pathfinder-1.1.3/0000755000175200017520000000000011324134167014134 5ustar ppattersppatterspathfinder-1.1.3/pathfinder-nss.pc.in0000644000175200017520000000055510734024624020017 0ustar ppattersppattersprefix=@CMAKE_INSTALL_PREFIX@ exec_prefix=${prefix} libdir=${exec_prefix}/lib includedir=${prefix}/include Name: NSS Pathfinder Plugin Library Description: Library that allows NSS to use PathFinder for certificate validation Version: @PACKAGE_VERSION@ Requires: nss >= 2.0.0, dbus-1 >= 1.0 Libs: -L${libdir} -lpathfinder-nss-1 Cflags: -I${includedir}/pathfinder-1 pathfinder-1.1.3/AUTHORS0000644000175200017520000000112411245314401015173 0ustar ppattersppatters=== Primary authors === William Lachance Dave Coombs === Contributors === Patrick Patterson === Copyright === All code copyright (C) 2007-2009 Carillon Information Security Inc. Licensed under the LGPL, see LICENSE for details, including the exception to the LGPL for linking to OpenSSL. This product uses cryptographic software written by Eric Young (eay@cryptsoft.com). This product links against, and uses DBUS, which is a project overseen by the Freedesktop.Org project, and used here under the Academic Free License. pathfinder-1.1.3/pathserver.h0000644000175200017520000000207411130276200016461 0ustar ppattersppatters/* * pathserver.h * * Copyright (C) 2007-2009 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. 
*/ #include #include #include #include "pathvalidator.h" #include "wvx509store.h" class PathServer { public: PathServer(boost::shared_ptr _trusted_store, boost::shared_ptr _intermediate_store, boost::shared_ptr _crlcache, UniConf &cfg); bool incoming(WvDBusConn *conn, WvDBusMsg &msg); private: void path_validated_cb(boost::shared_ptr &cert, bool valid, WvError err, WvDBusConn *conn, WvDBusMsg *reply); typedef std::map > ValidatorMap; ValidatorMap validatormap; boost::shared_ptr trusted_store; boost::shared_ptr intermediate_store; boost::shared_ptr crlcache; UniConf cfg; WvLog log; }; pathfinder-1.1.3/version.h.in0000644000175200017520000000033610652446340016403 0ustar ppattersppatters#ifndef __VERSION_H #define __VERSION_H #define PATHFINDER_NAME "@PACKAGE_NAME@" #define PATHFINDER_STRING "@PACKAGE_STRING@" #define PATHFINDER_VERSION "@PACKAGE_VERSION@" #define BUGREPORT "@PACKAGE_BUGREPORT@" #endif pathfinder-1.1.3/pathfinder-nss-uninstalled.pc.in0000644000175200017520000000047310734024624022336 0ustar ppattersppatterstop_builddir=@PROJECT_SOURCE_DIR@ Name: NSS Pathfinder Plugin Library Description: Library that allows NSS to use PathFinder for certificate validation Version: @PACKAGE_VERSION@ Requires: nss >= 2.0.0, dbus-1 >= 1.0 Libs: -L${top_builddir}/libpathfinder -lpathfinder-nss-1 Cflags: -I${top_builddir}/libpathfinder pathfinder-1.1.3/pathclient.30000644000175200017520000000215210733576701016362 0ustar ppattersppatters.TH "PATHCLIENT" "3" "December 23, 2007" "" "" .SH "NAME" pathclient \- pathfinder command line Certificate Validation tool. .SH "SYNOPSIS" .B pathclient .RI [ options ] " files" ... .br .SH "DESCRIPTION" \fBpathclient\fP provides a command line interface to connect to a pathfinder daemon, and validate an X.509 Certificate. 
.SH "OPTIONS" \fBpathclient\fR understands the following options: .TP .B \-e, \-\-initial\-explicit\-policy Set initial explicit policy when validating .TP .B \-p, \-\-initial\-policy\-mapping\-inhibit Inhibit policy mapping when validating .TP .B \-\-session Listen on the session bus (instead of the system bus) .TP .B \-t, \-\-type=type Certificate type: der or pem (default: pem) .TP .B \-\-usage Give a short usage message .TP .B \-?, \-\-help Show summary of options. .TP .B \-v, \-\-version Show version of program. .SH "SEE ALSO" .BR pathfinderd (8), .BR pathfinderd.conf (3). .br .SH "AUTHOR" pathfinder was written by Carillon Information Security Inc. .PP This manual page was written by Patrick Patterson , for the Debian project (but may be used by others). pathfinder-1.1.3/pathvalidator.cc0000644000175200017520000000625511076136227017320 0ustar ppattersppatters/* * pathvalidator.cc * * Copyright (C) 2007 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. 
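 */
#include "pathvalidator.h"
#include "wvx509policytree.h"

using namespace boost;
using namespace std;

// NOTE(review): the archive dump this listing came from lost every
// "<...>" template argument list. They are restored here and in the header
// below from how the objects are used (WvX509 certificates, WvX509Store
// stores, WvCRLCache, PathFinder, WvX509Path); confirm against the upstream
// pathfinder 1.1.3 sources.


// Builds a validator for a single certificate.
//
// _initial_policy_set_tcl is decoded with wvtcl_decode() into
// initial_policy_set, and _cert becomes both the certificate whose verdict is
// reported (cert_to_be_validated) and the first entry of the work queue
// (certs_to_be_validated). The stores, CRL cache, configuration and callback
// are only stored here; they are used later by validate() and
// path_found_cb().
PathValidator::PathValidator(shared_ptr<WvX509> &_cert,
                             WvStringParm _initial_policy_set_tcl,
                             uint32_t _validation_flags,
                             shared_ptr<WvX509Store> &_trusted_store,
                             shared_ptr<WvX509Store> &_intermediate_store,
                             shared_ptr<WvCRLCache> &_crlcache,
                             UniConf &_cfg,
                             ValidatedCb _cb) :
    cert_to_be_validated(_cert),
    validation_flags(_validation_flags),
    trusted_store(_trusted_store),
    intermediate_store(_intermediate_store),
    crlcache(_crlcache),
    cfg(_cfg),
    validated_cb(_cb),
    log(WvString("Path validator for certificate %s", _cert->get_subject()))
{
    wvtcl_decode(initial_policy_set, _initial_policy_set_tcl);
    certs_to_be_validated.push_back(_cert);
}


// Starts path discovery for the next queued certificate.
//
// Takes the certificate at the front of certs_to_be_validated, creates a
// PathFinder for it whose completion callback is path_found_cb(), and calls
// find() on it. check_ocsp is passed straight through to the PathFinder.
void PathValidator::validate(bool check_ocsp)
{
    // validate() is public and the queue only holds what the constructor or
    // path_found_cb() put there; front() on an empty list is undefined
    // behaviour, so refuse instead. Note that validated_cb is NOT invoked on
    // this path.
    if (certs_to_be_validated.empty())
    {
        log("validate() called with no certificate queued. Ignoring.\n");
        return;
    }

    shared_ptr<WvX509> cert(certs_to_be_validated.front());
    certs_to_be_validated.pop_front();

    PathFoundCb cb = wv::bind(&PathValidator::path_found_cb, this, _1, _2,
                              cert);
    shared_ptr<PathFinder> pathfinder(new PathFinder(cert, trusted_store,
                                                     intermediate_store,
                                                     crlcache,
                                                     validation_flags,
                                                     check_ocsp, cfg, cb));
    pathfinder_list.push_front(pathfinder); // just to keep a reference to it
    pathfinder->find();
}


// Completion callback for one PathFinder.
//
// path is the discovered path for cert, err the discovery status. On a
// discovery error the overall result is reported as invalid at once.
// Otherwise the path is validated; any certificates that validation says must
// be checked as well are appended to certs_to_be_validated, and the final
// verdict is only reported through validated_cb once nothing is left in that
// queue (or as soon as a path turns out to be invalid with no further
// certificates requested).
void PathValidator::path_found_cb(shared_ptr<WvX509Path> &path,
                                  WvError err,
                                  shared_ptr<WvX509> &cert)
{
    if (!err.isok())
    {
        log("Encountered error (%s) during path discovery. Aborting.\n",
            err.errstr());
        // FIXME: abort all pathfinding activities.
        validated_cb(cert_to_be_validated, false, err);
        return;
    }

    WvX509List extra_certs;
    bool valid = path->validate(trusted_store, intermediate_store,
                                initial_policy_set, validation_flags,
                                extra_certs, err);

    log("Path validated for certificate %s, certificate is %svalid.\n",
        cert->get_subject(), valid ? "" : "NOT ");

    const bool queued_more = !extra_certs.empty();
    if (queued_more)
    {
        log("Additional certificates must be validated before the path can "
            "be said to be valid.\n");
        while (!extra_certs.empty())
        {
            certs_to_be_validated.push_back(extra_certs.front());
            extra_certs.pop_front();
        }
        // NOTE(review): `valid` for this path is not carried forward; the
        // verdict finally reported is that of the last path validated.
        // Confirm that path->validate() cannot return false together with a
        // non-empty extra_certs, otherwise an invalid path could be masked
        // by a later valid one.
    }

    // validate() consumes exactly one queued certificate per call. The
    // original reported success as soon as one path came back without
    // requesting more, even when earlier requests were still sitting in the
    // queue, so those certificates were never checked. Keep draining the
    // queue before declaring the certificate valid; an invalid result with
    // nothing newly requested is still reported immediately.
    if (queued_more || (valid && !certs_to_be_validated.empty()))
    {
        validate(false); // not checking OCSP, as that can get circular
        return;
    }

    validated_cb(cert_to_be_validated, valid, err);
}
pathfinder-1.1.3/pathvalidator.h0000644000175200017520000000311011076136227017145 0ustar ppattersppatters/*
 * pathvalidator.h
 *
 * Copyright (C) 2007 Carillon Information Security Inc.
 *
 * This program and accompanying library is covered by the LGPL v2.1 or later,
 * please read LICENSE for details.
 */
#ifndef __PATHVALIDATOR_H
#define __PATHVALIDATOR_H
#include "pathfinder.h"

// Drives path discovery and path validation for one certificate and reports
// a single valid/invalid verdict through a callback.
class PathValidator
{
  public:
    // Invoked with the certificate originally passed to the constructor,
    // the verdict, and the error state of the last step that ran.
    typedef wv::function<void(boost::shared_ptr<WvX509> &, bool, WvError)>
        ValidatedCb;

    PathValidator(boost::shared_ptr<WvX509> &_cert,
                  WvStringParm _initial_policy_set_tcl,
                  uint32_t _validation_flags,
                  boost::shared_ptr<WvX509Store> &_trusted_store,
                  boost::shared_ptr<WvX509Store> &_intermediate_store,
                  boost::shared_ptr<WvCRLCache> &_crlcache,
                  UniConf &_cfg,
                  ValidatedCb _cb);

    // Starts work on the next queued certificate; check_ocsp is forwarded to
    // the PathFinder created for it.
    void validate(bool check_ocsp = true);

  private:
    void path_found_cb(boost::shared_ptr<WvX509Path> &path, WvError err,
                       boost::shared_ptr<WvX509> &cert);

    // the certificate whose verdict is reported through validated_cb
    boost::shared_ptr<WvX509> cert_to_be_validated;
    // work queue: the certificate above plus any further certificates that
    // path validation asked to have checked
    WvX509List certs_to_be_validated;
    WvStringList initial_policy_set;
    uint32_t validation_flags;
    // keep a list of pathfinder objects we create, for reference counting
    // purposes
    std::list<boost::shared_ptr<PathFinder> > pathfinder_list;

    boost::shared_ptr<WvX509Store> trusted_store;
    boost::shared_ptr<WvX509Store> intermediate_store;
    boost::shared_ptr<WvCRLCache> crlcache;
    UniConf cfg;
    ValidatedCb validated_cb;
    WvLog log;
};

#endif // __PATHVALIDATOR_H
pathfinder-1.1.3/downloader.h0000644000175200017520000000210711212243307016434 0ustar ppattersppatters/*
 * downloader.h
 *
 * Copyright (C) 2007-2009 Carillon Information Security Inc.
 *
 * This program and accompanying library is covered by the LGPL v2.1 or later,
 * please read LICENSE for details.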
*/ #ifndef __DOWNLOADER_H #define __DOWNLOADER_H #include #include #include #include #include #include typedef wv::function DownloadFinishedCb; class Downloader { public: Downloader(WvStringParm _url, WvHttpPool *_pool, DownloadFinishedCb _cb, WvStringParm _method = "GET", WvStringParm _headers = "", WvStream *content_source = NULL); virtual ~Downloader(); bool is_done() { return done; } private: WvDynBuf downloadbuf; void download_cb(WvStream &s); void download_closed_cb(WvStream &s); void download_ldap(); WvString url; WvHttpPool *pool; xplc_ptr stream; DownloadFinishedCb finished_cb; bool done; WvLog log; }; #endif pathfinder-1.1.3/t/0000755000175200017520000000000011324134134014371 5ustar ppattersppatterspathfinder-1.1.3/t/inhibitpolicymapping.t.cc0000644000175200017520000001430110652446340021373 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.11.1 Invalid inhibitPolicyMapping Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("inhibitPolicyMapping0CACert.crt"); tester.add_crl("inhibitPolicyMapping0CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping0subCACert.crt"); tester.add_crl("inhibitPolicyMapping0subCACert.crt", "inhibitPolicyMapping0CACRL.crl"); tester.add_untrusted_cert("InvalidinhibitPolicyMappingTest1EE.crt"); tester.add_crl("InvalidinhibitPolicyMappingTest1EE.crt", "inhibitPolicyMapping0subCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.11.2 Valid inhibitPolicyMapping Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("inhibitPolicyMapping1P12CACert.crt"); tester.add_crl("inhibitPolicyMapping1P12CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P12subCACert.crt"); tester.add_crl("inhibitPolicyMapping1P12subCACert.crt", "inhibitPolicyMapping1P12CACRL.crl"); tester.add_untrusted_cert("ValidinhibitPolicyMappingTest2EE.crt"); 
tester.add_crl("ValidinhibitPolicyMappingTest2EE.crt", "inhibitPolicyMapping1P12subCACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.11.3 Invalid inhibitPolicyMapping Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("inhibitPolicyMapping1P12CACert.crt"); tester.add_crl("inhibitPolicyMapping1P12CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P12subCACert.crt"); tester.add_crl("inhibitPolicyMapping1P12subCACert.crt", "inhibitPolicyMapping1P12CACRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P12subsubCACert.crt"); tester.add_crl("inhibitPolicyMapping1P12subsubCACert.crt", "inhibitPolicyMapping1P12subCACRL.crl"); tester.add_untrusted_cert("InvalidinhibitPolicyMappingTest3EE.crt"); tester.add_crl("InvalidinhibitPolicyMappingTest3EE.crt", "inhibitPolicyMapping1P12subsubCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.11.4 Valid inhibitPolicyMapping Test4") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("inhibitPolicyMapping1P12CACert.crt"); tester.add_crl("inhibitPolicyMapping1P12CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P12subCACert.crt"); tester.add_crl("inhibitPolicyMapping1P12subCACert.crt", "inhibitPolicyMapping1P12CACRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P12subsubCACert.crt"); tester.add_crl("inhibitPolicyMapping1P12subsubCACert.crt", "inhibitPolicyMapping1P12subCACRL.crl"); tester.add_untrusted_cert("ValidinhibitPolicyMappingTest4EE.crt"); tester.add_crl("ValidinhibitPolicyMappingTest4EE.crt", "inhibitPolicyMapping1P12subsubCACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.11.5 Invalid inhibitPolicyMapping Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("inhibitPolicyMapping5CACert.crt"); tester.add_crl("inhibitPolicyMapping5CACert.crt", 
"TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping5subCACert.crt"); tester.add_crl("inhibitPolicyMapping5subCACert.crt", "inhibitPolicyMapping5CACRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping5subsubCACert.crt"); tester.add_crl("inhibitPolicyMapping5subsubCACert.crt", "inhibitPolicyMapping5subCACRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping5subsubsubCACert.crt"); tester.add_crl("inhibitPolicyMapping5subsubsubCACert.crt", "inhibitPolicyMapping5subsubCACRL.crl"); tester.add_untrusted_cert("InvalidinhibitPolicyMappingTest5EE.crt"); tester.add_crl("InvalidinhibitPolicyMappingTest5EE.crt", "inhibitPolicyMapping5subsubsubCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.11.6 Invalid inhibitPolicyMapping Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("inhibitPolicyMapping1P12CACert.crt"); tester.add_crl("inhibitPolicyMapping1P12CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P12subCAIPM5Cert.crt"); tester.add_crl("inhibitPolicyMapping1P12subCAIPM5Cert.crt", "inhibitPolicyMapping1P12CACRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P12subsubCAIPM5Cert.crt"); tester.add_crl("inhibitPolicyMapping1P12subsubCAIPM5Cert.crt", "inhibitPolicyMapping1P12subCAIPM5CRL.crl"); tester.add_untrusted_cert("InvalidinhibitPolicyMappingTest6EE.crt"); tester.add_crl("InvalidinhibitPolicyMappingTest6EE.crt", "inhibitPolicyMapping1P12subsubCAIPM5CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.11.7 Valid Self-Issued inhibitPolicyMapping Test7") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("inhibitPolicyMapping1P1CACert.crt"); tester.add_crl("inhibitPolicyMapping1P1CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P1SelfIssuedCACert.crt"); tester.add_crl("inhibitPolicyMapping1P1SelfIssuedCACert.crt", 
"inhibitPolicyMapping1P1CACRL.crl"); tester.add_untrusted_cert("inhibitPolicyMapping1P1subCACert.crt"); tester.add_crl("inhibitPolicyMapping1P1subCACert.crt", "inhibitPolicyMapping1P1CACRL.crl"); tester.add_untrusted_cert("ValidSelfIssuedinhibitPolicyMappingTest7EE.crt"); tester.add_crl("ValidSelfIssuedinhibitPolicyMappingTest7EE.crt", "inhibitPolicyMapping1P1subCACRL.crl"); WVPASS(tester.validate()); } pathfinder-1.1.3/t/pathvalidator.t.cc0000644000175200017520000000431011076136227020013 0ustar ppattersppatters#include #include #include #include #include #include "wvx509policytree.h" // for ANY_POLICY_OID #include "pathvalidator.h" #include "testdefuns.t.h" #include "wvcrlcache.h" using namespace boost; static void validated_cb(shared_ptr &cert, bool valid, WvError err, int &validated_count, bool &validated_ok) { wvcon->print("Validated cb for %s\n", cert->get_ski()); validated_count++; validated_ok = valid; } WVTEST_MAIN("lookup in crlcache") { const char *CRL_URI = "http://joeyjoejoejuniorshabadoo.invalid/mycrl.crl"; WvString CRLSTORE_DIRNAME("/tmp/pathfinder-crlcache-%s", getpid()); UniConfRoot cfg("temp:"); shared_ptr trusted_store(new WvX509Store); shared_ptr intermediate_store(new WvX509Store); shared_ptr crlcache(new WvCRLCache(CRLSTORE_DIRNAME)); WvX509Mgr ca("CN=test.foo.com,DC=foo,DC=com", DEFAULT_KEYLEN, true); shared_ptr cacert(new WvX509(ca)); trusted_store->add_cert(cacert); WvRSAKey rsakey(DEFAULT_KEYLEN); WvString certreq = WvX509Mgr::certreq("cn=test.signed.com,dc=signed,dc=com", rsakey); shared_ptr cert(new WvX509); WvString certpem = ca.signreq(certreq); cert->decode(WvX509Mgr::CertPEM, certpem); WvStringList crl_urls; crl_urls.append(CRL_URI); cert->set_crl_urls(crl_urls); ca.signcert(*cert); // create the crl, add it to the crlcache mkdirp(CRLSTORE_DIRNAME); WvCRL crl(ca); WvString s = crl.encode(WvCRL::CRLPEM); WvConstStringBuffer buf(s); crlcache->add(CRL_URI, buf); int validated_count = 0; bool validated_ok = false; PathValidator p(cert, 
ANY_POLICY_OID, 0, trusted_store, intermediate_store, crlcache, cfg, wv::bind(&validated_cb, _1, _2, _3, wv::ref(validated_count), wv::ref(validated_ok))); p.validate(); // should all have validated ok, certificate not revoked. WVPASSEQ(validated_count, 1); WVPASSEQ(validated_ok, true); rm_rf(CRLSTORE_DIRNAME); } pathfinder-1.1.3/t/basicconstraints.t.cc0000644000175200017520000003215510652446340020531 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.6.1 Invalid Missing basicConstraints Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("MissingbasicConstraintsCACert.crt"); tester.add_crl("MissingbasicConstraintsCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidMissingbasicConstraintsTest1EE.crt"); tester.add_crl("InvalidMissingbasicConstraintsTest1EE.crt", "MissingbasicConstraintsCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.2 Invalid cA False Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("basicConstraintsCriticalcAFalseCACert.crt"); tester.add_crl("basicConstraintsCriticalcAFalseCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidcAFalseTest2EE.crt"); tester.add_crl("InvalidcAFalseTest2EE.crt", "basicConstraintsCriticalcAFalseCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.3 Invalid cA False Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("basicConstraintsNotCriticalcAFalseCACert.crt"); tester.add_crl("basicConstraintsNotCriticalcAFalseCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidcAFalseTest3EE.crt"); tester.add_crl("InvalidcAFalseTest3EE.crt", "basicConstraintsNotCriticalcAFalseCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.4 Valid basicConstraints Not Critical Test4") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); 
tester.add_untrusted_cert("basicConstraintsNotCriticalCACert.crt"); tester.add_crl("basicConstraintsNotCriticalCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidbasicConstraintsNotCriticalTest4EE.crt"); tester.add_crl("ValidbasicConstraintsNotCriticalTest4EE.crt", "basicConstraintsNotCriticalCACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.6.5 Invalid pathLenConstraint Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint0CACert.crt"); tester.add_crl("pathLenConstraint0CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint0subCACert.crt"); tester.add_crl("pathLenConstraint0subCACert.crt", "pathLenConstraint0CACRL.crl"); tester.add_untrusted_cert("InvalidpathLenConstraintTest5EE.crt"); tester.add_crl("InvalidpathLenConstraintTest5EE.crt", "pathLenConstraint0subCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.6 Invalid pathLenConstraint Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint0CACert.crt"); tester.add_crl("pathLenConstraint0CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint0subCACert.crt"); tester.add_crl("pathLenConstraint0subCACert.crt", "pathLenConstraint0CACRL.crl"); tester.add_untrusted_cert("InvalidpathLenConstraintTest6EE.crt"); tester.add_crl("InvalidpathLenConstraintTest6EE.crt", "pathLenConstraint0subCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.7 Valid pathLenConstraint Test7") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint0CACert.crt"); tester.add_crl("pathLenConstraint0CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidpathLenConstraintTest7EE.crt"); tester.add_crl("ValidpathLenConstraintTest7EE.crt", "pathLenConstraint0CACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.6.8 Valid 
pathLenConstraint Test8") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint0CACert.crt"); tester.add_crl("pathLenConstraint0CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidpathLenConstraintTest8EE.crt"); tester.add_crl("ValidpathLenConstraintTest8EE.crt", "pathLenConstraint0CACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.6.9 Invalid pathLenConstraint Test9") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint6CACert.crt"); tester.add_crl("pathLenConstraint6CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subCA0Cert.crt"); tester.add_crl("pathLenConstraint6subCA0Cert.crt", "pathLenConstraint6CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubCA00Cert.crt"); tester.add_crl("pathLenConstraint6subsubCA00Cert.crt", "pathLenConstraint6subCA0CRL.crl"); tester.add_untrusted_cert("InvalidpathLenConstraintTest9EE.crt"); tester.add_crl("InvalidpathLenConstraintTest9EE.crt", "pathLenConstraint6subsubCA00CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.10 Invalid pathLenConstraint Test10") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint6CACert.crt"); tester.add_crl("pathLenConstraint6CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subCA0Cert.crt"); tester.add_crl("pathLenConstraint6subCA0Cert.crt", "pathLenConstraint6CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubCA00Cert.crt"); tester.add_crl("pathLenConstraint6subsubCA00Cert.crt", "pathLenConstraint6subCA0CRL.crl"); tester.add_untrusted_cert("InvalidpathLenConstraintTest10EE.crt"); tester.add_crl("InvalidpathLenConstraintTest10EE.crt", "pathLenConstraint6subsubCA00CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.11 Invalid pathLenConstraint Test11") { Tester tester; 
tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint6CACert.crt"); tester.add_crl("pathLenConstraint6CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subCA1Cert.crt"); tester.add_crl("pathLenConstraint6subCA1Cert.crt", "pathLenConstraint6CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubCA11Cert.crt"); tester.add_crl("pathLenConstraint6subsubCA11Cert.crt", "pathLenConstraint6subCA1CRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubsubCA11XCert.crt"); tester.add_crl("pathLenConstraint6subsubsubCA11XCert.crt", "pathLenConstraint6subsubCA11CRL.crl"); tester.add_untrusted_cert("InvalidpathLenConstraintTest11EE.crt"); tester.add_crl("InvalidpathLenConstraintTest11EE.crt", "pathLenConstraint6subsubsubCA11XCRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.12 Invalid pathLenConstraint Test12") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint6CACert.crt"); tester.add_crl("pathLenConstraint6CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subCA1Cert.crt"); tester.add_crl("pathLenConstraint6subCA1Cert.crt", "pathLenConstraint6CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubCA11Cert.crt"); tester.add_crl("pathLenConstraint6subsubCA11Cert.crt", "pathLenConstraint6subCA1CRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubsubCA11XCert.crt"); tester.add_crl("pathLenConstraint6subsubsubCA11XCert.crt", "pathLenConstraint6subsubCA11CRL.crl"); tester.add_untrusted_cert("InvalidpathLenConstraintTest12EE.crt"); tester.add_crl("InvalidpathLenConstraintTest12EE.crt", "pathLenConstraint6subsubsubCA11XCRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.13 Valid pathLenConstraint Test13") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint6CACert.crt"); 
tester.add_crl("pathLenConstraint6CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subCA4Cert.crt"); tester.add_crl("pathLenConstraint6subCA4Cert.crt", "pathLenConstraint6CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubCA41Cert.crt"); tester.add_crl("pathLenConstraint6subsubCA41Cert.crt", "pathLenConstraint6subCA4CRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubsubCA41XCert.crt"); tester.add_crl("pathLenConstraint6subsubsubCA41XCert.crt", "pathLenConstraint6subsubCA41CRL.crl"); tester.add_untrusted_cert("ValidpathLenConstraintTest13EE.crt"); tester.add_crl("ValidpathLenConstraintTest13EE.crt", "pathLenConstraint6subsubsubCA41XCRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.6.14 Valid pathLenConstraint Test14") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint6CACert.crt"); tester.add_crl("pathLenConstraint6CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subCA4Cert.crt"); tester.add_crl("pathLenConstraint6subCA4Cert.crt", "pathLenConstraint6CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubCA41Cert.crt"); tester.add_crl("pathLenConstraint6subsubCA41Cert.crt", "pathLenConstraint6subCA4CRL.crl"); tester.add_untrusted_cert("pathLenConstraint6subsubsubCA41XCert.crt"); tester.add_crl("pathLenConstraint6subsubsubCA41XCert.crt", "pathLenConstraint6subsubCA41CRL.crl"); tester.add_untrusted_cert("ValidpathLenConstraintTest14EE.crt"); tester.add_crl("ValidpathLenConstraintTest14EE.crt", "pathLenConstraint6subsubsubCA41XCRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.6.15 Valid Self-Issued pathLenConstraint Test15") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint0CACert.crt"); tester.add_crl("pathLenConstraint0CACert.crt", "TrustAnchorRootCRL.crl"); 
tester.add_untrusted_cert("pathLenConstraint0SelfIssuedCACert.crt"); tester.add_crl("pathLenConstraint0SelfIssuedCACert.crt", "pathLenConstraint0CACRL.crl"); tester.add_untrusted_cert("ValidSelfIssuedpathLenConstraintTest15EE.crt"); tester.add_crl("ValidSelfIssuedpathLenConstraintTest15EE.crt", "pathLenConstraint0CACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.6.16 Invalid Self-Issued pathLenConstraint Test16") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint0CACert.crt"); tester.add_crl("pathLenConstraint0CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint0SelfIssuedCACert.crt"); tester.add_crl("pathLenConstraint0SelfIssuedCACert.crt", "pathLenConstraint0CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint0subCA2Cert.crt"); tester.add_crl("pathLenConstraint0subCA2Cert.crt", "pathLenConstraint0CACRL.crl"); tester.add_untrusted_cert("InvalidSelfIssuedpathLenConstraintTest16EE.crt"); tester.add_crl("InvalidSelfIssuedpathLenConstraintTest16EE.crt", "pathLenConstraint0subCA2CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.6.17 Valid Self-Issued pathLenConstraint Test17") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("pathLenConstraint1CACert.crt"); tester.add_crl("pathLenConstraint1CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pathLenConstraint1SelfIssuedCACert.crt"); tester.add_crl("pathLenConstraint1SelfIssuedCACert.crt", "pathLenConstraint1CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint1subCACert.crt"); tester.add_crl("pathLenConstraint1subCACert.crt", "pathLenConstraint1CACRL.crl"); tester.add_untrusted_cert("pathLenConstraint1SelfIssuedsubCACert.crt"); tester.add_crl("pathLenConstraint1SelfIssuedsubCACert.crt", "pathLenConstraint1subCACRL.crl"); tester.add_untrusted_cert("ValidSelfIssuedpathLenConstraintTest17EE.crt"); 
tester.add_crl("ValidSelfIssuedpathLenConstraintTest17EE.crt", "pathLenConstraint1subCACRL.crl"); WVPASS(tester.validate()); } pathfinder-1.1.3/t/crldistpoint.t.cc0000644000175200017520000000513010652446340017667 0ustar ppattersppatters#include "testmethods.t.h" // basically none of the tests in section 4.14 will validate properly. A small // selection of tests is provided to ensure that we fail gracefully given our // current limitations WVTEST_MAIN("4.14.1 Valid distributionPoint Test1") { // this path should validate, but we don't yet handle the // issuingDistributionPoint extension in WvCRL (due to a limitation in // OpenSSL 0.9.8) Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("distributionPoint1CACert.crt"); tester.add_crl("distributionPoint1CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValiddistributionPointTest1EE.crt"); tester.add_crl("ValiddistributionPointTest1EE.crt", "distributionPoint1CACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.14.2 Invalid distributionPoint Test2") { // this path shouldn't validate, but not for the reason it currently does // (see the comment in 4.14.1) Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("distributionPoint1CACert.crt"); tester.add_crl("distributionPoint1CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvaliddistributionPointTest2EE.crt"); tester.add_crl("InvaliddistributionPointTest2EE.crt", "distributionPoint1CACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.14.3 Invalid distributionPoint Test3") { // this path shouldn't validate, but not for the reason it currently does // (see the comment in 4.14.1) Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("distributionPoint1CACert.crt"); tester.add_crl("distributionPoint1CACert.crt", "TrustAnchorRootCRL.crl"); 
tester.add_untrusted_cert("InvaliddistributionPointTest3EE.crt"); tester.add_crl("InvaliddistributionPointTest3EE.crt", "distributionPoint1CACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.14.4 Valid distributionPoint Test4") { // this path should validate, but doesn't yet (see the comment in 4.14.1) Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("distributionPoint1CACert.crt"); tester.add_crl("distributionPoint1CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValiddistributionPointTest4EE.crt"); tester.add_crl("ValiddistributionPointTest4EE.crt", "distributionPoint1CACRL.crl"); WVFAIL(tester.validate()); } pathfinder-1.1.3/t/certpolicies.t.cc0000644000175200017520000002224710652446340017646 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.8.1 All Certificates Same Policy Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidCertificatePathTest1EE.crt"); tester.add_crl("ValidCertificatePathTest1EE.crt", "GoodCACRL.crl"); WVPASS(tester.validate()); WVPASS(tester.validate(NIST_TESTPOLICY_1, WVX509_INITIAL_EXPLICIT_POLICY)); WVFAIL(tester.validate(NIST_TESTPOLICY_2, WVX509_INITIAL_EXPLICIT_POLICY)); WVPASS(tester.validate(NIST_TESTPOLICY_1 " " NIST_TESTPOLICY_2, WVX509_INITIAL_EXPLICIT_POLICY)); } WVTEST_MAIN("4.8.2 All Certificates No Policies Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("NoPoliciesCACert.crt"); tester.add_crl("NoPoliciesCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("AllCertificatesNoPoliciesTest2EE.crt"); tester.add_crl("AllCertificatesNoPoliciesTest2EE.crt", "NoPoliciesCACRL.crl"); WVPASS(tester.validate()); WVFAIL(tester.validate(ANY_POLICY_OID, WVX509_INITIAL_EXPLICIT_POLICY)); } WVTEST_MAIN("4.8.3 
Different Policies Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("PoliciesP2subCACert.crt"); tester.add_crl("PoliciesP2subCACert.crt", "GoodCACRL.crl"); tester.add_untrusted_cert("DifferentPoliciesTest3EE.crt"); tester.add_crl("DifferentPoliciesTest3EE.crt", "PoliciesP2subCACRL.crl"); WVPASS(tester.validate()); WVFAIL(tester.validate(ANY_POLICY_OID, WVX509_INITIAL_EXPLICIT_POLICY)); WVFAIL(tester.validate(NIST_TESTPOLICY_1 " " NIST_TESTPOLICY_2, WVX509_INITIAL_EXPLICIT_POLICY)); } WVTEST_MAIN("4.8.4 Different Policies Test4") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodsubCACert.crt"); tester.add_crl("GoodsubCACert.crt", "GoodCACRL.crl"); tester.add_untrusted_cert("DifferentPoliciesTest4EE.crt"); tester.add_crl("DifferentPoliciesTest4EE.crt", "GoodsubCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.8.5 Different Policies Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("PoliciesP2subCA2Cert.crt"); tester.add_crl("PoliciesP2subCA2Cert.crt", "GoodCACRL.crl"); tester.add_untrusted_cert("DifferentPoliciesTest5EE.crt"); tester.add_crl("DifferentPoliciesTest5EE.crt", "PoliciesP2subCA2CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.8.6 Overlapping Policies Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PoliciesP1234CACert.crt"); tester.add_crl("PoliciesP1234CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("PoliciesP1234subCAP123Cert.crt"); 
tester.add_crl("PoliciesP1234subCAP123Cert.crt", "PoliciesP1234CACRL.crl"); tester.add_untrusted_cert("PoliciesP1234subsubCAP123P12Cert.crt"); tester.add_crl("PoliciesP1234subsubCAP123P12Cert.crt", "PoliciesP1234subCAP123CRL.crl"); tester.add_untrusted_cert("OverlappingPoliciesTest6EE.crt"); tester.add_crl("OverlappingPoliciesTest6EE.crt", "PoliciesP1234subsubCAP123P12CRL.crl"); WVPASS(tester.validate()); WVPASS(tester.validate(NIST_TESTPOLICY_1, WVX509_INITIAL_EXPLICIT_POLICY)); WVFAIL(tester.validate(NIST_TESTPOLICY_2, WVX509_INITIAL_EXPLICIT_POLICY)); } WVTEST_MAIN("4.8.7 Different Policies Test7") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PoliciesP123CACert.crt"); tester.add_crl("PoliciesP123CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("PoliciesP123subCAP12Cert.crt"); tester.add_crl("PoliciesP123subCAP12Cert.crt", "PoliciesP123CACRL.crl"); tester.add_untrusted_cert("PoliciesP123subsubCAP12P1Cert.crt"); tester.add_crl("PoliciesP123subsubCAP12P1Cert.crt", "PoliciesP123subCAP12CRL.crl"); tester.add_untrusted_cert("DifferentPoliciesTest7EE.crt"); tester.add_crl("DifferentPoliciesTest7EE.crt", "PoliciesP123subsubCAP12P1CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.8.8 Different Policies Test8") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PoliciesP12CACert.crt"); tester.add_crl("PoliciesP12CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("PoliciesP12subCAP1Cert.crt"); tester.add_crl("PoliciesP12subCAP1Cert.crt", "PoliciesP12CACRL.crl"); tester.add_untrusted_cert("PoliciesP12subsubCAP1P2Cert.crt"); tester.add_crl("PoliciesP12subsubCAP1P2Cert.crt", "PoliciesP12subCAP1CRL.crl"); tester.add_untrusted_cert("DifferentPoliciesTest8EE.crt"); tester.add_crl("DifferentPoliciesTest8EE.crt", "PoliciesP12subsubCAP1P2CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.8.9 Different Policies Test9") { Tester 
tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PoliciesP123CACert.crt"); tester.add_crl("PoliciesP123CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("PoliciesP123subCAP12Cert.crt"); tester.add_crl("PoliciesP123subCAP12Cert.crt", "PoliciesP123CACRL.crl"); tester.add_untrusted_cert("PoliciesP123subsubCAP12P2Cert.crt"); tester.add_crl("PoliciesP123subsubCAP12P2Cert.crt", "PoliciesP123subCAP12CRL.crl"); tester.add_untrusted_cert("PoliciesP123subsubsubCAP12P2P1Cert.crt"); tester.add_crl("PoliciesP123subsubsubCAP12P2P1Cert.crt", "PoliciesP123subsubCAP2P2CRL.crl"); tester.add_untrusted_cert("DifferentPoliciesTest9EE.crt"); tester.add_crl("DifferentPoliciesTest9EE.crt", "PoliciesP123subsubsubCAP12P2P1CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.8.10 All Certificates Same Policies Test10") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PoliciesP12CACert.crt"); tester.add_crl("PoliciesP12CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("AllCertificatesSamePoliciesTest10EE.crt"); tester.add_crl("AllCertificatesSamePoliciesTest10EE.crt", "PoliciesP12CACRL.crl"); WVPASS(tester.validate()); WVPASS(tester.validate(NIST_TESTPOLICY_1)); WVPASS(tester.validate(NIST_TESTPOLICY_2)); } WVTEST_MAIN("4.8.11 All Certificates AnyPolicy Test11") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("anyPolicyCACert.crt"); tester.add_crl("anyPolicyCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("AllCertificatesanyPolicyTest11EE.crt"); tester.add_crl("AllCertificatesanyPolicyTest11EE.crt", "anyPolicyCACRL.crl"); WVPASS(tester.validate()); WVPASS(tester.validate(NIST_TESTPOLICY_1)); } WVTEST_MAIN("4.8.12 Different Policies Test12") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PoliciesP3CACert.crt"); 
tester.add_crl("PoliciesP3CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("DifferentPoliciesTest12EE.crt"); tester.add_crl("DifferentPoliciesTest12EE.crt", "PoliciesP3CACRL.crl"); WVFAIL(tester.validate(ANY_POLICY_OID)); } WVTEST_MAIN("4.8.13 All Certificates Same Policies Test13") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PoliciesP123CACert.crt"); tester.add_crl("PoliciesP123CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("AllCertificatesSamePoliciesTest13EE.crt"); tester.add_crl("AllCertificatesSamePoliciesTest13EE.crt", "PoliciesP123CACRL.crl"); WVPASS(tester.validate(NIST_TESTPOLICY_1)); WVPASS(tester.validate(NIST_TESTPOLICY_2)); WVPASS(tester.validate(NIST_TESTPOLICY_3)); } WVTEST_MAIN("4.8.14 AnyPolicy Test14") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("anyPolicyCACert.crt"); tester.add_crl("anyPolicyCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("AnyPolicyTest14EE.crt"); tester.add_crl("AnyPolicyTest14EE.crt", "anyPolicyCACRL.crl"); WVPASS(tester.validate(NIST_TESTPOLICY_1)); WVFAIL(tester.validate(NIST_TESTPOLICY_2)); } pathfinder-1.1.3/t/pathfinder.t.cc0000644000175200017520000000403511076136254017301 0ustar ppattersppatters#include #include #define private public #include "pathfinder.h" #undef private #include "testmethods.t.h" using namespace boost; using namespace std; // currently disabled because carillon's ocsp server is still in testing #if 0 static void path_found_cb_ocsp(shared_ptr &path, WvError err, shared_ptr &cert, int &found_count) { found_count++; WVFAIL(err.geterr()); if (err.geterr()) { wvcon->print("ERROR: %s\n", err.errstr()); return; } pair iterpair = path->ocsp_map.equal_range(cert->get_ski().cstr()); WVFAIL(iterpair.first == iterpair.second); // WVFAILEQ doesn't work here if (iterpair.first != iterpair.second) { shared_ptr resp = (*iterpair.first).second; 
WVPASS(resp->isok());
    }
}


// OCSP test. It sits inside the `#if 0` region opened earlier in this file
// (closed by the #endif below), so it is currently not compiled: nothing on
// this page exercises the OCSP branch of PathFinder.
WVTEST_MAIN("ocsp checking")
{
    WvHttpStream::global_enable_pipelining = false;

    UniConfRoot cfg("temp:");
    shared_ptr trusted_store(new WvX509Store);
    shared_ptr intermediate_store(new WvX509Store);
    // Fixed location under /tmp; the name suggests the directory is expected
    // to be absent -- TODO confirm how WvCRLCache treats a missing directory.
    shared_ptr crlcache(new WvCRLCache("/tmp/does-not-exist-no"));

    // certificate under test, PEM-encoded
    shared_ptr cert(new WvX509);
    cert->decode(WvX509::CertFilePEM, WvString("%s%s", CERTS_PATH,
                                               "carillon-invalid-ocsp.pem"));

    // the only trust anchor given to the path finder
    shared_ptr cacert(new WvX509);
    cacert->decode(WvX509::CertFilePEM, WvString("%s%s", CERTS_PATH,
                                                 "carillon-root-ca.pem"));
    trusted_store->add_cert(cacert);

    // path_found_cb_ocsp increments found_count each time it is called
    int found_count = 0;
    PathFinder p(cert, trusted_store, intermediate_store, crlcache, 0, true,
                 cfg, wv::bind(&path_found_cb_ocsp, _1, _2, wv::ref(cert),
                               wv::ref(found_count)));
    p.find();

    // pump the global stream list until the callback has fired; there is no
    // timeout, so a callback that never fires would hang the test
    while (!found_count)
        WvIStreamList::globallist.runonce();

    WVPASSEQ(found_count, 1);
}
#endif
pathfinder-1.1.3/t/testdefuns.t.h0000644000175200017520000000067411073205275017205 0ustar ppattersppatters
#ifndef __TESTDEFUNS_H
#define __TESTDEFUNS_H

// most of these are defines so we can concatenate them easily
// (adjacent string literals, e.g. CRLS_PATH "GoodCACRL.crl")

// directories holding the certificate and CRL fixtures, relative to the
// directory the tests are run from
#define CERTS_PATH "testdata/certs/"
#define CRLS_PATH "testdata/crls/"

// certificate policy OIDs handed to the validator as initial policy sets
#define NIST_TESTPOLICY_1 "2.16.840.1.101.3.2.1.48.1"
#define NIST_TESTPOLICY_2 "2.16.840.1.101.3.2.1.48.2"
#define NIST_TESTPOLICY_3 "2.16.840.1.101.3.2.1.48.3"
#define NIST_TESTPOLICY_6 "2.16.840.1.101.3.2.1.48.6"

// NOTE(review): 512 bits is far below any key size considered safe for RSA
// or DSA. Presumably this only sizes throwaway keys generated inside tests
// (no use is visible in this listing) -- it must not become a default
// anywhere outside the test tree.
const int DEFAULT_KEYLEN = 512;

#endif // __TESTDEFUNS_H
pathfinder-1.1.3/t/testmethods.t.cc0000644000175200017520000001053111254750337017520 0ustar ppattersppatters
#include "testmethods.t.h"
#include "wvx509policytree.h"
#include
#include

using namespace boost;

// Creates two empty certificate stores (trust anchors and intermediates)
// and a Debug5-level log; no path has been validated yet.
Tester::Tester() :
    trusted_store(new WvX509Store),
    intermediate_store(new WvX509Store),
    log("Pathfinder Test Harness", WvLog::Debug5)
{
    validated = false;
    // register OpenSSL's error strings
    ERR_load_ERR_strings();
}


Tester::~Tester()
{
}


// Loads CERTS_PATH + certname into the trusted store only.
void Tester::add_trusted_cert(WvStringParm certname)
{
    trusted_store->add_file(WvString("%s%s", CERTS_PATH, certname));
    // note: we don't add trusted certificates to the path, whether or not
    // a trusted
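// certificate has signed the first certificate in the path
    // is one of the things that determines whether or not the path is valid
    // see RFC3280 for more details
}


/// Adds an already-decoded certificate to the trusted store (not to the path).
void Tester::add_trusted_cert(shared_ptr<WvX509> &_cert)
{
    trusted_store->add_cert(_cert);
}


/// Decodes the DER file CERTS_PATH + certname, stores it as an intermediate
/// and appends it to the path under test.
void Tester::add_untrusted_cert(WvStringParm certname)
{
    shared_ptr<WvX509> x(new WvX509);
    x->decode(WvX509::CertFileDER, WvString("%s%s", CERTS_PATH, certname));
    intermediate_store->add_cert(x);
    path.append_cert(x);
}


/// Same as above for an already-decoded certificate.
void Tester::add_untrusted_cert(shared_ptr<WvX509> &_cert)
{
    intermediate_store->add_cert(_cert);
    path.append_cert(_cert);
}


/// Decodes the DER file CERTS_PATH + certname into the intermediate store
/// without making it part of the path under test.
void Tester::add_intermediate_cert(WvStringParm certname)
{
    shared_ptr<WvX509> x(new WvX509);
    x->decode(WvX509::CertFileDER, WvString("%s%s", CERTS_PATH, certname));
    intermediate_store->add_cert(x);
}


/// Registers the CRL file CRLS_PATH + crlname for the certificate stored in
/// CERTS_PATH + certname, keyed by that certificate's subject. The pairing is
/// also kept in crl_map so that _validate() can reuse it for extra paths.
void Tester::add_crl(WvStringParm certname, WvStringParm crlname)
{
    WvX509 x;
    x.decode(WvX509::CertFileDER, WvString("%s%s", CERTS_PATH, certname));

    shared_ptr<WvCRL> crl(new WvCRL);
    crl->decode(WvCRL::CRLFileDER, WvString("%s%s", CRLS_PATH, crlname));

    path.add_crl(x.get_subject(), crl);
    crl_map.insert(CRLPair(x.get_subject().cstr(), crl));
}


/// Registers an already-decoded CRL for a certificate. The key is the
/// certificate's SKI when it has one and its subject otherwise.
void Tester::add_crl(shared_ptr<WvX509> &cert, shared_ptr<WvCRL> &crl)
{
    if (!!cert->get_ski())
    {
        path.add_crl(cert->get_ski(), crl);
        crl_map.insert(CRLPair(cert->get_ski().cstr(), crl));
    }
    else
    {
        path.add_crl(cert->get_subject(), crl);
        crl_map.insert(CRLPair(cert->get_subject().cstr(), crl));
    }
}


/// Validates the collected path with ANY_POLICY_OID as the initial policy set
/// and no flags.
bool Tester::validate()
{
    return validate(wvtcl_escape(ANY_POLICY_OID), 0);
}


/// Validates the collected path against a tcl-encoded list of policy OIDs.
bool Tester::validate(WvStringParm initial_policy_set_tcl, uint32_t flags)
{
    return _validate(initial_policy_set_tcl, flags, path);
}


/// Validates `path`, then builds and validates one further path for every
/// certificate that path.validate() hands back in extra_certs.
///
/// @param initial_policy_set_tcl tcl-encoded list of acceptable policy OIDs
/// @param flags                  passed through to WvX509Path::validate()
/// @param path                   path to check (shadows the member `path`)
/// @return true only if the path and every extra path validated; the result
///         is also stored in the member `validated`.
bool Tester::_validate(WvStringParm initial_policy_set_tcl, uint32_t flags,
                       WvX509Path &path)
{
    WvStringList initial_policy_set;
    wvtcl_decode(initial_policy_set, initial_policy_set_tcl);

    WvX509List extra_certs;
    WvError err;
    validated = path.validate(trusted_store, intermediate_store,
                              initial_policy_set, flags, extra_certs, err);
    log("Initial path validated, certificate is %svalid (reason: %s).\n",
        validated ? "" : "NOT ", err.errstr());

    for (WvX509List::iterator i = extra_certs.begin(); i != extra_certs.end();
         i++)
    {
        log("Validating extra path %s\n", (*i)->get_subject());

        // every CRL registered through add_crl() is offered to the extra path
        WvX509Path extra_path;
        for (CRLMap::iterator j = crl_map.begin(); j != crl_map.end(); j++)
        {
            extra_path.add_crl((*j).first.c_str(), (*j).second);
        }

        // Walk up the issuer chain by AKI until an issuer in the trusted
        // store is reached, prepending each intermediate on the way.
        // NOTE(review): nothing bounds this walk; an intermediate whose AKI
        // resolves back to a certificate already on the path would loop here.
        extra_path.prepend_cert((*i));
        shared_ptr<WvX509> cur((*i));
        while (!trusted_store->exists(cur->get_aki()))
        {
            shared_ptr<WvX509> next = intermediate_store->get(cur->get_aki());
            if (!next)
            {
                // the format string has one %s; the AKI that could not be
                // resolved is what it is meant to print
                log("Couldn't find cert with aki %s to build extra path!\n",
                    cur->get_aki());
                return false;
            }
            extra_path.prepend_cert(next);
            cur = next;
        }

        // extra paths are always checked with any-policy and no flags
        validated &= _validate(wvtcl_escape(ANY_POLICY_OID), 0, extra_path);
        if (!validated)
            return false;
    }

    return validated;
}


/// Removes the subject and authority key identifier extensions from `cert`.
///
/// Each extension is looked up immediately before it is deleted:
/// X509_delete_ext() shifts the extensions that follow the removed one, so an
/// index obtained before the first deletion can point at a different
/// extension (or past the end) by the time the second deletion runs.
void strip_ski_aki(WvX509 &cert)
{
    X509 *x509 = cert.get_cert();
    const int nids[2] = { NID_subject_key_identifier,
                          NID_authority_key_identifier };

    for (int i = 0; i < 2; i++)
    {
        int idx = X509_get_ext_by_NID(x509, nids[i], -1);
        if (idx >= 0)
        {
            wvcon->print("Deleting extension at idx %s\n", idx);
            X509_EXTENSION *tmpex = X509_delete_ext(x509, idx);
            X509_EXTENSION_free(tmpex);
        }
    }
}
pathfinder-1.1.3/t/pathserver.t.cc0000644000175200017520000001405111076136157017341 0ustar ppattersppatters
#include
#include
#include "testmethods.t.h"
#include "pathserver.h"

using namespace boost;

// these tests are meant to test that the D-Bus interface to pathfinder
// are working as expected

// the following class is shamelessly copied from wvdbusserver.t.cc in
// wvstreams
class TestDBusServer
{
public:
    WvString moniker;
    WvDBusServer *s;

    TestDBusServer()
    {
        fprintf(stderr, "Creating a test DBus server.\n");
        // We might prefer to use a unix: moniker, but get_addr() only
        // supports tcp: monikers just now.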
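// NOTE(review): "tcp:0.0.0.0" asks for a listener on every interface, so
        // while the tests run this D-Bus server can be reached from other
        // hosts as well as locally. A loopback moniker would keep it local;
        // confirm that listen() and get_addr() accept one before changing it.
        WvString smoniker("tcp:0.0.0.0");
        s = new WvDBusServer();
        s->listen(smoniker);
        // get_addr() yields the moniker clients use to connect
        moniker = s->get_addr();
        fprintf(stderr, "Server address is '%s'\n", moniker.cstr());
        WvIStreamList::globallist.append(s, false, "dbus server");
    }

    ~TestDBusServer()
    {
        WVRELEASE(s);

        /* Flush connections out of the globallist, necessary to trigger
         * the actual killing of the WvDBusServer object (it's ref-
         * counted based on #connections). No self-respecting program would
         * need to do this, but we don't want Valgrind thinking we're leaking
         * memory, or the open file descriptor checker freaking out.
         */
        for (int i = 0; i < 1; ++i)
            WvIStreamList::globallist.runonce();
        WVPASS(WvIStreamList::globallist.isempty());
    }
};


// Test fixture: a private D-Bus server, one client connection, and a
// PathServer wired to that connection.
class PathServerTester
{
public:
    TestDBusServer serv;
    WvDBusConn *conn;  // created by init(); NULL until then
    UniConfRoot cfg;
    shared_ptr<WvX509Store> trusted_store;
    shared_ptr<WvX509Store> intermediate_store;
    shared_ptr<WvCRLCache> crlcache;
    PathServer pathserver;

    // NOTE(review): the CRL cache lives at a fixed path under /tmp that is
    // shared by every run and every user of the machine; a per-run private
    // directory would keep foreign or stale CRL files out of the tests.
    PathServerTester() :
        conn(NULL),  // the destructor must not see an indeterminate pointer
        cfg("temp:"),
        trusted_store(new WvX509Store),
        intermediate_store(new WvX509Store),
        crlcache(new WvCRLCache("/tmp/crlcache")),
        pathserver(trusted_store, intermediate_store, crlcache, cfg)
    {
    }

    ~PathServerTester()
    {
        // init() may never have been called
        if (conn)
            WVRELEASE(conn);
    }

    // Connects to the test server, claims the pathfinder bus name and routes
    // incoming messages to PathServer::incoming.
    void init()
    {
        conn = new WvDBusConn(serv.moniker);
        WvIStreamList::globallist.append(conn, false, "dbus connection");

        conn->request_name("ca.carillon.pathfinder");
        // NOTE(review): `pathserver` is handed to wv::bind by value while the
        // callback cookie is &pathserver -- confirm whether the callback is
        // meant to run on a copy.
        conn->add_callback(WvDBusConn::PriNormal,
                           wv::bind(&PathServer::incoming, pathserver, conn,
                                    _1),
                           &pathserver);
    }

    // Loads CERTS_PATH + certname into the trusted store.
    void add_trusted_cert(WvStringParm certname)
    {
        trusted_store->add_file(WvString("%s%s", CERTS_PATH, certname));
    }

    // Loads CERTS_PATH + certname into the intermediate store.
    void add_untrusted_cert(WvStringParm certname)
    {
        intermediate_store->add_file(WvString("%s%s", CERTS_PATH, certname));
    }

    // Reply handler: counts the reply and stores its first argument in
    // myreply_ok.
    bool myreply(WvDBusMsg &msg, int &myreply_count, bool &myreply_ok)
    {
        myreply_count++;
        WvDBusMsg::Iter args(msg);
        myreply_ok = args.getnext();
        wvcon->print("got reply: ok %s count %s\n", myreply_ok,
                     myreply_count);
        return true;
    }

    bool test(WvStringParm certname, WvStringParm policy_set_tcl, bool initial_explicit_policy, bool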
initial_policy_mapping_inhibit) { WvX509 x509; x509.decode(WvX509::CertFileDER, WvString("%s%s", CERTS_PATH, certname)); WvDBusMsg msg("ca.carillon.pathfinder", "/ca/carillon/pathfinder", "ca.carillon.pathfinder", "validate"); msg.append(x509.encode(WvX509::CertHex)); msg.append(policy_set_tcl); msg.append(initial_explicit_policy); msg.append(initial_policy_mapping_inhibit); msg.append("tester"); int myreply_count = 0; bool myreply_ok = false; conn->send(msg, wv::bind(&PathServerTester::myreply, this, _1, wv::ref(myreply_count), wv::ref(myreply_ok))); while (myreply_count < 1) WvIStreamList::globallist.runonce(); return myreply_ok; } }; WVTEST_MAIN("pathserver basic") { PathServerTester tester; tester.init(); tester.cfg["verification options"].xsetint("skip revocation check", 1); // first test: don't have signing certificate in trusted store, should // fail WVFAIL(tester.test("GoodCACert.crt", ANY_POLICY_OID, false, false)); // second test: DO have signing cert in trusted store, should pass // (note that we skip the CRL check in this test, otherwise it would // fail because no CRL dp is specified in the certificate) tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); WVPASS(tester.test("GoodCACert.crt", ANY_POLICY_OID, false, false)); } WVTEST_MAIN("pathserver policies and appnames") { // we re-use the suggested path from the path validation test 4.8.1 // (certpolicies.t.cc) here PathServerTester tester; tester.init(); tester.cfg["verification options"].xsetint("skip revocation check", 1); tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); // first test: any policy oid, no override, no initial explicit policy, // should pass WVPASS(tester.test("ValidCertificatePathTest1EE.crt", ANY_POLICY_OID, false, false)); // second test: nist tespolicy 1, should pass WVPASS(tester.test("ValidCertificatePathTest1EE.crt", NIST_TESTPOLICY_1, true, false)); // third test: nist tespolicy 2, should fail 
WVFAIL(tester.test("ValidCertificatePathTest1EE.crt", NIST_TESTPOLICY_2, true, false)); // test using NIST_TESTPOLICY_1 as an override and any policy oid, should // pass tester.cfg["policy"].xset("tester", NIST_TESTPOLICY_1); WVPASS(tester.test("ValidCertificatePathTest1EE.crt", ANY_POLICY_OID, true, false)); // test using NIST_TESTPOLICY_2 as an override and any policy oid, should // fail tester.cfg["policy"].xset("tester", NIST_TESTPOLICY_2); WVFAIL(tester.test("ValidCertificatePathTest1EE.crt", ANY_POLICY_OID, true, false)); } pathfinder-1.1.3/t/CMakeLists.txt0000644000175200017520000000141311207556402017136 0ustar ppattersppattersPKGCONFIG(libwvtest WVTEST_INCLUDEDIR WVTEST_LIBDIR WVTEST_LINKFLAGS WVTEST_CFLAGS) ADD_EXECUTABLE(all.t pathserver.t.cc sigverif.t.cc certrevoke.t.cc testmethods.t.cc namechaining.t.cc validityperiods.t.cc certpolicies.t.cc requireexplicitpolicy.t.cc policymapping.t.cc inhibitpolicymapping.t.cc basicconstraints.t.cc crldistpoint.t.cc wvcrlcache.t.cc pathvalidator.t.cc revocationfinder.t.cc pathfinder.t.cc wvx509path.t.cc util.t.cc) TARGET_LINK_LIBRARIES(all.t pathology x509path) SET_TARGET_PROPERTIES(all.t PROPERTIES COMPILE_FLAGS "${WVDBUS_CFLAGS} ${WVTEST_CFLAGS} ${EXTRA_CFLAGS}" LINK_FLAGS "${WVDBUS_LINKFLAGS} ${WVTEST_LINKFLAGS} ${OPENSSL_LINKFLAGS} ${LDAP_LINKFLAGS}") ADD_CUSTOM_TARGET(test COMMAND t/testrun.sh DEPENDS all.t WORKING_DIRECTORY .)pathfinder-1.1.3/t/requireexplicitpolicy.t.cc0000644000175200017520000002044410652446340021614 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.9.1 Valid RequireExplicitPolicy Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy10CACert.crt"); tester.add_crl("requireExplicitPolicy10CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy10subCACert.crt"); tester.add_crl("requireExplicitPolicy10subCACert.crt", "requireExplicitPolicy10CACRL.crl"); 
tester.add_untrusted_cert("requireExplicitPolicy10subsubCACert.crt"); tester.add_crl("requireExplicitPolicy10subsubCACert.crt", "requireExplicitPolicy10subCACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy10subsubsubCACert.crt"); tester.add_crl("requireExplicitPolicy10subsubsubCACert.crt", "requireExplicitPolicy10subsubCACRL.crl"); tester.add_untrusted_cert("ValidrequireExplicitPolicyTest1EE.crt"); tester.add_crl("ValidrequireExplicitPolicyTest1EE.crt", "requireExplicitPolicy10subsubsubCACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.9.2 Valid RequireExplicitPolicy Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy5CACert.crt"); tester.add_crl("requireExplicitPolicy5CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy5subCACert.crt"); tester.add_crl("requireExplicitPolicy5subCACert.crt", "requireExplicitPolicy5CACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy5subsubCACert.crt"); tester.add_crl("requireExplicitPolicy5subsubCACert.crt", "requireExplicitPolicy5subCACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy5subsubsubCACert.crt"); tester.add_crl("requireExplicitPolicy5subsubsubCACert.crt", "requireExplicitPolicy5subsubCACRL.crl"); tester.add_untrusted_cert("ValidrequireExplicitPolicyTest2EE.crt"); tester.add_crl("ValidrequireExplicitPolicyTest2EE.crt", "requireExplicitPolicy5subsubsubCACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.9.3 Invalid RequireExplicitPolicy Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy4CACert.crt"); tester.add_crl("requireExplicitPolicy4CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy4subCACert.crt"); tester.add_crl("requireExplicitPolicy4subCACert.crt", "requireExplicitPolicy4CACRL.crl"); 
tester.add_untrusted_cert("requireExplicitPolicy4subsubCACert.crt"); tester.add_crl("requireExplicitPolicy4subsubCACert.crt", "requireExplicitPolicy4subCACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy4subsubsubCACert.crt"); tester.add_crl("requireExplicitPolicy4subsubsubCACert.crt", "requireExplicitPolicy4subsubCACRL.crl"); tester.add_untrusted_cert("InvalidrequireExplicitPolicyTest3EE.crt"); tester.add_crl("InvalidrequireExplicitPolicyTest3EE.crt", "requireExplicitPolicy4subsubsubCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.9.4 Valid RequireExplicitPolicy Test4") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy0CACert.crt"); tester.add_crl("requireExplicitPolicy0CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy0subCACert.crt"); tester.add_crl("requireExplicitPolicy0subCACert.crt", "requireExplicitPolicy0CACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy0subsubCACert.crt"); tester.add_crl("requireExplicitPolicy0subsubCACert.crt", "requireExplicitPolicy0subCACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy0subsubsubCACert.crt"); tester.add_crl("requireExplicitPolicy0subsubsubCACert.crt", "requireExplicitPolicy0subsubCACRL.crl"); tester.add_untrusted_cert("ValidrequireExplicitPolicyTest4EE.crt"); tester.add_crl("ValidrequireExplicitPolicyTest4EE.crt", "requireExplicitPolicy0subsubsubCACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.9.5 Invalid RequireExplicitPolicy Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy7CACert.crt"); tester.add_crl("requireExplicitPolicy7CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy7subCARE2Cert.crt"); tester.add_crl("requireExplicitPolicy7subCARE2Cert.crt", "requireExplicitPolicy7CACRL.crl"); 
tester.add_untrusted_cert("requireExplicitPolicy7subsubCARE2RE4Cert.crt"); tester.add_crl("requireExplicitPolicy7subsubCARE2RE4Cert.crt", "requireExplicitPolicy7subCARE2CRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy7subsubsubCARE2RE4Cert.crt"); tester.add_crl("requireExplicitPolicy7subsubsubCARE2RE4Cert.crt", "requireExplicitPolicy7subsubCARE2RE4CRL.crl"); tester.add_untrusted_cert("InvalidrequireExplicitPolicyTest5EE.crt"); tester.add_crl("InvalidrequireExplicitPolicyTest5EE.crt", "requireExplicitPolicy7subsubsubCARE2RE4CRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.9.6 Valid Self-Issued requireExplicitPolicy Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy2CACert.crt"); tester.add_crl("requireExplicitPolicy2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy2SelfIssuedCACert.crt"); tester.add_crl("requireExplicitPolicy2SelfIssuedCACert.crt", "requireExplicitPolicy2CACRL.crl"); tester.add_untrusted_cert("ValidSelfIssuedrequireExplicitPolicyTest6EE.crt"); tester.add_crl("ValidSelfIssuedrequireExplicitPolicyTest6EE.crt", "requireExplicitPolicy2CACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.9.7 Invalid Self-Issued requireExplicitPolicy Test7") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy2CACert.crt"); tester.add_crl("requireExplicitPolicy2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy2SelfIssuedCACert.crt"); tester.add_crl("requireExplicitPolicy2SelfIssuedCACert.crt", "requireExplicitPolicy2CACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy2subCACert.crt"); tester.add_crl("requireExplicitPolicy2subCACert.crt", "requireExplicitPolicy2CACRL.crl"); tester.add_untrusted_cert("InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt"); 
tester.add_crl("InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt", "requireExplicitPolicy2subCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.9.8 Invalid Self-Issued requireExplicitPolicy Test8") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("requireExplicitPolicy2CACert.crt"); tester.add_crl("requireExplicitPolicy2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy2SelfIssuedCACert.crt"); tester.add_crl("requireExplicitPolicy2SelfIssuedCACert.crt", "requireExplicitPolicy2CACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy2subCACert.crt"); tester.add_crl("requireExplicitPolicy2subCACert.crt", "requireExplicitPolicy2CACRL.crl"); tester.add_untrusted_cert("requireExplicitPolicy2SelfIssuedsubCACert.crt"); tester.add_crl("requireExplicitPolicy2SelfIssuedsubCACert.crt", "requireExplicitPolicy2subCACRL.crl"); tester.add_untrusted_cert("InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt"); tester.add_crl("InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt", "requireExplicitPolicy2subCACRL.crl"); WVFAIL(tester.validate()); } pathfinder-1.1.3/t/sigverif.t.cc0000644000175200017520000000606310652446340016775 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.1.1: Valid Signatures Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidCertificatePathTest1EE.crt"); tester.add_crl("ValidCertificatePathTest1EE.crt", "GoodCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.1.2: Invalid CA Signature Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("BadSignedCACert.crt"); tester.add_crl("BadSignedCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidCASignatureTest2EE.crt"); 
tester.add_crl("InvalidCASignatureTest2EE.crt", "BadSignedCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.1.3: Invalid EE Signature Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidEESignatureTest3EE.crt"); tester.add_crl("InvalidEESignatureTest3EE.crt", "GoodCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } #if 0 WVTEST_MAIN("4.1.4: Valid DSA Signatures Test4") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("DSACACert.crt"); tester.add_crl("DSACACert.crt", "DSACACRL.crl"); tester.add_untrusted_cert("ValidDSASignaturesTest4EE.crt"); tester.validate(); WVPASS(tester.validated); } // this doesn't currently pass because we only recognize crls // that are signed with rsa keys in wvcrl. probably easy to fix. 
WVTEST_MAIN("4.1.5: Valid DSA Parameter Inheritance Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("DSACACert.crt"); tester.add_crl("DSACACert.crt", "DSACACRL.crl"); tester.add_untrusted_cert("DSAParametersInheritedCACert.crt"); tester.add_crl("DSAParametersInheritedCACert.crt", "DSAParametersInheritedCACRL.crl"); tester.add_untrusted_cert("ValidDSAParameterInheritanceTest5EE.crt"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.1.6 Invalid DSA Signature Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("DSACACert.crt"); tester.add_crl("DSACACert.crt", "DSACACRL.crl"); tester.add_untrusted_cert("InvalidDSASignatureTest6EE.crt"); tester.validate(); WVFAIL(tester.validated); } #endif pathfinder-1.1.3/t/testmethods.t.h0000644000175200017520000000324111073706260017355 0ustar ppattersppatters#ifndef __TESTMETHODS_H #define __TESTMETHODS_H #include #include #include #include #include #include #include #include "testdefuns.t.h" #include "pathfinder.h" #include "wvx509policytree.h" // for ANY_POLICY_OID class Tester { public: Tester(); ~Tester(); void add_trusted_cert(WvStringParm certname); void add_trusted_cert(boost::shared_ptr &_cert); void add_untrusted_cert(WvStringParm certname); void add_untrusted_cert(boost::shared_ptr &_cert); void add_intermediate_cert(WvStringParm certname); void add_crl(WvStringParm certname, WvStringParm crlname); void add_crl(boost::shared_ptr &_cert, boost::shared_ptr &_crl); bool validate(); bool validate(WvStringParm initial_policy_oids, uint32_t flags = 0); bool _validate(WvStringParm initial_policy_set_tcl, uint32_t flags, WvX509Path &path); void path_found_cb(WvX509 *_cert, WvX509Path *_path, WvError err, void *); boost::shared_ptr trusted_store; 
boost::shared_ptr intermediate_store;
    // the path under test; add_untrusted_cert() appends to it
    WvX509Path path;

    // copy-pasted from wvx509path
    // (CRLs recorded by add_crl(), keyed by a subject or SKI string)
    typedef std::multimap< std::string, boost::shared_ptr > CRLMap;
    CRLMap crl_map;
    typedef std::pair< std::string, boost::shared_ptr > CRLPair;

    // outcome of the most recent validation; several tests read it directly
    bool validated;
    WvLog log;
};

// utility method to strip ski/aki info from certificate, useful for tests
// where we want to make sure that path discovery and validation works
// without them
void strip_ski_aki(WvX509 &cert);

#endif // __TESTMETHODS_H
pathfinder-1.1.3/t/wvcrlcache.t.cc0000644000175200017520000000371311076174074017302 0ustar ppattersppatters
#include
#include
#include
#include
#include
#include "wvcrlcache.h"
#include "wvstrutils.h"
#include "testmethods.t.h"

using namespace boost;

// Exercises WvCRLCache against a cache directory the test populates itself:
// lookup by URL and by file name, reload after the file's mtime changes, and
// reuse of the loaded CRL when the mtime is unchanged.
WVTEST_MAIN("crlcache basic")
{
    // NOTE(review): the directory name is predictable (fixed prefix plus the
    // pid) and lives in the shared /tmp; it is created with mkdirp() and
    // later removed with rm_rf(). A directory created atomically with a
    // random name (mkdtemp-style) avoids colliding with, or operating on,
    // something another local user placed there first.
    WvString dirname("/tmp/pathfinder-crlcache-%s", getpid());
    // the test places the CRL for a URL at <dir>/<url-encoded URL>
    WvString crlloc = WvString("%s/%s", dirname,
                               url_encode("http://foohost/Trust.crl"));
    mkdirp(dirname);
    fcopy(CRLS_PATH "TrustAnchorRootCRL.crl", crlloc);

    WvCRLCache store(dirname);

    // present by URL and by file; absent entries must yield nothing
    WVPASS(store.get_url("http://foohost/Trust.crl"));
    WVFAIL(store.get_url("http://foohost/Trust2.crl"));
    WVPASS(store.get_file(crlloc));
    WVFAIL(store.get_file(WvString("/%s/my-imaginary-non-existent-file",
                                   dirname)));
    WVPASSEQ(store.get_url("http://foohost/Trust.crl")->get_aki(),
             "FB:6C:D4:2D:81:9E:CA:27:7A:9E:0D:B0:3C:EA:9A:BC:87:FF:49:EA");

    // replace the crl with something completely different
    fcopy(CRLS_PATH "GoodCACRL.crl", crlloc);
    // push the file's timestamps 5000 seconds into the future so the change
    // of mtime is unambiguous
    time_t real_new_file_time = time(NULL) + 5000;
    utimbuf buf;
    buf.actime = real_new_file_time;
    buf.modtime = real_new_file_time;
    utime(crlloc, &buf);

    // the cache must now serve the new CRL through both lookups
    WVPASSEQ(store.get_url("http://foohost/Trust.crl")->get_aki(),
             "B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7");
    WVPASSEQ(store.get_file(crlloc)->get_aki(),
             "B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7");

    // set the crl back to what it was, but make sure the modtime is the same:
    // wvcrlcache should use the previous version
    // NOTE(review): this pins mtime as the only change signal -- a file whose
    // content changes while its mtime stays the same keeps being served from
    // the copy already loaded. Worth keeping in mind wherever the cache
    // directory can be written by something other than pathfinder.
    fcopy(CRLS_PATH "TrustAnchorRootCRL.crl", crlloc);
    utime(crlloc, &buf);

    WVPASSEQ(store.get_url("http://foohost/Trust.crl")->get_aki(),
             "B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7");
    WVPASSEQ(store.get_file(crlloc)->get_aki(),
             "B7:2E:A6:82:CB:C2:C8:BC:A8:7B:27:44:D7:35:33:DF:9A:15:94:C7");

    rm_rf(dirname);
}
pathfinder-1.1.3/t/testrun.sh0000755000175200017520000000070511063502736016445 0ustar ppattersppatters
#!/bin/sh

# stupid script to execute WvStreams unit test stuff. right now only set up to
# run tests with in-tree version of wvstreams, but should be extendable to
# do so out of tree as well

# NOTE(review): WVSTREAMS_SRC and TESTNAME come from the environment and are
# not checked; with WVSTREAMS_SRC unset the helper and the suppression file
# resolve to /wvtestrunner.pl and /wvstreams.supp.
WVTESTHELPER="$WVSTREAMS_SRC/wvtestrunner.pl"
SUPPRESSIONS="$WVSTREAMS_SRC/wvstreams.supp"
VALGRIND="valgrind --tool=memcheck --leak-check=yes --num-callers=10 --log-file=valgrind.log --suppressions=$SUPPRESSIONS"

# $VALGRIND is expanded unquoted and relies on word splitting to become
# separate arguments, so a WVSTREAMS_SRC containing whitespace breaks the
# command line.
$WVTESTHELPER $VALGRIND t/all.t $TESTNAME
pathfinder-1.1.3/t/namechaining.t.cc0000644000175200017520000001533410734030170017570 0ustar ppattersppatters
#include "testmethods.t.h"

// Expected to be rejected: the path ends in InvalidNameChainingTest1EE.crt.
WVTEST_MAIN("4.3.1 Invalid Name Chaining EE Test1")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("GoodCACert.crt");
    tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("InvalidNameChainingTest1EE.crt");
    tester.add_crl("InvalidNameChainingTest1EE.crt", "GoodCACRL.crl");

    tester.validate();
    WVFAIL(tester.validated);
}


// Expected to be rejected: the path ends in InvalidNameChainingOrderTest2EE.crt.
WVTEST_MAIN("4.3.2 Invalid Name Chaining Order Test2")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("NameOrderingCACert.crt");
    // NOTE(review): the neighbouring tests pair the intermediate CA
    // certificate with TrustAnchorRootCRL.crl (the CRL of its issuer); here
    // it is paired with the CA's own CRL. If that is unintended, the expected
    // failure below could come from revocation checking rather than from
    // name ordering -- TODO confirm.
    tester.add_crl("NameOrderingCACert.crt", "NameOrderCACRL.crl");
    tester.add_untrusted_cert("InvalidNameChainingOrderTest2EE.crt");
    tester.add_crl("InvalidNameChainingOrderTest2EE.crt", "NameOrderCACRL.crl");

    tester.validate();
    WVFAIL(tester.validated);
}


WVTEST_MAIN("4.3.3 Valid Name Chaining
Whitespace Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidNameChainingWhitespaceTest3EE.crt"); tester.add_crl("ValidNameChainingWhitespaceTest3EE.crt", "GoodCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.3.4 Valid Name Chaining Whitespace Test4") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidNameChainingWhitespaceTest4EE.crt"); tester.add_crl("ValidNameChainingWhitespaceTest4EE.crt", "GoodCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.3.5 Valid Name Chaining Capitalization Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidNameChainingCapitalizationTest5EE.crt"); tester.add_crl("ValidNameChainingCapitalizationTest5EE.crt", "GoodCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.3.6 Valid Name Chaining UIDs Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("UIDCACert.crt"); tester.add_crl("UIDCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidNameUIDsTest6EE.crt"); tester.add_crl("ValidNameUIDsTest6EE.crt", "UIDCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.3.7 Valid RFC3280 
Mandatory Attribute Types Test7") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("RFC3280MandatoryAttributeTypesCACert.crt"); tester.add_crl("RFC3280MandatoryAttributeTypesCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidRFC3280MandatoryAttributeTypesTest7EE.crt"); tester.add_crl("ValidRFC3280MandatoryAttributeTypesTest7EE.crt", "RFC3280MandatoryAttributeTypesCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.3.8 Valid RFC3280 Optional Attribute Types Test8") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("RFC3280OptionalAttributeTypesCACert.crt"); tester.add_crl("RFC3280OptionalAttributeTypesCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidRFC3280OptionalAttributeTypesTest8EE.crt"); tester.add_crl("ValidRFC3280OptionalAttributeTypesTest8EE.crt", "RFC3280OptionalAttributeTypesCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.3.9 Valid UTF8String Encoded Names Test9") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("UTF8StringEncodedNamesCACert.crt"); tester.add_crl("UTF8StringEncodedNamesCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidUTF8StringEncodedNamesTest9EE.crt"); tester.add_crl("ValidUTF8StringEncodedNamesTest9EE.crt", "UTF8StringEncodedNamesCACRL.crl"); tester.validate(); WVPASS(tester.validated); } #if 0 // Fails on Fedora for no apparent reason. 
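// Both tests on this stretch sit inside the "#if 0" region opened just above,
// so neither is compiled or run at present.

// 4.3.10: the path is expected to validate.
WVTEST_MAIN("4.3.10 Valid Rollover from PrintableString to UTF8String Test10")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("RolloverfromPrintableStringtoUTF8StringCACert.c"
                              "rt");
    tester.add_crl("RolloverfromPrintableStringtoUTF8StringCACert.crt",
                   "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("ValidRolloverfromPrintableStringtoUTF8StringTes"
                              "t10EE.crt");
    tester.add_crl("ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt",
                   "RolloverfromPrintableStringtoUTF8StringCACRL.crl");
    tester.validate();
    WVPASS(tester.validated);
}

// fails -- probably an openssl bug
// NOTE(review): the CRL for the end-entity certificate used to be registered
// under "...Test11EE.crl" instead of "...Test11EE.crt", so it was never
// attached to the certificate added on the line before. That alone may
// explain the failure; re-run with the corrected name before attributing it
// to OpenSSL and before re-enabling this block.
WVTEST_MAIN("4.3.11 Valid UTF8String Case Insensitive Match Test11")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("UTF8StringCaseInsensitiveMatchCACert.crt");
    tester.add_crl("UTF8StringCaseInsensitiveMatchCACert.crt",
                   "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("ValidUTF8StringCaseInsensitiveMatchTest11EE.crt");
    tester.add_crl("ValidUTF8StringCaseInsensitiveMatchTest11EE.crt",
                   "UTF8StringCaseInsensitiveMatchCACRL.crl");
    tester.validate();
    WVPASS(tester.validated);
}
#endif
pathfinder-1.1.3/t/all.t.cc0000644000175200017520000000015110652446340015717 0ustar ppattersppatters
/*
 * This is a dummy file, so we can generate all.t (and link it with all
 * other tests) easily.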
*/ pathfinder-1.1.3/t/policymapping.t.cc0000644000175200017520000002112210652446340020023 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.10.1 Valid Policy Mapping Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("Mapping1to2CACert.crt"); tester.add_crl("Mapping1to2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest1EE.crt"); tester.add_crl("ValidPolicyMappingTest1EE.crt", "Mapping1to2CACRL.crl"); WVPASS(tester.validate(NIST_TESTPOLICY_1)); WVFAIL(tester.validate(NIST_TESTPOLICY_2)); WVFAIL(tester.validate(ANY_POLICY_OID, WVX509_INITIAL_POLICY_MAPPING_INHIBIT)); } WVTEST_MAIN("4.10.2 Invalid Policy Mapping Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("Mapping1to2CACert.crt"); tester.add_crl("Mapping1to2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidPolicyMappingTest2EE.crt"); tester.add_crl("InvalidPolicyMappingTest2EE.crt", "Mapping1to2CACRL.crl"); WVFAIL(tester.validate()); WVFAIL(tester.validate(ANY_POLICY_OID, WVX509_INITIAL_POLICY_MAPPING_INHIBIT)); } WVTEST_MAIN("4.10.3 Valid Policy Mapping Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("P12Mapping1to3CACert.crt"); tester.add_crl("P12Mapping1to3CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("P12Mapping1to3subCACert.crt"); tester.add_crl("P12Mapping1to3subCACert.crt", "P12Mapping1to3CACRL.crl"); tester.add_untrusted_cert("P12Mapping1to3subsubCACert.crt"); tester.add_crl("P12Mapping1to3subsubCACert.crt", "P12Mapping1to3subCACRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest3EE.crt"); tester.add_crl("ValidPolicyMappingTest3EE.crt", "P12Mapping1to3subsubCACRL.crl"); WVFAIL(tester.validate(NIST_TESTPOLICY_1)); WVPASS(tester.validate(NIST_TESTPOLICY_2)); } WVTEST_MAIN("4.10.4 Invalid Policy Mapping Test4") { Tester 
tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("P12Mapping1to3CACert.crt"); tester.add_crl("P12Mapping1to3CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("P12Mapping1to3subCACert.crt"); tester.add_crl("P12Mapping1to3subCACert.crt", "P12Mapping1to3CACRL.crl"); tester.add_untrusted_cert("P12Mapping1to3subsubCACert.crt"); tester.add_crl("P12Mapping1to3subsubCACert.crt", "P12Mapping1to3subCACRL.crl"); tester.add_untrusted_cert("InvalidPolicyMappingTest4EE.crt"); tester.add_crl("InvalidPolicyMappingTest4EE.crt", "P12Mapping1to3subsubCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.10.5 Valid Policy Mapping Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("P1Mapping1to234CACert.crt"); tester.add_crl("P1Mapping1to234CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("P1Mapping1to234subCACert.crt"); tester.add_crl("P1Mapping1to234subCACert.crt", "P1Mapping1to234CACRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest5EE.crt"); tester.add_crl("ValidPolicyMappingTest5EE.crt", "P1Mapping1to234subCACRL.crl"); WVPASS(tester.validate(NIST_TESTPOLICY_1)); WVFAIL(tester.validate(NIST_TESTPOLICY_6)); } WVTEST_MAIN("4.10.6 Valid Policy Mapping Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("P1Mapping1to234CACert.crt"); tester.add_crl("P1Mapping1to234CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("P1Mapping1to234subCACert.crt"); tester.add_crl("P1Mapping1to234subCACert.crt", "P1Mapping1to234CACRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest6EE.crt"); tester.add_crl("ValidPolicyMappingTest6EE.crt", "P1Mapping1to234subCACRL.crl"); WVPASS(tester.validate(NIST_TESTPOLICY_1)); WVFAIL(tester.validate(NIST_TESTPOLICY_6)); } WVTEST_MAIN("4.10.7 Invalid Mapping From anyPolicy Test7") { Tester tester; 
tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("MappingFromanyPolicyCACert.crt"); tester.add_crl("MappingFromanyPolicyCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidMappingFromanyPolicyTest7EE.crt"); tester.add_crl("InvalidMappingFromanyPolicyTest7EE.crt", "MappingFromanyPolicyCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.10.8 Invalid Mapping To anyPolicy Test8") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("MappingToanyPolicyCACert.crt"); tester.add_crl("MappingToanyPolicyCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidMappingToanyPolicyTest8EE.crt"); tester.add_crl("InvalidMappingToanyPolicyTest8EE.crt", "MappingToanyPolicyCACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.10.9 Valid Policy Mapping Test9") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("PanyPolicyMapping1to2CACert.crt"); tester.add_crl("PanyPolicyMapping1to2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest9EE.crt"); tester.add_crl("ValidPolicyMappingTest9EE.crt", "PanyPolicyMapping1to2CACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.10.10 Invalid Policy Mapping Test10") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodsubCAPanyPolicyMapping1to2CACert.crt"); tester.add_crl("GoodsubCAPanyPolicyMapping1to2CACert.crt", "GoodCACRL.crl"); tester.add_untrusted_cert("InvalidPolicyMappingTest10EE.crt"); tester.add_crl("InvalidPolicyMappingTest10EE.crt", "GoodsubCAPanyPolicyMapping1to2CACRL.crl"); WVFAIL(tester.validate()); } WVTEST_MAIN("4.10.11 Valid Policy Mapping Test11") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); 
tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodsubCAPanyPolicyMapping1to2CACert.crt"); tester.add_crl("GoodsubCAPanyPolicyMapping1to2CACert.crt", "GoodCACRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest11EE.crt"); tester.add_crl("ValidPolicyMappingTest11EE.crt", "GoodsubCAPanyPolicyMapping1to2CACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.10.12 Valid Policy Mapping Test12") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("P12Mapping1to3CACert.crt"); tester.add_crl("P12Mapping1to3CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest12EE.crt"); tester.add_crl("ValidPolicyMappingTest12EE.crt", "P12Mapping1to3CACRL.crl"); WVPASS(tester.validate()); WVPASS(tester.validate(NIST_TESTPOLICY_1)); WVPASS(tester.validate(NIST_TESTPOLICY_2)); } WVTEST_MAIN("4.10.13 Valid Policy Mapping Test13") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("P1anyPolicyMapping1to2CACert.crt"); tester.add_crl("P1anyPolicyMapping1to2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest13EE.crt"); tester.add_crl("ValidPolicyMappingTest13EE.crt", "P1anyPolicyMapping1to2CACRL.crl"); WVPASS(tester.validate()); } WVTEST_MAIN("4.10.14 Valid Policy Mapping Test14") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("P1anyPolicyMapping1to2CACert.crt"); tester.add_crl("P1anyPolicyMapping1to2CACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidPolicyMappingTest14EE.crt"); tester.add_crl("ValidPolicyMappingTest14EE.crt", "P1anyPolicyMapping1to2CACRL.crl"); WVPASS(tester.validate()); } pathfinder-1.1.3/t/util.t.cc0000644000175200017520000001207511127740007016127 0ustar ppattersppatters#include #include #include #include #include #include 
"testmethods.t.h" #include "util.h" WVTEST_MAIN("guess encoding") { WvX509Mgr ca("CN=test.foo.com,DC=foo,DC=com", DEFAULT_KEYLEN, true); WvString fname = wvtmpfilename("pathfinder-encoding-"); WvDynBuf buf; ca.encode(WvX509::CertDER, buf); size_t old_used = buf.used(); WVPASSEQ(guess_encoding(buf), WvX509::CertDER); WVPASSEQ(old_used, buf.used()); { WvFile f(fname, O_CREAT|O_WRONLY); f.write(buf); } WVPASSEQ(guess_encoding(fname), WvX509::CertFileDER); ::unlink(fname); buf.zap(); ca.encode(WvX509::CertPEM, buf); old_used = buf.used(); WVPASSEQ(guess_encoding(buf), WvX509::CertPEM); WVPASSEQ(old_used, buf.used()); { WvFile f(fname, O_CREAT|O_WRONLY); f.write(buf); } WVPASSEQ(guess_encoding(fname), WvX509::CertFilePEM); ::unlink(fname); } WVTEST_MAIN("check MD5 or not") { char md2cert[] = "-----BEGIN CERTIFICATE-----\n" "MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzEL\n" "MAkGA1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMu\n" "MS4wLAYDVQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9y\n" "aXR5MB4XDTk0MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UE\n" "BhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD\n" "VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGb\n" "MA0GCSqGSIb3DQEBAQUAA4GJADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6O\n" "LDfO6zV4ZFQD5YRAUcm/jwjiioII0haGN1XpsSECrXZogZoFokvJSyVmIlZs\n" "iAeP94FZbYQHZXATcXY+m3dM41CJVphIuR2nKRoTLkoRWZweFdVJVCxzOmmC\n" "sZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZIhvcNAQECBQADfgBl3X7hsuyw\n" "4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3YQO2WxZpO8ZECAyIUwxr\n" "l0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc1/p3yjkWWW8O6tO1\n" "g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==\n" "-----END CERTIFICATE-----"; char md5cert[] = "-----BEGIN CERTIFICATE-----\n" "MIICtzCCAiACAQAwDQYJKoZIhvcNAQEEBQAwgaMxCzAJBgNVBAYTAkVTMRIw\n" "EAYDVQQIEwlCQVJDRUxPTkExEjAQBgNVBAcTCUJBUkNFTE9OQTEZMBcGA1UE\n" "ChMQSVBTIFNlZ3VyaWRhZCBDQTEYMBYGA1UECxMPQ2VydGlmaWNhY2lvbmVz\n" "MRcwFQYDVQQDEw5JUFMgU0VSVklET1JFUzEeMBwGCSqGSIb3DQEJARYPaXBz\n" 
"QG1haWwuaXBzLmVzMB4XDTk4MDEwMTIzMjEwN1oXDTA5MTIyOTIzMjEwN1ow\n" "gaMxCzAJBgNVBAYTAkVTMRIwEAYDVQQIEwlCQVJDRUxPTkExEjAQBgNVBAcT\n" "CUJBUkNFTE9OQTEZMBcGA1UEChMQSVBTIFNlZ3VyaWRhZCBDQTEYMBYGA1UE\n" "CxMPQ2VydGlmaWNhY2lvbmVzMRcwFQYDVQQDEw5JUFMgU0VSVklET1JFUzEe\n" "MBwGCSqGSIb3DQEJARYPaXBzQG1haWwuaXBzLmVzMIGfMA0GCSqGSIb3DQEB\n" "AQUAA4GNADCBiQKBgQCsT1J0nznqjtwlxLyYXZhkJAk8IbPMGbWOlI6H0fg3\n" "PqHILVikgDVboXVsHUUMH2Fjal5vmwpMwci4YSM1gf/+rHhwLWjhOgeYlQJU\n" "3c0jt4BT18g3RXIGJBK6E2Ehim51KODFDzT9NthFf+G4Nu+z4cYgjui0OLzh\n" "PvYR3oydAQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBACzzw3lYJN7GO9HgQmm4\n" "7mSzPWIBubOE3yN93ZjPEKn+ANgilgUTB1RXxafey9m4iEL2mdsUdx+2/iU9\n" "4aI+A6mB0i1sR/WWRowiq8jMDQ6XXotBtDvECgZAHd1G9AHduoIuPD14cJ58\n" "GNCr+Lh3B0Zx8coLY1xq+XKU1QFPoNtC\n" "-----END CERTIFICATE-----"; char sha1cert[] = "-----BEGIN CERTIFICATE-----\n" "MIIEGjCCAwICEQDsoKeLbnVqAc/EfMwvlF7XMA0GCSqGSIb3DQEBBQUAMIHK\n" "MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV\n" "BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5\n" "IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBD\n" "BgNVBAMTPFZlcmlTaWduIENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlm\n" "aWNhdGlvbiBBdXRob3JpdHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3\n" "MTYyMzU5NTlaMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24s\n" "IEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNV\n" "BAsTMShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQg\n" "dXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDQgUHVibGljIFBy\n" "aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZI\n" "hvcNAQEBBQADggEPADCCAQoCggEBAK3LpRFpxlmr8Y+1GQ9Wzsy1HyDkniYl\n" "S+BzZYlZ3tCD5PUPtbut8XzoIfzk6AzufEUiGXaStBO3IFsJ+mGuqPKljYXC\n" "KtbeZjbSmwL0qJJgfJxptI8kHtCGUvYynEFYHiK9zUVilQhu0GbdU6LM8BDc\n" "VHOLBKFGMzNcF0C5nk3T875Vg+ixiY5afJqWIpA7iCXy0lOIAgwLePLmNxdL\n" "MEYH5IBtptiWLugs+BGzOA1mppvqySNb247i8xOOGlktqgLw7KSHZtzBP/XY\n" "ufTsgsbSPZUd5cBPhMnZo0QoBmrXRazwa2rvTl/4EYIeOGM0ZlDUPpNz+jDD\n" 
"Zq3/ky2X7wMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAj/ola09b5KROJ1Wr\n" "IhVZPMq1CtRK26vdoV9TxaBXOcLORyu+OshWv8LZJxA6sQU8wHcxuzrTBXtt\n" "mhwwjIDLk5Mqg6sFUYICABFna/OIYUdfA5PVWw3g8dShMjWFsjrbsIKr0csK\n" "vE+MW8VLADsfKoKmfjaF3H48ZwC15DtS4KjrXRX5xm3wrR0OhbepmnMUWluP\n" "QSjA1egtTaRezarZ7c7c2NU8Qh0XwRJdRTjDOPP8hS6DRkiy1yBfkjaP53kP\n" "mF6Z6PDQpLv1U70qzlmwr25/bLvSHgCwIe34QWKCudiyxLtGUPMxxY8BqHTr\n" "9Xgn2uf3ZkPznoM+IKrDNWCRzg==\n" "-----END CERTIFICATE-----"; boost::shared_ptr cert(new WvX509()); cert->decode(WvX509::CertPEM, md2cert); WVPASSEQ(is_md(cert), true); cert->decode(WvX509::CertPEM, md5cert); WVPASSEQ(is_md(cert), true); cert->decode(WvX509::CertPEM, sha1cert); WVPASSEQ(is_md(cert), false); } pathfinder-1.1.3/t/revocationfinder.t.cc0000644000175200017520000001010311212243307020475 0ustar ppattersppatters#include #include #include #include #include #include #include #include "testdefuns.t.h" #include "util.h" #define private public #include "revocationfinder.h" #undef private using namespace boost; static void accept_callback_crl(IWvStream *_conn, WvBuf &stuff) { WvDynBuf header; header.putstr(WvString("HTTP/1.1 200 OK\n" "Content-Length: %s\n" "Content-Type: text/html\n\n", stuff.used())); _conn->write(header); _conn->write(stuff); _conn->close(); WvIStreamList::globallist.append(_conn, true, "http server conn"); } static void found_revocation_info(WvError &err, int &found_info_cb_count) { found_info_cb_count++; } WVTEST_MAIN("multiple lookups required") { srandom(time(NULL)); WvHttpStream::global_enable_pipelining = false; UniConfRoot cfg("temp:"); WvString crlcache_dir("/tmp/pathfinder-crlcache-%s", getpid()); rm_rf(crlcache_dir); shared_ptr crlcache(new WvCRLCache(crlcache_dir)); // FIXME: dumb assumption that these ports will be free... 
const int portstart = 8000; WvX509Mgr ca("CN=test.foo.com,DC=foo,DC=com", DEFAULT_KEYLEN, true); WvCRL crl(ca); WvDynBuf buf; crl.encode(WvCRL::CRLPEM, buf); WvRSAKey rsakey(DEFAULT_KEYLEN); WvString certreq = WvX509Mgr::certreq("cn=test.signed.com,dc=signed,dc=com", rsakey); shared_ptr cert(new WvX509); WvString certpem = ca.signreq(certreq); cert->decode(WvX509Mgr::CertPEM, certpem); WvStringList crl_urls; for (int port = portstart; port < portstart + 3; port++) crl_urls.append(WvString("http://localhost:%s/foo.crl", port)); cert->set_crl_urls(crl_urls); ca.signcert(*cert); WvTCPListener sock(WvString("localhost:%s", portstart + 2)); sock.onaccept(wv::bind(accept_callback_crl, _1, wv::ref(buf))); WvIStreamList::globallist.append(&sock, false, "http listener"); wvcon->print("Listening for requests on port %s\n", *sock.src()); shared_ptr path(new WvX509Path); int found_info_cb_count = 0; shared_ptr cacert(new WvX509(ca)); RevocationFinder finder(cert, cacert, path, crlcache, false, cfg, wv::bind(&found_revocation_info, _1, wv::ref(found_info_cb_count))); finder.find(); while (!found_info_cb_count) WvIStreamList::globallist.runonce(); WVPASSEQ(path->crl_map.count(cert->get_subject().cstr()), 1); WvIStreamList::globallist.zap(); } WVTEST_MAIN("explicit crls") { WvString crlcache_dir("/tmp/pathfinder-crlcache-%s", getpid()); rm_rf(crlcache_dir); shared_ptr crlcache(new WvCRLCache(crlcache_dir)); UniConfRoot cfg("temp:"); WvX509Mgr ca("CN=test.foo.com,DC=foo,DC=com", DEFAULT_KEYLEN, true); WvCRL crl(ca); WvString crl_filename = wvtmpfilename("crltest"); { WvDynBuf buf; crl.encode(WvCRL::CRLPEM, buf); WvFile f(crl_filename, O_CREAT|O_WRONLY); f.write(buf); } WvRSAKey rsakey(DEFAULT_KEYLEN); WvString certreq = WvX509Mgr::certreq("cn=test.signed.com,dc=signed,dc=com", rsakey); shared_ptr cert(new WvX509); WvString certpem = ca.signreq(certreq); cert->decode(WvX509Mgr::CertPEM, certpem); cfg["CRL Location"].xset(url_encode(cert->get_issuer(), "/"), crl_filename); 
shared_ptr path(new WvX509Path); int found_info_cb_count = 0; shared_ptr cacert(new WvX509(ca)); RevocationFinder finder(cert, cacert, path, crlcache, false, cfg, wv::bind(&found_revocation_info, _1, wv::ref(found_info_cb_count))); finder.find(); WVPASSEQ(path->crl_map.count(cert->get_subject().cstr()), 1); ::unlink(crl_filename); } // FIXME: would be nice to have some OCSP tests, but setting up a working // responder locally is a pain... pathfinder-1.1.3/t/validityperiods.t.cc0000644000175200017520000001056710652446340020376 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.2.1 Invalid CA notBefore Date Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("BadnotBeforeDateCACert.crt"); tester.add_crl("BadnotBeforeDateCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidCAnotBeforeDateTest1EE.crt"); tester.add_crl("InvalidCAnotBeforeDateTest1EE.crt", "BadnotBeforeDateCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.2.2 Invalid EE notBefore Date Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidEEnotBeforeDateTest2EE.crt"); tester.add_crl("InvalidEEnotBeforeDateTest2EE.crt", "GoodCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.2.3 Valid pre2000 UTC notBefore Date Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("Validpre2000UTCnotBeforeDateTest3EE.crt"); 
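tester.add_crl("Validpre2000UTCnotBeforeDateTest3EE.crt", "GoodCACRL.crl");
    tester.validate();
    WVPASS(tester.validated);
}

// 4.2.4: the path is expected to validate.
WVTEST_MAIN("4.2.4 Valid GeneralizedTime notBefore Date Test4")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("GoodCACert.crt");
    tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("ValidGeneralizedTimenotBeforeDateTest4EE.crt");
    tester.add_crl("ValidGeneralizedTimenotBeforeDateTest4EE.crt",
                   "GoodCACRL.crl");
    tester.validate();
    WVPASS(tester.validated);
}

// 4.2.5: the path must be rejected.
WVTEST_MAIN("4.2.5 Invalid CA notAfter Date Test5")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("BadnotAfterDateCACert.crt");
    // CRL pairing follows test 4.2.1 in this file: the CA certificate is
    // checked against the trust anchor's CRL and the end entity against the
    // CA's CRL. The original gave the CA its own CRL and the end entity
    // GoodCACRL.crl, which by its name belongs to a different CA. With those
    // CRLs the path could presumably be rejected for unusable revocation
    // data, so the test would pass without proving that the CA's notAfter
    // date is enforced.
    tester.add_crl("BadnotAfterDateCACert.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("InvalidCAnotAfterDateTest5EE.crt");
    tester.add_crl("InvalidCAnotAfterDateTest5EE.crt",
                   "BadnotAfterDateCACRL.crl");
    tester.validate();
    WVFAIL(tester.validated);
}

// 4.2.6: the path must be rejected.
WVTEST_MAIN("4.2.6 Invalid EE notAfter Date Test6")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("GoodCACert.crt");
    tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("InvalidEEnotAfterDateTest6EE.crt");
    tester.add_crl("InvalidEEnotAfterDateTest6EE.crt", "GoodCACRL.crl");
    tester.validate();
    WVFAIL(tester.validated);
}

WVTEST_MAIN("4.2.7 Invalid pre2000 UTC EE notAfter Date Test7")
{
    Tester tester;
    tester.add_trusted_cert("TrustAnchorRootCertificate.crt");
    tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl");
    tester.add_untrusted_cert("GoodCACert.crt");
    tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl");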
tester.add_untrusted_cert("Invalidpre2000UTCEEnotAfterDateTest7EE.crt"); tester.add_crl("Invalidpre2000UTCEEnotAfterDateTest7EE.crt", "GoodCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.2.8 Valid GeneralizedTime notAfter Date Test8") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidGeneralizedTimenotAfterDateTest8EE.crt"); tester.add_crl("ValidGeneralizedTimenotAfterDateTest8EE.crt", "GoodCACRL.crl"); tester.validate(); WVPASS(tester.validated); } pathfinder-1.1.3/t/wvx509path.t.cc0000644000175200017520000000260211106055521017101 0ustar ppattersppatters#include #include #include "testmethods.t.h" #include "wvx509path.h" using namespace boost; // the NIST tests mostly give this class a good work-out. we only add in a // quick test for certificates without ski/aki info WVTEST_MAIN("no ski/aki") { WvX509Mgr ca("CN=test.foo.com,DC=foo,DC=com", DEFAULT_KEYLEN, true); strip_ski_aki(ca); ca.signcert(ca); shared_ptr cacert(new WvX509(ca)); WvRSAKey rsakey(DEFAULT_KEYLEN); WvString certreq = WvX509Mgr::certreq( "cn=test.signed.com,dc=signed,dc=com", rsakey); shared_ptr cert(new WvX509); WvString certpem = ca.signreq(certreq); cert->decode(WvX509Mgr::CertPEM, certpem); strip_ski_aki(*cert); ca.signcert(*cert); WVFAIL(cert->get_ski()); WVFAIL(cert->get_aki()); WVFAIL(cacert->get_ski()); WVFAIL(cacert->get_aki()); Tester tester; tester.add_trusted_cert(cacert); tester.add_untrusted_cert(cert); WVPASS(tester.validate(wvtcl_escape(ANY_POLICY_OID), WVX509_SKIP_REVOCATION_CHECK)); // add a crl to the mix and see what happens shared_ptr crl(new WvCRL(ca)); tester.add_crl(cert, crl); WVPASS(tester.validate(wvtcl_escape(ANY_POLICY_OID), 0)); crl->addcert(*cert); WVPASS(ca.signcrl(*crl)); 
WVFAIL(tester.validate(wvtcl_escape(ANY_POLICY_OID), 0)); } pathfinder-1.1.3/t/certrevoke.t.cc0000644000175200017520000003231110652446340017323 0ustar ppattersppatters#include "testmethods.t.h" WVTEST_MAIN("4.4.1 Missing CRL Test1") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("NoCRLCACert.crt"); tester.add_crl("NoCRLCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidMissingCRLTest1EE.crt"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.2 Invalid Revoked CA Test2") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("RevokedsubCACert.crt"); tester.add_crl("RevokedsubCACert.crt", "GoodCACRL.crl"); tester.add_untrusted_cert("InvalidRevokedCATest2EE.crt"); tester.add_crl("InvalidRevokedCATest2EE.crt", "RevokedsubCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.3 Invalid Revoked EE Test3") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GoodCACert.crt"); tester.add_crl("GoodCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidRevokedEETest3EE.crt"); tester.add_crl("InvalidRevokedEETest3EE.crt", "GoodCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.4 Invalid Bad CRL Signature Test4") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("BadCRLSignatureCACert.crt"); tester.add_crl("BadCRLSignatureCACert.crt", "TrustAnchorRootCRL.crl"); 
tester.add_untrusted_cert("InvalidBadCRLSignatureTest4EE.crt"); tester.add_crl("InvalidBadCRLSignatureTest4EE.crt", "BadCRLSignatureCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.5 Invalid Bad CRL Issuer Name Test5") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("BadCRLIssuerNameCACert.crt"); tester.add_crl("BadCRLIssuerNameCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidBadCRLIssuerNameTest5EE.crt"); tester.add_crl("InvalidBadCRLIssuerNameTest5EE.crt", "BadCRLIssuerNameCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.6 Invalid Wrong CRL Test6") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("WrongCRLCACert.crt"); tester.add_crl("WrongCRLCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidWrongCRLTest6EE.crt"); tester.add_crl("InvalidWrongCRLTest6EE.crt", "WrongCRLCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.7 Valid Two CRLs Test7") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("TwoCRLsCACert.crt"); tester.add_crl("TwoCRLsCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidTwoCRLsTest7EE.crt"); tester.add_crl("ValidTwoCRLsTest7EE.crt", "TwoCRLsCABadCRL.crl"); tester.add_crl("ValidTwoCRLsTest7EE.crt", "TwoCRLsCAGoodCRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.4.8 Invalid Unknown CRL Entry Extension Test8") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); 
tester.add_untrusted_cert("UnknownCRLEntryExtensionCACert.crt"); tester.add_crl("UnknownCRLEntryExtensionCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidUnknownCRLEntryExtensionTest8EE.crt"); tester.add_crl("InvalidUnknownCRLEntryExtensionTest8EE.crt", "UnknownCRLEntryExtensionCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.9 Invalid Unknown CRL Extension Test9") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("UnknownCRLExtensionCACert.crt"); tester.add_crl("UnknownCRLExtensionCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidUnknownCRLExtensionTest9EE.crt"); tester.add_crl("InvalidUnknownCRLExtensionTest9EE.crt", "UnknownCRLExtensionCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.10 Invalid Unknown CRL Extension Test10") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("UnknownCRLExtensionCACert.crt"); tester.add_crl("UnknownCRLExtensionCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidUnknownCRLExtensionTest10EE.crt"); tester.add_crl("InvalidUnknownCRLExtensionTest10EE.crt", "UnknownCRLExtensionCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.11 Invalid Old CRL nextUpdate Test11") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("OldCRLnextUpdateCACert.crt"); tester.add_crl("OldCRLnextUpdateCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidOldCRLnextUpdateTest11EE.crt"); tester.add_crl("InvalidOldCRLnextUpdateTest11EE.crt", "OldCRLnextUpdateCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } 
WVTEST_MAIN("4.4.12 Invalid pre2000 CRL nextUpdate Test12") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("pre2000CRLnextUpdateCACert.crt"); tester.add_crl("pre2000CRLnextUpdateCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("Invalidpre2000CRLnextUpdateTest12EE.crt"); tester.add_crl("Invalidpre2000CRLnextUpdateTest12EE.crt", "pre2000CRLnextUpdateCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.13 Valid GeneralizedTime CRL nextUpdate Test13") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("GeneralizedTimeCRLnextUpdateCACert.crt"); tester.add_crl("GeneralizedTimeCRLnextUpdateCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidGeneralizedTimeCRLnextUpdateTest13EE.crt"); tester.add_crl("ValidGeneralizedTimeCRLnextUpdateTest13EE.crt", "GeneralizedTimeCRLnextUpdateCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.4.14 Valid Negative Serial Number Test14") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("NegativeSerialNumberCACert.crt"); tester.add_crl("NegativeSerialNumberCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidNegativeSerialNumberTest14EE.crt"); tester.add_crl("ValidNegativeSerialNumberTest14EE.crt", "NegativeSerialNumberCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.4.15 Invalid Negative Serial Number Test15") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("NegativeSerialNumberCACert.crt"); 
tester.add_crl("NegativeSerialNumberCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidNegativeSerialNumberTest15EE.crt"); tester.add_crl("InvalidNegativeSerialNumberTest15EE.crt", "NegativeSerialNumberCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.16 Valid Long Serial Number Test16") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("LongSerialNumberCACert.crt"); tester.add_crl("LongSerialNumberCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidLongSerialNumberTest16EE.crt"); tester.add_crl("ValidLongSerialNumberTest16EE.crt", "LongSerialNumberCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.4.17 Valid Long Serial Number Test17") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("LongSerialNumberCACert.crt"); tester.add_crl("LongSerialNumberCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidLongSerialNumberTest17EE.crt"); tester.add_crl("ValidLongSerialNumberTest17EE.crt", "LongSerialNumberCACRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.4.18 Invalid Long Serial Number Test18") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("LongSerialNumberCACert.crt"); tester.add_crl("LongSerialNumberCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidLongSerialNumberTest18EE.crt"); tester.add_crl("InvalidLongSerialNumberTest18EE.crt", "LongSerialNumberCACRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.19 Valid Separate Certificate and CRL Keys Test19") { Tester tester; 
tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("SeparateCertificateandCRLKeysCertificateSigningCACert.crt"); tester.add_crl("SeparateCertificateandCRLKeysCertificateSigningCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_intermediate_cert("SeparateCertificateandCRLKeysCRLSigningCert.crt"); tester.add_crl("SeparateCertificateandCRLKeysCRLSigningCert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("ValidSeparateCertificateandCRLKeysTest19EE.crt"); tester.add_crl("ValidSeparateCertificateandCRLKeysTest19EE.crt", "SeparateCertificateandCRLKeysCRL.crl"); tester.validate(); WVPASS(tester.validated); } WVTEST_MAIN("4.4.20 Invalid Separate Certificate and CRL Keys Test20") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_crl("TrustAnchorRootCertificate.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("SeparateCertificateandCRLKeysCertificateSigningCACert.crt"); tester.add_crl("SeparateCertificateandCRLKeysCertificateSigningCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_intermediate_cert("SeparateCertificateandCRLKeysCRLSigningCert.crt"); tester.add_crl("SeparateCertificateandCRLKeysCA2CRLSigningCert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidSeparateCertificateandCRLKeysTest20EE.crt"); tester.add_crl("InvalidSeparateCertificateandCRLKeysTest20EE.crt", "SeparateCertificateandCRLKeysCRL.crl"); tester.validate(); WVFAIL(tester.validated); } WVTEST_MAIN("4.4.21 Invalid Separate Certificate and CRL Keys Test21") { Tester tester; tester.add_trusted_cert("TrustAnchorRootCertificate.crt"); tester.add_untrusted_cert("SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt"); tester.add_crl("SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt", "TrustAnchorRootCRL.crl"); tester.add_intermediate_cert("SeparateCertificateandCRLKeysCA2CRLSigningCert.crt"); 
tester.add_crl("SeparateCertificateandCRLKeysCA2CRLSigningCert.crt", "TrustAnchorRootCRL.crl"); tester.add_untrusted_cert("InvalidSeparateCertificateandCRLKeysTest21EE.crt"); tester.add_crl("InvalidSeparateCertificateandCRLKeysTest21EE.crt", "SeparateCertificateandCRLKeysCA2CRL.crl"); tester.validate(); WVFAIL(tester.validated); } pathfinder-1.1.3/README0000644000175200017520000002143011254501137015011 0ustar ppattersppatters=== About Pathfinder === Pathfinder is designed to provide a mechanism for any program to perform RFC3280-compliant path validation of X509 certificates, even when some of the intermediate certificates are not present on the local machine. It will automatically download any such certificates (and their CRLs or OCSP information) from the Internet as needed using the AIA and CRL distribution point extensions of the certificates it is processing. === Building Pathfinder === Pathfinder uses the CMake build environment, which is analagous to the standard autoconf/automake system. Building proceeds in two steps: First, run "cmake .". This will create a set of makefiles which enables you to actually build pathfinder (this is analagous to running "./configure" with an AutoConf-based system). Next, run "make". This will actually build the executables and libraries that form Pathfinder. To install Pathfinder, run "make install". This will install all files needed to use Pathfinder into "/usr/local". If you wish to install Pathfinder into a different prefix, you must specify this at configure time: cmake -D CMAKE_INSTALL_PREFIX:PATH= . For example, running cmake as follows would build and install everything into /home/wlach/tmp: cmake -D CMAKE_INSTALL_PREFIX:PATH=/home/wlach/tmp . make install Pathfinder only has three dependancies: D-Bus (to provide interprocess communication), WvStreams (to provide for downloading of certificates over HTTP), and OpenSSL (to provide the relevant X509 and cryptographic functions for path validation). 
However, in order to run the self tests (see below), you will also need to have valgrind. In order to build the pathfinder client libraries, you will need the OpenSSL and LibNSS devel files. === Testing Pathfinder after building === To run the self tests on Pathfinder after building, you can run: make test which will run all of the various tests in the /t directory. These tests are designed to ensure that Pathfinder can pass the NIST PKITS tests for PDVal. If it fails, the failure can be viewed by running: cat Testing/Temporary/LastTest.log Please report any failures to: http://code.google.com/p/pathfinder-pki/issues/list === Using Pathfinder === The heart of Pathfinder is a central daemon, "pathfinderd". This is the program that actually does all the work of checking whether a certificate is valid or not (by discovering a path and verifying it). Programs interface with pathfinder by calling a D-Bus method which contacts the daemon with a hexified DER-encoded representation of the certificate they wish to validate. How to set up a simple test case: Say you had three certificates: 1. CACert.der (self-signed trust anchor; trusted, present on local machine) 2. SubCACert.der (signed by CACert; existing only on a remote server) 3. ClientCert.der (signed by SubCACert; the certificate to be validated) How would we set up pathfinder to validate them? First, you would create a directory to store the trusted certificates. In this case, we only have one. For the sake of example, we'll put it in '/tmp/trusted': mkdir -p /tmp/trusted cp CACert.der /tmp/trusted Now, we want to create a configuration file for the pathfinder daemon which specifies the trusted location. An example is contained within the pathfinder distribution: [Trusted directories] Extra certs = /tmp/trusted You may opt to use this config file by referring to it via a command-line option. You want to run the pathfinder daemon as root, so it can listen on the D-Bus system bus. 
It is also possible to listen on the session bus for testing purposes: just specify --session when running pathfinderd. For the sake of example, let's do that:

  ./pathfinderd -c ini:pathfinderd.ini.sample --session

Now that we have pathfinderd running, we'll want to validate our certificate. This can be done using the pathclient program, which will connect to the pathfinder daemon via D-Bus and attempt to validate the client certificate:

  ./pathclient --session -t der ClientCert.der

If everything is set up correctly, you should receive a message stating the certificate is valid.

=== Configuring Pathfinder ===

The pathfinder configuration file is in ini-style format with the following sections and keys.

[General]: This section contains keys that pertain to the general operation of pathfinder.
 - CRL Cache Location: This specifies where CRLs previously downloaded from the internet will be stored for later retrieval.
   - Example: CRL Cache Location = /var/cache/pathfinder/crls/

[Trusted directories]: This section is used to specify directories containing trusted certificates, in the format "identifier" = "value".
 - Example: Trusted certs = /tmp/trusted

[Policy]: This section is used to specify policies to use for application names sent to the pathfinder daemon in a validate request (see below).
 - Example: apache = 1.2.3.4

[Verification Options]: This section is used to specify options for altering the way that pathfinder verifies certificates. This is intended primarily for debugging and troubleshooting purposes, and in general users shouldn't try to modify it.
 - Skip Revocation Check: Any value other than 0 (or blank) disables revocation checking in the pathfinder daemon, so a revoked certificate is no longer rejected on that basis.
   - Example: Skip Revocation Check = 0

[Bridges]: Specifies bundles that can be used to bridge trust between PKIs (from an untrusted PKI, across the bridge, to a trusted anchor).
Typically such a bundle is published by a bridge, and contains 2 cross-certificates for each bridged PKI: one issued by the bridge and one issued *to* the bridge. Specify one bundle per line.
 - Example: My bridge = /var/pathfinder/bridges/mybridge.p7c

[Intermediate CAs]: Specifies the AKIs of intermediate CAs that may be preferable when constructing a path or examining a bridge bundle. This is *not* essential for bridging to work, but it can improve performance by choosing "your" CA certificate first when evaluating a bridge bundle instead of iterating through other untrusted ones first. For this section, the AKI is the key; the value should simply be 1.
 - Example: E0:26:A2:10:00:7D:D5:96:95:14:0C:F2:2E:54:63:F1:65:66:D9:0E = 1

[CRL Location]: Specifies a location on disk which should be used to find a CRL associated with a particular CA. For client certificates of this CA, this CRL will simply be loaded off of disk, instead of going over the network for download. If the file cannot be loaded or the CRL in it has expired, pathfinder goes on to the revocation URLs named in the certificate. Note that the keys for the specified CA names should have slashes escaped as %2f, and = signs escaped as %3d. Names should be specified with fields delimited by an (escaped) slash.
 - Example: %2FC%3DCA%2FO%3DSigning CA%2FCN%3DSubscriber Cert Signing Authority = /var/pathfinder/crls/mycrl.crl

[CA Location]: Specifies a location on disk which should be used to find a specific CA (instead of looking in the AIA extension of the client certificate). Note that the keys for the specified CA names should have slashes escaped as %2f, and = signs escaped as %3d. Names should be specified with fields delimited by an (escaped) slash.
 - Example: %2FC%3DCA%2FO%3DRoot CA%2FCN%3DCA Cert Signing Authority = /var/pathfinder/cas/myca.ca

=== Adding support for Pathfinder to your program ===

Pathfinder provides a D-Bus interface that allows you to contact the pathfinder daemon and request validation of a certificate. Currently, the interface only contains one method "validate".
Interface name: ca.carillon.pathfinder Object name: /ca/carillon/pathfinder Method name: validate Method parameters: String, String, Bool, Bool, (String) - String1: The certificate, in hexified der-encoded format. - String2: The set of policies that you wish to enforce, in tcl-list format. Examples: "2.5.29.32.0" (the anyPolicy OID), "{ 1.2.3.4 1.2.3.5 }" (two policies: 1.2.3.4 and 1.2.3.5) - Bool1: Whether or not the initial explicit policy should be set as a verification parameter. This demands a valid policy tree at the end of validation. Except in the case that very strict validation is desired, it is recommended to set this value to 'false'. - Bool2: Whether to inhibit policy mapping: this will disallow policy mapping at the very beginning of the validation process. Except in the case that very strict validation is desired, it is recommended to set this value to 'false'. - String3 (optional): If present, this will tell the pathfinder daemon to use a security policy associated with a particular application or name, if it is specified in the configuration file. For example, you might specify a particular policy with "apache". You can specify these security policies in the main configuration file, see above. For the convenience of those using OpenSSL or NSS (Netscape Security Services), two libraries containing a callback suitable for use with an SSL connection are provided. The "nsstest" and "openssltest" programs provided with the pathfinder distribution provide examples of their use. pathfinder-1.1.3/revocationfinder.cc0000644000175200017520000001705611271361204020010 0ustar ppattersppatters/* * revocationfinder.cc * * Copyright (C) 2008 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. 
*/ #include #include #include #include "revocationfinder.h" #include "util.h" using namespace boost; RevocationFinder::RevocationFinder(shared_ptr &_cert, shared_ptr &_issuer, shared_ptr &_path, shared_ptr &_crlcache, bool _check_ocsp, UniConf &_cfg, FoundRevocationInfoCb _cb) : check_ocsp(_check_ocsp), cfg(_cfg), log(WvString("Revocation Finder for %s", _cert->get_subject()), WvLog::Debug1) { pool = new WvHttpPool(); WvIStreamList::globallist.append(pool, false, "revocation finder http pool"); cert = _cert; issuer = _issuer; path = _path; crlcache = _crlcache; cb = _cb; done = false; //find(); } RevocationFinder::~RevocationFinder() { WvIStreamList::globallist.unlink(pool); WVRELEASE(pool); } void RevocationFinder::find() { // first, check to see if we have a CRL explicitly defined for this // certificate's issuer WvString hardcoded_crl_loc = cfg["CRL Location"].xget( url_encode(cert->get_issuer(), "/=")); if (!!hardcoded_crl_loc) { shared_ptr crl = crlcache->get_file(hardcoded_crl_loc); if (crl && !crl->expired()) { path->add_crl(cert->get_subject(), crl); done = true; log("Got CRL from hardcoded location.\n"); cb(err); return; } } // try to grab both crl and OCSP info (the latter only if we're checking // ocsp) if (check_ocsp) cert->get_ocsp(ocsp_urls); cert->get_crl_urls(crl_urls); if (!crl_urls.count() && !ocsp_urls.count()) { log("No revocation info for certificate %s.\n", cert->get_subject()); failed("No revocation info"); return; } WvStringList::Iter i(crl_urls); for (i.rewind(); i.next();) { WvUrl url(i()); shared_ptr crl = crlcache->get_url(url); if (crl && !crl->expired()) { path->add_crl(cert->get_subject(), crl); done = true; log("Got CRL from cache.\n"); cb(err); return; } } // otherwise, we gotta download stuff log("No ready revocation info in cache for certificate %s. 
Proceeding to " "download...\n", cert->get_subject()); try_download_next(); } void RevocationFinder::failed(WvStringParm reason) { err.seterr(reason); failed(); } void RevocationFinder::failed() { done = true; cb(err); } void RevocationFinder::try_download_next() { while (ocsp_urls.count()) { // create ocsp request, put it in a stream so we can send it to // the server shared_ptr req(new WvOCSPReq(*cert, *issuer)); WvDynBuf reqbuf; req->encode(reqbuf); WvBufStream *input_stream = new WvBufStream; input_stream->write(reqbuf, reqbuf.used()); WvIStreamList::globallist.append(input_stream, true, "OCSP Request Buffer Stream"); DownloadFinishedCb cb = wv::bind( &RevocationFinder::ocsp_download_finished_cb, this, _1, _2, _3, _4, req); if (retrieve_object_http(ocsp_urls.popstr(), cb, "POST", "Content-Type: application/ocsp-request\r\n", input_stream)) return; } while (crl_urls.count()) { DownloadFinishedCb cb = wv::bind( &RevocationFinder::crl_download_finished_cb, this, _1, _2, _3, _4); if (retrieve_object_http(crl_urls.popstr(), cb)) return; } failed("Couldn't retrieve revocation info"); } bool RevocationFinder::retrieve_object_http(WvStringParm _url, DownloadFinishedCb _cb, WvStringParm _method, WvStringParm _headers, WvStream *_content_source) { log("Attempting to retrieve revocation object at URL %s.\n", _url); WvUrl url(_url); if (url.getproto() == "http" || url.getproto() == "https" || url.getproto() == "ldap" || url.getproto() == "ldaps") { shared_ptr d(new Downloader(url, pool, _cb, _method, _headers, _content_source)); downloaders.push_back(d); return true; } else log("Protocol %s not supported for getting object.\n", url.getproto()); return false; } void RevocationFinder::crl_download_finished_cb(WvStringParm urlstr, WvStringParm mimetype, WvBuf &buf, WvError _err) { if (_err.geterr()) { log("Couldn't download CRL at url %s\n", urlstr); try_download_next(); return; } log("Got CRL with mimetype %s.\n", mimetype); shared_ptr crl(new WvCRL); if (guess_encoding(buf) 
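== WvX509::CertPEM)
        crl->decode(WvCRL::CRLPEM, buf);
    else
        crl->decode(WvCRL::CRLDER, buf);

    if (!crl->isok())
    {
        // Terminate the line like every other log call in this file does.
        log("CRL downloaded from url %s is not ok!\n", urlstr);
        try_download_next();
        return;
    }

    // we could check to see if the CRL is signed by the appropriate
    // person and that it hasn't expired here, but that seems like overkill
    // to me. if you're putting up a CRL somewhere, make sure that it's valid!
    //
    // NOTE(review): the only gate on the downloaded bytes in this function
    // is isok(). The CRL is then stored in the cache under its URL and
    // attached to the path, and find() reuses a cached entry after checking
    // nothing but expired(). The URL itself comes from the certificate being
    // validated. Whether the issuer's signature on the CRL is verified later,
    // during path validation, is not visible here -- confirm that it is, and
    // that a cached CRL which fails that check cannot keep a good one from
    // being fetched until it expires.

    // crl is ok, (re) add it to our store
    buf.unget(buf.ungettable());
    crlcache->add(urlstr, buf);
    path->add_crl(cert->get_subject(), crl);
    done = true;
    cb(err);
}


// Completion handler for an OCSP request issued by try_download_next().
//
// urlstr   - responder URL the request was sent to (used for logging)
// mimetype - content type reported for the response (logged only)
// buf      - raw response body, decoded into a WvOCSPResp
// _err     - download error; when set, the next source is tried
// req      - the request that was sent, needed for the nonce comparison
//
// A response is attached to the path only if it decodes cleanly, reports a
// status other than Error/Unknown for this certificate and issuer, and
// passes check_nonce() against the request. Any other outcome moves on via
// try_download_next(), which works through the remaining OCSP URLs before
// the CRL URLs.
//
// NOTE(review): whether get_status() also verifies the responder's signature
// is not visible in this file -- confirm in WvOCSPResp.
void RevocationFinder::ocsp_download_finished_cb(WvStringParm urlstr,
                                                 WvStringParm mimetype,
                                                 WvBuf &buf, WvError _err,
                                                 shared_ptr &req)
{
    if (_err.geterr())
    {
        log("Couldn't download OCSP response at url %s\n", urlstr);
        try_download_next();
        return;
    }

    log("Got OCSP with mimetype %s.\n", mimetype);
    shared_ptr resp(new WvOCSPResp);
    resp->decode(buf);

    if (!resp->isok())
    {
        log("OCSP response downloaded from %s is not ok!\n", urlstr);
        try_download_next();
        return;
    }

    WvOCSPResp::Status status = resp->get_status(*cert, *issuer);
    if (status == WvOCSPResp::Error || status == WvOCSPResp::Unknown)
    {
        log("OCSP response isn't canonical (status: %s). Falling back "
            "to CRL, if available.\n", WvOCSPResp::status_str(status));
        try_download_next();
        return;
    }

    // The nonce ties the response to the request sent for this lookup.
    if (!resp->check_nonce(*req))
    {
        log("OCSP nonce for response downloaded from %s not ok!\n", urlstr);
        try_download_next();
        return;
    }

    path->add_ocsp_resp(cert->get_subject(), resp);
    done = true;
    cb(err);
}
pathfinder-1.1.3/revocationfinder.h0000644000175200017520000000471211212243307017643 0ustar ppattersppatters/* * revocationfinder.h * * Copyright (C) 2008 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details.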
*/ #ifndef __REVOCATIONFINDER_H #define __REVOCATIONFINDER_H #include #include #include #include #include #include "downloader.h" #include "wvx509path.h" #include "wvcrlcache.h" typedef wv::function FoundRevocationInfoCb; // FIXME: this class has a ton of duplication with PathFinder and Downloader. // Need to find a way of factoring out all the commonalities into a seperate // class. class RevocationFinder { public: RevocationFinder(boost::shared_ptr &_cert, boost::shared_ptr &_issuer, boost::shared_ptr &_path, boost::shared_ptr &_crlcache, bool _check_ocsp, UniConf &_cfg, FoundRevocationInfoCb _cb); virtual ~RevocationFinder(); bool is_done() { return done; } void find(); private: void failed(WvStringParm reason); void failed(); void try_download_next(); bool retrieve_object_http(WvStringParm _url, DownloadFinishedCb _cb, WvStringParm _method = "GET", WvStringParm _headers = "", WvStream *content_source = NULL); void crl_download_finished_cb(WvStringParm urlstr, WvStringParm mimetype, WvBuf &buf, WvError _err); void ocsp_download_finished_cb(WvStringParm urlstr, WvStringParm mimetype, WvBuf &buf, WvError _err, boost::shared_ptr &req); boost::shared_ptr cert; boost::shared_ptr issuer; boost::shared_ptr crlcache; WvStringList ocsp_urls; WvStringList crl_urls; boost::shared_ptr path; WvHttpPool *pool; typedef std::vector > DownloaderList; DownloaderList downloaders; bool done; bool check_ocsp; UniConf cfg; FoundRevocationInfoCb cb; WvError err; WvLog log; }; #endif // _REVOCATIONFINDER_H pathfinder-1.1.3/util.h0000644000175200017520000000106211130276200015247 0ustar ppattersppatters/* * util.h * * Copyright (C) 2008-2009 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. 
*/ #ifndef __UTIL_H #define __UTIL_H #include #include #include #include // various little utility functions which are useful for pathfinder WvX509::DumpMode guess_encoding(WvBuf &buf); WvX509::DumpMode guess_encoding(WvStringParm fname); bool is_md(boost::shared_ptr &x509); #endif // __UTIL_H pathfinder-1.1.3/nsstest.cc0000644000175200017520000002340610734023314016146 0ustar ppattersppatters/* * nsstest.cc * * Copyright (C) 2007 Carillon Information Security Inc. * Portions copyright (C) The Mozilla Foundation * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. */ #include #include #include #include #include #include #include #include #include #include #include "libpathfinder-nss.h" #define RD_BUF_SIZE (60 * 1024) char *certnick = NULL; char *hostname = NULL; char *password = NULL; unsigned short port = 0; /************************************************************************** ** ** SSL callback routines. ** **************************************************************************/ char * get_passwd_cb(PK11SlotInfo *info, PRBool retry, void *arg) { char * passwd = NULL; if ( (!retry) && arg ) passwd = PORT_Strdup((char *)arg); return passwd; } SECStatus get_client_authdata_cb(void *arg, PRFileDesc *socket, struct CERTDistNamesStr *caNames, struct CERTCertificateStr **retcert, struct SECKEYPrivateKeyStr **retkey) { CERTCertificate * cert; SECKEYPrivateKey * privkey; char * chosen_nick = (char *)arg; void * proto_win = NULL; proto_win = SSL_RevealPinArg(socket); if (!chosen_nick) { fprintf(stderr, "No chosen nickname: Can't get client certificate " "info.\n"); return SECFailure; } cert = PK11_FindCertFromNickname(chosen_nick, proto_win); if (!cert) { fprintf(stderr, "No certificate corresponding to nickname.\n"); return SECFailure; } privkey = PK11_FindKeyByAnyCert(cert, proto_win); if (!privkey) { fprintf(stderr, "No private key corresponding to certificate.\n"); return SECFailure; } *retcert = 
cert; *retkey = privkey; return SECSuccess; } /************************************************************************** ** ** Error and information routines. ** **************************************************************************/ void err_warn(const char *function) { PRErrorCode errorNumber = PR_GetError(); fprintf(stderr, "Error in function %s: %d\n", function, errorNumber); } void err_exit(const char *function) { err_warn(function); /* Exit gracefully. */ /* ignoring return value of NSS_Shutdown as code exits with 1*/ (void) NSS_Shutdown(); PR_Cleanup(); exit(1); } static void usage(const char *progname) { fprintf(stderr, "Usage: %s [-n rsa_nickname] [-p port] [-d dbdir]\n" " [-w dbpasswd] hostname\n", progname); exit(1); } /************************************************************************** ** ** Connection management routines. ** **************************************************************************/ PRFileDesc * setup_ssl(PRNetAddr *addr) { PRFileDesc *tcpsock; PRFileDesc *sslsock; PRSocketOptionData socketOption; PRStatus prstatus; SECStatus secstatus; tcpsock = PR_NewTCPSocket(); if (tcpsock == NULL) err_warn("PR_NewTCPSocket"); /* Make the socket blocking. */ socketOption.option = PR_SockOpt_Nonblocking; socketOption.value.non_blocking = PR_FALSE; prstatus = PR_SetSocketOption(tcpsock, &socketOption); if (prstatus != PR_SUCCESS) { err_warn("PR_SetSocketOption"); goto loser; } /* Import the socket into the SSL layer. */ sslsock = SSL_ImportFD(NULL, tcpsock); if (!sslsock) { err_warn("SSL_ImportFD"); goto loser; } /* Set configuration options. */ secstatus = SSL_OptionSet(sslsock, SSL_SECURITY, PR_TRUE); if (secstatus != SECSuccess) { err_warn("SSL_OptionSet:SSL_SECURITY"); goto loser; } secstatus = SSL_OptionSet(sslsock, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); if (secstatus != SECSuccess) { err_warn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT"); goto loser; } /* Set SSL callback routines. 
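*/
    secstatus = SSL_GetClientAuthDataHook(
        sslsock, (SSLGetClientAuthData)get_client_authdata_cb,
        (void *)certnick);
    if (secstatus != SECSuccess)
    {
        err_warn("SSL_GetClientAuthDataHook");
        goto loser;
    }

    secstatus = SSL_AuthCertificateHook(sslsock,
                                        (SSLAuthCertificate)nss_verify_cb,
                                        (void *)CERT_GetDefaultCertDB());
    if (secstatus != SECSuccess)
    {
        err_warn("SSL_AuthCertificateHook");
        goto loser;
    }

    return sslsock;

loser:
    PR_Close(tcpsock);
    return NULL;
}


const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" };


/*
 * Send the fixed HTTP request over an established SSL socket and echo the
 * reply to stderr until EOF or a read error.
 *
 * sslsock    - connected SSL socket; the caller closes it
 * connection - connection number, used only in the progress messages
 *
 * Returns SECFailure if the request cannot be written. A read error ends
 * the loop but still returns SECSuccess, as before. Exits the program via
 * err_exit() if the read buffer cannot be allocated.
 */
SECStatus
handle_connection(PRFileDesc *sslsock, int connection)
{
    int     numread = 0;
    PRInt32 numbytes;
    char   *buf;

    buf = (char *)PORT_Alloc(RD_BUF_SIZE);
    if (!buf)
        err_exit("PORT_Alloc");

    /* compose the http request here. */
    numbytes = PR_Write(sslsock, requestString, strlen(requestString));
    if (numbytes <= 0)
    {
        fprintf(stderr, "Error writing http request.\n");
        /* Release with the PORT_ counterpart of the allocator used above. */
        PORT_Free(buf);
        buf = NULL;
        return SECFailure;
    }

    /* read until EOF */
    while (PR_TRUE)
    {
        /*
         * Ask for one byte less than the buffer holds. The data is
         * NUL-terminated at buf[numbytes] below, and a read that filled all
         * RD_BUF_SIZE bytes would put that terminator one byte past the end
         * of the allocation.
         */
        numbytes = PR_Read(sslsock, buf, RD_BUF_SIZE - 1);
        if (numbytes == 0)
        {
            break;      /* EOF */
        }
        if (numbytes < 0)
        {
            fprintf(stderr, "Error reading bytes from socket.\n");
            break;
        }
        numread += numbytes;
        fprintf(stderr, "***** Connection %d read %d bytes (%d total).\n",
                connection, numbytes, numread);
        buf[numbytes] = '\0';
        fprintf(stderr, "************\n%s\n************\n", buf);
    }

    PORT_Free(buf);
    buf = NULL;

    /* Caller closes the socket. */
    fprintf(stderr, "***** Connection %d read %d bytes total.\n",
            connection, numread);

    return SECSuccess;
}


SECStatus
do_connect(void *a, int connection)
{
    PRNetAddr  *addr = (PRNetAddr *)a;
    PRFileDesc *sslsock;
    PRHostEnt   host_entry;
    char        buffer[PR_NETDB_BUF_SIZE];
    PRStatus    prstatus;
    PRIntn      hostenum;
    SECStatus   secstatus;

    /* Set up SSL secure socket.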
*/ sslsock = setup_ssl(addr); if (sslsock == NULL) { err_warn("setup_ssl"); return SECFailure; } secstatus = SSL_SetPKCS11PinArg(sslsock, password); if (secstatus != SECSuccess) { err_warn("SSL_SetPKCS11PinArg"); return secstatus; } secstatus = SSL_SetURL(sslsock, hostname); if (secstatus != SECSuccess) { err_warn("SSL_SetURL"); return secstatus; } /* Prepare and setup network connection. */ prstatus = PR_GetHostByName(hostname, buffer, sizeof(buffer), &host_entry); if (prstatus != PR_SUCCESS) { err_warn("PR_GetHostByName"); return SECFailure; } hostenum = PR_EnumerateHostEnt(0, &host_entry, port, addr); if (hostenum == -1) { err_warn("PR_EnumerateHostEnt"); return SECFailure; } prstatus = PR_Connect(sslsock, addr, PR_INTERVAL_NO_TIMEOUT); if (prstatus != PR_SUCCESS) { err_warn("PR_Connect"); return SECFailure; } /* Established SSL connection, ready to send data. */ secstatus = SSL_ResetHandshake(sslsock, /* asServer */ PR_FALSE); if (secstatus != SECSuccess) { err_warn("SSL_ResetHandshake"); prstatus = PR_Close(sslsock); if (prstatus != PR_SUCCESS) err_warn("PR_Close"); return secstatus; } secstatus = handle_connection(sslsock, connection); if (secstatus != SECSuccess) { err_warn("handle_connection"); return secstatus; } PR_Close(sslsock); return SECSuccess; } void client_main(unsigned short port, const char * hostname) { PRStatus prstatus; PRInt32 rv; PRNetAddr addr; PRHostEnt host_entry; char buf[256]; /* Setup network connection. */ prstatus = PR_GetHostByName(hostname, buf, 256, &host_entry); if (prstatus != PR_SUCCESS) err_exit("PR_GetHostByName"); rv = PR_EnumerateHostEnt(0, &host_entry, port, &addr); if (rv < 0) err_exit("PR_EnumerateHostEnt"); do_connect(&addr, 1); } /************************************************************************** ** ** Main program. 
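**
**************************************************************************/

/*
 * Entry point of the NSS sample client: parse the options, initialise NSS
 * from the certificate database directory and make one SSL connection to
 * hostname:port through client_main().
 *
 * Options: -d dbdir, -n nickname, -p port, -w dbpasswd; the bare argument
 * is the host name. A port and a host name are required.
 *
 * NOTE(review): -w takes the database password from the command line, where
 * other local users can usually read it from the process list; acceptable
 * for a test program, worth avoiding in anything modelled on it.
 *
 * Returns 0 on success and 1 if NSS cannot be initialised; usage() and a
 * failed NSS_Shutdown() exit with status 1.
 */
int
main(int argc, char *argv[])
{
    const char  *certdir = ".";
    SECStatus    secstatus;
    PLOptState  *optstate;
    PLOptStatus  optstatus;

    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);

    hostname = NULL;
    optstate = PL_CreateOptState(argc, argv, "C:c:d:n:p:w:");
    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK)
    {
        switch(optstate->option)
        {
        case 'd' : certdir = PL_strdup(optstate->value);    break;
        case 'n' : certnick = PL_strdup(optstate->value);   break;
        case 'p' : port = PORT_Atoi(optstate->value);       break;
        case 'w' : password = PL_strdup(optstate->value);   break;
        case '\0': hostname = PL_strdup(optstate->value);   break;
        /*
         * The program name is argv[0]. argv[1] is the first option, and is
         * NULL when the program is started without arguments, which must
         * not reach the %s in usage().
         */
        default  : usage(argv[0]);
        }
    }
    /* Every value that is kept was copied with PL_strdup above. */
    PL_DestroyOptState(optstate);

    if (port == 0 || hostname == NULL)
        usage(argv[0]);

    if (certdir == NULL)
        certdir = PR_smprintf("%s/.netscape", getenv("HOME"));

    PK11_SetPasswordFunc(get_passwd_cb);

    secstatus = NSS_Init(certdir);
    if (secstatus != SECSuccess)
    {
        fprintf(stderr, "Error initializing NSS.\n");
        return 1;
    }

    NSS_SetDomesticPolicy();

    client_main(port, hostname);

    if (NSS_Shutdown() != SECSuccess)
    {
        exit(1);
    }

    PR_Cleanup();
    return 0;
}
pathfinder-1.1.3/libpathfinder/0000755000175200017520000000000011324134133016740 5ustar ppattersppatterspathfinder-1.1.3/libpathfinder/libpathfinder-openssl.cc0000644000175200017520000000251311063502612023545 0ustar ppattersppatters/* * libpathfinder-openssl.cc * * Copyright (C) 2007 Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE * for details.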
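*/

#include "libpathfinder-openssl.h"
#include "libpathfinder.h"
#include
#include
#include

extern "C" {

static const char* hex = "0123456789ABCDEF";

// Certificate verification callback for OpenSSL that hands the decision to
// the pathfinder daemon.
//
// ctx - verification context; only ctx->cert is examined
// arg - unused
//
// The certificate is DER-encoded, converted to upper-case hex and passed to
// pathfinder_dbus_verify() with the anyPolicy OID and both boolean
// parameters set to 0. The value returned by pathfinder_dbus_verify() is
// returned unchanged. If the certificate cannot be encoded the function
// returns 0, which OpenSSL's certificate-verify callback convention treats
// as a failed verification.
//
// NOTE(review): nothing in this function compares the certificate with the
// peer's host name, and no error code is stored in ctx on failure; an
// application installing this callback has to cover both itself.
int openssl_verify_cb(X509_STORE_CTX *ctx, void *arg)
{
    // i2d_X509 signals failure with a value <= 0. Keep the result signed
    // until it has been checked, otherwise a negative value becomes an
    // enormous allocation size.
    const int der_len = i2d_X509(ctx->cert, NULL);
    if (der_len <= 0)
        return 0;
    const size_t size = der_len;

    unsigned char *keybuf = new unsigned char[size];
    unsigned char *iend = keybuf;
    // The second pass must produce exactly the length measured above; the
    // hex loop below relies on iend marking the end of valid data.
    if (i2d_X509(ctx->cert, &iend) != der_len)
    {
        delete [] keybuf;
        return 0;
    }

    // Two hex digits per byte plus the terminating NUL.
    char *certdata_str = new char[(size * 2 + 1)];
    unsigned char *cp = keybuf;
    char *certdata_str_i = certdata_str;
    while (cp < iend)
    {
        unsigned char ch = *cp++;
        *certdata_str_i++ = hex[(ch >> 4) & 0xf];
        *certdata_str_i++ = hex[ch & 0xf];
    }
    *certdata_str_i = 0;
    delete [] keybuf;

    const char *policy = "2.5.29.32.0"; // anyPolicy

    // Start from NULL so the free() below is harmless if
    // pathfinder_dbus_verify() returns without storing a message.
    char *errmsg = NULL;
    int validated = pathfinder_dbus_verify(certdata_str, policy, 0, 0,
                                           &errmsg);

    // This is horrible - we need to pass back the error message to the
    // application somehow... perhaps with void *arg, though that's pretty
    // horrible too.
    free(errmsg);

    delete[] certdata_str;

    return validated;
}

}
pathfinder-1.1.3/libpathfinder/libpathfinder-nss.h0000644000175200017520000000102110745206334022530 0ustar ppattersppatters/* * libpathfinder-nss.h * * Copyright (C) 2007 Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details.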
*/
#ifndef __LIBPATHFINDER_NSS_H
#define __LIBPATHFINDER_NSS_H
#include
#include
#include
#include
#ifdef __cplusplus
extern "C" {
#endif
SECStatus nss_verify_cb(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
#ifdef __cplusplus
}
#endif
#endif // __LIBPATHFINDER_NSS_H
pathfinder-1.1.3/libpathfinder/CMakeLists.txt0000644000175200017520000000464311243264175021521 0ustar ppattersppatters
# Build rules for the Pathfinder client plugin libraries. Each plugin is
# produced twice, as a shared library and as a static archive, from
# libpathfinder.cc plus the backend-specific source file.

# The NSS plugin is only built when NSS_CFLAGS is set.
IF (NSS_CFLAGS)
ADD_LIBRARY(pathfinder-nss-1 SHARED libpathfinder.cc libpathfinder-nss.cc)
ADD_LIBRARY(pathfinder-nss-1-static STATIC libpathfinder.cc libpathfinder-nss.cc)
ENDIF (NSS_CFLAGS)

# The OpenSSL plugin is built unconditionally.
ADD_LIBRARY(pathfinder-openssl-1 SHARED libpathfinder.cc libpathfinder-openssl.cc)
ADD_LIBRARY(pathfinder-openssl-1-static STATIC libpathfinder.cc libpathfinder-openssl.cc)

# NSS targets: compile flags, shared-library versioning, and a static archive
# that shares the shared library's base name.
IF (NSS_CFLAGS)
SET(LIBPATHFINDER_NSS_CFLAGS "${DBUS_CFLAGS} ${NSS_CFLAGS}")
SET_TARGET_PROPERTIES(pathfinder-nss-1 PROPERTIES COMPILE_FLAGS "${LIBPATHFINDER_NSS_CFLAGS}")
SET_TARGET_PROPERTIES(pathfinder-nss-1 PROPERTIES VERSION 1.0.0 SOVERSION 1 )
SET_TARGET_PROPERTIES(pathfinder-nss-1 PROPERTIES CLEAN_DIRECT_OUTPUT 1)
SET_TARGET_PROPERTIES(pathfinder-nss-1-static PROPERTIES CLEAN_DIRECT_OUTPUT 1)
SET_TARGET_PROPERTIES(pathfinder-nss-1-static PROPERTIES OUTPUT_NAME "pathfinder-nss-1")
# The static archive is compiled with -fPIC as well.
SET_TARGET_PROPERTIES(pathfinder-nss-1-static PROPERTIES COMPILE_FLAGS "${DBUS_CFLAGS} ${NSS_CFLAGS} -fPIC")
ENDIF(NSS_CFLAGS)

# OpenSSL targets: same layout as the NSS targets above.
SET(LIBPATHFINDER_OPENSSL_CFLAGS "${DBUS_CFLAGS} ${OPENSSL_CFLAGS}")
SET_TARGET_PROPERTIES(pathfinder-openssl-1 PROPERTIES COMPILE_FLAGS "${LIBPATHFINDER_OPENSSL_CFLAGS}")
SET_TARGET_PROPERTIES(pathfinder-openssl-1 PROPERTIES VERSION 1.0.0 SOVERSION 1 )
SET_TARGET_PROPERTIES(pathfinder-openssl-1 PROPERTIES CLEAN_DIRECT_OUTPUT 1)
# NOTE(review): -fPIC is passed here through LINK_FLAGS; the shared targets
# set no -fPIC in COMPILE_FLAGS in this file.
SET_TARGET_PROPERTIES(pathfinder-openssl-1 PROPERTIES LINK_FLAGS "${DBUS_LINKFLAGS} ${OPENSSL_LINKFLAGS} -fPIC")
SET_TARGET_PROPERTIES(pathfinder-openssl-1-static PROPERTIES CLEAN_DIRECT_OUTPUT 1)
SET_TARGET_PROPERTIES(pathfinder-openssl-1-static PROPERTIES OUTPUT_NAME
"pathfinder-openssl-1")
SET_TARGET_PROPERTIES(pathfinder-openssl-1-static PROPERTIES COMPILE_FLAGS "${DBUS_CFLAGS} ${OPENSSL_CFLAGS} -fPIC")
# Link flags for the static OpenSSL target are only set on Apple platforms.
IF (APPLE)
SET_TARGET_PROPERTIES(pathfinder-openssl-1-static PROPERTIES LINK_FLAGS "${DBUS_LINKFLAGS} ${OPENSSL_LINKFLAGS} -fPIC")
ENDIF (APPLE)

# Libraries install under "lib" unless CMAKE_INSTALL_LIBDIR is already defined.
IF(NOT DEFINED CMAKE_INSTALL_LIBDIR)
SET(CMAKE_INSTALL_LIBDIR "lib")
ENDIF(NOT DEFINED CMAKE_INSTALL_LIBDIR)

IF (NSS_CFLAGS)
INSTALL(TARGETS pathfinder-nss-1 pathfinder-nss-1-static LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}")
ENDIF(NSS_CFLAGS)
INSTALL(TARGETS pathfinder-openssl-1 pathfinder-openssl-1-static LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}")
# NOTE(review): libpathfinder-nss.h is installed even when the NSS plugin
# itself is not built.
INSTALL(FILES libpathfinder-nss.h libpathfinder-openssl.h libpathfinder.h DESTINATION include/pathfinder-1)
pathfinder-1.1.3/libpathfinder/libpathfinder.cc0000644000175200017520000001002511256215314022065 0ustar ppattersppatters/* * libpathfinder.cc * * Copyright (C) 2007 Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. 
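*/
#include
#include
#include
#include
#include

extern "C" {

/*
 * Asks the Pathfinder daemon over D-Bus whether a certificate validates.
 *
 * Sends the "validate" method call to ca.carillon.pathfinder and blocks
 * until the reply arrives or libdbus's default timeout expires.
 *
 * appname   optional application name; appended to the call only when it is
 *           non-NULL and non-empty.
 * certhex   hex string of the certificate to validate.
 * policy    policy OID string.
 * initial_explicit_policy, initial_policy_mapping_inhibit
 *           sent as D-Bus booleans; any non-zero value is sent as true.
 * errmsg    out: set to NULL, or to a strdup()ed message the caller must
 *           free(). Some failure paths leave it NULL.
 *
 * Returns non-zero only when the daemon's reply starts with a true boolean.
 * Every other outcome (bad arguments, no bus, no reply, error reply,
 * malformed reply) returns 0, so callers fail closed.
 *
 * NOTE(review): the verdict is whatever the owner of the
 * ca.carillon.pathfinder name on the selected bus answers. The bus is chosen
 * from the environment (PATHFINDER_USE_SESSION_BUS); on a session bus that
 * name is typically not restricted the way a system-bus policy can restrict
 * it, so a process that must not trust its environment should not honour
 * this variable -- confirm how deployments use it.
 * NOTE(review): dbus_bus_get() returns libdbus's shared bus connection, and
 * libdbus's exit-on-disconnect default for bus connections then applies to
 * the host application -- confirm that is intended for a library.
 */
int pathfinder_app_dbus_verify(const char *appname, const char *certhex,
                               const char *policy,
                               const int initial_explicit_policy,
                               const int initial_policy_mapping_inhibit,
                               char **errmsg)
{
    // All locals are declared before the first goto so that no jump to
    // `done` crosses an initialization.
    DBusConnection *conn = NULL;
    DBusMessage *msg = NULL;
    DBusMessage *reply = NULL;
    DBusPendingCall *pending = NULL;
    DBusError err;
    DBusMessageIter args;
    DBusBusType bustype = DBUS_BUS_SYSTEM;
    // D-Bus booleans must be exactly 0 or 1 and are read as dbus_bool_t, so
    // normalise the caller's ints instead of passing their addresses.
    dbus_bool_t explicit_policy = initial_explicit_policy ? 1 : 0;
    dbus_bool_t mapping_inhibit = initial_policy_mapping_inhibit ? 1 : 0;
    dbus_bool_t appended = 0;
    dbus_bool_t verdict = 0;
    int validated = 0;

    // The original dereferenced errmsg unconditionally.
    if (!errmsg)
        return 0;

    *errmsg = NULL; // sometimes we can't return a proper error

    if (!certhex || !policy)
    {
        *errmsg = strdup("Invalid arguments to verification call");
        return 0;
    }

    dbus_error_init(&err);

    if (getenv("PATHFINDER_USE_SESSION_BUS"))
        bustype = DBUS_BUS_SESSION;

    conn = dbus_bus_get(bustype, &err);
    if (!conn || dbus_error_is_set(&err))
    {
        dbus_error_free(&err);
        *errmsg = strdup("Can't get connection to bus");
        goto done;
    }

    msg = dbus_message_new_method_call("ca.carillon.pathfinder",
                                       "/ca/carillon/pathfinder",
                                       "ca.carillon.pathfinder", "validate");
    if (!msg)
        goto done;

    if (appname && appname[0])
    {
        appended = dbus_message_append_args(
            msg,
            DBUS_TYPE_STRING, &certhex,
            DBUS_TYPE_STRING, &policy,
            DBUS_TYPE_BOOLEAN, &explicit_policy,
            DBUS_TYPE_BOOLEAN, &mapping_inhibit,
            DBUS_TYPE_STRING, &appname,
            DBUS_TYPE_INVALID);
    }
    else
    {
        appended = dbus_message_append_args(
            msg,
            DBUS_TYPE_STRING, &certhex,
            DBUS_TYPE_STRING, &policy,
            DBUS_TYPE_BOOLEAN, &explicit_policy,
            DBUS_TYPE_BOOLEAN, &mapping_inhibit,
            DBUS_TYPE_INVALID);
    }
    if (!appended)
        goto done;

    if (!dbus_connection_send_with_reply(conn, msg, &pending, -1) || !pending)
        goto done;

    dbus_connection_flush(conn);

    dbus_pending_call_block(pending);
    reply = dbus_pending_call_steal_reply(pending);
    if (!reply)
        goto done;

    if (dbus_message_get_type(reply) == DBUS_MESSAGE_TYPE_ERROR)
    {
        *errmsg = strdup("Could not contact Pathfinder daemon");
        goto done;
    }

    if (!dbus_message_iter_init(reply, &args))
        goto done;

    if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_BOOLEAN)
    {
        *errmsg = strdup("Invalid argument in Pathfinder reply");
        goto done;
    }

    dbus_message_iter_get_basic(&args, &verdict);
    if (!verdict)
    {
        // A negative verdict is followed by the daemon's explanation.
        const char *reason = NULL;

        dbus_message_iter_next(&args);
        if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING)
        {
            *errmsg = strdup("Invalid argument in Pathfinder reply");
            goto done;
        }
        dbus_message_iter_get_basic(&args, &reason);
        // Copy before the reply is released below; `reason` points into it.
        *errmsg = strdup(reason);
        goto done;
    }

    validated = 1;

done:
    // Single exit: the original returned early on most failures without
    // releasing the message, the pending call or the connection reference,
    // and never released the reply.
    if (reply)
        dbus_message_unref(reply);
    if (pending)
        dbus_pending_call_unref(pending);
    if (msg)
        dbus_message_unref(msg);
    if (conn)
        dbus_connection_unref(conn);

    return validated;
}


/*
 * Same as pathfinder_app_dbus_verify() without an application name.
 * Returns non-zero when the daemon validated the certificate, 0 otherwise;
 * *errmsg follows the same ownership rule (caller frees).
 */
int pathfinder_dbus_verify(const char *certhex, const char *policy,
                           const int initial_explicit_policy,
                           const int initial_policy_mapping_inhibit,
                           char **errmsg)
{
    return pathfinder_app_dbus_verify(NULL, certhex, policy,
                                      initial_explicit_policy,
                                      initial_policy_mapping_inhibit,
                                      errmsg);
}

}
pathfinder-1.1.3/libpathfinder/libpathfinder-openssl.h0000644000175200017520000000066710745206334023427 0ustar ppattersppatters/* * libpathfinder-openssl.h * * Copyright (C) 2007 Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. */
#ifndef __LIBPATHFINDER_OPENSSL_H
#define __LIBPATHFINDER_OPENSSL_H
#include
#ifdef __cplusplus
extern "C" {
#endif
int openssl_verify_cb(X509_STORE_CTX *ctx, void *arg);
#ifdef __cplusplus
}
#endif
#endif // __LIBPATHFINDER_OPENSSL_H
pathfinder-1.1.3/libpathfinder/libpathfinder.h0000644000175200017520000000156211256215314021735 0ustar ppattersppatters/* * libpathfinder.h * * Copyright (C) 2007 Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. 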
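*/
#ifndef __LIBPATHFINDER_H
#define __LIBPATHFINDER_H
#ifdef __cplusplus
extern "C" {
#endif
int pathfinder_app_dbus_verify(const char *appname, const char *certhex, const char *policy, const int initial_explicit_policy, const int initial_policy_mapping_inhibit, char **errmsg);
int pathfinder_dbus_verify(const char *certhex, const char *policy, const int initial_explicit_policy, const int initial_policy_mapping_inhibit, char **errmsg);
#ifdef __cplusplus
}
#endif
#endif // __LIBPATHFINDER_H
pathfinder-1.1.3/libpathfinder/libpathfinder-nss.cc0000644000175200017520000000212610652446340022675 0ustar ppattersppatters/* * libpathfinder-nss.cc * * Copyright (C) 2007 Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. */
#include "libpathfinder-nss.h"
#include "libpathfinder.h"

extern "C" {

/*
 * NSS certificate check that delegates the decision to the Pathfinder
 * daemon.
 *
 * Takes the peer certificate of `socket`, hex-encodes its DER form and
 * passes it to pathfinder_dbus_verify() with the anyPolicy OID and both
 * policy flags cleared.
 *
 * arg       must be non-NULL, but is not otherwise used here.
 * socket    SSL socket whose peer certificate is checked.
 * checksig, isServer
 *           ignored by this implementation.
 *
 * Returns SECSuccess when the daemon validated the certificate and
 * SECFailure in every other case, including all local errors, so the
 * callback fails closed.
 *
 * NOTE(review): the signature is that of an NSS authenticate-certificate
 * callback; presumably it is installed with SSL_AuthCertificateHook() in
 * place of NSS's default handler. Nothing in this function compares the
 * certificate with the expected host name, and isServer is not used to pick
 * a certificate usage, so the application has to cover those checks itself
 * -- confirm against the callers.
 */
SECStatus nss_verify_cb(void *arg, PRFileDesc *socket, PRBool checksig,
                        PRBool isServer)
{
    (void)checksig;
    (void)isServer;

    if (!socket || !arg)
    {
        fprintf(stderr, "Error in nss_verify_cb: No socket.\n");
        return SECFailure;
    }

    CERTCertificate *cert = SSL_PeerCertificate(socket);
    if (!cert)
    {
        fprintf(stderr, "Error in nss_verify_cb: No certificate "
                "corresponding to socket.\n");
        return SECFailure;
    }

    char *certdata_str = CERT_Hexify(&(cert->derCert), 0);
    // SSL_PeerCertificate() hands back a reference the caller owns; the
    // original never released it, leaking one reference per handshake.
    CERT_DestroyCertificate(cert);
    if (!certdata_str)
    {
        fprintf(stderr, "Error in nss_verify_cb: Could not encode "
                "certificate.\n");
        return SECFailure;
    }

    const char *policy = "2.5.29.32.0"; // anyPolicy
    char *errmsg = NULL;
    const int validated = pathfinder_dbus_verify(certdata_str, policy, 0, 0,
                                                 &errmsg);

    // The daemon's error text is discarded; only the verdict is reported.
    free(errmsg);
    PORT_Free(certdata_str);

    return validated ? SECSuccess : SECFailure;
}

}
pathfinder-1.1.3/LICENSE0000644000175200017520000006513010746174223015152 0ustar ppattersppatters GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. 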
It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. 
We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. 
These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". 
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. 
A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. 
As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. 
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. 
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. 
The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. 
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! Note: This software links against OpenSSL and therefore: In addition to the above license, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the GNU Lesser General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here. 
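pathfinder-1.1.3/pathfinder-openssl.pc.in0000644000175200017520000000057510652446340020703 0ustar ppattersppattersprefix=@CMAKE_INSTALL_PREFIX@ exec_prefix=${prefix} libdir=${exec_prefix}/lib includedir=${prefix}/include Name: OpenSSL Pathfinder Plugin Library Description: Library that allows OpenSSL to use PathFinder for certificate validation Version: @PACKAGE_VERSION@ Requires: openssl >= 0.9.8, dbus-1 >= 1.0 Libs: -L${libdir} -lpathfinder-openssl-1 Cflags: -I${includedir}/pathfinder-1 pathfinder-1.1.3/openssltest.cc0000644000175200017520000001001411254750337017027 0ustar ppattersppatters/* * openssltest.cc * * Copyright (C) 2007 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. */
// (the header names of the bare #include lines below are missing from this
// listing; the lines are kept as they appear)
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef APPLE
#include
#endif
#include "libpathfinder-openssl.h"


// Client certificate and RSA private key taken from a PKCS#12 bundle.
struct CertPair
{
    X509 *x509;
    rsa_st *rsa;
};


// Loads the certificate and RSA key from the PKCS#12 file `fname`, unlocking
// it with `passwd`, into `certpair`. Every failure prints a message and exits
// with status 1, so on return both members of `certpair` are non-NULL.
static void read_pkcs12(const char *fname, const char *passwd,
                        CertPair &certpair)
{
    certpair.x509 = NULL;
    certpair.rsa = NULL;

    // PKCS#12 is a binary (DER) format, so open the file in binary mode.
    FILE *fp = fopen(fname, "rb");
    if (!fp)
    {
        fprintf(stderr, "Couldn't open file %s.\n", fname);
        exit(1);
    }

    PKCS12 *pkg = d2i_PKCS12_fp(fp, NULL);
    // The bundle has been read completely; close the file on every path.
    fclose(fp);
    if (!pkg)
    {
        fprintf(stderr, "File %s does not seem to be a valid pkcs12 "
                "bundle.\n", fname);
        exit(1);
    }

    EVP_PKEY *pk = NULL;
    // Check the return value as well as the outputs: PKCS12_parse reports a
    // wrong passphrase or a failed integrity check through its result.
    if (!PKCS12_parse(pkg, passwd, &pk, &(certpair.x509), NULL)
        || !pk || !certpair.x509)
    {
        fprintf(stderr, "Could not retrieve certificate + rsa key pair from "
                "pkcs12 file %s.\n", fname);
        exit(1);
    }
    PKCS12_free(pkg);

    certpair.rsa = EVP_PKEY_get1_RSA(pk);
    EVP_PKEY_free(pk);
    // An explicit check instead of assert(): assert() disappears under NDEBUG
    // and a non-RSA key would then reach SSL_CTX_use_RSAPrivateKey as NULL.
    if (!certpair.rsa)
    {
        fprintf(stderr, "The private key in pkcs12 file %s is not an RSA "
                "key.\n", fname);
        exit(1);
    }
}


// Parses "A.B.C.D:PORT" from `host` into a network-order IPv4 address and a
// host-order port. The string comes straight from the command line, so
// malformed input is reported and the program exits with status 1.
static void parse_addr(const char *host, uint32_t &addr, unsigned short &port)
{
    const char *portstr = strchr(host, ':');
    if (!portstr)
    {
        fprintf(stderr, "Address %s is not of the form A.B.C.D:PORT.\n", host);
        exit(1);
    }

    const long portnum = strtol(portstr + 1, NULL, 10);
    if (portnum <= 0 || portnum > 65535)
    {
        fprintf(stderr, "Port in %s is out of range.\n", host);
        exit(1);
    }
    port = static_cast<unsigned short>(portnum);

    // shamelessly stolen from wvaddr in wvstreams
    unsigned char ip[4];
    const char *nptr = host;
    for (int count = 0; count < 4; count++)
    {
        const char *iptr = nptr;
        nptr = strchr(iptr, '.');
        // Only the last octet may lack a following '.'.
        if (!nptr && count != 3)
        {
            fprintf(stderr, "Address %s is not of the form A.B.C.D:PORT.\n",
                    host);
            exit(1);
        }
        if (nptr)
            nptr++;

        const long octet = strtol(iptr, NULL, 10);
        if (octet < 0 || octet > 255)
        {
            fprintf(stderr, "Address %s has an octet out of range.\n", host);
            exit(1);
        }
        ip[count] = static_cast<unsigned char>(octet);
    }

    // Copy the four bytes rather than casting the array to uint32_t*, which
    // breaks strict aliasing and may be misaligned.
    memcpy(&addr, ip, sizeof(addr));
}


// Test client: connects to HOST:PORT over TLS with the client certificate in
// CERTPAIR.p12, with peer chain verification routed through
// openssl_verify_cb (declared in libpathfinder-openssl.h), then issues one
// HTTP request and prints the response to stderr.
int main(int argc, char *argv[])
{
    if (argc < 3)
    {
        printf("USAGE: %s HOST:PORT CERTPAIR.p12\n", argv[0]);
        return 1;
    }

    uint32_t addr;
    unsigned short port;
    parse_addr(argv[1], addr, port);

    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();

    CertPair certpair;
    // NOTE(review): the PKCS#12 passphrase is hard-coded, which only suits
    // throwaway test bundles; real key material needs a different source.
    read_pkcs12(argv[2], "123", certpair);

    SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
    if (!ctx)
    {
        fprintf(stderr, "Could not create SSL context.\n");
        exit(1);
    }

    if (SSL_CTX_use_certificate(ctx, certpair.x509) <= 0 ||
        SSL_CTX_use_RSAPrivateKey(ctx, certpair.rsa) <= 0)
    {
        fprintf(stderr, "Could not set up SSL context.\n");
        exit(1);
    }

    SSL *ssl = SSL_new(ctx);
    if (!ssl)
    {
        fprintf(stderr, "Could not create SSL object.\n");
        exit(1);
    }
    SSL_CTX_set_cert_verify_callback(ctx, &openssl_verify_cb, NULL);
    SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);

    struct sockaddr_in them;
    memset((char *)&them, 0, sizeof(them));
    them.sin_family = AF_INET;
    them.sin_port = htons((unsigned short)port);
    them.sin_addr.s_addr = addr;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    // socket() signals failure with -1; 0 is a valid descriptor.
    if (fd < 0)
    {
        fprintf(stderr, "Error setting up socket.\n");
        exit(1);
    }

    if (connect(fd, (struct sockaddr *)&them, sizeof(them)) != 0)
    {
        fprintf(stderr, "Error initializing connection on socket.\n");
        exit(1);
    }

    SSL_set_fd(ssl, fd);
    // SSL_connect returns 1 only on a completed handshake; 0 is a handshake
    // that was refused and shut down cleanly, which must not count as
    // success in a program that exists to test certificate validation.
    if (SSL_connect(ssl) <= 0)
    {
        fprintf(stderr, "Error initializing SSL connection on socket.\n");
        exit(1);
    }

    // oh god this is hacky
    const char *data = "GET /testfile HTTP/1.0\r\n\r\n";
    if (SSL_write(ssl, data, static_cast<int>(strlen(data))) <= 0)
    {
        fprintf(stderr, "Error writing request to SSL connection.\n");
        exit(1);
    }

    char buf[80];
    for (;;)
    {
        const int numread = SSL_read(ssl, buf, sizeof(buf) - 1);
        // Stop on close or error instead of spinning forever.
        if (numread <= 0)
            break;

        buf[numread] = '\0';
        fprintf(stderr, "SSL Read: %s\n", buf);
    }

    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return 0;
}
pathfinder-1.1.3/x509path/0000755000175200017520000000000011324134132015506 5ustar 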
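ppattersppatterspathfinder-1.1.3/x509path/wvcrlcache.cc0000644000175200017520000000303211244554247020152 0ustar ppattersppatters
#include "wvcrlcache.h"
#include "util.h"
// (the header names of the bare #include lines below are missing from this
// listing; the lines are kept as they appear)
#include
#include
#include
#include
#include

using namespace boost;


// Creates a cache whose URL-addressed CRL files live under `_dir`.
WvCRLCache::WvCRLCache(WvStringParm _dir) :
    log("CRL Cache", WvLog::Debug5)
{
    dir = _dir;
}


// Returns the CRL stored in the file `fname`, or a null pointer if it cannot
// be loaded.
shared_ptr<WvCRL> WvCRLCache::get_file(WvStringParm fname)
{
    return get(fname);
}


// Returns the cached CRL for the distribution point `crldp`, or a null
// pointer if none is cached or it cannot be loaded.
shared_ptr<WvCRL> WvCRLCache::get_url(WvStringParm crldp)
{
    // NOTE(review): the URL comes from a certificate under validation, so
    // keeping this path inside `dir` relies on url_encode() (util.h) escaping
    // '/' and similar characters -- confirm against its definition.
    WvString path("%s/%s", dir, url_encode(crldp));
    return get(path);
}


// Loads the CRL at `rawpath`, reusing the in-memory copy while the file's
// mtime is unchanged. Returns a null pointer if the path is not a regular
// file or the decoded CRL is not ok.
shared_ptr<WvCRL> WvCRLCache::get(WvStringParm rawpath)
{
    struct stat st;
    if (stat(rawpath, &st) != 0 || !S_ISREG(st.st_mode))
        return shared_ptr<WvCRL>();

    // One lookup instead of count() followed by two operator[] calls.
    CRLMap::iterator cached = crlmap.find(rawpath.cstr());
    if (cached != crlmap.end() && cached->second.mtime == st.st_mtime)
        return cached->second.crl;

    shared_ptr<WvCRL> crl(new WvCRL);
    if (guess_encoding(rawpath) == WvX509::CertFilePEM)
        crl->decode(WvCRL::CRLFilePEM, rawpath);
    else
        crl->decode(WvCRL::CRLFileDER, rawpath);

    if (!crl->isok())
    {
        log(WvLog::Warning, "WARNING: Tried to add CRL from file %s, "
            "but loaded CRL not ok!\n", rawpath);
        return shared_ptr<WvCRL>();
    }

    crlmap[rawpath.cstr()] = CRLCacheEntry(st.st_mtime, crl);
    return crl;
}


// Stores the raw CRL bytes in `buf` as the cache file for `url`.
void WvCRLCache::add(WvStringParm url, WvBuf &buf)
{
    WvString path("%s/%s", dir, url_encode(url));

    // FIXME: blocking operation
    log("Writing %s (uri: %s) to crlcache.\n", path, url);

    // O_TRUNC: without it, a new CRL shorter than the one already cached
    // leaves the old file's tail behind it, and the next get() decodes a
    // mixture of the two.
    // NOTE(review): the file is still written in place, so a get() running
    // while the write is in progress can see a partial CRL.
    WvFile f(path, O_CREAT|O_WRONLY|O_TRUNC);
    if (!f.isok())
    {
        log(WvLog::Warning, "Could not open %s for writing.\n", path);
        return;
    }
    f.write(buf);
}
pathfinder-1.1.3/x509path/wvx509policytree.h0000644000175200017520000000445110652446340021057 0ustar ppattersppatters/* -*- Mode: C++ -*- * X.509 certificate path management classes. * * Copyright (C) 2007, Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. 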
 */
#ifndef __WVX509POLICYTREE_H
#define __WVX509POLICYTREE_H

// (the header names of the bare #include lines below are missing from this
// listing; the lines are kept as they appear)
#include
#include
#include
#include
#include

// OID of the special anyPolicy certificate policy.
#define ANY_POLICY_OID "2.5.29.32.0"

// One node of the valid policy tree built during path validation.
class WvX509PolicyNode
{
public:
    // Creates a node for `_valid_policy`; the expected policy set starts out
    // holding that same OID.
    WvX509PolicyNode(WvStringParm _valid_policy);
    // Creates an anyPolicy node (valid policy ANY_POLICY_OID).
    WvX509PolicyNode();

    // Adds a new child node whose valid policy is `oid`.
    void append_child(WvStringParm oid);

    //std::vector qualifier_set;
    //bool criticality_indicator;
    // Policy OID this node stands for.
    WvString valid_policy;
    // OIDs a child may carry to link under this node; replaced by the mapped
    // subject-domain policies when a policy mapping applies.
    WvStringList expected_policy_set;

    typedef std::vector > List;
    // Child nodes, one level further down the tree.
    List children;

    WvLog log;
};


// The valid policy tree: a root anyPolicy node plus one level of nodes per
// processed certificate. A null root means the tree has been emptied.
class WvX509PolicyTree
{
public:
    // Creates a tree holding only the root anyPolicy node.
    WvX509PolicyTree();
    // NOTE(review): no definition of this method appears in
    // wvx509policytree.cc as shown -- confirm one exists.
    bool contains_any_policy(int level);
    // Searches the subtree below `curnode` for `node_to_remove` and erases
    // it; returns true if it was found. The root itself must not be passed
    // as `node_to_remove`.
    bool remove(boost::shared_ptr &curnode,
                boost::shared_ptr &node_to_remove);
    // Removes nodes whose policy is neither in `initial_policy_set` nor
    // anyPolicy, then prunes the tree to `level`.
    void intersection(WvStringList &initial_policy_set, int level);
    // Collects, into `valid_policy_node_set`, the children of every
    // anyPolicy node at or below `node`.
    void get_valid_policy_node_set(
        boost::shared_ptr &node,
        WvX509PolicyNode::List &valid_policy_node_set);
    // Removes every branch that does not reach `level`; nulls the root if
    // nothing is left.
    void prune(int level);
    // Adds a child with policy `oid` under each node at `level` that expects
    // it (or, if `any_policy` is set, under anyPolicy nodes). Returns true
    // if at least one link was made.
    bool link(WvStringParm oid, int level, bool any_policy);
    // Removes a node with policy `oid` at `level`.
    void remove(WvStringParm oid, int level);
    // For each node at `level`, adds a child for every expected policy that
    // has no child yet.
    void extend_any_policy(int level);
    // Applies the policy mappings in `list` to the nodes at `level`.
    void append_mapping(WvX509::PolicyMapList &list, int level);
    // True once the tree has no root.
    bool isnull();

private:
    // Recursive workers behind the public methods above; `level` counts down
    // to 0 at the depth being operated on.
    bool prune_internal(boost::shared_ptr &node, int level);
    bool link_internal(WvStringParm oid,
                       boost::shared_ptr &node,
                       int level, bool any_policy);
    bool remove_internal(WvStringParm oid,
                         boost::shared_ptr &node,
                         int level);
    void extend_any_policy_internal(boost::shared_ptr &node,
                                    int level);
    void append_mapping_internal(WvX509::PolicyMapList &list,
                                 boost::shared_ptr &node,
                                 int level);

    boost::shared_ptr root;
    WvLog log;
};

#endif // __WVX509POLICYTREE_H
pathfinder-1.1.3/x509path/wvx509policytree.cc0000644000175200017520000002314410652446340021215 0ustar ppattersppatters/* -*- Mode: C++ -*- * X.509 certificate path management classes. * * Copyright (C) 2007, Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. 
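 */

#include "wvx509policytree.h"

using namespace boost;


// Creates a node for `_valid_policy`; its expected policy set starts out
// holding that same OID.
WvX509PolicyNode::WvX509PolicyNode(WvStringParm _valid_policy) :
    log("X509 Policy Node", WvLog::Debug5)
{
    valid_policy = _valid_policy;
    expected_policy_set.append(_valid_policy);
}


// Creates an anyPolicy node.
WvX509PolicyNode::WvX509PolicyNode() :
    log("X509 Policy Node", WvLog::Debug5)
{
    valid_policy = ANY_POLICY_OID;
    expected_policy_set.append(valid_policy);
}


// Adds a new child node whose valid policy is `oid`.
void WvX509PolicyNode::append_child(WvStringParm oid)
{
    log("Appending child with OID %s to node with OID %s\n", oid,
        valid_policy);
    shared_ptr<WvX509PolicyNode> node(new WvX509PolicyNode(oid));
    children.push_back(node);
}


// Creates a tree holding only the root anyPolicy node.
WvX509PolicyTree::WvX509PolicyTree() :
    root(new WvX509PolicyNode),
    log("X509 Policy Tree", WvLog::Debug5)
{
}


// True once the tree has no root.
bool WvX509PolicyTree::isnull()
{
    return !root;
}


// Removes a node with policy `oid` at `level`; the whole tree is dropped if
// that node is the root.
void WvX509PolicyTree::remove(WvStringParm oid, int level)
{
    if (isnull())
        return;

    if (remove_internal(oid, root, level))
        root.reset();
}


// Returns true if `node` itself is the node to remove (policy `oid` at depth
// `level`); the caller is then responsible for unlinking it. A matching
// child is erased here and false is returned.
bool WvX509PolicyTree::remove_internal(WvStringParm oid,
                                       shared_ptr<WvX509PolicyNode> &node,
                                       int level)
{
    if (level == 0 && node->valid_policy == oid)
        return true;

    for (WvX509PolicyNode::List::iterator i = node->children.begin();
         i != node->children.end(); i++)
    {
        if (remove_internal(oid, (*i), (level - 1)))
        {
            // The iterator is invalid after erase(), so stop here.
            node->children.erase(i);
            return false;
        }
    }

    return false;
}


// Searches the subtree below `curnode` for `node_to_remove` and erases it.
// Returns true if the node was found and removed.
bool WvX509PolicyTree::remove(shared_ptr<WvX509PolicyNode> &curnode,
                              shared_ptr<WvX509PolicyNode> &node_to_remove)
{
    // base case: root node should be removed (this should never happen,
    // presently)
    assert(root != node_to_remove);

    // other case: a child of the root node should be removed... as we call
    // this function recursively
    for (WvX509PolicyNode::List::iterator i = curnode->children.begin();
         i != curnode->children.end(); i++)
    {
        if ((*i) == node_to_remove)
        {
            curnode->children.erase(i);
            return true;
        }

        if (remove((*i), node_to_remove))
            return true;
    }

    return false;
}


// Intersects the tree with the user's `initial_policy_set`, then prunes it
// to `level`.
void WvX509PolicyTree::intersection(WvStringList &initial_policy_set,
                                    int level)
{
    if (isnull())
        return;

    // (1) Calculate the valid policy node set
    WvX509PolicyNode::List valid_policy_node_set;
    get_valid_policy_node_set(root, valid_policy_node_set);

    // (2) remove any nodes in the valid_policy_node_set which are not
    // in the expected policy set and are not anyPolicy
    WvX509PolicyNode::List::iterator i = valid_policy_node_set.begin();
    while (i != valid_policy_node_set.end())
    {
        bool match = false;
        WvStringList::Iter j(initial_policy_set);
        for (j.rewind(); j.next();)
        {
            if (j() == (*i)->valid_policy)
            {
                match = true;
                break;
            }
        }

        if (!match && (*i)->valid_policy != ANY_POLICY_OID)
        {
            log("Removing node with valid policy %s because it's not in "
                "the initial policy set.\n", (*i)->valid_policy);
            remove(root, (*i));
            // erase() hands back the next valid iterator, so there is no
            // need to rescan the set from the beginning.
            i = valid_policy_node_set.erase(i);
        }
        else
            ++i;
    }

    // (3) FIXME: Implement the algorithm for replacing leaf nodes with
    // anyPolicy as valid_policy

    // (4) prune
    prune(level);
}


// Collects, into `valid_policy_node_set`, the children of every anyPolicy
// node at or below `node`.
void WvX509PolicyTree::get_valid_policy_node_set(
    shared_ptr<WvX509PolicyNode> &node,
    WvX509PolicyNode::List &valid_policy_node_set)
{
    if (node->valid_policy == ANY_POLICY_OID)
    {
        for (WvX509PolicyNode::List::iterator i = node->children.begin();
             i != node->children.end(); i++)
            valid_policy_node_set.push_back((*i));
    }

    for (WvX509PolicyNode::List::iterator i = node->children.begin();
         i != node->children.end(); i++)
        get_valid_policy_node_set((*i), valid_policy_node_set);
}


// Removes every branch that does not reach `level`; the tree becomes null if
// nothing is left under the root.
void WvX509PolicyTree::prune(int level)
{
    if (isnull())
        return;

    // prune the root if it has no children
    if (!prune_internal(root, level))
    {
        log("Root has no children after pruning. Removing.\n");
        root.reset();
    }
}


// Returns true if `node` lies on a branch that reaches the target depth and
// must therefore be kept; children that do not are erased.
bool WvX509PolicyTree::prune_internal(shared_ptr<WvX509PolicyNode> &node,
                                      int level)
{
    log("prune internal. level: %s\n", level);

    // expected level: ok, any parent node of this node should be kept
    if (level == 0)
        return true;

    bool one_valid_child = false;

    WvX509PolicyNode::List::iterator i = node->children.begin();
    while (i != node->children.end())
    {
        if (!prune_internal((*i), (level - 1)))
        {
            log("Removing node with valid policy %s.\n", (*i)->valid_policy);
            // Continue from the element after the erased one instead of
            // re-pruning the children already kept.
            i = node->children.erase(i);
        }
        else
        {
            one_valid_child = true;
            log("Not removing node %s because it has children.\n",
                (*i)->valid_policy);
            ++i;
        }
    }

    return one_valid_child;
}


// Adds a child with policy `oid` under each node at `level` that expects it.
// Returns true if at least one link was made.
bool WvX509PolicyTree::link(WvStringParm oid, int level, bool any_policy)
{
    return link_internal(oid, root, level, any_policy);
}


// Recursive worker for link(): `level` counts down to 0 at the target depth.
// An anyPolicy node accepts the child only when `any_policy` is set; any
// other node accepts it only if `oid` is in its expected policy set.
bool WvX509PolicyTree::link_internal(WvStringParm oid,
                                     shared_ptr<WvX509PolicyNode> &node,
                                     int level, bool any_policy)
{
    if (!node)
        return false;

    if (level == 0)
    {
        if (node->valid_policy == ANY_POLICY_OID)
        {
            if (any_policy)
            {
                node->append_child(oid);
                return true;
            }
        }
        else
        {
            WvStringList::Iter i(node->expected_policy_set);
            for (i.rewind(); i.next();)
            {
                if (i() == oid)
                {
                    node->append_child(oid);
                    return true;
                }
            }
        }

        return false;
    }

    bool found_link = false;
    for (WvX509PolicyNode::List::iterator i = node->children.begin();
         i != node->children.end(); i++)
    {
        found_link |= link_internal(oid, (*i), (level - 1), any_policy);
    }

    return found_link;
}


// For each node at `level`, adds a child for every expected policy that has
// no child yet.
void WvX509PolicyTree::extend_any_policy(int level)
{
    extend_any_policy_internal(root, level);
}


// Recursive worker for extend_any_policy(): `level` counts down to 0 at the
// target depth.
void WvX509PolicyTree::extend_any_policy_internal(
    shared_ptr<WvX509PolicyNode> &node, int level)
{
    if (!node)
        return;

    if (level == 0)
    {
        log("Checking for extension at node %s.\n", node->valid_policy);
        WvStringList::Iter i(node->expected_policy_set);
        for (i.rewind(); i.next();)
        {
            bool node_exists = false;
            for (WvX509PolicyNode::List::iterator j = node->children.begin();
                 j != node->children.end(); j++)
            {
                if ((*j)->valid_policy == i())
                {
                    log("Node exists. Not extending.\n");
                    node_exists = true;
                    break;
                }
            }

            // Log the extension only when it happens; the message used to
            // be written even when the child already existed.
            if (!node_exists)
            {
                log("Trying to extend via anyPolicy and no child node with "
                    "expected OID %s. Extending.\n", i());
                node->append_child(i());
            }
        }

        return;
    }

    for (WvX509PolicyNode::List::iterator i = node->children.begin();
         i != node->children.end(); i++)
    {
        extend_any_policy_internal((*i), (level - 1));
    }
}


// Applies the policy mappings in `list` to the nodes at `level`.
void WvX509PolicyTree::append_mapping(WvX509::PolicyMapList &list, int level)
{
    append_mapping_internal(list, root, level);
}


// Recursive worker for append_mapping(): `level` counts down to 0 at the
// target depth. A node whose valid policy appears as an issuer-domain policy
// in `list` has its expected policy set replaced by the subject-domain
// policies mapped from it; other nodes are left unchanged.
void WvX509PolicyTree::append_mapping_internal(
    WvX509::PolicyMapList &list,
    shared_ptr<WvX509PolicyNode> &node,
    int level)
{
    if (!node)
        return;

    if (level == 0)
    {
        // we replace the expected policy set with the mappings
        // (6.1.4 b in RFC3280)
        //
        // Only the subject-domain policies mapped from THIS node's policy
        // belong in its expected set. Appending every mapping in the list
        // would let the node accept policies that were mapped from an
        // unrelated issuer-domain policy, widening what the path validates
        // for.
        bool replaced = false;
        WvX509::PolicyMapList::Iter i(list);
        for (i.rewind(); i.next();)
        {
            if (node->valid_policy != i().issuer_domain)
                continue;

            if (!replaced)
            {
                // ok, we have at least one mapping here
                node->expected_policy_set.zap();
                log("Replacing expected policy set with mappings.\n");
                replaced = true;
            }

            node->expected_policy_set.append(i().subject_domain);
            log("Appending %s to expected policy set.\n",
                i().subject_domain);
        }

        return;
    }

    for (WvX509PolicyNode::List::iterator i = node->children.begin();
         i != node->children.end(); i++)
    {
        append_mapping_internal(list, (*i), (level - 1));
    }
}
pathfinder-1.1.3/x509path/wvx509store.cc0000644000175200017520000001140111212243307020152 0ustar ppattersppatters/* -*- Mode: C++ -*- * X.509 certificate path management classes. * * Copyright (C) 2007, Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for * details. 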
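 */

#include "wvx509store.h"
#include "util.h"
// (the header names of the bare #include lines below are missing from this
// listing; the lines are kept as they appear)
#include
#include
#include

using namespace std;
using namespace boost;


WvX509Store::WvX509Store() :
    log("WvX509Store", WvLog::Debug5)
{
}


WvX509Store::~WvX509Store()
{
}


// Adds every regular file found in directory `_dir` to the store.
void WvX509Store::load(WvStringParm _dir)
{
    log("Loading store from directory %s.\n", _dir);

    WvDirIter d(_dir, false);
    for (d.rewind(); d.next();)
    {
        if (S_ISREG(d().st_mode))
            add_file(d().fullname);
    }
}


// Indexes `x` under its subject, and under its SKI when it has one.
void WvX509Store::add_cert(shared_ptr<WvX509> &x)
{
    if (!!x->get_ski())
        certmap.insert(CertPair(x->get_ski().cstr(), x));
    certmap.insert(CertPair(x->get_subject().cstr(), x));
}


// Loads the certificate in file `_fname` and adds it to the store; a
// certificate that does not load cleanly is logged and skipped.
void WvX509Store::add_file(WvStringParm _fname)
{
    shared_ptr<WvX509> x(new WvX509);
    x->decode(guess_encoding(_fname), _fname);
    if (!x->isok())
    {
        log(WvLog::Warning, "WARNING: Tried to add certificate from file %s, "
            "but loaded certificate not ok!\n", _fname);
        return;
    }
    add_cert(x);
}


// Adds the certificates carried in the PKCS#7 file `_fname`, each indexed
// under its SKI. Problems are logged and the affected input is skipped.
void WvX509Store::add_pkcs7(WvStringParm _fname)
{
    log("Opening pkcs7 %s.\n", _fname);

    FILE *fp = fopen(_fname, "r");
    if (!fp)
    {
        log(WvLog::Warning, "Could not open file %s.\n", _fname);
        return;
    }

    log("Loading bridgefile.\n");
    PKCS7 *pkcs7 = NULL;
    pkcs7 = d2i_PKCS7_fp(fp, &pkcs7);
    fclose(fp);
    log("Loaded bridgefile.\n");

    if (!pkcs7)
    {
        log(WvLog::Warning,
            WvString("Could not open PKCS7 bridge from file %s.", _fname));
        return;
    }

    STACK_OF(X509) *certs = NULL;
    int i = OBJ_obj2nid(pkcs7->type);
    if (i == NID_pkcs7_signed)
        certs = pkcs7->d.sign->cert;
    else if (i == NID_pkcs7_signedAndEnveloped)
        certs = pkcs7->d.signed_and_enveloped->cert;
    else
    {
        log(WvLog::Warning, "Bridge not a valid PKCS7 type.");
        PKCS7_free(pkcs7);
        return;
    }

    if (certs != NULL)
    {
        int numcerts = sk_X509_num(certs);
        for (int i = 0; i < numcerts; i++)
        {
            X509 *dup = X509_dup(sk_X509_value(certs, i));
            if (!dup)
            {
                log(WvLog::Warning, "Could not copy certificate %s from "
                    "PKCS7 blob.\n", i);
                continue;
            }

            shared_ptr<WvX509> x(new WvX509(dup));
            // Same guard as add_cert(): a certificate without an SKI has no
            // key to be indexed under here, and building the map key from a
            // null string must be avoided.
            if (!x->get_ski())
            {
                log(WvLog::Warning, "Certificate %s in PKCS7 blob has no "
                    "SKI; not adding it.\n", x->get_subject());
                continue;
            }
            certmap.insert(CertPair(x->get_ski().cstr(), x));
        }
    }
    else
    {
        log(WvLog::Warning, "No valid certificates in PKCS7 blob.");
    }

    // Every stored certificate is an X509_dup() copy, so the parsed
    // structure can be released instead of leaked.
    PKCS7_free(pkcs7);
}


// Returns a certificate indexed under `key` (SKI or subject), or a null
// pointer if there is none. With several matches, the first one found is
// returned.
shared_ptr<WvX509> WvX509Store::get(WvStringParm key)
{
    if (!!key)
    {
        pair<CertMap::iterator, CertMap::iterator> iterpair =
            certmap.equal_range(key.cstr());
        if (iterpair.first != iterpair.second)
            return iterpair.first->second;
    }

    return shared_ptr<WvX509>();
}


// Appends every certificate indexed under `key` to `certlist`.
void WvX509Store::get(WvStringParm key, WvX509List &certlist)
{
    if (!!key)
    {
        pair<CertMap::iterator, CertMap::iterator> iterpair =
            certmap.equal_range(key.cstr());
        for (CertMap::iterator i = iterpair.first; i != iterpair.second; i++)
            certlist.push_back((*i).second);
    }
}


// Returns true if the store holds a certificate under `cert`'s subject (or,
// failing that, its SKI) and `cert` validates against it.
bool WvX509Store::exists(WvX509 *cert)
{
    if (!cert)
        return false;

    shared_ptr<WvX509> cacert;
    cacert = get(cert->get_subject());
    if (!cacert)
        cacert = get(cert->get_ski());
    if (!cacert)
    {
        log("No certificate corresponding to %s (with ski: %s) in store.\n",
            cert->get_subject(), cert->get_ski());
        return false;
    }

    // otherwise check that the cert is signed
    if (!cert->validate(cacert.get()))
    {
        log("Certificate with subject %s does not validate!\n",
            cert->get_subject());
        return false;
    }

    log("Certificate %s seems to exist in store (as %s).\n",
        cert->get_subject(), cacert->get_subject());

    return true;
}


// Returns true if some certificate is indexed under `key`.
bool WvX509Store::exists(WvStringParm key)
{
    return !!get(key);
}


// Appends to `certlist` the stored certificates that share `cert`'s subject
// but have a different AKI and are not self-signed (AKI differs from SKI).
// NOTE(review): certificates added through add_cert() are indexed under both
// SKI and subject, so this full-map scan can append the same one twice.
void WvX509Store::get_cross_certs(shared_ptr<WvX509> &cert,
                                  WvX509List &certlist)
{
    for (CertMap::iterator i = certmap.begin(); i != certmap.end(); i++)
    {
        shared_ptr<WvX509> &candidate = (*i).second;

        // Arguments follow the labels in the format string; they used to be
        // passed as subject, issuer, ski, aki, so each label showed another
        // field's value.
        log("Checking %s (ski:%s aki:%s issuer:%s) against %s (ski:%s aki:%s)\n",
            candidate->get_subject(), candidate->get_ski(),
            candidate->get_aki(), candidate->get_issuer(),
            cert->get_subject(), cert->get_ski(), cert->get_aki());

        if (candidate->get_subject() == cert->get_subject() &&
            candidate->get_aki() != cert->get_aki() &&
            candidate->get_aki() != candidate->get_ski())
        {
            log("%s matches.\n", candidate->get_subject());
            certlist.push_back(candidate);
        }
    }
}


// Number of index entries in the store (a certificate indexed under two keys
// counts twice).
int WvX509Store::count()
{
    return certmap.size();
}
pathfinder-1.1.3/x509path/CMakeLists.txt0000644000175200017520000000035311130277047020257 0ustar ppattersppattersADD_LIBRARY(x509path STATIC wvcrlcache.cc wvx509path.cc wvx509store.cc wvx509policytree.cc) SET_TARGET_PROPERTIES(x509path PROPERTIES COMPILE_FLAGS "${EXTRA_CFLAGS} ${OPENSSL_CFLAGS}" LINK_FLAGS "${OPENSSL_LINKFLAGS}") 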
pathfinder-1.1.3/x509path/wvcrlcache.h0000644000175200017520000000220211076174074020011 0ustar ppattersppatters/* -*- Mode: C++ -*- * X.509 certificate path management classes. * * Copyright (C) 2007, Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for * details. */ /* -*- Mode: C++ -*- * CRL store management classes. */
#ifndef __WVCRLSTORE_H
#define __WVCRLSTORE_H

// (the header names of the bare #include lines below are missing from this
// listing; the lines are kept as they appear)
#include
#include
#include
#include

// File-backed CRL cache. CRLs are decoded from files on disk and kept in
// memory, keyed by path, until the file's modification time changes.
class WvCRLCache
{
public:
    // `_dir` is the directory that holds the files of URL-addressed CRLs.
    WvCRLCache(WvStringParm _dir);

    // Returns the cached CRL for distribution point `crldp`; the file name
    // inside the cache directory is the URL-encoded distribution point.
    boost::shared_ptr get_url(WvStringParm crldp);
    // Returns the CRL stored in the file `fname`.
    boost::shared_ptr get_file(WvStringParm fname);
    // Writes the raw CRL bytes in `buf` to the cache file for `uri`.
    void add(WvStringParm uri, WvBuf &buf);

private:
    // Loads the CRL at `rawpath`, reusing the in-memory copy while the
    // file's mtime is unchanged; the result is null if the path is not a
    // regular file or the decoded CRL is not ok.
    boost::shared_ptr get(WvStringParm rawpath);

    // A decoded CRL together with the mtime its file had when it was read.
    struct CRLCacheEntry
    {
        CRLCacheEntry(time_t _mtime, boost::shared_ptr _crl)
        {
            mtime = _mtime;
            crl = _crl;
        }
        CRLCacheEntry()
        {
            mtime = 0;
        }
        time_t mtime;
        boost::shared_ptr crl;
    };
    // Path of the CRL file -> cached entry.
    typedef std::map< std::string, CRLCacheEntry > CRLMap;
    CRLMap crlmap;
    WvString dir;
    WvLog log;
};

#endif
pathfinder-1.1.3/x509path/wvx509path.h0000644000175200017520000000502011271402624017620 0ustar ppattersppatters/* -*- Mode: C++ -*- * X.509 certificate path management classes. * * Copyright (C) 2007, Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. 
*/ #ifndef __WVX509PATH_H #define __WVX509PATH_H #include #include #include #include #include #include #include "wvx509store.h" #define WVX509_SKIP_REVOCATION_CHECK 0x2 #define WVX509_IGNORE_MISSING_CRLS 0x4 #define WVX509_SKIP_POLICY_CHECK 0x8 #define WVX509_INITIAL_EXPLICIT_POLICY 0x10 #define WVX509_INITIAL_POLICY_MAPPING_INHIBIT 0x20 class WvX509Path { public: WvX509Path(); virtual ~WvX509Path(); bool validate(boost::shared_ptr &trusted_store, boost::shared_ptr &intermediate_store, WvStringList &initial_policy_set, uint32_t flags, WvX509List &extra_certs_to_be_validated, WvError &err); WvString get_end_entity_ski(); WvString subject_at_front() const { return x509_list.front()->get_subject(); } void pop_front() { x509_list.pop_front(); } void prepend_cert(boost::shared_ptr &cert); void append_cert(boost::shared_ptr &cert); void add_crl(WvStringParm subject, boost::shared_ptr &crl); void add_ocsp_resp(WvStringParm subject, boost::shared_ptr &ocsp); WvX509List::iterator begin() { return x509_list.begin(); } WvX509List::iterator end() { return x509_list.end(); } size_t pathsize() const { return x509_list.size(); } private: // used when validation fails: logs an error message AND sets the error void validate_failed(WvStringParm errstring, WvError &err); // a list of X509 certificates, to be validated WvX509List x509_list; // CRL map: map of associations between CRLs and SKIs // of the ca certificates they apply to (which need not be the // CRL signer or issuer!) 
typedef std::multimap< std::string, boost::shared_ptr > CRLMap; CRLMap crl_map; typedef std::pair< std::string, boost::shared_ptr > CRLPair; // OCSPResp map: same as CRL map, but for OCSP responses typedef std::multimap< std::string, boost::shared_ptr > OCSPRespMap; OCSPRespMap ocsp_map; typedef std::pair< std::string, boost::shared_ptr > OCSPRespPair; WvLog log; }; #endif pathfinder-1.1.3/x509path/wvx509store.h0000644000175200017520000000357711242331636020041 0ustar ppattersppatters/* -*- Mode: C++ -*- * X.509 certificate path management classes. * * Copyright (C) 2007, Carillon Information Security Inc. * * This library is covered by the LGPL v2.1 or later, please read LICENSE for details. */ /* -*- Mode: C++ -*- * X.509 certificate store management classes. */ #ifndef __WVX509STORE_H #define __WVX509STORE_H #include #include #include #include #include typedef std::list< boost::shared_ptr > WvX509List; class WvX509Store : public WvErrorBase { public: WvX509Store(); virtual ~WvX509Store(); /// Returns true if a certificate matches a certificate in the store (by // checking for matching SKI's (or subjects, if no SKI) and // self-signature). bool exists(WvX509 *cert); // Returns true if key matches a certificate in the store bool exists(WvStringParm key); // Retuns the cert in the store corresponding to key (null if none exists) // if there is more than one cert corresponding to the key, there are no // guarantees which one you will get... boost::shared_ptr get(WvStringParm key); // Returns the certificates in the store corresponding to key void get(WvStringParm key, WvX509List &certlist); // Returns all certificates that match the subject, but not the ski of // a certificate, and which are not self-signed. 
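void get_cross_certs(boost::shared_ptr &cert, WvX509List &certlist); void load(WvStringParm _dir); void add_file(WvStringParm _fname); void add_cert(boost::shared_ptr &_cert); void add_pkcs7(WvStringParm _fname); int count(); private: typedef std::multimap< std::string, boost::shared_ptr > CertMap; typedef std::pair< std::string, boost::shared_ptr > CertPair; CertMap certmap; WvLog log; };
#endif
pathfinder-1.1.3/x509path/wvx509path.cc0000644000175200017520000005336511271645137020005 0ustar ppattersppatters
/* -*- Mode: C++ -*-
 * X.509 certificate path management classes.
 *
 * Copyright (C) 2007-2008, Carillon Information Security Inc.
 *
 * This library is covered by the LGPL v2.1 or later, please read LICENSE for
 * details.
 */
#include
#include "wvx509path.h"
#include "wvx509policytree.h"

using namespace boost;
using namespace std;


// Creates an empty path; log output goes to the "X509 Path" channel at
// Debug5 level.
WvX509Path::WvX509Path() :
    log("X509 Path", WvLog::Debug5)
{
}


WvX509Path::~WvX509Path()
{
}


// Returns the SKI of the last certificate in the path (the end entity), or
// WvString::null when the path is empty.
WvString WvX509Path::get_end_entity_ski()
{
    if (!x509_list.empty())
        return x509_list.back()->get_ski();

    return WvString::null;
}


// Puts a certificate at the front of the path, i.e. on the trust anchor side.
void WvX509Path::prepend_cert(shared_ptr &x509)
{
    log("Prepending cert %s to path.\n", x509->get_subject());
    x509_list.push_front(x509);
}


// Puts a certificate at the back of the path, i.e. on the end entity side.
void WvX509Path::append_cert(shared_ptr &x509)
{
    log("Appending cert %s to path.\n", x509->get_subject());
    x509_list.push_back(x509);
}


// Registers a CRL under the subject name of the certificate it is meant to
// cover. validate() looks CRLs up by that subject name.
void WvX509Path::add_crl(WvStringParm subject, shared_ptr &crl)
{
    log("Adding a CRL for %s.\n", subject);
    crl_map.insert(CRLPair(subject.cstr(), crl));
}


// Registers an OCSP response under the subject name of the certificate it is
// meant to cover. validate() looks responses up by that subject name.
void WvX509Path::add_ocsp_resp(WvStringParm subject, shared_ptr &ocsp)
{
    log("Adding an OCSP response for %s.\n", subject);
    ocsp_map.insert(OCSPRespPair(subject.cstr(), ocsp));
}


// Unfinished stub: it builds an empty path and returns without checking
// anything, so it must not be relied on for CRL validation.
void validate_crl(WvX509Store *store, shared_ptr &x509)
{
    WvX509Path crlpath;
}


// Logs a validation failure at Error level and records the same text in err,
// so that the caller can report why the path was rejected.
void WvX509Path::validate_failed(WvStringParm errstring, WvError &err)
{
    log(WvLog::Error, "%s. Failed.\n", errstring);
    err.seterr(errstring);
}


/*
 * Validates the stored path, walking it from the front (the certificate
 * issued by the trust anchor) to the back (the end entity).
 *
 * trusted_store       - searched for the trust anchor, by the first
 *                       certificate's AKI when it has one and by its issuer
 *                       name otherwise; also searched for CRL signers.
 * intermediate_store  - last-resort source of CRL signers.
 * initial_policy_set  - policy OIDs acceptable to the caller; only consulted
 *                       in the wrap-up step.
 * flags               - WVX509_* bits (revocation, missing CRLs, policy).
 * extra_certs_to_be_validated
 *                     - output. Receives OCSP responder certificates and CRL
 *                       signers taken from the intermediate store. They are
 *                       NOT validated here: a "true" result is only
 *                       meaningful once the caller has validated each of
 *                       them as well.
 * err                 - receives the reason when validation fails.
 *
 * Returns true when the path validates. An empty path also returns true
 * without any check being made.
 *
 * With WVX509_IGNORE_MISSING_CRLS set, a certificate that names no CRL
 * location and has no usable CRL or OCSP response passes without a
 * revocation check.
 *
 * NOTE(review): inhibit_any_policy is initialised below and never changed
 * afterwards, and policy constraints are only read for certificates that
 * have a successor in the path. No name constraints or key usage handling
 * is visible in this function; whether WvX509::validate() or issuedbyca()
 * cover them cannot be told from here - confirm.
 */
bool WvX509Path::validate(shared_ptr &trusted_store,
                          shared_ptr &intermediate_store,
                          WvStringList &initial_policy_set,
                          uint32_t flags,
                          WvX509List &extra_certs_to_be_validated,
                          WvError &err)
{
    if (x509_list.empty())
        return true;

    bool check_revocation = !(flags & WVX509_SKIP_REVOCATION_CHECK);
    bool ignore_missing_crls = (flags & WVX509_IGNORE_MISSING_CRLS);
    bool check_policy = !(flags & WVX509_SKIP_POLICY_CHECK);
    bool initial_explicit_policy = (flags & WVX509_INITIAL_EXPLICIT_POLICY);
    bool initial_inhibit_policy_mapping =
        (flags & WVX509_INITIAL_POLICY_MAPPING_INHIBIT);

    int explicit_policy = 0;
    if (!initial_explicit_policy)
        explicit_policy = x509_list.size() + 1;
    int policy_mapping = 0;
    if (!initial_inhibit_policy_mapping)
        policy_mapping = x509_list.size() + 1;
    int inhibit_any_policy = x509_list.size() + 1;
    int max_path_length = x509_list.size();

    // first, find the trust anchor associated with the path. if we can't
    // find one, we can't continue
    WvString trusted_aki = (*(x509_list.begin()))->get_aki();
    WvString trusted_issuer = (*(x509_list.begin()))->get_issuer();
    shared_ptr prev;
    if (!!trusted_aki) // look up with aki if we can, more reliable
        prev = trusted_store->get(trusted_aki);
    else
        prev = trusted_store->get(trusted_issuer);

    if (!prev)
    {
        validate_failed(WvString("Trusted root for path (%s/%s) not in store",
                                 trusted_aki, trusted_issuer), err);
        return false;
    }

    // initialize the policy tree (we won't use it if we're not checking
    // policy)
    WvX509PolicyTree policy_tree;
    int policy_level = 0;

    shared_ptr cur;
    bool was_self_issued = false;
    WvX509List::iterator i = x509_list.begin();
    int count = 0;
    while (i != x509_list.end())
    {
        cur = (*i);
        log("Verifying certificate %s\n", cur->get_subject());

        // the requirements for a certificate to be self-issued are less
        // stringent than the checks provided by WvX509::issuedbyca,
        // so we calculate this by hand.
        // FIXME: should we normalize the subject and issuer names for this
        // check?
        was_self_issued = (cur->get_subject() == cur->get_issuer());

        if (!cur->validate())
        {
            validate_failed(WvString("Certificate '%s' not valid",
                                     cur->get_subject()), err);
            return false;
        }

        if (!cur->issuedbyca(*(prev.get())))
        {
            validate_failed(WvString("Certificate's issuer (%s) does not "
                                     "match working issuer name (%s)",
                                     cur->get_issuer(),
                                     prev->get_subject()), err);
            return false;
        }

        if (!cur->signedbyca(*(prev.get())))
        {
            validate_failed(WvString("Certificate '%s' not signed by working "
                                     "certificate (%s)", cur->get_subject(),
                                     prev->get_subject()), err);
            return false;
        }

        // OCSP validation is pretty simple: look it up in the map, make
        // sure our current certificate is not revoked, then add the OCSP
        // responder certificate to our list of extra certificates to be
        // validated. note that we also need aki info to make it work.
        // Only the first response stored for this subject is looked at.
        bool validated_ocsp = false;
        bool have_aki = !!cur->get_aki();
        bool have_ski = !!cur->get_ski();
        if (check_revocation)
        {
            pair iterpair =
                ocsp_map.equal_range(cur->get_subject().cstr());
            if (iterpair.first != iterpair.second)
            {
                shared_ptr resp = (*iterpair.first).second;
                WvX509 resp_signer = resp->get_signing_cert();

                WvOCSPResp::Status status = resp->get_status(*cur, *prev);
                if (status != WvOCSPResp::Good)
                {
                    validate_failed(WvString("Certificate %s's OCSP response "
                                             "does not check out (status: %s)",
                                             cur->get_subject(),
                                             WvOCSPResp::status_str(status)),
                                    err);
                    return false;
                }

                if (!resp_signer)
                {
                    validate_failed(WvString("Certificate %s's OCSP response "
                                             "does not have a signing "
                                             "certificate",
                                             cur->get_subject()), err);
                    return false;
                }

                if (!resp->signedbycert(resp_signer))
                {
                    validate_failed(WvString("Certificate %s's OCSP response "
                                             "is not properly signed by OCSP "
                                             "response signer",
                                             cur->get_subject()), err);
                    return false;
                }

                // the responder must carry the "OCSP Signing" extended key
                // usage, otherwise any certificate from the same issuer
                // could vouch for revocation status
                bool responder_has_ocsp_signing_key_usage = false;
                WvStringList ext_key_usage;
                ext_key_usage.split(resp_signer.get_ext_key_usage(), ";\n");
                WvStringList::Iter eku(ext_key_usage);
                for (eku.rewind(); eku.next();)
                {
                    if (eku() == "OCSP Signing")
                    {
                        responder_has_ocsp_signing_key_usage = true;
                        break;
                    }
                }

                if (!responder_has_ocsp_signing_key_usage)
                {
                    validate_failed(WvString("Certificate %s's OCSP responder "
                                             "does not have OCSP Signing in "
                                             "its extended key usage",
                                             cur->get_subject()), err);
                    return false;
                }

                if ((have_ski && resp_signer.get_aki() == cur->get_ski()) ||
                    (resp_signer.get_issuer() == cur->get_subject()))
                {
                    // this is somewhat questionable, but allow it for now:
                    // some certificates in the wild are the signer of their
                    // own OCSP responder
                    log(WvLog::Warning, "Certificate %s's OCSP responder's "
                        "seems to be signed by the current certificate. This "
                        "is somewhat questionable.\n", cur->get_subject());
                }
                else if ((have_aki &&
                          resp_signer.get_aki() != cur->get_aki()) ||
                         (resp_signer.get_issuer() != cur->get_issuer()))
                {
                    if (have_aki)
                        validate_failed(WvString("Certificate %s's OCSP "
                                                 "responder's AKI (%s) does not "
                                                 "match own (%s)",
                                                 cur->get_subject(),
                                                 resp_signer.get_aki(),
                                                 cur->get_aki()), err);
                    else
                        validate_failed(WvString("Certificate %s's OCSP "
                                                 "responder's issuer (%s) does "
                                                 "not match own (%s)",
                                                 cur->get_subject(),
                                                 resp_signer.get_issuer(),
                                                 cur->get_issuer()), err);
                    return false;
                }

                // validate the cert *UNLESS* the id-pkix-ocsp-nocheck
                // extension is present. (sigh) The responder is only queued
                // here; the caller has to validate it.
                if (X509_get_ext_by_NID(resp_signer.get_cert(),
                                        NID_id_pkix_OCSP_noCheck, -1) < 0)
                {
                    extra_certs_to_be_validated.push_back(
                        shared_ptr(new WvX509(resp_signer)));
                }
                else
                {
                    log(WvLog::Info, "Not validating the OCSP signing "
                        "certificate (%s) since it asserts the "
                        "id-pkix-ocsp-nocheck extension.\n",
                        resp_signer.get_subject());
                }

                validated_ocsp = true;
            }
        }

        // CRL validation is much more involved... we try to follow what's
        // laid out in rfc3280 to the letter
        if (check_revocation && !validated_ocsp)
        {
            pair iterpair =
                crl_map.equal_range(cur->get_subject().cstr());
            bool one_valid_crl = false;
            for (CRLMap::iterator j = iterpair.first; j != iterpair.second;
                 j++)
            {
                shared_ptr crl = (*j).second;

                // we need to trim spaces and convert to lower case:
                // differences in spacing or case shouldn't make a difference
                // for validation
                WvString crl_issuer = strreplace(crl->get_issuer(), " ", "");
                strlwr(crl_issuer.edit());
                WvString cert_issuer = strreplace(cur->get_issuer(), " ", "");
                strlwr(cert_issuer.edit());

                WvString crl_aki = crl->get_aki();
                bool crl_signer_untrusted = false;
                shared_ptr crl_signer;
                if (prev->get_ski() == crl_aki)
                    crl_signer = prev;
                // NOTE(review): crl_issuer was normalised above while
                // prev->get_subject() is compared as-is, so this fallback
                // looks unlikely to match - confirm the intent.
                if (!crl_signer && prev->get_subject() == crl_issuer)
                    crl_signer = prev;
                if (!crl_signer)
                    crl_signer = trusted_store->get(crl_aki);

                // as a last resort, search in the intermediate store for a
                // crl signer. this crl signer will need to be validated
                // separately
                if (!crl_signer)
                {
                    crl_signer = intermediate_store->get(crl_aki);
                    crl_signer_untrusted = true;
                }

                if (!crl_signer)
                {
                    log(WvLog::Info, "CRL signer is not the certificate's "
                        "signer, nor can we find it in the trusted store.\n",
                        cur->get_subject());
                    continue;
                }

                if (crl->validate(*(crl_signer.get())) != WvCRL::VALID)
                {
                    log(WvLog::Info, "Certificate revocation list for %s is "
                        "not valid.\n", cur->get_subject());
                    continue;
                }

                // we don't support indirect crls yet, so in addition to
                // the CRL needing to be validated by its issuer, the
                // issuer's name of the crl should match the issuer name
                // of the certificate we are processing.
                if (crl_issuer != cert_issuer)
                {
                    log(WvLog::Info, "CRL's issuer (%s) does not match "
                        "certificate's issuer (%s).\n", crl_issuer,
                        cert_issuer);
                    continue;
                }

                // if we got this far, our CRL is valid. however, we may need
                // to validate our CRL signer if it's untrusted
                one_valid_crl = true;
                if (crl_signer_untrusted)
                    extra_certs_to_be_validated.push_back(crl_signer);

                if (crl->isrevoked(*(cur.get())))
                {
                    // go through validate_failed() so that err carries the
                    // reason, like every other rejection in this function
                    validate_failed(WvString("Certificate %s is revoked "
                                             "according to CRL",
                                             cur->get_subject()), err);
                    return false;
                }
            }

            if (!one_valid_crl)
            {
                WvStringList crl_urls;
                cur->get_crl_urls(crl_urls);
                if (ignore_missing_crls && !crl_urls.count())
                {
                    log("No crl specified for certificate %s, but ignoring "
                        "missing CRLs.\n", cur->get_subject());
                }
                else
                {
                    validate_failed(WvString("No valid crl for certificate "
                                             "%s", cur->get_subject()), err);
                    return false;
                }
            }
        }

        if (check_policy)
        {
            ++policy_level;

            WvStringList policies;
            cur->get_policies(policies);
            // FIXME: we should really be checking whether the policies
            // extension is present, not how many policies we got out of
            // a possible existent policies extension
            if (policies.count())
            {
                bool linked_policy = false;
                bool contains_any_policy = false;
                WvStringList::Iter j(policies);
                for (j.rewind(); j.next();)
                {
                    if (j() != ANY_POLICY_OID)
                        linked_policy |= policy_tree.link(j(),
                                                          (policy_level-1),
                                                          false);
                    else
                        contains_any_policy = true;
                }

                // if we didn't succeed, try to extend via a last node with the
                // expected policy "any policy"
                if (!linked_policy)
                {
                    for (j.rewind(); j.next();)
                    {
                        policy_tree.link(j(), (policy_level-1), true);
                    }
                }

                // if the certificate to be processed has a policy of anyPolicy
                // and certain conditions are met, we further extend the tree
                if (contains_any_policy &&
                    (inhibit_any_policy > 0 ||
                     (count < (x509_list.size() - 1) && was_self_issued)))
                {
                    policy_tree.extend_any_policy(policy_level-1);
                }

                // prune the policy tree (remove any nodes below the current
                // policy level without any children)
                policy_tree.prune(policy_level);
            }
            else // no policies extension: set policy tree to null (by pruning)
                policy_tree.prune(policy_level);
        }

        // prepare for next certificate (i+1)
        if ((++i) != x509_list.end())
        {
            WvX509::PolicyMapList list;
            if (cur->get_policy_mapping(list))
            {
                // verify that anyPolicy does not exist in policy mapping
                WvX509::PolicyMapList::Iter j(list);
                for (j.rewind(); j.next();)
                {
                    if (j().issuer_domain == ANY_POLICY_OID ||
                        j().subject_domain == ANY_POLICY_OID)
                    {
                        validate_failed(WvString("Issuer domain (%s) or "
                                                 "subject domain (%s) is "
                                                 "anyPolicy",
                                                 j().issuer_domain,
                                                 j().subject_domain), err);
                        return false;
                    }
                }

                // if not, and we're not inhibiting policy mapping
                // append the mapping to our policy tree
                if (policy_mapping > 0)
                    policy_tree.append_mapping(list, policy_level);
                else
                {
                    log("Policy mapping is 0. Removing all policies with "
                        "issuer domain in policy mapping.\n");
                    for (j.rewind(); j.next();)
                        policy_tree.remove(j().issuer_domain, policy_level);
                    policy_tree.prune(policy_level);
                }
            }

            if (!was_self_issued)
            {
                log("Decrementing explicit policy and policy mapping.\n");
                if (explicit_policy > 0)
                    explicit_policy--;
                if (policy_mapping > 0)
                    policy_mapping--;
            }

            int require_explicit_policy;
            int inhibit_policy_mapping;
            if (cur->get_policy_constraints(require_explicit_policy,
                                            inhibit_policy_mapping))
            {
                if (require_explicit_policy >= 0 &&
                    require_explicit_policy < explicit_policy)
                {
                    log("Policy constraints found. Setting explicit policy to %s\n",
                        require_explicit_policy);
                    explicit_policy = require_explicit_policy;
                }

                if (inhibit_policy_mapping >= 0 &&
                    inhibit_policy_mapping < policy_mapping)
                {
                    log("Policy constraints found. Setting policy mapping to %s\n",
                        inhibit_policy_mapping);
                    policy_mapping = inhibit_policy_mapping;
                }
            }

            // step (k): every certificate that has a successor in the path
            // must be a CA
            bool is_ca;
            int pathlen_constraint;
            if (cur->get_basic_constraints(is_ca, pathlen_constraint))
            {
                if (!is_ca)
                {
                    validate_failed("Certificate is not a CA according to "
                                    "basicConstraints extension", err);
                    return false;
                }
            }
            else
            {
                // report the reason instead of failing silently
                validate_failed(WvString("Could not read basicConstraints "
                                         "for certificate '%s'",
                                         cur->get_subject()), err);
                return false;
            }

            // step (l)
            if (!was_self_issued)
            {
                if (max_path_length > 0)
                    max_path_length--;
                else
                {
                    validate_failed("Maximum path length exceeded", err);
                    return false;
                }
            }

            // step (m)
            if (pathlen_constraint >= 0 &&
                pathlen_constraint < max_path_length)
            {
                // log the value that is about to be applied
                log("Path length constraint set and is less than "
                    "max_path_length. Setting max_path_length to %s.\n",
                    pathlen_constraint);
                max_path_length = pathlen_constraint;
            }

            count++;
        }

        prev = cur;
    }

    // wrap up procedure
    if (check_policy)
    {
        if (!was_self_issued && explicit_policy > 0)
            explicit_policy--;

        if (explicit_policy > 0)
        {
            log("Explicit policy is greater than 0 (%s), not checking policy "
                "tree.\n", explicit_policy);
            return true;
        }

        log("Explicit policy is 0. Checking policy tree.\n");

        if (policy_tree.isnull())
        {
            validate_failed("Policy tree is null at beginning of policy "
                            "checking", err);
            return false;
        }

        // check for any policy in initial policy, if it's not there,
        // we need to check the intersection. if it is, we simply
        // return true.
        bool any_policy_in_initial_policy = false;
        WvStringList::Iter wanted(initial_policy_set);
        for (wanted.rewind(); wanted.next();)
        {
            if (wanted() == ANY_POLICY_OID)
            {
                any_policy_in_initial_policy = true;
                break;
            }
        }

        if (any_policy_in_initial_policy)
            return true;

        policy_tree.intersection(initial_policy_set, policy_level);
        if (policy_tree.isnull())
        {
            validate_failed("Policy tree is null during policy "
                            "checking", err);
            return false;
        }
    }

    return true;
}
pathfinder-1.1.3/pathclient.cc0000644000175200017520000001064511100417652016577 0ustar ppattersppatters
/*
 * pathclient.cc
 *
 * Copyright (C) 2007-2008 Carillon Information Security Inc.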
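*
 * This program and accompanying library is covered by the LGPL v2.1 or later,
 * please read LICENSE for details.
 */
#include
#include
#include
#include
#include
#include
#include
#include "wvx509policytree.h" // for ANY_POLICY_OID
#include "util.h"

static WvLog::LogLevel log_level = WvLog::Info;
static bool done = false;
// set by reply() only when the daemon reported the certificate as valid;
// main() turns it into the process exit status
static bool cert_validated = false;


// Handles the daemon's answer to the "validate" call: prints the verdict,
// records it in cert_validated and stops the main loop. An error reply
// leaves cert_validated false.
static bool reply(WvDBusMsg &msg)
{
    if (msg.iserror())
    {
        wvout->print("Error response (%s) to validation request.\n",
                     msg.get_error());
        done = true;
        return true;
    }

    WvDBusMsg::Iter args(msg);
    bool ok = args.getnext();
    WvString errstr = args.getnext();

    if (ok)
        wvout->print("Pathfinder daemon says certificate is ok.\n");
    else
    {
        wvout->print("Certificate is NOT ok. Error: %s.\n", errstr);
    }

    cert_validated = ok;
    done = true;
    return true;
}


// -q callback: lowers the log level by one step, not below Critical.
static bool dec_log_level(void *)
{
    if ((int)log_level > (int)WvLog::Critical)
        log_level = (WvLog::LogLevel)((int)log_level - 1);
    return true;
}


// -v callback: raises the log level by one step, not above Debug5.
static bool inc_log_level(void *)
{
    if ((int)log_level < (int)WvLog::Debug5)
        log_level = (WvLog::LogLevel)((int)log_level + 1);
    return true;
}


// Loads one certificate, asks the pathfinder daemon over D-Bus to validate
// it and prints the answer.
//
// Exit status: 0 only when the daemon reported the certificate as valid.
// A negative verdict, an error reply or a connection that ends before any
// reply arrives gives 1, so that a caller testing the exit status cannot
// mistake a rejected certificate for an accepted one. Bad arguments give 1,
// an unreadable certificate or unknown type gives -1, as before.
int main(int argc, char *argv[])
{
    wvcrash_setup(argv[0]);

    WvStringList remaining_args;
    WvString certtype;
    WvString moniker("dbus:system");
    bool initial_explicit_policy = false;
    bool initial_policy_mapping_inhibit = false;

    WvArgs args;
    args.add_required_arg("CERTIFICATE");
    args.add_option('m', "moniker", "Specify the dbus moniker to use "
                    "(default: dbus:system)", "MONIKER", moniker);
    args.add_option('t', "type", "Certificate type: der or pem "
                    "(default: autodetect)", "type", certtype);
    args.add_set_bool_option('e', "initial-explicit-policy", "Set initial "
                             "explicit policy when validating",
                             initial_explicit_policy);
    args.add_set_bool_option('p', "initial-policy-mapping-inhibit", "Inhibit "
                             "policy mapping when validating",
                             initial_policy_mapping_inhibit);
    args.add_option('q', "quiet",
                    "Decrease log level (can be used multiple times)",
                    WvArgs::NoArgCallback(&dec_log_level));
    args.add_option('v', "verbose",
                    "Increase log level (can be used multiple times)",
                    WvArgs::NoArgCallback(&inc_log_level));

    if (!args.process(argc, argv, &remaining_args))
    {
        args.print_help(argc, argv);
        return 1;
    }

    WvLogConsole console_log(1, log_level);

    WvString certname = remaining_args.popstr();
    WvX509 x509;
    if (certtype == "der")
        x509.decode(WvX509::CertFileDER, certname);
    else if (certtype == "pem")
        x509.decode(WvX509::CertFilePEM, certname);
    else if (!certtype)
        x509.decode(guess_encoding(certname), certname);
    else
    {
        wverr->print("Invalid certificate type '%s'\n", certtype);
        return -1;
    }

    if (!x509.isok())
    {
        wverr->print("Certificate is NOT ok. Not doing path validation.\n");
        return -1;
    }

    // HACK: dbus:system doesn't correspond to anything useful most of the
    // time, use a hardcoded value instead that should be valid for most
    // systems
    if (moniker == "dbus:system")
        moniker = "unix:/var/run/dbus/system_bus_socket";

    WvDBusConn conn(moniker);
    WvIStreamList::globallist.append(&conn, false, "wvdbus conn");

    // the request always asks for anyPolicy; the two flags come from the
    // command line
    WvDBusMsg msg("ca.carillon.pathfinder", "/ca/carillon/pathfinder",
                  "ca.carillon.pathfinder", "validate");
    msg.append(x509.encode(WvX509::CertHex));
    msg.append(WvString(ANY_POLICY_OID));
    msg.append(initial_explicit_policy);
    msg.append(initial_policy_mapping_inhibit);
#if 0
    wvout->print("Message sent to daemon: busname: ca.carillon.pathfinder\n");
    wvout->print("object: /ca/carillon/pathfinder method: validate\n");
    wvout->print("parameter1: %s\n", x509.encode(WvX509::CertHex));
    wvout->print("parameter2: %s\n", WvString(ANY_POLICY_OID));
#endif
    conn.send(msg, &reply);

    while (WvIStreamList::globallist.isok() && !done)
        WvIStreamList::globallist.runonce();

    return cert_validated ? 0 : 1;
}
pathfinder-1.1.3/pathfinderd.80000644000175200017520000000272110746174223016523 0ustar ppattersppatters.TH "PATHFINDERD" "8" "December 23, 2007" "Patrick Patterson" "" .SH "NAME" pathfinderd \- RFC3280 Path Discover and Validation Daemon .SH "SYNOPSIS" .B pathfinderd .RI [ options ] .br .SH "DESCRIPTION" .PP \fBpathfinderd\fP is a fully RFC 3280 compliant path discovery and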
validation daemon, designed to be a centrally manageable point for PKI trust anchors and configuration. .SH "OPTIONS" \fBpathfinderd\fR supports the following options: .TP .B \-c, \-\-config=ini:filename.ini UniConf config moniker (default: ini:/etc/pathfinderd.conf) .TP .B \-d, \-\-daemonize Fork into background and return (implies \-\-syslog) .TP .B \-\-no\-syslog Do not write log entries to syslog .TP .B \-q, \-\-quiet Decrease log level (can be used multiple times) .TP .B \-s, \-\-syslog Write log entries to syslog .TP .B \-\-session Listen on the session bus (instead of the system bus) .TP .B \-v, \-\-verbose Increase log level (can be used multiple times) .TP .B \-?, \-\-help Show summary of options. .TP .B \-\-usage Show a short usage message. .TP .B \-v, \-\-version Show version of program. .SH "SEE ALSO" .BR pathfinderd.conf (3), uniconf.conf (3) .br .SH "AUTHOR" pathfinder was written by Carillon Information Security Inc. .PP This manual page was written by Patrick Patterson, for the Debian project (but may be used by others). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) pathfinder-1.1.3/pathverify.30000644000175200017520000000235110733576701016411 0ustar ppattersppatters.TH "PATHVERIFY" "3" "December 23, 2007" "" "" .SH "NAME" pathverify \- stand alone RFC3280 path validation and discovery tool. .SH "SYNOPSIS" .B pathverify .RI [ options ] " files" ... .br .SH "DESCRIPTION" \fBpathverify\fP is for validating the configuration of pathfinderd, as well as providing a simple, command line program to verify X.509 certificates.
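.SH "OPTIONS" \fBpathverify\fR supports the following options: .TP .B \-c, \-\-config=ini:filename.ini Config moniker (default: ini:/etc/pathfinderd.ini) .TP .B \-p, \-\-policy=POLICY Initial policy set to use for validation, in tcl\-encoded form (default: 2.5.29.32.0) .TP .B \-q, \-\-quiet Decrease log level (can be used multiple times) .TP .B \-\-skip\-crl\-check Skips any CRL checking. .TP .B \-t, \-\-type=TYPE Certificate type: der or pem (default: pem) .TP .B \-v, \-\-verbose Increase log level (can be used multiple times) .TP .B \-\-usage Give a short usage message .TP .B \-?, \-\-help Show summary of options. .SH "SEE ALSO" .BR pathclient (3), .BR pathfinderd (8). .br .SH "AUTHOR" pathfinder was written by Carillon Information Security Inc. .PP This manual page was written by Patrick Patterson , for the Debian project (but may be used by others). pathfinder-1.1.3/CMakeLists.txt0000644000175200017520000001262711324133216016676 0ustar ppattersppatters
INCLUDE(UsePkgConfig)
find_package(PkgConfig)

cmake_minimum_required(VERSION 2.5)

PROJECT(PATHFINDER)
SET(PACKAGE_VERSION 1.1.3)

pkg_check_modules(UNICONF libuniconf)
#PKGCONFIG(libuniconf UNICONF_INCLUDEDIR UNICONF_LIBDIR UNICONF_LINKFLAGS UNICONF_CFLAGS)
PKGCONFIG(libwvdbus WVDBUS_INCLUDEDIR WVDBUS_LIBDIR WVDBUS_LINKFLAGS WVDBUS_CFLAGS)
PKGCONFIG(dbus-1 DBUS_INCLUDEDIR DBUS_LIBDIR DBUS_LINKFLAGS DBUS_CFLAGS)
PKGCONFIG(openssl OPENSSL_INCLUDEDIR OPENSSL_LIBDIR OPENSSL_LINKFLAGS OPENSSL_CFLAGS)
PKGCONFIG(nss NSS_INCLUDEDIR NSS_LIBDIR NSS_LINKFLAGS NSS_CFLAGS)

# The mode keyword must be a separate argument. Written as "FATAL_ERROR,"
# (with a comma) it becomes part of the message text, the message is printed
# as an ordinary notice and configuration carries on without the dependency.
IF (NOT DBUS_CFLAGS)
  MESSAGE(FATAL_ERROR "You need to have DBUS Development packages installed to build Pathfinder.")
ENDIF(NOT DBUS_CFLAGS)

IF (NOT WVDBUS_CFLAGS)
  MESSAGE(FATAL_ERROR "You must have the WvStreams DBus Development packages installed to build Pathfinder.")
ENDIF (NOT WVDBUS_CFLAGS)

FIND_PATH(LDAP_INCLUDEDIR ldap.h)
if(APPLE)
  FIND_LIBRARY(LDAP_LIBS NAMES LDAP PATHS /System/Library/Frameworks /Library/Frameworks )
else(APPLE)
  FIND_LIBRARY(LDAP_LIBS NAMES ldap)
  FIND_LIBRARY(LBER_LIBS NAMES lber)
endif(APPLE)

if(LDAP_INCLUDEDIR AND LDAP_LIBS)
  if(LBER_LIBS)
    set(LDAP_FOUND TRUE)
    set(LDAP_LIBRARIES ${LDAP_LIBS} ${LBER_LIBS})
  endif(LBER_LIBS)
endif(LDAP_INCLUDEDIR AND LDAP_LIBS)

if(LDAP_FOUND)
  # One of these days, properly parse out what may be an alternate -L
  # linker directive. Until then, hacky hacky.
  message(STATUS "${LDAP_LIBS}")
  set(LDAP_LINKFLAGS "-lldap")
  if(${LDAP_INCLUDEDIR} STREQUAL "/usr/include")
    set(LDAP_CFLAGS "")
  else(${LDAP_INCLUDEDIR} STREQUAL "/usr/include")
    set(LDAP_CFLAGS "-I${LDAP_INCLUDEDIR}")
  endif(${LDAP_INCLUDEDIR} STREQUAL "/usr/include")
else(LDAP_FOUND)
  message(FATAL_ERROR "You need to have the LDAP Development packages installed to build Pathfinder.")
endif(LDAP_FOUND)

# wvdiriter in wvstreams will assert if we don't have these set... since this is how wvstreams
# is normally compiled. can't we do something simpler? Also, take advantage
# of this silliness to add in an Apple specific compiler flag. We should
# find out the RIGHT way to do this, but for now, this works.
if(APPLE)
  SET(EXTRA_CFLAGS "${WVDBUS_CFLAGS} -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -DAPPLE -I/sw/include")
else(APPLE)
  SET(EXTRA_CFLAGS "${WVDBUS_CFLAGS} -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g")
endif(APPLE)
SET(EXTRA_LINKFLAGS "${WVDBUS_LINKFLAGS} ${LDAP_LINKFLAGS}")

INCLUDE_DIRECTORIES(${PATHFINDER_SOURCE_DIR} ${PATHFINDER_SOURCE_DIR}/x509path ${PATHFINDER_SOURCE_DIR}/libpathfinder)

ADD_LIBRARY(pathology STATIC pathfinder.cc revocationfinder.cc pathvalidator.cc downloader.cc pathserver.cc util.cc)
SET_TARGET_PROPERTIES(pathology PROPERTIES COMPILE_FLAGS "${EXTRA_CFLAGS}")

ADD_EXECUTABLE(pathverify pathverify.cc)
TARGET_LINK_LIBRARIES(pathverify pathology x509path)
SET_TARGET_PROPERTIES(pathverify PROPERTIES COMPILE_FLAGS "${EXTRA_CFLAGS}" LINK_FLAGS "${EXTRA_LINKFLAGS}")

ADD_EXECUTABLE(pathfinderd pathfinderd.cc)
TARGET_LINK_LIBRARIES(pathfinderd pathology x509path)
SET_TARGET_PROPERTIES(pathfinderd PROPERTIES COMPILE_FLAGS "${EXTRA_CFLAGS}" LINK_FLAGS "${EXTRA_LINKFLAGS}")

ADD_EXECUTABLE(pathclient pathclient.cc util.cc)
TARGET_LINK_LIBRARIES(pathclient)
SET_TARGET_PROPERTIES(pathclient PROPERTIES COMPILE_FLAGS "${EXTRA_CFLAGS}" LINK_FLAGS "${EXTRA_LINKFLAGS}")

INSTALL(TARGETS pathverify pathclient RUNTIME DESTINATION bin)
INSTALL(TARGETS pathfinderd RUNTIME DESTINATION sbin)
INSTALL(FILES README AUTHORS LICENSE pathfinderd.ini.sample DESTINATION share/doc/pathfinder)

ADD_EXECUTABLE(openssltest openssltest.cc)
TARGET_LINK_LIBRARIES(openssltest pathfinder-openssl-1)
SET_TARGET_PROPERTIES(openssltest PROPERTIES COMPILE_FLAGS "${DBUS_CFLAGS} ${EXTRA_CFLAGS}" LINK_FLAGS "${OPENSSL_LINKFLAGS} ${DBUS_LINKFLAGS}")

IF(NSS_CFLAGS)
  ADD_EXECUTABLE(nsstest nsstest.cc)
  TARGET_LINK_LIBRARIES(nsstest pathfinder-nss-1)
  SET_TARGET_PROPERTIES(nsstest PROPERTIES COMPILE_FLAGS "${DBUS_CFLAGS} ${NSS_CFLAGS}" LINK_FLAGS "${DBUS_LINKFLAGS} ${NSS_LINKFLAGS}")
ENDIF(NSS_CFLAGS)

SUBDIRS(t x509path libpathfinder)

IF(NOT DEFINED CMAKE_INSTALL_LIBDIR)
  SET(CMAKE_INSTALL_LIBDIR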
"/usr/lib") ENDIF(NOT DEFINED CMAKE_INSTALL_LIBDIR) CONFIGURE_FILE(version.h.in version.h) CONFIGURE_FILE(pathfinder-nss-uninstalled.pc.in pathfinder-nss-uninstalled.pc @ONLY) CONFIGURE_FILE(pathfinder-openssl-uninstalled.pc.in pathfinder-openssl-uninstalled.pc @ONLY) CONFIGURE_FILE(pathfinder-nss.pc.in pathfinder-nss.pc @ONLY) CONFIGURE_FILE(pathfinder-openssl.pc.in pathfinder-openssl.pc @ONLY) INSTALL(FILES pathfinder-nss.pc pathfinder-openssl.pc DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") INSTALL (FILES pathclient.3 pathverify.3 DESTINATION share/man/man3) INSTALL (FILES pathfinderd.8 DESTINATION share/man/man8) INSTALL (FILES pathfinderd-dbus.conf DESTINATION /etc/dbus-1/system.d RENAME pathfinderd.conf) SET(CPACK_PACKAGE_NAME "pathfinder") SET(CPACK_PACKAGE_DESCRIPTION_SUMMARY "pathfinder") SET(CPACK_PACKAGE_VERSION_MAJOR "1") SET(CPACK_PACKAGE_VERSION_MINOR "1") SET(CPACK_PACKAGE_VERSION_PATCH "3") SET(CPACK_SOURCE_IGNORE_FILES "/.git/;.gitignore;.*~;/.svn/;CMakeFiles/;CMakeCache.txt;/Testing/;DartTestfile.txt;.pc$;.cmake;/_CPack_Packages/;version.h$;.tar.gz;.tar.Z;.*#.*";/pathviewer-0.1.0-Source/;Makefile) INCLUDE(CPack) pathfinder-1.1.3/pathserver.cc0000644000175200017520000001107411256437157016642 0ustar ppattersppatters/* * pathserver.cc * * Copyright (C) 2007-2008 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. */ #include "pathserver.h" #include "wvx509policytree.h" using namespace boost; using namespace std; PathServer::PathServer(shared_ptr _trusted_store, shared_ptr _intermediate_store, shared_ptr _crlcache, UniConf &_cfg) : log("PathFinder"), cfg(_cfg) { trusted_store = _trusted_store; intermediate_store = _intermediate_store; crlcache = _crlcache; } bool PathServer::incoming(WvDBusConn *conn, WvDBusMsg &msg) { if (msg.get_dest() != "ca.carillon.pathfinder" || msg.get_path() != "/ca/carillon/pathfinder") return false; // I guess it's for us! 
WvString method(msg.get_member()); if (method != "validate") { log(WvLog::Warning, "Got a message asking for unknown method " "'%s'.\n", method); return true; } WvDBusMsg::Iter args(msg); WvString certhex = args.getnext(); WvString initial_policy_set_tcl = args.getnext(); bool initial_explicit_policy = args.getnext(); bool initial_policy_mapping_inhibit = args.getnext(); // appname is strictly optional, as pathfinder did not always support // the option WvString appname = args.getnext(); shared_ptr cert(new WvX509()); cert->decode(WvX509::CertHex, certhex); if (!cert->isok()) { log(WvLog::Warning, "Received a request to validate an invalid " "certificate. Aborting.\n"); conn->send(msg.reply().append(false)); return true; } log("Received a request to validate certificate with subject %s.\n", cert->get_subject()); WvDBusMsg *reply = new WvDBusMsg(msg.reply()); uint32_t flags = 0; if (cfg["verification options"].xgetint("skip revocation check", 0)) { log("Skipping revocation checking as specified in configuration.\n"); flags |= WVX509_SKIP_REVOCATION_CHECK; } if (initial_explicit_policy) flags |= WVX509_INITIAL_EXPLICIT_POLICY; if (initial_policy_mapping_inhibit) flags |= WVX509_INITIAL_POLICY_MAPPING_INHIBIT; // check policy input: if it's anyPolicy, we want to use the default // policy for the "app" (falling back again to ANY_POLICY if there // is nothing specified) WvStringList initial_policy_set; wvtcl_decode(initial_policy_set, initial_policy_set_tcl); if (initial_policy_set.count() == 1 && initial_policy_set.popstr() == ANY_POLICY_OID && !!appname) { initial_policy_set_tcl = cfg["policy"].xget(appname, ANY_POLICY_OID); log("Using special policy %s for appname %s.\n", initial_policy_set_tcl, appname); if (!initial_explicit_policy) { WvStringList new_initial_policy_set; wvtcl_decode(new_initial_policy_set, initial_policy_set_tcl); if (new_initial_policy_set.count() != 1 || new_initial_policy_set.popstr() != ANY_POLICY_OID) { log("Setting initial_explicit_policy, 
even though it was " "previously unset, to force that specify policy to " "match."); initial_explicit_policy = true; flags |= WVX509_INITIAL_EXPLICIT_POLICY; } } } PathValidator::ValidatedCb cb = wv::bind( &PathServer::path_validated_cb, this, _1, _2, _3, conn, reply); PathValidator *pv = new PathValidator(cert, initial_policy_set_tcl, flags, trusted_store, intermediate_store, crlcache, cfg, cb); shared_ptr validator(pv); validatormap.insert( pair< WvDBusMsg *, shared_ptr >(reply, validator)); validator->validate(); return true; } void PathServer::path_validated_cb(shared_ptr &cert, bool valid, WvError err, WvDBusConn *conn, WvDBusMsg *reply) { uint32_t flags = 0; log("Path validated for certificate %s. Result: %svalid\n", cert->get_subject(), valid ? "" : "NOT "); validatormap.erase(reply); // send reply reply->append(valid); reply->append(err.errstr()); conn->send(*reply); WVDELETE(reply); } pathfinder-1.1.3/pathfinder.cc0000644000175200017520000004154411324114624016573 0ustar ppattersppatters/* * pathfinder.cc * * Copyright (C) 2007 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. 
*/ #include #include #include #include "pathfinder.h" #include "util.h" using namespace boost; using namespace std; PathFinder::PathFinder(shared_ptr &_cert, shared_ptr &_trusted_store, shared_ptr &_intermediate_store, shared_ptr &_crlcache, uint32_t _validation_flags, bool _check_ocsp, UniConf &_cfg, PathFoundCb _cb) : cert_to_be_validated(_cert), trusted_store(_trusted_store), intermediate_store(_intermediate_store), crlcache(_crlcache), validation_flags(_validation_flags), path(new WvX509Path), check_ocsp(_check_ocsp), check_bridges(false), cfg(_cfg), got_cert_path(false), path_found_cb(_cb), log("PathFinder") { pool = new WvHttpPool(); WvIStreamList::globallist.append(pool, false, "pathfinder http pool"); } PathFinder::~PathFinder() { WvIStreamList::globallist.unlink(pool); WVRELEASE(pool); } void PathFinder::wouldfail(WvStringParm str) { log("%s\n", str); //err.seterr(str); } void PathFinder::find() { check_bridges = false; // go for direct trust first... check_cert(cert_to_be_validated); if (!got_cert_path) { if (intermediate_store->count() == 0) { log("Trust anchor for cert not found in store, and no bridges " "defined. Giving up.\n"); if (!err.geterr()) err.seterr("Couldn't build path. " "Check the logs to find out why."); path_found_cb(path, err); return; } log("Trust anchor for cert not in store. Starting over, but looking " "for bridges this time.\n"); while (path->pathsize() > 0) { log("Popping off %s\n", path->subject_at_front()); added_certs.erase(path->subject_at_front().cstr()); path->pop_front(); } check_bridges = true; // go for bridged trust this time... check_cert(cert_to_be_validated); if (!got_cert_path) { log("Trust anchor for cert not in store, and couldn't build " "a bridge either. Giving up.\n"); if (!err.geterr()) err.seterr("Couldn't build path. 
" "Check the logs to find out why."); path_found_cb(path, err); } } } void PathFinder::check_cert(shared_ptr &cert) { if (!cert->isok()) { wouldfail(WvString("Certificate not valid (%s).", cert->get_subject())); return; } log("Checked certificate (%s). Seems to be ok.\n", cert->get_subject()); log("Is this certificate signed with MD5 or MD2? "); bool md = is_md(cert); log(md ? "Yes\n" : "No\n"); if (md && (cfg["Defaults"].xgetint("Allow MD5", 0) == 0)) { wouldfail("Certificate signed using a disallowed Hash algorithm."); return; } // complain if self-signed certs don't have SKI if (cert->get_issuer() == cert->get_subject()) { if (!cert->get_ski()) log(WvLog::Warning, "Self-signed certificate doesn't have " "SKI! (%s)\n", cert->get_subject()); } // complain if anyn other certs don't have AKI else { if (!cert->get_aki()) log(WvLog::Warning, "Certificate doesn't have AKI! (%s)\n", cert->get_subject()); } // we allow at most one certificate of the same name that is not self // signed in the path if (cert->get_subject() != cert->get_issuer()) added_certs[cert->get_subject().cstr()] = true; // check if we need to get more signers if ((!!cert->get_aki() && cert->get_aki() != cert->get_ski()) || cert->get_subject() != cert->get_issuer()) { log("Certificate (%s) we just got has an issuer (%s). We continue " "building the path.\n", cert->get_subject(), cert->get_issuer()); path->prepend_cert(cert); get_signer(cert); return; } else if (!trusted_store->exists(cert.get())) { log("Got a self-signed root that I don't trust.\n"); return; } else { log("Certificate has no non-self signers (and should be a trust " "anchor). Stop, perform path validation.\n"); got_cert_path = true; } // otherwise, we've hit a self-signed certificate and are done fetching // files to build the path remotely... 
// Continuation of PathFinder::check_cert(), whose header is on the previous
// line of this listing.
// NOTE(review): template arguments (e.g. on shared_ptr) appear to have been
// stripped when this page was extracted -- presumably shared_ptr<WvX509>;
// confirm against the upstream source.
    log("Done building path.\n");

    // Revocation lookups are skipped entirely when the caller passed
    // WVX509_SKIP_REVOCATION_CHECK; in that case nothing in this step will
    // notice a revoked certificate.
    if (!(validation_flags & WVX509_SKIP_REVOCATION_CHECK))
    {
        log("Getting revocation information for path of length %s.\n",
            path->pathsize());
        // Walk the path from its front, pairing every certificate with the
        // one visited just before it as its signer; the first entry is
        // paired with the certificate this call was given.
        shared_ptr prev = cert;
        bool made_revocationfinder=false;
        for (WvX509List::iterator i = path->begin(); i != path->end(); i++)
        {
            get_revocation_info((*i), prev); // populates rfs
            prev = (*i);
            made_revocationfinder=true;
        }

        // Start every finder queued in rfs.
        for (RevocationFinderList::iterator i = rfs.begin(); i != rfs.end();
             i++)
        {
            (*i)->find();
        }

        if (made_revocationfinder == false)
            check_done(); // won't get a callback from it, then!
    }
    else
    {
        log("Not getting revocation information: checking disabled.\n");
        check_done(); // we check this in got_revocation_info in std. case
    }
}


// Returns the human-readable name of the store(s) that get_signer() searches
// for issuer certificates; only used to build log messages in this file.
WvString PathFinder::storename() const
{
    if (check_bridges)
        return "trusted or intermediate store";
    else
        return "trusted store";
}


// Looks for a certificate that may have issued 'cert' and feeds each
// candidate to check_cert() / examine_signer().  Sources, in order:
//   1. an explicit [CA Location] configuration entry keyed by issuer name,
//   2. the trusted store (plus the intermediate store if check_bridges),
//   3. further down, URLs taken from the certificate itself.
// NOTE(review): candidates are selected here by key identifier and by
// subject/issuer name only.  No signature verification is visible in this
// function -- presumably it happens in the later path validation; confirm.
void PathFinder::get_signer(shared_ptr &cert)
{
    log("Attempting to get signer.\n");

    // first, check if we don't have the certificate explicitly defined
    // somewhere (FIXME: tons of duplication between this and similar code
    // in revocationfinder)
    WvString hardcoded_loc = cfg["CA Location"].xget(
        url_encode(cert->get_issuer(), "/="));
    if (!!hardcoded_loc)
    {
        shared_ptr cacert(new WvX509);
        cacert->decode(guess_encoding(hardcoded_loc), hardcoded_loc);
        if (!cacert->isok())
        {
            wouldfail(WvString("Explicitly defined CA for certificate %s (in "
                               "file %s, but certificate not ok",
                               cert->get_subject(), hardcoded_loc));
            return;
        }
        // The configured certificate is the only candidate tried for this
        // issuer: the stores and download URLs below are not consulted.
        check_cert(cacert);
        return;
    }

    // next, check to see if the certificate is in the trusted store, and
    // (if we're checking for bridges) the intermediate store.
    // Both lookups are keyed on the AKI of 'cert' and append to certlist.
    WvX509List certlist;
    trusted_store->get(cert->get_aki(), certlist);
    if (check_bridges)
        intermediate_store->get(cert->get_aki(), certlist);

    if (!certlist.empty())
    {
        log("Evaluating %s: Issuer's Certificate (%s) may be in %s "
            "%s times. Checking.\n", cert->get_ski(), cert->get_aki(),
            storename(), certlist.size());

        // prefer one that is self-signed if we have more than one...
        // also disallow certificates whose issuer matches our subject
        // (we don't want to go around in circles!)
        if (certlist.size() > 1)
        {
            for (WvX509List::iterator i=certlist.begin();
                 i != certlist.end(); i++)
            {
                //log("Taking a look at %s issued by %s\n",
                //    (*i)->get_subject(), (*i)->get_issuer());
                // added_certs holds the subjects already placed in the path,
                // so a name that was used once is not picked again.
                if ((*i)->get_issuer() == (*i)->get_subject() &&
                    (*i)->get_subject() == cert->get_issuer() &&
                    (*i)->get_issuer() != cert->get_subject() &&
                    added_certs.count((*i)->get_subject().cstr()) == 0)
                {
                    //log("Found a self-signed cert! subj=%s, issuer=%s, "
                    //    "ski=%s, aki=%s\n",
                    //    (*i)->get_subject(), (*i)->get_issuer(),
                    //    (*i)->get_ski(), (*i)->get_aki());
                    check_cert((*i));
                    return;
                }
            }
        }

        // ... but if we don't have a self-signed cert, or we only
        // have one, then loop through anything that matches.  If it turns
        // out we've taken a wrong branch, pop back down to a saved state
        // and take the next branch.
        // again, disallow certificates whose issuer matches our subject
        // (we don't want to go around in circles!)

        // for efficiency, sort the list so that entries corresponding to
        // an [Intermediate CAs] entry are first.
        for (WvX509List::iterator i=certlist.begin();
             i != certlist.end(); i++)
        {
            if (!!cfg["Intermediate CAs"].xget((*i)->get_aki()))
            {
                log("Moving %s to the front of the list.\n",
                    (*i)->get_issuer());
                // Copy to the front, drop the old position, then step back
                // once so the loop's i++ resumes at the element that
                // followed the erased one (assumes list-style iterators).
                certlist.push_front(*i);
                i = certlist.erase(i);
                i--;
            }
        }

        for (WvX509List::iterator i=certlist.begin();
             i != certlist.end(); i++)
        {
            //log("Taking a look (2) at %s issued by %s\n",
            //    (*i)->get_subject(), (*i)->get_issuer());
            // examine_signer() backtracks on a dead end, so the next
            // candidate starts from the same path state.
            examine_signer((*i), cert);
            if (got_cert_path)
                return; // done!
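// Tail of PathFinder::get_signer(), which begins earlier in this listing;
// its statements are unchanged.
// NOTE(review): template arguments stripped by the page extraction are
// written out below where the code itself fixes the type (new WvX509,
// new RevocationFinder, new Downloader).
        }
        log("Could not find certificate in %s "
            "matching issuer name that may not have been previously added.\n",
            storename());
    }

    // Nothing usable locally: fall back to the CA URLs carried by the
    // certificate.  These URLs are taken from the certificate under
    // validation, so both the location and the downloaded bytes are
    // untrusted input until a path to a trust anchor has been validated.
    WvStringList ca_urls;
    cert->get_ca_urls(ca_urls);
    DownloadFinishedCb cb = wv::bind(&PathFinder::signer_download_finished_cb,
                                     this, cert, _1, _2, _3, _4);
    retrieve_object(ca_urls, cb);
}


// examines a potential certificate 'i' to see if it is a valid issuer of
// 'cert'. If it is, and we haven't used it before, then try building a
// path through it. If that fails, pop back down to the same place and
// return.
// "Valid issuer" here means a name match only (subject of 'i' equals issuer
// of 'cert', and 'i' was not issued by 'cert' itself).
void PathFinder::examine_signer(shared_ptr<WvX509> &i, shared_ptr<WvX509> &cert)
{
    if (i->get_subject() == cert->get_issuer() &&
        i->get_issuer() != cert->get_subject() &&
        added_certs.count(i->get_subject().cstr()) == 0)
    {
        //log("Found a cert! subj=%s, issuer=%s, ski=%s, aki=%s\n",
        //    i->get_subject(), i->get_issuer(), i->get_ski(), i->get_aki());

        // Remember the current front of the path so a failed attempt can be
        // unwound to exactly this state.
        WvString curfront = path->subject_at_front();
        check_cert(i);
        if (!got_cert_path)
        {
            log("Path discovery hit a dead end.\n");
            while (path->subject_at_front() != curfront)
            {
                log("Popping off %s\n", path->subject_at_front());
                added_certs.erase(path->subject_at_front().cstr());
                path->pop_front();
            }
        }
    }
}


// Download callback for an issuer certificate fetched on behalf of 'cert'.
//
// urlstr   - URL the object was fetched from
// mimetype - Content-Type reported by the download (only logged)
// buf      - downloaded bytes; treated as untrusted input
// _err     - download error, if any
//
// A URL containing ".p7c" or ".p7b" is parsed as a PKCS#7 bundle and every
// certificate in it is offered to examine_signer(); anything else is decoded
// as a single PEM or DER certificate and passed to check_cert().
//
// Changes against the previous version:
//  - the parsed PKCS7 object is released on every exit path (it leaked);
//  - a bundle whose signed-data content is absent is rejected instead of
//    being dereferenced;
//  - the buffer length is read once instead of calling buf.used() and
//    buf.get() in the same argument list, whose evaluation order is not
//    fixed (buf.get() is assumed to consume the data -- confirm);
//  - BIO_new() and X509_dup() results are checked.
void PathFinder::signer_download_finished_cb(shared_ptr<WvX509> &cert,
                                             WvStringParm urlstr,
                                             WvStringParm mimetype,
                                             WvBuf &buf,
                                             WvError _err)
{
    if (_err.geterr())
    {
        wouldfail(WvString("Couldn't download certificate signer at url %s",
                           urlstr));
        return;
    }
    log("Got certificate with mimetype %s.\n", mimetype);

    // eugh, big hack to handle certificates bundled inside a pkcs7
    // NOTE(review): the format is picked from a substring of the URL, not
    // from the content or the reported mimetype.
    if (strstr(urlstr, ".p7c") || strstr(urlstr, ".p7b"))
    {
        log("Certificate from url %s is encoded in pkcs7. Decoding.\n", urlstr);
        PKCS7 *pkcs7 = NULL;
        STACK_OF(X509) *certs = NULL;
        int len = buf.used();

        if (guess_encoding(buf) == WvX509::CertPEM)
        {
            log("PKCS7 file appears to be in PEM format, but is probably "
                "not supposed to be. Decoding anyway.\n");
            BIO *membuf = BIO_new(BIO_s_mem());
            if (membuf)
            {
                BIO_write(membuf, buf.get(len), len);
                pkcs7 = PEM_read_bio_PKCS7(membuf, NULL, NULL, NULL);
                BIO_free_all(membuf);
            }
        }
        else
        {
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
            const unsigned char *p = buf.get(len);
#else
            const unsigned char *q = buf.get(len);
            unsigned char *p = const_cast<unsigned char *>(q);
#endif
            pkcs7 = d2i_PKCS7(NULL, &p, len);
        }

        // If this isn't a valid PKCS7 object... don't return anything
        if (!pkcs7)
        {
            wouldfail(WvString("%s is not a valid pkcs7 object!", urlstr));
            return;
        }

        // The content pointer is optional in the encoding, so it has to be
        // checked before the certificate stack is read from it.
        const int nid = OBJ_obj2nid(pkcs7->type);
        if (nid == NID_pkcs7_signed && pkcs7->d.sign)
            certs = pkcs7->d.sign->cert;
        else if (nid == NID_pkcs7_signedAndEnveloped
                 && pkcs7->d.signed_and_enveloped)
            certs = pkcs7->d.signed_and_enveloped->cert;
        else
        {
            // Release before reporting: wouldfail() invokes the caller's
            // callback.
            PKCS7_free(pkcs7);
            wouldfail("The PKCS7 bundle does not appear to have any certificates!");
            return;
        }

        const int ncerts = certs ? sk_X509_num(certs) : 0;
        for (int j = 0; j < ncerts; j++)
        {
            // Work on a private copy: 'certs' is owned by pkcs7.
            X509 *copy = X509_dup(sk_X509_value(certs, j));
            if (!copy)
            {
                log(WvLog::Warning,
                    "Could not copy certificate %s of the bundle, skipping.\n",
                    j);
                continue;
            }
            shared_ptr<WvX509> x(new WvX509(copy));
            //log("Taking a look (3) at %s issued by %s\n",
            //    x->get_subject(), x->get_issuer());
            log("Extracting cert for %s from bundle.\n",
                x->get_subject().cstr());
            examine_signer(x, cert);
            if (got_cert_path)
                break; // done!
        }

        PKCS7_free(pkcs7);
        return;
    }

    // Single certificate: decode by guessed encoding, then continue building.
    shared_ptr<WvX509> cert2(new WvX509);
    if (guess_encoding(buf) == WvX509::CertPEM)
        cert2->decode(WvX509::CertPEM, buf);
    else
        cert2->decode(WvX509::CertDER, buf);
    check_cert(cert2);
}


// Queues a RevocationFinder for 'cert' (issued by 'signer') in rfs.  The
// finder is only created here; check_cert() starts it via find().  Its
// completion is reported to got_revocation_info().
void PathFinder::get_revocation_info(shared_ptr<WvX509> &cert,
                                     shared_ptr<WvX509> &signer)
{
    shared_ptr<RevocationFinder> rf(
        new RevocationFinder(cert, signer, path, crlcache, check_ocsp, cfg,
                             wv::bind(&PathFinder::got_revocation_info, this,
                                      _1, cert)));
    rfs.push_back(rf);
}


// Completion callback of a RevocationFinder.  A failed lookup is reported
// through wouldfail(); check_done() runs in either case.
void PathFinder::got_revocation_info(WvError &err, shared_ptr<WvX509> &cert)
{
    if (err.geterr())
    {
        wouldfail(WvString("Failed to download revocation info for certificate %s",
                           cert->get_subject()));
    }

    check_done();
}


// Head of PathFinder::retrieve_object(); the function continues on the next
// line of this listing and its statements are unchanged.
void PathFinder::retrieve_object(WvStringList &_urls, DownloadFinishedCb _cb)
{
    if (!_urls.count())
    {
        wouldfail("No urls to download object needed to perform validation");
        return;
    }

    while (_urls.count())
    {
        WvUrl url(_urls.popstr());
        if (url.isok() && (url.getproto() == "http" || url.getproto() == "https"))
            /*|| url.getproto() == "ldap" || url.getproto() == "ldaps")*/
            // LDAP downloads don't
            // actually work properly yet.  WvURL doesn't understand these
            // particular protocol identifiers.  Removing these for now...
            // ANOTHER problem we'll have is what to do when the HTTP
            // download succeeds, but we hit a root we don't trust?  Do we
            // then rewind and try the LDAP?  I'm not sure that'll work as
            // written.  When re-enabling the ldap download code,
            // definitely keep that in mind...
        {
            shared_ptr<Downloader> d(new Downloader(url, pool, _cb));
            downloaders.push_back(d);
            // do NOT return until our downloader is done and the callback
            // has been run, or else a get_signer() somewhere farther up
            // the stack can proceed to validate other paths before we know
            // if this one is any good!
            while (!d->is_done() && WvIStreamList::globallist.isok())
                WvIStreamList::globallist.runonce();
            if (!got_cert_path)
                wouldfail("Downloaded signer did not lead to a valid "
                          "trust path.");
            //if (got_cert_path)
            // we don't deal well with going on to try the next URL...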
return; } else if (!!url.getproto()) log("Protocol %s not supported for getting object.\n", url.getproto()); } wouldfail("Couldn't find valid URI to get object needed to perform " "validation."); return; } void PathFinder::check_done() { if (!got_cert_path) return; for (DownloaderList::iterator i = downloaders.begin(); i != downloaders.end(); i++) { if (!(*i)->is_done()) return; } for (RevocationFinderList::iterator i = rfs.begin(); i != rfs.end(); i++) { if (!(*i)->is_done()) return; } log("All objects needed to validate path have been put into place. We " "are done\n"); path_found_cb(path, err); } pathfinder-1.1.3/pathfinder.h0000644000175200017520000000547011242331636016436 0ustar ppattersppatters/* * pathfinder.h * * Copyright (C) 2007-2009 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. */ #ifndef __PATHFINDER_H #define __PATHFINDER_H #include #include #include #include #include #include #include #include #include "downloader.h" #include "revocationfinder.h" #include "wvcrlcache.h" #include "wvx509path.h" #include "wvx509store.h" typedef wv::function &, WvError)> PathFoundCb; class PathFinder { public: PathFinder(boost::shared_ptr &_cert, boost::shared_ptr &_trusted_store, boost::shared_ptr &_intermediate_store, boost::shared_ptr &_crlcache, uint32_t _validation_flags, bool _check_ocsp, UniConf &_cfg, PathFoundCb _cb); virtual ~PathFinder(); WvString cert_ski() { return cert_to_be_validated->get_ski(); } void find(); private: void check_cert(boost::shared_ptr &cert); void wouldfail(WvStringParm str); void get_signer(boost::shared_ptr &cert); void examine_signer(boost::shared_ptr &i, boost::shared_ptr &cert); void signer_download_finished_cb(boost::shared_ptr &cert, WvStringParm urlstr, WvStringParm mimetype, WvBuf &buf, WvError _err); void get_revocation_info(boost::shared_ptr &cert, boost::shared_ptr &signer); void got_revocation_info(WvError &err, 
boost::shared_ptr &cert); void retrieve_object(WvStringList &_urls, DownloadFinishedCb _cb); WvString storename() const; void check_done(); boost::shared_ptr cert_to_be_validated; boost::shared_ptr trusted_store; boost::shared_ptr intermediate_store; boost::shared_ptr crlcache; uint32_t validation_flags; boost::shared_ptr curcert; // cert we are currently working on boost::shared_ptr path; std::map added_certs; typedef std::vector > DownloaderList; DownloaderList downloaders; typedef std::vector > RevocationFinderList; RevocationFinderList rfs; WvHttpPool *pool; bool got_cert_path; PathFoundCb path_found_cb; bool check_ocsp; bool check_bridges; UniConf cfg; WvError err; WvLog log; }; #endif // __PATHFINDER_H pathfinder-1.1.3/pathfinderd-dbus.conf0000644000175200017520000000115011254751676020237 0ustar ppattersppatters pathfinder-1.1.3/downloader.cc0000644000175200017520000001531211271402164016577 0ustar ppattersppatters/* * downloader.cc * * Copyright (C) 2007 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. 
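*/

// NOTE(review): the header names of the four angle-bracket includes below
// were lost when this page was extracted; restore them from the upstream
// source.
#include
#include
#include
#include
#include "downloader.h"


// Starts fetching _url and reports the outcome through _cb.
//
// http/https URLs are handed to the WvHttpPool and complete asynchronously
// (download_cb / download_closed_cb).  ldap/ldaps URLs are fetched
// synchronously by download_ldap(), and any other scheme fails at once, so
// in those two cases _cb runs before this constructor returns.
//
// NOTE(review): 'stream' is only assigned in the http/https branch while the
// destructor tests it; if downloader.h declares it as a raw pointer it needs
// an initial value -- confirm.
Downloader::Downloader(WvStringParm _url, WvHttpPool *_pool,
                       DownloadFinishedCb _cb, WvStringParm _method,
                       WvStringParm _headers, WvStream *_content_source)
    : url(_url), pool(_pool), finished_cb(_cb), done(false),
      log(WvString("Pathfinder Download:", url), WvLog::Info)
{
    log("Downloading: %s\n", url);
    // The scheme is whatever precedes the first ':'.
    WvStringList l;
    strcoll_split(l, url, ":");
    WvString proto = l.popstr();
    log("Protocol is: %s\n", proto);

    if (proto == "http" || proto == "https")
    {
        log("Kicking off download of %s.\n", url);
        stream = pool->addurl(url, _method, _headers, _content_source);
        stream->setcallback(wv::bind(&Downloader::download_cb, this,
                                     wv::ref(*stream)));
        stream->setclosecallback(wv::bind(&Downloader::download_closed_cb,
                                          this, wv::ref(*stream)));
        WvIStreamList::globallist.append(stream, true,
                                         WvString("download url %s", url));
    }
    else if (proto == "ldap" || proto == "ldaps")
    {
        download_ldap();
    }
    else
    {
        WvError err;
        WvString mimetype = WvString::null;
        err.seterr("Unrecognised protocol... dying");
        done = true;
        finished_cb(url, mimetype, downloadbuf, err);
    }
}


// Detaches both callbacks so that the stream cannot call into this object
// after it has been destroyed.
Downloader::~Downloader()
{
    if (stream)
    {
        stream->setcallback(0);
        stream->setclosecallback(0);
    }
}


// Read callback: moves available data into downloadbuf, at most about
// 32 KiB per invocation.
// NOTE(review): only the per-call amount is capped.  The total size of
// downloadbuf is not, and the URL usually comes from a certificate, so a
// remote server decides how much memory a download consumes.
void Downloader::download_cb(WvStream &s)
{
    char buf[1024];
    size_t numread = 0;
    size_t totalread = 0;
    while (s.isreadable() && totalread < 32768)
    {
        numread = s.read(buf, 1024);
        if (numread)
            downloadbuf.put(buf, numread);
        totalread += numread;
    }
}


// Close callback: picks the Content-Type out of the response headers and
// hands the collected bytes to finished_cb.
//
// Fix: the error branch now sets 'done' before reporting, like every other
// completion path; callers that poll is_done() would otherwise never see
// the download finish.
void Downloader::download_closed_cb(WvStream &s)
{
    WvError err;
    WvString mimetype = WvString::null;

    // as of this writing, errors are not properly set on a urlstream
    // when there's a problem, so we have to resort to hacks to validate stuff
#if WVHTTPPOOLFIXED
    if (!s.isok() && s.geterr())
#else
    if (0)
#endif
    {
        log("Didn't download %s successfully (%s).\n", url, s.errstr());
        err.seterr_both(s.geterr(), s.errstr());
        done = true;
        finished_cb(url, mimetype, downloadbuf, err);
        return;
    }

    WvHTTPHeaderDict::Iter i(stream->headers);
    for (i.rewind(); i.next(); )
    {
        if (!strcasecmp(i->name, "Content-Type"))
        {
            mimetype = i->value;
            break;
        }
    }

#ifndef WVHTTPPOOLFIXED
    // Without usable stream errors, an empty body is the only failure signal.
    if (!downloadbuf.used())
        err.seterr("Didn't download %s successfully.", url);
#endif

    done = true;
    finished_cb(url, mimetype, downloadbuf, err);
}


// Synchronously fetches the single attribute named in an LDAP URL and
// reports it through finished_cb.  Only "cACertificate;binary" and
// "certificateRevocationList" are accepted.  Every failure ends in
// finished_cb with the error "LDAP download failed!".
//
// The URL and the directory's answer are untrusted input.  Fixes against
// the previous version:
//  - a URL without an attribute list no longer dereferences lud_attrs;
//  - a missing attribute value (NULL from ldap_get_values_len) is treated
//    as a failed download instead of being dereferenced;
//  - the handle is only unbound if ldap_initialize() produced one;
//  - cleanup happens in one place.
//
// NOTE(review): 'url == "ldaps"' compares the whole URL with the scheme
// name, so the ldaps refusal below cannot trigger for a real URL.  Decide
// whether ldaps is meant to be refused or supported before changing it.
// NOTE(review): ldap_count_messages() counts every message of the result
// chain, not only entries -- ldap_count_entries()/ldap_first_entry() may be
// what is wanted here; confirm against the LDAP library documentation.
void Downloader::download_ldap()
{
    WvDynBuf buf;
    WvError err;
    WvString mimetype = WvString::null;

    log("Found an LDAP URI: %s\n", url);
    if (url == "ldaps")
    {
        log("Sorry, don't know how to handle LDAP over SSL yet.\n");
    }
    else
    {
        LDAP *ldap = NULL;
        LDAPURLDesc *lurl = NULL;
        LDAPMessage *res = NULL;
        bool fetched = false;

        int retval = ldap_initialize(&ldap, WvString(url));
        if (retval != LDAP_SUCCESS)
            log("LDAP could not initialize: %s\n", ldap_err2string(retval));
        else
        {
            log("LDAP initialized..\n");
            retval = ldap_url_parse(WvString(url), &lurl);
            if (retval != LDAP_SUCCESS)
                log("LDAP URL could not be parsed.\n");
            else if (!lurl->lud_attrs || !lurl->lud_attrs[0])
                log("LDAP URL does not name an attribute to fetch.\n");
            else
            {
                retval = ldap_search_ext_s(ldap, lurl->lud_dn, lurl->lud_scope,
                                           lurl->lud_filter, lurl->lud_attrs,
                                           0, NULL, NULL, NULL, 0, &res);
                if (retval != LDAP_SUCCESS)
                    log("LDAP Search failed: %s\n", ldap_err2string(retval));
                else if (ldap_count_messages(ldap, res) != 1)
                    log("LDAP Search returned more than one value, which is not permitted.\n");
                else
                {
                    WvString attr(lurl->lud_attrs[0]);
                    if (attr == "cACertificate;binary"
                        || attr == "certificateRevocationList")
                    {
                        struct berval **val =
                            ldap_get_values_len(ldap, res, attr);
                        if (val && val[0])
                        {
                            buf.put(val[0]->bv_val, val[0]->bv_len);
                            fetched = true;
                        }
                        else
                            log("LDAP entry has no value for attribute %s\n",
                                attr);
                        if (val)
                            ldap_value_free_len(val);
                    }
                    else
                        log("I don't know how to process the attribute: %s\n",
                            attr);
                }
            }
        }

        // Single cleanup point for everything acquired above.
        if (res)
            ldap_msgfree(res);
        if (lurl)
            ldap_free_urldesc(lurl);
        if (ldap)
            ldap_unbind_ext(ldap, NULL, NULL);

        if (fetched)
        {
            done = true;
            finished_cb(url, mimetype, buf, err);
            return;
        }
    }

    err.seterr("LDAP download failed!");
    done = true;
    finished_cb(url, mimetype, buf, err);
}
pathfinder-1.1.3/pathfinder-openssl-uninstalled.pc.in0000644000175200017520000000051310652446340023213 0ustar ppattersppatterstop_builddir=@PROJECT_SOURCE_DIR@ Name: OpenSSL Pathfinder Plugin Library Description: Library that allows OpenSSL to use PathFinder for certificate validation Version: @PACKAGE_VERSION@ Requires: openssl >= 0.9.8, dbus-1 >= 1.0 Libs: -L${top_builddir}/libpathfinder -lpathfinder-openssl-1 Cflags: -I${top_builddir}/libpathfinder pathfinder-1.1.3/.gitignore0000644000175200017520000000120311066506051016116 0ustar ppattersppatters*~ *CMakeFiles* CMakeCache.txt CPack* DartTestfile.txt Makefile Testing cmake_install.cmake libpathfinder/libpathfinder-nss-1.a libpathfinder/libpathfinder-nss-1.so libpathfinder/libpathfinder-nss-1.so.1 libpathfinder/libpathfinder-nss-1.so.1.0.0 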
libpathfinder/libpathfinder-openssl-1.a libpathfinder/libpathfinder-openssl-1.so libpathfinder/libpathfinder-openssl-1.so.1 libpathfinder/libpathfinder-openssl-1.so.1.0.0 libpathology.a nsstest openssltest pathclient pathfinder-nss-uninstalled.pc pathfinder-nss.pc pathfinder-openssl-uninstalled.pc pathfinder-openssl.pc pathfinderd pathverify t/all.t version.h wvcrash.txt x509path/libx509path.apathfinder-1.1.3/testdata/0000755000175200017520000000000011324134167015745 5ustar ppattersppatterspathfinder-1.1.3/testdata/certs/0000755000175200017520000000000011324134161017057 5ustar ppattersppatterspathfinder-1.1.3/testdata/certs/InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt0000644000175200017520000000124110652446340027515 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitAnyPolicy1 subsubCA20 010419145720Z 110419145720Z0m1 0 UUS10U Test Certificates1B0@U9Invalid Self-Issued inhibitAnyPolicy EE Certificate Test800  *H 0׻9N,gu xu)sVk2^sU']O.w1'r JbՃ`S۸OACgڞfkM@pTk0i0U#0"1vܒ0U8ߊ 4jHoL Td^0U0U 00  `He00  *H q룞'< f\h Zf*tlYg+zcr+O2< Ҭ1VQqɂ܆@:r_jxn06x~>>Z8tpathfinder-1.1.3/testdata/certs/InvalidinhibitAnyPolicyTest5EE.crt0000644000175200017520000000121610652446340025525 0ustar ppattersppatters000  *H 0N1 0 UUS10U Test Certificates1#0!UinhibitAnyPolicy5 subsubCA0 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Invalid inhibitAnyPolicy EE Certificate Test500  *H 0qɻȟ:zv= cD'ܣ1HLlY1s6Ot'}\H(jAZ ˻=)"ZemGӃ (fbߺˮxӾ޶aG1bIRwg@e0c0U#0s dU0URz5TQ:0U0U  00U 0  *H JzC˪#>H>F6xm[ an"YScju.N V ;6ES3_?@CgbzxkX*~@1hۭ]~0F7 ;$Ǯ;pathfinder-1.1.3/testdata/certs/keyUsageCriticalkeyCertSignFalseCACert.crt0000644000175200017520000000122010652446340027171 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0Z1 0 UUS10U Test Certificates1/0-U&keyUsage Critical keyCertSign False CA00  *H 0/Utw%oxO3ڎ*SFK=êg| H U]ڳ21u E7|ӆYJ6qP?bPKF7v-I'UzX }|0z0U#0l-'z <ꚼI0U|?蒶Mr1N:70U0U 00  `He00U00  *H 
\bB\"=ߜ1mo|(њ'2WȫLB`xnਲP8&#ls1ߗ _b\['mǢV=$w.˕kySapkpathfinder-1.1.3/testdata/certs/onlySomeReasonsCA3Cert.crt0000644000175200017520000000117510652446340024052 0ustar ppattersppatters0y0R0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0G1 0 UUS10U Test Certificates10U onlySomeReasons CA300  *H 03|3XokZ;!X V C|TkMt SB:PDL=ίZz,!5a ׁ(C7Ht,  Y{͡&D36jD:K|0z0U#0l-'z <ꚼI0UI{Oi~#ZVj00U0U 00  `He00U00  *H 7ɼ7"0Þ|$EBle}oUI3,:#):s}#Ƅ+BVÜT\>"KOVU(?p_4\)&qC{'(B,ǥm0LuP.¸pathfinder-1.1.3/testdata/certs/requireExplicitPolicy5CACert.crt0000644000175200017520000000122610652446340025247 0ustar ppattersppatters00+0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy5 CA00  *H 0M{f[%O*Z2HiiZ!F'e5:qMfJoiRflj6Hg̗vti噽\87aEK֝fgL"%EH/eEi00U#0l-'z <ꚼI0U-+h^+fC0U0U 00  `He00U00U$00  *H 1ׂ.#Mf ^y M"PjgtIvhjIgEO-BY.i\TGҲ'+3d"erRfM !Q9O޾ˊ.oU,pathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P12subCACert.crt0000644000175200017520000000135310652446340026025 0ustar ppattersppatters00P0  *H 0P1 0 UUS10U Test Certificates1%0#UinhibitPolicyMapping1 P12 CA0 010419145720Z 110419145720Z0S1 0 UUS10U Test Certificates1(0&UinhibitPolicyMapping1 P12 subCA00  *H 0.%īeq|1s 1(G<YOJ36-j:K? 
ZW y;w9hˤOڨgqZ{;ӳ?4*JKa ᯊ ڢ.`00U#0v0_K{7 &f0Uz0\6@ ؟R0U0%U 00  `He00  `He00@U!6040 `He0 `He00 `He0 `He00U00  *H M~RQ*{lY"H.O9S|w^匡)Zehhq՗]}3Г .6IzT%:kC'Z%A?aN \I1Mx6u؎V}|pathfinder-1.1.3/testdata/certs/indirectCRLCA6Cert.crt0000644000175200017520000000117110652446340023053 0ustar ppattersppatters0u0ޠY0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0C1 0 UUS10U Test Certificates10UindirectCRL CA600  *H 0xBbm3 *@ksXpZmbZ57vMAVo8gloD86 )fxg('wE1LJ@ؚ{ 2 |0z0U#0l-'z <ꚼI0U>N3YIf}0U0U 00  `He00U00  *H #.u&Τ@0OĝPjOѱ 3ob9-rJX'ˍr#+JR]ʄIZ|;v|0z0U#0l-'z <ꚼI0U\83EAЊ{0U0U 00  `He00U00  *H '*D!v'eT-7^= Ym Dž 8sUb=QVZΛ"itb%Q /qn  _pD3Z }PSʗpathfinder-1.1.3/testdata/certs/inhibitPolicyMapping5subsubsubCACert.crt0000644000175200017520000000130710652446340026771 0ustar ppattersppatters00,0  *H 0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping5 subsubCA0 010419145720Z 110419145720Z0U1 0 UUS10U Test Certificates1*0(U!inhibitPolicyMapping5 subsubsubCA00  *H 0;4vB8:1G=\kdNCU-&tKH8WYz٣Q wTRY`71 zDժ.!9a|efSW|;KzϾͮ00U#0jkGKwTR&0U$qWVHl10U0U 00  `He00&U!00 `He0 `He00U00  *H |'=tH9wt>cD0-vmܬji/j >| >"+= Wnevҝ*N@m7ȠDbNUi; _yA+[:m7=X<pathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P12subsubCACert.crt0000644000175200017520000000132710652446340026540 0ustar ppattersppatters00<0  *H 0S1 0 UUS10U Test Certificates1(0&UinhibitPolicyMapping1 P12 subCA0 010419145720Z 110419145720Z0V1 0 UUS10U Test Certificates1+0)U"inhibitPolicyMapping1 P12 subsubCA00  *H 0\>ӯ}3W˄EqV! 
"-7/Mzv40n0g?0Ds᧣npϬaA'Bͣw T"4?~ltSR200U#0z0\6@ ؟R0UZK>C&y!0U0%U 00  `He00  `He00&U!00 `He0 `He00U00  *H ;b;yU!ceN4NqC& QLzYh3d\pGZ+w dRÉelE.^8,k yi6eܣ=%Qh>Gκթc8{(Ypathfinder-1.1.3/testdata/certs/ValidRFC3280OptionalAttributeTypesTest8EE.crt0000644000175200017520000000135710652446340027277 0ustar ppattersppatters00T0  *H 01 0 UUS10U Test Certificates10U Gaithersburg1 0 U*John1 0U+Q10UA Fictitious1 0 UCA1 0 U,III1 0 U M.D.0 010419145720Z 110419145720Z0o1 0 UUS10U Test Certificates1D0BU;Valid RFC3280 Optional Attribute Types EE Certificate Test800  *H 0&r|ȩV:Bm[Nd/uvr5OK?I 1E h^Fz"0u--?N(leG{ۛE~ΫB IiϽ(ngwP% k0i0U#0,cBWWWc_s0UsnqRp 0U0U 00  `He00  *H pvb._C8B;>tO(Dzib=YI 4LO-lǘÜHg =C+͎ n>~Y#[ʓoCg@1a0U@}5\2xQH( 0U0U 00  `He00  *H -ܢey>fz9bHH6B{o|.a\-|u;社PV7{T2.*0?:9zVz:̈́!g] 9:nh1-稐pathfinder-1.1.3/testdata/certs/ValidDSASignaturesTest4EE.crt0000644000175200017520000000147210652446340024377 0ustar ppattersppatters0600 *H80:1 0 UUS10U Test Certificates10 UDSA CA0 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)Valid DSA Signatures EE Certificate Test400+*H80䋯@=|h ʞteKT*x3ڥr4hBwBd1Fzi̘-V^#_(ib\*^sI~"UVr)'wC EyMS_ ~?L> *Tlgl ;f 2w?l)ؼ!ݚwMڢuZfC쩈nLL?5g)NkPV/*"G%xk!?A^D].iȏ?;>OS(8/=aA=z2!q>M=A ̢GzV첋9ʠhkeD1"/SAO/,C$~+ddyHm669}'Go3~M$Wk0i0U3Q D@bqSi 0U#0t$^e ~HNa0U 00  `He00U0 *H800-ҙ@!h'& sYL0pNvٝ@pathfinder-1.1.3/testdata/certs/ValidUTF8StringCaseInsensitiveMatchTest11EE.crt0000644000175200017520000000126310652446340027706 0ustar ppattersppatters000  *H 0]1 0 UUS10U  test certificates 1.0,U %utf8string case insensitive match CA0 010419145720Z 110419145720Z0q1 0 UUS10U Test Certificates1F0DU =Valid UTF8String Case Insensitive Match EE Certificate Test1100  *H 0^6g2YLgToL݃wĀ6K?KߚgP RuMS0} z X 'FŮUϣ $[i%L{S-v+aQNy6Mk0i0U#06b)|Є^'ߩDb0U߹ K0U0U 00  `He00  *H dWeykf!p.B .^s]>N  A'uzNVs*1hgKY0fPKt2ܢn#c+zn@)Zس)pathfinder-1.1.3/testdata/certs/inhibitAnyPolicy1subCAIAP5Cert.crt0000644000175200017520000000123610652446340025315 0ustar ppattersppatters000  *H 0H1 0 UUS10U 
Test Certificates10UinhibitAnyPolicy1 CA0 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UinhibitAnyPolicy1 subCAIAP500  *H 0ս_\=\^KnA͓(0[tP)Kࢻc8 Mq>%eUl,i<>ԃ_VS9ڋ$Z']Qe3taV^|n!700U#0f۵ij>+ȨM+4D0U)c‚={_t soh0U0U 00  `He00U00 U60  *H |ů#zU$m%p]/*A&h;VdcԕH ;{#hƻ!sy@ű LS 't+BV{KhY‹sSkиa$Jʳ:39=({:yDpathfinder-1.1.3/testdata/certs/PoliciesP2subCACert.crt0000644000175200017520000000116610652446340023312 0ustar ppattersppatters0r0۠0  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0E1 0 UUS10U Test Certificates10UPolicies P2 subCA00  *H 0ź?xC!yѩTjCi.%ߵ+׌G{]jAɷjZ4G 0hd!6g-.Xk{OLQ.'"PH5e{43WXߺK!|0z0U#0.ȼ{'D53ߚ0UXJh#n 40U0U 00  `He00U00  *H h605qzL@ T5?}; Cmexu\-mQ&IJ5X'LG|S0KdR}qg4YSeRp(E|_24HlQ=pathfinder-1.1.3/testdata/certs/InvalidSeparateCertificateandCRLKeysTest21EE.crt0000644000175200017520000000126110652446340030114 0ustar ppattersppatters000  *H 0Y1 0 UUS10U Test Certificates1.0,U%Separate Certificate and CRL Keys CA20 010419145720Z 110419145720Z0s1 0 UUS10U Test Certificates1H0FU?Invalid Separate Certificate and CRL Keys EE Certificate Test2100  *H 0ϒ ^ !SY :tQYs 2ZrNm2r-"G]CY3P2{f -dURdճ.7:pJ<竝iQR{k0i0U#0|x4$ލZ0USi]?hR.eUqA0U0U 00  `He00  *H _Ȧ!Z#X]sG|\)RQP}A F4/Ү7oVmrt4s\nwd]p]%mY G`3>蠍dǘ! [ ,X`Ipathfinder-1.1.3/testdata/certs/ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt0000644000175200017520000000125510652446340027265 0ustar ppattersppatters000  *H 0X1 0 UUS10U Test Certificates1-0+U$Basic Self-Issued CRL Signing Key CA0 010419145720Z 110419145720Z0p1 0 UUS10U Test Certificates1E0CU oohtZ8\ُ6׹Oͽ%ٻn,UAT k0i0U#0q/QI|K0ULm}C'0U0U 00  `He00  *H 0g(@rD'd5cmm,M9/Dl&0xW%b*g`RB $Qf"w%2/~-Ohn؇X' +ܒRŽy7e bP@0>F;pathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P1SelfIssuedCACert.crt0000644000175200017520000000122410652446340027215 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping1 P1 CA0 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping1 P1 CA00  *H 0T\! 
.?T'7@6U~vAD]bCHŐ z[N:ŵzDI>M:rzc6p:vdީ_&+"W-L"<:(S|0z0U#0idRc j? Դ0Ul\l[`wSZ550U0U 00  `He00U00  *H O;2D=NQU(Yqgj \1KbiɌ sڝspvp-IxDkP x<C8w ޸n)ݲ=iǞ4>̚)pathfinder-1.1.3/testdata/certs/ValidLongSerialNumberTest16EE.crt0000644000175200017520000000124310652446340025212 0ustar ppattersppatters00 0  *H 0I1 0 UUS10U Test Certificates10ULong Serial Number CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Valid Long Serial Number EE Certificate Test1600  *H 0Nݫ9FuOISղr4c "G䜷r5Ý$4`h_B~ϾS~ ܨA?#ܞF.v+G66T5hk(<:k>S! Ik0i0U#0=H2&R Oߦ0Uɺy)f8C4z^R/0U0U 00  `He00  *H CD< /I9秳/ Tծm2E1 oBl1m#!9"N羜+ΠV~h2Myԫ a&I+نftҬb5zĀ:Ѵ͆ebbpathfinder-1.1.3/testdata/certs/ValidNameUIDsTest6EE.crt0000644000175200017520000000116610652446340023332 0ustar ppattersppatters0r0۠0  *H 0:1 0 UUS10U Test Certificates10 UUID CA0 010419145720Z 110419145720Z0S1 0 UUS10U Test Certificates1(0&UValid UIDs EE Certificate Test600  *H 0\XE> u) +l˰ݵkYE!pcKtӈ+w&#tFl0þq45=\1e-%[u'_H7[S2]=\ k0i0U#0e|AXDx0ULefujP'o0U0U 00  `He00  *H bI |-=1[[piu2xg.y}j׆y˾!@4VK.bg!X6;ZI=T+#94ok6+(ȵ`]ڢ=5:nwpathfinder-1.1.3/testdata/certs/InvalidEEnotBeforeDateTest2EE.crt0000644000175200017520000000120210652446340025172 0ustar ppattersppatters0~00  *H 0;1 0 UUS10U Test Certificates10UGood CA0 470101120100Z 490101120100Z0b1 0 UUS10U Test Certificates1705U.Invalid EE notBefore Date EE Certificate Test200  *H 0ίiMv2v$`M~XF,f"ePzxG@ܹ8+sL s~g7o_\+I~`d= adrСI&";(PNڞ}Hu*5k0i0U#0.ȼ{'D53ߚ0UOu>q'xAn+vv0U0U 00  `He00  *H f2&r.:rOrj`ts1z,?jv駼mÁCgӤ k0i0U#0bP[Ip9n0U1azm#}90U0U 00  `He00  *H  0/v8=;?>@6: 78.=U!>AVy6^^yx a^y,ZK뗦 B c.Sw_6G[ѽ_Dk"!;znOopathfinder-1.1.3/testdata/certs/InvalidcRLIssuerTest35EE.crt0000644000175200017520000000151710652446340024211 0ustar ppattersppatters0K0 0  *H 0C1 0 UUS10U Test Certificates10U indirectCRL CA50 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Invalid cRLIssuer EE Certificate Test3500  *H 0iݻ1MŒ|߰'cR3nsoQ.DFvYx0`bHoaՀ̀T5010U#0~û7KA=mY?DWm0UqǨRпwvTڌ0U0U 00  `He00U00ljh0f1 0 UUS10U Test 
Certificates10U indirectCRL CA51!0UCRL1 for indirectCRL CA5GE0C1 0 UUS10U Test Certificates10UindirectCRL CA60  *H ڔWOsYK@aL9ߋ`~-@ L Ga 2MGXKBNʬ3paZ ]>aұܵvTB˭ pathfinder-1.1.3/testdata/certs/InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt0000644000175200017520000000125710652446340027617 0ustar ppattersppatters000  *H 0X1 0 UUS10U Test Certificates1-0+U$Basic Self-Issued CRL Signing Key CA0 010419145720Z 110419145720Z0r1 0 UUS10U Test Certificates1G0EU>Invalid Basic Self-Issued CRL Signing Key EE Certificate Test700  *H 0ס`OQGKHxS~P?COC6iSh}ih}d* _j%;9cFNGϳ^/ Y02] m'SesZ"5aWk0i0U#0IN9s}~ P@ <}b3D&-l߳:͖?.5#OqCQ0uCr̆/uypCms!1둡ϱpNh[@k0i0U#03)茀L'%gv0U-XLԳhg(h0U0U 00  `He00  *H ձ@QtFс<1xmz]TS:E4NN A3~u$ңlehL}w2R6tl=d{gL6V1#Huۥǐ?WԠXEJRmpathfinder-1.1.3/testdata/certs/ValidNameChainingWhitespaceTest4EE.crt0000644000175200017520000000121510652446340026254 0ustar ppattersppatters00 0  *H 0A1 0 UUS10U Test Certificates 10U Good CA0 010419145720Z 110419145720Z0g1 0 UUS10U Test Certificates1<0:U3Valid Name Chaining Whitespace EE Certificate Test400  *H 0Us/ME}t}w*s1v .t5}(ݷw(*BI=rqP^ʩh7Xz!lF,L2!m:(|۰`_p"ޛ_$[wzQk0i0U#0.ȼ{'D53ߚ0Uw6_gn"!|X0U0U 00  `He00  *H [$kb K}'wL){cto=J$b`NJ+rk@g-{O;u*(>}+~ђʓG&<j(0<˰\Xr#pathfinder-1.1.3/testdata/certs/InvalidrequireExplicitPolicyTest3EE.crt0000644000175200017520000000121010652446340026575 0ustar ppattersppatters000  *H 0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy4 subsubsubCA0 010419145720Z 110419145720Z0f1 0 UUS10U Test Certificates1;09U2Invalid requireExplicitPolicy EE Certificate Test300  *H 0l@iU8!#u5(TmF 0-R@? 
0l2yMx=L?Gyd)eBם۷fu<iNG<.\I@ba^^ ,st&a7R0P0U#0+ݱzZbs1*y0UO"!KUݼ0U0  *H $H@DP`ܑk|mJ#e y<ݽq,ζ!hq>pmE ct8f-+Lm" :>+_:CO4|%i,d6pathfinder-1.1.3/testdata/certs/UTF8StringEncodedNamesCACert.crt0000644000175200017520000000116710652446340025013 0ustar ppattersppatters0s0ܠb0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0A1 0 UUS10U Test Certificates10U UTF8String CA00  *H 0ܦR5<Bmlo'A +)-Qz;.糖jF/U0҂\rqglRbۣ8F_'nmlx'ͅ[O_.QB?ô/1*b]VײuP bRs-K{!Z [愁ýӫ9A Tf3foq_5F_{SD*JVϹqV Bݳb1PZKzGM4: 00U#0O@3]"Vp0U@*,/_0U0U 00  `He00SUL0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA30SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA30  *H (5,7}V Nwi{L51bS\[ DƊ6 s& G%5DŽ1N톾0!c[j %Ф) A`iDItS~pathfinder-1.1.3/testdata/certs/inhibitPolicyMapping0subCACert.crt0000644000175200017520000000127310652446340025542 0ustar ppattersppatters00 0  *H 0L1 0 UUS10U Test Certificates1!0UinhibitPolicyMapping0 CA0 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping0 subCA00  *H 0֑ 9>jc_`W/-_`#b*C2 lytJ$>Ovo=He$Ivd]a9{@vx!q4KGja0Ȣ! u6pbkj<'^R)00U#0l B@ApR^7Z0U0ܮ0 9,!80U0U 00  `He00&U!00 `He0 `He00U00  *H N/r ~Z #Ycݓ44, Ehї_u k!NQYS$#ʺ,uQlϚeDe DJ(1T^U\%ȥ HL,Apathfinder-1.1.3/testdata/certs/ValidpathLenConstraintTest14EE.crt0000644000175200017520000000125410652446340025442 0ustar ppattersppatters000  *H 0U1 0 UUS10U Test Certificates1*0(U!pathLenConstraint6 subsubsubCA41X0 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Valid pathLenConstraint EE Certificate Test1400  *H 0s,_=hH\?38 ̩@sCſ×xGݫ\= H<]!$Qat#`q>ZnIE='-u=VpٳIX*Yk[db|0z0U#0犖t<I?p0UIo 1'M1ӡ}0U0U 00  `He00U00  *H _7Ŷ3 :Fz[[Q-k? 
c*d?~0IEGqNgVƢڡD!ByC6{@W06h 0*eLpathfinder-1.1.3/testdata/certs/pathLenConstraint0CACert.crt0000644000175200017520000000120210652446340024336 0ustar ppattersppatters0~00  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0I1 0 UUS10U Test Certificates10UpathLenConstraint0 CA00  *H 0]ul1M8 ?>?@d(gN̜Y 'JKr>E wFް,k@xP, ?"Ts7(>9ڪILSSeMuDŭj/5S~0}0U#0l-'z <ꚼI0U! vvӳ*&O֡oK0U0U 00  `He00U00  *H |J<_hlu0"57"ČYp$p1Z | ď޼aPil݋xq5d~=`OI 0ճ`.>d Lm-8Y?jvtpathfinder-1.1.3/testdata/certs/ValidcRLIssuerTest28EE.crt0000644000175200017520000000155110652446340023662 0ustar ppattersppatters0e0Π0  *H 0C1 0 UUS10U Test Certificates10U indirectCRL CA30 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Valid cRLIssuer EE Certificate Test2800  *H 0j bs+!ɌFuUÁ HNʘCk> KOL$|}D9+ x1.,@ܘt݄VO]ی{Ρ ÁVОQ3-wQ0M0U#0()Xg.:(0Uc)wW֭j#&0U0U 00  `He00U00Ӡ~|z0x1 0 UUS10U Test Certificates1"0 U indirectCRL CA3 cRLIssuer1)0'U indirect CRL for indirectCRL CA3QO0M1 0 UUS10U Test Certificates1"0 U indirectCRL CA3 cRLIssuer0  *H 9+a(ylf0 &,??S$Z\NɗPY<H/8tCm<5`#7^uetсFa]ݶ\=/< pathfinder-1.1.3/testdata/certs/nameConstraintsDNS2CACert.crt0000644000175200017520000000125610652446340024426 0ustar ppattersppatters00G0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS2 CA00  *H 0ٞ|TEH+jLȇ󉻏׿VdsNǀPbTech洉nz2.ouo"c̤{v)S$ir?k{3@*MiSەb39~00U#0l-'z <ꚼI0U~;ޜқBD{n0U0U 00  `He00U00)U00invalidcertificates.gov0  *H zL)q1Өٍ0i&2ehMhB2Y@JYJX!Av۝$:`@Cb˪*7N8J6ӜHX֦I}i'+=`nn13. 
sO!htv-(cEވs;{#.|J>`^~h  w=x~Ae0 s駏` =|0z0U#0l-'z <ꚼI0Ul_ا-\ I%[0U0U 00  `He00U00  *H 6MfV,j3@pqҘ8Ġc0EYYmneF, t0ԯ)W ­ yìSTt)m-i8ac14\rLpathfinder-1.1.3/testdata/certs/nameConstraintsURI2CACert.crt0000644000175200017520000000125610652446340024441 0ustar ppattersppatters00I0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0K1 0 UUS10U Test Certificates1 0UnameConstraints URI2 CA00  *H 0ЮR\Qs8mMC 3.=M)ǔUT6,O UijvzK{KWE0]$"(M#f8QXZ楐9ǃ|r;\*?+f?(3$MdCP( UOiVvIlܬ&ȥ7LTٽLRRwQIm$k0i0U#0#MKꡲ3X˂0Ua l۵bϒܞ%80U0U 00  `He00  *H %䡯m=vZDOkvA\2߁ GyM7wj-1Q 5 9H2n6*|wڐ+@x mhPB#JOxxp#BXy"pathfinder-1.1.3/testdata/certs/InvalidDNSnameConstraintsTest38EE.crt0000644000175200017520000000127210652446340026054 0ustar ppattersppatters000  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS1 CA0 010419145720Z 110419145720Z0e1 0 UUS10U Test Certificates1:08U1Invalid DNS nameConstraints EE Certificate Test3800  *H 0Ԋf>Ka}ƈ^`Ъs _s`6P!’O[pSTεJ0RjM9 ,x‡n]LC-9CgٿH͉8#VWY5PN)ǘJd}sҬPW--{V\GOpathfinder-1.1.3/testdata/certs/ValidIDPwithindirectCRLTest22EE.crt0000644000175200017520000000121410652446340025370 0ustar ppattersppatters000  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA10 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0Valid IDP with indirectCRL EE Certificate Test2200  *H 0(8?1++q qS_uh)4Zy{m"mV72R\Мg>=Q@uJ=UPAsjUZ݃÷ .9UQ`3!>-7rOk0i0U#0l_ا-\ I%[0Ufʆ2]CȠy-0U0U 00  `He00  *H j* c@2r{39} Q.f>jLl x;%c%{ ?X[8 9 sU.[WNhOO -ELV+8!vopathfinder-1.1.3/testdata/certs/carillon-invalid-ocsp.pem0000644000175200017520000000405211073205345023760 0ustar ppattersppatters-----BEGIN CERTIFICATE----- MIIF2zCCBMOgAwIBAgIBGDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJDQTEr MCkGA1UECgwiQ2FyaWxsb24gSW5mb3JtYXRpb24gU2VjdXJpdHkgSW5jLjEkMCIG A1UECwwbREVNTyBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzMRwwGgYDVQQDDBNURVNU IFJTQSBTaWduaW5nIENBMB4XDTA4MDkxODIzMTkxMloXDTExMDkxODIzMTkxMlow gYIxCzAJBgNVBAYTAkNBMSswKQYDVQQKDCJDYXJpbGxvbiBJbmZvcm1hdGlvbiBT 
ZWN1cml0eSBJbmMuMQ8wDQYDVQQLDAZQZW9wbGUxEzARBgNVBAMMClRlc3QgVXNl cjExIDAeBgkqhkiG9w0BCQEWEXRlc3QxQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw6Tu65wKNS+Vh0SIEG/5wgCUBnuedtdfW7el +mLB5If8SANG5bLaOyhvgICyzVT2GwXxk61Akgj54fE7bzv6iOpRucEmjvr/hJYv LgZhmIXzePixbxYCagze00MT7iYkeFub11DtAaCZSu9WlskQO+SjzuH9ehhr3xrH 8cWy1CNXOHgqNoW65v20KQK7FMbornt5+ZLPC+MctAJI4SBTwuq3kn2NHppBWp8e pwRh4oImB13N6hJK1kI71QGzVyuEMY6NQYIRa6j7Hu7LdKkAVrcJswTPadRj09Ek IbYqIZiGNRNLXg54uFeKJaKoK66qhI0rH23nk8CTdPAsVh4hxwIDAQABo4ICXTCC AlkwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwUAYJYIZIAYb4QgENBEMWQURv IE5vdCB0cnVzdCAtIENlcnRpUGF0aCBjb21wbGlhbnQgSUQgQ2VydCBmb3IgVEVT VCBwdXJwb3NlcyBvbmx5MB0GA1UdDgQWBBSmvO6P9pC5E1bsRytE+qP6PI0tPzAf BgNVHSMEGDAWgBQ8tMjtdo9zkhzr+m19ReuV80Vf6zCBgQYIKwYBBQUHAQEEdTBz MEgGCCsGAQUFBzAChjxodHRwOi8vd3d3LmNhcmlsbG9uLmNhL2Nhb3BzL0Nhcmls bG9uLW1lZGl1bS10ZXN0LWJ1bmRsZS5wN2MwJwYIKwYBBQUHMAGGG2h0dHA6Ly93 d3cuY2FyaWxsb24uY2Evb2NzcDA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vd3d3 LmNhcmlsbG9uLmNhL2Nhb3BzL3Rlc3QtY3JsMS5jcmwwgegGA1UdIASB4DCB3TBu BgsrBgEEAYHDXgECZTBfMF0GCCsGAQUFBwICMFEwKRoiQ2FyaWxsb24gSW5mb3Jt YXRpb24gU2VjdXJpdHkgSW5jLjADAgEBGiRURVNUIG1lZGl1bSBzdyBwb2xpY3kg LSBkbyBub3QgdHJ1c3QwawYLKwYBBAGBw14BAWUwXDBaBggrBgEFBQcCAjBOMCka IkNhcmlsbG9uIEluZm9ybWF0aW9uIFNlY3VyaXR5IEluYy4wAwIBARohVEVTVCBs b3cgc3cgcG9saWN5IC0gZG8gbm90IHRydXN0MA0GCSqGSIb3DQEBBQUAA4IBAQB8 cAV/0euIWrG2dH11EVgKVPZWjpST9xX+7fesN/GOWaiU3tZE7JsdDXzQF4DUvVB3 CRNSC/rRxnEAVtvT7EGxH4kJBhbawer2pHdnxnLYeWlilNYg4rEcdQ74+4F8gYMk PzVFws3KuOGthrsWTf3ul9HJUxRF68tAdnZ8uSBO9/8CEeo5vofxRECDx3oFWHRn Noj95jlejAUwBWALrxLUdiryx0xzB51nMgGVtOFw4XPXa5FjMxopPUSi7Dap4rzF NPGGpiEgsJ4VZwa75oqfCbA0QZ/Ilkxs6Wyh4nbKoSxmbXS+yNFgEv/UKDqaukTk A/k0vBKRPIkqPsdn3zOw -----END CERTIFICATE----- pathfinder-1.1.3/testdata/certs/ValidrequireExplicitPolicyTest4EE.crt0000644000175200017520000000123710652446340026260 0ustar ppattersppatters000  *H 0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy0 subsubsubCA0 010419145720Z 110419145720Z0d1 0 UUS10U 
Test Certificates1907U0Valid requireExplicitPolicy EE Certificate Test400  *H 0αwb{x%J7n:]|8acQe1m]ȔEuDj6D2esJ*n5+ԮIZlriL{APR9zsc=f6.8k0i0U#0YnypaRI*0UA#iqZ-J* 0U0U 00  `He00  *H VʎŊȷ\9#sײL^ҩ{FỎF5&U? lxr`-'&'ou&U3esAi"Չxu<pathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P12subCAIPM5Cert.crt0000644000175200017520000000127610652446340026464 0ustar ppattersppatters00#0  *H 0P1 0 UUS10U Test Certificates1%0#UinhibitPolicyMapping1 P12 CA0 010419145720Z 110419145720Z0W1 0 UUS10U Test Certificates1,0*U#inhibitPolicyMapping1 P12 subCAIPM500  *H 0k$,fpD~z)#uQB|uFsY2 0ihey8ڿJn.H Hs D/sX rk|ug5q500U#0v0_K{7 &f0UގVĪN p>0U0%U 00  `He00  `He00U00U$00  *H H ,q9{Z׬3U-JinGx{Rx#p`ٜ+]TЌqEIŹ 4b W9Gٽp* 4,O4p|y5pathfinder-1.1.3/testdata/certs/DifferentPoliciesTest3EE.crt0000644000175200017520000000120510652446340024332 0ustar ppattersppatters000  *H 0E1 0 UUS10U Test Certificates10UPolicies P2 subCA0 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Different Policies EE Certificate Test300  *H 04tŇs#gV0.VǼK p M$~kV-cx6H(#v=!#劌 #m9lnb`p}i[r-Q0!W`k0i0U#0XJh#n 40Ur:{w1FզB"~j>0U0U 00  `He00  *H %4 eD1Z &=~j@Z:)f~+< $ zCkHw 7.\|Qi9@iᚂF"9/rc$i0rrtF'P&pathfinder-1.1.3/testdata/certs/indirectCRLCA4Cert.crt0000644000175200017520000000117110652446340023051 0ustar ppattersppatters0u0ޠW0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0C1 0 UUS10U Test Certificates10U indirectCRL CA400  *H 0΢bYeWFE%ōH&ȃ?.:Z#:*(n83:9rPsp)]q\"YkSL=?eh8zOI|0z0U#0l-'z <ꚼI0UCTxP 4@'0U0U 00  `He00U00  *H UB鳷LYP6ZnYjd^&e9?܉ZRlLCảdz^ʲ"dεhOr˿|Q 7AaN_nѝpathfinder-1.1.3/testdata/certs/InvalidBadCRLIssuerNameTest5EE.crt0000644000175200017520000000122310652446340025270 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UBad CRL Issuer Name CA0 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0Invalid Bad CRL Issuer Name EE Certificate Test500  *H 0l# )Q)A`/Kbº=Tߤ0}j!?+m̳2Tt^y%%-P·57NgKKvM>@'IˆK!!Vɯ{hy'2nEck0i0U#04cQP2YCg0U( P93.g0U0U 00  `He00  *H 
awWk{/{+,'O%OV,޹#TCnxUJ)͛V'aw2D*l/*>o(5Ѩj0pVmN1SS Q]c1cZ F.pathfinder-1.1.3/testdata/certs/InvalidIDPwithindirectCRLTest23EE.crt0000644000175200017520000000121610652446340025722 0ustar ppattersppatters000  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA10 010419145720Z 110419145720Z0f1 0 UUS10U Test Certificates1;09U2Invalid IDP with indirectCRL EE Certificate Test2300  *H 0u: ݹvsOlH+d5d $< NPU݌ӆ/7rˡl0FXh8)"~tkjAХ &&3o8n2ovk0i0U#0l_ا-\ I%[0UF:VH:7#0U0U 00  `He00  *H lp!e@qXSixm`5\rRVA&5_Np"q KN0S8怢.r'vAyh2rtREX Z2"NL`[G{]&k6{a.Xpathfinder-1.1.3/testdata/certs/PoliciesP123subsubsubCAP12P2P1Cert.crt0000644000175200017520000000123110652446340025561 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test Certificates1$0"UPolicies P123 subsubCAP12P20 010419145720Z 110419145720Z0T1 0 UUS10U Test Certificates1)0'U Policies P123 subsubsubCAP12P2P100  *H 0ƽ [&9иScqω%g"[ ofwRJ,EZەǻ]vjYI%ECZncuV9'CSV:%HCL'x`Dk}|0z0U#09n9pdh+MT,0U*WARϨns0U0U 00  `He00U00  *H OA$Ԅx<:z*ʴ귝Y^ & rc2i6'\Vj^JVks"{$ lݵga'w> +l1??ݐ˷ EhATpathfinder-1.1.3/testdata/certs/InvalidUnknownCriticalCertificateExtensionTest2EE.crt0000644000175200017520000000125310652446340031417 0ustar ppattersppatters00_0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0p1 0 UUS10U Test Certificates1E0CUer;_$y^%WGhɁmsIpathfinder-1.1.3/testdata/certs/PoliciesP12subCAP1Cert.crt0000644000175200017520000000120110652446340023562 0ustar ppattersppatters0}00  *H 0C1 0 UUS10U Test Certificates10UPolicies P12 CA0 010419145720Z 110419145720Z0H1 0 UUS10U Test Certificates10UPolicies P12 subCAP100  *H 0V J79R;oU LSt^>f̃x/ q QObtqn&FD{QvO917>٧;A#2Hۊ@(:|0z0U#0eԆ39^L0UBxC޺Ca0U0U 00  `He00U00  *H `YS]WbS cxܭp7Ў .S~Hk]7yCTCk|趁 DK|FL|okL,Y<xh93 }gkj:+Qpathfinder-1.1.3/testdata/certs/InvaliddeltaCRLTest9EE.crt0000644000175200017520000000145410652446340023711 0ustar ppattersppatters0(00  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA20 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Invalid deltaCRL EE 
Certificate Test900  *H 0o1ԾY@u]jft Ep8ڏS_/=#44%5QyHs,"]8K|ʴRpGum4S<jI6 ]wa*5@o"n  00U#0Wf&mr:le C 0UI)߳-bû3Ck0U0U 00  `He00SUL0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA20SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA20  *H cI-,.=XF @D51*h-x͹ xwz T16Oucҽm l+}MjjVܷlL)9 M~/'Mz[m}t$>E@iR;~/>$Epathfinder-1.1.3/testdata/certs/nameConstraintsDN4CACert.crt0000644000175200017520000000145410652446340024305 0ustar ppattersppatters0(0A0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UnameConstraints DN4 CA00  *H 0>?"B4-AD 3 p 6d"_w[`-3\>mM  ^3 #r/qp)t^ 5s p*Ӟc:J/_gXqEr"&0"0U#0l-'z <ꚼI0U3)茀L'%gv0U0U 00  `He00U00U00HF0D1 0 UUS10U Test Certificates10U excludedSubtree10HF0D1 0 UUS10U Test Certificates10U excludedSubtree20  *H w4ޝ m}P.(a>B8B8?,FH'k%tנ?qv\Я0 EBY"3cwr<)HVzoXb؋pathfinder-1.1.3/testdata/certs/InvalidWrongCRLTest6EE.crt0000644000175200017520000000117710652446340023713 0ustar ppattersppatters0{00  *H 0@1 0 UUS10U Test Certificates10U Wrong CRL CA0 010419145720Z 110419145720Z0Z1 0 UUS10U Test Certificates1/0-U&Invalid Wrong CRL EE Certificate Test600  *H 0aß8oJ}$>Uo/,MNJ!"Y钑۾~!􍘷8S: Z\QBLGDʗ&0ng6Y6N(!X_k0i0U#0mŸ}\ 'KTiw0UOb6D=so}0U0U 00  `He00  *H =^zH4V\y5 lko"1Aљ_85fD%c@_\U+"y Dh/N#HX'. 
S =sBRp.7%]EμlUN$&pathfinder-1.1.3/testdata/certs/ValidGeneralizedTimeCRLnextUpdateTest13EE.crt0000644000175200017520000000124610652446340027455 0ustar ppattersppatters00 0  *H 0S1 0 UUS10U Test Certificates1(0&UGenerizedTime CRL nextUpdate CA0 010419145720Z 110419145720Z0n1 0 UUS10U Test Certificates1C0AU:Valid GeneralizedTime CRL nextUpdate EE Certificate Test1300  *H 0[aƄ$r]-L"RW8Ndx\ KSֹT<XYEIϧ7.h{8-~SeI0eD΃ͧ%Sxtf\!W(zq%k0i0U#0.`b㊫x00U@\=ͥTE4/0U0U 00  `He00  *H rLa - CS~S(>(hTuc?A Kږj~F/ J dW2Lm拦h H$?@ʪ3&3Ƅj vk0i0U#0[愈l[ΓiM0U({͹F T7s`^OV0U0U 00  `He00  *H 8p\i@NU7Valid No issuingDistributionPoint EE Certificate Test1000  *H 03+M8l/S/3%59ZJ1V6-U_&ƀ-4ǴvE"LiT8ݡt3-`SKE%};#eR1؇gG?&>MXL83y00U#0,'#AaO210UZYbUYJh0U0U 00  `He00sUl0j0hfdb0`1 0 UUS10U Test Certificates1'0%U No issuingDistributionPoint CA1 0 UCRL0  *H ';kk BE#?]#]cM=yt.CXy,ƀƫi <e[DUKO]1.G/5oOIH7Nxpathfinder-1.1.3/testdata/certs/InvalidinhibitPolicyMappingTest5EE.crt0000644000175200017520000000123710652446340026374 0ustar ppattersppatters000  *H 0U1 0 UUS10U Test Certificates1*0(U!inhibitPolicyMapping5 subsubsubCA0 010419145720Z 110419145720Z0e1 0 UUS10U Test Certificates1:08U1Invalid inhibitPolicyMapping EE Certificate Test500  *H 0Mcyj !$8OLR*DUӍj89ߧKiagn(: K;Gfwɞ`zQUۿ%WI{H:=WHMpky(c/Sk0i0U#0$qWVHl10UJ9,_Yڼ)0U0U 00  `He00  *H H 57\bB=˛.kӎЉ O}ܪB~vdMyiv[c??Ot9Pw |r;=t>ZM)V}b[%EE:7§ C&y!0UZXj٪*D;dK>0U0U 00  `He00  *H 3~LúI1zn2eT1@Gr~ JZ:cCP _J2eAC+)6Jm u i+{w_ɪi觻#>iSYV -XWpathfinder-1.1.3/testdata/certs/TwoCRLsCACert.crt0000644000175200017520000000116510652446340022123 0ustar ppattersppatters0q0ڠ 0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0?1 0 UUS10U Test Certificates10U Two CRLs CA00  *H 0utʸVfmKܩA3"ks< G[.O"sNwjֳwDFR2}$ Ӎl Q &6CML]XUiէ"=]ԧ1|0z0U#0l-'z <ꚼI0U0JC&A#SSG0U0U 00  `He00U00  *H [N6737vƛN5*ym|Wc75HdVQ.SE#(4=H q#hV9+]}_A3qS҇tN3\e2ǚpathfinder-1.1.3/testdata/certs/P1anyPolicyMapping1to2CACert.crt0000644000175200017520000000204210652446340025013 0ustar 
ppattersppatters0060  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UP1anyPolicy Mapping 1to2 CA00  *H 0$PTEKo%?]{ǚ|0QU/0.yď&Ww-3|ue7iB8@#m`o))'>gZ=Y$6P:[ _U`qIq]r/_bݸ57'00U#0PWjoA^z0~0UjI bK0U0U 00  `He00U}0{0ywus0q1 0 UUS10U Test Certificates10U distributionPoint1 CA1&0$UCRL1 of distributionPoint1 CA0  *H h'M#2jd(g*WH/& RV) -,1[.FD l5* ̎ЏvNRTޔWq\^o `X([#Jo~9pathfinder-1.1.3/testdata/certs/NoCRLCACert.crt0000644000175200017520000000116310652446340021541 0ustar ppattersppatters0o0ؠ0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0=1 0 UUS10U Test Certificates10U No CRL CA00  *H 0oơg)Ȯ% N@<'A '7&f|0z0U#0l-'z <ꚼI0UNhE}x?$0U0U 00  `He00U00  *H *^֞/f$ox}`; T~Eu]ݕ8Q8 fH [[ik:vb9vy/dC0#R$nCY>uoK$jtpathfinder-1.1.3/testdata/certs/ValidNameChainingCapitalizationTest5EE.crt0000644000175200017520000000121310652446340027132 0ustar ppattersppatters00 0  *H 0;1 0 UUS10U Test Certificates10UGOOD CA0 010419145720Z 110419145720Z0k1 0 UUS10U Test Certificates1@0>U7Valid Name Chaining Capitalization EE Certificate Test500  *H 06$eSCx*`s+HKo`2[#O`]:RMaHA'ь~Y$Nm^K.RNR#:崀"7틯U`8h,X;|3 ENkk0i0U#0.ȼ{'D53ߚ0ULod:xQ0U0U 00  `He00  *H Uո2K [l{d@VBtL:ՃXN i{l| #bm vӘ؁-a]C ocnSf[8ϿdX'\3epathfinder-1.1.3/testdata/certs/DifferentPoliciesTest4EE.crt0000644000175200017520000000117610652446340024342 0ustar ppattersppatters0z00  *H 0>1 0 UUS10U Test Certificates10U Good subCA0 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Different Policies EE Certificate Test400  *H 09Iz!HwΧCߓ̛gL1p݋Nb$e<$VKo}΄BXLqoqG' G_Q*q+օT*,%k0i0U#0|\i|U")C{}0U2ZprlD0U0U 00  `He00  *H VV0c`lҗ=e()ߺKBS ISHQB ϶҅7|7C.W`1@:DW0 BD2gtv)x0-{5u-eF4Y<(ޓ$yyMpathfinder-1.1.3/testdata/certs/UserNoticeQualifierTest16EE.crt0000644000175200017520000000155210652446340024747 0ustar ppattersppatters0f0Ϡ0  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0_1 0 UUS10U Test Certificates1402U+User Notice Qualifier EE 
Certificate Test1600  *H 02ذWn-hv%/$XQ*UNM?+HB ̝ksO{^̯y0)obI5~M[u0!)0rϱsT0P0U#0.ȼ{'D53ߚ0U@WsvD:Aeo!00U0U 00x `He00j0h+0\Zq1: This is the user notice from qualifier 1. This certificate is for test purposes only0v `He00h0f+0ZXq2: This is the user notice from qualifier 2. This user notice should not be displayed0  *H cb@v|Z wV^: q`Xd+NG%J!1rder~U*&HapSuJ~7źd*(cg.|"T(QŽ%XR>pathfinder-1.1.3/testdata/certs/ValidIDPwithindirectCRLTest24EE.crt0000644000175200017520000000134410652446340025376 0ustar ppattersppatters00I0  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA20 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0Valid IDP with indirectCRL EE Certificate Test2400  *H 0>6:'6EzfDzX!-11~٘{\z^%ej}) $͑665(5v1Σ /2D鸀 -O)oe 00U#0O1b; G@dΆpathfinder-1.1.3/testdata/certs/InvalidEEnotAfterDateTest6EE.crt0000644000175200017520000000120110652446340025034 0ustar ppattersppatters0}00  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 020101120100Z0a1 0 UUS10U Test Certificates1604U-Invalid EE notAfter Date EE Certificate Test600  *H 0# /E§ !Z?"sTAdM/k\vT3o|()Ԉ>EkYXHi}ARh=Ql m?l4}U8>Gk0i0U#0.ȼ{'D53ߚ0U"k@"kj 6O0U0U 00  `He00  *H  l(p{Q6GP=]An҈>rZh&>͹pN/lt-Ʉ˕r 1UsN?B.fۘnN밬iQND|KOy!F:邇?pathfinder-1.1.3/testdata/certs/InvalidUnknownCRLExtensionTest9EE.crt0000644000175200017520000000122710652446340026152 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UUnknown CRL Extension CA0 010419145720Z 110419145720Z0f1 0 UUS10U Test Certificates1;09U2Invalid Unknown CRL Extension EE Certificate Test900  *H 0aƱݺꌓ_sGL4>[lC('_uy .7OX2Fz{t?ƨG>4Uy޴I.P!9Rph.XGX6f4W=P=k0i0U#0j7L'naU0U?2k'^\3 g0U0U 00  `He00  *H 1aW V <0hmQ2S҇X<u{(H7DG^QAֽ>h=VA{>xJ ĊyY,Z (ulX>Na5NJ|4ПQ~pathfinder-1.1.3/testdata/certs/InvalidRFC822nameConstraintsTest22EE.crt0000644000175200017520000000130710652446340026266 0ustar ppattersppatters00,0  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA10 010419145720Z 110419145720Z0h1 0 UUS10U Test Certificates1=0;U4Invalid RFC822 
nameConstraints EE Certificate Test2200  *H 0L?B^NBAMo[^z5]yRnRD#~gCM/Ed{z1~9{|0z0U#0BxC޺Ca0Ug l*Um-"Ks+*0U0U 00  `He00U00  *H D`,$w LuJC( ZUn̢{h!b2iYR4tz6g8k(JLa,-S> qO'zƔR۸yFw!fM pathfinder-1.1.3/testdata/certs/ValidDNnameConstraintsTest6EE.crt0000644000175200017520000000125410652446340025315 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN3 CA0 010419145720Z 110419145720Z0}1 0 UUS10U Test Certificates10U permittedSubtree11604U-Valid DN nameConstraints EE Certificate Test600  *H 0o$0="wA_~Q;9`!|14 p;AHXQ&?]eꪅ&_x1n!+$M`enS jϜ8%:PzUk0i0U#0XVj=;6˶0U腛31(d,dmPٯ0U0U 00  `He00  *H  ZX}K!_I/.F27T bgDs:BpĈIɴk2^2}uuO}TeLpmWmXVYHuպͷ'=^@vT_u'lR2FlC 5F oG+ڮ85[k!42D {!7}Ri00U#0ugG ۞Rsx0U/X7r!0U0U 00  `He00-U&0$"testserver.invalidcertificates.gov0  *H KO8V%Huzx2Hsg* vMްJSYPŸ6#c.dXʦ L(t5n>K|u-V'Yl^ Su?b@Gc(逝:Dr3/ yg9&pathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest17EE.crt0000644000175200017520000000126210652446340025725 0ustar ppattersppatters000  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints DN3 subCA20 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U excludedSubtree11907U0Invalid DN nameConstraints EE Certificate Test1700  *H 09êq%rDE&!/+L+'xo~B 'n*Y * nN8\u.>j.>b&عd/ Ml.$ ]ya풥uk0i0U#0 H(qjH$ Tz.lk;Ekf6R*kPn~ZP\Ypathfinder-1.1.3/testdata/certs/InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt0000644000175200017520000000125110652446340030433 0ustar ppattersppatters000  *H 0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping1 P1 subCA0 010419145720Z 110419145720Z0r1 0 UUS10U Test Certificates1G0EU>Invalid Self-Issued inhibitPolicyMapping EE Certificate Test1000  *H 0eGED"bO@6fqpsGkg,3[guppYէ`RjyȥI4ܹim}V&Nv*tQMdIyE vPUs{_k0i0U#0A$KFʍNbEDEփ0UC(~n3[w7F0U0U 00  `He00  *H {to}]03@x rfL ܩS66D)G޴OQX7'oD+ Z^0L,!oŢcem!# oekrKbʵ AK+e .bP<`pathfinder-1.1.3/testdata/certs/PoliciesP123CACert.crt0000644000175200017520000000124610652446340022743 0ustar ppattersppatters00 $0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 
010419145720Z 110419145720Z0D1 0 UUS10U Test Certificates10UPolicies P123 CA00  *H 0kUDWHW2&QbQ]@+9`.ʖĜ&8}Z/U+nQѢPS8oQqa@@aj^E>XjjIxJu~>(#00U#0l-'z <ꚼI0Uп͛Zϐ0U03U ,0*0  `He00  `He00  `He00U00 U$00  *H wT!yys!Y%y ̍VbTMxRSG.>lI)/&qJd*-\mp5h9u-r_cKA!ꡁhM~JvؒJ5KVpathfinder-1.1.3/testdata/certs/NoissuingDistributionPointCACert.crt0000644000175200017520000000121010652446340026205 0ustar ppattersppatters00L0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0R1 0 UUS10U Test Certificates1'0%U No issuingDistributionPoint CA00  *H 0#C\UZHԙDmY{oe]l6`ȑ qP3l ϿVKo3;{i(iGsONfƘܜػrϋM֔O|0z0U#0l-'z <ꚼI0U,'#AaO210U0U 00  `He00U00  *H orޔ e_2+LGc.*%;-iQHFviܺKi`,x3K^e`@s WabwSRpathfinder-1.1.3/testdata/certs/InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt0000644000175200017520000000125310652446340030365 0ustar ppattersppatters000  *H 0U1 0 UUS10U Test Certificates1*0(U!inhibitPolicyMapping1 P1 subsubCA0 010419145720Z 110419145720Z0q1 0 UUS10U Test Certificates1F0DU=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test900  *H 0\^BA>н녇P=*ܘJޟf;cKx;\1a_AˁR9V0rmk*(nYd? 
ZCԷ l)z+#J$Q'k0i0U#0~C}e;7}'У0U߅A6?/j)50U0U 00  `He00  *H (L"RM_:!d'n$SpP+c zk*(h(@7dDʼC Lo\DpT3T/Aܨ.ϰ{(erqR\O pathfinder-1.1.3/testdata/certs/ValiddistributionPointTest4EE.crt0000644000175200017520000000130710652446340025451 0ustar ppattersppatters00,0  *H 0I1 0 UUS10U Test Certificates10U distributionPoint1 CA0 010419145720Z 110419145720Z0`1 0 UUS10U Test Certificates1503U,Valid distributionPoint EE Certificate Test400  *H 0HYG|Q9y#00ESBamOz uFEkRpathfinder-1.1.3/testdata/certs/InvalidpathLenConstraintTest12EE.crt0000644000175200017520000000125610652446340025771 0ustar ppattersppatters000  *H 0U1 0 UUS10U Test Certificates1*0(U!pathLenConstraint6 subsubsubCA11X0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Invalid pathLenConstraint EE Certificate Test1200  *H 0<;Ζt V51K|'(mOwɕJcnà Z}vFDž3NW3tqE 60]Rt%Uy1Eg1EL253bIl?"|0z0U#0j6Wu?BP(7ŭ0U 泖, m.0U0U 00  `He00U00  *H ͢t|/U)_hvXj7[W w%ðG'hT 1Cۿt!uhI=YeQ^${w6IR:69IX:/s0 Q1+w&G9Opathfinder-1.1.3/testdata/certs/InvalidDNSnameConstraintsTest33EE.crt0000644000175200017520000000127310652446340026050 0ustar ppattersppatters00 0  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS2 CA0 010419145720Z 110419145720Z0e1 0 UUS10U Test Certificates1:08U1Invalid DNS nameConstraints EE Certificate Test3300  *H 0/[|-b ӠF=^I*JNXxp T(eNnF ,p s-Ёoף?kĩ舍wT=Aԧ"pathfinder-1.1.3/testdata/certs/requireExplicitPolicy10subCACert.crt0000644000175200017520000000122510652446340026034 0ustar ppattersppatters000  *H 0N1 0 UUS10U Test Certificates1#0!UrequireExplicitPolicy10 CA0 010419145720Z 110419145720Z0Q1 0 UUS10U Test Certificates1&0$UrequireExplicitPolicy10 subCA00  *H 0g 6-6] Bo^cիވЩ"A:pathfinder-1.1.3/testdata/certs/UnknownCRLExtensionCACert.crt0000644000175200017520000000120210652446340024513 0ustar ppattersppatters0~0 0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UUnknown CRL Extension CA00  *H 0 ?$ 6%,{RG?m@\rSrO!$}Iz9 FT= En) ⭶m7GHZ @ 
NCHhVq)ܘIZ؁Me#|0z0U#0l-'z <ꚼI0Uj7L'naU0U0U 00  `He00U00  *H Z"p aX0D.*۬I;$S*s|te:QN+RW?㣜<ʅy3M˦QCY xwb4p'V,9(}(2`Uo+ʹpathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest13EE.crt0000644000175200017520000000122210652446340024547 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test Certificates1$0"UP1anyPolicy Mapping 1to2 CA0 010419145720Z 110419145720Z0^1 0 UUS10U Test Certificates1301U*Valid Policy Mapping EE Certificate Test1300  *H 0ʠ`^2"Am7֣h/cY3_ %&]/-9q-^y6=ŜZh:dۡ iWf_,ns#!^ H,>k0i0U#0-7?YWk0UݚQbk4kQ0U0U 00  `He00  *H 7a+tG{ĺR8Bu9E?b}*Q:jf iB^饆0{0uo!Z1YES72iQBd 嚓.}Qӭpathfinder-1.1.3/testdata/certs/InvalidCAnotBeforeDateTest1EE.crt0000644000175200017520000000122010652446340025163 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UBad notBefore Date CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid CA notBefore Date EE Certificate Test100  *H 0?H߉`YȒU;aiU}lՒ~Ɨ: dM;ݒN`.M\|ID.چZCڂ4uHܧ[~J[Ênkk0i0U#0z3#*lO8"}X0UiY=egf[~u7SY0U0U 00  `He00  *H m"3Ow :\h 3ԁLt4O2Ω=|F̤f AVR Upժ>)Ohh݄e 0i"QaW]= ,pathfinder-1.1.3/testdata/certs/BasicSelfIssuedNewKeyCACert.crt0000644000175200017520000000120610652446340024755 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued New Key CA00  *H 0)2 췋ze]S%8C$GUvGQq h)'}8(ޛ5|-A| I KIGȳ;R$(˄6D-=ⳆܯQ  `*jA|0z0U#0l-'z <ꚼI0UE̸!GIx(0U0U 00  `He00U00  *H Dh>e~"i+BR{,c!I_yUi 0}0U#0l-'z <ꚼI0UvdzJ0U0U 00  `He00U00  *H efH-6tӬEMlHFGJ8e53S| .g #-soSvVG B%z8q!4AOj=]ݛ*J) oމBpathfinder-1.1.3/testdata/certs/ValidSelfIssuedrequireExplicitPolicyTest6EE.crt0000644000175200017520000000121110652446340030241 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy2 CA0 010419145720Z 110419145720Z0p1 0 UUS10U Test Certificates1E0CU F. 
$oPl,)?4N`˦pathfinder-1.1.3/testdata/certs/ValidBasicSelfIssuedOldWithNewTest1EE.crt0000644000175200017520000000124210652446340026670 0ustar ppattersppatters000  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued New Key CA0 010419145720Z 110419145720Z0m1 0 UUS10U Test Certificates1B0@U9Valid Basic Self-Issued Old With New EE Certificate Test100  *H 0aڳX dO%z65ʋT+b ߴf lew/*V\3C5|%;b6m1#5FSk(zLu&!N1:g.k0i0U#0[ѿy\s LF-0U! tMK:%0U0U 00  `He00  *H fO\!h~qBC+vXX ;{<7k04?5Tq(b'33`bI .Qrc}yQ#ŀD_/]2fDvT pathfinder-1.1.3/testdata/certs/PoliciesP1234CACert.crt0000644000175200017520000000126510652446340023030 0ustar ppattersppatters00#0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0E1 0 UUS10U Test Certificates10UPolicies P1234 CA00  *H 02 V}(,a厸f!9:߁sK]&4֡!,&}yģ4DC}fkxl*>Xo)C.0vr**ߺ}9hSY +:C9000U#0l-'z <ꚼI0U0yOozhCL@q 0U0AU :080  `He00  `He00  `He00  `He00U00 U$00  *H #u1kIyݗcFq:Lz ? (f*= (>q]A&4@S:|Ok' ƭe/10ัڌgCa2a1̈~pathfinder-1.1.3/testdata/certs/SeparateCertificateandCRLKeysCRLSigningCert.crt0000644000175200017520000000117610652446340030073 0ustar ppattersppatters0z0f0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Separate Certificate and CRL Keys CA100  *H 0Ε[A~I[Jl$))/n/aBşۢc0($N58w \_`00U#0l-'z <ꚼI0U+6ftK1U16co50U0U 00  `He00U00&U00testcertificates.gov0  *H 1NqPC3*}j‡5nh(:ozNwLJy}oh%TD[X@-~7PB0 ]QS?p7ޫPb͎;ÉTʝ)"LG3,kpathfinder-1.1.3/testdata/certs/ValidTwoCRLsTest7EE.crt0000644000175200017520000000117310652446340023221 0ustar ppattersppatters0w00  *H 0?1 0 UUS10U Test Certificates10U Two CRLs CA0 010419145720Z 110419145720Z0W1 0 UUS10U Test Certificates1,0*U#Valid Two CRLs EE Certificate Test700  *H 0dꁾlx#BY if-vw޽MwҐnƍ%X /)EՉB+ FCM[˽JɉogF19IR%7'$mqk0i0U#00JC&A#SSG0UrdOjF *gmE HO0U0U 00  `He00  *H oymY/^UۭL1p;% S [H! 
ƾhP' Fe~q+ˈ-5< M@p`iu$I&a{A#0 n],PߑApathfinder-1.1.3/testdata/certs/basicConstraintsNotCriticalcAFalseCACert.crt0000644000175200017520000000121510652446340027506 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)basicConstraints Not Critical cA False CA00  *H 0* t]W%ohޞr!חg u8| ~CU=$p0JuȯSm-dSȲ<JH͈k|8әqjv0t0U#0l-'z <ꚼI0UĕvlKhBET[0U0U 00  `He00 U00  *H 8+η*\cЯSW]⼊kaT4pDG[IJauće1=ۉgϨM7¶Ƌqw f>P0ڪ42JLQRg>n'y$?Dڌj4oq:5 #hs=&HN|d`JZJ|MTu2[ߓ^eÂ5`пw9SDebSĐ,?|H^9Gpk Npathfinder-1.1.3/testdata/certs/InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt0000644000175200017520000000125710652446340027620 0ustar ppattersppatters000  *H 0X1 0 UUS10U Test Certificates1-0+U$Basic Self-Issued CRL Signing Key CA0 010419145720Z 110419145720Z0r1 0 UUS10U Test Certificates1G0EU>Invalid Basic Self-Issued CRL Signing Key EE Certificate Test800  *H 0"{,j-JjH{"c9ѸG3зj4_{ ( L:sp6 $L'3\C$q\@#ŝ8/?%t uů90 k0i0U#0r3CQcDaG0UqFY<-0U0U 00  `He00  *H hW#7iA[MkB=zmP Nz2XX BH!trօxymS2)0 ܠgI|t=@a!OG-c%peXE ź8IMpathfinder-1.1.3/testdata/certs/UserNoticeQualifierTest18EE.crt0000644000175200017520000000171110652446340024746 0ustar ppattersppatters00.0  *H 0C1 0 UUS10U Test Certificates10UPolicies P12 CA0 010419145720Z 110419145720Z0_1 0 UUS10U Test Certificates1402U+User Notice Qualifier EE Certificate Test1800  *H 0CwѱJoW+ȨM+4D0U,nT#jw0U0U 00  `He00U00  *H ƹi._;.ci3'Y#l ٠>tCX?-}S.y5zRCnM˧݊+jPcb-`$ oXw@<0 F P E_{fypathfinder-1.1.3/testdata/certs/DifferentPoliciesTest9EE.crt0000644000175200017520000000122410652446340024341 0ustar ppattersppatters000  *H 0T1 0 UUS10U Test Certificates1)0'U Policies P123 subsubsubCAP12P2P10 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Different Policies EE Certificate Test900  *H 0#g/#,.UlPIX-]^Ze& ن%ڟ@%S_ַ$=RONGe~|F{t{Oe#a bBG}eL[iS qq׿d i00U#0l-'z <ꚼI0U@p.8ZٲCYL0U0U 00  `He00U00U$00  *H - of"Ӝ% O߯2*es).ByUĉ#xbޅpvfު9CEҼ 
s.Zd^|ɱ^!S7>O^5Sipathfinder-1.1.3/testdata/certs/inhibitAnyPolicy5subCACert.crt0000644000175200017520000000123210652446340024676 0ustar ppattersppatters000  *H 0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy5 CA0 010419145720Z 110419145720Z0K1 0 UUS10U Test Certificates1 0UinhibitAnyPolicy5 subCA00  *H 05#x>S$ӴQ]M'1i[" ZMt|Hjb> tԁO*~2\ͿGEr-5TH8HZ]Nl040`dLMy 5FzBV00U#0qbTon0:0UJwbX#ùnMo0U0U 00  `He00U00 U60  *H |Bo_[n1M~box«X+9|4}Q'Pbٟ ǬJX&M$,Ͻ,g4Ȇqt'T]lWQHe.E#wň6sDepathfinder-1.1.3/testdata/certs/InvalidSeparateCertificateandCRLKeysTest20EE.crt0000644000175200017520000000126110652446340030113 0ustar ppattersppatters000  *H 0Y1 0 UUS10U Test Certificates1.0,U%Separate Certificate and CRL Keys CA10 010419145720Z 110419145720Z0s1 0 UUS10U Test Certificates1H0FU?Invalid Separate Certificate and CRL Keys EE Certificate Test2000  *H 0ڛ5w\N"ʙ-edf*R WÄAJyj|ZW^$t,^T\CA @> }ΦG 㹱;!3k0i0U#0\Q"'1"@ %σy0U7th;|{)$!]0U0U 00  `He00  *H ĮaޭBwOM4-0T2קغ-"G<U+&[=.@^U@Ԍ)VH 󨷠rlTJ];k[rIJTݰzrpathfinder-1.1.3/testdata/certs/InvalidrequireExplicitPolicyTest5EE.crt0000644000175200017520000000121610652446340026605 0ustar ppattersppatters000  *H 0\1 0 UUS10U Test Certificates110/U(requireExplicitPolicy7 subsubsubCARE2RE40 010419145720Z 110419145720Z0f1 0 UUS10U Test Certificates1;09U2Invalid requireExplicitPolicy EE Certificate Test500  *H 0YQJW3[Ćj4ՁVLp+cՁ@z1{pj^UpBZPm˩&"?2xkjf.(+nr R0P0U#0(hji>)6cp0UR?* ֺzJm: 0U0  *H N5Vha+8~5`n#}e!V\lh0‭kl0C> D<ѠE*RY7캃^1ۯ_Fwmbp[ǂ٫64MrRn-7:V?Nhx#x'+h-pathfinder-1.1.3/testdata/certs/InvalidcAFalseTest3EE.crt0000644000175200017520000000123310652446340023542 0ustar ppattersppatters000  *H 0]1 0 UUS10U Test Certificates1200U)basicConstraints Not Critical cA False CA0 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Invalid cA False EE Certificate Test300  *H 0$JOPHQC/M9IS\?d>Ҭ`)d Fgҵz#Fqt[,_Ia|}0 '7*1Yם"08k0i0U#0ĕvlKhBET[0U-8G!:6NycX]0U0U 00  `He00  *H 'XJx vW M XpNԝ7^plD4A, pH@3i)X縊-PQnHml 9О ɼe'_,uиjG-1FFX 
pathfinder-1.1.3/testdata/certs/InvaliddeltaCRLTest4EE.crt0000644000175200017520000000145410652446340023704 0ustar ppattersppatters0(00  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA10 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Invalid deltaCRL EE Certificate Test400  *H 0]6lNDDYCu !0O}VOb I$!2& :%Z8 SWiak6ґ!%Qtm|Dr?"z"φTh;f00U#0M H2 0Ut%׿&Upaa0U0U 00  `He00SUL0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10  *H U2P*56_2Hz U a(+hK>KZb,r_y0c VIVT`oPZ$Yɬ~VX4 uY=' ^pathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest11EE.crt0000644000175200017520000000123110652446340024545 0ustar ppattersppatters000  *H 0V1 0 UUS10U Test Certificates1+0)U"Good subCA PanyPolicy Mapping 1to20 010419145720Z 110419145720Z0^1 0 UUS10U Test Certificates1301U*Valid Policy Mapping EE Certificate Test1100  *H 0u7ҾYuEpS#q_i=SBt?z@i/()RA>HUH?Wo'УA3~Qf!R֥ M^2,?Wiv&#~f:_%Hxkk0i0U#0ᵤq/f'{J0U?-osKR CmPm@0U0U 00  `He00  *H #^gK۷EGkj'wYQ||7TPقJ@WO0ǒ!ŖPbqbh_㗃B0 2-Te)*R{l%pathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest2EE.crt0000644000175200017520000000125510652446340025641 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA0 010419145720Z 110419145720Z0~1 0 UUS10U Test Certificates10U excludedSubtree11806U/Invalid DN nameConstraints EE Certificate Test200  *H 0Y+i!fT >l8XoUd, k0i0U#0bP[Ip9n0UP( lvz>Y0U0U 00  `He00  *H αo](`Wײn X\2_8dcSuQ7nW [gN7t$\[d{ ̿TjMGgX/` ڸ775\qoͤpathfinder-1.1.3/testdata/certs/ValidNameChainingWhitespaceTest3EE.crt0000644000175200017520000000121410652446340026252 0ustar ppattersppatters00 0  *H 0@1 0 UUS10U Test Certificates10U Good CA0 010419145720Z 110419145720Z0g1 0 UUS10U Test Certificates1<0:U3Valid Name Chaining Whitespace EE Certificate Test300  *H 0:R5Jҿi US这riE C4\94Pm+7Z=畈AqNBpw9D;J',"7B^yg=,k0i0U#0.ȼ{'D53ߚ0U"ZlM!;d PRda0U0U 00  `He00  *H X nj sH)+QT-.Uq)nk861.ZJ&ė& 
en3|cN]?,>u|9'cuSOB:esoPA]`ٻсBJsB&@lq,pathfinder-1.1.3/testdata/certs/MappingToanyPolicyCACert.crt0000644000175200017520000000126610652446340024416 0ustar ppattersppatters0040  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0K1 0 UUS10U Test Certificates1 0UMapping To anyPolicy CA00  *H 0fQ)lJ,xbI{u00U#0l-'z <ꚼI0Uz,cZN?SU i0U0U 00  `He00 U!00 `He0U 0U00U$00  *H WL~v+)( IG2q'YjSf3@t`@~r@9lk)GLcg[ aBdx{'cX:y'm'" S{XAeD:(LQpathfinder-1.1.3/testdata/certs/ValidinhibitAnyPolicyTest2EE.crt0000644000175200017520000000122410652446340025172 0ustar ppattersppatters000  *H 0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy0 CA0 010419145720Z 110419145720Z0_1 0 UUS10U Test Certificates1402U+Valid inhibitAnyPolicy EE Certificate Test200  *H 0+SZ낀!WP]YfbS,wK=;ЖL?<4Ec,Ϊa$A5[%Qlcъ0l8nZ^g{`WAZ2_c@ks0q0U#0@`\/ E0U>_Ss-k*&0U0U 00U 0  `He00  *H (݊N: $v Nu6Dax> & ]wPuh}2{$b>h|sRCcfu. J}n_Nm ьs>o0 pathfinder-1.1.3/testdata/certs/keyUsageNotCriticalcRLSignFalseCACert.crt0000644000175200017520000000121510652446340026730 0ustar ppattersppatters00!0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0Z1 0 UUS10U Test Certificates1/0-U&keyUsage Not Critical cRLSign False CA00  *H 0Λft3K*(;+n!=nժ2`Q\s  nGݣ)Ov>Zp胡[}p5.k>imy; L&вsy0w0U#0l-'z <ꚼI0U["XV."0 U0U 00  `He00U00  *H ]D`oF>ݢvI(G݄ٝfNM2.[͙D7<4Ԇy5Š*x^Bwt<5!O\r=w'ιJB%%[(opathfinder-1.1.3/testdata/certs/P12Mapping1to3subsubCACert.crt0000644000175200017520000000130510652446340024433 0ustar ppattersppatters00*0  *H 0J1 0 UUS10U Test Certificates10UP12 Mapping 1to3 subCA0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UP12 Mapping 1to3 subsubCA00  *H 0zJ;cxIhEVUai9,zZ6)pj5eTfSZ3\[+bc|gi!/o/ i3L3 gRN00U#0]ĺxy4&rWYT(q0U,)9AS-.0U0%U 00  `He00  `He00&U!00 `He0 `He00U00  *H $ڒueRM+DJ6#,wn;/ l_j_?fvy~6+۾ظc/Fܚȡ+dQfUXzm&:|uE?w7(Y7}apathfinder-1.1.3/testdata/certs/InvalidUnknownCRLExtensionTest10EE.crt0000644000175200017520000000123010652446340026214 0ustar ppattersppatters000  *H 
0L1 0 UUS10U Test Certificates1!0UUnknown CRL Extension CA0 010419145720Z 110419145720Z0g1 0 UUS10U Test Certificates1<0:U3Invalid Unknown CRL Extension EE Certificate Test1000  *H 0y"mTU9*o$G}B6Prj3Rl0kITȭ3  bK *$( v4tlSi(V';k0i0U#0j7L'naU0UmH ۾~;0U0U 00  `He00  *H a"i:0#kyM}+4y׻) W>pдMg_) g\Vc/ma64J˳.59\f{>+鱻8E#bwh5,kޟV pathfinder-1.1.3/testdata/certs/requireExplicitPolicy2CACert.crt0000644000175200017520000000122610652446340025244 0ustar ppattersppatters00/0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy2 CA00  *H 0BxL&UuB.sSE Le6uM ^ᡬ{uhٓ./ Z1ty&0TB}ꭦzݽ_1i;d:u?ʂ&LSkh_!00U#0l-'z <ꚼI0Uq=fº uI,K L2+e\6HV -QSpathfinder-1.1.3/testdata/certs/InvalidBadCRLSignatureTest4EE.crt0000644000175200017520000000121710652446340025160 0ustar ppattersppatters000  *H 0H1 0 UUS10U Test Certificates10UBad CRL Signature CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid Bad CRL Signature EE Certificate Test400  *H 0 rj:9X@k\(08cgē KjasdTI }ʕ3haUU`WGAoeY\uI&!/K:ԬAܞSCkw 2k0i0U#0 {8HZ`UP6lC0U+RV e^vdoO &0U0U 00  `He00  *H 9*+4%K?*z 4Q!)6y%غaw._v_KCCU*caaNg%;Y2GVߵػzG١)e[ :g+7_ʭApathfinder-1.1.3/testdata/certs/requireExplicitPolicy4subsubCACert.crt0000644000175200017520000000123110652446340026466 0ustar ppattersppatters000  *H 0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy4 subCA0 010419145720Z 110419145720Z0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy4 subsubCA00  *H 0wfv_~N>8JL9+tU2фhwJnP~pumխZ5G@ ʏ^Quغmw&,zS0Ul LS#c0U0U 00  `He00U00  *H _j5:툛%hbsNhYwxw?yߣf^_ -uw[avp+OR $o_+M& \JⲳS <&#XХ?ԿIH&GDpathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P12subsubCAIPM5Cert.crt0000644000175200017520000000133710652446340027174 0ustar ppattersppatters00D0  *H 0W1 0 UUS10U Test Certificates1,0*U#inhibitPolicyMapping1 P12 subCAIPM50 010419145720Z 110419145720Z0Z1 0 UUS10U Test Certificates1/0-U&inhibitPolicyMapping1 P12 subsubCAIPM500  *H 0kCK'Uz4 
>Z×ݷ<dr:=B^4>"q_g/A=8DBlM|p09Iʀ6)i8!C |00U#0ގVĪN p>0U$UD~0U0%U 00  `He00  `He00&U!00 `He0 `He00U00  *H 9ӽC͂n&o46h+$H 6XuNB#kܔ_e>kNT-Hq7`q8isE*RDdZ1sL,A`9L{pathfinder-1.1.3/testdata/certs/InvalidpathLenConstraintTest10EE.crt0000644000175200017520000000125210652446340025763 0ustar ppattersppatters000  *H 0Q1 0 UUS10U Test Certificates1&0$UpathLenConstraint6 subsubCA000 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Invalid pathLenConstraint EE Certificate Test1000  *H 0DDJDKߌ@q29MgtK|- ;gѢNksjV~{RT) |;txhF樘mrBw;@|ӈZ)ALv[|0z0U#0jAm>ܰ]P 0U K;u`'s1Em;[L 0U0U 00  `He00U00  *H 8^-4t /z x; V~ѬF$eg?]ZL5yYFtiq{hԙ8:)zm2Kz[fۨ#`J>/YBOߘ.OT Glpathfinder-1.1.3/testdata/certs/inhibitAnyPolicyTest3EE.crt0000644000175200017520000000121210652446340024210 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA10 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%inhibitAnyPolicy EE Certificate Test300  *H 0斓ޛ6v/Zf)cޔx EůZ=:T82D <ؒ=M 棜^;k0i0U#0) x)BK|*5[<0UU詏dۓoA10U0U 00  `He00  *H F@:>S e%UiԂ]+ %5uՄ 6>q:͛0&|g!Cj1)J{{SH~^rn=#k" lܦspathfinder-1.1.3/testdata/certs/ValidRFC3280MandatoryAttributeTypesTest7EE.crt0000644000175200017520000000134410652446340027443 0ustar ppattersppatters00I0  *H 01 0 UUS10U Test Certificates10 &,dgov1 0 &,dtestcertificates10UMaryland1 0 U3451 0 U.CA0 010419145720Z 110419145720Z0p1 0 UUS10U Test Certificates1E0CUo 4iv/͖_lTْN8m9{\w' äzM^ VQZPS}Hx<6R~SjTD>4:=HEh{pathfinder-1.1.3/testdata/certs/deltaCRLCA1Cert.crt0000644000175200017520000000116610652446340022342 0ustar ppattersppatters0r0۠[0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0@1 0 UUS10U Test Certificates10U deltaCRL CA100  *H 0fJ}({)Cb~Rx0 wrL&:NxH:xBp0(~ͱ'K [5 }Ϝ4IRPymc;?@-gtkj|0z0U#0l-'z <ꚼI0UM H2 0U0U 00  `He00U00  *H b( Z/Ob "W9$0 +t}d&_H<^p\f} <'BU&x\ahSP;L/~rIێypathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P12CACert.crt0000644000175200017520000000125210652446340025311 0ustar ppattersppatters0080 
 *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UinhibitPolicyMapping1 P12 CA00  *H 0 JT|đ+^%.eXzd=*:ǧ/C&t͹gJ%9aA}03"۰t0G2u q:r&nͻƇo74D @y#*:t%e?*O2N-\ʷ `{?$E֌pathfinder-1.1.3/testdata/certs/ValidrequireExplicitPolicyTest2EE.crt0000644000175200017520000000120610652446340026252 0ustar ppattersppatters000  *H 0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy5 subsubsubCA0 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0Valid requireExplicitPolicy EE Certificate Test200  *H 0[\rIrKc8A =("1#2ի@]&eQ[WRn3a7VNY=){^޸^#'X/VɻAJD3MӁYR0P0U#0>0f/%gɭ0U2]ov;Ҁ:ge0U0  *H fn߃ ^sM1o 9;OK!.a5* Lu!9i"RXDOrq'ݍd7(+J{CBNÀfyzf*9L:pathfinder-1.1.3/testdata/certs/InvalidBasicSelfIssuedOldWithNewTest2EE.crt0000644000175200017520000000124410652446340027222 0ustar ppattersppatters00 0  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued New Key CA0 010419145720Z 110419145720Z0o1 0 UUS10U Test Certificates1D0BU;Invalid Basic Self-Issued Old With New EE Certificate Test200  *H 0oeDd,u;1$6 !(j Z3:Fxzlc g5ʜ$=?2w;}ZQU<HiJ^ ڰ۠=%fJR?Ҍ^oB}J S kuOBL1{2Zs00U#0l-'z <ꚼI0UeԆ39^L0U0%U 00  `He00  `He00U00 U$00  *H ̀ osa " sD yHJn+CR{;rEeM]@sK$ɋpXn"bo*=_:4O矄%æpathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P1subCACert.crt0000644000175200017520000000130110652446340025734 0ustar ppattersppatters00&0  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping1 P1 CA0 010419145720Z 110419145720Z0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping1 P1 subCA00  *H 0P&;Fu4]M t3Dix|5Lʤ!x,qq-pa&G;OkLd5E_=ʢ!=j|HFtVR"a00U#0l\l[`wSZ550URS߆fIFc3 0U0U 00  `He00&U!00 `He0 `He00U00  *H Ϛߏ+~UJ|nR2Fn7FF2xO}.ӵ:΀vIE'V{`BRCw4%vZ{w$^̿dzsHj)¥X,'G |0z0U#0l-'z <ꚼI0Ue|AXDx0U0U 00  `He00U00  *H %5b?7iP". +032EnPjD^1ɎZzfZL d4RUg`T = sF#w,h! 
E܊i&`G(Ftℭ B?5k0i0U#0Bo #yW: 0U|\0+}3^0U0U 00  `He00  *H `>aBkN%>ùg+;-f )+{ƛ;;دjUr2 S&Z^ekbG-NQ&ojG߮i/[Џ98pathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest12EE.crt0000644000175200017520000000132010652446340025713 0ustar ppattersppatters0050  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA10 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U permittedSubtree11907U0Invalid DN nameConstraints EE Certificate Test1200  *H 0$D;DKLFb/k/DJ`AiZ"4K}6{M *WlZaGJ du5_=(0ir=D^,᧗ޙ0$k#L(E1M Ak0i0U#0/ȅPXB00UeYF%Eᅾz (0U0U 00  `He00  *H Ư*7k{iPDyG pcFp _ TfJ( ޔ1ˎOom-Ϋ_bG.\tf6=RB^xN0 /-(8VDduvHLmUUpathfinder-1.1.3/testdata/certs/pathLenConstraint6subsubCA00Cert.crt0000644000175200017520000000122710652446340025737 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint6 subCA00 010419145720Z 110419145720Z0Q1 0 UUS10U Test Certificates1&0$UpathLenConstraint6 subsubCA0000  *H 0~|pNb)rc,k07ie؈QTv1c;)]!Lڶ"`I[f ֦?, 3`=.gPKBm-ֵz*S0}0U#0HxQ1t9*7D~i0UjAm>ܰ]P 0U0U 00  `He00U00  *H 9DͫnڞE &:3gF4e ȕ%R.A3{ڞk8d)%B'&̃x ;\BOƻ38\˾i5+=pathfinder-1.1.3/testdata/certs/PoliciesP3CACert.crt0000644000175200017520000000121010652446340022567 0ustar ppattersppatters00'0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0B1 0 UUS10U Test Certificates10UPolicies P3 CA00  *H 0r"[ƺ>2 EZ:+'8 Lzs~MDSӮRrA>|C}&jʛ{]Rוkvz,+=xHgJoh t`e00U#0l-'z <ꚼI0UfUeQY*b0U0U 00  `He00U00 U$00  *H be|JsrYD+mx8ѥ; KXɒjV0bRW~UBСYpԔZTOL+&3'?8gpathfinder-1.1.3/testdata/certs/InvalidDNandRFC822nameConstraintsTest28EE.crt0000644000175200017520000000141210652446340027176 0ustar ppattersppatters00o0  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA30 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U permittedSubtree11D0BU;Invalid DN and RFC822 nameConstraints EE Certificate Test2800  *H 0 Ov^|*zj6$H@G!'3I`'RiH $VV4Wɰ;S{3"U/ȃV?uw{/>Lzudzm*r@>ȳYU^00U#0W'o 5g$k0U͠'l7fc(˩T0U0U 00  
`He00+U$0" Test28EE@invalidcertificates.gov0  *H mfGp3Zc:wx!>*̋&mzGPzky30-Td1Qyƛ dbD EmƼ½/3:LuU[bTHtLrI0o-_Bpathfinder-1.1.3/testdata/certs/InvalidonlyContainsAttributeCertsTest14EE.crt0000644000175200017520000000124210652446340027673 0ustar ppattersppatters000  *H 0Q1 0 UUS10U Test Certificates1&0$UonlyContainsAttributeCerts CA0 010419145720Z 110419145720Z0l1 0 UUS10U Test Certificates1A0?U8Invalid onlyContainsAttirubteCerts EE Certificate Test1400  *H 0nM~&{QU w+ʳBS 8hw c8B~<uJf"0[-^ꊛf1ETU7䐐?d.VDŻBe(3 Vd;Qk0i0U#0(ٸmS"0U~*e3gY1O{Uu0U0U 00  `He00  *H r{"h}¹[ o9ovC 81[5û#׉,}B[*R =՚n1Y|$:zA^:!0/EYVk8LAb*Aشpathfinder-1.1.3/testdata/certs/requireExplicitPolicy7subsubCARE2RE4Cert.crt0000644000175200017520000000126510652446340027324 0ustar ppattersppatters000  *H 0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy7 subCARE20 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%requireExplicitPolicy7 subsubCARE2RE400  *H 0yÁu@l䱿:B@^[g~FHlS&xuDE$ 5s/Fúaz̸(?y-hfii^/eh[e9m00U#0h / QKXs9?K0U 2DPP`5 jE&0U0U 00  `He00U00U$00  *H , xc[g}d5U$\'շZ ¿Jqy^.>KKNQ礦xu-?ýV-Y~y8B&JO OhX `.}i5y{-pathfinder-1.1.3/testdata/certs/requireExplicitPolicy4subsubsubCACert.crt0000644000175200017520000000123710652446340027206 0ustar ppattersppatters000  *H 0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy4 subsubCA0 010419145720Z 110419145720Z0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy4 subsubsubCA00  *H 0ث$㝀ZA䟟1sT wW*xE%qwQw9C7`Z[6rLBj:uAlMpZf5ԣ;=Aed1it,RTn,}p|0z0U#0l LS#c0U+ݱzZbs1*y0U0U 00  `He00U00  *H ';1Yʓ;`،qjjLLE p}$fN{ŶDYO4ո=%v8:u?31tDz 5C\q~اe( Ma$}pathfinder-1.1.3/testdata/certs/InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt0000644000175200017520000000125310652446340027674 0ustar ppattersppatters000  *H 0V1 0 UUS10U Test Certificates1+0)U"keyUsage Critical cRLSign False CA0 010419145720Z 110419145720Z0p1 0 UUS10U Test Certificates1E0CUD5$PC 1xuH5K tMŤa+^-(,yq2$GЇ^=Aq߲#[󝪪כYb m j ܂ܯ00U#0:4vXXć}~]N0U\;L_%*Xd50U0U 00  `He00U}0{0ywus0q1 0 UUS10U Test 
Certificates10U distributionPoint2 CA1&0$UCRL1 of distributionPoint2 CA0  *H 8| ],H]6~+Ძn9;AfƁ؂P@uw 55c5hnJKǽE^_q<"_UqՎ̧y׸+gX}]Rpathfinder-1.1.3/testdata/certs/ValidDNnameConstraintsTest1EE.crt0000644000175200017520000000125410652446340025310 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA0 010419145720Z 110419145720Z0}1 0 UUS10U Test Certificates10U permittedSubtree11604U-Valid DN nameConstraints EE Certificate Test100  *H 0A nR#uLj9 >v[a䫏}'9A2#5hҵ E6yG"dOe"T*t̞o_Wj2!𕨄k0i0U#0N.݋;AJÞ|Y#WNS0UE>x$g4VH0U0U 00  `He00  *H ii}:I\PRC8At-w2_a//dV\g0/NUmiK sŅbi8dA}Z)c(ŌE2v0q| ɖTg'Y/pathfinder-1.1.3/testdata/certs/requireExplicitPolicy0subCACert.crt0000644000175200017520000000122310652446340025751 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy0 CA0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy0 subCA00  *H 0UPTSWF8hm K:UK>*7 n)F$5\/ø36gV-r 5&Vv )oV|f堋`qhy- 2"7Vy!ja!|0z0U#0wjdQz-e~ J'0UpGbсTm)0U0U 00  `He00U00  *H  iؔll)gMRg*K|95MַlNF(^AtM2qeJd`|&D /&kvO: J3.n.˫o60 ~䫷0,vpathfinder-1.1.3/testdata/certs/InvaliddistributionPointTest2EE.crt0000644000175200017520000000143110652446340025774 0ustar ppattersppatters00~0  *H 0I1 0 UUS10U Test Certificates10U distributionPoint1 CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid distributionPoint EE Certificate Test200  *H 0~;ų[}mX=WB#([J7ȁM1I9Tѽ h0U0  *H d{sp~ɲ~&[hnD<75tOPлG NVHu" L]h0WR֭_ˈ_͏t iTA*&-y~=h5 +(R4pathfinder-1.1.3/testdata/certs/requireExplicitPolicy0subsubsubCACert.crt0000644000175200017520000000123710652446340027202 0ustar ppattersppatters000  *H 0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy0 subsubCA0 010419145720Z 110419145720Z0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy0 subsubsubCA00  *H 04b*Ƴq M[ڶbSȢ ѥx-Z$ ;YM|5#1Zw `ް2H-B܅__chπOW22UN&ApqG7}AaO|0z0U#0BI3h*T!]bpΥ#@0UYnypaRI*0U0U 00  `He00U00  *H *SB t'˗N( HYaB{'Sjϡ)u}"vEų7U֕gb֥K(u*+ fBL?R 
]\%42`q9x8pathfinder-1.1.3/testdata/certs/ValidcRLIssuerTest29EE.crt0000644000175200017520000000142410652446340023662 0ustar ppattersppatters00y0  *H 0C1 0 UUS10U Test Certificates10U indirectCRL CA30 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Valid cRLIssuer EE Certificate Test2900  *H 0')6Ry`gvH,t^leVF!3TRb,c}dY'J`|GPQuҳ"ƏsP-եj8ܚ-XjcceU00U#0()Xg.:(0Uݘm5b5՟عX -1rS0U0U 00  `He00U00+)0'U indirect CRL for indirectCRL CA3QO0M1 0 UUS10U Test Certificates1"0 U indirectCRL CA3 cRLIssuer0  *H BV/œqSZ]:d J%9CJO\@w !JEֱ3yrs?U3AEjBu^3]߂0zk7>HkQ_1upathfinder-1.1.3/testdata/certs/ValidDNandRFC822nameConstraintsTest27EE.crt0000644000175200017520000000140510652446340026650 0ustar ppattersppatters00j0  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA30 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U permittedSubtree11B0@U9Valid DN and RFC822 nameConstraints EE Certificate Test2700  *H 0"l&NG,tPk|pu1[<3Q?60+c.Jۄ9yLjAK {sQ4&tëc8SC}Q?*y{t '>gh/00U#0W'o 5g$k0U FTI&Z4OEn0U0U 00  `He00(U!0Test27EE@testcertificates.gov0  *H %Eg 5MyV"7)eSdIɒ7ă\b>, BJQ51݃ \ko"X1Q3f9 ŵ+iAXNJq{k5"WXTpathfinder-1.1.3/testdata/certs/requireExplicitPolicy4CACert.crt0000644000175200017520000000122610652446340025246 0ustar ppattersppatters00,0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy4 CA00  *H 0|>);6y]f`QMӊRږXY0PHAn"=kyjeCz0pN ʴ8.ҝ=rܷsLJ0 5֖ 16 2"RߚbPg00U#0l-'z <ꚼI0U%~ вGAyB50U0U 00  `He00U00U$00  *H =CF1>rӏ@?xiOΣ @.m%:U 1qwe}AN?QQ*)9ZC<ЫF  "P8$ ΨT# +srk˵ĕpathfinder-1.1.3/testdata/certs/InvalidIDPwithindirectCRLTest26EE.crt0000644000175200017520000000134710652446340025732 0ustar ppattersppatters00L0  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA20 010419145720Z 110419145720Z0f1 0 UUS10U Test Certificates1;09U2Invalid IDP with indirectCRL EE Certificate Test2600  *H 0@5"!mKiw\-nZ M:n# WBlBڕémMJ7Xĕ#Upu/m_]^goCڹbFމv6lNӫiRxVl'c_]ٱ/00U#0O1b*Nv\۷j3s 
ݕG5ѱo7e<>s#7LLUhC5&S$Q'|0=WmA2Gpathfinder-1.1.3/testdata/certs/ValiddeltaCRLTest8EE.crt0000644000175200017520000000145210652446340023357 0ustar ppattersppatters0&00  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA20 010419145720Z 110419145720Z0W1 0 UUS10U Test Certificates1,0*U#Valid deltaCRL EE Certificate Test800  *H 0WAkumh~0݆' ԨĎ8}y{sM+u9Bueݨ}Qbb"y,؀kth8!O)qCo8>-js;'C00U#0Wf&mr:le C 0U6H zcL;3טV0U0U 00  `He00SUL0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA20SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA20  *H (|#VΖ~Fl%VCS۴p3sr`\zOmDkגD77VRT(fӷZbW-*9LR5X_G\2rVm\1H[tpathfinder-1.1.3/testdata/certs/RFC3280OptionalAttributeTypesCACert.crt0000644000175200017520000000132110652446340026166 0ustar ppattersppatters006a0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U Gaithersburg1 0 U*John1 0U+Q10UA Fictitious1 0 UCA1 0 U,III1 0 U M.D.00  *H 0ֶlE怼2 Sk JI%63duzҟķn% O~!Д`!cs:\Lh8%ڒC6n0U0U  00U 0&U!00 `He0 `He00U00 U$00  *H Kn1t-KgyTڭ5IgU&8ݛ(MHxqFpBa2?v Kq: /bʌH$j  [ޯJ:pathfinder-1.1.3/testdata/certs/UserNoticeQualifierTest19EE.crt0000644000175200017520000000174010652446340024751 0ustar ppattersppatters00E)0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0_1 0 UUS10U Test Certificates1402U+User Notice Qualifier EE Certificate Test1900  *H 0Jtz*F)v49ɼP ӋNH \w&$ 3WpNl`Yu%90Un\[{H]C !.[00U#0l-'z <ꚼI0Uv40% 0U0mU d0`0\ `He00L0H+0:6q6: Section 4.2.1.5 of RFC 3280 states the maximum size of explicitText is 200 characters, but warns that some non-conforming CAs exceed this limit. Thus RFC 3280 states that certificate users SHOULD gracefully handle explicitText with more than 200 characters. 
This explicitText is over 200 characters long0  *H '}'4!qru1vRB@+D~e#9*e1JNy{?tWpG6y]G3῿OMOZLM0{K~`ptjpathfinder-1.1.3/testdata/certs/inhibitPolicyMapping5subsubCACert.crt0000644000175200017520000000122710652446340026260 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping5 subCA0 010419145720Z 110419145720Z0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping5 subsubCA00  *H 0C,y6* Urj;YR`'Y޿4G J(&Ҝ|y'4V3B7q;Wθ>Ik`Xqgq#bcQ|0z0U#0t]'!\mwD&mܿck 0UjkGKwTR&0U0U 00  `He00U00  *H 9Wׁ&ǿiǿpˍغޔxtT;M8RA U+RF"sy㠝xD3{xwY85!QVZ+v%=8Z r#apathfinder-1.1.3/testdata/certs/inhibitPolicyMapping1P1SelfIssuedsubCACert.crt0000644000175200017520000000130410652446340027726 0ustar ppattersppatters00)0  *H 0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping1 P1 subCA0 010419145720Z 110419145720Z0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping1 P1 subCA00  *H 0vˇ?(wtGDl(V&OVp}!@~0Haۃ.!/ IZ= Gc٦tO4aP$\Yq̦GІ2,ET^j'00U#0RS߆fIFc3 0UA$KFʍNbEDEփ0U0U 00  `He00&U!00 `He0 `He00U00  *H `5P FO_K$Gi ( hd11S26? 
"G>k.rC\ 1=X+UNWըlTiTadH&@zN褅zp_M)?oHBpathfinder-1.1.3/testdata/certs/inhibitAnyPolicy1subsubCA2Cert.crt0000644000175200017520000000121310652446340025465 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA20 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UinhibitAnyPolicy1 subsubCA200  *H 0ZZTBlLL0\3M-`nڇ/sqTZeD6Y#^i꽁ma9=]2.*QMΦc4d#s{dw{+yngO8P(v0t0U#0A&L+VgU0U"1vܒ0U0U  00U 0U00  *H 7ظ)ަlu'Pl`7{'Z3d07cjM%I_{g-"&,m/k䗊4!+.o]HHͿ$]u%oSpathfinder-1.1.3/testdata/certs/ValidbasicConstraintsNotCriticalTest4EE.crt0000644000175200017520000000124510652446340027366 0ustar ppattersppatters00 0  *H 0T1 0 UUS10U Test Certificates1)0'U basicConstraints Not Critical CA0 010419145720Z 110419145720Z0l1 0 UUS10U Test Certificates1A0?U8Valid basicConstraints Not Critical EE Certificate Test400  *H 03 .tN BA o^IYᇹy7)hK Z\HYyJݾ|\Μ_\%2bf?|ZHQJuJTƅ#\z;@ +/Ychk0i0U#0ظ+ V\>zϑ0U4N8Ftrr=8> q^~K :b㭳c<" 8%Q׾Dp$rW@_~]MW{։W-0}0U#0vdzJ0UD4P&<# N{ H0U0U 00  `He00U00  *H .dIWI>E* T}sܝp/"=6*_ H}׎#HE%uav'CWW^ODK?}Uʗ ΋ޞ2%FqtADwpathfinder-1.1.3/testdata/certs/PoliciesP123subsubCAP12P2Cert.crt0000644000175200017520000000121710652446340024652 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UPolicies P123 subCAP120 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UPolicies P123 subsubCAP12P200  *H 0 5LY։&}3@7Z-L 9Fy:n_R`&5nafeV(,UjˌW:"VP b}3o_kwC0JEwtXl/dla||0z0U#0Z!ܓm |jhKU0U9n9pdh+MT,0U0U 00  `He00U00  *H T ΎүJf . 
tql %B H֛ۏžE菲*dEWȺ>ZOohi3ќf.5M/ kB5_9ZUdtQ?=H'/]k0i0U#0RS߆fIFc3 0UEzř{us"xX)$a0U0U 00  `He00  *H MZ@UɑtgMdVi>'BI}@0VԚ۾?HbjirI͐]㭅z򨸄rd pd:5/|8oN䆷pathfinder-1.1.3/testdata/certs/InvalidpathLenConstraintTest9EE.crt0000644000175200017520000000123010652446340025707 0ustar ppattersppatters000  *H 0Q1 0 UUS10U Test Certificates1&0$UpathLenConstraint6 subsubCA000 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid pathLenConstraint EE Certificate Test900  *H 0:i9Js3z~c]!.:.PV޷HjٻlF ŋ=jJjL$9^$߶`C>ѩsJm_Q<VcAX۞dXT|DIuk0i0U#0jAm>ܰ]P 0U>0wu0U0U 00  `He00  *H oYؾ2UnT3Ұ@y}y]`IOeQ~6 _Ԟ"X0EVmc['o2#OAxviz.Hmru(@:#dgQ[pathfinder-1.1.3/testdata/certs/requireExplicitPolicy5subsubCACert.crt0000644000175200017520000000123110652446340026467 0ustar ppattersppatters000  *H 0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy5 subCA0 010419145720Z 110419145720Z0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy5 subsubCA00  *H 0 Β:U`J:_=im;<:5E0N(Ne@4jUrz0:O&@g+j"[g#K[BR[/ ]6,/?S|0z0U#06zoE'k0U bO/?'ȣ_{Fk0U0U 00  `He00U00  *H 'U3n_Y+{9L0/`Խ|E4ʼnK tlIhJbKLt VP}ߋUG6o ~ңL~$ rSڬ{2t6[J qNpathfinder-1.1.3/testdata/certs/inhibitPolicyMapping0CACert.crt0000644000175200017520000000123010652446340025021 0ustar ppattersppatters0070  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UinhibitPolicyMapping0 CA00  *H 0#<|19:oJ:pۏ,+g |%<}^X);=/UȲ-dUU6}yx3qIr F*NcGfo6m2E]j00U#0l-'z <ꚼI0Ul B@ApR^7Z0U0U 00  `He00U00U$00  *H ,~7;w.nfb"Dj}e@ ~Ͼw\v3{YGW湯7trT][8h*M)=[FjT^M}2;';[v,pathfinder-1.1.3/testdata/certs/requireExplicitPolicy5subCACert.crt0000644000175200017520000000122310652446340025756 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy5 CA0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy5 subCA00  *H 0a)̕eME| \Jr*;OEoXE[SM}ȅR [mΞ-7:qzLpv|Kz-p.iC'չ jQqK%bB9EQ|0z0U#0-+h^+fC0U6zoE'k0U0U 00  `He00U00  *H 
yD/Uz4=y\<]bk2m!B韜F(42ji}snjڦj!uÿ7ΦU8iU?J"Gbt`/P#pathfinder-1.1.3/testdata/certs/inhibitAnyPolicy5CACert.crt0000644000175200017520000000123510652446340024167 0ustar ppattersppatters00=0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy5 CA00  *H 0|~ 2:p6,!cWNm峘9>7 }{gQ H5]QVjb#6U)Sc@ kJx= P*.Jku *ZJEŭzS,00U#0l-'z <ꚼI0UqbTon0:0U0U 00  `He00U00 U$00 U60  *H k~31 %𣃍EZ1 xΧoti Sڥ'9$qXJ/٫9+j+젩.CHLιwp*ow(=zpathfinder-1.1.3/testdata/certs/ValidkeyUsageNotCriticalTest3EE.crt0000644000175200017520000000122510652446340025627 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UkeyUsage Not Critical CA0 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0Valid keyUsage Not Critical EE Certificate Test300  *H 0Θ,^HÍՀXØj!8X%ŠAz9)@>g?Bxlcuvvaۯ,Jŷf'5 ZVb_uNp 4Ik0i0U#0*B33*MsU0U|b>coU$%K9R0U0U 00  `He00  *H UvQfᡆv@<;ARj/ML jL Ѯy6$-R_2*ȡbg9/B]Fy*vs=Y(0?Z=KfVpathfinder-1.1.3/testdata/certs/nameConstraintsDN1subCA3Cert.crt0000644000175200017520000000132410652446340025073 0ustar ppattersppatters009 0  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA0 010419145720Z 110419145720Z0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA300  *H 0߶^c- :~S;_>M<@$e4tb"R83d'J*Z)%+vT{cqNwŋ`e1/Ev^]r* ]zlKjGWI`,~ױPiBV$grg pathfinder-1.1.3/testdata/certs/P1Mapping1to234CACert.crt0000644000175200017520000000135210652446340023275 0ustar ppattersppatters00O20  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0H1 0 UUS10U Test Certificates10UP1 Mapping 1to234 CA00  *H 0i )'goCH$V U,_&r7@oB:E @p6ÁSJX3=]˗iԳ*D]Bݛ hg`ɾ Sh)h9k~A00U#0l-'z <ꚼI0U̧҆!cDԐ0U0U 00  `He00ZU!P0N0 `He0 `He00 `He0 `He00 `He0 `He00U00 U$00  *H ^=ǻfeOeSF%6ǴwbwJ9ERꥑI&A\Oh+c WR%Y;GCTcȪD7/y5ɼ5 :pathfinder-1.1.3/testdata/certs/wvcrash.txt0000644000175200017520000000214410652446340021306 0ustar ppattersppattersprintcert dying on signal 6 (Aborted) Process ID: 16187 Parent's 
process ID: 5470 Last real stack frame: 0xBF9A7CBC Top of stack: 0xBF9A8290 Stack size: 1492 Stack size rlimit: 8388608 Assert: printcert: crypto/wvx509.cc:1722: time_t WvX509Mgr::get_notvalid_before(): Assertion `cert' failed. Backtrace: /home/wlach/svn/branches/crypto_refactoring1/wvstreams/libwvutils.so.4.4[0xb7cf03b7] /home/wlach/svn/branches/crypto_refactoring1/wvstreams/libwvutils.so.4.4(_Z7wvcrashi+0x17f)[0xb7cf05f5] [0xb7ef9420] /lib/tls/i686/cmov/libc.so.6(abort+0x109)[0xb7b32fb9] /home/wlach/svn/branches/crypto_refactoring1/wvstreams/libwvbase.so.4.4(__assert+0x0)[0xb7cb95ec] /home/wlach/svn/branches/crypto_refactoring1/wvstreams/libwvstreams.so.4.4(_ZN9WvX509Mgr19get_notvalid_beforeEv+0x34)[0xb7e62ab6] /home/wlach/svn/branches/crypto_refactoring1/wvstreams/crypto/tests/printcert[0x8049c96] /home/wlach/svn/branches/crypto_refactoring1/wvstreams/crypto/tests/printcert[0x804a73c] /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8)[0xb7b1dea8] /home/wlach/svn/branches/crypto_refactoring1/wvstreams/crypto/tests/printcert[0x80498a1] pathfinder-1.1.3/testdata/certs/InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt0000644000175200017520000000126310652446340030357 0ustar ppattersppatters000  *H 0Z1 0 UUS10U Test Certificates1/0-U&keyUsage Not Critical cRLSign False CA0 010419145720Z 110419145720Z0t1 0 UUS10U Test Certificates1I0GU@Invalid keyUsage Not Critical cRLSign False EE Certificate Test500  *H 0wCY-{11%nI??Av@9 d>КnLgsdHgX L*2)H"5"+`24 űk0i0U#0["XV."0U;~I&{tdHY.0U0U 00  `He00  *H zZp_}b>o &p8@khZ]E\P=f ~iTMjP(w( l`S\00U#0I{Oi~#ZVj00Ud$db0U0U 00  `He00hUa0_0][YW0U1 0 UUS10U Test Certificates10U onlySomeReasons CA31 0 UCRL0  *H @кwhJ[ɗX[l6e)Wb2 `(%c)1|ׅh kk#y)sَaԈ`ڶp2+"SN>h1J~-8>zb KjMpathfinder-1.1.3/testdata/certs/indirectCRLCA5Cert.crt0000644000175200017520000000117110652446340023052 0ustar ppattersppatters0u0ޠX0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0C1 0 UUS10U Test Certificates10U indirectCRL CA500  *H 
0Y_6%&+/ZnꀌABOOITѲ+C> )߆Ѵz$mz\t>mՕQ$Ri Kș(mW 2S ;^|0z0U#0l-'z <ꚼI0U~û7KA=mY?DWm0U0U 00  `He00U00  *H !GP6Q2?g4B;.dytмwZf ћ#3w3mڒ8k5[dv`Tk Uy-ZP 2o3/ޢ=ǰ߰-)Mpathfinder-1.1.3/testdata/certs/indirectCRLCA3Cert.crt0000644000175200017520000000117110652446340023050 0ustar ppattersppatters0u0ޠV0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0C1 0 UUS10U Test Certificates10U indirectCRL CA300  *H 0٬g4zZ{z)jҰUR}UOSoV>"3E c YaL`HVyaQq2~N?uL\,m'7]܃Fw|0z0U#0l-'z <ꚼI0U()Xg.:(0U0U 00  `He00U00  *H kOwd{4UAУ;t td|&H`YWHL*dTqdۉ_IÒÅ_wMrއziGP机pathfinder-1.1.3/testdata/certs/requireExplicitPolicy4subCACert.crt0000644000175200017520000000122310652446340025755 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy4 CA0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy4 subCA00  *H 0OwIR۱l'mrmT@ch^Nmxw١IFPVDjB(cYSDXN@W5_Mb6CRdK^mdZ0C}tf8|͜^|0z0U#0%~ вGAyB50U#a8q, aՉP>0U0U 00  `He00U00  *H \x̧Ou5IK6SMH3[*6HIwxϘ (&l"_7n|URȊ tPY~_:eCJ uEMUfQV2cAVzZcpathfinder-1.1.3/testdata/certs/InvalidNegativeSerialNumberTest15EE.crt0000644000175200017520000000123210652446340026401 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UNegative Serial Number CA0 010419145720Z 110419145720Z0h1 0 UUS10U Test Certificates1=0;U4Invalid Negative Serial Number EE Certificate Test1500  *H 0Ҝ̾?7,#ӻޥko r e.Nک)fC×kzh^OD-B3p韛R[-;PLm]]3,:gIzLQh4o*9Jm BzH^gMF~ҷMnVQDih&)TJ+S#-(q_U \TX[9pathfinder-1.1.3/testdata/certs/InvalidcAFalseTest2EE.crt0000644000175200017520000000122710652446340023544 0ustar ppattersppatters000  *H 0Y1 0 UUS10U Test Certificates1.0,U%basicConstraints Critical cA False CA0 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Invalid cA False EE Certificate Test200  *H 0r */]M#U8 )xhPdwn܅/͐+'ޫF"Ҕ-*yuڀ!bÒ{gE(e[FEէ)Y"SM^-yL2#-;-kdGz5d3k0i0U#0GOt"ECu60U70U0U 00  `He00  *H ?8&)TMPRC/` 9'[gs? 
N]HTE r# ˅/ irsP9R^T`I7y }CZAïBntd,+xpathfinder-1.1.3/testdata/certs/nameConstraintsDN1subCA1Cert.crt0000644000175200017520000000144310652446340025073 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA0 010419145720Z 110419145720Z0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA100  *H 0QiĠ оD(МRwTHJէ36*lVel5棚|iq Z SȔ!}0µc-@4}D5xw1mU6-)TT070t|`U}pܡyYؿQ0\LB5h^{1hBrpathfinder-1.1.3/testdata/certs/inhibitPolicyMapping5subCACert.crt0000644000175200017520000000124410652446340025545 0ustar ppattersppatters00 0  *H 0L1 0 UUS10U Test Certificates1!0UinhibitPolicyMapping5 CA0 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping5 subCA00  *H 0km)SMҬ\A&X lvkTxv#lX)֙Εm(a,}]4ܐXjŤEqr(!A00U#0PWjoA^z0~0Uᴊփ"2/ݘb60U0U 00  `He00U}0{0ywus0q1 0 UUS10U Test Certificates10U distributionPoint1 CA1&0$UCRLx of distributionPoint1 CA0  *H c|FAJHaR_ӒND]y6ըzW(Hkib6EER|]'V^-)UHͮ3rɵp6@[ 9ĉtpathfinder-1.1.3/testdata/certs/ValidCertificatePathTest1EE.crt0000644000175200017520000000115610652446340024756 0ustar ppattersppatters0j0Ӡ0  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0N1 0 UUS10U Test Certificates1#0!UValid EE Certificate Test100  *H 0k ;)@>2h(%OWqSɨv/Dnǔߴ񍵶-̢ %c0$n5cv$GkHDZ 4qUP}kǯ;M*LL҈z@8IsK%D`++2 6 ݠi.!@CDUc4y0pathfinder-1.1.3/testdata/certs/ValidBasicSelfIssuedNewWithOldTest3EE.crt0000644000175200017520000000124210652446340026672 0ustar ppattersppatters000  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued Old Key CA0 010419145720Z 110419145720Z0m1 0 UUS10U Test Certificates1B0@U9Valid Basic Self-Issued New With Old EE Certificate Test300  *H 0~oR ̐MXcR3G0B9f>yߑ6qio ^cxYQoy|ye9qԯ z׺$(/mZ2.'g[Z%`AAoYk0i0U#0!soAEՆ0U@㧔 x /8B0U0U 00  `He00  *H "7QzXV W{' ri`jFӒdARCD]FB /n(!z8?2t,M7:9a[(yYH#@ ȷbpathfinder-1.1.3/testdata/certs/requireExplicitPolicy7CACert.crt0000644000175200017520000000122610652446340025251 0ustar ppattersppatters00.0  *H 0@1 0 UUS10U Test 
Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy7 CA00  *H 0RēR5IqFI u.@Z?(ɔ"Ŗ&X'5rv2(}yOi[SalbX ߹WirS~cX2??ts!@BAHrJh G gy#00U#0l-'z <ꚼI0U"pNb/p˵NM0U0U 00  `He00U00U$00  *H /a-&;͞K_%̚MMj5t#C'CUrX03):gMY=cբV L&ciEu$kn0*HQupathfinder-1.1.3/testdata/certs/P1Mapping1to234subCACert.crt0000644000175200017520000000133310652446340024006 0ustar ppattersppatters00@0  *H 0H1 0 UUS10U Test Certificates10UP1 Mapping 1to234 CA0 010419145720Z 110419145720Z0K1 0 UUS10U Test Certificates1 0UP1 Mapping 1to234 subCA00  *H 0EӐYY^z[(BzyᇼqzKZ!s2y%`TCmhbn3qHp? lYAgB??TZl%h_e;BFIu00U#0̧҆!cDԐ0UW}hsҦ0U0%U 00  `He00  `He00@U!6040 `He0 `He00 `He0 `He00U00  *H  >[VZ7.'x܊!O?3j\H!vpw[&@}6)^-OGвD;KVQ2MkeUS䙎 n_ AАM0apathfinder-1.1.3/testdata/certs/PoliciesP2subCA2Cert.crt0000644000175200017520000000120710652446340023370 0ustar ppattersppatters000  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0F1 0 UUS10U Test Certificates10UPolicies P2 subCA200  *H 0"]Xt8L9dJ*f4$tZ&}]kNPc7**#/}xпɪNdE0Ry&4_N{Y_3'(wuJٻ00U#0.ȼ{'D53ߚ0Uq/QI|K0U0U 00  `He00U00 U$00  *H mG+E}P~1x~ݦ10m>co`l iRYņ),催 +];`̓0j=-"Ey=mud*{XJNpathfinder-1.1.3/testdata/certs/InvalidEESignatureTest3EE.crt0000644000175200017520000000115610652446340024423 0ustar ppattersppatters0j0Ӡ0  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0N1 0 UUS10U Test Certificates1#0!UInvalid EE Signature Test300  *H 0J,dhr,\p(R"BgJwB 7KYsA Ĝ4~ #'Qk;sJ-Z#T2ߠ&j<؁)n:unsk0i0U#0.ȼ{'D53ߚ0USprOyS?Ly0U0U 00  `He00  *H Gcg&SF:jo(W&Wݪ?`*aիJܘHFY"?!fpھ <ºw`hd @z)<8pA:}VߍգG m>߂O|0z0U#0l-'z <ꚼI0UjOruKzm\9$0U0U 00  `He00U00  *H sB_aaMC?~QDX C|6hD?,:۵{S_- b[MJX\鉸H{Y V='Z_sNh3QBZa֋UЁ(pathfinder-1.1.3/testdata/certs/nameConstraintsDNS1CACert.crt0000644000175200017520000000125310652446340024422 0ustar ppattersppatters00F0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS1 CA00  *H 
0xpex!fO{o c_ oC|}> 1[_^b[kg-xy\~?/^Cނj,=M@.Q'm*Iv5X1u~)aȡI*ū00U#0l-'z <ꚼI0UugG ۞Rsx0U0U 00  `He00U00&U00testcertificates.gov0  *H Eyjz"8?0A ޴\ ktZ7bPpfM[Ӵ;VfpV>,Pdk$3 PQ6qcg?#II/WEb[My:Npvc@,)pathfinder-1.1.3/testdata/certs/pathLenConstraint0subCA2Cert.crt0000644000175200017520000000121410652446340025135 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint0 CA0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint0 subCA200  *H 0TX%!Ƞ"P#%ʧd@L "DKݽQPOb 9|t"Sǭ`Dx۳Fџ6,"HEn(I]kσ83yˆh/\x|0z0U#08%BZ J,SPL0URzkBN͂cn#50U0U 00  `He00U00  *H -Bۡ0,`Sܗ`3_ }Bg#lٲFYP$-$jl4,OYuwVxTmoClG yjt:e] Wg666Rpathfinder-1.1.3/testdata/certs/Validpre2000UTCnotBeforeDateTest3EE.crt0000644000175200017520000000121110652446340026017 0ustar ppattersppatters000  *H 0;1 0 UUS10U Test Certificates10UGood CA0 500101120100Z 110419145720Z0i1 0 UUS10U Test Certificates1>0<U5Valid pre2000 UTC notBefore Date EE Certificate Test300  *H 0; N]@F P:_aAdil (B4~x F5`Dv۪Hi*;AL׫cWOaȵ\(40"^H㶽\\W5k0i0U#0.ȼ{'D53ߚ0UK2 , $Jt0U0U 00  `He00  *H ->рS{ I axK[-SO_5P3dJz1'+k"E+ IܑLL8XT5I*`}nLfa%jpathfinder-1.1.3/testdata/certs/deltaCRLIndicatorNoBaseCACert.crt0000644000175200017520000000120610652446340025201 0ustar ppattersppatters00Z0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UdeltaCRLIndicator No Base CA00  *H 0n+x'󙍶WcAr@j_T'~ sTЋ@Wb*#FPDu(+s#eu+c0%Yg%wvrq'1g/,i%|0z0U#0l-'z <ꚼI0U),P#y]e`p0U0U 00  `He00U00  *H 4F8.2|y\iYћ]7tjmq6M\a`Q_$G@ۄW-$5=Ёgi]R>Z+lΫ,̓IPpathfinder-1.1.3/testdata/certs/ValidinhibitPolicyMappingTest4EE.crt0000644000175200017520000000123610652446340026043 0ustar ppattersppatters000  *H 0V1 0 UUS10U Test Certificates1+0)U"inhibitPolicyMapping1 P12 subsubCA0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Valid inhibitPolicyMapping EE Certificate Test400  *H 03Fttw&)tmdm=x tE"Y kzq`+oޤ[Ig!-w v k%%ӛ\1# If-P9>Uf!k0i0U#0ZK>C&y!0U g؄4Y-Y- 0U0U 00  `He00  *H 
?pE$0&Eœ܈Ej#j봙 ʇKK!̦XB"uVb/wȸVf@ ,+`\学-F͓Z!t?6T˵)m(/oϯc+-pathfinder-1.1.3/testdata/certs/requireExplicitPolicy2SelfIssuedsubCACert.crt0000644000175200017520000000122610652446340027745 0ustar ppattersppatters000  *H 0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy2 subCA0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy2 subCA00  *H 0ҝ*Q\/Ӽ'vzkiKs֍|5yeQׯ8ޥivJ3Uii@pnwI좜M jư<;(_<kkTCMX|0z0U#0)O:MF_00U ib6g00U0U 00  `He00U00  *H }5{vNvJwrXcMͤi^z8`/bx'U,ciGP͟"4|1]y;7'p8jǗHGD9|F~pathfinder-1.1.3/testdata/certs/requireExplicitPolicy0CACert.crt0000644000175200017520000000122610652446340025242 0ustar ppattersppatters00-0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy0 CA00  *H 0El,N}( tO|БpC:ˆog!oxwHS;iRpԨ+%ȭq1XMH'S`%4@vO_VGNrf FQO'00U#0l-'z <ꚼI0UwjdQz-e~ J'0U0U 00  `He00U00U$00  *H Z[btboHk8iq'lKڏU0C?"I,#6xf0 yE:neenkTuAgOqk%Ub$&&/mpathfinder-1.1.3/testdata/certs/ValidURInameConstraintsTest36EE.crt0000644000175200017520000000132610652446340025536 0ustar ppattersppatters00;0  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints URI2 CA0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Valid URI nameConstraints EE Certificate Test3600  *H 0N*/\bG+jB2wX„bu8릫$DhY[$ݪ{)1E)?K>HV` )>R YDBO+GP4's=>GY-`'y00U#0Uc#lmZZ0U~*nQ4XmZy0U0U 00  `He00?U8064http://testserver.invalidcertificates.gov/index.html0  *H mNaXGٕz9?2H>]h K}V-aoK%[u_WY3ږpZHuzHXn8M@޾b0q@/Љ^ĜB']r?qpathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest12EE.crt0000644000175200017520000000205410652446340024552 0ustar ppattersppatters0(00  *H 0G1 0 UUS10U Test Certificates10UP12 Mapping 1to3 CA0 010419145720Z 110419145720Z0^1 0 UUS10U Test Certificates1301U*Valid Policy Mapping EE Certificate Test1200  *H 01xYPkDq3ܺ[hnyLu lə%13%_6' wq ERl`0$bdkq\Pl> Su6WϿdQ 00U#0 Rm%ͩ hr0U˜~40U0U 00 `He000+0q7: This is the user notice from qualifier 7 associated with NIST-test-policy-3. 
This user notice should be displayed when NIST-test-policy-1 is in the user-constrained-policy-set0U 00+0q8: This is the user notice from qualifier 8 associated with anyPolicy. This user notice should be displayed when NIST-test-policy-2 is in the user-constrained-policy-set0  *H ,G9#Bk*;l[a=͋fmnuNn %Rp%ڝ,1RbAqȚĤ1L#Z"4$ 4\5 I?>*ˠވ>pathfinder-1.1.3/testdata/certs/InvalidPolicyMappingTest4EE.crt0000644000175200017520000000122110652446340025015 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UP12 Mapping 1to3 subsubCA0 010419145720Z 110419145720Z0_1 0 UUS10U Test Certificates1402U+Invalid Policy Mapping EE Certificate Test400  *H 0k*a&L/ MԆ-1]D>lz*)\ n)^LuF~#:8RO\i B嗢Og@0BsnP IS;U/Kћ;0'pMk0i0U#0,)9AS-.0Uc 2[i*8Fsv0U0U 00  `He00  *H g;jPJ,K@86~ksj;z8+EsC_z, יy6AtSԺq]r8+ws ݦwzf="2ޞGpathfinder-1.1.3/testdata/certs/pathLenConstraint1SelfIssuedsubCACert.crt0000644000175200017520000000121610652446340027045 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UpathLenConstraint1 subCA0 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UpathLenConstraint1 subCA00  *H 0YcYT쳩:-A`3Q-hPs%R ӌJ `/V䍜U$XaIJEaλ=cS+WV4a܅:;;O05`V {|0z0U#0as b5j[bH#+WRķ~|0z0U#0l-'z <ꚼI0U- &>a#.72Q20U0U 00  `He00U00  *H 09mkX+W3醯ti8 "Y-C,D;~!.l8?JxpUd@Ν^>T3iosp~}{\Hi U6ޓ;RyzIo~7PoF6)H=Lpathfinder-1.1.3/testdata/certs/ValidURInameConstraintsTest34EE.crt0000644000175200017520000000132310652446340025531 0ustar ppattersppatters0080  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints URI1 CA0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Valid URI nameConstraints EE Certificate Test3400  *H 0QL$[8\'"hڻBʂ?ʴ N'ۧoZYNGa xqupI1#z˰1:A\mL^e\0hnv8~hMДxu00U#0K _adZyE0Um(1=&>' m*0U0U 00  `He00<U5031http://testserver.testcertificates.gov/index.html0  *H 'rѼ>AW(>9^YnْLk|>O&k LYT]RkXj:.}9\Їx џ=$5޳v\dLRl6j 3pathfinder-1.1.3/testdata/certs/DifferentPoliciesTest7EE.crt0000644000175200017520000000124010652446340024335 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test 
Certificates1$0"UPolicies P123 subsubCAP12P10 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Different Policies EE Certificate Test700  *H 0AIVyg@*,÷sd,Fl?GB Y'fRC9l|l.=_něKGI+qRû)3վx"#@\lAc)Om|0z0U#0##aB5j0^0UCӽjq6 D0U0U 00  `He00U00  *H (yӷz  v!Z&Ҭ凉%sVE5T?a$M{(+mˏOQIC?&G+LqHuwEЄ`%#6Tžh*JW;̦|pathfinder-1.1.3/testdata/certs/inhibitAnyPolicy1subCA1Cert.crt0000644000175200017520000000120410652446340024752 0ustar ppattersppatters000  *H 0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy1 CA0 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA100  *H 03nV^Ǔ[ƕokB#utMES4+A ~ - / H:$mH}z{q%NE૩tA7h18M?]]壥v0t0U#0f۵ij>+ȨM+4D0U) x)BK|*5[<0U0U  00U 0U00  *H TOoe?ruPsv@a$j皦6ɇ_&áAJ,5|c4 +T;_Mr,Ux̋(+ٱEL{= PJ7"|!t';upathfinder-1.1.3/testdata/certs/DifferentPoliciesTest8EE.crt0000644000175200017520000000123610652446340024343 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UPolicies P12 subsubCAP1P20 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Different Policies EE Certificate Test800  *H 0ĚcnX__[Z'_ ˙E͕SCזּ򬲦\Rѕ.F2ޕD gU( :؝E02"u}BF:8ϻ ^MkV6$|0z0U#0g l*Um-"Ks+*0UIw2+Q r0U0U 00  `He00U00  *H $W'_{*>WĹu{Ǽ)E}c@E~ svLu< mV!/h ox[݊םA#-4Jp'fRWÆpgVbQeX`K4x2ta+h83T`ѨGZ~T ϧ٤pathfinder-1.1.3/testdata/certs/ValiddistributionPointTest5EE.crt0000644000175200017520000000130710652446340025452 0ustar ppattersppatters00,0  *H 0I1 0 UUS10U Test Certificates10U distributionPoint2 CA0 010419145720Z 110419145720Z0`1 0 UUS10U Test Certificates1503U,Valid distributionPoint EE Certificate Test500  *H 0&Nph6ŧؕlLUO NAxy#*V϶Z~Z_&FbFD)\OĦqa,B359,>A M8Y thP~rŠT00U#0:4vXXć}~]N0U %tǙҸ0U0U 00  `He005U.0,0*(&0$UCRL1 of distributionPoint2 CA0  *H s|8r0>-, ⪏A K P 1G?ȥ;gVѶ!Pv@;»xCRY(F iZ>Ak|s0*uґ|m `RWpathfinder-1.1.3/testdata/certs/basicConstraintsCriticalcAFalseCACert.crt0000644000175200017520000000121410652446340027024 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0Y1 0 
UUS10U Test Certificates1.0,U%basicConstraints Critical cA False CA00  *H 0j{H-:Ɓ)'e=%ق}bX(¥ߗbR%{@tZ~8.G6EDYFiFcPX 4|oC>匼0}"Nߥ/A_y0w0U#0l-'z <ꚼI0UGOt"ECu60U0U 00  `He00 U00  *H [o X" C<"faRŊϚ(ʤe5O*o).l ]!9 rC^V \Ξ7$?>sN_:4iH\pathfinder-1.1.3/testdata/certs/OldCRLnextUpdateCACert.crt0000644000175200017520000000117710652446340023752 0ustar ppattersppatters0{00  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0I1 0 UUS10U Test Certificates10UOld CRL nextUpdate CA00  *H 0ka.@SGq!mQO5;G7)Ӥ,D57HmHFAr0q:A}}$548(O{CA'.{}$IBBKy|0z0U#0l-'z <ꚼI0Uj#GDPCQ|^10U0U 00  `He00U00  *H 3N&v9`/DzTPD_tT_be1c,9 *-h&i۾ ntSU(x E܏ (aR ָ"cf#pathfinder-1.1.3/testdata/certs/distributionPoint1CACert.crt0000644000175200017520000000117710652446340024443 0ustar ppattersppatters0{0J0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0I1 0 UUS10U Test Certificates10U distributionPoint1 CA00  *H 0T_S)ijvsveh.N%F:`L( 8[Um}V"Y{Hʊ]>T/D?ٸޜ:~Q}, qd6 \O|0z0U#0l-'z <ꚼI0UPWjoA^z0~0U0U 00  `He00U00  *H :V{<;SVXy=ƫjƟ%F=F˓u9Be?E|Q V>θzW=Q,H= PK(q)[Z2E,Jپo8Dnb<pathfinder-1.1.3/testdata/certs/InvalidMappingToanyPolicyTest8EE.crt0000644000175200017520000000121710652446340026041 0ustar ppattersppatters000  *H 0K1 0 UUS10U Test Certificates1 0UMapping To anyPolicy CA0 010419145720Z 110419145720Z0e1 0 UUS10U Test Certificates1:08U1Invalid Mapping To anyPolicy EE Certificate Test800  *H 0n_N[g_qWM>g0 Ζ`w ێ֛ Մ)AH7ݞ0I6٪u=4<[o5i9dCA+}Jqe0c0U#0z,cZN?SU i0U w CàkV{0U0U  00U 0  *H ݤHpa;%EZ$$,ȃ<ʹS{jԖږg^J]p MC[I'hBE} J1~sDe#q}Nsn>B_SxC~pathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest5EE.crt0000644000175200017520000000121510652446340024472 0ustar ppattersppatters000  *H 0K1 0 UUS10U Test Certificates1 0UP1 Mapping 1to234 subCA0 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)Valid Policy Mapping EE Certificate Test500  *H 0@oD[SpbPWyfkB[ĥY|&#XOCéz\$|e4Cl6pmY~]ٯ YC=p k0i0U#0W}hsҦ0UlxdQئ<ݙ0U0U 00  `He00  *H :/zf䆴P4/qڿ*Y] 
%O3s@):b.嗜\Ԫ;ӎ*>f"Em”bҍ(vژ)eu)Z 7<pathfinder-1.1.3/testdata/certs/onlySomeReasonsCA4Cert.crt0000644000175200017520000000117510652446340024053 0ustar ppattersppatters0y0S0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0G1 0 UUS10U Test Certificates10U onlySomeReasons CA400  *H 01L>Sn+K{%w Ch&w4|Ҩ JVpRv5DTJ'CKWR@,J!G| e8ƈ,0xE+wJC&K|0z0U#0l-'z <ꚼI0U?@kYZT0U0U 00  `He00U00  *H 3ʓ In>đi1% %aJt/P6W{G \ Оo> pkyTKlDlohPPSd%huB?gp5r$Cx*ُpathfinder-1.1.3/testdata/certs/InvalidpathLenConstraintTest6EE.crt0000644000175200017520000000124410652446340025711 0ustar ppattersppatters00 0  *H 0L1 0 UUS10U Test Certificates1!0UpathLenConstraint0 subCA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid pathLenConstraint EE Certificate Test600  *H 0{ƕՑh"C[Ǟ,cTyÕ!\#K~L-pdTĀ{y\: jh€GԿK~sFid3<Z#]|0z0U#0FKnW ''0U,<+P(\0U0U 00  `He00U00  *H [}AK[`h@WmTb͖s^=\!9[;OPrU?pvZ]hHzeJ;s-:=H&dn-3 kWdrDs8Z06&Gpathfinder-1.1.3/testdata/certs/GoodsubCAPanyPolicyMapping1to2CACert.crt0000644000175200017520000000127110652446340026464 0ustar ppattersppatters000  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0V1 0 UUS10U Test Certificates1+0)U"Good subCA PanyPolicy Mapping 1to200  *H 0јJ'ܩ֏VVߟTȰO/ kbFoy3N%P50ê4i-J5%ӡ .uw0 a͸EḓQrj,ȼ$u00U#0.ȼ{'D53ߚ0Uᵤq/f'{J0U0U  00U 0&U!00 `He0 `He00U00 U$00  *H Mv 'eV,d O)+9H$lKj]dr{SܛJ9s*}K˹Pg?IOjf? 
OsÕichWʟ!$pathfinder-1.1.3/testdata/certs/pathLenConstraint6subCA0Cert.crt0000644000175200017520000000121710652446340025144 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint6 CA0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint6 subCA000  *H 0~_*筂,=/^g#&4c ~F C0E|TywjEc#+):"@ȱyE;qh%*X ^).?dY;>%AbsIsX=9dt[ ؘG$i8[]zepathfinder-1.1.3/testdata/certs/UTF8StringCaseInsensitiveMatchCACert.crt0000644000175200017520000000121610652446340026532 0ustar ppattersppatters00d0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0X1 0 UUS10U Test Certificates1-0+U $UTF8String Case Insensitive Match CA00  *H 0 ĥO#3NrԗyٽU$ w˞">hp\c%!N#fHre8`B;!(Gxw3_P]%7$GӇec/ wɦC|0z0U#0l-'z <ꚼI0U6b)|Є^'ߩDb0U0U 00  `He00U00  *H vkk7Jz7l&U;q=ڥVSV9>R|[ DnP>rR/+Ho=ww6XP6yϚ}uRs彲+Dl#Opathfinder-1.1.3/testdata/certs/inhibitAnyPolicy0CACert.crt0000644000175200017520000000123510652446340024162 0ustar ppattersppatters00;0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy0 CA00  *H 0ΆFצM λ~#_ %(.4z|,3:7P_&Us>ؾzY8xsqQf]"15&[nh02@8F<k0& tb,@in[Z8[FyYpпOA;YPHpathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest6EE.crt0000644000175200017520000000121510652446340024473 0ustar ppattersppatters000  *H 0K1 0 UUS10U Test Certificates1 0UP1 Mapping 1to234 subCA0 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)Valid Policy Mapping EE Certificate Test600  *H 0FޫdWzT2)kR ׳ءLysTu&E+#%nwmݿ|U'ߐkr m +`V(ph0}󈆮&&is>"DЗ31! 
'GyB]mdxgcX6^!89f_y%q!yPpathfinder-1.1.3/testdata/certs/InvaliddistributionPointTest6EE.crt0000644000175200017520000000131110652446340025775 0ustar ppattersppatters00.0  *H 0I1 0 UUS10U Test Certificates10U distributionPoint2 CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid distributionPoint EE Certificate Test600  *H 0 x'>h2 u(&=6",,ψlTp^ꉉVt9{!iC_Sl{[XYK ~9,`ěN~\ /HM`c nо3Rm /W'uI\{ipathfinder-1.1.3/testdata/certs/RFC3280MandatoryAttributeTypesCACert.crt0000644000175200017520000000130510652446340026341 0ustar ppattersppatters00*`0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10 &,dgov1 0 &,dtestcertificates10UMaryland1 0 U3451 0 U.CA00  *H 0ۋC;j٧V~9v=px떬OM҃AfIzZ&=\w܏Sk5zlT~`γPJ!w*د̔`D<"{p,|0z0U#0l-'z <ꚼI0U-\b*6MR,P}+0U0U 00  `He00U00  *H p 8uSy#932Ӱ癔X;4 34$n1Ǚ@hFD`UC/n*c+ ~t02!Mh/f@'%wNpathfinder-1.1.3/testdata/certs/requireExplicitPolicy5subsubsubCACert.crt0000644000175200017520000000123710652446340027207 0ustar ppattersppatters000  *H 0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy5 subsubCA0 010419145720Z 110419145720Z0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy5 subsubsubCA00  *H 0;& {S, qK~Z\TlJ 4tp,Q0AVht7‚.Jr5QܣgkF(10f/%gɭ0U0U 00  `He00U00  *H  Ep`Q/j*kpmFDRL6XՁPS9])|ol5^jaaІU:<w7Wzc$=F`%o>b1:E3pathfinder-1.1.3/testdata/certs/InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt0000644000175200017520000000121010652446340027562 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA20 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA200  *H 06͉XV]kAoK: $Kb9 S3Y!iv>~"{yOwBJ>j]y<<1,N䤤X(Wx$F P i#V,q6M~!܄VRqؽLv-<ךӄ(z~zȪ:/Ijd"e}zͣ<}T00U#0z;yĽ.Y0U B͕cO;0U0U 00  `He003U,0*(Test21EE@mailserver.testcertificates.gov0  *H jC=̩" >+N. 
_8n?MF!'dYlA>;إ%{K+OB 5xC+ZdwQnC\FnubR2n˩LX5٢pathfinder-1.1.3/testdata/certs/InvalidMissingCRLTest1EE.crt0000644000175200017520000000117610652446340024222 0ustar ppattersppatters0z00  *H 0=1 0 UUS10U Test Certificates10U No CRL CA0 010419145720Z 110419145720Z0\1 0 UUS10U Test Certificates110/U(Invalid Missing CRL EE Certificate Test100  *H 0åZKd@N~x 7;Wkq_UNqA^V#}vxzL<xF~dZ<&o+7)-iLb- "`(ck0i0U#0NhE}x?$0U /Z^$$86> -60U0U 00  `He00  *H K ,ETͯ^/b\Rn:F#Cv{xk]P)UW#~oe44I\G0ƣb!َokqA:h\_#l!c @X^!A4pathfinder-1.1.3/testdata/certs/InvalidRFC822nameConstraintsTest24EE.crt0000644000175200017520000000132210652446340026265 0ustar ppattersppatters0070  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA20 010419145720Z 110419145720Z0h1 0 UUS10U Test Certificates1=0;U4Invalid RFC822 nameConstraints EE Certificate Test2400  *H 0=n0lෝhff`=/m < Hxf㾵 {~E(Z{<o,)׿fz.o¿!Yet [eׁ-9pathfinder-1.1.3/testdata/certs/InvalidPolicyMappingTest10EE.crt0000644000175200017520000000123310652446340025075 0ustar ppattersppatters000  *H 0V1 0 UUS10U Test Certificates1+0)U"Good subCA PanyPolicy Mapping 1to20 010419145720Z 110419145720Z0`1 0 UUS10U Test Certificates1503U,Invalid Policy Mapping EE Certificate Test1000  *H 0דbZYRQ:v 晝, 8 Ä<8l$ʎ 悙@nj{*[7'u% dk_ ojD,J?dȒ[֪HfY8.R +k0i0U#0ᵤq/f'{J0UZS8ޑ蟹uz0U0U 00  `He00  *H  ϸ#ֿ0Yq4PbrYׅ@44ߗ"bkI v$.AXe_qd|ţDE)dz MgN]Ljr#߀F[9@b \V:%YZpathfinder-1.1.3/testdata/certs/MappingFromanyPolicyCACert.crt0000644000175200017520000000126210652446340024733 0ustar ppattersppatters0030  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UMapping From anyPolicy CA00  *H 0LNº.Gj@_w׋9kro<;5|־'̆a&6eIUOŇ>&rx4KSg,m=߈ɧr) 8rh00U#0l-'z <ꚼI0U5/Z67YomH0U0U  00U 0 U!00U  `He00U00U$00  *H _e" a{Jqp6&F~y{},оXfnrlX/ ǘ#*8S~gfr4'ptFu/ I{f2IJ;=H@o@Izk|Ϣ'qTWh~;wck8v bJ pathfinder-1.1.3/testdata/certs/InvalidinhibitAnyPolicyTest6EE.crt0000644000175200017520000000121710652446340025527 0ustar ppattersppatters000  *H 0O1 0 
UUS10U Test Certificates1$0"UinhibitAnyPolicy1 subCAIAP50 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Invalid inhibitAnyPolicy EE Certificate Test600  *H 0o7)͏0,m?A#0`?14Wkil(^eƬlH*&f'<ܳ }>W lЕ';iie0c0U#0)c‚={_t soh0U 䮮`a9e=7a0U0U  00U 0  *H e5(自M Hr=S a & dʊ@Nq :GhBBXdWi`. ˛kGbM_qn"u 6S:W%KzJfwd_@͌jN#U{)]HQ~8pathfinder-1.1.3/testdata/certs/InvalidcRLIssuerTest32EE.crt0000644000175200017520000000152710652446340024207 0ustar ppattersppatters0S0 0  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA60 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Invalid cRLIssuer EE Certificate Test3200  *H 04XFntj@|ԇIskzv:k "L!mg Nɖ߾>Dh feaRw?/u'ЄnI<Џ8a,;.CrE% EiPޑ=090U#0>N3YIf}0U!D3ERf n+gx0U0U 00  `He00U00trp0n1 0 UUS10U Test Certificates10U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6GE0C1 0 UUS10U Test Certificates10U indirectCRL CA50  *H uxhBVJgW[~Wn΋!B@6F}-W tZv5p6$r8`0hSZxod Q.Ih (H}*CV\Q.ĚmySR"Pzpathfinder-1.1.3/testdata/certs/DSACACert.crt0000644000175200017520000000161210652446340021232 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0:1 0 UUS10U Test Certificates10 UDSA CA00,*H80>n:GDVn3VG5=T­u/3 1gm)nWr4࣬d<JH0^v& s3ų7> ԡ.1 wBn½.{4 \se:/|Β_c8Dݒ4^e{qwf|;ζRUN]./nVpj"  !&D bp1h Jny6Z8oNSgYb\`~9ؾB+ń2rl!׈0eu=iez{S`g.2j8ǑN;< qm'ItؽFQS]%O u㉧Awc@_+,qx kW 29|0z0Ut$^e ~HNa0U#0l-'z <ꚼI0U 00  `He00U0U00  *H :;rw,[E?? 
\~c:Ȱ(!0vF=tRPܥr}3}C a $TE](%~!ފC%>eBR~`Ȋb6pathfinder-1.1.3/testdata/certs/InvaliddistributionPointTest9EE.crt0000644000175200017520000000122010652446340025777 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10U distributionPoint2 CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid distributionPoint EE Certificate Test900  *H 0.T;ie~tbm p.$y3aQWH CbeZ2‡L?Wl΂+Ib]C)sOնRd S&UQ H:ʯS(2+*)k0i0U#0:4vXXć}~]N0U0U0U 00  `He00  *H  a0q\&*6t|.!k~^;nE{)VH4m-cU~Saq70ޖ4`>~-ŭ7I iGf4es_Bqz22Q{pathfinder-1.1.3/testdata/certs/DSAParametersInheritedCACert.crt0000644000175200017520000000103010652446340025104 0ustar ppattersppatters00Ӡ0 *H80:1 0 UUS10U Test Certificates10 UDSA CA0 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UDSA Parameters Inherited CA00 *H8gG 6d97 g=@Ȝ:Tpd|' eߠ>bk WO])Y _u dW{lVSC <2]V`: +A|lc|0z0U]$Uɲ¿IO:0U#0t$^e ~HNa0U 00  `He00U0U00 *H800-Yo1w 6Ka Dr)m"M'.;םY^%"pathfinder-1.1.3/testdata/certs/GoodsubCACert.crt0000644000175200017520000000117710652446340022233 0ustar ppattersppatters0{00  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0>1 0 UUS10U Test Certificates10U Good subCA00  *H 0Â#h73O{j}X麀buQ,'$*ɧ+z* 3J;ΆEx"t`C! {,yָOv=?Q6kme$żq00U#0.ȼ{'D53ߚ0U|\i|U")C{}0U0U 00  `He00U00 U$00  *H 2!Z5@^JYLM)}UlJ(Kl] ćE(ʦc [8#ٯ+9)s E+Vz?00U#0n+ 6gi5=)x0Uy$"h. 
޸n=70U0U 00  `He003U,0*(Test25EE@mailserver.testcertificates.gov0  *H L2yoʦISe|vHEF@g!aX{w]r̠I='FH:؄8dIr9̓ӒH!E*-8BXr?Zy{I@Bmڤa^xRYYsKE[lpathfinder-1.1.3/testdata/certs/ValidRFC822nameConstraintsTest23EE.crt0000644000175200017520000000130510652446340025736 0ustar ppattersppatters00*0  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA20 010419145720Z 110419145720Z0f1 0 UUS10U Test Certificates1;09U2Valid RFC822 nameConstraints EE Certificate Test2300  *H 0ʮBTRT9ᄇ^^CL$k!f(MI; v&P"e8}vyoYH ƹN* 1J2k2 o߷i^h_il6빱*iFTC00U#0+6ftK1U16co50U FlH$\$ޤݣ=0U0U 00  `He00(U!0Test23EE@testcertificates.gov0  *H x5B Cx4r$=i EqQL$C p|goʝpb&ELkZ%[7{6k2= "p'Ncx#%BDu-nC{߬ 3W.Y>pathfinder-1.1.3/testdata/certs/AllCertificatesanyPolicyTest11EE.crt0000644000175200017520000000120310652446340025737 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U anyPolicy CA0 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0All Certificates anyPolicy EE Certificate Test1100  *H 0#C NgtDCg@1a0U 'kj`ZЖ0U0U  00U 0  *H &#I4ɾw`O"NƼ*[#21+aO 53.6Jaʣ@BUyi5_*Eja*s柦 {WLP m?vy&B=deZoipathfinder-1.1.3/testdata/certs/ValiddeltaCRLTest7EE.crt0000644000175200017520000000145210652446340023356 0ustar ppattersppatters0&00  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA10 010419145720Z 110419145720Z0W1 0 UUS10U Test Certificates1,0*U#Valid deltaCRL EE Certificate Test700  *H 0 _haEFb?~#jg* gU^S.@ey,`eQ&n7I뺃"LU#apathfinder-1.1.3/testdata/certs/ValidpathLenConstraintTest8EE.crt0000644000175200017520000000123710652446340025366 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint0 CA0 010419145720Z 110419145720Z0`1 0 UUS10U Test Certificates1503U,Valid pathLenConstraint EE Certificate Test800  *H 06o.1/\lO!᨝|eum[Oi"yyCÑݧڛE5 Za Pa &w)ࣳU`{ !ߣs9|0z0U#0! 
vvӳ*&O֡oK0UT)pMnCqgiAۜ0U0U 00  `He00U00  *H #.<6=4fXWPE?:iQ }Ҳ@PeeO7w8EoMMc/#S֯a䵣֖$_{pathfinder-1.1.3/testdata/certs/InvalidNameChainingTest1EE.crt0000644000175200017520000000120310652446340024560 0ustar ppattersppatters00 0  *H 0@1 0 UUS10U Test Certificates10U Good CA Root0 010419145720Z 110419145720Z0^1 0 UUS10U Test Certificates1301U*Invalid Name Chaining EE Certificate Test100  *H 0__ 8+ }W h:[];MzcyHA Wf"o9zQ(p䏾Xj-P3?WHqU>Y~p&tSCmJf[/ p0l^[k0i0U#0.ȼ{'D53ߚ0UB_ %(^ކ"0U0U 00  `He00  *H |r&SN}!=l GK훧HrUO]EfzXγq-`}pΒc(Ӫbx͡ l"B3[zYT%Hfx21*Vn2i>pathfinder-1.1.3/testdata/certs/BadnotBeforeDateCACert.crt0000644000175200017520000000117710652446340023761 0ustar ppattersppatters0{00  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 470101120100Z 490101120100Z0I1 0 UUS10U Test Certificates10UBad notBefore Date CA00  *H 0ɧm L反A69z5a&棥̅qB& Ŏ]z-${D nFtHg2S *QwV8L sOx,%dՈ /4;/|0z0U#0l-'z <ꚼI0Uz3#*lO8"}X0U0U 00  `He00U00  *H B(齎bZ^9Z$YT3/,f9 `'^7Cw`H#D GxUu'}HHjݛğ#!-d_h?z@ظ/@.wLnpathfinder-1.1.3/testdata/certs/InvalidinhibitAnyPolicyTest1EE.crt0000644000175200017520000000121010652446340025513 0ustar ppattersppatters000  *H 0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy0 CA0 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Invalid inhibitAnyPolicy EE Certificate Test100  *H 0;J ָ_}S~Sx&H>S?SA2j78/>27Jockd/Nb> qR(D${1hP05,ؒm[c\0|&Qd$e0c0U#0@`\/ E0U`%/@T W"0U0U  00U 0  *H [ò0>C ])= Q/M )+pg5S&s7b [ϏPZ9V뭯 + S Wv cGx4T pathfinder-1.1.3/testdata/certs/ValidDNSnameConstraintsTest32EE.crt0000644000175200017520000000130110652446340025510 0ustar ppattersppatters00&0  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS2 CA0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Valid DNS nameConstraints EE Certificate Test3200  *H 0߾( WsT|j ;[ןH1Eh=ȤT,m4UգB8=53^-2U><][QSǵ:]ys,B;͸g900U#0~;ޜқBD{n0U9*ޑݹg%g0U0U 00  `He00*U#0!testserver.testcertificates.gov0  *H Kcog8>H.hU~98XPu!̰:wO)Z2RL{Q j5.jOD#V5_b_h=Ku 
l!G79RJ@dZ,Kpathfinder-1.1.3/testdata/certs/InvalidRFC822nameConstraintsTest26EE.crt0000644000175200017520000000130710652446340026272 0ustar ppattersppatters00,0  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA30 010419145720Z 110419145720Z0h1 0 UUS10U Test Certificates1=0;U4Invalid RFC822 nameConstraints EE Certificate Test2600  *H 0]̘09١׿ sK$Bb`)>GU褶m"T%tTx~s7U:x(iSDn#M 6# #B?r"BZ[#&3K00U#0n+ 6gi5=)x0UAh8Fg*0U0U 00  `He00(U!0Test26EE@testcertificates.gov0  *H M '=z\qݗ)4P+=w<(B1GƁ㿝 &"Z̲|MץY!2Q:AEJ}y/Hb XN'2,%[~yeIk4Zpathfinder-1.1.3/testdata/certs/InvalidinhibitAnyPolicyTest4EE.crt0000644000175200017520000000121410652446340025522 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA10 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Invalid inhibitAnyPolicy EE Certificate Test400  *H 0&fVB7%%mzl2v[O.ġ U:vme>r ӄ`?eDΉ̅TOaS)<f4b{+bS(M9 @a>SPR9|0z0U#0 2DPP`5 jE&0U(hji>)6cp0U0U 00  `He00U00  *H G r]O뚗v*z/g*CD>00U#0N.݋;AJÞ|Y#WNS0UB4 ۏ +!> 0U0U 00  `He008U10/-DNnameConstraintsTest4EE@testcertificates.gov0  *H ]źG`L^:=q81CBj)kyΑ^N5Fjh[xsK5 fQ7u]Dr?m"k%sE /?EՒpathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest14EE.crt0000644000175200017520000000122210652446340024550 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test Certificates1$0"UP1anyPolicy Mapping 1to2 CA0 010419145720Z 110419145720Z0^1 0 UUS10U Test Certificates1301U*Valid Policy Mapping EE Certificate Test1400  *H 0-LƩ!1DQ.N :t+l~Nd˞8E-4U{`m> \K*xDx=ͯEn 0 7iIpathfinder-1.1.3/testdata/certs/inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt0000644000175200017520000000121010652446340026737 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA20 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA200  *H 0W]Г#e_v9-SEp!M!0# Gm8Si%RIWe^>IrErh#>-;̐_k4m5qG!"v0t0U#0A&L+VgU0U݉fwƦz0U0U  00U 0U00  *H 
oe:~V!~|؇͕dFZ{s27ղÌPJqW>JnoaovG̟fSr$[J2km59eRsֻb{pathfinder-1.1.3/testdata/certs/GoodCACert.crt0000644000175200017520000000116110652446340021512 0ustar ppattersppatters0m0֠0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0;1 0 UUS10U Test Certificates10UGood CA00  *H 05 +JCE tⲋ#}-s a$1޽0YXIقۿ 6!Bo7Rmly\joH1O\Hl\jJ )-!i?z|0z0U#0l-'z <ꚼI0U.ȼ{'D53ߚ0U0U 00  `He00U00  *H ~AKp- Ԙ`dr̚pC,٦4rm{v7t6 FhǛ97]0k 4 *}jh&%~@:; jpathfinder-1.1.3/testdata/certs/deltaCRLCA3Cert.crt0000644000175200017520000000116610652446340022344 0ustar ppattersppatters0r0۠]0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0@1 0 UUS10U Test Certificates10U deltaCRL CA300  *H 0c܇T)sb Q@7D/=<,۾^iHTx`i}<>h3-oͺ(bKK2SZ-,ȩaB*h{|0z0U#0l-'z <ꚼI0UO@3]"Vp0U0U 00  `He00U00  *H OGtf>ݢD`Ey |Gk Sto )=l% {m7eZ~PT(AnoH -Ip2~r(Y4YH4.#:Sy%"$Ƭ-H(̜pathfinder-1.1.3/testdata/certs/UnknownCRLEntryExtensionCACert.crt0000644000175200017520000000121010652446340025534 0ustar ppattersppatters00 0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0R1 0 UUS10U Test Certificates1'0%UUnknown CRL Entry Extension CA00  *H 07wT vpt=nAClRA:gfuUj뼓ā+ n C+W 輀{NaRN*bwO׈ɴRj (PF( Yl\ Bs|0z0U#0l-'z <ꚼI0U[愈l[ΓiM0U0U 00  `He00U00  *H  y=3-zP Z2'KTYoXR"IS~;Jwj.[~å8OWML^DS6}r{xѡPʯpathfinder-1.1.3/testdata/certs/ValidinhibitPolicyMappingTest2EE.crt0000644000175200017520000000123310652446340026036 0ustar ppattersppatters000  *H 0S1 0 UUS10U Test Certificates1(0&UinhibitPolicyMapping1 P12 subCA0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Valid inhibitPolicyMapping EE Certificate Test200  *H 0X֩@ƕP50y+G;EԠ=*Z޾93q~~PUޏ(27M6щBw`f zxǠnRjGFhřL a_Hvqk0i0U#0z0\6@ ؟R0Uhtp[onX46U>0U0U 00  `He00  *H ~3dwsB0+_kc,Xkl^ øP:4F&IL42L1VNK@\DYvJ>h$umn&z;&f0|pathfinder-1.1.3/testdata/certs/nameConstraintsRFC822CA3Cert.crt0000644000175200017520000000125610652446340024651 0ustar ppattersppatters00E0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 
010419145720Z 110419145720Z0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA300  *H 0ȢևE0$4>ַ!CzFYf=Es$OT H$ ;=YQYm2N4 ciU$W˲Xi(mӥ"QZk E%  ?|N}00U#0l-'z <ꚼI0Un+ 6gi5=)x0U0U 00  `He00U00&U00testcertificates.gov0  *H s vGHxzRaCJrcʼnK ŎZ!?{B+ϴh@p$U7# ](yw>M]JMbYX-*2w:.ÎL=(1=)9pathfinder-1.1.3/testdata/certs/ValidDNnameConstraintsTest5EE.crt0000644000175200017520000000147510652446340025321 0ustar ppattersppatters0900  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN2 CA0 010419145720Z 110419145720Z0}1 0 UUS10U Test Certificates10U permittedSubtree11604U-Valid DN nameConstraints EE Certificate Test500  *H 0l».;-;D(#J[baL==jAg/?IVH8qFZ -BR.D_,ͦUqlR&/XV¼xŖI!-DZвz|00U#0|{ &Qvb0UC1c0U0U 00  `He00U00}1 0 UUS10U Test Certificates10U permittedSubtree21604U-Valid DN nameConstraints EE Certificate Test50  *H V*v>[}+!{s&'&6uˠJ|>?ɦ[]t?~#p%w?l%Hu*5|w(ˏ6Z.hoMʬYpathfinder-1.1.3/testdata/certs/PoliciesP123subCAP12Cert.crt0000644000175200017520000000122410652446340023734 0ustar ppattersppatters000  *H 0D1 0 UUS10U Test Certificates10UPolicies P123 CA0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UPolicies P123 subCAP1200  *H 0e'mVP]8s&n"M9q' RmP&$uI>6Y H+bɮ9UYHhk<ƃp K5`4 x685 O'/BnP00U#0п͛Zϐ0UZ!ܓm |jhKU0U0%U 00  `He00  `He00U00  *H ?@26֕9EXu8rA#/ハqw$Ԯɏ*KzImӾje%,%Q2 2Y)pg^cƹEH4[_# wgq ~&;$p-.pathfinder-1.1.3/testdata/certs/InvalidonlyContainsCACertsTest12EE.crt0000644000175200017520000000122410652446340026211 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UonlyContainsCACerts CA0 010419145720Z 110419145720Z0e1 0 UUS10U Test Certificates1:08U1Invalid onlyContainsCACerts EE Certificate Test1200  *H 0f.,o,_AS&A5 ˥bE2čmFYIJxh00A4vR`zk p{w^!nWR_@ ,ص|8\v^9.1߭߯k0i0U#0Fg{YUȬU0UVy_ө}[\0U0U 00  `He00  *H Z\}-3P $#Dp7ǿ'\&9K#SA#,A`,lm{oA$L0iMm+d'K (_ O0;uH0^.Xpathfinder-1.1.3/testdata/certs/ValidcRLIssuerTest33EE.crt0000644000175200017520000000152510652446340023657 0ustar ppattersppatters0Q00  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA60 
010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Valid cRLIssuer EE Certificate Test3300  *H 0X`'&ơb)[BA }g:A~l'{6Oq:|z'CIsw` `~ļ=XNbLImmz9s[]d6(n>^`~+v؇=090U#0>N3YIf}0U|Az< # s;8G0U0U 00  `He00U00trp0n1 0 UUS10U Test Certificates10U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6GE0C1 0 UUS10U Test Certificates10U indirectCRL CA50  *H g|VmCjN`Y#%w|9j<Mt []Ĺ[l!8*Rjt@QlRqP[ϼB9eJqy2Z7>R&dX햶/Hpathfinder-1.1.3/testdata/certs/pathLenConstraint6subsubsubCA11XCert.crt0000644000175200017520000000123410652446340026601 0ustar ppattersppatters000  *H 0Q1 0 UUS10U Test Certificates1&0$UpathLenConstraint6 subsubCA110 010419145720Z 110419145720Z0U1 0 UUS10U Test Certificates1*0(U!pathLenConstraint6 subsubsubCA11X00  *H 0ͶC ]Dr-{6ɧ8o!V=k9) JS 0&2lVx^ I)e1 d>˼"/oRFИNqLV5R em ?E|0z0U#0Q\N,PQX[+0Uj6Wu?BP(7ŭ0U0U 00  `He00U00  *H ^V!= 1t` ~5$"֡A~GKoQ>cҏx~V`&v3KNLlr^mz0@]ZZYGlEfS@r`+["jaTtpathfinder-1.1.3/testdata/certs/InvalidRevokedCATest2EE.crt0000644000175200017520000000117610652446340024054 0ustar ppattersppatters0z00  *H 0A1 0 UUS10U Test Certificates10U Revoked subCA0 010419145720Z 110419145720Z0X1 0 UUS10U Test Certificates1-0+U$Invalid Revoked CA Certificate Test200  *H 0٩-B*bҾюoT !6Aݭ5^n!Z=PHf̤32z䠳:#\;;E×%GαqB HzV00U#0.ȼ{'D53ߚ0Uܚ\"p Hs0U0SU L0J0H `He00:08+,http://csrc.nist.gov/csor/pkireg.htm#pkitest0  *H |:=])7ӽLև#}85aO?l>|l#QJӊ5'U7GҖzUk\Tq*ЇL9p2#=*AѼxȩԏ0K\%e,Zwo Cpathfinder-1.1.3/testdata/certs/ValidSeparateCertificateandCRLKeysTest19EE.crt0000644000175200017520000000125710652446340027601 0ustar ppattersppatters000  *H 0Y1 0 UUS10U Test Certificates1.0,U%Separate Certificate and CRL Keys CA10 010419145720Z 110419145720Z0q1 0 UUS10U Test Certificates1F0DU=Valid Separate Certificate and CRL Keys EE Certificate Test1900  *H 0 ?^\X b>NxZy`i%}%6ȷ*§H'+r`#v[*pEm#)W!nM"ȅhxc Ʉ(!ݵ?*6vGTsk0i0U#0\Q"'1"@ %σy0Uq_Wh40U0U 00  `He00  *H RsB .Hn1YJiqZjw͞j!(Y[&-ϷhqD"XS&91Na 
-0D*k9Ykk:][8ȅv`A#nipathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest13EE.crt0000644000175200017520000000132010652446340025714 0ustar ppattersppatters0050  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA20 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U permittedSubtree11907U0Invalid DN nameConstraints EE Certificate Test1300  *H 0S 89e4aW%;̖V}Qk5-+=i)O'n}Jz}Co2n dC{Bgnΰ̤PBPU}<lDoG u5M\1,[|_k0i0U#0կk( Hl *h /mW0U$ٺ+aeN0U0U 00  `He00  *H =v>̂$>h'J]7G Ϲ^x}md6)[5l[2;X\8=YZ ֓(xO [Bqm<^b"pathfinder-1.1.3/testdata/certs/onlyContainsUserCertsCACert.crt0000644000175200017520000000120210652446340025136 0ustar ppattersppatters0~0M0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UonlyContainsUserCerts CA00  *H 0.{2:`!v|Nww@ZѶI#mGmt0tȎI# 8Ѽ'PPQGh&!G#2`0/!Hm#o4njg:yp |0z0U#0l-'z <ꚼI0UZ7F\߸:@0U0U 00  `He00U00  *H ), {h%tG+ʂ@w.%Θv] Wv@|Qӱs$?0[QZƌ%IOrY3mKqpgxipathfinder-1.1.3/testdata/certs/keyUsageCriticalcRLSignFalseCACert.crt0000644000175200017520000000121410652446340026246 0ustar ppattersppatters00 0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0V1 0 UUS10U Test Certificates1+0)U"keyUsage Critical cRLSign False CA00  *H 0,xx/LXf@09 q V}E7xO A@4/ٸ5{u tVzs@6UϺdhS70LJc``U|0z0U#0l-'z <ꚼI0UP p&<0.?t0U0U 00  `He00U00  *H oQދ: 4Xؖab=+l#4"- Nv Wd\7Qc,J 6 Q#X>ך6{pErk]=1ޯv܄pP4_g:Upathfinder-1.1.3/testdata/certs/InvalidinhibitPolicyMappingTest6EE.crt0000644000175200017520000000124410652446340026373 0ustar ppattersppatters00 0  *H 0Z1 0 UUS10U Test Certificates1/0-U&inhibitPolicyMapping1 P12 subsubCAIPM50 010419145720Z 110419145720Z0e1 0 UUS10U Test Certificates1:08U1Invalid inhibitPolicyMapping EE Certificate Test600  *H 0|Fێg>.'ߛ%a>+ QsW?7X:Yg?&k#!O$ۑ0u/?򦇖_8 3lf;$_Qf.9?FoKڪZR0uTBHΒ1;'eG;ZkB7nVsjvٙ 5y0w0U#0l-'z <ꚼI0U*B33*MsU0 U0U 00  `He00U00  *H 9g;7b; Q_'e%["i=ԛ)L>ުjB5EB!^(ZVuA 
ȥ*AF[SҦdOtITiMpathfinder-1.1.3/testdata/certs/ValidGeneralizedTimenotBeforeDateTest4EE.crt0000644000175200017520000000121710652446340027432 0ustar ppattersppatters000  *H 0;1 0 UUS10U Test Certificates10UGood CA0 20020101120100Z 110419145720Z0m1 0 UUS10U Test Certificates1B0@U9Valid GeneralizedTime notBefore Date EE Certificate Test400  *H 0Ez?b`ءkյZFDIa%BW>7?Q6[\+ҩHit=c9 p>W\z8 W]Znɗ >Y lv:*t1]Fuk0i0U#0.ȼ{'D53ߚ0UxR8 y+l0U0U 00  `He00  *H "M;H Z#^nL#MYs1gqxFV;Ǣ@U'a1O@ְxH0.|5I\Ò`$gmF50NEuq'nG%UBpathfinder-1.1.3/testdata/certs/requireExplicitPolicy7subCARE2Cert.crt0000644000175200017520000000125110652446340026272 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy7 CA0 010419145720Z 110419145720Z0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy7 subCARE200  *H 0.? |=p*HH+INHwRR;yBYuWI,1wF$\&-o1cdtN3 r+?L.sԽ _t00U#0"pNb/p˵NM0Uh / QKXs9?K0U0U 00  `He00U00U$00  *H !G~};\[C"OEۀ~h`~FY!G'Rno/ *T8pkX˟EI>`w HM؊$2l܂T ^(-$G~{B0Xbqpathfinder-1.1.3/testdata/certs/ValidSelfIssuedinhibitAnyPolicyTest9EE.crt0000644000175200017520000000123410652446340027171 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA20 010419145720Z 110419145720Z0k1 0 UUS10U Test Certificates1@0>U7Valid Self-Issued inhibitAnyPolicy EE Certificate Test900  *H 0IWX.9;FYh;M7[;:rtΦceOGTa/peN)(;d'߻)GP ?#@Ф\2{k_RnȐl9(U M>`A@Du)e\k0i0U#0݉fwƦz0UA|8Q2S{0U0U 00  `He00  *H ۾KRA\p-gP*vԍ$ZML +}γ$0˓kf|`a` dT枂y Gŗ%+{giAΚʟw.)ia~;"ChTpathfinder-1.1.3/testdata/certs/InvalidonlySomeReasonsTest20EE.crt0000644000175200017520000000155010652446340025465 0ustar ppattersppatters0d0͠0  *H 0G1 0 UUS10U Test Certificates10U onlySomeReasons CA40 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Invalid onlySomeReasons EE Certificate Test2000  *H 0yi?[^,ч{~Q)i9׵DO$̬Dh@Ke^!ņȻALpdӈ!|gotƒ/)v5p3G|T{/aDz\HDD0@0U#0?@kYZT0U/gӤ˓t3_20U0U 00  `He00U00b\ZX0V1 0 UUS10U Test Certificates10U onlySomeReasons CA41 0 UCRL1`0c\ZX0V1 0 UUS10U Test Certificates10U 
onlySomeReasons CA41 0 UCRL20  *H "jGdnht%)s@=(wPbpDnY;vذ_W+ cRR6OGN=7ƌ<~9p%hY&&6Zij4Yb9ڬώ1^epathfinder-1.1.3/testdata/certs/anyPolicyCACert.crt0000644000175200017520000000120010652446340022563 0ustar ppattersppatters0|0&0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0@1 0 UUS10U Test Certificates10U anyPolicy CA00  *H 08f uʣCg6.~e b_ Y'a=4Ч//d1WB9]{?+rYi*[gvNup YBxQ(%ʼnw҆00U#0l-'z <ꚼI0U>Cg@1a0U0U  00U 0U00 U$00  *H <'3*/ bGã`CfYףI͵O|ʘΖ9APĢɼt'Ow>D6?6sW qzHܮ{ i_Y0D()pathfinder-1.1.3/testdata/certs/NoPoliciesCACert.crt0000644000175200017520000000113710652446340022671 0ustar ppattersppatters0[0Ġ"0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0B1 0 UUS10U Test Certificates10UNo Policies CA00  *H 0l@,q:Ni3 @j:rH Teen(pIk~5ĔmX<"-oF:}:TJ5γi\;;Kc0a0U#0l-'z <ꚼI0US%}[>W]%0U0U00  *H kV U܀-Iq"5/yx *FUBE8e$MS| q)圂F.B#<ܦỤP<[% ΅hU+V)WfwHpathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest20EE.crt0000644000175200017520000000117110652446340025716 0ustar ppattersppatters0u0ޠ 0  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA00  *H 0-%/ws.uS'N`t^T+VĂ&?'1p4V;ҶȌmV4݄S)q1mLRjJ~2*[Ed.~`=[^GCk0i0U#0N.݋;AJÞ|Y#WNS0UT\ A PgO!0U0U 00  `He00  *H Iki񨑛,f1]3aHq&%pA䅰~ɽt,hHICA-# A4#r brܲ)3E4{l';0,.$8T &)@=7,pathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest3EE.crt0000644000175200017520000000150110652446340025634 0ustar ppattersppatters0=00  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA0 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U permittedSubtree11806U/Invalid DN nameConstraints EE Certificate Test300  *H 0EUGYw6O9$2BlAFo S^DN0U0U 00  `He00U00~1 0 UUS10U Test Certificates10U excludedSubtree11806U/Invalid DN nameConstraints EE Certificate Test30  *H F-lB{R09_,n9Dy-B'oΈenJwxIR KOSPˠAvq k'zMB8}✮W 
}1)M!"-rߟMelpathfinder-1.1.3/testdata/certs/ValidLongSerialNumberTest17EE.crt0000644000175200017520000000124310652446340025213 0ustar ppattersppatters00~ 0  *H 0I1 0 UUS10U Test Certificates10ULong Serial Number CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Valid Long Serial Number EE Certificate Test1700  *H 0Ʉ#;DX+4jS(6C%M݃n^ tWf5u Eb ^?StqZC6r> ,h=,UNBOQ M[.E`t'{8]پQk0i0U#0=H2&R Oߦ0U{Ű5E(=Be0U0U 00  `He00  *H aj"G\,1nv#"cg? jg!7]3 (b؀1"|[;1N5KQu>-&ϋ :|O,_ (3Jepathfinder-1.1.3/testdata/certs/ValidDNSnameConstraintsTest30EE.crt0000644000175200017520000000130110652446340025506 0ustar ppattersppatters00&0  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS1 CA0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Valid DNS nameConstraints EE Certificate Test3000  *H 0ٛL9B;za=W`|O^H9^ Uiy=WSI)y\վݲ#1ոԈ5{Zz0sg|9_$ 55!,u/VTFBU|3g0Z sdl+00U#0ugG ۞Rsx0Ubi^4uK݇aM 0U0U 00  `He00*U#0!testserver.testcertificates.gov0  *H T gafCjѩ/ R]/X^R W*?bM>v@)Rؙ.ZvzrçVم`7&`9oa4o1UAǽ[1 HZ7AMpathfinder-1.1.3/testdata/certs/DifferentPoliciesTest12EE.crt0000644000175200017520000000120310652446340024410 0ustar ppattersppatters000  *H 0B1 0 UUS10U Test Certificates10UPolicies P3 CA0 010419145720Z 110419145720Z0\1 0 UUS10U Test Certificates110/U(Different Policies EE Certificate Test1200  *H 0 7S@< X5bĵ/XkOǞ¾VΰoF#KbYJJR/m}4ඖ /#^8㫝pd_~eCNq-}Jm SQ$ _,u#ڀ}Ok0i0U#0fUeQY*b0Ue* f̧q%qTP>0U0U 00  `He00  *H >d.1xܧEP?Y5'Rُ6a() qD~aL$p.d^ Zg%c h4Xy7+˂QyRAHIߑ݊pathfinder-1.1.3/testdata/certs/InvalidonlySomeReasonsTest21EE.crt0000644000175200017520000000155010652446340025466 0ustar ppattersppatters0d0͠0  *H 0G1 0 UUS10U Test Certificates10U onlySomeReasons CA40 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Invalid onlySomeReasons EE Certificate Test2100  *H 0yk7cQVK<1s' 6`zl/BR)U;b^\3HH~KH7.7p>園0sN 7W 5t=k/Λh#/uʅ$G]cSD0@0U#0?@kYZT0U$ r;O\0U0U 00  `He00U00b\ZX0V1 0 UUS10U Test Certificates10U onlySomeReasons CA41 0 UCRL1`0c\ZX0V1 0 UUS10U Test 
Certificates10U onlySomeReasons CA41 0 UCRL20  *H 6Rj{kR%7:#n{{cm|t|C>uP]CCEn*ҟx0@8탛?)=+$^.E2>'i2+Km=VaV$@pathfinder-1.1.3/testdata/certs/nameConstraintsRFC822CA1Cert.crt0000644000175200017520000000125710652446340024650 0ustar ppattersppatters00C0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA100  *H 0wa2HT̪ BT8FMU{VFX#5$܁fH _޽z_5yDTl)"FbVL'?\P銉믋V -as,o6Ox))6y00U#0l-'z <ꚼI0Uz;yĽ.Y0U0U 00  `He00U00'U00.testcertificates.gov0  *H iC_̺~5q#Ur>ۢ.gki\JM ]#m$aLV+X`_/;jK0P@MR[m=6jniحx# i-A/pathfinder-1.1.3/testdata/certs/AllCertificatesNoPoliciesTest2EE.crt0000644000175200017520000000116310652446340025761 0ustar ppattersppatters0o0ؠ0  *H 0B1 0 UUS10U Test Certificates10UNo Policies CA0 010419145720Z 110419145720Z0e1 0 UUS10U Test Certificates1:08U1All Certificates No Policies EE Certificate Test200  *H 0rD^KVq}#{.e!ybYAJr_*2'/&P)=oB1jBj[I $c]iaج;6˒[O@;IE]i1C+8^1DR0P0U#0S%}[>W]%0Uːgk%G!0U0  *H i6M=wLy]< å(RdyȻ%x/CWoj /qqiO%sh wn)zHVR=_r?'@v_O/d Upathfinder-1.1.3/testdata/certs/InvalidcRLIssuerTest31EE.crt0000644000175200017520000000152710652446340024206 0ustar ppattersppatters0S00  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA60 010419145720Z 110419145720Z0[1 0 UUS10U Test Certificates100.U'Invalid cRLIssuer EE Certificate Test3100  *H 0oj d?;@/;i_T2H pPՈr I9!-$CwV؊ဢx 31b17OsljC_ .5%}1 =090U#0>N3YIf}0U4I\羝.QXI&R!uO0U0U 00  `He00U00trp0n1 0 UUS10U Test Certificates10U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6GE0C1 0 UUS10U Test Certificates10U indirectCRL CA50  *H -P.K HRN:3=e-nѤ[ mɲPF3/v8yL) +"g65=Zܧ !Y4aOپ"vM?wXz-%W\Glpathfinder-1.1.3/testdata/certs/RolloverfromPrintableStringtoUTF8StringCACert.crt0000644000175200017520000000123010652446340030540 0ustar ppattersppatters00c0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Rollover from PrintableString to UTF8String CA00  *H 
0)YR0h5{|!>*7@N䤠j4CѪxlh|򉕭ˆ8lEM=&YDŽͰ5ɚZfK8[:EK[.WUtgV#O5 >/|0z0U#0l-'z <ꚼI0U74U5ɴM~K褉<0U0U 00  `He00U00  *H _IJꄱ3ȲB9/RUWdvK^Ân"๟|LKk5Q fb7ɔDKg$CK+dgupathfinder-1.1.3/testdata/certs/onlyContainsCACertsCACert.crt0000644000175200017520000000120010652446340024501 0ustar ppattersppatters0|0N0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UonlyContainsCACerts CA00  *H 03ݍ/P%W!U¥uhdXQ^9WWz mQ;kc;33hsU6Ͻl+ܟ1l{q6@M'=mES |0z0U#0l-'z <ꚼI0UFg{YUȬU0U0U 00  `He00U00  *H Ɛ#@Wv|zvv~$?!3#)C7.}#fi ׋_I|t"~/E/0ps&yd/zOde0A:/--p0\pathfinder-1.1.3/testdata/certs/nameConstraintsDN2CACert.crt0000644000175200017520000000145610652446340024305 0ustar ppattersppatters0*0?0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UnameConstraints DN2 CA00  *H 0^B2oD-Yݡq>vM{rg00U#0M H2 0U,^/ۢ5M1L(J-0U0U 00  `He00SUL0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10  *H dT<O')c3FC9c%zi7=_c̯ eQ]~< 9+@Vm:pFlXZ$!Ia5[_n V8u[Hpathfinder-1.1.3/testdata/certs/requireExplicitPolicy2subCACert.crt0000644000175200017520000000122310652446340025753 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy2 CA0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy2 subCA00  *H 0:6Xp… 6\%Qg?l+ﮘ>jB`lKΗ܂7-ħ2kiuZ1m͞PhE"}ϝzc\䋞:ABg!gXo&jB|0z0U#0l-'z <ꚼI0UWf&mr:le C 0U0U 00  `He00U00  *H Yl$:ڠd7tPڻܱ$nb(qߦ;5=&8` eNe%2zbg,Ȏ:r{B1v;k) x ;?d/$6pathfinder-1.1.3/testdata/certs/OverlappingPoliciesTest6EE.crt0000644000175200017520000000124510652446340024721 0ustar ppattersppatters00 0  *H 0R1 0 UUS10U Test Certificates1'0%UPolicies P1234 subsubCAP123P120 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)Overlapping Policies EE Certificate Test600  *H 0$뉓پ+nfk<˂f3I/̶+5? 
# ܄/P#LiƴjU"H< ^1wX(Qi+3:>tέ9|iK qJPꂀd5|0z0U#0̴\7PU1.䑤h0U 1Tk Kt05܀SU?Y# Hv?ſ?TS/ץ8b2a$+38Npathfinder-1.1.3/testdata/certs/ValiddeltaCRLTest2EE.crt0000644000175200017520000000145210652446340023351 0ustar ppattersppatters0&00  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA10 010419145720Z 110419145720Z0W1 0 UUS10U Test Certificates1,0*U#Valid deltaCRL EE Certificate Test200  *H 0JWWBl5;8rɷeeW`t^?<*-%i@SWxIiQ #riw$+ c I"n\TT Ei]鿪) 00U#0M H2 0UΎcߋr,|h0U0U 00  `He00SUL0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10  *H b!rsHprm.@A+(UD秭uu΅OJ\n<kuBȀ6c^U~Wped"4y}`_W}I?ֳ%C 'xDt36pathfinder-1.1.3/testdata/certs/UserNoticeQualifierTest15EE.crt0000644000175200017520000000136310652446340024746 0ustar ppattersppatters00X(0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0_1 0 UUS10U Test Certificates1402U+User Notice Qualifier EE Certificate Test1500  *H 0Ҡ_smrWA A @UeIĺ@k푷P<8,)L NXBο-}pELL>V j}sݩI/'P4=Y.ǻ/hG}00U#0l-'z <ꚼI0U1򊒁RJ0U0U |0z0x `He00j0h+0\Zq1: This is the user notice from qualifier 1. 
This certificate is for test purposes only0  *H Il%5hg-l 5RZwDy|RWWLʶȂ&y5Cc~=@ o?k m̶,,SagE /lʗi{n+ yJq(8R~tήpathfinder-1.1.3/testdata/certs/ValidDNnameConstraintsTest19EE.crt0000644000175200017520000000125510652446340025402 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA0 010419145720Z 110419145720Z0~1 0 UUS10U Test Certificates10U permittedSubtree11705U.Valid DN nameConstraints EE Certificate Test1900  *H 0,sf˜G.%Rmlۡ~j5"ϐ؝}k;N pEi*HDqf}֏5NAQD|G C\pe8lmk0i0U#0 g9qbۭ530U}{ 촭0U0U 00  `He00  *H Wز~~L7KyVЉ֫W(rcֵ4M7ɔ 2ȯ{q_3{aEYRGZݛlUmHYN6PH?!s *ʦ8Stfpathfinder-1.1.3/testdata/certs/inhibitAnyPolicy5subsubCACert.crt0000644000175200017520000000121710652446340025413 0ustar ppattersppatters000  *H 0K1 0 UUS10U Test Certificates1 0UinhibitAnyPolicy5 subCA0 010419145720Z 110419145720Z0N1 0 UUS10U Test Certificates1#0!UinhibitAnyPolicy5 subsubCA00  *H 0*G((ߧ{  N9ߋR9_Ϲ;r9;4 Mt/vMu+JS-בB{(gdvbx<@9ۜ,x_dڀ Rpc|0z0U#0JwbX#ùnMo0Us dU0U0U 00  `He00U00  *H -ɒ W y P`Si@O_Ξ{L<@qXfwxʊrٍD4"` P[`1Ex/'Gn&cHԨsxu lh8Sk Wpathfinder-1.1.3/testdata/certs/InvalidMissingbasicConstraintsTest1EE.crt0000644000175200017520000000123510652446340027107 0ustar ppattersppatters000  *H 0O1 0 UUS10U Test Certificates1$0"UMissing basicConstraints CA0 010419145720Z 110419145720Z0i1 0 UUS10U Test Certificates1>0<U5Invalid Missing basicConstraints EE Certificate Test100  *H 0slL]. 
罏1`]ubzכZypXC+c(h/rV;ϯGǀR<& 9 $#B//_}6SFnff^A'k0i0U#0F]7ҩE\10U7UεnX0U0U 00  `He00  *H Wzb1~,cbĴ@,Mf|), )zd-s?*fu"$aG.35 O`ڷVTd|G~wj2t=8 pathfinder-1.1.3/testdata/certs/pathLenConstraint6subsubsubCA41XCert.crt0000644000175200017520000000123410652446340026604 0ustar ppattersppatters000  *H 0Q1 0 UUS10U Test Certificates1&0$UpathLenConstraint6 subsubCA410 010419145720Z 110419145720Z0U1 0 UUS10U Test Certificates1*0(U!pathLenConstraint6 subsubsubCA41X00  *H 0iY=#d)z:P{ )^Ҡ_߫B̾Qj@$0.qW!N6Q\|y )=$ӌ8/ {YSl39q*|0z0U#0=tC@Ъ ց40U犖t<I?p0U0U 00  `He00U00  *H 1Gkdl2Ǿit3 0G7gj*W eB]dݫVWl0kO̲jmQ\;@.ɇK]Pkt[e Yŗ*ﰐ+_KA|qMK$2fX%pathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest9EE.crt0000644000175200017520000000125510652446340025650 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN4 CA0 010419145720Z 110419145720Z0~1 0 UUS10U Test Certificates10U excludedSubtree21806U/Invalid DN nameConstraints EE Certificate Test900  *H 0ߏQ );rSQq,1TFV#I){Z'"4fT^Ū/ x+WԹy[L\Y1g&\zQCk0i0U#03)茀L'%gv0UYWnc 1CPŝuֵ0U0U 00  `He00  *H j/.fN㺠t Լ7'ۀ$rL$tn\JJx}իhЪ>0(TT[k|jSj -(w1WREd5$Uw?o{c [[e8&$gzPIJ.d:xiRǭS~EO|eiQpathfinder-1.1.3/testdata/certs/requireExplicitPolicy10subsubsubCACert.crt0000644000175200017520000000124110652446340027256 0ustar ppattersppatters000  *H 0T1 0 UUS10U Test Certificates1)0'U requireExplicitPolicy10 subsubCA0 010419145720Z 110419145720Z0W1 0 UUS10U Test Certificates1,0*U#requireExplicitPolicy10 subsubsubCA00  *H 0=PyF_X,vf}D -Z;}A1B#2!'FCU؅X-2, !Bgj_Yүpf"8> $ Sv^5y|0z0U#0mh1_R.D{6)0Uwq*oQ ڬ20U0U 00  `He00U00  *H '{& z1TY ?[Y[S+|MHidΟqD|EÁV4ZV Z[cջC8fiZBRs_ _4VG#>&v$ Қk0ơXKpathfinder-1.1.3/testdata/certs/Mapping1to2CACert.crt0000644000175200017520000000126110652446340022724 0ustar ppattersppatters0000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0C1 0 UUS10U Test Certificates10UMapping 1to2 CA00  *H 01kR{UWBaw:0|}۞!Us+\caqrkd4QEh[}!;&M00U#0l-'z <ꚼI0U7;t9! 
V}0U0U 00  `He00&U!00 `He0 `He00U00 U$00  *H  r% kf̶t!&N[J|aRF `kިT[Y6sx\Fgޢ7Nh-e[0\׋=b$"z8{o8Z1vpathfinder-1.1.3/testdata/certs/InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt0000644000175200017520000000125110652446340030434 0ustar ppattersppatters000  *H 0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping1 P1 subCA0 010419145720Z 110419145720Z0r1 0 UUS10U Test Certificates1G0EU>Invalid Self-Issued inhibitPolicyMapping EE Certificate Test1100  *H 08)c>ߘ[FR!?%ςȮ9l36Wɤ?6$z׵~,vOT_4Ԛ<|mlU˷njjInvalid Self-Issued requireExplicitPolicy EE Certificate Test700  *H 0׉x]t (gutj A~Q]y"%ЃC&֞.D5yY 9 F2ZSK]%`'/b‚%  UaVط HN[ 6 #R0P0U#0)O:MF_00U2 o̪쟿0U0  *H 7RF5L4=^Ñd0?u B˴s7xK!xJHߺܠnUӣ%YL44_<鍳g|Ie(j'pathfinder-1.1.3/testdata/certs/ValidSelfIssuedpathLenConstraintTest15EE.crt0000644000175200017520000000123310652446340027427 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint0 CA0 010419145720Z 110419145720Z0m1 0 UUS10U Test Certificates1B0@U9Valid Self-Issued pathLenConstraint EE Certificate Test1500  *H 0Rӻ5AWub\ h>0Z:}NBP'?-KIBir&OLE=_fܓ+AߣZE?]#< +JXXC ׉ ^XuE֮ڙT߻uPWu֭lJk0i0U#08%BZ J,SPL0UKa@7>[I&Ơ0U0U 00  `He00  *H a rƲN+Ir~:+> .G)arBV^}*ܯD˧lKIJWgl԰}-)mR6owA9YiST'Awr w17:tpathfinder-1.1.3/testdata/certs/Invalidpre2000CRLnextUpdateTest12EE.crt0000644000175200017520000000123210652446340026016 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 Upre2000 CRL nextUpdate CA0 010419145720Z 110419145720Z0h1 0 UUS10U Test Certificates1=0;U4Invalid pre2000 CRL nextUpdate EE Certificate Test1200  *H 0hq#RmGDG_ev`0AnEm:5XSO=4Ҽ \|@5T(l%.J_2J,j9li ĭDUW0͓ykZck0i0U#0 H(qjH$ / uO9D T%䴩% 3. 
2Ɲx=Wj}[wW*uoNѣmz8U|0z0U#0l-'z <ꚼI0U(ٸmS"0U0U 00  `He00U00  *H #ٙſlU?:\gyU'B׽L3Wwz9Ak(s;|zӹ̗H% VʩHK aXBP1>5"TU3MIf &^9 ȿO1^4kpathfinder-1.1.3/testdata/certs/ValidUnknownNotCriticalCertificateExtensionTest1EE.crt0000644000175200017520000000125110652446340031546 0ustar ppattersppatters00^0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0r1 0 UUS10U Test Certificates1G0EU>Valid Unknown Not Critical Certificate Extension EE Cert Test100  *H 0nȚ̮ eq K,#SpA.;jh (f7[LFP:r5xHC " qIײD`\8d׎ɯ7OxSm1?ގ,}0{0U#0l-'z <ꚼI0UQT^5oYlit0U0U 00  `He00 `He 0  *H 7j#m_]Z@9 mEc6mC]|t8wNt*5Dpi[LkAgXe+@!bgU|dRጙʮd P]+' pathfinder-1.1.3/testdata/certs/InvalidBasicSelfIssuedNewWithOldTest5EE.crt0000644000175200017520000000124410652446340027225 0ustar ppattersppatters00 0  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued Old Key CA0 010419145720Z 110419145720Z0o1 0 UUS10U Test Certificates1D0BU;Invalid Basic Self-Issued New With Old EE Certificate Test500  *H 0t.YH3г>)Db0|VK&B5RSikۼ ,nV GDL`JVfh 6P!- ` ?Ռ^rSqil&y8%k0i0U#0jOruKzm\9$0USCz]c80U0U 00  `He00  *H 3*Ѐ {23t;W TX z Wk ef!|_ Rqm8h#x0r"0q2ou#eT n9 9z˴3bo2_bDpathfinder-1.1.3/testdata/certs/InvalidCAnotAfterDateTest5EE.crt0000644000175200017520000000121610652446340025033 0ustar ppattersppatters000  *H 0H1 0 UUS10U Test Certificates10UBad notAfter Date CA0 010419145720Z 110419145720Z0a1 0 UUS10U Test Certificates1604U-Invalid CA notAfter Date EE Certificate Test500  *H 0f7yփ)o_1 hq!mtu_j1G׈5[|:mb V=`aU~ ).8n#ej6PJ=Sje!$pNEll9k0i0U#0- &>a#.72Q20Ul[v?WO0U0U 00  `He00  *H VJP-:JOd,ы"UJs3Ozcȫ;,nd,1 [;tOFdtGMO鰸kꟶ>^g&2DgZiݷb#G*pathfinder-1.1.3/testdata/certs/BasicSelfIssuedOldKeyNewWithOldCACert.crt0000644000175200017520000000142510652446340026712 0ustar ppattersppatters00z0  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued Old Key CA0 010419145720Z 110419145720Z0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued Old Key CA00  *H 08kB nm'8پ@DJfǴ2%:'KQ /ޱ u#9?BA#\b "Drߠ .ZM _.rJ`eKW!J N 
esl}>At00U#0jOruKzm\9$0U!soAEՆ0U0U 00  `He00U00{Ut0r0pnlj0h1 0 UUS10U Test Certificates1=0;U4Self-Issued Cert DP for Basic Self-Issued Old Key CA0  *H p՝(2p Õvt&utsux59"MGsIpmL@F~h:5F{ fC[M}TߨS΁D9X.^FP65ݖv7୵ 'pathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest9EE.crt0000644000175200017520000000122010652446340024472 0ustar ppattersppatters000  *H 0N1 0 UUS10U Test Certificates1#0!UPanyPolicy Mapping 1to2 CA0 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)Valid Policy Mapping EE Certificate Test900  *H 0Tk&,-WGxķ H^$'YT`$_Xu\I$Qu1TT΍͗rP<*F>Qfn<TnA^LR l٨ 4 3ؠTfA*QCV%k0i0U#0ҺO>h8%ڒC6n0UHJM6G!WMrQh0U0U 00  `He00  *H >缵 O&C鍌f; q/F.~$.,ݻ/*W\~j{cW}$ /IþIגXNŅ/!b=.̼a)֙yS$pathfinder-1.1.3/testdata/certs/pathLenConstraint0subCACert.crt0000644000175200017520000000121310652446340025052 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint0 CA0 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UpathLenConstraint0 subCA00  *H 0ʫLR'H.@r!5 _ٹYR;̈ flPʞM(v[`yXV{1!:+b)&N굮a|<"Fzn/ r:|0z0U#0! vvӳ*&O֡oK0UFKnW ''0U0U 00  `He00U00  *H 5vݝC~6| ]"1%0Sr!qX̜[+hB̴$RAdQ13{\̮L2]=~`Qyŕopathfinder-1.1.3/testdata/certs/inhibitAnyPolicy1CACert.crt0000644000175200017520000000123510652446340024163 0ustar ppattersppatters00<0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy1 CA00  *H 0{X\H$ "">!Z "!Q5ݖ̗爆/ Esnƕڱ9ο2߼?rʻ쥠vNܶס<s;[1hA/ZRV:00U#0l-'z <ꚼI0Uf۵ij>+ȨM+4D0U0U 00  `He00U00 U$00 U60  *H ꖵ-,5Z:˞OwlKE,:bx,1GJaZwخC-i?{9. 
+0`F)Z> ]agc(nHŧX)>pathfinder-1.1.3/testdata/certs/InvaliddistributionPointTest8EE.crt0000644000175200017520000000136010652446340026003 0ustar ppattersppatters00U0  *H 0I1 0 UUS10U Test Certificates10U distributionPoint2 CA0 010419145720Z 110419145720Z0b1 0 UUS10U Test Certificates1705U.Invalid distributionPoint EE Certificate Test800  *H 0 dpNt85d0d9EqXZI_ =l@K(=-leݠeb{TzB2;fS;D{y1Z ILũ.[4!500U#0:4vXXć}~]N0UlvIj{zcV0U0U 00  `He00\UU0S0QOMK0I1 0 UUS10U Test Certificates10U distributionPoint2 CA0  *H ѷzqSlڨ^rVͩe0./ \f]폹S I{U0}5`'m?Jsp#YoQkF ]y[<7fbFp유_ cb-pathfinder-1.1.3/testdata/certs/pathLenConstraint6subsubCA41Cert.crt0000644000175200017520000000122710652446340025744 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint6 subCA40 010419145720Z 110419145720Z0Q1 0 UUS10U Test Certificates1&0$UpathLenConstraint6 subsubCA4100  *H 0đa[!4WIe!EXVIqhfFިBXS @Vc.:^ppG]8Xɬ}au;h19(# f#{$$j0}0U#0H4TO٘!c#oy>0U=tC@Ъ ց40U0U 00  `He00U00  *H uHWw޿cG>ZBO00<nD|HxN`Ӿu:SZӺqNҜ5ఆ\ bcr m#Ik2UTM<҃`B0\)^U#pathfinder-1.1.3/testdata/certs/InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt0000644000175200017520000000125310652446340030364 0ustar ppattersppatters000  *H 0U1 0 UUS10U Test Certificates1*0(U!inhibitPolicyMapping1 P1 subsubCA0 010419145720Z 110419145720Z0q1 0 UUS10U Test Certificates1F0DU=Invalid Self-Issued inhibitPolicyMapping EE Certificate Test800  *H 0ٙR fBwnyyk0i0U#0(Ad \~ V0(e0USo엶?3Y0U0U 00  `He00  *H OcVB/kEF#UQ}Yܘ_Ow83cJ'UɫZMHkNc2\ >6LA%K!ؤ/aR,!HXu-gepathfinder-1.1.3/testdata/certs/InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt0000644000175200017520000000121610652446340030577 0ustar ppattersppatters000  *H 0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy2 subCA0 010419145720Z 110419145720Z0r1 0 UUS10U Test Certificates1G0EU>Invalid Self-Issued requireExplicitPolicy EE Certificate Test800  *H 0ɰ[ n=dVꦭ̺[Gz7ȘvʳSm Rz0U0U 00  `He00  *H 9(Na<lQs@C1[*MeYnVȸNR,CaM we{ ZesDz>$73sfD2- 
x_zI:@t4f/m{}wf{43Y9@pathfinder-1.1.3/testdata/certs/InvalidLongSerialNumberTest18EE.crt0000644000175200017520000000124510652446340025545 0ustar ppattersppatters00  0  *H 0I1 0 UUS10U Test Certificates10ULong Serial Number CA0 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0Invalid Long Serial Number EE Certificate Test1800  *H 05]+IdO܏St(憖HHQmbdyG#Ԗ]:fc㶮IS@$9!sg$t.w}u: Ȉ 3aTa1;̻=wADŽ8LV*,ҼE+k0i0U#0=H2&R Oߦ0U[՞=@&A>8Z0U0U 00  `He00  *H fNE$xZBkw!*N&} oևQIiCAy^/O1/Tg49]{Q0M0U#0CTxP 4@'0Uߜj.Yvx9 Zc0U0U 00  `He00U00Ӡ~|z0x1 0 UUS10U Test Certificates1"0 U indirectCRL CA4 cRLIssuer1)0'U indirect CRL for indirectCRL CA4QO0M1 0 UUS10U Test Certificates1"0 U indirectCRL CA4 cRLIssuer0  *H RBڰ2Qn5@~^cjJ G`9=S(͝ N{ O7WӺDY(t< A.a}àDpathfinder-1.1.3/testdata/certs/MissingbasicConstraintsCACert.crt0000644000175200017520000000116410652446340025470 0ustar ppattersppatters0p0٠0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UMissing basicConstraints CA00  *H 0" v E`ödg罸Luso<͆ b Ix|peH $́+[=ڑ|a\ j49}`r @Y,]#"Jj;ik0i0U#0l-'z <ꚼI0UF]7ҩE\10U0U 00  `He00  *H 0'Ovrɲ}ѩp* /Ђ?F, /{}d<'󙩾[u&@-f#{|[jHkԌ5dOkV'U|PF Ipathfinder-1.1.3/testdata/certs/P12Mapping1to3subCACert.crt0000644000175200017520000000133110652446340023720 0ustar ppattersppatters00>0  *H 0G1 0 UUS10U Test Certificates10UP12 Mapping 1to3 CA0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UP12 Mapping 1to3 subCA00  *H 0 'cPdyɇ8vOc x~]njh7mrZAsCd˫jBvr;]Xq=^3Q.[YFKϙ90?v\hP]r."")>:GD Yj9),lbEՆOw|0z0U#0Cazet0:0Umh1_R.D{6)0U0U 00  `He00U00  *H 8sP Z,lh|l"Xr].RA >Y ܌,WzCw5Bޝ3ߝpٻlKm0|!9+,g<%|IMeap> pathfinder-1.1.3/testdata/certs/ValidpathLenConstraintTest7EE.crt0000644000175200017520000000121610652446340025362 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint0 CA0 010419145720Z 110419145720Z0`1 0 UUS10U Test Certificates1503U,Valid pathLenConstraint EE Certificate Test700  *H 0Æ|R㋤r2dXKMN$@́#/߯HP y# -Cz7,i↭} 
̣9qD:{-T*To|UBE+ޣuy9C{k0i0U#0! vvӳ*&O֡oK0Ulr8FCk`/i0U0U 00  `He00  *H 'P2WjGC,B%>aG*S"z}G:+Mi| Y2H>Ir=&z's-udh7s~1P ֬{[xXI`V  De{/srpathfinder-1.1.3/testdata/certs/nameConstraintsDN5CACert.crt0000644000175200017520000000151210652446340024301 0ustar ppattersppatters0F0B0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UnameConstraints DN5 CA00  *H 0c2|{QQew* ~;j[M*<Kҏ";7`4 1ؿ{(eF͝)/uppA'6[:{KVB64Tw)cI>2h{4]|)d{4dc Bʟ ~:3.[`_mCF<~F:@n-Մfx0Mh n:ٝ)An;$Ttf NK"܊}n"X9,ljSh!I7/XMJ-i0+[C`^ L9ö'tʳ݂F'?wg N*ɘ)h_o5k2Ӛ{PM*Q΅WRA2$l`Q-z Bl|w9M.ق7E Уk0i0Ufi9r:}0N~0U#0t$^e ~HNa0U 00  `He00U0 *H800-n&9V|Q޳ ^ KM!v9lpathfinder-1.1.3/testdata/certs/InvalidDNandRFC822nameConstraintsTest29EE.crt0000644000175200017520000000141410652446340027201 0ustar ppattersppatters00q0  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA30 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U permittedSubtree11D0BU;Invalid DN and RFC822 nameConstraints EE Certificate Test291/0- *H   Test29EE@invalidcertificates.gov00  *H 0iƢ'nuLL\mo: :&9pFG:7 P~$V;M~RNoXD|\y3'VM6I@ nVN/'-CE< B)C"24n.Wk0i0U#0W'o 5g$k0U&04|270U0U 00  `He00  *H x"8 ߫cquAU]8U9>uE:'}PaԪDi[_6%uc{gv[Hȴ5oؙZV6>r `,m3FزrIIJYMpathfinder-1.1.3/testdata/certs/SeparateCertificateandCRLKeysCertificateSigningCACert.crt0000644000175200017520000000121710652446340032075 0ustar ppattersppatters00e0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0Y1 0 UUS10U Test Certificates1.0,U%Separate Certificate and CRL Keys CA100  *H 0l:yag)tg$p<@/YjPAQwc[iXeĈJ: H>fQTݟ1,{̬D'W!@I@+|0z0U#0l-'z <ꚼI0U\Q"'1"@ %σy0U0U 00  `He00U00  *H l1Ed֬wmD꩕eP}t{.`/|6w%|yײg 3; O^謠Ж`$* 0`?_# Q-IaW$_$joVjcpathfinder-1.1.3/testdata/certs/BadCRLSignatureCACert.crt0000644000175200017520000000117610652446340023541 0ustar ppattersppatters0z00  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0H1 0 UUS10U Test Certificates10UBad CRL 
Signature CA00  *H 0hks_ :ol;{bɼyV*>J@bG.)U՚>Uk3`z%wYjT Zk,]0EDi_bє >;+L3Is|0z0U#0l-'z <ꚼI0U {8HZ`UP6lC0U0U 00  `He00U00  *H >yzPgDh!<\ī H`xG(ޞzAeTr MHQ 5Ӄg$d bŷ5 zl VU0 /pathfinder-1.1.3/testdata/certs/PoliciesP123subsubCAP12P1Cert.crt0000644000175200017520000000121710652446340024651 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UPolicies P123 subCAP120 010419145720Z 110419145720Z0O1 0 UUS10U Test Certificates1$0"UPolicies P123 subsubCAP12P100  *H 0ܑɪ_F!ʂ|o$fE eUDl'*魡?M1Cn[?WFK,GeFkMs:72p\ gDtb*vE(?H(-zi&V"w|0z0U#0Z!ܓm |jhKU0U##aB5j0^0U0U 00  `He00U00  *H D {д/cC>1qvh}qڐT#'AVIR @ \}% &%/.V_H|J!b̚ np"t*I}j8G"Zōy(Ny_7pathfinder-1.1.3/testdata/certs/ValidonlyContainsCACertsTest13EE.crt0000644000175200017520000000124310652446340025664 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UonlyContainsCACerts CA0 010419145720Z 110419145720Z0c1 0 UUS10U Test Certificates1806U/Valid onlyContainsCACerts EE Certificate Test1300  *H 0yP֎#r|JɱlG]R^>{;4{T{A3vى S.6#U4.\,Rce5T I{`A\ cG-c|0z0U#0Fg{YUȬU0UB=$̥GEXKv 0U0U 00  `He00U00  *H ,{}р< s>]M('%פ5a><I^޿ t=Uϲ[̰i Mߑ?7}ַ jN=4cay.`)"yDӭWW{ QG!#KXR͸,B3Kԏ8.51k6٬pathfinder-1.1.3/testdata/certs/basicConstraintsNotCriticalCACert.crt0000644000175200017520000000120710652446340026270 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0T1 0 UUS10U Test Certificates1)0'U basicConstraints Not Critical CA00  *H 0C_PϕicNRX)k45cM =w.6SܳpI*տ*ZuPzϑ0U0U 00  `He00 U00  *H  idݔUT M KN,^0 e*VH,7uVGjBn. 
ɍcy6쇨+{#uz.?^IV" `Pt)ӗ %y0w0U#0l-'z <ꚼI0U 4ux#!ve0 U0U 00  `He00U00  *H Vf3$4)PgG2?Ҏݤ 8cb-%9&2Vͬ-rK\ @V$)W>/;b'%-1ۋځ _'k%pathfinder-1.1.3/testdata/certs/distributionPoint2CACert.crt0000644000175200017520000000117710652446340024444 0ustar ppattersppatters0{0K0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0I1 0 UUS10U Test Certificates10U distributionPoint2 CA00  *H 00PY\U uqq 9CsF"ь[AHRR|!)H y ;涝yzNHåDZsH6b B^?J⊻kPX3f$|E!|0z0U#0l-'z <ꚼI0U:4vXXć}~]N0U0U 00  `He00U00  *H ƠjS宠 "cmH: uo_Cr ʁ]c,TO֡+{H\U(Gե t,{(ͬyqDNrE[Gapathfinder-1.1.3/testdata/certs/BasicSelfIssuedCRLSigningKeyCACert.crt0000644000175200017520000000121610652446340026164 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0X1 0 UUS10U Test Certificates1-0+U$Basic Self-Issued CRL Signing Key CA00  *H 0\ !iMXhC<bTZxW;+hSez&: Y7+v!D(eI.;-S0Ey!4oœ;1;^$I/Sv9Rr_B5|0z0U#0l-'z <ꚼI0UILl @)V$m6g,7^/'op} j*J!۸qM,\ FQY)[ g D0@0U#0?@kYZT0UYSK}h0U0U 00  `He00U00b\ZX0V1 0 UUS10U Test Certificates10U onlySomeReasons CA41 0 UCRL1`0c\ZX0V1 0 UUS10U Test Certificates10U onlySomeReasons CA41 0 UCRL20  *H "'n}~`fe[r6ߊTQe|, :qA_ʦe򲔬yMDa[kV/)*6=GZ_'ueB4Eٞ4ͺ*+׭/]pathfinder-1.1.3/testdata/certs/ValiddeltaCRLTest5EE.crt0000644000175200017520000000145210652446340023354 0ustar ppattersppatters0&00  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA10 010419145720Z 110419145720Z0W1 0 UUS10U Test Certificates1,0*U#Valid deltaCRL EE Certificate Test500  *H 0h!wq;cGMKhΎ(.|+ D\З:J:[ss>//L!`F{M{B[Wk"^Q޼7v~q zFnFn!{00U#0M H2 0U=`FTҞm)}0U0U 00  `He00SUL0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10  *H kRWngh#)O (lBn#>NvmEa%n?YxJwj;u $lP$$(ơћCc6g 5Y r+pathfinder-1.1.3/testdata/certs/NegativeSerialNumberCACert.crt0000644000175200017520000000120310652446340024672 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test 
Certificates1"0 UNegative Serial Number CA00  *H 0ÜYDN(Wu9+hGbF(y%P!@V&4|w;0I7,D;bqEB@S tqJ/$k5@ЂC$ sjw|0z0U#0l-'z <ꚼI0U#MKꡲ3X˂0U0U 00  `He00U00  *H XW> :[DF}%I&rŐffbS59w?1?ݹ^vrt5f(]-x cU$2Eku=XcfҪqkieiݔ˸yypathfinder-1.1.3/testdata/certs/ValidSelfIssuedinhibitAnyPolicyTest7EE.crt0000644000175200017520000000123410652446340027167 0ustar ppattersppatters000  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA20 010419145720Z 110419145720Z0k1 0 UUS10U Test Certificates1@0>U7Valid Self-Issued inhibitAnyPolicy EE Certificate Test700  *H 00C8|eZӞ)W`]j˯æͩ=T;W0!WS$F{ƞs VS٩;*;I_\&!mઠ]yA|EV(H?"xWk0i0U#0A&L+VgU0Uj[m|j7nHٌ.0U0U 00  `He00  *H i$`S|1qθw1x#'}-*(=v#Έy%plGk- ,d J xI#cJo̚/XT+[SL lﮒIUUΔeefµ_rpathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest7EE.crt0000644000175200017520000000125510652446340025646 0ustar ppattersppatters000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN3 CA0 010419145720Z 110419145720Z0~1 0 UUS10U Test Certificates10U excludedSubtree11806U/Invalid DN nameConstraints EE Certificate Test700  *H 0/QzʘU♉:u;M#r@-d$U?Q{;j 5vBk;]}XOe  )3LrBڣ^U;ՔA "eW?k0i0U#0XVj=;6˶0UsQto ُ:A0U0U 00  `He00  *H 8.>4S<3[U3to~.v4Up*j6Ϥ[TcxP+Z᥎#Ieh[5MNɏ&bnYQ+ǣFs Ա^SK,pathfinder-1.1.3/testdata/certs/nameConstraintsDN1CACert.crt0000644000175200017520000000133510652446340024300 0ustar ppattersppatters00B>0  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA00  *H 02Yڹ{7TMD$|q5!Uq@~Ꚗj,cC]Ag.1dŽGL ؒU?`e<+SgZV'^c+5Pmue 00U#0l-'z <ꚼI0UN.݋;AJÞ|Y#WNS0U0U 00  `He00U00YUO0MK0IG0E1 0 UUS10U Test Certificates10U permittedSubtree10  *H ʚe`ƟQ2Ԟk߷`F}?w.oBj3~rL5UAV0(mڌgxuL/`&[}t~5~ȍJ̧1 \Uog̜Dpathfinder-1.1.3/testdata/certs/pre2000CRLnextUpdateCACert.crt0000644000175200017520000000120310652446340024312 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 Upre2000 CRL nextUpdate CA00  *H 0PwbƍM 
o&3eAON.[hRm[X{ \%73%ڝ wtB܇+~cEzc蹈1>޿G|0z0U#0l-'z <ꚼI0Uz6] ]Q`&V0U0U 00  `He00U00  *H }7md.o<#}嬞q"?8jcB83pSUO L ٓGf'[BKl=,3 8tC&3-pathfinder-1.1.3/testdata/certs/pathLenConstraint1subCACert.crt0000644000175200017520000000121310652446340025053 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint1 CA0 010419145720Z 110419145720Z0L1 0 UUS10U Test Certificates1!0UpathLenConstraint1 subCA00  *H 0Տ1G3gQvlȰ@C~Hs"6ۚaIwǜMP pieNsbeF_B!A.K¶,pr؟x05L)u۸yA) W4!|0z0U#0 Mvz55f2.7Hj0Uas b5j[bH#+P]07~?68< x CC*!S1JEgJzv Th)qRppathfinder-1.1.3/testdata/certs/ValidDNnameConstraintsTest14EE.crt0000644000175200017520000000122410652446340025371 0ustar ppattersppatters000  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA20 010419145720Z 110419145720Z000  *H 0gQ,%'.cD~G)\ig1a;(}+$=|= ޸z~MeqIVm,luf.6'/Og00U#0կk( Hl *h /mW0U;1$bJld(0U0U 00  `He00AU7053ValidDNnameConstraintsTest14EE@testcertificates.gov0  *H GʐpEkQ] 54G@vX P q6fjXN=:*RCPcm9C>/ gX `}"Ί~h`T%Ӟɏ$sZ_ޟ=3AVpathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest3EE.crt0000644000175200017520000000121710652446340024472 0ustar ppattersppatters000  *H 0M1 0 UUS10U Test Certificates1"0 UP12 Mapping 1to3 subsubCA0 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)Valid Policy Mapping EE Certificate Test300  *H 0`s@YjLq?ĸZcE,:bh}*1#X}$Ӌ*U p`SɠZRmWo˗N% FMw%N'QIy($GP',00U#0O1bIUb@w'N̶@NK=Ŀ9u0 9K["ىNm>7OIt QWpathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest15EE.crt0000644000175200017520000000126210652446340025723 0ustar ppattersppatters000  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints DN3 subCA10 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U excludedSubtree11907U0Invalid DN nameConstraints EE Certificate Test1500  *H 0??>ؖJI)A/NZՒJM,W3&V5䍜ib(ec,5-1xu)Eؾ5ԗ5N~"I4LY  c_FJk0i0U#0.+!.~i<4u0UgϠXz$Ȏk0U0U 00  `He00  *H '؟>ׯͲ%ZJ/ݺ,SЈiy&|P&*Y}A3mK YPu3 
|8!,nϷ#|/N%gi@JCWu6B59,pathfinder-1.1.3/testdata/certs/ValidIDPwithindirectCRLTest25EE.crt0000644000175200017520000000134410652446340025377 0ustar ppattersppatters00I0  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA20 010419145720Z 110419145720Z0d1 0 UUS10U Test Certificates1907U0Valid IDP with indirectCRL EE Certificate Test2500  *H 0% CM0&oS'IE;, ס ܁I8!?6c=vz'j$kǬ wv4\Sz)oeʧ0MMc#wLG@.,F$CSÂU{00U#0O1bqV%yD9'HFgdž&5eDNAV&y47PkX[@MB(36pathfinder-1.1.3/testdata/certs/ValidPolicyMappingTest1EE.crt0000644000175200017520000000120510652446340024465 0ustar ppattersppatters000  *H 0C1 0 UUS10U Test Certificates10UMapping 1to2 CA0 010419145720Z 110419145720Z0]1 0 UUS10U Test Certificates1200U)Valid Policy Mapping EE Certificate Test100  *H 0ݦzR /Hj_ן7դ rWAc9"`ᬐ!T<| UȽ:[#"!.…!wySǝܮ5_o#dx MYƜav)k0i0U#07;t9! V}0UxG!ZL!Řn$17b0U0U 00  `He00  *H  ``/xўտ'$Z^v9yz@&OLD;PGj3#aHgDޅRH_)ٌb2TzM%8:)4p^,bÀekJpathfinder-1.1.3/testdata/certs/AllCertificatesSamePoliciesTest10EE.crt0000644000175200017520000000123610652446340026352 0ustar ppattersppatters000  *H 0C1 0 UUS10U Test Certificates10UPolicies P12 CA0 010419145720Z 110419145720Z0h1 0 UUS10U Test Certificates1=0;U4All Certificates Same Policies EE Certificate Test1000  *H 0L4upkT +zc>ŭ)74Hi5(r(/+zƆCZfNӁBc|Iց`Oz(5]}4OΙD <_ǂ5ɯ\3y0w0U#0eԆ39^L0U7nSF?\p0U0%U 00  `He00  `He00  *H Lsr0r Ro ThN)e9i IIE1ϗ[n]#"cx9\LIriш`y‹En2{?  
P- ɻwGU)rЍ.Jpathfinder-1.1.3/testdata/certs/BasicSelfIssuedCRLSigningKeyCRLCert.crt0000644000175200017520000000143510652446340026324 0ustar ppattersppatters000  *H 0X1 0 UUS10U Test Certificates1-0+U$Basic Self-Issued CRL Signing Key CA0 010419145720Z 110419145720Z0X1 0 UUS10U Test Certificates1-0+U$Basic Self-Issued CRL Signing Key CA00  *H 0*G@o/B(8~O:X' XpCDL-m?~=ociẀFsNgCIRIvΝ:+4pgN300U#0IL$ԾmS4:mCv1;juk0i0U#0j#GDPCQ|^10U>$1]OҘE0U0U 00  `He00  *H 8Ȟ+gt4g.g12{!C`|\cͽ5=L0KkN@Jg)Nxv;v'RŸƘ=sˁj)sڊOnn#Yv p= ޟ:Z'VJpathfinder-1.1.3/testdata/certs/pathLenConstraint1SelfIssuedCACert.crt0000644000175200017520000000121010652446340026325 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint1 CA0 010419145720Z 110419145720Z0I1 0 UUS10U Test Certificates10UpathLenConstraint1 CA00  *H 0IJ )y`_yjrt^v_"+<좽չm6뚮C7u gaG:eۏ)/,Z9ӵBﮉ6$*:-ʞ)Aa1n0|0z0U#0se}ÿ&-15Y0U Mvz55f2.7Hj0U0U 00  `He00U00  *H <aE7`'ZrKܭΜOzaYXå)5ð^{`ϧ_a[hhr_F̡=Mqa= }'lD8;]ә}R8<pathfinder-1.1.3/testdata/certs/InvalidDNnameConstraintsTest10EE.crt0000644000175200017520000000131310652446340025713 0ustar ppattersppatters0000  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN5 CA0 010419145720Z 110419145720Z01 0 UUS10U Test Certificates10U permittedSubtree110U excludedSubtree11907U0Invalid DN nameConstraints EE Certificate Test1000  *H 0@IKIX9r$JHC(n+gJ0F2e 6o8[#B:{=\8 ùO*y[ghl~/\p?;"W,ڱ;.s͠k0i0U#05:/wNMY0U֦_kehbxߢu0U0U 00  `He00  *H ,3+1z3)Y"nU0ɸգoOMB&#ٺT%q=X'24"幄:=|,g}huŨ;!`EgQ?@pathfinder-1.1.3/testdata/certs/ValidGeneralizedTimenotAfterDateTest8EE.crt0000644000175200017520000000121610652446340027274 0ustar ppattersppatters000  *H 0;1 0 UUS10U Test Certificates10UGood CA0  010419145720Z20500101120100Z0l1 0 UUS10U Test Certificates1A0?U8Valid GeneralizedTime notAfter Date EE Certificate Test800  *H 0Kq6*è[v5_}_t+vYTY9d糨5V$\4(m>C<7lfR?y%>Yo̷#4m-c (?َ2{x1 Afk0i0U#0.ȼ{'D53ߚ0UMѕ7lZy<0U0U 00  `He00  *H {\͢ooѥP)0 2@&*;,eg+맞[S2$($ &A^|VO&$>:Cj 
4$idz$ăΠsD֍O_a#Npathfinder-1.1.3/testdata/certs/pathLenConstraint6subCA4Cert.crt0000644000175200017520000000121710652446340025150 0ustar ppattersppatters000  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint6 CA0 010419145720Z 110419145720Z0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint6 subCA400  *H 0*nj魒,;*hYq52kqzwHri/2̫)N*S)& X Vk8"u ~ XvQrsL`e8hA8]?0}0U#0vdzJ0UH4TO٘!c#oy>0U0U 00  `He00U00  *H G쩨2jbr}.qI_TqQYòf%;3ciM;oeѣ'jT*40YX]RX<ĘI ):ʰ<pathfinder-1.1.3/testdata/certs/UserNoticeQualifierTest17EE.crt0000644000175200017520000000134710652446340024752 0ustar ppattersppatters00L0  *H 0;1 0 UUS10U Test Certificates10UGood CA0 010419145720Z 110419145720Z0_1 0 UUS10U Test Certificates1402U+User Notice Qualifier EE Certificate Test1700  *H 0A+Q:h -Ÿ'UT6a|'(6wi٢Gp1ق.S>/'ţ3Bm B?c^Ï Г,FWgumY 0,8ӍQ00U#0.ȼ{'D53ߚ0UYR0ߐsmYp0U0}U v0t0rU 0j0h+0\Zq3: This is the user notice from qualifier 3. This certificate is for test purposes only0  *H >+ΗZ hW2{ُ7f>(k[W! *~.'PC緰>*nͽXjGFs[GUD)uA^p#00  *H 0E1 0 UUS10U Test Certificates10UPolicies P1234 CA 010419145720Z 110419145720Z/0-0U#00yOozhCL@q 0 U0  *H .cPz`u!a*7Y=빇a:z=Fަ%xMpGw?6!5 iB~UoPS liU eztRIX.l4?iupathfinder-1.1.3/testdata/crls/TrustAnchorRootCRL.crl0000644000175200017520000000054110652446340023075 0ustar ppattersppatters0]00  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor 010419145720Z 110419145720Z0"0 h 010419145720Z0 0 U /0-0U#0l-'z <ꚼI0 U0  *H 4qkt1%K 0]d1@U _icvϞ_S}itW8p[vX1ܔ38K) )nǿ@4͵M.Dk 13veM9pathfinder-1.1.3/testdata/crls/LongSerialNumberCACRL.crl0000644000175200017520000000057510652446340023400 0ustar ppattersppatters0y00  *H 0I1 0 UUS10U Test Certificates10ULong Serial Number CA 010419145720Z 110419145720Z0503  010419145720Z0 0 U /0-0U#0=H2&R Oߦ0 U0  *H z cUë?7Eal!cH|6;Qf#r撚c10b># )#.E^D <+k|zmM1M_Z.c7Zۦ>kҧ[ 3Spathfinder-1.1.3/testdata/crls/requireExplicitPolicy0subCACRL.crl0000644000175200017520000000051510652446340025312 0ustar ppattersppatters0I00  *H 0P1 0 UUS10U Test 
Certificates1%0#UrequireExplicitPolicy0 subCA 010419145720Z 110419145720Z/0-0U#0pGbсTm)0 U0  *H }pǜNBcH)*E1XA29S$ߚ:#VحVykV(wDQa6n0:!B`E+pathfinder-1.1.3/testdata/crls/keyUsageCriticalcRLSignFalseCACRL.crl0000644000175200017520000000052310652446340025606 0ustar ppattersppatters0O00  *H 0V1 0 UUS10U Test Certificates1+0)U"keyUsage Critical cRLSign False CA 010419145720Z 110419145720Z/0-0U#0P p&<0.?t0 U0  *H lqT5.T`Z/Q󲂐J'z&:Mpathfinder-1.1.3/testdata/crls/requireExplicitPolicy2CACRL.crl0000644000175200017520000000051210652446340024577 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy2 CA 010419145720Z 110419145720Z/0-0U#0q||*z/H XimZ7&0gLkЍ`B%B$a]4j|"k,g6(\zu=C&y!0 U0  *H d3zf NMMH$9l G'>xqn{R"5W{#9fG,J(]#${Qxy %O,g)5+^IfR| Wpathfinder-1.1.3/testdata/crls/RFC3280OptionalAttributeTypesCACRL.crl0000644000175200017520000000063010652446340025526 0ustar ppattersppatters000  *H 01 0 UUS10U Test Certificates10U Gaithersburg1 0 U*John1 0U+Q10UA Fictitious1 0 UCA1 0 U,III1 0 U M.D. 
010419145720Z 110419145720Z/0-0U#0,cBWWWc_s0 U0  *H -0됒tc2 Rx﨏3WA w〻HW;dԗj)cXׅэ/4Ĩw]+G: RB)OGlqpathfinder-1.1.3/testdata/crls/requireExplicitPolicy7subsubCARE2RE4CRL.crl0000644000175200017520000000052610652446340026661 0ustar ppattersppatters0R00  *H 0Y1 0 UUS10U Test Certificates1.0,U%requireExplicitPolicy7 subsubCARE2RE4 010419145720Z 110419145720Z/0-0U#0 2DPP`5 jE&0 U0  *H PZJbg7V7Qz'+d(vic,6cHC?{)-z?\5'py3 .riJo{H3pathfinder-1.1.3/testdata/crls/pathLenConstraint6CACRL.crl0000644000175200017520000000050610652446340023710 0ustar ppattersppatters0B00  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint6 CA 010419145720Z 110419145720Z/0-0U#0vdzJ0 U0  *H  =T"i ~AQQs\l@II5R7b^HWD͗DuDXdyM7̀z\S%PX/ugxzpathfinder-1.1.3/testdata/crls/inhibitAnyPolicy1subsubCA2CRL.crl0000644000175200017520000000051410652446340025026 0ustar ppattersppatters0H00  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitAnyPolicy1 subsubCA2 010419145720Z 110419145720Z/0-0U#0"1vܒ0 U0  *H h5 fT{ 3@F6\rP+#@ɣGAPuxo=9$f{|LӂlqҠ-7u2pathfinder-1.1.3/testdata/crls/onlySomeReasonsCA1otherreasonsCRL.crl0000644000175200017520000000057310652446340026044 0ustar ppattersppatters0w00  *H 0G1 0 UUS10U Test Certificates10UonlySomeReasons CA1 010419145720Z 110419145720Z0"0  010419145720Z0 0 U B0@0U#0bP[Ip9n0 U0U00  *H ZpYOkB'*p ,!]jvpa {@x%]ta)@RhL &/p`4rKWZPlDKydO -ƔY$nLMO?)n. 
pathfinder-1.1.3/testdata/crls/PoliciesP3CACRL.crl0000644000175200017520000000047710652446340022143 0ustar ppattersppatters0;00  *H 0B1 0 UUS10U Test Certificates10UPolicies P3 CA 010419145720Z 110419145720Z/0-0U#0fUeQY*b0 U0  *H p  ˖0YIWӛA?אgہ/mEU%qm3}@.E& oP{:Ϡ zNTWUæ'k(h̞ ~ 5({xY|pathfinder-1.1.3/testdata/crls/pathLenConstraint6subCA1CRL.crl0000644000175200017520000000051210652446340024500 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint6 subCA1 010419145720Z 110419145720Z/0-0U#0D4P&<# N{ H0 U0  *H #i=驹 d4%b֖~;"|?,ֶ*>~pnUhOeQנk~.^d^jH+7pgDď~⹦(; #ĥpathfinder-1.1.3/testdata/crls/inhibitAnyPolicy1subCAIAP5CRL.crl0000644000175200017520000000051410652446340024651 0ustar ppattersppatters0H00  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitAnyPolicy1 subCAIAP5 010419145720Z 110419145720Z/0-0U#0)c‚={_t soh0 U0  *H ϩnY"%k*&d-eC"{NܝE-|\≀T $naDjMDFL;$6՜>~ yeh0L~-e,Xpathfinder-1.1.3/testdata/crls/BasicSelfIssuedNewKeyCACRL.crl0000644000175200017520000000056110652446340024316 0ustar ppattersppatters0m00  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued New Key CA 010419145720Z 110419145720Z0"0  010419145720Z0 0 U /0-0U#0E̸!GIx(0 U0  *H sۆkh D3]B 80>L=|f_F#N Ek!ε?3Ь2nu1ykPg瓷,~~^rMk0ih]hpathfinder-1.1.3/testdata/crls/PoliciesP123subsubCAP12P1CRL.crl0000644000175200017520000000051410652446340024206 0ustar ppattersppatters0H00  *H 0O1 0 UUS10U Test Certificates1$0"UPolicies P123 subsubCAP12P1 010419145720Z 110419145720Z/0-0U#0##aB5j0^0 U0  *H 8Sr}IXsa?}xG+UsI<^f au ĸ)7 t :r O*+"]VvbD~SMjJ d(WWe7R^O\pathfinder-1.1.3/testdata/crls/requireExplicitPolicy4subCACRL.crl0000644000175200017520000000051510652446340025316 0ustar ppattersppatters0I00  *H 0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy4 subCA 010419145720Z 110419145720Z/0-0U#0#a8q, aՉP>0 U0  *H gDWxFvf`,z~M,Qz{MyIltdz].%ݢYw";~t4qjKnЩm_iȰx_40 6.R3a,tqGfpathfinder-1.1.3/testdata/crls/onlyContainsAttributeCertsCACRL.crl0000644000175200017520000000053710652446340025533 0ustar 
ppattersppatters0[00  *H 0Q1 0 UUS10U Test Certificates1&0$UonlyContainsAttributeCerts CA 010419145720Z 110419145720Z@0>0U#0(ٸmS"0 U0U00  *H M76Wh5 SU/K~UOlqT8PCDžO6\5\VI4ο!@JbĈtFӎ_.Cڄ'"Ƶͪv7):?X+wX5mtHpathfinder-1.1.3/testdata/crls/nameConstraintsDN3subCA2CRL.crl0000644000175200017520000000051310652446340024431 0ustar ppattersppatters0G00  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints DN3 subCA2 010419145720Z 110419145720Z/0-0U#0 H(qjH$ El[Gpathfinder-1.1.3/testdata/crls/requireExplicitPolicy10subsubsubCACRL.crl0000644000175200017520000000052410652446340026617 0ustar ppattersppatters0P00  *H 0W1 0 UUS10U Test Certificates1,0*U#requireExplicitPolicy10 subsubsubCA 010419145720Z 110419145720Z/0-0U#0wq*oQ ڬ20 U0  *H B"ǔZrLX0XcAo;N00ˬ-bi>02]AF9Rt5X~fe#zϑ0 U0  *H ܎E~mV\ǝ!i514 } 6.2ܹ˭95:h7Bg0R9/{CVm/1YH:K |{uXp0!4tA}QRQx%pathfinder-1.1.3/testdata/crls/pathLenConstraint0subCACRL.crl0000644000175200017520000000051110652446340024410 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UpathLenConstraint0 subCA 010419145720Z 110419145720Z/0-0U#0FKnW ''0 U0  *H -h`d^e Iɼ7An [kv@shhc𱵠RUt"7/iT <#< { m6ToM5k ;:xv<AEҳpathfinder-1.1.3/testdata/crls/PoliciesP12subCAP1CRL.crl0000644000175200017520000000050510652446340023126 0ustar ppattersppatters0A00  *H 0H1 0 UUS10U Test Certificates10UPolicies P12 subCAP1 010419145720Z 110419145720Z/0-0U#0BxC޺Ca0 U0  *H 8B'h_`J39(qNakBV@He!iPoD3(U0Ip;_?0XjN>Fv}(D2Xv_7'(ೈuAP"J+pathfinder-1.1.3/testdata/crls/PoliciesP1234subCAP123CRL.crl0000644000175200017520000000051110652446340023437 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UPolicies P1234 subCAP123 010419145720Z 110419145720Z/0-0U#0{I CLF(0 U0  *H E4QHjK-UR卥D aˢX͎(L ȪYAW4\(o:p5Gz$iF&c) QÒm^%նb;$j3t!j%+ pathfinder-1.1.3/testdata/crls/UTF8StringEncodedNamesCACRL.crl0000644000175200017520000000047610652446340024353 0ustar ppattersppatters0:00  *H 0A1 0 UUS10U Test Certificates10U UTF8String CA 010419145720Z 110419145720Z/0-0U#0(Ad \~ V0(e0 U0  *H 
5S)tiGq2Bd*Jpk87[t׼xǜ4vO1C%ΕR#8&+>j>Q`_jxPE9@=-9{2_pImD,\#_pathfinder-1.1.3/testdata/crls/BasicSelfIssuedOldKeyCACRL.crl0000644000175200017520000000056110652446340024303 0ustar ppattersppatters0m00  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued Old Key CA 010419145720Z 110419145720Z0"0  010419145720Z0 0 U /0-0U#0!soAEՆ0 U0  *H bޓ6ݲqVN27Qn>%ԁ~fTt 20IܭjVSAf1,:t4qg;(r+C%JR.y$Ru<5]E$g턟ǍU^Rv>/$h]Etpathfinder-1.1.3/testdata/crls/pathLenConstraint0subCA2CRL.crl0000644000175200017520000000051210652446340024473 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint0 subCA2 010419145720Z 110419145720Z/0-0U#0RzkBN͂cn#50 U0  *H #``۠62T|y4uK]nV٢~SOaƆ`DI"Tn^r#׏K^*h%c!{PA\[wHaVn|Ba4rpathfinder-1.1.3/testdata/crls/PoliciesP12subsubCAP1P2CRL.crl0000644000175200017520000000051210652446340024040 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UPolicies P12 subsubCAP1P2 010419145720Z 110419145720Z/0-0U#0g l*Um-"Ks+*0 U0  *H %uY|Ǝc~ԗ  YX}NTYI䗺nEOJA|!s37)-KTMsnmV'Ҵ՜=@H7/"UOepathfinder-1.1.3/testdata/crls/nameConstraintsDNS1CACRL.crl0000644000175200017520000000051010652446340023753 0ustar ppattersppatters0D00  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS1 CA 010419145720Z 110419145720Z/0-0U#0ugG ۞Rsx0 U0  *H awbk? 
t] BOA-Wo_͚,$_=!x3 ѽPPz,¢tӜstxi]MxixX}]-bkg^Fpathfinder-1.1.3/testdata/crls/deltaCRLCA1deltaCRL.crl0000644000175200017520000000073010652446340022706 0ustar ppattersppatters00=0  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA1 030101120000Z 110419145720Z00  010419145720Z0 0 U 0  010419145720Z0 0 U 0  010419145720Z0 0 U 0  010419145720Z0 0 U >0<0U#0M H2 0 U0 U0  *H ckD)ȋ区&WO5s@yziţم)zK6Q4yˬH-W Iq,qX}h"j=*X;FW~,-0p63iG`[5zpathfinder-1.1.3/testdata/crls/nameConstraintsDN1subCA2CRL.crl0000644000175200017520000000054710652446340024436 0ustar ppattersppatters0c00  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA2 010419145720Z 110419145720Z/0-0U#0կk( Hl *h /mW0 U0  *H sG +\zU4~F~'RU[2Tu^s_&nhL8;V%΂z?ŤxOm_i OGf>UKBTF\_aZa, .pathfinder-1.1.3/testdata/crls/PoliciesP2subCACRL.crl0000644000175200017520000000050210652446340022641 0ustar ppattersppatters0>00  *H 0E1 0 UUS10U Test Certificates10UPolicies P2 subCA 010419145720Z 110419145720Z/0-0U#0XJh#n 40 U0  *H kIv3$A17<0SJ|NXOe -d:+@'io2vKz|Tr#cFU 8,W`!D jWh 7FƐpathfinder-1.1.3/testdata/crls/nameConstraintsDN1subCA1CRL.crl0000644000175200017520000000054710652446340024435 0ustar ppattersppatters0c00  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA1 010419145720Z 110419145720Z/0-0U#0/ȅPXB00 U0  *H 1u%K )jh 0<0U#0O@3]"Vp0 U0 U0  *H  iQ֍J#>oɜMְn#li>f-vE|k|gx TR6\>aZL?vq*x'M>@!B 'S<p).BkZ-Tpathfinder-1.1.3/testdata/crls/BadCRLIssuerNameCACRL.crl0000644000175200017520000000051210652446340023202 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UIncorrect CRL Issuer Name 010419145720Z 110419145720Z/0-0U#04cQP2YCg0 U0  *H * :lŃkËTdž{stLq΁6ߕJjqj {. 
aOb;_([cb/ Zԋ[ϿDqɒzk]7pathfinder-1.1.3/testdata/crls/indirectCRLCA5CRL.crl0000644000175200017520000000260010652446340022406 0ustar ppattersppatters0|00  *H 0C1 0 UUS10U Test Certificates10U indirectCRL CA5 010419145720Z 110419145720Z00  010419145720Z0 0 U 0u 010419145720Z0a0 U 0SUI0GE0C1 0 UUS10U Test Certificates10UindirectCRL CA60  010419145720Z0 0 U 0  010419145720Z0 0 U 0u 010419145720Z0a0 U 0SUI0GE0C1 0 UUS10U Test Certificates10UindirectCRL CA70  010419145720Z0 0 U 0  010419145720Z0 0 U 0u 010419145720Z0a0 U 0SUI0GE0C1 0 UUS10U Test Certificates10UindirectCRL CA60   010419145720Z0 0 U 0u  010419145720Z0a0 U 0SUI0GE0C1 0 UUS10U Test Certificates10U indirectCRL CA50   010419145720Z0 0 U 00U#0~û7KA=mY?DWm0 U0iU]0YRNp0n1 0 UUS10U Test Certificates10U indirectCRL CA51)0'U indirect CRL for indirectCRL CA6p0n1 0 UUS10U Test Certificates10U indirectCRL CA51)0'U indirect CRL for indirectCRL CA7h0f1 0 UUS10U Test Certificates10U indirectCRL CA51!0UCRL1 for indirectCRL CA50  *H IGt5c?4[\?.ّ%B®ڸ8QkBnŞD:6WVLʶg.QT7XSyȪEac^,{Lnq{ĽEΚ |b<ǯpathfinder-1.1.3/testdata/crls/PoliciesP123subCAP12CRL.crl0000644000175200017520000000050710652446340023275 0ustar ppattersppatters0C00  *H 0J1 0 UUS10U Test Certificates10UPolicies P123 subCAP12 010419145720Z 110419145720Z/0-0U#0Z!ܓm |jhKU0 U0  *H g R#3*za.2P̸^ }k)}͚ J8.FJXq!jR/Xݻ>[:G7ZB1ÆB2p#Wpathfinder-1.1.3/testdata/crls/RolloverfromPrintableStringtoUTF8StringCACRL.crl0000644000175200017520000000053710652446340030107 0ustar ppattersppatters0[00  *H 0b1 0 UUS10U Test Certificates1705U .Rollover from PrintableString to UTF8String CA 010419145720Z 110419145720Z/0-0U#074U5ɴM~K褉<0 U0  *H *r2ęcG ('I8T+X4ؼ>I?*fDUOݺl (TPL撿Ͷi]=%-^N0 'M/mAN1 *ؐ42!W.cpathfinder-1.1.3/testdata/crls/inhibitPolicyMapping1P12CACRL.crl0000644000175200017520000000051510652446340024650 0ustar ppattersppatters0I00  *H 0P1 0 UUS10U Test Certificates1%0#UinhibitPolicyMapping1 P12 CA 010419145720Z 110419145720Z/0-0U#0v0_K{7 &f0 U0  *H  h"_$sX{8pa|8! 
rA !pNL1Po[Q@sh [VsRu/Q[@?qBT3U hCxU~MۨW64ߢu#M0edpathfinder-1.1.3/testdata/crls/onlySomeReasonsCA4compromiseCRL.crl0000644000175200017520000000073310652446340025506 0ustar ppattersppatters00@0  *H 0G1 0 UUS10U Test Certificates10U onlySomeReasons CA4 010419145720Z 110419145720Z0"0  010419145720Z0 0 U 00U#0?@kYZT0 U0nUd0b\ZX0V1 0 UUS10U Test Certificates10U onlySomeReasons CA41 0 UCRL1`0  *H  ϮkQ:O;0lYPuIDqt%  ʛͿ->Jdu&/{=dSeZ"; træ4Tu4N@.(mK-||(upathfinder-1.1.3/testdata/crls/pathLenConstraint1subCACRL.crl0000644000175200017520000000051110652446340024411 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UpathLenConstraint1 subCA 010419145720Z 110419145720Z/0-0U#0as b5j[bH#+cÏd9EuL_8ʜJѓb(y'1A8zȮZB%F18>Mq7Z[>o}4;oXXӿ3=Y{cWb'rm7 ;G;#n:pathfinder-1.1.3/testdata/crls/nameConstraintsDN1subCA3CRL.crl0000644000175200017520000000054710652446340024437 0ustar ppattersppatters0c00  *H 0j1 0 UUS10U Test Certificates10U permittedSubtree11#0!UnameConstraints DN1 subCA3 010419145720Z 110419145720Z/0-0U#0W'o 5g$k0 U0  *H ZJُ}@oMX;wy`^9bg,v;&y|<%x![fwmF(^{JDPR@Tf0 d dA3]a^`Vpathfinder-1.1.3/testdata/crls/PoliciesP2subCA2CRL.crl0000644000175200017520000000050310652446340022724 0ustar ppattersppatters0?00  *H 0F1 0 UUS10U Test Certificates10UPolicies P2 subCA2 010419145720Z 110419145720Z/0-0U#0q/QI|K0 U0  *H a+bR6gҿyNDL;.XG-?b՜}ڽ4]DB7s;т,ozQvV'TTZ[dS1ikwB֭jdJ.hd/\pathfinder-1.1.3/testdata/crls/inhibitPolicyMapping1P1subCACRL.crl0000644000175200017520000000051710652446340025302 0ustar ppattersppatters0K00  *H 0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping1 P1 subCA 010419145720Z 110419145720Z/0-0U#0RS߆fIFc3 0 U0  *H jmFeJKja{Oʰ>BppQ QOxY[oy8"dcZXl?d$ wR#?_ bb u8ֿ"R%rwEpathfinder-1.1.3/testdata/crls/nameConstraintsURI1CACRL.crl0000644000175200017520000000051010652446340023766 0ustar ppattersppatters0D00  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints URI1 CA 010419145720Z 110419145720Z/0-0U#0K _adZyE0 U0  *H HbLxMK#mk5% =\{ۖbN[AuҊg%"L +MÅT)~Ş?q2]: 
EAgFjx&qpathfinder-1.1.3/testdata/crls/P12Mapping1to3CACRL.crl0000644000175200017520000000050410652446340022545 0ustar ppattersppatters0@00  *H 0G1 0 UUS10U Test Certificates10UP12 Mapping 1to3 CA 010419145720Z 110419145720Z/0-0U#0 Rm%ͩ hr0 U0  *H 4b4Q@=l|~8P[h9쨜7$g7EO_V#`Z<<'iJz9^,gZOopN1s*[[Ns[-ͼuDB;pathfinder-1.1.3/testdata/crls/inhibitPolicyMapping1P12subCACRL.crl0000644000175200017520000000052010652446340025356 0ustar ppattersppatters0L00  *H 0S1 0 UUS10U Test Certificates1(0&UinhibitPolicyMapping1 P12 subCA 010419145720Z 110419145720Z/0-0U#0z0\6@ ؟R0 U0  *H s$:ymt`e &dpA6O-VoӪ DgW4tW.ԣA$,Ͼ do$UqX,jeS49 C[ Al\%?pathfinder-1.1.3/testdata/crls/BasicSelfIssuedCRLSigningKeyCRLCertCRL.crl0000644000175200017520000000073710652446340026504 0ustar ppattersppatters00D0  *H 0X1 0 UUS10U Test Certificates1-0+U$Basic Self-Issued CRL Signing Key CA 010419145720Z 110419145720Z00U#0I0 U0  *H neIcvT&_GO8 ߴ~jjœju6Y21lBrt'If32{fkH!#mĴ@֏vn^ǡ\(|srS\pathfinder-1.1.3/testdata/crls/BasicSelfIssuedOldKeySelfIssuedCertCRL.crl0000644000175200017520000000071610652446340026706 0ustar ppattersppatters0030  *H 0P1 0 UUS10U Test Certificates1%0#UBasic Self-Issued Old Key CA 010419145720Z 110419145720Z00U#0jOruKzm\9$0 U0|Ur0pnlj0h1 0 UUS10U Test Certificates1=0;U4Self-Issued Cert DP for Basic Self-Issued Old Key CA0  *H k[=1@R0UýͱEDBߏM% [ hΰ羁sU\k=1_nK 1D)'w?F1fZЌ﮻6ub޸_&Y'ޝfIpathfinder-1.1.3/testdata/crls/onlySomeReasonsCA1compromiseCRL.crl0000644000175200017520000000057210652446340025504 0ustar ppattersppatters0v00  *H 0G1 0 UUS10U Test Certificates10UonlySomeReasons CA1 010419145720Z 110419145720Z0"0  010419145720Z0 0 U A0?0U#0bP[Ip9n0 U0U0`0  *H  ]M\,Q|aJ8 \FVU)pDٚSHMB}B9Co@^V?L`")Ð}-Җ=50rD:Ҽ+d%?nrpathfinder-1.1.3/testdata/crls/pre2000CRLnextUpdateCACRL.crl0000644000175200017520000000051210652446340023652 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 Upre2000 CRL nextUpdate CA 980101120100Z 990101120100Z/0-0U#0z6] ]Q`&V0 U0  *H ?AK[Gw~*ceAAOE݌AqpQ5$&CLXC*1^^ 
ݠ֋MLo0<0U#0),P#y]e`p0 U0 U0  *H s]I-/ŏ9 J[YMG3QٱDqf}H+ AQˆȎ nereX;u|Y2YPNA^b*:niMtϵ--<`04Lpathfinder-1.1.3/testdata/crls/pathLenConstraint6subCA4CRL.crl0000644000175200017520000000051210652446340024503 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint6 subCA4 010419145720Z 110419145720Z/0-0U#0H4TO٘!c#oy>0 U0  *H z^\H:6їf7:Dۄ*|lGick)vrKj"X 9GEНq;'ϲCzP"CHߚ̌>T>GO2Jblpathfinder-1.1.3/testdata/crls/deltaCRLCA2deltaCRL.crl0000644000175200017520000000056010652446340022710 0ustar ppattersppatters0l00  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA2 030101120000Z 110419145720Z0"0  010419145720Z0 0 U >0<0U#0Wf&mr:le C 0 U0 U0  *H %e+Gy&x"5`{pP=Ԛ"w!> W.Sz>ggm# Zp45rxbP]l_|3ƱxVv zۮpathfinder-1.1.3/testdata/crls/BadSignedCACRL.crl0000644000175200017520000000047610652446340022010 0ustar ppattersppatters0:00  *H 0A1 0 UUS10U Test Certificates10U Bad Signed CA 010419145720Z 110419145720Z/0-0U#0Bo #yW: 0 U0  *H }NbFA1Iyf.spt?yZ*gFзېF# GDEc@uK/t )4\nkk@tQX&ߕr=v C71pathfinder-1.1.3/testdata/crls/GoodsubCACRL.crl0000644000175200017520000000047310652446340021567 0ustar ppattersppatters0700  *H 0>1 0 UUS10U Test Certificates10U Good subCA 010419145720Z 110419145720Z/0-0U#0|\i|U")C{}0 U0  *H 5XAXJ"!2֩}`8miFcHs?alBz;5A7}ܠ59Ⱦ*yW!T+7* /G0RϼF9)}*\pathfinder-1.1.3/testdata/crls/basicConstraintsCriticalcAFalseCACRL.crl0000644000175200017520000000052610652446340026367 0ustar ppattersppatters0R00  *H 0Y1 0 UUS10U Test Certificates1.0,U%basicConstraints Critical cA False CA 010419145720Z 110419145720Z/0-0U#0GOt"ECu60 U0  *H 2ж>ru* 'tG ԟb%m[ *>k[wg 3El0Y|qc`1 wp.ѩBfTHDVVWZ|M\oWjqծ(pathfinder-1.1.3/testdata/crls/PoliciesP123subsubsubCAP12P2P1CRL.crl0000644000175200017520000000052110652446340025120 0ustar ppattersppatters0M00  *H 0T1 0 UUS10U Test Certificates1)0'U Policies P123 subsubsubCAP12P2P1 010419145720Z 110419145720Z/0-0U#0*WARϨns0 U0  *H 7ώp(k 1,w>n# M3?7M„m*%@%@zY)Nȍc{#rpZ*6ƚEcIɟh2"Rٙ48 &[; 
΅CGPKB藑tZpathfinder-1.1.3/testdata/crls/nameConstraintsRFC822CA1CRL.crl0000644000175200017520000000051310652446340024200 0ustar ppattersppatters0G00  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA1 010419145720Z 110419145720Z/0-0U#0z;yĽ.Y0 U0  *H ws jzeV83~7A畤@1l?k$ֿ'e5\kM4B\FfEHXfc h [[wn2.VVRsx^f,x6Cpathfinder-1.1.3/testdata/crls/requireExplicitPolicy7subCARE2CRL.crl0000644000175200017520000000052010652446340025626 0ustar ppattersppatters0L00  *H 0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy7 subCARE2 010419145720Z 110419145720Z/0-0U#0h / QKXs9?K0 U0  *H $ % ؜a Z S8xpo9%\O\| znɈI~+č6G;4>ΗyrLzxͤ0,6dF a&@pathfinder-1.1.3/testdata/crls/BadCRLSignatureCACRL.crl0000644000175200017520000000050510652446340023072 0ustar ppattersppatters0A00  *H 0H1 0 UUS10U Test Certificates10UBad CRL Signature CA 010419145720Z 110419145720Z/0-0U#0 {8HZ`UP6lC0 U0  *H h},'.)"D^n7\^p HQ!!8PÅLjBL.$Kh< |`xF7h(O20pathfinder-1.1.3/testdata/crls/deltaCRLCA3CRL.crl0000644000175200017520000000062410652446340021700 0ustar ppattersppatters000  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA3 010419145720Z 030101120000Z00U#0O@3]"Vp0 U0SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA30  *H dh;*t&+~lOp9p%41nYV$gvTtO(l}Q ׏Rig+:p֊Œa)UT;c9,).vF@1 ~)5sʡ#Ppathfinder-1.1.3/testdata/crls/requireExplicitPolicy0subsubsubCACRL.crl0000644000175200017520000000052310652446340026535 0ustar ppattersppatters0O00  *H 0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy0 subsubsubCA 010419145720Z 110419145720Z/0-0U#0YnypaRI*0 U0  *H #u;'īgty[K 2g_ڃ1 d*xw&:A农6ob3>y妏ignػ/f qhX~'N:4E#pathfinder-1.1.3/testdata/crls/GoodCACRL.crl0000644000175200017520000000057610652446340021061 0ustar ppattersppatters0z00  *H 0;1 0 UUS10U Test Certificates10UGood CA 010419145720Z 110419145720Z0D0  010419145720Z0 0 U 0  010419145720Z0 0 U /0-0U#0.ȼ{'D53ߚ0 U0  *H  q-עMnfr0srQ1?yAЖ2GLeosUY V`y'.@~WL8u*% @,߹J7O%m 
6O^pathfinder-1.1.3/testdata/crls/nameConstraintsDN5CACRL.crl0000644000175200017520000000050710652446340023642 0ustar ppattersppatters0C00  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN5 CA 010419145720Z 110419145720Z/0-0U#05:/wNMY0 U0  *H t=va#'.@{ED]nZm5N! *{'YgK|x"(g1_ssÜ/V'z,ŀ-69[yTa7F,+iqO?L#pathfinder-1.1.3/testdata/crls/PanyPolicyMapping1to2CACRL.crl0000644000175200017520000000051310652446340024271 0ustar ppattersppatters0G00  *H 0N1 0 UUS10U Test Certificates1#0!UPanyPolicy Mapping 1to2 CA 010419145720Z 110419145720Z/0-0U#0ҺO>h8%ڒC6n0 U0  *H ̃5=Rcy 5rD+ ?&xY-M+JZX,vEF483kye*:TiTnw2Ec >7%@Wai=)Q݅leÃz7~ l+G{pathfinder-1.1.3/testdata/crls/nameConstraintsRFC822CA2CRL.crl0000644000175200017520000000051310652446340024201 0ustar ppattersppatters0G00  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA2 010419145720Z 110419145720Z/0-0U#0+6ftK1U16co50 U0  *H G֛1j^:s+i\GuVkV/fLkS&9>as)!LJZ!N}.19n+ jF$,ƄPx1y5G U4"Ԣ`<pathfinder-1.1.3/testdata/crls/BadnotBeforeDateCACRL.crl0000644000175200017520000000050610652446340023312 0ustar ppattersppatters0B00  *H 0I1 0 UUS10U Test Certificates10UBad notBefore Date CA 010419145720Z 110419145720Z/0-0U#0z3#*lO8"}X0 U0  *H K\3;^Y-~\-"Q83>hz jH A *htݶMPĀzj dʥd䘖uPæȶշd{@RJ"YD v%Ǥpathfinder-1.1.3/testdata/crls/UIDCACRL.crl0000644000175200017520000000046710652446340020611 0ustar ppattersppatters0300  *H 0:1 0 UUS10U Test Certificates10 UUID CA 010419145720Z 110419145720Z/0-0U#0e|AXDx0 U0  *H i'xpp[:x:܊wjɃd _' $yADVx`/.ВA* _kx07De.w}Kr?2ِR Q!%Y4R$ i/-pathfinder-1.1.3/testdata/crls/RevokedsubCACRL.crl0000644000175200017520000000047610652446340022301 0ustar ppattersppatters0:00  *H 0A1 0 UUS10U Test Certificates10U Revoked subCA 010419145720Z 110419145720Z/0-0U#0xK-@P2븴GT H0 U0  *H 8!.6;#ЪbKchZ":^rAHXw&VRiE8L0dXdh?:V[! 
; =Okh<iqL zS$\Ipathfinder-1.1.3/testdata/crls/GoodsubCAPanyPolicyMapping1to2CACRL.crl0000644000175200017520000000052310652446340026021 0ustar ppattersppatters0O00  *H 0V1 0 UUS10U Test Certificates1+0)U"Good subCA PanyPolicy Mapping 1to2 010419145720Z 110419145720Z/0-0U#0ᵤq/f'{J0 U0  *H FYIr4YP-1kzl{6IP8مgIފ 6lJ˃s1oig6rRQj/kzg f"R^X]\ziڱpathfinder-1.1.3/testdata/crls/inhibitAnyPolicy1subCA1CRL.crl0000644000175200017520000000051110652446340024310 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA1 010419145720Z 110419145720Z/0-0U#0) x)BK|*5[<0 U0  *H u;BDcP2KHImBL)Vߒ'z22-)8uQ#G6ќKUVG@gKtZ NһRDpsapathfinder-1.1.3/testdata/crls/TwoCRLsCABadCRL.crl0000644000175200017520000000055410652446340022071 0ustar ppattersppatters0h00  *H 0K1 0 UUS10U Test Certificates1 0UBad CRL for Two CRLs CA 010419145720Z 110419145720Z0"0  010419145720Z0 0 U /0-0U#00JC&A#SSG0 U0  *H i Mjk8#:ԂVYgK$@K…<(>VLh6R0Iv >QYHG!2)uoz j1h07{\HmЛsSb6\)ȯ@b2J ˻r.> wd-Y//w|hZcgt:tөpLyȴ1pz;pathfinder-1.1.3/testdata/crls/OldCRLnextUpdateCACRL.crl0000644000175200017520000000050610652446340023303 0ustar ppattersppatters0B00  *H 0I1 0 UUS10U Test Certificates10UOld CRL nextUpdate CA 010419145720Z 020101120100Z/0-0U#0j#GDPCQ|^10 U0  *H  ܴP).9nn|E$]jozw^ch>W+&.=V97N.JTT/Zҧv>icL@@_/~!f_M(pathfinder-1.1.3/testdata/crls/NoPoliciesCACRL.crl0000644000175200017520000000047710652446340022235 0ustar ppattersppatters0;00  *H 0B1 0 UUS10U Test Certificates10UNo Policies CA 010419145720Z 110419145720Z/0-0U#0S%}[>W]%0 U0  *H 2_Q dC4{SMCGxg*:K\?9,1qxu߄:h7ey1Nj;hy4U[BU-Gdj ,Ɩbs@pathfinder-1.1.3/testdata/crls/keyUsageNotCriticalkeyCertSignFalseCACRL.crl0000644000175200017520000000053310652446340027216 0ustar ppattersppatters0W00  *H 0^1 0 UUS10U Test Certificates1301U*keyUsage Not Critical keyCertSign False CA 010419145720Z 110419145720Z/0-0U#0 4ux#!ve0 U0  *H B ֯*uR MdS9O]ڻ 2Sb3 lJo"|H 
*wR,}_12ʞBﳛ6|˅HuY~lpz;pathfinder-1.1.3/testdata/crls/PoliciesP12CACRL.crl0000644000175200017520000000050010652446340022206 0ustar ppattersppatters0<00  *H 0C1 0 UUS10U Test Certificates10UPolicies P12 CA 010419145720Z 110419145720Z/0-0U#0eԆ39^L0 U0  *H !k fy-7MsߑcUS2\Yr>+0m"ܜHG>Dl=ll&Hf%^q-M?F1H H ]j?9[)-}採~1*F<iþbkpathfinder-1.1.3/testdata/crls/requireExplicitPolicy5subsubCACRL.crl0000644000175200017520000000052010652446340026025 0ustar ppattersppatters0L00  *H 0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy5 subsubCA 010419145720Z 110419145720Z/0-0U#0 bO/?'ȣ_{Fk0 U0  *H >GͮK0*Մʱ+7`Ar tZ觽2%mǾ%cCfJფ^p{6XfҠAn.E6q>z 0DH*ZI[l*?;]ppathfinder-1.1.3/testdata/crls/nameConstraintsDNS2CACRL.crl0000644000175200017520000000051010652446340023754 0ustar ppattersppatters0D00  *H 0K1 0 UUS10U Test Certificates1 0UnameConstraints DNS2 CA 010419145720Z 110419145720Z/0-0U#0~;ޜқBD{n0 U0  *H <%rGє L>#vhЫ}s Y6p?8eBwxymTYRZXsxgAtx@ʈtxAK`?C1~`= ߝj@pathfinder-1.1.3/testdata/crls/P1Mapping1to234CACRL.crl0000644000175200017520000000050510652446340022632 0ustar ppattersppatters0A00  *H 0H1 0 UUS10U Test Certificates10UP1 Mapping 1to234 CA 010419145720Z 110419145720Z/0-0U#0̧҆!cDԐ0 U0  *H E tpfpЩ! 
qEP8N먄ky dm M6 kF!D`޴~pKJ]TZkQ Ȧz:?ㅜDw~Upathfinder-1.1.3/testdata/crls/distributionPoint1CACRL.crl0000644000175200017520000000076510652446340024003 0ustar ppattersppatters00Z0  *H 0I1 0 UUS10U Test Certificates10U distributionPoint1 CA 010419145720Z 110419145720Z0"0  010419145720Z0 0 U 00U#0PWjoA^z0~0 U0U{0ywus0q1 0 UUS10U Test Certificates10U distributionPoint1 CA1&0$UCRL1 of distributionPoint1 CA0  *H 6W9?IPB_+>R^lG_ڮWA@-l9= EyA$ͩ{W+>Z*[}%u%QXo:bYTv-* Fݱ<#g9jIpathfinder-1.1.3/testdata/crls/UnknownCRLExtensionCACRL.crl0000644000175200017520000000060210652446340024054 0ustar ppattersppatters0~00  *H 0L1 0 UUS10U Test Certificates1!0UUnknown CRL Extension CA 010419145720Z 110419145720Z0"0  010419145720Z0 0 U D0B0U#0j7L'naU0 U0 `He 0  *H 4ZJ2Z)@[OźZڽӡ珀HT"Št[3j0C5 ‡Z0l"{q~?ڪJ|pjџ]6D02l$bh$U:pathfinder-1.1.3/testdata/crls/requireExplicitPolicy7CACRL.crl0000644000175200017520000000051210652446340024604 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy7 CA 010419145720Z 110419145720Z/0-0U#0"pNb/p˵NM0 U0  *H [҂:_:c~FI_$K7(T`;徠>8p{U 0.e]`U鴯cǣEN,z;R?7 A*PJQGsWϗ5ˬ*S Epathfinder-1.1.3/testdata/crls/requireExplicitPolicy5subsubsubCACRL.crl0000644000175200017520000000052310652446340026542 0ustar ppattersppatters0O00  *H 0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy5 subsubsubCA 010419145720Z 110419145720Z/0-0U#0>0f/%gɭ0 U0  *H  f-.I5TvP7jd֗uਫ਼;F1S{5h\`ک-a@vblL>%W;ӫ{ZUcI;EúIyE=puSFCvAI#pathfinder-1.1.3/testdata/crls/pathLenConstraint0CACRL.crl0000644000175200017520000000050610652446340023702 0ustar ppattersppatters0B00  *H 0I1 0 UUS10U Test Certificates10UpathLenConstraint0 CA 010419145720Z 110419145720Z/0-0U#0! 
vvӳ*&O֡oK0 U0  *H V{d1d%º˹_=L̞Z6Sպ!Ĝ=)g.,SڦlV pathfinder-1.1.3/testdata/crls/pathLenConstraint6subCA0CRL.crl0000644000175200017520000000051210652446340024477 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UpathLenConstraint6 subCA0 010419145720Z 110419145720Z/0-0U#0HxQ1t9*7D~i0 U0  *H D4$B3tqvK|F jmKjXX~& {sڰ̠af*Y_t$w4#}5o*)Y /D%fjZ3>eiWpathfinder-1.1.3/testdata/crls/keyUsageCriticalkeyCertSignFalseCACRL.crl0000644000175200017520000000052710652446340026540 0ustar ppattersppatters0S00  *H 0Z1 0 UUS10U Test Certificates1/0-U&keyUsage Critical keyCertSign False CA 010419145720Z 110419145720Z/0-0U#0|?蒶Mr1N:70 U0  *H 7{d ;\Ntވ~3*3i8\*hXXI\o-|;MGMVAwxIU}װ(%uY{0yŜs}c:pathfinder-1.1.3/testdata/crls/requireExplicitPolicy5CACRL.crl0000644000175200017520000000051210652446340024602 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy5 CA 010419145720Z 110419145720Z/0-0U#0-+h^+fC0 U0  *H 2nI-~}OKZHGs8]pathfinder-1.1.3/testdata/crls/basicConstraintsNotCriticalcAFalseCACRL.crl0000644000175200017520000000053210652446340027045 0ustar ppattersppatters0V00  *H 0]1 0 UUS10U Test Certificates1200U)basicConstraints Not Critical cA False CA 010419145720Z 110419145720Z/0-0U#0ĕvlKhBET[0 U0  *H SLfȦLo.1H7kv#:IԔ , ß~7#\vnĄ!*}.qT-sz|w G!dmʲMfxu]v|]l'Ė 5jspathfinder-1.1.3/testdata/crls/requireExplicitPolicy4subsubsubCACRL.crl0000644000175200017520000000052310652446340026541 0ustar ppattersppatters0O00  *H 0V1 0 UUS10U Test Certificates1+0)U"requireExplicitPolicy4 subsubsubCA 010419145720Z 110419145720Z/0-0U#0+ݱzZbs1*y0 U0  *H u]O)"r1d;+Mx^ ~ayBVxݚ^ xJ0`}1aެ@V6ErN-U% @uDu5yرTpathfinder-1.1.3/testdata/crls/inhibitAnyPolicy1CACRL.crl0000644000175200017520000000050510652446340023520 0ustar ppattersppatters0A00  *H 0H1 0 UUS10U Test Certificates10UinhibitAnyPolicy1 CA 010419145720Z 110419145720Z/0-0U#0f۵ij>+ȨM+4D0 U0  *H "KCы ̶!/-ۺ\Y6 yh. 
jC q>:t1\삹ܘŽZG1~՟R1Т?w~$b{U'$BLixY3;'h=o=ǟ+9Ãw$h>*pathfinder-1.1.3/testdata/crls/inhibitPolicyMapping0CACRL.crl0000644000175200017520000000051110652446340024360 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UinhibitPolicyMapping0 CA 010419145720Z 110419145720Z/0-0U#0l B@ApR^7Z0 U0  *H ̘z.f:.k*FdZU>v~hs!kNa =a'HeGf;)f ,H7t,JjN@^X˂SGCyk^]@pathfinder-1.1.3/testdata/crls/UTF8StringCaseInsensitiveMatchCACRL.crl0000644000175200017520000000052510652446340026072 0ustar ppattersppatters0Q00  *H 0X1 0 UUS10U Test Certificates1-0+U $UTF8String Case Insensitive Match CA 010419145720Z 110419145720Z/0-0U#06b)|Є^'ߩDb0 U0  *H 2FZișL_f'Asr fb"$w8pd)vY&C5ck O}jh44;r|%$W.XRpathfinder-1.1.3/testdata/crls/inhibitPolicyMapping5subCACRL.crl0000644000175200017520000000051410652446340025102 0ustar ppattersppatters0H00  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping5 subCA 010419145720Z 110419145720Z/0-0U#0t]'!\mwD&mܿck 0 U0  *H 3#U55!5(/W[k>vrs\{c3^;3̞3"µ2eqĮ6Ӟ$Qwѩb*:YrH4 &k Wd)pw4낚2pathfinder-1.1.3/testdata/crls/inhibitAnyPolicy5subCACRL.crl0000644000175200017520000000051010652446340024232 0ustar ppattersppatters0D00  *H 0K1 0 UUS10U Test Certificates1 0UinhibitAnyPolicy5 subCA 010419145720Z 110419145720Z/0-0U#0JwbX#ùnMo0 U0  *H  | rG4mlX-j Ō19"Ϩ ?q{r!앩|M\$aЊn)l2yqʇMT[G9Ĝd+f l]4 4`| Dpathfinder-1.1.3/testdata/crls/DSACACRL.crl0000644000175200017520000000033310652446340020567 0ustar ppattersppatters000 *H80:1 0 UUS10U Test Certificates10 UDSA CA 010419145720Z 110419145720Z/0-0U#0t$^e ~HNa0 U0 *H8/0,F K͑ qj>]G%j?TA٣WtHşpathfinder-1.1.3/testdata/crls/inhibitPolicyMapping5CACRL.crl0000644000175200017520000000051110652446340024365 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UinhibitPolicyMapping5 CA 010419145720Z 110419145720Z/0-0U#0@p.8ZٲCYL0 U0  *H o;lQ ?` 6 qJ]30, n~yoV ID3*? 
N(]d۹ˏfb\[u~T0Y P#ɑI#ވz9nDD@.et`pathfinder-1.1.3/testdata/crls/requireExplicitPolicy7subsubsubCARE2RE4CRL.crl0000644000175200017520000000053110652446340027367 0ustar ppattersppatters0U00  *H 0\1 0 UUS10U Test Certificates110/U(requireExplicitPolicy7 subsubsubCARE2RE4 010419145720Z 110419145720Z/0-0U#0(hji>)6cp0 U0  *H .F`%o[On:MP6٪0~ $mgcȇi͆;@8G#>ѯ0GYϊ*xc]y>g(_m&i 0^yQ62Hpathfinder-1.1.3/testdata/crls/keyUsageNotCriticalCACRL.crl0000644000175200017520000000051110652446340024067 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UkeyUsage Not Critical CA 010419145720Z 110419145720Z/0-0U#0*B33*MsU0 U0  *H :M<~OrG,yM/]q5&'#Ŝq|j@}F(u+aKcLe< Mj=(iE\+/nUri͈^DOΫXpathfinder-1.1.3/testdata/crls/keyUsageNotCriticalcRLSignFalseCACRL.crl0000644000175200017520000000052710652446340026273 0ustar ppattersppatters0S00  *H 0Z1 0 UUS10U Test Certificates1/0-U&keyUsage Not Critical cRLSign False CA 010419145720Z 110419145720Z/0-0U#0["XV."0 U0  *H  ПCQ&⭡مTgr;'Qtʥr!-F!^6_cdRZ_?s8~Yp7Ա1JqĮ}z#W)Kx/eM8ntqWJpathfinder-1.1.3/testdata/crls/anyPolicyCACRL.crl0000644000175200017520000000047510652446340022136 0ustar ppattersppatters0900  *H 0@1 0 UUS10U Test Certificates10U anyPolicy CA 010419145720Z 110419145720Z/0-0U#0>Cg@1a0 U0  *H *-g{f"dɀנuկrNB)b#2%YME7Ȳy }XędN_o9T4{C &nj퀚G8kn>̱J߆:-bl'Q´?źlpathfinder-1.1.3/testdata/crls/onlySomeReasonsCA4otherreasonsCRL.crl0000644000175200017520000000073410652446340026046 0ustar ppattersppatters00A0  *H 0G1 0 UUS10U Test Certificates10U onlySomeReasons CA4 010419145720Z 110419145720Z0"0  010419145720Z0 0 U 00U#0?@kYZT0 U0oUe0c\ZX0V1 0 UUS10U Test Certificates10U onlySomeReasons CA41 0 UCRL20  *H =ٵJ. 
E^'z>=&is/6}&/X_΄mJQ@JQWFvrÈttv8D¥4˩o㧫?`KNiZx8EMpathfinder-1.1.3/testdata/crls/pathLenConstraint6subsubCA11CRL.crl0000644000175200017520000000051610652446340025277 0ustar ppattersppatters0J00  *H 0Q1 0 UUS10U Test Certificates1&0$UpathLenConstraint6 subsubCA11 010419145720Z 110419145720Z/0-0U#0Q\N,PQX[+0 U0  *H _= O(;~-6TT/~?ܓ2ȫY;jߎ9Pڌ|$'8rn2ġ 4]b!"o%\{J)۠n˞3%-Hp=pathfinder-1.1.3/testdata/crls/onlyContainsCACertsCACRL.crl0000644000175200017520000000053010652446340024044 0ustar ppattersppatters0T00  *H 0J1 0 UUS10U Test Certificates10UonlyContainsCACerts CA 010419145720Z 110419145720Z@0>0U#0Fg{YUȬU0 U0U00  *H T'zcR LRbqrROhJJ~]zHg61) 1WO~<  [wʕ71}M`O<_-.N,TNl"7 a!F6)pathfinder-1.1.3/testdata/crls/Mapping1to2CACRL.crl0000644000175200017520000000050010652446340022255 0ustar ppattersppatters0<00  *H 0C1 0 UUS10U Test Certificates10UMapping 1to2 CA 010419145720Z 110419145720Z/0-0U#07;t9! V}0 U0  *H )cW5,.~9,_):pcB?d'æ]Hmz$mNMXORȿp|^T]bc.Ql?A6cF}Pij4E 8^ՋwjtZhhUpathfinder-1.1.3/testdata/crls/inhibitPolicyMapping5subsubsubCACRL.crl0000644000175200017520000000052210652446340026325 0ustar ppattersppatters0N00  *H 0U1 0 UUS10U Test Certificates1*0(U!inhibitPolicyMapping5 subsubsubCA 010419145720Z 110419145720Z/0-0U#0$qWVHl10 U0  *H 5.~Fy6Ht(jhY2şdZ\*b/sf޷w&zj/>;_?)k FofqA9!o]KߕY` q+桼^,*vpathfinder-1.1.3/testdata/crls/requireExplicitPolicy0CACRL.crl0000644000175200017520000000051210652446340024575 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy0 CA 010419145720Z 110419145720Z/0-0U#0wjdQz-e~ J'0 U0  *H xemes7fQח1bJ!; zMҕ6ewQՁ bv8wr, |1X$e~!b]7{4G^Xip;.|w3}T]_ ʛpathfinder-1.1.3/testdata/crls/pathLenConstraint6subsubsubCA11XCRL.crl0000644000175200017520000000052210652446340026136 0ustar ppattersppatters0N00  *H 0U1 0 UUS10U Test Certificates1*0(U!pathLenConstraint6 subsubsubCA11X 010419145720Z 110419145720Z/0-0U#0j6Wu?BP(7ŭ0 U0  *H 
ԟSUfF/ÁR%ʲǴPp0ڠU?7Dj\}4|_-?Y1<(M&E/pwh]U]d<0-:N{p0pathfinder-1.1.3/testdata/crls/requireExplicitPolicy10subCACRL.crl0000644000175200017520000000051610652446340025374 0ustar ppattersppatters0J00  *H 0Q1 0 UUS10U Test Certificates1&0$UrequireExplicitPolicy10 subCA 010419145720Z 110419145720Z/0-0U#0Cazet0:0 U0  *H xGBxo874ڮpL=S|X$|.vpCA"Q 2mD}NKՆd-R I9L"NdInc6(_~~Hczpathfinder-1.1.3/testdata/crls/inhibitPolicyMapping0subCACRL.crl0000644000175200017520000000051410652446340025075 0ustar ppattersppatters0H00  *H 0O1 0 UUS10U Test Certificates1$0"UinhibitPolicyMapping0 subCA 010419145720Z 110419145720Z/0-0U#00ܮ0 9,!80 U0  *H R[!;\pQd=Kh E~EK&f9B-Ve9*(kj~j,?)su)\5Ed5y<8Vc8'aܰ]P 0 U0  *H B[q3<͙ &pBDar Ug#vIƂ#p:N[f8!eq嶐zsvAo$Ȯ8pathfinder-1.1.3/testdata/crls/SeparateCertificateandCRLKeysCRL.crl0000644000175200017520000000057210652446340025550 0ustar ppattersppatters0v00  *H 0Y1 0 UUS10U Test Certificates1.0,U%Separate Certificate and CRL Keys CA1 010419145720Z 110419145720Z0"0  010419145720Z0 0 U /0-0U#0B){YxRJHqqW0 U0  *H yW4<(ߐjQҴ:dA5Bb kLɧHB ~n֦?yj9?i/ZdF Vy3&IjBDicx-pathfinder-1.1.3/testdata/crls/PoliciesP1234subsubCAP123P12CRL.crl0000644000175200017520000000051710652446340024442 0ustar ppattersppatters0K00  *H 0R1 0 UUS10U Test Certificates1'0%UPolicies P1234 subsubCAP123P12 010419145720Z 110419145720Z/0-0U#0̴\7PU1.䑤h0 U0  *H ^b;"Ds#g)g9;SL$j7 '<5Smcن3,G-ZhyZ]yJZ99 .bo-`s}Hs*ex*|Zpathfinder-1.1.3/testdata/crls/inhibitPolicyMapping5subsubCACRL.crl0000644000175200017520000000051710652446340025617 0ustar ppattersppatters0K00  *H 0R1 0 UUS10U Test Certificates1'0%UinhibitPolicyMapping5 subsubCA 010419145720Z 110419145720Z/0-0U#0jkGKwTR&0 U0  *H 9/:pRF::^3Ls Iؐo#6ұl-!k&Xh3}Nnrqj׈:罤~},L/K5c͕.40pathfinder-1.1.3/testdata/crls/GeneralizedTimeCRLnextUpdateCACRL.crl0000644000175200017520000000052210652446340025633 0ustar ppattersppatters0N00  *H 0S1 0 UUS10U Test Certificates1(0&UGenerizedTime CRL nextUpdate CA 010419145720Z20500101120100Z/0-0U#0.`b㊫x00 U0  *H KtN0l"N[*+z SߤEuZW.V 
rWMdIOؖ"aeWcl6(&/t7~߬')5ᙑ1$ }pathfinder-1.1.3/testdata/crls/SeparateCertificateandCRLKeysCA2CRL.crl0000644000175200017520000000052610652446340026035 0ustar ppattersppatters0R00  *H 0Y1 0 UUS10U Test Certificates1.0,U%Separate Certificate and CRL Keys CA2 010419145720Z 110419145720Z/0-0U#0Uګdòa7)(a*0 U0  *H s%FZ 2ؠǎmCեoZVI&g(??@ "G:´]h <V.SA]"Sդr瞃铦H9`' nuO> 2vv dN/4iN=S{^ɴb_noO3r^.#z:4>i?jD]`#Hr/Y\Lpathfinder-1.1.3/testdata/crls/inhibitAnyPolicy1subCA2CRL.crl0000644000175200017520000000051110652446340024311 0ustar ppattersppatters0E00  *H 0L1 0 UUS10U Test Certificates1!0UinhibitAnyPolicy1 subCA2 010419145720Z 110419145720Z/0-0U#0A&L+VgU0 U0  *H h] *\sK#ֳҹܡH)Y+ZL$|ߠMC$pb a֙{Xy:R^}Κ4  -ҏY%Epathfinder-1.1.3/testdata/crls/nameConstraintsDN1CACRL.crl0000644000175200017520000000050710652446340023636 0ustar ppattersppatters0C00  *H 0J1 0 UUS10U Test Certificates10UnameConstraints DN1 CA 010419145720Z 110419145720Z/0-0U#0N.݋;AJÞ|Y#WNS0 U0  *H Yv[puM`rqaC[e %9m< !q__R9etF\||LJj; )pǪ:9Q\ک):؜^62pathfinder-1.1.3/testdata/crls/requireExplicitPolicy5subCACRL.crl0000644000175200017520000000051510652446340025317 0ustar ppattersppatters0I00  *H 0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy5 subCA 010419145720Z 110419145720Z/0-0U#06zoE'k0 U0  *H sTw}=|Цkp=+̧w z/zvw˖6;\0ftnuYA7BNs1S=w!žy'E$pathfinder-1.1.3/testdata/crls/indirectCRLCA3CRL.crl0000644000175200017520000000065310652446340022412 0ustar ppattersppatters000  *H 0C1 0 UUS10U Test Certificates10U indirectCRL CA3 010419145720Z 110419145720Z00U#0()Xg.:(0 U0fU\0ZXVT0R1 0 UUS10U Test Certificates10U indirectCRL CA31 0 UCRL10  *H evmտȺԘރz钖 {2ȤQbF|_7VG]<>Yk,#Igb52h$v\]&:m fnrIY/Ҽ>3=pathfinder-1.1.3/testdata/crls/P1Mapping1to234subCACRL.crl0000644000175200017520000000051010652446340023340 0ustar ppattersppatters0D00  *H 0K1 0 UUS10U Test Certificates1 0UP1 Mapping 1to234 subCA 010419145720Z 110419145720Z/0-0U#0W}hsҦ0 U0  *H 3S,nID}\KW55K8N3~lrF(K3鏤J Mڭjڕb03"{*g$NN1#B 
vd$b{^$ol`pathfinder-1.1.3/testdata/crls/BadnotAfterDateCACRL.crl0000644000175200017520000000050510652446340023150 0ustar ppattersppatters0A00  *H 0H1 0 UUS10U Test Certificates10UBad notAfter Date CA 010419145720Z 110419145720Z/0-0U#0- &>a#.72Q20 U0  *H ٽ ݼߴ]1vo nAOxgw貃^S6x9W3d]qyD2y֙`...j`A)p*'Run9uppathfinder-1.1.3/testdata/crls/inhibitAnyPolicy5subsubCACRL.crl0000644000175200017520000000051310652446340024747 0ustar ppattersppatters0G00  *H 0N1 0 UUS10U Test Certificates1#0!UinhibitAnyPolicy5 subsubCA 010419145720Z 110419145720Z/0-0U#0s dU0 U0  *H NJ ~);raѲkvDWҮ(){ amvk)-RKH8LNP`hյR~"m_%B`޿.8|]Jpathfinder-1.1.3/testdata/crls/P12Mapping1to3subsubCACRL.crl0000644000175200017520000000051210652446340023770 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UP12 Mapping 1to3 subsubCA 010419145720Z 110419145720Z/0-0U#0,)9AS-.0 U0  *H o)65vbn)惋^%MqVP%hM t6R݇ dXjLqLԍ}t4?^|*{)5BtOC]ls NEh=f*)*AcTWO'Ü%]pathfinder-1.1.3/testdata/crls/NoissuingDistributionPointCACRL.crl0000644000175200017520000000051710652446340025554 0ustar ppattersppatters0K00  *H 0R1 0 UUS10U Test Certificates1'0%U No issuingDistributionPoint CA 010419145720Z 110419145720Z/0-0U#0,'#AaO210 U0  *H   zYݱp"~:뜕 c 9g^|u5+5&@l_~~ޖy }\|ups{6#!l-ސi !pathfinder-1.1.3/testdata/crls/MappingFromanyPolicyCACRL.crl0000644000175200017520000000051210652446340024266 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UMapping From anyPolicy CA 010419145720Z 110419145720Z/0-0U#05/Z67YomH0 U0  *H hɠ\5p$7Y8Qdʪ1ך8_g qe ˇŊ&' V FuO[="o)kd{^%}{?&n-Gz((pathfinder-1.1.3/testdata/crls/indirectCRLCA1CRL.crl0000644000175200017520000000056510652446340022412 0ustar ppattersppatters0q00  *H 0C1 0 UUS10U Test Certificates10UindirectCRL CA1 010419145720Z 110419145720Z0"0  010419145720Z0 0 U @0>0U#0l_ا-\ I%[0 U0U00  *H lK8bH(;ŌobD7/(!I*Z9ڗ_w>B&wʌ>pathfinder-1.1.3/testdata/crls/nameConstraintsURI2CACRL.crl0000644000175200017520000000051010652446340023767 0ustar ppattersppatters0D00  *H 0K1 0 UUS10U Test 
Certificates1 0UnameConstraints URI2 CA 010419145720Z 110419145720Z/0-0U#0Uc#lmZZ0 U0  *H s!$p'ha, ~Ivl6LDf /WG澅Sh~2׉c?G0DB0:FOlC~ZQ^szZ g+$bpathfinder-1.1.3/testdata/crls/TwoCRLsCAGoodCRL.crl0000644000175200017520000000047410652446340022274 0ustar ppattersppatters0800  *H 0?1 0 UUS10U Test Certificates10U Two CRLs CA 010419145720Z 110419145720Z/0-0U#00JC&A#SSG0 U0  *H 8;ry>ears.ے>*ܺ2 kR2 |o0_&5yL?*>%nB^o9c4"V$b0,pQt<ܩ(Upathfinder-1.1.3/testdata/crls/requireExplicitPolicy4subsubCACRL.crl0000644000175200017520000000052010652446340026024 0ustar ppattersppatters0L00  *H 0S1 0 UUS10U Test Certificates1(0&UrequireExplicitPolicy4 subsubCA 010419145720Z 110419145720Z/0-0U#0l LS#c0 U0  *H  &\7k,1z"ߙpOP$( yiVy^wzbX}o.'%g D9̲!I%,3n*Y{]h§&@n77ajPݒSpathfinder-1.1.3/testdata/crls/onlyContainsUserCertsCACRL.crl0000644000175200017520000000053210652446340024501 0ustar ppattersppatters0V00  *H 0L1 0 UUS10U Test Certificates1!0UonlyContainsUserCerts CA 010419145720Z 110419145720Z@0>0U#0Z7F\߸:@0 U0U00  *H Rc@UJ# d>P 0/c֤"~ T ?`k%QcWѿ w㇠]JA6T2|TwxEKBRO9 pathfinder-1.1.3/testdata/crls/WrongCRLCACRL.crl0000644000175200017520000000054110652446340021616 0ustar ppattersppatters0]00  *H 0@1 0 UUS10U Test Certificates10U Trust Anchor 010419145720Z 110419145720Z0"0 h 010419145720Z0 0 U /0-0U#0l-'z <ꚼI0 U0  *H 4qkt1%K 0]d1@U _icvϞ_S}itW8p[vX1ܔ38K) )nǿ@4͵M.Dk 13veM9pathfinder-1.1.3/testdata/crls/onlySomeReasonsCA3otherreasonsCRL.crl0000644000175200017520000000066710652446340026052 0ustar ppattersppatters000  *H 0G1 0 UUS10U Test Certificates10U onlySomeReasons CA3 010419145720Z 110419145720Z00U#0I{Oi~#ZVj00 U0nUd0b[YW0U1 0 UUS10U Test Certificates10U onlySomeReasons CA31 0 UCRL0  *H (ff}K@ 9N0 |=@K`ފ~l7BI#ߚQ)ĸ=) 15F8$} m f҈o PNəw6JMiF wJ=pathfinder-1.1.3/testdata/crls/nameConstraintsRFC822CA3CRL.crl0000644000175200017520000000051310652446340024202 0ustar ppattersppatters0G00  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints RFC822 CA3 010419145720Z 110419145720Z/0-0U#0n+ 6gi5=)x0 U0  *H m 
g]zzR>MPF:}-]mKAt;sOzp{ YۃSCq//FUdTrO7݈;c$~m/WזgH~m^xXƾ̱JWEpathfinder-1.1.3/testdata/crls/MappingToanyPolicyCACRL.crl0000644000175200017520000000051010652446340023743 0ustar ppattersppatters0D00  *H 0K1 0 UUS10U Test Certificates1 0UMapping To anyPolicy CA 010419145720Z 110419145720Z/0-0U#0z,cZN?SU i0 U0  *H  *HZ{t2pJ0&ϠqHO YeI=61>4Ӥ}[p%T2JPAWS|Ǽ6Q&o7b{/$SΉ>q#sگyJ+*pathfinder-1.1.3/testdata/crls/requireExplicitPolicy2subCACRL.crl0000644000175200017520000000051510652446340025314 0ustar ppattersppatters0I00  *H 0P1 0 UUS10U Test Certificates1%0#UrequireExplicitPolicy2 subCA 010419145720Z 110419145720Z/0-0U#0)O:MF_00 U0  *H _ kNxV/Ք`@ 6vAfczNT'vIč0jZ#f '4?WCrO/uHt8[;mgKikʖv*pathfinder-1.1.3/testdata/crls/requireExplicitPolicy4CACRL.crl0000644000175200017520000000051210652446340024601 0ustar ppattersppatters0F00  *H 0M1 0 UUS10U Test Certificates1"0 UrequireExplicitPolicy4 CA 010419145720Z 110419145720Z/0-0U#0%~ вGAyB50 U0  *H iLk0L<س5Q58& E9_T2AT驒N.pZ]o@4ce[ɷjK`Zv5Y'}:bpathfinder-1.1.3/testdata/crls/deltaCRLCA1CRL.crl0000644000175200017520000000077510652446340021705 0ustar ppattersppatters00b0  *H 0@1 0 UUS10U Test Certificates10U deltaCRL CA1 010419145720Z 110419145720Z0f0  010419145720Z0 0 U 0  010419145720Z0 0 U 0  010419145720Z0 0 U 00U#0M H2 0 U0SU.L0J0HFDB0@1 0 UUS10U Test Certificates10U deltaCRL CA10  *H H2:q7$Z/*m{0m$sݽU1\|Q`mCR2~.3"_fĔ +.&89b~Ȼqs”S,4P}Npathfinder-1.1.3/testdata/crls/PoliciesP123subsubCAP2P2CRL.crl0000644000175200017520000000051410652446340024126 0ustar ppattersppatters0H00  *H 0O1 0 UUS10U Test Certificates1$0"UPolicies P123 subsubCAP12P2 010419145720Z 110419145720Z/0-0U#09n9pdh+MT,0 U0  *H |8 LCOK.gw?U*N |&7G(Gyt0f}O7RqP XT"QӒ 5K8Q͒K-@/%M} $~Nϝ0pathfinder-1.1.3/testdata/crls/nameConstraintsDN3subCA1CRL.crl0000644000175200017520000000051310652446340024430 0ustar ppattersppatters0G00  *H 0N1 0 UUS10U Test Certificates1#0!UnameConstraints DN3 subCA1 010419145720Z 110419145720Z/0-0U#0.+!.~i<4u0 U0  *H .

Y"g+ܣt*q"/{2pathfinder-1.1.3/testdata/crls/inhibitPolicyMapping1P12subsubCAIPM5CRL.crl0000644000175200017520000000052710652446340026532 0ustar ppattersppatters0S00  *H 0Z1 0 UUS10U Test Certificates1/0-U&inhibitPolicyMapping1 P12 subsubCAIPM5 010419145720Z 110419145720Z/0-0U#0$UD~0 U0  *H  3G.V FH7cqi4 ЪagFg0 PskJ+u~d9890w3wRp$4zFx~mj.ȠvFGQGƅLpathfinder-1.1.3/testdata/crls/onlySomeReasonsCA2CRL2.crl0000644000175200017520000000052610652446340023470 0ustar ppattersppatters0R00  *H 0G1 0 UUS10U Test Certificates10UonlySomeReasons CA2 010419145720Z 110419145720ZA0?0U#0\83EAЊ{0 U0U00  *H 8|:Gz<۔GkhL{p _2U48Sa=܏9EQ\{gG`lKWsi -#b1J;N苙gqb@ bBiEdؔO0@C8:Y)mr pathfinder-1.1.3/pathfinderd.ini.sample0000644000175200017520000000107711103611562020404 0ustar ppattersppatters[General] CRL Cache Location = /var/cache/pathfinder/crls/ [Trusted directories] Extra certs = /tmp/trusted [Policy] apache = 1.2.3.4 [Verification options] skip revocation check = 0 [bridges] My bridge = /tmp/mybridge.p7c [intermediate CAs] E0:26:A2:10:00:7D:D5:96:95:14:0C:F2:2E:54:63:F1:65:66:D9:0E = 1 [CRL Location] CN=CAcert WoT User%2femailAddress=pg@futureware.at = file:///var/pathfinder/crls/mycrl.crl [CA Location] O=Root CA, OU=http:%2f%2fwww.cacert.org, CN=CA Cert Signing Authority%2femailAddress=support@cacert.org = file:///var/pathfinder/cas/myca.ca pathfinder-1.1.3/pathfinderd.cc0000644000175200017520000001051311245314401016724 0ustar ppattersppatters/* * pathfinderd.cc * * Copyright (C) 2007-2008 Carillon Information Security Inc. * * This program and accompanying library is covered by the LGPL v2.1 or later, * please read LICENSE for details. 
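 */
// NOTE(review): this listing lost the header names of the bare #include lines
// and the template arguments of shared_ptr. The shared_ptr element types are
// restored below from the constructor expressions; the parameter types of
// is_md() and path_validated_cb() are inferred from their use -- confirm both
// against the original source. The header names are left as found.
#include
#include
#include
#include
#include
#include "pathserver.h"
#include "version.h"
#include "wvx509path.h"
#include "wvcrlcache.h"

using namespace boost;

#define DEFAULT_CONFIG_MONIKER "ini:/etc/pathfinderd.conf"
#define DEFAULT_DBUS_MONIKER "dbus:system"
#define DEFAULT_CRLSTORE_LOCATION "/var/cache/pathfinder/crls/"

/*
 * Daemon wrapper for the pathfinder service: parses the command line, loads
 * the trust stores and the CRL cache from the configuration, and hands
 * incoming D-Bus messages to a PathServer.
 */
class PathFinderDaemon : public WvStreamsDaemon
{
public:
    PathFinderDaemon() :
        WvStreamsDaemon("pathfinderd", PATHFINDER_VERSION,
                        wv::bind(&PathFinderDaemon::cb, this)),
        trusted_store(new WvX509Store),
        intermediate_store(new WvX509Store),
        dbusconn(NULL),
        pathserver(NULL),   // was left uninitialized until cb() ran
        cfgmoniker(DEFAULT_CONFIG_MONIKER),
        dbusmoniker(DEFAULT_DBUS_MONIKER),
        fips_mode(false)
    {
        args.add_option(0, "pid-file",
                        "Specify the .pid file to use (only applies with --daemonize)",
                        "filename", pid_file);
        args.add_option('c', "config",
                        WvString("Config moniker (default: %s)",
                                 DEFAULT_CONFIG_MONIKER),
                        "ini:filename.ini", cfgmoniker);
        args.add_option('m', "moniker",
                        WvString("Specify the D-Bus moniker to use (default: "
                                 "%s)", DEFAULT_DBUS_MONIKER),
                        "MONIKER", dbusmoniker);
#ifdef OPENSSL_FIPS
        args.add_set_bool_option('f', "fips",
                                 WvString("Enable FIPS mode crypto "
                                          "(default: OFF)"), fips_mode);
#endif
    }

    /*
     * Daemon start callback: (re)mounts the configuration, fills the trusted
     * and intermediate stores, creates the CRL cache, connects to D-Bus and
     * registers the PathServer as the handler for incoming messages.
     * Returns early, without registering any stream, when FIPS mode was
     * requested but could not be enabled or when the configuration cannot
     * be read.
     */
    void cb()
    {
        WvHttpStream::global_enable_pipelining = false;

#ifdef OPENSSL_FIPS
        if (fips_mode)
        {
            // Fail closed: the operator asked for FIPS mode, so do not go on
            // to validate certificates with it switched off. This takes the
            // same early-return path as the configuration check below.
            if (!FIPS_mode_set(1))
            {
                log(WvLog::Error,
                    "FIPS mode requested, but not enabled! Aborting.\n");
                return;
            }
            log(WvLog::Info, "FIPS mode is enabled.\n");
        }
#endif

        // Mount config moniker
        cfg.unmount(cfg.whichmount(), true); // just in case
        cfg.mount(cfgmoniker);
        if (!cfg.whichmount() || !cfg.whichmount()->isok())
        {
            log(WvLog::Error,
                "Can't read configuration from '%s'! Aborting.\n", cfgmoniker);
            return;
        }

        // Load stores. Everything found under "trusted directories" becomes a
        // trust anchor source and every "bridges" entry is added as PKCS#7, so
        // these configured paths should be writable only by the administrator.
        {
            UniConf::Iter i(cfg["trusted directories"]);
            for (i.rewind(); i.next();)
                trusted_store->load(i->getme());
        }
        {
            UniConf::Iter i(cfg["bridges"]);
            for (i.rewind(); i.next();)
                intermediate_store->add_pkcs7(i->getme());
        }

        crlcache = shared_ptr<WvCRLCache>(
            new WvCRLCache(cfg["general"].xget("crl cache location",
                                               DEFAULT_CRLSTORE_LOCATION)));

        // Initialize D-Bus
        // HACK: dbus:system doesn't correspond to anything useful most of the
        // time, use a hardcoded value instead
        if (dbusmoniker == "dbus:system")
            dbusmoniker = "unix:/var/run/dbus/system_bus_socket";
        dbusconn = new WvDBusConn(dbusmoniker);
        dbusconn->request_name("ca.carillon.pathfinder");
        // FIXME: need to check for success of name request. Until then a
        // failed claim on the name goes unnoticed and the daemon keeps
        // running without it.
        add_die_stream(dbusconn, true, "wvdbus conn");

        // Initialize pathfinder "server" object
        // NOTE(review): nothing visible here deletes a PathServer created by
        // an earlier call of cb() -- confirm whether cb() can run twice.
        pathserver = new PathServer(trusted_store, intermediate_store,
                                    crlcache, cfg);
        dbusconn->add_callback(WvDBusConn::PriNormal,
                               wv::bind(&PathServer::incoming, pathserver,
                                        dbusconn, _1), this);
    }

    shared_ptr<WvX509Store> trusted_store;
    shared_ptr<WvX509Store> intermediate_store;
    shared_ptr<WvCRLCache> crlcache;
    WvDBusConn *dbusconn;
    PathServer *pathserver;
    WvString cfgmoniker;
    WvString dbusmoniker;
    bool fips_mode;
    UniConfRoot cfg;
};


int main(int argc, char *argv[])
{
    return PathFinderDaemon().run(argc, argv);
}
pathfinder-1.1.3/util.cc0000644000175200017520000000163611207567056015435 0ustar ppattersppatters
#include
#include
#include
#include "util.h"

using namespace boost;

/*
 * Guesses the encoding of certificate data held in buf: PEM when the first
 * ten bytes are "-----BEGIN", DER otherwise (including when fewer than ten
 * bytes are available).
 */
WvX509::DumpMode guess_encoding(WvBuf &buf)
{
    if (buf.used() < 10)
        return WvX509::CertDER;

    if (!strncmp("-----BEGIN", (const char *) buf.peek(0, 10), 10))
        return WvX509::CertPEM;

    return WvX509::CertDER;
}


/*
 * Guesses the encoding of the certificate file fname from its first ten
 * bytes and returns the matching file mode. The result of opening the file
 * is not checked: if nothing can be read the buffer stays short and the
 * answer is CertFileDER.
 */
WvX509::DumpMode guess_encoding(WvStringParm fname)
{
    WvFile f(fname, O_RDONLY);
    WvDynBuf buf;
    f.read(buf, 10);    // the byte count is not needed; buf.used() is checked

    if (guess_encoding(buf) == WvX509::CertPEM)
        return WvX509::CertFilePEM;

    return WvX509::CertFileDER;
}


/*
 * Reports whether the certificate is signed with MD5-with-RSA or
 * MD2-with-RSA. Only these two algorithm NIDs are checked; any other
 * signature algorithm yields false.
 *
 * NOTE(review): assumes x509->get_cert() is non-null -- confirm that callers
 * only pass certificates that decoded successfully. The direct access to
 * cert->sig_alg also requires an OpenSSL whose X509 struct is not opaque
 * (before 1.1.0).
 */
bool is_md(shared_ptr<WvX509> &x509)
{
    X509 *cert = x509->get_cert();
    const int alg = OBJ_obj2nid(cert->sig_alg->algorithm);

    return alg == NID_md5WithRSAEncryption
        || alg == NID_md2WithRSAEncryption;
}
pathfinder-1.1.3/pathfinder-dbus.conf.sample0000644000175200017520000000207211103611553021335 0ustar ppattersppatters 512
pathfinder-1.1.3/pathverify.cc0000644000175200017520000001044511100417652016623 0ustar ppattersppatters
/*
 * pathverify.cc
 *
 * Copyright (C) 2007 Carillon Information Security Inc.
 *
 * This program and accompanying library is covered by the LGPL v2.1 or later,
 * please read LICENSE for details.
 */
#include
#include
#include
#include
#include
#include "pathvalidator.h"
#include "util.h"
#include "wvx509policytree.h" // for ANY_POLICY_OID

using namespace boost;

#define DEFAULT_CONFIG_MONIKER "ini:/etc/pathfinderd.ini"
#define DEFAULT_CRLSTORE_LOCATION "/var/cache/pathfinder/crls/"

static WvLog::LogLevel log_level = WvLog::Info;
static bool done = false;


/* -q handler: lowers the log level one step, never below Critical. */
static bool dec_log_level(void *)
{
    if (static_cast<int>(log_level) > static_cast<int>(WvLog::Critical))
        log_level = static_cast<WvLog::LogLevel>(static_cast<int>(log_level) - 1);
    return true;
}


/* -v handler: raises the log level one step, never above Debug5. */
static bool inc_log_level(void *)
{
    if (static_cast<int>(log_level) < static_cast<int>(WvLog::Debug5))
        log_level = static_cast<WvLog::LogLevel>(static_cast<int>(log_level) + 1);
    return true;
}


/*
 * Completion callback for PathValidator: marks the run as finished and
 * prints either the error or the valid/invalid verdict. The verdict is only
 * printed; it is not stored anywhere main() could turn into an exit status.
 */
static void path_validated_cb(shared_ptr<WvX509> &cert, bool valid, WvError err)
{
    done = true;

    if (err.geterr())
    {
        wvcon->print("Error while validating path (%s)\n", err.errstr());
        return;
    }

    wvcon->print("Path validated. Result: %s.\n", valid ? "valid" : "invalid");
}


/*
 * Command-line path validation: loads the stores named in the configuration,
 * decodes the certificate given as the required argument and runs a
 * PathValidator on it until the callback fires.
 *
 * Returns 1 when argument parsing fails and -1 for an unknown --type or a
 * certificate that does not decode.
 *
 * NOTE(review): after validation main() falls off the end, so the exit
 * status is 0 whether the path was valid, invalid or hit an error. Scripts
 * have to parse the printed result until the verdict is reflected in the
 * exit status.
 */
int main(int argc, char *argv[])
{
    wvcrash_setup(argv[0]);

    WvStringList remaining_args;
    WvString certtype;
    WvString cfgmoniker(DEFAULT_CONFIG_MONIKER);
    WvString initial_policy_set_tcl(ANY_POLICY_OID);
    bool crl_check = true;

    WvArgs args;
    args.add_required_arg("CERTIFICATE");
    args.add_option('t', "type", "Certificate type: der or pem "
                    "(default: autodetect)", "TYPE", certtype);
    args.add_option('p', "policy", "Initial policy set to use for validation, "
                    "in tcl-encoded form (default: " ANY_POLICY_OID ")",
                    "POLICY", initial_policy_set_tcl);
    args.add_option('c', "config", WvString("Config moniker (default: %s)",
                                            DEFAULT_CONFIG_MONIKER),
                    "ini:filename.ini", cfgmoniker);
    args.add_option('q', "quiet",
                    "Decrease log level (can be used multiple times)",
                    WvArgs::NoArgCallback(&dec_log_level));
    args.add_option('v', "verbose",
                    "Increase log level (can be used multiple times)",
                    WvArgs::NoArgCallback(&inc_log_level));
    // Clearing crl_check passes WVX509_SKIP_REVOCATION_CHECK to the validator
    // below, so revocation status is not consulted for that run.
    args.add_reset_bool_option('\0', "skip-crl-check",
                               "Skips any CRL checking.", crl_check);

    if (!args.process(argc, argv, &remaining_args))
    {
        args.print_help(argc, argv);
        return 1;
    }

    WvLogConsole console_log(1, log_level);
    UniConfRoot cfg(cfgmoniker);
    WvHttpStream::global_enable_pipelining = false;

    WvString certname = remaining_args.popstr();

    shared_ptr<WvX509Store> trusted_store(new WvX509Store);
    {
        UniConf::Iter i(cfg["trusted directories"]);
        for (i.rewind(); i.next();)
            trusted_store->load(i->getme());
    }

    shared_ptr<WvX509Store> intermediate_store(new WvX509Store);
    {
        UniConf::Iter i(cfg["bridges"]);
        for (i.rewind(); i.next();)
            intermediate_store->add_pkcs7(i->getme());
    }

    shared_ptr<WvCRLCache> crlcache(
        new WvCRLCache(cfg["general"].xget("crl cache location",
                                           DEFAULT_CRLSTORE_LOCATION)));

    shared_ptr<WvX509> x509(new WvX509);
    if (certtype == "der")
        x509->decode(WvX509::CertFileDER, certname);
    else if (certtype == "pem")
        x509->decode(WvX509::CertFilePEM, certname);
    else if (!certtype)
        x509->decode(guess_encoding(certname), certname);
    else
    {
        wverr->print("Invalid certificate type '%s'\n", certtype);
        return -1;
    }

    if (!x509->isok())
    {
        wverr->print("Certificate is NOT ok. Not doing path validation.\n");
        return -1;
    }

    PathValidator p(x509, initial_policy_set_tcl,
                    crl_check ? 0 : WVX509_SKIP_REVOCATION_CHECK,
                    trusted_store, intermediate_store, crlcache, cfg,
                    path_validated_cb);
    p.validate();

    // Pump the global stream list until the callback reports completion.
    while (!done && WvIStreamList::globallist.isok())
        WvIStreamList::globallist.runonce();
}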