cert->attrs.len++;
+ ret = der_copy_octet_string(attr, &a->data);
+ if (ret == 0)
+ ret = der_copy_oid(oid, &a->oid);
+ if (ret == 0) {
+ cert->attrs.val[cert->attrs.len] = a;
+ cert->attrs.len++;
+ } else {
+ der_free_octet_string(&a->data);
+ free(a);
+ }
- return 0;
+ return ret;
}
/**
@@ -2607,7 +2918,7 @@ _hx509_set_cert_attribute(hx509_context context,
* @ingroup hx509_cert
*/
-hx509_cert_attribute
+HX509_LIB_FUNCTION hx509_cert_attribute HX509_LIB_CALL
hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid)
{
size_t i;
@@ -2628,7 +2939,7 @@ hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_set_friendly_name(hx509_cert cert, const char *name)
{
if (cert->friendlyname)
@@ -2650,7 +2961,7 @@ hx509_cert_set_friendly_name(hx509_cert cert, const char *name)
* @ingroup hx509_cert
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_cert_get_friendly_name(hx509_cert cert)
{
hx509_cert_attribute a;
@@ -2703,7 +3014,7 @@ hx509_cert_get_friendly_name(hx509_cert cert)
return cert->friendlyname;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_query_clear(hx509_query *q)
{
memset(q, 0, sizeof(*q));
@@ -2720,7 +3031,7 @@ _hx509_query_clear(hx509_query *q)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_alloc(hx509_context context, hx509_query **q)
{
*q = calloc(1, sizeof(**q));
@@ -2741,7 +3052,7 @@ hx509_query_alloc(hx509_context context, hx509_query **q)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_match_option(hx509_query *q, hx509_query_option option)
{
switch(option) {
@@ -2776,7 +3087,7 @@ hx509_query_match_option(hx509_query *q, hx509_query_option option)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_issuer_serial(hx509_query *q,
const Name *issuer,
const heim_integer *serialNumber)
@@ -2823,7 +3134,7 @@ hx509_query_match_issuer_serial(hx509_query *q,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_friendly_name(hx509_query *q, const char *name)
{
if (q->friendlyname)
@@ -2848,7 +3159,7 @@ hx509_query_match_friendly_name(hx509_query *q, const char *name)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_eku(hx509_query *q, const heim_oid *eku)
{
int ret;
@@ -2879,7 +3190,7 @@ hx509_query_match_eku(hx509_query *q, const heim_oid *eku)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
{
if (q->expr) {
@@ -2889,12 +3200,21 @@ hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
if (expr == NULL) {
q->match &= ~HX509_QUERY_MATCH_EXPR;
- } else {
- q->expr = _hx509_expr_parse(expr);
- if (q->expr)
- q->match |= HX509_QUERY_MATCH_EXPR;
+ return 0;
+ }
+
+ q->expr = _hx509_expr_parse(expr);
+ if (q->expr == NULL) {
+ const char *reason = _hx509_expr_parse_error();
+
+ hx509_set_error_string(context, 0, EINVAL,
+ "Invalid certificate query match expression: "
+ "%s (%s)", expr,
+ reason ? reason : "syntax error");
+ return EINVAL;
}
+ q->match |= HX509_QUERY_MATCH_EXPR;
return 0;
}
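Review bot: When `_hx509_expr_parse` fails the function now returns EINVAL with `q->expr == NULL`, but nothing in the hunk clears `HX509_QUERY_MATCH_EXPR` from `q->match`; if the `if (q->expr)` block just above the hunk (outside this view) does not drop the flag when it frees a previous expression, a second call with a bad expression leaves a query whose match flag is set while `expr` is NULL, and `_hx509_query_match_cert` would dereference it. Adding `q->match &= ~HX509_QUERY_MATCH_EXPR;` before `return EINVAL;` makes the failure path self-contained regardless of the caller's history. If `_hx509_expr_parse_error()` reports through a static buffer it is also unsafe under concurrent parsers; a comment stating its threading contract, or a context-scoped error, would be worth adding.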
@@ -2911,7 +3231,7 @@ hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_query_match_cmp_func(hx509_query *q,
int (*func)(hx509_context, hx509_cert, void *),
void *ctx)
@@ -2934,7 +3254,7 @@ hx509_query_match_cmp_func(hx509_query *q,
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_free(hx509_context context, hx509_query *q)
{
if (q == NULL)
@@ -2961,7 +3281,7 @@ hx509_query_free(hx509_context context, hx509_query *q)
free(q);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert cert)
{
Certificate *c = _hx509_get_cert(cert);
@@ -3122,7 +3442,7 @@ _hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_statistic_file(hx509_context context, const char *fn)
{
if (context->querystat)
@@ -3130,7 +3450,7 @@ hx509_query_statistic_file(hx509_context context, const char *fn)
context->querystat = strdup(fn);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_query_statistic(hx509_context context, int type, const hx509_query *q)
{
FILE *f;
@@ -3193,7 +3513,7 @@ stat_sort(const void *a, const void *b)
* @ingroup hx509_cert
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
{
rtbl_t t;
@@ -3207,7 +3527,7 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
return;
f = fopen(context->querystat, "r");
if (f == NULL) {
- fprintf(out, "No statistic file %s: %s.\n",
+ fprintf(out, "No statistics file %s: %s.\n",
context->querystat, strerror(errno));
return;
}
@@ -3282,7 +3602,7 @@ hx509_query_unparse_stats(hx509_context context, int printtype, FILE *out)
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_check_eku(hx509_context context, hx509_cert cert,
const heim_oid *eku, int allow_any_eku)
{
@@ -3302,12 +3622,11 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
return 0;
}
if (allow_any_eku) {
-#if 0
- if (der_heim_oid_cmp(id_any_eku, &e.val[i]) == 0) {
+ if (der_heim_oid_cmp(&asn1_oid_id_x509_ce_anyExtendedKeyUsage,
+ &e.val[i]) == 0) {
free_ExtKeyUsage(&e);
return 0;
}
-#endif
}
}
free_ExtKeyUsage(&e);
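Review bot: Enabling the `anyExtendedKeyUsage` comparison at L6249-6253 changes behaviour for every existing caller that passes a nonzero `allow_any_eku`, because that parameter was a no-op while the block sat under `#if 0`; the function's doc comment (above this hunk) should state explicitly that a certificate whose ExtKeyUsage carries only id-ce-anyExtendedKeyUsage now satisfies any requested EKU, e.g. `@param allow_any_eku if non-zero, anyExtendedKeyUsage in the certificate satisfies any eku`. Callers that use this check to gate security-sensitive EKUs should be audited to confirm they pass 0, since they silently gained a wildcard match with this commit. The function starts and ends outside this hunk.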
@@ -3315,7 +3634,7 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
return HX509_CERTIFICATE_MISSING_EKU;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_get_keyusage(hx509_context context,
hx509_cert c,
KeyUsage *ku)
@@ -3343,7 +3662,7 @@ _hx509_cert_get_keyusage(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_get_eku(hx509_context context,
hx509_cert cert,
ExtKeyUsage *e)
@@ -3373,7 +3692,7 @@ _hx509_cert_get_eku(hx509_context context,
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
{
size_t size;
@@ -3391,7 +3710,6 @@ hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
}
if (os->length != size)
_hx509_abort("internal ASN.1 encoder error");
-
return ret;
}
@@ -3402,7 +3720,7 @@ hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
#undef __attribute__
#define __attribute__(X)
-void
+HX509_LIB_NORETURN_FUNCTION void HX509_LIB_CALL
_hx509_abort(const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)))
{
@@ -3423,7 +3741,7 @@ _hx509_abort(const char *fmt, ...)
* @ingroup hx509_misc
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_xfree(void *ptr)
{
free(ptr);
@@ -3433,7 +3751,7 @@ hx509_xfree(void *ptr)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
{
ExtKeyUsage eku;
@@ -3459,13 +3777,12 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
goto out;
ret = hx509_name_to_string(name, &buf);
- if (ret) {
- hx509_name_free(&name);
+ hx509_name_free(&name);
+ if (ret)
goto out;
- }
ret = hx509_env_add(context, &envcert, "subject", buf);
- hx509_name_free(&name);
+ hx509_xfree(buf);
if (ret)
goto out;
@@ -3582,7 +3899,7 @@ out:
* @ingroup hx509_cert
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_print_cert(hx509_context context, hx509_cert cert, FILE *out)
{
hx509_name name;
@@ -3622,7 +3939,7 @@ hx509_print_cert(hx509_context context, hx509_cert cert, FILE *out)
free(str);
}
- printf(" keyusage: ");
+ fprintf(out, " keyusage: ");
ret = hx509_cert_keyusage_print(context, cert, &str);
if (ret == 0) {
fprintf(out, "%s\n", str);
diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 1da8a93d343a..c770b8132624 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -71,7 +71,7 @@
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_wrap_ContentInfo(const heim_oid *oid,
const heim_octet_string *buf,
heim_octet_string *res)
@@ -125,7 +125,7 @@ hx509_cms_wrap_ContentInfo(const heim_oid *oid,
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_unwrap_ContentInfo(const heim_octet_string *in,
heim_oid *oid,
heim_octet_string *out,
@@ -182,7 +182,7 @@ fill_CMSIdentifier(const hx509_cert cert,
&id->u.subjectKeyIdentifier);
if (ret == 0)
break;
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case CMS_ID_NAME: {
hx509_name name;
@@ -349,7 +349,7 @@ find_CMSIdentifier(hx509_context context,
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_unenvelope(hx509_context context,
hx509_certs certs,
int flags,
@@ -555,7 +555,7 @@ out:
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_envelope_1(hx509_context context,
int flags,
hx509_cert cert,
@@ -633,7 +633,7 @@ hx509_cms_envelope_1(hx509_context context,
if (enc_alg->parameters == NULL) {
ret = ENOMEM;
hx509_set_error_string(context, 0, ret,
- "Failed to allocate crypto paramaters "
+ "Failed to allocate crypto parameters "
"for EnvelopedData");
goto out;
}
@@ -789,7 +789,7 @@ find_attribute(const CMSAttributes *attr, const heim_oid *oid)
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_verify_signed(hx509_context context,
hx509_verify_ctx ctx,
unsigned int flags,
@@ -801,6 +801,60 @@ hx509_cms_verify_signed(hx509_context context,
heim_octet_string *content,
hx509_certs *signer_certs)
{
+ unsigned int verify_flags;
+
+ return hx509_cms_verify_signed_ext(context,
+ ctx,
+ flags,
+ data,
+ length,
+ signedContent,
+ pool,
+ contentType,
+ content,
+ signer_certs,
+ &verify_flags);
+}
+
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param ctx a hx509 verify context.
+ * @param flags to control the behaivor of the function.
+ * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
+ * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
+ * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
+ * @param data pointer to CMS SignedData encoded data.
+ * @param length length of the data that data point to.
+ * @param signedContent external data used for signature.
+ * @param pool certificate pool to build certificates paths.
+ * @param contentType free with der_free_oid().
+ * @param content the output of the function, free with
+ * der_free_octet_string().
+ * @param signer_certs list of the cerficates used to sign this
+ * request, free with hx509_certs_free().
+ * @param verify_flags flags indicating whether the certificate
+ * was verified or not
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cms_verify_signed_ext(hx509_context context,
+ hx509_verify_ctx ctx,
+ unsigned int flags,
+ const void *data,
+ size_t length,
+ const heim_octet_string *signedContent,
+ hx509_certs pool,
+ heim_oid *contentType,
+ heim_octet_string *content,
+ hx509_certs *signer_certs,
+ unsigned int *verify_flags)
+{
SignerInfo *signer_info;
hx509_cert cert = NULL;
hx509_certs certs = NULL;
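Review bot: The new doc comment at L6423-6447 describes `verify_flags` only as "flags indicating whether the certificate was verified or not" and never names the bit a caller must test; suggest `@param verify_flags receives HX509_CMS_VSE_VALIDATED when the signer's chain passed hx509_verify_path(); zero if HX509_CMS_VS_NO_VALIDATE was set and validation failed`, and the flag list at L6428-6431 should include HX509_CMS_VS_NO_VALIDATE since the new semantics hinge on it. The legacy wrapper at L6408-6420 discards `verify_flags`, so its callers cannot tell a validated signer from an unvalidated one when they pass HX509_CMS_VS_NO_VALIDATE — worth a sentence in the wrapper's doc comment (above this hunk). Also "behaivor" (L6428) and "cerficates" (L6439) are typos in the new text.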
@@ -810,6 +864,8 @@ hx509_cms_verify_signed(hx509_context context,
size_t i;
*signer_certs = NULL;
+ *verify_flags = 0;
+
content->data = NULL;
content->length = 0;
contentType->length = 0;
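Review bot: `*verify_flags = 0;` at L6468 dereferences the new out-parameter unconditionally, so a caller with no use for the flags that passes NULL will crash; the wrapper earlier in the file already has to declare a throwaway local just to satisfy it. Accepting NULL is cheap: `if (verify_flags) *verify_flags = 0;` here, with the same guard on the `*verify_flags |= HX509_CMS_VSE_VALIDATED;` assignment later in the function. The enclosing function starts in the previous hunk and ends after this one.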
@@ -1038,22 +1094,19 @@ hx509_cms_verify_signed(hx509_context context,
goto next_sigature;
/**
- * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the
- * signing certificates and leave that up to the caller.
+ * If HX509_CMS_VS_NO_VALIDATE flags is set, return the signer
+ * certificate unconditionally but do not set HX509_CMS_VSE_VALIDATED.
*/
-
- if ((flags & HX509_CMS_VS_NO_VALIDATE) == 0) {
- ret = hx509_verify_path(context, ctx, cert, certs);
- if (ret)
- goto next_sigature;
+ ret = hx509_verify_path(context, ctx, cert, certs);
+ if (ret == 0 || (flags & HX509_CMS_VS_NO_VALIDATE)) {
+ if (ret == 0)
+ *verify_flags |= HX509_CMS_VSE_VALIDATED;
+
+ ret = hx509_certs_add(context, *signer_certs, cert);
+ if (ret == 0)
+ found_valid_sig++;
}
- ret = hx509_certs_add(context, *signer_certs, cert);
- if (ret)
- goto next_sigature;
-
- found_valid_sig++;
-
next_sigature:
if (cert)
hx509_cert_free(cert);
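Review bot: With HX509_CMS_VS_NO_VALIDATE set, `hx509_verify_path()` at L6486 now always runs, whereas before the flag skipped it entirely; callers who set the flag to avoid path building (and whatever revocation lookups it performs) now pay that cost, and when it fails its error string stays in `context` even though the function goes on to report success — consider `hx509_clear_error_string(context);` in the NO_VALIDATE-and-failed case. The comment at L6478-6479 says the signer certificate is returned "unconditionally", but the `goto next_sigature` immediately above this hunk still drops signers whose signature does not verify, so "regardless of chain validation" would be accurate. The enclosing function starts and ends outside this hunk.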
@@ -1158,7 +1211,7 @@ add_one_attribute(Attribute **attr,
* @ingroup hx509_cms
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_create_signed_1(hx509_context context,
int flags,
const heim_oid *eContentType,
@@ -1205,7 +1258,7 @@ struct sigctx {
hx509_certs pool;
};
-static int
+static int HX509_LIB_CALL
sig_process(hx509_context context, void *ctx, hx509_cert cert)
{
struct sigctx *sigctx = ctx;
@@ -1423,7 +1476,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert)
return ret;
}
-static int
+static int HX509_LIB_CALL
cert_process(hx509_context context, void *ctx, hx509_cert cert)
{
struct sigctx *sigctx = ctx;
@@ -1451,7 +1504,7 @@ cmp_AlgorithmIdentifier(const AlgorithmIdentifier *p, const AlgorithmIdentifier
return der_heim_oid_cmp(&p->algorithm, &q->algorithm);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_create_signed(hx509_context context,
int flags,
const heim_oid *eContentType,
@@ -1510,9 +1563,11 @@ hx509_cms_create_signed(hx509_context context,
sigctx.anchors = anchors;
sigctx.pool = pool;
- sigctx.sd.version = CMSVersion_v3;
+ sigctx.sd.version = cMSVersion_v3;
- der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
+ ret = der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
+ if (ret)
+ goto out;
/**
* Use HX509_CMS_SIGNATURE_DETACHED to create detached signatures.
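Review bot: The `goto out` added at L6543-6544 leaves the function earlier than any previous error path, before the rest of `sigctx` is populated, so the cleanup at `out:` (outside this hunk) must cope with a `sigctx.sd` whose only initialised members are `version` and a possibly partially copied `eContentType` — this is fine if `sigctx` was zeroed earlier, which is not visible here; please confirm. If it was not, whatever frees `sigctx.sd` at `out:` will walk uninitialised pointers on this new path. The enclosing function starts and ends outside this hunk.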
@@ -1600,7 +1655,7 @@ out:
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cms_decrypt_encrypted(hx509_context context,
hx509_lock lock,
const void *data,
diff --git a/lib/hx509/collector.c b/lib/hx509/collector.c
index 15f8163f8093..f1423aced2f3 100644
--- a/lib/hx509/collector.c
+++ b/lib/hx509/collector.c
@@ -50,7 +50,7 @@ struct hx509_collector {
};
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_alloc(hx509_context context, hx509_lock lock, struct hx509_collector **collector)
{
struct hx509_collector *c;
@@ -85,14 +85,14 @@ _hx509_collector_alloc(hx509_context context, hx509_lock lock, struct hx509_coll
return 0;
}
-hx509_lock
+HX509_LIB_FUNCTION hx509_lock HX509_LIB_CALL
_hx509_collector_get_lock(struct hx509_collector *c)
{
return c->lock;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_certs_add(hx509_context context,
struct hx509_collector *c,
hx509_cert cert)
@@ -110,7 +110,7 @@ free_private_key(struct private_key *key)
free(key);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_private_key_add(hx509_context context,
struct hx509_collector *c,
const AlgorithmIdentifier *alg,
@@ -147,6 +147,16 @@ _hx509_collector_private_key_add(hx509_context context,
key_data->data, key_data->length,
HX509_KEY_FORMAT_DER,
&key->private_key);
+ if (ret && localKeyId) {
+ int ret2;
+
+ ret2 = hx509_parse_private_key(context, alg,
+ localKeyId->data, localKeyId->length,
+ HX509_KEY_FORMAT_PKCS8,
+ &key->private_key);
+ if (ret2 == 0)
+ ret = 0;
+ }
if (ret)
goto out;
}
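Review bot: The retry at L6592-6601 re-parses the `localKeyId` attribute as a PKCS#8 private key whenever the real key blob fails to decode, with no comment on which producer emits key material there; it silently masks the original HX509_KEY_FORMAT_DER failure (the error string from the first `hx509_parse_private_key()` is overwritten by the second call) and treats an identifier field as a key. At minimum add a comment naming the producer or format this works around, and preserve the first error when the fallback also fails. If the fallback succeeds, it is not visible here whether `localKeyId` is still stored for `match_localkeyid()`, where it would then be compared against certificate attributes as an identifier rather than a key. The enclosing function starts and ends outside this hunk.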
@@ -191,8 +201,9 @@ match_localkeyid(hx509_context context,
q.local_key_id = &value->localKeyId;
ret = hx509_certs_find(context, certs, &q, &cert);
+ if (ret == 0 && cert == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret == 0) {
-
if (value->private_key)
_hx509_cert_assign_key(cert, value->private_key);
hx509_cert_free(cert);
@@ -247,7 +258,7 @@ match_keys(hx509_context context, struct private_key *value, hx509_certs certs)
return found;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_collect_certs(hx509_context context,
struct hx509_collector *c,
hx509_certs *ret_certs)
@@ -282,7 +293,7 @@ _hx509_collector_collect_certs(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_collector_collect_private_keys(hx509_context context,
struct hx509_collector *c,
hx509_private_key **keys)
@@ -313,7 +324,7 @@ _hx509_collector_collect_private_keys(hx509_context context,
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_collector_free(struct hx509_collector *c)
{
size_t i;
diff --git a/lib/hx509/crmf.asn1 b/lib/hx509/crmf.asn1
deleted file mode 100644
index 3d8403c8e86a..000000000000
--- a/lib/hx509/crmf.asn1
+++ /dev/null
@@ -1,113 +0,0 @@
--- $Id$
-PKCS10 DEFINITIONS ::=
-
-BEGIN
-
-IMPORTS
- Time,
- GeneralName,
- SubjectPublicKeyInfo,
- RelativeDistinguishedName,
- AttributeTypeAndValue,
- Extension,
- AlgorithmIdentifier
- FROM rfc2459
- heim_any
- FROM heim;
-
-CRMFRDNSequence ::= SEQUENCE OF RelativeDistinguishedName
-
-Controls ::= SEQUENCE -- SIZE(1..MAX) -- OF AttributeTypeAndValue
-
--- XXX IMPLICIT brokenness
-POPOSigningKey ::= SEQUENCE {
- poposkInput [0] IMPLICIT POPOSigningKeyInput OPTIONAL,
- algorithmIdentifier AlgorithmIdentifier,
- signature BIT STRING }
-
-PKMACValue ::= SEQUENCE {
- algId AlgorithmIdentifier,
- value BIT STRING
-}
-
--- XXX IMPLICIT brokenness
-POPOSigningKeyInput ::= SEQUENCE {
- authInfo CHOICE {
- sender [0] IMPLICIT GeneralName,
- publicKeyMAC PKMACValue
- },
- publicKey SubjectPublicKeyInfo
-} -- from CertTemplate
-
-
-PBMParameter ::= SEQUENCE {
- salt OCTET STRING,
- owf AlgorithmIdentifier,
- iterationCount INTEGER,
- mac AlgorithmIdentifier
-}
-
-SubsequentMessage ::= INTEGER {
- encrCert (0),
- challengeResp (1)
-}
-
--- XXX IMPLICIT brokenness
-POPOPrivKey ::= CHOICE {
- thisMessage [0] BIT STRING, -- Deprecated
- subsequentMessage [1] IMPLICIT SubsequentMessage,
- dhMAC [2] BIT STRING, -- Deprecated
- agreeMAC [3] IMPLICIT PKMACValue,
- encryptedKey [4] heim_any
-}
-
--- XXX IMPLICIT brokenness
-ProofOfPossession ::= CHOICE {
- raVerified [0] NULL,
- signature [1] POPOSigningKey,
- keyEncipherment [2] POPOPrivKey,
- keyAgreement [3] POPOPrivKey
-}
-
-CertTemplate ::= SEQUENCE {
- version [0] INTEGER OPTIONAL,
- serialNumber [1] INTEGER OPTIONAL,
- signingAlg [2] SEQUENCE {
- algorithm OBJECT IDENTIFIER,
- parameters heim_any OPTIONAL
- } -- AlgorithmIdentifier -- OPTIONAL,
- issuer [3] IMPLICIT CHOICE {
- rdnSequence CRMFRDNSequence
- } -- Name -- OPTIONAL,
- validity [4] SEQUENCE {
- notBefore [0] Time OPTIONAL,
- notAfter [1] Time OPTIONAL
- } -- OptionalValidity -- OPTIONAL,
- subject [5] IMPLICIT CHOICE {
- rdnSequence CRMFRDNSequence
- } -- Name -- OPTIONAL,
- publicKey [6] IMPLICIT SEQUENCE {
- algorithm AlgorithmIdentifier,
- subjectPublicKey BIT STRING OPTIONAL
- } -- SubjectPublicKeyInfo -- OPTIONAL,
- issuerUID [7] IMPLICIT BIT STRING OPTIONAL,
- subjectUID [8] IMPLICIT BIT STRING OPTIONAL,
- extensions [9] IMPLICIT SEQUENCE OF Extension OPTIONAL
-}
-
-CertRequest ::= SEQUENCE {
- certReqId INTEGER,
- certTemplate CertTemplate,
- controls Controls OPTIONAL
-}
-
-CertReqMsg ::= SEQUENCE {
- certReq CertRequest,
- popo ProofOfPossession OPTIONAL,
- regInfo SEQUENCE OF AttributeTypeAndValue OPTIONAL }
-
-CertReqMessages ::= SEQUENCE OF CertReqMsg
-
-
-END
-
diff --git a/lib/hx509/crypto-ec.c b/lib/hx509/crypto-ec.c
index 4777171cae52..bd5d01a609ad 100644
--- a/lib/hx509/crypto-ec.c
+++ b/lib/hx509/crypto-ec.c
@@ -34,11 +34,16 @@
#include <config.h>
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#include <openssl/evp.h>
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/objects.h>
+#ifdef HAVE_OPENSSL_30
+#include <openssl/asn1.h>
+#include <openssl/core_names.h>
+#endif
#define HEIM_NO_CRYPTO_HDRS
#endif /* HAVE_HCRYPTO_W_OPENSSL */
@@ -49,47 +54,54 @@ extern const AlgorithmIdentifier _hx509_signature_sha384_data;
extern const AlgorithmIdentifier _hx509_signature_sha256_data;
extern const AlgorithmIdentifier _hx509_signature_sha1_data;
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_private_eckey_free(void *eckey)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#ifdef HAVE_OPENSSL_30
+ EVP_PKEY_free(eckey);
+#else
EC_KEY_free(eckey);
#endif
+#endif
}
#ifdef HAVE_HCRYPTO_W_OPENSSL
-static int
-heim_oid2ecnid(heim_oid *oid)
-{
- /*
- * Now map to openssl OID fun
- */
-
- if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0)
- return NID_X9_62_prime256v1;
+static struct oid2nid_st {
+ const heim_oid *oid;
+ int nid;
+} oid2nid[] = {
+ { ASN1_OID_ID_EC_GROUP_SECP256R1, NID_X9_62_prime256v1 },
#ifdef NID_secp521r1
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP521R1) == 0)
- return NID_secp521r1;
+ { ASN1_OID_ID_EC_GROUP_SECP521R1, NID_secp521r1 },
#endif
#ifdef NID_secp384r1
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP384R1) == 0)
- return NID_secp384r1;
+ { ASN1_OID_ID_EC_GROUP_SECP384R1, NID_secp384r1 },
#endif
#ifdef NID_secp160r1
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0)
- return NID_secp160r1;
+ { ASN1_OID_ID_EC_GROUP_SECP160R1, NID_secp160r1 },
#endif
#ifdef NID_secp160r2
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0)
- return NID_secp160r2;
+ { ASN1_OID_ID_EC_GROUP_SECP160R2, NID_secp160r2 },
#endif
+ /* XXX Add more! Add X25519! */
+};
+
+int
+_hx509_ossl_oid2nid(heim_oid *oid)
+{
+ size_t i;
+ for (i = 0; i < sizeof(oid2nid)/sizeof(oid2nid[0]); i++)
+ if (der_heim_oid_cmp(oid, oid2nid[i].oid) == 0)
+ return oid2nid[i].nid;
return NID_undef;
}
static int
-parse_ECParameters(hx509_context context,
- heim_octet_string *parameters, int *nid)
+ECParameters2nid(hx509_context context,
+ heim_octet_string *parameters,
+ int *nid)
{
ECParameters ecparam;
size_t size;
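Review bot: `_hx509_ossl_oid2nid()` at L6829-6837 is made non-static (and renamed as if shared with other files), yet unlike every other newly exported symbol in this commit it carries no `HX509_LIB_FUNCTION`/`HX509_LIB_CALL` decoration, so on builds where those macros control visibility it will presumably not be exported; change it to `HX509_LIB_FUNCTION int HX509_LIB_CALL` and take `const heim_oid *oid`, which `der_heim_oid_cmp()` already accepts. The `oid2nid` table at L6801-6827 could be `static const` since nothing writes it. The "Add X25519!" comment is misleading for a table of ECDSA groups, since X25519 is a key-agreement curve — presumably further NIST curves or the EdDSA curves are meant.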
@@ -117,7 +129,7 @@ parse_ECParameters(hx509_context context,
return HX509_CRYPTO_SIG_INVALID_FORMAT;
}
- *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
+ *nid = _hx509_ossl_oid2nid(&ecparam.u.namedCurve);
free_ECParameters(&ecparam);
if (*nid == NID_undef) {
hx509_set_error_string(context, 0, ret,
@@ -127,6 +139,39 @@ parse_ECParameters(hx509_context context,
return 0;
}
+#ifdef HAVE_OPENSSL_30
+static const EVP_MD *
+signature_alg2digest_evp_md(hx509_context context,
+ const AlgorithmIdentifier *digest_alg)
+{
+ if ((&digest_alg->algorithm == &asn1_oid_id_sha512 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_sha512) == 0))
+ return EVP_sha512();
+ if ((&digest_alg->algorithm == &asn1_oid_id_sha384 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_sha384) == 0))
+ return EVP_sha384();
+ if ((&digest_alg->algorithm == &asn1_oid_id_sha256 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_sha256) == 0))
+ return EVP_sha256();
+ if ((&digest_alg->algorithm == &asn1_oid_id_secsig_sha_1 ||
+ der_heim_oid_cmp(&digest_alg->algorithm, &asn1_oid_id_secsig_sha_1) == 0))
+ return EVP_sha1();
+ if ((&digest_alg->algorithm == &asn1_oid_id_rsa_digest_md5 ||
+ der_heim_oid_cmp(&digest_alg->algorithm,
+ &asn1_oid_id_rsa_digest_md5) == 0))
+ return EVP_md5();
+
+ /*
+ * XXX Decode the `digest_alg->algorithm' OID and include it in the error
+ * message.
+ */
+ hx509_set_error_string(context, 0, EINVAL,
+ "Digest algorithm not found");
+ return NULL;
+}
+#endif
+
+
/*
*
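Review bot: The lookup at L6875-6878 maps `id_rsa_digest_md5` to `EVP_md5()`, so if any ECDSA `signature_alg` entry with an MD5 digest exists or is added later, this helper will happily verify and create ECDSA-over-MD5 signatures; unless `_hx509_find_sig_alg()` guarantees no such entry, drop the MD5 case or mark it with a comment stating why it is unreachable. The error message at L6884-6885 should include the offending OID as the XXX notes, e.g. via `der_print_heim_oid()`, otherwise a user gets no hint which algorithm was rejected. The pointer comparisons such as `&digest_alg->algorithm == &asn1_oid_id_sha512` are a cheap fast path only; a one-line comment saying so would stop a reader wondering whether they are load-bearing.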
@@ -140,6 +185,106 @@ ecdsa_verify_signature(hx509_context context,
const heim_octet_string *data,
const heim_octet_string *sig)
{
+#ifdef HAVE_OPENSSL_30
+ const AlgorithmIdentifier *digest_alg = sig_alg->digest_alg;
+ const EVP_MD *md = signature_alg2digest_evp_md(context, digest_alg);
+ const SubjectPublicKeyInfo *spi;
+ const char *curve_sn = NULL; /* sn == short name in OpenSSL parlance */
+ OSSL_PARAM params[2];
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY *template = NULL;
+ EVP_PKEY *public = NULL;
+ const unsigned char *p;
+ size_t len;
+ char *curve_sn_dup = NULL;
+ int groupnid;
+ int ret = 0;
+
+ spi = &signer->tbsCertificate.subjectPublicKeyInfo;
+ if (der_heim_oid_cmp(&spi->algorithm.algorithm,
+ ASN1_OID_ID_ECPUBLICKEY) != 0)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ /* XXX Include the OID in the message */
+ "Unsupported subjectPublicKey algorithm");
+ if (ret == 0)
+ ret = ECParameters2nid(context, spi->algorithm.parameters, &groupnid);
+ if (ret == 0 && (curve_sn = OBJ_nid2sn(groupnid)) == NULL)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not resolve curve NID %d to its short name",
+ groupnid);
+ if (ret == 0 && (curve_sn_dup = strdup(curve_sn)) == NULL)
+ ret = hx509_enomem(context);
+ if (ret == 0 && (mdctx = EVP_MD_CTX_new()) == NULL)
+ ret = hx509_enomem(context);
+
+ /*
+ * In order for d2i_PublicKey() to work we need to create a template key
+ * that has the curve parameters for the subjectPublicKey.
+ *
+ * Or maybe we could learn to use the OSSL_DECODER(3) API. But this works,
+ * at least until OpenSSL deprecates d2i_PublicKey() and forces us to use
+ * OSSL_DECODER(3).
+ */
+ if (ret == 0) {
+ /*
+ * Apparently there's no error checking to be done here? Why does
+ * OSSL_PARAM_construct_utf8_string() want a non-const for the value?
+ * Is that a bug in OpenSSL?
+ */
+ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
+ curve_sn_dup, 0);
+ params[1] = OSSL_PARAM_construct_end();
+
+ if ((pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL)
+ ret = hx509_enomem(context);
+ }
+ if (ret == 0 && EVP_PKEY_fromdata_init(pctx) != 1)
+ ret = hx509_enomem(context);
+ if (ret == 0 &&
+ EVP_PKEY_fromdata(pctx, &template,
+ OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, params) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not set up to parse key for curve %s",
+ curve_sn);
+
+ /* Finally we can decode the subjectPublicKey */
+ p = spi->subjectPublicKey.data;
+ len = spi->subjectPublicKey.length / 8;
+ if (ret == 0 &&
+ (public = d2i_PublicKey(EVP_PKEY_EC, &template, &p, len)) == NULL)
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+
+ /* EVP_DigestVerifyInit() will allocate a new pctx */
+ EVP_PKEY_CTX_free(pctx);
+ pctx = NULL;
+
+ if (ret == 0 &&
+ EVP_DigestVerifyInit(mdctx, &pctx, md, NULL, public) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not initialize "
+ "OpenSSL signature verification");
+ if (ret == 0 &&
+ EVP_DigestVerifyUpdate(mdctx, data->data, data->length) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Could not initialize "
+ "OpenSSL signature verification");
+ if (ret == 0 &&
+ EVP_DigestVerifyFinal(mdctx, sig->data, sig->length) != 1)
+ hx509_set_error_string(context, 0,
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT,
+ "Signature verification failed");
+
+ EVP_MD_CTX_free(mdctx);
+ EVP_PKEY_free(template);
+ free(curve_sn_dup);
+ return ret;
+#else
const AlgorithmIdentifier *digest_alg;
const SubjectPublicKeyInfo *spi;
heim_octet_string digest;
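Review bot: `md` obtained at L6899 is never checked for NULL before `EVP_DigestVerifyInit()` at L6975, and OpenSSL documents that a NULL digest selects the key type's default digest, so an unrecognised `digest_alg` OID would not be rejected but verified with a different hash than the AlgorithmIdentifier names, and the error string set by the helper would be overwritten by later calls; add `if (md == NULL) return HX509_CRYPTO_SIG_INVALID_FORMAT;` before the `spi =` line. The `d2i_PublicKey()` failure at L6966-6968 sets no error string, unlike every other failure in this path. Since `d2i_PublicKey()` with a non-NULL `&template` appears to decode into and return that same key, `public` aliases `template` and only `template` is freed at L6993 — a comment there would prevent a future "fix" that double-frees. The function's signature starts before this hunk and the pre-3.0 path continues after it.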
@@ -153,28 +298,28 @@ ecdsa_verify_signature(hx509_context context,
digest_alg = sig_alg->digest_alg;
ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &digest);
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &digest);
if (ret)
- return ret;
+ return ret;
/* set up EC KEY */
spi = &signer->tbsCertificate.subjectPublicKeyInfo;
if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0)
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
/*
* Find the group id
*/
- ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
+ ret = ECParameters2nid(context, spi->algorithm.parameters, &groupnid);
if (ret) {
- der_free_octet_string(&digest);
- return ret;
+ der_free_octet_string(&digest);
+ return ret;
}
/*
@@ -190,20 +335,21 @@ ecdsa_verify_signature(hx509_context context,
len = spi->subjectPublicKey.length / 8;
if (o2i_ECPublicKey(&key, &p, len) == NULL) {
- EC_KEY_free(key);
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ EC_KEY_free(key);
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
}
ret = ECDSA_verify(-1, digest.data, digest.length,
- sig->data, sig->length, key);
+ sig->data, sig->length, key);
der_free_octet_string(&digest);
EC_KEY_free(key);
if (ret != 1) {
- ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
- return ret;
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+ return ret;
}
return 0;
+#endif
}
static int
@@ -215,6 +361,56 @@ ecdsa_create_signature(hx509_context context,
AlgorithmIdentifier *signatureAlgorithm,
heim_octet_string *sig)
{
+#ifdef HAVE_OPENSSL_30
+ const AlgorithmIdentifier *digest_alg = sig_alg->digest_alg;
+ const EVP_MD *md = signature_alg2digest_evp_md(context, digest_alg);
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+ const heim_oid *sig_oid;
+ int ret = 0;
+
+ sig->data = NULL;
+ sig->length = 0;
+ if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig_oid = sig_alg->sig_oid;
+ digest_alg = sig_alg->digest_alg;
+
+ if (signatureAlgorithm)
+ ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
+ "\x05\x00", 2);
+ mdctx = EVP_MD_CTX_new();
+ if (mdctx == NULL)
+ ret = hx509_enomem(context);
+ if (ret == 0 && EVP_DigestSignInit(mdctx, &pctx, md, NULL,
+ signer->private_key.ecdsa) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ if (ret == 0 && EVP_DigestSignUpdate(mdctx, data->data, data->length) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ if (ret == 0 && EVP_DigestSignFinal(mdctx, NULL, &sig->length) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ if (ret == 0 && (sig->data = malloc(sig->length)) == NULL)
+ ret = hx509_enomem(context);
+ if (ret == 0 && EVP_DigestSignFinal(mdctx, sig->data, &sig->length) != 1)
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+
+ if (ret == HX509_CMS_FAILED_CREATE_SIGATURE) {
+ /* XXX Extract error detail from OpenSSL */
+ hx509_set_error_string(context, 0, ret,
+ "ECDSA sign failed");
+ }
+
+ if (ret) {
+ if (signatureAlgorithm)
+ free_AlgorithmIdentifier(signatureAlgorithm);
+ free(sig->data);
+ sig->data = NULL;
+ sig->length = 0;
+ }
+ EVP_MD_CTX_free(mdctx);
+ return ret;
+#else
const AlgorithmIdentifier *digest_alg;
heim_octet_string indata;
const heim_oid *sig_oid;
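Review bot: As in the verify path, `md` at L7062 is not checked for NULL before `EVP_DigestSignInit()` at L7082, and with a NULL digest OpenSSL falls back to the key's default digest, so an unsupported `digest_alg` would yield a signature computed with one hash while `signatureAlgorithm` advertises another; add `if (md == NULL) return HX509_CRYPTO_SIG_INVALID_FORMAT;` before `sig->data = NULL;` (the helper has already set the error string). When `_hx509_set_digest_alg()` at L7077 fails, execution still allocates `mdctx` and then frees `signatureAlgorithm` at L7101-7102, which the pre-3.0 path at L7128-7131 deliberately did not do — confirm the structure is freeable after a failed `_hx509_set_digest_alg()`, or return before the allocation as before. `digest_alg = sig_alg->digest_alg;` at L7074 repeats the initialiser at L7061 and can go. The function's signature starts before this hunk.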
@@ -222,7 +418,7 @@ ecdsa_create_signature(hx509_context context,
int ret;
if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
- _hx509_abort("internal error passing private key to wrong ops");
+ _hx509_abort("internal error passing private key to wrong ops");
sig_oid = sig_alg->sig_oid;
digest_alg = sig_alg->digest_alg;
@@ -230,59 +426,63 @@ ecdsa_create_signature(hx509_context context,
if (signatureAlgorithm) {
ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
"\x05\x00", 2);
- if (ret) {
- hx509_clear_error_string(context);
- return ret;
- }
+ if (ret) {
+ hx509_clear_error_string(context);
+ return ret;
+ }
}
ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &indata);
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &indata);
if (ret)
- goto error;
+ goto error;
sig->length = ECDSA_size(signer->private_key.ecdsa);
sig->data = malloc(sig->length);
if (sig->data == NULL) {
- der_free_octet_string(&indata);
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto error;
+ der_free_octet_string(&indata);
+ ret = ENOMEM;
+ hx509_set_error_string(context, 0, ret, "out of memory");
+ goto error;
}
siglen = sig->length;
ret = ECDSA_sign(-1, indata.data, indata.length,
- sig->data, &siglen, signer->private_key.ecdsa);
+ sig->data, &siglen, signer->private_key.ecdsa);
der_free_octet_string(&indata);
if (ret != 1) {
- ret = HX509_CMS_FAILED_CREATE_SIGATURE;
- hx509_set_error_string(context, 0, ret,
- "ECDSA sign failed: %d", ret);
- goto error;
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ hx509_set_error_string(context, 0, ret,
+ "ECDSA sign failed: %d", ret);
+ goto error;
}
if (siglen > sig->length)
- _hx509_abort("ECDSA signature prelen longer the output len");
+ _hx509_abort("ECDSA signature prelen longer the output len");
sig->length = siglen;
return 0;
- error:
+error:
if (signatureAlgorithm)
- free_AlgorithmIdentifier(signatureAlgorithm);
+ free_AlgorithmIdentifier(signatureAlgorithm);
return ret;
+#endif
}
static int
ecdsa_available(const hx509_private_key signer,
const AlgorithmIdentifier *sig_alg)
{
+#ifdef HAVE_OPENSSL_30
const struct signature_alg *sig;
- const EC_GROUP *group;
+ size_t group_name_len = 0;
+ char group_name_buf[96];
+ EC_GROUP *group = NULL;
BN_CTX *bnctx = NULL;
BIGNUM *order = NULL;
int ret = 0;
@@ -291,34 +491,75 @@ ecdsa_available(const hx509_private_key signer,
_hx509_abort("internal error passing private key to wrong ops");
sig = _hx509_find_sig_alg(&sig_alg->algorithm);
-
if (sig == NULL || sig->digest_size == 0)
return 0;
+ if (EVP_PKEY_get_group_name(signer->private_key.ecdsa, group_name_buf,
+ sizeof(group_name_buf),
+ &group_name_len) != 1 ||
+ group_name_len >= sizeof(group_name_buf)) {
+ return 0;
+ }
+ group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(group_name_buf));
+ bnctx = BN_CTX_new();
+ order = BN_new();
+ if (group && bnctx && order &&
+ EC_GROUP_get_order(group, order, bnctx) == 1)
+ ret = 1;
+
+#if 0
+ /*
+ * If anything, require a digest at least as wide as the EC key size
+ *
+ * if (BN_num_bytes(order) > sig->digest_size)
+ * ret = 0;
+ */
+#endif
+
+ BN_CTX_free(bnctx);
+ BN_clear_free(order);
+ EC_GROUP_free(group);
+ return ret;
+#else
+ const struct signature_alg *sig;
+ const EC_GROUP *group;
+ BN_CTX *bnctx = NULL;
+ BIGNUM *order = NULL;
+ int ret = 0;
+
+ if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig = _hx509_find_sig_alg(&sig_alg->algorithm);
+
+ if (sig == NULL || sig->digest_size == 0)
+ return 0;
+
group = EC_KEY_get0_group(signer->private_key.ecdsa);
if (group == NULL)
- return 0;
+ return 0;
bnctx = BN_CTX_new();
order = BN_new();
if (order == NULL)
- goto err;
+ goto err;
if (EC_GROUP_get_order(group, order, bnctx) != 1)
- goto err;
+ goto err;
#if 0
/* If anything, require a digest at least as wide as the EC key size */
if (BN_num_bytes(order) > sig->digest_size)
#endif
- ret = 1;
+ ret = 1;
err:
if (bnctx)
- BN_CTX_free(bnctx);
+ BN_CTX_free(bnctx);
if (order)
- BN_clear_free(order);
+ BN_clear_free(order);
- return ret;
+ return ret;
+#endif
}
static int
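Review bot: In the new OpenSSL 3 branch at L7206-7231 the group `order` is computed and never used, because the digest-width check that would consume it is still under `#if 0` at L7219-7226; as written the function returns 1 for any key whose group name OpenSSL can resolve, so the `EC_GROUP`/`BIGNUM` work is dead code that could be replaced by the `EVP_PKEY_get_group_name()` result alone, or the check enabled with `if (BN_num_bytes(order) > sig->digest_size) ret = 0;`. Either way the policy should be stated in a comment rather than left behind an `#if 0`: today any `sig_alg` with a nonzero `digest_size` is reported available regardless of the key's curve size. The function starts in the previous hunk.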
@@ -347,55 +588,119 @@ ecdsa_private_key_import(hx509_context context,
hx509_key_format_t format,
hx509_private_key private_key)
{
+#ifdef HAVE_OPENSSL_30
+ const unsigned char *p = data;
+ EVP_PKEY *key = NULL;
+ int ret = 0;
+
+ switch (format) {
+ case HX509_KEY_FORMAT_PKCS8:
+ key = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, len);
+ if (key == NULL) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse EC private key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ break;
+
+ default:
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+ }
+
+ /*
+ * We used to have to call EC_KEY_new(), then EC_KEY_set_group() the group
+ * (curve) on the resulting EC_KEY _before_ we could d2i_ECPrivateKey() the
+ * key, but that's all deprecated in OpenSSL 3.0.
+ *
+ * In fact, it's not clear how ever to assign a group to a private key,
+ * but that's what the documentation for d2i_PrivateKey() says: that
+ * its `EVP_PKEY **' argument must be non-NULL pointing to a key that
+ * has had the group set.
+ *
+ * However, from code inspection it's clear that when the ECParameters
+ * are present in the private key payload passed to d2i_PrivateKey(),
+ * the group will be taken from that.
+ *
+ * What we'll do is that if we have `keyai->parameters' we'll check if the
+ * key we got is for the same group.
+ */
+ if (keyai->parameters) {
+ size_t gname_len = 0;
+ char buf[96];
+ int got_group_nid = NID_undef;
+ int want_groupnid = NID_undef;
+
+ ret = ECParameters2nid(context, keyai->parameters, &want_groupnid);
+ if (ret == 0 &&
+ (EVP_PKEY_get_group_name(key, buf, sizeof(buf), &gname_len) != 1 ||
+ gname_len >= sizeof(buf)))
+ ret = HX509_ALG_NOT_SUPP;
+ if (ret == 0)
+ got_group_nid = OBJ_txt2nid(buf);
+ if (ret == 0 &&
+ (got_group_nid == NID_undef || want_groupnid != got_group_nid))
+ ret = HX509_ALG_NOT_SUPP;
+ }
+
+ if (ret == 0) {
+ private_key->private_key.ecdsa = key;
+ private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
+ key = NULL;
+ }
+
+ EVP_PKEY_free(key);
+ return ret;
+#else
const unsigned char *p = data;
EC_KEY **pkey = NULL;
EC_KEY *key;
if (keyai->parameters) {
- EC_GROUP *group;
- int groupnid;
- int ret;
-
- ret = parse_ECParameters(context, keyai->parameters, &groupnid);
- if (ret)
- return ret;
-
- key = EC_KEY_new();
- if (key == NULL)
- return ENOMEM;
-
- group = EC_GROUP_new_by_curve_name(groupnid);
- if (group == NULL) {
- EC_KEY_free(key);
- return ENOMEM;
- }
- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
- if (EC_KEY_set_group(key, group) == 0) {
- EC_KEY_free(key);
- EC_GROUP_free(group);
- return ENOMEM;
- }
- EC_GROUP_free(group);
- pkey = &key;
+ EC_GROUP *group;
+ int groupnid;
+ int ret;
+
+ ret = ECParameters2nid(context, keyai->parameters, &groupnid);
+ if (ret)
+ return ret;
+
+ key = EC_KEY_new();
+ if (key == NULL)
+ return ENOMEM;
+
+ group = EC_GROUP_new_by_curve_name(groupnid);
+ if (group == NULL) {
+ EC_KEY_free(key);
+ return ENOMEM;
+ }
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+ if (EC_KEY_set_group(key, group) != 1) {
+ EC_KEY_free(key);
+ EC_GROUP_free(group);
+ return ENOMEM;
+ }
+ EC_GROUP_free(group);
+ pkey = &key;
}
switch (format) {
case HX509_KEY_FORMAT_DER:
- private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
- if (private_key->private_key.ecdsa == NULL) {
- hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
- "Failed to parse EC private key");
- return HX509_PARSING_KEY_FAILED;
- }
- private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
- break;
+ private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
+ if (private_key->private_key.ecdsa == NULL) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse EC private key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
+ break;
default:
- return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
}
return 0;
+#endif
}
static int
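Review bot: The two preprocessor branches of ecdsa_private_key_import() accept different formats: the HAVE_OPENSSL_30 branch handles only `HX509_KEY_FORMAT_PKCS8` and returns HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED for `HX509_KEY_FORMAT_DER`, while the pre-3.0 branch does the reverse. The PKCS#8 fallback this patch adds to hx509_parse_private_key() in crypto.c re-enters with `HX509_KEY_FORMAT_DER` and the unwrapped key bytes, so on OpenSSL 3.0 that path, and any existing caller passing DER, fails for EC keys. As far as I recall d2i_PrivateKey() accepts both the traditional and the PKCS#8 encoding, so the switch could read `case HX509_KEY_FORMAT_DER: /* FALLTHROUGH */` followed by `case HX509_KEY_FORMAT_PKCS8:`; please confirm against the callers. The `HX509_ALG_NOT_SUPP` returns in the group-comparison block also set no error string, unlike the parse failure just above them. The function's signature begins above the hunk.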
@@ -512,7 +817,7 @@ const struct signature_alg ecdsa_with_sha1_alg = {
#endif /* HAVE_HCRYPTO_W_OPENSSL */
-const AlgorithmIdentifier *
+HX509_LIB_FUNCTION const AlgorithmIdentifier * HX509_LIB_CALL
hx509_signature_ecPublicKey(void)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
@@ -522,7 +827,7 @@ hx509_signature_ecPublicKey(void)
#endif /* HAVE_HCRYPTO_W_OPENSSL */
}
-const AlgorithmIdentifier *
+HX509_LIB_FUNCTION const AlgorithmIdentifier * HX509_LIB_CALL
hx509_signature_ecdsa_with_sha256(void)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index 0df91699b513..05f694b41c58 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -136,7 +136,7 @@ heim_int2BN(const heim_integer *i)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_set_digest_alg(DigestAlgorithmIdentifier *id,
const heim_oid *oid,
const void *param, size_t length)
@@ -436,6 +436,8 @@ rsa_private_key2SPKI(hx509_context context,
memset(spki, 0, sizeof(*spki));
len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL);
+ if (len < 0)
+ return -1;
spki->subjectPublicKey.data = malloc(len);
if (spki->subjectPublicKey.data == NULL) {
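Review bot: The new guard returns `-1` when i2d_RSAPublicKey() fails, but that value is neither an hx509 error code nor an errno, so a caller that maps the result through hx509_get_error_string() gets nothing useful, and the branch sets no error string either. A defined code with a message, e.g. `hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED, "Failed to encode RSA public key");` and `return HX509_PARSING_KEY_FAILED;` (or whichever code the surrounding function already uses), keeps it consistent with how the rest of this file reports failures. rsa_private_key2SPKI() continues on both sides of the hunk, so the convention used by the malloc-failure branch just below is not visible here; the new return should match it.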
@@ -1041,7 +1043,7 @@ static struct hx509_private_key_ops *private_algs[] = {
NULL
};
-hx509_private_key_ops *
+HX509_LIB_FUNCTION hx509_private_key_ops * HX509_LIB_CALL
hx509_find_private_alg(const heim_oid *oid)
{
int i;
@@ -1059,7 +1061,7 @@ hx509_find_private_alg(const heim_oid *oid)
* des, make sure the its before the time `t'.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_signature_is_weak(hx509_context context, const AlgorithmIdentifier *alg)
{
const struct signature_alg *md;
@@ -1077,7 +1079,7 @@ _hx509_signature_is_weak(hx509_context context, const AlgorithmIdentifier *alg)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_self_signed_valid(hx509_context context,
const AlgorithmIdentifier *alg)
{
@@ -1098,7 +1100,7 @@ _hx509_self_signed_valid(hx509_context context,
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_verify_signature(hx509_context context,
const hx509_cert cert,
const AlgorithmIdentifier *alg,
@@ -1136,7 +1138,7 @@ _hx509_verify_signature(hx509_context context,
return (*md->verify_signature)(context, md, signer, alg, data, sig);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_create_signature(hx509_context context,
const hx509_private_key signer,
const AlgorithmIdentifier *alg,
@@ -1163,7 +1165,7 @@ _hx509_create_signature(hx509_context context,
signatureAlgorithm, sig);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_create_signature_bitstring(hx509_context context,
const hx509_private_key signer,
const AlgorithmIdentifier *alg,
@@ -1183,7 +1185,7 @@ _hx509_create_signature_bitstring(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_public_encrypt(hx509_context context,
const heim_octet_string *cleartext,
const Certificate *cert,
@@ -1246,7 +1248,7 @@ _hx509_public_encrypt(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key_private_decrypt(hx509_context context,
const heim_octet_string *ciphertext,
const heim_oid *encryption_oid,
@@ -1289,7 +1291,7 @@ hx509_private_key_private_decrypt(hx509_context context,
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_parse_private_key(hx509_context context,
const AlgorithmIdentifier *keyai,
const void *data,
@@ -1318,6 +1320,30 @@ hx509_parse_private_key(hx509_context context,
if (ret)
hx509_private_key_free(private_key);
+ if (ret && format == HX509_KEY_FORMAT_PKCS8) {
+ PKCS8PrivateKeyInfo ki;
+ hx509_private_key key;
+
+ /* Re-enter to try parsing the DER-encoded key from PKCS#8 envelope */
+ ret = decode_PKCS8PrivateKeyInfo(data, len, &ki, NULL);
+ if (ret) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse PKCS#8-encoded private "
+ "key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ ret = hx509_parse_private_key(context, &ki.privateKeyAlgorithm,
+ ki.privateKey.data, ki.privateKey.length,
+ HX509_KEY_FORMAT_DER, &key);
+ free_PKCS8PrivateKeyInfo(&ki);
+ if (ret) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse RSA key from PKCS#8 "
+ "envelope");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ *private_key = key;
+ }
return ret;
}
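Review bot: The error string on the re-entry failure says "Failed to parse RSA key from PKCS#8 envelope", but the inner key's algorithm comes from `ki.privateKeyAlgorithm`, which can name a non-RSA algorithm (this same patch adds PKCS#8 handling for EC keys in crypto-ec.c), so the message will be wrong for those keys; `"Failed to parse private key from PKCS#8 envelope"` is accurate for all of them. Overwriting the error string here also discards the more specific reason set by the failed inner hx509_parse_private_key() call; consider leaving that message in place instead. The opening of hx509_parse_private_key() is above the hunk.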
@@ -1325,7 +1351,7 @@ hx509_parse_private_key(hx509_context context,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key2SPKI(hx509_context context,
hx509_private_key private_key,
SubjectPublicKeyInfo *spki)
@@ -1339,7 +1365,7 @@ hx509_private_key2SPKI(hx509_context context,
return (*ops->get_spki)(context, private_key, spki);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key_init(hx509_context context,
const heim_oid *oid,
struct hx509_generate_private_context **ctx)
@@ -1362,7 +1388,7 @@ _hx509_generate_private_key_init(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key_is_ca(hx509_context context,
struct hx509_generate_private_context *ctx)
{
@@ -1370,7 +1396,7 @@ _hx509_generate_private_key_is_ca(hx509_context context,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key_bits(hx509_context context,
struct hx509_generate_private_context *ctx,
unsigned long bits)
@@ -1380,14 +1406,14 @@ _hx509_generate_private_key_bits(hx509_context context,
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_generate_private_key_free(struct hx509_generate_private_context **ctx)
{
free(*ctx);
*ctx = NULL;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_generate_private_key(hx509_context context,
struct hx509_generate_private_context *ctx,
hx509_private_key *private_key)
@@ -1495,7 +1521,7 @@ const AlgorithmIdentifier * _hx509_crypto_default_secret_alg =
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key_init(hx509_private_key *key,
hx509_private_key_ops *ops,
void *keydata)
@@ -1509,7 +1535,7 @@ hx509_private_key_init(hx509_private_key *key,
return 0;
}
-hx509_private_key
+HX509_LIB_FUNCTION hx509_private_key HX509_LIB_CALL
_hx509_private_key_ref(hx509_private_key key)
{
if (key->ref == 0)
@@ -1520,13 +1546,13 @@ _hx509_private_key_ref(hx509_private_key key)
return key;
}
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
_hx509_private_pem_name(hx509_private_key key)
{
return key->ops->pemtype;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_private_key_free(hx509_private_key *key)
{
if (key == NULL || *key == NULL)
@@ -1551,7 +1577,7 @@ hx509_private_key_free(hx509_private_key *key)
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
{
if (key->private_key.rsa)
@@ -1561,7 +1587,7 @@ hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
key->md = &pkcs1_rsa_sha1_alg;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_private_key_oid(hx509_context context,
const hx509_private_key key,
heim_oid *data)
@@ -1573,7 +1599,7 @@ _hx509_private_key_oid(hx509_context context,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_private_key_exportable(hx509_private_key key)
{
if (key->ops->export == NULL)
@@ -1581,7 +1607,7 @@ _hx509_private_key_exportable(hx509_private_key key)
return 1;
}
-BIGNUM *
+HX509_LIB_FUNCTION BIGNUM * HX509_LIB_CALL
_hx509_private_key_get_internal(hx509_context context,
hx509_private_key key,
const char *type)
@@ -1591,16 +1617,56 @@ _hx509_private_key_get_internal(hx509_context context,
return (*key->ops->get_internal)(context, key, type);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_private_key_export(hx509_context context,
const hx509_private_key key,
hx509_key_format_t format,
heim_octet_string *data)
{
+ data->length = 0;
+ data->data = NULL;
if (key->ops->export == NULL) {
hx509_clear_error_string(context);
return HX509_UNIMPLEMENTED_OPERATION;
}
+ if (format == HX509_KEY_FORMAT_PKCS8) {
+ PKCS8PrivateKeyInfo ki;
+ size_t size;
+ int ret;
+
+ memset(&ki, 0, sizeof(ki));
+ ki.attributes = NULL; /* No localKeyId needed */
+ ki.privateKey.data = NULL;
+ ki.privateKeyAlgorithm.algorithm.components = NULL;
+ ret = der_parse_hex_heim_integer("00", &ki.version);
+ if (ret == 0)
+ ret = _hx509_private_key_oid(context, key,
+ &ki.privateKeyAlgorithm.algorithm);
+ if (ret == 0)
+ /* Re-enter */
+ ret = _hx509_private_key_export(context, key, HX509_KEY_FORMAT_DER,
+ &ki.privateKey);
+
+ /*
+ * XXX To set ki.privateKeyAlgorithm.parameters we'll need to either
+ * move this code into the *key->ops->export() functions, or expand
+ * their signature to allow them to set it for us, or add a method to
+ * hx509_private_key_ops that allows us to get the parameters from the
+ * backend.
+ */
+ ki.privateKeyAlgorithm.parameters = NULL;
+
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo, data->data, data->length,
+ &ki, &size, ret);
+ free_PKCS8PrivateKeyInfo(&ki);
+ if (ret == 0 && size != data->length)
+ ret = EINVAL;
+ if (ret)
+ hx509_set_error_string(context, 0, ret,
+ "Private key PKCS#8 encoding failed");
+ return ret;
+ }
return (*key->ops->export)(context, key, format, data);
}
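Review bot: The PKCS#8 path always writes `ki.privateKeyAlgorithm.parameters = NULL`, which the XXX comment acknowledges; for EC keys that produces a PrivateKeyInfo whose AlgorithmIdentifier carries no namedCurve, and if I read RFC 5480 correctly those parameters are mandatory, so other parsers may reject the output and the importer in crypto-ec.c (which validates the curve only when `keyai->parameters` is set) cannot check it on the way back in. Until the backends can supply the parameters it would be safer to fail the export for key types whose algorithm requires them, or at least to record the limitation in the function's header comment rather than only inline. The three assignments after `memset(&ki, 0, sizeof(ki));` (`ki.attributes`, `ki.privateKey.data`, `ki.privateKeyAlgorithm.algorithm.components`) are redundant with the memset; keeping only the `/* No localKeyId needed */` comment would be clearer. The function's header comment is above the hunk.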
@@ -1880,7 +1946,7 @@ find_cipher_by_name(const char *name)
}
-const heim_oid *
+HX509_LIB_FUNCTION const heim_oid * HX509_LIB_CALL
hx509_crypto_enctype_by_name(const char *name)
{
const struct hx509cipher *cipher;
@@ -1891,7 +1957,7 @@ hx509_crypto_enctype_by_name(const char *name)
return cipher->oid;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_init(hx509_context context,
const char *provider,
const heim_oid *enctype,
@@ -1928,13 +1994,13 @@ hx509_crypto_init(hx509_context context,
return 0;
}
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_crypto_provider(hx509_crypto crypto)
{
return "unknown";
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_destroy(hx509_crypto crypto)
{
if (crypto->name)
@@ -1948,19 +2014,19 @@ hx509_crypto_destroy(hx509_crypto crypto)
free(crypto);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_key_name(hx509_crypto crypto, const char *name)
{
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_allow_weak(hx509_crypto crypto)
{
crypto->flags |= ALLOW_WEAK;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_set_padding(hx509_crypto crypto, int padding_type)
{
switch (padding_type) {
@@ -1977,7 +2043,7 @@ hx509_crypto_set_padding(hx509_crypto crypto, int padding_type)
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
{
if (EVP_CIPHER_key_length(crypto->c) > (int)length)
@@ -1997,7 +2063,7 @@ hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key)
{
if (crypto->key.data) {
@@ -2023,7 +2089,7 @@ hx509_crypto_set_random_key(hx509_crypto crypto, heim_octet_string *key)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_set_params(hx509_context context,
hx509_crypto crypto,
const heim_octet_string *param,
@@ -2032,7 +2098,7 @@ hx509_crypto_set_params(hx509_context context,
return (*crypto->cipher->set_params)(context, param, crypto, ivec);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_get_params(hx509_context context,
hx509_crypto crypto,
const heim_octet_string *ivec,
@@ -2041,7 +2107,7 @@ hx509_crypto_get_params(hx509_context context,
return (*crypto->cipher->get_params)(context, crypto, ivec, param);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec)
{
ivec->length = EVP_CIPHER_iv_length(crypto->c);
@@ -2060,7 +2126,7 @@ hx509_crypto_random_iv(hx509_crypto crypto, heim_octet_string *ivec)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_encrypt(hx509_crypto crypto,
const void *data,
const size_t length,
@@ -2148,7 +2214,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_decrypt(hx509_crypto crypto,
const void *data,
const size_t length,
@@ -2365,7 +2431,7 @@ find_string2key(const heim_oid *oid,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_pbe_encrypt(hx509_context context,
hx509_lock lock,
const AlgorithmIdentifier *ai,
@@ -2380,7 +2446,7 @@ _hx509_pbe_encrypt(hx509_context context,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_pbe_decrypt(hx509_context context,
hx509_lock lock,
const AlgorithmIdentifier *ai,
@@ -2530,7 +2596,7 @@ match_keys_ec(hx509_cert c, hx509_private_key private_key)
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_match_keys(hx509_cert c, hx509_private_key key)
{
if (!key->ops)
@@ -2558,7 +2624,7 @@ find_keytype(const hx509_private_key key)
return md->key_oid;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_select(const hx509_context context,
int type,
const hx509_private_key source,
@@ -2638,7 +2704,7 @@ hx509_crypto_select(const hx509_context context,
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crypto_available(hx509_context context,
int type,
hx509_cert source,
@@ -2723,7 +2789,7 @@ out:
return ENOMEM;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crypto_free_algs(AlgorithmIdentifier *val,
unsigned int len)
{
diff --git a/lib/hx509/data/PKITS.pdf b/lib/hx509/data/PKITS.pdf
new file mode 100644
index 000000000000..3a56862a2ae5
--- /dev/null
+++ b/lib/hx509/data/PKITS.pdf
Binary files differ
diff --git a/lib/hx509/data/ca.crt b/lib/hx509/data/ca.crt
index b8e7bb789556..7aa8bcf7fa85 100644
--- a/lib/hx509/data/ca.crt
+++ b/lib/hx509/data/ca.crt
@@ -1,32 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIIFcTCCA1mgAwIBAgIJAJll+TTDkMFyMA0GCSqGSIb3DQEBCwUAMCoxGzAZBgNV
-BAMMEmh4NTA5IFRlc3QgUm9vdCBDQTELMAkGA1UEBhMCU0UwHhcNMTkwNTIzMTUw
-NTExWhcNMzgwMTE2MTUwNTExWjAqMRswGQYDVQQDDBJoeDUwOSBUZXN0IFJvb3Qg
-Q0ExCzAJBgNVBAYTAlNFMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
-vQovoPWtDeqaAUSXDD7gFfXXfxbI4M6yho6C+lc9JqnzeVYk5obeyM14Er+HHNS0
-pGJGvgelSeR0UCUmifr12zQT3hne/J225fobuO6UwcRNstTTaRxO1BdYSsIzixq+
-XJzDb3MRCY/TpE3AJZ5SqdXUexfFzCH12FXuMv4wvOlvrq2pbcKiRMBzgrWK756b
-LRR2uD9JjsN7KawVSZCRbc0gudiCX++kZAuIviv2G+kys81gBmZXJAVsVPrb+9+y
-wQXvRq2p7XPn6XpPndMHaQgD/2iNOTXbuBby0v71rheaOWFtYVbMseiB0rsdv6Ik
-Zl/L55usKDGzgLs8w6kPieDpebYmlXQW3V8LW+QyYHWvcdSmNcqej4Y+FiZqDjin
-xPzvqPVJQydVw/yi8gWILNLKB947O5O8NjSxhzHCjB+aIXgLx8uSXXY2EesR8lJz
-2SZKdCawut+kWSgHqH5UYf5IXKo+Skg+f1hWdjc44OZyMveMLzk4hTJZWYqVNxll
-OiBfz/Hke54CXaDKd4S1C3NVbrZ8w6NADaNQTMyFlHy2VEHDXRrqGrl0h0/4HIrF
-7i9ZKkz6uhr209chvFAuSbM4M5dPHE/bIMivVkk4UAm2Y1O9hAnzOMMtpkHnb4M+
-7fTwUXTLT4cSWurzcrAsIG20R3KgApQ95mQlw63gebcCAwEAAaOBmTCBljAdBgNV
-HQ4EFgQU/cZWcrzqghlIALCji/d5P/cm/CMwWgYDVR0jBFMwUYAU/cZWcrzqghlI
-ALCji/d5P/cm/COhLqQsMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9vdCBDQTEL
-MAkGA1UEBhMCU0WCCQCZZfk0w5DBcjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
-5jANBgkqhkiG9w0BAQsFAAOCAgEAAuwu6a/S/Jc05hjMKWx3VG5leTiUr+DyA+/y
-9kHP+FInHa+qd9xil2Ms1kvW4d+A8709On+Gfv96Tzw/FKIr86kgJScwQ5dWHgDV
-DN+ogZ9MLW7sjbShSGVrUuJti/nCax5nOw0yzBvkq5tBefDIt185pS+j8utNZYQT
-6A1DNVIjWZUywCXZDiAsSXmp+LmAI9fTyUsN5ioLgaVLq/GN8zAUyXmf+VLbNnM3
-k4ZsWmjU98GZYLwuf/cocBiJMf09kwJ3o2NIdb/hgaOjlmY15LehDLVbIuF+FVp3
-hEjohF43zcFxSOLlCLhCVhcM79mzZef+xT9iCtVPiWySEhalmfXIPQ6tTY80doLW
-Ed6HhmiRx0sW3yKFfINb12qk4hZJMCMoxBK1AZlEbaB2mQxzz6Iph3kOthIJxilf
-/2dmGGi76bT66zz/sK3kz8xHUr+DUCUyVSqDdxS8ODOL4fUxT570JjVZQtzQtD3G
-CAq41zsDMGByy+vp61CyU9qrq9OxX2POTQJ7LEegKqLeksGqfFclYnEFKe8VKJRL
-kDKIqCk7CeYF3t/7aaUNAHOfNSOiFyRYXYYZLCGmIQyujJFHDz2ziPn/OD/WMkVP
-090LkDNjg4FW+DT74Iyda7dl4YQAuE9oZdVk5ZBoruJOOIW7J3e8AuL9znmIBzju
-n61nXvY=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/ca.key b/lib/hx509/data/ca.key
index e635b57ccd09..83cff752b77a 100644
--- a/lib/hx509/data/ca.key
+++ b/lib/hx509/data/ca.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC9Ci+g9a0N6poB
-RJcMPuAV9dd/FsjgzrKGjoL6Vz0mqfN5ViTmht7IzXgSv4cc1LSkYka+B6VJ5HRQ
-JSaJ+vXbNBPeGd78nbbl+hu47pTBxE2y1NNpHE7UF1hKwjOLGr5cnMNvcxEJj9Ok
-TcAlnlKp1dR7F8XMIfXYVe4y/jC86W+uraltwqJEwHOCtYrvnpstFHa4P0mOw3sp
-rBVJkJFtzSC52IJf76RkC4i+K/Yb6TKzzWAGZlckBWxU+tv737LBBe9Grantc+fp
-ek+d0wdpCAP/aI05Ndu4FvLS/vWuF5o5YW1hVsyx6IHSux2/oiRmX8vnm6woMbOA
-uzzDqQ+J4Ol5tiaVdBbdXwtb5DJgda9x1KY1yp6Phj4WJmoOOKfE/O+o9UlDJ1XD
-/KLyBYgs0soH3js7k7w2NLGHMcKMH5oheAvHy5JddjYR6xHyUnPZJkp0JrC636RZ
-KAeoflRh/khcqj5KSD5/WFZ2Nzjg5nIy94wvOTiFMllZipU3GWU6IF/P8eR7ngJd
-oMp3hLULc1VutnzDo0ANo1BMzIWUfLZUQcNdGuoauXSHT/gcisXuL1kqTPq6GvbT
-1yG8UC5Jszgzl08cT9sgyK9WSThQCbZjU72ECfM4wy2mQedvgz7t9PBRdMtPhxJa
-6vNysCwgbbRHcqAClD3mZCXDreB5twIDAQABAoICAGl8N5ufu5NaZ9lxRsAkjbJz
-Xm6ibjFT5bbD6z56U7sxdpUshqbEd6ihTvFXQrPJ1Yss88CyT39uJaFbOaghC/Pn
-mXaEBTP9ZcPqznFhYEzHl3vE2rt6elpLNI9y0oQ6xiKzrzKPiOBHC5hRcnkLYaE3
-mrudRlhkUuUG/kYiJVwk/pcAfNyskRPAODSlzQNtA7YiByVE22z4k89rIO3N5/jX
-T/2kXQvfk2HoNcO4kDp+5DYE0iKAFPwaspqw6PQhnYOsJhrQaVQBK1XTVH4C9c2c
-FW7+Dl/wN8z/sTwf3UPqE7sVLI32e36C+X53v1/hwGIH7qYs7eH36exZjsy3l90o
-jbWvavSNB5U94rNVU42LuQUSL8ftAA9YjpmuqeZlhiumSGaz+ezC/BQ2SE0aUjyg
-/C4ZWTbwkMXif5p8DJng9vNofQJQ4qcLGnykan0tvI1naGNyVpvXcL+qGo5znN8E
-xH9hPZHk/axbV9U5sIhUM8IjGPCHldU9W+t+Ngy+k+yF9cYVQSwBnyeVM0dlWVOb
-Fy4kmXYxG7mZc6HI1aRg1Xd6rQadJ+5RkfPCa+2p2ZafoJIkNr+LbuTsri7AWlrf
-aI8MS27Wp6BmXL5YnofX2pFstLL4tStAknAMzK16RtYSs/dd69gbUdaTrmpVCi1s
-YzOmtNXFLZs+Lh0X+KgBAoIBAQDl6mycpf3clYkJ/sFaY1svX/L0Zs4BJqajKIuJ
-K1SoVCTtmiEcA0n9tZzEBp1rBgpAYdxkI8tWge6weel6Ckbunl8CLYZ0VvmAaYaJ
-/VHBzAorcH/RIlAUV/P5WSdGjtAnPK0TSdAARRppW1k01kO+XmIL/f0Mk+6KD4MX
-wgiKVKyutJ8/SjOkfzhpe/zyqAMZV0W1aDkq5focaIqy2pVZsuX47jWZyZeeCy8i
-OzpYzlCE9os+0sQU107LLcQ3YsmLFP93MA+nsatUaMzeXE5VcHsq1UbqgV3tEPgA
-QALbn7ulw6ChGzHrTyJc93dHWqGfqVi0incienn4NRnHZRYBAoIBAQDSfJQSLPBp
-UQL6kGkIPc0C8y836cNmrj5QZppbIyoTggA2ZTC8E+qKJ0rHrbzKkBZBwhLhmjcs
-qsGwuoOqQfdWW+1AAVIrjrjjoSwrT4CZqOR/vvu/2Rvb1DTxyq8Ysf4Ure/sjDUo
-EenufVQTqeBlYpvaIZirMPrvWNq0Ky7AHi5sUYQ0J6nx5uB4iwboWGB7aBf7KSh9
-hMXivYKI1hiHylkvRzGY91OCOsiHyqGrEC77lH4tMGexbkUxc+VnAhuwxdhDDJ3l
-34O4iMEhS10gBLYc6Gi174YmHQMpPvbjtcNQ8DjNDqWr7wBYhfUVw3aqpRs5D8JX
-Jxco6PRXM7+3AoIBAQC8gGr0NBPjGqb0ju4wEW3ddalYQEF+KBZPhxqAKAqMyBBO
-ziN/OCMd5BzXiyTdbmJRTurHH6HDF1x/TDTkXjCxyx7SRkkKcZS2d85arFqvrX5Z
-By+EY8GMLGBXe4T8EHMQ+GpeehITZpS09LQ64cFA/1kbw+4ItfDJONaeT/N4ltvN
-kUFPPqMAp120/nbw7Fc+G5OHnB/i0BMz33J4GUaB+G8cnRFNOT8Z0MmgIzc/QEg7
-+3dG1r7052IuqyNI1bGwWlLpgXoUX1K9Lf9p//wpiMMy5xHxiodbqqHqcpDlSB0t
-VysHa6iN6J+f4TTmR6RjpxCXVT9AAXKm0cKE/JgBAoIBAQDRbUCKoQoHT6KOGddX
-at4rnDkUAdP4u0+nAZ99JIy94jBB7wbBa3OGSDgAWx4n0ZtDjEzrCVzyZWfYZouQ
-gJgO5eI2N9pBGn1dh0SCR1UmDkRj0mt75BHy9L5FAayb/qVWgAXjL1HIb6J5N1vL
-QM/TMHzvWVQkqNRUBu18LCcU4jLAdY77sadG17fqWDHkReKhht2tebMeyFd4FaTm
-b1by7OM1xjlUAGmnfsN9UKDwqmaEzKeKYMobYSMZZD4Q8qkIhqF5fPkx+eV+WxsF
-/I1IyUdFlfxxYUPxchZuGIbf5D7Url9lr7gpTODkM0y6fcP5X9OpP8PWoT9K5hYP
-GZ8bAoIBADA78xaN+InvJYPY/a7mPmLpLm44KsCRvB/aYZmwQl00Cz1miOLZgKC0
-9crfkTdZKt8v/RZSAAduyiYMFNaXMBR9mNYCwmLzFfcNydI4ow6sJYr3nj0SOsN5
-v0XJp+cJxqlC2ZGNlNYZVGcoxXyM00PSAA1AL/oRyplC99o5DgLDhMr01ok1PuPQ
-7K3z06yCKBrAwEFXxzhI7YwdN97iY050TQLvOfO+conf5KIbb3EHycfeF0mM4OdO
-q4WdmPePVkve8PwRBdENjjrdgbUCPJV9Nk9MiAQOf5CpuH6SvuhhaRQTJgSJnxmN
-iW68RMhfob7KD8lBv9mlYZ4ZQSwJRtM=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/crl1.crl b/lib/hx509/data/crl1.crl
index 606efb7240e5..575f80ea7da7 100644
--- a/lib/hx509/data/crl1.crl
+++ b/lib/hx509/data/crl1.crl
@@ -1,16 +1,16 @@
-----BEGIN X509 CRL-----
MIIChTBvMA0GCSqGSIb3DQEBBQUAMCoxGzAZBgNVBAMMEmh4NTA5IFRlc3QgUm9v
-dCBDQTELMAkGA1UEBhMCU0UXDTE5MDUyMzE1MDUzMFoXDTI5MDMzMTE1MDUzMFow
-FDASAgEDFw0xOTA1MjMxNTA1MzBaMA0GCSqGSIb3DQEBBQUAA4ICAQBV451IywmB
-L153EAciLerLs05gqigj3qrqnmzS7AVV9u05u4bq/XYllIIWua7kCnGXmx0xqY+p
-FpFlS3BKrSIOkSHL4gpwMOmZmCssaOivd88/tHCGeOtMKz3q811m4q8MyfzEc+T3
-EHg6yjsCWrWbZmrM+A8MYO2S/XZOPG88N87nQxKYbrZA/SDspNODujdXdKFMI8Qj
-9xY7aqI6w9GYiTYDXrJ+2VGtFacYwVrY1Xk3pt7DoFbq6VwVfpsYHf0zRag/xfGW
-EbIQywJDhLuLWB3gtWTYnZ3MD2LS5uCEfolckuFBw66JOZCmUq66VscTHOE5d59q
-bld2YoPVUme4QJfYMygWgyi8rnN4YkSfYaCxnDPO9vFk968N6PA+py5jHjecyVw9
-ih2rXNIk/Ia2wvyN84MBu/vpC7GyD0bBpB+aMxQvHuNYUDDnIeMRCu+Hs2Td6U57
-lmdFudCxJ8S0kF6eCx5HdOrvyRtHagsGPt1aFLxnNEc2x4ewJa1iggTBcs+X5qXC
-pk6D5FDLN5TXooi9NbLFSCdLWpoMI+KOB40Ma3KaGej0a2pZiJe8j4EPQ6WhR6Og
-nZSdwCtgTyoynI6g6YeGzkD0ZzuPujt8rsyu+cBZOdxnhuAn7F1UtIcwE4jVmmca
-EuMR2oFhjnEH4ooS/kWmgmzGPEMixKSbpA==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-----END X509 CRL-----
diff --git a/lib/hx509/data/crl1.der b/lib/hx509/data/crl1.der
index f42512706a12..a6674231a379 100644
--- a/lib/hx509/data/crl1.der
+++ b/lib/hx509/data/crl1.der
Binary files differ
diff --git a/lib/hx509/data/https.crt b/lib/hx509/data/https.crt
index 0d393a8e1db0..54d5df11ec48 100644
--- a/lib/hx509/data/https.crt
+++ b/lib/hx509/data/https.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:17 2019 GMT
- Not After : Jan 16 15:05:17 2038 GMT
+ Not Before: Mar 22 22:25:10 2019 GMT
+ Not After : Nov 21 22:25:10 2518 GMT
Subject: C=SE, CN=www.test.h5l.se
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:b5:58:e9:eb:2d:b3:7c:94:b7:a2:08:ec:fd:50:
- c2:61:a4:35:c8:eb:ad:d6:93:4c:50:9a:ad:e0:9a:
- 00:ae:4e:ef:ed:5e:ef:d9:cb:98:a6:5e:65:7f:a6:
- 38:c0:ee:17:48:90:80:4c:6c:71:7a:11:af:11:22:
- 1b:17:2c:db:c2:cc:2c:d0:0e:de:ea:95:6a:d0:42:
- bb:b0:a1:eb:7c:9e:f0:28:64:dd:44:7f:c8:f6:d5:
- 48:e4:80:be:f7:58:18:d6:d4:57:7a:09:07:3f:23:
- d8:00:53:84:0f:72:e9:0d:a8:b9:49:57:80:f4:00:
- 9c:92:16:bd:a7:ea:12:81:96:59:48:8b:ff:b9:8b:
- 9d:68:e6:7c:0d:fb:c8:57:cc:ba:6a:4c:57:cc:e4:
- eb:af:cc:6e:38:80:e6:47:a0:f2:e4:09:39:79:fb:
- 42:c4:29:b2:8d:f1:8f:b9:45:1f:47:c2:e8:30:84:
- a5:e7:fa:7c:df:f0:07:89:1e:fd:6f:a5:1d:88:57:
- 4e:76:bf:91:c7:39:ac:87:6f:b0:29:0b:c0:04:89:
- 95:9a:8a:b3:4a:22:63:7c:26:e2:ea:fc:e5:f8:43:
- b5:67:50:0f:99:e0:9d:e2:2b:3f:fa:19:e4:61:1a:
- e4:c7:68:66:43:a1:05:15:24:c4:09:3b:5d:b4:3a:
- f8:87:d4:d8:80:cf:6c:ed:fa:b1:b7:7d:2b:68:ca:
- 3a:26:a6:49:1e:e7:27:fc:4f:89:7b:19:ce:8d:c9:
- 9d:cd:55:63:72:29:b1:2b:1b:35:a4:07:32:4f:13:
- f1:bd:03:1f:b4:fc:f0:05:c4:9e:b0:c8:72:37:2c:
- 0c:82:bc:d4:a7:87:d3:33:10:f3:80:fe:bf:61:1b:
- 5e:c0:5b:c0:09:3d:db:c0:9d:91:92:c4:7c:7a:eb:
- ec:b0:8e:69:a1:47:66:53:02:51:55:90:d1:e2:9a:
- 86:70:7b:63:d4:b9:03:18:c8:01:69:c6:e9:63:bc:
- 2b:b5:75:dc:03:5f:ef:b2:d3:3a:c8:db:3c:b6:3d:
- 59:91:fc:7d:96:bf:43:97:5a:40:d6:f2:f8:82:44:
- fb:9d:36:47:3f:3a:33:43:6d:9c:44:ba:60:1a:9d:
- 77:02:44:14:d0:73:99:53:6d:ef:70:34:0b:11:b1:
- 16:c3:c9:4b:41:66:64:4c:88:fe:12:8f:3d:4f:29:
- 2f:b3:e8:15:8b:26:5a:ba:f9:fc:6b:ec:9d:8a:d9:
- 65:17:de:e5:ce:a7:84:1b:1e:f1:ad:32:b3:78:15:
- 7a:08:e3:93:9e:e5:eb:3c:33:9e:d5:2a:21:20:62:
- 90:c7:d8:3e:d4:1e:0f:06:20:01:6e:22:a4:67:de:
- 68:f0:b9
+ 00:bb:ca:85:9c:3d:6b:5a:21:1b:2c:84:35:48:37:
+ bc:13:62:93:ff:7b:be:49:40:e2:36:b5:7a:54:a4:
+ e3:0f:b1:87:29:de:6b:7d:86:ec:b6:25:c5:9c:dc:
+ 13:06:57:4c:80:1b:86:f0:ac:e6:64:8f:aa:63:cc:
+ 28:49:5c:84:09:b8:0f:31:99:dd:36:d2:42:b5:aa:
+ df:31:f6:27:ca:c2:4c:50:11:5b:01:94:17:da:2a:
+ 5c:21:e5:b5:81:23:69:3e:4f:1d:08:48:95:57:30:
+ 77:96:ae:9b:78:87:10:e4:6d:90:e8:78:ad:19:41:
+ 3d:b8:91:1c:b6:04:78:52:e5:e4:3f:28:df:01:13:
+ da:aa:cb:24:cf:f5:93:f9:02:b8:c5:dc:47:fb:79:
+ e5:de:9e:19:b3:28:ab:2d:bd:73:48:0f:71:0a:b6:
+ 81:5a:6d:02:6d:9c:c8:c3:14:d5:82:bf:19:b8:d0:
+ 6f:58:32:6c:76:91:f3:07:6b:25:4a:59:f4:2d:c9:
+ 8d:da:ee:cc:30:5b:5b:d8:f3:0d:63:28:8d:9c:df:
+ 21:b5:3a:41:e0:55:d0:5f:f1:32:45:0b:6b:40:b6:
+ d8:43:0c:7b:28:3d:2d:7c:40:19:a2:e0:d6:a2:0b:
+ 32:65:a3:81:e9:1c:e5:6a:f6:61:7c:66:fa:c6:10:
+ bf:5d:1d:d9:c1:1a:67:fb:a0:43:15:ff:f5:40:5a:
+ 0c:8a:4b:48:38:d5:c7:77:48:19:f7:21:de:73:17:
+ 97:cf:03:d7:c3:84:22:38:ae:f2:be:d2:61:af:37:
+ 38:31:41:01:97:58:93:ba:80:da:bb:00:33:a8:2b:
+ 98:34:80:8b:00:1e:83:02:c4:26:3f:5c:51:a9:29:
+ e3:ac:b1:36:31:57:87:43:94:57:3a:17:f4:6d:34:
+ bf:23:b6:a2:56:d2:b7:72:7e:35:34:d9:58:46:c1:
+ 64:2d:3f:e7:ff:e4:fd:42:11:d9:04:98:ba:9d:88:
+ ec:e7:ae:bb:11:42:fd:00:cb:24:17:27:94:2c:a0:
+ 34:df:18:8b:7a:bc:39:55:6c:02:3b:44:cf:a4:42:
+ f3:e3:81:5b:d6:90:8e:78:d7:3f:4c:ef:6c:de:4d:
+ 7e:41:ce:87:8f:c0:38:a4:57:05:63:32:85:c3:de:
+ 88:aa:8c:0b:04:df:c3:86:64:4c:19:91:e1:e4:b2:
+ f8:f6:f3:fe:93:c3:3e:c1:b1:74:b4:72:ff:88:94:
+ 8d:34:a3:b0:9d:55:aa:fe:bc:bc:41:55:49:8a:f1:
+ ee:dd:fa:0e:a1:fa:b9:71:a7:d5:fc:b7:fc:ab:c2:
+ af:8f:bd:6e:48:ec:54:f0:f8:a8:b4:d7:6c:11:0e:
+ f9:16:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 91:03:3F:14:E3:BD:43:98:B2:D4:7F:46:C2:A7:B7:BB:0F:74:99:F3
+ AA:3C:0D:95:CD:14:0A:9C:A5:2D:09:6E:EE:5B:43:A9:AF:3F:6E:54
Signature Algorithm: sha1WithRSAEncryption
- 27:3f:d8:cb:68:c8:ef:35:ed:a0:50:d7:58:60:77:48:76:45:
- 7a:2c:20:22:81:62:e3:e2:0d:10:48:d7:74:23:95:76:fb:78:
- c3:98:d2:39:13:13:7f:2a:38:dc:2a:80:ba:33:0a:51:d6:9e:
- 0c:44:04:84:f0:ae:20:1e:e6:e8:89:09:cd:87:66:1b:80:21:
- e7:bc:03:e0:c7:15:19:23:b7:05:0b:f9:64:50:b6:6f:7d:14:
- 68:96:bb:4d:d6:c0:29:7f:e3:a1:48:c4:ad:6f:a7:bf:d2:63:
- de:b7:fa:4f:8c:5e:ad:8e:c8:7e:4f:a4:9a:95:71:29:10:64:
- 78:a0:55:ac:ec:9a:f0:27:03:2e:c4:ec:fb:4f:d2:a0:7e:98:
- 90:88:30:02:45:07:10:d5:ad:f6:a8:e7:01:6c:87:c7:2e:0d:
- d1:35:3a:e6:b0:e9:19:c9:c9:f7:ce:5e:77:d1:50:84:8a:c3:
- d1:f1:56:2d:6e:65:0d:6f:e2:a0:c5:0e:48:82:6e:da:37:42:
- fa:cf:5d:92:84:3a:67:bd:41:28:19:b8:81:1c:c3:eb:00:f0:
- b0:a9:59:17:79:87:4b:d9:4f:e8:cf:30:76:42:55:9c:57:00:
- d1:b2:2e:19:59:31:24:c2:9c:fa:c1:0b:54:56:a5:29:19:fd:
- 14:82:c0:3f:a8:d1:a1:c9:6d:1e:f4:11:89:50:58:4f:8d:8a:
- f8:f2:47:29:8c:a8:2d:21:1b:9b:ef:c6:1f:63:90:85:f1:c7:
- d0:40:a0:53:29:9b:49:6a:73:38:d2:25:95:f7:52:2f:a0:24:
- 1c:af:f1:f9:6e:78:d3:81:03:cd:3d:91:b0:99:45:fb:87:39:
- 6e:b3:7c:fb:f7:60:01:86:71:40:5f:85:8b:7e:fb:cf:95:df:
- 76:cc:7b:2c:06:d9:a5:cf:4d:f7:62:ab:57:2c:da:83:6e:34:
- bc:bd:d8:d1:d4:5f:1b:94:78:c0:d3:b1:8c:82:d7:b1:f5:2c:
- e5:30:bf:59:3e:d2:1f:a4:8e:0b:0c:d6:d1:fd:08:24:2c:31:
- cb:b0:e6:36:3f:d7:b0:46:99:e1:48:18:8f:9f:42:fd:44:cb:
- 6d:cc:b3:07:3b:7c:eb:44:d2:b4:52:12:2a:ba:c3:cb:f8:04:
- 65:02:27:61:b9:35:9c:0d:0b:70:a1:d4:e7:c8:49:91:37:03:
- 9e:8f:6e:a5:91:e8:6e:5e:ec:c4:17:4c:f6:dd:93:11:9d:40:
- ad:e2:3c:05:dc:22:ff:1a:04:d7:b0:d4:a4:c0:03:e3:ba:4c:
- 5e:b3:7a:bc:08:73:52:92:42:ab:7a:85:e1:64:e1:4e:b5:63:
- 98:a9:b1:fb:23:61:1e:d5
+ a3:ec:06:1b:66:b3:cb:a3:12:38:ef:30:dc:a6:a1:fc:d3:52:
+ d0:73:c8:a9:4d:0b:8e:02:2a:08:a6:4f:55:41:2f:46:2b:cf:
+ e9:04:07:9d:42:47:0d:88:64:1f:39:ae:d7:9b:30:43:47:f9:
+ ba:96:a8:2f:7a:6e:4b:22:9c:65:c7:9c:8c:c6:d2:f2:5f:a9:
+ fd:de:eb:9e:7a:13:b8:22:0c:59:15:90:ba:65:b7:08:3d:dd:
+ 2e:e2:09:be:47:53:25:0a:8c:d3:e0:78:e9:1a:15:8e:32:b2:
+ 5f:76:e1:68:3c:2f:33:3f:38:17:ff:3b:ad:43:b7:0e:87:08:
+ 97:6b:8d:a7:6c:3b:de:1a:18:3d:5b:74:0b:87:03:8a:49:b0:
+ 22:84:2a:72:f1:01:c3:b5:55:9e:4a:56:c1:96:6c:ba:9c:eb:
+ 58:ce:4e:53:fd:b8:99:02:c1:d5:62:ef:b5:44:73:1c:c6:4f:
+ 26:f9:8d:6b:e9:58:be:3c:4a:56:ef:65:6a:f5:71:1c:3b:8e:
+ f4:ae:43:44:ab:26:80:41:da:a9:6b:9b:63:49:bc:39:76:3b:
+ 1e:fe:a5:24:0e:4c:59:51:9d:47:c4:ce:2b:90:65:e8:f8:ae:
+ ab:aa:14:cc:d2:4a:cf:85:20:40:dd:80:49:ea:7c:98:04:ee:
+ 57:41:e6:bc:13:fc:28:5e:08:5c:ee:fa:1b:72:ea:80:e8:ba:
+ 7e:d6:34:eb:fc:88:f1:16:42:b2:bb:22:9c:e0:36:84:23:f5:
+ 20:86:dc:38:55:89:dc:0e:67:7c:c7:bb:2f:36:25:bc:ca:be:
+ 2b:1c:79:26:79:2b:49:17:3c:76:02:cf:f9:e3:8a:3f:15:69:
+ 2c:12:5c:99:93:85:11:c8:90:68:d6:f1:8d:87:30:bf:0d:ec:
+ 89:9a:f4:48:cc:26:95:c7:65:cd:30:cc:d0:93:c3:80:3f:ad:
+ a6:fa:7c:88:82:53:0e:9b:16:c3:dd:27:9a:d0:99:05:fb:2d:
+ d0:e6:fa:08:92:46:ee:dd:44:9d:56:b2:95:52:99:db:5a:20:
+ 16:c9:a7:a3:0b:a3:c5:d8:0a:b7:c2:cf:f7:95:a4:df:4c:f9:
+ 2f:69:a0:27:6e:0f:85:3e:76:b4:3d:6b:f7:4a:de:1a:de:a4:
+ d3:01:91:f1:44:59:44:2c:93:15:52:99:da:6e:93:b8:da:54:
+ b5:06:ff:82:9b:cf:57:0c:7d:06:6b:ff:ce:b9:c9:47:62:c9:
+ 15:f4:67:4e:57:12:74:d7:b5:31:53:cc:eb:d7:05:4d:34:58:
+ a9:5d:33:85:2d:72:6f:12:99:7e:60:63:27:05:74:8b:85:0c:
+ 0b:f9:b3:b4:e7:f6:4e:4b
-----BEGIN CERTIFICATE-----
-MIIFBTCCAu2gAwIBAgIBCTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxN1oXDTM4
-MDExNjE1MDUxN1owJzELMAkGA1UEBhMCU0UxGDAWBgNVBAMMD3d3dy50ZXN0Lmg1
-bC5zZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVY6ests3yUt6II
-7P1QwmGkNcjrrdaTTFCareCaAK5O7+1e79nLmKZeZX+mOMDuF0iQgExscXoRrxEi
-Gxcs28LMLNAO3uqVatBCu7Ch63ye8Chk3UR/yPbVSOSAvvdYGNbUV3oJBz8j2ABT
-hA9y6Q2ouUlXgPQAnJIWvafqEoGWWUiL/7mLnWjmfA37yFfMumpMV8zk66/MbjiA
-5keg8uQJOXn7QsQpso3xj7lFH0fC6DCEpef6fN/wB4ke/W+lHYhXTna/kcc5rIdv
-sCkLwASJlZqKs0oiY3wm4ur85fhDtWdQD5ngneIrP/oZ5GEa5MdoZkOhBRUkxAk7
-XbQ6+IfU2IDPbO36sbd9K2jKOiamSR7nJ/xPiXsZzo3Jnc1VY3IpsSsbNaQHMk8T
-8b0DH7T88AXEnrDIcjcsDIK81KeH0zMQ84D+v2EbXsBbwAk928CdkZLEfHrr7LCO
-aaFHZlMCUVWQ0eKahnB7Y9S5AxjIAWnG6WO8K7V13ANf77LTOsjbPLY9WZH8fZa/
-Q5daQNby+IJE+502Rz86M0NtnES6YBqddwJEFNBzmVNt73A0CxGxFsPJS0FmZEyI
-/hKPPU8pL7PoFYsmWrr5/GvsnYrZZRfe5c6nhBse8a0ys3gVegjjk57l6zwzntUq
-ISBikMfYPtQeDwYgAW4ipGfeaPC5AgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0P
-BAQDAgXgMB0GA1UdDgQWBBSRAz8U471DmLLUf0bCp7e7D3SZ8zANBgkqhkiG9w0B
-AQUFAAOCAgEAJz/Yy2jI7zXtoFDXWGB3SHZFeiwgIoFi4+INEEjXdCOVdvt4w5jS
-ORMTfyo43CqAujMKUdaeDEQEhPCuIB7m6IkJzYdmG4Ah57wD4McVGSO3BQv5ZFC2
-b30UaJa7TdbAKX/joUjErW+nv9Jj3rf6T4xerY7Ifk+kmpVxKRBkeKBVrOya8CcD
-LsTs+0/SoH6YkIgwAkUHENWt9qjnAWyHxy4N0TU65rDpGcnJ985ed9FQhIrD0fFW
-LW5lDW/ioMUOSIJu2jdC+s9dkoQ6Z71BKBm4gRzD6wDwsKlZF3mHS9lP6M8wdkJV
-nFcA0bIuGVkxJMKc+sELVFalKRn9FILAP6jRocltHvQRiVBYT42K+PJHKYyoLSEb
-m+/GH2OQhfHH0ECgUymbSWpzONIllfdSL6AkHK/x+W5404EDzT2RsJlF+4c5brN8
-+/dgAYZxQF+Fi377z5Xfdsx7LAbZpc9N92KrVyzag240vL3Y0dRfG5R4wNOxjILX
-sfUs5TC/WT7SH6SOCwzW0f0IJCwxy7DmNj/XsEaZ4UgYj59C/UTLbcyzBzt860TS
-tFISKrrDy/gEZQInYbk1nA0LcKHU58hJkTcDno9upZHobl7sxBdM9t2TEZ1AreI8
-Bdwi/xoE17DUpMAD47pMXrN6vAhzUpJCq3qF4WThTrVjmKmx+yNhHtU=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/https.key b/lib/hx509/data/https.key
index 1a1c28e5eac8..59d7bfd2ae52 100644
--- a/lib/hx509/data/https.key
+++ b/lib/hx509/data/https.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC1WOnrLbN8lLei
-COz9UMJhpDXI663Wk0xQmq3gmgCuTu/tXu/Zy5imXmV/pjjA7hdIkIBMbHF6Ea8R
-IhsXLNvCzCzQDt7qlWrQQruwoet8nvAoZN1Ef8j21UjkgL73WBjW1Fd6CQc/I9gA
-U4QPcukNqLlJV4D0AJySFr2n6hKBlllIi/+5i51o5nwN+8hXzLpqTFfM5OuvzG44
-gOZHoPLkCTl5+0LEKbKN8Y+5RR9HwugwhKXn+nzf8AeJHv1vpR2IV052v5HHOayH
-b7ApC8AEiZWairNKImN8JuLq/OX4Q7VnUA+Z4J3iKz/6GeRhGuTHaGZDoQUVJMQJ
-O120OviH1NiAz2zt+rG3fStoyjompkke5yf8T4l7Gc6NyZ3NVWNyKbErGzWkBzJP
-E/G9Ax+0/PAFxJ6wyHI3LAyCvNSnh9MzEPOA/r9hG17AW8AJPdvAnZGSxHx66+yw
-jmmhR2ZTAlFVkNHimoZwe2PUuQMYyAFpxuljvCu1ddwDX++y0zrI2zy2PVmR/H2W
-v0OXWkDW8viCRPudNkc/OjNDbZxEumAanXcCRBTQc5lTbe9wNAsRsRbDyUtBZmRM
-iP4Sjz1PKS+z6BWLJlq6+fxr7J2K2WUX3uXOp4QbHvGtMrN4FXoI45Oe5es8M57V
-KiEgYpDH2D7UHg8GIAFuIqRn3mjwuQIDAQABAoICAQCmrGPCHSzcEat9J4r5f2JI
-b65nTgVmM9duNdwdlC2QB0kI97qmiDNypUvQOKvs1mdb8EOa+giJ0vr+WkRf1oDc
-1t9REnnbTRzw8ISk4Q0YatP7rEiZjoDcLEdkjNf3aWba/CqyJN4eMAl0s02rDUgZ
-n7s8J0qD+JPuySviyoXbyJ2iydltZV51bXETQRhvaeDjlesUjEn6N4AOOpprtwfG
-gpvq+v3wYQqU3zHjbB5FzGOvRBtfzJ89CtVCN9Ni63TrPKMHDSck3mMtz38vGneP
-NAzmDxidyGF7WBozM+EBfumZXMIaAZHarzmL2oRGo3sls1RaUAHl3va2LXQAFDsa
-vwAZBc5vcoBvnBCmnQCGnOF4NLSvo+x1CBWpDl7hatUfO35D/aLtIPZh6RofEVCy
-IQAM/ScZfk9kGyy7QfoTiPNjzCx+YF8iXQV/04Q2E2/nHRhq5OnyL3gzXd5PWuzM
-SLsEcYZecAJ3K4OJCtXTMguaaPNQqdGbkBKW47/lun216QL2CVAeKcRnqC+xNJ51
-Rv9sQTMrBhByPZvhO7I6m0PA1CU5ACcVYHHx1zkVRNYbC9Wv8KSk3Nj3Yi0br8wO
-akPDFCUcA5VSysQ3Be5VxF5yUiwuAb+sjl1E815l+ElvVFH4I1AY8GyC1kgBg0Q4
-L3lTiKS7EVZJTOvDGgH4iQKCAQEA6ufkBK3t6JOgq1LRl5+XdSZtMklwh7/0E7ma
-Kwma55gpmiOZmEK5mkBowR2J7NS1XXtOJkV2oj9vVU6hFFipU/5eNTEc7FqhJzxs
-WPtsJmVrwzEXq9rTDQ+EsOoyfPamocg3eMeWIfpjtWue7rn779/enamkUVuxal+C
-Tpw7zC/V3cg8jvjOMktafCUGtO4GtsRyxJeiNxWkd1Dfb4WYkc9pye6m7SpciKUJ
-HunNtLzHuXCc0nlt60JffecGgfGl6M2rWDPROYR64WXmYufus4JrP/qdBiWYV9zl
-33NNuTRuLKitFQsPv12+MHB6vUWj2x5SpfH5sJAK0LiMRTQW9wKCAQEAxaHMdh7e
-Votke9cQ8n/AXAkczLEI2XnGUFYkqCirqw+kQhNyzyy0iO36N1bUY5GyaJP2xz4X
-gUYoxcNnnjXghiJ8aEqnrbpcS/4YxvgVf4wMDaBgc3PNFA5zrKplYDVzUT8rYsmR
-6m/q84CGcmPYelP/reVBpMqJKucB4vIY+tbBoF2jre1EPJBTjNggaHavQ+j5Hi6Q
-ec+n18KhXZt+vFKFHmkYxMweHnOFEMNDY5s7q5pwnee93f+2NCtYmcmkNaNRUMRf
-3N4t8HRPLbtObYYp9A3u8C8p3Zcj7GjiWA7uzKOB0hCQaf8zEKmVky5GuvawZhm3
-vT1FSKJ1aQXZzwKCAQA1xLh7nbg8KTZ4oK9a7mvDo/UQsqCwYe6jaTNxsHQlmL3F
-C2sH4BYNybpwoatFa3bMHAJKXlIGV1DLjQDv4E9561pzAHfnXeNPUNRYFcyuiT5+
-YklRy/fNIIU13ZWK5wZDN8oCumSSCHc0OpsZd7bENFEHc6IqATv95ji0d6x0U2q3
-pjK+YxMHjhn7GpqLZYRh51uBxleaFjkcGoXaSBEhJwHG9/p7hNvDZ0tMKSYtvZxV
-xQIQZz0SwZGMBwqFSeO5AwK6YLn+WWWrHCD8+Ku5qRuVfG7ezlItomF3oTPkNa0W
-SdG8ZFjJa9Kx0b02f68+45T1aQrHMGFZXzS0TnUHAoIBAHPAxZF1mQIVmKAUIj/2
-ZUNCrxSQqD9AXNAW9FdtosaJXcq5u2fupjsBL6mT+MfswRMRftvJ2ViFMEJMpfb7
-VWsa7cTj3PwbCA4WYIrBKU5QR4r/oR5d+ALESCocj03fYJB4sD+nEgi+zl0arSR4
-qIVVh45hlaYgXmC7dtZmuAzLFhOIZOLs8ieK3PTEbY7h3Nuoq6hq24INByCPRZYf
-CgbhSki6g6BYcVeij5B23ZSMilGDHmzOG93X9O7vaHCCsuQbqPfmXMNvena4mNuP
-NmtdxlrEgms5JIs+B/Nipxeuf11qcxIHU55Rs6YRvaK72v+Ml1rlu0Fijp7xUFVX
-8O8CggEBALa5eXFkbBLudIrvum4+trQDD1WWjUO6WmR+VuddKSsEsKj4q6ubbCEZ
-Dj4RyRNlDJ4yCaJtMFdfT8bjRcbLrHw5ZVgUpvtPBWGAvuVc9Tr/xq1Hn75w6isu
-BEeWN2DSWSofpWCaAQk20EKzXxkIrzgzt1Ht5t22wsZ9Def07G6eUWlRQy1hRbH+
-G8sv+E5soYm5/3mAcUuUqsbyCqm4zaxSPquvbuywYPjQXyU24tfr8TtQz3XiWpzM
-ZS0Wou4EgiJQUZGcwV8rX5j8ELSTNkm5UnBaLRWT/raG3s30F6B3WjLbsxr926mB
-2zmdO3l0e9ryWpkYHrKaEdZhkQx6ryE=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/kdc.crt b/lib/hx509/data/kdc.crt
index 6a0e32934a6d..a92fcc0a6863 100644
--- a/lib/hx509/data/kdc.crt
+++ b/lib/hx509/data/kdc.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:16 2019 GMT
- Not After : Jan 16 15:05:16 2038 GMT
+ Not Before: Mar 22 22:25:09 2019 GMT
+ Not After : Nov 21 22:25:09 2518 GMT
Subject: C=SE, CN=kdc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:ab:f2:c2:da:bb:d1:bc:5a:96:c0:76:11:4e:7a:
- 52:49:8b:84:ae:ca:44:4c:5b:30:ad:9a:6d:94:5b:
- 1a:52:3f:d5:9b:d9:62:4b:96:51:bd:e3:55:be:5b:
- 09:65:7b:3a:3b:2a:1f:9b:a2:95:e5:a6:f6:85:1f:
- 7b:35:b8:2c:55:14:19:13:91:bd:56:6e:5b:f7:49:
- 03:a8:53:01:16:27:53:8e:3e:71:1d:9c:dc:38:30:
- 38:c2:55:e3:58:15:bb:de:53:8d:2a:5f:68:b0:49:
- e4:7f:dc:38:57:fe:89:1b:6f:5d:52:fc:fd:cc:ef:
- 37:71:e6:70:13:3f:24:5a:a2:8d:b5:a4:90:4a:2a:
- 0e:e0:c2:6f:4d:0e:ef:ab:c9:2f:90:0a:ee:20:e8:
- be:6b:bb:4e:43:8b:56:9f:50:aa:e0:71:2b:0f:2b:
- b6:68:d6:11:c0:c4:31:b0:ab:32:a1:2e:93:54:6d:
- ab:d3:c1:84:4f:c3:fc:10:a5:fa:6a:ae:8c:80:05:
- 7c:54:4c:c1:aa:bc:50:ec:3c:19:9e:aa:df:82:0c:
- e7:6e:ed:c9:f4:46:3e:60:6b:81:d9:b3:d7:64:19:
- 5f:64:bc:b5:a6:f6:38:03:02:ab:f2:b3:ba:2f:4f:
- be:e3:c3:34:cb:d8:01:42:3d:43:81:9d:a9:4f:5e:
- 6f:14:d1:84:05:b6:f3:f0:9b:fa:b5:e8:1f:e6:40:
- e2:b9:ce:a9:eb:1c:c4:da:85:b2:6b:b1:c7:a5:91:
- 0f:a0:79:7a:85:b2:b4:b5:4e:a6:8c:cd:c6:45:5c:
- 97:d2:e8:3c:01:2a:77:b2:e1:a7:2f:ed:2c:bf:42:
- 77:94:a4:47:bf:c7:58:43:14:08:66:4e:5d:24:99:
- bd:5f:0d:e1:b1:56:f1:c3:db:97:f6:b5:22:92:23:
- eb:a5:f5:49:4d:76:80:4a:83:af:a8:17:31:38:b6:
- 3b:49:1e:37:5e:fb:e7:9e:90:1d:8c:b0:8a:c2:dd:
- 5e:1d:1c:2f:c4:71:aa:d2:2b:c5:16:09:f1:5d:63:
- 7c:02:dc:b6:e0:b9:f6:2b:a1:56:1b:20:8f:13:c4:
- 60:d0:21:c9:91:a4:43:de:f9:64:d8:4a:5c:4a:cd:
- 51:87:66:55:ec:9c:2d:10:b3:23:6e:0e:48:44:2b:
- 86:01:73:2e:77:28:5b:6e:43:09:ea:0f:cc:0e:da:
- da:88:f9:ef:6b:37:48:bd:e4:47:4a:4f:f9:72:bd:
- b9:c4:a0:bc:67:29:ec:5a:55:22:b6:8e:f0:23:9f:
- c1:fb:86:9c:18:59:43:4c:eb:b6:bd:2e:18:fb:44:
- ae:27:15:e7:3d:6d:9a:c7:6f:61:99:e1:7a:80:de:
- 64:a8:e7
+ 00:d1:73:ec:58:67:7a:65:30:ab:19:15:a1:bf:1e:
+ de:db:e5:4a:92:f0:99:8a:eb:02:6d:e4:31:1a:c7:
+ 4d:07:57:b1:82:9e:d2:d2:c7:f3:0b:b2:82:61:5c:
+ ba:38:c3:54:e9:e1:be:6b:5f:0d:22:62:2b:cb:d5:
+ 34:0e:63:0b:50:8a:8b:b3:be:6a:e1:85:dc:b1:28:
+ 13:ee:dd:6e:40:d5:48:1d:eb:aa:04:0b:e7:c8:1c:
+ 6d:60:54:b6:cc:be:52:5a:88:22:ce:07:2d:3f:cb:
+ fc:00:ab:8b:a5:e7:32:8e:b1:8b:03:d8:81:a2:69:
+ d4:9f:3a:ff:da:b5:e3:0d:e3:21:54:29:cb:61:ba:
+ 16:13:94:97:1b:72:24:6d:da:d7:d9:35:b1:57:f1:
+ 3b:9d:ee:90:76:4e:58:1f:4e:76:12:c6:89:2a:54:
+ bf:e8:53:5a:de:05:79:93:0b:41:2c:03:c5:30:58:
+ a8:e6:57:08:f9:47:7c:c0:3a:5c:eb:1b:33:68:52:
+ 02:19:08:e6:35:48:05:a7:51:22:89:1c:1e:c8:0b:
+ 55:73:b2:c9:75:f9:74:aa:de:5e:3a:54:f8:96:47:
+ cf:25:2d:75:e7:71:74:31:91:17:85:44:89:8a:16:
+ 88:ca:12:dd:0e:36:4d:e5:af:b3:db:d3:7c:53:8d:
+ 7a:08:69:92:72:81:c8:13:c7:71:96:8f:2d:54:98:
+ c9:63:10:26:be:59:8f:db:82:47:c1:29:c6:28:7f:
+ a0:16:bf:85:a2:eb:2f:2f:46:86:6b:77:1f:31:30:
+ d4:52:35:32:09:16:cd:48:ec:3c:4c:2c:03:e5:b9:
+ 90:e9:f7:b4:7d:97:91:31:27:4e:df:b6:bd:b6:ec:
+ ca:47:16:00:58:e9:87:4f:20:af:ef:4c:34:42:5b:
+ 3e:28:aa:cd:39:75:3b:6f:7c:b9:7b:50:76:67:25:
+ 31:46:f5:34:aa:c6:5a:22:77:b5:9d:6d:88:4d:f1:
+ e6:e7:ca:d2:d8:70:10:58:39:58:0f:ce:8d:b3:4d:
+ e4:f4:80:ca:31:75:3c:38:61:6c:d9:17:d2:aa:72:
+ f9:e0:ac:86:ab:33:16:84:e8:c8:de:58:9d:78:ac:
+ f1:2a:64:b8:e3:f2:cb:20:42:dd:f9:bd:2e:c2:84:
+ 6e:11:34:76:a5:c5:54:c5:51:9b:cb:85:d1:05:82:
+ 1c:33:d5:95:18:ad:4c:94:d2:7b:4f:72:23:ff:c1:
+ 4b:a2:ea:1a:3a:18:c2:f5:c8:08:76:00:12:25:e5:
+ ee:30:b9:8d:2f:0f:95:3d:70:ac:6a:eb:d8:c5:71:
+ 9a:cf:a9:a6:6a:ce:45:07:a4:41:de:85:fb:ad:e0:
+ 39:0b:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
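Review bot: The regenerated kdc.crt is still signed with sha1WithRSAEncryption (the unchanged "Signature Algorithm" context lines at the top of this hunk and again before the signature block), so the fixture exercises a digest that many current verifiers reject by default; if the generator script (not part of this diff) supports it, re-signing with sha256WithRSAEncryption would keep the fixtures representative of real chains, and if SHA-1 is kept on purpose a short comment in the generator saying why would help the next regeneration. The new "Not After : Nov 21 22:25:09 2518 GMT" moves the end date past 2049, which per RFC 5280 requires a GeneralizedTime encoding rather than UTCTime — valid X.509, but worth a note in the generator since it differs from the previous 2038 end date and changes which decoding path the tests cover. The ocsp-responder.crt hunk further down in this diff has the same two properties.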
@@ -56,67 +56,67 @@ Certificate:
X509v3 Extended Key Usage:
Signing KDC Response
X509v3 Subject Key Identifier:
- E6:0A:BC:C8:0C:58:A4:53:82:C7:15:E0:42:D6:73:67:26:2C:39:D1
+ 62:AF:D5:17:E4:9F:2A:8D:8A:CA:2B:05:E1:25:66:BB:61:03:77:EA
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- 31:6b:88:4f:57:8a:4b:7b:25:d8:53:0f:04:e9:52:a7:e3:93:
- 12:ed:bc:96:03:c3:ae:53:6a:10:60:76:18:85:1d:9c:b6:93:
- d8:92:d1:d8:e5:af:23:d6:64:93:11:f3:23:8e:ed:43:12:dc:
- 5d:1b:d5:49:b8:3d:fd:e7:52:58:a9:26:2c:cb:49:09:d4:54:
- 6e:e6:45:c9:1c:3f:50:b9:f3:13:65:84:45:a7:1c:23:48:ad:
- 93:c0:f9:b2:fa:1e:25:d0:40:d5:8f:7a:c8:8c:72:ba:88:22:
- 19:a7:3a:08:cf:7d:9c:45:da:3e:12:64:3f:b4:e0:c4:36:97:
- a9:be:ef:e2:4a:1a:cc:c7:f9:8f:4f:30:04:11:f4:16:cf:ff:
- 6e:85:f1:cf:98:3d:09:e9:f1:98:30:ff:a2:3c:d5:96:50:3d:
- cb:21:db:89:56:8c:f4:a6:87:e3:78:44:49:c5:53:c9:19:a1:
- ff:a0:0d:4e:a7:89:d9:11:52:39:21:b4:b9:21:e8:af:39:9e:
- 2c:41:3d:82:3e:20:b8:60:8a:b6:de:d6:6c:f3:b7:5a:10:ce:
- ba:92:a7:6a:0d:5f:22:e6:98:e4:2c:d7:2d:7a:d4:22:bd:15:
- ce:2c:79:7f:d6:d0:78:f8:d9:a6:e7:87:84:cb:0b:8b:1e:aa:
- 0c:57:4b:8c:3a:a9:e5:66:92:eb:00:b2:2c:05:1f:14:ab:23:
- 7a:61:b0:00:02:bf:24:42:8e:0e:1d:52:20:11:93:94:b5:2a:
- 56:33:f4:bb:63:21:ea:64:cf:d2:92:8c:70:7e:b5:f9:4a:c2:
- aa:a5:81:36:bb:76:cb:ec:98:bb:3c:8c:67:1a:0c:3e:97:f1:
- 4c:dc:25:e2:59:a2:6d:fd:db:54:ea:9b:14:5f:18:dc:2c:e1:
- 45:89:27:a0:b7:f0:09:57:94:b5:dd:9e:84:51:35:98:12:c7:
- 20:ad:75:4d:42:54:44:30:e2:b9:cb:25:0f:e0:a9:6d:d5:6d:
- 7a:97:b6:fe:b7:54:4e:83:ed:bb:4d:d3:80:99:2b:1b:ee:a1:
- 3b:b8:69:52:64:f7:d2:bc:2f:18:73:d6:8d:04:54:c1:3f:14:
- 05:65:fb:cf:c2:38:25:92:33:cc:f1:48:cf:e5:d1:a6:c2:57:
- 1d:06:d8:1d:a1:0d:d6:e6:8e:ba:b6:d6:88:3c:a7:87:02:bb:
- 32:47:82:aa:d6:5f:8a:69:d8:5e:38:99:a6:1d:09:a8:d5:b8:
- 4c:80:23:ed:83:67:5f:b8:8e:f2:c4:8f:8b:76:b6:a2:09:b5:
- 44:1c:70:d2:5b:61:cb:c6:68:f9:9b:93:72:5a:bc:08:98:80:
- 90:64:a7:d3:a1:f8:ee:b7
+ 41:29:9f:70:6b:36:28:cc:86:e1:4d:ae:25:34:b1:24:ab:f8:
+ 03:de:28:da:d1:13:8e:03:d3:5a:57:72:69:f9:04:1c:e0:1d:
+ 14:91:c7:a0:8b:ab:c7:61:6e:4e:86:2a:2a:40:22:10:10:58:
+ 0c:18:95:eb:d2:15:18:35:3c:fc:42:25:1a:dc:03:cb:ba:f3:
+ 81:80:d2:45:4e:c6:90:11:2f:e9:db:76:9a:e3:1d:0c:04:dc:
+ fb:d9:ec:bd:48:38:66:78:d6:52:c2:bc:ae:20:9b:1d:87:28:
+ 9f:38:fa:db:8f:17:1f:3e:29:85:17:a0:95:bd:72:88:0c:93:
+ 88:ba:8e:31:67:2b:03:b0:bf:3a:7e:e4:e2:82:f7:6c:36:1a:
+ d1:8e:7c:87:63:17:e4:68:7f:4b:e7:dc:40:b5:02:5a:62:be:
+ 54:ee:11:30:39:80:2a:c0:3e:8f:3b:67:cb:9d:9f:ee:c1:ea:
+ f1:4c:e8:55:24:6a:73:84:ef:82:ca:99:ec:84:05:5e:82:a1:
+ 52:40:5e:71:10:c9:c3:9b:18:ce:7f:50:db:8a:49:d4:b6:b9:
+ 5e:ef:13:4c:e8:be:76:2b:cc:f9:eb:9e:9b:4b:29:8e:ee:1c:
+ e5:bd:08:f0:50:63:e2:c3:94:20:2f:fe:cb:6a:ed:2b:2a:e2:
+ 51:44:3d:06:d1:b4:43:26:43:07:4d:c9:e1:4f:9d:3d:0f:a6:
+ 74:93:ff:51:74:c8:aa:2d:76:ab:93:6f:84:47:2d:70:37:d2:
+ 21:f0:cb:4d:a5:8b:df:91:4b:95:f0:ba:fe:d9:fc:f2:ed:b5:
+ e7:91:03:5a:ad:12:43:f3:ba:c8:a7:51:34:9b:40:bd:71:39:
+ af:b1:9f:e4:9f:3f:1b:27:a5:84:43:a2:c3:3f:52:63:a8:bf:
+ 8b:59:82:53:b5:26:64:16:73:90:f8:7b:7d:ce:f6:41:b6:8b:
+ 81:56:90:c2:ff:46:46:8f:63:3d:95:d9:f0:49:73:37:d9:14:
+ 2b:26:95:ac:19:29:1d:cb:c2:03:d7:36:4e:4a:39:3e:51:02:
+ de:aa:dc:6b:77:a8:57:ba:50:21:0e:8e:b7:48:bc:44:fa:45:
+ db:c9:bb:72:ea:e4:2a:7a:35:75:3c:68:29:5d:b9:57:0b:d3:
+ 2e:2c:4f:01:1b:f0:21:0c:fc:95:17:b7:40:be:aa:0c:f9:04:
+ 60:6a:d1:54:0d:b9:68:d7:e9:7a:f4:96:ad:f1:a0:15:15:c2:
+ 51:61:44:5f:0e:bb:98:d1:81:9f:c1:81:d6:e2:26:d5:11:56:
+ d2:cd:0f:9c:6b:69:f0:78:24:ff:bf:df:02:2b:0d:d1:83:5b:
+ 14:4d:c0:e2:80:47:65:2b
-----BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIBCDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNloXDTM4
-MDExNjE1MDUxNlowGzELMAkGA1UEBhMCU0UxDDAKBgNVBAMMA2tkYzCCAiIwDQYJ
-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKvywtq70bxalsB2EU56UkmLhK7KRExb
-MK2abZRbGlI/1ZvZYkuWUb3jVb5bCWV7OjsqH5uileWm9oUfezW4LFUUGRORvVZu
-W/dJA6hTARYnU44+cR2c3DgwOMJV41gVu95TjSpfaLBJ5H/cOFf+iRtvXVL8/czv
-N3HmcBM/JFqijbWkkEoqDuDCb00O76vJL5AK7iDovmu7TkOLVp9QquBxKw8rtmjW
-EcDEMbCrMqEuk1Rtq9PBhE/D/BCl+mqujIAFfFRMwaq8UOw8GZ6q34IM527tyfRG
-PmBrgdmz12QZX2S8tab2OAMCq/Kzui9PvuPDNMvYAUI9Q4GdqU9ebxTRhAW28/Cb
-+rXoH+ZA4rnOqescxNqFsmuxx6WRD6B5eoWytLVOpozNxkVcl9LoPAEqd7Lhpy/t
-LL9Cd5SkR7/HWEMUCGZOXSSZvV8N4bFW8cPbl/a1IpIj66X1SU12gEqDr6gXMTi2
-O0keN177556QHYywisLdXh0cL8RxqtIrxRYJ8V1jfALctuC59iuhVhsgjxPEYNAh
-yZGkQ975ZNhKXErNUYdmVeycLRCzI24OSEQrhgFzLncoW25DCeoPzA7a2oj572s3
-SL3kR0pP+XK9ucSgvGcp7FpVIraO8COfwfuGnBhZQ0zrtr0uGPtEricV5z1tmsdv
-YZnheoDeZKjnAgMBAAGjgZgwgZUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEgYD
-VR0lBAswCQYHKwYBBQIDBTAdBgNVHQ4EFgQU5gq8yAxYpFOCxxXgQtZzZyYsOdEw
-SAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC1RFU1QuSDVMLlNFoSAwHqADAgEB
-oRcwFRsGa3JidGd0GwtURVNULkg1TC5TRTANBgkqhkiG9w0BAQUFAAOCAgEAMWuI
-T1eKS3sl2FMPBOlSp+OTEu28lgPDrlNqEGB2GIUdnLaT2JLR2OWvI9ZkkxHzI47t
-QxLcXRvVSbg9/edSWKkmLMtJCdRUbuZFyRw/ULnzE2WERaccI0itk8D5svoeJdBA
-1Y96yIxyuogiGac6CM99nEXaPhJkP7TgxDaXqb7v4koazMf5j08wBBH0Fs//boXx
-z5g9CenxmDD/ojzVllA9yyHbiVaM9KaH43hEScVTyRmh/6ANTqeJ2RFSOSG0uSHo
-rzmeLEE9gj4guGCKtt7WbPO3WhDOupKnag1fIuaY5CzXLXrUIr0Vzix5f9bQePjZ
-pueHhMsLix6qDFdLjDqp5WaS6wCyLAUfFKsjemGwAAK/JEKODh1SIBGTlLUqVjP0
-u2Mh6mTP0pKMcH61+UrCqqWBNrt2y+yYuzyMZxoMPpfxTNwl4lmibf3bVOqbFF8Y
-3CzhRYknoLfwCVeUtd2ehFE1mBLHIK11TUJURDDiucslD+CpbdVtepe2/rdUToPt
-u03TgJkrG+6hO7hpUmT30rwvGHPWjQRUwT8UBWX7z8I4JZIzzPFIz+XRpsJXHQbY
-HaEN1uaOurbWiDynhwK7MkeCqtZfimnYXjiZph0JqNW4TIAj7YNnX7iO8sSPi3a2
-ogm1RBxw0lthy8Zo+ZuTclq8CJiAkGSn06H47rc=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/kdc.key b/lib/hx509/data/kdc.key
index bdb97b919a9e..1984f201178d 100644
--- a/lib/hx509/data/kdc.key
+++ b/lib/hx509/data/kdc.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCr8sLau9G8WpbA
-dhFOelJJi4SuykRMWzCtmm2UWxpSP9Wb2WJLllG941W+Wwllezo7Kh+bopXlpvaF
-H3s1uCxVFBkTkb1Wblv3SQOoUwEWJ1OOPnEdnNw4MDjCVeNYFbveU40qX2iwSeR/
-3DhX/okbb11S/P3M7zdx5nATPyRaoo21pJBKKg7gwm9NDu+ryS+QCu4g6L5ru05D
-i1afUKrgcSsPK7Zo1hHAxDGwqzKhLpNUbavTwYRPw/wQpfpqroyABXxUTMGqvFDs
-PBmeqt+CDOdu7cn0Rj5ga4HZs9dkGV9kvLWm9jgDAqvys7ovT77jwzTL2AFCPUOB
-nalPXm8U0YQFtvPwm/q16B/mQOK5zqnrHMTahbJrscelkQ+geXqFsrS1TqaMzcZF
-XJfS6DwBKney4acv7Sy/QneUpEe/x1hDFAhmTl0kmb1fDeGxVvHD25f2tSKSI+ul
-9UlNdoBKg6+oFzE4tjtJHjde++eekB2MsIrC3V4dHC/EcarSK8UWCfFdY3wC3Lbg
-ufYroVYbII8TxGDQIcmRpEPe+WTYSlxKzVGHZlXsnC0QsyNuDkhEK4YBcy53KFtu
-QwnqD8wO2tqI+e9rN0i95EdKT/lyvbnEoLxnKexaVSK2jvAjn8H7hpwYWUNM67a9
-Lhj7RK4nFec9bZrHb2GZ4XqA3mSo5wIDAQABAoICAHA3A/df76ausAd2hiDjL2ST
-ysmPczcppAEH8U+KjQj0Y+FL4xxVQ49bF5AdNWqnGv+Vo/8cAhtX9TY3r18FjNkR
-PrRIvnnzl80wN1TYprLgg2UnVwbuYcHBpqkdCDtqI6sad9wZW+cAskDHZXX3xV7E
-NPF97dyamWKZ8rZ81KrZvwW2Gfxsqj0AZ0aw4rUHnSSyHWoYunzwRklKXAOoz3ue
-H23NJ0QPwJI+9/bGI0qRbNECqcqOVl0AGDZ9O4n30/WQnu0dEp7sOxuQtV+ZQDhN
-V5RLVys11Gt0fc+n0H+hF2JUzW/i6/b6/WBs7qsFrhxSPthxZZDnDnE+hUoo5PBt
-OTn3eeyMBP4SdZmB8z3ekWeDd6qS+EnbEee0Y8CwW3YU2KKo5jRCpL18regVW0HW
-4t2NRjB4ioMLCSVrCukiWM6vPnStaeg5klTnb9GzsO99ruXNDSENjStEcoRCGjfk
-9OPb4inrKIcKiNxvfOOvXNtpi9+7UDR9w15oHscxU13LySMQVPc2TCwACx6G55iD
-MFGPDkDsm9m4Xee96To0abxiu/7Vc1H9lrnOMXfZP0DgNcOWFwa73QfSJvKwTl1w
-kHQTnk9yDYHgn/DPLAbhELxkNkIJNTz66tknhak8pkIFTsrTdEwMOqvdRCr9z7XL
-tStd7GcxCSVQskthkSSxAoIBAQDYYHjCGoEKojMUZzCbNDq+Z3ZiZ7m/sl8xduO5
-zUvY0sWuJi5ijOLfiGwDm+wEIannQhSnhVskevFC6ZXoynYufzSBD1z4wPsLpIwY
-TAxUB1NEHKBONWECiOpXeiEP0itRXxqoV4Gb9SFjrRbA/yvQqonNtMoeWZ/Sco1O
-CAzi20/LRtv/oMUsEzyOnvsDlHORIKgu1hpj/d/ik6e1F+k/1lqtzaRKLwPwgwfA
-LbLlYppu/6MzhAI5E3ujq3NeiqPU29tpxrQJnEOxPaPTrpwKjM/qBLF/H5o5e9Q0
-MkZFkPKQWLVQJFb+AWTWAGJzFdcw6X7KFURoafljsrN7DlPNAoIBAQDLb4YCUUDk
-pIzizpSuhhJCmh6B7/bSvoCr9pMwJadPhuADs9f4AZhaJGv745uxjaNx9seWCP4s
-4tEEhYFASzYyTfi6ChJZb+5+RJlkYkUplx1RVFCrEmi+X0Sy4SlhdTxTsnVd3Qtb
-0Ak7br422pc75YiEGf7Iz2k/ry8xif6pRsU7eeXm3e/rNIAr0x9RZ5aRl9Xg43N9
-GYcjdTK7G2KTUPYkRwFT/u3WK0DulTVnRX1+qraemq+fiyelox/SwY6n0c6K9hiD
-M21LOGBmjEirWU/OtCD6fsIYIilEu+u6RhyoKNWYwRxmdKQoKfow52gpyGU7lCI7
-plFXCFyJxeODAoIBAQDFwlZcQVETYO+ChFV+ZJwUDge7JMY2GFa8pMa5uJLL1sfp
-xOe8Frv8RXlDSyzJEeNxg4nRGicVDnCXEVp76x9cm9Jm6p20lNxd5cRNKKRT4GYP
-6IHzOQIzCOP1k5/ID/SbaGq61U+WNNKRgU88kXuAOX29TrE0UAGsnBnd6amtZXhm
-d5r25f+Pqv079L3CpdmCGPDd7b0tComnUgCDmRkLyWQTWdIAIzxcg8V/tcS9tgMj
-0+1bVhmaBN6J1leZXukh0NeWs481AWc1BPtIq1veoJgecK+xWjbgtvZZxmFHj5TC
-rPD6EFyZxrhchvlz6dBF2gKRvCJLtB/FKTy1CYE5AoIBAGFbqgKJ6EiEB3iz7Kvp
-Nevx3g/JS5Jn4SRrCN3N51hD8AlVlFH4UXUyYQtXTjeW1VXBCJthCmNo2ScUzVp7
-pCBG+HXwQ//RdY2wPsivzvGshDdb5o84bDBPX41L/IXLmWdkzI5zLvBtiz2KLjYK
-Pr5HhyHRXwGzYWc865UFuX5BhDqGh+QI6rzhj0Vp8F8A+CoNRCowMCD6ipYJjJHG
-9VITOPj7kkMkiaYpZRXJCpm1w+1Ovb8BwHLWIc8/VgeC4kamPfZ6+BgyEGgjPt9U
-26JFR9BgnDfFWhY6ow1l8dZfn29Ku44zPOg7giRGkpm85Ti50tjEd+2cFulT8xVs
-QwkCggEAJ5+tgWw3kHch4pK94R8hSzv5OzNQUZvdXYZk751/k92ZSrYeiZ7cj8de
-kcFLiQjY5pkOrkF7oKUKDZXyVU2BQN0jjX5/0Hqpwwj9gBXuXnit4J0mrPDFBEh6
-KcC2Cjw/ul7MdzWlJEdAgu0sR9EPIPmTO9pdziH2k6uNSfj1S+hIAPNQ1tvME4zg
-M+0THn2pVqhAZxBj4VREbGzk8tIBl1LZEx88REdSbe9FKcS/wiGCpnttQqL/WSu0
-9pXx0T27VSdxXoSQF3kVdEdQ9EEsfAi9t95UJqOfpkKamEefao3xDrE5whSddD+q
-HWEzextsObokaNciuMPKlJLizq1W+w==
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDRc+xYZ3plMKsZ
+FaG/Ht7b5UqS8JmK6wJt5DEax00HV7GCntLSx/MLsoJhXLo4w1Tp4b5rXw0iYivL
+1TQOYwtQiouzvmrhhdyxKBPu3W5A1Ugd66oEC+fIHG1gVLbMvlJaiCLOBy0/y/wA
+q4ul5zKOsYsD2IGiadSfOv/ateMN4yFUKcthuhYTlJcbciRt2tfZNbFX8Tud7pB2
+TlgfTnYSxokqVL/oU1reBXmTC0EsA8UwWKjmVwj5R3zAOlzrGzNoUgIZCOY1SAWn
+USKJHB7IC1Vzssl1+XSq3l46VPiWR88lLXXncXQxkReFRImKFojKEt0ONk3lr7Pb
+03xTjXoIaZJygcgTx3GWjy1UmMljECa+WY/bgkfBKcYof6AWv4Wi6y8vRoZrdx8x
+MNRSNTIJFs1I7DxMLAPluZDp97R9l5ExJ07ftr227MpHFgBY6YdPIK/vTDRCWz4o
+qs05dTtvfLl7UHZnJTFG9TSqxloid7WdbYhN8ebnytLYcBBYOVgPzo2zTeT0gMox
+dTw4YWzZF9KqcvngrIarMxaE6MjeWJ14rPEqZLjj8ssgQt35vS7ChG4RNHalxVTF
+UZvLhdEFghwz1ZUYrUyU0ntPciP/wUui6ho6GML1yAh2ABIl5e4wuY0vD5U9cKxq
+69jFcZrPqaZqzkUHpEHehfut4DkLbwIDAQABAoICAH37+GGEfH55M7E27b+D1hD2
+blDMH88LZL6sz0yILLEJ8l/bIHxggLS8fugJWoniFCVJ/7udxMy1uBo298TflmKv
+szA+jRNx7TkyHitDTZn5sBMvOWiNsLERSEj1K68jm22RDT5X2sPQ8peEl88GrcZe
+zHtXs0H53kaYumTXmuczg0yYhxkVUUodynZbxcW+KK8iOLXpCC8K3CINJbxO+X55
+pO+tYnFgEfwR1vq3fk/3RJi7+3vxRhiLA2KsuE9CYT2SdmiQjcfmtl/Z0agfHfS9
+vHyHQd6QWbidYJg9m/jo4JRAL/cyqu1VlIw4mXJR8514kzaFO324nbrQDqxDIO7v
+jvFL9SjnReVxUjfnQ7W5BackMn7rxaa4gGm3P1ZAYY0DrSBThlleKkuGhuOHaRFG
+P3uPjfar4ybGnozqCrVpuFJLOtQocdJpPBdQtS0WuE3sMOUkOV9HfqxusnS074on
+2qn3Yy7PhKBfqBYKVqd0l99QHjwr3/0VLjDpnVvvFZFDcH9uL9daD+JfZj3aaGdv
+bmPGwO4svlVEDzfScoI3NnReGEH/bgmdbaPBcSiX42NX12XHWZ55d9grQlJWdSw5
+W8+Dqy86/gCA0VJ4fKaJM5ZGbngOwjgCYZkNHyFo42/zTFSI1S9PiWTNAHPGqZyD
+nOjpXLR1N+dk0yBwpOQhAoIBAQDy5BeFO+mqp3NWHZXVoy+THqumajCR5AjEsbFl
+aWosL99Zk/avfA7G8orHXrAj1XEsGxkFtCnRUlg35LqMYK1tYYIk5NqdFCAeQUOe
+7NgNlicjiKG+a69bQ5TOtgmtdhIh+Uu1yNgbNelWJFizyxoFFFX7jp52utNWix3r
+x6LfTZmNUQqbFetuMKln0WzVwa0uqezzvxZ7oPLVeEc4LT7wtKTPDf6/VTfoeLoO
+JvvMb5cnKZGQmpC8Jub5mRkEFcUIGmbKM2G9sRFPNt2Lh08xVCDXEJSFZPiBpLGP
+6TvJ9DkKEd0Shj0VdnV9304XkcFdfjWIDHlfLJnzwn++Wx9rAoIBAQDcwdUVfsFE
+kVJtdWjtAAj1uSEAPDiggfDhTlOsJMQ3U7PlmdgiafNMKpzmLwqH8Pe5IK4Z9KZ1
+pT+d89udXGOUXhqU6kvxfVu3S7skE9r5DYS/kg7xXJerir+fGsZ5lGDqz90xYxhp
+ect5jOtsRxDlI7Vg5guUp30h8FsAdrP42jiUZxy4AkBdVuyqKAbl5ZtnV4eCk3fV
+iLyVmD27I6h8jnvGvPVODjpesuu7XzQe9ZhyAU/7JSsshLKoKIjwZSx77dhfqI9i
+pm1cwhKbT7opZa2zuXd1h/nDo4SLOfBRTQ+424NPhfk754HKup+lskXuedlumqhj
+z6V8QbfjVRkNAoIBAG+WxQuMC/1AMyfkLbtZ3niLxbaN4MSV7EVZkbOSq5mjYMyJ
+wvK6XxudwI55/RhpbjYiOOu66t9lImyDZAUsQWEYRC9pCNrTrTHZMBTqoRQU4ORd
+WFngpU6bjNkvHuEXdpsvKk5Y+Jf/u7S8vBfV/p1Iy3vn+Pt5N7Dx9wwkyromr54S
+FnpLpr8YEixFNeg6s7LVlKwjJVQlDItwV+ACQYFarMEHn/sNTsM5+9iWpmY0+k+e
+tGan7EjU4pbXdHvA+KWRY5oP4x7AI8Ct5zi8MHDsQq4ryuBCFD2TiZQhRjuxPSdY
+L6XcEGI06yOqHPmNGDY4zqUzfetw1UX9HK06tgMCggEAF5UZRz+QM9v2Wz0UpWTA
+kEdjkBvezL601czBQX13/JUTfa6OmTaKSBOxSSGzVUxXmk40aw9ojN7HSf9X8ZqC
+BMJ8wnW5ASYsGwubBUKdvMdF7BUVRZFnnmqnB78bfrdsFwl3jqQQYowhQW3dZGa/
+FktXP++zQwEVa/+6KPWFSks9ihTty3ZqG86CX7cA7aQ2kraWAkvwnD4ML0rhJVGs
+2Ql7jYJ4DguVDrK8XfrQnZIM4/jh62lQEGRolXAnGM8mDmMdHzLphldTDXqp9C9z
+KqLzCGUCruqEsvKP4TOiSX0a9dt1TpR4SH71rYt8LH473DrmEFuzK15uRjTbCQz5
+LQKCAQEA0hy4cQ07D32jcaN0xQ40Av8fO3dDwgcrSrTfBIk2naa7w9ssshhIFCWT
+pXC68HjbXJAm+FUmzp1wyj1ss+1CWSHD9sWPUwJj/T0fGSfpPKC5UpuvSMXRsych
+DX2WwGIExAHDF1vHlhc9mn26IZo+oZPA1X2SqurKz7RYuDXpiAdMQx1azjMuzQF0
+xBPoILyT4ZgDW1YCs87QF+Rk7x6S1HePF0dCDo6vke34ydZe+by/UnLhiGtbTtI7
+uBLJkF39dTie3vP+2I6eQbV+RUhhf1MGHSf8tVw7sIdtTbB3b7pEemMQhpyGJ02P
+RCBsiAswkZ1vTsDII1BKYPknuvgH9g==
-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/no-proxy-test.crt b/lib/hx509/data/no-proxy-test.crt
index 7e38cd9b564f..5f27bcd50800 100644
--- a/lib/hx509/data/no-proxy-test.crt
+++ b/lib/hx509/data/no-proxy-test.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFETCCAvmgAwIBAgIJAKQmPUkmhyKoMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTI2WhcNMzgw
-MTE2MTUwNTI2WjA0MQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MREw
-DwYDVQQDDAhuby1wcm94eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
-AJ++Eu48QHbj9zWx743IdmFihU06xR/IAezZPoZYhQsxw0kVQXNnC1sdGqpl7DWe
-IQGmokhpfRq0LPOtK4QhZBAqvpWohdreJfPrEM75U9LdPQXtKcbzV5hfz4tVUbcH
-jvgvH+M5Zyr1SvDWsK7/CEyNC7d9EYfLcVtas+uPtq6YWtRW7A1SeHiZKGPikkQy
-cSwtsqtyrbNyHvz32GdasW1exOLXwqH4dXNeO/C7EQCQu8gv/klWfKC9d3wBp+6h
-LQsXoTh3JqaszucAMhen4RihyRcofsEbWLpmzGIyIDIB2IQ/ZYwF1xfOFi7gTGFF
-Il80EdEvw8x7GcZFVMJUQzYH8rnHEU73bzAuEVJay4vR5SwWjGIgIcZl5gYWSGMq
-4VhLQisIVfo1hcLniPCSQH3GExCQ8QvVi8Ks8tkd+0zs/24B5HFzWHJspKSnuOya
-dZreKjAvNWPPflolipjKDORxocJDojIbW03cgZwHULRP6sU8H/dXnLBw8t9natJk
-zHGslG8rZoR61QHVcalk2qAzP78lhRfOU/XlGTkOX8zbfnaVS/O6IbBxhagtBApc
-Ms2aunf0H6fxyyzSAllAu+fnDsUMBhQWTkQmK2GmEEba8FYbS+K5rbn/fzn+xaS4
-+Lh3GaaPI67+2EwcDWdfBAzHC4Mj3UF2i4o3r3fAazHrAgMBAAGjOTA3MAkGA1Ud
-EwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQU3CICEd4bSVDR3MKEOFoAqRYt
-8jANBgkqhkiG9w0BAQsFAAOCAgEAMAG64y2s7lZi+1yZtIfvgBe/QwO0s3TrZVc/
-VTSmVgcsI4pOW9A2NYxJR5RwEg1fNAoKPz8+D/9FeZwVED8Q9xUAuvtEsr2npd6d
-ogQblbVBFkuQ+3Wt7ILYBKXgFQB+473yu91o/k7Mg07/2XsWMhkNspMpBo4frUo1
-7JlXH4wLs1pAGbhFZ7e4s+8Xm3zSPa9UuhYNDqwheeVulwiP4v4zf5DZD9iyFcYj
-9COnCYNvY2gSi+GaT712jLR9/0CUfFbiY02e6VS9TI8pvHlCbOaUAqTeYAr8GkpH
-qupkvOmTWwgubeK7BrDvuKJIavK8sN5mqK/KzFpzRjMzzppeuv/ArKMnjbr52BtG
-fZK8LxbeXuxbcqHpxRT2uFIoQAtIxf1oMYoqac2TNZ2V+x3nRMfsgW6JK+huoQpB
-Z9pyRNTGb5B6JNDaW5qeXmJz3zVKWFCRO9kwWajBDmQcd9A2BMukCtcWIDR9PSuO
-zqRXI64gh/Pm+pHrG+U8/m/WhEmMquJHjbeU7lpd7wiRwHyvGqka/pHIKt3Eozkh
-FCthDU5sK1pLWCyQU+DmrL3+LKJaL+Yiok0lKiPT42II3d0yVIeV6BtVHpFQLYBm
-rJHozXOvFEE1i8o4jl7mjvXJHfkUHgmpuny5RicuxOrE12YrdQIq4qyTZiskd4N4
-fDTnu7M=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/no-proxy-test.key b/lib/hx509/data/no-proxy-test.key
index 37d7f29962ff..9f304001c152 100644
--- a/lib/hx509/data/no-proxy-test.key
+++ b/lib/hx509/data/no-proxy-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCfvhLuPEB24/c1
-se+NyHZhYoVNOsUfyAHs2T6GWIULMcNJFUFzZwtbHRqqZew1niEBpqJIaX0atCzz
-rSuEIWQQKr6VqIXa3iXz6xDO+VPS3T0F7SnG81eYX8+LVVG3B474Lx/jOWcq9Urw
-1rCu/whMjQu3fRGHy3FbWrPrj7aumFrUVuwNUnh4mShj4pJEMnEsLbKrcq2zch78
-99hnWrFtXsTi18Kh+HVzXjvwuxEAkLvIL/5JVnygvXd8AafuoS0LF6E4dyamrM7n
-ADIXp+EYockXKH7BG1i6ZsxiMiAyAdiEP2WMBdcXzhYu4ExhRSJfNBHRL8PMexnG
-RVTCVEM2B/K5xxFO928wLhFSWsuL0eUsFoxiICHGZeYGFkhjKuFYS0IrCFX6NYXC
-54jwkkB9xhMQkPEL1YvCrPLZHftM7P9uAeRxc1hybKSkp7jsmnWa3iowLzVjz35a
-JYqYygzkcaHCQ6IyG1tN3IGcB1C0T+rFPB/3V5ywcPLfZ2rSZMxxrJRvK2aEetUB
-1XGpZNqgMz+/JYUXzlP15Rk5Dl/M2352lUvzuiGwcYWoLQQKXDLNmrp39B+n8css
-0gJZQLvn5w7FDAYUFk5EJithphBG2vBWG0viua25/385/sWkuPi4dxmmjyOu/thM
-HA1nXwQMxwuDI91BdouKN693wGsx6wIDAQABAoICAQCVA0tHf18nSOrf5PexjFGZ
-8Lym2W7vgbUCC3m++y5Izgf80d43V+WI/jJUyDU7oyHpF1eFMxpn4bGZMm5ImJlu
-V2Fn3EfZbqd6zUnluUHPj2AQejchhvishJvnvxQ2J8/fhp45ad/qe92Hos44wGEu
-f9hxNzM2OLqq3Ia/9FUWs7rvH5KdrtQAs+awnreQ9HkMHCjytEyC+68ajd0KNNkU
-THZfoaPHUi3GDB7gJrDqlRkG2nZcVVh23adrP2Q3P5T0JvvW35dnngZ4CH+x/4IE
-Z09d0gHEA82WPLTl2Rqda4ldfIIux3fple6tlcDKcCJrKvh/6g29XwwhH6W8jbwP
-Xq++ZK8SYY5Fk2puBzDGH/pX+ljxRh0jRD7FpsUwF+9Bk0aqkycbX+75T8R3LLXt
-mi2n/gBs5CyQHRBKnrui85KkM5nCQiYiUQbyilcbZSHOKPQi7bNGBK4/idEcmDjR
-iIwpV/lvAJPMetFJe+3c3CSqU8xHKz3vK97LX1qoQJE/ozUU+iCv6qVMUZjOCiNh
-p/Oa5/UWO1GDrM9rcmeufjwKu/OuZyoivi4Je4GDVVfPHswIyAg72bmhFmx0M8Qu
-+G9QidwDfRjezX/hFFtMqaC+PKyabHVfoNKm+bv/XjXq4mbsmUUK67qrZhdwyRyV
-XRIpnsBs6pEjmzUiQI21OQKCAQEAzWsewm+YCfmuY/W61Q88F4ew4CnYjI/saP0J
-kDOLNeKh/1UeWhAaHrZxW0c1F+R57aYMyQtzh92OQ7bd218DXwkzsdX5VXH4ThvK
-jW/hLe178RBABk9lWXYU3u1UndbfDH3FRa3fKfd7uQXoSdK02l9i9WtHFdSqv1uW
-jjXIC4tfBlIaN+H2KSvNAxmejcwfnCEZgdoUGfXbzyOaiIj/J8EORty7n4HdFM8L
-AUT+vNDARHKY/5L01Dp92bsWltibIFuCX53fPZ51ZCfNeDe3e/zgxr+VUL5VVy7P
-6r28ersysIzhDK3YiSMaCl9EI8YOHOedp1Gh6MO/taoRTp0mrQKCAQEAxxOyTG2G
-qzGqXgI1uduPo1DBfNKJYSA9d7lJneANjCtBj4ovMt2mzwojgPOaYj9lit5xnXFU
-qki8wZI1+xM8ylE7AKzUt/Jb7EE02QihUBgItFF1xyVIyvHDGrf9KRO7JVM2/erq
-NeF5Ol5eI61azNEzCAm8X47R5DvyYZApO/+gU2t9U2dNXJ9w+7YU3oeMxj+YMfud
-IZTmIXQgFVezwLf/VMSxJa5eeffCdCW6BKGArYvwk2eg7fbhCw6MDmOtAFOoI5Eu
-8zVlbvg/1IjJ+YEJZZqugzQxVL5x217dCnLdu1Hnf5SxvJ2cfoRbEIqJByVDSSxs
-Qe7PG8O59d+F9wKCAQEAs/Rk1Qc4FX0TZmSOUTpwdVic/jQKjlFDVVJfP2G4UfOB
-4ZJq7ZFvoHpJ4iIGhDDXE/dE+hc7FcplaDLaNuUMqgQAsol2TYFzetHj53YcucRz
-sOKAhEanzfChJg6Z81CaxHGmEX3ZpAU38QYY0htx7mBj7AYYFyrgjpUo1tqMrnhh
-PcNNTql4oebKSi32ddhd1MQ2eUhYFcoJz3QsW/JQPT5mSHP1Ni5pRGKBDJKp6zWh
-ShVurW7LZuT6/XRlvK5zb6xbEXLXcD7SLnSkDu4YotkM/XA22a50StUqtkWTyZ0X
-Mg2o1heyO6lxlaaRphlKoc3SkhL0mVprJzWexdTsXQKCAQAjoNnLJdrxLo1QD9Mv
-tSTK1LwcK83cbRmzIJ0VPTEPgfpUxyVVVCfza9wYywA5TyFMLi1lQRAm/aeSeSli
-CvpZNxp5L3VOinh7Gtxrb0j3faWpJ98NShXyBDynvn/3ZwmaT39LCEzsYbMBiDwO
-5IqYl2Qrrxpge74Cu9vQLC3FCCXYaCdg0t8ckYh19AteHCJMpLsHTwG7LdvV5uOL
-DkwkVInE0QLnPIK6D2ZkxQ+6nnDaHm5q4yQBEqsKAIt+U8Z1hYNVAjnF2yuRJaq+
-zdBf8AEPhxRudNvTT9YurZaftRkL2ke1JJZ+rDKCzgtCNZj6h2e4Y9PoJOY6ENhq
-MZvXAoIBAQCFrLrJwWFpRCAUGRygAVeyEMiSHhWuG38dHLrDd6t+8taoOSy2AsXo
-vPyCKAFwElan0cehYY31WTSg1L9KfnIw2S2e6dMJEiJidMj95v9+Vh5+X4WJeF6F
-WtwmgyN24p/6ymEPSuCeENAZQjyWFj1gT5jp0KjbCFYZ8V2ubERpNzt0CLqZ0zJb
-WTgptd/MKT398ENPU1fQRnFScm74SHnxbvhPzuhRI66vBC6ofx0Irx4KWfQaEGcD
-OzU0LeCarXE7JWSbG3+AHOglPYBRCQ3/KaTOZiDALR3KKaJ6od7EkPqNWzTUd23K
-IMZ41x5JPzpQTmrb056vt40ifw3+I946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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/ocsp-req1.der b/lib/hx509/data/ocsp-req1.der
index 650c87976956..e536ebbf9ba1 100644
--- a/lib/hx509/data/ocsp-req1.der
+++ b/lib/hx509/data/ocsp-req1.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-req2.der b/lib/hx509/data/ocsp-req2.der
index 1c010149a2f3..e224fa61d825 100644
--- a/lib/hx509/data/ocsp-req2.der
+++ b/lib/hx509/data/ocsp-req2.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-ca.der b/lib/hx509/data/ocsp-resp1-ca.der
index 38efc09e8cc1..228918c3522a 100644
--- a/lib/hx509/data/ocsp-resp1-ca.der
+++ b/lib/hx509/data/ocsp-resp1-ca.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-keyhash.der b/lib/hx509/data/ocsp-resp1-keyhash.der
index b3b3feb76509..250a1f1934a3 100644
--- a/lib/hx509/data/ocsp-resp1-keyhash.der
+++ b/lib/hx509/data/ocsp-resp1-keyhash.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der b/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
index ec51b0c94e4e..6ebbd840b56a 100644
--- a/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
+++ b/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp1-ocsp.der b/lib/hx509/data/ocsp-resp1-ocsp.der
index 864f8dc32d35..c97654a9acac 100644
--- a/lib/hx509/data/ocsp-resp1-ocsp.der
+++ b/lib/hx509/data/ocsp-resp1-ocsp.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-resp2.der b/lib/hx509/data/ocsp-resp2.der
index f600bd64d97e..d731f3834ffa 100644
--- a/lib/hx509/data/ocsp-resp2.der
+++ b/lib/hx509/data/ocsp-resp2.der
Binary files differ
diff --git a/lib/hx509/data/ocsp-responder.crt b/lib/hx509/data/ocsp-responder.crt
index 7df15421a7df..753ca5602606 100644
--- a/lib/hx509/data/ocsp-responder.crt
+++ b/lib/hx509/data/ocsp-responder.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:11 2019 GMT
- Not After : Jan 16 15:05:11 2038 GMT
+ Not Before: Mar 22 22:25:01 2019 GMT
+ Not After : Nov 21 22:25:01 2518 GMT
Subject: C=SE, CN=OCSP responder
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:a0:76:7e:fa:ce:3d:80:e7:2a:c4:1f:02:27:f1:
- 4d:72:1f:78:57:3f:30:9d:06:2f:d4:3e:64:15:a2:
- 16:78:de:9d:f9:db:81:b2:96:50:b4:e8:3b:c1:bd:
- 6f:80:00:4a:3b:b7:ef:5e:8f:20:dd:1d:6e:36:8f:
- e4:05:66:c7:17:7f:ad:5d:e1:1a:a1:fa:5e:d2:84:
- 24:fa:00:46:26:8b:e8:68:ed:c0:86:3c:45:f5:64:
- 0f:3b:00:cb:cb:3f:45:3d:98:11:f3:cc:de:e2:cb:
- e5:b5:91:59:43:99:41:86:79:75:a2:42:4e:5e:16:
- 7a:f3:0f:ec:e4:c0:e2:9d:b5:cf:9b:a9:ea:97:70:
- 7a:20:20:8c:30:56:4b:16:29:04:d5:c6:6e:ad:14:
- 73:2d:cf:23:a5:38:11:5d:c9:bd:9d:57:f3:1a:c9:
- ff:16:64:97:d5:60:0c:08:2b:1f:a9:99:3b:5c:ac:
- b2:d7:3e:d5:f3:32:62:6e:20:8a:c2:74:29:6e:aa:
- 35:72:1b:25:dd:d1:33:94:1e:87:e8:51:9b:35:45:
- 62:19:70:b7:d7:a7:64:48:02:08:74:c3:aa:2b:21:
- f6:bc:3c:b4:74:b7:25:7a:41:23:1a:5e:e3:1b:0f:
- 1c:cd:98:d0:1a:d3:f6:7a:4a:fb:78:cf:85:6d:02:
- c4:e6:be:c7:4d:ba:90:59:c2:33:13:5e:3e:89:3c:
- 76:9f:bb:68:03:cb:26:e6:bf:fa:fd:8b:54:42:69:
- c9:12:e8:57:e3:2d:72:f5:be:7b:35:b4:60:9a:a7:
- 3d:29:9f:e6:f5:38:5a:96:36:72:ad:d8:9e:26:0c:
- d0:2a:58:34:8a:dc:75:ef:ad:a5:f2:36:68:b0:6a:
- 1c:8e:c3:9f:43:09:5c:53:48:16:6e:58:4c:46:1e:
- a6:d0:d8:de:7a:85:d0:59:cb:10:e6:86:5e:a4:71:
- d5:8e:8b:4e:d9:a5:8a:8e:91:30:23:fc:22:35:fc:
- 78:8b:aa:66:2b:e2:f0:2f:c9:72:ee:ab:ec:a9:0f:
- 1c:ad:7a:15:f3:dc:7d:db:39:bd:e1:ee:88:de:04:
- 5f:43:d4:3d:7a:1b:f8:b9:9e:38:6b:06:8d:04:28:
- 5a:93:8b:2d:16:03:99:ac:60:a5:40:c3:94:10:0f:
- 87:0d:3b:db:74:59:fa:c2:5f:f7:ef:2c:87:29:f0:
- 76:7e:50:29:86:5c:cc:7b:89:6b:11:e3:b2:9b:aa:
- 9d:36:58:d1:89:ad:77:53:9f:e3:85:89:65:29:6f:
- d8:f7:79:68:49:c6:09:97:e5:fa:a2:79:23:b7:48:
- c7:da:98:ea:ba:bc:16:9b:3c:ca:71:0c:6a:10:08:
- df:ef:1b
+ 00:b1:21:1d:c9:2b:44:9e:62:fe:13:94:ea:a1:e1:
+ cd:17:0e:bb:4d:1c:62:27:ee:d3:f7:61:c8:26:c1:
+ 0f:45:fc:10:d8:39:c3:da:86:a0:00:30:d7:ad:86:
+ ff:c6:36:6c:f5:e2:26:8c:f6:76:1b:d0:09:b6:a5:
+ f8:cb:d5:88:fc:ca:ca:28:49:ed:64:2b:f3:88:4e:
+ 8e:ec:7c:63:b8:75:6a:cc:73:b6:66:6c:c3:7c:e4:
+ d7:50:95:88:12:84:e7:5c:50:87:db:4c:bf:91:98:
+ b1:3a:44:57:0b:1a:7a:f1:93:e3:4c:69:8b:9f:d7:
+ b9:20:8d:0e:cb:ff:de:38:6f:6a:91:55:1a:6f:a6:
+ 82:1d:05:f6:fc:46:8c:83:8b:ab:6e:3f:6a:6f:c5:
+ 0c:cc:ff:3c:78:74:d4:f8:56:be:59:60:d5:3f:4d:
+ 3e:e4:e1:4b:2d:c5:2a:d1:6a:7a:21:b9:6e:61:10:
+ 03:79:88:5b:74:f4:29:0d:56:d3:6b:d5:7d:8c:59:
+ 5d:4e:89:0d:a3:a6:8b:43:28:e8:e2:f1:bb:d5:eb:
+ 65:9b:c2:d6:62:aa:df:66:d5:92:dd:84:6c:29:28:
+ 1a:e8:29:b3:09:d1:45:14:44:cb:30:03:73:3a:94:
+ a3:a3:24:89:15:fb:ca:e0:a6:62:35:48:f8:92:50:
+ 3a:ff:17:d8:4a:1e:a0:9c:d9:68:cc:21:e1:c9:36:
+ d1:47:bc:f1:56:3e:87:18:10:0d:f5:56:9a:c9:79:
+ 16:c0:08:a0:59:65:b2:00:dd:9a:e9:97:e7:8f:85:
+ ee:cd:0d:20:5e:2d:58:ff:8e:e3:ce:4f:36:65:c3:
+ f1:88:39:dd:34:29:db:8c:ed:6e:c8:7b:30:ad:49:
+ 58:e6:f9:5b:85:46:0a:04:0f:9e:ea:ca:a8:2a:35:
+ 0d:66:f3:48:b6:e3:c7:e0:e8:a3:ed:6c:f3:e4:cd:
+ 1d:45:f3:e2:2c:6c:5b:91:b8:26:dd:49:d4:78:d3:
+ 4e:57:3a:b5:af:cd:3a:05:d5:89:63:f5:bc:73:1f:
+ 26:cc:2c:4b:2d:81:b3:5d:49:28:04:46:f8:24:5a:
+ 68:1d:06:1b:2d:be:56:f9:b3:f4:d1:50:2f:95:9b:
+ 9f:45:c7:62:35:bc:46:a9:df:c6:45:21:e9:1c:7d:
+ a8:2e:b1:87:91:0b:7c:fb:97:52:31:f9:41:73:ba:
+ 83:22:4a:80:f9:ff:f1:95:74:79:f7:20:95:f0:17:
+ 20:7d:ac:55:e8:b0:c6:b2:a6:56:c6:c0:cf:3d:78:
+ d5:9e:37:41:b4:78:aa:30:f0:2d:59:7c:6a:c8:68:
+ cc:91:09:13:f8:9f:04:e3:a9:86:c2:74:ba:f6:32:
+ 44:0d:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -56,64 +56,64 @@ Certificate:
X509v3 Extended Key Usage:
OCSP No Check, OCSP Signing
X509v3 Subject Key Identifier:
- D4:A0:90:A6:79:F7:F8:6A:CE:29:92:37:2D:36:32:22:B5:41:75:45
+ D0:3C:E8:05:07:BB:9A:96:36:88:44:AA:9A:4F:62:9E:9F:33:5B:03
Signature Algorithm: sha1WithRSAEncryption
- 1c:37:c2:22:e7:c3:1e:f9:b5:7a:9b:ee:fe:bc:15:89:cb:34:
- 59:2c:b9:c5:e1:c6:56:3a:da:6a:6b:08:df:f4:69:3c:5d:62:
- 4d:b9:e2:65:8f:23:48:30:8b:9a:a3:55:7b:8a:4b:d2:ab:8b:
- 85:31:78:09:45:2d:9b:fc:59:ad:67:0b:ef:20:b5:70:23:71:
- 21:26:d2:e1:c4:4c:54:8f:02:1e:84:35:ff:7b:67:90:05:7c:
- 25:2e:ca:13:a4:32:ba:0a:9a:aa:6b:79:53:81:6b:3b:95:fe:
- 17:51:57:89:71:22:6b:3e:15:06:6f:1c:d6:8a:9c:e1:49:67:
- 4b:3f:4e:f5:2b:b3:8f:89:5b:f7:c9:94:78:02:b7:f9:db:c3:
- b9:2f:b9:17:9b:0c:ba:e2:ab:49:e7:5f:0d:85:ef:4b:35:f2:
- 39:e7:4c:ef:6a:88:81:99:7e:a7:8c:b1:f7:d9:ec:fd:70:92:
- 8d:12:1d:22:49:3e:ef:62:54:92:34:e7:67:27:a1:5c:38:d5:
- 1e:b8:95:c2:9b:12:95:4f:8c:64:d6:c5:06:a6:bf:19:fe:c3:
- b7:fd:68:d7:7f:f2:7d:7f:aa:4f:71:7a:78:c2:af:b6:6a:5a:
- 56:cf:5a:99:82:4b:39:d3:83:03:07:b9:7b:35:31:6c:ac:4c:
- c6:8c:46:dc:d3:4c:57:3d:01:6d:5e:76:94:53:9c:ba:e8:42:
- d9:8b:2e:88:4d:9a:8f:12:c7:2b:cc:e2:f9:9f:1d:b1:5f:55:
- bb:15:4e:e6:f5:bc:7d:03:a1:00:47:b0:1f:26:0e:58:64:24:
- a8:ef:96:51:d5:66:cc:4b:0d:0b:37:16:33:ef:d3:a6:c2:05:
- e1:6c:38:b6:21:f2:c3:0f:3e:65:d0:6a:0f:37:4b:c5:db:01:
- 0a:ce:f7:c5:e1:4e:3f:55:aa:8a:51:23:7b:66:59:ab:20:64:
- 7a:0d:bd:dc:cb:79:46:0b:57:51:cf:6f:37:94:03:96:19:a5:
- 61:e4:a8:4d:7c:84:0b:b8:79:ba:22:8c:e0:67:0f:8c:ff:44:
- 02:3b:a2:54:6e:3f:f9:a6:d0:46:b3:ed:e1:d1:18:16:ea:4a:
- 56:b5:9b:a0:b6:ab:40:2e:6b:c4:8d:7f:75:c9:92:b6:ed:31:
- 92:1a:24:94:c7:67:16:fe:6d:9b:d1:f8:2b:25:9d:34:a6:18:
- 21:8f:33:5c:9b:81:31:69:c6:f4:b3:f2:51:2e:7d:17:96:50:
- 33:07:f6:f7:1d:df:62:bf:29:a7:da:8e:15:e2:62:83:36:a5:
- 77:17:f7:29:11:0d:cf:8f:e0:97:b7:24:6c:b6:64:78:8d:e7:
- f6:97:d0:1a:3d:ea:38:4f
+ c0:72:d2:af:26:74:de:f8:7c:96:bf:ab:d2:ed:95:d9:bb:0b:
+ 07:31:8a:4b:21:f0:b5:7e:ab:b4:50:b0:af:bf:96:64:ce:38:
+ 99:3d:f3:26:02:4d:5a:da:71:ad:6d:a6:f7:fc:5e:46:16:3d:
+ 9e:cf:95:a3:5d:0c:4a:64:a1:84:88:b0:31:0e:eb:54:cb:99:
+ 42:45:09:92:ea:b7:74:f5:fb:ff:c6:91:31:27:bd:54:55:9f:
+ 6c:bb:e2:45:4a:33:ed:00:a5:4e:e2:7b:2c:98:f1:3b:bc:f2:
+ 87:33:e5:22:d8:fc:a8:4c:90:e2:df:ce:48:c8:3c:56:43:6c:
+ ac:f1:f6:e0:75:c2:a7:f9:33:87:4e:75:a6:22:17:78:32:88:
+ aa:f9:2a:40:4c:e0:25:6c:4c:0c:cb:6f:1a:7b:13:0d:35:a6:
+ 23:86:42:75:3c:c1:69:c1:c5:79:77:51:4b:19:14:e7:4b:f9:
+ df:0b:30:aa:c4:97:84:6e:57:7b:00:b3:a5:31:c6:9f:17:f1:
+ b0:4c:81:f7:e6:df:e8:c0:d2:91:03:c2:e3:dd:94:c4:f0:ee:
+ 1c:73:1c:33:ae:91:60:fe:cf:48:08:0a:95:c1:95:28:af:31:
+ 23:a6:2a:1c:d1:6c:7f:68:e8:a9:a4:27:8f:6f:29:33:a9:48:
+ 0c:03:8f:fa:b5:ef:2a:9a:ce:ed:ba:74:39:88:ef:3b:d9:93:
+ 77:34:30:d1:a3:5c:9d:f1:3c:30:19:c2:ca:2e:41:5b:23:bb:
+ 6a:67:35:e3:e2:c6:6e:a0:3e:76:50:db:6b:ee:02:98:81:bf:
+ 75:ac:3a:78:4f:f4:fb:d1:7a:1f:85:1a:24:cd:b8:06:7e:95:
+ 28:85:2a:c6:41:23:35:08:31:59:ce:ad:a3:23:1a:7a:11:26:
+ d9:45:57:bf:ea:e0:72:3a:f8:48:e0:c1:5c:b3:20:93:b5:1a:
+ 93:75:ef:f3:19:9d:ed:5d:9f:81:73:21:02:96:fa:ee:c9:4c:
+ c7:95:1b:aa:65:b9:69:15:3c:ef:b3:f6:e1:f5:89:78:05:50:
+ d3:54:c4:c9:40:e5:5f:3e:bd:36:d2:0e:27:99:5e:83:e5:4b:
+ bf:72:84:13:64:8d:d9:db:69:8b:04:37:e8:db:22:46:29:84:
+ 08:83:40:34:d8:e0:bf:cc:5c:7c:b2:bd:c5:38:7d:59:e6:9d:
+ 8a:78:87:08:13:6f:a5:7d:2f:88:80:ce:e5:86:38:6f:53:b8:
+ 99:ba:f5:21:9e:8f:5f:aa:3a:07:73:9b:02:f1:97:1f:8b:52:
+ 53:5e:24:af:d7:b9:a4:3f:4e:64:c8:62:26:b3:c0:44:dd:bb:
+ 29:8c:b5:66:05:5d:fd:f7
-----BEGIN CERTIFICATE-----
-MIIFJDCCAwygAwIBAgIBATANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMVoXDTM4
-MDExNjE1MDUxMVowJjELMAkGA1UEBhMCU0UxFzAVBgNVBAMMDk9DU1AgcmVzcG9u
-ZGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoHZ++s49gOcqxB8C
-J/FNch94Vz8wnQYv1D5kFaIWeN6d+duBspZQtOg7wb1vgABKO7fvXo8g3R1uNo/k
-BWbHF3+tXeEaofpe0oQk+gBGJovoaO3AhjxF9WQPOwDLyz9FPZgR88ze4svltZFZ
-Q5lBhnl1okJOXhZ68w/s5MDinbXPm6nql3B6ICCMMFZLFikE1cZurRRzLc8jpTgR
-Xcm9nVfzGsn/FmSX1WAMCCsfqZk7XKyy1z7V8zJibiCKwnQpbqo1chsl3dEzlB6H
-6FGbNUViGXC316dkSAIIdMOqKyH2vDy0dLclekEjGl7jGw8czZjQGtP2ekr7eM+F
-bQLE5r7HTbqQWcIzE14+iTx2n7toA8sm5r/6/YtUQmnJEuhX4y1y9b57NbRgmqc9
-KZ/m9ThaljZyrdieJgzQKlg0itx1762l8jZosGocjsOfQwlcU0gWblhMRh6m0Nje
-eoXQWcsQ5oZepHHVjotO2aWKjpEwI/wiNfx4i6pmK+LwL8ly7qvsqQ8crXoV89x9
-2zm94e6I3gRfQ9Q9ehv4uZ44awaNBChak4stFgOZrGClQMOUEA+HDTvbdFn6wl/3
-7yyHKfB2flAphlzMe4lrEeOym6qdNljRia13U5/jhYllKW/Y93loScYJl+X6onkj
-t0jH2pjqurwWmzzKcQxqEAjf7xsCAwEAAaNZMFcwCQYDVR0TBAIwADALBgNVHQ8E
-BAMCBeAwHgYDVR0lBBcwFQYJKwYBBQUHMAEFBggrBgEFBQcDCTAdBgNVHQ4EFgQU
-1KCQpnn3+GrOKZI3LTYyIrVBdUUwDQYJKoZIhvcNAQEFBQADggIBABw3wiLnwx75
-tXqb7v68FYnLNFksucXhxlY62mprCN/0aTxdYk254mWPI0gwi5qjVXuKS9Kri4Ux
-eAlFLZv8Wa1nC+8gtXAjcSEm0uHETFSPAh6ENf97Z5AFfCUuyhOkMroKmqpreVOB
-azuV/hdRV4lxIms+FQZvHNaKnOFJZ0s/TvUrs4+JW/fJlHgCt/nbw7kvuRebDLri
-q0nnXw2F70s18jnnTO9qiIGZfqeMsffZ7P1wko0SHSJJPu9iVJI052cnoVw41R64
-lcKbEpVPjGTWxQamvxn+w7f9aNd/8n1/qk9xenjCr7ZqWlbPWpmCSznTgwMHuXs1
-MWysTMaMRtzTTFc9AW1edpRTnLroQtmLLohNmo8SxyvM4vmfHbFfVbsVTub1vH0D
-oQBHsB8mDlhkJKjvllHVZsxLDQs3FjPv06bCBeFsOLYh8sMPPmXQag83S8XbAQrO
-98XhTj9VqopRI3tmWasgZHoNvdzLeUYLV1HPbzeUA5YZpWHkqE18hAu4eboijOBn
-D4z/RAI7olRuP/mm0Eaz7eHRGBbqSla1m6C2q0Aua8SNf3XJkrbtMZIaJJTHZxb+
-bZvR+CslnTSmGCGPM1ybgTFpxvSz8lEufReWUDMH9vcd32K/KafajhXiYoM2pXcX
-9ykRDc+P4Je3JGy2ZHiN5/aX0Bo96jhP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-----END CERTIFICATE-----
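Review bot: The regenerated OCSP responder certificate is still signed with `sha1WithRSAEncryption` (the unchanged `Signature Algorithm:` line directly above the new signature block), so the new signature bytes are a SHA-1 signature. Since these fixtures were regenerated anyway, a SHA-256 signature would keep the test data usable if hx509 ever stops accepting SHA-1 signatures by default; if SHA-1 is deliberate here to exercise legacy verification, a short comment next to the fixture saying so would make that explicit. The same applies to the pkinit-ec.crt and pkinit-proxy-chain.crt hunks, whose new signatures are likewise preceded by `sha1WithRSAEncryption`.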
diff --git a/lib/hx509/data/ocsp-responder.key b/lib/hx509/data/ocsp-responder.key
index 98cdf65d0b18..140aaf807095 100644
--- a/lib/hx509/data/ocsp-responder.key
+++ b/lib/hx509/data/ocsp-responder.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQCgdn76zj2A5yrE
-HwIn8U1yH3hXPzCdBi/UPmQVohZ43p3524GyllC06DvBvW+AAEo7t+9ejyDdHW42
-j+QFZscXf61d4Rqh+l7ShCT6AEYmi+ho7cCGPEX1ZA87AMvLP0U9mBHzzN7iy+W1
-kVlDmUGGeXWiQk5eFnrzD+zkwOKdtc+bqeqXcHogIIwwVksWKQTVxm6tFHMtzyOl
-OBFdyb2dV/Mayf8WZJfVYAwIKx+pmTtcrLLXPtXzMmJuIIrCdCluqjVyGyXd0TOU
-HofoUZs1RWIZcLfXp2RIAgh0w6orIfa8PLR0tyV6QSMaXuMbDxzNmNAa0/Z6Svt4
-z4VtAsTmvsdNupBZwjMTXj6JPHafu2gDyybmv/r9i1RCackS6FfjLXL1vns1tGCa
-pz0pn+b1OFqWNnKt2J4mDNAqWDSK3HXvraXyNmiwahyOw59DCVxTSBZuWExGHqbQ
-2N56hdBZyxDmhl6kcdWOi07ZpYqOkTAj/CI1/HiLqmYr4vAvyXLuq+ypDxytehXz
-3H3bOb3h7ojeBF9D1D16G/i5njhrBo0EKFqTiy0WA5msYKVAw5QQD4cNO9t0WfrC
-X/fvLIcp8HZ+UCmGXMx7iWsR47Kbqp02WNGJrXdTn+OFiWUpb9j3eWhJxgmX5fqi
-eSO3SMfamOq6vBabPMpxDGoQCN/vGwIDAQABAoICAQCHnl8H3xPARKCyjXqnA5zv
-HYX6R1/w9u+ptOmmFw5jLdPa/xkJNV4U6ErJHjCEwLn86yKWiuW9vEgQOWEA57LR
-O4ntVHnL+O33gtQ1r9GadpkBRiB3061VDzKILc4Qg/MjccmKgtbGXIpTAPuu1HK7
-EyDG+L9/agSUNhuD4zolDSrgZ6XsRJYTXS7fE6/2lMiPXVzhT+1hBDceRtr2p7Fo
-sJK5S4wbAv4Iy1qf9MKX9vhjBVtJ7MOq/iSO61Ybr03tSFJPlH5WkZ/ESmGXipFh
-Xrjgw5G95K4u5fj7pvvF5LjCs5PZKYm1YCQo/5V2ozk20zbf1dH13jXYD5y3W6XK
-APscRKXMjP4sXBq1GrjSqeWbgHpLeL9Gct3E40ytNw93hkjWDdT8xihlDrekT/hQ
-bUcB+4ok1qXqurZzf7A49UGK9la/5/jHDMNvG0L5Ssecz9zPtEdA5dcTwVZtndmk
-QzrxykvHZPSlcTm4plySGMo0JWvDhBQlAZdnzkEF84OTkT1Irc0SXQ65N0N5ouRI
-p5f8/e6hjPKjhRetg7wYmgZbsR9HHFJQrGiSUeQi83PHmmJtn/EUCgFIiGDNkUge
-djIY4OSwk8vsfwVgw6Alc0X3pqOcc3jJpHtwtKvAHBaeI1+qXywqK6IeXMzKDNyz
-wP2Raxms7IVcTAEXdVs9AQKCAQEA07PS3OfV6of8E7l+kMdN3a2xrlMEtHVjGQ2L
-tzaUbn35mE9xDCCgaEjQcx2VU9imGrSnv24KFNPIzmzH6N2ftyCQ/8XVnerEGmle
-L4AMIEV9VUIIf3Au5oW0zw+pVU6my9Q40cBGnun84oUMW55mEA0QNrfQh4br10H3
-+D4Z4NYT64ecyvexX1a7oKGJTSBSWV4+KxS8Yk9Q9llLI9GEr+nXY2IwMKjjYpaJ
-g26AWhsnPy/xkGmus5ed10HkG67+fsHr/zmucDgI8Jj023nsnggiv1NrbrYld6QF
-1CyhA+dvza+o4jriLb77kVHc7wVrfVhxDRwloTmbHfvdgIt12wKCAQEAwgnxrvph
-Ko+kARo+00s0rlEAqHiJ21Ty8YWZQH2LuSN9BK3POWzKSQJpxRFzTKdhXU1FVU5r
-gULdsGlA0MSNoZxSgYkVJFywFR8SYHDekjIYyoLVtRxKepmLqVUHbefbvRDu8NVD
-7elBmgCinGWigPNlCsnxSN9HtQ+exhQAYx6eoLQzZfocyf/i4QVnRnHSj93yTTT5
-u/OmNEJPLEb9Tt5OoYRMHf4IR+rNxm+H474XrYdn01h2nNUkEG2L3W7qJXPocWSZ
-43HnNYuwFUKF78EghO3eGWLv7H4laD0MpF842eJmt2PGOGcWYOLpn2Df8fEPXOZd
-I5xnoY4BxVDPwQKCAQEAq90MjjHXw/JpfknUqgxi9lgQKwlShH3X2XrZtf8lOR4k
-BrZXfBTwpDiYoRufItZ64qtOk2Xt4UKdfpdpI27oPm69yCb/aJgyY46u27kEHx7K
-xPA6ndqg+JwLUR3RxmN3nXnINt/1dQVYOzzv72EEUnuIciN/ssahp7ryaCFiONkS
-it8pNs0mvdNXtuvs3yQiNlL//VF0LgteGuAa1BU/tuAL767CmH5DOsIjGQQYRw5M
-Kkvtu+NP5JRtm1burFrAWH9t62EUcB3NhCVogtTUdub77n72dIaCnEIYSUuB2/2D
-EmRMonxTKfglmq/uwEySGsw12wLCucReXVUfWT/eiQKCAQEAktIdaq4PmbnIegEW
-6qAsQ34NRmy2uxxjG3dgh5i3gaYlscWmWChGQ8osqC3VFXpNROD0BmFpHQywXAy4
-O3+OP2veTh+gvLvZjJHPQOQGtY5sjcdD11+Jx4ypTb6F+ZaIAV5vvhFQ7hMiTVoP
-sNGCjZodqXU2OlKgmpMwK2b1CAsiMi1H+vCumfYiAOwqwfXcQnnJHrxn/tyUtVQ7
-PiCVCPlTfAlz4vnV4Dz96Rl5NE0g82/SkuuMDI2GVVveifWj/CThC/P4MU59iVmi
-KeQFHm3+ojauaH0hV8v3mBEhoLpgdRVHbZp0YTc3iqYH6k3OBe7GFiBE924gR/EA
-zAGiwQKCAQEAtNHidzC/J8qQql9+DPczfpSSu5wiZPf7y3rLK5flByysg/TmnjG1
-21V5JnOETy69sTAqEz4pzuf14lsNHlz4fjUKo8u3LKLtmrYlfaM3XT8B1vGIkZYv
-XZ1U8DReOIgAgjDgs3MTHJZ2JeAo6naHNIheQDWm+PUuRfG2ojz8srfVFvp+6M8l
-yv7UOmSKJZTWc4KFntdsPv5leEw+Mm428mdnw+mqAspEv1i27JC5eJ9c3wi8IBus
-YDwA8sGkOyty1rELE28s8rOJ2LqT2Pf/SoZfvp2O1FUuU0T7Ma/zg+oYJ/heUkPu
-Nv1cW+onrP/nvshX+2f5xy2Yy6uQYK9Khg==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit-ec.crt b/lib/hx509/data/pkinit-ec.crt
index 7029daa66e5a..54435d387f1b 100644
--- a/lib/hx509/data/pkinit-ec.crt
+++ b/lib/hx509/data/pkinit-ec.crt
@@ -5,18 +5,18 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:15 2019 GMT
- Not After : Jan 16 15:05:15 2038 GMT
+ Not Before: Mar 22 22:25:06 2019 GMT
+ Not After : Nov 21 22:25:06 2518 GMT
Subject: C=SE, CN=pkinit-ec
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
- 04:57:a2:25:14:5b:a7:ac:55:9e:e0:ea:c2:92:98:
- c9:13:91:d3:c4:13:00:0c:f9:d6:29:a4:45:c3:53:
- f2:f6:92:8e:d9:ce:d4:24:48:56:80:1c:04:8e:13:
- ec:49:c1:4d:78:5e:f5:1c:d7:c2:0e:8d:93:da:a4:
- 79:18:6b:0a:9a
+ 04:c0:2b:8e:f3:0c:c3:1b:88:94:eb:4e:6a:12:f2:
+ fb:63:99:77:a2:13:7a:16:ce:48:dc:48:9a:83:91:
+ 5e:a9:b8:ab:17:77:94:ae:55:09:8d:69:4a:a4:a8:
+ 6b:77:12:01:fb:3c:6f:cd:b1:e3:02:be:63:b1:43:
+ 8d:8f:df:8c:75
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
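Review bot: The new validity end, `Not After : Nov 21 22:25:06 2518 GMT`, lies outside the range of a 32-bit time_t (which ends in January 2038), whereas the replaced fixture expired at `Jan 16 15:05:15 2038 GMT`, just inside that range. On a platform with 32-bit time_t the notAfter of this certificate presumably cannot be represented once it is converted to time_t, so validity checks in the test suite may fail or wrap there; if 32-bit targets are still supported, an expiry before 2038 would avoid that, and otherwise the dropped support is worth recording alongside the fixture. The same 2518 expiry appears in the pkinit-proxy-chain.crt hunk for the pkinit certificate.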
@@ -25,57 +25,57 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 1D:2E:2D:D0:63:94:5A:99:95:87:DD:A3:11:F8:82:5A:2A:43:2B:28
+ 77:9B:74:4B:75:90:50:CE:20:C3:00:9B:A5:23:F7:69:A8:C7:CC:34
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- b3:3e:84:9b:be:cd:a0:cc:21:dd:f7:12:41:90:8e:9e:25:30:
- 0b:2d:b5:1c:35:a1:15:76:9c:7e:dc:23:33:16:bf:ab:60:82:
- ad:3a:2e:4f:84:f1:62:21:7c:1c:a1:37:45:01:12:cf:99:aa:
- a3:b4:72:fe:c9:e3:bd:25:ef:4d:bf:b5:e2:ac:15:3f:b3:b7:
- df:78:2b:0e:2d:95:71:0b:c7:6c:31:54:c0:c1:e0:8f:00:10:
- 31:20:a6:5e:71:bd:d6:6f:45:cc:25:11:3d:ce:26:75:8b:ba:
- 03:3c:d4:87:89:c7:93:5b:d9:76:b1:20:96:83:07:91:34:05:
- 12:2d:56:e8:18:b2:4a:2d:ba:b0:59:02:65:81:60:3b:92:96:
- 7d:d1:c9:ab:bf:ac:bb:aa:f7:b3:a5:0b:de:e5:cb:0c:16:ac:
- 65:1c:da:6a:c5:16:43:15:b7:14:55:b9:6d:0f:f0:79:ef:b1:
- d0:6e:bf:85:fb:bb:93:6b:30:69:98:db:da:8c:f2:3a:e8:a3:
- c9:57:3c:d0:fa:7e:db:cd:48:93:7a:cd:af:a4:71:06:3d:a6:
- 94:b4:99:3a:2e:9c:3a:ac:2f:19:f5:19:1d:71:3d:96:00:74:
- c9:99:58:40:0d:c2:bf:cf:85:8f:dd:f6:ff:b0:cf:1a:84:6d:
- 02:87:4d:96:7d:db:2f:f1:8a:e5:39:30:8b:89:c4:8d:34:60:
- 05:85:96:92:fc:a0:6a:b9:df:54:53:e6:f3:9a:27:2d:bc:9d:
- 8d:a5:44:bd:81:83:d3:8a:d6:96:b1:71:b3:4b:40:b6:95:e2:
- 45:19:e3:a5:3c:17:af:a8:39:2a:52:68:e4:7c:0f:fa:fd:15:
- 07:fd:e5:e8:1c:cb:b3:2c:d4:97:21:7b:86:fb:fb:78:9a:6a:
- f2:71:0b:b7:2e:d7:df:96:cb:2e:83:2e:81:29:50:0f:e0:50:
- 0f:d5:34:7d:13:eb:a2:68:d2:a1:26:35:15:08:a9:ac:7e:f5:
- 8d:4c:68:01:a2:01:05:db:5b:7d:ea:ba:45:ea:34:93:db:89:
- 0e:46:58:6e:a3:6f:aa:4a:6c:ac:28:58:a0:48:cc:e2:75:54:
- e4:79:19:b3:d5:6c:c9:04:b3:d0:9b:51:f5:07:0e:e1:a0:07:
- 61:e9:53:dc:0f:83:3c:7f:54:7b:ca:7e:35:b9:6c:0a:e5:b4:
- 61:48:11:a1:92:27:1d:2e:57:07:67:f0:b0:66:61:0b:a5:15:
- d1:1a:10:05:34:90:52:a3:c4:a8:19:cf:3e:52:b3:c9:ab:49:
- e8:84:96:a9:9f:d7:bb:a4:43:2b:ef:b2:bf:8b:01:46:b0:48:
- e4:80:b8:3e:4a:ab:85:5f
+ 70:02:b8:13:0f:d9:2b:7a:e9:42:5c:82:6a:9d:ea:f8:51:dc:
+ a9:2e:67:ec:c3:cb:67:48:fe:6a:bd:58:86:67:c2:1f:d4:a0:
+ dc:7d:17:41:93:8d:e0:67:60:01:60:cc:34:1f:0e:b0:fc:9b:
+ 5f:f6:cf:91:2b:a3:ec:28:5b:80:ff:31:21:14:5b:3c:a2:5c:
+ 6b:3b:32:94:de:ab:03:d9:41:70:c1:4f:4e:49:4d:63:8f:9a:
+ 8b:be:14:87:b0:df:bc:64:83:e1:99:ce:e6:77:12:5a:43:e3:
+ 3b:d7:e9:10:5e:68:36:38:de:88:c2:78:af:97:a3:a2:4e:bf:
+ a9:2d:e1:98:f4:9a:35:ec:b4:2a:70:18:09:99:ff:80:fb:73:
+ 49:75:47:54:31:7a:e1:43:28:4b:53:71:81:92:4c:42:db:9b:
+ 52:38:ad:90:47:db:4e:da:75:6f:37:14:ce:56:6e:06:d0:40:
+ 8e:df:f1:71:23:98:ee:b4:43:b7:77:3a:1c:a5:a3:6f:3e:d3:
+ 5f:86:0b:6d:d4:b8:4a:2e:8a:e0:d7:d2:75:5f:ca:bc:9c:e2:
+ d8:b9:04:bf:ec:8a:1e:78:28:f5:13:73:9c:dd:2c:10:73:55:
+ cf:40:96:8d:8a:b4:1c:79:bd:aa:01:de:b2:de:c4:30:04:11:
+ af:d5:fb:cb:28:44:25:02:ab:b3:68:22:02:1b:99:b1:96:eb:
+ f7:f3:ad:6e:32:76:67:be:bb:78:bc:46:9a:1c:b3:8e:66:39:
+ eb:cb:d8:76:c8:06:e5:79:1e:f0:fa:54:3f:a1:ea:ff:60:e8:
+ fb:55:d9:1c:47:3a:e7:67:df:c8:69:1d:d1:9a:56:96:2b:01:
+ 79:ad:22:f2:7a:3b:e6:be:32:84:9a:e3:50:db:89:69:c1:3e:
+ 19:09:d5:b3:3c:2c:08:90:8b:93:aa:39:ae:48:90:ec:cf:79:
+ 3d:15:91:86:3e:38:0e:0a:99:b1:d9:78:14:59:17:44:c0:76:
+ 70:a0:7a:92:64:2a:60:04:aa:ce:6b:b1:d5:c1:3b:e8:1b:58:
+ 6f:7d:dd:dc:90:49:55:e1:37:5a:7b:75:89:da:08:c1:a5:33:
+ c9:f9:0d:4a:1d:08:e0:a8:be:3f:0e:a2:e0:10:71:92:50:f8:
+ 75:33:98:7c:be:c9:2f:c8:7c:b2:19:94:14:59:0b:1c:ca:bc:
+ 34:ff:03:a4:3c:f0:bd:ac:c8:f6:63:8f:59:d3:eb:65:e9:96:
+ 9b:21:a9:94:a7:7d:fe:dd:62:cd:77:62:6a:58:38:de:63:4c:
+ 0c:c3:ea:09:4f:6a:80:76:07:59:ba:15:d2:b4:c1:46:1e:11:
+ 50:5b:be:8d:8e:21:4e:78
-----BEGIN CERTIFICATE-----
-MIIDbjCCAVagAwIBAgIBBzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4
-MDExNjE1MDUxNVowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCXBraW5pdC1lYzBZ
-MBMGByqGSM49AgEGCCqGSM49AwEHA0IABFeiJRRbp6xVnuDqwpKYyROR08QTAAz5
-1imkRcNT8vaSjtnO1CRIVoAcBI4T7EnBTXhe9RzXwg6Nk9qkeRhrCpqjczBxMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBQdLi3QY5RamZWH3aMR+IJa
-KkMrKDA4BgNVHREEMTAvoC0GBisGAQUCAqAjMCGgDRsLVEVTVC5INUwuU0WhEDAO
-oAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcNAQEFBQADggIBALM+hJu+zaDMId33EkGQ
-jp4lMAsttRw1oRV2nH7cIzMWv6tggq06Lk+E8WIhfByhN0UBEs+ZqqO0cv7J470l
-702/teKsFT+zt994Kw4tlXELx2wxVMDB4I8AEDEgpl5xvdZvRcwlET3OJnWLugM8
-1IeJx5Nb2XaxIJaDB5E0BRItVugYskoturBZAmWBYDuSln3Ryau/rLuq97OlC97l
-ywwWrGUc2mrFFkMVtxRVuW0P8HnvsdBuv4X7u5NrMGmY29qM8jroo8lXPND6ftvN
-SJN6za+kcQY9ppS0mTounDqsLxn1GR1xPZYAdMmZWEANwr/PhY/d9v+wzxqEbQKH
-TZZ92y/xiuU5MIuJxI00YAWFlpL8oGq531RT5vOaJy28nY2lRL2Bg9OK1paxcbNL
-QLaV4kUZ46U8F6+oOSpSaOR8D/r9FQf95egcy7Ms1Jche4b7+3iaavJxC7cu19+W
-yy6DLoEpUA/gUA/VNH0T66Jo0qEmNRUIqax+9Y1MaAGiAQXbW33qukXqNJPbiQ5G
-WG6jb6pKbKwoWKBIzOJ1VOR5GbPVbMkEs9CbUfUHDuGgB2HpU9wPgzx/VHvKfjW5
-bArltGFIEaGSJx0uVwdn8LBmYQulFdEaEAU0kFKjxKgZzz5Ss8mrSeiElqmf17uk
-Qyvvsr+LAUawSOSAuD5Kq4Vf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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit-ec.key b/lib/hx509/data/pkinit-ec.key
index 846bb51aae15..0ac3fe4861e3 100644
--- a/lib/hx509/data/pkinit-ec.key
+++ b/lib/hx509/data/pkinit-ec.key
@@ -1,5 +1,5 @@
-----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgf0P72e36G4JST5z5
-hGIETF9eViQ6rCu3pu3793hC6DuhRANCAARXoiUUW6esVZ7g6sKSmMkTkdPEEwAM
-+dYppEXDU/L2ko7ZztQkSFaAHASOE+xJwU14XvUc18IOjZPapHkYawqa
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg38AlgS7f0d6rvR6u
+mLJVGl/UF04RYiIeWsVJYUNS7RKhRANCAATAK47zDMMbiJTrTmoS8vtjmXeiE3oW
+zkjcSJqDkV6puKsXd5SuVQmNaUqkqGt3EgH7PG/NseMCvmOxQ42P34x1
-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit-proxy-chain.crt b/lib/hx509/data/pkinit-proxy-chain.crt
index 15fd65fdc846..2b425bcb28f6 100644
--- a/lib/hx509/data/pkinit-proxy-chain.crt
+++ b/lib/hx509/data/pkinit-proxy-chain.crt
@@ -1,32 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIJAJd7zCsMMPvCMA0GCSqGSIb3DQEBCwUAMB4xCzAJBgNV
-BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMTkwNTIzMTUwNTE1WhcNMzgwMTE2
-MTUwNTE1WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD
-DAxwa2luaXQtcHJveHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh
-U0hTlQYhDONlH8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYa
-EernC2mrTxvSSy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQ
-iZy19sl6tG+kLZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJe
-pkPUAcjOOQZTd2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny
-8hoEHuc34+a/hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzM
-q2jRalsj/XlYCEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9e
-MFSv0ATDFoKi55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dM
-sYcqkl5uVZXPJxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbI
-NJBq1sWi6bO6+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0
-HJzeaqDwfmiT1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnX
-PTcaT8BSqQejfZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABo2AwXjAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUzoShaVViBQhilqB70YV+yuLcWIEw
-JQYIKwYBBQUHAQ4BAf8EFjAUAgEAMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcN
-AQELBQADggIBAL45/vKz88cBG7c11gyePde86H7qWgIKrWocohn6eoXF1p2ZkLvP
-na4o7WVr/WC7t4DiBZVUNVvrqss/nOI3wMVjU9Mn9wrJbycvrVPAWH1nIhlKR3gM
-H8PTcZiHI+Vf14aHTjeRFEXxy0i+K7JxtKRQC/Bi+MuwnBvPwvar3tqFLXprRk4p
-p42I7/ngT8WcAzz/LWj0rWYNl/TEFU3esDBr3rz+B5TFVcp2dLpcZW7ScFRh9bLT
-OwJ/QNhzvnH5cwsWlb8cpDTFVeyTOBgqh9t6ut6SnDfCu03xIBVuCk+P5KhOGWAS
-3cOVqvGn3Y3q1glE2XdKgyYqU2z3itneUyiCeopItFaKZIV52s4WuIuGO+PK8XOi
-QhwtnsWO91toEFUpUNkxf/C6C61G4xuvHeMVLdTzO1Xi5kuHyN9gD8rLAuUfaV1c
-Zv3f2S8WpvEGkSSu8Ap1k3ExfIaFhgxzu3pjGL5e6YV2lK9d/UGXOpDRFZOUuoRm
-dyowQcF3XcH6zTDu+ThXlPSq5bkjrnMnNt2z2LfqGb/GFp1vl11LsXeLgpHmFTq2
-4umDDUwMHVzrmFoa3BtUkgO3BUoSrt2l63TFqTQZgZAf/D042jBcmOhV6Mt5MsDK
-MFZkoYjtv+8jTeRwxP2zi3EceCvGkV1Mf3t2/h4wYGa25J6HFq86VVRU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=
-----END CERTIFICATE-----
Certificate:
Data:
@@ -35,48 +35,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:15 2019 GMT
- Not After : Jan 16 15:05:15 2038 GMT
+ Not Before: Mar 22 22:25:06 2019 GMT
+ Not After : Nov 21 22:25:06 2518 GMT
Subject: C=SE, CN=pkinit
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:bf:4b:44:8f:d1:dd:56:18:41:5c:c2:c4:2b:ff:
- 28:e6:7f:68:26:d4:0f:08:e6:af:dd:72:28:9b:ec:
- 5f:5a:2f:f1:9a:7b:21:0f:c2:01:96:d8:85:32:20:
- 5c:c7:91:fb:2d:71:33:d7:dc:81:06:32:2e:e5:ec:
- 61:37:8a:0b:0c:23:57:cd:9c:ae:93:79:58:26:1e:
- de:26:18:12:52:c3:76:7a:d1:6a:dc:98:67:13:4d:
- 73:dc:8f:7f:7b:dc:97:15:dd:eb:6e:0b:54:cc:f7:
- ef:db:14:8f:d2:89:47:3e:8c:e7:de:ef:61:34:67:
- 10:60:8a:87:13:6d:86:91:9d:8a:92:64:72:5c:ef:
- 64:57:b9:0e:91:ea:41:2c:03:e0:67:c7:51:cf:ea:
- 09:5a:e9:0e:ba:eb:be:53:10:90:e5:0f:87:33:3b:
- e6:53:11:1c:6d:75:34:ea:4a:7c:59:f4:6b:da:82:
- 30:4d:f5:72:ad:ae:41:f7:c1:ca:b2:7e:74:a4:45:
- bd:2d:80:c5:47:d3:ed:c2:02:fb:d9:85:76:00:3d:
- a6:ab:da:2a:ef:a4:c7:d6:74:c4:88:02:63:d5:a0:
- 5f:6b:88:ee:bc:df:0f:43:78:8f:62:1a:c6:c8:e5:
- 3a:43:aa:75:94:d0:71:15:a4:8a:f9:67:5d:93:93:
- bd:78:04:46:39:90:48:22:05:78:17:ec:b9:26:3f:
- 4f:7b:a9:e2:79:b3:cf:13:ce:34:9f:3c:7a:8f:a8:
- b7:b4:12:39:01:4f:26:44:33:b9:7d:eb:c7:0d:c7:
- 1c:d3:c5:52:2b:cb:65:a2:48:b8:c6:b2:e5:17:d3:
- df:ed:ef:e9:ea:21:5f:2e:42:23:40:35:7e:97:23:
- 28:42:0e:22:25:79:f6:ea:ae:a3:cf:c6:c4:ef:ed:
- c3:1f:14:05:5f:66:ab:20:a0:5e:80:11:32:1f:ff:
- 69:10:e2:8e:d6:70:e4:97:ab:82:89:37:57:74:43:
- 81:e6:85:ca:6e:3b:1d:ae:3f:ca:7f:da:2b:7b:db:
- ee:ab:ad:a1:a1:16:38:9c:b6:f2:af:be:b0:19:e1:
- 63:14:6f:26:24:f4:a8:3a:04:0e:9a:9c:5a:0a:bd:
- 22:91:c4:c3:ab:2f:ea:54:d7:ca:ad:ed:b7:a0:98:
- 8a:c8:94:15:ea:13:22:97:29:df:3a:85:4c:80:0d:
- ee:3f:d0:66:3d:9c:0f:41:2b:fd:1e:90:f5:8a:fb:
- 4c:10:20:3b:91:cc:fc:ab:d8:89:ac:7a:9f:bc:c9:
- e4:09:fe:81:ba:53:cf:f5:13:1b:4b:b0:f3:bf:34:
- 3d:3d:2c:8c:90:89:d6:37:78:cc:7c:f0:a8:97:08:
- ac:ea:f5
+ 00:e4:e6:1a:b1:de:91:30:34:8a:c7:f2:d9:0a:09:
+ 82:13:46:e9:db:c8:54:1e:0e:b0:b0:0a:e3:a3:b5:
+ 55:3c:6f:f8:45:8f:24:ed:56:c5:16:23:aa:ad:86:
+ 5a:5a:e0:8f:a2:f5:82:59:cc:70:b7:45:cc:1b:44:
+ a7:49:4b:ff:63:28:9d:01:22:79:ca:1a:6a:2b:75:
+ f8:40:c0:f0:93:b1:ab:85:cd:af:88:ac:30:f3:cb:
+ 42:87:fc:be:76:bb:fd:1c:a4:45:7a:66:37:47:ea:
+ aa:bf:c4:4b:47:fb:5b:ab:3f:c1:22:a9:06:f2:61:
+ 3d:5b:20:51:fc:ce:a7:82:74:6f:3d:ac:68:d6:78:
+ a2:77:83:26:af:23:63:20:3f:21:6e:29:1f:55:4c:
+ a6:d0:5a:51:e5:96:c1:cd:22:03:22:ee:de:42:3c:
+ 82:4d:29:20:c6:be:85:5b:04:3a:5f:8b:c7:e8:4e:
+ aa:3c:8e:dd:0d:d8:e5:d0:ff:0b:52:37:40:51:0d:
+ 33:f7:a8:05:07:76:dc:48:20:cd:52:38:a4:1f:44:
+ 11:cf:6d:58:a9:5a:9a:34:cb:93:07:30:e3:66:7b:
+ dc:d3:0b:6b:a2:1c:3f:19:ec:0b:0c:ea:29:6c:75:
+ 4d:7a:86:cf:35:87:9e:50:15:f3:34:73:0e:ac:4b:
+ a5:aa:1f:a2:f9:d5:8f:34:bd:5f:19:ae:22:8c:7f:
+ f7:ca:64:e6:ed:42:75:e5:92:9c:53:53:b7:66:68:
+ e5:07:eb:08:40:ec:bd:7c:ae:b0:c4:a5:4b:d7:4b:
+ 58:86:05:a8:91:db:ee:7a:3f:c4:fd:83:e5:7b:cb:
+ d0:8c:87:68:3b:83:67:e5:6a:5e:fa:28:b5:ee:07:
+ b1:0d:6a:93:1e:b0:c7:5c:57:fd:ce:e2:9c:0f:5e:
+ fe:41:cf:20:f2:1d:88:52:00:d4:83:fe:5b:d7:87:
+ 49:b0:78:2b:a7:60:c2:55:c6:c3:a2:6d:16:04:7f:
+ 8b:12:f7:65:c6:91:41:53:d8:ac:70:c0:3d:83:d8:
+ e0:6c:bb:3e:48:b8:c2:72:be:c0:35:61:40:ff:9f:
+ 97:18:9e:c7:39:0f:93:36:8f:0e:a6:3c:6d:5b:fd:
+ 89:6a:bb:ee:5e:43:f8:0d:29:7a:cf:23:bf:0b:c1:
+ 29:76:ae:a2:9a:73:b2:d0:b9:bd:48:51:25:8a:6b:
+ a9:c5:07:94:26:03:10:74:7b:fc:b7:5d:8f:2d:97:
+ 55:11:3e:7c:04:89:0e:b9:b9:73:2a:6c:5b:12:19:
+ 65:92:48:64:d5:4f:2c:79:3f:16:ad:65:97:21:db:
+ 3c:30:68:67:aa:42:14:86:59:57:b0:79:15:9e:a3:
+ 05:4f:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -84,66 +84,66 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 76:9F:AA:4D:D1:1E:92:61:23:CE:AE:DC:C3:CD:07:EB:A7:13:43:2F
+ 7A:C6:DB:B8:D2:75:D1:8D:BB:72:AE:B5:25:6E:6F:8C:AF:63:3A:4D
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- 3d:2f:62:54:90:6a:d1:f1:93:cc:21:b6:45:d2:d8:d3:ae:c8:
- c4:63:6d:9a:25:a1:c3:33:3a:c0:90:ea:ac:4b:67:a4:af:dd:
- 75:3f:03:13:44:a9:7e:5a:9e:3b:6f:df:06:d0:6d:ae:bf:fc:
- bf:23:b0:5e:c9:1b:98:d1:e6:6c:20:83:48:2f:b1:8d:ef:c1:
- 33:fd:d1:7f:d0:ca:03:9a:e4:3a:42:17:0d:e6:40:25:2f:f3:
- 80:83:36:c4:cc:8e:4b:7b:90:9d:22:ca:83:c1:a3:d0:c9:13:
- af:b4:a6:d7:d9:3b:be:fd:d1:5a:da:71:f8:6e:18:c8:8e:82:
- d0:b8:a6:de:58:c8:9b:8f:c1:20:ab:81:a8:3b:29:81:2d:cb:
- a2:f3:b2:9b:81:7d:78:c6:55:ed:05:75:7f:4c:64:6b:fe:00:
- e7:2b:6e:17:d5:32:de:e1:1d:33:f6:ce:89:4b:c6:be:92:54:
- f7:16:ea:91:b7:af:46:80:41:8f:6c:47:d6:07:d7:62:34:1b:
- 7c:69:e8:6c:ac:6f:39:b2:3c:60:cd:b3:89:95:3a:9e:ef:75:
- fa:b1:ad:b4:bc:89:69:1c:69:53:dd:94:25:93:7c:64:56:75:
- 0a:a9:8d:2b:6d:ed:9c:e7:cf:9a:ad:02:ca:79:f4:fa:59:4e:
- 51:33:c3:f9:4d:a6:35:62:50:e7:f3:2d:aa:32:b3:60:2f:1e:
- e3:71:6b:78:98:f7:9f:fe:0f:0f:f1:a5:6a:4f:f7:01:22:52:
- 60:6b:62:b5:5b:15:6d:4f:41:e0:23:a0:43:45:39:70:f3:a0:
- bd:30:14:63:01:01:f4:1f:fb:65:43:c8:99:57:aa:47:2d:53:
- 0c:f6:c2:65:f3:1a:64:69:67:f3:7b:b1:2f:0f:c1:e8:a2:5e:
- 78:bd:df:a6:d8:3e:ce:6a:fc:bb:c6:14:a1:6b:de:fa:47:5d:
- ce:6a:24:60:da:1b:5d:fd:c1:5f:27:34:a2:b6:dc:bb:e5:f4:
- cb:14:88:e6:66:e7:49:e8:a0:22:49:da:af:1a:30:f6:ac:a7:
- 99:56:5e:b4:b0:19:71:67:59:cd:0d:67:4b:82:54:0d:c9:88:
- cb:ea:36:7f:60:d5:df:8a:74:78:25:2a:b5:ca:89:ac:9a:0b:
- bc:a4:25:f9:38:c0:13:58:1b:5c:60:0a:b7:9c:74:de:b1:7b:
- e2:5e:1d:85:50:e0:69:22:c5:2f:e1:1a:1c:ca:cd:a7:ab:0d:
- a2:ce:f1:88:92:68:10:fa:1d:ca:f4:62:6d:cd:8b:1b:72:2f:
- 67:a1:b6:f6:ef:b9:f1:e8:bd:42:54:d8:4b:e0:8b:9b:6d:2d:
- 1c:ca:c3:eb:79:5c:d7:00
+ 7f:5c:76:fd:3d:ef:0c:7f:70:c7:09:d3:5c:c1:b6:40:25:47:
+ a3:6a:bf:4e:ad:d1:e6:cc:92:86:b6:6a:42:3d:4f:bc:f1:6f:
+ fd:7e:22:52:9c:dc:a6:0b:71:98:80:44:cf:f1:91:bb:50:c8:
+ 15:cd:8c:d8:9c:7d:8d:69:61:1b:4c:66:40:77:44:45:33:9c:
+ 9a:04:01:a1:4b:82:3a:d7:39:97:27:90:a6:71:9a:b1:9c:ce:
+ 60:01:8b:a5:6f:39:a3:e1:75:de:3c:5c:61:66:a5:50:db:0f:
+ 4a:03:32:8d:dd:e5:b6:ab:6a:b2:53:6a:4c:c9:99:74:f7:f5:
+ 1e:a5:06:1a:d3:64:26:c5:77:f4:a6:40:1a:c4:7e:22:05:a6:
+ a5:25:f7:5d:74:a5:c9:86:c0:3a:88:2e:6e:0e:58:4f:e5:6e:
+ e9:2a:34:2a:1d:1d:a4:e4:74:f3:a5:e5:56:5d:5f:02:c4:eb:
+ c7:12:f2:55:6a:f1:6c:ec:6e:b8:c1:2d:aa:4a:7d:ed:91:c8:
+ 78:1b:b7:b9:37:17:32:ee:1b:b5:d9:5c:98:d2:cf:d8:c6:90:
+ a5:c9:f1:eb:8d:2c:d4:90:b2:8c:e5:53:9a:66:20:92:8b:a2:
+ 0c:8b:76:9b:5f:5b:39:77:69:67:a7:8c:de:10:57:85:45:a4:
+ 8f:85:3a:59:5f:fc:0c:70:de:1c:67:33:5e:9b:a5:21:3d:bd:
+ 2e:de:3e:c2:0d:cf:8f:52:43:92:01:cc:47:da:af:47:85:69:
+ 94:d3:9f:c9:d5:5d:50:ca:27:a5:bb:c0:53:12:e0:e8:3c:ed:
+ 0d:bd:47:97:af:be:b8:f9:0c:10:2a:79:21:3c:15:ef:c0:a5:
+ eb:33:38:93:5b:a3:de:1a:97:eb:c3:db:04:1f:e8:f4:23:10:
+ ff:2d:1e:9b:4e:1f:8e:27:7d:71:34:e2:be:74:a2:62:69:9a:
+ 83:7b:6e:9e:e4:a2:7c:84:82:ff:83:b3:cd:d2:0f:74:05:72:
+ b8:b0:45:23:b6:cd:04:25:2d:58:7f:92:ce:68:f9:ba:d0:9e:
+ a8:e1:f8:c0:86:0e:aa:ee:f9:af:ff:5c:bf:46:76:08:b1:83:
+ e7:66:8b:ca:1b:8f:f4:9f:6a:ac:71:4e:3a:d1:77:fd:97:81:
+ ff:0e:d0:d1:4a:7e:6d:94:e6:8c:e1:28:92:b1:68:83:5a:62:
+ 48:0d:26:ee:28:60:57:ff:52:b8:1e:8c:03:d8:fb:c1:6e:4f:
+ fd:7a:46:0b:0f:c8:05:ad:3a:a4:68:be:fd:30:62:ce:f2:0a:
+ b1:34:2c:95:e7:e2:91:ec:a3:c6:4e:2d:a5:fe:09:45:84:38:
+ 9c:d7:f4:0b:18:22:9d:df
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4
-MDExNjE1MDUxNVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCCAiIw
-DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9LRI/R3VYYQVzCxCv/KOZ/aCbU
-Dwjmr91yKJvsX1ov8Zp7IQ/CAZbYhTIgXMeR+y1xM9fcgQYyLuXsYTeKCwwjV82c
-rpN5WCYe3iYYElLDdnrRatyYZxNNc9yPf3vclxXd624LVMz379sUj9KJRz6M597v
-YTRnEGCKhxNthpGdipJkclzvZFe5DpHqQSwD4GfHUc/qCVrpDrrrvlMQkOUPhzM7
-5lMRHG11NOpKfFn0a9qCME31cq2uQffByrJ+dKRFvS2AxUfT7cIC+9mFdgA9pqva
-Ku+kx9Z0xIgCY9WgX2uI7rzfD0N4j2IaxsjlOkOqdZTQcRWkivlnXZOTvXgERjmQ
-SCIFeBfsuSY/T3up4nmzzxPONJ88eo+ot7QSOQFPJkQzuX3rxw3HHNPFUivLZaJI
-uMay5RfT3+3v6eohXy5CI0A1fpcjKEIOIiV59uquo8/GxO/twx8UBV9mqyCgXoAR
-Mh//aRDijtZw5Jergok3V3RDgeaFym47Ha4/yn/aK3vb7qutoaEWOJy28q++sBnh
-YxRvJiT0qDoEDpqcWgq9IpHEw6sv6lTXyq3tt6CYisiUFeoTIpcp3zqFTIAN7j/Q
-Zj2cD0Er/R6Q9Yr7TBAgO5HM/KvYiax6n7zJ5An+gbpTz/UTG0uw8780PT0sjJCJ
-1jd4zHzwqJcIrOr1AgMBAAGjczBxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G
-A1UdDgQWBBR2n6pN0R6SYSPOrtzDzQfrpxNDLzA4BgNVHREEMTAvoC0GBisGAQUC
-AqAjMCGgDRsLVEVTVC5INUwuU0WhEDAOoAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcN
-AQEFBQADggIBAD0vYlSQatHxk8whtkXS2NOuyMRjbZolocMzOsCQ6qxLZ6Sv3XU/
-AxNEqX5anjtv3wbQba6//L8jsF7JG5jR5mwgg0gvsY3vwTP90X/QygOa5DpCFw3m
-QCUv84CDNsTMjkt7kJ0iyoPBo9DJE6+0ptfZO7790VracfhuGMiOgtC4pt5YyJuP
-wSCrgag7KYEty6LzspuBfXjGVe0FdX9MZGv+AOcrbhfVMt7hHTP2zolLxr6SVPcW
-6pG3r0aAQY9sR9YH12I0G3xp6GysbzmyPGDNs4mVOp7vdfqxrbS8iWkcaVPdlCWT
-fGRWdQqpjStt7Zznz5qtAsp59PpZTlEzw/lNpjViUOfzLaoys2AvHuNxa3iY95/+
-Dw/xpWpP9wEiUmBrYrVbFW1PQeAjoENFOXDzoL0wFGMBAfQf+2VDyJlXqkctUwz2
-wmXzGmRpZ/N7sS8PweiiXni936bYPs5q/LvGFKFr3vpHXc5qJGDaG139wV8nNKK2
-3Lvl9MsUiOZm50nooCJJ2q8aMPasp5lWXrSwGXFnWc0NZ0uCVA3JiMvqNn9g1d+K
-dHglKrXKiayaC7ykJfk4wBNYG1xgCrecdN6xe+JeHYVQ4GkixS/hGhzKzaerDaLO
-8YiSaBD6Hcr0Ym3NixtyL2ehtvbvufHovUJU2Evgi5ttLRzKw+t5XNcA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=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit-proxy.crt b/lib/hx509/data/pkinit-proxy.crt
index 3fe393e4193e..d92acdfceafd 100644
--- a/lib/hx509/data/pkinit-proxy.crt
+++ b/lib/hx509/data/pkinit-proxy.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIJAJd7zCsMMPvCMA0GCSqGSIb3DQEBCwUAMB4xCzAJBgNV
-BAYTAlNFMQ8wDQYDVQQDDAZwa2luaXQwHhcNMTkwNTIzMTUwNTE1WhcNMzgwMTE2
-MTUwNTE1WjA1MQswCQYDVQQGEwJTRTEPMA0GA1UEAwwGcGtpbml0MRUwEwYDVQQD
-DAxwa2luaXQtcHJveHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh
-U0hTlQYhDONlH8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYa
-EernC2mrTxvSSy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQ
-iZy19sl6tG+kLZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJe
-pkPUAcjOOQZTd2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny
-8hoEHuc34+a/hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzM
-q2jRalsj/XlYCEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9e
-MFSv0ATDFoKi55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dM
-sYcqkl5uVZXPJxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbI
-NJBq1sWi6bO6+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0
-HJzeaqDwfmiT1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnX
-PTcaT8BSqQejfZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABo2AwXjAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUzoShaVViBQhilqB70YV+yuLcWIEw
-JQYIKwYBBQUHAQ4BAf8EFjAUAgEAMA8GCCsGAQUFBxUABANmb28wDQYJKoZIhvcN
-AQELBQADggIBAL45/vKz88cBG7c11gyePde86H7qWgIKrWocohn6eoXF1p2ZkLvP
-na4o7WVr/WC7t4DiBZVUNVvrqss/nOI3wMVjU9Mn9wrJbycvrVPAWH1nIhlKR3gM
-H8PTcZiHI+Vf14aHTjeRFEXxy0i+K7JxtKRQC/Bi+MuwnBvPwvar3tqFLXprRk4p
-p42I7/ngT8WcAzz/LWj0rWYNl/TEFU3esDBr3rz+B5TFVcp2dLpcZW7ScFRh9bLT
-OwJ/QNhzvnH5cwsWlb8cpDTFVeyTOBgqh9t6ut6SnDfCu03xIBVuCk+P5KhOGWAS
-3cOVqvGn3Y3q1glE2XdKgyYqU2z3itneUyiCeopItFaKZIV52s4WuIuGO+PK8XOi
-QhwtnsWO91toEFUpUNkxf/C6C61G4xuvHeMVLdTzO1Xi5kuHyN9gD8rLAuUfaV1c
-Zv3f2S8WpvEGkSSu8Ap1k3ExfIaFhgxzu3pjGL5e6YV2lK9d/UGXOpDRFZOUuoRm
-dyowQcF3XcH6zTDu+ThXlPSq5bkjrnMnNt2z2LfqGb/GFp1vl11LsXeLgpHmFTq2
-4umDDUwMHVzrmFoa3BtUkgO3BUoSrt2l63TFqTQZgZAf/D042jBcmOhV6Mt5MsDK
-MFZkoYjtv+8jTeRwxP2zi3EceCvGkV1Mf3t2/h4wYGa25J6HFq86VVRU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=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit-proxy.key b/lib/hx509/data/pkinit-proxy.key
index 3567bf5d1d7e..6ef1f814d47d 100644
--- a/lib/hx509/data/pkinit-proxy.key
+++ b/lib/hx509/data/pkinit-proxy.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQChU0hTlQYhDONl
-H8153Wn2/H6/OW15S9pvg/RcQ9+Mc7a3kOEnImHt4B/zevv1rfYaEernC2mrTxvS
-Sy2Oxx3yNFsV1Kys+kMYiIygswPohTHYhMQKEjqGPTN97E1JcvMQiZy19sl6tG+k
-LZKa5pSTUoFrlqw2NN9U1WjlgaZ7WnLxwLlatQnZOnA6+MoU1bJepkPUAcjOOQZT
-d2D/3tAOcBKfQ6z97XFqfxzcnclz+9BXgFdZWTR1efd5yYNy17ny8hoEHuc34+a/
-hrrhfiFiXYKFF6f07YI6lt+ElPOc93oz19fE4wVskXjvxLOwahzMq2jRalsj/XlY
-CEHrZqaYjHvY8MYNFleThQEwJ/zldgQjx2MMnUD3ApxRDutfYM9eMFSv0ATDFoKi
-55mGySMD3dMpI1I/TER459Am5c88SfxJNJXAW/2GJXQAJ7tCL3dMsYcqkl5uVZXP
-JxSQbfFCl95lhlzOtoXZTS1+cxYN0oz9YfLoG3tz3x5Xtxo0eUbINJBq1sWi6bO6
-+6GyQOxs45sawl906XFqW/qzSywNOOsT/hcuEvc4IGdZKLP/wxF0HJzeaqDwfmiT
-1tz8jArGsbqw/i77xND6tq+56rur5/BhfIapXZ9wKDfawQttpDnXPTcaT8BSqQej
-fZa0RiRvt70pypm98eZ1XRzWhC6bvQIDAQABAoICAGfmvKFgTIdCxr3dgrgnO1Ug
-f/1m3jQN/4xs/xfhevv5lseZXvmWcl4DSHDHV7l+pg9aVOEjf5YeqDuDwb7ATXAt
-+jAQPnpV4JrPb0scoLrD9juOHrihzuGgTyad55UTnKqdBrpHTLJjvbeOxmpPcYeE
-zufdLeLnoKMBo8KVAwVVVsyPJJHgIYyvz5Kbo4NRssS07uB/mbYAEiv1qhqBhZyW
-39eFfcg5gh9l6M/KK/IwT5nbheZ8xoWW3SWp/KgdepyXAtx+jsp3VKkr+/a5BoVU
-1ngjqT/dLE/R1fmM+W2yEhmLvWMIF/k5pBtAo75OSWgkSaj+h96hJOLmxpX3EfoO
-UdEYWnToOyovTUqs0mQREolOvPPjQPdgSGJsnuEsNzT3cJGrM9Nq+exQUXXXKCCa
-No06TS46ILykvT+GBXxoyIVkWmpqDHHh4NuBUAcrB5yTYn3MoMeo4y7bvE8pl3C9
-wC/5un+lzNixHNmHRNDzre8uLjhmR0PnP5y7EThOaBS9/DTjzoJqfaw1K2WC9lbe
-vdpWSf/Kwjk3SGCXaneXfaWvLaB+mSHW1JJjtdOuxOdGGGXiJN/qYz8C+pTHzVxj
-uJGNkcz2nlGLG9RdaVBenItO3lUx5Zk7uHJdIZuQf31fmEXTFms4YGTdK9+GQIQv
-N3ivhfvtuBwWoBCHK49hAoIBAQDMOhPQJlQnlPnosdOAFDNOh+2fEPEpeY9SKvGA
-zn3jsO/UphtagulkPWCE7ld4D7b1IBDFSh9CnDGPljzz6uQCGi7FHAlOauTel6eh
-lJp8sp8STc/H2QrLE00BzhSlLPxGIAS+tBBwLG2jXBmi2l/K2aFbheUak7mev7nF
-b4oWTKC9fweygfP87NX0Tsu2Wzfd2TR7gYz3r+/+wkd15pTBtuBUp0YUkCNKfhk/
-qqHOgO3neokb5YZrhq1dM+qhT9/2rM1zon0b9kt3r6+7mbdC4iAy9Ek6LOEGDu4N
-jGNhQSEj+usKJhW7X2m0dcG46JytCMOFLPVmdwTIHm6/O2PZAoIBAQDKOPqv2luX
-49Dat3A+zqQfecVmffdHbRF5EgIRfHYYHXvccJtD8MnkXBrJAwe4Y0UI00SECGzZ
-jK2ReyRWbq+qHQGLk3Zu3ojbXw0wXRR5iivGckSd1IevS5pbmVnc7FzZjxWaoqbT
-Uo7Y1LtUqulfqCJHbDB+l+kIv/kwTQG2rb1WnTY8Y4YEHuy54zh0Ke6t8XFqGME5
-/ASgTWnEIyFSuiptA+CeBm0NVMUH0MDd4j0OkYMNkIQODC72o7Qw9mwvij0xrOWq
-fXaxYocB8Z/hRSTv0r/qnPP8wjNCLtZt0iHcq+y63nANTQYk8v6PS6nl6Ppiz+hu
-M5W7ajwtqByFAoIBAQCnXYEXOBIHTiNv+ytk7ykM1oB5txyr7J7zq5W3BYJNspcZ
-IfeQuXAjYdlTly+/iMFbKSgVRqVPpUlIbssM6hZpUqO5jTxjM17UvFv4IxxnzMpn
-6bS6Bri9q9eT/xsUMkWcAmlhD5fZFc/T7Ipl16hhSPDfXF9g5GdeHalUkBAOLkYc
-hZn9RFp7kGvWhyyTCTZDbNmBza2E3n5DvVtq18hY6FH3jg30lBsX1TdD4cYwwaA1
-70mlvvfl7rzsgLtr71WPhhXpCeSVocY/E49koph5C29v0pqgPl8648la+Q4IiaNr
-JRqxenyczZiG92oG6zpa46+32BxUGH2msqn3teghAoIBAFKQrRn7p4X+iBmk5/lc
-2XnYeBZ+u+W3zHiIN7v3+yehch7xAxPcTjIkwPLtf8tzDI6r47+cyQSSAZPymUWI
-78QfD7BzRtnBllMrHfFvL5roJTNjGEzwp22VCrL3i8892jMhzopSepaxkI1LXikV
-ly9tMIHE1I/7ajQeXZmw91Ak47dnfOtvHxqznafP9A7JyB/RAqN08/++vAzPTq28
-QjDKvePAv4cFzKSyxbeJLhXp90/pbX6uUJyDsPEWqc2L72QBpzaPBz5y93E5bzIF
-+2c4mfopLB6Ycq3yhIczJG22bAjzUTaC93EWz7lqVTEgjX/HfeO2S4ojGbFpkKR7
-jRkCggEAE9shCbl5bHJR2l5FgNOr99rkpNs33WJa9ZQpsQ2oXq5yLL2plhIJO2tg
-kKM/ld6PwFinxBoLhd4Knb3X8Kf4mWCALO0lJRzB3qiEu4SP15UYchayDpjGFzNQ
-EejcYcJ59XT6PC0nlckmsBeTSXWTEsjk4vaca01kp0tM1DNuJ4V6iXXJhj70xkqr
-NRlFuTLBxE/PIs8eg6Da/4sQZ5MnZq1WRylbda42xCMebGV6zxuc9HiI348LlAhn
-Kw/dTg2m5gwYznLHSpEH1n0ILrDtMyb5tZ9KfJzVuyz1Glo7UKf5hYoqZY/n/bCN
-gvWFSlv63UgRaUrIlQWr2X01y9IGjw==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit-pw.key b/lib/hx509/data/pkinit-pw.key
index ac89d6af05fa..3fef51f6cd01 100644
--- a/lib/hx509/data/pkinit-pw.key
+++ b/lib/hx509/data/pkinit-pw.key
@@ -1,54 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,EF2C2237F4387D5197FBFEC26EFA3487
+DEK-Info: AES-256-CBC,0D7945ED368F10EDD0E5FB517DA6CEDD
-m1mmDR2qaA0u6ZSC1Xvw6o9Uyt0NvNgKM2Lln0BOvE3UvsbUxE5NEGynlthge4zX
-HfLX6PNZ4vkQASzm+e0M/cwUijDADmuHhsaZP30BriJ8SzZoeYq7WUVkv1EbCZFZ
-o/lsVFBPzW6K2Vfjphj1WRwZZEsgef+kFtwNSQxcHXRmK3njcKaP67fKzsH2rjPE
-HMEo/9vAShCmFH4Tnzxy91SF4Gftdov0xqRQZpG/1maCx0/76RJL7lxpYUYmIOPa
-j2l6SUFSOP742bLWuHQXT36/SyocF2pk9kFzTfNb0lP7lriYrWhSDqqRWtoU0m3M
-Ulku3bcDd/HH0Br70qfDDOvWuGb2ayHRKoDDVlRnwXZ9tzl9BHqzvLIORKEt2vns
-6pHNU+8GwvYgtAlLMaN7KAH6hFUkVRi49lvTJbtrVJjMcGU7Vl5zurcyrfL2eLEZ
-tdyR1lL01JWZW1gz177dn9drcB//r2ZIq6g9Ah0e1ZBj7aEFfSabfRuLgUaF859q
-lWKt8112uuVn9vqOkiOlZVsNMRzP+NUEggVQ7Jn3H8CEqHgC1a0JElaQh/kd6BkP
-RthT1Qz0WyPMz1LE2aInFavnrFXqNyuLkkd8WSb+wo8V+jZL/a2jl8d7thQsxOHt
-OjfRyioX1YmeGBWz7I1ZObk1O0xi7vj7f4LoqabUqnU2Z6FQLCNRBlnO+SJq0DJj
-Ca6r1bN3NPGH9vhL8sd6Ce+C/fMXyDLX3qp9qS6ZmiSDOTIC5si8JmWMeCC8yrim
-RjBWEtTC4ve41ObrPHeDqDQOGdPpnPH5unQZA2jul3xizbr1ToYD4Uk3FuUYd2dH
-Fp/OutvsPUz6Eu6gllOJ/KYwSakncWZknJt7spwHjoyKoqRVbqyIrMWrQDCd491M
-ezZPeFursXyMeTezWcgUvh/NWA7+neQg99CP7hBs4v7LV9GYXJOxcJ97Hwl4m7mF
-u3QZb8Izgu7IVRFju3u5kU13hi/yO+q9Yg2wvZAg5C7znpm2d/QDJCEdjqqUIjE+
-/r+a4QxSCbl7y4fiuHZqY+qTgFK4kQBCDGIixc+tDcZru4wiGKDYoMhcERDvxKLT
-Upwbx3CqA28L42A+6IwapWO+jSBmCdfD6B+GEEWPaf5YzNZmM7td+DLeyOKAEK8w
-GCZkd58hn9x0BZxEvxTcLqWFO0BMC8FSHyjPRnW9Ik5H2a8vllb3Wiq7LFZum1of
-w2s9eb3vY2Lv6WNU2Mug+QwwbCwwmQmEJfROp/CWuHMmDlBudtDvVi2zUhNrqLoI
-LSNBlyxCIHO21R2IWOpZ+xglOh7+Qc4oXZHnhttREsOL7FnE6IYdcP1hfF0uWAtc
-kArTtgvFJurlZO+k840KPS1cfYLBNTgPK+6xssC2qZr3u6zP5Oh30gGgBQeETUxW
-JrMW3LzoMH0I/RcYK3FkEb38KAQpYLvJPKzNRD3/ZU2judjlslobHhvJaXTeOxiK
-B3NoFGi9+BXFBDyuKcHwUuFA7XCM9iIUbGoMzrSKFkc0CsCrJCWVvF/1cRNpJUQz
-SOxKM/HvWD9VdpTyJ8qDoI0lKS0jn+rCcF9lMwvORVPebkypGkXC0RSwvx4+cFnT
-oRjqpfLKzJlcEk+U7hPH5ZjsDUYq+FargGDmNvGZohpGNxsdYV1v6B6l3c7sLcWf
-lShZVLMTYzAlgBpywzsoyPQxm32hVMcpme+nzMq74QB3ZHv/uy/xgTbOCnTTQQZv
-hPvnEYcsNW9IBhGLr4kIsex5O5sLuatgDLh9xWgPObriu5BBVDNNqApze6AcqnIN
-3TW/qzmyc3R95nxHCxVocwU1Pl9ZPGP+Mc+osUQD3seHAKmNQKWPiVzven8NdiBC
-nSIjmBxVRtHdoiVLXk9LkTBoS+w1iPG1ztVsf+Vjg3PUoROD0XuzqwZ4XlkT64IT
-6zcjD0IrSYgbO56Oqga8quibZl3+BVLexj/veFv2SKw31dMZ95ntnwuKpwCv3jHf
-lrxrkPzj9Fsqup+HR3yh36FKyZkgPEU4KUrraXbsQMDdJdcec944QBIftj0p44W0
-T2SeGk0rkHSFZiZqoeyJ6ubKxalnre6PwJwtvVrx0QzREIGdCG5+SyphYEtd+mBr
-ATh0LbMqD6vyJ66t4SuOdiCSfVbEomKaftS3C752Gk2QxFT+XEgNPuSDp5V8DqBR
-W3W8DB03d3DolznjjcHTUJH65A1ADepUFpIteIkhHUrQP6IqQUNaaCIFd462IDCL
-lL/4V7b1kq1pZJcF/yyDvdDAZM/6aTorKXy9l/v3SUN4z6smraISVTwShyof7Olf
-2dQx1Eh/OjYNEATG86eoW15p6EWclO0osvIxR21xeOTFQUuiR9SijtLOOTiNKrTu
-ug4/57HvGI3rI6Lujcx+js2B2aBdk+O8AkpCAcFTM7FkFRQCngP7ayyVt3I6x+M/
-8vxz6L7fdXYX/RYSIVLKlbSKo15f9NyDJiaHpACIpRzYUQLjrXcKsTiAcDoFaFGz
-TLsTLnA3QDbTRptaDSvQfPhrOM5QezKVmhT6MSzCeJFAskpIgRm4XwaOQjZ/XP0J
-ua7IG2WD6k8f62cszlbCEvMZWMBvb8JYVB/UGcBLtolFG8EGvvUrWAHWLWVvngNb
-HCI7t/Z4SqIexcBTAOal1bAT/gcvNrAmSBXkcNg3hMqMXOXuC7W5Qbqtk6Bd1uiN
-5BWMJOnGXrALbpHxNtC4QBjCAC6MshkMOJvIpNn4f30Qq4Of+NyJrIJl1jo/WLqG
-hsHXYzZYI2LcfOi7a+4oSHQ2OfsGvdKWwmJha6Koo1VlF8gnHSJaGAH/soilan0w
-KSOqSW4DJnAc3zry0jfDeLJLktrEn86xen1v2HjnS1WohfkFL5sSk3z5bVqQ6NrK
-9OOeeXIzWC7AETBc6N3TY7rKljH0ZdtiB7axVI/0Vfmiqw9vOzJ3fij9BcLvXBQs
-JKy80AdUvT4o3PGW9DJX/Ki04NBB9Y/Jlmtu2j1Iq2NVERqma/HzUliGosffdwYw
-EswIfbMjKhghu6mbHguE2DdW2vXkKgmbUJcBFb2tnc97ESslJoxssWB3uZJNQqRW
-FLl+I56S4CVUDLg6WmB7ZMyhCWJ0u2d/zvombQBnPN6GEc+VkZUzVE7NFYmK8j2Y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-----END RSA PRIVATE KEY-----
diff --git a/lib/hx509/data/pkinit.crt b/lib/hx509/data/pkinit.crt
index 86642369ce41..3f206294112c 100644
--- a/lib/hx509/data/pkinit.crt
+++ b/lib/hx509/data/pkinit.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:15 2019 GMT
- Not After : Jan 16 15:05:15 2038 GMT
+ Not Before: Mar 22 22:25:06 2019 GMT
+ Not After : Nov 21 22:25:06 2518 GMT
Subject: C=SE, CN=pkinit
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:bf:4b:44:8f:d1:dd:56:18:41:5c:c2:c4:2b:ff:
- 28:e6:7f:68:26:d4:0f:08:e6:af:dd:72:28:9b:ec:
- 5f:5a:2f:f1:9a:7b:21:0f:c2:01:96:d8:85:32:20:
- 5c:c7:91:fb:2d:71:33:d7:dc:81:06:32:2e:e5:ec:
- 61:37:8a:0b:0c:23:57:cd:9c:ae:93:79:58:26:1e:
- de:26:18:12:52:c3:76:7a:d1:6a:dc:98:67:13:4d:
- 73:dc:8f:7f:7b:dc:97:15:dd:eb:6e:0b:54:cc:f7:
- ef:db:14:8f:d2:89:47:3e:8c:e7:de:ef:61:34:67:
- 10:60:8a:87:13:6d:86:91:9d:8a:92:64:72:5c:ef:
- 64:57:b9:0e:91:ea:41:2c:03:e0:67:c7:51:cf:ea:
- 09:5a:e9:0e:ba:eb:be:53:10:90:e5:0f:87:33:3b:
- e6:53:11:1c:6d:75:34:ea:4a:7c:59:f4:6b:da:82:
- 30:4d:f5:72:ad:ae:41:f7:c1:ca:b2:7e:74:a4:45:
- bd:2d:80:c5:47:d3:ed:c2:02:fb:d9:85:76:00:3d:
- a6:ab:da:2a:ef:a4:c7:d6:74:c4:88:02:63:d5:a0:
- 5f:6b:88:ee:bc:df:0f:43:78:8f:62:1a:c6:c8:e5:
- 3a:43:aa:75:94:d0:71:15:a4:8a:f9:67:5d:93:93:
- bd:78:04:46:39:90:48:22:05:78:17:ec:b9:26:3f:
- 4f:7b:a9:e2:79:b3:cf:13:ce:34:9f:3c:7a:8f:a8:
- b7:b4:12:39:01:4f:26:44:33:b9:7d:eb:c7:0d:c7:
- 1c:d3:c5:52:2b:cb:65:a2:48:b8:c6:b2:e5:17:d3:
- df:ed:ef:e9:ea:21:5f:2e:42:23:40:35:7e:97:23:
- 28:42:0e:22:25:79:f6:ea:ae:a3:cf:c6:c4:ef:ed:
- c3:1f:14:05:5f:66:ab:20:a0:5e:80:11:32:1f:ff:
- 69:10:e2:8e:d6:70:e4:97:ab:82:89:37:57:74:43:
- 81:e6:85:ca:6e:3b:1d:ae:3f:ca:7f:da:2b:7b:db:
- ee:ab:ad:a1:a1:16:38:9c:b6:f2:af:be:b0:19:e1:
- 63:14:6f:26:24:f4:a8:3a:04:0e:9a:9c:5a:0a:bd:
- 22:91:c4:c3:ab:2f:ea:54:d7:ca:ad:ed:b7:a0:98:
- 8a:c8:94:15:ea:13:22:97:29:df:3a:85:4c:80:0d:
- ee:3f:d0:66:3d:9c:0f:41:2b:fd:1e:90:f5:8a:fb:
- 4c:10:20:3b:91:cc:fc:ab:d8:89:ac:7a:9f:bc:c9:
- e4:09:fe:81:ba:53:cf:f5:13:1b:4b:b0:f3:bf:34:
- 3d:3d:2c:8c:90:89:d6:37:78:cc:7c:f0:a8:97:08:
- ac:ea:f5
+ 00:e4:e6:1a:b1:de:91:30:34:8a:c7:f2:d9:0a:09:
+ 82:13:46:e9:db:c8:54:1e:0e:b0:b0:0a:e3:a3:b5:
+ 55:3c:6f:f8:45:8f:24:ed:56:c5:16:23:aa:ad:86:
+ 5a:5a:e0:8f:a2:f5:82:59:cc:70:b7:45:cc:1b:44:
+ a7:49:4b:ff:63:28:9d:01:22:79:ca:1a:6a:2b:75:
+ f8:40:c0:f0:93:b1:ab:85:cd:af:88:ac:30:f3:cb:
+ 42:87:fc:be:76:bb:fd:1c:a4:45:7a:66:37:47:ea:
+ aa:bf:c4:4b:47:fb:5b:ab:3f:c1:22:a9:06:f2:61:
+ 3d:5b:20:51:fc:ce:a7:82:74:6f:3d:ac:68:d6:78:
+ a2:77:83:26:af:23:63:20:3f:21:6e:29:1f:55:4c:
+ a6:d0:5a:51:e5:96:c1:cd:22:03:22:ee:de:42:3c:
+ 82:4d:29:20:c6:be:85:5b:04:3a:5f:8b:c7:e8:4e:
+ aa:3c:8e:dd:0d:d8:e5:d0:ff:0b:52:37:40:51:0d:
+ 33:f7:a8:05:07:76:dc:48:20:cd:52:38:a4:1f:44:
+ 11:cf:6d:58:a9:5a:9a:34:cb:93:07:30:e3:66:7b:
+ dc:d3:0b:6b:a2:1c:3f:19:ec:0b:0c:ea:29:6c:75:
+ 4d:7a:86:cf:35:87:9e:50:15:f3:34:73:0e:ac:4b:
+ a5:aa:1f:a2:f9:d5:8f:34:bd:5f:19:ae:22:8c:7f:
+ f7:ca:64:e6:ed:42:75:e5:92:9c:53:53:b7:66:68:
+ e5:07:eb:08:40:ec:bd:7c:ae:b0:c4:a5:4b:d7:4b:
+ 58:86:05:a8:91:db:ee:7a:3f:c4:fd:83:e5:7b:cb:
+ d0:8c:87:68:3b:83:67:e5:6a:5e:fa:28:b5:ee:07:
+ b1:0d:6a:93:1e:b0:c7:5c:57:fd:ce:e2:9c:0f:5e:
+ fe:41:cf:20:f2:1d:88:52:00:d4:83:fe:5b:d7:87:
+ 49:b0:78:2b:a7:60:c2:55:c6:c3:a2:6d:16:04:7f:
+ 8b:12:f7:65:c6:91:41:53:d8:ac:70:c0:3d:83:d8:
+ e0:6c:bb:3e:48:b8:c2:72:be:c0:35:61:40:ff:9f:
+ 97:18:9e:c7:39:0f:93:36:8f:0e:a6:3c:6d:5b:fd:
+ 89:6a:bb:ee:5e:43:f8:0d:29:7a:cf:23:bf:0b:c1:
+ 29:76:ae:a2:9a:73:b2:d0:b9:bd:48:51:25:8a:6b:
+ a9:c5:07:94:26:03:10:74:7b:fc:b7:5d:8f:2d:97:
+ 55:11:3e:7c:04:89:0e:b9:b9:73:2a:6c:5b:12:19:
+ 65:92:48:64:d5:4f:2c:79:3f:16:ad:65:97:21:db:
+ 3c:30:68:67:aa:42:14:86:59:57:b0:79:15:9e:a3:
+ 05:4f:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
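Review bot: The regenerated pkinit certificate is still signed with sha1WithRSAEncryption (the unchanged `Signature Algorithm` context lines in this hunk and in the second hunk of this file), and its new `Not After : Nov 21 22:25:06 2518 GMT` stretches the validity to roughly 500 years. If the SHA-1 signature is not itself part of what the PKINIT tests exercise, regenerating the whole fixture set was the natural moment to move the test CA to a SHA-256 signature, because recent OpenSSL releases at their default security level refuse SHA-1-signed certificates and any test that hands these fixtures to OpenSSL-based tooling would then fail for an unrelated reason. The far-future expiry presumably is deliberate, to cover GeneralizedTime (year 2050 and later) decoding; if so, a one-line comment next to whatever script regenerates these fixtures, e.g. `# expiry past 2049 on purpose: exercises GeneralizedTime notAfter`, would keep that property from being lost on the next regeneration. The text dump at the top of the file is informational only; the base64 block in the second hunk is what the tests actually load, so the two must stay in sync when the certificate is regenerated.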
@@ -54,66 +54,66 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- 76:9F:AA:4D:D1:1E:92:61:23:CE:AE:DC:C3:CD:07:EB:A7:13:43:2F
+ 7A:C6:DB:B8:D2:75:D1:8D:BB:72:AE:B5:25:6E:6F:8C:AF:63:3A:4D
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
- 3d:2f:62:54:90:6a:d1:f1:93:cc:21:b6:45:d2:d8:d3:ae:c8:
- c4:63:6d:9a:25:a1:c3:33:3a:c0:90:ea:ac:4b:67:a4:af:dd:
- 75:3f:03:13:44:a9:7e:5a:9e:3b:6f:df:06:d0:6d:ae:bf:fc:
- bf:23:b0:5e:c9:1b:98:d1:e6:6c:20:83:48:2f:b1:8d:ef:c1:
- 33:fd:d1:7f:d0:ca:03:9a:e4:3a:42:17:0d:e6:40:25:2f:f3:
- 80:83:36:c4:cc:8e:4b:7b:90:9d:22:ca:83:c1:a3:d0:c9:13:
- af:b4:a6:d7:d9:3b:be:fd:d1:5a:da:71:f8:6e:18:c8:8e:82:
- d0:b8:a6:de:58:c8:9b:8f:c1:20:ab:81:a8:3b:29:81:2d:cb:
- a2:f3:b2:9b:81:7d:78:c6:55:ed:05:75:7f:4c:64:6b:fe:00:
- e7:2b:6e:17:d5:32:de:e1:1d:33:f6:ce:89:4b:c6:be:92:54:
- f7:16:ea:91:b7:af:46:80:41:8f:6c:47:d6:07:d7:62:34:1b:
- 7c:69:e8:6c:ac:6f:39:b2:3c:60:cd:b3:89:95:3a:9e:ef:75:
- fa:b1:ad:b4:bc:89:69:1c:69:53:dd:94:25:93:7c:64:56:75:
- 0a:a9:8d:2b:6d:ed:9c:e7:cf:9a:ad:02:ca:79:f4:fa:59:4e:
- 51:33:c3:f9:4d:a6:35:62:50:e7:f3:2d:aa:32:b3:60:2f:1e:
- e3:71:6b:78:98:f7:9f:fe:0f:0f:f1:a5:6a:4f:f7:01:22:52:
- 60:6b:62:b5:5b:15:6d:4f:41:e0:23:a0:43:45:39:70:f3:a0:
- bd:30:14:63:01:01:f4:1f:fb:65:43:c8:99:57:aa:47:2d:53:
- 0c:f6:c2:65:f3:1a:64:69:67:f3:7b:b1:2f:0f:c1:e8:a2:5e:
- 78:bd:df:a6:d8:3e:ce:6a:fc:bb:c6:14:a1:6b:de:fa:47:5d:
- ce:6a:24:60:da:1b:5d:fd:c1:5f:27:34:a2:b6:dc:bb:e5:f4:
- cb:14:88:e6:66:e7:49:e8:a0:22:49:da:af:1a:30:f6:ac:a7:
- 99:56:5e:b4:b0:19:71:67:59:cd:0d:67:4b:82:54:0d:c9:88:
- cb:ea:36:7f:60:d5:df:8a:74:78:25:2a:b5:ca:89:ac:9a:0b:
- bc:a4:25:f9:38:c0:13:58:1b:5c:60:0a:b7:9c:74:de:b1:7b:
- e2:5e:1d:85:50:e0:69:22:c5:2f:e1:1a:1c:ca:cd:a7:ab:0d:
- a2:ce:f1:88:92:68:10:fa:1d:ca:f4:62:6d:cd:8b:1b:72:2f:
- 67:a1:b6:f6:ef:b9:f1:e8:bd:42:54:d8:4b:e0:8b:9b:6d:2d:
- 1c:ca:c3:eb:79:5c:d7:00
+ 7f:5c:76:fd:3d:ef:0c:7f:70:c7:09:d3:5c:c1:b6:40:25:47:
+ a3:6a:bf:4e:ad:d1:e6:cc:92:86:b6:6a:42:3d:4f:bc:f1:6f:
+ fd:7e:22:52:9c:dc:a6:0b:71:98:80:44:cf:f1:91:bb:50:c8:
+ 15:cd:8c:d8:9c:7d:8d:69:61:1b:4c:66:40:77:44:45:33:9c:
+ 9a:04:01:a1:4b:82:3a:d7:39:97:27:90:a6:71:9a:b1:9c:ce:
+ 60:01:8b:a5:6f:39:a3:e1:75:de:3c:5c:61:66:a5:50:db:0f:
+ 4a:03:32:8d:dd:e5:b6:ab:6a:b2:53:6a:4c:c9:99:74:f7:f5:
+ 1e:a5:06:1a:d3:64:26:c5:77:f4:a6:40:1a:c4:7e:22:05:a6:
+ a5:25:f7:5d:74:a5:c9:86:c0:3a:88:2e:6e:0e:58:4f:e5:6e:
+ e9:2a:34:2a:1d:1d:a4:e4:74:f3:a5:e5:56:5d:5f:02:c4:eb:
+ c7:12:f2:55:6a:f1:6c:ec:6e:b8:c1:2d:aa:4a:7d:ed:91:c8:
+ 78:1b:b7:b9:37:17:32:ee:1b:b5:d9:5c:98:d2:cf:d8:c6:90:
+ a5:c9:f1:eb:8d:2c:d4:90:b2:8c:e5:53:9a:66:20:92:8b:a2:
+ 0c:8b:76:9b:5f:5b:39:77:69:67:a7:8c:de:10:57:85:45:a4:
+ 8f:85:3a:59:5f:fc:0c:70:de:1c:67:33:5e:9b:a5:21:3d:bd:
+ 2e:de:3e:c2:0d:cf:8f:52:43:92:01:cc:47:da:af:47:85:69:
+ 94:d3:9f:c9:d5:5d:50:ca:27:a5:bb:c0:53:12:e0:e8:3c:ed:
+ 0d:bd:47:97:af:be:b8:f9:0c:10:2a:79:21:3c:15:ef:c0:a5:
+ eb:33:38:93:5b:a3:de:1a:97:eb:c3:db:04:1f:e8:f4:23:10:
+ ff:2d:1e:9b:4e:1f:8e:27:7d:71:34:e2:be:74:a2:62:69:9a:
+ 83:7b:6e:9e:e4:a2:7c:84:82:ff:83:b3:cd:d2:0f:74:05:72:
+ b8:b0:45:23:b6:cd:04:25:2d:58:7f:92:ce:68:f9:ba:d0:9e:
+ a8:e1:f8:c0:86:0e:aa:ee:f9:af:ff:5c:bf:46:76:08:b1:83:
+ e7:66:8b:ca:1b:8f:f4:9f:6a:ac:71:4e:3a:d1:77:fd:97:81:
+ ff:0e:d0:d1:4a:7e:6d:94:e6:8c:e1:28:92:b1:68:83:5a:62:
+ 48:0d:26:ee:28:60:57:ff:52:b8:1e:8c:03:d8:fb:c1:6e:4f:
+ fd:7a:46:0b:0f:c8:05:ad:3a:a4:68:be:fd:30:62:ce:f2:0a:
+ b1:34:2c:95:e7:e2:91:ec:a3:c6:4e:2d:a5:fe:09:45:84:38:
+ 9c:d7:f4:0b:18:22:9d:df
-----BEGIN CERTIFICATE-----
-MIIFNjCCAx6gAwIBAgIBBjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNVoXDTM4
-MDExNjE1MDUxNVowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBnBraW5pdDCCAiIw
-DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9LRI/R3VYYQVzCxCv/KOZ/aCbU
-Dwjmr91yKJvsX1ov8Zp7IQ/CAZbYhTIgXMeR+y1xM9fcgQYyLuXsYTeKCwwjV82c
-rpN5WCYe3iYYElLDdnrRatyYZxNNc9yPf3vclxXd624LVMz379sUj9KJRz6M597v
-YTRnEGCKhxNthpGdipJkclzvZFe5DpHqQSwD4GfHUc/qCVrpDrrrvlMQkOUPhzM7
-5lMRHG11NOpKfFn0a9qCME31cq2uQffByrJ+dKRFvS2AxUfT7cIC+9mFdgA9pqva
-Ku+kx9Z0xIgCY9WgX2uI7rzfD0N4j2IaxsjlOkOqdZTQcRWkivlnXZOTvXgERjmQ
-SCIFeBfsuSY/T3up4nmzzxPONJ88eo+ot7QSOQFPJkQzuX3rxw3HHNPFUivLZaJI
-uMay5RfT3+3v6eohXy5CI0A1fpcjKEIOIiV59uquo8/GxO/twx8UBV9mqyCgXoAR
-Mh//aRDijtZw5Jergok3V3RDgeaFym47Ha4/yn/aK3vb7qutoaEWOJy28q++sBnh
-YxRvJiT0qDoEDpqcWgq9IpHEw6sv6lTXyq3tt6CYisiUFeoTIpcp3zqFTIAN7j/Q
-Zj2cD0Er/R6Q9Yr7TBAgO5HM/KvYiax6n7zJ5An+gbpTz/UTG0uw8780PT0sjJCJ
-1jd4zHzwqJcIrOr1AgMBAAGjczBxMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G
-A1UdDgQWBBR2n6pN0R6SYSPOrtzDzQfrpxNDLzA4BgNVHREEMTAvoC0GBisGAQUC
-AqAjMCGgDRsLVEVTVC5INUwuU0WhEDAOoAMCAQGhBzAFGwNiYXIwDQYJKoZIhvcN
-AQEFBQADggIBAD0vYlSQatHxk8whtkXS2NOuyMRjbZolocMzOsCQ6qxLZ6Sv3XU/
-AxNEqX5anjtv3wbQba6//L8jsF7JG5jR5mwgg0gvsY3vwTP90X/QygOa5DpCFw3m
-QCUv84CDNsTMjkt7kJ0iyoPBo9DJE6+0ptfZO7790VracfhuGMiOgtC4pt5YyJuP
-wSCrgag7KYEty6LzspuBfXjGVe0FdX9MZGv+AOcrbhfVMt7hHTP2zolLxr6SVPcW
-6pG3r0aAQY9sR9YH12I0G3xp6GysbzmyPGDNs4mVOp7vdfqxrbS8iWkcaVPdlCWT
-fGRWdQqpjStt7Zznz5qtAsp59PpZTlEzw/lNpjViUOfzLaoys2AvHuNxa3iY95/+
-Dw/xpWpP9wEiUmBrYrVbFW1PQeAjoENFOXDzoL0wFGMBAfQf+2VDyJlXqkctUwz2
-wmXzGmRpZ/N7sS8PweiiXni936bYPs5q/LvGFKFr3vpHXc5qJGDaG139wV8nNKK2
-3Lvl9MsUiOZm50nooCJJ2q8aMPasp5lWXrSwGXFnWc0NZ0uCVA3JiMvqNn9g1d+K
-dHglKrXKiayaC7ykJfk4wBNYG1xgCrecdN6xe+JeHYVQ4GkixS/hGhzKzaerDaLO
-8YiSaBD6Hcr0Ym3NixtyL2ehtvbvufHovUJU2Evgi5ttLRzKw+t5XNcA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=
-----END CERTIFICATE-----
diff --git a/lib/hx509/data/pkinit.key b/lib/hx509/data/pkinit.key
index 804b7dc77d64..ee1c8423233a 100644
--- a/lib/hx509/data/pkinit.key
+++ b/lib/hx509/data/pkinit.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC/S0SP0d1WGEFc
-wsQr/yjmf2gm1A8I5q/dciib7F9aL/GaeyEPwgGW2IUyIFzHkfstcTPX3IEGMi7l
-7GE3igsMI1fNnK6TeVgmHt4mGBJSw3Z60WrcmGcTTXPcj3973JcV3etuC1TM9+/b
-FI/SiUc+jOfe72E0ZxBgiocTbYaRnYqSZHJc72RXuQ6R6kEsA+Bnx1HP6gla6Q66
-675TEJDlD4czO+ZTERxtdTTqSnxZ9GvagjBN9XKtrkH3wcqyfnSkRb0tgMVH0+3C
-AvvZhXYAPaar2irvpMfWdMSIAmPVoF9riO683w9DeI9iGsbI5TpDqnWU0HEVpIr5
-Z12Tk714BEY5kEgiBXgX7LkmP097qeJ5s88TzjSfPHqPqLe0EjkBTyZEM7l968cN
-xxzTxVIry2WiSLjGsuUX09/t7+nqIV8uQiNANX6XIyhCDiIlefbqrqPPxsTv7cMf
-FAVfZqsgoF6AETIf/2kQ4o7WcOSXq4KJN1d0Q4HmhcpuOx2uP8p/2it72+6rraGh
-FjictvKvvrAZ4WMUbyYk9Kg6BA6anFoKvSKRxMOrL+pU18qt7begmIrIlBXqEyKX
-Kd86hUyADe4/0GY9nA9BK/0ekPWK+0wQIDuRzPyr2Imsep+8yeQJ/oG6U8/1ExtL
-sPO/ND09LIyQidY3eMx88KiXCKzq9QIDAQABAoICAQC0fcQ3HwEEFua1K2AFUz+4
-HEadPEDjWSZefzQpyqE9azc/VyYexCLTvYAPh9GCzA5/FeygpAFpYzg04Q/pY2qB
-DWfvLQLbSwcNENryfovrY1oLEEUP1wyKfe3wEcVrjPtROo7EyhQ9QUMjJwd80uJR
-9olhI+RHmWcucAZ7IkBybH8vGW9+mLHIw2cn7iuH6DB4OuzKjDw/dt7bJ0vw/BR6
-zGf4w2/SuLZl4M0IszcZeTG6flQteoW1slGz/znNqNtNlC+nG3UJDMGs6TvQRcjM
-+V6lj7grXQLhKlO1MOwZyLO/tvfrZVv1gW9oVXNyYjbTWaaPvwy0Kwilwg3dDO0b
-CvBGS8c9PtxkUnU9ZCjkA7rmE/Nr2r78bhhMkBZs38w/MTYDUadmjhIxjnjaNu+3
-pV/kOLn8h0ZDCsLCJXUNAbcqwlz2IEDPFIYzW47+agMM21Y41um1lfLXOFcZ/61I
-vStquOwqyhciydomWyyaT0oyu1QPSaKwuVFYTBMn5fUfP3oYEehaN2VEcQaMCHt9
-OxiiXapiNEF1p4Rf+mt80yFxDhWrM7/VxDxHkS64HpULweW+/zx1J7l+Leqn8rGC
-k2puihHSAGnZ+thSnIkiimIfnijdUGRb09y5mQJoIm/pGopPTz8e6jag84a3tm7J
-08NBhWDMVMk25a6TOsl3AQKCAQEA3v5gi9C8bMcjEipI3fbgQ2mz18CzFFsIdSaE
-qvPyEZ07G6vRZg+i3Z0vOMaSiIr9nKmXIAPInpeCn4n55aJRktO5OxmF2F7qjVt+
-uEm2TPDrrkIILqT8/pINN6R7onwOcKlIb0gfyK7FyCYgjbtQlNjou0b/5CGq8qw0
-Y2E6htBPAtyXEIU8ozW/vnsMSqHsxHZKyzzHZRL8Ii1jjdXCJioKnWn36cLZrZml
-jxlgoh/4p+Jr0+otpQCJCzYjTuKmmOBlkEjoVe5yunD68O7VZWA5N8lb8t/2g6hq
-TS1kYZRlPnmtBi+iQUVbtx1eOpRXQA6YcZnyS4thY5VWj0MBZQKCAQEA25u8ODF6
-AZM33Chs9zQ9nmpsrCzZUq+2Wpv8HmzQbvWQ/OzGqgxi7GlLoi6sevxX+a2t9Qfn
-I3oaV5Fd1zZQT5mH9zlzoZp8QfwXgI9yTTF8tvFFUAMmMFHz9P5U9WLrILyvsMob
-i31y04uRe666YRSx7ra0mf1o6m4WezwQIGPOF3jsug4npuG86v7fRNrp/53bpV+V
-EGsvJN+oHZQ1t2QhYNLPXw5br1EMwjunn9P1JZfynS6VLrKQ2KiA2/1+F55ppA1i
-thtl4ZlU1nF1XkK0YR3KPYfzFSeujhtiZ/rPFW7226rUgvRP0N6YfvT08xyO639Y
-8VnERKtI6gjyUQKCAQAFnT3tBzpXOsRFRs9C115aFCU0/2MC1i/mUyvv6ehkTSMZ
-1T+WZDpjffucYFN8IJO2CAcIBVBdvc7KGX0zLN0E51O4izH1ep5JJM6R8TknwsEM
-SBlQo1LDTgYLKpb6RklOyNRMCPLT6KKOIXecWeTzemqRnH4AzmAxb+h5wA7rKf9z
-QP6EqfYW3dmQACUVE/KUF65WY5dZkhrK+X2SKpmSwGg4Alz9g6xbVIz4h1kJe+iU
-wXyZf0Ha76KDp79H0ykCnFOySEOhNjmpPAL1Ye35eWy3XNh1yvG36tuSSdxHIKdT
-5VhX2YcqQYbHm3Ot4eI4eKWZ5phVEpNHIJFnVfaJAoIBAQCWAbT5tWIffU4kxkBY
-Q4jrksqUeTYhcwDet7nplm5xvK/C9IFnWnqf/fS53aPXhlMZq3ct7q4F37vqoNM2
-1FTbaoYja0z+0CWcdPQgzttGu0zzMa8kzmHhk7lOWgPychUmEXz5B7T0/UXYFnfT
-wjBxa892vbpzjVOC/pvApfBmD4aRJfqdxFl1drCy3FHqGJbKEiwctEOAKZbUWync
-uoZOtMjP+G/KAGbERFqwukrvs7q6aSZCE7W3ZiXmuIL8whTFUWHbu4D335MiHLiE
-mo+PSYUo6U5h5WE3zBlB3JbFa97URy28Mt5ibTuv8ry7y9sdzR4a4qwAgE6+kTmH
-E4FhAoIBAQCqpFY8FPwJkDDe194tARJYXVdgvZhIcL0IP+lbNxAid+vmd1405fpx
-W4qoSHTn5aL1Vuo0qMudoUdzvHyB0fWHlVnWHhWlstkSMTMnl5DU7xhp5MP2ALXL
-LO73drcWe3r2NPYxOPWMzVvFd8o9WlnEtZ03C7s/DYUD1bWd2Z974b0tpiXNlZu0
-hn0+GgeZzmy8pyHbuyOj6+AW3zCIoIy39V68i13PjVzZKLR5vVLBaba1fZdqhYjk
-qHp+tpVdjmF+WgA0ia+hWRKkRGwX+mgi36aRzdjXPDrSxQsnEbp1LvZ80IsXM7jj
-60UoyAUhtvNbBCWkTske6/ey/kjJTUD4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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy-level-test.crt b/lib/hx509/data/proxy-level-test.crt
index 24e8a8f6742c..51422e91a6fe 100644
--- a/lib/hx509/data/proxy-level-test.crt
+++ b/lib/hx509/data/proxy-level-test.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
-MIIFVTCCAz2gAwIBAgIJAOXO+qv/iXxEMA0GCSqGSIb3DQEBCwUAMDExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxDjAMBgNVBAMMBXByb3h5MB4XDTE5
-MDUyMzE1MDUyNFoXDTM4MDExNjE1MDUyNFowQTELMAkGA1UEBhMCU0UxEjAQBgNV
-BAMMCVRlc3QgY2VydDEOMAwGA1UEAwwFcHJveHkxDjAMBgNVBAMMBWNoaWxkMIIC
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArcTnrpY2+DYyaO9DDllOz237
-auNMA2z86fS3monYx0feQ06cCdwA1xLNk/3BlkAsTH+7Q/Z8SGRFyzMKgbt8i97j
-lyuLuXxwWK87Tz14S94BK6HIGN9yc4wNtZ8p6l3uaIeTlcEZJpltViEc+I/9kjNg
-LK/0+s6OBuSEa6bEXJ5ecPFe7OeaSctN+7CMOS8FQJHFhH6zpq5uCcSnFS7ZxOGK
-wdjziJWn7zd3qEc01cWsR7HZrRII31ctbmDxt0suAGfIZaMm8fkCQkH24w/xuNQH
-ldH3q2/H7AdWvh6copqY5sxTAfaT9TSzOu9MaH129cz7x31+xMo64YxsUDP0yC9s
-fmV3APEGX8Q8PIgs1FJjsknV9F1F78aBFAYTKlBhgMki3Fi+iC64QPfu12sGuzK7
-eoDbtD3Q3p4NpwVeQYZ8972zwhnPTT6tgoh50MaRb6c+5PmSRhKt3QL0aUp+URmY
-SAdO8V0BI+exK5/T89Yd9c0uMn+TOUMHc5OEckBi9Fi/oOsYPBahyKAZxcERHdXo
-+mZht5kl8mBVbk2hfQl75eUQ9sWvVQxn1uS4x/j4k8mMqLdbXL5keIXGOyA9S28n
-IodERwwJdxgJ9JKw5WR4wdqeZJjIUw8qe7Du2FSH6L4eHMYOcS6nXlVM6Vl65nJh
-vnqqmW6DQ+L22uBst7sCAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw
-HQYDVR0OBBYEFFjF34ZepMQe/Lgd/kmm+fXkMFhtMCUGCCsGAQUFBwEOAQH/BBYw
-FAIBADAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3DQEBCwUAA4ICAQBza0sK8s5r
-9PBUTZGQTylDsJgj6+siu6fwEOeUwJpag+9kDbyMHUTnueO4kPbahWdVtx5rwCxg
-NqHtHl0g8GwwLJ1wX0e8bi4fNimx08W9b5PnhOzUzbZnUIuwc2q0YL3yp0yfDo5h
-2R6BlCz/2AKM7i2PqoOsoctwJs5mE3I5E0AQto0tPaKqB2Z1FyU8ArY+2jrsgQq2
-EGbEeKSavjaIiuq3YQ9zyrZH17Npryw0brDkGBOvi2jANfQbvQJWlL7tklh8j/Xa
-61/VAm4wU82P8NGM1LYjxH0Ad46Ca8cUq63Qxa2hb7igdOoUbvlSGNctgtENJPAd
-XeUt1/bxjsBTgPo89tg0Hc1UBb/msd6q8/8a7mA69GrHG6yEEVHOQDal92PbP8WU
-ajv4vAM0OxOHO3eyWqh1nGlYRmwE6iGtbVZypWgh30mKELjxn1q82+HvrKMAeS+S
-4j34v4877EC+EXRPsHw5sGpmTp4eVtuFM87gGtrFLOheGi/2JHBYdgjJkuqPDYoE
-0J4U30+xaz0mtY5hSTt6LknMQEOM1REcQ/NBovq/CsMs7vbaoNtfavu+ZSX9AgvU
-5SKJ38KFndrV4VZq+hzTOXj3IhfLqSBm1EtbTQO1W8vLIR+SK6Ct0D76P+Ht5Ddg
-Z/fMiB95hkiTG72ZnjMTvLn4U9mNFWanTg==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy-level-test.key b/lib/hx509/data/proxy-level-test.key
index e1c99879af1b..352bfa823b72 100644
--- a/lib/hx509/data/proxy-level-test.key
+++ b/lib/hx509/data/proxy-level-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCtxOeuljb4NjJo
-70MOWU7Pbftq40wDbPzp9LeaidjHR95DTpwJ3ADXEs2T/cGWQCxMf7tD9nxIZEXL
-MwqBu3yL3uOXK4u5fHBYrztPPXhL3gErocgY33JzjA21nynqXe5oh5OVwRkmmW1W
-IRz4j/2SM2Asr/T6zo4G5IRrpsRcnl5w8V7s55pJy037sIw5LwVAkcWEfrOmrm4J
-xKcVLtnE4YrB2POIlafvN3eoRzTVxaxHsdmtEgjfVy1uYPG3Sy4AZ8hloybx+QJC
-QfbjD/G41AeV0ferb8fsB1a+HpyimpjmzFMB9pP1NLM670xofXb1zPvHfX7Eyjrh
-jGxQM/TIL2x+ZXcA8QZfxDw8iCzUUmOySdX0XUXvxoEUBhMqUGGAySLcWL6ILrhA
-9+7Xawa7Mrt6gNu0PdDeng2nBV5Bhnz3vbPCGc9NPq2CiHnQxpFvpz7k+ZJGEq3d
-AvRpSn5RGZhIB07xXQEj57Ern9Pz1h31zS4yf5M5Qwdzk4RyQGL0WL+g6xg8FqHI
-oBnFwREd1ej6ZmG3mSXyYFVuTaF9CXvl5RD2xa9VDGfW5LjH+PiTyYyot1tcvmR4
-hcY7ID1Lbycih0RHDAl3GAn0krDlZHjB2p5kmMhTDyp7sO7YVIfovh4cxg5xLqde
-VUzpWXrmcmG+eqqZboND4vba4Gy3uwIDAQABAoICAGTtlieIZhsa14KtXYRLCQRf
-/ASkSnU+61Mz6SRgZkGxE36CfQ0Y9H/3EuKfI76SPWidU/ZwhtVBMGyKk9KwQ/G1
-nvkhuMEebt6DwO4QZPuj0Yg3KlKQDhjgwuG3tY/DyQJ7pJP5mRMbUC8TgpE4iO5O
-2tB5zs+SA1orhmJEdY7aCT6OYzU0fB/absv+SiO4lNNhF5kSQmRQsecIioc6NBAv
-c/mNej3dtrGxxNU/rodvjdYCjc0BSZf3OZL/ycVNbEWeAf5OmgM3P0GesLhHfX19
-4X36e2Dexv7ncFFy1EV5h8+d46SjRGLKnkNf1EBohxzTV3YSBPxl/XcdqZeX5dce
-Q6CYwtjv8tHFqx5vuo5hgwkssbDMqgdPaNFANCJHEVAFj/xPIa7wi4hnSeJCuGXs
-ts7prLqW4thnqd37kT0L1KToKiUVjxf8e1Yn4WiApfjqk77GkmTr7hZ5JWTuRu4e
-dMIdjWtF95NIEz3/wJVRlPOofpNTmIA//8btzNMOTSiC4P3DuwmGdGwwMwNEQFYZ
-n5YeS3+9AN/NeZ9m06eSQ1TRRogA5Unz9o7X2wzOdcB5luNsEIq97IlvTKFK6a+M
-ddt99ExDf8RzWnDQxad/FgcdoBn8u2xfe3eFjGMs++E6BBHy0T2TMcMEfr/S4qhj
-g83I2xhAxa3TvJCcrZuZAoIBAQDjoE1eCqsSPOzsBYVDFzgjMAvPLuOWXGjCmjmd
-2bvUTEKxvucMFKYssNp/GvPH/fwPrNhTewnC7RANZmJ82rsKKk8cYIvb/TTS4LvD
-ILsfaFpakjJ/+vuDqNSwzZLHkwlggDxbs44dydET+jGd4yoQkDI3ZrKI5isy80E7
-EvlgZjX8p6wFPi47YtTFUfiI8oNi3e7RSmT9AZe8o9blaE+0SBQTETu+rWGhNDSQ
-JWEid3yZZ85KQd/EO8AS9OUub1tF8dk+J75wXueTwqffEzFOvCgNlEiECQvqRx/v
-Bk85hFI3JIL71nsC/gaCRBMHjBtFwnqF3GjVm7FCBYaQxbAVAoIBAQDDbf2avR2R
-LZqupSigX8vrnbRLdjkKCfoyeVApMtgf/SwFbwrcMGjIPCJOHq9KG3jsdLhM5Rsz
-BR2T33y4dQxcGN6hE2udoqhtSLaipe60xq5UtPlDhKN44TleAmZH+qiJ1D5dJUWQ
-v5c2bP2bDWyXTUJ5yyjeijf97wompoeCKSAXlEUqqPiMGINPAaSkus28scZb+bKF
-+J7YcAwP0ztSc9FAVR7NNv6fGQKBtBpCgLG4eIlaP6maeBV0TbeE0gtRIITMo+uB
-asOvMZGkQki8n1nWrOmdf1icRUrzYyPtUlqO4BJUM3raEUL166B8dekbjUsYGc8N
-yppK8ytz/OyPAoIBAQCZodM2Gss1xws9jchQ7PYFweLmlkYjcQF//unOYWvFsSb+
-otN8st8poMAIM9+/5uvehJGJXqzK9If2E1l73YGKLd4xT/R1qWOixO3VmFzTqPH6
-2VveRz7EsQnEvytHKjWU/Vg/qGPONS25Zw9f+jek8D4EaHstrPQRMl+fiIHqD3J2
-sZCIBVzc1iq3d0jg3ZXR/+q1NZoNraqFNqvPMGVDT7bE28fQPWN8kyi69Y+m3LCr
-NYXlVqq53n4YDVQ10BDxl3dB3T9KxrNUZng5NtH7y0DZUXDUNOrm19R01nRYZLe8
-4hbJ9QwXi+5Gs72IRYcOwWFCwe275pZv8hzNz6+1AoIBADoeYcc86qgcKd46W8Sl
-+J0Pf2jZtcjYgsGz9jTqW//XaNoM1ev5sY+q4oDc+0BMvz+CzrR/hgE8SjmJwyuQ
-E6bn9n1sqxpsHy6w6y+frUextnKWh3Ke5YazZD4i9Iv/bVPf/NPym6eacrvK2fjc
-myi730MdOgBElrY7+obYC4CX/mVEwPUY3yG6wIIkePRMYZb2P4lmzsKs14CCgfPK
-299/dgFtzwU0j7B83ZP5Hb4dS70Si7Z9LFE12RuHaUZkuNzdkODS9ty8BYn6cdep
-prwBn9QKBEfEcXO337xWBX80eJ344TqNPMHRVFqSQl4BKtv4vxZhxoPRduVHP+r0
-kt0CggEBAJ+hD8bH6oxb4eCueAA708S88b/6xrULe7Dmt2wcADJMZS4z9bnkc6TD
-INu8RpeLUivji2qRuURrFVBRm4wL1aX1T/MxFoKkWPvp3dR0oA6qfw6KGeEpOtzw
-umneJvAumlfD4Nr6HMYGRpi12FxfhHCYfTmo1l6VSR9Wa4vtDkecqp7hddPYsL/+
-AMyTPnvimlXJEwU1O760wU1zXFKqhP85zY4GOxPS3QG6pyTSC1zpAk49IRo2CXzH
-eOHc7c/DLtJRfKCCWMm8zedEgTC37OZgcbHw3OwYUr+N58xihN9DhvZVBxmxm0eI
-FcKB1ity0sQYMAUGvDAqSodhrsSjn6o=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy-test.crt b/lib/hx509/data/proxy-test.crt
index a0d7f9862d73..9f9cd577cb40 100644
--- a/lib/hx509/data/proxy-test.crt
+++ b/lib/hx509/data/proxy-test.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFNTCCAx2gAwIBAgIJAKQmPUkmhyKnMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTIxWhcNMzgw
-MTE2MTUwNTIxWjAxMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MQ4w
-DAYDVQQDDAVwcm94eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMIM
-AgaAGNSDMgLYghbdvgtiyY4FoxSi2aJ02jC4Ji+QLWW0V9iWOW1IRNyEYRHX3AhE
-1lX+zousMm9Yni6NEtNUERvaN/9hLGJzBQMIH5grWKU4AsUZKFLAa1P/DiLh+U7I
-Blj2YESWh8BFnnfrMA2r94CYQmDCZyXL5xX5d75U5Y14isAUvthC9mbhhROu75C7
-OO2YFgMwDp0mlL02vp7z3NhbWqDxak+09LLuNwqy2H+E+qFou7mUNm1NP9dlUaYS
-tKkk6QaRe6X7tO09mYHMx5AnhsH3NU7hc8nBPIDbToRHaEXzW8gtXukXUa3KwvSq
-blqk0pWU3v/VV2Huwu4yfrzkL/Eb9Fyw6mlAP6Tui2lnqveb6xBPmyGr2UJ/pDfo
-Nd1SNKE8kfwD2MK57xwSa8unVDUQYguCs9LhdJFZ52Cb6UtfffR8OlFuzA8I7BWt
-0/Hh1lUIhTcvS6UaO3jP/7RmqmCwA6/9I5zAIh1bjSzpkJQLpEyPou9Ro+MarUOt
-YSDK1Xq5LTYiP1hZqhOkhtU9XLCCsRd5sDYHo1IsTPLLBRdU+NYjlP4qrCuZHKEM
-fLVSsMk/S8+W4nA/WrqZe+KIbgoxrQ2Zm4wTzdZWZC3ZEvF+IUjrm+nuXWTa/NBu
-fFo8OB5waYS0jrWm27FkPfZwtcWQHpjxdf9YlsifAgMBAAGjYDBeMAkGA1UdEwQC
-MAAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTZHxVeBpBui9FNbSHOWqtVj8r98TAl
-BggrBgEFBQcBDgEB/wQWMBQCAQAwDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0B
-AQsFAAOCAgEAXHVRH3wJdrTjJV0ywc1rrI1cH1itMOqzvZtbLUgMEJQuRRnRVHys
-ZG8HxNeesfTiHAH635GeJh66rCbxmJWqczLUoTib/GRO3o+NbtcvAyEpT9SXD201
-x9tVUhEb0lBmZDpnvpfaC7MF3tS/PXMurlFV5xxFRG+xRbUo7+EAQfCEuADgdlRv
-v75YrH5ShohTk5nP2SxYu6NLNqvawIb7a/GRCwD585FklQydJjPlYgPcbFW7FXBz
-nopYKJriBJdttirZ2DW0HrZyjF5FNpGIEUOxkvYoiqTOTqOhTOrm1sziS3S0DbfT
-eoMXIIV8vcFykmSh9ri/k+RKnznje6he7bt0yV3Fb+e/YnAdlxLVPCULWHS6IZtA
-g8SZ6m0pKQByH/yF3dSEzLCP9XyNUybwPIbLXq0LVII46CtjNiAIgFSDDtQ11tS2
-Ja/rhsUsSE1eRggTXSPrYSB2D5J+j5zcT35nqmlTm4ZGuG05T/yh6c6UCwA7hXmj
-YJxo+1BR+pNl6Q83mvPDKnZ7qkZdxCnuxkPEShatf5ntAxVVZPsfTbDwwkcMSCJA
-Wvp2/2Ss6rv2o7+vs2AbygXdF9H7QmOkJj1TgDKwDTkFOLvgggMHZOSZBef8Tluh
-gaX5p1Zxb9fvAhkTiSdTuos1YMPuu2zeQTmWXJqtjpGBJQBnDTA3b9k=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy-test.key b/lib/hx509/data/proxy-test.key
index a94127e88f68..fc303ea6c1a5 100644
--- a/lib/hx509/data/proxy-test.key
+++ b/lib/hx509/data/proxy-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDCDAIGgBjUgzIC
-2IIW3b4LYsmOBaMUotmidNowuCYvkC1ltFfYljltSETchGER19wIRNZV/s6LrDJv
-WJ4ujRLTVBEb2jf/YSxicwUDCB+YK1ilOALFGShSwGtT/w4i4flOyAZY9mBElofA
-RZ536zANq/eAmEJgwmcly+cV+Xe+VOWNeIrAFL7YQvZm4YUTru+QuzjtmBYDMA6d
-JpS9Nr6e89zYW1qg8WpPtPSy7jcKsth/hPqhaLu5lDZtTT/XZVGmErSpJOkGkXul
-+7TtPZmBzMeQJ4bB9zVO4XPJwTyA206ER2hF81vILV7pF1GtysL0qm5apNKVlN7/
-1Vdh7sLuMn685C/xG/RcsOppQD+k7otpZ6r3m+sQT5shq9lCf6Q36DXdUjShPJH8
-A9jCue8cEmvLp1Q1EGILgrPS4XSRWedgm+lLX330fDpRbswPCOwVrdPx4dZVCIU3
-L0ulGjt4z/+0ZqpgsAOv/SOcwCIdW40s6ZCUC6RMj6LvUaPjGq1DrWEgytV6uS02
-Ij9YWaoTpIbVPVywgrEXebA2B6NSLEzyywUXVPjWI5T+KqwrmRyhDHy1UrDJP0vP
-luJwP1q6mXviiG4KMa0NmZuME83WVmQt2RLxfiFI65vp7l1k2vzQbnxaPDgecGmE
-tI61ptuxZD32cLXFkB6Y8XX/WJbInwIDAQABAoICADcofKbmYKh/xoaCjq/7Rhss
-cIibV5j1FZIVTzRMFCavAAiJ8/KP+TD0OwbH5mPRDS2Yi6iULpgLUabO9N/cn/5M
-RjS5mfNQ5vHxKfqLo5d4stD8E+V82jZzlc6hkJ4fx+M5/nvpRMIaW+oun/YMd3Nb
-b5YxMaUZfYKD7GMVr5D9xuao3h/thbYpiqsB7fcDYfutDGiVM6SiU3UeU2dZmWPL
-g/pINYHMPeD8WhZGmoTDA8Fzxl59S+dblwEI1V3f4g6oAIyX/lksn4419178hJcd
-45g5dBfMsm2CrowqDo2+SRpWxfAkVfGX3AO76i7RlQtBKu8/LNDyKVVlilo/KU9X
-eFstgoWDaux1ffezj2pkxa37wEaQIlPTrxTBZDB/ZO0+JMzvbmchLzBn4fY+1sXs
-CnPdAA+Ls1UQMCGn4jfdIS1B2oBrA58sQ15YX4o7El1NvAQ5CbAOob6Y7TfpWhgR
-2FKOxaRuK5Ep4rFY6bAKrSMigti+PGb1xx4E12hondwuEl15s1rIyB0/qjNQy4/D
-VVjujBFBbPkexI9UQOzzh3bXSfYNtYiSAEqpbp9aYiK2fKMIE+pjWivXaJH3Th61
-bxKZwIsMBBcNa/S9VPiAFL5hIab+WVueI51M9o+eWYIADPq8SgyTqCryQpEyKDic
-UQgM8EMSYnbttvKPE7x5AoIBAQDh4Gynf/FuZ2fbidv5UrnondQerFNfpCgco3gl
-dwKIWfsT/MRrCsv7Q0j0gOZ8C3RjkXzM7+ySTNuGki+XML4B60k7Vj2m/Q1nHffp
-nZUzY8PYctt2GsKnf1vi3X8NN8DsIHi/rFZu10ots5WGRnx4aqogZ0e9C0e5QaFL
-TwxKAYre/brg4zHorgkRCKQFyJkDJcupgUFbgCZvqF1RdbUzQFsJWHci1X5JFSxM
-FDnj7nOm3Eu7cjOMiL60+xHFLoePAISGc4XJvz8sWZdB04yZ+5GeCbOJ2gOiiFiY
-/3a7fHKrok8THu1cChwEjRsJwHWNvslMY7IbEEBBMIHxTu7dAoIBAQDb7OUluo1i
-7OsnRhF+1xGiuTOyeY8+6r1oA0uwHnnMUBjBV0YOWdqJp52tJsWnEgYbYc48P+oP
-h6ljcPH2glPlPQRbnet38Wft3q5P4LqiD3sgfRuu6yw+c2CZwlWeK93ft248QV+G
-v9FEQq0nC2x/aBNXxrWY4pPEAYaWYhG6D700X7+7EyKKgpVp1Gv528g7pTi92k9f
-8Ut3F3hJVoGwTpcyTnz+S4xozL0N3LZQjfw/OgN6UXk/prMj4yUlswWoPkUN/LR3
-xYcOtmPkmiMwXEN8hDCqaQWAfqq8CRCy/iRha87e4Xg9YeNQvVPODLmxkCuP3H/K
-WGlecH+knverAoIBAQCnI/lizLLrfksE0fNbf9KfhcKD3AJpwEAKSRBLsM/H88Vt
-2dnCV5/vUq+2dXeYDKXYU7zkrRkCfSroXl4m42OGagOri7pdSd1UE4HydbAE8erm
-zL8GmvC1HvHwYvRz5HC2iaSwOKdQp7B1NvELBjdup4cyKRqVkbZGKIFhB6JRVOjc
-7yYM6TFyOu3sk9dDjFdlU99rk4C4Y5CNiSlccNxfi1ySAstNlGs5SxiXR1Q7DKS5
-sUO89dmdQUbVBv/0R+T5dWmbT/qM+h6WA8mAZTkibFwpdIZNGG0eJQRiWo8SVxlH
-VfhrbrQ3KifnWj7KrYaPF8E+7HrLue/CDVHqLP1lAoIBAAfJCxOa1wZ5fJmXUWc8
-FdO82qemxftkM/BKrZM+gPFKpJWzkTdQ1vuog1xt0vFnIfA2NibL3G1QUB7FEMu5
-MV8cGdtka8GDOjqhd2o8el7iTWmJBEHc8WQEkZbf2kgPJXuV8sEPT2Jlx/KyqY6I
-SP75oDWrQyJ2YuS9aRZJwnbjt77y5Maqlr5wgPmOG4Rs01nJL4kJAWZUFGfS3N87
-wLuNDK0rOiGGayIKnWawOYQAgr16QEVEPRaTwCO1FsuO2tRp3+fu2jSjOXS74C1n
-h3dezMTLqS1fKmKyGTku2Ph9JqyMNHaPZMJHhNSG30CcErbGc8RT+fIfzxsYwGwD
-dKECggEBAIk5NwbiRe8EJmhLlHUuALYrzBJDgTSSNwrqUBt3lyP46XC3dAyQavzy
-OX1Bznr1AauC1w5JEfr5DHJ2MeRVR2V+Spb+5e7KQGemoe3jaM3724smxfhThW/W
-+nmiJ3Gk20lwBVBDZ9KTBnptg3zr4kORlNP2+EooYj/1dvzkflwDm2dLX8taSn8h
-d81XaKBBwrNi6MYBYLDzw/tSbCkMGWK+odUguw+X/IDXiFcKJ1J2lRelJxdv6h7g
-NeeTX0a6esQQO1MMTIVZSib5CubwgMhz18XvMA9mkcDjzifFhCrE7P1KlQLUYIGx
-lUR8W/if6GM2wU/6ijdEVsMAQJUI5cY=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy10-child-child-test.crt b/lib/hx509/data/proxy10-child-child-test.crt
index 9ec7112aa3ee..a606da6ef85a 100644
--- a/lib/hx509/data/proxy10-child-child-test.crt
+++ b/lib/hx509/data/proxy10-child-child-test.crt
@@ -1,32 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIIFeTCCA2GgAwIBAgIJAIZ6hp81I2P7MA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV
+MIIFezCCA2OgAwIBAgIJAIZ6hp81I2P5MA0GCSqGSIb3DQEBCwUAMEMxCzAJBgNV
BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAxDjAM
-BgNVBAMMBWNoaWxkMB4XDTE5MDUyMzE1MDUzMFoXDTM4MDExNjE1MDUzMFowUzEL
-MAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDEQMA4GA1UEAwwHcHJveHkx
-MDEOMAwGA1UEAwwFY2hpbGQxDjAMBgNVBAMMBWNoaWxkMIICIjANBgkqhkiG9w0B
-AQEFAAOCAg8AMIICCgKCAgEA5rd/XFWt7tSsRUHIdPgK+CNxME9zqxPFzb0MpToG
-3BJmFnhSA+1qFigBNHEsESN0pCG2nn/j9PXFflYOEvhcMRVd+b/dhTkyrmZScaaG
-4/hrQuHNW/k9CXsq/FEQbWqVxiHbs7KNjmHHYHSdmZ9Y19qS5kTFEE7ma2hySyJr
-7yQ1Fd9yVJyzUr4dSkxx6kGh+aILgVbNqSrd7ElBIhPMl4Qd4UVLadfFyJYmxiG0
-Gur1wXDUN4ElCh8I70elpjQH0fXmBG/FZl8zdMJVnQMSeFG2Ob42Atu/4Ndz0N3w
-9+4hVQW6v8C4TbPRaIYyUB8Lt9jxZWmOfXKAfEF1uQrZaFttQbIBNBxUmu7tRMAQ
-4OEUbNTFJ/+ErhPHHStIx1emP22WaTmQ4v3qVPr7REYuNKBLsLUZJd6qTftlUd79
-x8E81aJaAk23QW+0xldVlt7bAXF02iy2oZnJcj9Uwe/l6XQgHoPuG4Lz6q4OA5WM
-ROG2vgOtu6phY5jY16YiVvMPocW9mdJQCjRAbIGFpmUeYiB6wWr9EGZpp+RVOchG
-zS6GJCGLgyxcxHWmGYSNvdMnEacyXiCnC8DQZMcgVnqsDFBsM6QyICwXZr72qkU1
-QiWswudnspE+hw9xgceZqzNpAKhUw2skiLZOO0rnpLc/Rtd9FR65Hnvscz9Xu+p9
-pCMCAwEAAaNgMF4wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFLD1
-SUEhi6VToeKjUn/AKcXzGbOFMCUGCCsGAQUFBwEOAQH/BBYwFAIBCjAPBggrBgEF
-BQcVAAQDZm9vMA0GCSqGSIb3DQEBCwUAA4ICAQBy1ZfOf9nkMOa4p7Rm2uzJ8hn/
-7htPNcawOUlSiq0JjctHoYBthHAHvUrrkjjR303c21adSdjs1KusOn0sbynaEMgP
-dU2tiLn7/Tb6bAAC61vvBErsqzPwPQJX0/M+qdoqop43DG1Pv53VR5LSISjXB7Sl
-oXbJs4cV7oksxWy0eeSa3IXFEnH+NhmHIC6MtpHqRAY0dXS5IWWo1q2Hiutcdd2l
-Nc2IBgIY38oM8vpFoQp0Z9S23WIBZzKJ/eqyYZewmSKLnJ1zPvlDJX7g9sIDuO6T
-SIod413DgFYSqKAv1u8brT1KnTytyxRQOeXqLTMaJEGB/u4z+CH5Z8U5WlA3X8IO
-dHKAZM4LhGWLloyIGjSJ628Ow8VVdP3ptkKXJ4cVka92SDocCtsEdXFYoU1NA6U1
-D4VkExZTVN1sLmIsBiG8i9O8VltjMpPYvKjlUaoezCczIuEFVefuNpYLx7quoIry
-8FFW6Ccw/kMSgAhaO1l0OlMVcuZTVns1/fmAF1eOscb5ud7u6YvqQeAbouPt3I2d
-eTFG1EJgmfG4JjqTWMXIJdt2VuLutMPUSPAZ0pM0pGsrHW6FVzgHNFlgrO6gOeUq
-ytDsdPEy5H1Dk6dzoPzbfSkMQ7a6HGf1ANeNLsTXV/0+kn/T/RhZAjjRQLWeRzDv
-N0angzihXX4AspaYJg==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy10-child-child-test.key b/lib/hx509/data/proxy10-child-child-test.key
index cd3e0ad4797c..7a5560171f57 100644
--- a/lib/hx509/data/proxy10-child-child-test.key
+++ b/lib/hx509/data/proxy10-child-child-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQDmt39cVa3u1KxF
-Qch0+Ar4I3EwT3OrE8XNvQylOgbcEmYWeFID7WoWKAE0cSwRI3SkIbaef+P09cV+
-Vg4S+FwxFV35v92FOTKuZlJxpobj+GtC4c1b+T0Jeyr8URBtapXGIduzso2OYcdg
-dJ2Zn1jX2pLmRMUQTuZraHJLImvvJDUV33JUnLNSvh1KTHHqQaH5oguBVs2pKt3s
-SUEiE8yXhB3hRUtp18XIlibGIbQa6vXBcNQ3gSUKHwjvR6WmNAfR9eYEb8VmXzN0
-wlWdAxJ4UbY5vjYC27/g13PQ3fD37iFVBbq/wLhNs9FohjJQHwu32PFlaY59coB8
-QXW5CtloW21BsgE0HFSa7u1EwBDg4RRs1MUn/4SuE8cdK0jHV6Y/bZZpOZDi/epU
-+vtERi40oEuwtRkl3qpN+2VR3v3HwTzVoloCTbdBb7TGV1WW3tsBcXTaLLahmcly
-P1TB7+XpdCAeg+4bgvPqrg4DlYxE4ba+A627qmFjmNjXpiJW8w+hxb2Z0lAKNEBs
-gYWmZR5iIHrBav0QZmmn5FU5yEbNLoYkIYuDLFzEdaYZhI290ycRpzJeIKcLwNBk
-xyBWeqwMUGwzpDIgLBdmvvaqRTVCJazC52eykT6HD3GBx5mrM2kAqFTDaySItk47
-Suektz9G130VHrkee+xzP1e76n2kIwIDAQABAoICAQCeoD0Vu+bZVSmYeHEdUskf
-8CZLY+UQE4klOjyugSXkO1YrTtB82MfeseSaLNFyeyEgE/neIeoWKsB9aydEDbQ9
-Hwa8xxjEFx5sX/eBIlCN/ueoVV1/Re6cTS2xyv5zbBvL3M2UUEgZQ8rz21ncHH3V
-8vabEV84JjcwU+B5HhJ9mjRRdI7D8/UrB4FV6xdLS5LU8n/cjlTaYZmxcnAwwNIi
-vnhYwO7nt63Jisrf4J5W/4K2XB/chZN00P+wnF8c1Zsm1V0vYbWj/AKB3XdFe65A
-QVX7f3bdIj9blGaRjXa2z+fk8AqE+jj9W4u3xMRk5+ODpMnbwuZwA8CpLcyFzBrK
-4gWQlZztfvvV8+nIJRo9BNOCtxitsEflq9S9FsfOE23H78+Tr43iJIikaBy2TwjC
-HupNvpuqCSzwBD/Gqkd+zAsZmYJeqAduPyAqUIRDjcnR4srpzU5UGmrSbYCCtRT8
-pnDIUoktcV4GSlpZZRoImpCtX6qkr3JOoDuTaEhqFKAy3vHzzyJYpkBWlPqRatZ0
-elw2zVjmbgaBGkBGNU7HU7pwsiSl38CXVrxv613IlRBTTGyThl4luuZoVxgLEHwN
-c3quCQ+O9fNcD9s/8u2Y20KcPb9cr6eGl1Klj11VRkF/DrpQqUx9yBPnmFxZQD2G
-Vw0piDNSWEntLu2xvASsSQKCAQEA+Ee3TdWSh/tLTw5DMcoZTrUddtEyiI7Pm8li
-LAwxR63M1SebhTD8cQOijGJ70HEftUn0DRlbTYUuJYcH44mHVCmm3crz42aIC0Xq
-yiDoQIGsdhsusRsHqIELUiOphMIlt9Yj9H1r1FPfLNioCsmigZs2soSbBshpUr6t
-VMr1DcDmJdeIk5eiRtnpeTB53fhObMuYN7QbB+NnQyqldwTVX9LHl/Al8QTnuF5R
-m1tSCNV3EeMGp1asFX5C2noDZkXYy3XXp8nmPvOf7PgyexjOD3l6qdlGWKmAsaxT
-NgTdMjidobgmNUsXwSJ6PVpJOvokCdfTQRKMW7a2nz4qDW+OBwKCAQEA7eP6oItP
-yjxGB6wrEKV0U7KEbxMYJ+IAVOZ1sR4SbYKyncDf8msbKfFshIJrI1WpXVCgK4Wu
-nvIEymvga7fsQKKiqPhMYWgFr2oSRAIt7BpfQY6VWjYpnzQXf4drAZjq2wAZQVzt
-JA7RYxrCLixRAJ+oEBo2MxlznW4zlzT/C0w5fYtGDyYU6wl6rdULOgkIGfgMFd+2
-CHCK/szMhUV20xIrwlErj/im9P5uBqa2+UJkf1LOwv+YLTKgqE40Wfk1eITtK8Ol
-bXnZstAAIyokKq3j93jr9O0kgdchV5vEOq5JJroR9eAguhMJOQbhQGfv6U+xBWkD
-1hxsXsULETmyBQKCAQEAqiT7iWuDL40W3uZ3RfepwDZ+Kp7ScqLrw2cO0ADLBMQm
-Sy0Jdw1K8mf7TRlwoDfl8ubrSM7HsyhBp5YR4eytwQ+KOxSKbpwlPxR7Amnqv8od
-1hJqvRQ4+1Dz4SZvVXt3PbSSj0okSy3vE1ymTD5CD2++3DfjxZIyG3Jwdltf9Dzt
-e6FpBzwzCTrstRBzc5pmpEgh2Iqku5MrgOwI2LeHQlPAVG9OkQ07fy2j30OFxGgF
-YUyjkqni5BfS2MYk7kGPgF8RmvrRvvJV9p9geNtW22P0m9E6VChU+W2O2MYcj/4c
-iGcaSAteDA0EmGb3KGOjrtso+r8rUO612AtR5kM8oQKCAQEApuIS1QNF8zJ7UjCW
-eXQIehq2yxETFg92ehi+IYVeGhLg6MgAkphOkwr5PLAdJsmWKY9A/acnS/uuHq60
-3fxFsUYmY/Dj7EVED72SmMEKpCIQBvZWkdWDN1sczOsbxyAWSZH1JaRh+7SlcSe5
-ZxjRrmVSShGJSimlsKA5cu7LqIpNnmPQvxnQ/N1GgaH94TWqyET5fXLVyW/iIkNb
-inajmAicSBIXREWEIkRGvUXBAHVx+NwHjkYt5C8rA0bxdNjdiPF/S/9REs6zSLyg
-DAspGgOo89eRd93QiYF4s3PjoeLYEGHh7aHQc5idFLNd24fOhtbP8WKtPUvtPkJu
-tCPMXQKCAQEAs1/6EmojSIvZB2HjE2AGPGxD3hktqwUcgf3s3xD0MToSbdBVVgc6
-ZeIGQjtfSE5sVhxi3E/lNQFPvwLzIO4HhkOsZ6DRhAO2mixuZwaniSv0v0zAhnxU
-jZoY+mAwhUTM47Bs6Q+G/WYhJHocAG/Lk1ChTSA96bwJaB0CzObnn5loM+7FK95y
-waGm1RXNgPSQaQMylLlrO/KKj0X868PuDgD4+u795G6E6WBWvRGiHrDH92v1eV5J
-u949lT7ltg2iVBUQqENQeHMtomAkeIGGJRtAMjn4QrtbC64UEAPbTd8hYoe3q/XN
-eyMm+IBLsR7OBZ2PvfCkhvJ3qDXzx1+BdQ==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy10-child-test.crt b/lib/hx509/data/proxy10-child-test.crt
index e759447a3ba7..41cb81455e7a 100644
--- a/lib/hx509/data/proxy10-child-test.crt
+++ b/lib/hx509/data/proxy10-child-test.crt
@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIJAM764JrT/2XzMA0GCSqGSIb3DQEBCwUAMDMxCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQxEDAOBgNVBAMMB3Byb3h5MTAwHhcN
-MTkwNTIzMTUwNTI5WhcNMzgwMTE2MTUwNTI5WjBDMQswCQYDVQQGEwJTRTESMBAG
-A1UEAwwJVGVzdCBjZXJ0MRAwDgYDVQQDDAdwcm94eTEwMQ4wDAYDVQQDDAVjaGls
-ZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMyady7cAVLnQae6jZG0
-QWzGcIa+0EJdjG5PyLmw4nJSAWBno68VmIPzqThNPn8aHhJ28aMYdS/oLyi5+Vau
-afOvG7gOW2ayxmPelafk4J0Olbg+dHG0XzfA6Y2Y8gBigXtVR176GR418uy31HpO
-O3BnlvJFU7QkBr9A9zROTnlfUUw0mN/io9I+LAO2GsbdFl+HTbx+T3LDKORf4jWW
-suHBFEdwm0piJbP5nIk72jLp71ulubi4j5E0tVElv0DpF4FaQeCRGMXOfTYwswar
-qg2TzXBTyeq+Kmuk1hslrphEVu1IZc0D8+aAr/hvrsI90oyTysASAfoCYKASnZWN
-vcYi2Vt8Kkb1f4sxISqtm2PmHllD6grHdK1iKfoa9al7VvAu7sGyu0DF1uwmyehJ
-1FNnQl0BIbFlfXiEVv6gRAazOJkxGO3kjneFVWffFwv9F9chdSCcMKO8USOV2qey
-ySHaO+YTP+ImXD65dP7Ks9r1dBKxcU5vxJG0orHSiwstY5cRRqDeKatRdJ1kOavc
-DWTlz/MJkMS8o5QNjsvWd+a8MkW0rkjYIuPzNHkg5ydFtm4lfRj8tZkJ56M8B5Oz
-KFTD8JQ1PgxyPtzC5gnOaDuiTrmZQd+6ob02nvP7S2PgmKLyVbb28987/CG7MczD
-g1BjCYRGsQnUcnvNM5EuMNlLAgMBAAGjYDBeMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMB0GA1UdDgQWBBRtG+s2dgue8pi+jKTQONY6Gu0vdjAlBggrBgEFBQcBDgEB
-/wQWMBQCAQowDwYIKwYBBQUHFQAEA2ZvbzANBgkqhkiG9w0BAQsFAAOCAgEAcSYX
-JZ8+DUUab6RvbRAxyK483Bw7DbJuqFy90zy9RNDHV1Og/YdEey1Qvne85sVhUGhb
-PLCRyM6dgT7BRsyBT00CYFp2sjETFm2KCkEevpfUgpbdYmxccV4vlOMguYJ6DWn/
-eV8OBOkdmc4RxZ3ibZ5XvNbs7lR5B01qHviAp8MT7+QFACCnC7gpD2b5lv11ZUac
-STkklsuSY4nPBaD1NcgysG5EAUxoP6x1J7nJM4ukb762H0/svmsaYSo9kk6KGNXM
-D3VbPCF4huNJcT+GkdtFfUmFHKC7yVekLDhs4Nh2GrOLJii3alcZXEOvq2TKq4No
-Tl1nTLFVLZ9pMsWzL4aDySYGPpNDZPvetfqGprw/uLohgd6k3eFdnWWBkOk8jX7y
-V/wLTTQlQHxMENFwj/eguEI7Kav8UcoZNaRWIjUXyZ29pzuM+aRJ4SFB21iq/vTR
-mqTB7I20eh4dcjVpytU9KeQkWhhvxdiUj7dfgIkSViMG3Cy9hvu19S+nUZyvuBGQ
-TwAGQlzfc5hEBbV5qBZhF/iOiDZJfBFcrULke5FfmFE6mW23eSwisqV4l0YfpyBw
-nAhC+u25wG1JC2xXitBLqDnZqoFoX7dSzEMG01ia+c1yn9sK9mRr5ahas/QnSSC7
-2C0QAQMNb+C32deKlAfuSbtk6H5Mwf2YmArqQ38=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy10-child-test.key b/lib/hx509/data/proxy10-child-test.key
index 357de74a396d..7bc4a02caecc 100644
--- a/lib/hx509/data/proxy10-child-test.key
+++ b/lib/hx509/data/proxy10-child-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDMmncu3AFS50Gn
-uo2RtEFsxnCGvtBCXYxuT8i5sOJyUgFgZ6OvFZiD86k4TT5/Gh4SdvGjGHUv6C8o
-uflWrmnzrxu4DltmssZj3pWn5OCdDpW4PnRxtF83wOmNmPIAYoF7VUde+hkeNfLs
-t9R6TjtwZ5byRVO0JAa/QPc0Tk55X1FMNJjf4qPSPiwDthrG3RZfh028fk9ywyjk
-X+I1lrLhwRRHcJtKYiWz+ZyJO9oy6e9bpbm4uI+RNLVRJb9A6ReBWkHgkRjFzn02
-MLMGq6oNk81wU8nqviprpNYbJa6YRFbtSGXNA/PmgK/4b67CPdKMk8rAEgH6AmCg
-Ep2Vjb3GItlbfCpG9X+LMSEqrZtj5h5ZQ+oKx3StYin6GvWpe1bwLu7BsrtAxdbs
-JsnoSdRTZ0JdASGxZX14hFb+oEQGsziZMRjt5I53hVVn3xcL/RfXIXUgnDCjvFEj
-ldqnsskh2jvmEz/iJlw+uXT+yrPa9XQSsXFOb8SRtKKx0osLLWOXEUag3imrUXSd
-ZDmr3A1k5c/zCZDEvKOUDY7L1nfmvDJFtK5I2CLj8zR5IOcnRbZuJX0Y/LWZCeej
-PAeTsyhUw/CUNT4Mcj7cwuYJzmg7ok65mUHfuqG9Np7z+0tj4Jii8lW29vPfO/wh
-uzHMw4NQYwmERrEJ1HJ7zTORLjDZSwIDAQABAoICAQCG+91nf+QrssBBDTW7C+Yi
-AmVYsGircBZm7KIryAQNkgaweI+nwiKl40ogB+4UYsG2Qty2Ujt2CMOcJd3XDyh9
-iWhLLMWmYom6d63aX4jEdUvXivS901cCbHZpYZ8/G737BU8Z3PxXTxZekAVRT22t
-gdo3Kf/IGACPiyfMTWE+d+El2omFI3wbB8N4C1ttGY1aJuTlV5vIxfKjgJK38h1A
-DWb4ntUE5O2k6Cga7e7NqkKs/xAhSzoEfXal+7ZK97z3LPnLU065qbo31zc1TmnZ
-nUprMgxDn4RTEiPjMyAV+vgygZIQCOyPhRUTXXM5WRogfpzDzN2a+JiQ4tcuRJ4O
-/AnCmH2MSwrTsnV1W/IgZo2/Va6eyqe3jfoN91e6q4jmoVvEyTA7oaX3PzJRggP9
-yySPLTiWJPZTgp7i8eoePdaDs1xkQyj7cX64+PtSwcf9GDssWsSUpHVtIgtZLYRH
-NI4Z+nSSDqDQzC++cQsaODKYarNmvIgIaFxGiFVnjlSk6wXFXpe3IT2I1Q02wvxr
-lSVlwwHOpbaTY+oZNE3XTl2YXx2VIVGZpjac3Bz/ML/jty7AlW50NKHgZulG8Dt6
-mV8daKR2YJIoAKMramJ9+h/qXAcpJmQQ4yqnGGRKjweVFOmxCJuCjmkhkkJ9IC9C
-6fZxzPMWcNLzcDoHK06RYQKCAQEA+I5U2Cm0XLU+TYOOpXIOjNJjOU+jUM00CD6o
-hWN54ArJxdGJjmk6V6y4ZY8mYV+PhDJGcop2kzeuEeJm7wlhSZ1nMWUVZ4bB3E25
-YAboVnAhk8uP0LVT/8O2+ENRX4WFXE4GKjytHPrHZ33rZtLg6AVJscsXg/JfKSMz
-NxahI0zYNdNcifXY8ekKvJPC0oCr7TuVp956Cc1OdSEx+j0iDkqcYp8ipDEf5GoA
-MR4FTyamaom/A3wC/WihzFmfSpB9HdvUX4uGwgaAtTEGMQBpJRcNCtZdtbrzwJnS
-ufPpmdr4xMFD8+BMcPzah8j5rOQBY4NaUAzIkKeoMpcd0OKfsQKCAQEA0rsmvfVa
-mY2mDjWZUtsohh9lPo8Upx0Ggxzn+8RMzQFtiUqns+/B/GdoGyVtJiYB0XzXKehz
-LD4+rgFK2kWm7ze6SSr+RaOaJi8eH7xLq2AjfZFhoTIAwIlpkEW2A1LuITBkbW9j
-1v64ssAJpUuM8/ljg2/OImCQk922uLRCayp+/CoyAHCJLgyBRhDy2NNuk/p59Any
-OFzgPsiTAejcigTq/AqQpgv6SDW14zdvt6De9pm2Cq9xYWUPaqkYNwJpsAGPqH+R
-Ncwigo3b9CWJPpfeCAT2qybj8ZE7yUzNeWqo3dnalXFUROpUi0rYUYPGqcg0340K
-+h3lBaVFNyEjuwKCAQBd3AGWD0mYqKh6RO+c8lEkRF5LyhL19EdtxZuFo2bmf6xq
-ExJKwNnTOdn4H/JyWs+rMAECR983AJOvFTuhkH04e0P4lx9aFL0oIAGcjX83BOjp
-ErmgKpkpwBJb9a/IznbpwFz7niYRB3I9VoOKNJ/Rfg2yIesjXGcq9avlZZo75kzP
-Jp2PS1M9Jq9zPqkXLJe/4fxFg/G5udmiyYJB6MvvcaVUaJuAPTy52H1yDtAab5Hw
-MUv8WNwYLWbL8BwC4EUe/WBZJCsjIamAwp5/6pPJ+cZnDUQd2Bcr5+p3ZfAUtWez
-hPfQJCc5k4JCPFZsPz13AqccC3fBiE4vrHkJ5EpBAoIBACEcCJ1GBIMlz1ZiM4Hi
-Lz7LhgPLRUpwdAp7qzNSh2Kae9RbZ3gNDqSStre1LK4WwKhifgf2nsnvybdbOqCK
-2wyw69L9L1BPwTOIqaoA0r7NbyYWholmKtoVfQGPAmcJS6LpUI4lN0Gbafej1qAi
-+7WFlI4dLf0WwQCKkF/66oid96+1DYAmLleO3Wzd0togdjpH24ttWKJkbVNP/lEJ
-fkUtOqJ5InsEXMGltrtJhYMLgpyqUADjyeOsljyC7uwNs/9Ub3bg/DbAqRdsJIf6
-sdKk19zYssz3Yk8dK5CYQZx3FqssxHxAfyYIz1nHW6+LDda1PyF0rqnXspkte2+L
-BGsCggEAPMUwXKXsMjE77m3jhGtxPGFk6mGOXeVdBjdamuRWcdufqDP2Ctlb6+ki
-gXsotGl/lV+ZQp88nXkHqmhsCIBHDrNLw8um2M1cLernah2qzfNPMqbj1UAntLud
-bYCUoitUFxnkMietqQtEpQlVWDazlgxaWp0AZU4iSfdhxmD+QRSBp14aBwJ+InAg
-HRYkelR8EBB5KU376QOXBViknRBgvW9yieD3n+CkFGDNkQII0D7v9gNXYK2NbVYG
-IClPaF7y+OVlauhIRaRmRjF4a49sssKd3qLNT34sM/JC2G3XXxyX+zPhDjf6dQLP
-wVvqDgPCDWKi204uIah9SC95JGv/BA==
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC6cPXDCC0XAM4h
+KSKJUA6MvpDlQcdMV8YyR5ehrr9rBZaNEFlPch2ZCXHFeUgRp9L28EwdbjG8BV/a
+qaBjohlTLgQap2vPPOZ/rgT9BxFbq8ZupFBj4cGpgO6b6x7iz9d8KjuxKlMttl7G
+GgxTPbaTet4rNPfG6te1vEX4ZBylvYecRKdMvaia1TY+ARnwHCGOKwQHesdO1AWo
+F0XW4pK9EMm0OVFJRuqBj5xgIVQx0gS2fh2N6wt0fvK3fiLmS6Q3pFqNcmNBNJAU
+Zx56Adow5xDumEi/uPfTlEUnrBoJcHBMKwGgg+0TbC32l+AW7zNtxZ6delrFH56f
++f/aBTsucrc52LKHd3T/xr7v2BbFdZuZdhXahhWX1nFJOpr7C/NhA1rDUE/KEbF3
+3lIAIk7Dxe5nXpkSpACsQfn0Dfo0p1xrc5iMB/zZ84R9F0geb8IP1IS/01FCmDN/
+MEVyaJoh0EmD5AknR42vjBmryxWnUEqWcOiwSrScnbLBEHdJ5NtSvPdXFHenOO01
+g7V8hdScGyjKZm1RioqI0tU/3pHJamXEXbTjMQw/fPHS8jHqkoyaxaK8RRHE12j8
+eKF6INocH3drD7n7amApA58iDSOPgKETUk3YU4oEMAWrn72skgO6FLQ2Tg+1jL/u
+fhGIgMqKpYM1zazIRliUQ77VBC65GQIDAQABAoICAA5i4wPeoKQSwtUaOHkB/W1s
+0v9tuPQyHbAJiDDIrCqU7s4Jwep4csI5UVcciawbGBNH7Yej1iCdBY1441Bs1Klv
+do+b9ZyzJVIa2nWv0u4Q7inhcfaTF/99XGwZk3OK+CSzmZGNI4f2d4+vuN2/eFQe
++f+5gZkOzABQ+9Ez4GYFnu42+fXY+Kah5yKXsSmu8gPnW9M77R8vCxSyXwg6yXnf
+TsEiXxxZZYUD0Nw2FioV+5kdWCh4R5UAqrfv+r9sfMpyWy5o8jG43ZlFb7uYYv69
+BbhzdcGdgzoHSeLKy+OIkpG+C80YAPYrtcw+YeNDJ+PDiP67zz9Atlu/zbdEChHk
+tazsDmDqv6ML07X4fPrkPi5PRMN0AXqDz94nXKEAh9fvgrW7c/jhakNgHWX039Ph
+5fGD09GjKUkzHr7zIZ5S6LrBrb9BLe8BiTfaZGqpSmRFEKxGwCr15k5w0Mzj/UpJ
+Ftcr78u9qthfooaGYGMXiMWZy1138TD/V6Kro/ajMUDhkmmXNuJghDBAQOhHUmcG
+Jldth0gwgyVzbQDpbEhI0ZOL4urGyNqylMmfGkN2uAfBfp0TnQT+7msru5BpNqnW
+RRAplCh47TpUJ871P7Tm5bSS4SjysfaFXiG0qQXFUSzaRFCYFkzMRoxHV1PBXr0X
+/ZmU8r9MtwRh8O+tXy6BAoIBAQDk04GAIlhDBpHmgCPWKTQ9GiYGhXsY9Wb2rbD5
+VaPdF46RW6mHDUJ+SMvNpwGZGfe59Yox1PJG1f8i7B+UCMZZFShttdBGuKRCH+aJ
+SIlkBmXK37ikAQREU+hmp0/mbMgq8Lspsjrxmlmi8rsLRKyHlAK3AUAoC2KqoohT
+dLEg3uY+5UzpkZQOfeK5/+DaKXjjkHE6dVkjQm0pNtXHJsMQMvcjfH1T6XCuwUKw
+zN8aOfvy/mFv5eOJazhAOZ3+QlUbOWh3EpBeEt7Sqqo7kQ5BZZKR+jDjWZETONya
+aYQetRHKnFlYWjewpyp+z7SDPNHcXqtK57+QRLXyrOuuQg1RAoIBAQDQlOs8TOht
+dJChYks2eiC5sQ8hC0ybMi+x7lJ8KALwPvf9VCKJIri2BxTvxkbC03YnUTsKlCm6
+7Jgkkx3Vy33FCXfaRhwLHaAuA+DwfzMn7WXtP4MJoKWyOJEck5HJzKWCqetdf7Dh
+ie/HsgtH2DHqljjhSleEYWVBcjoXVwWL2ctEcl3qr1JSpsRp+TadnIpoyDVWWszt
+xQwXpmVPs24svwI0x7p4Q2JzTAqd1oM+o2P48eFThXOobvRA+XGvucse0wWm3N+T
+4p1LbH07fguriOGqHea5ZPw7spURcP3CFEfUlsgiKUWjonuCvqjGGLV1U6RZ83FT
+S9o35O1Rut1JAoIBAEXL1dZVo4JeQKaEM2ohi1OP5EVc9Z05TTy04iRLYP4RL2Vb
+BiyxeLS4U6HY7P3cE9ne8VYd1ACTSY1HZKJswsNtVrWQHYVU0JVy0YjSXUXrRaVJ
+9DHiNYD57wtQwWhRigS/BPfE64HCSNERJMhdHBsGpIVZlk4gmundRaPfFiAmnShW
+HM2pn/WDpGKDj/w7ZipTZpYkMRo2KsHFfhOO2TTZttRWJowvyjUjscnn061WPmlx
++hp9jpfd4nyElpJ1fSweqKSZPvvS2bB8agxdRHHiH4DzRXIzYbLxRyi6QphzNogM
+hJwUeKQjeSzRAgh9xq1nGuxwH9hLfQwWfpTahOECggEAcBL0aswwP0/Yvr5gB3+L
+wfr/VBQML3/B3OtfatLc8VYEThw9Ck6bzUL03vk84EZbQDkHbmG6InQqM8zQxSW4
+CH1T5vaw7tAWV2NCJDdUt2l50QbFVBD7t01pu18XgMTzUcgXbX/E/QruyfBC23Gx
+MIlTOsqFR95FV+sWh5/8nO6Dp92D1SwrIbn147NCw2FvhWm+Lw5O+ptcKgEAgti4
+pFZlyxJegWxDpAwB0FmI38lPWF4vYn9ca+5iU980VOWR3Jgqe0RG5eFn/zTl/Wd2
+wc6k4pF6fbdjSHhmXJ7H2tam2fXCx4hBoPEXSGNFsFtqdQZiUurZw5YIROw/ECFF
+8QKCAQA8PV4eu8rzdw37cJnZOZRYg60PZ80c6LteqBnXwDp7HP7cAR11GUp1fous
+o4L1Od8aNUSVpfmmSOR28MuVhZ4wNbV/t+g9VzO4r2zuI/kkEeMstf85hXPLrkjL
+eo2HCu2xgM54vNVhG4MN2G5OWgMMkDDX3sPWeYN4Em428iYPHTgod2GaGQ9AnGI0
+wUGHhfGlP690xAvjQJLk0OvTrzKcjdPKrpUmCzIfT7ljfl2PE7l944C9aNvS9cEY
+iGkrbALi+EgfcfahEdEbQyIZU6GFDRltgnGtLeOE8NmqabQQgm0THXPjn/CzR3Os
+Qshwvh4gXup0rcomkC+d8vVJ2p35
-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/proxy10-test.crt b/lib/hx509/data/proxy10-test.crt
index bf129830ecc9..9c89f7187425 100644
--- a/lib/hx509/data/proxy10-test.crt
+++ b/lib/hx509/data/proxy10-test.crt
@@ -1,30 +1,30 @@
-----BEGIN CERTIFICATE-----
-MIIFNzCCAx+gAwIBAgIJAKQmPUkmhyKpMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
-BAYTAlNFMRIwEAYDVQQDDAlUZXN0IGNlcnQwHhcNMTkwNTIzMTUwNTI2WhcNMzgw
-MTE2MTUwNTI2WjAzMQswCQYDVQQGEwJTRTESMBAGA1UEAwwJVGVzdCBjZXJ0MRAw
-DgYDVQQDDAdwcm94eTEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
-1RLpk560fH8JMomm7OaAxwXICdeuqhJZHlu/RegfDIsqo/qGyrEJczQVFGKnISoZ
-rDthg+005e7VtTvVC6caKRhewogFBOiLwk7SmoyzXFHcpAdLGJgUL9UCUnxL42UR
-djmY7jEtgAIcCwtvCwJb7TXZSaOaYtov5iUTeKmjP6Ixu37CjEUL0CSh2f4/5auC
-cRXDfiHmYoUK/9q0BxUaGgDOyCuyrtI25jaMtZMNtCGTGJCWeZJDk+7+/tyNGuQt
-NGNKRmJyENvgx6HXQiytXnxYbDABpLNQ8fw31gQVvSiuSHvE6zZa4VNPPjMFIXXU
-jk4LwFsuw47OZYiHrMJpuSXLY/v62uID0+88NM+naD4R+DYtxkL1RATSwbhHg5zL
-np9i3D1BL9WrPnzlKHEpW4orjeEUljJqu2IVW1OFojAMHC9cqwU2LGIhRqcf2osr
-zltVS0f+ssXPhMu/G0Ib31ow24EYZFR2C3uT5oVgDfZ59mArknUHooWjhb9WqO0q
-LoyI+5YxKDroNm8QnEhZAzye85JRuXmGt/G0xg99kq0WAlFjb2Y88oimgdpVFrDd
-BTzNEjDcG2z2L3IJyekElWeTF/qlweQfExpg+WnseCNUrTWjCVDv94vGKUXvA+Va
-xpnQWNdGnX+741vHbg3CkQhDFiQoAu9pjI3W18YUWKkCAwEAAaNgMF4wCQYDVR0T
-BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYEFHQh/SEjpZ7xoyS/k1Dzsq4CqoyF
-MCUGCCsGAQUFBwEOAQH/BBYwFAIBCjAPBggrBgEFBQcVAAQDZm9vMA0GCSqGSIb3
-DQEBCwUAA4ICAQCTubaEkl971rzVIKGtzpV6Pa2uYTijFOsCUYUPOPjgtPQ+h45A
-rfgdVYKd9sbujQf9buZb8Tut7Dt3XJvpig4xopzQezkNdLCwLfYOfDEfWWAY4gJE
-ZZ6wrVeB2jgwS+xGGYSjXWWM75wgvpeptQSJ57jvVzX6wCWrPjw9RpemkoGJyqex
-4iMILSQRFCjYYulbK2B8kWfUUxqz38l6mwbB9nk4FR8OQ9b6AhwFaVYNqbTMP7kw
-SDx4s4h54lkWJ3Z4ktxs3DpOmIyIE9yl7rq+T6RZvkgZX9+9Ftm5XfmEmxyzjSyN
-FEjrBAk4v/ryKS3JUDHKjR2MiJmNn171lfxc16MgpRL6assUSJInZ3cEEaUQoK/I
-zKFpwa2vepGkQhZ7E1cO/ynotiRsJY7K1i3H3Ai3fQid+2N+KODPV3mpXPOOWYAg
-oJXsQMUG0EaBVogtDgTsRpnv08OO/OKeXvrTTi9wDrnaedMhdSA2XpHBditBbADX
-31lISHXD/c7Va+ispKnEG1LqR+yo4XhV4qH0v6SX/493/UKZDAUEGQIA2nJ+NvPA
-INiEa2aGsdLmbu66R1OVF8cKpn03a4Dul2XbwfL3zjhHICw6hMACvxrArcN/JLku
-bZWhpWleT0Im/HqqlwS9Qp2CTneyTsvDfnyDzPA57lmUJtpVy8mFq+MHYQ==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/proxy10-test.key b/lib/hx509/data/proxy10-test.key
index 624e90cbaeb1..733c2ffb23b2 100644
--- a/lib/hx509/data/proxy10-test.key
+++ b/lib/hx509/data/proxy10-test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDVEumTnrR8fwky
-iabs5oDHBcgJ166qElkeW79F6B8Miyqj+obKsQlzNBUUYqchKhmsO2GD7TTl7tW1
-O9ULpxopGF7CiAUE6IvCTtKajLNcUdykB0sYmBQv1QJSfEvjZRF2OZjuMS2AAhwL
-C28LAlvtNdlJo5pi2i/mJRN4qaM/ojG7fsKMRQvQJKHZ/j/lq4JxFcN+IeZihQr/
-2rQHFRoaAM7IK7Ku0jbmNoy1kw20IZMYkJZ5kkOT7v7+3I0a5C00Y0pGYnIQ2+DH
-oddCLK1efFhsMAGks1Dx/DfWBBW9KK5Ie8TrNlrhU08+MwUhddSOTgvAWy7Djs5l
-iIeswmm5Jctj+/ra4gPT7zw0z6doPhH4Ni3GQvVEBNLBuEeDnMuen2LcPUEv1as+
-fOUocSlbiiuN4RSWMmq7YhVbU4WiMAwcL1yrBTYsYiFGpx/aiyvOW1VLR/6yxc+E
-y78bQhvfWjDbgRhkVHYLe5PmhWAN9nn2YCuSdQeihaOFv1ao7SoujIj7ljEoOug2
-bxCcSFkDPJ7zklG5eYa38bTGD32SrRYCUWNvZjzyiKaB2lUWsN0FPM0SMNwbbPYv
-cgnJ6QSVZ5MX+qXB5B8TGmD5aex4I1StNaMJUO/3i8YpRe8D5VrGmdBY10adf7vj
-W8duDcKRCEMWJCgC72mMjdbXxhRYqQIDAQABAoICAQCuw9ZlyFSNkL0AgLszsFSL
-6YgL2qZexLHoHqSiOCPPbA5LdV89vTvdDCkGEWy33Qo1pHb1eIhc2CrdfffemO7y
-KhT/RgWn4v1PIMvJDALJhDOPLpQ/1e0o1nQTJ/QuzWUnLVLse9WwGwrZXEV2KDcy
-N2rD5bbpwcBr6pkv7SQDO4vDF9OGrdNko8dFQC80uBpDmvA/8po+0JUXClGDRaGl
-FmiE8qKalb2F0dRT0gv5ZVh7W4ywpnFbUzo/3LK4DdOuFoqDdJfOkCqsU2h11KNW
-znLQOgf/CT0pXhCGL8+M2WMp/Kqlqm2cR3LFt59LtJPlLMqiuad/qxBLY1K1Nrjz
-LYJcgyQ00EzKuoY0c5f2b1p7JG4jrsocerUYCmMFMaQc9qDOicUyagjcXnUfggf6
-TyHAPFY0nYRqzGbVHOF4HPx28CJ3aE3egvlgC7G5XrHI7CIHrelazEC0iIkfutbj
-SE6MEKde8XBiXB6R/pXFlJJGUHum8VLtHjHJR8qMlI7LOmasmIsSs9py1j1V8gKr
-lPKLpGHN180RVPoYvULlJiJejmw/ODPWEaOXQQItemTSuYnD118Cb3y/nVev0wys
-yqWwVmqP1WgEixGKAg1msVrQB2iY55aNlT2auZAtc5v3OSSNX0tLNQtsvxZC6hjW
-YcSKPhFie1JxtETHxjgSCQKCAQEA+7c4SOF+V7Xme7FFOwvUb7+P+Lf68aFpKxeC
-tUS2dnL5qfLFNFjMP+qte1xFKy+zQKQbZg7vcJ1v2SLI2rmHFAFNxp+pd4q6C4oj
-eoWn5UgZutFfin6AZCIxO2i/4uVfOS8jEiIkw7eCflEvS6jB9EpieknnoFPjg42H
-Bs2kDCf/1dlUlgcADcun02ffve9WkKBCOU+FOXZFKk0LGN6KQCdrJrGutwToMefv
-ULzc7QVl1D2ARA7INjWB7PYqiWFYwRQXB4oEUVI4v2T0DPrCf+qpHvn+01fle+uN
-W7gE3POLWbS8vuTQ34tdmOzZJoJkJ9/x9tTIOD4aa06mKoo7twKCAQEA2LNSWpmd
-NjOf3W+Q9hyjpikiMJhvhaYO2jgfiNcCDDt8YRbMW2dpbWiGryzxwVMkVXkWMZLc
-1MBjKYnlaAL+NXr7J3Upga5sjXkl801CqEZT8y/J3rzWmgwwvpd8mriqtX2jI78m
-GgA6p4NmChou797GJci3Ai8cNCTzmQmLwWEgnuJKlaPcHZ5eRotGceSQ/CCFtbeC
-TIcpNWaxhvtf5aSbhoAyS4RcpVEUanEE2gPGUNngYq/19ofC7mphChBV528075bi
-661wrmmUlywrbcgsGfjUT+8y0aafWQq9JAmlRql68w0Gi30t/xznQPAlIUG8z2vR
-6POpzeuV6zTOnwKCAQAUFmUJe+VHPp7sFBOASMtlN5ZXtObzzXvFEpU9vgQJo9dE
-trkCGmwCVcoOZCio75+Qcwg0ttBo3keEvn/k5JVhBVGdnjQ58/ow3Y9DQdNKOtzC
-yd6kAMBiPVBMe2mEw+U7fQWBdvQUIlrplbT+hrMjuaPuOmOfqdIoN20lH9gNmEuU
-V0mmx1w7vZrhBhMW5zizRfbC+BObqFKQs6FFFM1XnU2xwtA8jsmw4d95Q/kleR7N
-NzM7OyrDGLYLoQF4ASrCDcZgtaTukG8y5u2K85/98U4ZyL2LRCJuJzgar67DqzPd
-rsy5Ny1sCYUopQ4XQqSXggmfNw/bXSlikt4z2uA1AoIBAFn1/99a3FgvEFP2SADU
-HOATPX1dGxcpvAq9t+GwGMqJO3Z253mesbbY6Oj6SJbQdEoDjcIgzQqJn+ETvSfz
-7iK3nmJgEk4i4i/NNoMN9Pk00Q8pLK4KSTEElIvbCcCVn1DfCoYBicjLhY4bT5Ys
-DoZIPoxbChafBh9jo7lJrDoon0k2em4q62tkXpD8qs8Ha2Uv/zJUL4Sjq+jebB60
-ZrhIIMSyna6aEXgT89zIdJIpdQAFo1B06jBhZfxiL0zlQTRmB1zbj/L1Os09SZGE
-pbbanexeT42rqLY+bPKjMagvVOzD2SXjp27rFdhN4Hcl+tQWnVKi2S7TURAKmF9f
-udMCggEBAJxkdEJ7RDZej/Fw9xbqfslU449Tp3U9B8P+SkJEfGfCLX+3SwbyB5Xz
-J0p8fMvc0iWhJ15bx+JIy6Qmi8/EPxZibZDDhPSpBgok1RrzRMh61cO/Gz8aB9xl
-jciQPCsMaWqt0rFSE2L/xZvX0DUlvPOzBYIVOeWN+5JoeEHbHLxRtDMnTXaky/Vf
-PTBLv6jSvdd4cWPOhoIRovvEBFvE8GqOusHJ5bNjRpY71F2PSJ7sYMP7RfTFfvkO
-moF8U+ZpMIIFR8H5DJSAeocbVXXNLI6iRMbXqCecc4oTYU58kC0Xm7H/3/2Gqzl/
-XnrAAFMk+GLkZE8dvbKiMb+/IIDXWsg=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/revoke.crt b/lib/hx509/data/revoke.crt
index 07a419938218..ded23252b8c0 100644
--- a/lib/hx509/data/revoke.crt
+++ b/lib/hx509/data/revoke.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:12 2019 GMT
- Not After : Jan 16 15:05:12 2038 GMT
+ Not Before: Mar 22 22:25:03 2019 GMT
+ Not After : Nov 21 22:25:03 2518 GMT
Subject: C=SE, CN=Revoke cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:bf:d0:af:36:d0:76:65:eb:21:0c:44:48:66:6e:
- 43:c8:d4:07:73:4f:2f:36:b7:1b:ec:6a:aa:7b:60:
- f2:87:9a:94:bc:ba:91:f8:1c:c8:1a:01:e4:fb:d1:
- ac:3f:a6:07:26:2a:b7:8f:79:f8:31:ea:4f:e3:9d:
- 2d:84:43:0f:ee:d4:1d:5d:e3:f6:16:31:5c:bf:f9:
- ce:3e:b8:4a:e3:77:2b:bc:41:ee:84:52:2a:c0:7a:
- aa:86:a5:21:9c:c5:a0:2a:e6:d8:46:33:c5:87:14:
- 76:a5:71:2d:ae:7a:e6:60:0c:3c:35:cb:af:80:6c:
- bf:cf:eb:25:f3:0f:be:5b:53:59:cb:b2:9b:c9:17:
- 86:2d:08:a7:60:1e:42:d5:80:ea:74:b3:d0:7c:3c:
- 42:33:58:c2:bf:35:5b:e6:7a:8a:9c:fc:7f:fc:c9:
- cc:3f:7e:52:d6:8c:33:1a:2b:03:de:a4:fb:04:86:
- 13:a9:b6:0f:d2:a4:12:1d:88:a6:4d:aa:85:c2:ff:
- 19:11:bf:04:e0:57:1c:2e:03:97:b8:83:9b:0d:75:
- 95:d7:15:f4:31:5c:2e:76:39:25:f3:fa:b1:9a:ca:
- de:c8:39:cf:03:72:d8:23:0a:00:3a:e9:66:ef:8a:
- f2:b0:fc:56:04:3d:b8:e6:dc:f4:a0:ae:73:1b:ae:
- e4:03:42:79:f0:ee:14:51:18:8f:bb:d5:7f:cb:5a:
- 21:6d:b9:9d:b9:3c:9e:15:24:23:2d:bf:c5:a3:66:
- 45:f6:33:dc:06:7b:e1:68:f7:75:2d:58:9d:e1:73:
- 06:79:a0:de:68:e2:70:5f:5a:fc:05:a7:26:d6:76:
- 57:f8:12:7b:48:07:93:65:a8:d1:04:94:a0:42:9e:
- a8:8e:ff:3a:c7:aa:54:6d:c1:99:2d:2a:c2:33:65:
- 49:82:e7:df:bd:18:10:e3:69:df:d6:d7:16:4b:72:
- b3:3c:fb:81:72:97:cd:28:35:13:b9:2e:09:55:4d:
- 40:eb:e0:2e:24:f5:f2:0c:04:e4:38:90:db:1f:7e:
- 79:42:97:9d:74:7a:87:c3:18:da:ec:9e:8c:00:25:
- 36:87:88:05:49:77:c2:76:fc:68:76:59:b0:1f:d7:
- d5:81:d9:47:f9:e9:62:c6:f5:08:06:d0:21:50:eb:
- c7:b6:d4:9e:dc:94:68:d0:0f:df:74:f1:43:2e:38:
- 3c:76:ed:b1:b8:4d:88:8e:ae:e5:52:a9:9e:29:fa:
- da:a6:aa:28:e2:0e:cf:c9:c7:4d:fd:cb:14:a3:aa:
- d2:87:bf:e2:9f:09:86:e6:0e:77:14:c8:d8:96:b2:
- 51:65:d6:bf:23:9b:da:ed:70:47:c5:7a:3e:1e:be:
- 75:8b:8d
+ 00:ce:ac:a3:c6:69:47:c4:dd:f4:d9:0e:ac:42:90:
+ ae:57:f2:68:c4:77:89:9a:65:cd:8f:97:fc:68:6b:
+ 6b:65:0f:52:2d:d1:db:83:2c:1e:39:35:dd:fb:f6:
+ e8:c1:40:e9:ab:a6:48:23:e9:f0:e1:8f:72:27:6c:
+ e2:8d:04:e9:ca:e3:fe:ac:d9:28:16:be:db:19:fc:
+ 9a:20:d6:93:1f:15:b8:b6:97:cf:07:5a:da:ab:aa:
+ 97:c0:e9:39:7d:f9:df:96:c9:99:8f:6f:51:3f:64:
+ 13:0e:ad:0e:4e:2e:66:6f:72:6f:63:a6:a5:fd:85:
+ 0f:ac:ea:03:4d:81:14:bc:f3:5b:e5:fc:f6:6a:f7:
+ 57:b3:c3:b0:ed:4b:43:b1:cf:e2:1f:f6:44:07:83:
+ 27:b8:ef:19:9f:35:2b:95:59:b9:e1:69:c5:19:07:
+ 06:d7:17:da:35:4b:ba:74:68:c3:d3:28:ab:1e:b4:
+ 8a:ba:2b:f3:5e:06:75:0c:c8:a2:a9:ea:ec:29:1a:
+ 98:fb:b6:00:e0:98:78:cf:ea:36:2c:e1:51:8e:15:
+ 74:ba:4e:2d:8c:df:9b:72:72:52:b7:c7:82:45:35:
+ ba:c3:62:bf:29:d0:c0:17:6b:be:3b:e4:87:6a:26:
+ 34:4f:84:b5:ad:34:72:5f:4c:96:d8:d4:cd:5d:6f:
+ a3:ac:b1:55:a8:c8:c6:5d:99:0b:f0:bd:5e:f2:85:
+ 3e:74:05:d7:0f:9f:95:5a:14:1f:19:31:af:55:75:
+ 2a:80:22:7b:f7:ff:89:4b:70:5a:74:52:77:7a:ac:
+ 6b:86:2d:cc:5e:ca:57:3d:a1:20:d0:95:80:0b:48:
+ 26:52:69:9d:19:7f:0e:a9:63:97:70:b6:25:64:79:
+ ae:19:45:f8:7f:fd:23:75:9b:0f:d5:57:ae:56:50:
+ 9a:0c:fd:eb:f2:1b:a9:0a:3d:a2:1d:f3:07:cd:b9:
+ 63:5b:3d:95:21:9a:f6:27:2e:46:6a:3f:8f:48:b9:
+ e5:d7:ef:27:08:fc:45:37:70:23:88:a2:89:50:7e:
+ a3:ba:06:b3:b9:50:60:7d:aa:d6:eb:1c:b9:79:1c:
+ 16:06:d2:07:d3:c6:09:73:2a:8a:92:10:93:cc:52:
+ b4:bf:4b:09:d6:71:c1:60:57:3e:2f:12:13:90:18:
+ 06:44:cf:79:6f:50:78:11:8c:e9:ab:2b:97:19:5f:
+ b2:67:a9:fa:9b:b0:99:44:35:0e:00:18:6f:9a:00:
+ 39:e2:ac:e2:79:25:e1:46:d2:18:e4:80:d5:ca:ed:
+ 15:dc:7f:a7:90:7f:26:71:26:38:6b:ef:be:92:0c:
+ 07:64:24:64:a7:85:9d:2b:d9:14:bc:64:40:46:eb:
+ 78:b9:dd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
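Review bot: The regenerated fixture's validity on the new side now ends at `Nov 21 22:25:03 2518 GMT`, which is far outside a 32-bit time_t, whereas the replaced value `Jan 16 15:05:12 2038 GMT` sat just inside it and looks deliberately chosen for that reason. On a build where time_t is 32 bits the notAfter conversion may wrap and the certificate would be reported expired or not yet valid, making the revocation tests fail for a reason unrelated to what they check; this depends on how hx509 converts the GeneralizedTime, which is outside this hunk, so it should be confirmed rather than assumed. The context line `Signature Algorithm: sha1WithRSAEncryption` also shows the refreshed fixture still relies on SHA-1 signatures being accepted by the verifier; if that is intentional for this test, a short note in the script that generates these files would stop a later regeneration from silently changing it. The PEM body this text dump describes is in the following hunk.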
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- C0:C4:1E:26:C8:53:2E:80:A5:50:44:F1:79:38:05:B4:12:CA:AA:7F
+ 3B:AC:F2:D9:72:19:FF:77:61:0C:6B:2C:C0:69:D0:28:46:8A:C1:D7
Signature Algorithm: sha1WithRSAEncryption
- b1:f4:93:82:51:8f:d2:a0:c0:a7:9a:da:d3:f6:fc:01:aa:ae:
- e9:a1:05:32:62:9b:63:a2:a3:05:ea:9e:f8:b3:af:d2:50:42:
- 70:6f:35:88:86:f2:f5:bb:6f:44:a7:9b:51:14:c8:e1:9e:13:
- c4:e6:ab:5a:bb:40:50:c2:ae:d5:b5:64:48:ab:29:30:d6:90:
- f6:6f:24:b2:e9:aa:8d:12:54:68:5f:70:bc:99:5c:cf:c5:7d:
- ae:e7:d2:7c:50:c0:7f:a6:a8:ae:0f:3b:9d:1a:e4:18:b3:f8:
- 90:2c:a4:cf:83:41:c8:54:82:20:df:bc:4e:6a:6e:e6:61:dd:
- d1:fa:95:2e:4b:22:28:84:db:d8:47:fb:a6:d7:65:07:41:64:
- 1f:16:db:39:ea:75:23:63:d5:59:df:03:cf:4f:28:2a:73:07:
- da:0c:f2:3f:3a:cb:40:3b:73:92:2e:93:79:90:a0:4c:ed:bc:
- aa:7a:c4:40:54:5f:39:cf:e2:81:59:98:73:ce:5e:71:2a:3a:
- 1f:60:94:fd:c3:c4:7f:24:05:31:66:d2:5f:ba:62:db:5c:ec:
- 40:38:79:ee:5a:6d:90:8d:f7:99:49:cc:e0:1e:8e:47:0e:50:
- c4:19:c2:43:bc:87:33:c0:fd:8a:cf:af:71:35:0b:fb:14:7a:
- c4:5b:01:09:86:5e:8a:ab:b9:8b:81:50:bc:a3:d9:59:53:30:
- 2c:97:32:97:da:16:3b:42:78:84:31:13:9a:ad:a9:a4:9d:5c:
- 5d:69:6a:eb:53:71:e8:95:11:04:d7:ef:50:c0:c2:32:55:75:
- a9:db:0d:4a:5c:b4:10:91:60:88:ec:25:8c:26:52:a9:be:5b:
- 71:5e:ba:e0:df:ad:ac:e0:cd:01:7b:8f:ff:c5:c6:f0:9e:e6:
- e2:f6:44:31:07:3c:99:d5:8f:43:1d:c4:5e:57:58:0e:72:4b:
- 76:5d:4e:14:f5:03:08:c4:d4:05:71:2b:da:71:8f:c8:ec:b2:
- 1f:cd:c3:52:6e:6d:53:db:9a:40:37:77:53:71:02:1f:a5:12:
- e6:32:1d:bc:0e:83:b5:03:e4:85:ba:54:b2:3c:2e:c0:70:77:
- a5:86:21:fc:6e:f7:46:24:84:75:9a:0f:f5:af:fa:12:26:b9:
- 65:e5:8c:89:7e:42:d3:5a:22:22:dc:96:ed:92:17:65:e4:12:
- 21:9c:ae:8d:03:c3:3b:d6:bf:68:b8:ba:08:51:44:8a:77:07:
- 9d:be:de:a1:0e:93:cf:17:29:e3:67:ff:9c:e5:ea:5a:0d:b0:
- bc:8d:5f:f3:44:d1:f8:12:b3:53:82:09:30:13:e4:12:99:3c:
- d0:73:09:85:64:95:9e:bb
+ 23:5d:75:da:82:54:6a:eb:29:cf:e0:55:da:4e:69:c3:d1:7b:
+ 27:20:37:ca:3e:ac:ba:55:30:0d:a6:57:44:de:1b:71:aa:57:
+ 80:8d:55:e1:48:fb:43:dc:23:d3:fd:85:ab:36:35:11:1d:41:
+ 30:59:ff:e4:61:e1:4d:14:8b:64:9e:cc:a0:71:19:a3:a9:10:
+ 84:47:72:dd:2b:56:5e:78:a9:ed:f1:32:8b:b4:5b:87:aa:bd:
+ 74:4f:ee:50:ba:36:d5:70:56:40:7d:64:d6:04:42:ae:50:2b:
+ 95:48:f5:74:8b:a6:b5:5c:49:9d:9c:f1:0c:0f:0a:f1:53:43:
+ ec:1f:59:6f:1e:54:ca:9d:b2:39:73:58:28:b7:0b:74:e3:ed:
+ d4:36:ef:7d:1d:c6:1f:2c:ff:a7:df:a2:a7:9e:94:b9:3f:3d:
+ 18:fa:07:d6:e9:03:f6:3a:d1:79:55:df:af:12:13:ef:45:af:
+ 63:57:fc:ef:db:5c:bd:e7:93:b5:81:35:e9:a9:e4:39:99:b9:
+ 32:7b:6f:1a:14:41:3a:fa:68:3c:0a:ae:9e:95:51:72:32:dc:
+ d6:e9:98:7d:65:db:ce:57:1f:1a:e5:2a:5a:c0:07:26:64:f0:
+ 49:ff:af:97:74:fe:98:20:94:7f:f7:3c:a7:46:ed:ad:e5:1b:
+ 7a:08:c4:d4:ce:3f:8a:ef:07:79:ec:d5:f1:1b:2b:f6:e0:95:
+ 31:ef:8e:bd:b8:ec:a7:84:f8:ff:c6:39:7a:15:8d:4b:4e:05:
+ c8:e6:2e:bb:bb:74:5a:51:92:f7:b1:04:55:2b:dc:42:18:d5:
+ 83:95:c4:d0:73:10:62:d5:55:8d:ea:a0:fd:ff:ef:10:9b:8f:
+ b3:ba:8a:91:75:5e:b9:9d:36:7d:53:5d:8d:1b:0d:c5:bb:1c:
+ 23:fc:08:5b:1f:3a:d5:1c:35:61:48:58:8e:c0:42:7c:3c:c8:
+ a0:17:8a:04:13:a6:03:49:cf:86:18:39:32:e4:fe:32:38:bd:
+ 53:bd:49:fa:65:63:3d:41:6a:c7:65:f5:df:7d:7b:8d:d0:74:
+ b2:c3:8b:bd:1e:4f:96:15:a0:7b:23:fe:81:e0:de:7f:06:b3:
+ f8:a2:52:cf:43:91:49:6f:ae:d8:6f:4f:51:85:7b:c2:f7:f8:
+ c8:4d:e0:a8:48:9a:5b:05:e2:60:fd:b7:bb:b7:7a:2b:35:e6:
+ 15:f3:e8:5f:b6:cb:d5:b0:7b:45:70:db:fe:82:97:c5:6b:be:
+ a9:60:21:87:19:b6:91:32:2f:01:b3:04:84:a3:1d:8b:06:00:
+ 3e:37:f4:c3:ff:b4:55:cb:cc:d1:d1:96:9b:d8:1a:0b:9f:47:
+ 66:b7:90:9c:d1:09:c2:aa
-----BEGIN CERTIFICATE-----
-MIIFATCCAumgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4
-MDExNjE1MDUxMlowIzELMAkGA1UEBhMCU0UxFDASBgNVBAMMC1Jldm9rZSBjZXJ0
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv9CvNtB2ZeshDERIZm5D
-yNQHc08vNrcb7Gqqe2Dyh5qUvLqR+BzIGgHk+9GsP6YHJiq3j3n4MepP450thEMP
-7tQdXeP2FjFcv/nOPrhK43crvEHuhFIqwHqqhqUhnMWgKubYRjPFhxR2pXEtrnrm
-YAw8NcuvgGy/z+sl8w++W1NZy7KbyReGLQinYB5C1YDqdLPQfDxCM1jCvzVb5nqK
-nPx//MnMP35S1owzGisD3qT7BIYTqbYP0qQSHYimTaqFwv8ZEb8E4FccLgOXuIOb
-DXWV1xX0MVwudjkl8/qxmsreyDnPA3LYIwoAOulm74rysPxWBD245tz0oK5zG67k
-A0J58O4UURiPu9V/y1ohbbmduTyeFSQjLb/Fo2ZF9jPcBnvhaPd1LVid4XMGeaDe
-aOJwX1r8Bacm1nZX+BJ7SAeTZajRBJSgQp6ojv86x6pUbcGZLSrCM2VJguffvRgQ
-42nf1tcWS3KzPPuBcpfNKDUTuS4JVU1A6+AuJPXyDATkOJDbH355QpeddHqHwxja
-7J6MACU2h4gFSXfCdvxodlmwH9fVgdlH+elixvUIBtAhUOvHttSe3JRo0A/fdPFD
-Ljg8du2xuE2Ijq7lUqmeKfrapqoo4g7PycdN/csUo6rSh7/inwmG5g53FMjYlrJR
-Zda/I5va7XBHxXo+Hr51i40CAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMC
-BeAwHQYDVR0OBBYEFMDEHibIUy6ApVBE8Xk4BbQSyqp/MA0GCSqGSIb3DQEBBQUA
-A4ICAQCx9JOCUY/SoMCnmtrT9vwBqq7poQUyYptjoqMF6p74s6/SUEJwbzWIhvL1
-u29Ep5tRFMjhnhPE5qtau0BQwq7VtWRIqykw1pD2bySy6aqNElRoX3C8mVzPxX2u
-59J8UMB/pqiuDzudGuQYs/iQLKTPg0HIVIIg37xOam7mYd3R+pUuSyIohNvYR/um
-12UHQWQfFts56nUjY9VZ3wPPTygqcwfaDPI/OstAO3OSLpN5kKBM7byqesRAVF85
-z+KBWZhzzl5xKjofYJT9w8R/JAUxZtJfumLbXOxAOHnuWm2QjfeZSczgHo5HDlDE
-GcJDvIczwP2Kz69xNQv7FHrEWwEJhl6Kq7mLgVC8o9lZUzAslzKX2hY7QniEMROa
-ramknVxdaWrrU3HolREE1+9QwMIyVXWp2w1KXLQQkWCI7CWMJlKpvltxXrrg362s
-4M0Be4//xcbwnubi9kQxBzyZ1Y9DHcReV1gOckt2XU4U9QMIxNQFcSvacY/I7LIf
-zcNSbm1T25pAN3dTcQIfpRLmMh28DoO1A+SFulSyPC7AcHelhiH8bvdGJIR1mg/1
-r/oSJrll5YyJfkLTWiIi3Jbtkhdl5BIhnK6NA8M71r9ouLoIUUSKdwedvt6hDpPP
-FynjZ/+c5epaDbC8jV/zRNH4ErNTggkwE+QSmTzQcwmFZJWeuw==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/revoke.key b/lib/hx509/data/revoke.key
index 374bed15b7b2..d70b74f08cc7 100644
--- a/lib/hx509/data/revoke.key
+++ b/lib/hx509/data/revoke.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC/0K820HZl6yEM
-REhmbkPI1AdzTy82txvsaqp7YPKHmpS8upH4HMgaAeT70aw/pgcmKrePefgx6k/j
-nS2EQw/u1B1d4/YWMVy/+c4+uErjdyu8Qe6EUirAeqqGpSGcxaAq5thGM8WHFHal
-cS2ueuZgDDw1y6+AbL/P6yXzD75bU1nLspvJF4YtCKdgHkLVgOp0s9B8PEIzWMK/
-NVvmeoqc/H/8ycw/flLWjDMaKwPepPsEhhOptg/SpBIdiKZNqoXC/xkRvwTgVxwu
-A5e4g5sNdZXXFfQxXC52OSXz+rGayt7IOc8DctgjCgA66WbvivKw/FYEPbjm3PSg
-rnMbruQDQnnw7hRRGI+71X/LWiFtuZ25PJ4VJCMtv8WjZkX2M9wGe+Fo93UtWJ3h
-cwZ5oN5o4nBfWvwFpybWdlf4EntIB5NlqNEElKBCnqiO/zrHqlRtwZktKsIzZUmC
-59+9GBDjad/W1xZLcrM8+4Fyl80oNRO5LglVTUDr4C4k9fIMBOQ4kNsffnlCl510
-eofDGNrsnowAJTaHiAVJd8J2/Gh2WbAf19WB2Uf56WLG9QgG0CFQ68e21J7clGjQ
-D9908UMuODx27bG4TYiOruVSqZ4p+tqmqijiDs/Jx039yxSjqtKHv+KfCYbmDncU
-yNiWslFl1r8jm9rtcEfFej4evnWLjQIDAQABAoICACTzfZ1woS5XEmG7kbrxyOsa
-NWk4Ot8ufRmZHshvz6jh1X9Z7Z6/ZKjl7oe4R5dnU389wWjJVU/AVK2DbO5KwPoA
-MLwSmyiBT93HsLySYhLZtTop9VnWPlggCVOw4f3CcG1zVPyJIqc4APc0C1nOYSzl
-jn/Kgj+aM4VJRmFBiikrsGO2P56IgpeQUDYK/lME56Wdsi8MqLAdjD6rd825k5RU
-bA91jHw6yJh+H6YN3Uv5ukWP0p/h68BnTPoVhfv2Ophq7hhmFPlmro4KsSKhb7Az
-E6+Aki8kE+tAbRhIFgi8xhgKUt/WMt7lIVA4AFVrDf+cTLG6djE7JYECujf+A/xq
-jC+BOn2BFzo5CNuc1+B0xZ6wLrQoKYSyAp2N7EbhNEb3xthxE940+PDAB0nfmDDl
-B6LPkjsBFVe7Cd63F85uVHTMclbLC/yfiKaAolNb3pNh4UMWLhHYouLRNiVM+NLY
-u06FTJPFsgUGmBPATFuV6IaHii6sMqMdArN+dU/NqMT1KTBGyZ79g6XwVSWVU2+S
-oDZYRNERihwtr8vImQky17TY2rAbZKk9OK/Re67UOwnxkVSihv1Rt4CDwKkIWrh9
-+BPiC8nd/al/XjV4hN3hQeU2CVcHt23uobtPUvaL9Scf+1+e8WToLSSPeGwfD6EM
-jpNBeI/V1IdiNUJnr8e9AoIBAQD/B5AThJW+avTqa2EfqhnB5KsVEKy8LWfUbH5I
-PcUtiStlb+RatZb4yQXVQ1TpSSAFEXL6TZR4uHQsw1wXhRyi8CGWKxSxrxhxkw2V
-RpAcuU2u9sHtmSzJHOn+sRnJPgJOijZ/EAHqc/Hi7VNdaSz6tFfFeYLYmVpeS0EU
-CY/0JqHAQ5IrzGjrl2doG7myFhLA1oAYWElhtVMcE+mowgDxE4a1UOQQyrKA2p7T
-9LuguPhOgvjB4t6uJ35HO2w3hvwAdsnsOb8g0qBdYlUpcATyb1Nl0252+ZWwA3gT
-tVZ8iQ+bibMopyns60GbVnArfVkFn7a3hS/0ZW5Zy8aKI+G3AoIBAQDAi4qTbdVv
-6BS3ePoUwsYDkC/17RGkfoFfH/jXWVhP7UNu5X/UFCM+VJwrYK3f6cpKMBtBIRPw
-uHXeFCh2Mi3x/hrz3VRfY0qrgckByxhNTuXokQBec8mU4TzpPmc5XjADtVmaxnP8
-uU6cny+0s1lJ5xZM3nPvkZ9DMV+CbTbMiWIODJ+3Ak2S6FDB+wNemMpp3ppMrWNZ
-5N0d+o/VSUTEGr/FmNAw0gZhsy8pdcDqoULDceqA40rL8F46kzAk58E4Gvb+rVMR
-bVQcBrwSVOgY6MAtY5qLZcDLHcq9JU+tMB8AJHO1io2k4Xsz5WVBLlzTudHpgmJp
-M5ELOUBwyCzbAoIBAQDrf6pVu6sjiVTcW4f2W3cpiuVIsHsx0aP9jqoWP6Qi5nXC
-V87AzMq6tbbDNkfknHgK9g/8f0NJLttosoYJ2guVkrURHHshkRS7XBXA8MYHID5S
-AN8XbsjidebGH/g10yMCL7MfJkL+o06MRKckrQiyAXLDke934DSIumk//YyG4l2f
-U0ZZV4rTcp40jtWtU6DBndHvqScqKOy0EtdD1NJVy7grGqVftC2du0PLakUQp33z
-0hGvyLXkj+eWE5NcuzNdolPX5YNO5fDcCv+lIiIPVSnn75QkHVlSjgGGAX/5w/87
-m65rLeITOzL8JJe0MS3ReaiaU0zzG+8I0Jln2raFAoIBAAGoMcUbCN8xrBv4Go7b
-LkERmJgRNjmoLQzYhZe02SG29QGbUAJPOg5rQ/zLlDN9G5SP3WwuELHdpIYIvmBm
-Bicy/KBkozk+7YGUWFp/mPHxX+EkflBRxsZVOeT3+INx4A/oG6FNW+os3hRS+mIf
-uQD90B9ROsYxBqHZZu0Ea5hPBl0Als9IYcqF3UwOEPVbc0J9++31AAniAlUjtuEr
-BEB7ynK04fXJmOx2Uk2VCdf7E0wDSvVY/2fJ5cWzRpLKu8rz0HRYoYJg4nxrQmsV
-9/le52h8lvPkKEiXNQtzqr/eziV+KtDBJH7qwdisfLaW442e58OOr7IgE3t5Pqi5
-0EkCggEBAP3J+c6s88lfGnU35CzFK93IkumaYtHlrNj/87EBPMjpL38ykFCkeXXq
-wtKAWI+i9Y7Y38xYvkWwNj8m44hCES7z8yc+blxlyg4UBTg6ms6/AMCF1OkkdAsl
-xyacDGAm7JIj1w/B7qxWOkZOI25c0YY74kq4nBIP8lklHr0iykqc8BhwlYofEh/U
-TMXAg0z+luS9Uiq4SayBeUcEkNguJu5syLtOvy+vR04fyOzHF9YFXqaRbJoCPnZg
-RRx6Jo2dRdiy9yhOHzZRykuAH92M4jACE3V3wJMjlJea+YmZgaDwv5a5xT8dUw2W
-waMpuNHGyfEypx5NFeO8UU95fKkcTWM=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/sub-ca.crt b/lib/hx509/data/sub-ca.crt
index befbd28d8d65..25f3ae8e62b7 100644
--- a/lib/hx509/data/sub-ca.crt
+++ b/lib/hx509/data/sub-ca.crt
@@ -5,119 +5,119 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:18 2019 GMT
- Not After : Jan 16 15:05:18 2038 GMT
+ Not Before: Mar 22 22:25:10 2019 GMT
+ Not After : Nov 21 22:25:10 2518 GMT
Subject: C=SE, CN=Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:ea:9c:d3:ba:0e:de:f9:c6:3c:2e:ef:7e:91:40:
- 8e:58:04:16:4f:ff:81:61:0c:fd:b4:d2:86:3c:8a:
- 6a:f9:33:63:0b:8e:2b:ac:9c:5c:00:28:16:fe:32:
- bc:75:55:00:d2:91:0c:92:c9:0a:2d:c7:e2:f4:dd:
- 14:fe:20:d8:45:79:d1:a0:1e:5d:91:a5:d2:00:17:
- a4:bd:44:35:9c:f4:5f:63:dc:b9:19:a5:66:73:b1:
- 16:ae:e7:d5:59:bd:d3:85:b1:b7:ae:3e:a8:a8:9e:
- 0d:d9:cd:f5:38:30:d3:56:d9:44:08:11:23:ca:bb:
- 5e:96:fd:8d:e8:77:7e:c4:8e:58:a8:02:6d:20:77:
- 9a:9d:4b:bd:6a:6e:c0:a4:77:d2:37:cb:b5:c4:4a:
- 87:03:a9:aa:a8:22:4b:e9:13:f2:22:64:44:0c:b4:
- 2b:60:56:9b:c7:76:1e:7d:ba:06:15:9a:ad:ae:36:
- 9a:9d:f0:df:83:e5:64:4b:18:53:b1:1d:ed:bc:70:
- 08:48:45:7e:c6:ab:ad:d9:bc:79:03:3d:af:e8:f6:
- cd:4e:04:27:ce:8c:d7:09:d9:50:87:f7:76:37:eb:
- a3:3b:96:46:b6:05:85:3c:f2:0a:23:3c:d2:8e:0e:
- 86:08:19:6f:8f:56:2f:bd:90:80:98:a9:8a:c4:9a:
- 71:9d:25:08:9b:d0:14:23:d4:99:ac:f9:68:44:fd:
- 01:bd:e4:b0:1f:87:f2:0c:16:88:31:01:5e:af:df:
- 81:c0:29:d1:05:c8:37:6f:4c:b6:81:b3:d0:f1:f5:
- d9:1c:cf:e6:95:40:41:ec:2f:b9:39:d2:1b:48:c9:
- 03:ca:0a:9f:4b:41:74:ff:31:bd:40:d5:46:cc:c9:
- 84:94:e9:aa:d3:ae:df:fc:07:0e:4b:6c:68:07:70:
- 92:aa:ff:9a:21:c0:67:aa:e8:72:7b:db:97:f4:d0:
- fb:e9:6d:4c:48:19:55:fb:c4:f3:fa:78:c6:94:2f:
- fd:88:b1:c7:58:fd:03:2a:28:51:5e:8e:2d:95:fa:
- 46:57:b9:6c:93:b5:8a:44:21:82:1d:d2:c7:0b:88:
- 24:2d:e0:45:0d:8f:3a:23:c4:1f:e2:2d:00:a4:71:
- a7:01:c7:17:b8:03:29:fc:2e:92:9b:dd:75:cc:1e:
- 0e:01:72:71:a7:80:9f:7b:e1:eb:35:42:1f:0c:1d:
- ae:69:2c:ee:70:65:19:4c:5b:d7:07:27:c8:2c:ce:
- cc:d1:67:39:de:88:0a:e1:21:c9:ad:50:f2:88:79:
- 15:6d:7a:46:23:4a:93:bd:72:b5:3c:a4:d2:91:27:
- ab:d2:f0:f7:5f:17:8c:7e:01:33:6e:2e:3e:8f:48:
- 18:06:ef
+ 00:c7:18:39:67:2a:c4:6b:c6:1a:64:23:bb:ba:4c:
+ 47:22:35:91:b7:c9:eb:57:b9:8b:8f:83:62:be:0a:
+ 56:49:cc:ed:de:7e:f9:44:db:8f:f9:f9:ec:db:a2:
+ 4a:d3:fa:b1:36:c0:93:e9:2b:d0:9a:64:65:43:52:
+ 64:0e:af:3c:0a:23:57:d9:66:44:0c:ef:a6:73:7e:
+ 4d:71:94:76:5d:d2:2e:9c:02:1e:44:4b:67:0d:61:
+ 05:ff:f1:cc:29:94:93:ab:f7:b6:d7:33:d0:9e:b4:
+ 02:1a:7b:03:bb:9c:52:00:21:43:97:ff:59:f3:b1:
+ eb:16:67:b1:5a:66:26:99:04:12:28:bb:68:97:38:
+ 66:cf:d3:cc:da:41:d8:4f:e2:f9:59:48:da:ca:55:
+ b9:2a:63:43:6b:0d:c5:58:75:8e:6e:55:d2:77:cd:
+ df:8a:14:82:a2:72:f3:e8:93:a1:e4:72:f3:c0:93:
+ b3:0b:72:98:ad:53:93:53:86:fc:b0:3b:77:1c:aa:
+ f5:64:77:ce:92:0c:07:82:60:39:e9:d6:bc:df:dc:
+ ad:f9:4f:42:d2:db:42:76:6e:0b:f5:fa:58:05:7f:
+ 3c:d9:cf:eb:d2:c0:9a:26:2c:e8:90:73:0a:3c:42:
+ e5:f9:0b:cd:53:2d:16:14:75:f8:47:2e:04:1a:47:
+ d8:a6:20:0f:ec:96:fe:14:30:87:30:84:04:74:42:
+ 45:b3:3b:c1:48:84:54:4e:69:9b:f5:cb:7a:da:75:
+ 1e:26:93:87:5e:a2:c6:8f:fd:0f:96:84:76:2d:18:
+ 86:f7:87:1e:95:47:10:45:b5:45:ea:38:b7:e0:22:
+ 28:c6:98:42:5f:ed:69:d6:73:a3:d4:72:de:74:f7:
+ 2a:d2:90:5d:66:86:a1:b5:a4:fb:c7:37:94:65:82:
+ 80:d7:88:84:be:d6:5f:fd:25:88:0b:ee:6b:bb:4b:
+ 94:c6:e1:39:95:74:93:44:44:8e:3f:7e:13:33:49:
+ 8e:e3:f4:a0:43:e7:2d:15:f7:02:e9:bf:a8:94:65:
+ 71:df:45:35:f7:cc:03:b6:e4:d6:32:d2:98:66:ba:
+ d6:da:76:35:e0:81:76:25:0a:94:3f:6c:a6:53:49:
+ 52:c5:38:44:4d:ea:b4:fd:50:ee:63:e1:1b:51:ef:
+ 62:64:0e:39:cb:10:73:9d:fd:b0:2e:15:5a:cb:90:
+ 1c:9f:e9:88:37:14:92:32:7b:7a:00:fd:35:b4:d3:
+ 8c:99:90:74:95:7d:bf:25:41:04:68:56:38:3e:f1:
+ f5:97:b5:f3:cc:b8:16:99:40:1f:9d:eb:51:88:46:
+ 2a:62:b9:a5:bd:ad:97:db:58:5a:d4:6c:ed:32:db:
+ b4:5a:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 4D:9F:B8:92:F4:98:3B:7E:1F:EA:AE:A3:3C:DF:CF:E7:56:4E:F6:25
+ 63:34:08:C8:42:04:47:74:99:65:DD:4F:EA:C5:0F:05:D9:F8:CE:47
X509v3 Authority Key Identifier:
- keyid:FD:C6:56:72:BC:EA:82:19:48:00:B0:A3:8B:F7:79:3F:F7:26:FC:23
+ keyid:53:B8:CC:09:C6:9F:42:EA:D5:E4:74:20:B4:65:ED:68:F8:9D:B5:05
DirName:/CN=hx509 Test Root CA/C=SE
- serial:99:65:F9:34:C3:90:C1:72
+ serial:8D:F8:0A:D8:C1:70:91:C4
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
- 8f:4e:97:f7:a7:87:17:27:af:2f:30:23:97:2e:09:35:03:01:
- 9c:13:38:12:85:49:10:ce:69:c4:74:69:67:6d:61:3a:bb:c5:
- 5a:e7:55:da:f0:a3:06:be:ff:55:eb:89:a2:65:2e:35:ca:24:
- 49:0a:fa:01:3a:c8:50:af:94:ee:cd:e9:67:2a:1b:1b:a3:40:
- 1e:e4:4a:7a:31:93:1c:e6:77:9e:a3:41:19:66:64:dd:f3:73:
- 34:d7:28:38:3f:f5:94:2d:58:3f:bd:24:cd:5b:ed:77:81:53:
- 31:45:67:e4:d7:85:ce:d2:10:f1:b7:0f:03:22:3c:c1:be:aa:
- 8a:d1:92:b6:03:e5:92:a3:4c:d3:76:ee:8a:83:01:c8:a0:0a:
- 53:3a:c6:a4:36:8d:51:35:a5:07:dc:8c:35:c9:03:fa:1d:ec:
- 49:05:f0:b0:0e:fe:24:f5:4e:db:be:f3:00:b0:35:57:d6:31:
- 02:c2:e1:6f:3a:2c:2c:42:f9:87:5b:c3:72:f7:46:6a:1f:0e:
- 16:50:ee:a6:00:42:30:ad:05:07:d4:8e:0a:0d:c6:23:b3:d7:
- 9b:01:57:12:7b:7d:1b:5d:60:b7:fe:78:4f:91:1b:76:df:a6:
- a7:f5:61:76:3b:1c:6f:7c:c7:57:7f:bf:c7:ac:23:c5:c5:cf:
- 6b:5e:83:1c:4c:7e:83:2d:f6:db:51:85:7c:d3:6b:dc:f6:f7:
- 53:1f:26:3a:8d:91:f1:6a:43:cb:57:1a:24:71:94:48:74:72:
- a1:58:ea:f8:0d:3e:71:5b:35:2f:30:b4:3a:2c:6e:b4:51:27:
- 7e:66:e5:f8:cc:2b:88:bc:98:cf:24:6b:5f:46:31:3e:ce:58:
- d4:26:01:87:c8:1b:d9:10:a1:76:3a:f1:8b:16:2f:3f:54:b0:
- 95:ff:c0:4f:3a:67:2d:28:6e:2c:fb:81:87:92:c8:8c:13:45:
- 3e:d0:ec:12:b8:52:0e:71:dc:dc:50:1f:57:44:1d:6f:80:bd:
- 50:db:26:3e:63:27:53:9f:99:46:39:04:2b:66:a7:f9:f3:f3:
- 99:c6:33:4a:44:0b:90:ea:5d:17:1c:41:1e:44:db:73:c5:68:
- d1:e4:04:01:99:49:59:23:0d:2b:06:5a:fc:db:56:90:67:6d:
- 28:b8:66:6c:56:70:12:ae:36:dd:f0:b9:6d:f1:c9:5c:77:0f:
- 30:d9:46:e1:57:e5:d3:92:92:c1:74:40:99:24:00:ff:57:59:
- 2d:48:e5:1f:97:34:8b:7f:26:3e:24:9e:a6:96:14:16:d7:be:
- 94:1a:55:37:5a:d2:94:1f:df:9d:f2:8a:88:5d:e2:8b:c4:59:
- 60:06:44:52:a9:73:29:ed
+ 77:0b:fc:11:37:04:49:92:2b:97:e1:ee:b6:94:33:11:be:bb:
+ db:8b:6e:ce:42:11:39:b2:be:61:03:a2:ef:d4:06:1f:63:d2:
+ af:1f:c5:43:80:67:1d:10:a0:3d:93:d1:7f:bd:be:9e:21:48:
+ d0:a8:ea:8c:32:0a:f7:eb:b0:c7:0f:ac:a7:8b:c6:1a:18:10:
+ 51:88:fd:1a:53:4b:1b:7b:94:5e:59:02:92:72:6c:df:32:3a:
+ 9c:f5:87:c9:fd:a2:f8:d3:df:34:be:75:7e:51:15:eb:b0:df:
+ 87:1b:15:df:fc:97:1e:06:f9:6e:8b:79:45:3d:c4:76:d2:1d:
+ 8e:04:8f:72:d6:b0:7c:09:79:23:47:7a:9a:41:76:7e:c3:3d:
+ 2d:46:26:db:72:64:a8:1d:ca:94:fe:d8:69:e7:24:1f:dc:c8:
+ 7b:4f:2f:89:7b:a3:8c:33:7f:0f:54:16:f4:45:60:e1:df:68:
+ f5:5b:3a:ce:1c:63:e6:81:ca:a6:aa:e4:a2:c1:07:e3:ec:ef:
+ ef:ad:cc:ac:5a:e1:57:40:15:09:b3:0f:f1:58:b2:2a:45:eb:
+ 5e:16:03:9c:2c:c1:ce:22:48:67:06:5e:0a:fd:fd:d5:76:8e:
+ a8:db:2c:38:15:b4:c1:e4:0f:12:98:0a:43:19:e6:74:b9:8b:
+ e3:7a:92:2e:2a:30:1d:b7:85:39:d5:29:2f:54:16:7d:b0:f6:
+ f9:17:e2:95:07:ff:0f:e6:16:55:6d:97:c8:41:c6:5f:8f:a9:
+ 3c:3a:19:8d:66:29:13:f3:00:6d:31:f3:f1:14:a5:e8:c7:2c:
+ c0:18:4b:5e:15:88:eb:59:44:97:91:1c:78:d7:a0:4d:a1:bf:
+ bf:b0:67:4f:68:df:d3:d0:c4:6e:b8:1d:36:bd:a8:c8:b4:67:
+ 34:c0:b2:28:8a:e9:1a:30:14:b3:be:d5:a3:a0:57:4f:b7:ff:
+ a0:9e:c0:28:58:90:43:57:e7:7c:d0:81:90:41:54:85:56:4b:
+ cd:f4:a3:63:3b:1a:8f:82:0d:2c:9d:79:58:40:f4:f6:37:a0:
+ fc:77:db:82:ab:de:fa:0c:7f:c2:ce:35:80:4e:f7:d8:0d:8b:
+ cd:5b:8c:a9:82:ec:a3:a1:ca:b8:4e:29:fd:35:79:dc:4d:f3:
+ bf:ee:41:a0:88:63:b9:65:22:bb:0d:27:e8:91:d4:20:51:06:
+ f9:e7:9a:e9:7c:4c:4a:64:b5:4f:22:79:36:ad:79:e8:b8:6a:
+ 6f:f8:e8:39:48:7b:3f:87:14:9a:22:ec:7d:33:94:35:42:29:
+ 56:11:de:15:bd:4c:c2:5d:ff:9f:82:72:a2:00:b3:e9:68:38:
+ 5b:ab:dd:0d:90:73:cd:80
-----BEGIN CERTIFICATE-----
-MIIFXTCCA0WgAwIBAgIBCjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxOFoXDTM4
-MDExNjE1MDUxOFowHjELMAkGA1UEBhMCU0UxDzANBgNVBAMMBlN1YiBDQTCCAiIw
-DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOqc07oO3vnGPC7vfpFAjlgEFk//
-gWEM/bTShjyKavkzYwuOK6ycXAAoFv4yvHVVANKRDJLJCi3H4vTdFP4g2EV50aAe
-XZGl0gAXpL1ENZz0X2PcuRmlZnOxFq7n1Vm904Wxt64+qKieDdnN9Tgw01bZRAgR
-I8q7Xpb9jeh3fsSOWKgCbSB3mp1LvWpuwKR30jfLtcRKhwOpqqgiS+kT8iJkRAy0
-K2BWm8d2Hn26BhWara42mp3w34PlZEsYU7Ed7bxwCEhFfsarrdm8eQM9r+j2zU4E
-J86M1wnZUIf3djfrozuWRrYFhTzyCiM80o4OhggZb49WL72QgJipisSacZ0lCJvQ
-FCPUmaz5aET9Ab3ksB+H8gwWiDEBXq/fgcAp0QXIN29MtoGz0PH12RzP5pVAQewv
-uTnSG0jJA8oKn0tBdP8xvUDVRszJhJTpqtOu3/wHDktsaAdwkqr/miHAZ6rocnvb
-l/TQ++ltTEgZVfvE8/p4xpQv/Yixx1j9AyooUV6OLZX6Rle5bJO1ikQhgh3SxwuI
-JC3gRQ2POiPEH+ItAKRxpwHHF7gDKfwukpvddcweDgFycaeAn3vh6zVCHwwdrmks
-7nBlGUxb1wcnyCzOzNFnOd6ICuEhya1Q8oh5FW16RiNKk71ytTyk0pEnq9Lw918X
-jH4BM24uPo9IGAbvAgMBAAGjgZkwgZYwHQYDVR0OBBYEFE2fuJL0mDt+H+quozzf
-z+dWTvYlMFoGA1UdIwRTMFGAFP3GVnK86oIZSACwo4v3eT/3JvwjoS6kLDAqMRsw
-GQYDVQQDDBJoeDUwOSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFggkAmWX5NMOQ
-wXIwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAeYwDQYJKoZIhvcNAQEFBQADggIB
-AI9Ol/enhxcnry8wI5cuCTUDAZwTOBKFSRDOacR0aWdtYTq7xVrnVdrwowa+/1Xr
-iaJlLjXKJEkK+gE6yFCvlO7N6WcqGxujQB7kSnoxkxzmd56jQRlmZN3zczTXKDg/
-9ZQtWD+9JM1b7XeBUzFFZ+TXhc7SEPG3DwMiPMG+qorRkrYD5ZKjTNN27oqDAcig
-ClM6xqQ2jVE1pQfcjDXJA/od7EkF8LAO/iT1Ttu+8wCwNVfWMQLC4W86LCxC+Ydb
-w3L3RmofDhZQ7qYAQjCtBQfUjgoNxiOz15sBVxJ7fRtdYLf+eE+RG3bfpqf1YXY7
-HG98x1d/v8esI8XFz2tegxxMfoMt9ttRhXzTa9z291MfJjqNkfFqQ8tXGiRxlEh0
-cqFY6vgNPnFbNS8wtDosbrRRJ35m5fjMK4i8mM8ka19GMT7OWNQmAYfIG9kQoXY6
-8YsWLz9UsJX/wE86Zy0obiz7gYeSyIwTRT7Q7BK4Ug5x3NxQH1dEHW+AvVDbJj5j
-J1OfmUY5BCtmp/nz85nGM0pEC5DqXRccQR5E23PFaNHkBAGZSVkjDSsGWvzbVpBn
-bSi4ZmxWcBKuNt3wuW3xyVx3DzDZRuFX5dOSksF0QJkkAP9XWS1I5R+XNIt/Jj4k
-nqaWFBbXvpQaVTda0pQf353yiohd4ovEWWAGRFKpcynt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-----END CERTIFICATE-----
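Review bot: The regenerated sub-ca.crt is still signed with sha1WithRSAEncryption (context lines L10387 and L10484) even though the key, serial, key identifiers and validity were all reissued, and the same holds for the sub-cert.crt and test-ds-only.crt hunks below. If keeping a SHA-1 fixture is deliberate for compatibility coverage, a comment in whatever generates these files (not visible here) saying so would stop the next regeneration from silently changing it; if it is not deliberate, emitting sha256WithRSAEncryption while the keys are being regenerated anyway is cheaper than rediscovering this when a stricter crypto provider starts rejecting SHA-1 chains by default. Separately, the new `Not After : Nov 21 22:25:10 2518 GMT` lies beyond both the UTCTime range (RFC 5280 requires GeneralizedTime for dates from 2050 onward) and a 32-bit time_t; that is presumably intentional to avoid fixture expiry, but it is worth confirming the suite still passes on a 32-bit build and recording the choice next to the generator.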
diff --git a/lib/hx509/data/sub-ca.key b/lib/hx509/data/sub-ca.key
index 13570b1e2acf..1475e42dbac3 100644
--- a/lib/hx509/data/sub-ca.key
+++ b/lib/hx509/data/sub-ca.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDqnNO6Dt75xjwu
-736RQI5YBBZP/4FhDP200oY8imr5M2MLjiusnFwAKBb+Mrx1VQDSkQySyQotx+L0
-3RT+INhFedGgHl2RpdIAF6S9RDWc9F9j3LkZpWZzsRau59VZvdOFsbeuPqiong3Z
-zfU4MNNW2UQIESPKu16W/Y3od37EjlioAm0gd5qdS71qbsCkd9I3y7XESocDqaqo
-IkvpE/IiZEQMtCtgVpvHdh59ugYVmq2uNpqd8N+D5WRLGFOxHe28cAhIRX7Gq63Z
-vHkDPa/o9s1OBCfOjNcJ2VCH93Y366M7lka2BYU88gojPNKODoYIGW+PVi+9kICY
-qYrEmnGdJQib0BQj1Jms+WhE/QG95LAfh/IMFogxAV6v34HAKdEFyDdvTLaBs9Dx
-9dkcz+aVQEHsL7k50htIyQPKCp9LQXT/Mb1A1UbMyYSU6arTrt/8Bw5LbGgHcJKq
-/5ohwGeq6HJ725f00PvpbUxIGVX7xPP6eMaUL/2IscdY/QMqKFFeji2V+kZXuWyT
-tYpEIYId0scLiCQt4EUNjzojxB/iLQCkcacBxxe4Ayn8LpKb3XXMHg4BcnGngJ97
-4es1Qh8MHa5pLO5wZRlMW9cHJ8gszszRZzneiArhIcmtUPKIeRVtekYjSpO9crU8
-pNKRJ6vS8PdfF4x+ATNuLj6PSBgG7wIDAQABAoICAEljDQeiJzVSQPkdiSW+X8hA
-XwpfDgVhnuq0/7BoS9XvsQeoTRkNP+n8oFSbYkABeuRi4t/3auuvHtshXLOxanUx
-CdVgKjyo9et5edqKP4r9FemS3YOcLVP7DPFhK2eK7WNgl+g1SWSVLBf5SL9u5mzA
-QXuUgPGlco0gewdAebLaI/lJ6QDC6OZTDskAI9pOcL9rRUxFU75dkDhPohciWhdP
-7clbgkX8UXYvCJKjYcvYOoPIKM1Gz2PemWS0E1nP1tGe6bhRpLpYcWUug1v0K9Zf
-fRDuU9VUUN+PzpT5X01WtBSriSrexzKtM2aaW/J7sIlQC4l2mDBfxxn5zqJ4/Rhl
-aOJ6MDrBaA0IiVSJaYtSXS13G6MS3H3zLm7z5ZeTIa5ysqlg0Sb44xVDDhGshb3k
-/seBYviwHfZY8d2b2pp5FVUbwC3gL7wqr4oUN1iE3q8xdDxqRZfqqhvyBWuTOPvS
-TqRjcx+eK+Y4xSdlldgsj/gIiRiWe6MOYwoC0mBOXOqO5hBOKPGWX26FmqUirmJt
-3MCThLYcDTexLYiu+mpOl69YaoGCyXoWtiQpzdaJ/oPCmqLbMyL0O4t6eecK80d6
-mYSHBhqqXzNm03SMI2PyeuGadAjmJUY5GmT2V1+6JKWcVT/luMluEyfqjbZLxU7u
-s8QGchKj1btBN21iQ7RBAoIBAQD5ghu4Jm9X9V+Z4RKrSDIrcep/gkm3LoTQ7jrm
-tcZ0gOf0TLkCNEIMcCHGNj5V1seCbmsk7ysVVw0Ew1UeVBv5JlNroixV2/rF+G62
-MPT0o9BuboFfusM9G1fZP7IoTE2WL/6LXejRyxqxpdXLkT8+a/+52xpcmZzgLAJo
-rd2+4ODywc2a2K97rBYFq+I7XajHs0NI/EMAAVUUmuY3ekyo3+YDPA9ys6sRJnAu
-hhSvXPgeOep0UeDCXJFb3o+lXXnrEp6TUUPwxsmz88BNGrI3T7N5LT/6mV8Wm2i5
-gI0+KSVY2j/2aZmNk04xqVf9sYm+4OJyPqKbOPaJ9i7jzrx5AoIBAQDwt4EBESia
-YLARxkWEJkfKhRcPBC/iYLSikrJh/LwCbAT/T4M/VotBJv4qGZgQLCVSX2lDZy2e
-XPQZqmvcQbcA+rm/JX/jZkU4mW08GY4NtqZf4wAQv2vb7SCML86+QzzP2zTobyga
-a4uXF/vJCFkxQz05fGuYS5NhPYZcCIjLLb6Lx02jy8S40am7JKErrjVzyQZVKxgS
-hhvm5qW9wpbzvnczGkBWWf/bFVfzotO1Ghrdu1iBeJAN88wHNL0g8rFYAnO6ZigA
-tj2l2qSeIzZ8IU43Tqm24DH9/GQNOdw90ML/kZkp/0rr0ZXD3KMxICpGlYdbjMgx
-eZrFRFkT5rSnAoIBADMCDFSrVtvuh+rXfo+RpOAI293RbuyKEBD+gwAjbTzoFYN2
-I+R1doNAcUcqU7gMvqDFnhXg5zfnofu1SzN2EnnvAeLhNpse67eJQGjyvUE+NCA/
-ayd88OkPK/h38x4V606m5Szst+ob0Ys70edZ/EnwnkkKp+sCZHXXyW5JDSo2owY9
-5KChZ86qsZ3bM9bbIOQim8DSAYiAvToHKMVytTVZAJbssmPKo1BQQWLhel0XbooP
-YQUCsCZL8lOLvmYaJBCQr+aCGJeirB2j2U5qBMEWBCTjwU6kCDKA9vnlc/qfQslV
-ZPolQIUW9kdkzV5J61UgeGrOr0N4c75km9VqsFECggEBAJvNCfBY3MDe59b5T7Ey
-3bCU59HOUffhw8idzlthq4adx7ZADqEGMOegh01Ud3mwOQ/RtV3tADfJzix2g41x
-8zLtFSBE8zuJzC/QDkWh/LGfkJvrXvV4ECWumyxhHR1Eg629Icd3eqtvBFBtM4hw
-oNojvRLiFvnhoKiFm9shovhuyS/LddMYZmGBQqxgDvkormwcpr6lP9Vte829Z3Uk
-53MnyhsHWLELW3C/pceJkiFbnhv50FUsZYDCVUIsvmT+8A4YuDLjP+0GB2y70WSR
-QgihvfBKN8qn3XOY0mFFG+nenvevk0T9ec6cPqUgv3dibDp3Ob7lpgVvwd8AV+9r
-mW0CggEAW2N9dnmQ9Wz4l3WNGJsiEOdOgYXgFv4IqmPbUFBvVsr7EjpJ4QiEwwwK
-rAY+RZW0kFrxK0a1IeMG9WYNWwPfnmA+5jarOnVQDctcWzPWTKQMkMm6r9HTK29b
-BS5TNMyr0Tw58zhG65Y2fvqyHnnd+DeOLzAuRBNPiNDolwEHz/3NkygCYZ/vTWv5
-KzIdRRamjt2G3EAcQkmQB338Z16liqBbiAkVNfP6TaJ/f/T4McVXML1poG2Hna/k
-cdhyTVWVjzTR/awu/w27dUG5DbkaACmAmIrvKVcQOLdnCxYsuAwSgyVC5obTkMv8
-FAyxqmq2U5lLkxSX9M7dtz1OfJnbxA==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/sub-cert.crt b/lib/hx509/data/sub-cert.crt
index 3186c83946e6..b98c463c09d9 100644
--- a/lib/hx509/data/sub-cert.crt
+++ b/lib/hx509/data/sub-cert.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SE, CN=Sub CA
Validity
- Not Before: May 23 15:05:20 2019 GMT
- Not After : Jan 16 15:05:20 2038 GMT
+ Not Before: Mar 22 22:25:12 2019 GMT
+ Not After : Nov 21 22:25:12 2518 GMT
Subject: C=SE, CN=Test sub cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:b0:b9:77:f4:5d:e2:66:7d:10:16:aa:24:16:3b:
- 13:8d:ad:b1:00:12:eb:49:14:8d:73:3a:e2:ee:f7:
- fe:13:98:da:d9:d6:72:e2:8e:a9:dc:c6:d9:5c:86:
- e6:03:fd:29:a5:de:46:05:02:4f:a9:79:25:61:5f:
- f7:53:64:03:cd:2e:9d:c8:43:d9:45:48:14:7e:59:
- ae:c6:ad:25:78:10:71:57:43:30:45:65:d4:0c:5d:
- 52:91:97:dc:b8:93:38:64:9a:0b:4f:da:16:f7:1b:
- 8e:aa:f5:e5:cc:3d:0d:84:ba:d7:fd:f9:5f:4a:ed:
- c3:c8:36:66:f4:42:fc:5d:00:2b:7d:7b:8b:51:94:
- 35:a9:27:3a:71:fb:ac:f5:2f:e4:d2:8b:c6:22:e5:
- e5:a3:1b:13:95:3e:0f:0d:3e:07:1f:6e:23:b0:5d:
- f7:60:01:e5:08:85:01:ac:48:31:32:38:1e:57:e8:
- 1b:3c:38:c3:70:3a:81:1b:04:60:3b:c7:20:a9:8a:
- fe:b9:c5:4b:c7:10:28:32:0a:7c:1d:f3:8f:5c:d0:
- 2a:2e:83:97:3a:5f:42:34:95:1b:c4:b1:73:ff:23:
- a9:e6:fb:9f:f4:40:2e:2f:c0:ad:9f:d6:c2:45:21:
- 40:51:f9:2e:98:db:90:34:3e:f6:54:e5:fc:cc:d5:
- 06:4c:19:81:53:af:bd:a1:8d:83:3a:b5:c7:1b:85:
- 78:dc:64:65:f8:ed:88:b6:69:4d:c0:3b:da:9b:d5:
- eb:32:e0:e0:1c:00:65:e7:f0:5b:f1:bc:e2:e8:8a:
- a5:31:9e:d6:da:d3:c3:2f:d0:84:9a:f3:f1:2d:e1:
- b3:63:3e:2a:ce:c9:98:45:1b:7e:8a:bc:2f:0a:f1:
- 39:82:39:70:d0:f7:28:18:3a:74:eb:d0:4c:e7:99:
- e5:e6:b1:f7:33:57:60:14:cf:2b:24:59:ed:30:f6:
- a5:b1:6b:54:3d:74:ef:68:7c:69:b1:35:e8:1b:9e:
- 0a:d4:38:27:ea:7c:1e:01:11:46:4e:07:b2:da:00:
- f5:8c:a5:a6:d0:7f:24:a7:d9:32:a2:bf:6e:92:a3:
- 16:83:1d:ed:74:e6:3f:6b:ab:1b:23:65:84:32:51:
- 94:2f:1e:01:1d:13:b7:b3:6e:c2:2e:67:bd:33:8e:
- 41:44:14:29:07:92:01:99:2d:f6:ac:51:26:a3:44:
- 67:5e:cd:0e:35:e7:83:43:3a:20:78:63:23:4c:ee:
- f4:5b:32:0f:17:49:14:d6:14:9d:d4:32:2d:b6:15:
- 42:2a:7e:1f:3a:90:df:df:92:6d:b8:41:e3:39:29:
- d9:c2:2c:bf:94:67:9e:a9:8b:10:14:3a:ca:0a:10:
- cf:a4:5d
+ 00:ef:45:00:67:2b:7e:d2:ea:7d:80:b1:ae:81:5e:
+ fb:dd:82:ca:de:db:98:37:70:e8:3c:a2:01:87:8b:
+ 88:2e:40:30:22:d4:65:1d:7e:cb:cb:d5:40:e0:51:
+ 06:f0:f3:d9:00:db:5d:6a:0f:d3:11:bc:a1:3c:69:
+ 25:65:a9:87:b5:8a:3e:6c:79:2a:e8:5b:1a:9e:b4:
+ a4:81:5b:c3:83:f6:fd:9a:a8:48:6a:c4:ce:7f:81:
+ 26:83:c9:e5:b5:c9:a2:18:ed:0c:ea:1a:26:59:49:
+ df:56:ea:c2:33:2f:65:c2:14:30:5d:78:4e:91:09:
+ 6d:f5:77:ee:e8:0e:fe:ca:14:92:af:73:c4:8e:91:
+ b1:62:1a:c1:46:3e:36:d2:33:6a:7f:05:4e:d5:7b:
+ fe:69:4f:6c:b1:be:89:e6:7e:8d:5b:de:10:6c:a6:
+ bc:4a:05:66:17:19:71:e3:2c:62:bf:8b:4b:3c:6d:
+ fb:2a:7b:95:d5:d4:02:f0:43:e0:ce:cc:7a:30:fb:
+ a9:93:d2:50:a0:17:67:c6:08:8d:3c:9c:83:69:1f:
+ b7:ab:cf:d0:77:b6:8e:cc:89:0d:82:cd:e1:fb:53:
+ 2c:1d:f6:6b:81:0d:8f:da:dc:6a:34:93:06:23:32:
+ fb:83:90:40:8a:7f:ad:cf:2c:81:6a:10:cb:59:29:
+ d4:f2:af:b2:ee:f0:7b:b2:d5:0f:9d:5c:e6:d3:eb:
+ 18:9b:89:01:11:5f:e7:f4:50:34:e6:2c:31:b1:f3:
+ 60:af:03:a5:40:00:47:88:76:cd:52:da:1b:11:03:
+ 57:f5:3d:a1:01:f6:2f:9e:f5:01:37:22:a0:7d:5f:
+ 40:87:2d:69:72:70:80:05:16:24:2d:a6:b1:5e:ca:
+ 40:ad:f2:da:7f:c9:8f:7a:32:b2:8c:be:9b:de:66:
+ 17:92:81:83:8d:1a:f5:c9:8b:9a:3b:4a:84:b2:24:
+ 63:97:60:f6:3a:c0:84:88:2a:dd:6b:f8:e7:44:29:
+ 79:cf:98:d9:ab:36:93:10:a8:7a:7b:90:bc:bb:e0:
+ 43:c1:93:13:80:9d:cb:a6:68:67:94:67:6b:3a:58:
+ bd:02:39:20:88:e1:64:8e:a1:7a:6b:99:3b:9b:00:
+ 65:11:b5:fd:b7:18:55:fe:67:f4:94:ab:c2:08:a7:
+ 3a:d8:a7:b4:6e:d9:e9:89:1e:b0:81:1e:23:31:a9:
+ 17:b7:c7:f9:df:5b:90:2c:46:96:c5:d5:a6:cc:8b:
+ e4:db:fd:4b:47:8d:8f:bb:e4:41:d0:99:fe:81:83:
+ 88:a7:f0:a5:81:ae:c9:62:f6:4f:d8:12:60:33:20:
+ 6f:d1:39:37:f5:1f:05:40:62:43:9b:97:a5:7b:16:
+ cc:93:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- C8:FC:4C:74:0D:42:18:8E:0A:4B:7C:61:C7:CD:36:FD:A9:96:8E:64
+ 48:26:75:6B:4D:E0:98:93:39:02:40:D3:F1:1C:6D:D0:D8:45:A6:04
Signature Algorithm: sha1WithRSAEncryption
- 5c:65:de:68:c8:80:3b:8b:08:74:2d:f4:89:51:42:7e:ac:41:
- 83:d0:7f:ff:cb:d4:95:84:10:52:f9:2f:77:62:04:b9:03:8f:
- a5:b2:16:92:19:c9:94:62:ae:3a:2b:73:89:59:73:2e:e3:05:
- 05:0a:dc:e4:00:be:6b:fc:1e:ad:92:e2:8d:1d:a8:e2:71:6e:
- 10:3b:50:5d:1c:c1:97:e7:4a:14:c3:1e:9a:a3:4c:e6:5f:4a:
- fe:21:43:94:e1:e5:11:7c:42:c6:b7:06:d5:11:45:5d:3c:bf:
- e7:9d:9b:4e:0a:9b:7a:94:09:ed:b1:fb:07:c4:2f:16:a3:8b:
- 92:50:23:b6:5c:33:fa:2c:39:83:3a:6a:92:d2:00:a8:e0:a7:
- 28:25:8a:b6:09:ee:17:6a:f3:be:38:c8:48:04:2e:81:96:9c:
- 08:a2:3b:48:6e:f2:75:d8:5b:07:00:13:64:1f:a5:a1:7e:bf:
- d1:a4:fa:5f:61:55:40:67:8a:76:31:28:1c:f8:a7:f0:9e:bb:
- e0:bd:18:89:6c:9c:e7:21:9f:49:ab:3f:1b:43:12:c3:4d:fc:
- cc:e7:f4:4c:4f:c0:45:5b:30:f7:9b:09:60:a7:46:a5:f0:8b:
- ea:ab:62:78:3c:7a:cc:ea:09:2b:f7:7c:06:04:b2:f7:31:68:
- b0:25:e0:7e:bf:50:b5:a3:b6:f3:1d:c0:42:95:d9:79:f6:8e:
- 94:cc:b4:da:f9:e6:fe:7a:44:93:80:0b:25:d9:54:69:8e:d8:
- 7e:08:a8:63:55:67:3c:32:87:52:73:38:fa:0a:e0:4c:ac:1e:
- b1:7d:bc:89:ee:a5:d6:79:ed:79:2c:97:f0:c6:a4:1f:ff:ca:
- 1e:38:a9:86:22:46:d3:ff:69:44:aa:7c:9d:c0:35:d3:99:03:
- 86:5e:b4:d0:e4:16:c9:f1:83:16:5f:b8:b9:a0:8b:16:c2:31:
- 17:2d:59:de:a7:b0:16:cc:63:10:16:17:20:cf:e3:af:02:92:
- 48:d3:64:38:44:9c:16:a9:62:5b:be:7f:c8:1f:4e:69:d6:44:
- 35:92:cd:69:fc:e5:23:60:4e:a3:93:92:1f:aa:6e:ae:77:cc:
- 63:fe:ff:49:10:10:c4:3c:53:34:1c:d9:51:41:d8:73:86:5e:
- d5:a8:22:38:b0:20:3a:11:3f:a0:50:ba:4a:ad:8f:1b:34:51:
- 68:6e:66:6a:77:22:ec:a8:8a:14:ff:cc:3d:32:20:76:d9:a5:
- d1:fc:4c:60:35:dc:1e:38:a4:02:ee:65:8b:79:8e:65:6c:2d:
- dd:c8:54:70:c2:9e:03:29:a5:99:ac:9b:83:52:c4:19:1b:8e:
- f1:15:cd:71:c8:1d:0a:de
+ aa:a0:db:44:96:6c:b5:c7:96:93:a3:11:e5:dc:1f:69:08:87:
+ f5:5f:50:25:99:03:6c:d2:89:55:4c:04:d4:8a:49:73:e8:e1:
+ 82:4f:f6:45:24:1c:ef:46:09:b2:19:09:16:5f:11:05:13:e7:
+ 3f:ca:5b:af:4f:6f:39:df:a8:71:1c:cb:62:2b:8d:42:b9:a7:
+ 58:76:72:db:88:8d:3a:e0:33:5c:ef:41:c7:30:d6:d0:9a:9c:
+ 70:f1:72:74:e6:0d:6c:1c:11:ff:f3:4a:ee:3d:d2:f7:3a:56:
+ 9f:41:63:83:60:4c:6b:63:d5:9a:a1:c8:22:b2:a5:8c:03:99:
+ 2f:04:65:a8:52:1b:1c:cb:4b:e4:b1:a0:86:7c:d7:85:e9:9a:
+ 8b:8f:f1:2d:e9:45:d0:f4:ee:51:cf:13:da:ff:ea:e8:cc:30:
+ cc:ed:f3:7e:f9:4d:59:a3:d2:ca:f2:4f:5b:73:65:63:de:39:
+ 0e:87:e1:16:30:65:d0:fa:da:0d:57:df:82:de:09:2c:24:7a:
+ ef:9c:d8:fa:7c:5a:25:f1:1e:e3:e1:56:c5:79:c3:13:37:38:
+ 03:dd:b4:6f:c0:61:b7:cb:41:bb:77:0c:c3:4f:14:e0:8c:e9:
+ 89:4b:55:6b:dc:ce:11:9b:f0:68:32:e2:64:c8:75:6a:80:26:
+ 88:fc:c1:ad:56:07:57:07:2d:fc:10:c8:42:94:f6:f4:7a:e2:
+ 94:ee:05:aa:28:7a:f3:d6:62:4a:fb:99:c0:df:dd:ca:77:14:
+ 70:6e:63:d1:68:25:6b:de:51:8b:8c:0c:5e:68:79:25:a5:68:
+ 74:c1:43:23:75:4f:eb:30:c6:84:79:a9:df:25:a6:66:56:cd:
+ 9c:95:40:b0:12:c0:60:9d:b3:99:02:4d:d1:de:25:2d:00:49:
+ e4:8f:81:8f:14:5d:3e:1c:c4:ac:11:ac:ef:0d:a7:ca:0c:01:
+ 88:54:26:bb:38:c7:24:b8:4b:45:97:40:9b:21:ea:7b:e0:5b:
+ 5f:d4:3d:dc:01:0a:8e:3d:db:31:8b:e8:23:8b:5c:48:34:95:
+ de:71:cc:61:43:aa:59:0e:be:0a:7f:75:8d:fb:b9:f0:fd:28:
+ e9:76:8d:5f:ea:9c:59:07:28:a5:b4:df:8f:0b:3c:c7:ad:00:
+ fe:9e:28:86:cd:52:fe:e3:78:81:ed:5e:73:40:1c:06:02:a8:
+ b1:84:b3:ec:56:ce:a3:70:22:ce:ab:0f:4b:8d:36:09:2d:6d:
+ 5e:93:2d:c4:20:c4:bd:8e:78:68:0a:84:81:b9:85:b7:cb:03:
+ c0:26:b9:c3:d8:e7:ab:c6:a6:7c:55:a4:e6:96:b3:65:84:5b:
+ 7e:bd:1e:c9:94:f6:25:c7
-----BEGIN CERTIFICATE-----
-MIIE9zCCAt+gAwIBAgIBCzANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQGEwJTRTEP
-MA0GA1UEAwwGU3ViIENBMB4XDTE5MDUyMzE1MDUyMFoXDTM4MDExNjE1MDUyMFow
-JTELMAkGA1UEBhMCU0UxFjAUBgNVBAMMDVRlc3Qgc3ViIGNlcnQwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwuXf0XeJmfRAWqiQWOxONrbEAEutJFI1z
-OuLu9/4TmNrZ1nLijqncxtlchuYD/Sml3kYFAk+peSVhX/dTZAPNLp3IQ9lFSBR+
-Wa7GrSV4EHFXQzBFZdQMXVKRl9y4kzhkmgtP2hb3G46q9eXMPQ2Eutf9+V9K7cPI
-Nmb0QvxdACt9e4tRlDWpJzpx+6z1L+TSi8Yi5eWjGxOVPg8NPgcfbiOwXfdgAeUI
-hQGsSDEyOB5X6Bs8OMNwOoEbBGA7xyCpiv65xUvHECgyCnwd849c0Coug5c6X0I0
-lRvEsXP/I6nm+5/0QC4vwK2f1sJFIUBR+S6Y25A0PvZU5fzM1QZMGYFTr72hjYM6
-tccbhXjcZGX47Yi2aU3AO9qb1esy4OAcAGXn8FvxvOLoiqUxntba08Mv0ISa8/Et
-4bNjPirOyZhFG36KvC8K8TmCOXDQ9ygYOnTr0EznmeXmsfczV2AUzyskWe0w9qWx
-a1Q9dO9ofGmxNegbngrUOCfqfB4BEUZOB7LaAPWMpabQfySn2TKiv26SoxaDHe10
-5j9rqxsjZYQyUZQvHgEdE7ezbsIuZ70zjkFEFCkHkgGZLfasUSajRGdezQ4154ND
-OiB4YyNM7vRbMg8XSRTWFJ3UMi22FUIqfh86kN/fkm24QeM5KdnCLL+UZ56pixAU
-OsoKEM+kXQIDAQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAdBgNVHQ4E
-FgQUyPxMdA1CGI4KS3xhx802/amWjmQwDQYJKoZIhvcNAQEFBQADggIBAFxl3mjI
-gDuLCHQt9IlRQn6sQYPQf//L1JWEEFL5L3diBLkDj6WyFpIZyZRirjorc4lZcy7j
-BQUK3OQAvmv8Hq2S4o0dqOJxbhA7UF0cwZfnShTDHpqjTOZfSv4hQ5Th5RF8Qsa3
-BtURRV08v+edm04Km3qUCe2x+wfELxaji5JQI7ZcM/osOYM6apLSAKjgpyglirYJ
-7hdq8744yEgELoGWnAiiO0hu8nXYWwcAE2QfpaF+v9Gk+l9hVUBninYxKBz4p/Ce
-u+C9GIlsnOchn0mrPxtDEsNN/Mzn9ExPwEVbMPebCWCnRqXwi+qrYng8eszqCSv3
-fAYEsvcxaLAl4H6/ULWjtvMdwEKV2Xn2jpTMtNr55v56RJOACyXZVGmO2H4IqGNV
-Zzwyh1JzOPoK4EysHrF9vInupdZ57Xksl/DGpB//yh44qYYiRtP/aUSqfJ3ANdOZ
-A4ZetNDkFsnxgxZfuLmgixbCMRctWd6nsBbMYxAWFyDP468CkkjTZDhEnBapYlu+
-f8gfTmnWRDWSzWn85SNgTqOTkh+qbq53zGP+/0kQEMQ8UzQc2VFB2HOGXtWoIjiw
-IDoRP6BQukqtjxs0UWhuZmp3IuyoihT/zD0yIHbZpdH8TGA13B44pALuZYt5jmVs
-Ld3IVHDCngMppZmsm4NSxBkbjvEVzXHIHQre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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/sub-cert.key b/lib/hx509/data/sub-cert.key
index e9fcb0d3fb15..481dabb647d0 100644
--- a/lib/hx509/data/sub-cert.key
+++ b/lib/hx509/data/sub-cert.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCwuXf0XeJmfRAW
-qiQWOxONrbEAEutJFI1zOuLu9/4TmNrZ1nLijqncxtlchuYD/Sml3kYFAk+peSVh
-X/dTZAPNLp3IQ9lFSBR+Wa7GrSV4EHFXQzBFZdQMXVKRl9y4kzhkmgtP2hb3G46q
-9eXMPQ2Eutf9+V9K7cPINmb0QvxdACt9e4tRlDWpJzpx+6z1L+TSi8Yi5eWjGxOV
-Pg8NPgcfbiOwXfdgAeUIhQGsSDEyOB5X6Bs8OMNwOoEbBGA7xyCpiv65xUvHECgy
-Cnwd849c0Coug5c6X0I0lRvEsXP/I6nm+5/0QC4vwK2f1sJFIUBR+S6Y25A0PvZU
-5fzM1QZMGYFTr72hjYM6tccbhXjcZGX47Yi2aU3AO9qb1esy4OAcAGXn8FvxvOLo
-iqUxntba08Mv0ISa8/Et4bNjPirOyZhFG36KvC8K8TmCOXDQ9ygYOnTr0EznmeXm
-sfczV2AUzyskWe0w9qWxa1Q9dO9ofGmxNegbngrUOCfqfB4BEUZOB7LaAPWMpabQ
-fySn2TKiv26SoxaDHe105j9rqxsjZYQyUZQvHgEdE7ezbsIuZ70zjkFEFCkHkgGZ
-LfasUSajRGdezQ4154NDOiB4YyNM7vRbMg8XSRTWFJ3UMi22FUIqfh86kN/fkm24
-QeM5KdnCLL+UZ56pixAUOsoKEM+kXQIDAQABAoICAAxzNIExsAZ6XwzJtbsfNFRx
-3RtdOdgvK3vntR8St4KX7SsVkYhmdo8ILz32fvPe/PUjgJlPvV76GukOQrVMQXxO
-AW2fYgogdtkj5k0224Hm3qVAJYFuGA8679sz8KfML1ffBlb8zUthVJ60rhjCYFZu
-d1L8I3t63qUXOA+TPIYsweOYNYtsvo8JJXPsQBYR5rPyhuXkflYMTUfhVFwhd4z+
-TGNba1cHKyR7gk+p0lVwYKrevjRy50nbxUaq+0Ca2bE4CpP500nV2I8V8AKIKxxl
-yeL3AEtrdJWRv6AOxFZAI/MS3QTvFJHmqBSvo4YNPqPHw0GfjjwwB1iZz0J663OI
-5hZ1dHdaLk3HSb3XdemMnwi5guJru+ojmGv9w4si9gpVdayzRiar4BG3Q2s2u68b
-t/Gr/5grWUFzhZua2BVTRpYzMQ2dX9aX/YNJdXV67Syg1sNb6jasjYXdjMhBhkD7
-UrgyUFgB/dC2M55AuCYtuSXbEdQAlMtrHOgdYfLSNRRj8FLCgnhe/72KB1hAhCrh
-S5NKWdIfd3eDDoRYcCmiiKJ+5dPppy4G1xYxx/CvJep6NybSK18fsVYBDoXD3c00
-YoseUWueKcJshWDn71nYupwvvlbIegvOllvijcLMnFFKCDP0Yxfp8cZBZTYZrCH1
-Y4C/r4dnhCaxbS86Xf0dAoIBAQDrAqNl0BzrOBsDRDpdDy9yJgdiumII76yQFzEh
-xm0OgBleKvx50awbuACDGoVQ9wFExX3NajDX5G5hwQkzy4UnG87RS2NZuaIgkN9o
-IbSqDlswurlGYHG1azfBeOivnaGFMtxx+X0aM9TfXy50WgCnjgogXOcvfKkiCQiQ
-kQuoLwBCEDX730gzrypcfbpECuo8lKP3s3dgan6uDkvmmAVQSW30maZOltToAljq
-Hdf73JB+UNwTUrpCZH5F5EhKXZSRexDBGr5FeaxHi/R+whg73LS8Y6X97mpqs7Hq
-FSmayZ3ILJx3sWJCyV2D+6k2Sk9gBWbMSUdGpS9BmBIZKS1fAoIBAQDAgil3ZhI1
-25DxeHLAS+ZcLVl5v/j3DfZsBfn4F6MjpqI9GAjaWnq/H54nv8PcYSlhWuFsN2dz
-haJYzDJtFevor/I6DPYfrM2Sfxcz9rsi3m8+qGNLdVO/++hg9bxcUrIwiT8kv2Xi
-OJnXvEFil5Ldmb/NM98TaUu//jYg4yr2w6f70rrtyVAsio3q7xrV1r7q2FjpF/Gq
-BFJJ0pBwXtnYHJojaA2im9BnTtRmBxA4Y5/ImVofp7XFIuqI5SfYO9RNd/LX95Lv
-pIg9DofsIMnK9v8Zp09s7UtNh76JbrG35mVvR9c7VZ5bBqbAJuk6WoRKyerkrMOE
-7WfaNPtf4QvDAoIBAGyjk5WFV1kFXrdr2u8aDfzex5tEPf2Tjlot3nCWoeOKJC/7
-/yrxWnaV4Oa6Y9bB2LxJ75X9+QZUexKFghOHic5CdKEcEJlxzxju39frfPEAIfes
-2elGvEn5fpTZp/dHD1vb3zxw8Pwj6cw42+i9kn/ikZvUVqsFHcq2EleCNblRwPTJ
-Oatt1JrP5u1K0ciSoyXOMN5ZAF553IXp5fx7Wjl7OHFSdibuYw29yAyyLx4nIETE
-bHgiTihS/Gyi0yhNiliWY3BhRIQpcxLACA5w+3Lw3DwadKmmhVs+Jojnr4v2mBHp
-TYunXJ0zKR/SPq7yOy9QT+0wEtr9kZLpEbS/7FECggEAO69fadxkovwbOTKN6V7e
-4g9RYXUKnJZgo2dK9AdoFiKQxH5SKFjLG7ySzWIgOJCLQtrpbyLSWTfCeON+cuHM
-DY2XfTYNjQ6HgfcTW5IQvSPXu8Z7Wqbau3g/uOgXaUxeYLv8rskErpm74O5GG2pB
-J6GGnPmLHTqVOMZ5Q8MKzA0nZOUV/alfyR+AFqnhWRFGigtfrY016O+ED81P6PcP
-dXiQtY+KQrMqbw06vxNLjSAeJxSco5ncum0z6BOcQedy0D3zNdBVZyVM9BkwPR6B
-UgM4XlzIPE5p/XSrt3JxeUHeixzr90J5YWFzi7nEr8nmoEVwJUwHJoxwmW+5zCU6
-/wKCAQEAgg9azbPTBLQsvQxp1G+nNeGfQzwe1QrlHFdW8e/rKudsXUoEoBoT77Z/
-xEcErH5uhFPz6twMYv2qaZPTY+mmB0/5q/TCo/KXguahr5eLrunYgkkjtRz4Tw2x
-ebBwoVSorX75txGIw+AZLgzYamkZpYc8ZC46aCLEbpFj8hNAuhibY+s/1oc+zL7P
-eCe+MYKKbk91KajbceSRIzFeyFa9nUOd4EM31Ebp4lxGSaLcp386C8naFa+EowoI
-4TLagaViDshP1ysaHdpiEjt0DnjKC/TlzE17ttpdSFTwFe0GsND2TuV0Fgk0SAjG
-uj2qsRY0KoByw9kyWVQeMxTuF6/EaQ==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/sub-cert.p12 b/lib/hx509/data/sub-cert.p12
index c929d7c89667..18898c890cd9 100644
--- a/lib/hx509/data/sub-cert.p12
+++ b/lib/hx509/data/sub-cert.p12
Binary files differ
diff --git a/lib/hx509/data/tcg-devid.pem b/lib/hx509/data/tcg-devid.pem
new file mode 100644
index 000000000000..66b769c7a67a
--- /dev/null
+++ b/lib/hx509/data/tcg-devid.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlFeGFt
+cGxlQ0EwHhcNMTQwMTE1MTU0MDUwWhcNMTUwMTE1MTU0MDUwWjAAMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAncvm0aOBK05rdNInYXzJGV5SFteVUFpt
+XFxg4evROvlulB3BzUmFGQYFDcItVnJX2fAvf0UJLtLBVBQggb5ylL6bRpj72cS3
+oyNbs0CGmix9Z1QDjkZZFvIsD1GcKO0tvsCvsEItH8Cm0fq8WcGFijWLdRD5eulP
+55pq1bAHAvIo4+VLMJVBG71xrKGZeHPjKoq6seYjh7AGy+hk2vmFzpZ8Ghdgqv+K
+02IZ7FEdzuylHW8U3qsxBHysMut4inj6AiVf467OOs5meHiifIK9MGkovMrfY9iX
+uUVUs/KXpE1sgeoX9BLvx1BPcODosr5K+z5i71OtIXy4CXrPvcGzRwIDAQABo4IB
+hzCCAYMwQAYIKwYBBQUHAQEENDAyMDAGCCsGAQUFBzAChiRodHRwOi8vd3d3LmV4
+YW1wbGUuY29tL0V4YW1wbGVDQS5jcnQwDgYDVR0PAQH/BAQDAgAgMIGBBgNVHREB
+Af8EdzB1pEswSTEWMBQGBWeBBQIBDAtpZDo1NDQzNDcwMDEXMBUGBWeBBQICDAxB
+QkNERUYxMjM0NTYxFjAUBgVngQUCAwwLaWQ6MDAwMTAwMjOgJgYIKwYBBQUHCASg
+GjAYBgVngQUBAgQPdHBtc2VyaWFsbnVtYmVyMAwGA1UdEwEB/wQCMAAwNQYDVR0f
+BC4wLDAqoCigJoYkaHR0cDovL3d3dy5leGFtcGxlLmNvbS9FeGFtcGxlQ0EuY3Js
+MBAGA1UdIAQJMAcwBQYDKgMEMB8GA1UdIwQYMBaAFDR3ZyRMRK/nnirgskxpV5Uk
+sz3aMBAGA1UdJQQJMAcGBWeBBQgBMCEGA1UdCQQaMBgwFgYFZ4EFAhAxDTALDAMy
+LjACAQACAWMwDQYJKoZIhvcNAQELBQADggEBABtrZu0n/7jPTYxak2n30AUakS7f
+Ihomojo14e8Lp/HF7/2VaUcohJH4KekCHTf8wpPxM/b9xRKLSOORA2Ey255Q2h8T
+v19he0dcdTvDPNQVY3AKaFO4cNiXeOYPR8n3IDYK5QdPqrdRX4/Bc34QcTWFDALx
+C00L/kDvBjV7l0Et2DBJIiBNziVKxs1xn136buZYRam6ZJhTRzNMMQ0eZ279Um4M
+39EI4DIFv6FzX0sC5waacVg6HFYd933NtdkDWV0VTGuk+5V8rH4Sjx+sywHahkoz
+BJhQBai2qiWEt7bB0ExGN2ZXPjiQiG4UHvLgGlCOUHX7EDNf0dvfUIZ6hLY=
+-----END CERTIFICATE-----
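Review bot: The new tcg-devid.pem fixture is already expired — decoding the base64 gives Not Before 2014-01-15 15:40:50Z and Not After 2015-01-15 15:40:50Z with issuer CN=ExampleCA and an empty subject DN — so any test that runs it through chain or time validation has to pin the verification time or skip the time check, and that constraint should be stated wherever the file is consumed. Its provenance is not recorded alongside the file; it looks like the sample DevID certificate from the TCG specification, and a one-line comment in the test that loads it (or a note beside the data files) naming the source and marking it as a parse-only fixture would save the next reader from re-deriving this. The empty subject is paired with a critical subjectAltName in the DER, which matches the RFC 5280 rule for that case and is a useful parsing edge case to have covered. The same provenance note applies to tcg-ek-cp.pem, whose contents are not visible in this view.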
diff --git a/lib/hx509/data/tcg-ek-cp.pem b/lib/hx509/data/tcg-ek-cp.pem
new file mode 100644
index 000000000000..f6631b2e06f6
--- /dev/null
+++ b/lib/hx509/data/tcg-ek-cp.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test-ds-only.crt b/lib/hx509/data/test-ds-only.crt
index 95df000b3007..ce0de74ed094 100644
--- a/lib/hx509/data/test-ds-only.crt
+++ b/lib/hx509/data/test-ds-only.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:14 2019 GMT
- Not After : Jan 16 15:05:14 2038 GMT
+ Not Before: Mar 22 22:25:05 2019 GMT
+ Not After : Nov 21 22:25:05 2518 GMT
Subject: C=SE, CN=Test cert DigitalSignature
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:db:8d:a2:5f:bd:67:a2:66:d7:80:3d:9b:5e:d7:
- 31:5b:05:06:4f:0c:aa:5c:e8:0b:06:bc:30:8f:f9:
- fc:b3:1d:de:4f:c4:18:0d:7a:ab:00:7a:7e:5d:b2:
- fd:85:d8:22:9d:d8:b7:e2:e8:98:e6:47:b6:63:01:
- 90:d5:e9:80:c7:ac:e4:32:bf:df:10:af:73:11:d2:
- 82:21:bf:5b:76:37:d2:03:67:c5:9a:7b:44:a5:4a:
- 4e:a6:05:d3:95:09:fb:13:3a:7a:ca:b9:4f:28:24:
- e2:cb:75:ee:6d:97:a6:62:fb:bc:57:ed:6e:2f:e9:
- 0a:7f:61:4b:c7:9a:45:7c:49:5d:03:fe:4e:09:8b:
- 9c:30:60:67:42:0f:89:44:08:0b:4e:65:96:6f:f8:
- 83:27:10:de:99:7a:8d:bc:e1:ab:23:cd:d2:83:57:
- 0f:5a:99:26:dd:6e:16:3b:d5:4d:7e:4d:d1:85:e8:
- 37:44:69:de:ea:9e:79:af:eb:b3:6f:87:0b:23:97:
- 53:81:b3:e4:64:2a:1d:f9:2c:6d:54:63:15:8e:39:
- 9c:70:b0:c1:85:91:be:21:4b:4d:73:21:0a:59:fc:
- 20:b9:60:6c:7d:ca:ed:ab:e7:22:79:cf:c4:5b:bc:
- 9e:fe:90:ec:e7:48:c0:0d:60:2c:6d:db:bb:ed:95:
- 70:cc:14:b4:45:9b:9b:45:92:fa:d2:50:ab:5a:60:
- 1b:96:6c:81:d7:2a:4f:60:df:29:38:26:9a:7b:ea:
- 68:e8:cf:dc:c3:25:a8:2a:d4:79:ea:69:7b:96:2d:
- 2d:aa:8c:39:1e:9c:00:bf:51:8c:66:4b:14:20:f0:
- cb:3a:19:b2:03:5c:78:63:72:56:bf:8f:fa:49:19:
- 98:d0:25:1b:24:ad:85:51:1f:07:d9:72:94:70:7d:
- 47:b1:9d:88:86:26:d5:01:d6:10:c9:04:60:01:b7:
- c5:5d:6f:e6:10:c4:7e:85:87:b6:8b:ce:15:ec:79:
- bb:05:83:3d:98:91:90:42:5a:28:f9:1f:65:07:63:
- 15:97:3d:8d:c2:33:f8:9c:70:c2:a5:53:6d:90:db:
- 6c:15:30:1e:6f:a1:09:8e:e5:56:79:fd:7e:11:f8:
- bd:44:5c:99:35:7c:56:03:1a:bf:15:fa:1f:08:8f:
- 1f:82:a8:2e:c3:a5:f4:94:a1:4e:9f:ef:4b:c6:6f:
- af:12:ee:ee:c0:c0:39:3e:47:bf:17:6e:09:c6:8c:
- 47:89:b0:a3:26:92:95:91:38:07:c9:eb:5e:2b:8a:
- 65:c1:26:21:60:68:f1:27:5b:76:7e:a8:81:25:31:
- 6e:14:06:08:09:62:13:9c:c8:af:01:e8:9b:4a:9e:
- 18:b1:35
+ 00:d2:e5:b6:27:f7:6c:c1:d0:ba:8a:4a:6a:4e:b5:
+ a6:92:2e:5b:98:d7:0c:6a:7e:f4:bf:19:30:2d:ee:
+ 1c:5a:ee:28:f6:5c:a8:12:03:20:c7:e8:2b:b1:44:
+ 9f:b7:54:27:6e:17:fc:c0:f6:f7:ea:38:d2:c8:77:
+ ab:6a:ae:d1:ab:9f:1e:79:df:8a:51:55:aa:6c:6a:
+ 13:74:74:2f:c0:20:57:ef:f3:e1:71:da:b0:ec:62:
+ e9:8a:01:da:f6:e6:c6:5a:fe:11:61:58:5c:a0:01:
+ ec:0e:af:70:0d:72:94:a1:d4:1c:76:53:ae:39:a0:
+ cf:70:d8:d9:7c:95:18:2b:5f:36:00:2f:5c:be:a2:
+ d5:8e:0e:e3:aa:76:0c:1f:86:b3:69:fe:e4:29:0a:
+ 30:b1:ca:83:1a:f2:88:fc:91:2f:58:be:a4:a0:25:
+ 82:bf:16:b3:ca:70:09:7e:cf:29:f9:2e:58:0b:4a:
+ 3a:3c:6d:e7:05:63:d5:53:90:ed:ee:96:9e:8e:d7:
+ a8:ef:50:8b:37:bd:dc:88:f5:12:bc:04:4e:e4:f3:
+ ec:5d:9d:e6:46:14:e1:e1:6b:15:ab:f4:52:f6:12:
+ 76:ae:2d:a7:65:ec:8f:bd:90:51:52:4d:e7:cf:ba:
+ 23:01:7a:85:8b:22:41:a6:98:08:e4:33:00:c1:e2:
+ 82:b0:b2:c6:f4:6a:34:c6:a9:d7:b1:cc:c6:1a:0b:
+ ad:69:1f:89:af:e0:63:cd:51:c9:36:7f:08:f0:31:
+ 97:ea:78:bb:ae:21:4c:aa:2d:32:de:36:03:cf:64:
+ f8:8a:c0:c5:b3:c4:f9:79:74:7a:8b:d5:ec:bf:19:
+ 87:c9:25:0c:99:7d:56:a3:93:68:97:c3:cc:08:fb:
+ 37:c0:2c:cb:87:f2:b4:4e:fe:ce:86:69:2b:8e:c3:
+ 9e:40:a9:b6:43:6e:d6:b6:3d:08:43:24:09:58:8d:
+ af:d2:5d:1c:0e:cd:bc:e3:0b:b3:4b:a5:69:a8:3c:
+ d7:07:d0:7f:d7:78:c7:5c:a4:9f:e1:a2:bc:76:77:
+ 80:25:0e:82:2b:43:1e:e4:67:49:47:d9:65:45:57:
+ ed:59:d7:6e:a1:8d:76:a0:c2:65:52:c8:c8:57:5d:
+ dd:b4:d2:4f:27:a5:08:f1:88:7e:d2:3e:5d:60:c6:
+ 67:fb:c9:19:e7:78:cc:41:6d:24:11:cd:a4:e6:cf:
+ 56:8c:41:4d:af:d6:e2:22:c0:a3:64:2c:4b:27:f6:
+ b3:87:9d:08:e6:2a:2f:db:c8:50:57:95:a3:cf:67:
+ 77:f8:80:15:f3:45:00:47:f8:80:6e:21:b5:80:f1:
+ 81:29:45:3f:a9:8a:e2:12:12:4d:c4:90:e3:da:ab:
+ 08:80:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,64 +54,64 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation
X509v3 Subject Key Identifier:
- 6B:E9:29:4E:C6:18:4A:A0:2F:A9:AC:67:3D:F7:80:7C:CE:8A:97:66
+ C4:44:DE:34:6C:55:F0:21:00:F4:CF:F0:55:67:92:FB:8F:B3:40:46
Signature Algorithm: sha1WithRSAEncryption
- 9e:b3:b6:2d:27:65:c4:2e:2a:a2:f1:d6:3c:ba:4b:c6:b9:47:
- fe:72:5a:fe:f4:f7:92:4c:17:7c:f5:88:91:eb:f9:1a:6a:c3:
- 82:a9:8b:6f:4e:e1:62:d2:15:d8:50:12:aa:cf:ef:2e:73:2a:
- 86:cb:59:49:1a:35:17:4e:c4:2e:ac:65:5a:f0:13:da:35:78:
- 20:59:e7:f9:8c:9a:97:0f:76:cf:cf:2d:79:69:b2:9f:15:77:
- d9:af:20:ff:ab:07:18:f4:ef:5d:4d:c2:56:bc:fb:a6:52:aa:
- 53:a3:5f:91:5b:83:61:e7:fe:c1:89:4f:57:c3:8a:ba:d2:89:
- ed:9f:28:b0:f7:18:25:dc:d1:e8:4e:f0:ef:50:70:e5:cf:6d:
- ba:1e:d9:98:11:13:02:53:15:9b:98:95:b2:8a:60:a4:6c:f9:
- c6:23:4a:9d:25:ce:31:fe:17:fc:1f:11:43:52:4c:45:ef:f6:
- 38:c5:e7:94:98:34:3c:05:8f:d0:a1:82:71:9d:d1:ec:93:ef:
- 7e:7d:9d:ba:2c:7d:82:14:e7:ce:8a:e1:e9:bf:6a:82:0b:44:
- 1e:5d:1e:85:b4:81:0e:f2:c1:1c:54:8b:b1:e9:35:82:c2:44:
- 23:22:b0:96:3a:ab:0e:6c:f0:24:41:e0:bf:62:86:01:1e:e2:
- 29:af:d0:cd:06:83:84:66:a6:2a:32:d4:f8:f5:31:3f:d4:20:
- 34:07:6e:78:d0:f7:a7:64:fa:d4:81:15:c0:71:bc:10:3c:44:
- 8b:fc:f0:8b:03:7e:ca:9e:6f:e0:d2:f3:14:67:3b:ea:1b:79:
- 59:3c:98:5d:70:3a:b4:87:d8:45:99:91:63:f6:db:7d:35:d3:
- 39:df:ac:31:db:94:fc:90:c8:87:01:11:1b:10:9f:2f:15:53:
- 5c:f2:5f:08:cb:72:d3:f6:ed:63:39:e9:45:b7:ae:bd:db:21:
- 93:4a:fc:42:78:2b:db:ac:cd:ed:ca:f0:06:2a:f9:45:18:ed:
- de:31:3d:78:fd:94:a2:65:63:ba:ce:13:37:4a:ce:68:8b:39:
- eb:e1:24:d7:ea:ca:7f:25:d1:a3:63:97:8c:a9:f6:19:f9:68:
- d3:8a:0b:bf:2e:8a:db:58:9c:97:42:40:de:c3:b5:e8:84:d9:
- 3b:02:56:7e:d7:83:ab:e0:4d:e0:49:4f:8a:bd:c1:e9:aa:90:
- c7:96:bb:09:e0:6c:77:1c:15:48:20:4e:95:6f:7e:87:59:33:
- 75:da:5f:91:d6:35:65:67:15:a8:1f:1a:ff:23:c8:89:90:8c:
- 38:a6:12:70:5f:78:c2:1b:ea:66:64:23:95:d2:b1:4c:fb:e1:
- ed:22:24:b0:3b:da:8f:1b
+ a3:9c:c7:b7:3d:fc:8e:3d:5b:58:98:b0:05:63:fd:a7:50:c2:
+ d4:e8:c2:48:b8:b0:a8:e3:f9:c2:8b:11:47:a1:11:5e:e8:4d:
+ 75:c5:b8:d9:ec:af:81:95:1e:ec:d8:f6:8a:b6:17:12:ab:d4:
+ 30:84:cb:35:6a:c8:50:5e:1c:55:26:77:ee:84:f0:80:92:95:
+ c3:37:50:b3:23:21:7a:3b:63:5a:18:e4:48:fc:de:9b:26:50:
+ 38:9e:2f:a3:ad:03:5f:0c:b0:a1:0e:41:0b:01:71:b9:a2:df:
+ 84:f6:c4:d6:9d:8b:f7:a8:ed:cc:7e:b6:8c:5c:bc:26:0c:97:
+ 77:15:dc:fb:66:4b:0d:01:d9:8e:58:8e:1c:bf:35:47:b8:10:
+ d4:12:e5:80:09:b3:d8:4a:f4:0a:3f:6a:2f:9f:47:16:80:a7:
+ 92:6a:d4:3b:79:7b:25:b9:3e:14:a9:90:4e:92:6e:92:7b:6f:
+ 04:3a:0d:c6:63:77:82:e2:2d:e9:24:63:ce:a0:b1:8c:23:1d:
+ db:79:b8:4f:77:b8:7f:d2:49:5d:b4:60:a0:78:bb:d6:d7:56:
+ ff:23:c1:fa:46:cd:9a:2b:0d:87:df:b5:98:eb:7e:fd:af:6e:
+ 9d:03:de:d3:97:e7:19:09:20:13:ce:2e:b5:89:f0:47:ad:b2:
+ 3d:f1:5e:77:8b:dd:d3:6e:e2:a8:3c:cd:6a:22:a1:63:92:8c:
+ 2e:ca:0a:0d:aa:2c:15:98:de:27:08:e5:ee:a5:e0:e5:54:30:
+ 26:2f:32:ab:c3:de:e0:82:32:2a:dd:39:cb:3c:75:95:8f:9e:
+ 37:34:34:80:14:27:aa:c6:89:d3:8f:7a:35:19:3b:8b:c1:56:
+ 06:76:b3:0c:12:05:10:f4:5a:62:ff:d5:ef:e0:f8:da:aa:dc:
+ 2b:14:73:ad:31:c8:da:19:fe:54:51:32:0f:3b:7f:13:21:0d:
+ 5c:4f:33:e7:07:92:36:fd:01:04:d4:e6:4c:ba:dc:b4:75:c0:
+ f6:1f:3c:5a:4a:34:40:87:3b:8c:44:60:de:11:8d:18:41:0a:
+ e4:e9:d6:19:f5:7b:8f:53:3c:d8:3d:7c:4f:f4:b0:86:93:69:
+ c1:f1:e0:cd:8f:df:cd:ef:33:31:a8:e1:93:cf:bd:13:13:66:
+ 55:ef:44:63:06:0a:11:7a:78:e7:5c:6f:d0:f9:9d:bf:90:e5:
+ f4:d1:54:31:b8:0d:ed:ed:c0:e2:63:5c:13:01:ff:a8:11:c5:
+ 7d:42:e1:94:63:6a:63:99:0f:82:ef:49:f7:93:92:e6:72:d7:
+ ed:88:d6:ab:b2:25:8c:37:8d:08:22:a0:80:9b:14:fb:a4:a2:
+ 4f:43:be:ff:d4:e9:7e:79
-----BEGIN CERTIFICATE-----
-MIIFEDCCAvigAwIBAgIBBTANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxNFoXDTM4
-MDExNjE1MDUxNFowMjELMAkGA1UEBhMCU0UxIzAhBgNVBAMMGlRlc3QgY2VydCBE
-aWdpdGFsU2lnbmF0dXJlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
-242iX71nombXgD2bXtcxWwUGTwyqXOgLBrwwj/n8sx3eT8QYDXqrAHp+XbL9hdgi
-ndi34uiY5ke2YwGQ1emAx6zkMr/fEK9zEdKCIb9bdjfSA2fFmntEpUpOpgXTlQn7
-Ezp6yrlPKCTiy3XubZemYvu8V+1uL+kKf2FLx5pFfEldA/5OCYucMGBnQg+JRAgL
-TmWWb/iDJxDemXqNvOGrI83Sg1cPWpkm3W4WO9VNfk3Rheg3RGne6p55r+uzb4cL
-I5dTgbPkZCod+SxtVGMVjjmccLDBhZG+IUtNcyEKWfwguWBsfcrtq+ciec/EW7ye
-/pDs50jADWAsbdu77ZVwzBS0RZubRZL60lCrWmAblmyB1ypPYN8pOCaae+po6M/c
-wyWoKtR56ml7li0tqow5HpwAv1GMZksUIPDLOhmyA1x4Y3JWv4/6SRmY0CUbJK2F
-UR8H2XKUcH1HsZ2IhibVAdYQyQRgAbfFXW/mEMR+hYe2i84V7Hm7BYM9mJGQQloo
-+R9lB2MVlz2NwjP4nHDCpVNtkNtsFTAeb6EJjuVWef1+Efi9RFyZNXxWAxq/Ffof
-CI8fgqguw6X0lKFOn+9Lxm+vEu7uwMA5Pke/F24JxoxHibCjJpKVkTgHyeteK4pl
-wSYhYGjxJ1t2fqiBJTFuFAYICWITnMivAeibSp4YsTUCAwEAAaM5MDcwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCBsAwHQYDVR0OBBYEFGvpKU7GGEqgL6msZz33gHzOipdm
-MA0GCSqGSIb3DQEBBQUAA4ICAQCes7YtJ2XELiqi8dY8ukvGuUf+clr+9PeSTBd8
-9YiR6/kaasOCqYtvTuFi0hXYUBKqz+8ucyqGy1lJGjUXTsQurGVa8BPaNXggWef5
-jJqXD3bPzy15abKfFXfZryD/qwcY9O9dTcJWvPumUqpTo1+RW4Nh5/7BiU9Xw4q6
-0ontnyiw9xgl3NHoTvDvUHDlz226HtmYERMCUxWbmJWyimCkbPnGI0qdJc4x/hf8
-HxFDUkxF7/Y4xeeUmDQ8BY/QoYJxndHsk+9+fZ26LH2CFOfOiuHpv2qCC0QeXR6F
-tIEO8sEcVIux6TWCwkQjIrCWOqsObPAkQeC/YoYBHuIpr9DNBoOEZqYqMtT49TE/
-1CA0B2540PenZPrUgRXAcbwQPESL/PCLA37Knm/g0vMUZzvqG3lZPJhdcDq0h9hF
-mZFj9tt9NdM536wx25T8kMiHAREbEJ8vFVNc8l8Iy3LT9u1jOelFt6692yGTSvxC
-eCvbrM3tyvAGKvlFGO3eMT14/ZSiZWO6zhM3Ss5oiznr4STX6sp/JdGjY5eMqfYZ
-+WjTigu/LorbWJyXQkDew7XohNk7AlZ+14Or4E3gSU+KvcHpqpDHlrsJ4Gx3HBVI
-IE6Vb36HWTN12l+R1jVlZxWoHxr/I8iJkIw4phJwX3jCG+pmZCOV0rFM++HtIiSw
-O9qPGw==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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test-ds-only.key b/lib/hx509/data/test-ds-only.key
index 236df841bf58..91290387a5f8 100644
--- a/lib/hx509/data/test-ds-only.key
+++ b/lib/hx509/data/test-ds-only.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDbjaJfvWeiZteA
-PZte1zFbBQZPDKpc6AsGvDCP+fyzHd5PxBgNeqsAen5dsv2F2CKd2Lfi6JjmR7Zj
-AZDV6YDHrOQyv98Qr3MR0oIhv1t2N9IDZ8Wae0SlSk6mBdOVCfsTOnrKuU8oJOLL
-de5tl6Zi+7xX7W4v6Qp/YUvHmkV8SV0D/k4Ji5wwYGdCD4lECAtOZZZv+IMnEN6Z
-eo284asjzdKDVw9amSbdbhY71U1+TdGF6DdEad7qnnmv67Nvhwsjl1OBs+RkKh35
-LG1UYxWOOZxwsMGFkb4hS01zIQpZ/CC5YGx9yu2r5yJ5z8RbvJ7+kOznSMANYCxt
-27vtlXDMFLRFm5tFkvrSUKtaYBuWbIHXKk9g3yk4Jpp76mjoz9zDJagq1HnqaXuW
-LS2qjDkenAC/UYxmSxQg8Ms6GbIDXHhjcla/j/pJGZjQJRskrYVRHwfZcpRwfUex
-nYiGJtUB1hDJBGABt8Vdb+YQxH6Fh7aLzhXsebsFgz2YkZBCWij5H2UHYxWXPY3C
-M/iccMKlU22Q22wVMB5voQmO5VZ5/X4R+L1EXJk1fFYDGr8V+h8Ijx+CqC7DpfSU
-oU6f70vGb68S7u7AwDk+R78XbgnGjEeJsKMmkpWROAfJ614rimXBJiFgaPEnW3Z+
-qIElMW4UBggJYhOcyK8B6JtKnhixNQIDAQABAoICAFOpQ99xoCT9RU8DqsnX/GGv
-p3jF3cErVtBJM8QZQVbLoeQJWBUC0liLVM3Fn9+5vW8inuejNGhDmVdeyF8K7Fyq
-IAbKoGiOQq3e5mGPtn10xd0wVNcJ8918VD3laHuZYwgvt4y6UlR8wcM//AvcxrVf
-MaTbv6oYBj0FyUeVHLdAiWY1KG1wuqKgiZhdrTO0UQKdqVaffvKK9hfL4GjCIWGy
-U25i5WHjjDDCe0xvemkPpDB/jVfPc/c5TitgCG8OKYt1ZYe+EeCtP+CsMjj+zL72
-awtx/zwzjhzHwgqF45jof1vER3Mjua9Qkw2Rw0QluvxMI0n6qdwu8p8mJRViZalZ
-waaUk4EvlB4ZE3tA3NRKFyrmEn2zehzna0o72Je06NuShtnxPKkGAnw3ieys5noJ
-c8IB7v0R3r9xwJOt5ZO/OEnI68v6ijcGPcPkSTfJP5hlVxwtNCg6n0wCVnojemmm
-nqpEGritdpe53FkDR/EYfX/Idn4yAaJs/Z0SuN6Q2KNVSXJjlSZLg8PHATxlRWtd
-4rX4W+gFVudT59EYWY7cxa0yrrQOJXxLzxiPt0H+aKJTiwQ0mYKLH/HAugl7byhe
-U4QwJ0VNU2JxpX+1OhRQaMhooMH3Y6XSYITq04OIxYzdAlflb2WffZ3JyIpIAv7+
-Tymxyu7/DkQzFpb0QngdAoIBAQD29SgKA3n17R1MJkfmRxE5JlQpkZXRkzw1vDbW
-48b6JYna6jRvb8ktpn738iW+VJ+1j96q5MyofR/SlkO1ZOtsh3V9i1ddZTGt8Zqe
-Bgq6HYxCSZmc24wtq3G4nMNfbvcpOgssSmh/LMQeKTCVQTwmGnf1xLoI9D8qshIT
-vwQTB7/820qHsraiLVdrHpuuBCiaLo/uEy8hRwBeCzgKjo2HvrzrDtjVE8vEafYV
-7MRUtfyhwXAD5TZPhcTT0SvysISCt7NHrUEPyNN+ISs4Eeql+o93Zv7sOTQPfsIk
-ajzguDSu7E71hu4RBW185IbVj8CELi5GnCMMKlI38AosWKPXAoIBAQDjl5q7Yrz+
-nsC47scggwCStU+sXv5cKYi+gLOctj/oBLJKqnsK6o3JI2AyAIBLq/DxrZ7kvtbb
-IFrxaNQWPJKKyx+e2pcCwlgcQCIZ8spQ0cdqW0UcZmMEN/T2b16V3BoaSUnIqBlL
-yye+NsCDNNX9pTf6+8Si3WzbnWRvGO+yMJuzIbPy0I4JupKChNKdjhsZe3yGCcmJ
-dzNy2rJAX2Qtx4NNdunF2jSNqcN9ZYG8wX7cQ+JH+BXa2efqpXC7eZB0QtjVqwIm
-Awpi3FkcWlshgofo4AhcsLfBzkiZ9NyGlm+vZswNqOiTM4mLajlB0/EapEDEgru+
-P3/LIQ5+DrHTAoIBAQDrL4wjBS6H63nERIyinDml0H/EWrZwMSTdE9KyEZg0L726
-cuLe4XmY9P/kB4K0YQj8MvhejajuKMM+nQX8YRDneZWFq0bXVgDa48VZCu36Uxt5
-IXiebmNwNt8Fbp2NbDML2xA67N3Zh3t6McXnzomGzBxEPUbiMiFZ+t3GWlp5+R54
-oyq2UpclmcKv7CVcsu8r7n35v+FZcrHB3jNPsnTMuvRVcv1C5yhedH78YFCVT/84
-2OxheU+gqgdJpeGRrVN03ZdqAnB8pMftTY9IRZ/O0/D/SGIr+0o+G3yui1JQvHzH
-vZpwr0BXi3C6yTQzfEReXVCKxDWIZ2GHjh1SIFRfAoIBAD0mufuJXzCm5S+LcNOK
-f3fr4Zl1+LA4tLZDDH+Z9HfZ8zHetqrLNQeLSsiEm/Q5Icc+GEhsAnzkJ6tfuES1
-R8alJzzejN6/6z7D+KWyN6wZgZRRK7Oiyw4SHu6sI+TuO9E+SeXxTMKxtl8EhRt7
-8ddyMiVsynvcNOiZVKgJMjZVmzA5aQlgAhoZGE6bc5/D1AI3zNCTBqS584fzvRtQ
-xjEKv3vr7IotxBsgNxeVU5OtBfIXB1DBFtYz4H2KsEyfMDIc1/gpN62Q+ZRwkjzt
-BjltwijPMU/+Z5FaZOWBBlPfTej6HO+6p6sNmPJtuy61zL2UzpY+bkWC+EpS+nri
-ZeMCggEBAJRin7+udPZRw43qycfjPSIQs35QmbT922ti4l/7ywOC5RTcmb4/tB4Y
-qMliOl09FPuvBbxoZxIMX4sUVHGsmic6UAy2JxLGTok0inmtOKgwXl7eB2m+5+8C
-j8VbfUNs5mnkD7f60Huo/vLFsdV29j8wNmbEN+fMQUXNa6n//PoNqs+cYLU+2Ysx
-G78x6sdjDKvjyRmz+m43dE5aS5EddDWXSwYRhcKkXI6zqg4jHtqqPHNNsXPzTQKg
-ubXoF0YU1IIV1+HrdlxqfnbHqApB9qF8pA+ovDLMWW4Vzi8MIuebR0N78KRyaF2s
-CB/IgCJRaFy9Ch2Nz4ODay/Vbyj//Js=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test-enveloped-aes-128 b/lib/hx509/data/test-enveloped-aes-128
index a4e0c0db8b2d..a75409b969c8 100644
--- a/lib/hx509/data/test-enveloped-aes-128
+++ b/lib/hx509/data/test-enveloped-aes-128
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-aes-256 b/lib/hx509/data/test-enveloped-aes-256
index f94371304eea..4fda391ab5bc 100644
--- a/lib/hx509/data/test-enveloped-aes-256
+++ b/lib/hx509/data/test-enveloped-aes-256
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-des b/lib/hx509/data/test-enveloped-des
index a2df2df10b7c..944da00e5d79 100644
--- a/lib/hx509/data/test-enveloped-des
+++ b/lib/hx509/data/test-enveloped-des
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-des-ede3 b/lib/hx509/data/test-enveloped-des-ede3
index d0e451e189ab..c27dfbc08319 100644
--- a/lib/hx509/data/test-enveloped-des-ede3
+++ b/lib/hx509/data/test-enveloped-des-ede3
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-rc2-128 b/lib/hx509/data/test-enveloped-rc2-128
index ddc2a27c6609..72f81584680b 100644
--- a/lib/hx509/data/test-enveloped-rc2-128
+++ b/lib/hx509/data/test-enveloped-rc2-128
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-rc2-40 b/lib/hx509/data/test-enveloped-rc2-40
index 13c57648bb46..0e5eb02c7a4f 100644
--- a/lib/hx509/data/test-enveloped-rc2-40
+++ b/lib/hx509/data/test-enveloped-rc2-40
Binary files differ
diff --git a/lib/hx509/data/test-enveloped-rc2-64 b/lib/hx509/data/test-enveloped-rc2-64
index 02fa0f3ecfaf..9ce6694018e4 100644
--- a/lib/hx509/data/test-enveloped-rc2-64
+++ b/lib/hx509/data/test-enveloped-rc2-64
Binary files differ
diff --git a/lib/hx509/data/test-ke-only.crt b/lib/hx509/data/test-ke-only.crt
index 27e759950536..a6cc06a2663c 100644
--- a/lib/hx509/data/test-ke-only.crt
+++ b/lib/hx509/data/test-ke-only.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:13 2019 GMT
- Not After : Jan 16 15:05:13 2038 GMT
+ Not Before: Mar 22 22:25:04 2019 GMT
+ Not After : Nov 21 22:25:04 2518 GMT
Subject: C=SE, CN=Test cert KeyEncipherment
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:cc:e5:88:ad:77:9f:da:7d:88:28:88:b6:0f:e6:
- f6:2b:a1:55:da:7e:4e:75:8b:46:8c:e6:9c:f6:c4:
- 06:ea:68:0e:85:7d:c4:d6:bb:a9:c5:82:3a:88:9e:
- d1:e5:71:f9:2b:2e:48:62:f7:ac:7a:de:cc:f4:ae:
- 07:da:86:2f:07:21:be:ec:f5:de:3b:0c:d0:66:88:
- a7:75:0a:ee:17:c6:9e:b3:2f:9b:b0:88:3a:ad:de:
- b3:bd:36:2d:20:30:9e:36:f0:3b:9d:e2:5f:4a:d4:
- 1c:42:49:29:5b:70:35:02:40:79:82:a7:9d:ee:a7:
- 05:85:d0:75:46:c2:77:4c:b9:20:6f:93:4a:85:8f:
- fa:44:08:6a:ef:26:7f:af:20:e7:b3:a2:18:4d:78:
- dc:e6:5e:c1:06:aa:54:a3:6c:07:a0:6b:92:14:f0:
- 52:62:cf:d1:c4:08:81:4e:73:3b:27:19:34:a0:32:
- 0d:66:70:05:ca:3e:13:18:85:18:d6:9c:30:b9:66:
- 93:af:df:ff:71:07:ab:77:ab:00:32:d5:c4:64:7f:
- af:06:e6:aa:7d:90:e3:7b:82:46:1b:d8:42:f5:7a:
- 15:5f:b3:ca:b2:4d:e6:8d:65:29:ff:aa:88:73:15:
- 85:21:69:23:a6:24:48:95:8e:a4:e5:2e:a0:c9:e2:
- 75:bf:79:85:1d:b9:2a:e8:da:b2:fa:15:f9:c2:1b:
- b3:69:3b:01:9c:54:4b:2b:19:ef:b8:f7:60:d9:78:
- 8b:a8:b8:84:e4:0a:73:21:22:de:d8:27:9b:a7:7d:
- 61:dc:da:55:8f:c0:36:4e:e4:99:8b:1b:44:03:d2:
- 51:24:37:d5:2e:a2:32:7c:65:20:0a:4a:9b:9f:8f:
- ea:16:7b:ac:fe:cf:57:a3:dc:75:98:4d:35:84:cf:
- 20:63:39:d4:13:34:7e:f7:10:e5:ec:31:d9:5d:1d:
- bd:e3:d9:c1:b7:ef:ce:39:d0:89:0e:b8:84:f5:9e:
- 5b:1e:da:48:1a:32:d3:0d:95:92:02:e2:bb:19:6f:
- 09:f6:6e:38:38:3c:56:1a:0c:38:81:d9:a0:d2:ac:
- 99:18:43:33:e9:0c:1c:cb:f1:80:1c:7d:9e:e3:07:
- 41:24:51:82:a5:04:00:fb:77:dd:9e:7d:7e:04:32:
- 40:d6:da:76:1a:88:77:37:64:34:44:e9:b6:c5:45:
- 50:54:28:bd:dc:aa:a8:53:f3:4c:26:77:89:56:be:
- d6:89:82:83:d6:0e:27:0a:8b:ab:7b:aa:51:d8:4d:
- e4:d5:4f:b1:27:0d:cf:80:ba:e1:ab:51:f2:47:45:
- 30:34:e2:55:a8:55:cd:03:c8:f7:12:0c:78:ac:05:
- 2c:99:47
+ 00:bf:5f:55:ca:c5:c6:c5:00:a6:40:17:fc:1f:a2:
+ c7:e7:41:1b:29:37:6e:ba:7c:01:19:f3:4a:d7:c4:
+ 9a:83:17:4d:40:cd:30:d1:9f:fd:94:49:41:5c:7a:
+ 2d:32:83:81:29:15:e3:b2:1f:06:1b:f5:f3:7f:91:
+ cf:dc:82:b1:4e:d5:a9:48:da:63:49:b8:b8:41:0d:
+ cf:eb:76:df:1a:33:5a:7b:2f:ed:13:5d:ce:77:85:
+ bc:1f:52:b4:ff:96:20:48:09:19:d7:0d:55:ed:a8:
+ 9f:de:bd:26:2a:cf:2c:f4:48:d3:eb:94:f1:b4:ca:
+ 5b:6d:1b:21:82:46:98:23:84:d7:be:08:90:54:f4:
+ 46:ef:59:6e:8b:8c:7f:65:90:5a:c3:fb:c4:1d:97:
+ 9e:1a:be:82:96:d7:86:5b:d7:1a:0e:04:1f:30:71:
+ 99:70:40:28:6c:b2:16:3c:19:f1:f3:9f:54:22:9c:
+ e0:e5:2b:c9:30:a1:01:cf:7e:1f:a2:40:d7:d3:ad:
+ 23:6d:fe:55:dc:ad:87:88:ee:e8:9b:81:e8:72:8d:
+ 2a:25:58:ff:81:18:f0:24:9a:13:31:f9:30:7c:ed:
+ f1:d5:4b:13:ce:bf:83:48:47:9c:44:99:0d:52:e7:
+ 52:4f:02:91:10:fe:77:39:f3:fc:ce:04:bf:57:4e:
+ 3b:17:a3:c2:94:85:10:d6:76:a2:c0:04:45:d1:ff:
+ 96:a7:c0:a8:39:bb:7a:4c:f4:96:4c:5f:2d:63:85:
+ 52:6e:74:5d:70:7a:de:35:7c:92:9f:ed:e6:85:c8:
+ f0:1d:b7:be:29:54:78:5e:7c:4a:a2:b8:85:ee:b7:
+ 20:2d:0c:78:a6:32:be:c0:a2:89:4f:f4:c8:e0:3c:
+ 3a:4c:b3:68:a1:a7:eb:b5:c7:21:74:b9:3d:0e:07:
+ 3f:ce:35:29:b5:33:1f:ac:d8:36:dd:d1:54:3d:47:
+ c9:29:c6:26:23:e8:51:8d:25:9a:8c:96:84:74:e9:
+ f0:10:d8:96:f5:ad:22:31:8f:e9:6a:a5:9b:3b:00:
+ 93:5e:80:22:f1:3a:e5:2d:10:7b:c6:a8:b9:6b:8f:
+ ab:33:64:99:fe:aa:77:7a:0f:96:f9:3f:fe:15:6d:
+ 8e:4a:95:a7:35:9b:f4:20:cb:a2:a1:d9:f6:62:6b:
+ a7:4e:b4:22:3d:22:73:f4:7e:0d:af:62:41:7a:d2:
+ 15:ab:b9:a2:25:a8:87:e0:b5:1b:be:c0:16:d1:e4:
+ 40:5b:56:a7:ab:39:d1:85:02:f5:4f:95:3f:37:dc:
+ 97:e4:89:c8:20:ab:11:9f:d8:f1:77:d6:b0:60:4f:
+ ab:f9:88:37:ef:9f:bc:2a:f3:22:3d:2e:21:82:63:
+ c6:21:73
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
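Review bot: The regenerated certificate's `Not After` moves from Jan 16 2038 to Nov 21 2518, which no longer fits a 32-bit signed `time_t` (the old 2038 bound looks deliberately chosen for that) and must be encoded as GeneralizedTime rather than UTCTime, so hx509's validity check on 32-bit-`time_t` targets may overflow or reject these fixtures; either keep the 2038 bound or make sure the test harness is known to handle post-2049 dates. The new `Not Before` (Mar 22 2019) is also earlier than the one it replaces (May 23 2019), which suggests these fixtures are being rolled back to an older generation rather than refreshed — worth confirming that is the intended direction. The certificate is still signed with `sha1WithRSAEncryption`; since the fixtures are being regenerated anyway, consider `sha256WithRSAEncryption` unless SHA-1 acceptance is itself the property under test (a separate `test-signed-sha-1` fixture appears to exist for that), and record that decision wherever these fixtures are generated.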
@@ -54,64 +54,64 @@ Certificate:
X509v3 Key Usage:
Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- A1:E1:E0:08:58:84:EB:A7:1E:0E:7C:44:D0:E7:CA:B2:BC:93:8F:2B
+ FF:78:58:BD:A5:C2:4D:D1:07:04:05:DD:15:6A:A2:2C:92:EB:54:04
Signature Algorithm: sha1WithRSAEncryption
- 62:5e:48:de:71:64:4f:fd:94:97:49:a0:1d:a0:50:f1:6f:56:
- d6:90:79:51:a0:8c:04:c5:d3:ec:d2:e0:d6:4d:0e:ab:19:55:
- 0c:9e:e2:5d:e8:5b:8c:cd:14:c3:b6:28:ff:21:f7:21:37:9f:
- 0b:6e:cd:52:22:eb:61:23:4a:28:ce:80:c7:68:41:a7:4b:9a:
- 4f:9d:b2:8f:04:6d:6f:57:f1:91:e9:a4:d7:26:f9:78:c9:c2:
- 6d:e0:d7:25:9c:12:91:73:eb:2b:1e:e7:32:3f:46:1e:58:56:
- a1:fc:b9:9a:dc:85:8f:1e:51:a8:a8:d8:5b:cb:18:75:ea:1b:
- 9c:75:66:50:a1:9a:95:0f:50:8b:54:1a:7b:5f:4e:5a:c3:31:
- 1a:c4:11:81:31:d2:35:4a:d0:be:13:70:63:9f:b5:0d:6c:ce:
- 08:e9:fa:5e:41:28:92:74:f9:26:37:26:18:ca:44:b6:d7:ca:
- 1b:63:22:c1:71:86:4f:fc:e8:ef:fd:e8:ef:b6:f1:2d:a1:7a:
- e4:b5:12:f5:8e:60:fe:bc:de:8f:a9:c2:4a:29:60:f4:1b:26:
- 7a:0f:cd:34:94:a4:d2:56:21:b0:33:a9:4d:7f:fc:6c:d8:71:
- 17:8a:1b:d6:e5:78:98:76:f0:8d:d1:0e:85:bc:69:36:ec:99:
- d6:56:13:22:35:9a:dc:43:b4:f2:d7:6f:25:6d:7c:6e:70:54:
- 53:c4:fb:4f:33:c0:20:f9:fd:4e:51:b1:e9:fa:65:05:cc:09:
- d6:47:4e:3a:a0:8c:bc:e9:fe:1b:07:b7:06:3c:62:05:17:a5:
- 9e:46:79:04:9c:20:41:77:f9:50:e8:f3:86:0f:72:63:c9:6e:
- 74:1b:1e:dd:ef:e4:b7:a0:e6:83:3d:d7:38:a0:8a:80:c9:3d:
- 1b:ca:7b:96:ce:ac:37:a8:b9:51:30:98:d5:60:b5:26:c8:53:
- a1:7a:ab:18:2c:36:22:83:9f:95:19:8a:78:2d:17:e4:aa:d5:
- 37:e9:1e:fe:2a:ae:34:64:d4:9d:a7:0a:a9:a8:1b:c3:29:38:
- 89:e7:57:4f:8b:f6:3b:74:4c:39:82:ce:36:2e:24:ab:90:fb:
- dd:da:ec:eb:81:3a:66:0c:01:d6:03:8c:00:39:b0:83:96:51:
- 7f:27:0e:e5:8c:d4:ba:c7:6b:f4:13:b9:ba:5a:02:71:44:62:
- 21:33:51:6d:93:6b:04:6b:dd:e1:64:f5:3f:ca:98:39:b1:91:
- 94:68:3d:1f:ea:91:b8:db:98:c3:a5:82:aa:24:b2:32:e3:f6:
- 8e:7e:8f:e3:eb:0c:57:1f:27:70:10:d0:97:db:7a:8f:46:d9:
- 8f:db:ff:5f:2d:ff:a2:fd
+ 0d:b6:af:48:3b:0f:01:49:0b:12:d7:bc:9f:35:09:2a:42:e4:
+ d2:86:d2:c5:53:65:1b:a4:d5:52:87:28:dc:01:70:97:f3:0b:
+ 87:35:67:bb:b7:dd:f9:80:09:d3:84:33:11:2a:fe:0b:85:75:
+ 4b:d1:84:0c:46:35:d3:69:b8:fe:fc:a3:5a:c7:10:8c:2b:36:
+ c8:f0:ab:e7:f8:98:6c:b5:ec:1e:26:69:31:9b:07:29:03:ee:
+ 21:34:5c:52:1a:58:4a:c5:10:43:6b:8e:fc:9d:94:12:67:d0:
+ 12:40:55:14:f0:8f:d5:a7:a9:c7:d4:65:99:53:0d:3f:9a:23:
+ ab:13:ed:25:eb:33:56:b8:b3:ed:f5:6d:6b:a4:26:6c:80:6d:
+ 4c:27:8e:e5:5f:4d:e8:83:0b:c8:ca:17:6c:de:b9:af:ff:2f:
+ cb:9c:25:24:5f:09:e4:d9:62:a8:6e:de:da:c9:9e:1f:be:bf:
+ 19:1a:df:01:e2:dc:8c:ef:64:40:8e:b3:2a:0d:29:a9:7f:e7:
+ fa:bb:4b:76:41:c4:82:e7:07:d0:21:d5:1a:88:64:27:58:1a:
+ 8f:9e:48:e8:cb:40:d2:f0:ff:68:06:10:1b:5a:c3:1b:9f:48:
+ 52:b6:a0:8a:4c:0e:be:f3:e4:ed:a1:7a:9c:52:91:38:15:fc:
+ 92:ff:82:55:10:bd:d7:a2:1c:bb:e4:8c:56:d5:f6:c7:77:12:
+ 2f:cb:61:c6:75:a2:71:9c:4e:96:b3:0f:b6:d7:85:cb:52:0f:
+ 96:87:4a:05:15:ba:f7:31:b0:76:54:07:b8:59:38:5e:7a:03:
+ a4:87:60:e9:12:4d:aa:3a:98:d6:b9:46:a1:73:40:87:27:cf:
+ aa:87:66:e8:32:37:74:0c:93:ff:a9:ef:52:3b:a2:36:1e:16:
+ 1c:07:45:e9:65:9f:9e:de:ff:7b:b1:c4:a8:7e:59:25:79:1f:
+ da:7f:35:85:36:ea:cf:79:ff:71:96:77:28:3a:e6:af:68:f5:
+ 4c:c3:1a:20:7b:09:8d:66:15:b0:92:0a:4b:39:e4:f1:06:9e:
+ 9e:4e:f1:ca:bf:81:77:e7:00:82:79:26:0f:d1:f9:a2:4d:9a:
+ c8:7a:da:f6:d0:1e:65:04:02:2b:14:0b:84:45:eb:5d:6c:68:
+ 04:d7:a6:98:85:8c:fb:7e:de:42:63:68:5d:cd:a1:3d:4b:85:
+ 5e:e5:c3:38:a6:79:f4:02:5c:d0:ea:53:c6:91:84:08:b2:eb:
+ 2f:02:bb:5d:3b:bc:f2:e7:8d:67:44:70:0f:96:63:25:25:1a:
+ 38:1a:cc:a6:72:2d:41:23:8c:cc:95:12:4b:4f:64:91:21:79:
+ 96:46:70:8d:68:dc:dc:d5
-----BEGIN CERTIFICATE-----
-MIIFDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxM1oXDTM4
-MDExNjE1MDUxM1owMTELMAkGA1UEBhMCU0UxIjAgBgNVBAMMGVRlc3QgY2VydCBL
-ZXlFbmNpcGhlcm1lbnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM
-5Yitd5/afYgoiLYP5vYroVXafk51i0aM5pz2xAbqaA6FfcTWu6nFgjqIntHlcfkr
-Lkhi96x63sz0rgfahi8HIb7s9d47DNBmiKd1Cu4Xxp6zL5uwiDqt3rO9Ni0gMJ42
-8Dud4l9K1BxCSSlbcDUCQHmCp53upwWF0HVGwndMuSBvk0qFj/pECGrvJn+vIOez
-ohhNeNzmXsEGqlSjbAega5IU8FJiz9HECIFOczsnGTSgMg1mcAXKPhMYhRjWnDC5
-ZpOv3/9xB6t3qwAy1cRkf68G5qp9kON7gkYb2EL1ehVfs8qyTeaNZSn/qohzFYUh
-aSOmJEiVjqTlLqDJ4nW/eYUduSro2rL6FfnCG7NpOwGcVEsrGe+492DZeIuouITk
-CnMhIt7YJ5unfWHc2lWPwDZO5JmLG0QD0lEkN9UuojJ8ZSAKSpufj+oWe6z+z1ej
-3HWYTTWEzyBjOdQTNH73EOXsMdldHb3j2cG378450IkOuIT1nlse2kgaMtMNlZIC
-4rsZbwn2bjg4PFYaDDiB2aDSrJkYQzPpDBzL8YAcfZ7jB0EkUYKlBAD7d92efX4E
-MkDW2nYaiHc3ZDRE6bbFRVBUKL3cqqhT80wmd4lWvtaJgoPWDicKi6t7qlHYTeTV
-T7EnDc+AuuGrUfJHRTA04lWoVc0DyPcSDHisBSyZRwIDAQABozkwNzAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIFYDAdBgNVHQ4EFgQUoeHgCFiE66ceDnxE0OfKsryTjysw
-DQYJKoZIhvcNAQEFBQADggIBAGJeSN5xZE/9lJdJoB2gUPFvVtaQeVGgjATF0+zS
-4NZNDqsZVQye4l3oW4zNFMO2KP8h9yE3nwtuzVIi62EjSijOgMdoQadLmk+dso8E
-bW9X8ZHppNcm+XjJwm3g1yWcEpFz6yse5zI/Rh5YVqH8uZrchY8eUaio2FvLGHXq
-G5x1ZlChmpUPUItUGntfTlrDMRrEEYEx0jVK0L4TcGOftQ1szgjp+l5BKJJ0+SY3
-JhjKRLbXyhtjIsFxhk/86O/96O+28S2heuS1EvWOYP683o+pwkopYPQbJnoPzTSU
-pNJWIbAzqU1//GzYcReKG9bleJh28I3RDoW8aTbsmdZWEyI1mtxDtPLXbyVtfG5w
-VFPE+08zwCD5/U5Rsen6ZQXMCdZHTjqgjLzp/hsHtwY8YgUXpZ5GeQScIEF3+VDo
-84YPcmPJbnQbHt3v5Leg5oM91zigioDJPRvKe5bOrDeouVEwmNVgtSbIU6F6qxgs
-NiKDn5UZingtF+Sq1TfpHv4qrjRk1J2nCqmoG8MpOInnV0+L9jt0TDmCzjYuJKuQ
-+93a7OuBOmYMAdYDjAA5sIOWUX8nDuWM1LrHa/QTubpaAnFEYiEzUW2TawRr3eFk
-9T/KmDmxkZRoPR/qkbjbmMOlgqoksjLj9o5+j+PrDFcfJ3AQ0Jfbeo9G2Y/b/18t
-/6L9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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test-ke-only.key b/lib/hx509/data/test-ke-only.key
index d3617847d84a..1b463b95f1bb 100644
--- a/lib/hx509/data/test-ke-only.key
+++ b/lib/hx509/data/test-ke-only.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDM5Yitd5/afYgo
-iLYP5vYroVXafk51i0aM5pz2xAbqaA6FfcTWu6nFgjqIntHlcfkrLkhi96x63sz0
-rgfahi8HIb7s9d47DNBmiKd1Cu4Xxp6zL5uwiDqt3rO9Ni0gMJ428Dud4l9K1BxC
-SSlbcDUCQHmCp53upwWF0HVGwndMuSBvk0qFj/pECGrvJn+vIOezohhNeNzmXsEG
-qlSjbAega5IU8FJiz9HECIFOczsnGTSgMg1mcAXKPhMYhRjWnDC5ZpOv3/9xB6t3
-qwAy1cRkf68G5qp9kON7gkYb2EL1ehVfs8qyTeaNZSn/qohzFYUhaSOmJEiVjqTl
-LqDJ4nW/eYUduSro2rL6FfnCG7NpOwGcVEsrGe+492DZeIuouITkCnMhIt7YJ5un
-fWHc2lWPwDZO5JmLG0QD0lEkN9UuojJ8ZSAKSpufj+oWe6z+z1ej3HWYTTWEzyBj
-OdQTNH73EOXsMdldHb3j2cG378450IkOuIT1nlse2kgaMtMNlZIC4rsZbwn2bjg4
-PFYaDDiB2aDSrJkYQzPpDBzL8YAcfZ7jB0EkUYKlBAD7d92efX4EMkDW2nYaiHc3
-ZDRE6bbFRVBUKL3cqqhT80wmd4lWvtaJgoPWDicKi6t7qlHYTeTVT7EnDc+AuuGr
-UfJHRTA04lWoVc0DyPcSDHisBSyZRwIDAQABAoICAGWOQz9PcnDWFX2ZvTuGi282
-qRoBzpueK5q81wHMSW03pDLwEncoTs5xbNe4eGqUIh8P8przDY9dDRMdixD5vyd2
-x24lsz9ra4PWqcFuaHJqZNCFgVJvQz5Yipf22UkCL/kk+zeXMwogtdz47EHBDNUP
-5eoncDUQncEkgGxRCNaDT5td0ur+YNoFnhLo7xJ7abx0VD1Z8YtRXbUTCZ5ydhlC
-GAa+0ubdAKh8WrLqlGAdsyLPjCrAzW3fdJGLrrL4eYH7YKokiTSZy5glrpSDtbLm
-QndWLxzLiqT1/g/hEdcf6qYjtAzKZcKhaL6q5LS97t2Pgjbf9wYBzKM3iERoNVmO
-D8sWmSg9fiNRjzZY1b1ulE9PQhQOUB8MWUCBPBeimQtCJKqxC9HoH+WH2OkV+ikV
-cj3pwVqvK/fJtLZ5jC42ZEsLD5YpnDpxtcj3yrrJ0g5ikWhMU94EcOOsIgkpeqCT
-L/G8x/H5rgmdN15rI3qERdJRbkDzq8AEriaNo8lbr9xEWRggzs6vmg1x5scNfpFW
-hFRkGO5iGheScrR9rIwmFVSz+N1g9K4RhKXsgGmmj0pHSn+2NozxKPXsSzNSrgGZ
-YJc1c7Yv3S5Nqwkzzy+o4WICejJAjzGf5y2bUQ+CIA/SUtmyygADYCClLQ0hjpjc
-llslljxigyjVDNFTOV3ZAoIBAQDtcdnK3Iy32+cJ1yuL2t8lWSlu1Bbazmz7heH1
-FSYzPyqidwQKIKuuZEMfRb0dBZGxPszoiWZxn3Dc8oDbHGDp9TwDkfxT2S51fvOE
-PUdc6sAFUn79joTl5kak+rPDjNWiNpax4kQJU4/kUtibs1bHkZx1voYZ3J2ZeWDH
-td3OY+lHMOU6dUpXYoQEYLbc95gU+fCLZRLP/ZVSrvhZm2/Q8HUHohf6Wb9l2ufC
-cGwUkb3iUk+OyboEu3oQgUY5DBX8rQsvje+sbmk0my6vhCO8LuuqNfxUrijSJuzW
-aWSC0khPcOolJpNJLYVDYbuzqckev/GCzCLAj55z60WQA1gVAoIBAQDc6IyFJbn8
-gPWvXPa53e2Me4kdzb6VnYHSyvAeBXMLbxXJTPFmBTa+MV2jpA6JO4pmOyfjdtZw
-a9zEXIRG/RpFitxQCcsHVI5TnARyU/J0tkrdRy/ujHYh1lg3lk2EAPxmmkzRLpES
-VatfjzQLt+teBCNWi08aeQmzwlVcwId5frEkhnz60C2YXqUIPLAHz9peMWrElSbB
-TT9pHnT+gRE/WgqHiov9va7Zz3wFYo5p1GmBIIKTvlIoWHQYIh7ily9O7Oe4kDIQ
-3rFLEtwAeiBrICRsOs3bidcdtAV9H+OTl+H6sILZGuWZfHH9Bhiwhfv0Q6qsD2du
-Jukz/jLcMUbrAoIBADYvwTAWXNaojHUmcX2dGUeArX/pTr3oVd6gkwxHI0yWobgp
-yPY2tnc50keUtq+k0bbNSh3XHVXYuPzzKozWUReTK3r1GcxYx81wh0oqYdrGh8Ov
-K+PZXmLIxl5oCBYcUbSPGJzHshcexruoXF5L8wXgKQCF1jyYqC6aEIgC7PdovZfN
-hMJueeSvSslk+NY8eqxuzYJCMqTcjfMskuiAHGhmN47iYu5zBMbNyg4JceDP0bGQ
-by96wcTKs/SIS+pA49Oh+eeEUKndGI00zNapJS6Q1p8lasw4YoBy+aGEs7dXHcFj
-V0vbHcmZZcwWxasemBM4Ynki9NtU6ygxDNLssHECggEBALXkXN+9IpjAbotIFncQ
-PupvRYVexVBX8m9oXbG6dvGxM9UeH54LKPoNl7aH/NgOSHTIvJ1UWlkS1yJvsxLo
-kFs2bRUSGzQb8Vzyl86zRG3JM3djiBn5WcOew+BxR74rOagZ4KpUl2rrU0JJnWcQ
-tyIgciBucGGxy8VRfAv1Exd8s8sJWZsDEqflNinEHoUwJfNs6SaYUOLVAiNByr9L
-8rGhKA5Wi9IP/wqlBs9ASVbmaUDDTgDssqU5v82nOpsENRXdhya2xCKT2pOgIbna
-1Rqfyp27BYmAw7lXYzWVrkL2ykEqWXL97JMmnoziGi4vBDgqBzvJKzbNnzMKWUJo
-6KUCggEAWseXquzJlsbVLjowrIua9lwfFm+YUyqKMPmZ1TUblMEv9IrkbHGyXv49
-H9jSs85g8GAH/BwB1G9oDZjnP+Yj0Zjsd9ZImFz2+VRcVCSCBUj4Qv1HAxls/Aq/
-/QCUhj0o/TIcbO5V8ImUOlwKUyoNW7rXGEl4b152J+wakxiA1LYTs08usxsv0KtY
-qbqv0VicOBYXjnn3SSSoR7i11vm9CZPa7g3YEBuI0T3QaPvZHRueovgsdmL6OLH/
-hdFb/mA9f8aEsCVUbbDstRnlldZOtfHuqj3f4NbmxcaxX0D95kl7QqRibehFTOGG
-VNAP/Wqk5Tqv9O/YM7QH6VFyharThw==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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test-nopw.p12 b/lib/hx509/data/test-nopw.p12
index 9349b0fc7b6f..e94aa9aa370a 100644
--- a/lib/hx509/data/test-nopw.p12
+++ b/lib/hx509/data/test-nopw.p12
Binary files differ
diff --git a/lib/hx509/data/test-pw.key b/lib/hx509/data/test-pw.key
index 066e58170a74..495eef64247e 100644
--- a/lib/hx509/data/test-pw.key
+++ b/lib/hx509/data/test-pw.key
@@ -1,54 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,AE4D50F1D037E93C416E5EE0BA31DED7
+DEK-Info: AES-256-CBC,AE05E89E216F377B4B073A88DA8A284B
-RwILhdS+r3Tt/J+aXaydLB4AX3vuR/qXW4/Qi3LOgY5bIDEJvoc5m52gTtDgefc4
-H/Evvn9jLq72TkOipLgnnCga9uYbJgiE3/dTZXDwcnCzsorkNIECs2KyGVAR7ouT
-FDoRpx+2zC6Yt2kV3vkI+wgtkB/u+hfrZ0hiC/NjmH+3/6gSmceb6L34cAKcvLb/
-OeaI3beTSlTEQ22CtxNwmFTGSqiEdw9pFYOTjcGus4s39zGNDnFtp17jZAFQf/v/
-dm//a93yGS2ytkAsNuMNOwGTFe54ipwXOWNxenCWUWltvaHH8UbT9qcVnZ/RbKtY
-QzDl8nJGPzatM+R9xdWfjI5VU3DxfrgEzHtEUGlU1Cr17k8MubEzHQPimVYqfU9s
-9GjM3PXuLUw11tXzUS8udWhA9kHZ3VTNie+y7+XlCSibODw4BSAFokBp7uJLe7dF
-G5UH+unv7rsBtuOhqCKSnoRgztc5SsoarCt0cKadJRkLK4trgki1g6Vcq4QdqbyI
-8+qfG787fWISC6CGOQMXnpsQX3XfzpodXpEsaQDpjomAUOKcSmMdEvhf5qHlBnS1
-TNoA8qRb4e08BBez00jTAu/7M46MxgmKDFzavYsWfEqqvwPQVDAFyQkcuT3ZXwtl
-m5Ay7TBB7hh/yDH+BTXfg4l62ZlGWG0rVczhcNTLMWuWj/HErFmRD2ousUmqPJz+
-3B//V3ad0eVVfJv2bLmT4f4VTmcpvGjtFflMtrR/hGzDLaWnlswr69F8ZREdxX40
-7W0fePlUhYpT/OsA5wQylHcYx9GcA+LOS9vXK5JgaL7jH4FP/5z61VG64CBhTMYc
-aAQl4jVwKz9yvQpMCWNf2wIghNRw0p4Ih2ZEFBY1wzjL+n4uzmSNwLhX5yZ0Y9oO
-T6u38KvazXutWn6+jAOZaE/EaacOrj3m3ZCSPs6Gtre8k6lfpniY0EPGcf+x5MON
-oIGZXB43G9CQv6hLBG1Vr49CW3yFxtyX4UQlBcn+62A6CeLR9qoPdrWS3utT/sgF
-PrbhGXNbROIFd+zf/ZDCh7Gfm76+R/yJ32tZQXCAoTHitNf6UPlzQxamoFrWgJ7+
-S5+Xeh/DVvJq1P6mbo8n8Noyci+zrZIQXWMSKyirk3pnMZ9e/MtUnjG6S9fb7V7n
-eRuN3Z1k/jyKLAAPJVPe7myG5L+Cz6BS1rwT9h43Pi/pKW65Le5PU+h/9qCBOHNW
-fEegF2Bqu2/cJZovUAyekXwYQp7XQrSaxLG8EA57SGkC66tBhiyyScW271dDA5hy
-TU8nBMh39xj27uRh5AO9LrK4Q6Wn6l/b+KVMV+Kg3S7iMyuvfsHTL+vM8DlPtcb4
-e4yjGT5V4A4RsiDxs2+rDHQV24eWEgEamlzIMJsyVvFPVwKWPwSPgMd9S6uHMI7T
-Na8SGnO239JzHMav88cq1MVLUv2XH4mmqk7i/JNjl3nzQRwOlXtgICjHjlACJut1
-7vH4U8l1DmfVzrcfh2Vc9XahnTA5aWuQsPjrRv1hFTW3HVcpFwtxV1wTAwCN9dnQ
-cB9nTSe+RosfRypuwPRGOWaiWckUOAFVLJiIThuh2e5/SZkIuMgtID86rjDTAKB6
-0JP1DxMOXa0gv0SdrIwv5cQl2kG+uaXhListTm3pl/XAqpSmCyY53wRm2RWDJuNs
-m8myLHyjDCoYxWPqqhV9LYpU4VFYGgo3eZK/b9Tw4IcOpdosJxhpvGxu1a2ZmQxU
-bkx1hyzKj7ZmfGhvG/f7J+n5tuEloa1EbicAhLZDWi8lBMnKV3rAAADXXm4rhFUO
-ar8sBfJfRC0dGpgE5zoR0pU2Wx8dIFFqLlHvT0DkPIrTDYnxbbmT0CGNHzVgetn+
-N+4tGdP1v8+Vd+BipaQAXor6kd1pn+oywKttx6eZE1jHHnZzJpX6VrqwnIdxtlEJ
-3Pp4l04+bcu+/1WUKRvNXwPLjNzIZjaFJxdKUVjC/9JbB/Vx3nKi/VB+ymy/cCoM
-Zte4Owf0cxnYRXE6pBw4FkZJPitf6b67G21cbnzQPC3ZLpm0TOA6eO+Lsgb+WBo/
-3MGnIhFuT5PmIiSTLiajfKR1H6pP/Sf55P2B/qCX+aTdpvMrytnz1n9rbF8w9mYN
-QPb1UbJyZJDEOCtoYLH9hNTI5msHeBoQMCeTbDML7SqQRNHcFynXY4qqVF/avt36
-ZLrKv6PZuQTRsXr+1JbgJydHQVanqeK4XPwK84FE+guHZWo3ug6+eEgqMKYkzAKA
-GAN3Oinitkcpnt74ZH0XocmMwUGS7qj5UiNm73gIP6MEA1uYXqpb7FnJRALwb33r
-qYJ72qomcNt/iow4M3kkMDSSPlat/2OhtWtWijYKwk3c5yZmV6Bc+QX6MZS3MZXy
-vrk0L/bUV1m8YCCiuSiwuyQslEZUfY6klIJlTJ7NkHHT47vgwmJGYU1LamsuZfwe
-LzH1xeDCxtCUUGgvtngj+dgoNMr7CxB9MemJo/gFOa0XlZq0CezSfM457RgM536A
-b+62dmd12tARkRlvlNj3wck70r16Xz7tUmFWFdsro/ga9wvqnjwKVKUsA/xpZy7H
-nhtLvMnvnk0Zv+wvRWB3D16TC6kHQjnI3PjLGYa7fwMTErmBNDxMz+8JvFwMqrJd
-an4QBQocGTSO+HMsb3krHo9AdBBSsiRNYWNPda9an9qjARy7rbo9Fy5khWyZA89q
-+pGDtn5nPrNvbCz48aaGH9FBZlywweDQdCnWe4hNl3+z9NQxxf+pKRIu6AI58iqj
-IWezU+pwyJjPA3e6u5zZ7IiRfmRnuxeouH0c6YcKsgMNlsIM7D/vjo2YXpkbyQqV
-aEpAVzknHcypN1PIsfXU2Zo51jG66AD8y5zQ2nUlZnat7YciryxnpvFVef9Nf62N
-kYxzdJdAT6pfEXk2L7xORX3a97yN3mCzPp2i5jIkhOtVbVdvG7xgGcoPNGEIhMIo
-Al4YdPiMb/dJPmKAkJJptAYKpQAaEvhKtv4t8NZ0c3EEYVwJc8eJaz+cKCsLJEMX
-+7OMT8Tj6IMWIY1aWetQix3A/iQjBSUfM7AmqvYRv8Y/F14EM5eC4RLFK5o4RWWf
-Ck9XeE5fG0q1pSpbnrjeopakwy008unT+CILpjWLBnIXJ6kI8fTASeFrLtWurNkv
+4DWOJFa1qSC1Mcf/mGI09WyyEbxgbSKmRzZaPaFH7obN2o/D9zMQ6BqjnUVR6Rm7
+UXcXPpzObks/EJVyIPc/vfiGLkq/wWEiqVKWZebV4r0OhCetKdyXipiiSGLUzta8
+olQXfEthbeE9+NPB0hspGzt4owyoPuhvrgO5m+7h++iQj2ljbbUG3WLJf9Frd7eN
+GMXKJwtBUVgGPxjs89etY9JMXig9bgUDPwVhE/3VPiG+LlHeZDD5C2+gUi09d2sv
+gCN53XD1x7bFWKBzEPmGjFXMraZAd85Ew20re1RJP/R2+KJV+z72Af2DNUl3HL4f
+KgeyXkjy8xgKILnkN17hraHCwR4d/onFwjEhHyNeCHgqYSGqD5Tp80eUwHOIC8od
+Iwnw1Pe5ZrO9i1w3bdIMhOcP5jyMEAt/l3+Yc4bG34zNgRDam5V2PMYiY//OQ/Ge
+pn+Ug4WBNkab7eSOt7Dz+TskKtVy4/twBp1o6WndRwbvu3fTPkVxrOuPH1YYMmUn
+xQL/C3aMZXcjytiSHzQ09dQrOXYeT+RYcTrpXvY1RiVFawkPlBn5pSvzNG2mvXhG
+ed3iDDfBdLvqjdEeoANYOafuuuvaUBRq1ouq4sPA5zLCWmDCsH/J72RZ1ECyc2rT
+BR4Kld47cbw3+oLZmyrIfChOG/ah6IyDbF1qFiV6plmLca8JrmnCxBPbBxP4PG1f
+uT6a4ABkXbhGW3iBEzSEAjLIQssMeyHHJ6/87/+ZmvQBy02N5kwRmXRhePy1JnTF
+4LPOA/yWDqvNniOfozKvS9g3RZX5ZLKY2NQ9Xz4mPfwv3BdRbNr+8Jyf2jYJGpgQ
+pVkLdKJErW9XogbpWDbCeI5q/aA/tbwfjbM4rvH7nXhC44jzg4sHEYPmuFBpvDF0
+gNgU0mglkAFitoCh5yY688ZhbquRZF8lI2/ZwXWjmpUafkTRfrrUJSLLm3izUvtS
+R/2OBscqTiWWp7pkaivUX9/nEB7cEoXVYyE/PdbRAf3lSylgHFLfshzKkii2N1pO
+jnJ9ZUlduolaHxMMPcu5CJSEQHOavI5gLULld37iNjJwIHfh8hgaP39bcXZeVsMT
+EdePCUX2i6moBcmwuOtz2o0jGjGOmoxLv7yFAiRSCxDI04tOa0ulikf5tt/EBKKF
+p7h5/DVWN1KkbGu9Ys5xi2GBIAnyK4T7UTdWkvE4xZw6pVL0WUX/qdj42MDu4ocR
+ZP8mQqfmoiprzdO+y7J6lo4ZnRV7EK82Q2SFsoyG+Ev3vLGA6Xdr4e7cd9WFuim6
+V7eErJFpt1cHx04nJxuy43nruohDH+wOX6KZnxNQAQHoM7O5JoLGkdN/s+MNirmH
+IWUjKlm71lWTllD3UXt+sg0E9+aPbjNA8blc8zZ2VUj+3GoLt0kUTjED81TVT+Qz
+uXlGTVWUXnBYBSNN2Gbfv3/cZSHr2eraM4TiKQJ07LvgP1+VioDPG9ZyVjMVbWVT
+2Yl7xzF97O5MLIVS0HDIxIEV7MgpCF98SRXGsr4MLgG14u/FByyH6vXHNPIlDd0z
++AXnXWXEJpn73Oh6f1ht/3mXiYSNmXrr7W8kRabZmrrCajQ5Hi8eC4qV/2Z49bWu
+ryFbhI8/1+CYrkYzgFkrjptgrUHSZL0VLFINeP9uF1WNkGp3kMzW/ZZK7aksqmEM
+v5JE2HoD7+Dn7mNsHL9NfvhbH2kfwHKwrMPa9C3u5OrSX2KyyMS4UJGQ1QX+/6c4
+oYuLhslEwh+Iw1jwVentWTApNw7ONgrsxac59dOiaF/UQUBfWSDmwwlnvoAqJEVp
+l4CfetCTgZApsxKUQZWC2ls4cZDcMa3BGdyORV/5vXrxAxYQyIIkACkT3Zsxnu9V
+cjkOj/G07To8wgncc+u++yOErQ0m5OrdR0T+cJTgiyeWVgXMahiWZ5qt+GMbCzaJ
+xeKb/V6Es9ZPj2Qzqi7Sj1LRtKahh8E3XH5WVMdNKZVWZwXkd3sButezHEzB80p2
+2lhuajOolcwTfgQEtF/F/HuaokjB9r6lN0RmjUq5eIIMQ1KMRrzFsdQNDgCxGdAv
+GxjrvxOm5xM/QQ7QlXzNTxkwP4QbBDdn/nMWjAlVtQxurqtz6kxp4p03nkpToydM
+P2EeP243RpxRquadw9TqiL5IEqXdjpBon1RlKk+ZNVm4rYJWZ0UXk/CRvMeWKUeb
+Ib/0xCe2ZugyZbYQziZzrMl9WX6LKHhJP8bWA7t4Bb05bvDju0casma6gslQ/JdB
+1Ok59w59TpJYtSSEU3llMbCS4ll130/OlbKZa2Hy7LKgXkRsjVeYTBzvXC34/PKl
+v1E0PY8P6Vz60j1bxHlrEaCb+j4yxZF54cqgmvoWiKdwXSvEDw3Wb64wATFzPQKj
+T87vtU4FEVokRxgumF8BKHldKc7RPwmMuISSwG5+G7zOeOpuz7ETF4EyzX/D+a2W
+mOqX6WxS08BjzShzkdLEQtJU0TbtTPaYMQ8tVxiosypVQ+UlWh5qRtzQBodmCNYD
+3dwmrn/1IJ4LhUq0RFIczjzEP8QfkkwaNUUNp7T7DCFCn6ktkU/IBqzQf9CygfRp
+8vCdp0jMNn1JDpAW8SRvvqMlly6QeN9ndQO1Ql22k5Ihlw4yCw2/44XhEmlGsB3x
+jKEkSej5ipuQ2xX3DjFfsSKgceF0zOCGeTbw4Kt0CuwGLh6ZQLUHQktD2/BysJZu
+XH+y4NtD4Sr06DIgF43ECuTxWdptGiaDgk7neW2/1f7eLDOj8IooCHkt0a1DDzFF
+Xt5trABWgb2Qa9sjWJ89eUMc6gC48vyiLeXeaZQ5YuWcCdDcjZHY7KAvLY+r2OKN
+49O/X2WY6WmVoByoyi4S2MOER4VUbbyZEcvAqTOBcj6e4JJprtHsl4ppiDYVXVot
+U8GSYqxgNN7jyNthIti5sr/kczM3Q9peCLZN92j2CKU2wQb1qilEMkCSWpGUfyzD
+9M40fssEtIMAnwVfi8XjAezHFzdlKID0AR/b+aKndeR+4xEMdzEWkNsH452e0tRz
+vgebV+wM5Zva0+/+tG57iPQLwEpjv2septoQuuh3ACdgFkmPgcHspcu495+Wdi3g
+2Ipxrx/e1o4ragEEQXaaSSGBSCTz8qeWcvKtRm0d8fMtnERc5yzLYHRzhEm/8oc3
-----END RSA PRIVATE KEY-----
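Review bot: The regenerated password-protected key keeps the legacy OpenSSL "traditional" PEM encryption (`Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC,<iv>` at the top of the hunk), whose key derivation is the single-iteration MD5 EVP_BytesToKey scheme rather than a PBKDF2/PBES2 PKCS#8 wrapper. That is acceptable if this fixture exists specifically to exercise parsing of the legacy format, but nothing in the file records that intent; I would note it in the description of the test that loads `test-pw.key` and confirm a PKCS#8 PBES2 fixture also exists so modern encrypted keys are covered. Only the IV in `DEK-Info` changed, so the passphrase the test supplies presumably stays the same — confirm the test still decrypts the new blob rather than silently skipping.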
diff --git a/lib/hx509/data/test-signed-data b/lib/hx509/data/test-signed-data
index edba3857b3df..1228c8547d52 100644
--- a/lib/hx509/data/test-signed-data
+++ b/lib/hx509/data/test-signed-data
Binary files differ
diff --git a/lib/hx509/data/test-signed-data-noattr b/lib/hx509/data/test-signed-data-noattr
index 5d768f88b2a7..f2307794f91d 100644
--- a/lib/hx509/data/test-signed-data-noattr
+++ b/lib/hx509/data/test-signed-data-noattr
Binary files differ
diff --git a/lib/hx509/data/test-signed-data-noattr-nocerts b/lib/hx509/data/test-signed-data-noattr-nocerts
index 5f20eeec2cbe..49fba9bb3c5d 100644
--- a/lib/hx509/data/test-signed-data-noattr-nocerts
+++ b/lib/hx509/data/test-signed-data-noattr-nocerts
Binary files differ
diff --git a/lib/hx509/data/test-signed-sha-1 b/lib/hx509/data/test-signed-sha-1
index 3580544a0aa9..8ad1121bac62 100644
--- a/lib/hx509/data/test-signed-sha-1
+++ b/lib/hx509/data/test-signed-sha-1
Binary files differ
diff --git a/lib/hx509/data/test-signed-sha-256 b/lib/hx509/data/test-signed-sha-256
index edba3857b3df..1228c8547d52 100644
--- a/lib/hx509/data/test-signed-sha-256
+++ b/lib/hx509/data/test-signed-sha-256
Binary files differ
diff --git a/lib/hx509/data/test-signed-sha-512 b/lib/hx509/data/test-signed-sha-512
index 0816fab839c1..1e40abed4598 100644
--- a/lib/hx509/data/test-signed-sha-512
+++ b/lib/hx509/data/test-signed-sha-512
Binary files differ
diff --git a/lib/hx509/data/test.combined.crt b/lib/hx509/data/test.combined.crt
index 2adab3347413..a07dbf127567 100644
--- a/lib/hx509/data/test.combined.crt
+++ b/lib/hx509/data/test.combined.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:12 2019 GMT
- Not After : Jan 16 15:05:12 2038 GMT
+ Not Before: Mar 22 22:25:02 2019 GMT
+ Not After : Nov 21 22:25:02 2518 GMT
Subject: C=SE, CN=Test cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:a9:c9:ce:f8:b7:77:99:3c:72:54:8c:cf:0a:63:
- 9d:f2:df:0d:07:6f:22:54:17:71:ff:76:a6:d1:9e:
- 33:f5:05:3f:ac:32:be:58:e5:7c:a7:d3:29:dd:3d:
- 38:62:64:8d:82:d2:aa:f5:05:36:f3:bc:ad:7f:4e:
- b9:c5:56:89:ea:c2:d7:b1:96:69:fd:f7:4e:35:56:
- 59:7c:03:91:79:60:f4:a1:a8:78:a0:1a:04:2e:0a:
- 98:b7:cc:be:f3:ea:28:6a:d7:5e:80:8d:74:c7:f4:
- d8:96:48:44:94:1b:ce:4f:9a:65:8d:54:c6:c4:69:
- b3:be:fb:e4:91:79:5e:c5:ba:f9:df:03:de:14:e2:
- 68:1a:6a:e9:51:83:01:0f:e6:09:0f:c9:a1:78:b4:
- 75:45:18:f0:43:7c:11:37:b2:91:cd:50:6e:71:42:
- 69:c0:36:da:e1:bc:24:fa:bd:8f:c5:ce:ca:d4:af:
- b3:f1:d7:20:c1:ac:4d:31:42:c5:cd:6e:6c:41:0c:
- 8e:8d:08:8f:2c:b0:76:02:18:d7:0d:0f:fe:ca:67:
- 3f:b6:fe:1b:36:a7:ca:33:bd:01:36:7e:97:f6:e3:
- 55:9c:4b:a5:fa:48:58:a7:07:ca:c8:71:2c:e9:05:
- 7e:3a:40:4a:aa:b7:34:13:e1:b0:5a:eb:58:50:0e:
- 99:31:bd:6f:e9:fb:bd:4b:f8:05:70:5e:01:41:36:
- cf:cd:7f:6e:d1:e6:de:e7:23:a9:86:49:61:26:fc:
- a9:58:a3:45:37:b2:47:fa:ee:cd:74:e1:a1:28:cc:
- 50:5f:e9:b0:fe:67:0b:7e:dc:4f:e9:fe:5d:ea:55:
- 9a:87:d0:13:6d:9e:b9:f1:cd:08:b3:da:c7:d2:3e:
- dc:fa:d2:03:58:f7:e6:43:03:5b:c9:0d:ee:d6:26:
- b0:fa:eb:36:5e:a3:d0:ae:cb:00:4c:97:bb:9a:63:
- 09:59:10:6b:c5:f9:e7:4a:3f:76:eb:a2:63:8f:45:
- cc:43:8f:4a:15:2f:dc:3e:f2:11:3d:07:03:c4:b8:
- c5:e5:65:1a:c7:d2:87:42:53:d3:a9:3f:fb:99:a0:
- b8:45:43:45:ec:09:59:c9:bd:55:22:e0:0e:19:ed:
- 49:fd:b6:db:5c:84:b0:01:89:50:a3:ca:1e:41:ba:
- 82:87:db:da:b5:2b:71:08:ae:1b:70:41:41:ca:24:
- 70:6b:9a:c9:db:1d:b2:65:94:01:9d:ed:b8:b5:36:
- 4c:f0:f0:39:be:bf:e4:49:02:d4:55:ec:11:dd:23:
- e3:6f:c1:28:99:77:44:29:70:a2:6e:ec:b2:53:86:
- e1:c1:45:3c:67:ea:12:08:b3:be:d2:be:9f:00:b0:
- 9b:1f:61
+ 00:da:1d:4d:ca:51:9d:f1:9f:d7:a4:7a:45:f8:75:
+ 98:66:b2:c5:7d:53:de:42:35:74:81:cd:1e:9f:f3:
+ 43:d7:a7:83:7f:fb:a2:ce:3c:44:37:80:4f:21:36:
+ a6:f6:c9:51:74:9e:e2:9b:bf:ad:e4:eb:72:11:64:
+ 36:88:b3:a9:91:63:c7:ee:38:c4:f5:8c:06:71:e5:
+ 09:b7:eb:57:5d:bf:db:5b:72:07:c5:29:e8:6f:33:
+ b3:a2:27:ef:1f:50:f0:55:33:63:41:23:e0:b2:f7:
+ 21:77:4b:ab:9d:73:2a:bb:b6:4e:88:7f:7c:e5:c6:
+ 37:3e:b6:20:c1:57:3e:6d:57:78:ef:0d:47:e9:41:
+ e7:fa:b6:2d:32:3f:42:05:8d:56:af:f5:c4:b8:6e:
+ 99:1a:e7:07:d5:a1:3f:29:7d:ce:b2:39:a6:ab:06:
+ 7a:e2:26:39:d8:96:9e:3b:c8:af:79:3e:9a:24:4e:
+ 4b:b2:af:e4:07:0e:71:dc:2f:70:27:97:3c:a2:fa:
+ 69:9b:57:4b:c5:53:5e:28:0c:b0:c7:57:1f:a2:b2:
+ 26:0f:5f:bf:d3:45:78:90:5a:2c:fc:6a:67:33:b6:
+ c1:7e:cd:17:c0:58:9e:ba:85:c5:15:5a:5a:67:db:
+ bf:2f:05:cd:38:d9:94:c9:95:7f:9b:68:b0:62:ff:
+ 37:92:cf:d8:77:be:cb:72:3d:0f:b9:80:44:57:c0:
+ c9:10:01:fd:07:25:30:eb:d8:48:05:af:98:fa:c4:
+ 64:6d:59:a6:6a:8d:1b:d4:4b:f3:07:98:68:e3:bb:
+ 59:c9:21:f8:11:b4:a2:82:1b:0d:e8:8c:e0:a5:e1:
+ 1c:71:ca:c3:2d:90:43:c3:ee:99:2c:7d:41:48:39:
+ c8:00:72:0d:80:39:23:a1:3a:27:ed:07:ca:32:8f:
+ 34:ca:bb:9d:67:13:7d:31:ed:4a:db:35:7a:ce:b3:
+ 89:e3:64:9d:3e:47:4e:d3:b7:bd:ab:12:16:10:bb:
+ 66:e8:1a:77:4c:2a:e0:b9:16:69:66:14:83:4e:4a:
+ f3:6f:ab:85:6a:70:c6:9b:ce:93:ab:75:36:a3:a5:
+ aa:9f:45:d6:a2:7f:17:c7:6f:f9:f5:e7:35:51:a5:
+ 75:c5:07:be:26:ce:7b:3f:29:3a:74:6b:17:79:4e:
+ cf:4c:0a:69:75:58:db:eb:a8:dd:f1:e6:cc:a3:18:
+ 53:a5:c5:a5:5a:a1:cf:37:6a:b1:9f:d3:d4:eb:0f:
+ 02:40:d2:ae:68:ce:bc:c5:46:e3:ee:f8:97:88:ee:
+ c8:a7:01:7a:a1:23:af:f3:31:2c:2a:6f:12:77:dc:
+ 3c:51:9d:40:f4:9a:2a:7b:85:29:1f:3e:c3:d5:37:
+ 8e:6e:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,115 +54,115 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- D3:E1:59:20:A1:DE:3D:12:57:0A:3D:BA:0A:6E:67:0E:40:A7:9A:88
+ 1B:F4:EC:34:42:BA:8B:67:AC:55:F2:37:5D:B4:68:A9:D8:5E:58:7B
Signature Algorithm: sha1WithRSAEncryption
- 0f:2c:68:90:33:67:b2:86:09:26:ec:65:29:ae:76:d6:a6:2f:
- 53:0e:d3:16:cd:2e:0d:a8:d1:14:22:f5:63:66:a9:3d:78:43:
- 40:a9:db:ef:02:52:d1:a9:c3:0b:ad:24:8e:a0:56:63:1f:ba:
- 23:48:64:74:ac:2c:bd:67:f8:87:6d:bf:d6:83:68:aa:99:ce:
- 4c:0b:30:d6:06:59:7c:74:0e:2c:8b:ee:5a:61:af:ff:f7:3c:
- 51:10:a7:93:44:6f:bb:f4:8b:5a:2b:5e:1c:4c:89:60:71:af:
- fd:bf:c0:fd:19:04:12:81:a0:ce:ed:b4:dc:64:12:80:36:18:
- 9f:1c:33:25:94:dd:94:51:eb:a1:c6:21:06:b5:16:05:7d:d3:
- 20:53:de:60:5d:40:6c:f1:7b:a1:98:7f:1a:bd:39:46:0a:ec:
- a6:cc:eb:7a:96:d5:43:6d:e5:c7:61:d2:f9:ed:76:a8:44:3f:
- c8:9d:45:1a:2c:3b:52:f8:08:7b:67:39:aa:ae:88:4f:eb:90:
- 99:9c:f8:8b:ae:c7:7a:eb:40:b1:ea:78:51:74:e9:11:2c:c2:
- d7:c0:93:35:c3:27:59:89:dd:1e:e6:4a:ed:fd:dc:1f:08:e2:
- 80:ce:a0:72:ec:04:d7:2c:1d:d6:2c:67:f3:b9:ce:e9:be:70:
- 10:82:b5:bf:45:29:c1:cc:36:11:5d:83:3d:17:11:03:b0:17:
- e1:3c:05:f0:ea:07:c6:3e:62:ce:2b:d9:55:41:dc:0c:55:82:
- 0f:e0:d5:a8:02:65:fa:c8:bd:60:16:b4:6d:53:08:9b:06:25:
- 94:c7:8f:ee:ac:5d:25:ad:cd:9d:af:7f:a8:5a:99:49:fc:fb:
- ad:69:8e:c4:c9:57:7c:88:2c:32:2b:ec:11:ed:61:cc:44:92:
- a7:18:11:19:96:e6:be:88:5d:ed:0f:dc:ca:2a:31:e9:2d:aa:
- 03:75:03:f4:42:5e:6c:86:b9:7f:b7:59:70:ba:09:b1:ba:28:
- 3a:be:68:45:a0:2e:89:0b:ea:a6:d9:85:58:bf:54:1c:02:56:
- 3a:d4:4f:88:7a:5e:c8:21:33:64:76:74:68:36:7a:a4:1c:a6:
- 5b:b8:f1:ef:98:10:82:84:d4:df:2d:34:4b:6d:15:62:55:31:
- b2:78:93:33:37:20:db:a0:30:85:db:cf:00:7c:b3:b3:a2:a9:
- 31:d7:06:fb:e7:ec:38:4f:3d:61:73:bf:b8:21:b0:c5:f8:3f:
- 98:8d:db:aa:23:01:41:d4:3c:99:cb:ce:4a:ff:10:fe:a7:52:
- 3b:8c:0f:30:6d:a4:4e:53:4d:60:2b:6a:05:ab:ef:b8:61:9c:
- a4:85:99:ae:b8:63:c8:e3
+ 95:f7:1c:99:72:42:4f:d3:bd:ba:3f:7a:75:bb:01:3a:ad:ce:
+ 6b:7b:b7:3d:5d:3b:46:51:ea:9a:36:94:70:36:1c:3b:fc:ba:
+ 9d:8b:0d:44:36:08:ad:a6:73:82:bc:23:ed:f9:5a:09:8f:9d:
+ 62:11:c1:94:7c:61:66:1f:8b:b9:0a:dc:3a:b5:eb:22:54:de:
+ a3:e5:8a:94:10:1f:84:52:6d:fe:27:c8:e5:cb:a5:8e:a9:83:
+ 16:95:0d:6c:3e:57:85:e1:ec:82:05:47:6d:28:ad:0d:84:fa:
+ 40:a0:96:f4:84:aa:d1:e1:0b:b7:91:e2:47:4f:05:97:f8:10:
+ a0:e8:57:bd:ed:48:65:55:75:da:e5:34:e8:f1:20:95:d6:40:
+ 8c:42:bf:b4:d9:55:c8:30:e8:d5:ce:d8:1d:30:65:90:39:eb:
+ e2:83:ed:11:03:cd:07:c0:e1:c4:91:84:a0:97:8e:6d:22:e6:
+ 75:77:21:7c:32:8b:48:ed:d6:b2:19:2e:af:26:ad:7d:6c:ce:
+ 09:e1:78:b6:72:61:60:22:92:b8:df:42:6b:34:6b:5f:35:ef:
+ f1:d3:c6:7f:92:05:3c:d0:08:77:01:66:f7:57:b8:65:de:d3:
+ d2:b1:bf:93:b1:8c:a3:27:e6:d4:e2:2b:9b:cd:9d:be:31:82:
+ 5b:53:dd:5a:bd:39:05:5f:8c:56:f2:7f:9b:b7:ef:e6:07:96:
+ bf:8a:d9:8d:bb:62:98:86:de:aa:91:c3:fe:e7:bb:a7:1f:f0:
+ fd:1f:6c:a6:04:04:f0:c2:51:a1:91:8c:9a:ee:f9:87:42:37:
+ 7e:9c:27:72:59:dc:60:a8:8e:d1:81:97:f1:15:c3:d8:a9:4e:
+ 9a:09:e9:81:76:39:36:b3:08:a1:e5:5e:97:37:ba:43:8f:06:
+ 1a:70:69:3b:fe:79:a6:5e:2d:26:04:e9:bc:5f:57:c9:d0:80:
+ c2:0d:4b:c7:0e:dd:04:e5:15:49:9d:d7:ff:ee:a3:1c:04:56:
+ 7d:e2:a0:d3:39:1a:59:bd:85:b0:eb:54:ea:81:8b:e1:17:94:
+ a5:fe:e3:0c:d0:74:42:ee:4a:f4:66:90:49:4b:64:bc:47:35:
+ f5:b2:60:8e:74:05:d0:a6:d2:94:b4:e0:0f:4b:3f:35:ea:2a:
+ e0:24:58:c1:6e:d0:65:6e:58:f7:e1:90:02:ae:40:23:25:e9:
+ 80:9a:d2:a7:ea:5d:fc:6d:f8:45:0f:db:53:91:55:32:46:e3:
+ 6a:c0:54:0a:5a:4c:e8:1a:1e:a6:33:3e:fe:ed:b6:ad:cf:6a:
+ 3c:2f:b2:6c:47:75:f1:29:43:31:69:c3:0c:42:56:5b:d9:b8:
+ 99:7b:ff:2b:50:87:34:2e
-----BEGIN CERTIFICATE-----
-MIIE/zCCAuegAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4
-MDExNjE1MDUxMlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKnJzvi3d5k8clSMzwpjnfLf
-DQdvIlQXcf92ptGeM/UFP6wyvljlfKfTKd09OGJkjYLSqvUFNvO8rX9OucVWierC
-17GWaf33TjVWWXwDkXlg9KGoeKAaBC4KmLfMvvPqKGrXXoCNdMf02JZIRJQbzk+a
-ZY1UxsRps7775JF5XsW6+d8D3hTiaBpq6VGDAQ/mCQ/JoXi0dUUY8EN8ETeykc1Q
-bnFCacA22uG8JPq9j8XOytSvs/HXIMGsTTFCxc1ubEEMjo0IjyywdgIY1w0P/spn
-P7b+GzanyjO9ATZ+l/bjVZxLpfpIWKcHyshxLOkFfjpASqq3NBPhsFrrWFAOmTG9
-b+n7vUv4BXBeAUE2z81/btHm3ucjqYZJYSb8qVijRTeyR/ruzXThoSjMUF/psP5n
-C37cT+n+XepVmofQE22eufHNCLPax9I+3PrSA1j35kMDW8kN7tYmsPrrNl6j0K7L
-AEyXu5pjCVkQa8X550o/duuiY49FzEOPShUv3D7yET0HA8S4xeVlGsfSh0JT06k/
-+5mguEVDRewJWcm9VSLgDhntSf2221yEsAGJUKPKHkG6gofb2rUrcQiuG3BBQcok
-cGuaydsdsmWUAZ3tuLU2TPDwOb6/5EkC1FXsEd0j42/BKJl3RClwom7sslOG4cFF
-PGfqEgizvtK+nwCwmx9hAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg
-MB0GA1UdDgQWBBTT4Vkgod49ElcKPboKbmcOQKeaiDANBgkqhkiG9w0BAQUFAAOC
-AgEADyxokDNnsoYJJuxlKa521qYvUw7TFs0uDajRFCL1Y2apPXhDQKnb7wJS0anD
-C60kjqBWYx+6I0hkdKwsvWf4h22/1oNoqpnOTAsw1gZZfHQOLIvuWmGv//c8URCn
-k0Rvu/SLWiteHEyJYHGv/b/A/RkEEoGgzu203GQSgDYYnxwzJZTdlFHrocYhBrUW
-BX3TIFPeYF1AbPF7oZh/Gr05RgrspszrepbVQ23lx2HS+e12qEQ/yJ1FGiw7UvgI
-e2c5qq6IT+uQmZz4i67HeutAsep4UXTpESzC18CTNcMnWYndHuZK7f3cHwjigM6g
-cuwE1ywd1ixn87nO6b5wEIK1v0Upwcw2EV2DPRcRA7AX4TwF8OoHxj5izivZVUHc
-DFWCD+DVqAJl+si9YBa0bVMImwYllMeP7qxdJa3Nna9/qFqZSfz7rWmOxMlXfIgs
-MivsEe1hzESSpxgRGZbmvohd7Q/cyiox6S2qA3UD9EJebIa5f7dZcLoJsbooOr5o
-RaAuiQvqptmFWL9UHAJWOtRPiHpeyCEzZHZ0aDZ6pBymW7jx75gQgoTU3y00S20V
-YlUxsniTMzcg26AwhdvPAHyzs6KpMdcG++fsOE89YXO/uCGwxfg/mI3bqiMBQdQ8
-mcvOSv8Q/qdSO4wPMG2kTlNNYCtqBavvuGGcpIWZrrhjyOM=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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCpyc74t3eZPHJU
-jM8KY53y3w0HbyJUF3H/dqbRnjP1BT+sMr5Y5Xyn0yndPThiZI2C0qr1BTbzvK1/
-TrnFVonqwtexlmn99041Vll8A5F5YPShqHigGgQuCpi3zL7z6ihq116AjXTH9NiW
-SESUG85PmmWNVMbEabO+++SReV7FuvnfA94U4mgaaulRgwEP5gkPyaF4tHVFGPBD
-fBE3spHNUG5xQmnANtrhvCT6vY/FzsrUr7Px1yDBrE0xQsXNbmxBDI6NCI8ssHYC
-GNcND/7KZz+2/hs2p8ozvQE2fpf241WcS6X6SFinB8rIcSzpBX46QEqqtzQT4bBa
-61hQDpkxvW/p+71L+AVwXgFBNs/Nf27R5t7nI6mGSWEm/KlYo0U3skf67s104aEo
-zFBf6bD+Zwt+3E/p/l3qVZqH0BNtnrnxzQiz2sfSPtz60gNY9+ZDA1vJDe7WJrD6
-6zZeo9CuywBMl7uaYwlZEGvF+edKP3bromOPRcxDj0oVL9w+8hE9BwPEuMXlZRrH
-0odCU9OpP/uZoLhFQ0XsCVnJvVUi4A4Z7Un9tttchLABiVCjyh5BuoKH29q1K3EI
-rhtwQUHKJHBrmsnbHbJllAGd7bi1Nkzw8Dm+v+RJAtRV7BHdI+NvwSiZd0QpcKJu
-7LJThuHBRTxn6hIIs77Svp8AsJsfYQIDAQABAoICAGR9MKY7z+k9wV0RSaiYdO89
-3HQ97k9e4PWVv/3oaE/oH1tHXSk4CaM6c1ih1zFE2gxHqy8BOxje3sCuU3zcTxxG
-3WoZ3/mT2RHwXV3srrjsDV1wXJRFUZv+YYzG/W1XdTxm42OqVSfTXizz8MLIAj9S
-3i/bsRimht/OLeV7s//LPgAkRdiOd5bLF/RKWOKT/2D8sTjDdXTD4c/PKlGQuoKN
-zA/0gqpkzP81X52Xe/RTA/EFXLcR4C1AUR+KqY+Af0mwqN4H5tVIS0/Ka90rTl10
-5lzj4C9k92PPxVv/aOmSeyTaEQ4kq3OQRRCFC1OPELphOs/3RjdOKBZnnAkl2ryC
-pg2EquKfA4W1LGqI+MbNhKlppnyBef5FNOHK9PsH6luF/KASTtLvc5/Xu/d0Lza5
-flS9ah/srA4ejwDsUnREjajwfroGxpl7Nem9NCneETqOc0yBRsJalDhbsxTbotQ+
-tHq2CqMNtuxXRDk59QHDSszzjUMKnDqkADdKjHy2cWkKkjgBnk4iqL+BKN7pUU50
-R7t0Fh3HNa6EGW8UQwPQFAEE7C9AhhI+keT5zyQZ3F+Dppx+qDbUv3xKwti/9Y53
-IttHyi+N3SBWNTiJZmJ1X1tY5KGXIWvbotuU8jSxXvzebn1nOjQtxcEuNdgJv5Bk
-m7mRe5VjtaFtj0qM0yJRAoIBAQDZWanHESJ/IU1BrYx10tp92CYbgZiV8g+LJB1j
-EdkaMg6ak0mzWPWmeKPKalMEcF6/RwBcicBZYZaOLGVfl3wVd9Qk+O7k5sc7HaV3
-9hIdAlpLgbl3Owf7IcW+D7A48+Cd6dHDx0pWijf17OYaPis2+2m1Kdx+VC4QA1Jb
-w/h8dctUlqrkAFBnrAxHG3RPtE4fk8SknS8MWYwNTqPaVEhHpbS7PRvSX8nAk0EP
-aLlNV+G+twqng4aZWTN/usPYW05eh4kmhnSaSNe93EQIkwcyqk1hASxgFhFxid1c
-QkiwSoJl06ilbNietbEBcdepmJKEHJyzUPFuCBe1bTdRukBbAoIBAQDH+wFG3ADb
-S8CHXVgN+YuOYgKihkPqJxWYwZJaRDg/8Brp3+U4gWy8crwAr3yyu1ZxloRjUoxw
-31Jc0ec6lGLMYWqSVjAOFWs0OL2IG27qVxZ4qiAjO+Y88KFj4b9ZJnZBGBt0bjhk
-ZTDnEJlK1F27IIFiFU1Z/lG9gjEisFf4OFDbCLzgy39IampF6FvteEx9lTcWjFSC
-dQJwGRDwvm5jWF0BYyf6yCrnkQUk80Fc6DXm5gUhFyA6qu0cbm5Z+BpGC9J2+QlE
-vANLTGeol8f3iDv264U6iQ5S6pdzcg+BHcG8F3uXvMmnEKBTKxyJeACAJzlmL/Oc
-VqCdbN5v3mvzAoIBAQDVtJmAR9K5WU8TAscWmmmGTt65MOWMmWK7FplmbYgff5Ro
-W+WdWBzAv+GcBor11F70h6VNV4wu1gsoY3KRWOsCWL3YVILfwiGmeHHXz7TjnQqX
-L0fiecJRJFW/mMFWXkQ+QEalzu/Cw0hen71nlDT9bJn1LOHFvJNF3149KCTMiy2P
-UE1avQxRwxKXX+Eu9UPTPIGesYYvCGTyOJ5W74PaHo3jhCQ050YB+UeBFSENcRlf
-Ya4yItpXMSO3tTUXKD+YJn+tx4oioPivj0G9hIMRR+2pMXQmTcx87GcgbXP3EmvA
-Hyq07J7Y/iC6IOtBr+hvyYoxraaU35QgKPC5hP39AoIBAQCjg1bt62E/7daEWAxx
-kMNNLlJdNU8+m6qK9muGJxWfIeG/rPQtmZWhGGckYFijg44Q3jNtSsfOWqtrfa2F
-NmL6HgUXliVAvr6jOmmuak/siDy1eNVCOe3tkgtEMgdVC5/RZba9Ioo1fI/Zvra4
-eqARK2jfG+/dT5biTxuB85JaQSHLln9phrqSKYCvnGfd6WkRnfonE6Ld8HKH2dcC
-IZL84/lX8w1zfkumf+sm5UdigfPg0d8LyW7uyWeKwbi1E6nX8D6sTMAJVXmUDesL
-7N7yRJBTOwv6aqotnecr2+1Vc1E/TCwgS5rOYUfV+QAiXt556piCN18HS8WUMrpF
-2iWFAoIBAD2Dn6bz86duyuuQ4CPAnawONcEVmUpajbrIKi0hqYEVIN5IF/LshvNY
-Lqtf/PWWWocF9b1K71wDuMs499Tf6Kr0b+AuBRZs9WbMthJhY5+xzU9IqwbRzgFJ
-81BGu796PezbBOS7vVqrGkpi3CBG0nDg3gQ3ZbBLVtEcx0WfX8QMXw9Ib9UxfOOX
-jKVEvNoy1R0p2C21xan5/fUyR5K/Dq5DIylUrpxWMUgC8lIktDulItGKh/3llCq+
-uu+wN91SkXC1pxTG3yDKP49PrcTV6M7G1JYUXkSQaiWgwNEz59f/7pMH7xxFsaHI
-nC68md8aa7+0IQEQqbKOdr+LhyMXCFA=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-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test.crt b/lib/hx509/data/test.crt
index 2c06613ae595..40663c4241f0 100644
--- a/lib/hx509/data/test.crt
+++ b/lib/hx509/data/test.crt
@@ -5,48 +5,48 @@ Certificate:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=hx509 Test Root CA, C=SE
Validity
- Not Before: May 23 15:05:12 2019 GMT
- Not After : Jan 16 15:05:12 2038 GMT
+ Not Before: Mar 22 22:25:02 2019 GMT
+ Not After : Nov 21 22:25:02 2518 GMT
Subject: C=SE, CN=Test cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
- 00:a9:c9:ce:f8:b7:77:99:3c:72:54:8c:cf:0a:63:
- 9d:f2:df:0d:07:6f:22:54:17:71:ff:76:a6:d1:9e:
- 33:f5:05:3f:ac:32:be:58:e5:7c:a7:d3:29:dd:3d:
- 38:62:64:8d:82:d2:aa:f5:05:36:f3:bc:ad:7f:4e:
- b9:c5:56:89:ea:c2:d7:b1:96:69:fd:f7:4e:35:56:
- 59:7c:03:91:79:60:f4:a1:a8:78:a0:1a:04:2e:0a:
- 98:b7:cc:be:f3:ea:28:6a:d7:5e:80:8d:74:c7:f4:
- d8:96:48:44:94:1b:ce:4f:9a:65:8d:54:c6:c4:69:
- b3:be:fb:e4:91:79:5e:c5:ba:f9:df:03:de:14:e2:
- 68:1a:6a:e9:51:83:01:0f:e6:09:0f:c9:a1:78:b4:
- 75:45:18:f0:43:7c:11:37:b2:91:cd:50:6e:71:42:
- 69:c0:36:da:e1:bc:24:fa:bd:8f:c5:ce:ca:d4:af:
- b3:f1:d7:20:c1:ac:4d:31:42:c5:cd:6e:6c:41:0c:
- 8e:8d:08:8f:2c:b0:76:02:18:d7:0d:0f:fe:ca:67:
- 3f:b6:fe:1b:36:a7:ca:33:bd:01:36:7e:97:f6:e3:
- 55:9c:4b:a5:fa:48:58:a7:07:ca:c8:71:2c:e9:05:
- 7e:3a:40:4a:aa:b7:34:13:e1:b0:5a:eb:58:50:0e:
- 99:31:bd:6f:e9:fb:bd:4b:f8:05:70:5e:01:41:36:
- cf:cd:7f:6e:d1:e6:de:e7:23:a9:86:49:61:26:fc:
- a9:58:a3:45:37:b2:47:fa:ee:cd:74:e1:a1:28:cc:
- 50:5f:e9:b0:fe:67:0b:7e:dc:4f:e9:fe:5d:ea:55:
- 9a:87:d0:13:6d:9e:b9:f1:cd:08:b3:da:c7:d2:3e:
- dc:fa:d2:03:58:f7:e6:43:03:5b:c9:0d:ee:d6:26:
- b0:fa:eb:36:5e:a3:d0:ae:cb:00:4c:97:bb:9a:63:
- 09:59:10:6b:c5:f9:e7:4a:3f:76:eb:a2:63:8f:45:
- cc:43:8f:4a:15:2f:dc:3e:f2:11:3d:07:03:c4:b8:
- c5:e5:65:1a:c7:d2:87:42:53:d3:a9:3f:fb:99:a0:
- b8:45:43:45:ec:09:59:c9:bd:55:22:e0:0e:19:ed:
- 49:fd:b6:db:5c:84:b0:01:89:50:a3:ca:1e:41:ba:
- 82:87:db:da:b5:2b:71:08:ae:1b:70:41:41:ca:24:
- 70:6b:9a:c9:db:1d:b2:65:94:01:9d:ed:b8:b5:36:
- 4c:f0:f0:39:be:bf:e4:49:02:d4:55:ec:11:dd:23:
- e3:6f:c1:28:99:77:44:29:70:a2:6e:ec:b2:53:86:
- e1:c1:45:3c:67:ea:12:08:b3:be:d2:be:9f:00:b0:
- 9b:1f:61
+ 00:da:1d:4d:ca:51:9d:f1:9f:d7:a4:7a:45:f8:75:
+ 98:66:b2:c5:7d:53:de:42:35:74:81:cd:1e:9f:f3:
+ 43:d7:a7:83:7f:fb:a2:ce:3c:44:37:80:4f:21:36:
+ a6:f6:c9:51:74:9e:e2:9b:bf:ad:e4:eb:72:11:64:
+ 36:88:b3:a9:91:63:c7:ee:38:c4:f5:8c:06:71:e5:
+ 09:b7:eb:57:5d:bf:db:5b:72:07:c5:29:e8:6f:33:
+ b3:a2:27:ef:1f:50:f0:55:33:63:41:23:e0:b2:f7:
+ 21:77:4b:ab:9d:73:2a:bb:b6:4e:88:7f:7c:e5:c6:
+ 37:3e:b6:20:c1:57:3e:6d:57:78:ef:0d:47:e9:41:
+ e7:fa:b6:2d:32:3f:42:05:8d:56:af:f5:c4:b8:6e:
+ 99:1a:e7:07:d5:a1:3f:29:7d:ce:b2:39:a6:ab:06:
+ 7a:e2:26:39:d8:96:9e:3b:c8:af:79:3e:9a:24:4e:
+ 4b:b2:af:e4:07:0e:71:dc:2f:70:27:97:3c:a2:fa:
+ 69:9b:57:4b:c5:53:5e:28:0c:b0:c7:57:1f:a2:b2:
+ 26:0f:5f:bf:d3:45:78:90:5a:2c:fc:6a:67:33:b6:
+ c1:7e:cd:17:c0:58:9e:ba:85:c5:15:5a:5a:67:db:
+ bf:2f:05:cd:38:d9:94:c9:95:7f:9b:68:b0:62:ff:
+ 37:92:cf:d8:77:be:cb:72:3d:0f:b9:80:44:57:c0:
+ c9:10:01:fd:07:25:30:eb:d8:48:05:af:98:fa:c4:
+ 64:6d:59:a6:6a:8d:1b:d4:4b:f3:07:98:68:e3:bb:
+ 59:c9:21:f8:11:b4:a2:82:1b:0d:e8:8c:e0:a5:e1:
+ 1c:71:ca:c3:2d:90:43:c3:ee:99:2c:7d:41:48:39:
+ c8:00:72:0d:80:39:23:a1:3a:27:ed:07:ca:32:8f:
+ 34:ca:bb:9d:67:13:7d:31:ed:4a:db:35:7a:ce:b3:
+ 89:e3:64:9d:3e:47:4e:d3:b7:bd:ab:12:16:10:bb:
+ 66:e8:1a:77:4c:2a:e0:b9:16:69:66:14:83:4e:4a:
+ f3:6f:ab:85:6a:70:c6:9b:ce:93:ab:75:36:a3:a5:
+ aa:9f:45:d6:a2:7f:17:c7:6f:f9:f5:e7:35:51:a5:
+ 75:c5:07:be:26:ce:7b:3f:29:3a:74:6b:17:79:4e:
+ cf:4c:0a:69:75:58:db:eb:a8:dd:f1:e6:cc:a3:18:
+ 53:a5:c5:a5:5a:a1:cf:37:6a:b1:9f:d3:d4:eb:0f:
+ 02:40:d2:ae:68:ce:bc:c5:46:e3:ee:f8:97:88:ee:
+ c8:a7:01:7a:a1:23:af:f3:31:2c:2a:6f:12:77:dc:
+ 3c:51:9d:40:f4:9a:2a:7b:85:29:1f:3e:c3:d5:37:
+ 8e:6e:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
@@ -54,63 +54,63 @@ Certificate:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Key Identifier:
- D3:E1:59:20:A1:DE:3D:12:57:0A:3D:BA:0A:6E:67:0E:40:A7:9A:88
+ 1B:F4:EC:34:42:BA:8B:67:AC:55:F2:37:5D:B4:68:A9:D8:5E:58:7B
Signature Algorithm: sha1WithRSAEncryption
- 0f:2c:68:90:33:67:b2:86:09:26:ec:65:29:ae:76:d6:a6:2f:
- 53:0e:d3:16:cd:2e:0d:a8:d1:14:22:f5:63:66:a9:3d:78:43:
- 40:a9:db:ef:02:52:d1:a9:c3:0b:ad:24:8e:a0:56:63:1f:ba:
- 23:48:64:74:ac:2c:bd:67:f8:87:6d:bf:d6:83:68:aa:99:ce:
- 4c:0b:30:d6:06:59:7c:74:0e:2c:8b:ee:5a:61:af:ff:f7:3c:
- 51:10:a7:93:44:6f:bb:f4:8b:5a:2b:5e:1c:4c:89:60:71:af:
- fd:bf:c0:fd:19:04:12:81:a0:ce:ed:b4:dc:64:12:80:36:18:
- 9f:1c:33:25:94:dd:94:51:eb:a1:c6:21:06:b5:16:05:7d:d3:
- 20:53:de:60:5d:40:6c:f1:7b:a1:98:7f:1a:bd:39:46:0a:ec:
- a6:cc:eb:7a:96:d5:43:6d:e5:c7:61:d2:f9:ed:76:a8:44:3f:
- c8:9d:45:1a:2c:3b:52:f8:08:7b:67:39:aa:ae:88:4f:eb:90:
- 99:9c:f8:8b:ae:c7:7a:eb:40:b1:ea:78:51:74:e9:11:2c:c2:
- d7:c0:93:35:c3:27:59:89:dd:1e:e6:4a:ed:fd:dc:1f:08:e2:
- 80:ce:a0:72:ec:04:d7:2c:1d:d6:2c:67:f3:b9:ce:e9:be:70:
- 10:82:b5:bf:45:29:c1:cc:36:11:5d:83:3d:17:11:03:b0:17:
- e1:3c:05:f0:ea:07:c6:3e:62:ce:2b:d9:55:41:dc:0c:55:82:
- 0f:e0:d5:a8:02:65:fa:c8:bd:60:16:b4:6d:53:08:9b:06:25:
- 94:c7:8f:ee:ac:5d:25:ad:cd:9d:af:7f:a8:5a:99:49:fc:fb:
- ad:69:8e:c4:c9:57:7c:88:2c:32:2b:ec:11:ed:61:cc:44:92:
- a7:18:11:19:96:e6:be:88:5d:ed:0f:dc:ca:2a:31:e9:2d:aa:
- 03:75:03:f4:42:5e:6c:86:b9:7f:b7:59:70:ba:09:b1:ba:28:
- 3a:be:68:45:a0:2e:89:0b:ea:a6:d9:85:58:bf:54:1c:02:56:
- 3a:d4:4f:88:7a:5e:c8:21:33:64:76:74:68:36:7a:a4:1c:a6:
- 5b:b8:f1:ef:98:10:82:84:d4:df:2d:34:4b:6d:15:62:55:31:
- b2:78:93:33:37:20:db:a0:30:85:db:cf:00:7c:b3:b3:a2:a9:
- 31:d7:06:fb:e7:ec:38:4f:3d:61:73:bf:b8:21:b0:c5:f8:3f:
- 98:8d:db:aa:23:01:41:d4:3c:99:cb:ce:4a:ff:10:fe:a7:52:
- 3b:8c:0f:30:6d:a4:4e:53:4d:60:2b:6a:05:ab:ef:b8:61:9c:
- a4:85:99:ae:b8:63:c8:e3
+ 95:f7:1c:99:72:42:4f:d3:bd:ba:3f:7a:75:bb:01:3a:ad:ce:
+ 6b:7b:b7:3d:5d:3b:46:51:ea:9a:36:94:70:36:1c:3b:fc:ba:
+ 9d:8b:0d:44:36:08:ad:a6:73:82:bc:23:ed:f9:5a:09:8f:9d:
+ 62:11:c1:94:7c:61:66:1f:8b:b9:0a:dc:3a:b5:eb:22:54:de:
+ a3:e5:8a:94:10:1f:84:52:6d:fe:27:c8:e5:cb:a5:8e:a9:83:
+ 16:95:0d:6c:3e:57:85:e1:ec:82:05:47:6d:28:ad:0d:84:fa:
+ 40:a0:96:f4:84:aa:d1:e1:0b:b7:91:e2:47:4f:05:97:f8:10:
+ a0:e8:57:bd:ed:48:65:55:75:da:e5:34:e8:f1:20:95:d6:40:
+ 8c:42:bf:b4:d9:55:c8:30:e8:d5:ce:d8:1d:30:65:90:39:eb:
+ e2:83:ed:11:03:cd:07:c0:e1:c4:91:84:a0:97:8e:6d:22:e6:
+ 75:77:21:7c:32:8b:48:ed:d6:b2:19:2e:af:26:ad:7d:6c:ce:
+ 09:e1:78:b6:72:61:60:22:92:b8:df:42:6b:34:6b:5f:35:ef:
+ f1:d3:c6:7f:92:05:3c:d0:08:77:01:66:f7:57:b8:65:de:d3:
+ d2:b1:bf:93:b1:8c:a3:27:e6:d4:e2:2b:9b:cd:9d:be:31:82:
+ 5b:53:dd:5a:bd:39:05:5f:8c:56:f2:7f:9b:b7:ef:e6:07:96:
+ bf:8a:d9:8d:bb:62:98:86:de:aa:91:c3:fe:e7:bb:a7:1f:f0:
+ fd:1f:6c:a6:04:04:f0:c2:51:a1:91:8c:9a:ee:f9:87:42:37:
+ 7e:9c:27:72:59:dc:60:a8:8e:d1:81:97:f1:15:c3:d8:a9:4e:
+ 9a:09:e9:81:76:39:36:b3:08:a1:e5:5e:97:37:ba:43:8f:06:
+ 1a:70:69:3b:fe:79:a6:5e:2d:26:04:e9:bc:5f:57:c9:d0:80:
+ c2:0d:4b:c7:0e:dd:04:e5:15:49:9d:d7:ff:ee:a3:1c:04:56:
+ 7d:e2:a0:d3:39:1a:59:bd:85:b0:eb:54:ea:81:8b:e1:17:94:
+ a5:fe:e3:0c:d0:74:42:ee:4a:f4:66:90:49:4b:64:bc:47:35:
+ f5:b2:60:8e:74:05:d0:a6:d2:94:b4:e0:0f:4b:3f:35:ea:2a:
+ e0:24:58:c1:6e:d0:65:6e:58:f7:e1:90:02:ae:40:23:25:e9:
+ 80:9a:d2:a7:ea:5d:fc:6d:f8:45:0f:db:53:91:55:32:46:e3:
+ 6a:c0:54:0a:5a:4c:e8:1a:1e:a6:33:3e:fe:ed:b6:ad:cf:6a:
+ 3c:2f:b2:6c:47:75:f1:29:43:31:69:c3:0c:42:56:5b:d9:b8:
+ 99:7b:ff:2b:50:87:34:2e
-----BEGIN CERTIFICATE-----
-MIIE/zCCAuegAwIBAgIBAjANBgkqhkiG9w0BAQUFADAqMRswGQYDVQQDDBJoeDUw
-OSBUZXN0IFJvb3QgQ0ExCzAJBgNVBAYTAlNFMB4XDTE5MDUyMzE1MDUxMloXDTM4
-MDExNjE1MDUxMlowITELMAkGA1UEBhMCU0UxEjAQBgNVBAMMCVRlc3QgY2VydDCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKnJzvi3d5k8clSMzwpjnfLf
-DQdvIlQXcf92ptGeM/UFP6wyvljlfKfTKd09OGJkjYLSqvUFNvO8rX9OucVWierC
-17GWaf33TjVWWXwDkXlg9KGoeKAaBC4KmLfMvvPqKGrXXoCNdMf02JZIRJQbzk+a
-ZY1UxsRps7775JF5XsW6+d8D3hTiaBpq6VGDAQ/mCQ/JoXi0dUUY8EN8ETeykc1Q
-bnFCacA22uG8JPq9j8XOytSvs/HXIMGsTTFCxc1ubEEMjo0IjyywdgIY1w0P/spn
-P7b+GzanyjO9ATZ+l/bjVZxLpfpIWKcHyshxLOkFfjpASqq3NBPhsFrrWFAOmTG9
-b+n7vUv4BXBeAUE2z81/btHm3ucjqYZJYSb8qVijRTeyR/ruzXThoSjMUF/psP5n
-C37cT+n+XepVmofQE22eufHNCLPax9I+3PrSA1j35kMDW8kN7tYmsPrrNl6j0K7L
-AEyXu5pjCVkQa8X550o/duuiY49FzEOPShUv3D7yET0HA8S4xeVlGsfSh0JT06k/
-+5mguEVDRewJWcm9VSLgDhntSf2221yEsAGJUKPKHkG6gofb2rUrcQiuG3BBQcok
-cGuaydsdsmWUAZ3tuLU2TPDwOb6/5EkC1FXsEd0j42/BKJl3RClwom7sslOG4cFF
-PGfqEgizvtK+nwCwmx9hAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXg
-MB0GA1UdDgQWBBTT4Vkgod49ElcKPboKbmcOQKeaiDANBgkqhkiG9w0BAQUFAAOC
-AgEADyxokDNnsoYJJuxlKa521qYvUw7TFs0uDajRFCL1Y2apPXhDQKnb7wJS0anD
-C60kjqBWYx+6I0hkdKwsvWf4h22/1oNoqpnOTAsw1gZZfHQOLIvuWmGv//c8URCn
-k0Rvu/SLWiteHEyJYHGv/b/A/RkEEoGgzu203GQSgDYYnxwzJZTdlFHrocYhBrUW
-BX3TIFPeYF1AbPF7oZh/Gr05RgrspszrepbVQ23lx2HS+e12qEQ/yJ1FGiw7UvgI
-e2c5qq6IT+uQmZz4i67HeutAsep4UXTpESzC18CTNcMnWYndHuZK7f3cHwjigM6g
-cuwE1ywd1ixn87nO6b5wEIK1v0Upwcw2EV2DPRcRA7AX4TwF8OoHxj5izivZVUHc
-DFWCD+DVqAJl+si9YBa0bVMImwYllMeP7qxdJa3Nna9/qFqZSfz7rWmOxMlXfIgs
-MivsEe1hzESSpxgRGZbmvohd7Q/cyiox6S2qA3UD9EJebIa5f7dZcLoJsbooOr5o
-RaAuiQvqptmFWL9UHAJWOtRPiHpeyCEzZHZ0aDZ6pBymW7jx75gQgoTU3y00S20V
-YlUxsniTMzcg26AwhdvPAHyzs6KpMdcG++fsOE89YXO/uCGwxfg/mI3bqiMBQdQ8
-mcvOSv8Q/qdSO4wPMG2kTlNNYCtqBavvuGGcpIWZrrhjyOM=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-----END CERTIFICATE-----
diff --git a/lib/hx509/data/test.key b/lib/hx509/data/test.key
index 927813f76062..03de157b44c9 100644
--- a/lib/hx509/data/test.key
+++ b/lib/hx509/data/test.key
@@ -1,52 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCpyc74t3eZPHJU
-jM8KY53y3w0HbyJUF3H/dqbRnjP1BT+sMr5Y5Xyn0yndPThiZI2C0qr1BTbzvK1/
-TrnFVonqwtexlmn99041Vll8A5F5YPShqHigGgQuCpi3zL7z6ihq116AjXTH9NiW
-SESUG85PmmWNVMbEabO+++SReV7FuvnfA94U4mgaaulRgwEP5gkPyaF4tHVFGPBD
-fBE3spHNUG5xQmnANtrhvCT6vY/FzsrUr7Px1yDBrE0xQsXNbmxBDI6NCI8ssHYC
-GNcND/7KZz+2/hs2p8ozvQE2fpf241WcS6X6SFinB8rIcSzpBX46QEqqtzQT4bBa
-61hQDpkxvW/p+71L+AVwXgFBNs/Nf27R5t7nI6mGSWEm/KlYo0U3skf67s104aEo
-zFBf6bD+Zwt+3E/p/l3qVZqH0BNtnrnxzQiz2sfSPtz60gNY9+ZDA1vJDe7WJrD6
-6zZeo9CuywBMl7uaYwlZEGvF+edKP3bromOPRcxDj0oVL9w+8hE9BwPEuMXlZRrH
-0odCU9OpP/uZoLhFQ0XsCVnJvVUi4A4Z7Un9tttchLABiVCjyh5BuoKH29q1K3EI
-rhtwQUHKJHBrmsnbHbJllAGd7bi1Nkzw8Dm+v+RJAtRV7BHdI+NvwSiZd0QpcKJu
-7LJThuHBRTxn6hIIs77Svp8AsJsfYQIDAQABAoICAGR9MKY7z+k9wV0RSaiYdO89
-3HQ97k9e4PWVv/3oaE/oH1tHXSk4CaM6c1ih1zFE2gxHqy8BOxje3sCuU3zcTxxG
-3WoZ3/mT2RHwXV3srrjsDV1wXJRFUZv+YYzG/W1XdTxm42OqVSfTXizz8MLIAj9S
-3i/bsRimht/OLeV7s//LPgAkRdiOd5bLF/RKWOKT/2D8sTjDdXTD4c/PKlGQuoKN
-zA/0gqpkzP81X52Xe/RTA/EFXLcR4C1AUR+KqY+Af0mwqN4H5tVIS0/Ka90rTl10
-5lzj4C9k92PPxVv/aOmSeyTaEQ4kq3OQRRCFC1OPELphOs/3RjdOKBZnnAkl2ryC
-pg2EquKfA4W1LGqI+MbNhKlppnyBef5FNOHK9PsH6luF/KASTtLvc5/Xu/d0Lza5
-flS9ah/srA4ejwDsUnREjajwfroGxpl7Nem9NCneETqOc0yBRsJalDhbsxTbotQ+
-tHq2CqMNtuxXRDk59QHDSszzjUMKnDqkADdKjHy2cWkKkjgBnk4iqL+BKN7pUU50
-R7t0Fh3HNa6EGW8UQwPQFAEE7C9AhhI+keT5zyQZ3F+Dppx+qDbUv3xKwti/9Y53
-IttHyi+N3SBWNTiJZmJ1X1tY5KGXIWvbotuU8jSxXvzebn1nOjQtxcEuNdgJv5Bk
-m7mRe5VjtaFtj0qM0yJRAoIBAQDZWanHESJ/IU1BrYx10tp92CYbgZiV8g+LJB1j
-EdkaMg6ak0mzWPWmeKPKalMEcF6/RwBcicBZYZaOLGVfl3wVd9Qk+O7k5sc7HaV3
-9hIdAlpLgbl3Owf7IcW+D7A48+Cd6dHDx0pWijf17OYaPis2+2m1Kdx+VC4QA1Jb
-w/h8dctUlqrkAFBnrAxHG3RPtE4fk8SknS8MWYwNTqPaVEhHpbS7PRvSX8nAk0EP
-aLlNV+G+twqng4aZWTN/usPYW05eh4kmhnSaSNe93EQIkwcyqk1hASxgFhFxid1c
-QkiwSoJl06ilbNietbEBcdepmJKEHJyzUPFuCBe1bTdRukBbAoIBAQDH+wFG3ADb
-S8CHXVgN+YuOYgKihkPqJxWYwZJaRDg/8Brp3+U4gWy8crwAr3yyu1ZxloRjUoxw
-31Jc0ec6lGLMYWqSVjAOFWs0OL2IG27qVxZ4qiAjO+Y88KFj4b9ZJnZBGBt0bjhk
-ZTDnEJlK1F27IIFiFU1Z/lG9gjEisFf4OFDbCLzgy39IampF6FvteEx9lTcWjFSC
-dQJwGRDwvm5jWF0BYyf6yCrnkQUk80Fc6DXm5gUhFyA6qu0cbm5Z+BpGC9J2+QlE
-vANLTGeol8f3iDv264U6iQ5S6pdzcg+BHcG8F3uXvMmnEKBTKxyJeACAJzlmL/Oc
-VqCdbN5v3mvzAoIBAQDVtJmAR9K5WU8TAscWmmmGTt65MOWMmWK7FplmbYgff5Ro
-W+WdWBzAv+GcBor11F70h6VNV4wu1gsoY3KRWOsCWL3YVILfwiGmeHHXz7TjnQqX
-L0fiecJRJFW/mMFWXkQ+QEalzu/Cw0hen71nlDT9bJn1LOHFvJNF3149KCTMiy2P
-UE1avQxRwxKXX+Eu9UPTPIGesYYvCGTyOJ5W74PaHo3jhCQ050YB+UeBFSENcRlf
-Ya4yItpXMSO3tTUXKD+YJn+tx4oioPivj0G9hIMRR+2pMXQmTcx87GcgbXP3EmvA
-Hyq07J7Y/iC6IOtBr+hvyYoxraaU35QgKPC5hP39AoIBAQCjg1bt62E/7daEWAxx
-kMNNLlJdNU8+m6qK9muGJxWfIeG/rPQtmZWhGGckYFijg44Q3jNtSsfOWqtrfa2F
-NmL6HgUXliVAvr6jOmmuak/siDy1eNVCOe3tkgtEMgdVC5/RZba9Ioo1fI/Zvra4
-eqARK2jfG+/dT5biTxuB85JaQSHLln9phrqSKYCvnGfd6WkRnfonE6Ld8HKH2dcC
-IZL84/lX8w1zfkumf+sm5UdigfPg0d8LyW7uyWeKwbi1E6nX8D6sTMAJVXmUDesL
-7N7yRJBTOwv6aqotnecr2+1Vc1E/TCwgS5rOYUfV+QAiXt556piCN18HS8WUMrpF
-2iWFAoIBAD2Dn6bz86duyuuQ4CPAnawONcEVmUpajbrIKi0hqYEVIN5IF/LshvNY
-Lqtf/PWWWocF9b1K71wDuMs499Tf6Kr0b+AuBRZs9WbMthJhY5+xzU9IqwbRzgFJ
-81BGu796PezbBOS7vVqrGkpi3CBG0nDg3gQ3ZbBLVtEcx0WfX8QMXw9Ib9UxfOOX
-jKVEvNoy1R0p2C21xan5/fUyR5K/Dq5DIylUrpxWMUgC8lIktDulItGKh/3llCq+
-uu+wN91SkXC1pxTG3yDKP49PrcTV6M7G1JYUXkSQaiWgwNEz59f/7pMH7xxFsaHI
-nC68md8aa7+0IQEQqbKOdr+LhyMXCFA=
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDaHU3KUZ3xn9ek
+ekX4dZhmssV9U95CNXSBzR6f80PXp4N/+6LOPEQ3gE8hNqb2yVF0nuKbv63k63IR
+ZDaIs6mRY8fuOMT1jAZx5Qm361ddv9tbcgfFKehvM7OiJ+8fUPBVM2NBI+Cy9yF3
+S6udcyq7tk6If3zlxjc+tiDBVz5tV3jvDUfpQef6ti0yP0IFjVav9cS4bpka5wfV
+oT8pfc6yOaarBnriJjnYlp47yK95PpokTkuyr+QHDnHcL3Anlzyi+mmbV0vFU14o
+DLDHVx+isiYPX7/TRXiQWiz8amcztsF+zRfAWJ66hcUVWlpn278vBc042ZTJlX+b
+aLBi/zeSz9h3vstyPQ+5gERXwMkQAf0HJTDr2EgFr5j6xGRtWaZqjRvUS/MHmGjj
+u1nJIfgRtKKCGw3ojOCl4RxxysMtkEPD7pksfUFIOcgAcg2AOSOhOiftB8oyjzTK
+u51nE30x7UrbNXrOs4njZJ0+R07Tt72rEhYQu2boGndMKuC5FmlmFINOSvNvq4Vq
+cMabzpOrdTajpaqfRdaifxfHb/n15zVRpXXFB74mzns/KTp0axd5Ts9MCml1WNvr
+qN3x5syjGFOlxaVaoc83arGf09TrDwJA0q5ozrzFRuPu+JeI7sinAXqhI6/zMSwq
+bxJ33DxRnUD0mip7hSkfPsPVN45uCQIDAQABAoICAQDC4zgktLSJtyb5Yf+vN3PL
+H6VyjEOlqRnG+T6J8NUHljfbXT5lRFg3tz/9D1Y0YEGWEHmubKC2UOIFRCOuFcpH
+jH6SDst+E3WWwu3iFjhkHg+kL8ldlEqJQgsZstDojGuR1W60P5iAkGyoqUZYUxU1
+0HlvYWp57JhkQlwWJRw0mtoFzzoX47mhvLG5megmCdoRM2po2PmYniHT8lX7ftv3
+R6fyXMHj3AAH1Nzh0jln/lXAZu0gZiU7YN6/vOtblLirb1B5apDbadhRtLUoCGLN
+/pwfVJCT+Bj38nsLtw8rl/pgkGTOiuCZDPnCUI9DCYhUPbzXNSLK0/fHJs2kRyKh
+Nv+skWwmHdkCnzIliutxMlzehRHvRINoQ+/U/mNTE1FaNYnNEnSxpUSMKnPYUyTD
+YBhjFjtwkRpRDzbbcMBQk7Tbj2aISvFiAz/KOtRBDmBx70IxzxvqZ/5s94lyHZ5H
+fozf6LgBfJ5dmboNqHA18oBTAQDO2UBrIxyPSYExWdJ4o0vpTqwpmk8RTwgBsYfU
+EfDj3UqO5KJHTJAqdqdhXhz2c5J6EAyxDDItNg10rEVQVQbGbTPLtI8spjWfwJ6g
+P5L0j/cJx+nxNQvhrIMQgJfCrZS92PL6Yt0OqTS44m8mJgmt4z9OqZUtoT21fmcS
+uIOMYOY/NZBc+wMJ27UoeQKCAQEA8w6aZ+NAqmdDfEi/37XsbadsxDppPZ+/Ss2b
+aWOYwNU8P65rt3+EWjLrwMugiKOH1063QmZYcj74C4iaAhLblBiQH24YtiJi9tYs
+JCcFLWp01ZEqcxqBqI2kaHd9tuIaANGM+nKZH2MwTkzZ5IX1eAqZ0qgkC7Dx0JvO
+x1fXuhRTuFwTSkKZM3w4ba5G4DgczmKQr2SXm19PsMF61YX0n7HFuss85Z6xkONH
+gF6yokmPT7k/Ly4PLXZ9kycNx2EI5s1B79iAjaJAK8ifaEfUNNIi/xBf97oX6+hy
+AhO8aiC7snt6Tf2DNaJCZR1IKeO0M+5pkN6DZfV0hbQ9ulhD6wKCAQEA5bqt2VJJ
+9Vuuu8jcRlHfc4Cbubu+bMt9gbVp33ckAtRtQGQM4tHoHdd2hv4q8lV/f/K3m6Ps
+EMGeQ6QBuCWtkqD659eI5hvkchKjF+YGx/jt7k6EUlVUU1bfKXCgQv6W2VmrckzG
+ULsedOBLeT0Keppgw4kHqx+o/5DB9G3pZnVBITqGUP471q5X+c3BbAwN+9q8yRyY
+BimYJZKx0qgmpHSZ+4l3L6eLlcQiHev7TxGw1sGkpt3OF8NmR5PEzXUYC8qoi8na
+neLwTs9NKyb6hmOwTNJiWR5PNxWJeURxfl6GIfoxyUjptIrc5dve6k+ESxGgsSI1
+vyXgRUeiMlP82wKCAQEAuqx2jl+NZNLWk/fT1d+FbFpwQO2Tso6kfrEXMYQa589d
+7JLrjA1V+2ishHBgJVFjnUuJmGe+elA+da0+i2UsW7vZxSnrtMcINwga8tE9OrpO
+bVCGx8yN1ISkxs8vMGzLB+HpYtjtHZwyl5CSsN7pvn510cLtnEUUE+H2mEexGetO
+uYOOFTS9MTuwoxx8tuyhwykUcoDRp7U2IU0YKDIvxQ7mDCbX6ItPWTYVzlPs4pOY
+i+R80KGRaptcqs4N2Rl/mrP+dlVTtnPs0TPOqmqwYrkZw8gxzLOSd88Y8NtzlBb7
+0YLgVlHkmia606n/qJyH5HKxhWBAjuhLy/y4hAwSbQKB/1xtv4SwlxEg0iy7o+Sn
+DEBsfjs8TmF3fgex9ebzCIoa7dn6ZzTbP4jCJ+4oVR8rRyEzhqwYR+J2BDcyxX5R
+qoRUQJ8HGQ18K226EeSLqC7M+O3oqVR3AHaHfUIvDkvmIstQSKq0ORZCMv7TP4qI
+BK9PbZ8+gtdW5aftlhvCHSYcBxhXc7MilvDJNJxNLIVMVFQArfQ8jO3tzklPvDwF
+a4a/YzTRGiMSRhb70r43M+WcOIovXw/ELidhdsVVrtj7Q7F62FVl4Y+kvwr2XRX/
+mMx5T3WZL/irOTPwdl9UKlWtskn5YA6cR2tcc4QH8qhTVebeMMkT+ovtsU4uhBO7
+twKCAQAnvazlAlCSy/OeRqucmyqKjWTMEey6c/5dYlCkirF9J5o3n1YHhOSp8DY8
+iEjyl6ptsASapBhD6BpI4AwI6u92WBEwG15bleMlctVmtj7v39AFwNwSvvZtBZcZ
+jJ+TWaTT0nMvP90cZe5ql2DTrp/Mp4K9+3oR5qk9+EszobSoHxpgDzLogG+Zp/k/
+2NMj125uhuC0GTV5lKcrY6JquXPtqFBKOiBLr3j5sRe+iZ4UqZEjTo91nrV2E3HD
+kFJSP1weCD2HQ48T74nS775yrQnR+mWAJjuLpyDW5UXIDpvYlSbnmJ08+4C5Mu/e
+UK2bY3PmI10F5vBYLQpLlCYUyBDf
-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/test.p12 b/lib/hx509/data/test.p12
index 2184547cdc77..32d9c81d8148 100644
--- a/lib/hx509/data/test.p12
+++ b/lib/hx509/data/test.p12
Binary files differ
diff --git a/lib/hx509/env.c b/lib/hx509/env.c
index 70969504b3a8..79704382e228 100644
--- a/lib/hx509/env.c
+++ b/lib/hx509/env.c
@@ -52,7 +52,7 @@
* @ingroup hx509_env
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_env_add(hx509_context context, hx509_env *env,
const char *key, const char *value)
{
@@ -103,7 +103,7 @@ hx509_env_add(hx509_context context, hx509_env *env,
* @ingroup hx509_env
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_env_add_binding(hx509_context context, hx509_env *env,
const char *key, hx509_env list)
{
@@ -150,7 +150,7 @@ hx509_env_add_binding(hx509_context context, hx509_env *env,
* @ingroup hx509_env
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_env_lfind(hx509_context context, hx509_env env,
const char *key, size_t len)
{
@@ -175,7 +175,7 @@ hx509_env_lfind(hx509_context context, hx509_env env,
* @ingroup hx509_env
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_env_find(hx509_context context, hx509_env env, const char *key)
{
while(env) {
@@ -236,7 +236,7 @@ env_free(hx509_env b)
* @ingroup hx509_env
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_env_free(hx509_env *env)
{
if (*env)
diff --git a/lib/hx509/error.c b/lib/hx509/error.c
index be09414bfffa..aee4f79e747d 100644
--- a/lib/hx509/error.c
+++ b/lib/hx509/error.c
@@ -53,7 +53,7 @@ struct hx509_error_data {
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_clear_error_string(hx509_context context)
{
if (context) {
@@ -76,7 +76,7 @@ hx509_clear_error_string(hx509_context context)
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_set_error_stringv(hx509_context context, int flags, int code,
const char *fmt, va_list ap)
{
@@ -108,7 +108,7 @@ hx509_set_error_stringv(hx509_context context, int flags, int code,
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_set_error_string(hx509_context context, int flags, int code,
const char *fmt, ...)
{
@@ -120,6 +120,20 @@ hx509_set_error_string(hx509_context context, int flags, int code,
}
/**
+ * Sets ENOMEM as the error on a hx509 context.
+ *
+ * @param context A hx509 context.
+ *
+ * @ingroup hx509_error
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_enomem(hx509_context context)
+{
+ return heim_enomem(context->hcontext);
+}
+
+/**
* Get an error string from context associated with error_code.
*
* @param context A hx509 context.
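Review bot: `hx509_enomem` dereferences `context->hcontext` with no NULL check, while the neighbouring functions in this file (`hx509_clear_error_string` with its `if (context)` guard, and the rewritten `hx509_get_error_string` further down, whose comment says context may be NULL during `hx509_context_init()`) explicitly tolerate a NULL context. A caller that hits an allocation failure in exactly that early-init situation would crash here instead of getting an error code back. Suggest `return context ? heim_enomem(context->hcontext) : ENOMEM;`, on the assumption that `heim_enomem` itself returns ENOMEM as the new doc comment implies, and a line in the docstring stating that a NULL context is accepted.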
@@ -130,34 +144,31 @@ hx509_set_error_string(hx509_context context, int flags, int code,
* @ingroup hx509_error
*/
-char *
+HX509_LIB_FUNCTION char * HX509_LIB_CALL
hx509_get_error_string(hx509_context context, int error_code)
{
- heim_error_t msg = context->error;
- heim_string_t s;
- char *str = NULL;
-
- if (msg == NULL || heim_error_get_code(msg) != error_code) {
- const char *cstr;
-
- cstr = com_right(context->et_list, error_code);
- if (cstr)
- return strdup(cstr);
- cstr = strerror(error_code);
- if (cstr)
- return strdup(cstr);
- if (asprintf(&str, "<unknown error: %d>", error_code) == -1)
- return NULL;
- return str;
- }
+ heim_string_t s = NULL;
+ const char *cstr = NULL;
+ char *str;
- s = heim_error_copy_string(msg);
- if (s) {
- const char *cstr = heim_string_get_utf8(s);
- if (cstr)
- str = strdup(cstr);
- heim_release(s);
- }
+ if (context) {
+ if (context->error &&
+ heim_error_get_code(context->error) == error_code &&
+ (s = heim_error_copy_string(context->error)))
+ cstr = heim_string_get_utf8(s);
+
+ if (cstr == NULL)
+ cstr = com_right(context->et_list, error_code);
+
+ if (cstr == NULL && error_code > -1)
+ cstr = strerror(error_code);
+ } /* else this could be an error in hx509_context_init() */
+
+ if (cstr == NULL)
+ cstr = error_message(error_code); /* never returns NULL */
+
+ str = strdup(cstr);
+ heim_release(s);
return str;
}
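Review bot: The order of `str = strdup(cstr);` before `heim_release(s);` is load-bearing, because `cstr` may point into the buffer owned by `s` (obtained via `heim_string_get_utf8`), yet nothing in the new body says so and a later reordering would turn into a use-after-free. Suggest a comment on the strdup line: `/* cstr may alias storage owned by s (or a static buffer): copy before releasing */`. The `/* never returns NULL */` remark on `error_message()` would also be more useful if it noted that the pointer it returns can be a static buffer, which is a second reason the copy must happen immediately. It is also worth documenting in the header comment that a NULL `context` is now accepted, since that is a behavioural change from the removed code.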
@@ -169,7 +180,7 @@ hx509_get_error_string(hx509_context context, int error_code)
* @ingroup hx509_error
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_free_error_string(char *str)
{
free(str);
@@ -187,9 +198,11 @@ hx509_free_error_string(char *str)
* @ingroup hx509_error
*/
-void
+HX509_LIB_NORETURN_FUNCTION
+ __attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)))
+void HX509_LIB_CALL
hx509_err(hx509_context context, int exit_code,
- int error_code, const char *fmt, ...)
+ int error_code, const char *fmt, ...)
{
va_list ap;
const char *msg;
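Review bot: The bare `__attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)))` is placed on the definition with no compiler guard; the hx509-private.h that this commit deletes carried `#define __attribute__(x)` for non-GNU compilers, so this line now relies on hx_locl.h or roken (or the regenerated header) supplying that fallback, which is worth confirming before a non-GCC build trips over it. If `HX509_LIB_NORETURN_FUNCTION` already expands to a noreturn attribute on the platforms that need it, the `__noreturn__` here duplicates it and only the format attribute needs to remain. The body of hx509_err continues past the end of this hunk.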
diff --git a/lib/hx509/file.c b/lib/hx509/file.c
index 6f34d3b74a9b..00f723c38bad 100644
--- a/lib/hx509/file.c
+++ b/lib/hx509/file.c
@@ -33,7 +33,7 @@
#include "hx_locl.h"
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_map_file_os(const char *fn, heim_octet_string *os)
{
size_t length;
@@ -48,13 +48,13 @@ _hx509_map_file_os(const char *fn, heim_octet_string *os)
return ret;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_unmap_file_os(heim_octet_string *os)
{
rk_xfree(os->data);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_write_file(const char *fn, const void *data, size_t length)
{
rk_dumpdata(fn, data, length);
@@ -71,7 +71,7 @@ print_pem_stamp(FILE *f, const char *type, const char *str)
fprintf(f, "-----%s %s-----\n", type, str);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_pem_write(hx509_context context, const char *type,
hx509_pem_header *headers, FILE *f,
const void *data, size_t size)
@@ -119,7 +119,7 @@ hx509_pem_write(hx509_context context, const char *type,
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_pem_add_header(hx509_pem_header **headers,
const char *header, const char *value)
{
@@ -146,7 +146,7 @@ hx509_pem_add_header(hx509_pem_header **headers,
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_pem_free_header(hx509_pem_header *headers)
{
hx509_pem_header *h;
@@ -163,7 +163,7 @@ hx509_pem_free_header(hx509_pem_header *headers)
*
*/
-const char *
+HX509_LIB_FUNCTION const char * HX509_LIB_CALL
hx509_pem_find_header(const hx509_pem_header *h, const char *header)
{
while(h) {
@@ -179,7 +179,7 @@ hx509_pem_find_header(const hx509_pem_header *h, const char *header)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_pem_read(hx509_context context,
FILE *f,
hx509_pem_read_func func,
@@ -230,7 +230,7 @@ hx509_pem_read(hx509_context context,
where = INDATA;
goto indata;
}
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case INHEADER:
if (buf[0] == '\0') {
where = INDATA;
@@ -239,7 +239,7 @@ hx509_pem_read(hx509_context context,
p = strchr(buf, ':');
if (p) {
*p++ = '\0';
- while (isspace((int)*p))
+ while (isspace((unsigned char)*p))
p++;
ret = hx509_pem_add_header(&headers, buf, p);
if (ret)
@@ -300,3 +300,88 @@ hx509_pem_read(hx509_context context,
return ret;
}
+
+/*
+ * On modern systems there's no such thing as scrubbing a file. Not this way
+ * anyways. However, for now we'll cargo-cult this along just as in lib/krb5.
+ */
+static int
+scrub_file(int fd, ssize_t sz)
+{
+ char buf[128];
+
+ memset(buf, 0, sizeof(buf));
+ while (sz > 0) {
+ ssize_t tmp;
+ size_t wr = sizeof(buf) > sz ? (size_t)sz : sizeof(buf);
+
+ tmp = write(fd, buf, wr);
+ if (tmp == -1)
+ return errno;
+ sz -= tmp;
+ }
+#ifdef _MSC_VER
+ return _commit(fd);
+#else
+ return fsync(fd);
+#endif
+}
+
+int
+_hx509_erase_file(hx509_context context, const char *fn)
+{
+ struct stat sb1, sb2;
+ int ret;
+ int fd;
+
+ if (fn == NULL)
+ return 0;
+
+ /* This is based on _krb5_erase_file(), minus file locking */
+ ret = lstat(fn, &sb1);
+ if (ret == -1 && errno == ENOENT)
+ return 0;
+ if (ret == -1) {
+ hx509_set_error_string(context, 0, errno, "hx509_certs_destroy: "
+ "stat of \"%s\": %s", fn, strerror(errno));
+ return errno;
+ }
+
+ fd = open(fn, O_RDWR | O_BINARY | O_CLOEXEC | O_NOFOLLOW);
+ if (fd < 0)
+ return errno == ENOENT ? 0 : errno;
+ rk_cloexec(fd);
+
+ if (unlink(fn) < 0) {
+ ret = errno;
+ (void) close(fd);
+ hx509_set_error_string(context, 0, ret, "hx509_certs_destroy: "
+ "unlinking \"%s\": %s", fn, strerror(ret));
+ return ret;
+ }
+
+ /* check TOCTOU, symlinks */
+ ret = fstat(fd, &sb2);
+ if (ret < 0) {
+ ret = errno;
+ hx509_set_error_string(context, 0, ret, "hx509_certs_destroy: "
+ "fstat of %d, \"%s\": %s", fd, fn,
+ strerror(ret));
+ (void) close(fd);
+ return ret;
+ }
+ if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
+ (void) close(fd);
+ return EPERM;
+ }
+
+ /* there are still hard links to this file */
+ if (sb2.st_nlink != 0) {
+ close(fd);
+ return 0;
+ }
+
+ ret = scrub_file(fd, sb2.st_size);
+ (void) close(fd);
+ return ret;
+}
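Review bot: In the lstat failure branch (the `if (ret == -1) {` after the ENOENT check) errno is read again after `hx509_set_error_string()` has run, so the value returned can be whatever that call's allocation or formatting left in errno rather than the stat error; the unlink and fstat branches below save it first and this one should match: `ret = errno;` then `hx509_set_error_string(context, 0, ret, "...: stat of \"%s\": %s", fn, strerror(ret));` and `return ret;`. Separately, `scrub_file(int fd, ssize_t sz)` receives `sb2.st_size`, an off_t, so on 32-bit builds with large-file support a file of 2 GiB or more is silently truncated to a wrong (possibly negative) length and under-scrubbed; declaring it `static int scrub_file(int fd, off_t sz)` and comparing `(off_t)sizeof(buf) > sz` avoids that. The error strings are prefixed `hx509_certs_destroy:` although the function is `_hx509_erase_file`; presumably that is the intended caller, but the prefix will mislead whenever another caller appears, so naming the function itself is safer. Unlike every other definition this commit touches in file.c, `_hx509_erase_file` is also left without the `HX509_LIB_FUNCTION ... HX509_LIB_CALL` decoration given to `_hx509_map_file_os` and `_hx509_write_file` above.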
diff --git a/lib/hx509/hx509-private.h b/lib/hx509/hx509-private.h
deleted file mode 100644
index 72d3bbdfa748..000000000000
--- a/lib/hx509/hx509-private.h
+++ /dev/null
@@ -1,493 +0,0 @@
-/* This is a generated file */
-#ifndef __hx509_private_h__
-#define __hx509_private_h__
-
-#include <stdarg.h>
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-int
-_hx509_AlgorithmIdentifier_cmp (
- const AlgorithmIdentifier */*p*/,
- const AlgorithmIdentifier */*q*/);
-
-int
-_hx509_Certificate_cmp (
- const Certificate */*p*/,
- const Certificate */*q*/);
-
-int
-_hx509_Name_to_string (
- const Name */*n*/,
- char **/*str*/);
-
-time_t
-_hx509_Time2time_t (const Time */*t*/);
-
-void
-_hx509_abort (
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)));
-
-int
-_hx509_calculate_path (
- hx509_context /*context*/,
- int /*flags*/,
- time_t /*time_now*/,
- hx509_certs /*anchors*/,
- unsigned int /*max_depth*/,
- hx509_cert /*cert*/,
- hx509_certs /*pool*/,
- hx509_path */*path*/);
-
-int
-_hx509_cert_assign_key (
- hx509_cert /*cert*/,
- hx509_private_key /*private_key*/);
-
-int
-_hx509_cert_get_eku (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- ExtKeyUsage */*e*/);
-
-int
-_hx509_cert_get_keyusage (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- KeyUsage */*ku*/);
-
-int
-_hx509_cert_get_version (const Certificate */*t*/);
-
-int
-_hx509_cert_is_parent_cmp (
- const Certificate */*subject*/,
- const Certificate */*issuer*/,
- int /*allow_self_signed*/);
-
-int
-_hx509_cert_private_decrypt (
- hx509_context /*context*/,
- const heim_octet_string */*ciphertext*/,
- const heim_oid */*encryption_oid*/,
- hx509_cert /*p*/,
- heim_octet_string */*cleartext*/);
-
-hx509_private_key
-_hx509_cert_private_key (hx509_cert /*p*/);
-
-int
-_hx509_cert_private_key_exportable (hx509_cert /*p*/);
-
-void
-_hx509_cert_set_release (
- hx509_cert /*cert*/,
- _hx509_cert_release_func /*release*/,
- void */*ctx*/);
-
-int
-_hx509_cert_to_env (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- hx509_env */*env*/);
-
-int
-_hx509_certs_keys_add (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_private_key /*key*/);
-
-void
-_hx509_certs_keys_free (
- hx509_context /*context*/,
- hx509_private_key */*keys*/);
-
-int
-_hx509_certs_keys_get (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_private_key **/*keys*/);
-
-int
-_hx509_check_key_usage (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- unsigned /*flags*/,
- int /*req_present*/);
-
-int
-_hx509_collector_alloc (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- struct hx509_collector **/*collector*/);
-
-int
-_hx509_collector_certs_add (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- hx509_cert /*cert*/);
-
-int
-_hx509_collector_collect_certs (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- hx509_certs */*ret_certs*/);
-
-int
-_hx509_collector_collect_private_keys (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- hx509_private_key **/*keys*/);
-
-void
-_hx509_collector_free (struct hx509_collector */*c*/);
-
-hx509_lock
-_hx509_collector_get_lock (struct hx509_collector */*c*/);
-
-int
-_hx509_collector_private_key_add (
- hx509_context /*context*/,
- struct hx509_collector */*c*/,
- const AlgorithmIdentifier */*alg*/,
- hx509_private_key /*private_key*/,
- const heim_octet_string */*key_data*/,
- const heim_octet_string */*localKeyId*/);
-
-int
-_hx509_create_signature (
- hx509_context /*context*/,
- const hx509_private_key /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- AlgorithmIdentifier */*signatureAlgorithm*/,
- heim_octet_string */*sig*/);
-
-int
-_hx509_create_signature_bitstring (
- hx509_context /*context*/,
- const hx509_private_key /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- AlgorithmIdentifier */*signatureAlgorithm*/,
- heim_bit_string */*sig*/);
-
-int
-_hx509_expr_eval (
- hx509_context /*context*/,
- hx509_env /*env*/,
- struct hx_expr */*expr*/);
-
-void
-_hx509_expr_free (struct hx_expr */*expr*/);
-
-struct hx_expr *
-_hx509_expr_parse (const char */*buf*/);
-
-int
-_hx509_find_extension_subject_key_id (
- const Certificate */*issuer*/,
- SubjectKeyIdentifier */*si*/);
-
-const struct signature_alg *
-_hx509_find_sig_alg (const heim_oid */*oid*/);
-
-int
-_hx509_generate_private_key (
- hx509_context /*context*/,
- struct hx509_generate_private_context */*ctx*/,
- hx509_private_key */*private_key*/);
-
-int
-_hx509_generate_private_key_bits (
- hx509_context /*context*/,
- struct hx509_generate_private_context */*ctx*/,
- unsigned long /*bits*/);
-
-void
-_hx509_generate_private_key_free (struct hx509_generate_private_context **/*ctx*/);
-
-int
-_hx509_generate_private_key_init (
- hx509_context /*context*/,
- const heim_oid */*oid*/,
- struct hx509_generate_private_context **/*ctx*/);
-
-int
-_hx509_generate_private_key_is_ca (
- hx509_context /*context*/,
- struct hx509_generate_private_context */*ctx*/);
-
-Certificate *
-_hx509_get_cert (hx509_cert /*cert*/);
-
-void
-_hx509_ks_dir_register (hx509_context /*context*/);
-
-void
-_hx509_ks_file_register (hx509_context /*context*/);
-
-void
-_hx509_ks_keychain_register (hx509_context /*context*/);
-
-void
-_hx509_ks_mem_register (hx509_context /*context*/);
-
-void
-_hx509_ks_null_register (hx509_context /*context*/);
-
-void
-_hx509_ks_pkcs11_register (hx509_context /*context*/);
-
-void
-_hx509_ks_pkcs12_register (hx509_context /*context*/);
-
-void
-_hx509_ks_register (
- hx509_context /*context*/,
- struct hx509_keyset_ops */*ops*/);
-
-int
-_hx509_lock_find_cert (
- hx509_lock /*lock*/,
- const hx509_query */*q*/,
- hx509_cert */*c*/);
-
-const struct _hx509_password *
-_hx509_lock_get_passwords (hx509_lock /*lock*/);
-
-hx509_certs
-_hx509_lock_unlock_certs (hx509_lock /*lock*/);
-
-struct hx_expr *
-_hx509_make_expr (
- enum hx_expr_op /*op*/,
- void */*arg1*/,
- void */*arg2*/);
-
-int
-_hx509_map_file_os (
- const char */*fn*/,
- heim_octet_string */*os*/);
-
-int
-_hx509_match_keys (
- hx509_cert /*c*/,
- hx509_private_key /*key*/);
-
-int
-_hx509_name_cmp (
- const Name */*n1*/,
- const Name */*n2*/,
- int */*c*/);
-
-int
-_hx509_name_ds_cmp (
- const DirectoryString */*ds1*/,
- const DirectoryString */*ds2*/,
- int */*diff*/);
-
-int
-_hx509_name_from_Name (
- const Name */*n*/,
- hx509_name */*name*/);
-
-int
-_hx509_name_modify (
- hx509_context /*context*/,
- Name */*name*/,
- int /*append*/,
- const heim_oid */*oid*/,
- const char */*str*/);
-
-int
-_hx509_path_append (
- hx509_context /*context*/,
- hx509_path */*path*/,
- hx509_cert /*cert*/);
-
-void
-_hx509_path_free (hx509_path */*path*/);
-
-int
-_hx509_pbe_decrypt (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- const AlgorithmIdentifier */*ai*/,
- const heim_octet_string */*econtent*/,
- heim_octet_string */*content*/);
-
-int
-_hx509_pbe_encrypt (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- const AlgorithmIdentifier */*ai*/,
- const heim_octet_string */*content*/,
- heim_octet_string */*econtent*/);
-
-void
-_hx509_pi_printf (
- int (*/*func*/)(void *, const char *),
- void */*ctx*/,
- const char */*fmt*/,
- ...);
-
-void
-_hx509_private_eckey_free (void */*eckey*/);
-
-int
-_hx509_private_key_export (
- hx509_context /*context*/,
- const hx509_private_key /*key*/,
- hx509_key_format_t /*format*/,
- heim_octet_string */*data*/);
-
-int
-_hx509_private_key_exportable (hx509_private_key /*key*/);
-
-BIGNUM *
-_hx509_private_key_get_internal (
- hx509_context /*context*/,
- hx509_private_key /*key*/,
- const char */*type*/);
-
-int
-_hx509_private_key_oid (
- hx509_context /*context*/,
- const hx509_private_key /*key*/,
- heim_oid */*data*/);
-
-hx509_private_key
-_hx509_private_key_ref (hx509_private_key /*key*/);
-
-const char *
-_hx509_private_pem_name (hx509_private_key /*key*/);
-
-int
-_hx509_public_encrypt (
- hx509_context /*context*/,
- const heim_octet_string */*cleartext*/,
- const Certificate */*cert*/,
- heim_oid */*encryption_oid*/,
- heim_octet_string */*ciphertext*/);
-
-void
-_hx509_query_clear (hx509_query */*q*/);
-
-int
-_hx509_query_match_cert (
- hx509_context /*context*/,
- const hx509_query */*q*/,
- hx509_cert /*cert*/);
-
-void
-_hx509_query_statistic (
- hx509_context /*context*/,
- int /*type*/,
- const hx509_query */*q*/);
-
-int
-_hx509_request_add_dns_name (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const char */*hostname*/);
-
-int
-_hx509_request_add_eku (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const heim_oid */*oid*/);
-
-int
-_hx509_request_add_email (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const char */*email*/);
-
-int
-_hx509_request_parse (
- hx509_context /*context*/,
- const char */*path*/,
- hx509_request */*req*/);
-
-int
-_hx509_request_print (
- hx509_context /*context*/,
- hx509_request /*req*/,
- FILE */*f*/);
-
-int
-_hx509_request_to_pkcs10 (
- hx509_context /*context*/,
- const hx509_request /*req*/,
- const hx509_private_key /*signer*/,
- heim_octet_string */*request*/);
-
-hx509_revoke_ctx
-_hx509_revoke_ref (hx509_revoke_ctx /*ctx*/);
-
-void
-_hx509_sel_yyerror (const char */*s*/);
-
-int
-_hx509_self_signed_valid (
- hx509_context /*context*/,
- const AlgorithmIdentifier */*alg*/);
-
-int
-_hx509_set_cert_attribute (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- const heim_oid */*oid*/,
- const heim_octet_string */*attr*/);
-
-int
-_hx509_set_digest_alg (
- DigestAlgorithmIdentifier */*id*/,
- const heim_oid */*oid*/,
- const void */*param*/,
- size_t /*length*/);
-
-int
-_hx509_signature_is_weak (
- hx509_context /*context*/,
- const AlgorithmIdentifier */*alg*/);
-
-void
-_hx509_unmap_file_os (heim_octet_string */*os*/);
-
-int
-_hx509_unparse_Name (
- const Name */*aname*/,
- char **/*str*/);
-
-time_t
-_hx509_verify_get_time (hx509_verify_ctx /*ctx*/);
-
-int
-_hx509_verify_signature (
- hx509_context /*context*/,
- const hx509_cert /*cert*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- const heim_octet_string */*sig*/);
-
-int
-_hx509_verify_signature_bitstring (
- hx509_context /*context*/,
- const hx509_cert /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- const heim_bit_string */*sig*/);
-
-int
-_hx509_write_file (
- const char */*fn*/,
- const void */*data*/,
- size_t /*length*/);
-
-#endif /* __hx509_private_h__ */
diff --git a/lib/hx509/hx509-protos.h b/lib/hx509/hx509-protos.h
deleted file mode 100644
index ed9bfb552db3..000000000000
--- a/lib/hx509/hx509-protos.h
+++ /dev/null
@@ -1,3154 +0,0 @@
-/* This is a generated file */
-#ifndef __hx509_protos_h__
-#define __hx509_protos_h__
-#ifndef DOXY
-
-#include <stdarg.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef HX509_LIB
-#ifndef HX509_LIB_FUNCTION
-#if defined(_WIN32)
-#define HX509_LIB_FUNCTION __declspec(dllimport)
-#define HX509_LIB_CALL __stdcall
-#define HX509_LIB_VARIABLE __declspec(dllimport)
-#else
-#define HX509_LIB_FUNCTION
-#define HX509_LIB_CALL
-#define HX509_LIB_VARIABLE
-#endif
-#endif
-#endif
-/**
- * Print a bitstring using a hx509_vprint_func function. To print to
- * stdout use hx509_print_stdout().
- *
- * @param b bit string to print.
- * @param func hx509_vprint_func to print with.
- * @param ctx context variable to hx509_vprint_func function.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_bitstring_print (
- const heim_bit_string */*b*/,
- hx509_vprint_func /*func*/,
- void */*ctx*/);
-
-/**
- * Sign a to-be-signed certificate object with a issuer certificate.
- *
- * The caller needs to at least have called the following functions on the
- * to-be-signed certificate object:
- * - hx509_ca_tbs_init()
- * - hx509_ca_tbs_set_subject()
- * - hx509_ca_tbs_set_spki()
- *
- * When done the to-be-signed certificate object should be freed with
- * hx509_ca_tbs_free().
- *
- * When creating self-signed certificate use hx509_ca_sign_self() instead.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param signer the CA certificate object to sign with (need private key).
- * @param certificate return cerificate, free with hx509_cert_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_sign (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_cert /*signer*/,
- hx509_cert */*certificate*/);
-
-/**
- * Work just like hx509_ca_sign() but signs it-self.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param signer private key to sign with.
- * @param certificate return cerificate, free with hx509_cert_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_sign_self (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_private_key /*signer*/,
- hx509_cert */*certificate*/);
-
-/**
- * Add CRL distribution point URI to the to-be-signed certificate
- * object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param uri uri to the CRL.
- * @param issuername name of the issuer.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_crl_dp_uri (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*uri*/,
- hx509_name /*issuername*/);
-
-/**
- * An an extended key usage to the to-be-signed certificate object.
- * Duplicates will detected and not added.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param oid extended key usage to add.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_eku (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_oid */*oid*/);
-
-/**
- * Add a Subject Alternative Name hostname to to-be-signed certificate
- * object. A domain match starts with ., an exact match does not.
- *
- * Example of a an domain match: .domain.se matches the hostname
- * host.domain.se.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param dnsname a hostame.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_hostname (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*dnsname*/);
-
-/**
- * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
- * certificate object. The jid is an UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param jid string of an a jabber id in UTF8.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_jid (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*jid*/);
-
-/**
- * Add Microsoft UPN Subject Alternative Name to the to-be-signed
- * certificate object. The principal string is a UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param principal Microsoft UPN string.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_ms_upn (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*principal*/);
-
-/**
- * Add Subject Alternative Name otherName to the to-be-signed
- * certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param oid the oid of the OtherName.
- * @param os data in the other name.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_otherName (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_oid */*oid*/,
- const heim_octet_string */*os*/);
-
-/**
- * Add Kerberos Subject Alternative Name to the to-be-signed
- * certificate object. The principal string is a UTF8 string.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param principal Kerberos principal to add to the certificate.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_pkinit (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*principal*/);
-
-/**
- * Add a Subject Alternative Name rfc822 (email address) to
- * to-be-signed certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param rfc822Name a string to a email address.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_add_san_rfc822name (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const char */*rfc822Name*/);
-
-/**
- * Free an To Be Signed object.
- *
- * @param tbs object to free.
- *
- * @ingroup hx509_ca
- */
-
-void
-hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/);
-
-/**
- * Allocate an to-be-signed certificate object that will be converted
- * into an certificate.
- *
- * @param context A hx509 context.
- * @param tbs returned to-be-signed certicate object, free with
- * hx509_ca_tbs_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_init (
- hx509_context /*context*/,
- hx509_ca_tbs */*tbs*/);
-
-/**
- * Make the to-be-signed certificate object a CA certificate. If the
- * pathLenConstraint is negative path length constraint is used.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param pathLenConstraint path length constraint, negative, no
- * constraint.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_ca (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- int /*pathLenConstraint*/);
-
-/**
- * Make the to-be-signed certificate object a windows domain controller certificate.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_domaincontroller (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/);
-
-/**
- * Set the absolute time when the certificate is valid to.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param t time when the certificate will expire
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_notAfter (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- time_t /*t*/);
-
-/**
- * Set the relative time when the certificiate is going to expire.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param delta seconds to the certificate is going to expire.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_notAfter_lifetime (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- time_t /*delta*/);
-
-/**
- * Set the absolute time when the certificate is valid from. If not
- * set the current time will be used.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param t time the certificated will start to be valid
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_notBefore (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- time_t /*t*/);
-
-/**
- * Make the to-be-signed certificate object a proxy certificate. If the
- * pathLenConstraint is negative path length constraint is used.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param pathLenConstraint path length constraint, negative, no
- * constraint.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_proxy (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- int /*pathLenConstraint*/);
-
-/**
- * Set the serial number to use for to-be-signed certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param serialNumber serial number to use for the to-be-signed
- * certificate object.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_serialnumber (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_integer */*serialNumber*/);
-
-/**
- * Set signature algorithm on the to be signed certificate
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param sigalg signature algorithm to use
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_signature_algorithm (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const AlgorithmIdentifier */*sigalg*/);
-
-/**
- * Set the subject public key info (SPKI) in the to-be-signed certificate
- * object. SPKI is the public key and key related parameters in the
- * certificate.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param spki subject public key info to use for the to-be-signed certificate object.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_spki (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const SubjectPublicKeyInfo */*spki*/);
-
-/**
- * Set the subject name of a to-be-signed certificate object.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param subject the name to set a subject.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_subject (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_name /*subject*/);
-
-/**
- * Initialize the to-be-signed certificate object from a template certifiate.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param flags bit field selecting what to copy from the template
- * certifiate.
- * @param cert template certificate.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_template (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- int /*flags*/,
- hx509_cert /*cert*/);
-
-/**
- * Set the issuerUniqueID and subjectUniqueID
- *
- * These are only supposed to be used considered with version 2
- * certificates, replaced by the two extensions SubjectKeyIdentifier
- * and IssuerKeyIdentifier. This function is to allow application
- * using legacy protocol to issue them.
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param issuerUniqueID to be set
- * @param subjectUniqueID to be set
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_set_unique (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- const heim_bit_string */*subjectUniqueID*/,
- const heim_bit_string */*issuerUniqueID*/);
-
-/**
- * Expand the the subject name in the to-be-signed certificate object
- * using hx509_name_expand().
- *
- * @param context A hx509 context.
- * @param tbs object to be signed.
- * @param env environment variable to expand variables in the subject
- * name, see hx509_env_init().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_ca
- */
-
-int
-hx509_ca_tbs_subject_expand (
- hx509_context /*context*/,
- hx509_ca_tbs /*tbs*/,
- hx509_env /*env*/);
-
-/**
- * Make of template units, use to build flags argument to
- * hx509_ca_tbs_set_template() with parse_units().
- *
- * @return an units structure.
- *
- * @ingroup hx509_ca
- */
-
-const struct units *
-hx509_ca_tbs_template_units (void);
-
-/**
- * Encodes the hx509 certificate as a DER encode binary.
- *
- * @param context A hx509 context.
- * @param c the certificate to encode.
- * @param os the encode certificate, set to NULL, 0 on case of
- * error. Free the os->data with hx509_xfree().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_binary (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- heim_octet_string */*os*/);
-
-/**
- * Check the extended key usage on the hx509 certificate.
- *
- * @param context A hx509 context.
- * @param cert A hx509 context.
- * @param eku the EKU to check for
- * @param allow_any_eku if the any EKU is set, allow that to be a
- * substitute.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_check_eku (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- const heim_oid */*eku*/,
- int /*allow_any_eku*/);
-
-/**
- * Compare to hx509 certificate object, useful for sorting.
- *
- * @param p a hx509 certificate object.
- * @param q a hx509 certificate object.
- *
- * @return 0 the objects are the same, returns > 0 is p is "larger"
- * then q, < 0 if p is "smaller" then q.
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_cmp (
- hx509_cert /*p*/,
- hx509_cert /*q*/);
-
-/**
- * Return a list of subjectAltNames specified by oid in the
- * certificate. On error the
- *
- * The returned list of octet string should be freed with
- * hx509_free_octet_string_list().
- *
- * @param context A hx509 context.
- * @param cert a hx509 certificate object.
- * @param oid an oid to for SubjectAltName.
- * @param list list of matching SubjectAltName.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_find_subjectAltName_otherName (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- const heim_oid */*oid*/,
- hx509_octet_string_list */*list*/);
-
-/**
- * Free reference to the hx509 certificate object, if the refcounter
- * reaches 0, the object if freed. Its allowed to pass in NULL.
- *
- * @param cert the cert to free.
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_cert_free (hx509_cert /*cert*/);
-
-/**
- * Get the SubjectPublicKeyInfo structure from the hx509 certificate.
- *
- * @param context a hx509 context.
- * @param p a hx509 certificate object.
- * @param spki SubjectPublicKeyInfo, should be freed with
- * free_SubjectPublicKeyInfo().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_SPKI (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- SubjectPublicKeyInfo */*spki*/);
-
-/**
- * Get the AlgorithmIdentifier from the hx509 certificate.
- *
- * @param context a hx509 context.
- * @param p a hx509 certificate object.
- * @param alg AlgorithmIdentifier, should be freed with
- * free_AlgorithmIdentifier(). The algorithmidentifier is
- * typicly rsaEncryption, or id-ecPublicKey, or some other
- * public key mechanism.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_SPKI_AlgorithmIdentifier (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- AlgorithmIdentifier */*alg*/);
-
-/**
- * Get an external attribute for the certificate, examples are
- * friendly name and id.
- *
- * @param cert hx509 certificate object to search
- * @param oid an oid to search for.
- *
- * @return an hx509_cert_attribute, only valid as long as the
- * certificate is referenced.
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert_attribute
-hx509_cert_get_attribute (
- hx509_cert /*cert*/,
- const heim_oid */*oid*/);
-
-/**
- * Return the name of the base subject of the hx509 certificate. If
- * the certiicate is a verified proxy certificate, the this function
- * return the base certificate (root of the proxy chain). If the proxy
- * certificate is not verified with the base certificate
- * HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned.
- *
- * @param context a hx509 context.
- * @param c a hx509 certificate object.
- * @param name a pointer to a hx509 name, should be freed by
- * hx509_name_free(). See also hx509_cert_get_subject().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_base_subject (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- hx509_name */*name*/);
-
-/**
- * Get friendly name of the certificate.
- *
- * @param cert cert to get the friendly name from.
- *
- * @return an friendly name or NULL if there is. The friendly name is
- * only valid as long as the certificate is referenced.
- *
- * @ingroup hx509_cert
- */
-
-const char *
-hx509_cert_get_friendly_name (hx509_cert /*cert*/);
-
-/**
- * Return the name of the issuer of the hx509 certificate.
- *
- * @param p a hx509 certificate object.
- * @param name a pointer to a hx509 name, should be freed by
- * hx509_name_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_issuer (
- hx509_cert /*p*/,
- hx509_name */*name*/);
-
-/**
- * Get a copy of the Issuer Unique ID
- *
- * @param context a hx509_context
- * @param p a hx509 certificate
- * @param issuer the issuer id returned, free with der_free_bit_string()
- *
- * @return An hx509 error code, see hx509_get_error_string(). The
- * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
- * doesn't have a issuerUniqueID
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_issuer_unique_id (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- heim_bit_string */*issuer*/);
-
-/**
- * Get notAfter time of the certificate.
- *
- * @param p a hx509 certificate object.
- *
- * @return return not after time.
- *
- * @ingroup hx509_cert
- */
-
-time_t
-hx509_cert_get_notAfter (hx509_cert /*p*/);
-
-/**
- * Get notBefore time of the certificate.
- *
- * @param p a hx509 certificate object.
- *
- * @return return not before time
- *
- * @ingroup hx509_cert
- */
-
-time_t
-hx509_cert_get_notBefore (hx509_cert /*p*/);
-
-/**
- * Get serial number of the certificate.
- *
- * @param p a hx509 certificate object.
- * @param i serial number, should be freed ith der_free_heim_integer().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_serialnumber (
- hx509_cert /*p*/,
- heim_integer */*i*/);
-
-/**
- * Return the name of the subject of the hx509 certificate.
- *
- * @param p a hx509 certificate object.
- * @param name a pointer to a hx509 name, should be freed by
- * hx509_name_free(). See also hx509_cert_get_base_subject().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_subject (
- hx509_cert /*p*/,
- hx509_name */*name*/);
-
-/**
- * Get a copy of the Subect Unique ID
- *
- * @param context a hx509_context
- * @param p a hx509 certificate
- * @param subject the subject id returned, free with der_free_bit_string()
- *
- * @return An hx509 error code, see hx509_get_error_string(). The
- * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
- * doesn't have a subjectUniqueID
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_get_subject_unique_id (
- hx509_context /*context*/,
- hx509_cert /*p*/,
- heim_bit_string */*subject*/);
-
-int
-hx509_cert_have_private_key (hx509_cert /*p*/);
-
-/**
- * Allocate and init an hx509 certificate object from the decoded
- * certificate `c´.
- *
- * @param context A hx509 context.
- * @param c
- * @param error
- *
- * @return Returns an hx509 certificate
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert
-hx509_cert_init (
- hx509_context /*context*/,
- const Certificate */*c*/,
- heim_error_t */*error*/);
-
-/**
- * Just like hx509_cert_init(), but instead of a decode certificate
- * takes an pointer and length to a memory region that contains a
- * DER/BER encoded certificate.
- *
- * If the memory region doesn't contain just the certificate and
- * nothing more the function will fail with
- * HX509_EXTRA_DATA_AFTER_STRUCTURE.
- *
- * @param context A hx509 context.
- * @param ptr pointer to memory region containing encoded certificate.
- * @param len length of memory region.
- * @param error possibly returns an error
- *
- * @return An hx509 certificate
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert
-hx509_cert_init_data (
- hx509_context /*context*/,
- const void */*ptr*/,
- size_t /*len*/,
- heim_error_t */*error*/);
-
-/**
- * Print certificate usage for a certificate to a string.
- *
- * @param context A hx509 context.
- * @param c a certificate print the keyusage for.
- * @param s the return string with the keysage printed in to, free
- * with hx509_xfree().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_cert_keyusage_print (
- hx509_context /*context*/,
- hx509_cert /*c*/,
- char **/*s*/);
-
-int
-hx509_cert_public_encrypt (
- hx509_context /*context*/,
- const heim_octet_string */*cleartext*/,
- const hx509_cert /*p*/,
- heim_oid */*encryption_oid*/,
- heim_octet_string */*ciphertext*/);
-
-/**
- * Add a reference to a hx509 certificate object.
- *
- * @param cert a pointer to an hx509 certificate object.
- *
- * @return the same object as is passed in.
- *
- * @ingroup hx509_cert
- */
-
-hx509_cert
-hx509_cert_ref (hx509_cert /*cert*/);
-
-/**
- * Set the friendly name on the certificate.
- *
- * @param cert The certificate to set the friendly name on
- * @param name Friendly name.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_cert_set_friendly_name (
- hx509_cert /*cert*/,
- const char */*name*/);
-
-/**
- * Add a certificate to the certificiate store.
- *
- * The receiving keyset certs will either increase reference counter
- * of the cert or make a deep copy, either way, the caller needs to
- * free the cert itself.
- *
- * @param context a hx509 context.
- * @param certs certificate store to add the certificate to.
- * @param cert certificate to add.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_add (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cert /*cert*/);
-
-/**
- * Same a hx509_certs_merge() but use a lock and name to describe the
- * from source.
- *
- * @param context a hx509 context.
- * @param to the store to merge into.
- * @param lock a lock that unlocks the certificates store, use NULL to
- * select no password/certifictes/prompt lock (see @ref page_lock).
- * @param name name of the source store
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_append (
- hx509_context /*context*/,
- hx509_certs /*to*/,
- hx509_lock /*lock*/,
- const char */*name*/);
-
-/**
- * End the iteration over certificates.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param cursor cursor that will keep track of progress, freed.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_end_seq (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cursor /*cursor*/);
-
-/**
- * Filter certificate matching the query.
- *
- * @param context a hx509 context.
- * @param certs certificate store to search.
- * @param q query allocated with @ref hx509_query functions.
- * @param result the filtered certificate store, caller must free with
- * hx509_certs_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_filter (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- const hx509_query */*q*/,
- hx509_certs */*result*/);
-
-/**
- * Find a certificate matching the query.
- *
- * @param context a hx509 context.
- * @param certs certificate store to search.
- * @param q query allocated with @ref hx509_query functions.
- * @param r return certificate (or NULL on error), should be freed
- * with hx509_cert_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_find (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- const hx509_query */*q*/,
- hx509_cert */*r*/);
-
-/**
- * Free a certificate store.
- *
- * @param certs certificate store to free.
- *
- * @ingroup hx509_keyset
- */
-
-void
-hx509_certs_free (hx509_certs */*certs*/);
-
-/**
- * Print some info about the certificate store.
- *
- * @param context a hx509 context.
- * @param certs certificate store to print information about.
- * @param func function that will get each line of the information, if
- * NULL is used the data is printed on a FILE descriptor that should
- * be passed in ctx, if ctx also is NULL, stdout is used.
- * @param ctx parameter to func.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_info (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int (*/*func*/)(void *, const char *),
- void */*ctx*/);
-
-/**
- * Open or creates a new hx509 certificate store.
- *
- * @param context A hx509 context
- * @param name name of the store, format is TYPE:type-specific-string,
- * if NULL is used the MEMORY store is used.
- * @param flags list of flags:
- * - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
- * - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
- * @param lock a lock that unlocks the certificates store, use NULL to
- * select no password/certifictes/prompt lock (see @ref page_lock).
- * @param certs return pointer, free with hx509_certs_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_init (
- hx509_context /*context*/,
- const char */*name*/,
- int /*flags*/,
- hx509_lock /*lock*/,
- hx509_certs */*certs*/);
-
-/**
- * Iterate over all certificates in a keystore and call a block
- * for each of them.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param func block to call for each certificate. The function
- * should return non-zero to abort the iteration, that value is passed
- * back to the caller of hx509_certs_iter().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-#ifdef __BLOCKS__
-int
-hx509_certs_iter (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int (^func)(hx509_cert));
-#endif /* __BLOCKS__ */
-
-/**
- * Iterate over all certificates in a keystore and call a function
- * for each of them.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param func function to call for each certificate. The function
- * should return non-zero to abort the iteration, that value is passed
- * back to the caller of hx509_certs_iter_f().
- * @param ctx context variable that will passed to the function.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_iter_f (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int (*/*func*/)(hx509_context, void *, hx509_cert),
- void */*ctx*/);
-
-/**
- * Merge a certificate store into another. The from store is keep
- * intact.
- *
- * @param context a hx509 context.
- * @param to the store to merge into.
- * @param from the store to copy the object from.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_merge (
- hx509_context /*context*/,
- hx509_certs /*to*/,
- hx509_certs /*from*/);
-
-/**
- * Get next ceritificate from the certificate keystore pointed out by
- * cursor.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param cursor cursor that keeps track of progress.
- * @param cert return certificate next in store, NULL if the store
- * contains no more certificates. Free with hx509_cert_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_next_cert (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cursor /*cursor*/,
- hx509_cert */*cert*/);
-
-hx509_certs
-hx509_certs_ref (hx509_certs /*certs*/);
-
-/**
- * Start the integration
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over
- * @param cursor cursor that will keep track of progress, free with
- * hx509_certs_end_seq().
- *
- * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is
- * returned if the certificate store doesn't support the iteration
- * operation.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_start_seq (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cursor */*cursor*/);
-
-/**
- * Write the certificate store to stable storage.
- *
- * @param context A hx509 context.
- * @param certs a certificate store to store.
- * @param flags currently unused, use 0.
- * @param lock a lock that unlocks the certificates store, use NULL to
- * select no password/certifictes/prompt lock (see @ref page_lock).
- *
- * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if
- * the certificate store doesn't support the store operation.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_certs_store (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int /*flags*/,
- hx509_lock /*lock*/);
-
-/**
- * Function to use to hx509_certs_iter_f() as a function argument, the
- * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor.
- *
- * @param context a hx509 context.
- * @param ctx used by hx509_certs_iter_f().
- * @param c a certificate
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_ci_print_names (
- hx509_context /*context*/,
- void */*ctx*/,
- hx509_cert /*c*/);
-
-/**
- * Resets the error strings the hx509 context.
- *
- * @param context A hx509 context.
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_clear_error_string (hx509_context /*context*/);
-
-int
-hx509_cms_create_signed (
- hx509_context /*context*/,
- int /*flags*/,
- const heim_oid */*eContentType*/,
- const void */*data*/,
- size_t /*length*/,
- const AlgorithmIdentifier */*digest_alg*/,
- hx509_certs /*certs*/,
- hx509_peer_info /*peer*/,
- hx509_certs /*anchors*/,
- hx509_certs /*pool*/,
- heim_octet_string */*signed_data*/);
-
-/**
- * Decode SignedData and verify that the signature is correct.
- *
- * @param context A hx509 context.
- * @param flags
- * @param eContentType the type of the data.
- * @param data data to sign
- * @param length length of the data that data point to.
- * @param digest_alg digest algorithm to use, use NULL to get the
- * default or the peer determined algorithm.
- * @param cert certificate to use for sign the data.
- * @param peer info about the peer the message to send the message to,
- * like what digest algorithm to use.
- * @param anchors trust anchors that the client will use, used to
- * polulate the certificates included in the message
- * @param pool certificates to use in try to build the path to the
- * trust anchors.
- * @param signed_data the output of the function, free with
- * der_free_octet_string().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_create_signed_1 (
- hx509_context /*context*/,
- int /*flags*/,
- const heim_oid */*eContentType*/,
- const void */*data*/,
- size_t /*length*/,
- const AlgorithmIdentifier */*digest_alg*/,
- hx509_cert /*cert*/,
- hx509_peer_info /*peer*/,
- hx509_certs /*anchors*/,
- hx509_certs /*pool*/,
- heim_octet_string */*signed_data*/);
-
-/**
- * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no
- * signatures).
- */
-
-int
-hx509_cms_decrypt_encrypted (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- const void */*data*/,
- size_t /*length*/,
- heim_oid */*contentType*/,
- heim_octet_string */*content*/);
-
-/**
- * Encrypt end encode EnvelopedData.
- *
- * Encrypt and encode EnvelopedData. The data is encrypted with a
- * random key and the the random key is encrypted with the
- * certificates private key. This limits what private key type can be
- * used to RSA.
- *
- * @param context A hx509 context.
- * @param flags flags to control the behavior.
- * - HX509_CMS_EV_NO_KU_CHECK - Don't check KU on certificate
- * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo
- * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number
- * @param cert Certificate to encrypt the EnvelopedData encryption key
- * with.
- * @param data pointer the data to encrypt.
- * @param length length of the data that data point to.
- * @param encryption_type Encryption cipher to use for the bulk data,
- * use NULL to get default.
- * @param contentType type of the data that is encrypted
- * @param content the output of the function,
- * free with der_free_octet_string().
- *
- * @return an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_envelope_1 (
- hx509_context /*context*/,
- int /*flags*/,
- hx509_cert /*cert*/,
- const void */*data*/,
- size_t /*length*/,
- const heim_oid */*encryption_type*/,
- const heim_oid */*contentType*/,
- heim_octet_string */*content*/);
-
-/**
- * Decode and unencrypt EnvelopedData.
- *
- * Extract data and parameteres from from the EnvelopedData. Also
- * supports using detached EnvelopedData.
- *
- * @param context A hx509 context.
- * @param certs Certificate that can decrypt the EnvelopedData
- * encryption key.
- * @param flags HX509_CMS_UE flags to control the behavior.
- * @param data pointer the structure the contains the DER/BER encoded
- * EnvelopedData stucture.
- * @param length length of the data that data point to.
- * @param encryptedContent in case of detached signature, this
- * contains the actual encrypted data, othersize its should be NULL.
- * @param time_now set the current time, if zero the library uses now as the date.
- * @param contentType output type oid, should be freed with der_free_oid().
- * @param content the data, free with der_free_octet_string().
- *
- * @return an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_unenvelope (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- int /*flags*/,
- const void */*data*/,
- size_t /*length*/,
- const heim_octet_string */*encryptedContent*/,
- time_t /*time_now*/,
- heim_oid */*contentType*/,
- heim_octet_string */*content*/);
-
-/**
- * Decode an ContentInfo and unwrap data and oid it.
- *
- * @param in the encoded buffer.
- * @param oid type of the content.
- * @param out data to be wrapped.
- * @param have_data since the data is optional, this flags show dthe
- * diffrence between no data and the zero length data.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_unwrap_ContentInfo (
- const heim_octet_string */*in*/,
- heim_oid */*oid*/,
- heim_octet_string */*out*/,
- int */*have_data*/);
-
-/**
- * Decode SignedData and verify that the signature is correct.
- *
- * @param context A hx509 context.
- * @param ctx a hx509 verify context.
- * @param flags to control the behaivor of the function.
- * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
- * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
- * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
- * @param data pointer to CMS SignedData encoded data.
- * @param length length of the data that data point to.
- * @param signedContent external data used for signature.
- * @param pool certificate pool to build certificates paths.
- * @param contentType free with der_free_oid().
- * @param content the output of the function, free with
- * der_free_octet_string().
- * @param signer_certs list of the cerficates used to sign this
- * request, free with hx509_certs_free().
- *
- * @return an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_verify_signed (
- hx509_context /*context*/,
- hx509_verify_ctx /*ctx*/,
- unsigned int /*flags*/,
- const void */*data*/,
- size_t /*length*/,
- const heim_octet_string */*signedContent*/,
- hx509_certs /*pool*/,
- heim_oid */*contentType*/,
- heim_octet_string */*content*/,
- hx509_certs */*signer_certs*/);
-
-/**
- * Wrap data and oid in a ContentInfo and encode it.
- *
- * @param oid type of the content.
- * @param buf data to be wrapped. If a NULL pointer is passed in, the
- * optional content field in the ContentInfo is not going be filled
- * in.
- * @param res the encoded buffer, the result should be freed with
- * der_free_octet_string().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_cms
- */
-
-int
-hx509_cms_wrap_ContentInfo (
- const heim_oid */*oid*/,
- const heim_octet_string */*buf*/,
- heim_octet_string */*res*/);
-
-/**
- * Free the context allocated by hx509_context_init().
- *
- * @param context context to be freed.
- *
- * @ingroup hx509
- */
-
-void
-hx509_context_free (hx509_context */*context*/);
-
-/**
- * Creates a hx509 context that most functions in the library
- * uses. The context is only allowed to be used by one thread at each
- * moment. Free the context with hx509_context_free().
- *
- * @param context Returns a pointer to new hx509 context.
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509
- */
-
-int
-hx509_context_init (hx509_context */*context*/);
-
-/**
- * Selects if the hx509_revoke_verify() function is going to require
- * the existans of a revokation method (OCSP, CRL) or not. Note that
- * hx509_verify_path(), hx509_cms_verify_signed(), and other function
- * call hx509_revoke_verify().
- *
- * @param context hx509 context to change the flag for.
- * @param flag zero, revokation method required, non zero missing
- * revokation method ok
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_context_set_missing_revoke (
- hx509_context /*context*/,
- int /*flag*/);
-
-/**
- * Add revoked certificate to an CRL context.
- *
- * @param context a hx509 context.
- * @param crl the CRL to add the revoked certificate to.
- * @param certs keyset of certificate to revoke.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_add_revoked_certs (
- hx509_context /*context*/,
- hx509_crl /*crl*/,
- hx509_certs /*certs*/);
-
-/**
- * Create a CRL context. Use hx509_crl_free() to free the CRL context.
- *
- * @param context a hx509 context.
- * @param crl return pointer to a newly allocated CRL context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_alloc (
- hx509_context /*context*/,
- hx509_crl */*crl*/);
-
-/**
- * Free a CRL context.
- *
- * @param context a hx509 context.
- * @param crl a CRL context to free.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_crl_free (
- hx509_context /*context*/,
- hx509_crl */*crl*/);
-
-/**
- * Set the lifetime of a CRL context.
- *
- * @param context a hx509 context.
- * @param crl a CRL context
- * @param delta delta time the certificate is valid, library adds the
- * current time to this.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_lifetime (
- hx509_context /*context*/,
- hx509_crl /*crl*/,
- int /*delta*/);
-
-/**
- * Sign a CRL and return an encode certificate.
- *
- * @param context a hx509 context.
- * @param signer certificate to sign the CRL with
- * @param crl the CRL to sign
- * @param os return the signed and encoded CRL, free with
- * free_heim_octet_string()
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_crl_sign (
- hx509_context /*context*/,
- hx509_cert /*signer*/,
- hx509_crl /*crl*/,
- heim_octet_string */*os*/);
-
-const AlgorithmIdentifier *
-hx509_crypto_aes128_cbc (void);
-
-const AlgorithmIdentifier *
-hx509_crypto_aes256_cbc (void);
-
-void
-hx509_crypto_allow_weak (hx509_crypto /*crypto*/);
-
-int
-hx509_crypto_available (
- hx509_context /*context*/,
- int /*type*/,
- hx509_cert /*source*/,
- AlgorithmIdentifier **/*val*/,
- unsigned int */*plen*/);
-
-int
-hx509_crypto_decrypt (
- hx509_crypto /*crypto*/,
- const void */*data*/,
- const size_t /*length*/,
- heim_octet_string */*ivec*/,
- heim_octet_string */*clear*/);
-
-const AlgorithmIdentifier *
-hx509_crypto_des_rsdi_ede3_cbc (void);
-
-void
-hx509_crypto_destroy (hx509_crypto /*crypto*/);
-
-int
-hx509_crypto_encrypt (
- hx509_crypto /*crypto*/,
- const void */*data*/,
- const size_t /*length*/,
- const heim_octet_string */*ivec*/,
- heim_octet_string **/*ciphertext*/);
-
-const heim_oid *
-hx509_crypto_enctype_by_name (const char */*name*/);
-
-void
-hx509_crypto_free_algs (
- AlgorithmIdentifier */*val*/,
- unsigned int /*len*/);
-
-int
-hx509_crypto_get_params (
- hx509_context /*context*/,
- hx509_crypto /*crypto*/,
- const heim_octet_string */*ivec*/,
- heim_octet_string */*param*/);
-
-int
-hx509_crypto_init (
- hx509_context /*context*/,
- const char */*provider*/,
- const heim_oid */*enctype*/,
- hx509_crypto */*crypto*/);
-
-const char *
-hx509_crypto_provider (hx509_crypto /*crypto*/);
-
-int
-hx509_crypto_random_iv (
- hx509_crypto /*crypto*/,
- heim_octet_string */*ivec*/);
-
-int
-hx509_crypto_select (
- const hx509_context /*context*/,
- int /*type*/,
- const hx509_private_key /*source*/,
- hx509_peer_info /*peer*/,
- AlgorithmIdentifier */*selected*/);
-
-int
-hx509_crypto_set_key_data (
- hx509_crypto /*crypto*/,
- const void */*data*/,
- size_t /*length*/);
-
-int
-hx509_crypto_set_key_name (
- hx509_crypto /*crypto*/,
- const char */*name*/);
-
-void
-hx509_crypto_set_padding (
- hx509_crypto /*crypto*/,
- int /*padding_type*/);
-
-int
-hx509_crypto_set_params (
- hx509_context /*context*/,
- hx509_crypto /*crypto*/,
- const heim_octet_string */*param*/,
- heim_octet_string */*ivec*/);
-
-int
-hx509_crypto_set_random_key (
- hx509_crypto /*crypto*/,
- heim_octet_string */*key*/);
-
-/**
- * Add a new key/value pair to the hx509_env.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to add
- * @param value value to add
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_env
- */
-
-int
-hx509_env_add (
- hx509_context /*context*/,
- hx509_env */*env*/,
- const char */*key*/,
- const char */*value*/);
-
-/**
- * Add a new key/binding pair to the hx509_env.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to add
- * @param list binding list to add
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_env
- */
-
-int
-hx509_env_add_binding (
- hx509_context /*context*/,
- hx509_env */*env*/,
- const char */*key*/,
- hx509_env /*list*/);
-
-/**
- * Search the hx509_env for a key.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to search for.
- *
- * @return the value if the key is found, NULL otherwise.
- *
- * @ingroup hx509_env
- */
-
-const char *
-hx509_env_find (
- hx509_context /*context*/,
- hx509_env /*env*/,
- const char */*key*/);
-
-/**
- * Search the hx509_env for a binding.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to search for.
- *
- * @return the binding if the key is found, NULL if not found.
- *
- * @ingroup hx509_env
- */
-
-hx509_env
-hx509_env_find_binding (
- hx509_context /*context*/,
- hx509_env /*env*/,
- const char */*key*/);
-
-/**
- * Free an hx509_env environment context.
- *
- * @param env the environment to free.
- *
- * @ingroup hx509_env
- */
-
-void
-hx509_env_free (hx509_env */*env*/);
-
-/**
- * Search the hx509_env for a length based key.
- *
- * @param context A hx509 context.
- * @param env environment to add the environment variable too.
- * @param key key to search for.
- * @param len length of key.
- *
- * @return the value if the key is found, NULL otherwise.
- *
- * @ingroup hx509_env
- */
-
-const char *
-hx509_env_lfind (
- hx509_context /*context*/,
- hx509_env /*env*/,
- const char */*key*/,
- size_t /*len*/);
-
-/**
- * Print error message and fatally exit from error code
- *
- * @param context A hx509 context.
- * @param exit_code exit() code from process.
- * @param error_code Error code for the reason to exit.
- * @param fmt format string with the exit message.
- * @param ... argument to format string.
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_err (
- hx509_context /*context*/,
- int /*exit_code*/,
- int /*error_code*/,
- const char */*fmt*/,
- ...);
-
-hx509_private_key_ops *
-hx509_find_private_alg (const heim_oid */*oid*/);
-
-/**
- * Free error string returned by hx509_get_error_string().
- *
- * @param str error string to free.
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_free_error_string (char */*str*/);
-
-/**
- * Free a list of octet strings returned by another hx509 library
- * function.
- *
- * @param list list to be freed.
- *
- * @ingroup hx509_misc
- */
-
-void
-hx509_free_octet_string_list (hx509_octet_string_list */*list*/);
-
-/**
- * Unparse the hx509 name in name into a string.
- *
- * @param name the name to print
- * @param str an allocated string returns the name in string form
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_general_name_unparse (
- GeneralName */*name*/,
- char **/*str*/);
-
-/**
- * Get an error string from context associated with error_code.
- *
- * @param context A hx509 context.
- * @param error_code Get error message for this error code.
- *
- * @return error string, free with hx509_free_error_string().
- *
- * @ingroup hx509_error
- */
-
-char *
-hx509_get_error_string (
- hx509_context /*context*/,
- int /*error_code*/);
-
-/**
- * Get one random certificate from the certificate store.
- *
- * @param context a hx509 context.
- * @param certs a certificate store to get the certificate from.
- * @param c return certificate, should be freed with hx509_cert_free().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
-int
-hx509_get_one_cert (
- hx509_context /*context*/,
- hx509_certs /*certs*/,
- hx509_cert */*c*/);
-
-int
-hx509_lock_add_cert (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- hx509_cert /*cert*/);
-
-int
-hx509_lock_add_certs (
- hx509_context /*context*/,
- hx509_lock /*lock*/,
- hx509_certs /*certs*/);
-
-int
-hx509_lock_add_password (
- hx509_lock /*lock*/,
- const char */*password*/);
-
-int
-hx509_lock_command_string (
- hx509_lock /*lock*/,
- const char */*string*/);
-
-void
-hx509_lock_free (hx509_lock /*lock*/);
-
-/**
- * @page page_lock Locking and unlocking certificates and encrypted data.
- *
- * See the library functions here: @ref hx509_lock
- */
-
-int
-hx509_lock_init (
- hx509_context /*context*/,
- hx509_lock */*lock*/);
-
-int
-hx509_lock_prompt (
- hx509_lock /*lock*/,
- hx509_prompt */*prompt*/);
-
-void
-hx509_lock_reset_certs (
- hx509_context /*context*/,
- hx509_lock /*lock*/);
-
-void
-hx509_lock_reset_passwords (hx509_lock /*lock*/);
-
-void
-hx509_lock_reset_promper (hx509_lock /*lock*/);
-
-int
-hx509_lock_set_prompter (
- hx509_lock /*lock*/,
- hx509_prompter_fct /*prompt*/,
- void */*data*/);
-
-/**
- * Convert a hx509_name object to DER encoded name.
- *
- * @param name name to concert
- * @param os data to a DER encoded name, free the resulting octet
- * string with hx509_xfree(os->data).
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_binary (
- const hx509_name /*name*/,
- heim_octet_string */*os*/);
-
-/**
- * Compare to hx509 name object, useful for sorting.
- *
- * @param n1 a hx509 name object.
- * @param n2 a hx509 name object.
- *
- * @return 0 the objects are the same, returns > 0 is n2 is "larger"
- * then n2, < 0 if n1 is "smaller" then n2.
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_cmp (
- hx509_name /*n1*/,
- hx509_name /*n2*/);
-
-/**
- * Copy a hx509 name object.
- *
- * @param context A hx509 cotext.
- * @param from the name to copy from
- * @param to the name to copy to
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_copy (
- hx509_context /*context*/,
- const hx509_name /*from*/,
- hx509_name */*to*/);
-
-/**
- * Expands variables in the name using env. Variables are on the form
- * ${name}. Useful when dealing with certificate templates.
- *
- * @param context A hx509 cotext.
- * @param name the name to expand.
- * @param env environment variable to expand.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_expand (
- hx509_context /*context*/,
- hx509_name /*name*/,
- hx509_env /*env*/);
-
-/**
- * Free a hx509 name object, upond return *name will be NULL.
- *
- * @param name a hx509 name object to be freed.
- *
- * @ingroup hx509_name
- */
-
-void
-hx509_name_free (hx509_name */*name*/);
-
-/**
- * Unparse the hx509 name in name into a string.
- *
- * @param name the name to check if its empty/null.
- *
- * @return non zero if the name is empty/null.
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_is_null_p (const hx509_name /*name*/);
-
-int
-hx509_name_normalize (
- hx509_context /*context*/,
- hx509_name /*name*/);
-
-/**
- * Convert a hx509_name into a Name.
- *
- * @param from the name to copy from
- * @param to the name to copy to
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_to_Name (
- const hx509_name /*from*/,
- Name */*to*/);
-
-/**
- * Convert the hx509 name object into a printable string.
- * The resulting string should be freed with free().
- *
- * @param name name to print
- * @param str the string to return
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_name_to_string (
- const hx509_name /*name*/,
- char **/*str*/);
-
-/**
- * Create an OCSP request for a set of certificates.
- *
- * @param context a hx509 context
- * @param reqcerts list of certificates to request ocsp data for
- * @param pool certificate pool to use when signing
- * @param signer certificate to use to sign the request
- * @param digest the signing algorithm in the request, if NULL use the
- * default signature algorithm,
- * @param request the encoded request, free with free_heim_octet_string().
- * @param nonce nonce in the request, free with free_heim_octet_string().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_ocsp_request (
- hx509_context /*context*/,
- hx509_certs /*reqcerts*/,
- hx509_certs /*pool*/,
- hx509_cert /*signer*/,
- const AlgorithmIdentifier */*digest*/,
- heim_octet_string */*request*/,
- heim_octet_string */*nonce*/);
-
-/**
- * Verify that the certificate is part of the OCSP reply and it's not
- * expired. Doesn't verify signature the OCSP reply or it's done by a
- * authorized sender, that is assumed to be already done.
- *
- * @param context a hx509 context
- * @param now the time right now, if 0, use the current time.
- * @param cert the certificate to verify
- * @param flags flags control the behavior
- * @param data pointer to the encode ocsp reply
- * @param length the length of the encode ocsp reply
- * @param expiration return the time the OCSP will expire and need to
- * be rechecked.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_ocsp_verify (
- hx509_context /*context*/,
- time_t /*now*/,
- hx509_cert /*cert*/,
- int /*flags*/,
- const void */*data*/,
- size_t /*length*/,
- time_t */*expiration*/);
-
-/**
- * Print a oid using a hx509_vprint_func function. To print to stdout
- * use hx509_print_stdout().
- *
- * @param oid oid to print
- * @param func hx509_vprint_func to print with.
- * @param ctx context variable to hx509_vprint_func function.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_oid_print (
- const heim_oid */*oid*/,
- hx509_vprint_func /*func*/,
- void */*ctx*/);
-
-/**
- * Print a oid to a string.
- *
- * @param oid oid to print
- * @param str allocated string, free with hx509_xfree().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_oid_sprint (
- const heim_oid */*oid*/,
- char **/*str*/);
-
-/**
- * Parse a string into a hx509 name object.
- *
- * @param context A hx509 context.
- * @param str a string to parse.
- * @param name the resulting object, NULL in case of error.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_parse_name (
- hx509_context /*context*/,
- const char */*str*/,
- hx509_name */*name*/);
-
-int
-hx509_parse_private_key (
- hx509_context /*context*/,
- const AlgorithmIdentifier */*keyai*/,
- const void */*data*/,
- size_t /*len*/,
- hx509_key_format_t /*format*/,
- hx509_private_key */*private_key*/);
-
-/**
- * Add an additional algorithm that the peer supports.
- *
- * @param context A hx509 context.
- * @param peer the peer to set the new algorithms for
- * @param val an AlgorithmsIdentier to add
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_add_cms_alg (
- hx509_context /*context*/,
- hx509_peer_info /*peer*/,
- const AlgorithmIdentifier */*val*/);
-
-/**
- * Allocate a new peer info structure an init it to default values.
- *
- * @param context A hx509 context.
- * @param peer return an allocated peer, free with hx509_peer_info_free().
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_alloc (
- hx509_context /*context*/,
- hx509_peer_info */*peer*/);
-
-/**
- * Free a peer info structure.
- *
- * @param peer peer info to be freed.
- *
- * @ingroup hx509_peer
- */
-
-void
-hx509_peer_info_free (hx509_peer_info /*peer*/);
-
-/**
- * Set the certificate that remote peer is using.
- *
- * @param peer peer info to update
- * @param cert cerificate of the remote peer.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_set_cert (
- hx509_peer_info /*peer*/,
- hx509_cert /*cert*/);
-
-/**
- * Set the algorithms that the peer supports.
- *
- * @param context A hx509 context.
- * @param peer the peer to set the new algorithms for
- * @param val array of supported AlgorithmsIdentiers
- * @param len length of array val.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_peer
- */
-
-int
-hx509_peer_info_set_cms_algs (
- hx509_context /*context*/,
- hx509_peer_info /*peer*/,
- const AlgorithmIdentifier */*val*/,
- size_t /*len*/);
-
-int
-hx509_pem_add_header (
- hx509_pem_header **/*headers*/,
- const char */*header*/,
- const char */*value*/);
-
-const char *
-hx509_pem_find_header (
- const hx509_pem_header */*h*/,
- const char */*header*/);
-
-void
-hx509_pem_free_header (hx509_pem_header */*headers*/);
-
-int
-hx509_pem_read (
- hx509_context /*context*/,
- FILE */*f*/,
- hx509_pem_read_func /*func*/,
- void */*ctx*/);
-
-int
-hx509_pem_write (
- hx509_context /*context*/,
- const char */*type*/,
- hx509_pem_header */*headers*/,
- FILE */*f*/,
- const void */*data*/,
- size_t /*size*/);
-
-/**
- * Print a simple representation of a certificate
- *
- * @param context A hx509 context, can be NULL
- * @param cert certificate to print
- * @param out the stdio output stream, if NULL, stdout is used
- *
- * @return An hx509 error code
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_print_cert (
- hx509_context /*context*/,
- hx509_cert /*cert*/,
- FILE */*out*/);
-
-/**
- * Helper function to print on stdout for:
- * - hx509_oid_print(),
- * - hx509_bitstring_print(),
- * - hx509_validate_ctx_set_print().
- *
- * @param ctx the context to the print function. If the ctx is NULL,
- * stdout is used.
- * @param fmt the printing format.
- * @param va the argumet list.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_print_stdout (
- void */*ctx*/,
- const char */*fmt*/,
- va_list /*va*/);
-
-int
-hx509_private_key2SPKI (
- hx509_context /*context*/,
- hx509_private_key /*private_key*/,
- SubjectPublicKeyInfo */*spki*/);
-
-void
-hx509_private_key_assign_rsa (
- hx509_private_key /*key*/,
- void */*ptr*/);
-
-int
-hx509_private_key_free (hx509_private_key */*key*/);
-
-int
-hx509_private_key_init (
- hx509_private_key */*key*/,
- hx509_private_key_ops */*ops*/,
- void */*keydata*/);
-
-int
-hx509_private_key_private_decrypt (
- hx509_context /*context*/,
- const heim_octet_string */*ciphertext*/,
- const heim_oid */*encryption_oid*/,
- hx509_private_key /*p*/,
- heim_octet_string */*cleartext*/);
-
-int
-hx509_prompt_hidden (hx509_prompt_type /*type*/);
-
-/**
- * Allocate an query controller. Free using hx509_query_free().
- *
- * @param context A hx509 context.
- * @param q return pointer to a hx509_query.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_alloc (
- hx509_context /*context*/,
- hx509_query **/*q*/);
-
-/**
- * Free the query controller.
- *
- * @param context A hx509 context.
- * @param q a pointer to the query controller.
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_free (
- hx509_context /*context*/,
- hx509_query */*q*/);
-
-/**
- * Set the query controller to match using a specific match function.
- *
- * @param q a hx509 query controller.
- * @param func function to use for matching, if the argument is NULL,
- * the match function is removed.
- * @param ctx context passed to the function.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_cmp_func (
- hx509_query */*q*/,
- int (*/*func*/)(hx509_context, hx509_cert, void *),
- void */*ctx*/);
-
-/**
- * Set the query controller to require an one specific EKU (extended
- * key usage). Any previous EKU matching is overwitten. If NULL is
- * passed in as the eku, the EKU requirement is reset.
- *
- * @param q a hx509 query controller.
- * @param eku an EKU to match on.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_eku (
- hx509_query */*q*/,
- const heim_oid */*eku*/);
-
-int
-hx509_query_match_expr (
- hx509_context /*context*/,
- hx509_query */*q*/,
- const char */*expr*/);
-
-/**
- * Set the query controller to match on a friendly name
- *
- * @param q a hx509 query controller.
- * @param name a friendly name to match on
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_friendly_name (
- hx509_query */*q*/,
- const char */*name*/);
-
-/**
- * Set the issuer and serial number of match in the query
- * controller. The function make copies of the isser and serial number.
- *
- * @param q a hx509 query controller
- * @param issuer issuer to search for
- * @param serialNumber the serialNumber of the issuer.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_query_match_issuer_serial (
- hx509_query */*q*/,
- const Name */*issuer*/,
- const heim_integer */*serialNumber*/);
-
-/**
- * Set match options for the hx509 query controller.
- *
- * @param q query controller.
- * @param option options to control the query controller.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_match_option (
- hx509_query */*q*/,
- hx509_query_option /*option*/);
-
-/**
- * Set a statistic file for the query statistics.
- *
- * @param context A hx509 context.
- * @param fn statistics file name
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_statistic_file (
- hx509_context /*context*/,
- const char */*fn*/);
-
-/**
- * Unparse the statistics file and print the result on a FILE descriptor.
- *
- * @param context A hx509 context.
- * @param printtype tyep to print
- * @param out the FILE to write the data on.
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_query_unparse_stats (
- hx509_context /*context*/,
- int /*printtype*/,
- FILE */*out*/);
-
-void
-hx509_request_free (hx509_request */*req*/);
-
-int
-hx509_request_get_SubjectPublicKeyInfo (
- hx509_context /*context*/,
- hx509_request /*req*/,
- SubjectPublicKeyInfo */*key*/);
-
-int
-hx509_request_get_name (
- hx509_context /*context*/,
- hx509_request /*req*/,
- hx509_name */*name*/);
-
-int
-hx509_request_init (
- hx509_context /*context*/,
- hx509_request */*req*/);
-
-int
-hx509_request_set_SubjectPublicKeyInfo (
- hx509_context /*context*/,
- hx509_request /*req*/,
- const SubjectPublicKeyInfo */*key*/);
-
-int
-hx509_request_set_name (
- hx509_context /*context*/,
- hx509_request /*req*/,
- hx509_name /*name*/);
-
-/**
- * Add a CRL file to the revokation context.
- *
- * @param context hx509 context
- * @param ctx hx509 revokation context
- * @param path path to file that is going to be added to the context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_add_crl (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- const char */*path*/);
-
-/**
- * Add a OCSP file to the revokation context.
- *
- * @param context hx509 context
- * @param ctx hx509 revokation context
- * @param path path to file that is going to be added to the context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_add_ocsp (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- const char */*path*/);
-
-/**
- * Free a hx509 revokation context.
- *
- * @param ctx context to be freed
- *
- * @ingroup hx509_revoke
- */
-
-void
-hx509_revoke_free (hx509_revoke_ctx */*ctx*/);
-
-/**
- * Allocate a revokation context. Free with hx509_revoke_free().
- *
- * @param context A hx509 context.
- * @param ctx returns a newly allocated revokation context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_init (
- hx509_context /*context*/,
- hx509_revoke_ctx */*ctx*/);
-
-/**
- * Print the OCSP reply stored in a file.
- *
- * @param context a hx509 context
- * @param path path to a file with a OCSP reply
- * @param out the out FILE descriptor to print the reply on
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_ocsp_print (
- hx509_context /*context*/,
- const char */*path*/,
- FILE */*out*/);
-
-int
-hx509_revoke_print (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- FILE */*out*/);
-
-/**
- * Check that a certificate is not expired according to a revokation
- * context. Also need the parent certificte to the check OCSP
- * parent identifier.
- *
- * @param context hx509 context
- * @param ctx hx509 revokation context
- * @param certs
- * @param now
- * @param cert
- * @param parent_cert
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_revoke
- */
-
-int
-hx509_revoke_verify (
- hx509_context /*context*/,
- hx509_revoke_ctx /*ctx*/,
- hx509_certs /*certs*/,
- time_t /*now*/,
- hx509_cert /*cert*/,
- hx509_cert /*parent_cert*/);
-
-/**
- * See hx509_set_error_stringv().
- *
- * @param context A hx509 context.
- * @param flags
- * - HX509_ERROR_APPEND appends the error string to the old messages
- (code is updated).
- * @param code error code related to error message
- * @param fmt error message format
- * @param ... arguments to error message format
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_set_error_string (
- hx509_context /*context*/,
- int /*flags*/,
- int /*code*/,
- const char */*fmt*/,
- ...);
-
-/**
- * Add an error message to the hx509 context.
- *
- * @param context A hx509 context.
- * @param flags
- * - HX509_ERROR_APPEND appends the error string to the old messages
- (code is updated).
- * @param code error code related to error message
- * @param fmt error message format
- * @param ap arguments to error message format
- *
- * @ingroup hx509_error
- */
-
-void
-hx509_set_error_stringv (
- hx509_context /*context*/,
- int /*flags*/,
- int /*code*/,
- const char */*fmt*/,
- va_list /*ap*/);
-
-const AlgorithmIdentifier *
-hx509_signature_ecPublicKey (void);
-
-const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha256 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_md5 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_pkcs1_x509 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_md5 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha1 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha256 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha384 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_rsa_with_sha512 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha1 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha256 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha384 (void);
-
-const AlgorithmIdentifier *
-hx509_signature_sha512 (void);
-
-/**
- * Convert a DER encoded name info a string.
- *
- * @param data data to a DER/BER encoded name
- * @param length length of data
- * @param str the resulting string, is NULL on failure.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_name
- */
-
-int
-hx509_unparse_der_name (
- const void */*data*/,
- size_t /*length*/,
- char **/*str*/);
-
-/**
- * Validate/Print the status of the certificate.
- *
- * @param context A hx509 context.
- * @param ctx A hx509 validation context.
- * @param cert the cerificate to validate/print.
-
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_validate_cert (
- hx509_context /*context*/,
- hx509_validate_ctx /*ctx*/,
- hx509_cert /*cert*/);
-
-/**
- * Add flags to control the behaivor of the hx509_validate_cert()
- * function.
- *
- * @param ctx A hx509 validation context.
- * @param flags flags to add to the validation context.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_validate_ctx_add_flags (
- hx509_validate_ctx /*ctx*/,
- int /*flags*/);
-
-/**
- * Free an hx509 validate context.
- *
- * @param ctx the hx509 validate context to free.
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/);
-
-/**
- * Allocate a hx509 validation/printing context.
- *
- * @param context A hx509 context.
- * @param ctx a new allocated hx509 validation context, free with
- * hx509_validate_ctx_free().
-
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-int
-hx509_validate_ctx_init (
- hx509_context /*context*/,
- hx509_validate_ctx */*ctx*/);
-
-/**
- * Set the printing functions for the validation context.
- *
- * @param ctx a hx509 valication context.
- * @param func the printing function to usea.
- * @param c the context variable to the printing function.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_print
- */
-
-void
-hx509_validate_ctx_set_print (
- hx509_validate_ctx /*ctx*/,
- hx509_vprint_func /*func*/,
- void */*c*/);
-
-/**
- * Set the trust anchors in the verification context, makes an
- * reference to the keyset, so the consumer can free the keyset
- * independent of the destruction of the verification context (ctx).
- * If there already is a keyset attached, it's released.
- *
- * @param ctx a verification context
- * @param set a keyset containing the trust anchors.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_attach_anchors (
- hx509_verify_ctx /*ctx*/,
- hx509_certs /*set*/);
-
-/**
- * Attach an revocation context to the verfication context, , makes an
- * reference to the revoke context, so the consumer can free the
- * revoke context independent of the destruction of the verification
- * context. If there is no revoke context, the verification process is
- * NOT going to check any verification status.
- *
- * @param ctx a verification context.
- * @param revoke_ctx a revoke context.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_attach_revoke (
- hx509_verify_ctx /*ctx*/,
- hx509_revoke_ctx /*revoke_ctx*/);
-
-void
-hx509_verify_ctx_f_allow_best_before_signature_algs (
- hx509_context /*ctx*/,
- int /*boolean*/);
-
-/**
- * Allow using the operating system builtin trust anchors if no other
- * trust anchors are configured.
- *
- * @param ctx a verification context
- * @param boolean if non zero, useing the operating systems builtin
- * trust anchors.
- *
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-void
-hx509_verify_ctx_f_allow_default_trustanchors (
- hx509_verify_ctx /*ctx*/,
- int /*boolean*/);
-
-/**
- * Free an hx509 verification context.
- *
- * @param ctx the context to be freed.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/);
-
-/**
- * Verify that the certificate is allowed to be used for the hostname
- * and address.
- *
- * @param context A hx509 context.
- * @param cert the certificate to match with
- * @param flags Flags to modify the behavior:
- * - HX509_VHN_F_ALLOW_NO_MATCH no match is ok
- * @param type type of hostname:
- * - HX509_HN_HOSTNAME for plain hostname.
- * - HX509_HN_DNSSRV for DNS SRV names.
- * @param hostname the hostname to check
- * @param sa address of the host
- * @param sa_size length of address
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_cert
- */
-
-int
-hx509_verify_hostname (
- hx509_context /*context*/,
- const hx509_cert /*cert*/,
- int /*flags*/,
- hx509_hostname_type /*type*/,
- const char */*hostname*/,
- const struct sockaddr */*sa*/,
- int /*sa_size*/);
-
-/**
- * Allocate an verification context that is used fo control the
- * verification process.
- *
- * @param context A hx509 context.
- * @param ctx returns a pointer to a hx509_verify_ctx object.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_verify_init_ctx (
- hx509_context /*context*/,
- hx509_verify_ctx */*ctx*/);
-
-/**
- * Build and verify the path for the certificate to the trust anchor
- * specified in the verify context. The path is constructed from the
- * certificate, the pool and the trust anchors.
- *
- * @param context A hx509 context.
- * @param ctx A hx509 verification context.
- * @param cert the certificate to build the path from.
- * @param pool A keyset of certificates to build the chain from.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_verify
- */
-
-int
-hx509_verify_path (
- hx509_context /*context*/,
- hx509_verify_ctx /*ctx*/,
- hx509_cert /*cert*/,
- hx509_certs /*pool*/);
-
-/**
- * Set the maximum depth of the certificate chain that the path
- * builder is going to try.
- *
- * @param ctx a verification context
- * @param max_depth maxium depth of the certificate chain, include
- * trust anchor.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_max_depth (
- hx509_verify_ctx /*ctx*/,
- unsigned int /*max_depth*/);
-
-/**
- * Allow or deny the use of proxy certificates
- *
- * @param ctx a verification context
- * @param boolean if non zero, allow proxy certificates.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_proxy_certificate (
- hx509_verify_ctx /*ctx*/,
- int /*boolean*/);
-
-/**
- * Select strict RFC3280 verification of certificiates. This means
- * checking key usage on CA certificates, this will make version 1
- * certificiates unuseable.
- *
- * @param ctx a verification context
- * @param boolean if non zero, use strict verification.
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_strict_rfc3280_verification (
- hx509_verify_ctx /*ctx*/,
- int /*boolean*/);
-
-/**
- * Set the clock time the the verification process is going to
- * use. Used to check certificate in the past and future time. If not
- * set the current time will be used.
- *
- * @param ctx a verification context.
- * @param t the time the verifiation is using.
- *
- *
- * @ingroup hx509_verify
- */
-
-void
-hx509_verify_set_time (
- hx509_verify_ctx /*ctx*/,
- time_t /*t*/);
-
-/**
- * Verify a signature made using the private key of an certificate.
- *
- * @param context A hx509 context.
- * @param signer the certificate that made the signature.
- * @param alg algorthm that was used to sign the data.
- * @param data the data that was signed.
- * @param sig the sigature to verify.
- *
- * @return An hx509 error code, see hx509_get_error_string().
- *
- * @ingroup hx509_crypto
- */
-
-int
-hx509_verify_signature (
- hx509_context /*context*/,
- const hx509_cert /*signer*/,
- const AlgorithmIdentifier */*alg*/,
- const heim_octet_string */*data*/,
- const heim_octet_string */*sig*/);
-
-/**
- * Free a data element allocated in the library.
- *
- * @param ptr data to be freed.
- *
- * @ingroup hx509_misc
- */
-
-void
-hx509_xfree (void */*ptr*/);
-
-int
-yywrap (void);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* DOXY */
-#endif /* __hx509_protos_h__ */
diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 781f4a59cc73..6bd36e98b157 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -37,6 +37,7 @@
#define HEIMDAL_HX509_H 1
#include <rfc2459_asn1.h>
+#include <rfc4108_asn1.h>
#include <stdarg.h>
#include <stdio.h>
#include <heimbase.h>
@@ -64,6 +65,29 @@ typedef struct hx509_crl *hx509_crl;
typedef void (*hx509_vprint_func)(void *, const char *, va_list);
+typedef enum {
+ HX509_SAN_TYPE_UNSUPPORTED = 0,
+ /* The following correspond to the enum GeneralName_enum values: */
+ HX509_SAN_TYPE_EMAIL = 2,
+ HX509_SAN_TYPE_DNSNAME = 3,
+ HX509_SAN_TYPE_DN = 4,
+ HX509_SAN_TYPE_REGISTERED_ID = 7,
+ /*
+ * Missing support for:
+ * - URI SANs
+ * - IP address SANs
+ * - various otherName SANs we know about (e.g., DNSSRV)
+ *
+ * The following are otherName SAN types, and assigned manually here:
+ */
+ HX509_SAN_TYPE_XMPP = 32,
+ HX509_SAN_TYPE_PKINIT = 33,
+ HX509_SAN_TYPE_MS_UPN = 34,
+ HX509_SAN_TYPE_DNSSRV = 35, /* SRVName [RFC4985] */
+ HX509_SAN_TYPE_PERMANENT_ID = 36, /* PermanentIdentifier [RFC4043] */
+ HX509_SAN_TYPE_HW_MODULE = 37, /* HardwareModuleName [RFC4108] */
+} hx509_san_type;
+
enum {
HX509_VHN_F_ALLOW_NO_MATCH = 1
};
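Review bot: The correspondence between HX509_SAN_TYPE_EMAIL/DNSNAME/DN/REGISTERED_ID and the asn1-compiler-generated GeneralName choice values is asserted only in a comment, so a regeneration of rfc2459_asn1.h that shifts the choice numbering would silently make the SAN type reported to callers wrong. Since rfc2459_asn1.h is already included above, a compile-time check in one of the .c files would pin it, e.g. `_Static_assert(HX509_SAN_TYPE_DNSNAME == choice_GeneralName_dNSName, "hx509_san_type out of sync with GeneralName");` (exact enumerator names to be confirmed against the generated header, and a C89 fallback if the build still supports it). The manually assigned otherName values from 32 up would also benefit from a one-line comment stating they are private to hx509 and not wire values.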
@@ -81,7 +105,8 @@ enum {
enum {
HX509_KEY_FORMAT_GUESS = 0,
HX509_KEY_FORMAT_DER = 1,
- HX509_KEY_FORMAT_WIN_BACKUPKEY = 2
+ HX509_KEY_FORMAT_WIN_BACKUPKEY = 2,
+ HX509_KEY_FORMAT_PKCS8 = 3,
};
typedef uint32_t hx509_key_format_t;
@@ -133,6 +158,12 @@ typedef enum {
/* flags to hx509_certs_init */
#define HX509_CERTS_CREATE 0x01
#define HX509_CERTS_UNPROTECT_ALL 0x02
+#define HX509_CERTS_NO_PRIVATE_KEYS 0x04
+
+/* flags to hx509_certs_store */
+#define HX509_CERTS_STORE_NO_PRIVATE_KEYS 0x04
+#define HX509_CERTS_STORE_NO_ROOTS 0x08
+
/* flags to hx509_set_error_string */
#define HX509_ERROR_APPEND 0x01
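Review bot: HX509_CERTS_NO_PRIVATE_KEYS (an hx509_certs_init flag) and HX509_CERTS_STORE_NO_PRIVATE_KEYS (an hx509_certs_store flag) both take the value 0x04 while HX509_CERTS_STORE_NO_ROOTS is 0x08, and the near-identical names make it easy to pass one family to the other function without any compiler complaint; since these flags exist to keep private keys from being written where they should not be, a silent mismatch is a leak path. I would state the separation explicitly next to the store flags, e.g. `/* Separate flag space from the HX509_CERTS_* init flags above; not interchangeable. */`, or give the store flags values disjoint from the init flags so a mix-up is at worst a no-op rather than a misinterpretation.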
@@ -152,6 +183,9 @@ typedef enum {
#define HX509_CMS_VS_ALLOW_ZERO_SIGNER 0x04
#define HX509_CMS_VS_NO_VALIDATE 0x08
+/* flags from hx509_cms_verify_signed_ext (out verify_flags) */
+#define HX509_CMS_VSE_VALIDATED 0x01
+
/* selectors passed to hx509_crypto_select and hx509_crypto_available */
#define HX509_SELECT_ALL 0
#define HX509_SELECT_DIGEST 1
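Review bot: HX509_CMS_VSE_VALIDATED is introduced with no statement of what "validated" covers, and the header already has HX509_CMS_VS_NO_VALIDATE, so a reader cannot tell whether a zero return from hx509_cms_verify_signed_ext with this bit clear means the signature was checked but the signer chain was not. If the bit means, as the name suggests, that the signer certificate was path-validated to a trust anchor, I would say so here, e.g. `/* set iff the signer certificate chain was validated; clear when HX509_CMS_VS_NO_VALIDATE was given or validation was skipped, callers relying on path validation must test this bit */` (semantics to be confirmed against the implementation in cms.c, which is outside this hunk).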
@@ -167,6 +201,7 @@ typedef enum {
#define HX509_CA_TEMPLATE_SPKI 16
#define HX509_CA_TEMPLATE_KU 32
#define HX509_CA_TEMPLATE_EKU 64
+#define HX509_CA_TEMPLATE_PKINIT_MAX_LIFE 128
/* flags hx509_cms_create_signed* */
#define HX509_CMS_SIGNATURE_DETACHED 0x01
diff --git a/lib/hx509/hx509_err.et b/lib/hx509/hx509_err.et
index f0a27e83620c..db81f5d294b0 100644
--- a/lib/hx509/hx509_err.et
+++ b/lib/hx509/hx509_err.et
@@ -36,6 +36,7 @@ error_code NAME_MALFORMED, "Name is malformed"
error_code CERTIFICATE_MALFORMED, "Certificate is malformed"
error_code CERTIFICATE_MISSING_EKU, "Certificate is missing a required EKU"
error_code PROXY_CERTIFICATE_NOT_CANONICALIZED, "Proxy certificate not canonicalized"
+error_code NO_ITEM, "No such item / iteration end"
# cms related errors
index 32
diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h
index 44d241f350ae..d653f7d98ece 100644
--- a/lib/hx509/hx_locl.h
+++ b/lib/hx509/hx_locl.h
@@ -59,6 +59,7 @@
#include <krb5-types.h>
#include <rfc2459_asn1.h>
+#include <rfc4108_asn1.h>
#include <cms_asn1.h>
#include <pkcs8_asn1.h>
#include <pkcs9_asn1.h>
@@ -70,6 +71,13 @@
#include <der.h>
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
/*
* We use OpenSSL for EC, but to do this we need to disable cross-references
* between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
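Review bot: Defining O_CLOEXEC to 0 on platforms that lack it silently turns every `open(..., O_CLOEXEC)` in the library into a plain open, so descriptors for key and certificate files would be inherited by any child process across exec on those platforms; the fallback compiles but drops the property the flag was added for. A short comment here would keep that visible, e.g. `/* No O_CLOEXEC: open() callers must set FD_CLOEXEC via fcntl() afterwards where leaking the fd to children matters. */`, and the open() sites (not in this hunk) should do that fcntl() fallback when FD_CLOEXEC is available. O_BINARY = 0 is harmless on POSIX and needs no such caveat.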
@@ -180,6 +188,7 @@ struct hx509_keyset_ops {
void *, int (*)(void *, const char *), void *);
int (*getkeys)(hx509_context, hx509_certs, void *, hx509_private_key **);
int (*addkey)(hx509_context, hx509_certs, void *, hx509_private_key);
+ int (*destroy)(hx509_context, hx509_certs, void *);
};
struct _hx509_password {
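Review bot: A new `destroy` member appended to `struct hx509_keyset_ops` will be NULL in any keyset backend whose static initializer pre-dates it (or that simply has nothing to destroy), so the dispatch site that calls it must NULL-check the pointer before invoking it; that site is outside this hunk and I cannot see whether it does. I would record the contract on the member itself, e.g. `int (*destroy)(hx509_context, hx509_certs, void *); /* optional, may be NULL */`, so backend authors and the dispatcher agree.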
@@ -200,6 +209,8 @@ struct hx509_context_data {
struct et_list *et_list;
char *querystat;
hx509_certs default_trust_anchors;
+ heim_context hcontext;
+ heim_config_section *cf;
};
/* _hx509_calculate_path flag field */
diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index 49e392d038ef..1bd0119ad724 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -33,6 +33,13 @@
/* $Id$ */
command = {
+ name = "list-oids"
+ help = "List known OIDs"
+ function = "hxtool_list_oids"
+ min_args="0"
+ max_args="0"
+}
+command = {
name = "cms-create-sd"
name = "cms-sign"
option = {
@@ -171,6 +178,11 @@ command = {
type = "string"
help = "file containing content"
}
+ option = {
+ long = "oid-sym"
+ type = "flag"
+ help = "show symbolic name for OID"
+ }
min_args="1"
max_args="2"
argument="in-file [out-file]"
@@ -305,6 +317,11 @@ command = {
help = "print the content of the certificates"
}
option = {
+ long = "raw-json"
+ type = "flag"
+ help = "print the DER content of the certificates as JSON"
+ }
+ option = {
long = "never-fail"
type = "flag"
help = "never fail with an error code"
@@ -346,6 +363,21 @@ command = {
argument = "password"
help = "password, prompter, or environment"
}
+ option = {
+ long = "append"
+ type = "flag"
+ help = "append source to destination"
+ }
+ option = {
+ long = "root-certs"
+ type = "-flag"
+ help = "do not copy root certificates"
+ }
+ option = {
+ long = "private-keys"
+ type = "-flag"
+ help = "do not copy private keys"
+ }
min_args="2"
argument="in-certificates-1 ... out-certificate"
help = "Copy in certificates stores into out certificate store"
@@ -420,6 +452,28 @@ command = {
help = "Print the OCSP/CRL files"
}
command = {
+ name = "generate-key"
+ option = {
+ long = "type"
+ type = "string"
+ help = "keytype"
+ }
+ option = {
+ long = "key-bits"
+ type = "integer"
+ help = "number of bits in the generated key";
+ }
+ option = {
+ long = "verbose"
+ type = "flag"
+ help = "verbose status"
+ }
+ min_args="1"
+ max_args="1"
+ argument="output-file"
+ help = "Generate a private key"
+}
+command = {
name = "request-create"
option = {
long = "subject"
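Review bot: The `key-bits` entry of the new `generate-key` command ends its help line with a stray semicolon (`help = "number of bits in the generated key";`) that no sibling entry in this file carries; whether the command-description parser tolerates the extra token I cannot tell from here, but if it is taken literally it will either break generation or leak into the rendered help. Drop it: `help = "number of bits in the generated key"`.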
@@ -427,16 +481,47 @@ command = {
help = "Subject DN"
}
option = {
+ long = "eku"
+ type = "strings"
+ argument = "oid-string"
+ help = "Add Extended Key Usage OID"
+ }
+ option = {
long = "email"
type = "strings"
help = "Email address in SubjectAltName"
}
option = {
+ long = "jid"
+ type = "strings"
+ help = "XMPP (Jabber) address in SubjectAltName"
+ }
+ option = {
long = "dnsname"
type = "strings"
help = "Hostname or domainname in SubjectAltName"
}
option = {
+ long = "kerberos"
+ type = "strings"
+ help = "Kerberos principal name as SubjectAltName"
+ }
+ option = {
+ long = "ms-kerberos"
+ type = "strings"
+ help = "Kerberos principal name as SubjectAltName (Microsoft variant)"
+ }
+ option = {
+ long = "registered"
+ type = "strings"
+ help = "Registered object ID as SubjectAltName"
+ }
+ option = {
+ long = "dn"
+ type = "strings"
+ help = "Directory name as SubjectAltName"
+ }
+ option = {
long = "type"
type = "string"
help = "Type of request CRMF or PKCS10, defaults to PKCS10"
@@ -547,6 +632,11 @@ command = {
type = "string"
help = "type of CMS algorithm"
}
+ option = {
+ long = "oid-syms"
+ type = "flag"
+ help = "show symbolic names for OIDs"
+ }
name = "crypto-available"
min_args="0"
help = "Print available CMS crypto types"
@@ -567,6 +657,11 @@ command = {
type = "strings"
help = "peer limiting cmstypes"
}
+ option = {
+ long = "oid-sym"
+ type = "flag"
+ help = "show symbolic name for OID"
+ }
name = "crypto-select"
min_args="0"
help = "Print selected CMS type"
@@ -651,11 +746,27 @@ command = {
help = "Maximum path length (CA and proxy certificates), -1 no limit"
}
option = {
+ long = "eku"
+ type = "strings"
+ argument = "oid-string"
+ help = "Add Extended Key Usage OID"
+ }
+ option = {
+ long = "ku"
+ type = "strings"
+ help = "Key Usage (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly)"
+ }
+ option = {
long = "hostname"
type = "strings"
help = "DNS names this certificate is allowed to serve"
}
option = {
+ long = "dnssrv"
+ type = "strings"
+ help = "DNS SRV names this certificate is allowed to serve"
+ }
+ option = {
long = "email"
type = "strings"
help = "email addresses assigned to this certificate"
@@ -676,6 +787,31 @@ command = {
help = "XMPP jabber id (for SAN)"
}
option = {
+ long = "permanent-id"
+ type = "string"
+ help = "PermanentIdentifier ([oid]:[serial])"
+ }
+ option = {
+ long = "hardware-module-name"
+ type = "string"
+ help = "HardwareModuleName (oid:serial)"
+ }
+ option = {
+ long = "policy"
+ type = "strings"
+ help = "Certificate Policy OID and optional URI and/or notice (OID:URI<space>notice_text)"
+ }
+ option = {
+ long = "policy-mapping"
+ type = "strings"
+ help = "Certificate Policy mapping (OID:OID)"
+ }
+ option = {
+ long = "pkinit-max-life"
+ type = "string"
+ help = "maximum Kerberos ticket lifetime extension for PKINIT"
+ }
+ option = {
long = "req"
type = "string"
help = "certificate request"
@@ -773,6 +909,160 @@ command = {
help = "Create a CRL"
}
command = {
+ option = {
+ long = "verbose"
+ short = "v"
+ type = "flag"
+ help = "verbose"
+ }
+ option = {
+ long = "end-entity"
+ type = "flag"
+ help = "check the first EE certificate in the store"
+ }
+ option = {
+ long = "ca"
+ type = "flag"
+ help = "check the first CA certificate in the store"
+ }
+ option = {
+ long = "cert-num"
+ type = "integer"
+ default = "-1"
+ help = "check the nth certificate in the store"
+ }
+ option = {
+ long = "expr"
+ type = "string"
+ argument = "expression"
+ help = "test the first certificate matching expression"
+ }
+ option = {
+ long = "has-email-san"
+ short = "M"
+ type = "strings"
+ argument = "email-address"
+ help = "check that cert has email SAN"
+ }
+ option = {
+ long = "has-xmpp-san"
+ type = "strings"
+ short = "X"
+ argument = "jabber address"
+ help = "check that cert has XMPP SAN"
+ }
+ option = {
+ long = "has-ms-upn-san"
+ short = "U"
+ type = "strings"
+ argument = "UPN"
+ help = "check that cert has UPN SAN"
+ }
+ option = {
+ long = "has-dnsname-san"
+ short = "D"
+ type = "strings"
+ argument = "domainname"
+ help = "check that cert has domainname SAN"
+ }
+ option = {
+ long = "has-pkinit-san"
+ short = "P"
+ type = "strings"
+ argument = "Kerberos principal name"
+ help = "check that cert has PKINIT SAN"
+ }
+ option = {
+ long = "has-registeredID-san"
+ short = "R"
+ type = "strings"
+ argument = "OID"
+ help = "check that cert has registeredID SAN"
+ }
+ option = {
+ long = "has-eku"
+ short = "E"
+ type = "strings"
+ argument = "OID"
+ help = "check that cert has EKU"
+ }
+ option = {
+ long = "has-ku"
+ short = "K"
+ type = "strings"
+ argument = "key usage element"
+ help = "check that cert has key usage"
+ }
+ option = {
+ long = "exact"
+ type = "flag"
+ help = "check that cert has only given SANs/EKUs/KUs"
+ }
+ option = {
+ long = "valid-now"
+ short = "n"
+ type = "flag"
+ help = "check that current time is in certicate's validity period"
+ }
+ option = {
+ long = "valid-at"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate is valid at given time"
+ }
+ option = {
+ long = "not-after-eq"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notAfter is as given"
+ }
+ option = {
+ long = "not-after-lt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notAfter is before the given time"
+ }
+ option = {
+ long = "not-after-gt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notAfter is after the given time"
+ }
+ option = {
+ long = "not-before-eq"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notBefore is as given"
+ }
+ option = {
+ long = "not-before-lt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notBefore is before the given time"
+ }
+ option = {
+ long = "not-before-gt"
+ type = "string"
+ argument = "datetime"
+ help = "check that the certificate's notBefore is after the given time"
+ }
+ option = {
+ long = "has-private-key"
+ type = "flag"
+ help = "check that the certificate has a private key"
+ }
+ option = {
+ long = "lacks-private-key"
+ type = "flag"
+ help = "check that the certificate does not have a private key"
+ }
+ name = "acert"
+ min_args = "1"
+ max_args = "1"
+ argument = "certificate-store"
+ help = "Assert certificate content"
+}
+command = {
name = "help"
name = "?"
argument = "[command]"
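Review bot: The `valid-now` option of the new `acert` command ships a typo in user-facing help text, "certicate"; it should read `help = "check that current time is in certificate's validity period"`. As a point of style, `has-xmpp-san` lists `type` before `short` while every other `has-*-san` option in the same block orders `long`, `short`, `type`, `argument`, `help`; reordering it keeps the block scannable.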
diff --git a/lib/hx509/hxtool.1 b/lib/hx509/hxtool.1
new file mode 100644
index 000000000000..040573f4cde9
--- /dev/null
+++ b/lib/hx509/hxtool.1
@@ -0,0 +1,380 @@
+.\" Copyright (c) 2022 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 22, 2022
+.Dt HXTOOL 1
+.Os HEIMDAL
+.Sh NAME
+.Nm hxtool
+.Nd PKIX command-line utility
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Oo Fl Fl version Oc
+.Oo Fl Fl help Oc
+.Op Ar sub-command
+.Ek
+.Sh DESCRIPTION
+.Nm
+is a utility for making certificate sigining requests (CSRs),
+displaying CSRs, signing certificates, etc.
+are given, then the value will be parsed and displayed using just
+the self-describing nature of DER.
+.Pp
+All sub-commands have their own help message, shown when invoked
+with the
+.Fl Fl help
+or
+.Fl h
+option.
+.Pp
+Supported commands:
+.Bl -tag -width Ds -offset indent
+.It help
+.It list-oids
+.It verify
+Verify a certificate and its certification path up to a trust
+anchor, possibly checking CRLs.
+.It print
+Prints a human-readable rendering of certificates in a store.
+See
+.Sx CERTIFICATE STORES.
+.It validate
+Validate a certificate (but not a full chain).
+.It certificate-copy, cc
+Copy ceritificates and possibly private keys from one store to
+another.
+See
+.Sx CERTIFICATE STORES.
+.It ocsp-fetch
+Fetch an OCSP response.
+.It ocsp-verify
+Fetch an OCSP response chain.
+.It ocsp-print
+Prints a human-readable rendering of an OCSP response chain.
+.It revoke-print
+Prints a human-readable rendering of a CRL or OCSP response
+chain.
+.It generate-key
+Generates a private key.
+.It request-create
+Generates a Certificate Signing Request (CSR).
+.It request-print
+Prints a human-readable rendering of a CSR.
+.It query
+Queries a certificate store.
+.It info
+Prints information about supported algorithms.
+.It random-data
+Outputs entropy using a random number generator.
+.It crypto-available
+Tests if a cryptographic algorithm is available.
+.It crypto-select
+Selects a supported cryptographic algorithm given a peer's
+capabilities.
+.It hex
+Hex-encode/decode utility.
+.It certificate-sign, cert-sign, issue-certificate, ca
+Issue a certificate.
+.It crl-sign
+Sign a CRL.
+.It cms-create-sd, cms-sign
+Created a CMS SignedData.
+.It cms-verify-sd
+Verifies a CMS SignedData.
+.It cms-unenvelope
+Extracts enveloped data from a CMS SignedData.
+.It cms-envelope
+Creates an enveloped CMS SignedData.
+.El
+Other sub-commands reported by the
+.Nm help
+sub-command are not stable or fully supported at this time.
+.Sh CERTIFICATE STORES
+Stores of certificates and/or keys have string names that can be
+used with
+.Nm 's
+commands as well as in various configuration parameters and
+command-line arguments of Heimdal's Kerberos implementation (for
+PKINIT).
+.Pp
+For example,
+.Ql FILE:/path/to/file ,
+.Ql PEM-FILE:/path/to/file ,
+.Ql DER-FILE:/path/to/file ,
+etc.
+See below for a full list of store types.
+.Pp
+A certificate store name starts with a store TYPE followed by a
+colon followed by a name of form specific to that store type.
+.Pp
+Private keys can be stored in the same stores as the certificates
+that certify their public keys.
+.Pp
+Private keys can also be stored in separate files, but still be
+referenced in one certificate store name by joining two with a
+comma:
+.Ql FILE:/path/to/certificate,/path/to/private/key
+.
+.Pp
+Heimdal supports a variety of certificate and private key store
+types:
+.Bl -tag -width Ds -offset indent
+.It PEM-FILE:/path
+If writing, PEM will be written (private keys may be written in
+algorithm-specific formats or in PKCS#8).
+If reading, PEM will be expected (private keys may be in
+algorithm-specific formats or in PKCS#8).
+.It DER-FILE:/path
+If writing, DER will be written.
+If reading, DER will be expected.
+Private keys will be in algorithm-specific formats.
+.It FILE:/path
+If writing, PEM will be written as if
+.Ql PEM-FILE
+had been used.
+If reading, PEM or DER will be detected and read as if
+.Ql PEM-FILE
+or
+.Ql DER-FILE
+had been used.
+.It PKCS12:/path
+If writing, PKCS#12 will be written.
+If reading, PKCS#12 will be expected.
+Note that PKCS#12 support is currently very limited.
+.It DIR:/path
+OpenSSL-style hashed directory of trust anchors.
+.It KEYCHAIN:system-anchors
+On OS X this refers to the system's trust anchors.
+.It KEYCHAIN:FILE:/path
+On OS X this refers to an OS X keychain at the given path.
+.It PKCS11:/path/to/shared/object[,slot=NUMBER]
+Loads the given PKCS#11 provider object and uses the token at the
+given slot number, or else the first token found.
+.It NULL:
+An empty store.
+.It MEMORY:name
+An in-memory only, ephemeral store, usually never used in
+.NM 's
+commands.
+The MEMORY store name exists primarily for internal
+.Sq hx509
+APIs.
+.El
+.Pp
+Use the
+.Nm certificate-copy
+command to copy certificates from one store to another.
+This is useful for, e.g., converting DER files to PEM or
+vice-versa, removing private keys, adding certificate chains,
+and removing root certificates from chains.
+.Sh CERTIFICATES
+You can validate a certificate with the
+.Nm validate
+sub-command, or verify a certificate and its certification path
+with the
+.Nm verify
+sub-command.
+.Pp
+You can display a certificate using the
+.Nm print
+sub-command:
+.Pp
+.Nm print
+.Oo options Oc
+.Ar STORE
+.Pp
+Options:
+.Bl -tag -width Ds -offset indent
+.It Fl Fl content
+.It Fl Fl info
+.It Fl Fl never-fail
+.It Fl Fl pass=password
+.It Fl Fl raw-json
+.El
+.Pp
+The
+.Fl Fl pass=password
+option is for PKCS#8 (PEM), PKCS#12 and PKCS#11 stores, and if
+needed and not given, will be prompted for.
+Note that it's not secure to pass passwords as command-line
+arguments on multi-tenant systems.
+.Pp
+The
+.Fl Fl raw-json
+option prints the certificate(s) in the given
+.Ar STORE
+as a JSON dump of their DER using an experimental (i.e.,
+unstable) schema.
+.Sh KEYS
+The
+.Nm generate-key
+sub-command will generate a key.
+.Sh CERTIFICATE SIGNING REQUESTS
+The
+.Nm request-create
+sub-command will create a CSR, and has support for requesting
+subject alternative names and extended key usage extensions.
+See its
+.Fl Fl help
+option, and see
+.Sx EXAMPLES
+below.
+.Pp
+The
+.Nm request-print
+sub-command will display a CSR.
+.Sh CERTIFICATE ISSUANCE / CERTIFICATION AUTHORITY
+The
+.Nm certificate-sign
+sub-command will issue a certificate.
+See its usage message.
+.Sh ONLINE CERTIFICATE STATUS PROTOCOL
+The
+.Nm ocsp-fetch
+sub-command will fetch OCSP Responses for the given
+certificates.
+.Pp
+The
+.Nm ocsp-verify
+sub-command will verify OCSP Responses.
+.Pp
+The
+.Nm ocsp-print
+sub-command will display OCSP Responses.
+.Sh CERTIFICATE REVOCATION LIST
+The
+.Nm crl-sign
+sub-command will add certificates to a certificate revocation
+list.
+.Sh EXAMPLES
+Generate an RSA key:
+.Bd -literal -offset indent
+hxtool generate-key --type=rsa --key-bits=4096 PEM-FILE:key.pem
+.Ed
+.Pp
+Create a CSR (with an empty name) for some key:
+.Bd -literal -offset indent
+hxtool request-create --subject= --key=FILE:key.pem csr.der
+.Ed
+.Pp
+Generate a key and create a CSR (with an empty name) for it:
+.Bd -literal -offset indent
+hxtool request-create \\
+ --subject= \\
+ --generate-key=rsa \\
+ --key-bits=4096 \\
+ --key=FILE:key.pem \\
+ csr.der
+.Ed
+.Pp
+Generate a key and create a CSR with an empty name but also
+requesting a specific dNSName subject alternative name (SAN) for
+it:
+.Bd -literal -offset indent
+hxtool request-create \\
+ --subject= \\
+ --generate-key=rsa \\
+ --dnsname=foo.test.h5l.se \\
+ --key=FILE:key.pem \\
+ csr.der
+.Ed
+.Pp
+Print a CSR:
+.Bd -literal -offset indent
+hxtool request-print csr.der
+.Ed
+which outputs:
+.Bd -literal -offset indent
+request print
+PKCS#10 CertificationRequest:
+ name:
+ san: dNSName: foo.test.h5l.se
+.Ed
+.Pp
+Issue a end-entity certificate for an HTTPS server given a CSR:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --type=https-server \\
+ --subject= \\
+ --hostname=foo.test.h5l.se \\
+ --ca-certificate=FILE:cacert.pem \\
+ --ca-private-key=FILE:cakey.pem \\
+ --req=PKCS10:csr.der \\
+ --certificate=PEM-FILE:ee.pem
+.Ed
+.Pp
+Add a chain to a PEM file:
+.Bd -literal -offset indent
+hxtool copy-certificiate \\
+ --no-private-keys \\
+ --no-root-certs \\
+ FILE:ca.pem FILE:ee.pem
+.Ed
+.Pp
+Create a self-signed end-entity certificate for an HTTPS server:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --self-signed \\
+ --type=https-server \\
+ --subject= \\
+ --hostname=foo.test.h5l.se \\
+ --ca-private-key=FILE:key.pem \\
+ --certificate-private-key=FILE:key.pem \\
+ --certificate=PEM-FILE:cert.pem
+.Ed
+.Pp
+Create a root certification authority certificate:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --issue-ca \\
+ --self-signed \\
+ --subject=CN=SomeRootCA \\
+ --ca-private-key=FILE:rootkey.pem \\
+ --certificate=PEM-FILE:rootcert.pem
+.Ed
+.Pp
+Create an intermediate certification authority certificate from a
+CSR:
+.Bd -literal -offset indent
+hxtool issue-certificate \\
+ --type=https-server \\
+ --subject=CN=SomeIntermediateCA \\
+ --ca-certificate=FILE:parent-cert.pem \\
+ --ca-private-key=FILE:parent-key.pem \\
+ --req=PKCS10:csr.der \\
+ --certificate=PEM-FILE:intermediate.pem
+.Ed
+.Pp
+.Sh SEE ALSO
+.Xr openssl 1
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index af339c50acd4..9dbb5ccb1979 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -33,6 +33,7 @@
#include "hx_locl.h"
+#include <stdint.h>
#include <hxtool-commands.h>
#include <sl.h>
#include <rtbl.h>
@@ -75,6 +76,39 @@ lock_strings(hx509_lock lock, getarg_strings *pass)
}
}
+static char *
+fix_store_name(hx509_context contextp, const char *sn, const char *def_type)
+{
+ const char *residue = strchr(sn, ':');
+ char *s = NULL;
+
+ if (residue) {
+ s = estrdup(sn);
+ s[residue - sn] = '\0';
+ if (_hx509_ks_type(contextp, s)) {
+ free(s);
+ return estrdup(sn);
+ }
+ free(s);
+ s = NULL;
+ }
+ if (asprintf(&s, "%s:%s", def_type, sn) == -1 || s == NULL)
+ err(1, "Out of memory");
+ return s;
+}
+
+static char *
+fix_csr_name(const char *cn, const char *def_type)
+{
+ char *s = NULL;
+
+ if (strncmp(cn, "PKCS10:", sizeof("PKCS10:") - 1) == 0 || strchr(cn, ':'))
+ return estrdup(cn);
+ if (asprintf(&s, "%s:%s", def_type, cn) == -1 || s == NULL)
+ err(1, "Out of memory");
+ return s;
+}
+
/*
*
*/
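Review bot: `fix_csr_name` treats any colon anywhere in `cn` as an existing type prefix (`strchr(cn, ':')`), which makes the preceding `strncmp(cn, "PKCS10:", …)` test redundant and, unlike `fix_store_name` right above it, never checks that the text before the colon is a recognised type; a plain file name that happens to contain a colon is therefore passed through un-prefixed. Either mirror `fix_store_name` and only skip prefixing when the prefix is a known request type, or if the looser rule is intended, say so: `/* any "TYPE:" prefix is passed through unvalidated; only bare names get def_type */`. Both helpers exit via `err(1, …)` on allocation failure, which is fine for a command-line tool but worth a one-line comment on the function since they are called from library-style loops below.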
@@ -86,10 +120,13 @@ certs_strings(hx509_context contextp, const char *type, hx509_certs certs,
int i, ret;
for (i = 0; i < s->num_strings; i++) {
- ret = hx509_certs_append(contextp, certs, lock, s->strings[i]);
+ char *sn = fix_store_name(contextp, s->strings[i], "FILE");
+
+ ret = hx509_certs_append(contextp, certs, lock, sn);
if (ret)
hx509_err(contextp, 1, ret,
- "hx509_certs_append: %s %s", type, s->strings[i]);
+ "hx509_certs_append: %s %s", type, sn);
+ free(sn);
}
}
@@ -101,11 +138,19 @@ static void
parse_oid(const char *str, const heim_oid *def, heim_oid *oid)
{
int ret;
- if (str)
- ret = der_parse_heim_oid (str, " .", oid);
- else
+
+ if (str) {
+ const heim_oid *found = NULL;
+
+ ret = der_find_heim_oid_by_name(str, &found);
+ if (ret == 0)
+ ret = der_copy_oid(found, oid);
+ else
+ ret = der_parse_heim_oid(str, " .", oid);
+ } else {
ret = der_copy_oid(def, oid);
- if (ret)
+ }
+ if (ret)
errx(1, "parse_oid failed for: %s", str ? str : "default oid");
}
@@ -296,7 +341,10 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
{
char *str;
- der_print_heim_oid(&type, '.', &str);
+ if (opt->oid_sym_flag)
+ der_print_heim_oid_sym(&type, '.', &str);
+ else
+ der_print_heim_oid(&type, '.', &str);
printf("type: %s\n", str);
free(str);
der_free_oid(&type);
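Review bot: `str` is declared uninitialised and the return values of both `der_print_heim_oid_sym` and `der_print_heim_oid` are discarded (the old code already did this for the latter), so an allocation failure in either reaches `printf("type: %s\n", str)` with an indeterminate pointer. Assuming `der_print_heim_oid_sym` follows the int-returning convention of `der_print_heim_oid`, capture and check the result: `ret = opt->oid_sym_flag ? der_print_heim_oid_sym(&type, '.', &str) : der_print_heim_oid(&type, '.', &str);` followed by `if (ret) hx509_err(context, 1, ret, "der_print_heim_oid");`. `cms_verify_sd` starts and ends outside this hunk, so whether a suitable `ret` is already in scope cannot be confirmed from here.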
@@ -330,7 +378,7 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
return 0;
}
-static int
+static int HX509_LIB_CALL
print_signer(hx509_context contextp, void *ctx, hx509_cert cert)
{
hx509_pem_header **header = ctx;
@@ -365,17 +413,19 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
size_t sz;
void *p;
int ret, flags = 0;
- char *infile, *outfile = NULL;
+ const char *outfile = NULL;
+ char *infile, *freeme = NULL;
memset(&contentType, 0, sizeof(contentType));
infile = argv[0];
if (argc < 2) {
- ret = asprintf(&outfile, "%s.%s", infile,
+ ret = asprintf(&freeme, "%s.%s", infile,
opt->pem_flag ? "pem" : "cms-signeddata");
- if (ret == -1 || outfile == NULL)
+ if (ret == -1 || freeme == NULL)
errx(1, "out of memory");
+ outfile = freeme;
} else
outfile = argv[1];
@@ -502,6 +552,7 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
hx509_certs_free(&signer);
free(o.data);
+ free(freeme);
return 0;
}
@@ -669,7 +720,7 @@ print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose)
printf(" private key: %s\n",
_hx509_cert_private_key(cert) ? "yes" : "no");
- ret = hx509_print_cert(hxcontext, cert, NULL);
+ ret = hx509_print_cert(hxcontext, cert, stdout);
if (ret)
errx(1, "failed to print cert");
@@ -693,7 +744,7 @@ struct print_s {
int verbose;
};
-static int
+static int HX509_LIB_CALL
print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
{
struct print_s *s = ctx;
@@ -704,6 +755,24 @@ print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
return 0;
}
+static int HX509_LIB_CALL
+print_fjson(hx509_context hxcontext, void *ctx, hx509_cert cert)
+{
+ const Certificate *c = NULL;
+ char *json = NULL;
+
+ c = _hx509_get_cert(cert);
+ if (c)
+ json = print_Certificate(c, ASN1_PRINT_INDENT);
+ if (json)
+ printf("%s\n", json);
+ else
+ hx509_err(context, 1, errno, "Could not format certificate as JSON");
+ free(json);
+ return 0;
+}
+
+
int
pcert_print(struct print_options *opt, int argc, char **argv)
{
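Review bot: `print_fjson` reports both possible failures through `hx509_err(context, 1, errno, …)`, but when `_hx509_get_cert` returns NULL nothing in the function has set `errno`, so the message may carry a stale or zero error code; it also uses the global `context` and ignores its `hxcontext` parameter, unlike the sibling `print_f`. Separate the two cases and use the parameter: `if (c == NULL) errx(1, "certificate has no decoded Certificate");` and `if (json == NULL) hx509_err(hxcontext, 1, errno, "Could not format certificate as JSON");`. The `ctx` argument is unused here, which is fine since `pcert_print` passes the same `&s` to both callbacks, but a short `/* ctx unused */` would make that deliberate.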
@@ -718,8 +787,11 @@ pcert_print(struct print_options *opt, int argc, char **argv)
lock_strings(lock, &opt->pass_strings);
while(argc--) {
+ char *sn = fix_store_name(context, argv[0], "FILE");
int ret;
- ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
+
+ ret = hx509_certs_init(context, sn, 0, lock, &certs);
+ free(sn);
if (ret) {
if (opt->never_fail_flag) {
printf("ignoreing failure: %d\n", ret);
@@ -727,9 +799,13 @@ pcert_print(struct print_options *opt, int argc, char **argv)
}
hx509_err(context, 1, ret, "hx509_certs_init");
}
- if (opt->info_flag)
- hx509_certs_info(context, certs, NULL, NULL);
- hx509_certs_iter_f(context, certs, print_f, &s);
+ if (opt->raw_json_flag) {
+ hx509_certs_iter_f(context, certs, print_fjson, &s);
+ } else {
+ if (opt->info_flag)
+ hx509_certs_info(context, certs, NULL, NULL);
+ hx509_certs_iter_f(context, certs, print_f, &s);
+ }
hx509_certs_free(&certs);
argv++;
}
@@ -740,7 +816,7 @@ pcert_print(struct print_options *opt, int argc, char **argv)
}
-static int
+static int HX509_LIB_CALL
validate_f(hx509_context hxcontext, void *ctx, hx509_cert c)
{
hx509_validate_cert(hxcontext, ctx, c);
@@ -762,13 +838,16 @@ pcert_validate(struct validate_options *opt, int argc, char **argv)
hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE);
while(argc--) {
+ char *sn = fix_store_name(context, argv[0], "FILE");
int ret;
- ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
+
+ ret = hx509_certs_init(context, sn, 0, lock, &certs);
if (ret)
errx(1, "hx509_certs_init: %d", ret);
hx509_certs_iter_f(context, certs, validate_f, ctx);
hx509_certs_free(&certs);
argv++;
+ free(sn);
}
hx509_validate_ctx_free(ctx);
@@ -782,11 +861,27 @@ certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
{
hx509_certs certs;
hx509_lock inlock, outlock = NULL;
+ char *sn;
+ int flags = 0;
+ int store_flags = 0;
int ret;
hx509_lock_init(context, &inlock);
lock_strings(inlock, &opt->in_pass_strings);
+ if (!opt->root_certs_flag)
+ /*
+ * We're probably copying an EE cert, its issuer, and all intermediates
+ * up to and excluding the root.
+ */
+ store_flags |= HX509_CERTS_STORE_NO_ROOTS;
+
+ if (!opt->private_keys_flag) {
+ /* Neither read nor store private keys */
+ store_flags |= HX509_CERTS_NO_PRIVATE_KEYS;
+ flags |= HX509_CERTS_NO_PRIVATE_KEYS;
+ }
+
if (opt->out_pass_string) {
hx509_lock_init(context, &outlock);
ret = hx509_lock_command_string(outlock, opt->out_pass_string);
@@ -795,20 +890,53 @@ certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
opt->out_pass_string, ret);
}
- ret = hx509_certs_init(context, argv[argc - 1],
- HX509_CERTS_CREATE, inlock, &certs);
+ if (argc < 2)
+ errx(1, "hxtool copy-certificate requires at least two positional "
+ "arguments");
+
+ /*
+ * The _last_ positional argument is the destination store. Because we use
+ * HX509_CERTS_CREATE we'll ignore its contents and then truncate to write
+ * it (well, if it's a file; see key store plugins).
+ *
+ * But note that the truncation doesn't happen until we call
+ * hx509_certs_store(), which means we still have a chance to _read_ this
+ * store. That means that one can write this:
+ *
+ * hxtool cc FILE:b FILE:a FILE:b
+ *
+ * to notionally append FILE:a to FILE:b. Still, we'll have an option to
+ * do the append anyways:
+ *
+ * hxtool cc --append FILE:a FILE:b
+ */
+ sn = fix_store_name(context, argv[argc - 1], "FILE");
+ ret = hx509_certs_init(context, sn,
+ HX509_CERTS_CREATE | flags, inlock, &certs);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_init");
+ hx509_err(context, 1, ret, "hx509_certs_init %s", sn);
+
+ if (opt->append_flag) {
+ /* Append == read the certs in the dst prior to doing anything else */
+ ret = hx509_certs_append(context, certs, inlock, sn);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_certs_append %s", sn);
+ }
+ free(sn);
+ /*
+ * Read all the certificate stores in all but the last positional argument.
+ */
while(argc-- > 1) {
- int retx;
- retx = hx509_certs_append(context, certs, inlock, argv[0]);
- if (retx)
- hx509_err(context, 1, retx, "hx509_certs_append");
+ sn = fix_store_name(context, argv[0], "FILE");
+ ret = hx509_certs_append(context, certs, inlock, sn);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_certs_append %s", sn);
+ free(sn);
argv++;
}
- ret = hx509_certs_store(context, certs, 0, outlock);
+ ret = hx509_certs_store(context, certs, store_flags, outlock);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_store");
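Review bot: With `--append` the existing destination store is re-read via `hx509_certs_append(context, certs, inlock, sn)`, yet the destination's password is the one supplied by `--out-pass` and placed in `outlock` a few lines above, so for a password-protected destination (PKCS#12, PKCS#8 PEM) the read will try the input passwords or prompt rather than use the password the user gave for that store. If the library accepts it, `hx509_certs_append(context, certs, outlock ? outlock : inlock, sn)` would read the destination with its own credentials. Separately, the new error message names the command `hxtool copy-certificate`, but the command registered in hxtool-commands.in in this same change is `certificate-copy` (alias `cc`), so the text should say `"hxtool certificate-copy requires at least two positional arguments"`.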
@@ -827,7 +955,7 @@ struct verify {
int count;
};
-static int
+static int HX509_LIB_CALL
verify_f(hx509_context hxcontext, void *ctx, hx509_cert c)
{
struct verify *v = ctx;
@@ -913,29 +1041,35 @@ pcert_verify(struct verify_options *opt, int argc, char **argv)
errx(1, "hx509_revoke_init: %d", ret);
while(argc--) {
- char *s = *argv++;
+ const char *s = *argv++;
+ char *sn = NULL;
if (strncmp(s, "chain:", 6) == 0) {
s += 6;
- ret = hx509_certs_append(context, chain, NULL, s);
+ sn = fix_store_name(context, s, "FILE");
+ ret = hx509_certs_append(context, chain, NULL, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret);
+ hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d",
+ sn, ret);
} else if (strncmp(s, "anchor:", 7) == 0) {
s += 7;
- ret = hx509_certs_append(context, anchors, NULL, s);
+ sn = fix_store_name(context, s, "FILE");
+ ret = hx509_certs_append(context, anchors, NULL, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret);
+ hx509_err(context, 1, ret,
+ "hx509_certs_append: anchor: %s: %d", sn, ret);
} else if (strncmp(s, "cert:", 5) == 0) {
s += 5;
- ret = hx509_certs_append(context, certs, NULL, s);
+ sn = fix_store_name(context, s, "FILE");
+ ret = hx509_certs_append(context, certs, NULL, sn);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d",
- s, ret);
+ sn, ret);
} else if (strncmp(s, "crl:", 4) == 0) {
s += 4;
@@ -944,7 +1078,7 @@ pcert_verify(struct verify_options *opt, int argc, char **argv)
if (ret)
errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
- } else if (strncmp(s, "ocsp:", 4) == 0) {
+ } else if (strncmp(s, "ocsp:", 5) == 0) {
s += 5;
ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
@@ -954,6 +1088,7 @@ pcert_verify(struct verify_options *opt, int argc, char **argv)
} else {
errx(1, "unknown option to verify: `%s'\n", s);
}
+ free(sn);
}
hx509_verify_attach_anchors(ctx, anchors);
@@ -1006,10 +1141,12 @@ query(struct query_options *opt, int argc, char **argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
while (argc > 0) {
+ char *sn = fix_store_name(context, argv[0], "FILE");
- ret = hx509_certs_append(context, certs, lock, argv[0]);
+ ret = hx509_certs_append(context, certs, lock, sn);
if (ret)
- errx(1, "hx509_certs_append: %s: %d", argv[0], ret);
+ errx(1, "hx509_certs_append: %s: %d", sn, ret);
+ free(sn);
argc--;
argv++;
@@ -1092,9 +1229,12 @@ ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
for (i = 1; i < argc; i++) {
- ret = hx509_certs_append(context, reqcerts, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+
+ ret = hx509_certs_append(context, reqcerts, lock, sn);
if (ret)
- errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
+ errx(1, "hx509_certs_append: req: %s: %d", sn, ret);
+ free(sn);
}
ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
@@ -1155,7 +1295,7 @@ revoke_print(struct revoke_print_options *opt, int argc, char **argv)
if (ret)
errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
- } else if (strncmp(s, "ocsp:", 4) == 0) {
+ } else if (strncmp(s, "ocsp:", 5) == 0) {
s += 5;
ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
@@ -1171,6 +1311,7 @@ revoke_print(struct revoke_print_options *opt, int argc, char **argv)
if (ret)
warnx("hx509_revoke_print: %d", ret);
+ hx509_revoke_free(&revoke_ctx);
return ret;
}
@@ -1178,7 +1319,7 @@ revoke_print(struct revoke_print_options *opt, int argc, char **argv)
*
*/
-static int
+static int HX509_LIB_CALL
verify_o(hx509_context hxcontext, void *ctx, hx509_cert c)
{
heim_octet_string *os = ctx;
@@ -1219,9 +1360,12 @@ ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
for (i = 0; i < argc; i++) {
- ret = hx509_certs_append(context, certs, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+
+ ret = hx509_certs_append(context, certs, lock, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
+ hx509_err(context, 1, ret, "hx509_certs_append: %s", sn);
+ free(sn);
}
ret = hx509_certs_iter_f(context, certs, verify_o, &os);
@@ -1238,20 +1382,22 @@ read_private_key(const char *fn, hx509_private_key *key)
{
hx509_private_key *keys;
hx509_certs certs;
+ char *sn = fix_store_name(context, fn, "FILE");
int ret;
*key = NULL;
- ret = hx509_certs_init(context, fn, 0, NULL, &certs);
+ ret = hx509_certs_init(context, sn, 0, NULL, &certs);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_init: %s", fn);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = _hx509_certs_keys_get(context, certs, &keys);
hx509_certs_free(&certs);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_keys_get");
if (keys[0] == NULL)
- errx(1, "no keys in key store: %s", fn);
+ errx(1, "no keys in key store: %s", sn);
+ free(sn);
*key = _hx509_private_key_ref(keys[0]);
_hx509_certs_keys_free(context, keys);
@@ -1263,57 +1409,71 @@ static void
get_key(const char *fn, const char *type, int optbits,
hx509_private_key *signer)
{
- int ret;
+ int ret = 0;
if (type) {
- BIGNUM *e;
- RSA *rsa;
- unsigned char *p0, *p;
- size_t len;
- int bits = 1024;
-
- if (fn == NULL)
- errx(1, "no key argument, don't know here to store key");
+ struct hx509_generate_private_context *gen_ctx = NULL;
if (strcasecmp(type, "rsa") != 0)
errx(1, "can only handle rsa keys for now");
- e = BN_new();
- BN_set_word(e, 0x10001);
-
- if (optbits)
- bits = optbits;
-
- rsa = RSA_new();
- if(rsa == NULL)
- errx(1, "RSA_new failed");
-
- ret = RSA_generate_key_ex(rsa, bits, e, NULL);
- if(ret != 1)
- errx(1, "RSA_new failed");
-
- BN_free(e);
-
- len = i2d_RSAPrivateKey(rsa, NULL);
-
- p0 = p = malloc(len);
- if (p == NULL)
- errx(1, "out of memory");
-
- i2d_RSAPrivateKey(rsa, &p);
-
- rk_dumpdata(fn, p0, len);
- memset(p0, 0, len);
- free(p0);
-
- RSA_free(rsa);
+ ret = _hx509_generate_private_key_init(context,
+ ASN1_OID_ID_PKCS1_RSAENCRYPTION,
+ &gen_ctx);
+ if (ret == 0)
+ ret = _hx509_generate_private_key_bits(context, gen_ctx, optbits);
+ if (ret == 0)
+ ret = _hx509_generate_private_key(context, gen_ctx, signer);
+ _hx509_generate_private_key_free(&gen_ctx);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to generate private key of type %s", type);
+
+ if (fn) {
+ char *sn = fix_store_name(context, fn, "FILE");
+ hx509_certs certs = NULL;
+ hx509_cert cert = NULL;
+
+ cert = hx509_cert_init_private_key(context, *signer, NULL);
+ if (cert)
+ ret = hx509_certs_init(context, sn,
+ HX509_CERTS_CREATE |
+ HX509_CERTS_UNPROTECT_ALL,
+ NULL, &certs);
+ if (ret == 0)
+ ret = hx509_certs_add(context, certs, cert);
+ if (ret == 0)
+ ret = hx509_certs_store(context, certs, 0, NULL);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to store generated private "
+ "key in %s", sn);
+
+ if (certs)
+ hx509_certs_free(&certs);
+ if (cert)
+ hx509_cert_free(cert);
+ free(sn);
+ }
+ } else {
+ if (fn == NULL)
+ err(1, "no private key");
+ ret = read_private_key(fn, signer);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to read private key from %s",
+ fn);
+ }
+}
- } else if (fn == NULL)
- err(1, "no private key");
+int
+generate_key(struct generate_key_options *opt, int argc, char **argv)
+{
+ hx509_private_key signer;
+ const char *type = opt->type_string ? opt->type_string : "rsa";
+ int bits = opt->key_bits_integer ? opt->key_bits_integer : 2048;
- ret = read_private_key(fn, signer);
- if (ret)
- err(1, "read_private_key");
+ memset(&signer, 0, sizeof(signer));
+ get_key(argv[0], type, bits, &signer);
+ hx509_private_key_free(&signer);
+ return 0;
}
int
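Review bot: In get_key's new store-writing branch, `if (cert) ret = hx509_certs_init(...)` leaves ret at 0 when hx509_cert_init_private_key() returns NULL, so execution falls through into hx509_certs_add(context, NULL, NULL) and hx509_certs_store() on a NULL store instead of reporting the failure. Add `if (cert == NULL) hx509_err(context, 1, ENOMEM, "hx509_cert_init_private_key");` before the hx509_certs_init call (or set ret there) so the error path is explicit. The store is also created with HX509_CERTS_UNPROTECT_ALL, which judging by its name writes the freshly generated key without passphrase protection; a one-line comment at that call saying so would save the next reader from having to check, since the removed code made the plaintext handling (`memset(p0, 0, len)`) visible and the new code does not.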
@@ -1334,7 +1494,9 @@ request_create(struct request_create_options *opt, int argc, char **argv)
opt->key_bits_integer,
&signer);
- hx509_request_init(context, &req);
+ ret = hx509_request_init(context, &req);
+ if (ret)
+ hx509_err(context, 1, ret, "Could not initialize CSR context");
if (opt->subject_string) {
hx509_name name = NULL;
@@ -1348,24 +1510,66 @@ request_create(struct request_create_options *opt, int argc, char **argv)
char *s;
hx509_name_to_string(name, &s);
printf("%s\n", s);
+ free(s);
}
hx509_name_free(&name);
}
for (i = 0; i < opt->email_strings.num_strings; i++) {
- ret = _hx509_request_add_email(context, req,
- opt->email_strings.strings[i]);
+ ret = hx509_request_add_email(context, req,
+ opt->email_strings.strings[i]);
if (ret)
hx509_err(context, 1, ret, "hx509_request_add_email");
}
+ for (i = 0; i < opt->jid_strings.num_strings; i++) {
+ ret = hx509_request_add_xmpp_name(context, req,
+ opt->jid_strings.strings[i]);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_xmpp_name");
+ }
+
for (i = 0; i < opt->dnsname_strings.num_strings; i++) {
- ret = _hx509_request_add_dns_name(context, req,
- opt->dnsname_strings.strings[i]);
+ ret = hx509_request_add_dns_name(context, req,
+ opt->dnsname_strings.strings[i]);
if (ret)
hx509_err(context, 1, ret, "hx509_request_add_dns_name");
}
+ for (i = 0; i < opt->kerberos_strings.num_strings; i++) {
+ ret = hx509_request_add_pkinit(context, req,
+ opt->kerberos_strings.strings[i]);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_pkinit");
+ }
+
+ for (i = 0; i < opt->ms_kerberos_strings.num_strings; i++) {
+ ret = hx509_request_add_ms_upn_name(context, req,
+ opt->ms_kerberos_strings.strings[i]);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_ms_upn_name");
+ }
+
+ for (i = 0; i < opt->registered_strings.num_strings; i++) {
+ heim_oid oid;
+
+ parse_oid(opt->registered_strings.strings[i], NULL, &oid);
+ ret = hx509_request_add_registered(context, req, &oid);
+ der_free_oid(&oid);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_registered");
+ }
+
+ for (i = 0; i < opt->eku_strings.num_strings; i++) {
+ heim_oid oid;
+
+ parse_oid(opt->eku_strings.strings[i], NULL, &oid);
+ ret = hx509_request_add_eku(context, req, &oid);
+ der_free_oid(&oid);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_eku");
+ }
+
ret = hx509_private_key2SPKI(context, signer, &key);
if (ret)
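Review bot: The added `free(s)` in the subject-print block frees a pointer that hx509_name_to_string() may never have set: `char *s;` is uninitialized and the return value is unchecked, so on failure both the existing printf and the new free operate on an indeterminate pointer. Initialize and check it, e.g. `char *s = NULL;` followed by `ret = hx509_name_to_string(name, &s); if (ret) hx509_err(context, 1, ret, "hx509_name_to_string");`. The registered/eku loops likewise use parse_oid() without looking at its result; if it does not exit on failure (its definition is not in this hunk), the subsequent hx509_request_add_* calls would receive an unset heim_oid.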
@@ -1378,12 +1582,12 @@ request_create(struct request_create_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");
- ret = _hx509_request_to_pkcs10(context,
- req,
- signer,
- &request);
+ ret = hx509_request_to_pkcs10(context,
+ req,
+ signer,
+ &request);
if (ret)
- hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
+ hx509_err(context, 1, ret, "hx509_request_to_pkcs10");
hx509_private_key_free(&signer);
hx509_request_free(&req);
@@ -1404,15 +1608,17 @@ request_print(struct request_print_options *opt, int argc, char **argv)
for (i = 0; i < argc; i++) {
hx509_request req;
+ char *cn = fix_csr_name(argv[i], "PKCS10");
- ret = _hx509_request_parse(context, argv[i], &req);
+ ret = hx509_request_parse(context, cn, &req);
if (ret)
- hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
+ hx509_err(context, 1, ret, "parse_request: %s", cn);
- ret = _hx509_request_print(context, req, stdout);
+ ret = hx509_request_print(context, req, stdout);
hx509_request_free(&req);
if (ret)
- hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
+ hx509_err(context, 1, ret, "Failed to print file %s", cn);
+ free(cn);
}
return 0;
@@ -1455,13 +1661,16 @@ int
random_data(void *opt, int argc, char **argv)
{
void *ptr;
- int len, ret;
+ ssize_t len;
+ int64_t bytes;
+ int ret;
- len = parse_bytes(argv[0], "byte");
- if (len <= 0) {
+ bytes = parse_bytes(argv[0], "byte");
+ if (bytes <= 0 || bytes > SSIZE_MAX) {
fprintf(stderr, "bad argument to random-data\n");
return 1;
}
+ len = bytes;
ptr = malloc(len);
if (ptr == NULL) {
@@ -1510,7 +1719,10 @@ crypto_available(struct crypto_available_options *opt, int argc, char **argv)
for (i = 0; i < len; i++) {
char *s;
- der_print_heim_oid (&val[i].algorithm, '.', &s);
+ if (opt->oid_syms_flag)
+ der_print_heim_oid_sym(&val[i].algorithm, '.', &s);
+ else
+ der_print_heim_oid(&val[i].algorithm, '.', &s);
printf("%s\n", s);
free(s);
}
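Review bot: Neither branch of the new if/else checks the return of der_print_heim_oid_sym() or der_print_heim_oid(), and `char *s;` is uninitialized, so on a formatting failure `printf("%s\n", s)` and `free(s)` act on an indeterminate pointer; the same pattern is in the crypto_select hunk below. hxtool_list_oids later in this diff does check the return (`if ((errno = der_print_heim_oid_sym(oid, '.', &s)) > 0) err(...)`), so the two loops should do the same: initialize `s = NULL`, capture the return of whichever printer was chosen, and call hx509_err() when it is non-zero.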
@@ -1546,7 +1758,10 @@ crypto_select(struct crypto_select_options *opt, int argc, char **argv)
if (ret)
errx(1, "hx509_crypto_available");
- der_print_heim_oid (&selected.algorithm, '.', &s);
+ if (opt->oid_sym_flag)
+ der_print_heim_oid_sym(&selected.algorithm, '.', &s);
+ else
+ der_print_heim_oid(&selected.algorithm, '.', &s);
printf("%s\n", s);
free(s);
free_AlgorithmIdentifier(&selected);
@@ -1602,6 +1817,16 @@ https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt
}
static int
+https_negotiate_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+{
+ int ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
+ if (ret == 0)
+ ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
+ opt->pkinit++;
+ return ret;
+}
+
+static int
https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
{
return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);
@@ -1631,7 +1856,7 @@ pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *op
if (ret)
return ret;
- ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_ms_client_authentication);
+ ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_clientAuth);
if (ret)
return ret;
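Review bot: The rewritten EKU line still passes the global `context` while the function takes `contextp`, unlike https_client() and https_negotiate_server() in the hunk above, which use the parameter; `ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);` keeps pkinit_client consistent with its siblings. The rest of pkinit_client's body lies outside the hunk.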
@@ -1675,6 +1900,11 @@ struct {
pkinit_kdc
},
{
+ "https-negotiate-server",
+ "Used for HTTPS server and many other TLS server certificate types",
+ https_negotiate_server
+ },
+ {
"peap-server",
"Certificate used for Radius PEAP (Protected EAP)",
peap_server
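Review bot: The description string "Used for HTTPS server and many other TLS server certificate types" understates what this type does: https_negotiate_server() (earlier hunk) adds asn1_oid_id_pkekuoid in addition to serverAuth and increments opt->pkinit, which presumably flags the certificate as PKINIT/KDC-capable. An operator choosing the type from the help output would not learn that a KDC-usable EKU is being issued, which matters when deciding who may hold the key. Suggest wording such as `"HTTPS/TLS server certificate that also carries the PKINIT KDC EKU"`, adjusted to whatever asn1_oid_id_pkekuoid actually denotes.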
@@ -1761,6 +1991,14 @@ eval_types(hx509_context contextp,
hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
}
+ for (i = 0; i < opt->dnssrv_strings.num_strings; i++) {
+ const char *dnssrv = opt->dnssrv_strings.strings[i];
+
+ ret = hx509_ca_tbs_add_san_dnssrv(contextp, tbs, dnssrv);
+ if (ret)
+ hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_dnssrv");
+ }
+
for (i = 0; i < opt->email_strings.num_strings; i++) {
const char *email = opt->email_strings.strings[i];
@@ -1793,8 +2031,11 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_private_key cert_key = NULL;
hx509_name subject = NULL;
SubjectPublicKeyInfo spki;
+ heim_oid oid;
+ size_t i;
int delta = 0;
+ memset(&oid, 0, sizeof(oid));
memset(&spki, 0, sizeof(spki));
if (opt->ca_certificate_string == NULL && !opt->self_signed_flag)
@@ -1804,10 +2045,8 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->certificate_string == NULL)
errx(1, "--certificate argument missing");
- if (opt->template_certificate_string) {
- if (opt->template_fields_string == NULL)
- errx(1, "--template-certificate not no --template-fields");
- }
+ if (opt->template_certificate_string && opt->template_fields_string == NULL)
+ errx(1, "--template-certificate used but no --template-fields given");
if (opt->lifetime_string) {
delta = parse_time(opt->lifetime_string, "day");
@@ -1818,12 +2057,11 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->ca_certificate_string) {
hx509_certs cacerts = NULL;
hx509_query *q;
+ char *sn = fix_store_name(context, opt->ca_certificate_string, "FILE");
- ret = hx509_certs_init(context, opt->ca_certificate_string, 0,
- NULL, &cacerts);
+ ret = hx509_certs_init(context, sn, 0, NULL, &cacerts);
if (ret)
- hx509_err(context, 1, ret,
- "hx509_certs_init: %s", opt->ca_certificate_string);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = hx509_query_alloc(context, &q);
if (ret)
@@ -1838,6 +2076,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_certs_free(&cacerts);
if (ret)
hx509_err(context, 1, ret, "no CA certificate found");
+ free(sn);
} else if (opt->self_signed_flag) {
if (opt->generate_key_string == NULL
&& opt->ca_private_key_string == NULL)
@@ -1864,10 +2103,16 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->req_string) {
hx509_request req;
+ char *cn = fix_csr_name(opt->req_string, "PKCS10");
- ret = _hx509_request_parse(context, opt->req_string, &req);
+ /*
+ * Extract the CN and other attributes we want to preserve from the
+ * requested subjectName and then set them in the hx509_env for the
+ * template.
+ */
+ ret = hx509_request_parse(context, cn, &req);
if (ret)
- hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
+ hx509_err(context, 1, ret, "parse_request: %s", cn);
ret = hx509_request_get_name(context, req, &subject);
if (ret)
hx509_err(context, 1, ret, "get name");
@@ -1875,42 +2120,37 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "get spki");
hx509_request_free(&req);
+ free(cn);
}
if (opt->generate_key_string) {
- struct hx509_generate_private_context *keyctx;
+ /*
+ * Note that we used to set isCA in the key gen context. Now that we
+ * use get_key() we no longer set isCA in the key gen context. But
+ * nothing uses that field of the key gen context.
+ */
+ get_key(opt->certificate_private_key_string,
+ opt->generate_key_string,
+ opt->key_bits_integer,
+ &cert_key);
- ret = _hx509_generate_private_key_init(context,
- &asn1_oid_id_pkcs1_rsaEncryption,
- &keyctx);
+ ret = hx509_private_key2SPKI(context, cert_key, &spki);
if (ret)
- hx509_err(context, 1, ret, "generate private key");
-
- if (opt->issue_ca_flag)
- _hx509_generate_private_key_is_ca(context, keyctx);
-
- if (opt->key_bits_integer)
- _hx509_generate_private_key_bits(context, keyctx,
- opt->key_bits_integer);
+ errx(1, "hx509_private_key2SPKI: %d\n", ret);
- ret = _hx509_generate_private_key(context, keyctx,
- &cert_key);
- _hx509_generate_private_key_free(&keyctx);
+ if (opt->self_signed_flag)
+ private_key = cert_key;
+ } else if (opt->certificate_private_key_string) {
+ ret = read_private_key(opt->certificate_private_key_string, &cert_key);
if (ret)
- hx509_err(context, 1, ret, "generate private key");
+ err(1, "read_private_key for certificate");
ret = hx509_private_key2SPKI(context, cert_key, &spki);
if (ret)
errx(1, "hx509_private_key2SPKI: %d\n", ret);
- if (opt->self_signed_flag)
- private_key = cert_key;
- }
-
- if (opt->certificate_private_key_string) {
- ret = read_private_key(opt->certificate_private_key_string, &cert_key);
- if (ret)
- err(1, "read_private_key for certificate");
+ if (opt->self_signed_flag)
+ private_key = cert_key;
}
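Review bot: The new `errx(1, "hx509_private_key2SPKI: %d\n", ret);` embeds a newline (errx appends its own, yielding a blank line) and prints a bare numeric code, while the surrounding code reports library errors through hx509_err(); `hx509_err(context, 1, ret, "hx509_private_key2SPKI");` fits both this line and the identical pre-existing one a few lines below. The comment block about isCA explains history rather than current behavior; shortening it to the one fact a reader needs ("isCA is no longer set on the key-gen context; nothing consumed it") would keep the intent without the narrative.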
if (opt->subject_string) {
@@ -1929,6 +2169,30 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_ca_tbs_init");
+ for (i = 0; i < opt->eku_strings.num_strings; i++) {
+ parse_oid(opt->eku_strings.strings[i], NULL, &oid);
+ ret = hx509_ca_tbs_add_eku(context, tbs, &oid);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_eku");
+ der_free_oid(&oid);
+ }
+ if (opt->ku_strings.num_strings) {
+ const struct units *kus = asn1_KeyUsage_units();
+ const struct units *kup;
+ uint64_t n = 0;
+
+ for (i = 0; i < opt->ku_strings.num_strings; i++) {
+ for (kup = kus; kup->name; kup++) {
+ if (strcmp(kup->name, opt->ku_strings.strings[i]))
+ continue;
+ n |= kup->mult;
+ break;
+ }
+ }
+ ret = hx509_ca_tbs_add_ku(context, tbs, int2KeyUsage(n));
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_request_add_ku");
+ }
if (opt->signature_algorithm_string) {
const AlgorithmIdentifier *sigalg;
if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
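Review bot: The two new error messages name the wrong functions: the calls are hx509_ca_tbs_add_eku() and hx509_ca_tbs_add_ku(), but the messages say `"hx509_request_add_eku"` and `"hx509_request_add_ku"`, which will send anyone debugging a failed `hxtool ca` to the CSR code. In the --ku loop, a name that matches no entry in asn1_KeyUsage_units() is silently dropped (the inner for falls off the end and the outer loop continues), so a mistyped key-usage yields a certificate missing that bit with exit status 0; acert1_kus later in this diff at least warns on unknown names. Add `if (kup->name == NULL) errx(1, "unknown key usage: %s", opt->ku_strings.strings[i]);` after the inner loop and fix the two message strings.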
@@ -1943,13 +2207,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (opt->template_certificate_string) {
hx509_cert template;
hx509_certs tcerts;
+ char *sn = fix_store_name(context, opt->template_certificate_string,
+ "FILE");
int flags;
- ret = hx509_certs_init(context, opt->template_certificate_string, 0,
- NULL, &tcerts);
+ ret = hx509_certs_init(context, sn, 0, NULL, &tcerts);
if (ret)
- hx509_err(context, 1, ret,
- "hx509_certs_init: %s", opt->template_certificate_string);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = hx509_get_one_cert(context, tcerts, &template);
@@ -1965,6 +2229,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_err(context, 1, ret, "hx509_ca_tbs_set_template");
hx509_cert_free(template);
+ free(sn);
}
if (opt->serial_number_string) {
@@ -2001,6 +2266,62 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
eval_types(context, tbs, opt);
+ if (opt->permanent_id_string) {
+ ret = hx509_ca_tbs_add_san_permanentIdentifier_string(context, tbs,
+ opt->permanent_id_string);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_permanentIdentifier");
+ }
+
+ if (opt->hardware_module_name_string) {
+ ret = hx509_ca_tbs_add_san_hardwareModuleName_string(context, tbs,
+ opt->hardware_module_name_string);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hardwareModuleName_string");
+ }
+
+ for (i = 0; ret == 0 && i < opt->policy_strings.num_strings; i++) {
+ char *oidstr, *uri, *dt;
+
+ if ((oidstr = strdup(opt->policy_strings.strings[i])) == NULL)
+ hx509_err(context, 1, ENOMEM, "out of memory");
+ uri = strchr(oidstr, ':');
+ if (uri)
+ *(uri++) = '\0';
+ dt = strchr(uri ? uri : "", ' ');
+ if (dt)
+ *(dt++) = '\0';
+
+ parse_oid(oidstr, NULL, &oid);
+ ret = hx509_ca_tbs_add_pol(context, tbs, &oid, uri, dt);
+ der_free_oid(&oid);
+ free(oidstr);
+ }
+
+ for (i = 0; ret == 0 && i < opt->policy_mapping_strings.num_strings; i++) {
+ char *issuer_oidstr, *subject_oidstr;
+ heim_oid issuer_oid, subject_oid;
+
+ if ((issuer_oidstr =
+ strdup(opt->policy_mapping_strings.strings[i])) == NULL)
+ hx509_err(context, 1, ENOMEM, "out of memory");
+ subject_oidstr = strchr(issuer_oidstr, ':');
+ if (subject_oidstr == NULL)
+ subject_oidstr = issuer_oidstr;
+ else
+ *(subject_oidstr++) = '\0';
+
+ parse_oid(issuer_oidstr, NULL, &issuer_oid);
+ parse_oid(subject_oidstr, NULL, &subject_oid);
+ ret = hx509_ca_tbs_add_pol_mapping(context, tbs, &issuer_oid,
+ &subject_oid);
+ if (ret)
+ hx509_err(context, 1, ret, "failed to add policy mapping");
+ der_free_oid(&issuer_oid);
+ der_free_oid(&subject_oid);
+ free(issuer_oidstr);
+ }
+
if (opt->issue_ca_flag) {
ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
if (ret)
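Review bot: A failure from hx509_ca_tbs_add_pol() is never reported: the `ret == 0 &&` loop condition stops the --policy loop, but nothing checks ret afterwards, and the next assignment (hx509_ca_tbs_set_ca() just below, or later calls) overwrites it, so the certificate is issued without the requested policy and the command still exits 0. The --policy-mapping loop directly beneath does call hx509_err() on failure; the policy loop should match it with `if (ret) hx509_err(context, 1, ret, "hx509_ca_tbs_add_pol");` after `free(oidstr);`, which also makes the `ret == 0` guards in both loop headers unnecessary. The der_free_oid/free cleanup order before that check is fine since hx509_err exits.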
@@ -2022,6 +2343,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime");
}
+ if (opt->pkinit_max_life_string) {
+ time_t t = parse_time(opt->pkinit_max_life_string, "s");
+
+ ret = hx509_ca_tbs_set_pkinit_max_life(context, tbs, t);
+ if (ret)
+ hx509_err(context, 1, ret, "hx509_ca_tbs_set_pkinit_max_life");
+ }
if (opt->self_signed_flag) {
ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
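Review bot: `time_t t = parse_time(opt->pkinit_max_life_string, "s");` is passed straight to hx509_ca_tbs_set_pkinit_max_life() with no validity check; ptime() later in this diff treats a -1 return from the same parse_time() as a parse failure, so if that convention holds here a malformed value would be set as a max life of (time_t)-1 rather than rejected. Add `if (t == -1) errx(1, "invalid pkinit max life: %s", opt->pkinit_max_life_string);` before the set call. hxtool_ca's body continues outside the hunk.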
@@ -2033,7 +2361,31 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_err(context, 1, ret, "hx509_ca_sign");
}
- if (cert_key) {
+ /* Copy the private key to the output store, maybe */
+ if (cert_key && opt->generate_key_string &&
+ !opt->certificate_private_key_string) {
+ /*
+ * Yes: because we're generating the key and --certificate-private-key
+ * was not given.
+ */
+ ret = _hx509_cert_assign_key(cert, cert_key);
+ if (ret)
+ hx509_err(context, 1, ret, "_hx509_cert_assign_key");
+ } else if (opt->certificate_private_key_string && opt->certificate_string &&
+ strcmp(opt->certificate_private_key_string,
+ opt->certificate_string) == 0) {
+ /*
+ * Yes: because we're re-writing the store whence the private key. We
+ * would lose the key otherwise.
+ */
+ ret = _hx509_cert_assign_key(cert, cert_key);
+ if (ret)
+ hx509_err(context, 1, ret, "_hx509_cert_assign_key");
+ } else if (opt->self_signed_flag && opt->ca_private_key_string &&
+ opt->certificate_string &&
+ strcmp(opt->ca_private_key_string,
+ opt->certificate_string) == 0) {
+ /* Yes: same as preceding */
ret = _hx509_cert_assign_key(cert, cert_key);
if (ret)
hx509_err(context, 1, ret, "_hx509_cert_assign_key");
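Review bot: The third branch (self-signed, --ca-private-key equal to --certificate) calls `_hx509_cert_assign_key(cert, cert_key)`, but within this diff cert_key is only set when --generate-key or --certificate-private-key is given; when neither is, cert_key is NULL and the former `if (cert_key)` guard that would have skipped the call is gone. Since the comment says the intent is to keep the CA key that lives in the store being rewritten, the key to assign there is presumably private_key (read from ca_private_key_string outside this hunk), i.e. `ret = _hx509_cert_assign_key(cert, private_key);`, or at minimum the condition should include `cert_key &&`. The "Yes: same as preceding" comment would then also need to say which key is meant.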
@@ -2041,9 +2393,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
{
hx509_certs certs;
+ char *sn = fix_store_name(context, opt->certificate_string, "FILE");
- ret = hx509_certs_init(context, opt->certificate_string,
- HX509_CERTS_CREATE, NULL, &certs);
+ ret = hx509_certs_init(context, sn, HX509_CERTS_CREATE, NULL, &certs);
if (ret)
hx509_err(context, 1, ret, "hx509_certs_init");
@@ -2056,6 +2408,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
hx509_err(context, 1, ret, "hx509_certs_store");
hx509_certs_free(&certs);
+ free(sn);
}
if (subject)
@@ -2074,7 +2427,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
return 0;
}
-static int
+static int HX509_LIB_CALL
test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert)
{
heim_octet_string sd, c;
@@ -2119,9 +2472,11 @@ test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
for (i = 0; i < argc; i++) {
- ret = hx509_certs_append(context, certs, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+ ret = hx509_certs_append(context, certs, lock, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append");
+ hx509_err(context, 1, ret, "hx509_certs_append %s", sn);
+ free(sn);
}
ret = hx509_verify_init_ctx(context, &vctx);
@@ -2135,6 +2490,7 @@ test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
hx509_err(context, 1, ret, "hx509_cert_iter");
hx509_certs_free(&certs);
+ hx509_verify_destroy_ctx(vctx);
return 0;
}
@@ -2180,12 +2536,11 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
{
hx509_certs certs = NULL;
hx509_query *q;
+ char *sn = fix_store_name(context, opt->signer_string, "FILE");
- ret = hx509_certs_init(context, opt->signer_string, 0,
- NULL, &certs);
+ ret = hx509_certs_init(context, sn, 0, NULL, &certs);
if (ret)
- hx509_err(context, 1, ret,
- "hx509_certs_init: %s", opt->signer_string);
+ hx509_err(context, 1, ret, "hx509_certs_init: %s", sn);
ret = hx509_query_alloc(context, &q);
if (ret)
@@ -2198,6 +2553,7 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
hx509_certs_free(&certs);
if (ret)
hx509_err(context, 1, ret, "no signer certificate found");
+ free(sn);
}
if (opt->lifetime_string) {
@@ -2221,9 +2577,12 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
"hx509_certs_init: MEMORY cert");
for (i = 0; i < argc; i++) {
- ret = hx509_certs_append(context, revoked, lock, argv[i]);
+ char *sn = fix_store_name(context, argv[i], "FILE");
+
+ ret = hx509_certs_append(context, revoked, lock, sn);
if (ret)
- hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
+ hx509_err(context, 1, ret, "hx509_certs_append: %s", sn);
+ free(sn);
}
hx509_crl_add_revoked_certs(context, crl, revoked);
@@ -2244,6 +2603,582 @@ crl_sign(struct crl_sign_options *opt, int argc, char **argv)
return 0;
}
+int
+hxtool_list_oids(void *opt, int argc, char **argv)
+{
+ const heim_oid *oid;
+ int cursor = -1;
+
+ while (der_match_heim_oid_by_name("", &cursor, &oid) == 0) {
+ char *s = NULL;
+
+ if ((errno = der_print_heim_oid_sym(oid, '.', &s)) > 0)
+ err(1, "der_print_heim_oid_sym");
+ printf("%s\n", s);
+ free(s);
+ }
+ return 0;
+}
+
+static int
+acert1_sans_utf8_other(struct acert_options *opt,
+ struct getarg_strings *wanted,
+ const char *type,
+ heim_any *san,
+ size_t *count)
+{
+ size_t k, len;
+
+ if (!wanted->num_strings)
+ return 0;
+ for (k = 0; k < wanted->num_strings; k++) {
+ len = strlen(wanted->strings[k]);
+ if (len == san->length &&
+ strncmp(san->data, wanted->strings[k], len) == 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched OtherName SAN %s (%s)\n",
+ wanted->strings[k], type);
+ (*count)++;
+ return 0;
+ }
+ }
+ if (opt->verbose_flag)
+ fprintf(stderr, "Did not match OtherName SAN %s (%s)\n",
+ wanted->strings[k], type);
+ return -1;
+}
+
+static int
+acert1_sans_other(struct acert_options *opt,
+ heim_oid *type_id,
+ heim_any *value,
+ size_t *count)
+{
+ heim_any pkinit;
+ size_t k, match;
+ const char *type_str = NULL;
+ char *s = NULL;
+ int ret;
+
+ (void) der_print_heim_oid_sym(type_id, '.', &s);
+ type_str = s ? s : "<unknown>";
+ if (der_heim_oid_cmp(type_id, &asn1_oid_id_pkix_on_xmppAddr) == 0) {
+ ret = acert1_sans_utf8_other(opt, &opt->has_xmpp_san_strings,
+ s ? s : "xmpp", value, count);
+ free(s);
+ return ret;
+ }
+ if (der_heim_oid_cmp(type_id, &asn1_oid_id_pkinit_san) != 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Ignoring OtherName SAN of type %s\n", type_str);
+ free(s);
+ return -1;
+ }
+
+ free(s);
+ type_str = s = NULL;
+
+ if (opt->has_pkinit_san_strings.num_strings == 0)
+ return 0;
+
+ for (k = 0; k < opt->has_pkinit_san_strings.num_strings; k++) {
+ const char *s2 = opt->has_pkinit_san_strings.strings[k];
+
+ if ((ret = _hx509_make_pkinit_san(context, s2, &pkinit)))
+ return ret;
+ match = (pkinit.length == value->length &&
+ memcmp(pkinit.data, value->data, pkinit.length) == 0);
+ free(pkinit.data);
+ if (match) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched PKINIT SAN %s\n", s2);
+ (*count)++;
+ return 0;
+ }
+ }
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected PKINIT SAN\n");
+ return -1;
+}
+
+static int
+acert1_sans(struct acert_options *opt,
+ Extension *e,
+ size_t *count,
+ size_t *found)
+{
+ heim_printable_string hps;
+ GeneralNames gns;
+ size_t i, k, sz;
+ size_t unwanted = 0;
+ int ret = 0;
+
+ memset(&gns, 0, sizeof(gns));
+ decode_GeneralNames(e->extnValue.data, e->extnValue.length, &gns, &sz);
+ for (i = 0; (ret == -1 || ret == 0) && i < gns.len; i++) {
+ GeneralName *gn = &gns.val[i];
+ const char *s;
+
+ (*found)++;
+ if (gn->element == choice_GeneralName_rfc822Name) {
+ for (k = 0; k < opt->has_email_san_strings.num_strings; k++) {
+ s = opt->has_email_san_strings.strings[k];
+ hps.data = rk_UNCONST(s);
+ hps.length = strlen(s);
+ if (der_printable_string_cmp(&gn->u.rfc822Name, &hps) == 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched e-mail address SAN %s\n", s);
+ (*count)++;
+ break;
+ }
+ }
+ if (k && k == opt->has_email_san_strings.num_strings) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected e-mail address SAN %.*s\n",
+ (int)gn->u.rfc822Name.length,
+ (const char *)gn->u.rfc822Name.data);
+ unwanted++;
+ }
+ } else if (gn->element == choice_GeneralName_dNSName) {
+ for (k = 0; k < opt->has_dnsname_san_strings.num_strings; k++) {
+ s = opt->has_dnsname_san_strings.strings[k];
+ hps.data = rk_UNCONST(s);
+ hps.length = strlen(s);
+ if (der_printable_string_cmp(&gn->u.dNSName, &hps) == 0) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched dNSName SAN %s\n", s);
+ (*count)++;
+ break;
+ }
+ }
+ if (k && k == opt->has_dnsname_san_strings.num_strings) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected e-mail address SAN %.*s\n",
+ (int)gn->u.dNSName.length,
+ (const char *)gn->u.dNSName.data);
+ unwanted++;
+ }
+ } else if (gn->element == choice_GeneralName_registeredID) {
+ for (k = 0; k < opt->has_registeredID_san_strings.num_strings; k++) {
+ heim_oid oid;
+
+ s = opt->has_registeredID_san_strings.strings[k];
+ memset(&oid, 0, sizeof(oid));
+ parse_oid(s, NULL, &oid);
+ if (der_heim_oid_cmp(&gn->u.registeredID, &oid) == 0) {
+ der_free_oid(&oid);
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched registeredID SAN %s\n", s);
+ (*count)++;
+ break;
+ }
+ der_free_oid(&oid);
+ }
+ if (k && k == opt->has_dnsname_san_strings.num_strings) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected registeredID SAN\n");
+ unwanted++;
+ }
+ } else if (gn->element == choice_GeneralName_otherName) {
+ ret = acert1_sans_other(opt, &gn->u.otherName.type_id,
+ &gn->u.otherName.value, count);
+ } else if (opt->verbose_flag) {
+ fprintf(stderr, "Unexpected unsupported SAN\n");
+ unwanted++;
+ }
+ }
+ free_GeneralNames(&gns);
+ if (ret == 0 && unwanted && opt->exact_flag)
+ return -1;
+ return ret;
+}
+
+static int
+acert1_ekus(struct acert_options *opt,
+ Extension *e,
+ size_t *count,
+ size_t *found)
+{
+ ExtKeyUsage eku;
+ size_t i, k, sz;
+ size_t unwanted = 0;
+ int ret = 0;
+
+ memset(&eku, 0, sizeof(eku));
+ decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length, &eku, &sz);
+ for (i = 0; (ret == -1 || ret == 0) && i < eku.len; i++) {
+ (*found)++;
+ for (k = 0; k < opt->has_eku_strings.num_strings; k++) {
+ const char *s = opt->has_eku_strings.strings[k];
+ heim_oid oid;
+
+ memset(&oid, 0, sizeof(oid));
+ parse_oid(s, NULL, &oid);
+ if (der_heim_oid_cmp(&eku.val[i], &oid) == 0) {
+ der_free_oid(&oid);
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched EKU OID %s\n", s);
+ (*count)++;
+ break;
+ }
+ der_free_oid(&oid);
+ }
+ if (k && k == opt->has_eku_strings.num_strings) {
+ char *oids = NULL;
+
+ (void) der_print_heim_oid_sym(&eku.val[i], '.', &oids);
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected EKU OID %s\n",
+ oids ? oids : "<could-not-format-OID>");
+ unwanted++;
+ }
+ }
+ free_ExtKeyUsage(&eku);
+ if (ret == 0 && unwanted && opt->exact_flag)
+ return -1;
+ return ret;
+}
+
+static int
+acert1_kus(struct acert_options *opt,
+ Extension *e,
+ size_t *count,
+ size_t *found)
+{
+ const struct units *u = asn1_KeyUsage_units();
+ uint64_t ku_num;
+ KeyUsage ku;
+ size_t unwanted = 0;
+ size_t wanted = opt->has_ku_strings.num_strings;
+ size_t i, k, sz;
+ int ret;
+
+ memset(&ku, 0, sizeof(ku));
+ ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length, &ku, &sz);
+ if (ret)
+ return ret;
+ ku_num = KeyUsage2int(ku);
+
+ /* Validate requested key usage values */
+ for (k = 0; k < wanted; k++) {
+ const char *s = opt->has_ku_strings.strings[k];
+
+ for (i = 0; u[i].name; i++)
+ if (strcmp(s, u[i].name) == 0)
+ break;
+
+ if (u[i].name == NULL)
+ warnx("Warning: requested key usage %s unknown", s);
+ }
+
+ for (i = 0; u[i].name; i++) {
+ if ((u[i].mult & ku_num))
+ (*found)++;
+ for (k = 0; k < wanted; k++) {
+ const char *s = opt->has_ku_strings.strings[k];
+
+ if (!(u[i].mult & ku_num) || strcmp(s, u[i].name) != 0)
+ continue;
+
+ if (opt->verbose_flag)
+ fprintf(stderr, "Matched key usage %s\n", s);
+ (*count)++;
+ break;
+ }
+ if ((u[i].mult & ku_num) && k == wanted) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Unexpected key usage %s\n", u[i].name);
+ unwanted++;
+ }
+ }
+
+ return (unwanted && opt->exact_flag) ? -1 : 0;
+}
+
+static time_t
+ptime(const char *s)
+{
+ struct tm at_tm;
+ char *rest;
+ int at_s;
+
+ if ((rest = strptime(s, "%Y-%m-%dT%H:%M:%S", &at_tm)) != NULL &&
+ rest[0] == '\0')
+ return mktime(&at_tm);
+ if ((rest = strptime(s, "%Y%m%d%H%M%S", &at_tm)) != NULL && rest[0] == '\0')
+ return mktime(&at_tm);
+ if ((at_s = parse_time(s, "s")) != -1)
+ return time(NULL) + at_s;
+ errx(1, "Could not parse time spec %s", s);
+}
+
+static int
+acert1_validity(struct acert_options *opt, hx509_cert cert)
+{
+ time_t not_before_eq = 0;
+ time_t not_before_lt = 0;
+ time_t not_before_gt = 0;
+ time_t not_after_eq = 0;
+ time_t not_after_lt = 0;
+ time_t not_after_gt = 0;
+ int ret = 0;
+
+ if (opt->valid_now_flag) {
+ time_t now = time(NULL);
+
+ if (hx509_cert_get_notBefore(cert) > now) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate not valid yet\n");
+ ret = -1;
+ }
+ if (hx509_cert_get_notAfter(cert) < now) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate currently expired\n");
+ ret = -1;
+ }
+ }
+ if (opt->valid_at_string) {
+ time_t at = ptime(opt->valid_at_string);
+
+ if (hx509_cert_get_notBefore(cert) > at) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate not valid yet at %s\n",
+ opt->valid_at_string);
+ ret = -1;
+ }
+ if (hx509_cert_get_notAfter(cert) < at) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate expired before %s\n",
+ opt->valid_at_string);
+ ret = -1;
+ }
+ }
+
+ if (opt->not_before_eq_string)
+ not_before_eq = ptime(opt->not_before_eq_string);
+ if (opt->not_before_lt_string)
+ not_before_lt = ptime(opt->not_before_lt_string);
+ if (opt->not_before_gt_string)
+ not_before_gt = ptime(opt->not_before_gt_string);
+ if (opt->not_after_eq_string)
+ not_after_eq = ptime(opt->not_after_eq_string);
+ if (opt->not_after_lt_string)
+ not_after_lt = ptime(opt->not_after_lt_string);
+ if (opt->not_after_gt_string)
+ not_after_gt = ptime(opt->not_after_gt_string);
+
+ if ((not_before_eq && hx509_cert_get_notBefore(cert) != not_before_eq) ||
+ (not_before_lt && hx509_cert_get_notBefore(cert) >= not_before_lt) ||
+ (not_before_gt && hx509_cert_get_notBefore(cert) <= not_before_gt)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate notBefore not as requested\n");
+ ret = -1;
+ }
+ if ((not_after_eq && hx509_cert_get_notAfter(cert) != not_after_eq) ||
+ (not_after_lt && hx509_cert_get_notAfter(cert) >= not_after_lt) ||
+ (not_after_gt && hx509_cert_get_notAfter(cert) <= not_after_gt)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate notAfter not as requested\n");
+ ret = -1;
+ }
+
+ if (opt->has_private_key_flag && !hx509_cert_have_private_key(cert)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate does not have a private key\n");
+ ret = -1;
+ }
+
+ if (opt->lacks_private_key_flag && hx509_cert_have_private_key(cert)) {
+ if (opt->verbose_flag)
+ fprintf(stderr, "Certificate does not have a private key\n");
+ ret = -1;
+ }
+
+ return ret;
+}
+
+static int
+acert1(struct acert_options *opt, size_t cert_num, hx509_cert cert, int *matched)
+{
+ const heim_oid *misc_exts [] = {
+ &asn1_oid_id_x509_ce_authorityKeyIdentifier,
+ &asn1_oid_id_x509_ce_subjectKeyIdentifier,
+ &asn1_oid_id_x509_ce_basicConstraints,
+ &asn1_oid_id_x509_ce_nameConstraints,
+ &asn1_oid_id_x509_ce_certificatePolicies,
+ &asn1_oid_id_x509_ce_policyMappings,
+ &asn1_oid_id_x509_ce_issuerAltName,
+ &asn1_oid_id_x509_ce_subjectDirectoryAttributes,
+ &asn1_oid_id_x509_ce_policyConstraints,
+ &asn1_oid_id_x509_ce_cRLDistributionPoints,
+ &asn1_oid_id_x509_ce_deltaCRLIndicator,
+ &asn1_oid_id_x509_ce_issuingDistributionPoint,
+ &asn1_oid_id_x509_ce_inhibitAnyPolicy,
+ &asn1_oid_id_x509_ce_cRLNumber,
+ &asn1_oid_id_x509_ce_freshestCRL,
+ NULL
+ };
+ const Certificate *c;
+ const Extensions *e;
+ KeyUsage ku;
+ size_t matched_elements = 0;
+ size_t wanted, sans_wanted, ekus_wanted, kus_wanted;
+ size_t found, sans_found, ekus_found, kus_found;
+ size_t i, k;
+ int ret;
+
+ if ((c = _hx509_get_cert(cert)) == NULL)
+ errx(1, "Could not get Certificate");
+ e = c->tbsCertificate.extensions;
+
+ ret = _hx509_cert_get_keyusage(context, cert, &ku);
+ if (ret && ret != HX509_KU_CERT_MISSING)
+ hx509_err(context, 1, ret, "Could not get key usage of certificate");
+ if (ret == HX509_KU_CERT_MISSING && opt->ca_flag)
+ return 0; /* want CA cert; this isn't it */
+ if (ret == 0 && opt->ca_flag && !ku.keyCertSign)
+ return 0; /* want CA cert; this isn't it */
+ if (ret == 0 && opt->end_entity_flag && ku.keyCertSign)
+ return 0; /* want EE cert; this isn't it */
+
+ if (opt->cert_num_integer != -1 && cert_num <= INT_MAX &&
+ opt->cert_num_integer != (int)cert_num)
+ return 0;
+ if (opt->cert_num_integer == -1 || opt->cert_num_integer == (int)cert_num)
+ *matched = 1;
+
+ if (_hx509_cert_get_version(c) < 3) {
+ warnx("Certificate with version %d < 3 ignored",
+ _hx509_cert_get_version(c));
+ return 0;
+ }
+
+ sans_wanted = opt->has_email_san_strings.num_strings
+ + opt->has_xmpp_san_strings.num_strings
+ + opt->has_ms_upn_san_strings.num_strings
+ + opt->has_dnsname_san_strings.num_strings
+ + opt->has_pkinit_san_strings.num_strings
+ + opt->has_registeredID_san_strings.num_strings;
+ ekus_wanted = opt->has_eku_strings.num_strings;
+ kus_wanted = opt->has_ku_strings.num_strings;
+ wanted = sans_wanted + ekus_wanted + kus_wanted;
+ sans_found = ekus_found = kus_found = 0;
+
+ if (e == NULL) {
+ if (wanted)
+ return -1;
+ return acert1_validity(opt, cert);
+ }
+
+ for (i = 0; i < e->len; i++) {
+ if (der_heim_oid_cmp(&e->val[i].extnID,
+ &asn1_oid_id_x509_ce_subjectAltName) == 0) {
+ ret = acert1_sans(opt, &e->val[i], &matched_elements, &sans_found);
+ if (ret == -1 && sans_wanted == 0 &&
+ (!opt->exact_flag || sans_found == 0))
+ ret = 0;
+ } else if (der_heim_oid_cmp(&e->val[i].extnID,
+ &asn1_oid_id_x509_ce_extKeyUsage) == 0) {
+ ret = acert1_ekus(opt, &e->val[i], &matched_elements, &ekus_found);
+ if (ret == -1 && ekus_wanted == 0 &&
+ (!opt->exact_flag || ekus_found == 0))
+ ret = 0;
+ } else if (der_heim_oid_cmp(&e->val[i].extnID,
+ &asn1_oid_id_x509_ce_keyUsage) == 0) {
+ ret = acert1_kus(opt, &e->val[i], &matched_elements, &kus_found);
+ if (ret == -1 && kus_wanted == 0 &&
+ (!opt->exact_flag || kus_found == 0))
+ ret = 0;
+ } else {
+ char *oids = NULL;
+
+ for (k = 0; misc_exts[k]; k++) {
+ if (der_heim_oid_cmp(&e->val[i].extnID, misc_exts[k]) == 0)
+ break;
+ }
+ if (misc_exts[k])
+ continue;
+
+ (void) der_print_heim_oid(&e->val[i].extnID, '.', &oids);
+ warnx("Matching certificate has unexpected certificate "
+ "extension %s", oids ? oids : "<could not display OID>");
+ free(oids);
+ ret = -1;
+ }
+ if (ret && ret != -1)
+ hx509_err(context, 1, ret, "Error checking matching certificate");
+ if (ret == -1)
+ break;
+ }
+ if (matched_elements != wanted)
+ return -1;
+ found = sans_found + ekus_found + kus_found;
+ if (matched_elements != found && opt->exact_flag)
+ return -1;
+ if (ret)
+ return ret;
+ return acert1_validity(opt, cert);
+}
+
+int
+acert(struct acert_options *opt, int argc, char **argv)
+{
+ hx509_cursor cursor = NULL;
+ hx509_query *q = NULL;
+ hx509_certs certs = NULL;
+ hx509_cert cert = NULL;
+ char *sn = fix_store_name(context, argv[0], "FILE");
+ size_t n = 0;
+ int matched = 0;
+ int ret;
+
+ if (opt->not_after_eq_string &&
+ (opt->not_after_lt_string || opt->not_after_gt_string))
+ errx(1, "--not-after-eq should not be given with --not-after-lt/gt");
+ if (opt->not_before_eq_string &&
+ (opt->not_before_lt_string || opt->not_before_gt_string))
+ errx(1, "--not-before-eq should not be given with --not-before-lt/gt");
+
+ if ((ret = hx509_certs_init(context, sn, 0, NULL, &certs)))
+ hx509_err(context, 1, ret, "Could not load certificates from %s", sn);
+
+ if (opt->expr_string) {
+ if ((ret = hx509_query_alloc(context, &q)) ||
+ (ret = hx509_query_match_expr(context, q, opt->expr_string)))
+ hx509_err(context, 1, ret, "Could not initialize query");
+ if ((ret = hx509_certs_find(context, certs, q, &cert)) || !cert)
+ hx509_err(context, 1, ret, "No matching certificate");
+ ret = acert1(opt, -1, cert, &matched);
+ matched = 1;
+ } else {
+ ret = hx509_certs_start_seq(context, certs, &cursor);
+ while (ret == 0 &&
+ (ret = hx509_certs_next_cert(context, certs,
+ cursor, &cert)) == 0 &&
+ cert) {
+ ret = acert1(opt, n++, cert, &matched);
+ if (matched)
+ break;
+ hx509_cert_free(cert);
+ cert = NULL;
+ }
+ if (cursor)
+ (void) hx509_certs_end_seq(context, certs, cursor);
+ }
+ if (!matched && ret)
+ hx509_err(context, 1, ret, "Could not find certificate");
+ if (!matched)
+ errx(1, "Could not find certificate");
+ if (ret == -1)
+ errx(1, "Matching certificate did not meet requirements");
+ if (ret)
+ hx509_err(context, 1, ret, "Matching certificate did not meet "
+ "requirements");
+ hx509_cert_free(cert);
+ free(sn);
+ return 0;
+}
+
/*
*
*/
diff --git a/lib/hx509/keyset.c b/lib/hx509/keyset.c
index ed5b22b981d3..f25cdf4e419b 100644
--- a/lib/hx509/keyset.c
+++ b/lib/hx509/keyset.c
@@ -40,7 +40,7 @@
*
* Type of certificates store:
* - MEMORY
- * In memory based format. Doesnt support storing.
+ * In memory based format. Doesn't support storing.
* - FILE
* FILE supports raw DER certicates and PEM certicates. When PEM is
* used the file can contain may certificates and match private
@@ -63,9 +63,10 @@ struct hx509_certs_data {
unsigned int ref;
struct hx509_keyset_ops *ops;
void *ops_data;
+ int flags;
};
-static struct hx509_keyset_ops *
+struct hx509_keyset_ops *
_hx509_ks_type(hx509_context context, const char *type)
{
int i;
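Review bot: `_hx509_ks_type` loses its `static` here without gaining the `HX509_LIB_FUNCTION`/`HX509_LIB_CALL` decoration that every other newly exported symbol in this diff receives; if it is now called from another library or across a DLL boundary it needs the same treatment, and if it is only shared within libhx509 a comment saying so would avoid the question. The new `int flags` member is written once in hx509_certs_init (`c->flags = flags;`) and read in hx509_certs_add; a one-line comment such as `/* HX509_CERTS_* flags given to hx509_certs_init() */` on the field would document that.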
@@ -77,7 +78,7 @@ _hx509_ks_type(hx509_context context, const char *type)
return NULL;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
{
struct hx509_keyset_ops **val;
@@ -103,6 +104,7 @@ _hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
* @param flags list of flags:
* - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
* - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
+ * - HX509_CERTS_NO_PRIVATE_KEYS does not load or permit adding private keys
* @param lock a lock that unlocks the certificates store, use NULL to
* select no password/certifictes/prompt lock (see @ref page_lock).
* @param certs return pointer, free with hx509_certs_free().
@@ -112,7 +114,7 @@ _hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_init(hx509_context context,
const char *name, int flags,
hx509_lock lock, hx509_certs *certs)
@@ -125,6 +127,9 @@ hx509_certs_init(hx509_context context,
*certs = NULL;
+ if (name == NULL)
+ name = "";
+
residue = strchr(name, ':');
if (residue) {
type = malloc(residue - name + 1);
@@ -155,6 +160,7 @@ hx509_certs_init(hx509_context context,
hx509_clear_error_string(context);
return ENOMEM;
}
+ c->flags = flags;
c->ops = ops;
c->ref = 1;
@@ -169,11 +175,41 @@ hx509_certs_init(hx509_context context,
}
/**
+ * Destroys and frees a hx509 certificate store.
+ *
+ * @param context A hx509 context
+ * @param certs A store to destroy
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_certs_destroy(hx509_context context,
+ hx509_certs *certs)
+{
+ int ret = 0;
+
+ if (*certs) {
+ if ((*certs)->ops->destroy)
+ ret = ((*certs)->ops->destroy)(context, *certs, (*certs)->ops_data);
+ else
+ ret = ENOTSUP;
+ }
+ hx509_certs_free(certs);
+ return ret;
+}
+
+/**
* Write the certificate store to stable storage.
*
+ * Use the HX509_CERTS_STORE_NO_PRIVATE_KEYS flag to ensure that no private
+ * keys are stored, even if added.
+ *
* @param context A hx509 context.
* @param certs a certificate store to store.
- * @param flags currently unused, use 0.
+ * @param flags currently one flag is defined: HX509_CERTS_STORE_NO_PRIVATE_KEYS
* @param lock a lock that unlocks the certificates store, use NULL to
* select no password/certifictes/prompt lock (see @ref page_lock).
*
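Review bot: hx509_certs_destroy returns ENOTSUP when the backend has no destroy op but sets no error string, unlike the ENOENT path in hx509_certs_add which calls hx509_set_error_string, so callers using hx509_err will print a bare errno. It also calls hx509_certs_free(certs) unconditionally, so the handle is gone even when the backend's destroy failed and the caller cannot retry or inspect the store. Since the struct is reference counted (`ref`, hx509_certs_ref), other holders of the same store presumably keep a handle whose backing storage has just been removed; the doc comment should state that destroy acts on the underlying store regardless of outstanding references, or the function should refuse when `ref > 1`.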
@@ -183,7 +219,7 @@ hx509_certs_init(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_store(hx509_context context,
hx509_certs certs,
int flags,
@@ -201,7 +237,7 @@ hx509_certs_store(hx509_context context,
}
-hx509_certs
+HX509_LIB_FUNCTION hx509_certs HX509_LIB_CALL
hx509_certs_ref(hx509_certs certs)
{
if (certs == NULL)
@@ -222,7 +258,7 @@ hx509_certs_ref(hx509_certs certs)
* @ingroup hx509_keyset
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_certs_free(hx509_certs *certs)
{
if (*certs) {
@@ -252,7 +288,7 @@ hx509_certs_free(hx509_certs *certs)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_start_seq(hx509_context context,
hx509_certs certs,
hx509_cursor *cursor)
@@ -288,7 +324,7 @@ hx509_certs_start_seq(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_next_cert(hx509_context context,
hx509_certs certs,
hx509_cursor cursor,
@@ -310,7 +346,7 @@ hx509_certs_next_cert(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_end_seq(hx509_context context,
hx509_certs certs,
hx509_cursor cursor)
@@ -335,10 +371,10 @@ hx509_certs_end_seq(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_iter_f(hx509_context context,
hx509_certs certs,
- int (*func)(hx509_context, void *, hx509_cert),
+ int (HX509_LIB_CALL *func)(hx509_context, void *, hx509_cert),
void *ctx)
{
hx509_cursor cursor;
@@ -392,7 +428,7 @@ certs_iter(hx509_context context, void *ctx, hx509_cert cert)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_iter(hx509_context context,
hx509_certs certs,
int (^func)(hx509_cert))
@@ -415,7 +451,7 @@ hx509_certs_iter(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ci_print_names(hx509_context context, void *ctx, hx509_cert c)
{
Certificate *cert;
@@ -452,9 +488,12 @@ hx509_ci_print_names(hx509_context context, void *ctx, hx509_cert c)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_add(hx509_context context, hx509_certs certs, hx509_cert cert)
{
+ hx509_cert copy = NULL;
+ int ret;
+
if (certs->ops->add == NULL) {
hx509_set_error_string(context, 0, ENOENT,
"Keyset type %s doesn't support add operation",
@@ -462,7 +501,20 @@ hx509_certs_add(hx509_context context, hx509_certs certs, hx509_cert cert)
return ENOENT;
}
- return (*certs->ops->add)(context, certs, certs->ops_data, cert);
+ if ((certs->flags & HX509_CERTS_NO_PRIVATE_KEYS) &&
+ hx509_cert_have_private_key(cert)) {
+ if ((copy = hx509_cert_copy_no_private_key(context, cert,
+ NULL)) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM,
+ "Could not add certificate to store");
+ return ENOMEM;
+ }
+ cert = copy;
+ }
+
+ ret = (*certs->ops->add)(context, certs, certs->ops_data, cert);
+ hx509_cert_free(copy);
+ return ret;
}
/**
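Review bot: A NULL return from hx509_cert_copy_no_private_key is reported as ENOMEM with a fixed message; if that function can fail for other reasons (its third argument, passed as NULL here, looks like an out-parameter that may carry them, but its definition is not in this diff), the error is misattributed. If it only fails on allocation, a comment such as `/* hx509_cert_copy_no_private_key() only fails on allocation */` would make that explicit. The trailing `hx509_cert_free(copy)` relies on hx509_cert_free accepting NULL, which the hx509_certs_find hunk below also assumes.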
@@ -479,7 +531,7 @@ hx509_certs_add(hx509_context context, hx509_certs certs, hx509_cert cert)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_find(hx509_context context,
hx509_certs certs,
const hx509_query *q,
@@ -509,11 +561,14 @@ hx509_certs_find(hx509_context context,
break;
if (_hx509_query_match_cert(context, q, c)) {
*r = c;
+ c = NULL;
break;
}
hx509_cert_free(c);
+ c = NULL;
}
+ hx509_cert_free(c);
hx509_certs_end_seq(context, certs, cursor);
if (ret)
return ret;
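Review bot: The loop now leaves `c` NULL on every exit path and the `*r == NULL` test in the next hunk (the `-521,7` one) replaces `c == NULL`, which is only correct if `*r` is set to NULL before the loop starts; that initialisation is outside the hunk, so it is worth confirming. A comment such as `/* c is always NULL here; *r holds the match, if any */` above the unconditional `hx509_cert_free(c)` would explain why freeing a variable that was just nulled is intentional.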
@@ -521,7 +576,7 @@ hx509_certs_find(hx509_context context,
* Return HX509_CERT_NOT_FOUND if no certificate in certs matched
* the query.
*/
- if (c == NULL) {
+ if (*r == NULL) {
hx509_clear_error_string(context);
return HX509_CERT_NOT_FOUND;
}
@@ -543,7 +598,7 @@ hx509_certs_find(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_filter(hx509_context context,
hx509_certs certs,
const hx509_query *q,
@@ -600,15 +655,14 @@ hx509_certs_filter(hx509_context context,
}
-static int
+static int HX509_LIB_CALL
certs_merge_func(hx509_context context, void *ctx, hx509_cert c)
{
return hx509_certs_add(context, (hx509_certs)ctx, c);
}
/**
- * Merge a certificate store into another. The from store is keep
- * intact.
+ * Merge one certificate store into another. The from store is kept intact.
*
* @param context a hx509 context.
* @param to the store to merge into.
@@ -619,7 +673,7 @@ certs_merge_func(hx509_context context, void *ctx, hx509_cert c)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from)
{
if (from == NULL)
@@ -642,7 +696,7 @@ hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_append(hx509_context context,
hx509_certs to,
hx509_lock lock,
@@ -671,7 +725,7 @@ hx509_certs_append(hx509_context context,
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_get_one_cert(hx509_context context, hx509_certs certs, hx509_cert *c)
{
hx509_cursor cursor;
@@ -714,7 +768,7 @@ certs_info_stdio(void *ctx, const char *str)
* @ingroup hx509_keyset
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_certs_info(hx509_context context,
hx509_certs certs,
int (*func)(void *, const char *),
@@ -733,7 +787,7 @@ hx509_certs_info(hx509_context context,
func, ctx);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
const char *fmt, ...)
{
@@ -750,7 +804,7 @@ _hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
free(str);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_certs_keys_get(hx509_context context,
hx509_certs certs,
hx509_private_key **keys)
@@ -762,7 +816,7 @@ _hx509_certs_keys_get(hx509_context context,
return (*certs->ops->getkeys)(context, certs, certs->ops_data, keys);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_certs_keys_add(hx509_context context,
hx509_certs certs,
hx509_private_key key)
@@ -778,11 +832,14 @@ _hx509_certs_keys_add(hx509_context context,
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_certs_keys_free(hx509_context context,
hx509_private_key *keys)
{
- int i;
+ size_t i;
+
+ if (keys == NULL)
+ return;
for (i = 0; keys[i]; i++)
hx509_private_key_free(&keys[i]);
free(keys);
diff --git a/lib/hx509/ks_dir.c b/lib/hx509/ks_dir.c
index 1740dfe42c74..3bc99f2dc6cf 100644
--- a/lib/hx509/ks_dir.c
+++ b/lib/hx509/ks_dir.c
@@ -59,6 +59,12 @@ dir_init(hx509_context context,
{
*data = NULL;
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "DIR file name not specified");
+ return EINVAL;
+ }
+
{
struct stat sb;
int ret;
@@ -214,10 +220,11 @@ static struct hx509_keyset_ops keyset_dir = {
dir_iter_end,
NULL,
NULL,
+ NULL,
NULL
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_dir_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_dir);
diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c
index b9c2f420d5b8..6d8c77bd2402 100644
--- a/lib/hx509/ks_file.c
+++ b/lib/hx509/ks_file.c
@@ -32,6 +32,9 @@
*/
#include "hx_locl.h"
+#ifndef WIN32
+#include <libgen.h>
+#endif
typedef enum { USE_PEM, USE_DER } outformat;
@@ -46,7 +49,7 @@ struct ks_file {
*/
static int
-parse_certificate(hx509_context context, const char *fn,
+parse_certificate(hx509_context context, const char *fn, int flags,
struct hx509_collector *c,
const hx509_pem_header *headers,
const void *data, size_t len,
@@ -71,6 +74,7 @@ parse_certificate(hx509_context context, const char *fn,
static int
try_decrypt(hx509_context context,
struct hx509_collector *collector,
+ int flags,
const AlgorithmIdentifier *alg,
const EVP_CIPHER *c,
const void *ivdata,
@@ -119,12 +123,9 @@ try_decrypt(hx509_context context,
EVP_CIPHER_CTX_cleanup(&ctx);
}
- ret = _hx509_collector_private_key_add(context,
- collector,
- alg,
- NULL,
- &clear,
- NULL);
+ if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS))
+ ret = _hx509_collector_private_key_add(context, collector, alg, NULL,
+ &clear, NULL);
memset_s(clear.data, clear.length, 0, clear.length);
free(clear.data);
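Review bot: When HX509_CERTS_NO_PRIVATE_KEYS is set, try_decrypt returns whatever `ret` held after the decryption block, which starts outside the hunk; if that value is non-zero on some path, the caller in parse_pem_private_key (the `-289,21` hunk) would treat a correctly decrypted but discarded key as a failure. Setting `ret = 0;` explicitly in an `else` branch, or asserting the invariant in a comment, would make the intent clear. The same pattern appears in the `else if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS))` branch of that hunk, where `ret` in the flag-set case comes from earlier code outside the hunk.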
@@ -135,7 +136,7 @@ out:
}
static int
-parse_pkcs8_private_key(hx509_context context, const char *fn,
+parse_pkcs8_private_key(hx509_context context, const char *fn, int flags,
struct hx509_collector *c,
const hx509_pem_header *headers,
const void *data, size_t length,
@@ -143,28 +144,28 @@ parse_pkcs8_private_key(hx509_context context, const char *fn,
{
PKCS8PrivateKeyInfo ki;
heim_octet_string keydata;
-
int ret;
ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
if (ret)
return ret;
- keydata.data = rk_UNCONST(data);
- keydata.length = length;
-
- ret = _hx509_collector_private_key_add(context,
- c,
- &ki.privateKeyAlgorithm,
- NULL,
- &ki.privateKey,
- &keydata);
+ if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS)) {
+ keydata.data = rk_UNCONST(data);
+ keydata.length = length;
+ ret = _hx509_collector_private_key_add(context,
+ c,
+ &ki.privateKeyAlgorithm,
+ NULL,
+ &ki.privateKey,
+ &keydata);
+ }
free_PKCS8PrivateKeyInfo(&ki);
return ret;
}
static int
-parse_pem_private_key(hx509_context context, const char *fn,
+parse_pem_private_key(hx509_context context, const char *fn, int flags,
struct hx509_collector *c,
const hx509_pem_header *headers,
const void *data, size_t len,
@@ -268,7 +269,7 @@ parse_pem_private_key(hx509_context context, const char *fn,
password = pw->val[i];
passwordlen = strlen(password);
- ret = try_decrypt(context, c, ai, cipher, ivdata,
+ ret = try_decrypt(context, c, flags, ai, cipher, ivdata,
password, passwordlen, data, len);
if (ret == 0) {
decrypted = 1;
@@ -289,21 +290,21 @@ parse_pem_private_key(hx509_context context, const char *fn,
ret = hx509_lock_prompt(lock, &prompt);
if (ret == 0)
- ret = try_decrypt(context, c, ai, cipher, ivdata, password,
- strlen(password), data, len);
+ ret = try_decrypt(context, c, flags, ai, cipher, ivdata,
+ password, strlen(password), data, len);
/* XXX add password to lock password collection ? */
memset_s(password, sizeof(password), 0, sizeof(password));
}
free(ivdata);
- } else {
+ } else if (!(flags & HX509_CERTS_NO_PRIVATE_KEYS)) {
heim_octet_string keydata;
keydata.data = rk_UNCONST(data);
keydata.length = len;
- ret = _hx509_collector_private_key_add(context, c, ai, NULL,
- &keydata, NULL);
+ ret = _hx509_collector_private_key_add(context, c, ai, NULL,
+ &keydata, NULL);
}
return ret;
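Review bot: In the encrypted branch, a store opened with HX509_CERTS_NO_PRIVATE_KEYS still runs try_decrypt for each lock password and falls through to hx509_lock_prompt, so the user can be asked for a passphrase to unlock a key the store will then discard. Checking the flag before the encrypted branch (its start lies outside the hunk) and skipping decryption when it is set would avoid the prompt and avoid the plaintext key ever being materialised; if decryption is deliberately kept for format validation, a comment saying so would help.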
@@ -312,7 +313,7 @@ parse_pem_private_key(hx509_context context, const char *fn,
struct pem_formats {
const char *name;
- int (*func)(hx509_context, const char *, struct hx509_collector *,
+ int (*func)(hx509_context, const char *, int, struct hx509_collector *,
const hx509_pem_header *, const void *, size_t,
const AlgorithmIdentifier *);
const AlgorithmIdentifier *(*ai)(void);
@@ -344,11 +345,12 @@ pem_func(hx509_context context, const char *type,
const char *q = formats[j].name;
if (strcasecmp(type, q) == 0) {
const AlgorithmIdentifier *ai = NULL;
+
if (formats[j].ai != NULL)
ai = (*formats[j].ai)();
- ret = (*formats[j].func)(context, NULL, pem_ctx->c,
- header, data, len, ai);
+ ret = (*formats[j].func)(context, NULL, pem_ctx->flags, pem_ctx->c,
+ header, data, len, ai);
if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
"Failed parseing PEM format %s", type);
@@ -384,6 +386,12 @@ file_init_common(hx509_context context,
pem_ctx.flags = flags;
pem_ctx.c = NULL;
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "PEM file name not specified");
+ return EINVAL;
+ }
+
*data = NULL;
if (lock == NULL)
@@ -409,6 +417,10 @@ file_init_common(hx509_context context,
*/
if (flags & HX509_CERTS_CREATE) {
+ /*
+ * Note that the file creation is deferred until file_store() is
+ * called.
+ */
ret = hx509_certs_init(context, "MEMORY:ks-file-create",
0, lock, &ksf->certs);
if (ret)
@@ -455,10 +467,12 @@ file_init_common(hx509_context context,
for (i = 0; i < sizeof(formats)/sizeof(formats[0]); i++) {
const AlgorithmIdentifier *ai = NULL;
+
if (formats[i].ai != NULL)
ai = (*formats[i].ai)();
- ret = (*formats[i].func)(context, p, pem_ctx.c, NULL, ptr, length, ai);
+ ret = (*formats[i].func)(context, p, pem_ctx.flags, pem_ctx.c,
+ NULL, ptr, length, ai);
if (ret == 0)
break;
}
@@ -526,63 +540,148 @@ file_free(hx509_certs certs, void *data)
struct store_ctx {
FILE *f;
outformat format;
+ int store_flags;
};
-static int
+static int HX509_LIB_CALL
store_func(hx509_context context, void *ctx, hx509_cert c)
{
struct store_ctx *sc = ctx;
heim_octet_string data;
int ret = 0;
- ret = hx509_cert_binary(context, c, &data);
- if (ret)
- return ret;
+ if ((sc->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+ int self_signed = 0;
+
+ ret = hx509_cert_is_self_signed(context, c, &self_signed);
+ if (ret || self_signed)
+ return ret;
+ }
+
+ if (hx509_cert_have_private_key_only(c)) {
+ data.length = 0;
+ data.data = NULL;
+ } else {
+ ret = hx509_cert_binary(context, c, &data);
+ if (ret)
+ return ret;
+ }
switch (sc->format) {
case USE_DER:
- fwrite(data.data, data.length, 1, sc->f);
- free(data.data);
+ /* Can't store both. Well, we could, but nothing will support it */
+ if (data.data) {
+ fwrite(data.data, data.length, 1, sc->f);
+ } else if (_hx509_cert_private_key_exportable(c) &&
+ !(sc->store_flags & HX509_CERTS_STORE_NO_PRIVATE_KEYS)) {
+ hx509_private_key key = _hx509_cert_private_key(c);
+
+ free(data.data);
+ data.length = 0;
+ data.data = NULL;
+ ret = _hx509_private_key_export(context, key,
+ HX509_KEY_FORMAT_DER, &data);
+ if (ret == 0 && data.length)
+ fwrite(data.data, data.length, 1, sc->f);
+ }
break;
case USE_PEM:
- hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
- data.data, data.length);
- free(data.data);
- if (_hx509_cert_private_key_exportable(c)) {
+ if (_hx509_cert_private_key_exportable(c) &&
+ !(sc->store_flags & HX509_CERTS_STORE_NO_PRIVATE_KEYS)) {
+ heim_octet_string priv_key;
hx509_private_key key = _hx509_cert_private_key(c);
+
ret = _hx509_private_key_export(context, key,
- HX509_KEY_FORMAT_DER, &data);
- if (ret)
- break;
- ret = hx509_pem_write(context, _hx509_private_pem_name(key), NULL,
- sc->f, data.data, data.length);
- free(data.data);
+ HX509_KEY_FORMAT_DER, &priv_key);
+ if (ret == 0)
+ ret = hx509_pem_write(context, _hx509_private_pem_name(key), NULL,
+ sc->f, priv_key.data, priv_key.length);
+ free(priv_key.data);
}
+ if (ret == 0 && data.data) {
+ ret = hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
+ data.data, data.length);
+ }
break;
}
+ free(data.data);
return ret;
}
static int
+mk_temp(const char *fn, char **tfn)
+{
+ char *ds;
+ int ret = -1;
+
+#ifdef WIN32
+ char buf[PATH_MAX];
+ char *p;
+
+ *tfn = NULL;
+
+ if ((ds = _fullpath(buf, fn, sizeof(buf))) == NULL) {
+ errno = errno ? errno : ENAMETOOLONG;
+ return -1;
+ }
+
+ if ((p = strrchr(ds, '\\')) == NULL) {
+ ret = asprintf(tfn, ".%s-XXXXXX", ds); /* XXX can't happen */
+ } else {
+ *(p++) = '\0';
+ ret = asprintf(tfn, "%s/.%s-XXXXXX", ds, p);
+ }
+#else
+ *tfn = NULL;
+ if ((ds = strdup(fn)))
+ ret = asprintf(tfn, "%s/.%s-XXXXXX", dirname(ds), basename(ds));
+ free(ds);
+#endif
+
+ /*
+ * Using mkostemp() risks leaving garbage files lying around. To do better
+ * without resorting to file locks (which have their own problems) we need
+ * O_TMPFILE and linkat(2), which only Linux has.
+ */
+ return (ret == -1 || *tfn == NULL) ? -1 : mkostemp(*tfn, O_CLOEXEC);
+}
+
+static int
file_store(hx509_context context,
hx509_certs certs, void *data, int flags, hx509_lock lock)
{
struct ks_file *ksf = data;
struct store_ctx sc;
+ char *tfn;
int ret;
+ int fd;
- sc.f = fopen(ksf->fn, "w");
+ sc.f = NULL;
+ fd = mk_temp(ksf->fn, &tfn);
+ if (fd > -1)
+ sc.f = fdopen(fd, "w");
if (sc.f == NULL) {
- hx509_set_error_string(context, 0, ENOENT,
- "Failed to open file %s for writing");
- return ENOENT;
+ hx509_set_error_string(context, 0, ret = errno,
+ "Failed to open file %s for writing", ksf->fn);
+ if (fd > -1)
+ (void) close(fd);
+ return ret;
}
rk_cloexec_file(sc.f);
+ sc.store_flags = flags;
sc.format = ksf->format;
ret = hx509_certs_iter_f(context, ksf->certs, store_func, &sc);
- fclose(sc.f);
+ if (ret == 0)
+ ret = fclose(sc.f);
+ else
+ (void) fclose(sc.f);
+ if (ret)
+ (void) unlink(tfn);
+ else
+ (void) rename(tfn, ksf->fn);
+ free(tfn);
return ret;
}
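Review bot: In mk_temp the non-WIN32 branch passes the same strdup'd buffer to both dirname() and basename() inside one asprintf() call; POSIX allows either function to modify its argument and the evaluation order of the two arguments is unspecified, so the resulting template depends on the libc and the compiler. Giving each call its own copy, as sketched below, fixes this. file_store has related gaps: the result of `rename(tfn, ksf->fn)` is discarded, so a failed rename leaves the temp file behind yet reports success; when fdopen() fails after mk_temp() succeeded the temp file is neither unlinked nor `tfn` freed; and `ret = fclose(sc.f)` yields EOF (-1) rather than an errno value on failure. A comment noting that mkostemp() creates the file with mode 0600 and rename() carries that mode onto ksf->fn (so an existing store's mode is replaced, unlike the previous fopen("w") behaviour) would also help readers.
```c
static int
mk_temp(const char *fn, char **tfn)
{
    /* … unchanged: declarations and WIN32 branch … */
#else
    char *dn = strdup(fn);
    char *bn = strdup(fn);

    *tfn = NULL;
    /* dirname()/basename() may modify their argument; give each its own copy */
    if (dn && bn)
        ret = asprintf(tfn, "%s/.%s-XXXXXX", dirname(dn), basename(bn));
    if (ret == -1)
        *tfn = NULL;
    free(dn);
    free(bn);
#endif
    /* … unchanged: mkostemp() call … */
```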
@@ -639,6 +738,15 @@ file_addkey(hx509_context context,
return _hx509_certs_keys_add(context, ksf->certs, key);
}
+static int
+file_destroy(hx509_context context,
+ hx509_certs certs,
+ void *data)
+{
+ struct ks_file *ksf = data;
+ return _hx509_erase_file(context, ksf->fn);
+}
+
static struct hx509_keyset_ops keyset_file = {
"FILE",
0,
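Review bot: file_destroy calls _hx509_erase_file on ksf->fn unconditionally, but the comment added earlier in this file says a store opened with HX509_CERTS_CREATE defers file creation until file_store, so destroy on a never-stored store targets a file that may not exist; confirm that _hx509_erase_file treats ENOENT as success, or map it here. A one-line comment such as `/* remove the backing file; the in-memory certs are released by hx509_certs_free() */` would document the split between destroy and free.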
@@ -652,7 +760,8 @@ static struct hx509_keyset_ops keyset_file = {
file_iter_end,
NULL,
file_getkeys,
- file_addkey
+ file_addkey,
+ file_destroy
};
static struct hx509_keyset_ops keyset_pemfile = {
@@ -668,7 +777,8 @@ static struct hx509_keyset_ops keyset_pemfile = {
file_iter_end,
NULL,
file_getkeys,
- file_addkey
+ file_addkey,
+ file_destroy
};
static struct hx509_keyset_ops keyset_derfile = {
@@ -684,11 +794,12 @@ static struct hx509_keyset_ops keyset_derfile = {
file_iter_end,
NULL,
file_getkeys,
- file_addkey
+ file_addkey,
+ file_destroy
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_file_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_file);
diff --git a/lib/hx509/ks_keychain.c b/lib/hx509/ks_keychain.c
index 9b8224f1d237..3243ee8b26c3 100644
--- a/lib/hx509/ks_keychain.c
+++ b/lib/hx509/ks_keychain.c
@@ -328,6 +328,13 @@ keychain_init(hx509_context context,
{
struct ks_keychain *ctx;
+ if (flags & HX509_CERTS_NO_PRIVATE_KEYS) {
+ hx509_set_error_string(context, 0, ENOTSUP,
+ "KEYCHAIN store does not support not reading "
+ "private keys");
+ return ENOTSUP;
+ }
+
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
hx509_clear_error_string(context);
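Review bot: The error message `"KEYCHAIN store does not support not reading private keys"` is hard to parse; naming the flag, as the PKCS#11 hunk does (`"does not support HX509_CERTS_NO_PRIVATE_KEYS flag"`), reads better and lets users find it in the documentation. Consistent wording across the two backends that reject the flag would also keep the error output uniform.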
@@ -599,6 +606,7 @@ struct hx509_keyset_ops keyset_keychain = {
keychain_iter_end,
NULL,
NULL,
+ NULL,
NULL
};
@@ -610,7 +618,7 @@ struct hx509_keyset_ops keyset_keychain = {
*
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_keychain_register(hx509_context context)
{
#ifdef HAVE_FRAMEWORK_SECURITY
diff --git a/lib/hx509/ks_mem.c b/lib/hx509/ks_mem.c
index 684acb0adf35..f325d12be2a0 100644
--- a/lib/hx509/ks_mem.c
+++ b/lib/hx509/ks_mem.c
@@ -213,10 +213,11 @@ static struct hx509_keyset_ops keyset_mem = {
mem_iter_end,
NULL,
mem_getkeys,
- mem_addkey
+ mem_addkey,
+ NULL
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_mem_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_mem);
diff --git a/lib/hx509/ks_null.c b/lib/hx509/ks_null.c
index 5ac0beb7bf91..c241d30f34e3 100644
--- a/lib/hx509/ks_null.c
+++ b/lib/hx509/ks_null.c
@@ -90,10 +90,11 @@ struct hx509_keyset_ops keyset_null = {
null_iter_end,
NULL,
NULL,
+ NULL,
NULL
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_null_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_null);
diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 1b2309e20d50..265523b38603 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -32,16 +32,13 @@
*/
#include "hx_locl.h"
-#ifdef HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
#ifdef HAVE_DLOPEN
#include "ref/pkcs11.h"
struct p11_slot {
- int flags;
+ uint64_t flags;
#define P11_SESSION 1
#define P11_SESSION_IN_USE 2
#define P11_LOGIN_REQ 4
@@ -823,6 +820,18 @@ p11_init(hx509_context context,
*data = NULL;
+ if (flags & HX509_CERTS_NO_PRIVATE_KEYS) {
+ hx509_set_error_string(context, 0, ENOTSUP,
+ "PKCS#11 store does not support "
+ "HX509_CERTS_NO_PRIVATE_KEYS flag");
+ return ENOTSUP;
+ }
+
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "PKCS#11 store not specified");
+ return EINVAL;
+ }
list = strdup(residue);
if (list == NULL)
return ENOMEM;
@@ -849,7 +858,7 @@ p11_init(hx509_context context,
str = strnext;
}
- p->dl_handle = dlopen(list, RTLD_NOW);
+ p->dl_handle = dlopen(list, RTLD_NOW | RTLD_LOCAL | RTLD_GROUP);
if (p->dl_handle == NULL) {
ret = HX509_PKCS11_LOAD;
hx509_set_error_string(context, 0, ret,
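Review bot: RTLD_GROUP is a Solaris dlopen flag that neither POSIX nor glibc defines, so unless a header in this change provides a fallback (`#define RTLD_GROUP 0`) this line will not compile on Linux; the hunk above that drops the local `<dlfcn.h>` include suggests the include moved to hx_locl.h, which may be where such a fallback lives, but that is not visible here. A short comment explaining why RTLD_LOCAL|RTLD_GROUP is wanted (keeping the PKCS#11 module's symbols out of the global namespace, presumably) would help the next maintainer.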
@@ -1206,12 +1215,13 @@ static struct hx509_keyset_ops keyset_pkcs11 = {
p11_iter_end,
p11_printinfo,
NULL,
+ NULL,
NULL
};
#endif /* HAVE_DLOPEN */
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_pkcs11_register(hx509_context context)
{
#ifdef HAVE_DLOPEN
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index b7df0be32aca..1e9a92a4ff54 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -36,10 +36,12 @@
struct ks_pkcs12 {
hx509_certs certs;
char *fn;
+ unsigned int store_no_priv_keys;
};
typedef int (*collector_func)(hx509_context,
struct hx509_collector *,
+ int,
const void *, size_t,
const PKCS12_Attributes *);
@@ -49,8 +51,9 @@ struct type {
};
static void
-parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *,
- const void *, size_t, const PKCS12_Attributes *);
+parse_pkcs12_type(hx509_context, struct hx509_collector *, int,
+ const heim_oid *, const void *, size_t,
+ const PKCS12_Attributes *);
static const PKCS12_Attribute *
@@ -68,6 +71,7 @@ find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
static int
keyBag_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -76,6 +80,9 @@ keyBag_parser(hx509_context context,
const heim_octet_string *os = NULL;
int ret;
+ if (flags & HX509_CERTS_NO_PRIVATE_KEYS)
+ return 0;
+
attr = find_attribute(attrs, &asn1_oid_id_pkcs_9_at_localKeyId);
if (attr)
os = &attr->attrValues;
@@ -84,19 +91,20 @@ keyBag_parser(hx509_context context,
if (ret)
return ret;
- _hx509_collector_private_key_add(context,
- c,
- &ki.privateKeyAlgorithm,
- NULL,
- &ki.privateKey,
- os);
+ ret = _hx509_collector_private_key_add(context,
+ c,
+ &ki.privateKeyAlgorithm,
+ NULL,
+ &ki.privateKey,
+ os);
free_PKCS8PrivateKeyInfo(&ki);
- return 0;
+ return ret;
}
static int
ShroudedKeyBag_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -119,7 +127,8 @@ ShroudedKeyBag_parser(hx509_context context,
if (ret)
return ret;
- ret = keyBag_parser(context, c, content.data, content.length, attrs);
+ ret = keyBag_parser(context, c, flags, content.data, content.length,
+ attrs);
der_free_octet_string(&content);
return ret;
}
@@ -127,6 +136,7 @@ ShroudedKeyBag_parser(hx509_context context,
static int
certBag_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -191,6 +201,7 @@ certBag_parser(hx509_context context,
static int
parse_safe_content(hx509_context context,
struct hx509_collector *c,
+ int flags,
const unsigned char *p, size_t len)
{
PKCS12_SafeContents sc;
@@ -206,6 +217,7 @@ parse_safe_content(hx509_context context,
for (i = 0; i < sc.len ; i++)
parse_pkcs12_type(context,
c,
+ flags,
&sc.val[i].bagId,
sc.val[i].bagValue.data,
sc.val[i].bagValue.length,
@@ -218,6 +230,7 @@ parse_safe_content(hx509_context context,
static int
safeContent_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -227,7 +240,7 @@ safeContent_parser(hx509_context context,
ret = decode_PKCS12_OctetString(data, length, &os, NULL);
if (ret)
return ret;
- ret = parse_safe_content(context, c, os.data, os.length);
+ ret = parse_safe_content(context, c, flags, os.data, os.length);
der_free_octet_string(&os);
return ret;
}
@@ -235,6 +248,7 @@ safeContent_parser(hx509_context context,
static int
encryptedData_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -253,7 +267,8 @@ encryptedData_parser(hx509_context context,
return ret;
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
- ret = parse_safe_content(context, c, content.data, content.length);
+ ret = parse_safe_content(context, c, flags,
+ content.data, content.length);
der_free_octet_string(&content);
der_free_oid(&contentType);
@@ -263,6 +278,7 @@ encryptedData_parser(hx509_context context,
static int
envelopedData_parser(hx509_context context,
struct hx509_collector *c,
+ int flags,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
@@ -290,7 +306,8 @@ envelopedData_parser(hx509_context context,
}
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
- ret = parse_safe_content(context, c, content.data, content.length);
+ ret = parse_safe_content(context, c, flags,
+ content.data, content.length);
der_free_octet_string(&content);
der_free_oid(&contentType);
@@ -311,6 +328,7 @@ struct type bagtypes[] = {
static void
parse_pkcs12_type(hx509_context context,
struct hx509_collector *c,
+ int flags,
const heim_oid *oid,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
@@ -319,7 +337,7 @@ parse_pkcs12_type(hx509_context context,
for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0)
- (*bagtypes[i].func)(context, c, data, length, attrs);
+ (*bagtypes[i].func)(context, c, flags, data, length, attrs);
}
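Review bot: The return value of `(*bagtypes[i].func)(...)` is still discarded here, so the error that keyBag_parser now propagates from `_hx509_collector_private_key_add` (the `return ret;` in the earlier keyBag_parser hunk) never reaches p12_init. Since parse_pkcs12_type is `void` and both its callers (parse_safe_content and p12_init, in their own hunks) ignore it as well, a PKCS#12 file whose private key fails to import is still reported as loaded successfully. Changing parse_pkcs12_type to return `int`, with `return (*bagtypes[i].func)(context, c, flags, data, length, attrs);` on a match and `return 0;` for an unknown bag type, and checking it in the two loops would make the new propagation meaningful. The signature of parse_pkcs12_type is in the previous hunk.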
static int
@@ -338,6 +356,12 @@ p12_init(hx509_context context,
*data = NULL;
+ if (residue == NULL || residue[0] == '\0') {
+ hx509_set_error_string(context, 0, EINVAL,
+ "PKCS#12 file not specified");
+ return EINVAL;
+ }
+
if (lock == NULL)
lock = _hx509_empty_lock;
@@ -423,6 +447,7 @@ p12_init(hx509_context context,
for (i = 0; i < as.len; i++)
parse_pkcs12_type(context,
c,
+ flags,
&as.val[i].contentType,
as.val[i].content->data,
as.val[i].content->length,
@@ -486,15 +511,28 @@ addBag(hx509_context context,
return 0;
}
-static int
-store_func(hx509_context context, void *ctx, hx509_cert c)
+struct store_func_ctx {
+ PKCS12_AuthenticatedSafe as;
+ int store_flags;
+};
+
+static int HX509_LIB_CALL
+store_func(hx509_context context, void *d, hx509_cert c)
{
- PKCS12_AuthenticatedSafe *as = ctx;
+ struct store_func_ctx *ctx = d;
PKCS12_OctetString os;
PKCS12_CertBag cb;
size_t size;
int ret;
+ if ((ctx->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+ int is_root = 0;
+
+ ret = hx509_cert_is_root(context, c, &is_root);
+ if (ret || is_root)
+ return ret;
+ }
+
memset(&os, 0, sizeof(os));
memset(&cb, 0, sizeof(cb));
@@ -522,9 +560,11 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
if (ret)
goto out;
- ret = addBag(context, as, &asn1_oid_id_pkcs12_certBag, os.data, os.length);
+ ret = addBag(context, &ctx->as, &asn1_oid_id_pkcs12_certBag, os.data,
+ os.length);
- if (_hx509_cert_private_key_exportable(c)) {
+ if (_hx509_cert_private_key_exportable(c) &&
+ !(ctx->store_flags & HX509_CERTS_STORE_NO_PRIVATE_KEYS)) {
hx509_private_key key = _hx509_cert_private_key(c);
PKCS8PrivateKeyInfo pki;
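Review bot: The `ret` from the certBag `addBag` call is not checked before the function continues into the private-key branch, whose body (outside this hunk) appears to reassign `ret`, so a failed certificate bag is silently dropped whenever the certificate also carries an exportable key. Mirroring the check a few lines above, `if (ret) goto out;` right after the `addBag` call would close that gap, assuming the `out:` label releases `os`/`cb` as the earlier `goto out` implies. The rest of store_func, including the `out:` label, lies outside the hunk.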
@@ -555,7 +595,8 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
if (ret)
return ret;
- ret = addBag(context, as, &asn1_oid_id_pkcs12_keyBag, os.data, os.length);
+ ret = addBag(context, &ctx->as, &asn1_oid_id_pkcs12_keyBag, os.data,
+ os.length);
if (ret)
return ret;
}
@@ -570,21 +611,22 @@ p12_store(hx509_context context,
{
struct ks_pkcs12 *p12 = data;
PKCS12_PFX pfx;
- PKCS12_AuthenticatedSafe as;
+ struct store_func_ctx ctx;
PKCS12_OctetString asdata;
size_t size;
int ret;
- memset(&as, 0, sizeof(as));
+ memset(&ctx, 0, sizeof(ctx));
memset(&pfx, 0, sizeof(pfx));
+ ctx.store_flags = flags;
- ret = hx509_certs_iter_f(context, p12->certs, store_func, &as);
+ ret = hx509_certs_iter_f(context, p12->certs, store_func, &ctx);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe, asdata.data, asdata.length,
- &as, &size, ret);
- free_PKCS12_AuthenticatedSafe(&as);
+ &ctx.as, &size, ret);
+ free_PKCS12_AuthenticatedSafe(&ctx.as);
if (ret)
return ret;
@@ -636,7 +678,7 @@ p12_store(hx509_context context,
free(asdata.data);
out:
- free_PKCS12_AuthenticatedSafe(&as);
+ free_PKCS12_AuthenticatedSafe(&ctx.as);
free_PKCS12_PFX(&pfx);
return ret;
@@ -691,6 +733,13 @@ p12_iter_end(hx509_context context,
return hx509_certs_end_seq(context, p12->certs, cursor);
}
+static int
+p12_destroy(hx509_context context, hx509_certs certs, void *data)
+{
+ struct ks_pkcs12 *p12 = data;
+ return _hx509_erase_file(context, p12->fn);
+}
+
static struct hx509_keyset_ops keyset_pkcs12 = {
"PKCS12",
0,
@@ -704,10 +753,11 @@ static struct hx509_keyset_ops keyset_pkcs12 = {
p12_iter_end,
NULL,
NULL,
- NULL
+ NULL,
+ p12_destroy
};
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_ks_pkcs12_register(hx509_context context)
{
_hx509_ks_register(context, &keyset_pkcs12);
diff --git a/lib/hx509/libhx509-exports.def b/lib/hx509/libhx509-exports.def
index f4417730158c..81783ff7c34c 100644
--- a/lib/hx509/libhx509-exports.def
+++ b/lib/hx509/libhx509-exports.def
@@ -1,6 +1,8 @@
EXPORTS
_hx509_cert_assign_key
+ _hx509_cert_get_keyusage
+ _hx509_cert_get_version
_hx509_cert_private_key
_hx509_certs_keys_free
_hx509_certs_keys_get
@@ -12,44 +14,92 @@ EXPORTS
_hx509_generate_private_key_free
_hx509_generate_private_key_init
_hx509_generate_private_key_is_ca
+ _hx509_get_cert
+ _hx509_ks_type
+ _hx509_make_pkinit_san
_hx509_map_file_os
_hx509_name_from_Name
+ _hx509_private_key_export
+ _hx509_private_key_exportable
+ _hx509_private_key_get_internal
+ _hx509_private_key_oid
+ _hx509_private_key_ref
hx509_private_key2SPKI
hx509_private_key_free
_hx509_private_key_ref
- _hx509_request_add_dns_name
- _hx509_request_add_email
+ hx509_request_add_GeneralName
+ hx509_request_add_dns_name
+ hx509_request_add_dns_srv
+ hx509_request_add_eku
+ hx509_request_add_email
+ hx509_request_add_ms_upn_name
+ hx509_request_add_pkinit
+ hx509_request_add_registered
+ hx509_request_add_xmpp_name
+ hx509_request_authorize_ku
+ hx509_request_authorize_eku
+ hx509_request_authorize_san
+ hx509_request_count_unsupported
+ hx509_request_count_unauthorized
+ _hx509_private_key_export
+ _hx509_private_key_exportable
+ _hx509_private_key_get_internal
+ _hx509_private_key_oid
+ _hx509_private_key_ref
+ hx509_request_eku_authorized_p
hx509_request_free
+ hx509_request_get_eku
+ hx509_request_get_exts
+ hx509_request_get_ku
+ hx509_request_get_name
+ hx509_request_get_san
hx509_request_get_SubjectPublicKeyInfo
hx509_request_get_name
hx509_request_init
- _hx509_request_parse
- _hx509_request_print
+ hx509_request_parse
+ hx509_request_parse_der
+ hx509_request_print
hx509_request_set_SubjectPublicKeyInfo
-; _hx509_request_set_email
+ hx509_request_add_email
+ hx509_request_reject_eku
+ hx509_request_reject_san
hx509_request_set_name
- _hx509_request_to_pkcs10
- _hx509_request_to_pkcs10
+ hx509_request_set_ku
+ hx509_request_san_authorized_p
+ hx509_request_to_pkcs10
_hx509_unmap_file_os
_hx509_write_file
hx509_bitstring_print
+ _hx509_ca_issue_certificate
hx509_ca_sign
hx509_ca_sign_self
hx509_ca_tbs_add_crl_dp_uri
hx509_ca_tbs_add_eku
+ hx509_ca_tbs_add_ku
+ hx509_ca_tbs_add_pol
+ hx509_ca_tbs_add_pol_mapping
+ hx509_ca_tbs_add_san
+ hx509_ca_tbs_add_san_dnssrv
+ hx509_ca_tbs_add_san_hardwareModuleName
+ hx509_ca_tbs_add_san_hardwareModuleName_string
hx509_ca_tbs_add_san_hostname
hx509_ca_tbs_add_san_jid
hx509_ca_tbs_add_san_ms_upn
hx509_ca_tbs_add_san_otherName
+ hx509_ca_tbs_add_san_permanentIdentifier
+ hx509_ca_tbs_add_san_permanentIdentifier_string
hx509_ca_tbs_add_san_pkinit
hx509_ca_tbs_add_san_rfc822name
hx509_ca_tbs_free
+ hx509_ca_tbs_get_name
hx509_ca_tbs_init
hx509_ca_tbs_set_ca
hx509_ca_tbs_set_domaincontroller
+ hx509_ca_tbs_set_from_csr
hx509_ca_tbs_set_notAfter
hx509_ca_tbs_set_notAfter_lifetime
hx509_ca_tbs_set_notBefore
+ hx509_ca_tbs_set_pkinit_max_life
hx509_ca_tbs_set_proxy
hx509_ca_tbs_set_serialnumber
hx509_ca_tbs_set_signature_algorithm
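Review bot: Several symbols are listed more than once in this hunk: the five `_hx509_private_key_export`/`_exportable`/`_get_internal`/`_oid`/`_ref` lines are added twice (once after `_hx509_name_from_Name` and again in the middle of the `hx509_request_*` run), `_hx509_private_key_ref` is additionally an existing entry, and `hx509_request_add_email` and `hx509_request_get_name` each appear twice. Duplicate EXPORTS entries are at best a linker warning and the second block reads like a mis-pasted group, so one copy of each should be removed. The `_hx509_private_key_*` names also sit out of alphabetical order relative to the surrounding `hx509_request_*` entries.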
@@ -73,15 +123,23 @@ EXPORTS
hx509_cert_get_issuer
hx509_cert_get_notAfter
hx509_cert_get_notBefore
+ hx509_cert_get_pkinit_max_life
hx509_cert_get_serialnumber
hx509_cert_get_subject
+ hx509_cert_have_private_key
+ hx509_cert_have_private_key_only
hx509_cert_init
hx509_cert_init_data
+ hx509_cert_init_private_key
+ hx509_cert_is_ca
+ hx509_cert_is_root
+ hx509_cert_is_self_signed
hx509_cert_keyusage_print
hx509_cert_ref
hx509_cert_set_friendly_name
hx509_certs_add
hx509_certs_append
+ hx509_certs_destroy
hx509_certs_end_seq
hx509_certs_ref
hx509_certs_filter
@@ -104,6 +162,7 @@ EXPORTS
hx509_cms_unenvelope
hx509_cms_unwrap_ContentInfo
hx509_cms_verify_signed
+ hx509_cms_verify_signed_ext
hx509_cms_wrap_ContentInfo
hx509_context_free
hx509_context_init
@@ -132,6 +191,7 @@ EXPORTS
hx509_crypto_set_padding
hx509_crypto_set_params
hx509_crypto_set_random_key
+ hx509_empty_name
hx509_env_add
hx509_env_add_binding
hx509_env_find
@@ -144,6 +204,7 @@ EXPORTS
hx509_free_octet_string_list
hx509_general_name_unparse
hx509_get_error_string
+ hx509_get_instance
hx509_get_one_cert
hx509_lock_add_cert
hx509_lock_add_certs
@@ -170,6 +231,7 @@ EXPORTS
hx509_oid_print
hx509_oid_sprint
hx509_parse_name
+ hx509_parse_private_key
hx509_peer_info_add_cms_alg
hx509_peer_info_alloc
hx509_peer_info_free
diff --git a/lib/hx509/lock.c b/lib/hx509/lock.c
index 52f72dba1b71..7f767d2362a6 100644
--- a/lib/hx509/lock.c
+++ b/lib/hx509/lock.c
@@ -59,7 +59,7 @@ hx509_lock _hx509_empty_lock = &empty_lock_data;
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_init(hx509_context context, hx509_lock *lock)
{
hx509_lock l;
@@ -86,7 +86,7 @@ hx509_lock_init(hx509_context context, hx509_lock *lock)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_add_password(hx509_lock lock, const char *password)
{
void *d;
@@ -109,19 +109,19 @@ hx509_lock_add_password(hx509_lock lock, const char *password)
return 0;
}
-const struct _hx509_password *
+HX509_LIB_FUNCTION const struct _hx509_password * HX509_LIB_CALL
_hx509_lock_get_passwords(hx509_lock lock)
{
return &lock->password;
}
-hx509_certs
+HX509_LIB_FUNCTION hx509_certs HX509_LIB_CALL
_hx509_lock_unlock_certs(hx509_lock lock)
{
return lock->certs;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_reset_passwords(hx509_lock lock)
{
size_t i;
@@ -132,19 +132,19 @@ hx509_lock_reset_passwords(hx509_lock lock)
lock->password.len = 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_add_cert(hx509_context context, hx509_lock lock, hx509_cert cert)
{
return hx509_certs_add(context, lock->certs, cert);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_add_certs(hx509_context context, hx509_lock lock, hx509_certs certs)
{
return hx509_certs_merge(context, lock->certs, certs);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_reset_certs(hx509_context context, hx509_lock lock)
{
hx509_certs certs = lock->certs;
@@ -161,14 +161,14 @@ hx509_lock_reset_certs(hx509_context context, hx509_lock lock)
lock->certs = certs;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_lock_find_cert(hx509_lock lock, const hx509_query *q, hx509_cert *c)
{
*c = NULL;
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_set_prompter(hx509_lock lock, hx509_prompter_fct prompt, void *data)
{
lock->prompt = prompt;
@@ -176,7 +176,7 @@ hx509_lock_set_prompter(hx509_lock lock, hx509_prompter_fct prompt, void *data)
return 0;
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_reset_promper(hx509_lock lock)
{
lock->prompt = NULL;
@@ -206,7 +206,7 @@ default_prompter(void *data, const hx509_prompt *prompter)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_prompt(hx509_lock lock, hx509_prompt *prompt)
{
if (lock->prompt == NULL)
@@ -214,7 +214,7 @@ hx509_lock_prompt(hx509_lock lock, hx509_prompt *prompt)
return (*lock->prompt)(lock->prompt_data, prompt);
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_lock_free(hx509_lock lock)
{
if (lock) {
@@ -225,7 +225,7 @@ hx509_lock_free(hx509_lock lock)
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_prompt_hidden(hx509_prompt_type type)
{
/* default to hidden if unknown */
@@ -239,7 +239,7 @@ hx509_prompt_hidden(hx509_prompt_type type)
}
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_lock_command_string(hx509_lock lock, const char *string)
{
if (strncasecmp(string, "PASS:", 5) == 0) {
diff --git a/lib/hx509/name.c b/lib/hx509/name.c
index 5cb344b6c161..7d67716b953a 100644
--- a/lib/hx509/name.c
+++ b/lib/hx509/name.c
@@ -64,19 +64,44 @@
static const struct {
const char *n;
const heim_oid *o;
+ int type_choice; /* Preference for DirectoryString choice; 0 -> no pref */
wind_profile_flags flags;
+ /*
+ * RFC52380 imposes maximum lengths for some strings in Names. These are
+ * ASN.1 size limits. We should implement these in our copy of the PKIX
+ * ASN.1 module. For now we treat them as maximum byte counts rather than
+ * maximum character counts, and we encode and enforce them here.
+ *
+ * 0 -> no max
+ *
+ * Some of these attributes aren't of type DirectoryString, so our
+ * type_choice isn't really correct. We're not really set up for
+ * attributes whose types aren't DirectoryString or one of its choice arms'
+ * type, much less are we set up for non-string attribute value types.
+ */
+ size_t max_bytes;
} no[] = {
- { "C", &asn1_oid_id_at_countryName, 0 },
- { "CN", &asn1_oid_id_at_commonName, 0 },
- { "DC", &asn1_oid_id_domainComponent, 0 },
- { "L", &asn1_oid_id_at_localityName, 0 },
- { "O", &asn1_oid_id_at_organizationName, 0 },
- { "OU", &asn1_oid_id_at_organizationalUnitName, 0 },
- { "S", &asn1_oid_id_at_stateOrProvinceName, 0 },
- { "STREET", &asn1_oid_id_at_streetAddress, 0 },
- { "UID", &asn1_oid_id_Userid, 0 },
- { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 },
- { "serialNumber", &asn1_oid_id_at_serialNumber, 0 }
+ { "C", &asn1_oid_id_at_countryName,
+ choice_DirectoryString_printableString, 0, 2 },
+ { "CN", &asn1_oid_id_at_commonName, 0, 0, ub_common_name },
+ { "DC", &asn1_oid_id_domainComponent, choice_DirectoryString_ia5String,
+ 0, 63 }, /* DNS label */
+ { "L", &asn1_oid_id_at_localityName, 0, 0, ub_locality_name },
+ { "O", &asn1_oid_id_at_organizationName, 0, 0, ub_organization_name },
+ { "OU", &asn1_oid_id_at_organizationalUnitName, 0, 0,
+ ub_organizational_unit_name },
+ { "S", &asn1_oid_id_at_stateOrProvinceName, 0, 0, ub_state_name },
+ { "STREET", &asn1_oid_id_at_streetAddress, 0, 0, 0 }, /* ENOTSUP */
+ { "UID", &asn1_oid_id_Userid, 0, 0, ub_numeric_user_id_length },
+ { "emailAddress", &asn1_oid_id_pkcs9_emailAddress,
+ choice_DirectoryString_ia5String, 0, ub_emailaddress_length },
+ /* This is for DevID certificates and maybe others */
+ { "serialNumber", &asn1_oid_id_at_serialNumber, 0, 0, ub_serial_number },
+ /* These are for TPM 2.0 Endorsement Key Certificates (EKCerts) */
+ { "TPMManufacturer", &asn1_oid_tcg_at_tpmManufacturer, 0, 0,
+ ub_emailaddress_length },
+ { "TPMModel", &asn1_oid_tcg_at_tpmModel, 0, 0, ub_emailaddress_length },
+ { "TPMVersion", &asn1_oid_tcg_at_tpmVersion, 0, 0, ub_emailaddress_length },
};
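Review bot: The block comment above `max_bytes` cites "RFC52380", which should read "RFC 5280" (its Appendix A defines the `ub-*` upper bounds used here). The three TPM entries reuse `ub_emailaddress_length` as their bound, which has nothing to do with those attributes; if it is a stand-in pending a proper limit, say so, e.g. `/* no bound defined for the TCG attributes; ub_emailaddress_length used as a conservative cap */`. The `STREET` entry's `/* ENOTSUP */` is ambiguous next to a `0` (no max) bound and would be clearer as `/* no bound enforced; multi-valued PostalAddress not supported */` or whatever is actually meant.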
static char *
@@ -142,20 +167,38 @@ append_string(char **str, size_t *total_len, const char *ss,
}
static char *
-oidtostring(const heim_oid *type)
+oidtostring(const heim_oid *type, int *type_choice)
{
char *s;
size_t i;
+ if (type_choice)
+ *type_choice = choice_DirectoryString_utf8String;
+
for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
- if (der_heim_oid_cmp(no[i].o, type) == 0)
+ if (der_heim_oid_cmp(no[i].o, type) == 0) {
+ if (type_choice && no[i].type_choice)
+ *type_choice = no[i].type_choice;
return strdup(no[i].n);
+ }
}
if (der_print_heim_oid(type, '.', &s) != 0)
return NULL;
return s;
}
+static size_t
+oidtomaxlen(const heim_oid *type)
+{
+ size_t i;
+
+ for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
+ if (der_heim_oid_cmp(no[i].o, type) == 0)
+ return no[i].max_bytes;
+ }
+ return 0;
+}
+
static int
stringtooid(const char *name, size_t len, heim_oid *oid)
{
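Review bot: `oidtomaxlen` and the loop in `oidtostring` now walk the same `no[]` table with the same `der_heim_oid_cmp` match, and hx509_name_expand later calls `oidtomaxlen` separately again. A small static helper returning the matched row, say `static const struct attr_info *find_attr(const heim_oid *type);` with the table element type named, would let both functions (and the callers) do one lookup and would keep the type-choice and length data in one place. Note also that `oidtostring` returns utf8String as the default choice while `_hx509_name_modify` in a later hunk defaults to printableString; the two defaults should agree.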
@@ -191,13 +234,13 @@ stringtooid(const char *name, size_t len, heim_oid *oid)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_to_string(const hx509_name name, char **str)
{
return _hx509_Name_to_string(&name->der_name, str);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_Name_to_string(const Name *n, char **str)
{
size_t total_len = 0;
@@ -217,7 +260,7 @@ _hx509_Name_to_string(const Name *n, char **str)
char *oidname;
char *ss;
- oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
+ oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type, NULL);
switch(ds->element) {
case choice_DirectoryString_ia5String:
@@ -315,29 +358,29 @@ _hx509_Name_to_string(const Name *n, char **str)
return 0;
}
-#define COPYCHARARRAY(_ds,_el,_l,_n) \
- (_l) = strlen(_ds->u._el); \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYCHARARRAY(_ds,_el,_l,_n) \
+ (_l) = strlen(_ds->u._el); \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = _ds->u._el[i]
-#define COPYVALARRAY(_ds,_el,_l,_n) \
- (_l) = _ds->u._el.length; \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYVALARRAY(_ds,_el,_l,_n) \
+ (_l) = _ds->u._el.length; \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = _ds->u._el.data[i]
-#define COPYVOIDARRAY(_ds,_el,_l,_n) \
- (_l) = _ds->u._el.length; \
- (_n) = malloc((_l) * sizeof((_n)[0])); \
- if ((_n) == NULL) \
- return ENOMEM; \
- for (i = 0; i < (_l); i++) \
+#define COPYVOIDARRAY(_ds,_el,_l,_n) \
+ (_l) = _ds->u._el.length; \
+ (_n) = malloc((_l + 1) * sizeof((_n)[0])); \
+ if ((_n) == NULL) \
+ return ENOMEM; \
+ for (i = 0; i < (_l); i++) \
(_n)[i] = ((unsigned char *)_ds->u._el.data)[i]
@@ -347,7 +390,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
{
wind_profile_flags flags;
size_t i, len;
- int ret;
+ int ret = 0;
uint32_t *name;
*rname = NULL;
@@ -380,7 +423,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
ret = wind_utf8ucs4_length(ds->u.utf8String, &len);
if (ret)
return ret;
- name = malloc(len * sizeof(name[0]));
+ name = malloc((len + 1) * sizeof(name[0]));
if (name == NULL)
return ENOMEM;
ret = wind_utf8ucs4(ds->u.utf8String, name, &len);
@@ -397,7 +440,10 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
/* try a couple of times to get the length right, XXX gross */
for (i = 0; i < 4; i++) {
*rlen = *rlen * 2;
- *rname = malloc(*rlen * sizeof((*rname)[0]));
+ if ((*rname = malloc((rlen[0] + 1) * sizeof((*rname)[0]))) == NULL) {
+ ret = ENOMEM;
+ break;
+ }
ret = wind_stringprep(name, len, *rname, rlen, flags);
if (ret == WIND_ERR_OVERRUN) {
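Review bot: The new `break` on malloc failure leaves the loop with `ret = ENOMEM`, but the code after the loop is outside this hunk and the function's visible tail ends in `return 0;`, so please confirm that path returns `ret` (and frees `name`) rather than falling through to success. Within the same line, `rlen[0]` is used where every other reference in the function writes `*rlen`; `malloc((*rlen + 1) * sizeof((*rname)[0]))` would match the surrounding style. On `WIND_ERR_OVERRUN` the previous `*rname` buffer is presumably released before the next iteration; that is not visible here.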
@@ -419,7 +465,7 @@ dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_ds_cmp(const DirectoryString *ds1,
const DirectoryString *ds2,
int *diff)
@@ -452,7 +498,7 @@ _hx509_name_ds_cmp(const DirectoryString *ds1,
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_cmp(const Name *n1, const Name *n2, int *c)
{
int ret;
@@ -498,7 +544,7 @@ _hx509_name_cmp(const Name *n1, const Name *n2, int *c)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_cmp(hx509_name n1, hx509_name n2)
{
int ret, diff;
@@ -509,7 +555,7 @@ hx509_name_cmp(hx509_name n1, hx509_name n2)
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_from_Name(const Name *n, hx509_name *name)
{
int ret;
@@ -524,49 +570,129 @@ _hx509_name_from_Name(const Name *n, hx509_name *name)
return ret;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_name_modify(hx509_context context,
Name *name,
int append,
const heim_oid *oid,
const char *str)
{
- RelativeDistinguishedName *rdn;
+ RelativeDistinguishedName rdn;
+ size_t max_len = oidtomaxlen(oid);
+ char *s = NULL;
+ int type_choice = choice_DirectoryString_printableString;
int ret;
- void *ptr;
- ptr = realloc(name->u.rdnSequence.val,
- sizeof(name->u.rdnSequence.val[0]) *
- (name->u.rdnSequence.len + 1));
- if (ptr == NULL) {
+ /*
+ * Check string length upper bounds.
+ *
+ * Because we don't have these bounds in our copy of the PKIX ASN.1 module,
+ * and because we might like to catch these early anyways, we enforce them
+ * here.
+ */
+ if (max_len && strlen(str) > max_len) {
+ char *a = oidtostring(oid, &type_choice);
+
+ ret = HX509_PARSING_NAME_FAILED;
+ hx509_set_error_string(context, 0, ret, "RDN attribute %s value too "
+ "long (max %llu): %s", a ? a : "<unknown>",
+ max_len, str);
+ free(a);
+ return ret;
+ }
+
+ memset(&rdn, 0, sizeof(rdn));
+ if ((rdn.val = malloc(sizeof(rdn.val[0]))) == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
return ENOMEM;
}
- name->u.rdnSequence.val = ptr;
-
- if (append) {
- rdn = &name->u.rdnSequence.val[name->u.rdnSequence.len];
- } else {
- memmove(&name->u.rdnSequence.val[1],
- &name->u.rdnSequence.val[0],
- name->u.rdnSequence.len *
- sizeof(name->u.rdnSequence.val[0]));
+ rdn.len = 1;
+
+ /*
+ * How best to pick a type for this attribute value?
+ *
+ * Options:
+ *
+ * 1) the API deals only in UTF-8, let the callers convert to/from UTF-8
+ * and whatever the current locale wants
+ *
+ * 2) use the best type for the codeset of the current locale.
+ *
+ * We choose (1).
+ *
+ * However, for some cases we really should prefer other types when the
+ * input string is all printable ASCII.
+ */
+ rdn.val[0].value.element = type_choice;
+ if ((s = strdup(str)) == NULL ||
+ der_copy_oid(oid, &rdn.val[0].type)) {
+ free(rdn.val);
+ free(s);
+ return hx509_enomem(context);
+ }
+ switch (rdn.val[0].value.element) {
+ /* C strings: */
+ case choice_DirectoryString_utf8String:
+ rdn.val[0].value.u.utf8String = s;
+ break;
+ case choice_DirectoryString_teletexString:
+ rdn.val[0].value.u.teletexString = s;
+ break;
- rdn = &name->u.rdnSequence.val[0];
+ /* Length and pointer */
+ case choice_DirectoryString_ia5String:
+ rdn.val[0].value.u.ia5String.data = s;
+ rdn.val[0].value.u.ia5String.length = strlen(s);
+ break;
+ case choice_DirectoryString_printableString:
+ rdn.val[0].value.u.printableString.data = s;
+ rdn.val[0].value.u.printableString.length = strlen(s);
+ break;
+ case choice_DirectoryString_universalString:
+ free(s);
+ free(rdn.val);
+ hx509_set_error_string(context, 0, ENOTSUP, "UniversalString not supported");
+ return ENOTSUP;
+ case choice_DirectoryString_bmpString:
+ free(s);
+ free(rdn.val);
+ hx509_set_error_string(context, 0, ENOTSUP, "BMPString not supported");
+ return ENOTSUP;
+ default:
+ free(s);
+ free(rdn.val);
+ hx509_set_error_string(context, 0, ENOTSUP,
+ "Internal error; unknown DirectoryString choice");
+ return ENOTSUP;
}
- rdn->val = malloc(sizeof(rdn->val[0]));
- if (rdn->val == NULL)
- return ENOMEM;
- rdn->len = 1;
- ret = der_copy_oid(oid, &rdn->val[0].type);
- if (ret)
- return ret;
- rdn->val[0].value.element = choice_DirectoryString_utf8String;
- rdn->val[0].value.u.utf8String = strdup(str);
- if (rdn->val[0].value.u.utf8String == NULL)
- return ENOMEM;
- name->u.rdnSequence.len += 1;
+ /* Append RDN. If the caller wanted to prepend instead, we'll rotate. */
+ ret = add_RDNSequence(&name->u.rdnSequence, &rdn);
+ free_RelativeDistinguishedName(&rdn);
+
+ if (ret || append || name->u.rdnSequence.len < 2)
+ return ret;
+
+ /* Rotate */
+ rdn = name->u.rdnSequence.val[name->u.rdnSequence.len - 1];
+ memmove(&name->u.rdnSequence.val[1],
+ &name->u.rdnSequence.val[0],
+ (name->u.rdnSequence.len - 1) *
+ sizeof(name->u.rdnSequence.val[0]));
+ name->u.rdnSequence.val[0] = rdn;
+ return 0;
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_empty_name(hx509_context context, hx509_name *name)
+{
+ if ((*name = calloc(1, sizeof(**name))) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return ENOMEM;
+ }
+ (*name)->der_name.element = choice_Name_rdnSequence;
+ (*name)->der_name.u.rdnSequence.val = 0;
+ (*name)->der_name.u.rdnSequence.len = 0;
return 0;
}
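Review bot: In `_hx509_name_modify`, `type_choice` is initialised to `choice_DirectoryString_printableString` and is only updated by `oidtostring(oid, &type_choice)` inside the "value too long" error branch, so on the success path every attribute value is encoded as PrintableString regardless of the table's `type_choice` (ia5String for DC and emailAddress, utf8String by default). That makes e.g. an `emailAddress` containing `@`, or any non-ASCII UTF-8 `CN`, an invalid PrintableString on the wire. Calling `oidtostring(oid, &type_choice)` once at the top (freeing the returned string, which is also useful for the error message) and falling back to utf8String when `str` contains characters outside the PrintableString alphabet would honour the table and the "API deals in UTF-8" comment. Separately, `max_len` is a `size_t` printed with `%llu`; use `%zu` or `(unsigned long long)max_len`.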
@@ -582,7 +708,7 @@ _hx509_name_modify(hx509_context context,
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
{
const char *p, *q;
@@ -686,7 +812,7 @@ out:
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
{
int ret;
@@ -714,13 +840,13 @@ hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_to_Name(const hx509_name from, Name *to)
{
return copy_Name(&from->der_name, to);
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_normalize(hx509_context context, hx509_name name)
{
return 0;
@@ -739,13 +865,14 @@ hx509_name_normalize(hx509_context context, hx509_name name)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_expand(hx509_context context,
hx509_name name,
hx509_env env)
{
Name *n = &name->der_name;
size_t i, j;
+ int bounds_check = 1;
if (env == NULL)
return 0;
@@ -768,23 +895,49 @@ hx509_name_expand(hx509_context context,
free normalized utf8 string
*/
DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
+ heim_oid *type = &n->u.rdnSequence.val[i].val[j].type;
+ const char *sval = NULL;
char *p, *p2;
+ char *s = NULL;
struct rk_strpool *strpool = NULL;
- if (ds->element != choice_DirectoryString_utf8String) {
- hx509_set_error_string(context, 0, EINVAL, "unsupported type");
- return EINVAL;
- }
- p = strstr(ds->u.utf8String, "${");
+ switch (ds->element) {
+ case choice_DirectoryString_utf8String:
+ sval = ds->u.utf8String;
+ break;
+ case choice_DirectoryString_teletexString:
+ sval = ds->u.utf8String;
+ break;
+ case choice_DirectoryString_ia5String:
+ s = strndup(ds->u.ia5String.data,
+ ds->u.ia5String.length);
+ break;
+ case choice_DirectoryString_printableString:
+ s = strndup(ds->u.printableString.data,
+ ds->u.printableString.length);
+ break;
+ case choice_DirectoryString_universalString:
+ hx509_set_error_string(context, 0, ENOTSUP, "UniversalString not supported");
+ return ENOTSUP;
+ case choice_DirectoryString_bmpString:
+ hx509_set_error_string(context, 0, ENOTSUP, "BMPString not supported");
+ return ENOTSUP;
+ }
+ if (sval == NULL && s == NULL)
+ return hx509_enomem(context);
+ if (s)
+ sval = s;
+
+ p = strstr(sval, "${");
if (p) {
- strpool = rk_strpoolprintf(strpool, "%.*s",
- (int)(p - ds->u.utf8String),
- ds->u.utf8String);
+ strpool = rk_strpoolprintf(strpool, "%.*s", (int)(p - sval), sval);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
}
+
while (p != NULL) {
/* expand variables */
const char *value;
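Review bot: The `teletexString` arm of the new switch reads `ds->u.utf8String` instead of `ds->u.teletexString`; it should be `sval = ds->u.teletexString;` so the code does not depend on the two union members aliasing. The switch also has no `default:`, so an unexpected `ds->element` leaves both `sval` and `s` NULL and is then reported as out-of-memory via `hx509_enomem`; restoring the original behaviour with `default: hx509_set_error_string(context, 0, EINVAL, "unsupported type"); return EINVAL;` keeps the ENOMEM report reserved for a real `strndup` failure. The loop that follows continues outside this hunk.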
@@ -792,6 +945,7 @@ hx509_name_expand(hx509_context context,
if (p2 == NULL) {
hx509_set_error_string(context, 0, EINVAL, "missing }");
rk_strpoolfree(strpool);
+ free(s);
return EINVAL;
}
p += 2;
@@ -801,11 +955,13 @@ hx509_name_expand(hx509_context context,
"variable %.*s missing",
(int)(p2 - p), p);
rk_strpoolfree(strpool);
+ free(s);
return EINVAL;
}
strpool = rk_strpoolprintf(strpool, "%s", value);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
p2++;
@@ -818,19 +974,60 @@ hx509_name_expand(hx509_context context,
strpool = rk_strpoolprintf(strpool, "%s", p2);
if (strpool == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ free(s);
return ENOMEM;
}
}
+
+ free(s);
+ s = NULL;
+
if (strpool) {
- free(ds->u.utf8String);
- ds->u.utf8String = rk_strpoolcollect(strpool);
- if (ds->u.utf8String == NULL) {
- hx509_set_error_string(context, 0, ENOMEM, "out of memory");
- return ENOMEM;
- }
+ size_t max_bytes;
+
+ if ((s = rk_strpoolcollect(strpool)) == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return ENOMEM;
+ }
+
+ /* Check upper bounds! */
+ if ((max_bytes = oidtomaxlen(type)) && strlen(s) > max_bytes)
+ bounds_check = 0;
+
+ switch (ds->element) {
+ /* C strings: */
+ case choice_DirectoryString_utf8String:
+ free(ds->u.utf8String);
+ ds->u.utf8String = s;
+ break;
+ case choice_DirectoryString_teletexString:
+ free(ds->u.teletexString);
+ ds->u.teletexString = s;
+ break;
+
+ /* Length and pointer */
+ case choice_DirectoryString_ia5String:
+ free(ds->u.ia5String.data);
+ ds->u.ia5String.data = s;
+ ds->u.ia5String.length = strlen(s);
+ break;
+ case choice_DirectoryString_printableString:
+ free(ds->u.printableString.data);
+ ds->u.printableString.data = s;
+ ds->u.printableString.length = strlen(s);
+ break;
+ default:
+ break; /* Handled above */
+ }
}
}
}
+
+ if (!bounds_check) {
+ hx509_set_error_string(context, 0, HX509_PARSING_NAME_FAILED,
+ "some expanded RDNs are too long");
+ return HX509_PARSING_NAME_FAILED;
+ }
return 0;
}
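Review bot: When the expanded value exceeds `max_bytes`, `bounds_check` is cleared but the oversized string is still stored into `ds` and the loop keeps going, so on `HX509_PARSING_NAME_FAILED` the caller is handed a name that has already been rewritten in place and the message does not say which attribute overflowed. Checking the bound before the assignment switch and returning immediately (`free(s)` first), with the attribute name from `oidtostring(type, NULL)` in the error string, would both leave the name untouched on failure and make the message actionable. If partial modification is intended, the function's doc comment (above this hunk) should say so.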
@@ -842,7 +1039,7 @@ hx509_name_expand(hx509_context context,
* @ingroup hx509_name
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_name_free(hx509_name *name)
{
free_Name(&(*name)->der_name);
@@ -863,7 +1060,7 @@ hx509_name_free(hx509_name *name)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_unparse_der_name(const void *data, size_t length, char **str)
{
Name name;
@@ -891,7 +1088,7 @@ hx509_unparse_der_name(const void *data, size_t length, char **str)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_binary(const hx509_name name, heim_octet_string *os)
{
size_t size;
@@ -906,7 +1103,7 @@ hx509_name_binary(const hx509_name name, heim_octet_string *os)
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_unparse_Name(const Name *aname, char **str)
{
hx509_name name;
@@ -922,7 +1119,7 @@ _hx509_unparse_Name(const Name *aname, char **str)
}
/**
- * Unparse the hx509 name in name into a string.
+ * Check if a name is empty.
*
* @param name the name to check if its empty/null.
*
@@ -931,12 +1128,259 @@ _hx509_unparse_Name(const Name *aname, char **str)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_name_is_null_p(const hx509_name name)
{
- return name->der_name.u.rdnSequence.len == 0;
+ return name->der_name.element == choice_Name_rdnSequence &&
+ name->der_name.u.rdnSequence.len == 0;
}
+int
+_hx509_unparse_PermanentIdentifier(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ PermanentIdentifier pi;
+ size_t len;
+ const char *pid = "";
+ char *s = NULL;
+ int ret;
+
+ ret = decode_PermanentIdentifier(value->data, value->length, &pi, &len);
+ if (ret == 0 && pi.assigner &&
+ der_print_heim_oid(pi.assigner, '.', &s) != 0)
+ ret = hx509_enomem(context);
+ if (pi.identifierValue && *pi.identifierValue)
+ pid = *pi.identifierValue;
+ if (ret == 0 &&
+ (*strpool = rk_strpoolprintf(*strpool, "%s:%s", s ? s : "", pid)) == NULL)
+ ret = hx509_enomem(context);
+ free_PermanentIdentifier(&pi);
+ free(s);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-PermanentIdentifier");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode PermanentIdentifier");
+ }
+ return ret;
+}
+
+int
+_hx509_unparse_HardwareModuleName(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ HardwareModuleName hm;
+ size_t len;
+ char *s = NULL;
+ int ret;
+
+ ret = decode_HardwareModuleName(value->data, value->length, &hm, &len);
+ if (ret == 0 && hm.hwSerialNum.length > 256)
+ hm.hwSerialNum.length = 256;
+ if (ret == 0)
+ ret = der_print_heim_oid(&hm.hwType, '.', &s);
+ if (ret == 0) {
+ *strpool = rk_strpoolprintf(*strpool, "%s:%.*s%s", s,
+ (int)hm.hwSerialNum.length,
+ (char *)hm.hwSerialNum.data,
+ value->length == len ? "" : ", <garbage>");
+ if (*strpool == NULL)
+ ret = hx509_enomem(context);
+ }
+ free_HardwareModuleName(&hm);
+ free(s);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-HardwareModuleName");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode HardwareModuleName");
+ }
+ return ret;
+}
+
+/*
+ * This necessarily duplicates code from libkrb5, and has to unless we move
+ * common code here or to lib/roken for it. We do have slightly different
+ * needs (e.g., we want space quoted, and we want to indicate whether we saw
+ * trailing garbage, we have no need for flags, no special realm treatment,
+ * etc) than the corresponding code in libkrb5, so for now we duplicate this
+ * code.
+ *
+ * The relevant RFCs here are RFC1964 for the string representation of Kerberos
+ * principal names, and RFC4556 for the KRB5PrincipalName ASN.1 type (Kerberos
+ * lacks such a type because on the wire the name and realm are sent
+ * separately as a form of cheap compression).
+ *
+ * Note that we cannot handle embedded NULs because of Heimdal's representation
+ * of ASN.1 strings as C strings.
+ */
+int
+_hx509_unparse_KRB5PrincipalName(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ KRB5PrincipalName kn;
+ size_t len;
+ int ret;
+
+ ret = decode_KRB5PrincipalName(value->data, value->length, &kn, &len);
+ if (ret == 0 &&
+ (*strpool = _hx509_unparse_kerberos_name(*strpool, &kn)) == NULL)
+ ret = hx509_enomem(context);
+ free_KRB5PrincipalName(&kn);
+ if (ret == 0 && (value->length != len) &&
+ (*strpool = rk_strpoolprintf(*strpool, " <garbage>")) == NULL)
+ ret = hx509_enomem(context);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-PrincipalName");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode PermanentIdentifier");
+ }
+ return ret;
+}
+
+struct rk_strpool *
+_hx509_unparse_kerberos_name(struct rk_strpool *strpool, KRB5PrincipalName *kn)
+{
+ static const char comp_quotable_chars[] = " \n\t\b\\/@";
+ static const char realm_quotable_chars[] = " \n\t\b\\@";
+ const char *s;
+ size_t i, k, len, plen;
+ int need_slash = 0;
+
+ for (i = 0; i < kn->principalName.name_string.len; i++) {
+ s = kn->principalName.name_string.val[i];
+ len = strlen(s);
+
+ if (need_slash)
+ strpool = rk_strpoolprintf(strpool, "/");
+ need_slash = 1;
+
+ for (k = 0; k < len; s += plen, k += plen) {
+ char c;
+
+ plen = strcspn(s, comp_quotable_chars);
+ if (plen)
+ strpool = rk_strpoolprintf(strpool, "%.*s", (int)plen, s);
+ if (k + plen >= len)
+ continue;
+ switch ((c = s[plen++])) {
+ case '\n': strpool = rk_strpoolprintf(strpool, "\\n"); break;
+ case '\t': strpool = rk_strpoolprintf(strpool, "\\t"); break;
+ case '\b': strpool = rk_strpoolprintf(strpool, "\\b"); break;
+ /* default -> '@', ' ', '\\', or '/' */
+ default: strpool = rk_strpoolprintf(strpool, "\\%c", c); break;
+ }
+ }
+ }
+ if (!kn->realm)
+ return strpool;
+ strpool = rk_strpoolprintf(strpool, "@");
+
+ s = kn->realm;
+ len = strlen(kn->realm);
+ for (k = 0; k < len; s += plen, k += plen) {
+ char c;
+
+ plen = strcspn(s, realm_quotable_chars);
+ if (plen)
+ strpool = rk_strpoolprintf(strpool, "%.*s", (int)plen, s);
+ if (k + plen >= len)
+ continue;
+ switch ((c = s[plen++])) {
+ case '\n': strpool = rk_strpoolprintf(strpool, "\\n"); break;
+ case '\t': strpool = rk_strpoolprintf(strpool, "\\t"); break;
+ case '\b': strpool = rk_strpoolprintf(strpool, "\\b"); break;
+ /* default -> '@', ' ', or '\\' */
+ default: strpool = rk_strpoolprintf(strpool, "\\%c", c); break;
+ }
+ }
+ return strpool;
+}
+
+int
+_hx509_unparse_utf8_string_name(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ PKIXXmppAddr us;
+ size_t size;
+ int ret;
+
+ ret = decode_PKIXXmppAddr(value->data, value->length, &us, &size);
+ if (ret == 0 &&
+ (*strpool = rk_strpoolprintf(*strpool, "%s", us)) == NULL)
+ ret = hx509_enomem(context);
+ if (ret) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-UTF8String-SAN>");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode UTF8String SAN");
+ }
+ free_PKIXXmppAddr(&us);
+ return ret;
+}
+
+int
+_hx509_unparse_ia5_string_name(hx509_context context,
+ struct rk_strpool **strpool,
+ heim_any *value)
+{
+ SRVName us;
+ size_t size;
+ int ret;
+
+ ret = decode_SRVName(value->data, value->length, &us, &size);
+ if (ret == 0) {
+ rk_strpoolfree(*strpool);
+ *strpool = rk_strpoolprintf(NULL,
+ "<error-decoding-IA5String-SAN>");
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode UTF8String SAN");
+ return ret;
+ }
+ *strpool = rk_strpoolprintf(*strpool, "%.*s",
+ (int)us.length, (char *)us.data);
+ free_SRVName(&us);
+ return ret;
+}
+
+typedef int (*other_unparser_f)(hx509_context,
+ struct rk_strpool **,
+ heim_any *);
+
+struct {
+ const heim_oid *oid;
+ const char *friendly_name;
+ other_unparser_f f;
+} o_unparsers[] = {
+ { &asn1_oid_id_pkinit_san,
+ "KerberosPrincipalName",
+ _hx509_unparse_KRB5PrincipalName },
+ { &asn1_oid_id_pkix_on_permanentIdentifier,
+ "PermanentIdentifier",
+ _hx509_unparse_PermanentIdentifier },
+ { &asn1_oid_id_on_hardwareModuleName,
+ "HardwareModuleName",
+ _hx509_unparse_HardwareModuleName },
+ { &asn1_oid_id_pkix_on_xmppAddr,
+ "XMPPName",
+ _hx509_unparse_utf8_string_name },
+ { &asn1_oid_id_pkinit_ms_san,
+ "MSFTKerberosPrincipalName",
+ _hx509_unparse_utf8_string_name },
+ { &asn1_oid_id_pkix_on_dnsSRV,
+ "SRVName",
+ _hx509_unparse_ia5_string_name },
+};
+
/**
* Unparse the hx509 name in name into a string.
*
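Review bot: The decode-status check in `_hx509_unparse_ia5_string_name` is inverted: `if (ret == 0)` right after `decode_SRVName` takes the error path on success and, on a decode failure, falls through to print `us.data`/`us.length` from a struct that was never successfully decoded and then returns 0; it should read `if (ret) {`, and its message should name IA5String rather than "UTF8String SAN". The error strings `"<error-decoding-PermanentIdentifier"`, `"<error-decoding-HardwareModuleName"` and `"<error-decoding-PrincipalName"` lack the closing `>` that the UTF8String/IA5String variants have, and `_hx509_unparse_KRB5PrincipalName` reports "Failed to decode PermanentIdentifier" for its own decode failure. In `_hx509_unparse_PermanentIdentifier`, `pi.identifierValue` is read and `free_PermanentIdentifier(&pi)` is called even when `decode_PermanentIdentifier` returned an error, which is only safe if the decoder leaves `pi` zeroed on every failure path — guarding both with `ret == 0` removes that dependency. The hwSerialNum octets and the principal-name components are certificate contents printed verbatim; since print.c in this same change escapes DisplayText with rk_strasvis, the same treatment here would keep control characters out of terminal and log output.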
@@ -948,9 +1392,36 @@ hx509_name_is_null_p(const hx509_name name)
* @ingroup hx509_name
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_general_name_unparse(GeneralName *name, char **str)
{
+ hx509_context context;
+ int ret;
+
+ if ((ret = hx509_context_init(&context)))
+ return ret;
+ ret = hx509_general_name_unparse2(context, name, str);
+ hx509_context_free(&context);
+ return ret;
+}
+
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param context hx509 library context
+ * @param name the name to print
+ * @param str an allocated string returns the name in string form
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_general_name_unparse2(hx509_context context,
+ GeneralName *name,
+ char **str)
+{
struct rk_strpool *strpool = NULL;
int ret = 0;
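Review bot: `hx509_general_name_unparse` now creates a private hx509_context per call and frees it before returning, so any error string that `hx509_general_name_unparse2` records via hx509_set_error_string is discarded and the legacy caller only receives the code; this deserves a sentence in its doc comment, e.g. `/* Compatibility wrapper: error details are only available via hx509_general_name_unparse2(). */`. The doc block for `hx509_general_name_unparse2` is separated from its declaration by a blank line, unlike the other documented functions in this file; dropping that line keeps the layout consistent. The body of hx509_general_name_unparse2 continues outside this hunk.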
@@ -958,21 +1429,40 @@ hx509_general_name_unparse(GeneralName *name, char **str)
switch (name->element) {
case choice_GeneralName_otherName: {
+ size_t i;
char *oid;
- hx509_oid_sprint(&name->u.otherName.type_id, &oid);
- if (oid == NULL)
- return ENOMEM;
- strpool = rk_strpoolprintf(strpool, "otherName: %s", oid);
+
+ ret = hx509_oid_sprint(&name->u.otherName.type_id, &oid);
+ if (ret == 0)
+ strpool = rk_strpoolprintf(strpool, "otherName: %s ", oid);
+ if (strpool == NULL)
+ ret = ENOMEM;
+
+ for (i = 0; ret == 0 && i < sizeof(o_unparsers)/sizeof(o_unparsers[0]); i++) {
+ if (der_heim_oid_cmp(&name->u.otherName.type_id,
+ o_unparsers[i].oid))
+ continue;
+ strpool = rk_strpoolprintf(strpool, "%s ",o_unparsers[i].friendly_name);
+ if (strpool == NULL)
+ ret = ENOMEM;
+ if (ret == 0)
+ ret = o_unparsers[i].f(context, &strpool, &name->u.otherName.value);
+ break;
+ }
+ if (ret == 0 && i == sizeof(o_unparsers)/sizeof(o_unparsers[0])) {
+ strpool = rk_strpoolprintf(strpool, "<unknown-other-name-type>");
+ ret = ENOTSUP;
+ }
free(oid);
break;
}
case choice_GeneralName_rfc822Name:
- strpool = rk_strpoolprintf(strpool, "rfc822Name: %.*s\n",
+ strpool = rk_strpoolprintf(strpool, "rfc822Name: %.*s",
(int)name->u.rfc822Name.length,
(char *)name->u.rfc822Name.data);
break;
case choice_GeneralName_dNSName:
- strpool = rk_strpoolprintf(strpool, "dNSName: %.*s\n",
+ strpool = rk_strpoolprintf(strpool, "dNSName: %.*s",
(int)name->u.dNSName.length,
(char *)name->u.dNSName.data);
break;
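Review bot: In the otherName case `char *oid;` is only assigned through `hx509_oid_sprint` yet is passed to `free(oid)` unconditionally, so on a failed sprint `oid` is freed uninitialised unless every failure path of the underlying der_print_heim_oid is known to set `*str = NULL`; `char *oid = NULL;` makes the cleanup safe regardless. Immediately after the sprint, `if (strpool == NULL) ret = ENOMEM;` runs with `strpool` still NULL whenever the sprint failed, replacing the sprint's own error code with ENOMEM; `if (ret == 0 && strpool == NULL)` preserves it. An otherName whose type_id is not in `o_unparsers` now fails the whole unparse with ENOTSUP instead of being rendered as an unknown type, and the validators in print.c treat any unparse error as a failure — if that is intended, the doc comment for hx509_general_name_unparse2 should say so. The enclosing function continues outside this hunk.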
diff --git a/lib/hx509/ocsp.asn1 b/lib/hx509/ocsp.asn1
deleted file mode 100644
index eb090a4cc768..000000000000
--- a/lib/hx509/ocsp.asn1
+++ /dev/null
@@ -1,113 +0,0 @@
--- From rfc2560
--- $Id$
-OCSP DEFINITIONS EXPLICIT TAGS::=
-
-BEGIN
-
-IMPORTS
- Certificate, AlgorithmIdentifier, CRLReason,
- Name, GeneralName, CertificateSerialNumber, Extensions
- FROM rfc2459;
-
-OCSPVersion ::= INTEGER { ocsp-v1(0) }
-
-OCSPCertStatus ::= CHOICE {
- good [0] IMPLICIT NULL,
- revoked [1] IMPLICIT -- OCSPRevokedInfo -- SEQUENCE {
- revocationTime GeneralizedTime,
- revocationReason[0] EXPLICIT CRLReason OPTIONAL
- },
- unknown [2] IMPLICIT NULL }
-
-OCSPCertID ::= SEQUENCE {
- hashAlgorithm AlgorithmIdentifier,
- issuerNameHash OCTET STRING, -- Hash of Issuer's DN
- issuerKeyHash OCTET STRING, -- Hash of Issuers public key
- serialNumber CertificateSerialNumber }
-
-OCSPSingleResponse ::= SEQUENCE {
- certID OCSPCertID,
- certStatus OCSPCertStatus,
- thisUpdate GeneralizedTime,
- nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- singleExtensions [1] EXPLICIT Extensions OPTIONAL }
-
-OCSPInnerRequest ::= SEQUENCE {
- reqCert OCSPCertID,
- singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
-
-OCSPTBSRequest ::= SEQUENCE {
- version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
- requestorName [1] EXPLICIT GeneralName OPTIONAL,
- requestList SEQUENCE OF OCSPInnerRequest,
- requestExtensions [2] EXPLICIT Extensions OPTIONAL }
-
-OCSPSignature ::= SEQUENCE {
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING,
- certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-
-OCSPRequest ::= SEQUENCE {
- tbsRequest OCSPTBSRequest,
- optionalSignature [0] EXPLICIT OCSPSignature OPTIONAL }
-
-OCSPResponseBytes ::= SEQUENCE {
- responseType OBJECT IDENTIFIER,
- response OCTET STRING }
-
-OCSPResponseStatus ::= ENUMERATED {
- successful (0), --Response has valid confirmations
- malformedRequest (1), --Illegal confirmation request
- internalError (2), --Internal error in issuer
- tryLater (3), --Try again later
- --(4) is not used
- sigRequired (5), --Must sign the request
- unauthorized (6) --Request unauthorized
-}
-
-OCSPResponse ::= SEQUENCE {
- responseStatus OCSPResponseStatus,
- responseBytes [0] EXPLICIT OCSPResponseBytes OPTIONAL }
-
-OCSPKeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- --(excluding the tag and length fields)
-
-OCSPResponderID ::= CHOICE {
- byName [1] Name,
- byKey [2] OCSPKeyHash }
-
-OCSPResponseData ::= SEQUENCE {
- version [0] EXPLICIT OCSPVersion -- DEFAULT v1 -- OPTIONAL,
- responderID OCSPResponderID,
- producedAt GeneralizedTime,
- responses SEQUENCE OF OCSPSingleResponse,
- responseExtensions [1] EXPLICIT Extensions OPTIONAL }
-
-OCSPBasicOCSPResponse ::= SEQUENCE {
- tbsResponseData OCSPResponseData,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING,
- certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
-
--- ArchiveCutoff ::= GeneralizedTime
-
--- AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
-
--- Object Identifiers
-
-id-pkix-ocsp OBJECT IDENTIFIER ::= {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) mechanisms(5) pkix(7) pkix-ad(48) 1
-}
-
-id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
-id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
--- id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
--- id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
--- id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
--- id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
--- id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
-
-
-END
-
diff --git a/lib/hx509/ocsp.opt b/lib/hx509/ocsp.opt
deleted file mode 100644
index 697aa03e19e8..000000000000
--- a/lib/hx509/ocsp.opt
+++ /dev/null
@@ -1,2 +0,0 @@
---preserve-binary=OCSPTBSRequest
---preserve-binary=OCSPResponseData
diff --git a/lib/hx509/peer.c b/lib/hx509/peer.c
index 457f6c4d04b6..2501f0107430 100644
--- a/lib/hx509/peer.c
+++ b/lib/hx509/peer.c
@@ -55,7 +55,7 @@
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_alloc(hx509_context context, hx509_peer_info *peer)
{
*peer = calloc(1, sizeof(**peer));
@@ -88,7 +88,7 @@ free_cms_alg(hx509_peer_info peer)
* @ingroup hx509_peer
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_peer_info_free(hx509_peer_info peer)
{
if (peer == NULL)
@@ -111,7 +111,7 @@ hx509_peer_info_free(hx509_peer_info peer)
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_set_cert(hx509_peer_info peer,
hx509_cert cert)
{
@@ -133,7 +133,7 @@ hx509_peer_info_set_cert(hx509_peer_info peer,
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_add_cms_alg(hx509_context context,
hx509_peer_info peer,
const AlgorithmIdentifier *val)
@@ -168,7 +168,7 @@ hx509_peer_info_add_cms_alg(hx509_context context,
* @ingroup hx509_peer
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_set_cms_algs(hx509_context context,
hx509_peer_info peer,
const AlgorithmIdentifier *val,
@@ -203,14 +203,14 @@ hx509_peer_info_set_cms_algs(hx509_context context,
* S/MIME
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_parse_smime(hx509_peer_info peer,
const heim_octet_string *data)
{
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_unparse_smime(hx509_peer_info peer,
heim_octet_string *data)
{
@@ -221,14 +221,14 @@ hx509_peer_info_unparse_smime(hx509_peer_info peer,
* For storing hx509_peer_info to be able to cache them.
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_parse(hx509_peer_info peer,
const heim_octet_string *data)
{
return 0;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_peer_info_unparse(hx509_peer_info peer,
heim_octet_string *data)
{
diff --git a/lib/hx509/pkcs10.asn1 b/lib/hx509/pkcs10.asn1
deleted file mode 100644
index f3fe37b1bf9e..000000000000
--- a/lib/hx509/pkcs10.asn1
+++ /dev/null
@@ -1,25 +0,0 @@
--- $Id$
-PKCS10 DEFINITIONS ::=
-
-BEGIN
-
-IMPORTS
- Name, SubjectPublicKeyInfo, Attribute, AlgorithmIdentifier
- FROM rfc2459;
-
-
-CertificationRequestInfo ::= SEQUENCE {
- version INTEGER { pkcs10-v1(0) },
- subject Name,
- subjectPKInfo SubjectPublicKeyInfo,
- attributes [0] IMPLICIT SET OF Attribute OPTIONAL
-}
-
-CertificationRequest ::= SEQUENCE {
- certificationRequestInfo CertificationRequestInfo,
- signatureAlgorithm AlgorithmIdentifier,
- signature BIT STRING
-}
-
-END
-
diff --git a/lib/hx509/pkcs10.opt b/lib/hx509/pkcs10.opt
deleted file mode 100644
index 499fab2f6ba2..000000000000
--- a/lib/hx509/pkcs10.opt
+++ /dev/null
@@ -1 +0,0 @@
---preserve-binary=CertificationRequestInfo
diff --git a/lib/hx509/print.c b/lib/hx509/print.c
index 01c275455a54..3309913f3575 100644
--- a/lib/hx509/print.c
+++ b/lib/hx509/print.c
@@ -32,6 +32,8 @@
*/
#include "hx_locl.h"
+#include <vis.h>
+#include <vis-extras.h>
/**
* @page page_print Hx509 printing functions
@@ -40,6 +42,7 @@
*/
struct hx509_validate_ctx_data {
+ hx509_context context;
int flags;
hx509_vprint_func vprint_func;
void *ctx;
@@ -93,7 +96,7 @@ Time2string(const Time *T, char **str)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void
hx509_print_stdout(void *ctx, const char *fmt, va_list va)
{
FILE *f = ctx;
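Review bot: `hx509_print_stdout` gets `HX509_LIB_FUNCTION` but, unlike every other export in this change, no `HX509_LIB_CALL`; if that is deliberate because the function must match the `hx509_vprint_func` pointer type, a comment such as `/* No HX509_LIB_CALL: must match hx509_vprint_func */` would stop the next reader from "fixing" it, otherwise the line should be `HX509_LIB_FUNCTION void HX509_LIB_CALL`. The function body continues outside this hunk.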
@@ -122,7 +125,7 @@ print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_oid_sprint(const heim_oid *oid, char **str)
{
return der_print_heim_oid(oid, '.', str);
@@ -139,7 +142,7 @@ hx509_oid_sprint(const heim_oid *oid, char **str)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
{
char *str;
@@ -159,7 +162,7 @@ hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_bitstring_print(const heim_bit_string *b,
hx509_vprint_func func, void *ctx)
{
@@ -187,7 +190,7 @@ hx509_bitstring_print(const heim_bit_string *b,
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
{
KeyUsage ku;
@@ -358,6 +361,7 @@ check_authorityKeyIdentifier(hx509_validate_ctx ctx,
}
}
+ free_AuthorityKeyIdentifier(&ai);
return 0;
}
@@ -413,67 +417,6 @@ check_extKeyUsage(hx509_validate_ctx ctx,
}
static int
-check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
-{
- KRB5PrincipalName kn;
- unsigned i;
- size_t size;
- int ret;
-
- ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Decoding kerberos name in SAN failed: %d", ret);
- return 1;
- }
-
- if (size != a->length) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Decoding kerberos name have extra bits on the end");
- return 1;
- }
-
- /* print kerberos principal, add code to quote / within components */
- for (i = 0; i < kn.principalName.name_string.len; i++) {
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
- kn.principalName.name_string.val[i]);
- if (i + 1 < kn.principalName.name_string.len)
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
- }
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
-
- free_KRB5PrincipalName(&kn);
- return 0;
-}
-
-static int
-check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
-{
- PKIXXmppAddr jid;
- size_t size;
- int ret;
-
- ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Decoding JID in SAN failed: %d", ret);
- return 1;
- }
-
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
- free_PKIXXmppAddr(&jid);
-
- return 0;
-}
-
-static int
-check_altnull(hx509_validate_ctx ctx, heim_any *a)
-{
- return 0;
-}
-
-static int
check_CRLDistributionPoints(hx509_validate_ctx ctx,
struct cert_status *status,
enum critical_flag cf,
@@ -498,18 +441,9 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
for (i = 0 ; i < dp.len; i++) {
if (dp.val[i].distributionPoint) {
- DistributionPointName dpname;
- heim_any *data = dp.val[i].distributionPoint;
+ DistributionPointName dpname = dp.val[i].distributionPoint[0];
size_t j;
- ret = decode_DistributionPointName(data->data, data->length,
- &dpname, NULL);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Failed to parse CRL Distribution Point Name: %d\n", ret);
- continue;
- }
-
switch (dpname.element) {
case choice_DistributionPointName_fullName:
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
@@ -518,8 +452,13 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
char *s;
GeneralName *name = &dpname.u.fullName.val[j];
- ret = hx509_general_name_unparse(name, &s);
- if (ret == 0 && s != NULL) {
+ ret = hx509_general_name_unparse2(ctx->context, name, &s);
+ if (ret) {
+ s = hx509_get_error_string(ctx->context, ret);
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Unknown DistributionPointName: %s", s);
+ hx509_free_error_string(s);
+ } else {
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
free(s);
}
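Review bot: The failure message `"Unknown DistributionPointName: %s"` is emitted for every error from `hx509_general_name_unparse2`, including allocation failures and the ENOTSUP now returned for unrecognised otherName types, so the text misdescribes most of what it reports; `"Error unparsing DistributionPointName: %s\n"` would match the sibling message in check_altName and restore the trailing newline the verbose path has. `hx509_get_error_string` returns a freshly allocated string and so can presumably return NULL on allocation failure, and passing NULL to `%s` is undefined behaviour; the same pattern appears in check_altName and check_authorityInfoAccess below. The enclosing loop and function continue outside this hunk.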
@@ -534,7 +473,6 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
"Unknown DistributionPointName");
break;
}
- free_DistributionPointName(&dpname);
}
}
free_CRLDistributionPoints(&dp);
@@ -544,19 +482,6 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
return 0;
}
-
-struct {
- const char *name;
- const heim_oid *oid;
- int (*func)(hx509_validate_ctx, heim_any *);
-} altname_types[] = {
- { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san },
- { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san },
- { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull },
- { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull },
- { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san }
-};
-
static int
check_altName(hx509_validate_ctx ctx,
struct cert_status *status,
@@ -591,48 +516,21 @@ check_altName(hx509_validate_ctx ctx,
}
for (i = 0; i < gn.len; i++) {
- switch (gn.val[i].element) {
- case choice_GeneralName_otherName: {
- unsigned j;
-
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
- "%sAltName otherName ", name);
-
- for (j = 0; j < sizeof(altname_types)/sizeof(altname_types[0]); j++) {
- if (der_heim_oid_cmp(altname_types[j].oid,
- &gn.val[i].u.otherName.type_id) != 0)
- continue;
-
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
- altname_types[j].name);
- (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
- break;
- }
- if (j == sizeof(altname_types)/sizeof(altname_types[0])) {
- hx509_oid_print(&gn.val[i].u.otherName.type_id,
- validate_vprint, ctx);
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
- }
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
- break;
- }
- default: {
- char *s;
- ret = hx509_general_name_unparse(&gn.val[i], &s);
- if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "ret = %d unparsing GeneralName\n", ret);
- return 1;
- }
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
- free(s);
- break;
- }
- }
+ char *s;
+
+ ret = hx509_general_name_unparse2(ctx->context, &gn.val[i], &s);
+ if (ret) {
+ s = hx509_get_error_string(ctx->context, ret);
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Error unparsing GeneralName: %s\n", s);
+ hx509_free_error_string(s);
+ return 1;
+ }
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\t%s\n", s);
+ free(s);
}
free_GeneralNames(&gn);
-
return 0;
}
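Review bot: The early `return 1;` on an unparse failure leaves `gn` allocated: `free_GeneralNames(&gn)` is only reached on the success path, so a SAN entry that fails to unparse — now including any otherName type absent from o_unparsers, which hx509_general_name_unparse2 rejects with ENOTSUP — leaks the decoded GeneralNames. Calling `free_GeneralNames(&gn);` before the return, or recording the failure and falling through to the existing free, fixes this without changing the result. The function begins outside this hunk.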
@@ -679,21 +577,16 @@ check_basicConstraints(hx509_validate_ctx ctx,
printf("\tlength of der data isn't same as extension\n");
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
- "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
+ "\tis %sa CA\n", b.cA ? "" : "NOT ");
if (b.pathLenConstraint)
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
"\tpathLenConstraint: %d\n", *b.pathLenConstraint);
if (b.cA) {
- if (*b.cA) {
- if (!e->critical)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "Is a CA and not BasicConstraints CRITICAL\n");
- status->isca = 1;
- }
- else
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "cA is FALSE, not allowed to be\n");
+ if (!e->critical)
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Is a CA and not BasicConstraints CRITICAL\n");
+ status->isca = 1;
}
free_BasicConstraints(&b);
@@ -737,13 +630,225 @@ check_authorityInfoAccess(hx509_validate_ctx ctx,
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
"\ttype: ");
hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
- hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
- "\n\tdirname: %s\n", str);
- free(str);
+ ret = hx509_general_name_unparse2(ctx->context,
+ &aia.val[i].accessLocation, &str);
+ if (ret) {
+ str = hx509_get_error_string(ctx->context, ret);
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "Error unparsing AuthorityInfoAccessSyntax "
+ "accessLocation: %s", str);
+ hx509_free_error_string(str);
+ } else {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ "\n\tdirname: %s\n", str);
+ free(str);
+ }
}
free_AuthorityInfoAccessSyntax(&aia);
+ return ret;
+}
+
+static int
+get_display_text(DisplayText *dt, char **out)
+{
+ int r = -1;
+
+ *out = NULL;
+
+ /*
+ * XXX We're cheating with various string types here.
+ *
+ * Proper support for IA5String is a real pain, and we don't have it.
+ *
+ * We also don't have support for BMPString.
+ */
+ switch (dt->element) {
+ case choice_DisplayText_ia5String:
+ r = rk_strasvisx(out, dt->u.ia5String.data, dt->u.ia5String.length,
+ VIS_CSTYLE | VIS_TAB | VIS_NL, "");
+ break;
+ case choice_DisplayText_visibleString:
+ r = rk_strasvis(out, dt->u.visibleString,
+ VIS_CSTYLE | VIS_TAB | VIS_NL, "");
+ break;
+ case choice_DisplayText_bmpString:
+ errno = ENOTSUP; /* XXX Need a UTF-16 -> UTF-8 conversion */
+ break;
+ case choice_DisplayText_utf8String:
+ r = rk_strasvis(out, dt->u.visibleString,
+ VIS_CSTYLE | VIS_TAB | VIS_NL, "");
+ break;
+ default:
+ errno = EINVAL;
+ }
+ return r < 0 ? errno : 0;
+}
+
+static int
+check_certificatePolicies(hx509_validate_ctx ctx,
+ struct cert_status *status,
+ enum critical_flag cf,
+ const Extension *e)
+{
+ CertificatePolicies cp;
+ size_t i, size;
+ int ret = 0;
+
+ check_Null(ctx, status, cf, e);
+
+ if (e->extnValue.length == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "CertificatePolicies empty, not allowed");
+ return 1;
+ }
+ ret = decode_CertificatePolicies(e->extnValue.data, e->extnValue.length,
+ &cp, &size);
+ if (ret) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "\tret = %d while decoding CertificatePolicies\n", ret);
+ return 1;
+ }
+ if (cp.len == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "CertificatePolicies empty, not allowed\n");
+ return 1;
+ }
+
+ for (i = 0; ret == 0 && i < cp.len; i++) {
+ size_t k;
+ char *poid = NULL;
+ char *qoid = NULL;
+ char *dt = NULL;
+
+ ret = der_print_heim_oid(&cp.val[i].policyIdentifier, '.', &poid);
+ if (ret == 0)
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tPolicy: %s", poid);
+
+ for (k = 0;
+ ret == 0 && cp.val[i].policyQualifiers &&
+ k < cp.val[i].policyQualifiers->len;
+ k++) {
+ PolicyQualifierInfo *pi = &cp.val[i].policyQualifiers->val[k];
+
+ if (der_heim_oid_cmp(&pi->policyQualifierId,
+ &asn1_oid_id_pkix_qt_cps) == 0) {
+ CPSuri cps;
+
+ ret = decode_CPSuri(pi->qualifier.data, pi->qualifier.length,
+ &cps, &size);
+ if (ret == 0) {
+ if (cps.length > 4096)
+ cps.length = 4096;
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ ":CPSuri:%.*s",
+ (int)cps.length, (char *)cps.data);
+ free_CPSuri(&cps);
+ }
+ } else if (der_heim_oid_cmp(&pi->policyQualifierId,
+ &asn1_oid_id_pkix_qt_unotice) == 0) {
+ UserNotice un;
+
+ ret = decode_UserNotice(pi->qualifier.data,
+ pi->qualifier.length, &un, &size);
+ if (ret == 0) {
+ if (un.explicitText) {
+ /*
+ * get_display_text() will strvis to make it safer to
+ * print.
+ */
+ ret = get_display_text(un.explicitText, &dt);
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ " UserNotice:DistplayText:%s", dt);
+ } else if (un.noticeRef) {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ " UserNotice:NoticeRef:<noticeRef-not-supported>",
+ qoid);
+ } else {
+ ret = der_print_heim_oid(&pi->policyQualifierId, '.',
+ &qoid);
+ if (ret)
+ break;
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ " Unknown:%s", qoid);
+ }
+ free_UserNotice(&un);
+ }
+ } else {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ ", qualifier %s:<unknown>", qoid);
+ }
+ free(qoid);
+ free(dt);
+ qoid = dt = 0;
+ }
+ if (ret == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
+ } else {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "\nOut of memory formatting certificate policy");
+ ret = ENOMEM;
+ }
+ free(poid);
+ free(qoid);
+ free(dt);
+ poid = qoid = dt = 0;
+ }
+
+ free_CertificatePolicies(&cp);
+
+ return ret ? 1 : 0;
+}
+
+static int
+check_policyMappings(hx509_validate_ctx ctx,
+ struct cert_status *status,
+ enum critical_flag cf,
+ const Extension *e)
+{
+ PolicyMappings pm;
+ size_t i, size;
+ int ret = 0;
+
+ check_Null(ctx, status, cf, e);
+
+ if (e->extnValue.length == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "PolicyMappings empty, not allowed");
+ return 1;
+ }
+ ret = decode_PolicyMappings(e->extnValue.data, e->extnValue.length,
+ &pm, &size);
+ if (ret) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "\tret = %d while decoding PolicyMappings\n", ret);
+ return 1;
+ }
+ if (pm.len == 0) {
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "PolicyMappings empty, not allowed\n");
+ return 1;
+ }
+
+ for (i = 0; ret == 0 && i < pm.len; i++) {
+ char *idpoid = NULL;
+ char *sdpoid = NULL;
+
+ ret = der_print_heim_oid(&pm.val[i].issuerDomainPolicy, '.', &idpoid);
+ if (ret == 0)
+ ret = der_print_heim_oid(&pm.val[i].subjectDomainPolicy, '.',
+ &sdpoid);
+ if (ret == 0)
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ "\tPolicy mapping %s -> %s\n", idpoid, sdpoid);
+ else
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ "ret=%d while decoding PolicyMappings\n", ret);
+ free(sdpoid);
+ free(idpoid);
+ }
+
+ free_PolicyMappings(&pm);
return 0;
}
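Review bot: `check_certificatePolicies` passes NULL to `%s` in two places: `qoid` is never assigned before the `", qualifier %s:<unknown>"` print in the final else branch, and `dt` is printed as `" UserNotice:DistplayText:%s"` even when `get_display_text` has just failed and left `*out = NULL`; both prints need a non-NULL fallback (`qoid ? qoid : "?"`) or must be skipped when `ret != 0`, and "DistplayText" is a typo. In `get_display_text` the utf8String case reads `dt->u.visibleString` instead of `dt->u.utf8String`, which is harmless only while the two union members share a type. Any non-zero `ret` in the policy loop is reported as "Out of memory" and rewritten to ENOMEM, hiding decode errors on malformed CPSuri or UserNotice qualifiers; printing `ret` and leaving it unchanged is more useful when diagnosing a rejected certificate. `check_policyMappings` returns 0 even when a der_print_heim_oid call failed and the loop stopped early, whereas check_certificatePolicies returns 1 in that situation; `return ret ? 1 : 0;` would make the two consistent. check_authorityInfoAccess begins outside this hunk.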
@@ -776,8 +881,8 @@ struct {
{ ext(certificateIssuer, Null), M_C },
{ ext(nameConstraints, Null), M_C },
{ ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
- { ext(certificatePolicies, Null), 0 },
- { ext(policyMappings, Null), M_N_C },
+ { ext(certificatePolicies, certificatePolicies), 0 },
+ { ext(policyMappings, policyMappings), M_N_C },
{ ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
{ ext(policyConstraints, Null), D_C },
{ ext(extKeyUsage, extKeyUsage), D_C },
@@ -807,13 +912,13 @@ struct {
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
{
- *ctx = malloc(sizeof(**ctx));
+ *ctx = calloc(1, sizeof(**ctx));
if (*ctx == NULL)
- return ENOMEM;
- memset(*ctx, 0, sizeof(**ctx));
+ return hx509_enomem(context);
+ (*ctx)->context = context;
return 0;
}
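Review bot: `hx509_validate_ctx_init` now stores the caller's `hx509_context` in the validate ctx and the checks in this file read it back as `ctx->context`, so the validate ctx must not be used after the context it was created with has been freed; the doc comment above this hunk should state that, e.g. `@param context An hx509 context; it must remain valid for the lifetime of *ctx.`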
@@ -829,7 +934,7 @@ hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
hx509_vprint_func func,
void *c)
@@ -850,7 +955,7 @@ hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
{
ctx->flags |= flags;
@@ -864,7 +969,7 @@ hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
* @ingroup hx509_print
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_validate_ctx_free(hx509_validate_ctx ctx)
{
free(ctx);
@@ -882,7 +987,7 @@ hx509_validate_ctx_free(hx509_validate_ctx ctx)
* @ingroup hx509_print
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_validate_cert(hx509_context context,
hx509_validate_ctx ctx,
hx509_cert cert)
diff --git a/lib/hx509/req.c b/lib/hx509/req.c
index e70ab4b6cce5..d0bfe91a948b 100644
--- a/lib/hx509/req.c
+++ b/lib/hx509/req.c
@@ -34,41 +34,85 @@
#include "hx_locl.h"
#include <pkcs10_asn1.h>
+typedef struct abitstring_s {
+ unsigned char *feats;
+ size_t feat_bytes;
+} *abitstring;
+
struct hx509_request_data {
+ hx509_context context;
hx509_name name;
SubjectPublicKeyInfo key;
+ KeyUsage ku;
ExtKeyUsage eku;
GeneralNames san;
+ struct abitstring_s authorized_EKUs;
+ struct abitstring_s authorized_SANs;
+ uint32_t nunsupported; /* Count of unsupported features requested */
+ uint32_t nauthorized; /* Count of supported features authorized */
+ uint32_t ku_are_authorized:1;
};
-/*
+/**
+ * Allocate and initialize an hx509_request structure representing a PKCS#10
+ * certificate signing request.
+ *
+ * @param context An hx509 context.
+ * @param req Where to put the new hx509_request object.
*
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
*/
-
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_init(hx509_context context, hx509_request *req)
{
*req = calloc(1, sizeof(**req));
if (*req == NULL)
return ENOMEM;
+ (*req)->context = context;
return 0;
}
-void
-hx509_request_free(hx509_request *req)
+/**
+ * Free a certificate signing request object.
+ *
+ * @param req A pointer to the hx509_request to free.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION void HX509_LIB_CALL
+hx509_request_free(hx509_request *reqp)
{
- if ((*req)->name)
- hx509_name_free(&(*req)->name);
- free_SubjectPublicKeyInfo(&(*req)->key);
- free_ExtKeyUsage(&(*req)->eku);
- free_GeneralNames(&(*req)->san);
- memset(*req, 0, sizeof(**req));
- free(*req);
- *req = NULL;
+ hx509_request req = *reqp;
+
+ *reqp = NULL;
+ if (req == NULL)
+ return;
+ if (req->name)
+ hx509_name_free(&req->name);
+ free(req->authorized_EKUs.feats);
+ free(req->authorized_SANs.feats);
+ free_SubjectPublicKeyInfo(&req->key);
+ free_ExtKeyUsage(&req->eku);
+ free_GeneralNames(&req->san);
+ memset(req, 0, sizeof(*req));
+ free(req);
}
-int
+/**
+ * Set the subjectName of the CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request to alter.
+ * @param name The subjectName.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_set_name(hx509_context context,
hx509_request req,
hx509_name name)
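Review bot: hx509_request_init still returns a bare `ENOMEM` on calloc() failure while the same commit switches hx509_validate_ctx_init to `return hx509_enomem(context);`, so a CSR allocation failure leaves no error string in the context for hx509_get_error_string() to report. Use `return hx509_enomem(context);` here too for consistency (hx509_enomem presumably sets the error string before returning ENOMEM, as the print.c change relies on). hx509_request_set_name's body continues past the end of this hunk.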
@@ -83,7 +127,18 @@ hx509_request_set_name(hx509_context context,
return 0;
}
-int
+/**
+ * Get the subject name requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param name Where to put the name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_get_name(hx509_context context,
hx509_request req,
hx509_name *name)
@@ -95,7 +150,18 @@ hx509_request_get_name(hx509_context context,
return hx509_name_copy(context, req->name, name);
}
-int
+/**
+ * Set the subject public key requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param key The public key.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
hx509_request req,
const SubjectPublicKeyInfo *key)
@@ -104,7 +170,18 @@ hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
return copy_SubjectPublicKeyInfo(key, &req->key);
}
-int
+/**
+ * Get the subject public key requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param key Where to put the key.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
hx509_request req,
SubjectPublicKeyInfo *key)
@@ -112,10 +189,61 @@ hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
return copy_SubjectPublicKeyInfo(&req->key, key);
}
-int
-_hx509_request_add_eku(hx509_context context,
- hx509_request req,
- const heim_oid *oid)
+/**
+ * Set the key usage requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param ku The key usage.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_set_ku(hx509_context context, hx509_request req, KeyUsage ku)
+{
+ uint64_t n = KeyUsage2int(ku);
+
+ if ((KeyUsage2int(req->ku) & n) != n)
+ req->ku_are_authorized = 0;
+ req->ku = ku;
+ return 0;
+}
+
+/**
+ * Get the key usage requested by a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param ku Where to put the key usage.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_get_ku(hx509_context context, hx509_request req, KeyUsage *ku)
+{
+ *ku = req->ku;
+ return 0;
+}
+
+/**
+ * Add an extended key usage OID to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param oid The EKU OID.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_eku(hx509_context context,
+ hx509_request req,
+ const heim_oid *oid)
{
void *val;
int ret;
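Review bot: hx509_request_set_ku silently clears `req->ku_are_authorized` whenever the new KeyUsage requests bits not already present (the `(KeyUsage2int(req->ku) & n) != n` test), but its doc comment says nothing about this, so a caller that sets the KU after hx509_request_authorize_ku() will not expect the authorization to vanish. Add to the docstring something like `Replaces any previously set KeyUsage; if the new value requests bits not already present, any prior authorization of the KeyUsage (see hx509_request_authorize_ku()) is revoked.` The `context` parameter is unused by this function, which is presumably why hx509_request_authorize_ku passes NULL; a short note saying it may be NULL would help callers. hx509_request_add_eku's body continues past the end of this hunk.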
@@ -134,10 +262,112 @@ _hx509_request_add_eku(hx509_context context,
return 0;
}
-int
-_hx509_request_add_dns_name(hx509_context context,
- hx509_request req,
- const char *hostname)
+/**
+ * Add a GeneralName (Jabber ID) subject alternative name to a CSR.
+ *
+ * XXX Make this take a heim_octet_string, not a GeneralName*.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param gn The GeneralName object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_GeneralName(hx509_context context,
+ hx509_request req,
+ const GeneralName *gn)
+{
+ return add_GeneralNames(&req->san, gn);
+}
+
+static int
+add_utf8_other_san(hx509_context context,
+ GeneralNames *gns,
+ const heim_oid *oid,
+ const char *s)
+{
+ const PKIXXmppAddr us = (const PKIXXmppAddr)(uintptr_t)s;
+ GeneralName gn;
+ size_t size;
+ int ret;
+
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ gn.u.otherName.value.data = NULL;
+ gn.u.otherName.value.length = 0;
+ ret = der_copy_oid(oid, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(PKIXXmppAddr, gn.u.otherName.value.data,
+ gn.u.otherName.value.length, &us, &size, ret);
+ if (ret == 0 && size != gn.u.otherName.value.length)
+ _hx509_abort("internal ASN.1 encoder error");
+ if (ret == 0)
+ ret = add_GeneralNames(gns, &gn);
+ free_GeneralName(&gn);
+ if (ret)
+ hx509_set_error_string(context, 0, ret, "Out of memory");
+ return ret;
+}
+
+/**
+ * Add an xmppAddr (Jabber ID) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param jid The XMPP address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_xmpp_name(hx509_context context,
+ hx509_request req,
+ const char *jid)
+{
+ return add_utf8_other_san(context, &req->san,
+ &asn1_oid_id_pkix_on_xmppAddr, jid);
+}
+
+/**
+ * Add a Microsoft UPN subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param hostname The XMPP address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_ms_upn_name(hx509_context context,
+ hx509_request req,
+ const char *upn)
+{
+ return add_utf8_other_san(context, &req->san, &asn1_oid_id_pkinit_ms_san,
+ upn);
+}
+
+/**
+ * Add a dNSName (hostname) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param hostname The fully-qualified hostname.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_dns_name(hx509_context context,
+ hx509_request req,
+ const char *hostname)
{
GeneralName name;
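Review bot: The doc comments on two of the new SAN helpers are copy-paste leftovers: hx509_request_add_GeneralName is described as adding a "(Jabber ID)" name although it adds an arbitrary GeneralName, and hx509_request_add_ms_upn_name documents `@param hostname The XMPP address.` for a parameter actually named `upn`. Change them to `Add a GeneralName subject alternative name to a CSR.` and `@param upn The Microsoft User Principal Name (UPN).` respectively. Separately, add_utf8_other_san reports every non-zero `ret` as "Out of memory", which presumably misdescribes a non-ENOMEM ASN.1 encoder error; consider guarding that message with `ret == ENOMEM`. hx509_request_add_dns_name's body continues past the end of this hunk.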
@@ -149,33 +379,271 @@ _hx509_request_add_dns_name(hx509_context context,
return add_GeneralNames(&req->san, &name);
}
-int
-_hx509_request_add_email(hx509_context context,
- hx509_request req,
- const char *email)
+/**
+ * Add a dnsSRV (_service.hostname) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param dnssrv The DNS SRV name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_dns_srv(hx509_context context,
+ hx509_request req,
+ const char *dnssrv)
+{
+ GeneralName gn;
+ SRVName n;
+ size_t size;
+ int ret;
+
+ memset(&n, 0, sizeof(n));
+ memset(&gn, 0, sizeof(gn));
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ gn.u.otherName.value.data = NULL;
+ gn.u.otherName.value.length = 0;
+ n.length = strlen(dnssrv);
+ n.data = (void *)(uintptr_t)dnssrv;
+ ASN1_MALLOC_ENCODE(SRVName,
+ gn.u.otherName.value.data,
+ gn.u.otherName.value.length, &n, &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_pkix_on_dnsSRV, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ret = add_GeneralNames(&req->san, &gn);
+ free_GeneralName(&gn);
+ return ret;
+}
+
+/**
+ * Add an rfc822Name (e-mail address) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param email The e-mail address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_email(hx509_context context,
+ hx509_request req,
+ const char *email)
{
GeneralName name;
memset(&name, 0, sizeof(name));
name.element = choice_GeneralName_rfc822Name;
- name.u.dNSName.data = rk_UNCONST(email);
- name.u.dNSName.length = strlen(email);
+ name.u.rfc822Name.data = rk_UNCONST(email);
+ name.u.rfc822Name.length = strlen(email);
return add_GeneralNames(&req->san, &name);
}
+/**
+ * Add a registeredID (OID) subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param oid The OID.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_registered(hx509_context context,
+ hx509_request req,
+ heim_oid *oid)
+{
+ GeneralName name;
+ int ret;
+ memset(&name, 0, sizeof(name));
+ name.element = choice_GeneralName_registeredID;
+ ret = der_copy_oid(oid, &name.u.registeredID);
+ if (ret)
+ return ret;
+ ret = add_GeneralNames(&req->san, &name);
+ free_GeneralName(&name);
+ return ret;
+}
-int
-_hx509_request_to_pkcs10(hx509_context context,
- const hx509_request req,
- const hx509_private_key signer,
- heim_octet_string *request)
+/**
+ * Add a Kerberos V5 principal subject alternative name to a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param princ The Kerberos principal name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_add_pkinit(hx509_context context,
+ hx509_request req,
+ const char *princ)
{
- CertificationRequest r;
- heim_octet_string data, os;
+ KRB5PrincipalName kn;
+ GeneralName gn;
int ret;
+
+ memset(&kn, 0, sizeof(kn));
+ memset(&gn, 0, sizeof(gn));
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ gn.u.otherName.value.data = NULL;
+ gn.u.otherName.value.length = 0;
+ ret = der_copy_oid(&asn1_oid_id_pkinit_san, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ret = _hx509_make_pkinit_san(context, princ, &gn.u.otherName.value);
+ if (ret == 0)
+ ret = add_GeneralNames(&req->san, &gn);
+ free_GeneralName(&gn);
+ return ret;
+}
+
+/* XXX Add DNSSRV and other SANs */
+
+static int
+get_exts(hx509_context context,
+ const hx509_request req,
+ Extensions *exts)
+{
size_t size;
+ int ret = 0;
+
+ exts->val = NULL;
+ exts->len = 0;
+
+ if (KeyUsage2int(req->ku)) {
+ Extension e;
+
+ memset(&e, 0, sizeof(e));
+ /* The critical field needs to be made DEFAULT FALSE... */
+ e.critical = 1;
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(KeyUsage, e.extnValue.data, e.extnValue.length,
+ &req->ku, &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_x509_ce_keyUsage, &e.extnID);
+ if (ret == 0)
+ ret = add_Extensions(exts, &e);
+ free_Extension(&e);
+ }
+ if (ret == 0 && req->eku.len) {
+ Extension e;
+
+ memset(&e, 0, sizeof(e));
+ e.critical = 1;
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(ExtKeyUsage,
+ e.extnValue.data, e.extnValue.length,
+ &req->eku, &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_x509_ce_extKeyUsage, &e.extnID);
+ if (ret == 0)
+ ret = add_Extensions(exts, &e);
+ free_Extension(&e);
+ }
+ if (ret == 0 && req->san.len) {
+ Extension e;
+
+ memset(&e, 0, sizeof(e));
+ /*
+ * SANs are critical when the subject Name is empty.
+ *
+ * The empty DN check could probably stand to be a function we export.
+ */
+ e.critical = FALSE;
+ if (req->name &&
+ req->name->der_name.element == choice_Name_rdnSequence &&
+ req->name->der_name.u.rdnSequence.len == 0)
+ e.critical = 1;
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(GeneralNames,
+ e.extnValue.data, e.extnValue.length,
+ &req->san,
+ &size, ret);
+ if (ret == 0)
+ ret = der_copy_oid(&asn1_oid_id_x509_ce_subjectAltName, &e.extnID);
+ if (ret == 0)
+ ret = add_Extensions(exts, &e);
+ free_Extension(&e);
+ }
+
+ return ret;
+}
+
+/**
+ * Get the KU/EKUs/SANs set on a request as a DER-encoding of Extensions.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param exts_der Where to put the DER-encoded Extensions.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_get_exts(hx509_context context,
+ const hx509_request req,
+ heim_octet_string *exts_der)
+{
+ Extensions exts;
+ size_t size;
+ int ret;
+
+ exts_der->data = NULL;
+ exts_der->length = 0;
+ ret = get_exts(context, req, &exts);
+ if (ret == 0 && exts.len /* Extensions has a min size constraint of 1 */)
+ ASN1_MALLOC_ENCODE(Extensions, exts_der->data, exts_der->length,
+ &exts, &size, ret);
+ free_Extensions(&exts);
+ return ret;
+}
+
+/* XXX Add PEM */
+
+/**
+ * Encode a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param signer The private key corresponding to the CSR's subject public key.
+ * @param request Where to put the DER-encoded CSR.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_to_pkcs10(hx509_context context,
+ const hx509_request req,
+ const hx509_private_key signer,
+ heim_octet_string *request)
+{
+ CertificationRequest r;
+ Extensions exts;
+ heim_octet_string data;
+ size_t size;
+ int ret;
+
+ request->data = NULL;
+ request->length = 0;
+
+ data.length = 0;
+ data.data = NULL;
if (req->name == NULL) {
hx509_set_error_string(context, 0, EINVAL,
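Review bot: `Extensions exts;` in hx509_request_to_pkcs10 is never initialised on the early-failure paths: the only writes to it happen inside get_exts(), which is reached only if copy_Name() and copy_SubjectPublicKeyInfo() succeed, yet the function's common exit (visible further down, `free_Extensions(&exts);`) frees it unconditionally, so an allocation failure in the copies would free stack garbage. Initialise it with the other locals, e.g. `memset(&exts, 0, sizeof(exts));` next to `data.length = 0;`, exactly as hx509_request_parse_der does for its own `exts`. A smaller point in get_exts: the SAN extension is made critical only for a present-but-empty rdnSequence, so with `req->name == NULL` (which hx509_request_get_exts does not reject) the SAN stays non-critical although the subject is equally empty; `if (req->name == NULL || (req->name->der_name.element == choice_Name_rdnSequence && req->name->der_name.u.rdnSequence.len == 0))` would cover both. hx509_request_to_pkcs10's body continues past the end of this hunk.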
@@ -184,131 +652,790 @@ _hx509_request_to_pkcs10(hx509_context context,
}
memset(&r, 0, sizeof(r));
- memset(request, 0, sizeof(*request));
+ /* Setup CSR */
r.certificationRequestInfo.version = pkcs10_v1;
-
ret = copy_Name(&req->name->der_name,
&r.certificationRequestInfo.subject);
- if (ret)
- goto out;
- ret = copy_SubjectPublicKeyInfo(&req->key,
- &r.certificationRequestInfo.subjectPKInfo);
- if (ret)
- goto out;
- r.certificationRequestInfo.attributes =
- calloc(1, sizeof(*r.certificationRequestInfo.attributes));
- if (r.certificationRequestInfo.attributes == NULL) {
- ret = ENOMEM;
- goto out;
+ if (ret == 0)
+ ret = copy_SubjectPublicKeyInfo(&req->key,
+ &r.certificationRequestInfo.subjectPKInfo);
+
+ /* Encode extReq attribute with requested Certificate Extensions */
+
+ if (ret == 0)
+ ret = get_exts(context, req, &exts);
+ if (ret == 0 && exts.len) {
+ Attribute *a = NULL; /* Quiet VC */
+ heim_any extns;
+
+ extns.data = NULL;
+ extns.length = 0;
+ r.certificationRequestInfo.attributes =
+ calloc(1, sizeof(r.certificationRequestInfo.attributes[0]));
+ if (r.certificationRequestInfo.attributes == NULL)
+ ret = ENOMEM;
+ if (ret == 0) {
+ r.certificationRequestInfo.attributes[0].len = 1;
+ r.certificationRequestInfo.attributes[0].val =
+ calloc(1, sizeof(r.certificationRequestInfo.attributes[0].val[0]));
+ if (r.certificationRequestInfo.attributes[0].val == NULL)
+ ret = ENOMEM;
+ if (ret == 0)
+ a = r.certificationRequestInfo.attributes[0].val;
+ }
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Extensions, extns.data, extns.length,
+ &exts, &size, ret);
+ if (ret == 0 && a)
+ ret = der_copy_oid(&asn1_oid_id_pkcs9_extReq, &a->type);
+ if (ret == 0)
+ ret = add_AttributeValues(&a->value, &extns);
+ free_heim_any(&extns);
}
- ASN1_MALLOC_ENCODE(CertificationRequestInfo, data.data, data.length,
- &r.certificationRequestInfo, &size, ret);
- if (ret)
- goto out;
- if (data.length != size)
+ /* Encode CSR body for signing */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(CertificationRequestInfo, data.data, data.length,
+ &r.certificationRequestInfo, &size, ret);
+ if (ret == 0 && data.length != size)
abort();
- ret = _hx509_create_signature(context,
- signer,
- _hx509_crypto_default_sig_alg,
- &data,
- &r.signatureAlgorithm,
- &os);
+ /* Self-sign CSR body */
+ if (ret == 0) {
+ ret = _hx509_create_signature_bitstring(context, signer,
+ _hx509_crypto_default_sig_alg,
+ &data,
+ &r.signatureAlgorithm,
+ &r.signature);
+ }
free(data.data);
+
+ /* Encode CSR */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(CertificationRequest, request->data, request->length,
+ &r, &size, ret);
+ if (ret == 0 && request->length != size)
+ abort();
+
+ free_CertificationRequest(&r);
+ free_Extensions(&exts);
+ return ret;
+}
+
+/**
+ * Parse an encoded CSR and verify its self-signature.
+ *
+ * @param context An hx509 context.
+ * @param der The DER-encoded CSR.
+ * @param req Where to put request object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_parse_der(hx509_context context,
+ heim_octet_string *der,
+ hx509_request *req)
+{
+ CertificationRequestInfo *rinfo = NULL;
+ CertificationRequest r;
+ hx509_cert signer = NULL;
+ Extensions exts;
+ size_t i, size;
+ int ret;
+
+ memset(&exts, 0, sizeof(exts));
+
+ /* Initial setup and decoding of CSR */
+ ret = hx509_request_init(context, req);
if (ret)
- goto out;
- r.signature.data = os.data;
- r.signature.length = os.length * 8;
+ return ret;
+ ret = decode_CertificationRequest(der->data, der->length, &r, &size);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret, "Failed to decode CSR");
+ free(*req);
+ *req = NULL;
+ return ret;
+ }
+ rinfo = &r.certificationRequestInfo;
- ASN1_MALLOC_ENCODE(CertificationRequest, data.data, data.length,
- &r, &size, ret);
+ /*
+ * Setup a 'signer' for verifying the self-signature for proof of
+ * possession.
+ *
+ * Sadly we need a "certificate" here because _hx509_verify_signature_*()
+ * functions want one as a signer even though all the verification
+ * functions that use the signer argument only ever use the spki of the
+ * signer certificate.
+ *
+ * FIXME Change struct signature_alg's verify_signature's prototype to use
+ * an spki instead of an hx509_cert as the signer! The we won't have
+ * to do this.
+ */
+ if (ret == 0) {
+ Certificate c;
+ memset(&c, 0, sizeof(c));
+ c.tbsCertificate.subjectPublicKeyInfo = rinfo->subjectPKInfo;
+ if ((signer = hx509_cert_init(context, &c, NULL)) == NULL)
+ ret = ENOMEM;
+ }
+
+ /* Verify the signature */
+ if (ret == 0)
+ ret = _hx509_verify_signature_bitstring(context, signer,
+ &r.signatureAlgorithm,
+ &rinfo->_save,
+ &r.signature);
if (ret)
- goto out;
- if (data.length != size)
- abort();
+ hx509_set_error_string(context, 0, ret,
+ "CSR signature verification failed");
+ hx509_cert_free(signer);
- *request = data;
+ /* Populate the hx509_request */
+ if (ret == 0)
+ ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
+ &rinfo->subjectPKInfo);
+ if (ret == 0)
+ ret = _hx509_name_from_Name(&rinfo->subject, &(*req)->name);
+
+ /* Extract KUs, EKUs, and SANs from the CSR's attributes */
+ if (ret || !rinfo->attributes || !rinfo->attributes[0].len)
+ goto out;
+
+ for (i = 0; ret == 0 && i < rinfo->attributes[0].len; i++) {
+ Attribute *a = &rinfo->attributes[0].val[i];
+ heim_any *av = NULL;
+
+ /* We only support Extensions request attributes */
+ if (der_heim_oid_cmp(&a->type, &asn1_oid_id_pkcs9_extReq) != 0) {
+ char *oidstr = NULL;
+
+ /*
+ * We need an HX509_TRACE facility for this sort of warning.
+ *
+ * We'd put the warning in the context and then allow the caller to
+ * extract and reset the warning.
+ *
+ * FIXME
+ */
+ der_print_heim_oid(&a->type, '.', &oidstr);
+ warnx("Unknown or unsupported CSR attribute %s",
+ oidstr ? oidstr : "<error decoding OID>");
+ free(oidstr);
+ continue;
+ }
+ if (!a->value.val)
+ continue;
+
+ av = a->value.val;
+ ret = decode_Extensions(av->data, av->length, &exts, NULL);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret,
+ "CSR signature verification failed "
+ "due to invalid extReq attribute");
+ goto out;
+ }
+ }
+ for (i = 0; ret == 0 && i < exts.len; i++) {
+ const char *what = "";
+ Extension *e = &exts.val[i];
+
+ if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_keyUsage) == 0) {
+ ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length,
+ &(*req)->ku, NULL);
+ what = "keyUsage";
+ /*
+ * Count all KUs as one requested extension to be authorized,
+ * though the caller will have to check the KU values individually.
+ */
+ if (KeyUsage2int((*req)->ku) & ~KeyUsage2int(int2KeyUsage(~0)))
+ (*req)->nunsupported++;
+ } else if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_extKeyUsage) == 0) {
+ ret = decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length,
+ &(*req)->eku, NULL);
+ what = "extKeyUsage";
+
+ /*
+ * Count each EKU as a separate requested extension to be
+ * authorized.
+ */
+ } else if (der_heim_oid_cmp(&e->extnID,
+ &asn1_oid_id_x509_ce_subjectAltName) == 0) {
+ ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
+ &(*req)->san, NULL);
+ what = "subjectAlternativeName";
+
+ /*
+ * Count each SAN as a separate requested extension to be
+ * authorized.
+ */
+ } else {
+ char *oidstr = NULL;
+
+ (*req)->nunsupported++;
+
+ /*
+ * We need an HX509_TRACE facility for this sort of warning.
+ *
+ * We'd put the warning in the context and then allow the caller to
+ * extract and reset the warning.
+ *
+ * FIXME
+ */
+ der_print_heim_oid(&e->extnID, '.', &oidstr);
+ warnx("Unknown or unsupported CSR extension request %s",
+ oidstr ? oidstr : "<error decoding OID>");
+ free(oidstr);
+ }
+ if (ret) {
+ hx509_set_error_string(context, 0, ret,
+ "CSR signature verification failed "
+ "due to invalid %s extension", what);
+ break;
+ }
+ }
out:
free_CertificationRequest(&r);
-
+ free_Extensions(&exts);
+ if (ret)
+ hx509_request_free(req);
return ret;
}
-int
-_hx509_request_parse(hx509_context context,
- const char *path,
- hx509_request *req)
+/**
+ * Parse an encoded CSR and verify its self-signature.
+ *
+ * @param context An hx509 context.
+ * @param csr The name of a store containing the CSR ("PKCS10:/path/to/file")
+ * @param req Where to put request object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_parse(hx509_context context,
+ const char *csr,
+ hx509_request *req)
{
- CertificationRequest r;
- CertificationRequestInfo *rinfo;
- hx509_name subject;
- size_t len, size;
- void *p;
+ heim_octet_string d;
int ret;
- if (strncmp(path, "PKCS10:", 7) != 0) {
+ /* XXX Add support for PEM */
+ if (strncmp(csr, "PKCS10:", 7) != 0) {
hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
- "unsupport type in %s", path);
+ "CSR location does not start with \"PKCS10:\": %s",
+ csr);
return HX509_UNSUPPORTED_OPERATION;
}
- path += 7;
-
- /* XXX PEM request */
- ret = rk_undumpdata(path, &p, &len);
+ ret = rk_undumpdata(csr + 7, &d.data, &d.length);
if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to map file %s", path);
+ hx509_set_error_string(context, 0, ret, "Could not read %s", csr);
return ret;
}
- ret = decode_CertificationRequest(p, len, &r, &size);
- rk_xfree(p);
- if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to decode %s", path);
- return ret;
+ ret = hx509_request_parse_der(context, &d, req);
+ free(d.data);
+ if (ret)
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+ " (while parsing CSR from %s)", csr);
+ return ret;
+}
+
+/**
+ * Get some EKU from a CSR. Usable as an iterator.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param idx The index of the EKU (0 for the first) to return
+ * @param out A pointer to a char * variable where the OID will be placed
+ * (caller must free with free())
+ *
+ * @return Zero on success, HX509_NO_ITEM if no such item exists (denoting
+ * iteration end), or an error.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_get_eku(hx509_request req,
+ size_t idx,
+ char **out)
+{
+ *out = NULL;
+ if (idx >= req->eku.len)
+ return HX509_NO_ITEM;
+ return der_print_heim_oid(&req->eku.val[idx], '.', out);
+}
+
+static int
+abitstring_check(abitstring a, size_t n, int idx)
+{
+ size_t bytes;
+
+ if (idx >= n)
+ return HX509_NO_ITEM;
+
+ bytes = (idx + 1) / CHAR_BIT + (((idx + 1) % CHAR_BIT) ? 1 : 0);
+ if (a->feat_bytes < bytes)
+ return 0;
+
+ return !!(a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)));
+}
+
+/*
+ * Sets and returns 0 if not already set, -1 if already set. Positive return
+ * values are system errors.
+ */
+static int
+abitstring_set(abitstring a, size_t n, int idx)
+{
+ size_t bytes;
+
+ if (idx >= n)
+ return HX509_NO_ITEM;
+
+ bytes = n / CHAR_BIT + ((n % CHAR_BIT) ? 1 : 0);
+ if (a->feat_bytes < bytes) {
+ unsigned char *tmp;
+
+ if ((tmp = realloc(a->feats, bytes)) == NULL)
+ return ENOMEM;
+ memset(tmp + a->feat_bytes, 0, bytes - a->feat_bytes);
+ a->feats = tmp;
+ a->feat_bytes = bytes;
}
- ret = hx509_request_init(context, req);
- if (ret) {
- free_CertificationRequest(&r);
- return ret;
+ if (!(a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)))) {
+ a->feats[idx / CHAR_BIT] |= 1UL<<(idx % CHAR_BIT);
+ return 0;
}
+ return -1;
+}
- rinfo = &r.certificationRequestInfo;
+/*
+ * Resets and returns 0 if not already reset, -1 if already reset. Positive
+ * return values are system errors.
+ */
+static int
+abitstring_reset(abitstring a, size_t n, int idx)
+{
+ size_t bytes;
- ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
- &rinfo->subjectPKInfo);
- if (ret) {
- free_CertificationRequest(&r);
- hx509_request_free(req);
- return ret;
+ if (idx >= n)
+ return HX509_NO_ITEM;
+
+ bytes = (idx + 1) / CHAR_BIT + (((idx + 1) % CHAR_BIT) ? 1 : 0);
+ if (a->feat_bytes >= bytes &&
+ (a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)))) {
+ a->feats[idx / CHAR_BIT] &= ~(1UL<<(idx % CHAR_BIT));
+ return 0;
}
+ return -1;
+}
- ret = _hx509_name_from_Name(&rinfo->subject, &subject);
- if (ret) {
- free_CertificationRequest(&r);
- hx509_request_free(req);
- return ret;
+static int
+authorize_feat(hx509_request req, abitstring a, size_t n, int idx)
+{
+ int ret;
+
+ ret = abitstring_set(a, n, idx);
+ switch (ret) {
+ case 0:
+ req->nauthorized++;
+ HEIM_FALLTHROUGH;
+ case -1:
+ return 0;
+ default:
+ return ret;
}
- ret = hx509_request_set_name(context, *req, subject);
- hx509_name_free(&subject);
- free_CertificationRequest(&r);
- if (ret) {
- hx509_request_free(req);
- return ret;
+}
+
+static int
+reject_feat(hx509_request req, abitstring a, size_t n, int idx)
+{
+ int ret;
+
+ ret = abitstring_reset(a, n, idx);
+ switch (ret) {
+ case 0:
+ req->nauthorized--;
+ HEIM_FALLTHROUGH;
+ case -1:
+ return 0;
+ default:
+ return ret;
}
+}
- return 0;
+/**
+ * Filter the requested KeyUsage and mark it authorized.
+ *
+ * @param req The hx509_request object.
+ * @param ku Permitted KeyUsage
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION void HX509_LIB_CALL
+hx509_request_authorize_ku(hx509_request req, KeyUsage ku)
+{
+ (void) hx509_request_set_ku(NULL, req, ku);
+ req->ku = int2KeyUsage(KeyUsage2int(req->ku) & KeyUsage2int(ku));
+ if (KeyUsage2int(ku))
+ req->ku_are_authorized = 1;
+}
+
+/**
+ * Mark a requested EKU as authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of an EKU that can be fetched with
+ * hx509_request_get_eku()
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_authorize_eku(hx509_request req, size_t idx)
+{
+ return authorize_feat(req, &req->authorized_EKUs, req->eku.len, idx);
}
+/**
+ * Mark a requested EKU as not authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of an EKU that can be fetched with
+ * hx509_request_get_eku()
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_reject_eku(hx509_request req, size_t idx)
+{
+ return reject_feat(req, &req->authorized_EKUs, req->eku.len, idx);
+}
-int
-_hx509_request_print(hx509_context context, hx509_request req, FILE *f)
+/**
+ * Check if an EKU has been marked authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of an EKU that can be fetched with
+ * hx509_request_get_eku()
+ *
+ * @return Non-zero if authorized, zero if not.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_eku_authorized_p(hx509_request req, size_t idx)
{
- int ret;
+ return abitstring_check(&req->authorized_EKUs, req->eku.len, idx);
+}
+
+/**
+ * Mark a requested SAN as authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The cursor as modified by a SAN iterator.
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_authorize_san(hx509_request req, size_t idx)
+{
+ return authorize_feat(req, &req->authorized_SANs, req->san.len, idx);
+}
+
+/**
+ * Mark a requested SAN as not authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The cursor as modified by a SAN iterator.
+ *
+ * @return Zero on success, an error otherwise.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_reject_san(hx509_request req, size_t idx)
+{
+ return reject_feat(req, &req->authorized_SANs, req->san.len, idx);
+}
+
+/**
+ * Check if a SAN has been marked authorized.
+ *
+ * @param req The hx509_request object.
+ * @param idx The index of a SAN that can be fetched with
+ * hx509_request_get_san()
+ *
+ * @return Non-zero if authorized, zero if not.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_san_authorized_p(hx509_request req, size_t idx)
+{
+ return abitstring_check(&req->authorized_SANs, req->san.len, idx);
+}
+
+/**
+ * Return the count of unsupported requested certificate extensions.
+ *
+ * @param req The hx509_request object.
+ * @return The number of unsupported certificate extensions requested.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION size_t HX509_LIB_CALL
+hx509_request_count_unsupported(hx509_request req)
+{
+ return req->nunsupported;
+}
+
+/**
+ * Return the count of as-yet unauthorized certificate extensions requested.
+ *
+ * @param req The hx509_request object.
+ * @return The number of as-yet unauthorized certificate extensions requested.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION size_t HX509_LIB_CALL
+hx509_request_count_unauthorized(hx509_request req)
+{
+ size_t nrequested = req->eku.len + req->san.len +
+ (KeyUsage2int(req->ku) ? 1 : 0) + req->nunsupported;
+
+ return nrequested - (req->nauthorized + req->ku_are_authorized);
+}
+
+static hx509_san_type
+san_map_type(GeneralName *san)
+{
+ static const struct {
+ const heim_oid *oid;
+ hx509_san_type type;
+ } map[] = {
+ { &asn1_oid_id_pkix_on_dnsSRV, HX509_SAN_TYPE_DNSSRV },
+ { &asn1_oid_id_pkinit_san, HX509_SAN_TYPE_PKINIT },
+ { &asn1_oid_id_pkix_on_xmppAddr, HX509_SAN_TYPE_XMPP },
+ { &asn1_oid_id_pkinit_ms_san, HX509_SAN_TYPE_MS_UPN },
+ { &asn1_oid_id_pkix_on_permanentIdentifier, HX509_SAN_TYPE_PERMANENT_ID },
+ { &asn1_oid_id_on_hardwareModuleName, HX509_SAN_TYPE_HW_MODULE },
+ };
+ size_t i;
+
+ switch (san->element) {
+ case choice_GeneralName_rfc822Name: return HX509_SAN_TYPE_EMAIL;
+ case choice_GeneralName_dNSName: return HX509_SAN_TYPE_DNSNAME;
+ case choice_GeneralName_directoryName: return HX509_SAN_TYPE_DN;
+ case choice_GeneralName_registeredID: return HX509_SAN_TYPE_REGISTERED_ID;
+ case choice_GeneralName_otherName: {
+ for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
+ if (der_heim_oid_cmp(&san->u.otherName.type_id, map[i].oid) == 0)
+ return map[i].type;
+ }
+ HEIM_FALLTHROUGH;
+ default: return HX509_SAN_TYPE_UNSUPPORTED;
+ }
+}
+
+/**
+ * Return the count of as-yet unauthorized certificate extensions requested.
+ *
+ * @param req The hx509_request object.
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION size_t HX509_LIB_CALL
+hx509_request_get_san(hx509_request req,
+ size_t idx,
+ hx509_san_type *type,
+ char **out)
+{
+ struct rk_strpool *pool = NULL;
+ GeneralName *san;
+
+ *out = NULL;
+ if (idx >= req->san.len)
+ return HX509_NO_ITEM;
+
+ san = &req->san.val[idx];
+ switch ((*type = san_map_type(san))) {
+ case HX509_SAN_TYPE_UNSUPPORTED: return 0;
+ case HX509_SAN_TYPE_EMAIL:
+ *out = strndup(san->u.rfc822Name.data,
+ san->u.rfc822Name.length);
+ break;
+ case HX509_SAN_TYPE_DNSNAME:
+ *out = strndup(san->u.dNSName.data,
+ san->u.dNSName.length);
+ break;
+ case HX509_SAN_TYPE_DNSSRV: {
+ SRVName name;
+ size_t size;
+ int ret;
+
+ ret = decode_SRVName(san->u.otherName.value.data,
+ san->u.otherName.value.length, &name, &size);
+ if (ret)
+ return ret;
+ *out = strndup(name.data, name.length);
+ break;
+ }
+ case HX509_SAN_TYPE_PERMANENT_ID: {
+ PermanentIdentifier pi;
+ size_t size;
+ char *s = NULL;
+ int ret;
+
+ ret = decode_PermanentIdentifier(san->u.otherName.value.data,
+ san->u.otherName.value.length,
+ &pi, &size);
+ if (ret == 0 && pi.assigner) {
+ ret = der_print_heim_oid(pi.assigner, '.', &s);
+ if (ret == 0 &&
+ (pool = rk_strpoolprintf(NULL, "%s", s)) == NULL)
+ ret = ENOMEM;
+ } else if (ret == 0) {
+ pool = rk_strpoolprintf(NULL, "-");
+ }
+ if (ret == 0 &&
+ (pool = rk_strpoolprintf(pool, "%s%s",
+ *pi.identifierValue ? " " : "",
+ *pi.identifierValue ? *pi.identifierValue : "")) == NULL)
+ ret = ENOMEM;
+ if (ret == 0 && (*out = rk_strpoolcollect(pool)) == NULL)
+ ret = ENOMEM;
+ free_PermanentIdentifier(&pi);
+ free(s);
+ return ret;
+ }
+ case HX509_SAN_TYPE_HW_MODULE: {
+ HardwareModuleName hn;
+ size_t size;
+ char *s = NULL;
+ int ret;
+
+ ret = decode_HardwareModuleName(san->u.otherName.value.data,
+ san->u.otherName.value.length,
+ &hn, &size);
+ if (ret == 0 && hn.hwSerialNum.length > 256)
+ hn.hwSerialNum.length = 256;
+ if (ret == 0)
+ ret = der_print_heim_oid(&hn.hwType, '.', &s);
+ if (ret == 0)
+ pool = rk_strpoolprintf(NULL, "%s", s);
+ if (ret == 0 && pool)
+ pool = rk_strpoolprintf(pool, " %.*s",
+ (int)hn.hwSerialNum.length,
+ (char *)hn.hwSerialNum.data);
+ if (ret == 0 &&
+ (pool == NULL || (*out = rk_strpoolcollect(pool)) == NULL))
+ ret = ENOMEM;
+ free_HardwareModuleName(&hn);
+ return ret;
+ }
+ case HX509_SAN_TYPE_DN: {
+ Name name;
+
+ if (san->u.directoryName.element == choice_Name_rdnSequence) {
+ name.element = choice_Name_rdnSequence;
+ name.u.rdnSequence = san->u.directoryName.u.rdnSequence;
+ return _hx509_Name_to_string(&name, out);
+ }
+ *type = HX509_SAN_TYPE_UNSUPPORTED;
+ return 0;
+ }
+ case HX509_SAN_TYPE_REGISTERED_ID:
+ return der_print_heim_oid(&san->u.registeredID, '.', out);
+ case HX509_SAN_TYPE_XMPP:
+ HEIM_FALLTHROUGH;
+ case HX509_SAN_TYPE_MS_UPN: {
+ int ret;
+
+ ret = _hx509_unparse_utf8_string_name(req->context, &pool,
+ &san->u.otherName.value);
+ if ((*out = rk_strpoolcollect(pool)) == NULL)
+ return hx509_enomem(req->context);
+ return ret;
+ }
+ case HX509_SAN_TYPE_PKINIT: {
+ int ret;
+
+ ret = _hx509_unparse_KRB5PrincipalName(req->context, &pool,
+ &san->u.otherName.value);
+ if ((*out = rk_strpoolcollect(pool)) == NULL)
+ return hx509_enomem(req->context);
+ return ret;
+ }
+ default:
+ *type = HX509_SAN_TYPE_UNSUPPORTED;
+ return 0;
+ }
+ if (*out == NULL)
+ return ENOMEM;
+ return 0;
+}
+
+/**
+ * Display a CSR.
+ *
+ * @param context An hx509 context.
+ * @param req The hx509_request object.
+ * @param f A FILE * to print the CSR to.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_request
+ */
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_request_print(hx509_context context, hx509_request req, FILE *f)
+{
+ uint64_t ku_num;
+ size_t i;
+ char *s = NULL;
+ int ret = 0;
+
+ /*
+ * It's really unformatunate that we can't reuse more of the
+ * lib/hx509/print.c infrastructure here, as it's too focused on
+ * Certificates.
+ *
+ * For that matter, it's really annoying that CSRs don't more resemble
+ * Certificates. Indeed, an ideal CSR would look like this:
+ *
+ * CSRInfo ::= {
+ * desiredTbsCertificate TBSCertificate,
+ * attributes [1] SEQUENCE OF Attribute OPTIONAL,
+ * }
+ * CSR :: = {
+ * csrInfo CSRInfo,
+ * sigAlg AlgorithmIdentifier,
+ * signature BIT STRING
+ * }
+ *
+ * with everything related to the desired certificate in
+ * desiredTbsCertificate and anything not related to the CSR's contents in
+ * the 'attributes' field.
+ *
+ * That wouldn't allow one to have optional desired TBSCertificate
+ * features, but hey. One could express "gimme all or gimme nothing" as an
+ * attribute, or "gimme what you can", then check what one got.
+ */
+ fprintf(f, "PKCS#10 CertificationRequest:\n");
if (req->name) {
char *subject;
@@ -317,10 +1444,79 @@ _hx509_request_print(hx509_context context, hx509_request req, FILE *f)
hx509_set_error_string(context, 0, ret, "Failed to print name");
return ret;
}
- fprintf(f, "name: %s\n", subject);
+ fprintf(f, " name: %s\n", subject);
free(subject);
}
+ /* XXX Use hx509_request_get_ku() accessor */
+ if ((ku_num = KeyUsage2int(req->ku))) {
+ const struct units *u;
+ const char *first = " ";
- return 0;
-}
+ fprintf(f, " key usage:");
+ for (u = asn1_KeyUsage_units(); u->name; ++u) {
+ if ((ku_num & u->mult)) {
+ fprintf(f, "%s%s", first, u->name);
+ first = ", ";
+ ku_num &= ~u->mult;
+ }
+ }
+ if (ku_num)
+ fprintf(f, "%s<unknown-KeyUsage-value(s)>", first);
+ fprintf(f, "\n");
+ }
+ if (req->eku.len) {
+ const char *first = " ";
+ fprintf(f, " eku:");
+ for (i = 0; ret == 0; i++) {
+ free(s); s = NULL;
+ ret = hx509_request_get_eku(req, i, &s);
+ if (ret)
+ break;
+ fprintf(f, "%s{%s}", first, s);
+ first = ", ";
+ }
+ fprintf(f, "\n");
+ }
+ free(s); s = NULL;
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ for (i = 0; ret == 0; i++) {
+ hx509_san_type san_type;
+
+ free(s); s = NULL;
+ ret = hx509_request_get_san(req, i, &san_type, &s);
+ if (ret)
+ break;
+ switch (san_type) {
+ case HX509_SAN_TYPE_EMAIL:
+ fprintf(f, " san: rfc822Name: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_DNSNAME:
+ fprintf(f, " san: dNSName: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_DN:
+ fprintf(f, " san: dn: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_REGISTERED_ID:
+ fprintf(f, " san: registeredID: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_XMPP:
+ fprintf(f, " san: xmpp: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_PKINIT:
+ fprintf(f, " san: pkinit: %s\n", s);
+ break;
+ case HX509_SAN_TYPE_MS_UPN:
+ fprintf(f, " san: ms-upn: %s\n", s);
+ break;
+ default:
+ fprintf(f, " san: <SAN type not supported>\n");
+ break;
+ }
+ }
+ free(s); s = NULL;
+ if (ret == HX509_NO_ITEM)
+ ret = 0;
+ return ret;
+}
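Review bot: Errors from hx509_request_get_eku() and hx509_request_get_san() (L23349, L23364) are returned to the caller without an hx509 error string, unlike the name failure path at L23319 that sets "Failed to print name", so a caller only sees a bare errno-style code. Setting one at the two `break` sites, e.g. `hx509_set_error_string(context, 0, ret, "Failed to print CSR SAN %zu", i);` for the SAN loop, keeps the documented "see hx509_get_error_string()" contract. The fprintf() calls are also unchecked, so a failed write to `f` still returns 0; a final `if (ret == 0 && ferror(f)) ret = EIO;` before `return ret;` would surface that cheaply. The leftover `/* XXX Use hx509_request_get_ku() accessor */` at L23326 should either be resolved or reworded as a TODO with the reason the accessor is not used yet. The function's opening, including the name block, is in the preceding hunk.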
diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index a777226db29e..4cfdaaee48c4 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -40,7 +40,7 @@
* revocation for destroyed private keys too (smartcard broken), but
* that should not be a problem.
*
- * CRL is a list of certifiates that have expired.
+ * CRL is a list of certificates that have expired.
*
* OCSP is an online checking method where the requestor sends a list
* of certificates to the OCSP server to return a signed reply if they
@@ -91,7 +91,7 @@ struct hx509_revoke_ctx_data {
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_init(hx509_context context, hx509_revoke_ctx *ctx)
{
*ctx = calloc(1, sizeof(**ctx));
@@ -107,7 +107,7 @@ hx509_revoke_init(hx509_context context, hx509_revoke_ctx *ctx)
return 0;
}
-hx509_revoke_ctx
+HX509_LIB_FUNCTION hx509_revoke_ctx HX509_LIB_CALL
_hx509_revoke_ref(hx509_revoke_ctx ctx)
{
if (ctx == NULL)
@@ -137,7 +137,7 @@ free_ocsp(struct revoke_ocsp *ocsp)
* @ingroup hx509_revoke
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_revoke_free(hx509_revoke_ctx *ctx)
{
size_t i ;
@@ -202,6 +202,8 @@ verify_ocsp(hx509_context context,
ret = hx509_certs_find(context, certs, &q, &signer);
if (ret && ocsp->certs)
ret = hx509_certs_find(context, ocsp->certs, &q, &signer);
+ if (ret == 0 && signer == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret)
goto out;
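Review bot: The new `signer == NULL` guard at L23440 returns HX509_CERT_NOT_FOUND without setting an hx509 error string, whereas the matching guard added to verify_crl (L23464) falls into the existing `hx509_set_error_string(context, HX509_ERROR_APPEND, ret, "Failed to find certificate for CRL")` branch; callers of the OCSP path get a bare code with no explanation. Suggest `if (ret == 0 && signer == NULL) { ret = HX509_CERT_NOT_FOUND; hx509_set_error_string(context, 0, ret, "Failed to find OCSP responder certificate"); }`. The guard presumably relies on hx509_certs_find() leaving `signer` NULL when nothing matches; if `signer` is not initialised to NULL before the two lookups, a stale pointer would slip past it, which is worth confirming since the declaration is outside the hunk. verify_ocsp's signature and its `out:` label are both outside this hunk.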
@@ -217,7 +219,7 @@ verify_ocsp(hx509_context context,
ret = _hx509_cert_is_parent_cmp(s, p, 0);
if (ret != 0) {
ret = HX509_PARENT_NOT_CA;
- hx509_set_error_string(context, 0, ret, "Revoke OCSP signer is "
+ hx509_set_error_string(context, 0, ret, "Revoke OCSP signer "
"doesn't have CA as signer certificate");
goto out;
}
@@ -399,7 +401,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_add_ocsp(hx509_context context,
hx509_revoke_ctx ctx,
const char *path)
@@ -500,6 +502,8 @@ verify_crl(hx509_context context,
q.subject_name = &crl->tbsCertList.issuer;
ret = hx509_certs_find(context, certs, &q, &signer);
+ if (ret == 0 && signer == NULL)
+ ret = HX509_CERT_NOT_FOUND;
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
"Failed to find certificate for CRL");
@@ -550,7 +554,7 @@ verify_crl(hx509_context context,
signer = crl_parent;
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
- "Failed to verify revoke "
+ "Failed to verify revocation "
"status of CRL signer");
goto out;
}
@@ -596,18 +600,15 @@ load_crl(hx509_context context, const char *path, time_t *t, CRLCertificateList
FILE *f;
int ret;
+ *t = 0;
memset(crl, 0, sizeof(*crl));
-
- ret = stat(path, &sb);
- if (ret)
- return errno;
-
- *t = sb.st_mtime;
if ((f = fopen(path, "r")) == NULL)
return errno;
rk_cloexec_file(f);
+ if (fstat(fileno(f), &sb) == 0)
+ *t = sb.st_mtime;
ret = hx509_pem_read(context, f, crl_parser, crl);
fclose(f);
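Review bot: The fstat() at L23492 is allowed to fail silently, leaving `*t` at the 0 written on L23481, while the stat() call it replaces returned errno to the caller; nothing in the hunk says whether a zero modification time is acceptable downstream. If it is, a one-line comment such as `/* *t is best-effort: a failed fstat leaves it at 0 */` would record the intent; otherwise keep the old behaviour with `if (fstat(fileno(f), &sb) != 0) { ret = errno; fclose(f); return ret; }`. Taking the timestamp from the open descriptor rather than the path does close the gap between checking and opening the file, which is the right direction. load_crl's declaration and the rest of its body are outside the hunk.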
@@ -636,7 +637,7 @@ load_crl(hx509_context context, const char *path, time_t *t, CRLCertificateList
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_add_crl(hx509_context context,
hx509_revoke_ctx ctx,
const char *path)
@@ -647,7 +648,7 @@ hx509_revoke_add_crl(hx509_context context,
if (strncmp(path, "FILE:", 5) != 0) {
hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
- "unsupport type in %s", path);
+ "unsupported type in %s", path);
return HX509_UNSUPPORTED_OPERATION;
}
@@ -706,7 +707,7 @@ hx509_revoke_add_crl(hx509_context context,
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_verify(hx509_context context,
hx509_revoke_ctx ctx,
hx509_certs certs,
@@ -879,8 +880,7 @@ hx509_revoke_verify(hx509_context context,
return 0;
hx509_set_error_string(context, HX509_ERROR_APPEND,
HX509_REVOKE_STATUS_MISSING,
- "No revoke status found for "
- "certificates");
+ "No revocation status found for certificates");
return HX509_REVOKE_STATUS_MISSING;
}
@@ -891,7 +891,7 @@ struct ocsp_add_ctx {
hx509_cert parent;
};
-static int
+static int HX509_LIB_CALL
add_to_req(hx509_context context, void *ptr, hx509_cert cert)
{
struct ocsp_add_ctx *ctx = ptr;
@@ -994,7 +994,7 @@ out:
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ocsp_request(hx509_context context,
hx509_certs reqcerts,
hx509_certs pool,
@@ -1194,7 +1194,7 @@ print_crl(hx509_context context, struct revoke_crl *crl, FILE *out)
*
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_print(hx509_context context,
hx509_revoke_ctx ctx,
FILE *out)
@@ -1241,7 +1241,7 @@ hx509_revoke_print(hx509_context context,
* @ingroup hx509_revoke
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
{
struct revoke_ocsp ocsp;
@@ -1287,7 +1287,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_ocsp_verify(hx509_context context,
time_t now,
hx509_cert cert,
@@ -1396,7 +1396,7 @@ struct hx509_crl {
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_alloc(hx509_context context, hx509_crl *crl)
{
int ret;
@@ -1429,7 +1429,7 @@ hx509_crl_alloc(hx509_context context, hx509_crl *crl)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_add_revoked_certs(hx509_context context,
hx509_crl crl,
hx509_certs certs)
@@ -1450,7 +1450,7 @@ hx509_crl_add_revoked_certs(hx509_context context,
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_lifetime(hx509_context context, hx509_crl crl, int delta)
{
crl->expire = time(NULL) + delta;
@@ -1466,7 +1466,7 @@ hx509_crl_lifetime(hx509_context context, hx509_crl crl, int delta)
* @ingroup hx509_verify
*/
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
hx509_crl_free(hx509_context context, hx509_crl *crl)
{
if (*crl == NULL)
@@ -1477,7 +1477,7 @@ hx509_crl_free(hx509_context context, hx509_crl *crl)
*crl = NULL;
}
-static int
+static int HX509_LIB_CALL
add_revoked(hx509_context context, void *ctx, hx509_cert cert)
{
TBSCRLCertList *c = ctx;
@@ -1525,7 +1525,7 @@ add_revoked(hx509_context context, void *ctx, hx509_cert cert)
* @ingroup hx509_verify
*/
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
hx509_crl_sign(hx509_context context,
hx509_cert signer,
hx509_crl crl,
diff --git a/lib/hx509/sel-gram.c b/lib/hx509/sel-gram.c
deleted file mode 100644
index c09d1c188bd7..000000000000
--- a/lib/hx509/sel-gram.c
+++ /dev/null
@@ -1,1546 +0,0 @@
-/* A Bison parser, made by GNU Bison 3.8.2. */
-
-/* Bison implementation for Yacc-like parsers in C
-
- Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
- Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <https://www.gnu.org/licenses/>. */
-
-/* As a special exception, you may create a larger work that contains
- part or all of the Bison parser skeleton and distribute that work
- under terms of your choice, so long as that work isn't itself a
- parser generator using the skeleton or a modified version thereof
- as a parser skeleton. Alternatively, if you modify or redistribute
- the parser skeleton itself, you may (at your option) remove this
- special exception, which will cause the skeleton and the resulting
- Bison output files to be licensed under the GNU General Public
- License without this special exception.
-
- This special exception was added by the Free Software Foundation in
- version 2.2 of Bison. */
-
-/* C LALR(1) parser skeleton written by Richard Stallman, by
- simplifying the original so-called "semantic" parser. */
-
-/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
- especially those whose name start with YY_ or yy_. They are
- private implementation details that can be changed or removed. */
-
-/* All symbols defined below should begin with yy or YY, to avoid
- infringing on user name space. This should be done even for local
- variables, as they might otherwise be expanded by user macros.
- There are some unavoidable exceptions within include files to
- define necessary library symbols; they are noted "INFRINGES ON
- USER NAME SPACE" below. */
-
-/* Identify Bison output, and Bison version. */
-#define YYBISON 30802
-
-/* Bison version string. */
-#define YYBISON_VERSION "3.8.2"
-
-/* Skeleton name. */
-#define YYSKELETON_NAME "yacc.c"
-
-/* Pure parsers. */
-#define YYPURE 0
-
-/* Push parsers. */
-#define YYPUSH 0
-
-/* Pull parsers. */
-#define YYPULL 1
-
-
-
-
-/* First part of user prologue. */
-#line 34 "sel-gram.y"
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-#include <stdio.h>
-#include <stdlib.h>
-#include <hx_locl.h>
-
-#if !defined(yylex)
-#define yylex _hx509_sel_yylex
-#define yywrap _hx509_sel_yywrap
-#endif
-#if !defined(yyparse)
-#define yyparse _hx509_sel_yyparse
-#define yyerror _hx509_sel_yyerror
-#define yylval _hx509_sel_yylval
-#define yychar _hx509_sel_yychar
-#define yydebug _hx509_sel_yydebug
-#define yynerrs _hx509_sel_yynerrs
-#endif
-
-
-#line 94 "sel-gram.c"
-
-# ifndef YY_CAST
-# ifdef __cplusplus
-# define YY_CAST(Type, Val) static_cast<Type> (Val)
-# define YY_REINTERPRET_CAST(Type, Val) reinterpret_cast<Type> (Val)
-# else
-# define YY_CAST(Type, Val) ((Type) (Val))
-# define YY_REINTERPRET_CAST(Type, Val) ((Type) (Val))
-# endif
-# endif
-# ifndef YY_NULLPTR
-# if defined __cplusplus
-# if 201103L <= __cplusplus
-# define YY_NULLPTR nullptr
-# else
-# define YY_NULLPTR 0
-# endif
-# else
-# define YY_NULLPTR ((void*)0)
-# endif
-# endif
-
-/* Use api.header.include to #include this header
- instead of duplicating it here. */
-#ifndef YY_YY_SEL_GRAM_H_INCLUDED
-# define YY_YY_SEL_GRAM_H_INCLUDED
-/* Debug traces. */
-#ifndef YYDEBUG
-# define YYDEBUG 0
-#endif
-#if YYDEBUG
-extern int yydebug;
-#endif
-
-/* Token kinds. */
-#ifndef YYTOKENTYPE
-# define YYTOKENTYPE
- enum yytokentype
- {
- YYEMPTY = -2,
- YYEOF = 0, /* "end of file" */
- YYerror = 256, /* error */
- YYUNDEF = 257, /* "invalid token" */
- kw_TRUE = 258, /* kw_TRUE */
- kw_FALSE = 259, /* kw_FALSE */
- kw_AND = 260, /* kw_AND */
- kw_OR = 261, /* kw_OR */
- kw_IN = 262, /* kw_IN */
- kw_TAILMATCH = 263, /* kw_TAILMATCH */
- NUMBER = 264, /* NUMBER */
- STRING = 265, /* STRING */
- IDENTIFIER = 266 /* IDENTIFIER */
- };
- typedef enum yytokentype yytoken_kind_t;
-#endif
-/* Token kinds. */
-#define YYEMPTY -2
-#define YYEOF 0
-#define YYerror 256
-#define YYUNDEF 257
-#define kw_TRUE 258
-#define kw_FALSE 259
-#define kw_AND 260
-#define kw_OR 261
-#define kw_IN 262
-#define kw_TAILMATCH 263
-#define NUMBER 264
-#define STRING 265
-#define IDENTIFIER 266
-
-/* Value type. */
-#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-union YYSTYPE
-{
-#line 57 "sel-gram.y"
-
- char *string;
- struct hx_expr *expr;
-
-#line 174 "sel-gram.c"
-
-};
-typedef union YYSTYPE YYSTYPE;
-# define YYSTYPE_IS_TRIVIAL 1
-# define YYSTYPE_IS_DECLARED 1
-#endif
-
-
-extern YYSTYPE yylval;
-
-
-int yyparse (void);
-
-
-#endif /* !YY_YY_SEL_GRAM_H_INCLUDED */
-/* Symbol kind. */
-enum yysymbol_kind_t
-{
- YYSYMBOL_YYEMPTY = -2,
- YYSYMBOL_YYEOF = 0, /* "end of file" */
- YYSYMBOL_YYerror = 1, /* error */
- YYSYMBOL_YYUNDEF = 2, /* "invalid token" */
- YYSYMBOL_kw_TRUE = 3, /* kw_TRUE */
- YYSYMBOL_kw_FALSE = 4, /* kw_FALSE */
- YYSYMBOL_kw_AND = 5, /* kw_AND */
- YYSYMBOL_kw_OR = 6, /* kw_OR */
- YYSYMBOL_kw_IN = 7, /* kw_IN */
- YYSYMBOL_kw_TAILMATCH = 8, /* kw_TAILMATCH */
- YYSYMBOL_NUMBER = 9, /* NUMBER */
- YYSYMBOL_STRING = 10, /* STRING */
- YYSYMBOL_IDENTIFIER = 11, /* IDENTIFIER */
- YYSYMBOL_12_ = 12, /* '!' */
- YYSYMBOL_13_ = 13, /* '(' */
- YYSYMBOL_14_ = 14, /* ')' */
- YYSYMBOL_15_ = 15, /* ',' */
- YYSYMBOL_16_ = 16, /* '=' */
- YYSYMBOL_17_ = 17, /* '%' */
- YYSYMBOL_18_ = 18, /* '{' */
- YYSYMBOL_19_ = 19, /* '}' */
- YYSYMBOL_20_ = 20, /* '.' */
- YYSYMBOL_YYACCEPT = 21, /* $accept */
- YYSYMBOL_start = 22, /* start */
- YYSYMBOL_expr = 23, /* expr */
- YYSYMBOL_words = 24, /* words */
- YYSYMBOL_comp = 25, /* comp */
- YYSYMBOL_word = 26, /* word */
- YYSYMBOL_number = 27, /* number */
- YYSYMBOL_string = 28, /* string */
- YYSYMBOL_function = 29, /* function */
- YYSYMBOL_variable = 30, /* variable */
- YYSYMBOL_variables = 31 /* variables */
-};
-typedef enum yysymbol_kind_t yysymbol_kind_t;
-
-
-
-
-#ifdef short
-# undef short
-#endif
-
-/* On compilers that do not define __PTRDIFF_MAX__ etc., make sure
- <limits.h> and (if available) <stdint.h> are included
- so that the code can choose integer types of a good width. */
-
-#ifndef __PTRDIFF_MAX__
-# include <limits.h> /* INFRINGES ON USER NAME SPACE */
-# if defined __STDC_VERSION__ && 199901 <= __STDC_VERSION__
-# include <stdint.h> /* INFRINGES ON USER NAME SPACE */
-# define YY_STDINT_H
-# endif
-#endif
-
-/* Narrow types that promote to a signed type and that can represent a
- signed or unsigned integer of at least N bits. In tables they can
- save space and decrease cache pressure. Promoting to a signed type
- helps avoid bugs in integer arithmetic. */
-
-#ifdef __INT_LEAST8_MAX__
-typedef __INT_LEAST8_TYPE__ yytype_int8;
-#elif defined YY_STDINT_H
-typedef int_least8_t yytype_int8;
-#else
-typedef signed char yytype_int8;
-#endif
-
-#ifdef __INT_LEAST16_MAX__
-typedef __INT_LEAST16_TYPE__ yytype_int16;
-#elif defined YY_STDINT_H
-typedef int_least16_t yytype_int16;
-#else
-typedef short yytype_int16;
-#endif
-
-/* Work around bug in HP-UX 11.23, which defines these macros
- incorrectly for preprocessor constants. This workaround can likely
- be removed in 2023, as HPE has promised support for HP-UX 11.23
- (aka HP-UX 11i v2) only through the end of 2022; see Table 2 of
- <https://h20195.www2.hpe.com/V2/getpdf.aspx/4AA4-7673ENW.pdf>. */
-#ifdef __hpux
-# undef UINT_LEAST8_MAX
-# undef UINT_LEAST16_MAX
-# define UINT_LEAST8_MAX 255
-# define UINT_LEAST16_MAX 65535
-#endif
-
-#if defined __UINT_LEAST8_MAX__ && __UINT_LEAST8_MAX__ <= __INT_MAX__
-typedef __UINT_LEAST8_TYPE__ yytype_uint8;
-#elif (!defined __UINT_LEAST8_MAX__ && defined YY_STDINT_H \
- && UINT_LEAST8_MAX <= INT_MAX)
-typedef uint_least8_t yytype_uint8;
-#elif !defined __UINT_LEAST8_MAX__ && UCHAR_MAX <= INT_MAX
-typedef unsigned char yytype_uint8;
-#else
-typedef short yytype_uint8;
-#endif
-
-#if defined __UINT_LEAST16_MAX__ && __UINT_LEAST16_MAX__ <= __INT_MAX__
-typedef __UINT_LEAST16_TYPE__ yytype_uint16;
-#elif (!defined __UINT_LEAST16_MAX__ && defined YY_STDINT_H \
- && UINT_LEAST16_MAX <= INT_MAX)
-typedef uint_least16_t yytype_uint16;
-#elif !defined __UINT_LEAST16_MAX__ && USHRT_MAX <= INT_MAX
-typedef unsigned short yytype_uint16;
-#else
-typedef int yytype_uint16;
-#endif
-
-#ifndef YYPTRDIFF_T
-# if defined __PTRDIFF_TYPE__ && defined __PTRDIFF_MAX__
-# define YYPTRDIFF_T __PTRDIFF_TYPE__
-# define YYPTRDIFF_MAXIMUM __PTRDIFF_MAX__
-# elif defined PTRDIFF_MAX
-# ifndef ptrdiff_t
-# include <stddef.h> /* INFRINGES ON USER NAME SPACE */
-# endif
-# define YYPTRDIFF_T ptrdiff_t
-# define YYPTRDIFF_MAXIMUM PTRDIFF_MAX
-# else
-# define YYPTRDIFF_T long
-# define YYPTRDIFF_MAXIMUM LONG_MAX
-# endif
-#endif
-
-#ifndef YYSIZE_T
-# ifdef __SIZE_TYPE__
-# define YYSIZE_T __SIZE_TYPE__
-# elif defined size_t
-# define YYSIZE_T size_t
-# elif defined __STDC_VERSION__ && 199901 <= __STDC_VERSION__
-# include <stddef.h> /* INFRINGES ON USER NAME SPACE */
-# define YYSIZE_T size_t
-# else
-# define YYSIZE_T unsigned
-# endif
-#endif
-
-#define YYSIZE_MAXIMUM \
- YY_CAST (YYPTRDIFF_T, \
- (YYPTRDIFF_MAXIMUM < YY_CAST (YYSIZE_T, -1) \
- ? YYPTRDIFF_MAXIMUM \
- : YY_CAST (YYSIZE_T, -1)))
-
-#define YYSIZEOF(X) YY_CAST (YYPTRDIFF_T, sizeof (X))
-
-
-/* Stored state numbers (used for stacks). */
-typedef yytype_int8 yy_state_t;
-
-/* State numbers in computations. */
-typedef int yy_state_fast_t;
-
-#ifndef YY_
-# if defined YYENABLE_NLS && YYENABLE_NLS
-# if ENABLE_NLS
-# include <libintl.h> /* INFRINGES ON USER NAME SPACE */
-# define YY_(Msgid) dgettext ("bison-runtime", Msgid)
-# endif
-# endif
-# ifndef YY_
-# define YY_(Msgid) Msgid
-# endif
-#endif
-
-
-#ifndef YY_ATTRIBUTE_PURE
-# if defined __GNUC__ && 2 < __GNUC__ + (96 <= __GNUC_MINOR__)
-# define YY_ATTRIBUTE_PURE __attribute__ ((__pure__))
-# else
-# define YY_ATTRIBUTE_PURE
-# endif
-#endif
-
-#ifndef YY_ATTRIBUTE_UNUSED
-# if defined __GNUC__ && 2 < __GNUC__ + (7 <= __GNUC_MINOR__)
-# define YY_ATTRIBUTE_UNUSED __attribute__ ((__unused__))
-# else
-# define YY_ATTRIBUTE_UNUSED
-# endif
-#endif
-
-/* Suppress unused-variable warnings by "using" E. */
-#if ! defined lint || defined __GNUC__
-# define YY_USE(E) ((void) (E))
-#else
-# define YY_USE(E) /* empty */
-#endif
-
-/* Suppress an incorrect diagnostic about yylval being uninitialized. */
-#if defined __GNUC__ && ! defined __ICC && 406 <= __GNUC__ * 100 + __GNUC_MINOR__
-# if __GNUC__ * 100 + __GNUC_MINOR__ < 407
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN \
- _Pragma ("GCC diagnostic push") \
- _Pragma ("GCC diagnostic ignored \"-Wuninitialized\"")
-# else
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN \
- _Pragma ("GCC diagnostic push") \
- _Pragma ("GCC diagnostic ignored \"-Wuninitialized\"") \
- _Pragma ("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
-# endif
-# define YY_IGNORE_MAYBE_UNINITIALIZED_END \
- _Pragma ("GCC diagnostic pop")
-#else
-# define YY_INITIAL_VALUE(Value) Value
-#endif
-#ifndef YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_END
-#endif
-#ifndef YY_INITIAL_VALUE
-# define YY_INITIAL_VALUE(Value) /* Nothing. */
-#endif
-
-#if defined __cplusplus && defined __GNUC__ && ! defined __ICC && 6 <= __GNUC__
-# define YY_IGNORE_USELESS_CAST_BEGIN \
- _Pragma ("GCC diagnostic push") \
- _Pragma ("GCC diagnostic ignored \"-Wuseless-cast\"")
-# define YY_IGNORE_USELESS_CAST_END \
- _Pragma ("GCC diagnostic pop")
-#endif
-#ifndef YY_IGNORE_USELESS_CAST_BEGIN
-# define YY_IGNORE_USELESS_CAST_BEGIN
-# define YY_IGNORE_USELESS_CAST_END
-#endif
-
-
-#define YY_ASSERT(E) ((void) (0 && (E)))
-
-#if !defined yyoverflow
-
-/* The parser invokes alloca or malloc; define the necessary symbols. */
-
-# ifdef YYSTACK_USE_ALLOCA
-# if YYSTACK_USE_ALLOCA
-# ifdef __GNUC__
-# define YYSTACK_ALLOC __builtin_alloca
-# elif defined __BUILTIN_VA_ARG_INCR
-# include <alloca.h> /* INFRINGES ON USER NAME SPACE */
-# elif defined _AIX
-# define YYSTACK_ALLOC __alloca
-# elif defined _MSC_VER
-# include <malloc.h> /* INFRINGES ON USER NAME SPACE */
-# define alloca _alloca
-# else
-# define YYSTACK_ALLOC alloca
-# if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS
-# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
- /* Use EXIT_SUCCESS as a witness for stdlib.h. */
-# ifndef EXIT_SUCCESS
-# define EXIT_SUCCESS 0
-# endif
-# endif
-# endif
-# endif
-# endif
-
-# ifdef YYSTACK_ALLOC
- /* Pacify GCC's 'empty if-body' warning. */
-# define YYSTACK_FREE(Ptr) do { /* empty */; } while (0)
-# ifndef YYSTACK_ALLOC_MAXIMUM
- /* The OS might guarantee only one guard page at the bottom of the stack,
- and a page size can be as small as 4096 bytes. So we cannot safely
- invoke alloca (N) if N exceeds 4096. Use a slightly smaller number
- to allow for a few compiler-allocated temporary stack slots. */
-# define YYSTACK_ALLOC_MAXIMUM 4032 /* reasonable circa 2006 */
-# endif
-# else
-# define YYSTACK_ALLOC YYMALLOC
-# define YYSTACK_FREE YYFREE
-# ifndef YYSTACK_ALLOC_MAXIMUM
-# define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
-# endif
-# if (defined __cplusplus && ! defined EXIT_SUCCESS \
- && ! ((defined YYMALLOC || defined malloc) \
- && (defined YYFREE || defined free)))
-# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-# ifndef EXIT_SUCCESS
-# define EXIT_SUCCESS 0
-# endif
-# endif
-# ifndef YYMALLOC
-# define YYMALLOC malloc
-# if ! defined malloc && ! defined EXIT_SUCCESS
-void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
-# endif
-# endif
-# ifndef YYFREE
-# define YYFREE free
-# if ! defined free && ! defined EXIT_SUCCESS
-void free (void *); /* INFRINGES ON USER NAME SPACE */
-# endif
-# endif
-# endif
-#endif /* !defined yyoverflow */
-
-#if (! defined yyoverflow \
- && (! defined __cplusplus \
- || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
-
-/* A type that is properly aligned for any stack member. */
-union yyalloc
-{
- yy_state_t yyss_alloc;
- YYSTYPE yyvs_alloc;
-};
-
-/* The size of the maximum gap between one aligned stack and the next. */
-# define YYSTACK_GAP_MAXIMUM (YYSIZEOF (union yyalloc) - 1)
-
-/* The size of an array large to enough to hold all stacks, each with
- N elements. */
-# define YYSTACK_BYTES(N) \
- ((N) * (YYSIZEOF (yy_state_t) + YYSIZEOF (YYSTYPE)) \
- + YYSTACK_GAP_MAXIMUM)
-
-# define YYCOPY_NEEDED 1
-
-/* Relocate STACK from its old location to the new one. The
- local variables YYSIZE and YYSTACKSIZE give the old and new number of
- elements in the stack, and YYPTR gives the new location of the
- stack. Advance YYPTR to a properly aligned location for the next
- stack. */
-# define YYSTACK_RELOCATE(Stack_alloc, Stack) \
- do \
- { \
- YYPTRDIFF_T yynewbytes; \
- YYCOPY (&yyptr->Stack_alloc, Stack, yysize); \
- Stack = &yyptr->Stack_alloc; \
- yynewbytes = yystacksize * YYSIZEOF (*Stack) + YYSTACK_GAP_MAXIMUM; \
- yyptr += yynewbytes / YYSIZEOF (*yyptr); \
- } \
- while (0)
-
-#endif
-
-#if defined YYCOPY_NEEDED && YYCOPY_NEEDED
-/* Copy COUNT objects from SRC to DST. The source and destination do
- not overlap. */
-# ifndef YYCOPY
-# if defined __GNUC__ && 1 < __GNUC__
-# define YYCOPY(Dst, Src, Count) \
- __builtin_memcpy (Dst, Src, YY_CAST (YYSIZE_T, (Count)) * sizeof (*(Src)))
-# else
-# define YYCOPY(Dst, Src, Count) \
- do \
- { \
- YYPTRDIFF_T yyi; \
- for (yyi = 0; yyi < (Count); yyi++) \
- (Dst)[yyi] = (Src)[yyi]; \
- } \
- while (0)
-# endif
-# endif
-#endif /* !YYCOPY_NEEDED */
-
-/* YYFINAL -- State number of the termination state. */
-#define YYFINAL 21
-/* YYLAST -- Last index in YYTABLE. */
-#define YYLAST 50
-
-/* YYNTOKENS -- Number of terminals. */
-#define YYNTOKENS 21
-/* YYNNTS -- Number of nonterminals. */
-#define YYNNTS 11
-/* YYNRULES -- Number of rules. */
-#define YYNRULES 26
-/* YYNSTATES -- Number of states. */
-#define YYNSTATES 50
-
-/* YYMAXUTOK -- Last valid token kind. */
-#define YYMAXUTOK 266
-
-
-/* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM
- as returned by yylex, with out-of-bounds checking. */
-#define YYTRANSLATE(YYX) \
- (0 <= (YYX) && (YYX) <= YYMAXUTOK \
- ? YY_CAST (yysymbol_kind_t, yytranslate[YYX]) \
- : YYSYMBOL_YYUNDEF)
-
-/* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM
- as returned by yylex. */
-static const yytype_int8 yytranslate[] =
-{
- 0, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 12, 2, 2, 2, 17, 2, 2,
- 13, 14, 2, 2, 15, 2, 20, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 16, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 18, 2, 19, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 1, 2, 3, 4,
- 5, 6, 7, 8, 9, 10, 11
-};
-
-#if YYDEBUG
-/* YYRLINE[YYN] -- Source line where rule number YYN was defined. */
-static const yytype_int8 yyrline[] =
-{
- 0, 85, 85, 87, 88, 89, 90, 91, 92, 93,
- 96, 97, 100, 101, 102, 103, 104, 107, 108, 109,
- 110, 113, 114, 116, 119, 122, 124
-};
-#endif
-
-/** Accessing symbol of state STATE. */
-#define YY_ACCESSING_SYMBOL(State) YY_CAST (yysymbol_kind_t, yystos[State])
-
-#if YYDEBUG || 0
-/* The user-facing name of the symbol whose (internal) number is
- YYSYMBOL. No bounds checking. */
-static const char *yysymbol_name (yysymbol_kind_t yysymbol) YY_ATTRIBUTE_UNUSED;
-
-/* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM.
- First, the terminals, then, starting at YYNTOKENS, nonterminals. */
-static const char *const yytname[] =
-{
- "\"end of file\"", "error", "\"invalid token\"", "kw_TRUE", "kw_FALSE",
- "kw_AND", "kw_OR", "kw_IN", "kw_TAILMATCH", "NUMBER", "STRING",
- "IDENTIFIER", "'!'", "'('", "')'", "','", "'='", "'%'", "'{'", "'}'",
- "'.'", "$accept", "start", "expr", "words", "comp", "word", "number",
- "string", "function", "variable", "variables", YY_NULLPTR
-};
-
-static const char *
-yysymbol_name (yysymbol_kind_t yysymbol)
-{
- return yytname[yysymbol];
-}
-#endif
-
-#define YYPACT_NINF (-31)
-
-#define yypact_value_is_default(Yyn) \
- ((Yyn) == YYPACT_NINF)
-
-#define YYTABLE_NINF (-1)
-
-#define yytable_value_is_error(Yyn) \
- 0
-
-/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
- STATE-NUM. */
-static const yytype_int8 yypact[] =
-{
- 22, -31, -31, -31, -31, -1, 22, 22, -11, 27,
- 11, -31, -6, -31, -31, -31, -31, 19, 11, 9,
- 26, -31, 22, 22, -4, 19, 24, 25, 28, 23,
- -31, 29, 31, 11, 11, 19, -31, -31, 19, 19,
- -31, 19, 26, -31, 30, -31, -31, -31, -31, -31
-};
-
-/* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM.
- Performed when YYTABLE does not specify something else to do. Zero
- means the default is an error. */
-static const yytype_int8 yydefact[] =
-{
- 0, 3, 4, 21, 22, 0, 0, 0, 0, 0,
- 2, 9, 0, 17, 18, 19, 20, 0, 5, 0,
- 0, 1, 0, 0, 0, 0, 0, 0, 0, 10,
- 8, 26, 0, 6, 7, 0, 16, 14, 0, 0,
- 23, 0, 0, 24, 0, 13, 12, 11, 25, 15
-};
-
-/* YYPGOTO[NTERM-NUM]. */
-static const yytype_int8 yypgoto[] =
-{
- -31, -31, -3, -30, -31, -17, -31, -31, -31, 21,
- 1
-};
-
-/* YYDEFGOTO[NTERM-NUM]. */
-static const yytype_int8 yydefgoto[] =
-{
- 0, 9, 10, 28, 11, 12, 13, 14, 15, 16,
- 32
-};
-
-/* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM. If
- positive, shift that token. If negative, reduce the rule whose
- number is the opposite. If YYTABLE_NINF, syntax error. */
-static const yytype_int8 yytable[] =
-{
- 29, 24, 25, 18, 19, 44, 26, 20, 37, 35,
- 27, 47, 17, 8, 22, 23, 22, 23, 29, 33,
- 34, 45, 46, 30, 29, 1, 2, 21, 3, 4,
- 5, 3, 4, 5, 6, 7, 8, 31, 41, 8,
- 38, 39, 40, 48, 49, 36, 0, 0, 0, 42,
- 43
-};
-
-static const yytype_int8 yycheck[] =
-{
- 17, 7, 8, 6, 7, 35, 12, 18, 25, 13,
- 16, 41, 13, 17, 5, 6, 5, 6, 35, 22,
- 23, 38, 39, 14, 41, 3, 4, 0, 9, 10,
- 11, 9, 10, 11, 12, 13, 17, 11, 15, 17,
- 16, 16, 14, 42, 14, 24, -1, -1, -1, 20,
- 19
-};
-
-/* YYSTOS[STATE-NUM] -- The symbol kind of the accessing symbol of
- state STATE-NUM. */
-static const yytype_int8 yystos[] =
-{
- 0, 3, 4, 9, 10, 11, 12, 13, 17, 22,
- 23, 25, 26, 27, 28, 29, 30, 13, 23, 23,
- 18, 0, 5, 6, 7, 8, 12, 16, 24, 26,
- 14, 11, 31, 23, 23, 13, 30, 26, 16, 16,
- 14, 15, 20, 19, 24, 26, 26, 24, 31, 14
-};
-
-/* YYR1[RULE-NUM] -- Symbol kind of the left-hand side of rule RULE-NUM. */
-static const yytype_int8 yyr1[] =
-{
- 0, 21, 22, 23, 23, 23, 23, 23, 23, 23,
- 24, 24, 25, 25, 25, 25, 25, 26, 26, 26,
- 26, 27, 28, 29, 30, 31, 31
-};
-
-/* YYR2[RULE-NUM] -- Number of symbols on the right-hand side of rule RULE-NUM. */
-static const yytype_int8 yyr2[] =
-{
- 0, 2, 1, 1, 1, 2, 3, 3, 3, 1,
- 1, 3, 4, 4, 3, 5, 3, 1, 1, 1,
- 1, 1, 1, 4, 4, 3, 1
-};
-
-
-enum { YYENOMEM = -2 };
-
-#define yyerrok (yyerrstatus = 0)
-#define yyclearin (yychar = YYEMPTY)
-
-#define YYACCEPT goto yyacceptlab
-#define YYABORT goto yyabortlab
-#define YYERROR goto yyerrorlab
-#define YYNOMEM goto yyexhaustedlab
-
-
-#define YYRECOVERING() (!!yyerrstatus)
-
-#define YYBACKUP(Token, Value) \
- do \
- if (yychar == YYEMPTY) \
- { \
- yychar = (Token); \
- yylval = (Value); \
- YYPOPSTACK (yylen); \
- yystate = *yyssp; \
- goto yybackup; \
- } \
- else \
- { \
- yyerror (YY_("syntax error: cannot back up")); \
- YYERROR; \
- } \
- while (0)
-
-/* Backward compatibility with an undocumented macro.
- Use YYerror or YYUNDEF. */
-#define YYERRCODE YYUNDEF
-
-
-/* Enable debugging if requested. */
-#if YYDEBUG
-
-# ifndef YYFPRINTF
-# include <stdio.h> /* INFRINGES ON USER NAME SPACE */
-# define YYFPRINTF fprintf
-# endif
-
-# define YYDPRINTF(Args) \
-do { \
- if (yydebug) \
- YYFPRINTF Args; \
-} while (0)
-
-
-
-
-# define YY_SYMBOL_PRINT(Title, Kind, Value, Location) \
-do { \
- if (yydebug) \
- { \
- YYFPRINTF (stderr, "%s ", Title); \
- yy_symbol_print (stderr, \
- Kind, Value); \
- YYFPRINTF (stderr, "\n"); \
- } \
-} while (0)
-
-
-/*-----------------------------------.
-| Print this symbol's value on YYO. |
-`-----------------------------------*/
-
-static void
-yy_symbol_value_print (FILE *yyo,
- yysymbol_kind_t yykind, YYSTYPE const * const yyvaluep)
-{
- FILE *yyoutput = yyo;
- YY_USE (yyoutput);
- if (!yyvaluep)
- return;
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- YY_USE (yykind);
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-}
-
-
-/*---------------------------.
-| Print this symbol on YYO. |
-`---------------------------*/
-
-static void
-yy_symbol_print (FILE *yyo,
- yysymbol_kind_t yykind, YYSTYPE const * const yyvaluep)
-{
- YYFPRINTF (yyo, "%s %s (",
- yykind < YYNTOKENS ? "token" : "nterm", yysymbol_name (yykind));
-
- yy_symbol_value_print (yyo, yykind, yyvaluep);
- YYFPRINTF (yyo, ")");
-}
-
-/*------------------------------------------------------------------.
-| yy_stack_print -- Print the state stack from its BOTTOM up to its |
-| TOP (included). |
-`------------------------------------------------------------------*/
-
-static void
-yy_stack_print (yy_state_t *yybottom, yy_state_t *yytop)
-{
- YYFPRINTF (stderr, "Stack now");
- for (; yybottom <= yytop; yybottom++)
- {
- int yybot = *yybottom;
- YYFPRINTF (stderr, " %d", yybot);
- }
- YYFPRINTF (stderr, "\n");
-}
-
-# define YY_STACK_PRINT(Bottom, Top) \
-do { \
- if (yydebug) \
- yy_stack_print ((Bottom), (Top)); \
-} while (0)
-
-
-/*------------------------------------------------.
-| Report that the YYRULE is going to be reduced. |
-`------------------------------------------------*/
-
-static void
-yy_reduce_print (yy_state_t *yyssp, YYSTYPE *yyvsp,
- int yyrule)
-{
- int yylno = yyrline[yyrule];
- int yynrhs = yyr2[yyrule];
- int yyi;
- YYFPRINTF (stderr, "Reducing stack by rule %d (line %d):\n",
- yyrule - 1, yylno);
- /* The symbols being reduced. */
- for (yyi = 0; yyi < yynrhs; yyi++)
- {
- YYFPRINTF (stderr, " $%d = ", yyi + 1);
- yy_symbol_print (stderr,
- YY_ACCESSING_SYMBOL (+yyssp[yyi + 1 - yynrhs]),
- &yyvsp[(yyi + 1) - (yynrhs)]);
- YYFPRINTF (stderr, "\n");
- }
-}
-
-# define YY_REDUCE_PRINT(Rule) \
-do { \
- if (yydebug) \
- yy_reduce_print (yyssp, yyvsp, Rule); \
-} while (0)
-
-/* Nonzero means print parse trace. It is left uninitialized so that
- multiple parsers can coexist. */
-int yydebug;
-#else /* !YYDEBUG */
-# define YYDPRINTF(Args) ((void) 0)
-# define YY_SYMBOL_PRINT(Title, Kind, Value, Location)
-# define YY_STACK_PRINT(Bottom, Top)
-# define YY_REDUCE_PRINT(Rule)
-#endif /* !YYDEBUG */
-
-
-/* YYINITDEPTH -- initial size of the parser's stacks. */
-#ifndef YYINITDEPTH
-# define YYINITDEPTH 200
-#endif
-
-/* YYMAXDEPTH -- maximum size the stacks can grow to (effective only
- if the built-in stack extension method is used).
-
- Do not make this value too large; the results are undefined if
- YYSTACK_ALLOC_MAXIMUM < YYSTACK_BYTES (YYMAXDEPTH)
- evaluated with infinite-precision integer arithmetic. */
-
-#ifndef YYMAXDEPTH
-# define YYMAXDEPTH 10000
-#endif
-
-
-
-
-
-
-/*-----------------------------------------------.
-| Release the memory associated to this symbol. |
-`-----------------------------------------------*/
-
-static void
-yydestruct (const char *yymsg,
- yysymbol_kind_t yykind, YYSTYPE *yyvaluep)
-{
- YY_USE (yyvaluep);
- if (!yymsg)
- yymsg = "Deleting";
- YY_SYMBOL_PRINT (yymsg, yykind, yyvaluep, yylocationp);
-
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- YY_USE (yykind);
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-}
-
-
-/* Lookahead token kind. */
-int yychar;
-
-/* The semantic value of the lookahead symbol. */
-YYSTYPE yylval;
-/* Number of syntax errors so far. */
-int yynerrs;
-
-
-
-
-/*----------.
-| yyparse. |
-`----------*/
-
-int
-yyparse (void)
-{
- yy_state_fast_t yystate = 0;
- /* Number of tokens to shift before error messages enabled. */
- int yyerrstatus = 0;
-
- /* Refer to the stacks through separate pointers, to allow yyoverflow
- to reallocate them elsewhere. */
-
- /* Their size. */
- YYPTRDIFF_T yystacksize = YYINITDEPTH;
-
- /* The state stack: array, bottom, top. */
- yy_state_t yyssa[YYINITDEPTH];
- yy_state_t *yyss = yyssa;
- yy_state_t *yyssp = yyss;
-
- /* The semantic value stack: array, bottom, top. */
- YYSTYPE yyvsa[YYINITDEPTH];
- YYSTYPE *yyvs = yyvsa;
- YYSTYPE *yyvsp = yyvs;
-
- int yyn;
- /* The return value of yyparse. */
- int yyresult;
- /* Lookahead symbol kind. */
- yysymbol_kind_t yytoken = YYSYMBOL_YYEMPTY;
- /* The variables used to return semantic value and location from the
- action routines. */
- YYSTYPE yyval;
-
-
-
-#define YYPOPSTACK(N) (yyvsp -= (N), yyssp -= (N))
-
- /* The number of symbols on the RHS of the reduced rule.
- Keep to zero when no symbol should be popped. */
- int yylen = 0;
-
- YYDPRINTF ((stderr, "Starting parse\n"));
-
- yychar = YYEMPTY; /* Cause a token to be read. */
-
- goto yysetstate;
-
-
-/*------------------------------------------------------------.
-| yynewstate -- push a new state, which is found in yystate. |
-`------------------------------------------------------------*/
-yynewstate:
- /* In all cases, when you get here, the value and location stacks
- have just been pushed. So pushing a state here evens the stacks. */
- yyssp++;
-
-
-/*--------------------------------------------------------------------.
-| yysetstate -- set current state (the top of the stack) to yystate. |
-`--------------------------------------------------------------------*/
-yysetstate:
- YYDPRINTF ((stderr, "Entering state %d\n", yystate));
- YY_ASSERT (0 <= yystate && yystate < YYNSTATES);
- YY_IGNORE_USELESS_CAST_BEGIN
- *yyssp = YY_CAST (yy_state_t, yystate);
- YY_IGNORE_USELESS_CAST_END
- YY_STACK_PRINT (yyss, yyssp);
-
- if (yyss + yystacksize - 1 <= yyssp)
-#if !defined yyoverflow && !defined YYSTACK_RELOCATE
- YYNOMEM;
-#else
- {
- /* Get the current used size of the three stacks, in elements. */
- YYPTRDIFF_T yysize = yyssp - yyss + 1;
-
-# if defined yyoverflow
- {
- /* Give user a chance to reallocate the stack. Use copies of
- these so that the &'s don't force the real ones into
- memory. */
- yy_state_t *yyss1 = yyss;
- YYSTYPE *yyvs1 = yyvs;
-
- /* Each stack pointer address is followed by the size of the
- data in use in that stack, in bytes. This used to be a
- conditional around just the two extra args, but that might
- be undefined if yyoverflow is a macro. */
- yyoverflow (YY_("memory exhausted"),
- &yyss1, yysize * YYSIZEOF (*yyssp),
- &yyvs1, yysize * YYSIZEOF (*yyvsp),
- &yystacksize);
- yyss = yyss1;
- yyvs = yyvs1;
- }
-# else /* defined YYSTACK_RELOCATE */
- /* Extend the stack our own way. */
- if (YYMAXDEPTH <= yystacksize)
- YYNOMEM;
- yystacksize *= 2;
- if (YYMAXDEPTH < yystacksize)
- yystacksize = YYMAXDEPTH;
-
- {
- yy_state_t *yyss1 = yyss;
- union yyalloc *yyptr =
- YY_CAST (union yyalloc *,
- YYSTACK_ALLOC (YY_CAST (YYSIZE_T, YYSTACK_BYTES (yystacksize))));
- if (! yyptr)
- YYNOMEM;
- YYSTACK_RELOCATE (yyss_alloc, yyss);
- YYSTACK_RELOCATE (yyvs_alloc, yyvs);
-# undef YYSTACK_RELOCATE
- if (yyss1 != yyssa)
- YYSTACK_FREE (yyss1);
- }
-# endif
-
- yyssp = yyss + yysize - 1;
- yyvsp = yyvs + yysize - 1;
-
- YY_IGNORE_USELESS_CAST_BEGIN
- YYDPRINTF ((stderr, "Stack size increased to %ld\n",
- YY_CAST (long, yystacksize)));
- YY_IGNORE_USELESS_CAST_END
-
- if (yyss + yystacksize - 1 <= yyssp)
- YYABORT;
- }
-#endif /* !defined yyoverflow && !defined YYSTACK_RELOCATE */
-
-
- if (yystate == YYFINAL)
- YYACCEPT;
-
- goto yybackup;
-
-
-/*-----------.
-| yybackup. |
-`-----------*/
-yybackup:
- /* Do appropriate processing given the current state. Read a
- lookahead token if we need one and don't already have one. */
-
- /* First try to decide what to do without reference to lookahead token. */
- yyn = yypact[yystate];
- if (yypact_value_is_default (yyn))
- goto yydefault;
-
- /* Not known => get a lookahead token if don't already have one. */
-
- /* YYCHAR is either empty, or end-of-input, or a valid lookahead. */
- if (yychar == YYEMPTY)
- {
- YYDPRINTF ((stderr, "Reading a token\n"));
- yychar = yylex ();
- }
-
- if (yychar <= YYEOF)
- {
- yychar = YYEOF;
- yytoken = YYSYMBOL_YYEOF;
- YYDPRINTF ((stderr, "Now at end of input.\n"));
- }
- else if (yychar == YYerror)
- {
- /* The scanner already issued an error message, process directly
- to error recovery. But do not keep the error token as
- lookahead, it is too special and may lead us to an endless
- loop in error recovery. */
- yychar = YYUNDEF;
- yytoken = YYSYMBOL_YYerror;
- goto yyerrlab1;
- }
- else
- {
- yytoken = YYTRANSLATE (yychar);
- YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
- }
-
- /* If the proper action on seeing token YYTOKEN is to reduce or to
- detect an error, take that action. */
- yyn += yytoken;
- if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
- goto yydefault;
- yyn = yytable[yyn];
- if (yyn <= 0)
- {
- if (yytable_value_is_error (yyn))
- goto yyerrlab;
- yyn = -yyn;
- goto yyreduce;
- }
-
- /* Count tokens shifted since error; after three, turn off error
- status. */
- if (yyerrstatus)
- yyerrstatus--;
-
- /* Shift the lookahead token. */
- YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
- yystate = yyn;
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- *++yyvsp = yylval;
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-
- /* Discard the shifted token. */
- yychar = YYEMPTY;
- goto yynewstate;
-
-
-/*-----------------------------------------------------------.
-| yydefault -- do the default action for the current state. |
-`-----------------------------------------------------------*/
-yydefault:
- yyn = yydefact[yystate];
- if (yyn == 0)
- goto yyerrlab;
- goto yyreduce;
-
-
-/*-----------------------------.
-| yyreduce -- do a reduction. |
-`-----------------------------*/
-yyreduce:
- /* yyn is the number of a rule to reduce with. */
- yylen = yyr2[yyn];
-
- /* If YYLEN is nonzero, implement the default value of the action:
- '$$ = $1'.
-
- Otherwise, the following line sets YYVAL to garbage.
- This behavior is undocumented and Bison
- users should not rely upon it. Assigning to YYVAL
- unconditionally makes the parser a bit smaller, and it avoids a
- GCC warning that YYVAL may be used uninitialized. */
- yyval = yyvsp[1-yylen];
-
-
- YY_REDUCE_PRINT (yyn);
- switch (yyn)
- {
- case 2: /* start: expr */
-#line 85 "sel-gram.y"
- { _hx509_expr_input.expr = (yyvsp[0].expr); }
-#line 1204 "sel-gram.c"
- break;
-
- case 3: /* expr: kw_TRUE */
-#line 87 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_TRUE, NULL, NULL); }
-#line 1210 "sel-gram.c"
- break;
-
- case 4: /* expr: kw_FALSE */
-#line 88 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_FALSE, NULL, NULL); }
-#line 1216 "sel-gram.c"
- break;
-
- case 5: /* expr: '!' expr */
-#line 89 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_NOT, (yyvsp[0].expr), NULL); }
-#line 1222 "sel-gram.c"
- break;
-
- case 6: /* expr: expr kw_AND expr */
-#line 90 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_AND, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1228 "sel-gram.c"
- break;
-
- case 7: /* expr: expr kw_OR expr */
-#line 91 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_OR, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1234 "sel-gram.c"
- break;
-
- case 8: /* expr: '(' expr ')' */
-#line 92 "sel-gram.y"
- { (yyval.expr) = (yyvsp[-1].expr); }
-#line 1240 "sel-gram.c"
- break;
-
- case 9: /* expr: comp */
-#line 93 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(op_COMP, (yyvsp[0].expr), NULL); }
-#line 1246 "sel-gram.c"
- break;
-
- case 10: /* words: word */
-#line 96 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[0].expr), NULL); }
-#line 1252 "sel-gram.c"
- break;
-
- case 11: /* words: word ',' words */
-#line 97 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1258 "sel-gram.c"
- break;
-
- case 12: /* comp: word '=' '=' word */
-#line 100 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_EQ, (yyvsp[-3].expr), (yyvsp[0].expr)); }
-#line 1264 "sel-gram.c"
- break;
-
- case 13: /* comp: word '!' '=' word */
-#line 101 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_NE, (yyvsp[-3].expr), (yyvsp[0].expr)); }
-#line 1270 "sel-gram.c"
- break;
-
- case 14: /* comp: word kw_TAILMATCH word */
-#line 102 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_TAILEQ, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1276 "sel-gram.c"
- break;
-
- case 15: /* comp: word kw_IN '(' words ')' */
-#line 103 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[-4].expr), (yyvsp[-1].expr)); }
-#line 1282 "sel-gram.c"
- break;
-
- case 16: /* comp: word kw_IN variable */
-#line 104 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[-2].expr), (yyvsp[0].expr)); }
-#line 1288 "sel-gram.c"
- break;
-
- case 17: /* word: number */
-#line 107 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1294 "sel-gram.c"
- break;
-
- case 18: /* word: string */
-#line 108 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1300 "sel-gram.c"
- break;
-
- case 19: /* word: function */
-#line 109 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1306 "sel-gram.c"
- break;
-
- case 20: /* word: variable */
-#line 110 "sel-gram.y"
- { (yyval.expr) = (yyvsp[0].expr); }
-#line 1312 "sel-gram.c"
- break;
-
- case 21: /* number: NUMBER */
-#line 113 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_NUMBER, (yyvsp[0].string), NULL); }
-#line 1318 "sel-gram.c"
- break;
-
- case 22: /* string: STRING */
-#line 114 "sel-gram.y"
- { (yyval.expr) = _hx509_make_expr(expr_STRING, (yyvsp[0].string), NULL); }
-#line 1324 "sel-gram.c"
- break;
-
- case 23: /* function: IDENTIFIER '(' words ')' */
-#line 116 "sel-gram.y"
- {
- (yyval.expr) = _hx509_make_expr(expr_FUNCTION, (yyvsp[-3].string), (yyvsp[-1].expr)); }
-#line 1331 "sel-gram.c"
- break;
-
- case 24: /* variable: '%' '{' variables '}' */
-#line 119 "sel-gram.y"
- { (yyval.expr) = (yyvsp[-1].expr); }
-#line 1337 "sel-gram.c"
- break;
-
- case 25: /* variables: IDENTIFIER '.' variables */
-#line 122 "sel-gram.y"
- {
- (yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[-2].string), (yyvsp[0].expr)); }
-#line 1344 "sel-gram.c"
- break;
-
- case 26: /* variables: IDENTIFIER */
-#line 124 "sel-gram.y"
- {
- (yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[0].string), NULL); }
-#line 1351 "sel-gram.c"
- break;
-
-
-#line 1355 "sel-gram.c"
-
- default: break;
- }
- /* User semantic actions sometimes alter yychar, and that requires
- that yytoken be updated with the new translation. We take the
- approach of translating immediately before every use of yytoken.
- One alternative is translating here after every semantic action,
- but that translation would be missed if the semantic action invokes
- YYABORT, YYACCEPT, or YYERROR immediately after altering yychar or
- if it invokes YYBACKUP. In the case of YYABORT or YYACCEPT, an
- incorrect destructor might then be invoked immediately. In the
- case of YYERROR or YYBACKUP, subsequent parser actions might lead
- to an incorrect destructor call or verbose syntax error message
- before the lookahead is translated. */
- YY_SYMBOL_PRINT ("-> $$ =", YY_CAST (yysymbol_kind_t, yyr1[yyn]), &yyval, &yyloc);
-
- YYPOPSTACK (yylen);
- yylen = 0;
-
- *++yyvsp = yyval;
-
- /* Now 'shift' the result of the reduction. Determine what state
- that goes to, based on the state we popped back to and the rule
- number reduced by. */
- {
- const int yylhs = yyr1[yyn] - YYNTOKENS;
- const int yyi = yypgoto[yylhs] + *yyssp;
- yystate = (0 <= yyi && yyi <= YYLAST && yycheck[yyi] == *yyssp
- ? yytable[yyi]
- : yydefgoto[yylhs]);
- }
-
- goto yynewstate;
-
-
-/*--------------------------------------.
-| yyerrlab -- here on detecting error. |
-`--------------------------------------*/
-yyerrlab:
- /* Make sure we have latest lookahead translation. See comments at
- user semantic actions for why this is necessary. */
- yytoken = yychar == YYEMPTY ? YYSYMBOL_YYEMPTY : YYTRANSLATE (yychar);
- /* If not already recovering from an error, report this error. */
- if (!yyerrstatus)
- {
- ++yynerrs;
- yyerror (YY_("syntax error"));
- }
-
- if (yyerrstatus == 3)
- {
- /* If just tried and failed to reuse lookahead token after an
- error, discard it. */
-
- if (yychar <= YYEOF)
- {
- /* Return failure if at end of input. */
- if (yychar == YYEOF)
- YYABORT;
- }
- else
- {
- yydestruct ("Error: discarding",
- yytoken, &yylval);
- yychar = YYEMPTY;
- }
- }
-
- /* Else will try to reuse lookahead token after shifting the error
- token. */
- goto yyerrlab1;
-
-
-/*---------------------------------------------------.
-| yyerrorlab -- error raised explicitly by YYERROR. |
-`---------------------------------------------------*/
-yyerrorlab:
- /* Pacify compilers when the user code never invokes YYERROR and the
- label yyerrorlab therefore never appears in user code. */
- if (0)
- YYERROR;
- ++yynerrs;
-
- /* Do not reclaim the symbols of the rule whose action triggered
- this YYERROR. */
- YYPOPSTACK (yylen);
- yylen = 0;
- YY_STACK_PRINT (yyss, yyssp);
- yystate = *yyssp;
- goto yyerrlab1;
-
-
-/*-------------------------------------------------------------.
-| yyerrlab1 -- common code for both syntax error and YYERROR. |
-`-------------------------------------------------------------*/
-yyerrlab1:
- yyerrstatus = 3; /* Each real token shifted decrements this. */
-
- /* Pop stack until we find a state that shifts the error token. */
- for (;;)
- {
- yyn = yypact[yystate];
- if (!yypact_value_is_default (yyn))
- {
- yyn += YYSYMBOL_YYerror;
- if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYSYMBOL_YYerror)
- {
- yyn = yytable[yyn];
- if (0 < yyn)
- break;
- }
- }
-
- /* Pop the current state because it cannot handle the error token. */
- if (yyssp == yyss)
- YYABORT;
-
-
- yydestruct ("Error: popping",
- YY_ACCESSING_SYMBOL (yystate), yyvsp);
- YYPOPSTACK (1);
- yystate = *yyssp;
- YY_STACK_PRINT (yyss, yyssp);
- }
-
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- *++yyvsp = yylval;
- YY_IGNORE_MAYBE_UNINITIALIZED_END
-
-
- /* Shift the error token. */
- YY_SYMBOL_PRINT ("Shifting", YY_ACCESSING_SYMBOL (yyn), yyvsp, yylsp);
-
- yystate = yyn;
- goto yynewstate;
-
-
-/*-------------------------------------.
-| yyacceptlab -- YYACCEPT comes here. |
-`-------------------------------------*/
-yyacceptlab:
- yyresult = 0;
- goto yyreturnlab;
-
-
-/*-----------------------------------.
-| yyabortlab -- YYABORT comes here. |
-`-----------------------------------*/
-yyabortlab:
- yyresult = 1;
- goto yyreturnlab;
-
-
-/*-----------------------------------------------------------.
-| yyexhaustedlab -- YYNOMEM (memory exhaustion) comes here. |
-`-----------------------------------------------------------*/
-yyexhaustedlab:
- yyerror (YY_("memory exhausted"));
- yyresult = 2;
- goto yyreturnlab;
-
-
-/*----------------------------------------------------------.
-| yyreturnlab -- parsing is finished, clean up and return. |
-`----------------------------------------------------------*/
-yyreturnlab:
- if (yychar != YYEMPTY)
- {
- /* Make sure we have latest lookahead translation. See comments at
- user semantic actions for why this is necessary. */
- yytoken = YYTRANSLATE (yychar);
- yydestruct ("Cleanup: discarding lookahead",
- yytoken, &yylval);
- }
- /* Do not reclaim the symbols of the rule whose action triggered
- this YYABORT or YYACCEPT. */
- YYPOPSTACK (yylen);
- YY_STACK_PRINT (yyss, yyssp);
- while (yyssp != yyss)
- {
- yydestruct ("Cleanup: popping",
- YY_ACCESSING_SYMBOL (+*yyssp), yyvsp);
- YYPOPSTACK (1);
- }
-#ifndef yyoverflow
- if (yyss != yyssa)
- YYSTACK_FREE (yyss);
-#endif
-
- return yyresult;
-}
-
diff --git a/lib/hx509/sel-gram.h b/lib/hx509/sel-gram.h
deleted file mode 100644
index 04880d2492ff..000000000000
--- a/lib/hx509/sel-gram.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/* A Bison parser, made by GNU Bison 3.8.2. */
-
-/* Bison interface for Yacc-like parsers in C
-
- Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
- Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <https://www.gnu.org/licenses/>. */
-
-/* As a special exception, you may create a larger work that contains
- part or all of the Bison parser skeleton and distribute that work
- under terms of your choice, so long as that work isn't itself a
- parser generator using the skeleton or a modified version thereof
- as a parser skeleton. Alternatively, if you modify or redistribute
- the parser skeleton itself, you may (at your option) remove this
- special exception, which will cause the skeleton and the resulting
- Bison output files to be licensed under the GNU General Public
- License without this special exception.
-
- This special exception was added by the Free Software Foundation in
- version 2.2 of Bison. */
-
-/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
- especially those whose name start with YY_ or yy_. They are
- private implementation details that can be changed or removed. */
-
-#ifndef YY_YY_SEL_GRAM_H_INCLUDED
-# define YY_YY_SEL_GRAM_H_INCLUDED
-/* Debug traces. */
-#ifndef YYDEBUG
-# define YYDEBUG 0
-#endif
-#if YYDEBUG
-extern int yydebug;
-#endif
-
-/* Token kinds. */
-#ifndef YYTOKENTYPE
-# define YYTOKENTYPE
- enum yytokentype
- {
- YYEMPTY = -2,
- YYEOF = 0, /* "end of file" */
- YYerror = 256, /* error */
- YYUNDEF = 257, /* "invalid token" */
- kw_TRUE = 258, /* kw_TRUE */
- kw_FALSE = 259, /* kw_FALSE */
- kw_AND = 260, /* kw_AND */
- kw_OR = 261, /* kw_OR */
- kw_IN = 262, /* kw_IN */
- kw_TAILMATCH = 263, /* kw_TAILMATCH */
- NUMBER = 264, /* NUMBER */
- STRING = 265, /* STRING */
- IDENTIFIER = 266 /* IDENTIFIER */
- };
- typedef enum yytokentype yytoken_kind_t;
-#endif
-/* Token kinds. */
-#define YYEMPTY -2
-#define YYEOF 0
-#define YYerror 256
-#define YYUNDEF 257
-#define kw_TRUE 258
-#define kw_FALSE 259
-#define kw_AND 260
-#define kw_OR 261
-#define kw_IN 262
-#define kw_TAILMATCH 263
-#define NUMBER 264
-#define STRING 265
-#define IDENTIFIER 266
-
-/* Value type. */
-#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-union YYSTYPE
-{
-#line 57 "sel-gram.y"
-
- char *string;
- struct hx_expr *expr;
-
-#line 94 "sel-gram.h"
-
-};
-typedef union YYSTYPE YYSTYPE;
-# define YYSTYPE_IS_TRIVIAL 1
-# define YYSTYPE_IS_DECLARED 1
-#endif
-
-
-extern YYSTYPE yylval;
-
-
-int yyparse (void);
-
-
-#endif /* !YY_YY_SEL_GRAM_H_INCLUDED */
diff --git a/lib/hx509/sel-gram.y b/lib/hx509/sel-gram.y
index 7e9d4f26d9c2..09f641d7c051 100644
--- a/lib/hx509/sel-gram.y
+++ b/lib/hx509/sel-gram.y
@@ -78,6 +78,10 @@
%token <string> STRING
%token <string> IDENTIFIER
+%left '!'
+%left kw_AND
+%left kw_OR
+
%start start
%%
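Review bot: The three added `%left` lines rank `'!'` lowest and `kw_OR` highest, because Bison gives each later precedence declaration a higher precedence than the one before it; if the selector language is meant to follow the usual boolean convention (NOT tightest, then AND, then OR), this order is inverted, so `a OR b AND c` would reduce as `(a OR b) AND c` and `! a AND b` would shift and parse as `!(a AND b)`. The rules these declarations govern (`expr: '!' expr | expr kw_AND expr | expr kw_OR expr`, as visible in the deleted generated sel-gram.c earlier on this page) lie outside the hunk, so the effect is inferred from the declarations alone. Since these expressions decide which certificates a selector matches, a binding order that differs from what a policy author expects silently changes match results; the conventional declaration would be `%left kw_OR`, `%left kw_AND`, `%right '!'`. Whichever order is intended, a comment above the block such as `/* Precedence: later declarations bind tighter; keep OR lowest, NOT highest */` and a test exercising mixed AND/OR/NOT without parentheses would pin the semantics.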
diff --git a/lib/hx509/sel-lex.c b/lib/hx509/sel-lex.c
deleted file mode 100644
index 44bd8d3f5213..000000000000
--- a/lib/hx509/sel-lex.c
+++ /dev/null
@@ -1,1941 +0,0 @@
-
-#line 2 "sel-lex.c"
-
-#define YY_INT_ALIGNED short int
-
-/* A lexical scanner generated by flex */
-
-#define FLEX_SCANNER
-#define YY_FLEX_MAJOR_VERSION 2
-#define YY_FLEX_MINOR_VERSION 6
-#define YY_FLEX_SUBMINOR_VERSION 4
-#if YY_FLEX_SUBMINOR_VERSION > 0
-#define FLEX_BETA
-#endif
-
-/* First, we deal with platform-specific or compiler-specific issues. */
-
-/* begin standard C headers. */
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-/* end standard C headers. */
-
-/* flex integer type definitions */
-
-#ifndef FLEXINT_H
-#define FLEXINT_H
-
-/* C99 systems have <inttypes.h>. Non-C99 systems may or may not. */
-
-#if defined (__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
-
-/* C99 says to define __STDC_LIMIT_MACROS before including stdint.h,
- * if you want the limit (max/min) macros for int types.
- */
-#ifndef __STDC_LIMIT_MACROS
-#define __STDC_LIMIT_MACROS 1
-#endif
-
-#include <inttypes.h>
-typedef int8_t flex_int8_t;
-typedef uint8_t flex_uint8_t;
-typedef int16_t flex_int16_t;
-typedef uint16_t flex_uint16_t;
-typedef int32_t flex_int32_t;
-typedef uint32_t flex_uint32_t;
-#else
-typedef signed char flex_int8_t;
-typedef short int flex_int16_t;
-typedef int flex_int32_t;
-typedef unsigned char flex_uint8_t;
-typedef unsigned short int flex_uint16_t;
-typedef unsigned int flex_uint32_t;
-
-/* Limits of integral types. */
-#ifndef INT8_MIN
-#define INT8_MIN (-128)
-#endif
-#ifndef INT16_MIN
-#define INT16_MIN (-32767-1)
-#endif
-#ifndef INT32_MIN
-#define INT32_MIN (-2147483647-1)
-#endif
-#ifndef INT8_MAX
-#define INT8_MAX (127)
-#endif
-#ifndef INT16_MAX
-#define INT16_MAX (32767)
-#endif
-#ifndef INT32_MAX
-#define INT32_MAX (2147483647)
-#endif
-#ifndef UINT8_MAX
-#define UINT8_MAX (255U)
-#endif
-#ifndef UINT16_MAX
-#define UINT16_MAX (65535U)
-#endif
-#ifndef UINT32_MAX
-#define UINT32_MAX (4294967295U)
-#endif
-
-#ifndef SIZE_MAX
-#define SIZE_MAX (~(size_t)0)
-#endif
-
-#endif /* ! C99 */
-
-#endif /* ! FLEXINT_H */
-
-/* begin standard C++ headers. */
-
-/* TODO: this is always defined, so inline it */
-#define yyconst const
-
-#if defined(__GNUC__) && __GNUC__ >= 3
-#define yynoreturn __attribute__((__noreturn__))
-#else
-#define yynoreturn
-#endif
-
-/* Returned upon end-of-file. */
-#define YY_NULL 0
-
-/* Promotes a possibly negative, possibly signed char to an
- * integer in range [0..255] for use as an array index.
- */
-#define YY_SC_TO_UI(c) ((YY_CHAR) (c))
-
-/* Enter a start condition. This macro really ought to take a parameter,
- * but we do it the disgusting crufty way forced on us by the ()-less
- * definition of BEGIN.
- */
-#define BEGIN (yy_start) = 1 + 2 *
-/* Translate the current start state into a value that can be later handed
- * to BEGIN to return to the state. The YYSTATE alias is for lex
- * compatibility.
- */
-#define YY_START (((yy_start) - 1) / 2)
-#define YYSTATE YY_START
-/* Action number for EOF rule of a given start state. */
-#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-/* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE yyrestart( yyin )
-#define YY_END_OF_BUFFER_CHAR 0
-
-/* Size of default input buffer. */
-#ifndef YY_BUF_SIZE
-#ifdef __ia64__
-/* On IA-64, the buffer size is 16k, not 8k.
- * Moreover, YY_BUF_SIZE is 2*YY_READ_BUF_SIZE in the general case.
- * Ditto for the __ia64__ case accordingly.
- */
-#define YY_BUF_SIZE 32768
-#else
-#define YY_BUF_SIZE 16384
-#endif /* __ia64__ */
-#endif
-
-/* The state buf must be large enough to hold one state per character in the main buffer.
- */
-#define YY_STATE_BUF_SIZE ((YY_BUF_SIZE + 2) * sizeof(yy_state_type))
-
-#ifndef YY_TYPEDEF_YY_BUFFER_STATE
-#define YY_TYPEDEF_YY_BUFFER_STATE
-typedef struct yy_buffer_state *YY_BUFFER_STATE;
-#endif
-
-#ifndef YY_TYPEDEF_YY_SIZE_T
-#define YY_TYPEDEF_YY_SIZE_T
-typedef size_t yy_size_t;
-#endif
-
-extern int yyleng;
-
-extern FILE *yyin, *yyout;
-
-#define EOB_ACT_CONTINUE_SCAN 0
-#define EOB_ACT_END_OF_FILE 1
-#define EOB_ACT_LAST_MATCH 2
-
- #define YY_LESS_LINENO(n)
- #define YY_LINENO_REWIND_TO(ptr)
-
-/* Return all but the first "n" matched characters back to the input stream. */
-#define yyless(n) \
- do \
- { \
- /* Undo effects of setting up yytext. */ \
- int yyless_macro_arg = (n); \
- YY_LESS_LINENO(yyless_macro_arg);\
- *yy_cp = (yy_hold_char); \
- YY_RESTORE_YY_MORE_OFFSET \
- (yy_c_buf_p) = yy_cp = yy_bp + yyless_macro_arg - YY_MORE_ADJ; \
- YY_DO_BEFORE_ACTION; /* set up yytext again */ \
- } \
- while ( 0 )
-#define unput(c) yyunput( c, (yytext_ptr) )
-
-#ifndef YY_STRUCT_YY_BUFFER_STATE
-#define YY_STRUCT_YY_BUFFER_STATE
-struct yy_buffer_state
- {
- FILE *yy_input_file;
-
- char *yy_ch_buf; /* input buffer */
- char *yy_buf_pos; /* current position in input buffer */
-
- /* Size of input buffer in bytes, not including room for EOB
- * characters.
- */
- int yy_buf_size;
-
- /* Number of characters read into yy_ch_buf, not including EOB
- * characters.
- */
- int yy_n_chars;
-
- /* Whether we "own" the buffer - i.e., we know we created it,
- * and can realloc() it to grow it, and should free() it to
- * delete it.
- */
- int yy_is_our_buffer;
-
- /* Whether this is an "interactive" input source; if so, and
- * if we're using stdio for input, then we want to use getc()
- * instead of fread(), to make sure we stop fetching input after
- * each newline.
- */
- int yy_is_interactive;
-
- /* Whether we're considered to be at the beginning of a line.
- * If so, '^' rules will be active on the next match, otherwise
- * not.
- */
- int yy_at_bol;
-
- int yy_bs_lineno; /**< The line count. */
- int yy_bs_column; /**< The column count. */
-
- /* Whether to try to fill the input buffer when we reach the
- * end of it.
- */
- int yy_fill_buffer;
-
- int yy_buffer_status;
-
-#define YY_BUFFER_NEW 0
-#define YY_BUFFER_NORMAL 1
- /* When an EOF's been seen but there's still some text to process
- * then we mark the buffer as YY_EOF_PENDING, to indicate that we
- * shouldn't try reading from the input source any more. We might
- * still have a bunch of tokens to match, though, because of
- * possible backing-up.
- *
- * When we actually see the EOF, we change the status to "new"
- * (via yyrestart()), so that the user can continue scanning by
- * just pointing yyin at a new input file.
- */
-#define YY_BUFFER_EOF_PENDING 2
-
- };
-#endif /* !YY_STRUCT_YY_BUFFER_STATE */
-
-/* Stack of input buffers. */
-static size_t yy_buffer_stack_top = 0; /**< index of top of stack. */
-static size_t yy_buffer_stack_max = 0; /**< capacity of stack. */
-static YY_BUFFER_STATE * yy_buffer_stack = NULL; /**< Stack as an array. */
-
-/* We provide macros for accessing buffer states in case in the
- * future we want to put the buffer states in a more general
- * "scanner state".
- *
- * Returns the top of the stack, or NULL.
- */
-#define YY_CURRENT_BUFFER ( (yy_buffer_stack) \
- ? (yy_buffer_stack)[(yy_buffer_stack_top)] \
- : NULL)
-/* Same as previous macro, but useful when we know that the buffer stack is not
- * NULL or when we need an lvalue. For internal use only.
- */
-#define YY_CURRENT_BUFFER_LVALUE (yy_buffer_stack)[(yy_buffer_stack_top)]
-
-/* yy_hold_char holds the character lost when yytext is formed. */
-static char yy_hold_char;
-static int yy_n_chars; /* number of characters read into yy_ch_buf */
-int yyleng;
-
-/* Points to current character in buffer. */
-static char *yy_c_buf_p = NULL;
-static int yy_init = 0; /* whether we need to initialize */
-static int yy_start = 0; /* start state number */
-
-/* Flag which is used to allow yywrap()'s to do buffer switches
- * instead of setting up a fresh yyin. A bit of a hack ...
- */
-static int yy_did_buffer_switch_on_eof;
-
-void yyrestart ( FILE *input_file );
-void yy_switch_to_buffer ( YY_BUFFER_STATE new_buffer );
-YY_BUFFER_STATE yy_create_buffer ( FILE *file, int size );
-void yy_delete_buffer ( YY_BUFFER_STATE b );
-void yy_flush_buffer ( YY_BUFFER_STATE b );
-void yypush_buffer_state ( YY_BUFFER_STATE new_buffer );
-void yypop_buffer_state ( void );
-
-static void yyensure_buffer_stack ( void );
-static void yy_load_buffer_state ( void );
-static void yy_init_buffer ( YY_BUFFER_STATE b, FILE *file );
-#define YY_FLUSH_BUFFER yy_flush_buffer( YY_CURRENT_BUFFER )
-
-YY_BUFFER_STATE yy_scan_buffer ( char *base, yy_size_t size );
-YY_BUFFER_STATE yy_scan_string ( const char *yy_str );
-YY_BUFFER_STATE yy_scan_bytes ( const char *bytes, int len );
-
-void *yyalloc ( yy_size_t );
-void *yyrealloc ( void *, yy_size_t );
-void yyfree ( void * );
-
-#define yy_new_buffer yy_create_buffer
-#define yy_set_interactive(is_interactive) \
- { \
- if ( ! YY_CURRENT_BUFFER ){ \
- yyensure_buffer_stack (); \
- YY_CURRENT_BUFFER_LVALUE = \
- yy_create_buffer( yyin, YY_BUF_SIZE ); \
- } \
- YY_CURRENT_BUFFER_LVALUE->yy_is_interactive = is_interactive; \
- }
-#define yy_set_bol(at_bol) \
- { \
- if ( ! YY_CURRENT_BUFFER ){\
- yyensure_buffer_stack (); \
- YY_CURRENT_BUFFER_LVALUE = \
- yy_create_buffer( yyin, YY_BUF_SIZE ); \
- } \
- YY_CURRENT_BUFFER_LVALUE->yy_at_bol = at_bol; \
- }
-#define YY_AT_BOL() (YY_CURRENT_BUFFER_LVALUE->yy_at_bol)
-
-/* Begin user sect3 */
-typedef flex_uint8_t YY_CHAR;
-
-FILE *yyin = NULL, *yyout = NULL;
-
-typedef int yy_state_type;
-
-extern int yylineno;
-int yylineno = 1;
-
-extern char *yytext;
-#ifdef yytext_ptr
-#undef yytext_ptr
-#endif
-#define yytext_ptr yytext
-
-static yy_state_type yy_get_previous_state ( void );
-static yy_state_type yy_try_NUL_trans ( yy_state_type current_state );
-static int yy_get_next_buffer ( void );
-static void yynoreturn yy_fatal_error ( const char* msg );
-
-/* Done after the current pattern has been matched and before the
- * corresponding action - sets up yytext.
- */
-#define YY_DO_BEFORE_ACTION \
- (yytext_ptr) = yy_bp; \
- yyleng = (int) (yy_cp - yy_bp); \
- (yy_hold_char) = *yy_cp; \
- *yy_cp = '\0'; \
- (yy_c_buf_p) = yy_cp;
-#define YY_NUM_RULES 12
-#define YY_END_OF_BUFFER 13
-/* This struct is not used in this scanner,
- but its presence is necessary. */
-struct yy_trans_info
- {
- flex_int32_t yy_verify;
- flex_int32_t yy_nxt;
- };
-static const flex_int16_t yy_accept[36] =
- { 0,
- 0, 0, 13, 12, 11, 9, 10, 8, 7, 7,
- 7, 7, 7, 7, 7, 7, 7, 5, 4, 7,
- 7, 3, 7, 7, 7, 7, 7, 1, 2, 7,
- 7, 7, 7, 6, 0
- } ;
-
-static const YY_CHAR yy_ec[256] =
- { 0,
- 1, 1, 1, 1, 1, 1, 1, 1, 2, 3,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 2, 4, 5, 1, 1, 4, 1, 1, 4,
- 4, 1, 1, 4, 6, 4, 1, 6, 6, 6,
- 6, 6, 6, 6, 6, 6, 6, 1, 1, 1,
- 4, 1, 1, 1, 7, 8, 9, 10, 11, 12,
- 8, 13, 14, 8, 8, 15, 16, 17, 18, 8,
- 8, 19, 20, 21, 22, 8, 8, 8, 8, 8,
- 1, 1, 1, 1, 6, 1, 8, 8, 8, 8,
-
- 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
- 8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
- 8, 8, 4, 1, 4, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1
- } ;
-
-static const YY_CHAR yy_meta[23] =
- { 0,
- 1, 1, 1, 1, 1, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2
- } ;
-
-static const flex_int16_t yy_base[37] =
- { 0,
- 0, 0, 43, 44, 44, 44, 44, 44, 25, 0,
- 34, 23, 20, 16, 0, 28, 22, 0, 0, 22,
- 12, 0, 13, 17, 20, 19, 13, 0, 0, 21,
- 6, 17, 12, 0, 44, 22
- } ;
-
-static const flex_int16_t yy_def[37] =
- { 0,
- 35, 1, 35, 35, 35, 35, 35, 35, 36, 36,
- 36, 36, 36, 36, 36, 36, 36, 36, 36, 36,
- 36, 36, 36, 36, 36, 36, 36, 36, 36, 36,
- 36, 36, 36, 36, 0, 35
- } ;
-
-static const flex_int16_t yy_nxt[67] =
- { 0,
- 4, 5, 6, 7, 8, 4, 9, 10, 10, 10,
- 10, 11, 10, 12, 10, 10, 10, 13, 10, 10,
- 14, 10, 20, 15, 34, 33, 32, 31, 30, 29,
- 28, 27, 26, 25, 21, 24, 23, 22, 19, 18,
- 17, 16, 35, 3, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35
- } ;
-
-static const flex_int16_t yy_chk[67] =
- { 0,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 14, 36, 33, 32, 31, 30, 27, 26,
- 25, 24, 23, 21, 14, 20, 17, 16, 13, 12,
- 11, 9, 3, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 35, 35
- } ;
-
-static yy_state_type yy_last_accepting_state;
-static char *yy_last_accepting_cpos;
-
-extern int yy_flex_debug;
-int yy_flex_debug = 0;
-
-/* The intent behind this definition is that it'll catch
- * any uses of REJECT which flex missed.
- */
-#define REJECT reject_used_but_not_detected
-#define yymore() yymore_used_but_not_detected
-#define YY_MORE_ADJ 0
-#define YY_RESTORE_YY_MORE_OFFSET
-char *yytext;
-#line 1 "sel-lex.l"
-#line 2 "sel-lex.l"
-/*
- * Copyright (c) 2004 - 2017 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id$ */
-
-#ifdef __GNUC__
-#pragma GCC diagnostic ignored "-Wunused-function"
-#endif
-
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#undef ECHO
-
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include "sel.h"
-#include "sel-gram.h"
-unsigned lineno = 1;
-
-static char * handle_string(void);
-static int lex_input(char *, int);
-
-struct hx_expr_input _hx509_expr_input;
-
-#ifndef YY_NULL
-#define YY_NULL 0
-#endif
-
-#define YY_NO_UNPUT 1
-
-#undef YY_INPUT
-#define YY_INPUT(buf,res,maxsize) (res = lex_input(buf, maxsize))
-
-#undef ECHO
-
-#line 534 "sel-lex.c"
-#line 535 "sel-lex.c"
-
-#define INITIAL 0
-
-#ifndef YY_NO_UNISTD_H
-/* Special case for "unistd.h", since it is non-ANSI. We include it way
- * down here because we want the user's section 1 to have been scanned first.
- * The user has a chance to override it with an option.
- */
-#include <unistd.h>
-#endif
-
-#ifndef YY_EXTRA_TYPE
-#define YY_EXTRA_TYPE void *
-#endif
-
-static int yy_init_globals ( void );
-
-/* Accessor methods to globals.
- These are made visible to non-reentrant scanners for convenience. */
-
-int yylex_destroy ( void );
-
-int yyget_debug ( void );
-
-void yyset_debug ( int debug_flag );
-
-YY_EXTRA_TYPE yyget_extra ( void );
-
-void yyset_extra ( YY_EXTRA_TYPE user_defined );
-
-FILE *yyget_in ( void );
-
-void yyset_in ( FILE * _in_str );
-
-FILE *yyget_out ( void );
-
-void yyset_out ( FILE * _out_str );
-
- int yyget_leng ( void );
-
-char *yyget_text ( void );
-
-int yyget_lineno ( void );
-
-void yyset_lineno ( int _line_number );
-
-/* Macros after this point can all be overridden by user definitions in
- * section 1.
- */
-
-#ifndef YY_SKIP_YYWRAP
-#ifdef __cplusplus
-extern "C" int yywrap ( void );
-#else
-extern int yywrap ( void );
-#endif
-#endif
-
-#ifndef YY_NO_UNPUT
-
- static void yyunput ( int c, char *buf_ptr );
-
-#endif
-
-#ifndef yytext_ptr
-static void yy_flex_strncpy ( char *, const char *, int );
-#endif
-
-#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen ( const char * );
-#endif
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
-static int yyinput ( void );
-#else
-static int input ( void );
-#endif
-
-#endif
-
-/* Amount of stuff to slurp up with each read. */
-#ifndef YY_READ_BUF_SIZE
-#ifdef __ia64__
-/* On IA-64, the buffer size is 16k, not 8k */
-#define YY_READ_BUF_SIZE 16384
-#else
-#define YY_READ_BUF_SIZE 8192
-#endif /* __ia64__ */
-#endif
-
-/* Copy whatever the last rule matched to the standard output. */
-#ifndef ECHO
-/* This used to be an fputs(), but since the string might contain NUL's,
- * we now use fwrite().
- */
-#define ECHO do { if (fwrite( yytext, (size_t) yyleng, 1, yyout )) {} } while (0)
-#endif
-
-/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL,
- * is returned in "result".
- */
-#ifndef YY_INPUT
-#define YY_INPUT(buf,result,max_size) \
- if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
- { \
- int c = '*'; \
- int n; \
- for ( n = 0; n < max_size && \
- (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
- buf[n] = (char) c; \
- if ( c == '\n' ) \
- buf[n++] = (char) c; \
- if ( c == EOF && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- result = n; \
- } \
- else \
- { \
- errno=0; \
- while ( (result = (int) fread(buf, 1, (yy_size_t) max_size, yyin)) == 0 && ferror(yyin)) \
- { \
- if( errno != EINTR) \
- { \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- break; \
- } \
- errno=0; \
- clearerr(yyin); \
- } \
- }\
-\
-
-#endif
-
-/* No semi-colon after return; correct usage is to write "yyterminate();" -
- * we don't want an extra ';' after the "return" because that will cause
- * some compilers to complain about unreachable statements.
- */
-#ifndef yyterminate
-#define yyterminate() return YY_NULL
-#endif
-
-/* Number of entries by which start-condition stack grows. */
-#ifndef YY_START_STACK_INCR
-#define YY_START_STACK_INCR 25
-#endif
-
-/* Report a fatal error. */
-#ifndef YY_FATAL_ERROR
-#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
-#endif
-
-/* end tables serialization structures and prototypes */
-
-/* Default declaration of generated scanner - a define so the user can
- * easily add parameters.
- */
-#ifndef YY_DECL
-#define YY_DECL_IS_OURS 1
-
-extern int yylex (void);
-
-#define YY_DECL int yylex (void)
-#endif /* !YY_DECL */
-
-/* Code executed at the beginning of each rule, after yytext and yyleng
- * have been set up.
- */
-#ifndef YY_USER_ACTION
-#define YY_USER_ACTION
-#endif
-
-/* Code executed at the end of each rule. */
-#ifndef YY_BREAK
-#define YY_BREAK /*LINTED*/break;
-#endif
-
-#define YY_RULE_SETUP \
- YY_USER_ACTION
-
-/** The main scanner function which does all the work.
- */
-YY_DECL
-{
- yy_state_type yy_current_state;
- char *yy_cp, *yy_bp;
- int yy_act;
-
- if ( !(yy_init) )
- {
- (yy_init) = 1;
-
-#ifdef YY_USER_INIT
- YY_USER_INIT;
-#endif
-
- if ( ! (yy_start) )
- (yy_start) = 1; /* first start state */
-
- if ( ! yyin )
- yyin = stdin;
-
- if ( ! yyout )
- yyout = stdout;
-
- if ( ! YY_CURRENT_BUFFER ) {
- yyensure_buffer_stack ();
- YY_CURRENT_BUFFER_LVALUE =
- yy_create_buffer( yyin, YY_BUF_SIZE );
- }
-
- yy_load_buffer_state( );
- }
-
- {
-#line 73 "sel-lex.l"
-
-
-#line 755 "sel-lex.c"
-
- while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
- {
- yy_cp = (yy_c_buf_p);
-
- /* Support of yytext. */
- *yy_cp = (yy_hold_char);
-
- /* yy_bp points to the position in yy_ch_buf of the start of
- * the current run.
- */
- yy_bp = yy_cp;
-
- yy_current_state = (yy_start);
-yy_match:
- do
- {
- YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)] ;
- if ( yy_accept[yy_current_state] )
- {
- (yy_last_accepting_state) = yy_current_state;
- (yy_last_accepting_cpos) = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 36 )
- yy_c = yy_meta[yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
- ++yy_cp;
- }
- while ( yy_base[yy_current_state] != 44 );
-
-yy_find_action:
- yy_act = yy_accept[yy_current_state];
- if ( yy_act == 0 )
- { /* have to back up */
- yy_cp = (yy_last_accepting_cpos);
- yy_current_state = (yy_last_accepting_state);
- yy_act = yy_accept[yy_current_state];
- }
-
- YY_DO_BEFORE_ACTION;
-
-do_action: /* This label is used only to access EOF actions. */
-
- switch ( yy_act )
- { /* beginning of action switch */
- case 0: /* must back up */
- /* undo the effects of YY_DO_BEFORE_ACTION */
- *yy_cp = (yy_hold_char);
- yy_cp = (yy_last_accepting_cpos);
- yy_current_state = (yy_last_accepting_state);
- goto yy_find_action;
-
-case 1:
-YY_RULE_SETUP
-#line 75 "sel-lex.l"
-{ return kw_TRUE; }
- YY_BREAK
-case 2:
-YY_RULE_SETUP
-#line 76 "sel-lex.l"
-{ return kw_FALSE; }
- YY_BREAK
-case 3:
-YY_RULE_SETUP
-#line 77 "sel-lex.l"
-{ return kw_AND; }
- YY_BREAK
-case 4:
-YY_RULE_SETUP
-#line 78 "sel-lex.l"
-{ return kw_OR; }
- YY_BREAK
-case 5:
-YY_RULE_SETUP
-#line 79 "sel-lex.l"
-{ return kw_IN; }
- YY_BREAK
-case 6:
-YY_RULE_SETUP
-#line 80 "sel-lex.l"
-{ return kw_TAILMATCH; }
- YY_BREAK
-case 7:
-YY_RULE_SETUP
-#line 82 "sel-lex.l"
-{
- yylval.string = strdup ((const char *)yytext);
- return IDENTIFIER;
- }
- YY_BREAK
-case 8:
-YY_RULE_SETUP
-#line 86 "sel-lex.l"
-{ yylval.string = handle_string(); return STRING; }
- YY_BREAK
-case 9:
-/* rule 9 can match eol */
-YY_RULE_SETUP
-#line 87 "sel-lex.l"
-{ ++lineno; }
- YY_BREAK
-case 10:
-YY_RULE_SETUP
-#line 88 "sel-lex.l"
-{ return *yytext; }
- YY_BREAK
-case 11:
-YY_RULE_SETUP
-#line 89 "sel-lex.l"
-;
- YY_BREAK
-case 12:
-YY_RULE_SETUP
-#line 90 "sel-lex.l"
-ECHO;
- YY_BREAK
-#line 876 "sel-lex.c"
-case YY_STATE_EOF(INITIAL):
- yyterminate();
-
- case YY_END_OF_BUFFER:
- {
- /* Amount of text matched not including the EOB char. */
- int yy_amount_of_matched_text = (int) (yy_cp - (yytext_ptr)) - 1;
-
- /* Undo the effects of YY_DO_BEFORE_ACTION. */
- *yy_cp = (yy_hold_char);
- YY_RESTORE_YY_MORE_OFFSET
-
- if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_NEW )
- {
- /* We're scanning a new file or input source. It's
- * possible that this happened because the user
- * just pointed yyin at a new source and called
- * yylex(). If so, then we have to assure
- * consistency between YY_CURRENT_BUFFER and our
- * globals. Here is the right place to do so, because
- * this is the first action (other than possibly a
- * back-up) that will match for the new input source.
- */
- (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
- YY_CURRENT_BUFFER_LVALUE->yy_input_file = yyin;
- YY_CURRENT_BUFFER_LVALUE->yy_buffer_status = YY_BUFFER_NORMAL;
- }
-
- /* Note that here we test for yy_c_buf_p "<=" to the position
- * of the first EOB in the buffer, since yy_c_buf_p will
- * already have been incremented past the NUL character
- * (since all states make transitions on EOB to the
- * end-of-buffer state). Contrast this with the test
- * in input().
- */
- if ( (yy_c_buf_p) <= &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
- { /* This was really a NUL. */
- yy_state_type yy_next_state;
-
- (yy_c_buf_p) = (yytext_ptr) + yy_amount_of_matched_text;
-
- yy_current_state = yy_get_previous_state( );
-
- /* Okay, we're now positioned to make the NUL
- * transition. We couldn't have
- * yy_get_previous_state() go ahead and do it
- * for us because it doesn't know how to deal
- * with the possibility of jamming (and we don't
- * want to build jamming into it because then it
- * will run more slowly).
- */
-
- yy_next_state = yy_try_NUL_trans( yy_current_state );
-
- yy_bp = (yytext_ptr) + YY_MORE_ADJ;
-
- if ( yy_next_state )
- {
- /* Consume the NUL. */
- yy_cp = ++(yy_c_buf_p);
- yy_current_state = yy_next_state;
- goto yy_match;
- }
-
- else
- {
- yy_cp = (yy_c_buf_p);
- goto yy_find_action;
- }
- }
-
- else switch ( yy_get_next_buffer( ) )
- {
- case EOB_ACT_END_OF_FILE:
- {
- (yy_did_buffer_switch_on_eof) = 0;
-
- if ( yywrap( ) )
- {
- /* Note: because we've taken care in
- * yy_get_next_buffer() to have set up
- * yytext, we can now set up
- * yy_c_buf_p so that if some total
- * hoser (like flex itself) wants to
- * call the scanner after we return the
- * YY_NULL, it'll still work - another
- * YY_NULL will get returned.
- */
- (yy_c_buf_p) = (yytext_ptr) + YY_MORE_ADJ;
-
- yy_act = YY_STATE_EOF(YY_START);
- goto do_action;
- }
-
- else
- {
- if ( ! (yy_did_buffer_switch_on_eof) )
- YY_NEW_FILE;
- }
- break;
- }
-
- case EOB_ACT_CONTINUE_SCAN:
- (yy_c_buf_p) =
- (yytext_ptr) + yy_amount_of_matched_text;
-
- yy_current_state = yy_get_previous_state( );
-
- yy_cp = (yy_c_buf_p);
- yy_bp = (yytext_ptr) + YY_MORE_ADJ;
- goto yy_match;
-
- case EOB_ACT_LAST_MATCH:
- (yy_c_buf_p) =
- &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)];
-
- yy_current_state = yy_get_previous_state( );
-
- yy_cp = (yy_c_buf_p);
- yy_bp = (yytext_ptr) + YY_MORE_ADJ;
- goto yy_find_action;
- }
- break;
- }
-
- default:
- YY_FATAL_ERROR(
- "fatal flex scanner internal error--no action found" );
- } /* end of action switch */
- } /* end of scanning one token */
- } /* end of user's declarations */
-} /* end of yylex */
-
-/* yy_get_next_buffer - try to read in a new buffer
- *
- * Returns a code representing an action:
- * EOB_ACT_LAST_MATCH -
- * EOB_ACT_CONTINUE_SCAN - continue scanning from current position
- * EOB_ACT_END_OF_FILE - end of file
- */
-static int yy_get_next_buffer (void)
-{
- char *dest = YY_CURRENT_BUFFER_LVALUE->yy_ch_buf;
- char *source = (yytext_ptr);
- int number_to_move, i;
- int ret_val;
-
- if ( (yy_c_buf_p) > &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] )
- YY_FATAL_ERROR(
- "fatal flex scanner internal error--end of buffer missed" );
-
- if ( YY_CURRENT_BUFFER_LVALUE->yy_fill_buffer == 0 )
- { /* Don't try to fill the buffer, so this is an EOF. */
- if ( (yy_c_buf_p) - (yytext_ptr) - YY_MORE_ADJ == 1 )
- {
- /* We matched a single character, the EOB, so
- * treat this as a final EOF.
- */
- return EOB_ACT_END_OF_FILE;
- }
-
- else
- {
- /* We matched some text prior to the EOB, first
- * process it.
- */
- return EOB_ACT_LAST_MATCH;
- }
- }
-
- /* Try to read more data. */
-
- /* First move last chars to start of buffer. */
- number_to_move = (int) ((yy_c_buf_p) - (yytext_ptr) - 1);
-
- for ( i = 0; i < number_to_move; ++i )
- *(dest++) = *(source++);
-
- if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- /* don't do the read, it's not guaranteed to return an EOF,
- * just force an EOF
- */
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars) = 0;
-
- else
- {
- int num_to_read =
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
-
- while ( num_to_read <= 0 )
- { /* Not enough room in the buffer - grow it. */
-
- /* just a shorter name for the current buffer */
- YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
-
- int yy_c_buf_p_offset =
- (int) ((yy_c_buf_p) - b->yy_ch_buf);
-
- if ( b->yy_is_our_buffer )
- {
- int new_size = b->yy_buf_size * 2;
-
- if ( new_size <= 0 )
- b->yy_buf_size += b->yy_buf_size / 8;
- else
- b->yy_buf_size *= 2;
-
- b->yy_ch_buf = (char *)
- /* Include room in for 2 EOB chars. */
- yyrealloc( (void *) b->yy_ch_buf,
- (yy_size_t) (b->yy_buf_size + 2) );
- }
- else
- /* Can't grow it, we don't own it. */
- b->yy_ch_buf = NULL;
-
- if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR(
- "fatal error - scanner input buffer overflow" );
-
- (yy_c_buf_p) = &b->yy_ch_buf[yy_c_buf_p_offset];
-
- num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size -
- number_to_move - 1;
-
- }
-
- if ( num_to_read > YY_READ_BUF_SIZE )
- num_to_read = YY_READ_BUF_SIZE;
-
- /* Read in more data. */
- YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
- (yy_n_chars), num_to_read );
-
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
- }
-
- if ( (yy_n_chars) == 0 )
- {
- if ( number_to_move == YY_MORE_ADJ )
- {
- ret_val = EOB_ACT_END_OF_FILE;
- yyrestart( yyin );
- }
-
- else
- {
- ret_val = EOB_ACT_LAST_MATCH;
- YY_CURRENT_BUFFER_LVALUE->yy_buffer_status =
- YY_BUFFER_EOF_PENDING;
- }
- }
-
- else
- ret_val = EOB_ACT_CONTINUE_SCAN;
-
- if (((yy_n_chars) + number_to_move) > YY_CURRENT_BUFFER_LVALUE->yy_buf_size) {
- /* Extend the array by 50%, plus the number we really need. */
- int new_size = (yy_n_chars) + number_to_move + ((yy_n_chars) >> 1);
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf = (char *) yyrealloc(
- (void *) YY_CURRENT_BUFFER_LVALUE->yy_ch_buf, (yy_size_t) new_size );
- if ( ! YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_get_next_buffer()" );
- /* "- 2" to take care of EOB's */
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size = (int) (new_size - 2);
- }
-
- (yy_n_chars) += number_to_move;
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] = YY_END_OF_BUFFER_CHAR;
- YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars) + 1] = YY_END_OF_BUFFER_CHAR;
-
- (yytext_ptr) = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[0];
-
- return ret_val;
-}
-
-/* yy_get_previous_state - get the state just before the EOB char was reached */
-
- static yy_state_type yy_get_previous_state (void)
-{
- yy_state_type yy_current_state;
- char *yy_cp;
-
- yy_current_state = (yy_start);
-
- for ( yy_cp = (yytext_ptr) + YY_MORE_ADJ; yy_cp < (yy_c_buf_p); ++yy_cp )
- {
- YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
- if ( yy_accept[yy_current_state] )
- {
- (yy_last_accepting_state) = yy_current_state;
- (yy_last_accepting_cpos) = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 36 )
- yy_c = yy_meta[yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
- }
-
- return yy_current_state;
-}
-
-/* yy_try_NUL_trans - try to make a transition on the NUL character
- *
- * synopsis
- * next_state = yy_try_NUL_trans( current_state );
- */
- static yy_state_type yy_try_NUL_trans (yy_state_type yy_current_state )
-{
- int yy_is_jam;
- char *yy_cp = (yy_c_buf_p);
-
- YY_CHAR yy_c = 1;
- if ( yy_accept[yy_current_state] )
- {
- (yy_last_accepting_state) = yy_current_state;
- (yy_last_accepting_cpos) = yy_cp;
- }
- while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
- {
- yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 36 )
- yy_c = yy_meta[yy_c];
- }
- yy_current_state = yy_nxt[yy_base[yy_current_state] + yy_c];
- yy_is_jam = (yy_current_state == 35);
-
- return yy_is_jam ? 0 : yy_current_state;
-}
-
-#ifndef YY_NO_UNPUT
-
- static void yyunput (int c, char * yy_bp )
-{
- char *yy_cp;
-
- yy_cp = (yy_c_buf_p);
-
- /* undo effects of setting up yytext */
- *yy_cp = (yy_hold_char);
-
- if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
- { /* need to shift things up to make room */
- /* +2 for EOB chars. */
- int number_to_move = (yy_n_chars) + 2;
- char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
- char *source =
- &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
-
- while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
- *--dest = *--source;
-
- yy_cp += (int) (dest - source);
- yy_bp += (int) (dest - source);
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
- (yy_n_chars) = (int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
-
- if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
- YY_FATAL_ERROR( "flex scanner push-back overflow" );
- }
-
- *--yy_cp = (char) c;
-
- (yytext_ptr) = yy_bp;
- (yy_hold_char) = *yy_cp;
- (yy_c_buf_p) = yy_cp;
-}
-
-#endif
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
- static int yyinput (void)
-#else
- static int input (void)
-#endif
-
-{
- int c;
-
- *(yy_c_buf_p) = (yy_hold_char);
-
- if ( *(yy_c_buf_p) == YY_END_OF_BUFFER_CHAR )
- {
- /* yy_c_buf_p now points to the character we want to return.
- * If this occurs *before* the EOB characters, then it's a
- * valid NUL; if not, then we've hit the end of the buffer.
- */
- if ( (yy_c_buf_p) < &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[(yy_n_chars)] )
- /* This was really a NUL. */
- *(yy_c_buf_p) = '\0';
-
- else
- { /* need more input */
- int offset = (int) ((yy_c_buf_p) - (yytext_ptr));
- ++(yy_c_buf_p);
-
- switch ( yy_get_next_buffer( ) )
- {
- case EOB_ACT_LAST_MATCH:
- /* This happens because yy_g_n_b()
- * sees that we've accumulated a
- * token and flags that we need to
- * try matching the token before
- * proceeding. But for input(),
- * there's no matching to consider.
- * So convert the EOB_ACT_LAST_MATCH
- * to EOB_ACT_END_OF_FILE.
- */
-
- /* Reset buffer status. */
- yyrestart( yyin );
-
- /*FALLTHROUGH*/
-
- case EOB_ACT_END_OF_FILE:
- {
- if ( yywrap( ) )
- return 0;
-
- if ( ! (yy_did_buffer_switch_on_eof) )
- YY_NEW_FILE;
-#ifdef __cplusplus
- return yyinput();
-#else
- return input();
-#endif
- }
-
- case EOB_ACT_CONTINUE_SCAN:
- (yy_c_buf_p) = (yytext_ptr) + offset;
- break;
- }
- }
- }
-
- c = *(unsigned char *) (yy_c_buf_p); /* cast for 8-bit char's */
- *(yy_c_buf_p) = '\0'; /* preserve yytext */
- (yy_hold_char) = *++(yy_c_buf_p);
-
- return c;
-}
-#endif /* ifndef YY_NO_INPUT */
-
-/** Immediately switch to a different input stream.
- * @param input_file A readable stream.
- *
- * @note This function does not reset the start condition to @c INITIAL .
- */
- void yyrestart (FILE * input_file )
-{
-
- if ( ! YY_CURRENT_BUFFER ){
- yyensure_buffer_stack ();
- YY_CURRENT_BUFFER_LVALUE =
- yy_create_buffer( yyin, YY_BUF_SIZE );
- }
-
- yy_init_buffer( YY_CURRENT_BUFFER, input_file );
- yy_load_buffer_state( );
-}
-
-/** Switch to a different input buffer.
- * @param new_buffer The new input buffer.
- *
- */
- void yy_switch_to_buffer (YY_BUFFER_STATE new_buffer )
-{
-
- /* TODO. We should be able to replace this entire function body
- * with
- * yypop_buffer_state();
- * yypush_buffer_state(new_buffer);
- */
- yyensure_buffer_stack ();
- if ( YY_CURRENT_BUFFER == new_buffer )
- return;
-
- if ( YY_CURRENT_BUFFER )
- {
- /* Flush out information for old buffer. */
- *(yy_c_buf_p) = (yy_hold_char);
- YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
- }
-
- YY_CURRENT_BUFFER_LVALUE = new_buffer;
- yy_load_buffer_state( );
-
- /* We don't actually know whether we did this switch during
- * EOF (yywrap()) processing, but the only time this flag
- * is looked at is after yywrap() is called, so it's safe
- * to go ahead and always set it.
- */
- (yy_did_buffer_switch_on_eof) = 1;
-}
-
-static void yy_load_buffer_state (void)
-{
- (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_n_chars;
- (yytext_ptr) = (yy_c_buf_p) = YY_CURRENT_BUFFER_LVALUE->yy_buf_pos;
- yyin = YY_CURRENT_BUFFER_LVALUE->yy_input_file;
- (yy_hold_char) = *(yy_c_buf_p);
-}
-
-/** Allocate and initialize an input buffer state.
- * @param file A readable stream.
- * @param size The character buffer size in bytes. When in doubt, use @c YY_BUF_SIZE.
- *
- * @return the allocated buffer state.
- */
- YY_BUFFER_STATE yy_create_buffer (FILE * file, int size )
-{
- YY_BUFFER_STATE b;
-
- b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) );
- if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
- b->yy_buf_size = size;
-
- /* yy_ch_buf has to be 2 characters longer than the size given because
- * we need to put in 2 end-of-buffer characters.
- */
- b->yy_ch_buf = (char *) yyalloc( (yy_size_t) (b->yy_buf_size + 2) );
- if ( ! b->yy_ch_buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
- b->yy_is_our_buffer = 1;
-
- yy_init_buffer( b, file );
-
- return b;
-}
-
-/** Destroy the buffer.
- * @param b a buffer created with yy_create_buffer()
- *
- */
- void yy_delete_buffer (YY_BUFFER_STATE b )
-{
-
- if ( ! b )
- return;
-
- if ( b == YY_CURRENT_BUFFER ) /* Not sure if we should pop here. */
- YY_CURRENT_BUFFER_LVALUE = (YY_BUFFER_STATE) 0;
-
- if ( b->yy_is_our_buffer )
- yyfree( (void *) b->yy_ch_buf );
-
- yyfree( (void *) b );
-}
-
-/* Initializes or reinitializes a buffer.
- * This function is sometimes called more than once on the same buffer,
- * such as during a yyrestart() or at EOF.
- */
- static void yy_init_buffer (YY_BUFFER_STATE b, FILE * file )
-
-{
- int oerrno = errno;
-
- yy_flush_buffer( b );
-
- b->yy_input_file = file;
- b->yy_fill_buffer = 1;
-
- /* If b is the current buffer, then yy_init_buffer was _probably_
- * called from yyrestart() or through yy_get_next_buffer.
- * In that case, we don't want to reset the lineno or column.
- */
- if (b != YY_CURRENT_BUFFER){
- b->yy_bs_lineno = 1;
- b->yy_bs_column = 0;
- }
-
- b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
-
- errno = oerrno;
-}
-
-/** Discard all buffered characters. On the next scan, YY_INPUT will be called.
- * @param b the buffer state to be flushed, usually @c YY_CURRENT_BUFFER.
- *
- */
- void yy_flush_buffer (YY_BUFFER_STATE b )
-{
- if ( ! b )
- return;
-
- b->yy_n_chars = 0;
-
- /* We always need two end-of-buffer characters. The first causes
- * a transition to the end-of-buffer state. The second causes
- * a jam in that state.
- */
- b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
- b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
-
- b->yy_buf_pos = &b->yy_ch_buf[0];
-
- b->yy_at_bol = 1;
- b->yy_buffer_status = YY_BUFFER_NEW;
-
- if ( b == YY_CURRENT_BUFFER )
- yy_load_buffer_state( );
-}
-
-/** Pushes the new state onto the stack. The new state becomes
- * the current state. This function will allocate the stack
- * if necessary.
- * @param new_buffer The new state.
- *
- */
-void yypush_buffer_state (YY_BUFFER_STATE new_buffer )
-{
- if (new_buffer == NULL)
- return;
-
- yyensure_buffer_stack();
-
- /* This block is copied from yy_switch_to_buffer. */
- if ( YY_CURRENT_BUFFER )
- {
- /* Flush out information for old buffer. */
- *(yy_c_buf_p) = (yy_hold_char);
- YY_CURRENT_BUFFER_LVALUE->yy_buf_pos = (yy_c_buf_p);
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
- }
-
- /* Only push if top exists. Otherwise, replace top. */
- if (YY_CURRENT_BUFFER)
- (yy_buffer_stack_top)++;
- YY_CURRENT_BUFFER_LVALUE = new_buffer;
-
- /* copied from yy_switch_to_buffer. */
- yy_load_buffer_state( );
- (yy_did_buffer_switch_on_eof) = 1;
-}
-
-/** Removes and deletes the top of the stack, if present.
- * The next element becomes the new top.
- *
- */
-void yypop_buffer_state (void)
-{
- if (!YY_CURRENT_BUFFER)
- return;
-
- yy_delete_buffer(YY_CURRENT_BUFFER );
- YY_CURRENT_BUFFER_LVALUE = NULL;
- if ((yy_buffer_stack_top) > 0)
- --(yy_buffer_stack_top);
-
- if (YY_CURRENT_BUFFER) {
- yy_load_buffer_state( );
- (yy_did_buffer_switch_on_eof) = 1;
- }
-}
-
-/* Allocates the stack if it does not exist.
- * Guarantees space for at least one push.
- */
-static void yyensure_buffer_stack (void)
-{
- yy_size_t num_to_alloc;
-
- if (!(yy_buffer_stack)) {
-
- /* First allocation is just for 2 elements, since we don't know if this
- * scanner will even need a stack. We use 2 instead of 1 to avoid an
- * immediate realloc on the next call.
- */
- num_to_alloc = 1; /* After all that talk, this was set to 1 anyways... */
- (yy_buffer_stack) = (struct yy_buffer_state**)yyalloc
- (num_to_alloc * sizeof(struct yy_buffer_state*)
- );
- if ( ! (yy_buffer_stack) )
- YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
-
- memset((yy_buffer_stack), 0, num_to_alloc * sizeof(struct yy_buffer_state*));
-
- (yy_buffer_stack_max) = num_to_alloc;
- (yy_buffer_stack_top) = 0;
- return;
- }
-
- if ((yy_buffer_stack_top) >= ((yy_buffer_stack_max)) - 1){
-
- /* Increase the buffer to prepare for a possible push. */
- yy_size_t grow_size = 8 /* arbitrary grow size */;
-
- num_to_alloc = (yy_buffer_stack_max) + grow_size;
- (yy_buffer_stack) = (struct yy_buffer_state**)yyrealloc
- ((yy_buffer_stack),
- num_to_alloc * sizeof(struct yy_buffer_state*)
- );
- if ( ! (yy_buffer_stack) )
- YY_FATAL_ERROR( "out of dynamic memory in yyensure_buffer_stack()" );
-
- /* zero only the new slots.*/
- memset((yy_buffer_stack) + (yy_buffer_stack_max), 0, grow_size * sizeof(struct yy_buffer_state*));
- (yy_buffer_stack_max) = num_to_alloc;
- }
-}
-
-/** Setup the input buffer state to scan directly from a user-specified character buffer.
- * @param base the character buffer
- * @param size the size in bytes of the character buffer
- *
- * @return the newly allocated buffer state object.
- */
-YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
-{
- YY_BUFFER_STATE b;
-
- if ( size < 2 ||
- base[size-2] != YY_END_OF_BUFFER_CHAR ||
- base[size-1] != YY_END_OF_BUFFER_CHAR )
- /* They forgot to leave room for the EOB's. */
- return NULL;
-
- b = (YY_BUFFER_STATE) yyalloc( sizeof( struct yy_buffer_state ) );
- if ( ! b )
- YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
-
- b->yy_buf_size = (int) (size - 2); /* "- 2" to take care of EOB's */
- b->yy_buf_pos = b->yy_ch_buf = base;
- b->yy_is_our_buffer = 0;
- b->yy_input_file = NULL;
- b->yy_n_chars = b->yy_buf_size;
- b->yy_is_interactive = 0;
- b->yy_at_bol = 1;
- b->yy_fill_buffer = 0;
- b->yy_buffer_status = YY_BUFFER_NEW;
-
- yy_switch_to_buffer( b );
-
- return b;
-}
-
-/** Setup the input buffer state to scan a string. The next call to yylex() will
- * scan from a @e copy of @a str.
- * @param yystr a NUL-terminated string to scan
- *
- * @return the newly allocated buffer state object.
- * @note If you want to scan bytes that may contain NUL values, then use
- * yy_scan_bytes() instead.
- */
-YY_BUFFER_STATE yy_scan_string (const char * yystr )
-{
-
- return yy_scan_bytes( yystr, (int) strlen(yystr) );
-}
-
-/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
- * scan from a @e copy of @a bytes.
- * @param yybytes the byte buffer to scan
- * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
- *
- * @return the newly allocated buffer state object.
- */
-YY_BUFFER_STATE yy_scan_bytes (const char * yybytes, int _yybytes_len )
-{
- YY_BUFFER_STATE b;
- char *buf;
- yy_size_t n;
- int i;
-
- /* Get memory for full buffer, including space for trailing EOB's. */
- n = (yy_size_t) (_yybytes_len + 2);
- buf = (char *) yyalloc( n );
- if ( ! buf )
- YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
-
- for ( i = 0; i < _yybytes_len; ++i )
- buf[i] = yybytes[i];
-
- buf[_yybytes_len] = buf[_yybytes_len+1] = YY_END_OF_BUFFER_CHAR;
-
- b = yy_scan_buffer( buf, n );
- if ( ! b )
- YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
-
- /* It's okay to grow etc. this buffer, and we should throw it
- * away when we're done.
- */
- b->yy_is_our_buffer = 1;
-
- return b;
-}
-
-#ifndef YY_EXIT_FAILURE
-#define YY_EXIT_FAILURE 2
-#endif
-
-static void yynoreturn yy_fatal_error (const char* msg )
-{
- fprintf( stderr, "%s\n", msg );
- exit( YY_EXIT_FAILURE );
-}
-
-/* Redefine yyless() so it works in section 3 code. */
-
-#undef yyless
-#define yyless(n) \
- do \
- { \
- /* Undo effects of setting up yytext. */ \
- int yyless_macro_arg = (n); \
- YY_LESS_LINENO(yyless_macro_arg);\
- yytext[yyleng] = (yy_hold_char); \
- (yy_c_buf_p) = yytext + yyless_macro_arg; \
- (yy_hold_char) = *(yy_c_buf_p); \
- *(yy_c_buf_p) = '\0'; \
- yyleng = yyless_macro_arg; \
- } \
- while ( 0 )
-
-/* Accessor methods (get/set functions) to struct members. */
-
-/** Get the current line number.
- *
- */
-int yyget_lineno (void)
-{
-
- return yylineno;
-}
-
-/** Get the input stream.
- *
- */
-FILE *yyget_in (void)
-{
- return yyin;
-}
-
-/** Get the output stream.
- *
- */
-FILE *yyget_out (void)
-{
- return yyout;
-}
-
-/** Get the length of the current token.
- *
- */
-int yyget_leng (void)
-{
- return yyleng;
-}
-
-/** Get the current token.
- *
- */
-
-char *yyget_text (void)
-{
- return yytext;
-}
-
-/** Set the current line number.
- * @param _line_number line number
- *
- */
-void yyset_lineno (int _line_number )
-{
-
- yylineno = _line_number;
-}
-
-/** Set the input stream. This does not discard the current
- * input buffer.
- * @param _in_str A readable stream.
- *
- * @see yy_switch_to_buffer
- */
-void yyset_in (FILE * _in_str )
-{
- yyin = _in_str ;
-}
-
-void yyset_out (FILE * _out_str )
-{
- yyout = _out_str ;
-}
-
-int yyget_debug (void)
-{
- return yy_flex_debug;
-}
-
-void yyset_debug (int _bdebug )
-{
- yy_flex_debug = _bdebug ;
-}
-
-static int yy_init_globals (void)
-{
- /* Initialization is the same as for the non-reentrant scanner.
- * This function is called from yylex_destroy(), so don't allocate here.
- */
-
- (yy_buffer_stack) = NULL;
- (yy_buffer_stack_top) = 0;
- (yy_buffer_stack_max) = 0;
- (yy_c_buf_p) = NULL;
- (yy_init) = 0;
- (yy_start) = 0;
-
-/* Defined in main.c */
-#ifdef YY_STDINIT
- yyin = stdin;
- yyout = stdout;
-#else
- yyin = NULL;
- yyout = NULL;
-#endif
-
- /* For future reference: Set errno on error, since we are called by
- * yylex_init()
- */
- return 0;
-}
-
-/* yylex_destroy is for both reentrant and non-reentrant scanners. */
-int yylex_destroy (void)
-{
-
- /* Pop the buffer stack, destroying each element. */
- while(YY_CURRENT_BUFFER){
- yy_delete_buffer( YY_CURRENT_BUFFER );
- YY_CURRENT_BUFFER_LVALUE = NULL;
- yypop_buffer_state();
- }
-
- /* Destroy the stack itself. */
- yyfree((yy_buffer_stack) );
- (yy_buffer_stack) = NULL;
-
- /* Reset the globals. This is important in a non-reentrant scanner so the next time
- * yylex() is called, initialization will occur. */
- yy_init_globals( );
-
- return 0;
-}
-
-/*
- * Internal utility routines.
- */
-
-#ifndef yytext_ptr
-static void yy_flex_strncpy (char* s1, const char * s2, int n )
-{
-
- int i;
- for ( i = 0; i < n; ++i )
- s1[i] = s2[i];
-}
-#endif
-
-#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen (const char * s )
-{
- int n;
- for ( n = 0; s[n]; ++n )
- ;
-
- return n;
-}
-#endif
-
-void *yyalloc (yy_size_t size )
-{
- return malloc(size);
-}
-
-void *yyrealloc (void * ptr, yy_size_t size )
-{
-
- /* The cast to (char *) in the following accommodates both
- * implementations that use char* generic pointers, and those
- * that use void* generic pointers. It works with the latter
- * because both ANSI C and C++ allow castless assignment from
- * any pointer type to void*, and deal with argument conversions
- * as though doing an assignment.
- */
- return realloc(ptr, size);
-}
-
-void yyfree (void * ptr )
-{
- free( (char *) ptr ); /* see yyrealloc() for (char *) cast */
-}
-
-#define YYTABLES_NAME "yytables"
-
-#line 90 "sel-lex.l"
-
-
-static char *
-handle_string(void)
-{
- char x[1024];
- int i = 0;
- int c;
- int quote = 0;
- while((c = input()) != EOF){
- if(quote) {
- x[i++] = '\\';
- x[i++] = c;
- quote = 0;
- continue;
- }
- if(c == '\n'){
- _hx509_sel_yyerror("unterminated string");
- lineno++;
- break;
- }
- if(c == '\\'){
- quote++;
- continue;
- }
- if(c == '\"')
- break;
- x[i++] = c;
- }
- x[i] = '\0';
- return strdup(x);
-}
-
-#if !defined(yywrap)
-#define yywrap _hx509_sel_yywrap
-#endif
-
-int
-yywrap ()
-{
- return 1;
-}
-
-static int
-lex_input(char *buf, int max_size)
-{
- int n;
-
- n = _hx509_expr_input.length - _hx509_expr_input.offset;
- if (max_size < n)
- n = max_size;
- if (n <= 0)
- return YY_NULL;
-
- memcpy(buf, _hx509_expr_input.buf + _hx509_expr_input.offset, n);
- _hx509_expr_input.offset += n;
-
- return n;
-}
-
diff --git a/lib/hx509/sel.c b/lib/hx509/sel.c
index 6930b50f7cda..bfd55e938fc0 100644
--- a/lib/hx509/sel.c
+++ b/lib/hx509/sel.c
@@ -33,7 +33,7 @@
#include "hx_locl.h"
-struct hx_expr *
+HX509_LIB_FUNCTION struct hx_expr * HX509_LIB_CALL
_hx509_make_expr(enum hx_expr_op op, void *arg1, void *arg2)
{
struct hx_expr *expr;
@@ -155,7 +155,7 @@ eval_comp(hx509_context context, hx509_env env, struct hx_expr *expr)
return FALSE;
}
-int
+HX509_LIB_FUNCTION int HX509_LIB_CALL
_hx509_expr_eval(hx509_context context, hx509_env env, struct hx_expr *expr)
{
switch (expr->op) {
@@ -179,7 +179,7 @@ _hx509_expr_eval(hx509_context context, hx509_env env, struct hx_expr *expr)
}
}
-void
+HX509_LIB_FUNCTION void HX509_LIB_CALL
_hx509_expr_free(struct hx_expr *expr)
{
switch (expr->op) {
@@ -204,7 +204,8 @@ _hx509_expr_free(struct hx_expr *expr)
free(expr);
}
-struct hx_expr *
+/* XXX Horrible, no good cause not thread-safe */
+HX509_LIB_FUNCTION struct hx_expr * HX509_LIB_CALL
_hx509_expr_parse(const char *buf)
{
_hx509_expr_input.buf = buf;
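Review bot: The new `/* XXX Horrible, no good cause not thread-safe */` names the problem but not what a caller has to do about it; since `_hx509_expr_parse()` hands its input to the file-scope `_hx509_expr_input` on the next line, two threads parsing concurrently would race on that shared state. Suggest an actionable comment instead, e.g. `/* Not thread-safe: parser state lives in the global _hx509_expr_input; callers must serialize calls to _hx509_expr_parse(). */`. The body of `_hx509_expr_parse` continues past the end of this hunk.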
@@ -222,6 +223,12 @@ _hx509_expr_parse(const char *buf)
return _hx509_expr_input.expr;
}
+const char *
+_hx509_expr_parse_error(void)
+{
+ return _hx509_expr_input.error;
+}
+
void
_hx509_sel_yyerror (const char *s)
{
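Review bot: `_hx509_expr_parse_error()` is the one function in this file the commit leaves without the `HX509_LIB_FUNCTION`/`HX509_LIB_CALL` decoration it adds to `_hx509_make_expr`, `_hx509_expr_eval`, `_hx509_expr_free` and `_hx509_expr_parse`; if it is meant to be reachable from outside the library it should be declared the same way, and if it is internal-only a short comment saying so would stop the next reader from "fixing" it. The returned pointer is `_hx509_expr_input.error`, a member of the same global the parser writes to, so it is only meaningful until the next `_hx509_expr_parse()` call and inherits the thread-safety caveat noted on that function; a comment such as `/* Error from the most recent _hx509_expr_parse(); not thread-safe, invalid after the next parse. */` would document that. Whether `.error` is reset at the start of each parse is not visible in this hunk.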
diff --git a/lib/hx509/sel.h b/lib/hx509/sel.h
index 52a84d31c5ae..daa471e25ec8 100644
--- a/lib/hx509/sel.h
+++ b/lib/hx509/sel.h
@@ -67,6 +67,20 @@ struct hx_expr_input {
extern struct hx_expr_input _hx509_expr_input;
+/*
+ * With bison/flex, the more modern way to allow multiple yacc/lex grammars to
+ * be linked into a single executable is to use the
+ *
+ * bison: -p, --name-prefix=,PREFIX/, -Dapi.prefix=PREFIX
+ * flex: -Pprefix, --prefix=STRING
+ *
+ * options, these take care of renaming all the machine-generated global entry
+ * points, some of which are new. When these options are used "yylex",
+ * "yyparse", ... are already defined and our (potentially incomplete) attempt
+ * to do the same conflicts with the "right" new way to handle this. The below
+ * logic gets us out of the way when the job has already been taken care of by
+ * the parser-generator.
+ */
#if !defined(yylex)
#define yylex _hx509_sel_yylex
#define yywrap _hx509_sel_yywrap
diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c
index eeb9ae373425..75f675579c77 100644
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -311,7 +311,7 @@ add_st_object(void)
return NULL;
for (i = 0; i < soft_token.object.num_objs; i++) {
- if (soft_token.object.objs == NULL) {
+ if (soft_token.object.objs[i] == NULL) {
soft_token.object.objs[i] = o;
break;
}
@@ -422,7 +422,7 @@ struct foo {
char *id;
};
-static int
+static int HX509_LIB_CALL
add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
{
static char empty[] = "";
@@ -822,48 +822,26 @@ func_not_supported(void)
static char *
get_config_file_for_user(void)
{
- char *fn = NULL;
-
-#ifndef _WIN32
- char *home = NULL;
+ char *fn;
int ret;
- if (!issuid()) {
- fn = getenv("SOFTPKCS11RC");
- if (fn)
- fn = strdup(fn);
- home = getenv("HOME");
- }
- if (fn == NULL && home == NULL) {
- struct passwd *pw = getpwuid(getuid());
- if(pw != NULL)
- home = pw->pw_dir;
- }
+ fn = secure_getenv("SOFTPKCS11RC");
+ if (fn)
+ fn = strdup(fn);
if (fn == NULL) {
+ char homebuf[MAX_PATH];
+ const char *home = roken_get_appdatadir(homebuf, sizeof(homebuf));
+
if (home) {
ret = asprintf(&fn, "%s/.soft-token.rc", home);
if (ret == -1)
fn = NULL;
- } else
+ } else {
+#ifndef WIN32
fn = strdup("/etc/soft-token.rc");
+#endif
+ }
}
-#else /* Windows */
-
- char appdatafolder[MAX_PATH];
-
- fn = getenv("SOFTPKCS11RC");
-
- /* Retrieve the roaming AppData folder for the current user. The
- current user is the user account represented by the current
- thread token. */
-
- if (fn == NULL &&
- SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA, NULL, SHGFP_TYPE_CURRENT, appdatafolder))) {
-
- asprintf(&fn, "%s\\.soft-token.rc", appdatafolder);
- }
-
-#endif /* _WIN32 */
return fn;
}
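Review bot: The guard on the `/etc/soft-token.rc` fallback is now `#ifndef WIN32`, while the code this hunk removes tested `_WIN32`; `_WIN32` is the macro the compiler predefines, whereas `WIN32` depends on the build's own definitions, so the fallback may end up compiled in on a Windows build — `#ifndef _WIN32` keeps the behaviour the removed code had. Separately, the removed version deliberately skipped `getenv("HOME")` under `issuid()` and fell back to `getpwuid()`, whereas the new code only protects `SOFTPKCS11RC` through `secure_getenv()` and delegates the home-directory lookup to `roken_get_appdatadir()`, so whether a set-uid process can still be steered to a caller-controlled HOME now depends entirely on that helper. A one-line comment stating that `roken_get_appdatadir()` is expected to be set-uid safe (or a pointer to where that is guaranteed) would make the intent auditable here.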
diff --git a/lib/hx509/test_ca.in b/lib/hx509/test_ca.in
index 0264116bbe69..cf739a1f90e9 100644
--- a/lib/hx509/test_ca.in
+++ b/lib/hx509/test_ca.in
@@ -89,6 +89,8 @@ ${hxtool} verify \
crl:FILE:crl.crl \
anchor:FILE:$srcdir/data/ca.crt > /dev/null && exit 1
+# XXX Check that the certs issued below have the requested content
+
echo "issue crl (with cert)"
${hxtool} crl-sign \
--crl-file=crl.crl \
@@ -108,7 +110,14 @@ ${hxtool} issue-certificate \
--subject="cn=foo" \
--lifetime="10years 1 month" \
--req="PKCS10:pkcs10-request.der" \
+ --permanent-id=1.2.3.4.5.6.6:SomeVendor:A0B1C2D3 \
+ --hardware-module-name=tcg-tpm20:SomeVendor:Z0Y1X2W3 \
+ --policy="1.2.3.4.5.6:data:foo this is a warning" \
+ --policy="id-x509-ce-certificatePolicies-anyPolicy" \
+ --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.6" \
+ --policy-mapping="1.2.3.4.5.6:1.2.3.4.5.7" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (with https ekus)"
${hxtool} issue-certificate \
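Review bot: `${hxtool} print --content FILE:cert-ee.pem || exit 1` only proves the issued certificate parses and prints; it does not check that the `--permanent-id`, `--hardware-module-name`, `--policy` and `--policy-mapping` values requested just above actually landed in it, which is what the `# XXX` comment added earlier in this file admits is still missing. Redirect the print output to a file under `$objdir` and compare it against an expected listing — the pattern this same commit uses in test_req.in with `diff "$objdir/expected" "${objdir}/actual" || exit 1` — or at minimum grep it for the requested policy OID `1.2.3.4.5.6`. The same applies to every other `print --content` line added throughout this file.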
@@ -118,6 +127,7 @@ ${hxtool} issue-certificate \
--type="https-client" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (pkinit KDC)"
${hxtool} issue-certificate \
@@ -127,6 +137,7 @@ ${hxtool} issue-certificate \
--pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (pkinit client)"
${hxtool} issue-certificate \
@@ -136,6 +147,7 @@ ${hxtool} issue-certificate \
--pk-init-principal="lha@TEST.H5L.SE" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (hostnames)"
${hxtool} issue-certificate \
@@ -146,6 +158,7 @@ ${hxtool} issue-certificate \
--hostname="ftp.test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
@@ -172,6 +185,7 @@ ${hxtool} issue-certificate \
--type="https-server" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "verify certificate hostname (ok)"
${hxtool} verify --missing-revoke \
@@ -193,6 +207,7 @@ ${hxtool} issue-certificate \
--email="test@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue certificate (email, null subject DN)"
${hxtool} issue-certificate \
@@ -201,6 +216,7 @@ ${hxtool} issue-certificate \
--email="lha@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-null.pem" || exit 1
+${hxtool} print --content FILE:cert-null.pem || exit 1
echo "issue certificate (jabber)"
${hxtool} issue-certificate \
@@ -209,6 +225,7 @@ ${hxtool} issue-certificate \
--jid="lha@test.h5l.se" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue self-signed cert"
${hxtool} issue-certificate \
@@ -216,6 +233,7 @@ ${hxtool} issue-certificate \
--ca-private-key=FILE:$srcdir/data/key.der \
--subject="cn=test" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue ca cert"
${hxtool} issue-certificate \
@@ -224,6 +242,7 @@ ${hxtool} issue-certificate \
--subject="cn=ca-cert" \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-ca.der" || exit 1
+${hxtool} print --content FILE:cert-ca.der || exit 1
echo "issue self-signed ca cert"
${hxtool} issue-certificate \
@@ -232,6 +251,7 @@ ${hxtool} issue-certificate \
--ca-private-key=FILE:$srcdir/data/key.der \
--subject="cn=ca-root" \
--certificate="FILE:cert-ca.der" || exit 1
+${hxtool} print --content FILE:cert-ca.der || exit 1
echo "issue proxy certificate"
${hxtool} issue-certificate \
@@ -239,6 +259,7 @@ ${hxtool} issue-certificate \
--issue-proxy \
--req="PKCS10:pkcs10-request.der" \
--certificate="FILE:cert-proxy.der" || exit 1
+${hxtool} print --content FILE:cert-proxy.der || exit 1
echo "verify proxy cert"
${hxtool} verify --missing-revoke \
@@ -256,6 +277,7 @@ ${hxtool} issue-certificate \
--path-length=-1 \
--subject="cn=ca2-cert" \
--certificate="FILE:cert-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "issue sub-ca cert (generate rsa key)"
${hxtool} issue-certificate \
@@ -265,6 +287,7 @@ ${hxtool} issue-certificate \
--generate-key=rsa \
--subject="cn=sub-ca2-cert" \
--certificate="FILE:cert-sub-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-sub-ca.pem || exit 1
echo "issue ee cert (generate rsa key)"
${hxtool} issue-certificate \
@@ -272,6 +295,7 @@ ${hxtool} issue-certificate \
--generate-key=rsa \
--subject="cn=cert-ee2" \
--certificate="FILE:cert-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-ee.pem || exit 1
echo "issue sub-ca ee cert (generate rsa key)"
${hxtool} issue-certificate \
@@ -279,6 +303,7 @@ ${hxtool} issue-certificate \
--generate-key=rsa \
--subject="cn=cert-sub-ee2" \
--certificate="FILE:cert-sub-ee.pem" || exit 1
+${hxtool} print --content FILE:cert-sub-ee.pem || exit 1
echo "verify certificate (ee)"
${hxtool} verify --missing-revoke \
@@ -313,6 +338,7 @@ ${hxtool} issue-certificate \
--ca-private-key=FILE:cert-ca.pem \
--subject="cn=ca2-cert" \
--certificate="FILE:cert-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
@@ -329,6 +355,7 @@ ${hxtool} issue-certificate \
--path-length=-1 \
--ca-private-key=FILE:cert-ca.pem \
--certificate="FILE:cert-ca.pem" || exit 1
+${hxtool} print --content FILE:cert-ca.pem || exit 1
echo "verify certificate generated by previous ca"
${hxtool} verify --missing-revoke \
@@ -343,6 +370,7 @@ ${hxtool} issue-certificate \
--template-certificate="FILE:cert-sub-ca.pem" \
--template-fields="serialNumber,notBefore,subject,SPKI" \
--certificate="FILE:cert-sub-ca2.pem" || exit 1
+${hxtool} print --content FILE:cert-sub-ca2.pem || exit 1
echo "verify certificate (sub-ee) with extended chain"
${hxtool} verify --missing-revoke \
diff --git a/lib/hx509/test_name.c b/lib/hx509/test_name.c
index 9d21a7f65b03..ba4cbaac85d8 100644
--- a/lib/hx509/test_name.c
+++ b/lib/hx509/test_name.c
@@ -349,6 +349,74 @@ test_compare(hx509_context context)
return 0;
}
+static int
+test_pkinit_san(hx509_context context, const char *p, const char *realm, ...)
+{
+ KRB5PrincipalName kn;
+ GeneralName gn;
+ va_list ap;
+ size_t i, sz;
+ char *round_trip;
+ int ret;
+
+ memset(&kn, 0, sizeof(kn));
+ memset(&gn, 0, sizeof(gn));
+
+ ret = _hx509_make_pkinit_san(context, p, &gn.u.otherName.value);
+ if (ret == 0)
+ ret = decode_KRB5PrincipalName(gn.u.otherName.value.data,
+ gn.u.otherName.value.length, &kn, &sz);
+ if (ret)
+ return 1;
+ if (strcmp(realm, kn.realm) != 0)
+ return 1;
+
+ va_start(ap, realm);
+ for (i = 0; i < kn.principalName.name_string.len; i++) {
+ const char *s = va_arg(ap, const char *);
+
+ if (s == NULL || strcmp(kn.principalName.name_string.val[i], s) != 0)
+ return 1;
+ }
+ if (va_arg(ap, const char *) != NULL)
+ return 1;
+ va_end(ap);
+
+ gn.element = choice_GeneralName_otherName;
+ gn.u.otherName.type_id.length = 0;
+ gn.u.otherName.type_id.components = 0;
+ ret = der_copy_oid(&asn1_oid_id_pkinit_san, &gn.u.otherName.type_id);
+ if (ret == 0)
+ ret = hx509_general_name_unparse(&gn, &round_trip);
+ if (ret)
+ return 1;
+ if (strncmp(round_trip, "otherName: 1.3.6.1.5.2.2 KerberosPrincipalName ",
+ sizeof("otherName: 1.3.6.1.5.2.2 KerberosPrincipalName ") - 1))
+ return 1;
+ if (ret || strcmp(round_trip + sizeof("otherName: 1.3.6.1.5.2.2 KerberosPrincipalName ") - 1, p) != 0)
+ return 1;
+ free_KRB5PrincipalName(&kn);
+ free_GeneralName(&gn);
+ free(round_trip);
+ return 0;
+}
+
+static int
+test_pkinit_san_fail(hx509_context context, const char *p)
+{
+ heim_octet_string os;
+ KRB5PrincipalName kn;
+ int ret;
+
+ memset(&kn, 0, sizeof(kn));
+ ret = _hx509_make_pkinit_san(context, p, &os);
+ if (ret == 0) {
+ free(os.data);
+ return 1;
+ }
+ return 0;
+}
+
int
main(int argc, char **argv)
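Review bot: In `test_pkinit_san` the `return 1` inside the `for` loop and the one after `va_arg(ap, const char *) != NULL` leave the function after `va_start(ap, realm)` without a matching `va_end(ap)`, which the C standard requires; set a local failure flag and `break` instead, call `va_end(ap)` once after the loop, then return on the flag. Those early returns, and the ones at the `strncmp`/`strcmp` checks, also leak `kn`, `gn` and `round_trip`, which for a test mainly matters because it can mask leak reports from the code under test. On the `if (ret || strcmp(...))` line, `ret` is already known to be 0 from the check two lines above, so `ret ||` is dead. In `test_pkinit_san_fail`, `kn` is declared and zeroed but never used and can be dropped.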
@@ -376,7 +444,25 @@ main(int argc, char **argv)
ret += test_compare(context);
+ ret += test_pkinit_san(context, "foo@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo", NULL);
+ ret += test_pkinit_san(context, "foo\\ bar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo bar", NULL);
+ ret += test_pkinit_san(context, "foo\\/bar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo/bar", NULL);
+ ret += test_pkinit_san(context, "foo/bar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo", "bar", NULL);
+ ret += test_pkinit_san(context, "foo\\tbar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo\tbar", NULL);
+ ret += test_pkinit_san(context, "foo\\nbar@BAR.H5L.SE",
+ "BAR.H5L.SE", "foo\nbar", NULL);
+ ret += test_pkinit_san(context, "foo@\\ BAR.H5L.SE",
+ " BAR.H5L.SE", "foo", NULL);
+ ret += test_pkinit_san(context, "foo@\\nBAR.H5L.SE",
+ "\nBAR.H5L.SE", "foo", NULL);
+ ret += test_pkinit_san_fail(context, "foo\\0bar@BAR.H5L.SE");
+
hx509_context_free(&context);
- return ret;
+ return !!ret;
}
diff --git a/lib/hx509/test_nist.in b/lib/hx509/test_nist.in
index 9dffbe69177c..09034fe629b5 100644
--- a/lib/hx509/test_nist.in
+++ b/lib/hx509/test_nist.in
@@ -60,6 +60,7 @@ if [ ! -d "$nistdir" ] ; then
{ rm -rf "$nistdir" ; exit 1; }
fi
+ec=0
while read id verify cert arg1 arg2 arg3 arg4 arg5 ; do
expr "$id" : "#" > /dev/null && continue
@@ -98,14 +99,14 @@ while read id verify cert arg1 arg2 arg3 arg4 arg5 ; do
if ${hxtool} verify --time=2008-05-20 $args > /dev/null; then
if test "$verify" = "f"; then
+ echo ${hxtool} verify --time=2008-05-20 $args
echo "verify passed on fail: $id $cert"
- exit 1
- fi
- else
- if test "$verify" = "p"; then
- echo "verify failed on pass: $id $cert"
- exit 1
+ ec=1
fi
+ elif test "$verify" = "p"; then
+ echo ${hxtool} verify --time=2008-05-20 $args
+ echo "verify failed on pass: $id $cert"
+ ec=1
fi
done < $srcdir/data/nist-data
@@ -113,4 +114,4 @@ done < $srcdir/data/nist-data
echo "done!"
-exit 0
+exit $ec
diff --git a/lib/hx509/test_req.in b/lib/hx509/test_req.in
index 49919d918fa3..9288df6738f3 100644
--- a/lib/hx509/test_req.in
+++ b/lib/hx509/test_req.in
@@ -50,14 +50,114 @@ fi
${hxtool} request-create \
--subject="CN=Love,DC=it,DC=su,DC=se" \
- --key=FILE:$srcdir/data/key.der \
- request.out || exit 1
+ --key="FILE:$srcdir/data/key.der" \
+ "${objdir}/request.out" || exit 1
${hxtool} request-print \
PKCS10:request.out > /dev/null || exit 1
${hxtool} request-create \
--subject="CN=Love,DC=it,DC=su,DC=se" \
- --dnsname=nutcracker.it.su.se \
- --key=FILE:$srcdir/data/key.der \
- request.out || exit 1
+ --eku=1.2.3.4.5.6.7 --eku=1.2.3.4.5.6.8 \
+ --registered=1.2.3.4.5.6.9 --eku=1.2.3.4.5.6.10 \
+ --dnsname=nutcracker.test.h5l.se \
+ --dnsname=foo.nutcracker.test.h5l.se \
+ --kerberos=HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE \
+ --kerberos=host/foo.nutcracker.it.su.se@TEST.H5L.SE \
+ --email=foo@test.h5l.se \
+ --key="FILE:$srcdir/data/key.der" \
+ "${objdir}/request.out" || exit 1
+
+cat > "$objdir/expected" <<EOF
+request print
+PKCS#10 CertificationRequest:
+ name: CN=Love,DC=it,DC=su,DC=se
+ eku: {1.2.3.4.5.6.7}, {1.2.3.4.5.6.8}, {1.2.3.4.5.6.10}
+ san: rfc822Name: foo@test.h5l.se
+ san: dNSName: nutcracker.test.h5l.se
+ san: dNSName: foo.nutcracker.test.h5l.se
+ san: pkinit: HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE
+ san: pkinit: host/foo.nutcracker.it.su.se@TEST.H5L.SE
+ san: registeredID: 1.2.3.4.5.6.9
+EOF
+
+# Check that we got what we wanted:
+${hxtool} request-print \
+ PKCS10:request.out > "${objdir}/actual" || exit 1
+
+diff "$objdir/expected" "${objdir}/actual" || exit 1
+
+# Check that OpenSSL can parse our request:
+if openssl version > /dev/null; then
+ openssl req -inform DER -in "${objdir}/request.out" -text | head -25 > "${objdir}/actual"
+
+ # Various versions of openssl differ slightly in their text output for our
+ # CSR. Figure out what to expect:
+ if grep "Version: 0" "${objdir}/actual" > /dev/null; then
+ v=0
+ else
+ v=1
+ fi
+ if grep "RSA Public-Key:" "${objdir}/actual" > /dev/null; then
+ k="RSA "
+ else
+ k=""
+ fi
+ # Note interpolation of $v and $k in the here doc below:
+ cat > "$objdir/expected" <<EOF
+Certificate Request:
+ Data:
+ Version: $v (0x0)
+ Subject: DC = se, DC = su, DC = it, CN = Love
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ ${k}Public-Key: (1024 bit)
+ Modulus:
+ 00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
+ ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
+ 79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
+ 15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
+ 58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
+ c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
+ ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
+ 8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
+ 79:39:5c:c7:11:6c:b9:e7:2b
+ Exponent: 65537 (0x10001)
+ Attributes:
+ Requested Extensions:
+ X509v3 Extended Key Usage: critical
+ 1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
+ X509v3 Subject Alternative Name:
+ email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername:<unsupported>, othername:<unsupported>, Registered ID:1.2.3.4.5.6.9
+ Signature Algorithm: sha256WithRSAEncryption
+EOF
+ if ! diff -u -w "${objdir}/expected" "${objdir}/actual"; then
+ cat > "$objdir/expected" <<EOF
+Certificate Request:
+ Data:
+ Version: $v (0x0)
+ Subject: DC = se, DC = su, DC = it, CN = Love
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ ${k}Public-Key: (1024 bit)
+ Modulus:
+ 00:c2:aa:a2:42:b7:5b:99:a3:fd:ba:f0:9b:75:db:
+ ef:3c:9b:8c:cf:63:5f:46:d8:95:be:09:4a:a7:76:
+ 79:77:61:30:ef:0b:98:d2:47:ea:9c:09:b9:b9:b7:
+ 15:ac:4b:9c:2d:3f:f0:d9:99:9d:4d:5a:68:67:24:
+ 58:5e:65:60:13:9f:4d:dc:2f:03:1d:cd:e9:b6:33:
+ c2:5c:c6:de:c9:93:6c:ec:8d:9a:67:0e:dd:31:20:
+ ac:91:39:7a:c1:8f:39:65:ff:b3:1f:cf:7a:aa:79:
+ 8b:ed:eb:ad:a0:be:01:10:4c:5a:a7:47:1d:c6:ee:
+ 79:39:5c:c7:11:6c:b9:e7:2b
+ Exponent: 65537 (0x10001)
+ Attributes:
+ Requested Extensions:
+ X509v3 Extended Key Usage: critical
+ 1.2.3.4.5.6.7, 1.2.3.4.5.6.8, 1.2.3.4.5.6.10
+ X509v3 Subject Alternative Name:
+ email:foo@test.h5l.se, DNS:nutcracker.test.h5l.se, DNS:foo.nutcracker.test.h5l.se, othername: 1.3.6.1.5.2.2::<unsupported>, othername: 1.3.6.1.5.2.2::<unsupported>, Registered ID:1.2.3.4.5.6.9
+ Signature Algorithm: sha256WithRSAEncryption
+EOF
+ fi
+fi
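Review bot: The fallback comparison at the end of the OpenSSL check never happens: when the first `diff -u -w` fails, the second `expected` file is written but nothing compares it to `actual` and nothing exits non-zero, so this branch cannot fail the test. After the second heredoc's `EOF` add `diff -u -w "${objdir}/expected" "${objdir}/actual" || exit 1`. Separately, the request is now written to `"${objdir}/request.out"` but both `request-print` calls (the context one and the new one above `diff "$objdir/expected"`) still read `PKCS10:request.out` relative to the current directory, which only works when objdir is the cwd; use `PKCS10:${objdir}/request.out` there too. The `openssl req … | head -25` pipeline also reports only head's status, so an openssl failure produces an empty `actual` rather than an error of its own.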
diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map
index f040cd834496..8f46b0ac051a 100644
--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -3,6 +3,8 @@
HEIMDAL_X509_1.2 {
global:
_hx509_cert_assign_key;
+ _hx509_cert_get_keyusage;
+ _hx509_cert_get_version;
_hx509_cert_private_key;
_hx509_certs_keys_free;
_hx509_certs_keys_get;
@@ -14,35 +16,70 @@ HEIMDAL_X509_1.2 {
_hx509_generate_private_key_free;
_hx509_generate_private_key_init;
_hx509_generate_private_key_is_ca;
+ _hx509_get_cert;
+ _hx509_ks_type;
+ _hx509_make_pkinit_san;
_hx509_map_file_os;
_hx509_name_from_Name;
+ _hx509_ossl_oid2nid;
+ _hx509_private_key_export;
+ _hx509_private_key_exportable;
+ _hx509_private_key_get_internal;
+ _hx509_private_key_oid;
_hx509_private_key_ref;
- _hx509_request_add_dns_name;
- _hx509_request_add_email;
- _hx509_request_parse;
- _hx509_request_print;
- _hx509_request_set_email;
- _hx509_request_to_pkcs10;
+ hx509_request_add_GeneralName;
+ hx509_request_add_dns_name;
+ hx509_request_add_dns_srv;
+ hx509_request_add_eku;
+ hx509_request_add_email;
+ hx509_request_add_ms_upn_name;
+ hx509_request_add_pkinit;
+ hx509_request_add_registered;
+ hx509_request_add_xmpp_name;
+ hx509_request_authorize_ku;
+ hx509_request_authorize_eku;
+ hx509_request_authorize_san;
+ hx509_request_count_unsupported;
+ hx509_request_count_unauthorized;
+ hx509_request_eku_authorized_p;
+ hx509_request_print;
+ hx509_request_reject_eku;
+ hx509_request_reject_san;
+ hx509_request_san_authorized_p;
+ hx509_request_to_pkcs10;
_hx509_unmap_file_os;
_hx509_write_file;
hx509_bitstring_print;
+ _hx509_ca_issue_certificate;
hx509_ca_sign;
hx509_ca_sign_self;
hx509_ca_tbs_add_crl_dp_uri;
hx509_ca_tbs_add_eku;
+ hx509_ca_tbs_add_ku;
+ hx509_ca_tbs_add_pol;
+ hx509_ca_tbs_add_pol_mapping;
+ hx509_ca_tbs_add_san;
+ hx509_ca_tbs_add_san_dnssrv;
+ hx509_ca_tbs_add_san_hardwareModuleName;
+ hx509_ca_tbs_add_san_hardwareModuleName_string;
hx509_ca_tbs_add_san_hostname;
hx509_ca_tbs_add_san_jid;
hx509_ca_tbs_add_san_ms_upn;
hx509_ca_tbs_add_san_otherName;
+ hx509_ca_tbs_add_san_permanentIdentifier;
+ hx509_ca_tbs_add_san_permanentIdentifier_string;
hx509_ca_tbs_add_san_pkinit;
hx509_ca_tbs_add_san_rfc822name;
hx509_ca_tbs_free;
+ hx509_ca_tbs_get_name;
hx509_ca_tbs_init;
hx509_ca_tbs_set_ca;
hx509_ca_tbs_set_domaincontroller;
+ hx509_ca_tbs_set_from_csr;
hx509_ca_tbs_set_notAfter;
hx509_ca_tbs_set_notAfter_lifetime;
hx509_ca_tbs_set_notBefore;
+ hx509_ca_tbs_set_pkinit_max_life;
hx509_ca_tbs_set_proxy;
hx509_ca_tbs_set_serialnumber;
hx509_ca_tbs_set_spki;
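Review bot: `_hx509_ca_issue_certificate;` inserted between `hx509_bitstring_print;` and `hx509_ca_sign;`, and the new `hx509_request_*` run placed between `_hx509_private_key_ref;` and `_hx509_unmap_file_os;`, break the list's convention of grouping underscore-prefixed private symbols together and keeping public symbols roughly alphabetical; a few of the new pairs are also out of order (`hx509_request_authorize_ku` before `hx509_request_authorize_eku`, `hx509_request_count_unsupported` before `hx509_request_count_unauthorized`). Move the private symbol up with the other `_hx509_*` entries and merge the `hx509_request_*` additions into the existing `hx509_request_*` block that the later hunk extends. All additions go into the existing `HEIMDAL_X509_1.2` node rather than a new one; if the project versions its ABI by node, a binary built against this library would still load against an older library that provides `HEIMDAL_X509_1.2` and fail only at first call with an unresolved symbol, so a new node is presumably the safer choice — confirm against the project's policy. Dropping the `_hx509_request_*` exports is an ABI change for anything that linked them, which the underscore convention suggests is intended.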
@@ -66,12 +103,19 @@ HEIMDAL_X509_1.2 {
hx509_cert_get_issuer;
hx509_cert_get_notAfter;
hx509_cert_get_notBefore;
+ hx509_cert_get_pkinit_max_life;
hx509_cert_get_serialnumber;
hx509_cert_get_subject;
hx509_cert_get_issuer_unique_id;
hx509_cert_get_subject_unique_id;
+ hx509_cert_have_private_key;
+ hx509_cert_have_private_key_only;
hx509_cert_init;
hx509_cert_init_data;
+ hx509_cert_init_private_key;
+ hx509_cert_is_ca;
+ hx509_cert_is_root;
+ hx509_cert_is_self_signed;
hx509_cert_keyusage_print;
hx509_cert_public_encrypt;
hx509_cert_ref;
@@ -79,6 +123,7 @@ HEIMDAL_X509_1.2 {
hx509_certs_add;
hx509_certs_append;
hx509_certs_end_seq;
+ hx509_certs_destroy;
hx509_certs_ref;
hx509_certs_filter;
hx509_certs_find;
@@ -100,6 +145,7 @@ HEIMDAL_X509_1.2 {
hx509_cms_unenvelope;
hx509_cms_unwrap_ContentInfo;
hx509_cms_verify_signed;
+ hx509_cms_verify_signed_ext;
hx509_cms_wrap_ContentInfo;
hx509_context_free;
hx509_context_init;
@@ -128,6 +174,7 @@ HEIMDAL_X509_1.2 {
hx509_crypto_set_padding;
hx509_crypto_set_params;
hx509_crypto_set_random_key;
+ hx509_empty_name;
hx509_env_add;
hx509_env_add_binding;
hx509_env_find;
@@ -141,6 +188,7 @@ HEIMDAL_X509_1.2 {
hx509_find_private_alg;
hx509_general_name_unparse;
hx509_get_error_string;
+ hx509_get_instance;
hx509_get_one_cert;
hx509_lock_add_cert;
hx509_lock_add_certs;
@@ -196,10 +244,17 @@ HEIMDAL_X509_1.2 {
hx509_query_match_option;
hx509_query_statistic_file;
hx509_query_unparse_stats;
+ hx509_request_get_eku;
+ hx509_request_get_exts;
+ hx509_request_get_ku;
hx509_request_get_name;
+ hx509_request_get_san;
hx509_request_get_SubjectPublicKeyInfo;
hx509_request_free;
hx509_request_init;
+ hx509_request_parse;
+ hx509_request_parse_der;
+ hx509_request_set_ku;
hx509_request_set_name;
hx509_request_set_SubjectPublicKeyInfo;
hx509_revoke_add_crl;